Nginx https vhost catches all requests

I am trying to set up a GitLab instance alongside an ownCloud instance on the same server. Both work fine on their own, as long as only one host is enabled.

Strangely, the ownCloud host captures every request to the server, even though its site configuration says it should only catch its own domain, which prevents the GitLab vhost from answering.

ownCloud:

    upstream php-handler {
        # server 127.0.0.1:9000;
        server unix:/var/run/php5-fpm.sock;
    }

    server {
        listen 80;
        server_name cloud.example.com;
        return 301 https://$server_name$request_uri;  # enforce https
    }

    server {
        listen 443 ssl;
        server_name cloud.example.com;

        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

        # Don't show version
        server_tokens off;

        # Have separate logs for this vhost
        access_log /var/log/nginx/owncloud_access.log;
        error_log /var/log/nginx/owncloud_error.log;

        # Path to the root of your installation
        root /usr/share/nginx/owncloud;

        client_max_body_size 10G;  # set max upload size
        fastcgi_buffers 64 4K;

        rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
        rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
        rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;

        index index.php;
        error_page 403 /core/templates/403.php;
        error_page 404 /core/templates/404.php;

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        location ~ ^/(?:\.|data|config|db_structure\.xml|README) {
            deny all;
        }

        location / {
            # The following 2 rules are only needed with webfinger
            rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
            rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

            rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
            rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;

            rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

            try_files $uri $uri/ index.php;
        }

        location ~ \.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            fastcgi_connect_timeout 120;
            fastcgi_pass php-handler;
        }

        # Optional: set long EXPIRES header on static assets
        location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
            expires 30d;
            # Optional: Don't log access to assets
            access_log off;
        }
    }

It should only catch requests for cloud.domain.com, shouldn't it?

GitLab configuration:

    upstream gitlab {
        server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
    }

    ## This is a normal HTTP host which redirects all traffic to the HTTPS host.
    server {
        listen *:80 default_server;
        server_name git.example.com;  ## Replace this with something like gitlab.example.com
        server_tokens off;            ## Don't show the nginx version number, a security best practice
        root /nowhere;                ## root doesn't have to be a valid path since we are redirecting
        rewrite ^ https://$server_name$request_uri permanent;
    }

    server {
        listen 443 ssl;
        server_name git.example.com;  ## Replace this with something like gitlab.example.com
        server_tokens off;            ## Don't show the nginx version number, a security best practice

        root /home/git/gitlab/public;

        ## Increase this if you want to upload large attachments
        ## Or if you want to accept large git objects over http
        client_max_body_size 512M;

        ## Strong SSL Security
        ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
        ssl on;
        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

        ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_prefer_server_ciphers on;

        add_header Strict-Transport-Security max-age=63072000;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;

        ## Individual nginx logs for this GitLab vhost
        access_log /var/log/nginx/gitlab_access.log;
        error_log /var/log/nginx/gitlab_error.log;

        location / {
            ## Serve static files from defined root folder.
            ## @gitlab is a named location for the upstream fallback, see below.
            try_files $uri $uri/index.html $uri.html @gitlab;
        }

        ## If a file which is not found in the root folder is requested,
        ## then proxy the request to the upstream (gitlab unicorn).
        location @gitlab {
            ## If you use https make sure you disable gzip compression
            ## to be safe against BREACH attack.
            gzip off;

            ## https://github.com/gitlabhq/gitlabhq/issues/694
            ## Some requests take more than 30 seconds.
            proxy_read_timeout 300;
            proxy_connect_timeout 300;
            proxy_redirect off;

            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Frame-Options SAMEORIGIN;

            proxy_pass http://gitlab;
        }

        ## Enable gzip compression as per rails guide:
        ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
        ## WARNING: If you are using relative urls do remove the block below
        ## See config/application.rb under "Relative url support" for the list of
        ## other files that need to be changed for relative url support
        location ~ ^/(assets)/ {
            root /home/git/gitlab/public;
            gzip_static on;  # to serve pre-gzipped version
            expires max;
            add_header Cache-Control public;
        }

        error_page 502 /502.html;
    }

EDIT: With plain HTTP everything works as expected with multiple vhosts. The problem starts with SSL. Yes, nginx has SNI enabled (nginx -V says so).

Thanks for your help; I am sure there is an expert out there who knows the answer. 🙂

http://nginx.org/en/docs/http/request_processing.html (which has examples):

 In this configuration nginx tests only the request's header field “Host” to determine which server the request should be routed to. If its value does not match any server name, or the request does not contain this header field at all, then nginx will route the request to the default server for this port. In the configuration above, the default server is the first one — which is nginx's standard default behaviour. It can also be set explicitly which server should be default, with the default_server parameter in the listen directive 

So if you do not want this server to be the default for requests on port 443, you need to define another server before it, or use the default_server parameter in the listen directive.
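As an added example (not part of the original answer, and not taken from the ownCloud or GitLab sample configs above), this is the second option the answer describes: a dedicated `default_server` on port 443 that answers nothing, so that neither application vhost ever receives requests for a name it does not serve, whether the client sent no SNI, an unknown SNI, or a Host header that matches no `server_name`. The file name `/etc/nginx/sites-enabled/00-default.conf` and the snakeoil certificate paths are assumptions; any certificate will do, since the only purpose of the certificate here is to let the handshake complete before the connection is dropped.

```nginx
# /etc/nginx/sites-enabled/00-default.conf  (assumed file name; it sorts first,
# but the default_server flag makes load order irrelevant anyway)

server {
    # Explicit default for port 443: wins over "first server block defined on this
    # port". Exactly one server per address:port may carry default_server.
    listen 443 ssl default_server;

    # "_" is an invalid hostname used by convention as a name that never matches.
    server_name _;

    # A certificate is required to complete the TLS handshake for clients that
    # send no SNI or an SNI we do not serve. Assumed paths, any cert works.
    ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    # On nginx >= 1.19.4 you can instead refuse the handshake outright, which
    # also removes the need for a certificate in this block:
    # ssl_reject_handshake on;

    # 444 is nginx-specific: close the connection without sending a response.
    return 444;
}

# The application vhosts stay as they are, each with its own server_name and
# WITHOUT default_server, e.g.:
#
#   server { listen 443 ssl; server_name cloud.example.com; ... }
#   server { listen 443 ssl; server_name git.example.com;   ... }
```

Do not add a matching `default_server` block for port 80 without first removing the flag from the GitLab HTTP block (`listen *:80 default_server;`): nginx refuses to start with "a duplicate default server" when two blocks claim it for the same address:port. To confirm which block answers, `nginx -T` prints the effective configuration in load order, and `openssl s_client -connect 127.0.0.1:443 -servername git.example.com` versus `-servername bogus.example` shows which certificate is presented; with `ssl_reject_handshake on` the second handshake fails instead of returning the ownCloud front page.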