Why is the non-www version of my website returning a 403 and the www version returning 404 on nginx?

Some background: I'm a noob hosting a personal mail server, a Nextcloud server and nginx on the same VPS. My Nextcloud and mail server work fine, but since I added the web server things have been acting up.

My www.redacted.xyz returns a 404 and redacted.xyz returns a 403... Also, I've been having weird port stuff with Certbot, which I describe below, and it seems to be a contributing factor.

nginx -t -c /etc/nginx/nginx.conf:

root@vultr: nginx -t -c /etc/nginx/nginx.conf 
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

/etc/nginx/sites-enabled/redacted

server {
        listen 8080 ;
        listen [::]:8080 ;

        server_name redacted.xyz www.redacted.xyz ;

        root /var/www/redacted ;

        index index.html index.htm index.nginx-debian.html ;

        location / {
                try_files $uri $uri/ =404 ;
        }

        listen [::]:8443 ssl ipv6only=on; # managed by Certbot
        listen 8443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/redacted.xyz/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/redacted.xyz/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

Note that I'm using 8080 and 8443 instead of 80 and 443 because those seemed to cause problems with Certbot, as shown below. Using these ports seemed to fix that problem, but seems to contribute to this new one.

When I change 8443 to 443 in the sites-enabled file, the www. version of the site suddenly works. Changing 8080 to 80 still results in a 403 on the non-www version. Of course there's no visible change on the client side, since I have the site set up to redirect to https.

What on earth is going on?

Certbot --nginx

root@vultr: certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: redacted.xyz
2: mail.redacted.xyz
3: www.mail.redacted.xyz
4: www.redacted.xyz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/redacted.xyz.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/redacted
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/mail
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/mail
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/redacted
nginx: [warn] conflicting server name "redacted.xyz" on [::]:443, ignored
nginx: [warn] conflicting server name "redacted.xyz" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "redacted.xyz" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "redacted.xyz" on [::]:80, ignored

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/redacted
Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/mail
Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/mail
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/redacted
nginx: [warn] conflicting server name "redacted.xyz" on [::]:443, ignored
nginx: [warn] conflicting server name "redacted.xyz" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "redacted.xyz" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "redacted.xyz" on [::]:80, ignored

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://redacted.xyz,
https://mail.redacted.xyz, https://www.mail.redacted.xyz, and
https://www.redacted.xyz

I wonder if this has to do with how you're using certbot. You want a single certificate covering both domain names; from the output you shared, it looks like you're trying to generate two certificates, one for each variant of the FQDN. The port issue is probably because certbot wants to use at least port 80 (not sure about 443) to validate the domain and install the certificate.

OK, I figured it out... turns out I had forgotten to set the cloud. subdomain for my Nextcloud server, so it was using redacted.xyz instead.

Changed the server_name in Nextcloud's server block to cloud.redacted.xyz and removed redacted.xyz. That fixed the main issue, and prompted me to fix the certbot problem too!

(Now I can't get that subdomain working, but that's another post lol)
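As an added illustration (not the poster's config or code from the thread): the nginx server-selection rule the self-answer relies on, modelled in Python over a constructed two-block config. The bare name, claimed first by the Nextcloud block, is routed there and is exactly what nginx reports as a conflicting server name; the www name exists only in the site block, so it reaches the intended docroot. Wildcard and regex server_name forms and explicit default_server are assumed absent and are not modelled.

```python
# Constructed sample modelled on the thread: the Nextcloud block (an earlier sites-enabled
# file) still claims the bare domain; the new site block claims both names on the same port.
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    server_name redacted.xyz;   # should have been cloud.redacted.xyz
    root /var/www/nextcloud;
}
server {
    listen 443 ssl;
    server_name redacted.xyz www.redacted.xyz;
    root /var/www/redacted;
    location / { try_files $uri $uri/ =404; }
}
"""

def parse_server_blocks(text):
    """One dict of top-level directive -> values per server block, in file order."""
    blocks, depth, cur = [], 0, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if depth == 0:                  # only a "server {" line opens a block of interest
            if line.startswith("server") and line.endswith("{"):
                depth, cur = 1, {}
            continue
        if depth == 1 and line.endswith(";"):   # top-level directives; location {} bodies skipped
            key, *vals = line[:-1].split()
            if key == "listen":         # "443 ssl" / "[::]:8443 ssl ipv6only=on" -> port only
                vals = [vals[0].rsplit(":", 1)[-1]]
            cur.setdefault(key, []).extend(vals)
        depth += line.count("{") - line.count("}")
        if depth == 0:
            blocks.append(cur)
    return blocks

def conflicts(blocks):
    """(port, name) pairs declared by more than one block: nginx's 'conflicting server name ... ignored'."""
    seen, dup = set(), set()
    for b in blocks:
        for key in {(p, n) for p in b.get("listen", []) for n in b.get("server_name", [])}:
            (dup if key in seen else seen).add(key)
    return sorted(dup)

def resolve(blocks, port, host):
    """Block nginx picks for Host `host` on `port`: the first block declaring that exact name
    (later duplicates are the ones nginx ignores), else the first block listening on the port."""
    cands = [b for b in blocks if port in b.get("listen", [])]
    exact = [b for b in cands if host in b.get("server_name", [])]
    return (exact or cands or [None])[0]
```

Run `conflicts()` over the output of `nginx -T` in the same way to catch a duplicated name before a reload, and `resolve()` to see which docroot a given Host header will land in.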