For a web service we have two certificates: myservice.com and api.myservice.com. Both serve the same application (same document root), but over HTTPS with different certificates. Unfortunately we do not have a dual-domain certificate yet.
Currently I have to define two server blocks, each pointing at the same root. The only difference is the ssl_certificate directive, which can only be declared at the http or server level.
Still, is there a way to avoid copy/pasting the server blocks? Here is a sample configuration:
    server {
        listen 443;
        server_name .myservice.com;
        root /var/www/myservice.com/public;
        include conf.d/common.conf.inc;
        ssl on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
        ssl_session_cache shared:SSL:5m;
        ssl_session_timeout 10m;
        ssl_certificate /path/to/myservice.com.bundle.crt;
        ssl_certificate_key /path/to//myservice.com.key;
        ssl_prefer_server_ciphers on;
    }

    server {
        listen 443;
        server_name api.myservice.com;
        root /var/www/myservice.com/public;
        include conf.d/common.conf.inc;
        ssl on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
        ssl_session_cache shared:SSL:5m;
        ssl_session_timeout 10m;
        ssl_certificate /path/to/api.myservice.com.bundle.crt;
        ssl_certificate_key /path/to//myservice.com.key;
        ssl_prefer_server_ciphers on;
    }
/EDIT: As requested, here is the output of nginx -V:
    nginx version: nginx/1.2.7
    TLS SNI support enabled
    configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-debug --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.2.7/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.2.7/debian/modules/chunkin-nginx-module --add-module=/build/buildd/nginx-1.2.7/debian/modules/headers-more-nginx-module --add-module=/build/buildd/nginx-1.2.7/debian/modules/nginx-development-kit --add-module=/build/buildd/nginx-1.2.7/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.2.7/debian/modules/nginx-http-push --add-module=/build/buildd/nginx-1.2.7/debian/modules/nginx-lua --add-module=/build/buildd/nginx-1.2.7/debian/modules/nginx-upload-module --add-module=/build/buildd/nginx-1.2.7/debian/modules/nginx-upload-progress --add-module=/build/buildd/nginx-1.2.7/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.2.7/debian/modules/nginx-dav-ext-module
You already know (and are using) the answer! Just include the common parts from a separate file.
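The include approach carried through, as an added example that is not part of the original question or answers. Because ssl_certificate and ssl_certificate_key are only valid in the http and server contexts, they cannot be pulled into a shared snippet or into a conditional; the shared snippet therefore carries everything else, and each server block keeps only what actually differs. The file name conf.d/ssl-common.conf.inc is an assumption of this example, the paths follow the question, and the ssl_protocols/ssl_ciphers policy is this example's own choice rather than the question's list (which enables RC4 and TLSv1/TLSv1.1).

```nginx
# --- conf.d/ssl-common.conf.inc (assumed file name; shared by every HTTPS vhost) ---
# Everything that does not depend on which certificate is served lives here.
root    /var/www/myservice.com/public;
include conf.d/common.conf.inc;

ssl_session_cache         shared:SSL:5m;
ssl_session_timeout       10m;
ssl_prefer_server_ciphers on;

# Cipher/protocol policy is an assumption of this example, not the question's.
ssl_protocols TLSv1.2;
ssl_ciphers   ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!MD5:!RC4;

# --- nginx.conf, http context ---
# Each server block now carries only the name and the certificate pair.
server {
    listen 443 ssl;
    server_name .myservice.com;
    ssl_certificate     /path/to/myservice.com.bundle.crt;
    ssl_certificate_key /path/to/myservice.com.key;
    include conf.d/ssl-common.conf.inc;
}

server {
    listen 443 ssl;
    server_name api.myservice.com;
    ssl_certificate     /path/to/api.myservice.com.bundle.crt;
    ssl_certificate_key /path/to/myservice.com.key;
    include conf.d/ssl-common.conf.inc;
}
```

Two things to check after the change: run `nginx -t` before reloading, and remember that two certificates on one IP:443 are selected by SNI (the nginx -V output above shows "TLS SNI support enabled"), so a client that does not send SNI is handed the certificate of the default server for that port. Much newer nginx releases (1.15.9 and later, with OpenSSL 1.0.2 or newer) also accept variables in ssl_certificate, which would allow a single server block, at the cost of re-reading the certificate file on every handshake; that option does not exist on the 1.2.7 build shown here.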
You can avoid duplicating the virtual hosts by using "if" like this and defining a single virtual host:
    server {
        listen 443;
        server_name .myservice.com api.myservice.com;
        root /var/www/myservice.com/public;
        include conf.d/common.conf.inc;
        ssl on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
        ssl_session_cache shared:SSL:5m;
        ssl_session_timeout 10m;
        ssl_prefer_server_ciphers on;
        if ($server_name = .myservice.com) {
            ssl_certificate /path/to/myservice.com.bundle.crt;
            ssl_certificate_key /path/to//myservice.com.key;
        }
        if ($server_name = api.myservice.com) {
            ssl_certificate /path/to/api.myservice.com.bundle.crt;
            ssl_certificate_key /path/to//myservice.com.key;
        }
        ...
    }