SNI and virtual hosts with CNAME and SSL in NGINX

For a long time I have maintained a website that uses a wildcard SSL certificate to secure both the core site (https://www.OURSITE.com) and client-specific subdomains (https://CLIENT.OURSITE.com). To do this I set up a single virtual host for NGINX, and everything has been working fine.

Recently a client wanted to present CLIENT.OURSITE.com under their own domain. I had them create a CNAME record from www.CLIENTSITE.com to CLIENT.OURSITE.com. I then purchased and set up a separate SSL certificate for www.CLIENTSITE.com and created a separate virtual host for it.

However, when I open a browser and go to www.CLIENTSITE.com, I always get an "invalid common name" SSL error, because NGINX is serving the OURSITE.com wildcard certificate instead of the certificate for www.CLIENTSITE.com. NGINX is correctly configured to use SNI.

The nginx configuration for OURSITE looks like this:
upstream app_server {
    server unix:/path/to/gunicorn.sock fail_timeout=0;
}

server {
    listen 80;
    server_name OURSITE.com;
    client_body_buffer_size 2K;
    client_header_buffer_size 2K;
    client_max_body_size 1K;
    server_tokens off;
    if ($request_method !~ ^(GET|HEAD|POST|PATCH)$) {
        return 444;
    }
    return 301 https://www.$host$request_uri;
}

server {
    listen 80;
    server_name *.OURSITE.com;
    error_log /path/to/logs/nginx-error.log;
    access_log /path/to/logs/nginx-access.log;
    client_body_buffer_size 2K;
    client_header_buffer_size 2K;
    client_max_body_size 1K;
    server_tokens off;
    if ($request_method !~ ^(GET|HEAD|POST|PATCH)$) {
        return 444;
    }
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name OURSITE.com;
    root /path/to/root/;
    ssl_certificate /etc/ssl/OURSITE.crt;
    ssl_certificate_key /etc/ssl/OURSITE.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dhparams.pem;
    client_body_buffer_size 2K;
    client_header_buffer_size 2K;
    client_max_body_size 1K;
    server_tokens off;
    if ($request_method !~ ^(GET|HEAD|POST|PATCH)$) {
        return 444;
    }
    return 301 https://www.$host$request_uri;
}

server {
    listen 443 ssl;
    server_name *.OURSITE.com;
    root /path/to/root/;
    ssl_certificate /etc/ssl/OURSITE.crt;
    ssl_certificate_key /etc/ssl/OURSITE.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dhparams.pem;
    client_max_body_size 4G;
    client_body_buffer_size 2K;
    client_header_buffer_size 2K;
    server_tokens off;
    if ($request_method !~ ^(GET|HEAD|POST|PATCH)$) {
        return 444;
    }
    gzip on;
    gzip_types application/x-javascript text/plain text/css text/xml application/xml text/javascript application/json;
    error_log /path/to/logs/nginx-error.log;
    access_log /path/to/logs/nginx-access.log;

    location / {
        # an HTTP header important enough to have its own Wikipedia entry:
        # http://en.wikipedia.org/wiki/X-Forwarded-For
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # enable this if and only if you use HTTPS, this helps Rack
        # set the proper protocol for doing redirects:
        proxy_set_header X-Forwarded-Proto $scheme;

        # pass the Host: header from the client right along so redirects
        # can be set properly within the Rack application
        proxy_set_header Host $http_host;

        # we don't want nginx trying to do something clever with
        # redirects, we set the Host: header above already.
        proxy_redirect off;

        # set "proxy_buffering off" *only* for Rainbows! when doing
        # Comet/long-poll stuff. It's also safe to set if you're
        # only serving fast clients with Unicorn + nginx.
        # Otherwise you _want_ nginx to buffer responses to slow
        # clients, really.
        # proxy_buffering off;

        # Try to serve static files from nginx, no point in making an
        # *application* server like Unicorn/Rainbows! serve static files.
        if (!-f $request_filename) {
            proxy_pass http://app_server;
            break;
        }
    }
}
And the nginx configuration for www.CLIENTSITE.com looks like this:
upstream app_server2 {
    server unix:/path/to/gunicorn.sock fail_timeout=0;
}

server {
    listen 80;
    server_name www.CLIENTSITE.com;
    error_log /path/to/logs/client-nginx-error.log;
    access_log /path/to/logs/client-nginx-access.log;
    client_body_buffer_size 2K;
    client_header_buffer_size 2K;
    client_max_body_size 1K;
    server_tokens off;
    if ($request_method !~ ^(GET|HEAD|POST|PATCH)$) {
        return 444;
    }
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.CLIENTSITE.com;
    root /path/to/root/;
    ssl_certificate /etc/ssl/CLIENTSITE.crt;
    ssl_certificate_key /etc/ssl/CLIENTSITE.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dhparams.pem;
    client_max_body_size 4G;
    client_body_buffer_size 2K;
    client_header_buffer_size 2K;
    server_tokens off;
    if ($request_method !~ ^(GET|HEAD|POST|PATCH)$) {
        return 444;
    }
    gzip on;
    gzip_types application/x-javascript text/plain text/css text/xml application/xml text/javascript application/json;
    error_log /path/to/logs/client-nginx-error.log;
    access_log /path/to/logs/client-nginx-access.log;

    location / {
        # an HTTP header important enough to have its own Wikipedia entry:
        # http://en.wikipedia.org/wiki/X-Forwarded-For
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # enable this if and only if you use HTTPS, this helps Rack
        # set the proper protocol for doing redirects:
        proxy_set_header X-Forwarded-Proto $scheme;

        # pass the Host: header from the client right along so redirects
        # can be set properly within the Rack application
        proxy_set_header Host $http_host;

        # we don't want nginx trying to do something clever with
        # redirects, we set the Host: header above already.
        proxy_redirect off;

        # set "proxy_buffering off" *only* for Rainbows! when doing
        # Comet/long-poll stuff. It's also safe to set if you're
        # only serving fast clients with Unicorn + nginx.
        # Otherwise you _want_ nginx to buffer responses to slow
        # clients, really.
        # proxy_buffering off;

        # Try to serve static files from nginx, no point in making an
        # *application* server like Unicorn/Rainbows! serve static files.
        if (!-f $request_filename) {
            proxy_pass http://app_server2;
            break;
        }
    }
}
And here is what OpenSSL has to say about www.CLIENTSITE.com:
openssl s_client -connect www.CLIENTSITE.com:443 -servername www.CLIENTSITE.com
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.OURSITE.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
-- SNIP --
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.OURSITE.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4980 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: XYZ
Session-ID-ctx:
Master-Key: ABC
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
-- SNIP --
Start Time: 1473804850
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
Thanks!
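As an added illustration for this question (not code from the poster or from nginx), the following Python model reproduces how nginx picks a TLS server block from the SNI name and then checks whether the certificate that block serves actually covers that name, using the three port-443 server blocks and the openssl s_client subject line shown above. It assumes the CLIENTSITE certificate contains only www.CLIENTSITE.com (the question does not show it) and covers only exact and leading-wildcard server names; it shows that www.CLIENTSITE.com should select the client block, while a name no block matches (such as the bare CLIENTSITE.com) falls through to the default server and gets the wildcard certificate, which then fails hostname verification.

```python
import re

# Added model, not nginx's code: how nginx selects a TLS server block from
# the SNI name and whether the certificate it then serves covers the name.
# The 443 server blocks from the posted config, in file order; the first
# block on a listen address is nginx's default server.
SERVERS = [
    ("OURSITE.com", "/etc/ssl/OURSITE.crt"),
    ("*.OURSITE.com", "/etc/ssl/OURSITE.crt"),
    ("www.CLIENTSITE.com", "/etc/ssl/CLIENTSITE.crt"),
]
# subject= line copied from the openssl s_client output in the question.
S_CLIENT_SUBJECT = ("subject=/OU=Domain Control Validated"
                    "/OU=PositiveSSL Wildcard/CN=*.OURSITE.com")

def select_server(sni, servers=SERVERS):
    """nginx order for exact and leading-wildcard names: exact match, then
    longest *.suffix match, else the default (first) server. A client that
    sends no SNI (sni=None) also gets the default server."""
    host = (sni or "").lower()
    for name, cert in servers:                    # 1. exact name
        if name.lower() == host:
            return name, cert
    wild = [(n, c) for n, c in servers             # 2. *.suffix names
            if n.startswith("*.") and host.endswith(n[1:].lower())]
    return max(wild, key=lambda s: len(s[0])) if wild else servers[0]

def cert_covers(cert_names, host):
    """RFC 6125 style match: a wildcard is the whole leftmost label and
    covers exactly one label, so *.OURSITE.com covers CLIENT.OURSITE.com
    but neither OURSITE.com nor www.CLIENTSITE.com."""
    host = host.lower()
    for name in (n.lower() for n in cert_names):
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False

def cn_from_s_client(output):
    """CN from the subject= line printed by openssl s_client."""
    m = re.search(r"^subject=.*?/CN=([^/\n]+)", output, re.M)
    return m.group(1).strip() if m else None

def diagnose(sni):
    """(server_name, cert, cert covers sni) for one SNI value. The client
    cert is assumed to carry only www.CLIENTSITE.com (not shown above)."""
    name, cert = select_server(sni)
    names = {"/etc/ssl/OURSITE.crt": [cn_from_s_client(S_CLIENT_SUBJECT)],
             "/etc/ssl/CLIENTSITE.crt": ["www.CLIENTSITE.com"]}[cert]
    return name, cert, cert_covers(names, sni or "")
```

Call diagnose("www.CLIENTSITE.com"), diagnose("CLIENTSITE.com") and diagnose(None) to compare the block chosen for the SNI name the browser sends, for the bare domain, and for a client that sends no SNI at all.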
I think you need CLIENTSITE.com too (without the WWW) – AlexeyTen

@AlexeyTen I think you mean CLIENTSITE.com should be added - but the CNAME is from www.CLIENTSITE.com to CLIENT.OURSITE.com, so the server name isn't really CLIENTSITE.com – user2030378