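After configuring multiple domains and some subdomains to run under nginx, I managed to get multiple server blocks working. That still left the messy result shown below.
This is after setting up the multiple domains, creating certificates with certbot, and editing the nginx configuration files.
Looking at the nginx configuration files, it is obvious this would be clearer if the commented-out lines were removed from the original default configuration file. Some strange, apparent duplication of the domains' server blocks can still be seen in the default configuration file.
I serve static files under nginx for domain.tld and www.domain.tld, and nodejs serves blah.domain.tld, so this mix may vary in the future.
So, some quick questions about good/bad practice.
- One certificate covering domain.tld, www.domain.tld and blah.domain.tld?
- Should /etc/nginx/blah.domain.tld-available/default exclude all server block references to the individual domains that are configured in /etc/nginx/site-available/domain.tld?
- It seems certbot edited /etc/nginx/sites-available/default to add references to the individual domains' certificates. I am reluctant to edit any configuration file edited by certbot, but the duplicated mess suggests a cleanup is possible.
Also: what might the suspicious symbols be?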
sudo nginx -t
nginx: [warn] server name "blah.domain.tld/" has suspicious symbols in /etc/nginx/sites-enabled/blah.domain.tld:41
nginx: [warn] conflicting server name "www.domain.tld" on [::]:443, ignored
nginx: [warn] conflicting server name "blah.domain.tld" on [::]:443, ignored
nginx: [warn] conflicting server name "www.domain.tld" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "blah.domain.tld" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "www.domain.tld" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "blah.domain.tld" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.domain.tld" on [::]:80, ignored
nginx: [warn] conflicting server name "blah.domain.tld" on [::]:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
ubuntu@blah:/etc/nginx/sites-available$ grep -rn ' domain.tld' /etc/nginx/sites-available/
/etc/nginx/sites-available/domain.tld:39: server_name domain.tld;
/etc/nginx/sites-available/domain.tld:96: if ($host = domain.tld) {
/etc/nginx/sites-available/domain.tld:104: server_name domain.tld;
ubuntu@blah:/etc/nginx/sites-available$ grep -rn ' www.domain.tld' /etc/nginx/sites-available/
/etc/nginx/sites-available/blah.domain.tld:110: server_name www.domain.tld; # managed by Certbot
/etc/nginx/sites-available/blah.domain.tld:148: if ($host = www.domain.tld) {
/etc/nginx/sites-available/blah.domain.tld:155: server_name www.domain.tld;
/etc/nginx/sites-available/default:110: server_name www.domain.tld; # managed by Certbot
/etc/nginx/sites-available/default:148: if ($host = www.domain.tld) {
/etc/nginx/sites-available/default:155: server_name www.domain.tld;
ubuntu@blah:/etc/nginx/sites-available$ grep -rn ' blah.domain.tld' /etc/nginx/sites-available/
/etc/nginx/sites-available/blah.domain.tld:41: server_name blah.domain.tld/;
/etc/nginx/sites-available/blah.domain.tld:182: server_name blah.domain.tld; # managed by Certbot
/etc/nginx/sites-available/blah.domain.tld:219: if ($host = blah.domain.tld) {
/etc/nginx/sites-available/blah.domain.tld:226: server_name blah.domain.tld;
/etc/nginx/sites-available/default:182: server_name blah.domain.tld; # managed by Certbot
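/etc/nginx/sites-available/default:219: if ($host = blah.domain.tld) {
/etc/nginx/sites-available/default:226: server_name blah.domain.tld;
Posted on 2018-11-08 01:54:01
Apologies for the messy question, and thanks for the initial answer. After sleeping on it, the way to solve the problem became obvious.
A copy of the now-working /etc/nginx/sites-available/default is below. Obviously, as best practice, this should be split into default, domain.tld & subdomain.domain.tld, and the symlinks cleaned up.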
# Default server configuration
#
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html;
    server_name _;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
}
server {
    root /var/www/domain.tld/html;
    index index.html;
    server_name www.domain.tld domain.tld; # managed by Certbot
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
#redirect from http to https for www.domain.tld
server {
    if ($host = www.domain.tld) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 ;
    listen [::]:80 ;
    server_name www.domain.tld;
    return 404; # managed by Certbot
}
#redirect from http to https for domain.tld
server {
    if ($host = domain.tld) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 ;
    listen [::]:80 ;
    server_name domain.tld;
    return 404; # managed by Certbot
}
server {
    root /var/www/subdomain.domain.tld/html;
    index index.html;
    server_name subdomain.domain.tld; # managed by Certbot
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        #try_files $uri $uri/ =404;
        proxy_pass http://localhost:4000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = subdomain.domain.tld) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 ;
    listen [::]:80 ;
    server_name subdomain.domain.tld;
    return 404; # managed by Certbot
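}
The underlying problem was that certbot, when adding the certificate for the subdomain, duplicated the server blocks in default, where the original certificate for the domain had been created.
The fix was to delete the separate server configuration files and clean up all the server blocks in default until things started working.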
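The duplication described in the answer above can be found mechanically before running `nginx -t`. The following is an added example, not code from either poster: a simplified parser (it ignores `include` directives and quoted strings) that reports every listen address and server name pair declared more than once across enabled files, plus names containing `/`, the character that triggers the "suspicious symbols" warning. The file contents in `SAMPLE` are constructed to mirror the grep output in the question.

```python
import re
from collections import defaultdict

# Constructed sample: the same names declared in two enabled files, as on this page.
SAMPLE = {
    "default": """
server {
    listen 443 ssl; listen [::]:443 ssl;
    server_name www.domain.tld; # managed by Certbot
}
server {
    if ($host = blah.domain.tld) { return 301 https://$host$request_uri; }
    listen 80; listen [::]:80;
    server_name blah.domain.tld;
}""",
    "blah.domain.tld": """
server { listen 80; server_name blah.domain.tld/; }
server { listen 443 ssl; listen [::]:443 ssl; server_name www.domain.tld; }
server { listen 80; listen [::]:80; server_name blah.domain.tld; }""",
}

def server_blocks(text):
    """Yield the body of each server { ... } block, matching nested braces."""
    text = re.sub(r"#[^\n]*", "", text)              # strip comments
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def audit(files):
    """Return ({(listen, name): [files]} declared twice or more, [(file, name)] with '/')."""
    seen, suspicious = defaultdict(list), []
    for fname, text in files.items():
        for body in server_blocks(text):
            listens = [a.split()[0] for a in re.findall(r"\blisten\s+([^;]+);", body)]
            # A bare port means all IPv4 addresses, which nginx reports as 0.0.0.0:port.
            listens = ["0.0.0.0:" + a if a.isdigit() else a for a in listens]
            names = " ".join(re.findall(r"\bserver_name\s+([^;]+);", body)).split()
            for name in names:
                if "/" in name:
                    suspicious.append((fname, name))
                for addr in listens:
                    seen[(addr, name)].append(fname)
    return {k: v for k, v in seen.items() if len(v) > 1}, suspicious

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

To run it against a live host, build the `files` dict from the contents of `/etc/nginx/sites-enabled/` instead of `SAMPLE`.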
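Posted on 2018-11-07 07:38:49
The "conflicting server name" problem may occur because you have configured two different server blocks listening on the same URI, one for IPv6 and the other for IPv4.
I think you should create one server block that listens on both IPv4 and IPv6.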
https://serverfault.com/questions/938935