redirect - Nginx proxy_pass 重定向到错误的域

Question

我的 nginx 配置中有三个不同的 proxy_pass。其中两个重定向到 https 主机，最后一个通过标准端口 80。

前两个(example.com 和 proxmox.example.com)工作正常。

但问题是关于第三个。http://blog.example.com 重定向到 https://example.com 我不明白为什么。

如果有人有想法......我是 nginx 的新手，我仍然很难理解有或没有 SSL 的 proxy_pass。

这是我的配置。

server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name example.com proxmox.example.com;
    rewrite ^(.*) https://$host$1 permanent;
}

server {
    listen 443;
    server_name example.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    proxy_redirect off;
    location / {
        proxy_pass https://localhost:8000;

        proxy_set_header    Host              $host;
        proxy_set_header    X-Real-IP         $remote_addr;
        proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;
    }
}
server {
    listen 443;
    server_name proxmox.example.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    proxy_redirect off;
    location / {
        proxy_pass https://localhost:8006;

        proxy_set_header    Host              $host;
        proxy_set_header    X-Real-IP         $remote_addr;
        proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

server {
    listen 80;
    server_name blog.example.com;
    proxy_redirect off;
    location / {
        proxy_pass http://10.0.0.3:80;

        proxy_set_header    Host              $host;
        proxy_set_header    X-Real-IP         $remote_addr;
        proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;
    }
}

谢谢

编辑

我已经在 Nginx 文档上阅读了这篇文章。这可能是问题的原因。

With this configuration a browser receives the default server’s certificate, i.e. www.example.com regardless of the requested server name. This is caused by SSL protocol behaviour. The SSL connection is established before the browser sends an HTTP request and nginx does not know the name of the requested server. Therefore, it may only offer the default server’s certificate.

Link: see in Name-based HTTPS servers

Answer 1

最后，这是因为我的证书只适用于 example.com 而不是 *.example.com。所以它不匹配子域，我被重定向到第一个可用的 SSL 配置(即 example.com)。所以我在我的证书中添加了一个 subjectAltName 以允许 *.example.com。

然后我还将证书声明的定义直接更改为 Nginx 配置的 html 部分以用于缓存目的。这是我的最终配置:

# Certificates
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;

# Return 404 if no server name matches
server {
    listen 80 default_server;
    server_name _;
    return 404;
}

# Redirect chosen domain to https
server {
    listen 80;
    server_name example.com proxmox.example.com;
    rewrite ^(.*) https://$host$1 permanent;
}

# Main configuration
server {
    listen 443;
    server_name example.com;
    ssl on;
    proxy_redirect off;
    location / {
        proxy_pass https://localhost:8000;

        proxy_set_header    Host              $host;
        proxy_set_header    X-Real-IP         $remote_addr;
        proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;
    }
}

# Proxmox configuration
server {
    listen 443;
    server_name proxmox.example.com;
    ssl on;
    proxy_redirect off;
    location / {
        proxy_pass https://localhost:8006;

        proxy_set_header    Host              $host;
        proxy_set_header    X-Real-IP         $remote_addr;
        proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}