1 Preface
One problem, one article, one story.
My company hired a security vendor to scan our public-facing domain names. The production server is a reverse proxy that serves several domains. Sometimes a port is dedicated to domain A, yet when the scanner probes domain B it treats that open port as belonging to domain B as well; because the port presents A's certificate, the scanner reports a certificate mismatch.
This was a constant nuisance, so I decided to use variables to select the certificate dynamically from the domain name the client asks for, which resolves the reported mismatch between domain and certificate.
2 Best practice
2.1 Preparation
2.1.1 Confirm that nginx supports SNI and variables in certificate paths
nginx -V 2>&1 | grep -i SNI
You should see the following line:
TLS SNI support enabled
The same nginx -V output also shows the version and build options. Using variables in ssl_certificate and ssl_certificate_key requires nginx 1.15.9 or later built against OpenSSL 1.0.2 or later, and $ssl_server_name requires nginx 1.7.0 or later. Note the --prefix value as well: relative file names in ssl_certificate are resolved against it, and it is not /etc/nginx on every distribution's package.
2.1.2 Prepare the certificates
cp wildcard.cmdschool.org.crt /etc/nginx/
cp wildcard.cmdschool.org.key /etc/nginx/
cp wildcard.cmdschool.com.crt /etc/nginx/
cp wildcard.cmdschool.com.key /etc/nginx/
cp wildcard.cmdschool.net.crt /etc/nginx/
cp wildcard.cmdschool.net.key /etc/nginx/
cp wildcard.cmdschool.cn.crt /etc/nginx/
cp wildcard.cmdschool.cn.key /etc/nginx/
Check the ownership and mode of the .key files. With a static ssl_certificate_key the master process reads the key as root at startup, but once the path contains a variable the worker process opens the files during each TLS handshake, so they must be readable by the account in the user directive (and by nobody else).
2.2 Configure dynamic certificate loading
2.2.1 Prepare the domain-to-certificate mapping table
vim /etc/nginx/public/ssl_map.conf
Add the following:
map $ssl_server_name $certificate_name {
    www.cmdschool.com wildcard.cmdschool.com;
    www.cmdschool.net wildcard.cmdschool.net;
    www.cmdschool.cn  wildcard.cmdschool.cn;
    default           wildcard.cmdschool.org;
}
$ssl_server_name holds the host name the client sent in the TLS SNI extension. map compares it case-insensitively and falls back to default when nothing matches, which also covers clients that send no SNI at all (the variable is then empty), so always keep a default entry: an empty $certificate_name would make nginx try to open ".crt" and fail the handshake. Note that this table only lists the www hosts; any other name under cmdschool.com, .net or .cn falls through to the .org certificate, which is exactly the mismatch the scanner reports. Either list every host you serve, or add the hostnames parameter of map and use leading-dot entries such as .cmdschool.com, which match the bare domain and every subdomain and so fit a wildcard certificate.
Then load this file from the main configuration:
vim /etc/nginx/nginx.conf
Add the following:
http {
    #...
    include /etc/nginx/public/ssl_map.conf;
    include /etc/nginx/conf.d/*.conf;
    #...
}
2.2.2 Prepare the certificate configuration file
vim /etc/nginx/public/ssl_default.conf
Add the following:
ssl_certificate /etc/nginx/${certificate_name}.crt;
ssl_certificate_key /etc/nginx/${certificate_name}.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers on;
Notes: ssl_certificate and ssl_certificate_key accept variables since nginx 1.15.9 (with OpenSSL 1.0.2 or later). Three things change once the path contains a variable. The certificate and key are read from disk and parsed on every TLS handshake instead of once at startup, which costs CPU on a busy proxy. nginx -t can no longer verify that the files exist, so a typo in the map only shows up as a failed handshake in the error log. And the files are opened by the worker process, not the master, so they must be readable by the worker user. An absolute path is used above because a relative one is resolved against the build-time prefix shown by nginx -V, which is not /etc/nginx everywhere. Only cipher names OpenSSL actually knows are listed; names such as ECDHE-RSA-AES256-GCM-SHA512, which appear in many copied cipher lists, do not exist and would be silently ignored.
2.2.3 Include the certificate configuration
vim /etc/nginx/conf.d/www.cmdschool.org_443.conf
Add the following:
server {
    listen 443 ssl;
    #...
    include /etc/nginx/public/ssl_default.conf;
    #...
}
Add the same include to every server block that listens with ssl, including a block that serves a single domain on a dedicated port: with the map in place, that block presents the certificate matching whatever name the client sent, which is what silences the scanner's finding. Then check the configuration:
nginx -t
This validates only the syntax; with variable paths it does not open the certificate files. Then reload so the configuration takes effect:
systemctl reload nginx
2.3 Test dynamic certificate loading
openssl s_client -connect www.cmdschool.org:443 -servername www.cmdschool.org
openssl s_client -connect www.cmdschool.com:443 -servername www.cmdschool.com
openssl s_client -connect www.cmdschool.net:443 -servername www.cmdschool.net
openssl s_client -connect www.cmdschool.cn:443 -servername www.cmdschool.cn
-servername sets the SNI, which is what the scanner sends. In each output confirm that the handshake completes and that the subject and subjectAltName of the returned certificate cover the name given to -servername. To reproduce the scanner's behaviour against a dedicated port, keep -connect pointed at that host and port but pass the other domain's name to -servername. With OpenSSL 1.1.1 or later, add -noservername to see what a client without SNI receives; that should be the map's default certificate.
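The mapping table in 2.2.1 and the s_client checks in 2.3 only show what nginx serves after a reload. The following Python script is an added example, not code from the original post or from nginx: it re-implements the documented map matching rules so a table can be dry-run offline against the names a scanner will send (including an empty SNI), and it lists referenced certificate files that are missing, which nginx -t cannot do once the path contains a variable. The CertMap class, the function names and both sample tables are assumptions for illustration; the second table uses the hostnames parameter of map, which the post's table does not, to show how a leading-dot entry covers a whole domain.

```python
"""Dry-run an nginx `map $ssl_server_name $certificate_name` table offline.

Added example, not code from the original post. It models the documented
ngx_http_map_module rules (case-insensitive keys, `default` when nothing
matches, and with `hostnames` the .example.com / *.example.com suffix masks)
to show which certificate nginx would serve for each SNI a scanner sends.
Regex and example.* keys are not modelled; all sample data is constructed.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CertMap:
    exact: Dict[str, str] = field(default_factory=dict)   # www.example.com -> name
    suffix: Dict[str, str] = field(default_factory=dict)  # example.com -> name (*.example.com)
    default: Optional[str] = None
    hostnames: bool = False


def parse_map(text: str) -> CertMap:
    """Parse the body of `map $ssl_server_name $certificate_name { ... }`."""
    block = re.search(r"map\s+\$ssl_server_name\s+\$\w+\s*\{(.*)\}", text, re.S)
    if not block:
        raise ValueError("no map $ssl_server_name block found")
    body = "\n".join(re.sub(r"#.*", "", ln) for ln in block.group(1).splitlines())
    cm = CertMap()
    for raw in body.split(";"):                      # one directive per ';'
        parts = raw.split()
        if parts == ["hostnames"]:
            cm.hostnames = True
        elif len(parts) == 2 and not parts[0].startswith("~"):
            key, value = parts[0].lower(), parts[1]
            if key == "default":
                cm.default = value
            elif cm.hostnames and key.startswith("."):   # bare name and subdomains
                cm.exact[key[1:]] = cm.suffix[key[1:]] = value
            elif cm.hostnames and key.startswith("*."):  # subdomains only
                cm.suffix[key[2:]] = value
            else:
                cm.exact[key] = value
        elif parts:
            raise ValueError(f"unsupported map entry: {raw.strip()!r}")
    return cm


def resolve(cm: CertMap, sni: str) -> Optional[str]:
    """$certificate_name for one SNI; pass "" for a client that sent none.

    None means an empty value: nginx would try to open ".crt" and fail the
    handshake, so always keep a `default` entry.
    """
    host = sni.lower()
    if host in cm.exact:
        return cm.exact[host]
    if cm.hostnames:                                 # longest suffix mask wins
        for suf in sorted(cm.suffix, key=len, reverse=True):
            if host.endswith("." + suf):
                return cm.suffix[suf]
    return cm.default


def missing_files(cm: CertMap, cert_dir: str) -> List[str]:
    """Referenced <name>.crt/.key files absent from cert_dir. `nginx -t` no
    longer checks them once the path holds a variable; a typo fails at handshake."""
    names = set(cm.exact.values()) | set(cm.suffix.values()) | ({cm.default} - {None})
    paths = [os.path.join(cert_dir, n + e) for n in sorted(names) for e in (".crt", ".key")]
    return [p for p in paths if not os.path.isfile(p)]


# Constructed table shaped like the post's ssl_map.conf: only the www hosts are listed.
EXACT_ONLY = """
map $ssl_server_name $certificate_name {
    www.cmdschool.com wildcard.cmdschool.com;
    www.cmdschool.net wildcard.cmdschool.net;
    www.cmdschool.cn  wildcard.cmdschool.cn;
    default           wildcard.cmdschool.org;  # also served when no SNI is sent
}
"""

# Constructed variant: with `hostnames`, one leading-dot entry covers a whole domain.
WITH_HOSTNAMES = """
map $ssl_server_name $certificate_name {
    hostnames;
    .cmdschool.com wildcard.cmdschool.com;
    .cmdschool.net wildcard.cmdschool.net;
    .cmdschool.cn  wildcard.cmdschool.cn;
    default        wildcard.cmdschool.org;
}
"""

if __name__ == "__main__":
    probes = ["www.cmdschool.com", "mail.cmdschool.com", "cmdschool.com",
              "WWW.CMDSCHOOL.NET", "cmdschool.com.example", ""]
    for label, cfg in (("exact-only", EXACT_ONLY), ("hostnames", WITH_HOSTNAMES)):
        cm = parse_map(cfg)
        print(label, {sni or "<no SNI>": resolve(cm, sni) for sni in probes})
    print("missing:", missing_files(parse_map(WITH_HOSTNAMES), "/etc/nginx"))
```

Run it with python3 and compare the two dictionaries: with the exact-only table, mail.cmdschool.com and the bare cmdschool.com both resolve to wildcard.cmdschool.org, the very mismatch the scanner complains about, while the hostnames table resolves them to wildcard.cmdschool.com. Point missing_files at the directory the ssl_certificate paths resolve to (/etc/nginx in the configuration above) before reloading.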
References
======================
Official documentation
——————–
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables
http://nginx.org/en/docs/http/configuring_https_servers.html#Server%20Name%20Indication
http://nginx.org/en/docs/http/ngx_http_map_module.html#map
Unofficial documentation
—————
https://www.cnblogs.com/hugetong/p/11727275.html
https://serverfault.com/questions/505015/nginx-use-server-name-on-ssl-certificate-path