We use Nginx as a reverse proxy and want to allow website visitors to download files from Azure Blob storage.
server {
    listen 443;
    ssl_certificate     /sslcert/ssl.crt;
    ssl_certificate_key /sslcert/com.key;
    server_name get.domain.com;

    location / {
        proxy_redirect off;
        proxy_pass http://oururl.blob.core.windows.net/;
    }
}
However, HSTS does not allow this request, because the backend presents a certificate with a different common name (?). Even with HSTS disabled, we still see a warning about the authenticity of the host.
Strangely, we are using proxy_pass to a local backend without any problems.
Works:
/home/user# curl get.domain.com
<?xml version="1.0" encoding="utf-8"?><Error><Code>InvalidQueryParameterValue</Code><Message>Value for one of the query parameters specified in the request URI is invalid.
Does not work:
/home/user# curl https://get.domain.com
curl: (51) SSL: no alternative certificate subject name matches target host name 'get.domain.com'
Finally: yes, we are aware of the subdomain masking feature of Azure Storage. We do not use it because we forward our subdomain to the Nginx IP for custom handling.
Update:
curl -k -v get.domain.com
* Hostname was NOT found in DNS cache
*   Trying 140.17.8.10...
* Connected to get.domain.com (140.17.8.10) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA384
* Server certificate:
*   subject: CN=*.blob.core.windows.net
*   start date: 2015-06-10 01:45:43 GMT
*   expire date: 2017-06-09 01:45:43 GMT
*   issuer: C=US; ST=Washington; L=Redmond; O=Microsoft Corporation; OU=Microsoft IT; CN=Microsoft IT SSL SHA2
*   SSL certificate verify ok.
> GET /releases/RELEASES HTTP/1.1
> User-Agent: curl/7.35.0
> Host: get.domain.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Length: 79
< Content-Type: application/octet-stream
< Content-MD5: IK8vn1QxUXipiqosdijfdA==
< Last-Modified: Tue, 05 Jan 2016 07:03:15 GMT
< ETag: 0x8D3159E48B72E88
* Server Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 is not blacklisted
< Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
< x-ms-request-id: XXXXXX-XXXXX-XXXXXXXXXXXX
< x-ms-version: 2009-09-19
< x-ms-lease-status: unlocked
< x-ms-blob-type: BlockBlob
< Date: Sat, 09 Jan 2016 06:46:43 GMT
<
* Connection #0 to host get.domain.com left intact
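The curl error 51 above is the client's hostname check failing: the certificate it received names `*.blob.core.windows.net`, which covers the storage account's own hostname but not `get.domain.com`. The following is an added example (not code from the original post) that reproduces that check with RFC 6125-style wildcard matching, where `*` stands for exactly one left-most DNS label; the certificate name list is constructed from the `curl -v` output shown in the question.

```python
# Constructed from the "subject: CN=*.blob.core.windows.net" line of the
# curl -v output in the question; a real check would read the SAN list.
BACKEND_CERT_NAMES = ["*.blob.core.windows.net"]


def label_matches(pattern: str, label: str) -> bool:
    """Compare one DNS label; '*' covers exactly one whole label."""
    if pattern == "*":
        return True
    return pattern.lower() == label.lower()


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """True if cert_name (possibly a wildcard) covers hostname.

    Rules applied: label counts must be equal (so '*' never spans several
    labels), and a wildcard may only appear as the left-most label.
    """
    p_labels = cert_name.split(".")
    h_labels = hostname.rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if any("*" in lbl for lbl in p_labels[1:]):
        return False
    return all(label_matches(p, h) for p, h in zip(p_labels, h_labels))


def verify_hostname(cert_names, hostname):
    """Return the certificate name that covers hostname, or None.

    None corresponds to curl's "(51) SSL: no alternative certificate subject
    name matches target host name" from the question.
    """
    for name in cert_names:
        if hostname_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    for host in ("get.domain.com",                  # the proxy's public name
                 "oururl.blob.core.windows.net",    # the upstream blob host
                 "a.b.blob.core.windows.net"):      # too many labels for '*'
        print(f"{host:32} -> {verify_hostname(BACKEND_CERT_NAMES, host)}")
```

The upstream name is covered by the wildcard while the proxy's own hostname is not, which is why only the public name `get.domain.com` fails verification when the blob service's certificate is what reaches the client.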