
Troubleshooting record: requests jumping to the wrong site after Nginx is configured with an HTTPS server

2025-01-16 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/02 Report--

On most servers, we configure multiple vhosts under one Nginx service to make the most of server resources. However, after enabling HTTPS for one of the vhost domain names, we found requests from other domain names in the real-time visitors and entry pages of Baidu Statistics. That is, a request to https://some-other-domain.com/some-url was answered with the content of the corresponding https://www.domain.com/some-url.

The result is that Google Chrome displays a security warning page and treats the page as insecure, because I only configured the SSL certificate for www.domain.com and the other domain names are not configured.

In that case, search engine crawlers cannot properly access the correct domain name.

Next, the author will show you how to solve this problem.

First of all, let's get the concepts straight: 1) understand the empty host header, because the problem is caused by an improperly configured empty host header; 2) Domain name => IP => Port => Service.

Nginx is not only a high-performance, high-concurrency web server but also a preferred tool for reverse proxying. When we deploy it, the server block in the default configuration (nginx.conf) can match any domain name that points to the server without that name being specified in server_name. That is, as long as a domain's A record points to the server's IP, or its CNAME points to the server, that domain can "clone" the default_server on the server.

We know that vhosts in nginx rely on server_name for routing, but ports can also play the same role.

Therefore, once HTTPS is configured for a vhost, a request over HTTPS for a server_name that is not bound to that vhost (say, some-other-domain.com) cannot be intercepted, because no empty host header is in place for it. In this case some-other-domain.com resolves to the server's IP, the request is sent to IP:443, and the default_server listening on 443 (www.domain.com) naturally returns its content.

Once the concept is clear, the fix is easy: configure the empty host header so that all domain names that are not explicitly bound to a server_name are blocked.

The specific configuration is as follows:

Open the /usr/local/nginx/conf/nginx.conf configuration file and modify or add the default vhost:

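    server {
        # Catch-all for plain HTTP
        listen 80 default_server;
        # Catch-all for HTTPS; default_server is set here as well so this
        # block is chosen for port 443 regardless of where it sits in the file
        listen 443 ssl http2 default_server;

        # "_" is the conventional never-matching name for a catch-all block
        server_name _;
        server_name_in_redirect off;

        # A certificate is still required for the TLS handshake to complete
        ssl_certificate     /path/ssl_cert/ssl.pem;
        ssl_certificate_key /path/ssl_cert/ssl.key;

        error_page 401 402 403 404 /40x.html;
        location = /40x.html {
            root html;
        }

        # Any host name not bound to another vhost gets a 404
        location / {
            return 404;
        }
    }

Now, no matter how many vhosts have HTTPS enabled, requests for unbound domain names will no longer jump to them.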
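The selection behaviour described above can be checked offline with a small model. This is an added example, not code from the original article: it models only exact server_name matches (no wildcards or regexes), and the vhost layout, the "catch-all-404" label and the helper names are constructed for illustration.

```python
# Simplified model of how nginx picks a server block for a request.
# Only exact server_name matches are modelled (no wildcards or regexes).

def pick_server(servers, port, host):
    """Return the id of the vhost that would answer host:port."""
    candidates = [s for s in servers if port in s["listen"]]
    if not candidates:
        return None
    # 1) exact server_name match among blocks listening on this port
    for s in candidates:
        if host in s["server_name"]:
            return s["id"]
    # 2) the block marked default_server for this port
    for s in candidates:
        if port in s.get("default_server", ()):
            return s["id"]
    # 3) otherwise the first block defined for this port
    return candidates[0]["id"]

# Constructed sample layout: only www.domain.com has HTTPS enabled.
BEFORE = [
    {"id": "www.domain.com", "listen": {80, 443},
     "server_name": {"www.domain.com"}},
    {"id": "some-other-domain.com", "listen": {80},
     "server_name": {"some-other-domain.com"}},
]

# Same layout plus a catch-all block that is default_server on both ports.
CATCH_ALL = {"id": "catch-all-404", "listen": {80, 443},
             "server_name": {"_"}, "default_server": {80, 443}}
AFTER = BEFORE + [CATCH_ALL]

def audit(servers, bound_https, probe_hosts):
    """List (host, vhost) pairs where an unbound host reaches a real HTTPS vhost."""
    leaks = []
    for host in probe_hosts:
        answered_by = pick_server(servers, 443, host)
        if host not in bound_https and answered_by != "catch-all-404":
            leaks.append((host, answered_by))
    return leaks

if __name__ == "__main__":
    probes = ["www.domain.com", "some-other-domain.com", "unknown.example"]
    print("before:", audit(BEFORE, {"www.domain.com"}, probes))
    print("after: ", audit(AFTER, {"www.domain.com"}, probes))
```

If the catch-all block is defined after the HTTPS vhost and is not marked default_server on 443, step 3 of the model still hands unbound names to the first HTTPS vhost, which is why the flag matters on that port.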
