我有一个服务器运行在一个子域configuration像这样:
server { listen 80 default_server; listen [::]:80 default_server; server_name x.example.com; return 301 https://$server_name$request_uri; } server { listen 443 ssl; listen [::]:443 ssl; <ssl configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=no&profile=modern> ssl_client_certificate /etc/ssl/certs/root-ca.crt; ssl_verify_client on; ssl_verify_depth 2; root /var/www/html; index index.html index.htm; location / { try_files $uri $uri/ =404; } } 目前,我使用自己的根CA作为客户端validation和服务器的主要证书。 我想过渡到使用Let's Encrypt证书,但这会带来一个问题,因为Let's Encryptvalidation过程将需要访问x.example.com/.well-known并且没有匹配的客户端证书。
我已经尝试添加像这样的第二个服务器块,如这里推荐,但我一直无法得到它的工作:
server { listen 443 ssl; listen [::]:443 ssl; server_name x.example.com; <same Mozilla configuration--I've got it stored as a snippet> ssl_verify_client off; root /var/www/html; index index.html index.htm; location /.well-known { try_files $uri $uri/ =404; } }
什么是适当的方法来做到这一点?
让我们encryption并不寻找HTTPS的挑战,所以你可以简单地设置这样的东西:
server { listen 80 default_server; listen [::]:80 default_server; server_name x.example.com; location /.well-known { try_files $uri $uri/ =404; } location / { return 301 https://$server_name$request_uri; } } server { listen 443 ssl; listen [::]:443 ssl; <ssl configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=no&profile=modern> ssl_client_certificate /etc/ssl/certs/root-ca.crt; ssl_verify_client on; ssl_verify_depth 2; root /var/www/html; index index.html index.htm; location / { try_files $uri $uri/ =404; } }