我正在嘗試使用 NGINX 來配置我的網站。我有點力不從心,並且已經嘗試了我能找到的所有相關解決方案,所以感謝您的耐心:)
我希望所有 http 流量都重定向到 https,並且到我網站的 www 子網域和我的伺服器 IP 位址(對於我們的目的是 123.123.123.123)的連線應該會重定向到 mywebsite.com。我的伺服器配置如下,它滿足所有這些條件,除了 www 重定向,它給了我一個 NGINX 404 頁面。我不明白的是,IP 位址和 www 子網域的處理對我來說似乎是相同的 - 問題是否在其他地方,例如 DNS 或 SSL 憑證?謝謝。
/etc/nginx/sites-available/mywebsite
server {
listen 80 ;
server_name www.mywebsite.com mywebsite.com 123.123.123.123 ;
return 301 https://mywebsite.com$request_uri ;
}
server {
server_name www.mywebsite.com ;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
return 301 https://mywebsite.com$request_uri ;
}
server {
server_name 123.123.123.123;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
return 301 https://mywebsite.com$request_uri ;
}
server {
server_name mywebsite.com ;
root /var/www/mywebsite ;
index index.html index.htm index.nginx-debian.html ;
location / {
try_files $uri $uri/ =404 ;
}
if ($host != mywebsite.com) {
return 301 https://mywebsite.com$request_uri;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
root@localhost:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: mail.mywebsite.com
Serial Number: ###################################
Key Type: ECDSA
Domains: mail.mywebsite.com
Expiry Date: 2023-12-09 16:27:55+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mail.mywebsite.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.mywebsite.com/privkey.pem
Certificate Name: mywebsite.com
Serial Number: ###################################
Key Type: ECDSA
Domains: mywebsite.com mail.mywebsite.com www.mywebsite.com
Expiry Date: 2023-12-09 03:09:48+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/mywebsite.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mywebsite.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
對於 DNS,我有 mywebsite.com 和 *.mywebsite.com 的 A 和 AAAA 記錄分別指向我的伺服器的 ipv4 和 ipv6 位址,以及我的郵件子網域的 MX 記錄和一些 TXT 記錄。
A mywebsite.com 123.123.123.123 600
A *.mywebsite.com 123.123.123.123 600
AAAA mywebsite.com 1234:1234::1234:1234:1234:1234 600
AAAA *.mywebsite.com 1234:1234::1234:1234:1234:1234 600
MX mywebsite.com mail.mywebsite.com 600 10
TXT _dmarc.mywebsite.com v=DMARC1; p=reject; rua=mailto:[email protected]; fo=1 600
TXT mywebsite.com v=spf1 mx a:mail.mywebsite.com -all 600
TXT mail._domainkey.mywebsite.com v=DKIM1; h=sha256; k=rsa; p=##################################### 600
答案1
(這主要是評論,但篇幅有限)
我希望所有 http 流量重定向到 https,
好吧,看起來很明智。
到我網站的 www 子網域和我的伺服器 IP 位址(對於我們的目的是 123.123.123.123)的連線應該會重定向到 mywebsite.com
為什麼?我認為這樣做沒有任何好處,而且它實際上關閉了服務高可用性的大門。
是的,對配置的隨意檢查表明它應該按照您的想法進行。但是,為什麼您使用不同的伺服器區塊來描述www.mywebsite.com和 123.123.123.123 當他們實現相同的行為? (實際上,您可以在單一伺服器區塊中實現 3 個 SSL 虛擬主機的行為)。同樣,您不需要 mail.mywebsite.com 的單獨憑證。
證書問題不太可能導致 404 錯誤。
DNS 似乎是顯而易見的要檢查的事情/相反,您可以明確覆蓋任何現有的 DNS 並使用(例如)查看實際的 HTTP 標頭:
curl -I -k --resolve \*:443:123.123.123 https://www.example.com