nginx default_site似乎不能正常工作

Question

我已经将docker中的nginx作为反向代理运行，并且已经有一段时间了 - 而且它工作起来很奇妙，缺少我最近看到的一个小问题。

我想要的是：当用户访问我的nginx服务器，并且没有为该URL指定一个.conf文件时，404/444或其他一些HTTP连接断开的响应。

我所看到的：当用户浏览到sudomain.url.com并没有在我的任何* conf文件指定的子域名，Nginx的使用它找到的第一个文件CONF - 忽略默认.conf文件。在下面找到我的细节。

您可以提供的任何其他提示/技巧也会非常棒！

nginx.conf：

user nginx; 
worker_processes 1; 

error_log /etc/nginx/log/error.log warn; 
pid  /var/run/nginx.pid; 


events { 
    worker_connections 1024; 
} 


http { 

    include  /etc/nginx/mime.types; 
    default_type application/octet-stream; 

    log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 
         '$status $body_bytes_sent "$http_referer" ' 
         '"$http_user_agent" "$http_x_forwarded_for"'; 

    access_log /etc/nginx/log/access.log main; 

    sendfile  on; 
    #tcp_nopush  on; 

    keepalive_timeout 70; 

    #gzip on; 

    include /etc/nginx/conf.d/*.conf; 
} 

default.conf：conf文件的

server { 
    server_name _; 
    listen 80 default_server; 
    return 444; 
} 

server { 
    server_name _; 
    listen 443 default_server; 
    return 444; 
} 

实施例（有可能这些的打）：

server { 
    listen sub.domain.com:80; 
    server_name sub.domain.com; 
    return 302 https://sub.domain.com$request_uri; 
} 

server { 
    listen sub.domain.com:443; 
    server_name sub.domain.com; 

    ssl_certificate /etc/nginx/keys/ssl.pem; 
    ssl_certificate_key /etc/nginx/keys/ssl.key; 

    ssl on; 
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC4-SHA'; 
    ssl_prefer_server_ciphers on; 
    ssl_dhparam /etc/nginx/keys/dhparams.pem; 

    add_header X-Frame-Options SAMEORIGIN; 
    add_header X-XSS-Protection "1; mode=block"; 
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; 

    location/{ 
     proxy_pass http://10.0.1.4:81; 
     proxy_buffering off; 
     proxy_set_header Host $host; 
     proxy_set_header X-Real-IP $remote_addr; 
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
    } 
} 

Answer 1

我还没有实际上测试了这个，但我的直觉是你的listen指令不应该包含主机名。它们应该包含您想要监听的接口的IP地址以及您希望监听的端口。然后，对于每个不同的端口/ IP组合，您可以将其中的一个指定为默认值。

只有在之后解析请求去了哪个IP地址以及哪个端口开启了，nginx开始实际处理请求。这里的第一步是检查主机头，如果它发现主机头的值匹配的服务器块，那么这是它应该路由的地方。如果它找不到一个，那么它应该路由到默认值。

如果没有接收到主机头，那么我认为，在更新的nginx版本中，它会丢弃请求，但它以前只是通过发送到默认服务器来处理IP /端口组合。

下面是一个nginx.conf，它为我提供了指定服务器的工作端点，并为其他所有服务返回404。由于HSTS标题，您需要点击test.se {1,2,3,4} .home-v.ind.in才能看到它的工作，否则您只会返回浏览器错误。

user nginx; 
worker_processes  auto; 

error_log    stderr notice; 
pid     /var/run/nginx.pid; 

events { 
    worker_connections 1024; 
} 

http { 
    include     /etc/nginx/mime.types; 
    default_type    application/octet-stream; 
    sendfile     on; 
    tcp_nopush    on; 
    keepalive_timeout   300s; 
    ssl_certificate   /etc/pki/nginx/fullchain.pem; 
    ssl_certificate_key  /etc/pki/nginx/privkey.pem; 
    ssl_dhparam    /etc/pki/nginx/dhparams.pem; 
    ssl_protocols    TLSv1.2; 
    ssl_ciphers    EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; 
    ssl_prefer_server_ciphers on; 
    ssl_buffer_size   1400; 
    ssl_session_timeout  1d; 
    ssl_session_cache   shared:SSL:50m; 
    ssl_stapling    on; 
    ssl_stapling_verify  on; 
    ssl_trusted_certificate /etc/pki/nginx/fullchain.pem; 
    add_header    "Cache-Control" "no-transform"; 
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; 
    resolver     8.8.8.8 8.8.4.4 216.146.35.35 216.146.36.36 valid=60s; 
    resolver_timeout   2s; 

    server { 
    listen 80 default_server; 
    server_name _; 
    return 301 https://$host$request_uri; 
    } 

    server { 
    listen 443 ssl http2; 
    server_name test.se1.home-v.ind.in; 
    root /usr/share/nginx/html; 
    location /.well-known { satisfy any; allow all; try_files $uri $uri/ =404; } 
    location /robots.txt { satisfy any; allow all; add_header Content-Type text/plain; return 200 "User-agent: *\nDisallow: /\n"; } 
    location/{ satisfy any; allow all; add_header Content-Type text/plain; return 200 "Test Site 1"; } 
    } 

    server { 
    listen 443 ssl http2; 
    server_name test.se2.home-v.ind.in; 
    root /usr/share/nginx/html; 
    location /.well-known { satisfy any; allow all; try_files $uri $uri/ =404; } 
    location /robots.txt { satisfy any; allow all; add_header Content-Type text/plain; return 200 "User-agent: *\nDisallow: /\n"; } 
    location/{ satisfy any; allow all; add_header Content-Type text/plain; return 200 "Test Site 2"; } 
    } 

    server { 
    listen 443 ssl http2 default_server; 
    server_name _; 
    root /usr/share/nginx/html; 
    location /.well-known { satisfy any; allow all; try_files $uri $uri/ =404; } 
    location/{ return 404; } 
    } 

}