
I'm running an Nginx proxy server that uses OpenResty/Lua and LetsEncrypt to auto-generate SSL certificates in a multi-tenant SaaS platform. I have many domains that need certificates but cannot whitelist them, so my certificate server accepts every request pointed at it.
I've started seeing a lot of invalid domain requests matching the following domain structure:
www.randomsubdomain.anydomain.com
That domain structure is not valid for my service, so what I'd like to do is create a server block in my nginx config that catches this structure and returns a 444 response, so that no certificate is requested from LE at all.
This is what I tested:
server {
    listen 80;
    server_name ~^www\.(.+)\.(.+)\.com$;
    return 444;
}
Unfortunately, once I reload the config, this block doesn't seem to catch my test domain. My test domain (www.randomsubdomain.anydomain.com) gets through and a certificate is issued, which is not what I want. Is it my regex? I'm far from a PCRE/nginx regex expert, so my regex was built with one of the available online testers.
However, if I change the server_name to an actual domain name, "www.test.customdomain.com", the server block catches it and returns the desired 444 response.
I have quite a few server blocks configured for my application so that LetsEncrypt certificates get issued, so if it isn't my regex I suspect one of the others is taking precedence, even though I have the block above near the top.
Here is the full block for reference, where app-server.com is my service's domain name. Thanks in advance for any tips/guidance.
user ec2-user www;
events {
    worker_connections 1024;
}
http {
    lua_shared_dict auto_ssl 100m;  # need 1MB per 100 domains in memory
    lua_shared_dict auto_ssl_settings 64k;
    resolver 8.8.8.8 ipv6=off;
    init_by_lua_block {
        auto_ssl = (require "resty.auto-ssl").new()
        auto_ssl:set("allow_domain", function(domain)
            return true
        end)
        auto_ssl:init()
    }
    init_worker_by_lua_block {
        auto_ssl:init_worker()
    }
    # Handles SSL app-server.com subdomain requests so they aren't redirected
    server {
        listen 443 ssl;
        server_name *.app-server.com;
        location / {
            proxy_pass http://ssl-sites.app-server.com;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Ssl on;
        }
        ssl_certificate_by_lua_block {
            auto_ssl:ssl_certificate()
        }
        ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
        ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
    }
    # Capture SSL requests that already have www and redirect to https://www
    server {
        listen 443 ssl;
        server_name www.*;
        location / {
            proxy_pass http://ssl-sites.app-server.com;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Ssl on;
        }
        ssl_certificate_by_lua_block {
            auto_ssl:ssl_certificate()
        }
        ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
        ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
    }
    # Capture SSL requests without www and redirect to https://www on subsequent requests once the cert is issued
    server {
        listen 443 ssl default_server;
        ssl_certificate_by_lua_block {
            auto_ssl:ssl_certificate()
        }
        ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
        ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
        return 301 https://www.$host$request_uri;
    }
    # Capture invalid subdomains
    server {
        listen 80;
        server_name ~^www\.(.+)\.(.+)\.com$;
        return 444;
    }
    # Capture requests that already have www and redirect to https://www
    server {
        listen 80;
        server_name www.*;
        location / {
            return 301 https://$host$request_uri;
        }
        # send to challenge if looking for it
        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                auto_ssl:challenge_server()
            }
        }
    }
    # Captures the app-server.com subdomain requests and redirects them
    server {
        listen 80;
        server_name *.app-server.com;
        location / {
            return 301 https://$host$request_uri;
        }
        # send to challenge if looking for it
        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                auto_ssl:challenge_server()
            }
        }
    }
    # Capture requests without www and redirect to https://www
    server {
        listen 80 default_server;
        location / {
            return 301 https://www.$host$request_uri;
        }
        # Endpoint used for Let's Encrypt domain validation
        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                auto_ssl:challenge_server()
            }
        }
    }
    server {
        listen 127.0.0.1:8999;
        client_body_buffer_size 128k;
        client_max_body_size 128k;
        location / {
            content_by_lua_block {
                auto_ssl:hook_server()
            }
        }
    }
}
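Two facts from the nginx and lua-resty-auto-ssl documentation explain what the question observes, and they point at where the filter has to live. First, nginx picks a server block by exact name, then longest wildcard name starting with an asterisk, then longest wildcard name ending with an asterisk, and only then the first matching regular expression; the `www.*` wildcard on port 80 therefore always beats the regex block, whatever the order in the file. Second, `auto_ssl:ssl_certificate()` runs inside `ssl_certificate_by_lua_block` during the TLS handshake on port 443, and it calls `allow_domain` to decide whether to issue, so a port-80 block can never prevent issuance. The `allow_domain` callback is the one place that is consulted before any certificate is requested, and with `return true` it currently lets any name that resolves to the server trigger an issuance against the Let's Encrypt rate limits. The following is an added example, not the poster's configuration: a stricter `allow_domain` written in plain Lua so it can be exercised with a standalone interpreter before being wired into `init_by_lua_block`. The service domain `app-server.com` is taken from the question; the helper names and the well-formedness rules are assumptions for illustration.

```lua
-- Added example, not the poster's configuration: a stricter allow_domain
-- callback for lua-resty-auto-ssl. Plain Lua, so it can be run with a
-- standalone interpreter before being wired into init_by_lua_block.

-- Assumed: the service's own domain (the question uses app-server.com).
local SERVICE_DOMAIN = "app-server.com"

-- The shape of the unwanted requests described in the question:
-- www.<label>.<label>.com, e.g. www.randomsubdomain.anydomain.com
local function looks_like_unwanted(domain)
  return domain:match("^www%.[^.]+%.[^.]+%.com$") ~= nil
end

-- Basic hostname sanity: length limits, no empty labels, letters/digits/
-- hyphen only, no trailing hyphen, and at least two labels.
local function is_wellformed_hostname(domain)
  if #domain == 0 or #domain > 253 then return false end
  if domain:find("^%.") or domain:find("%.$") or domain:find("%.%.") then
    return false
  end
  local labels = 0
  for label in domain:gmatch("[^.]+") do
    labels = labels + 1
    if #label > 63 then return false end
    if not label:match("^[%w][%w%-]*$") or label:match("%-$") then
      return false
    end
  end
  return labels >= 2
end

-- Decision used by resty-auto-ssl: true means "obtain/serve a certificate".
-- auto_ssl:ssl_certificate() calls this during the TLS handshake, before any
-- HTTP server block is selected, so refusing junk names here stops issuance
-- no matter which server block would later handle the request.
local function allow_domain(domain)
  domain = domain:lower()
  if not is_wellformed_hostname(domain) then return false end
  if looks_like_unwanted(domain) then return false end
  -- Subdomains of the service itself are always fine.
  if domain:sub(-(#SERVICE_DOMAIN + 1)) == "." .. SERVICE_DOMAIN then
    return true
  end
  -- Tenant custom domains: anything else that is well formed. This is the
  -- hook to consult a tenant database if the service ever can whitelist.
  return true
end

-- Wiring inside nginx (init_by_lua_block), replacing `return true`:
--   auto_ssl:set("allow_domain", function(domain) return allow_domain(domain) end)

-- Standalone self-check; `ngx` only exists inside OpenResty.
if not ngx then
  assert(allow_domain("tenant.app-server.com"))
  assert(allow_domain("www.customer-site.net"))
  assert(not allow_domain("www.randomsubdomain.anydomain.com"))
  assert(not allow_domain("www.bad..name.com"))
  assert(not allow_domain("localhost"))
  print("allow_domain checks passed")
end

return allow_domain
```

When `allow_domain` returns false, resty-auto-ssl serves the configured fallback certificate instead of requesting a new one, so the unwanted names cost nothing against the Let's Encrypt rate limits. A `return 444` block for that shape can still be added on port 443 for the HTTP layer, but it is a cosmetic addition; the issuance decision is made by this callback.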