nginx 监听私有 ip 而不是 0.0.0.0 多个站点
nginx listen on private ip instead of 0.0.0.0 with multiple sites
我最近在我周围的 pi 上设置了一个 pihole,它很棒。当域被阻止时,它会根据其默认配置 BLOCKINGMODE=NULL 返回 IP 地址 0.0.0.0。
我面临的问题是,当我从我的服务器浏览网页时,该服务器通过 nginx 托管多个子域,它不断尝试连接到我的 nginx 站点,并用 404 填充其日志。
我相信解决方案是更新我的 nginx 配置以指向我的私有 ip 而不是 0.0.0.0。我认为它会像更新一样简单 listen 443 ssl;
至 listen 192.168.1.10:443 ssl;
不幸的是,在我进行更改之后,我所有的子域都随机指向其中一个。前任。 a.mysite.com、b.mysite.com、c.mysite.com都指向a.mysite.com
我的大多数网站都将 docker 实例转发到 443,还有一些只提供本地文件。
我最初在 pihole 论坛上提问,他们为我指出了正确的方向,但我不确定如何使用我的私有 ip 而不是 0.0.0.0 让 nginx 工作。
https://discourse.pi-hole.net/t/blockingmode-null-vs-nodata/53016/7
简单的解决方案是单独保留我的 nginx 配置并将 pihole 从 BLOCKINGMODE=NULL 更新为 BLOCKINGMODE=NXDOMAIN 或 BLOCKINGMODE=NODATA,但根据他们的帮助文档,“类似于 NULL 阻塞,但实验表明客户端与 NULL 阻止相比,可能会更频繁地尝试解析被阻止的域。”
https://docs.pi-hole.net/ftldns/blockingmode/
感谢阅读!
mrplow@dan-server:~$ dig ads.facebook.com
; <<>> DiG 9.16.15-Ubuntu <<>> ads.facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37291
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;ads.facebook.com. IN A
;; ANSWER SECTION:
ads.facebook.com. 2 IN A 0.0.0.0
;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Jan 27 14:50:46 PST 2022
;; MSG SIZE rcvd: 61
mrplow@dan-server:~$ date && curl ads.facebook.com && tail -n 1 /var/log/nginx/access.log
Thu 27 Jan 2022 03:00:19 PM PST
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
127.0.0.1 - - [27/Jan/2022:15:00:19 -0800] "GET / HTTP/1.1" 404 162 "-" "curl/7.74.0"
示例 nginx 配置文件
server {
server_name a.mysite.com;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://127.0.0.1:9117;
}
ssl_dhparam /etc/ssl/certs/a.mysite.pem;
listen 443 ssl; # managed by Certbot
# listen 192.168.1.10:443 ssl;
ssl_certificate /etc/letsencrypt/live/a.mysite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/a.mysite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = a.mysite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name a.mysite.com;
listen 80;
# listen 192.168.1.10:80;
return 404; # managed by Certbot
}
想通了。
我在 listen 指令中包含私有 ip 是正确的。但是,我还需要更新我所有的 server_name 指令以包含私有 IP 地址。
在我更新所有 nginx 配置后,它不再监听 0.0.0.0,当我卷曲一个被阻止的站点时,它现在给出正确的 curl: (7) Failed to connect to ads.facebook.com port 80: Connection refused 响应。
工作示例:
server {
server_name a.mysite.com 192.168.1.10;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://127.0.0.1:9117;
}
ssl_dhparam /etc/ssl/certs/a.mysite.pem;
listen 192.168.1.10:443 ssl;
ssl_certificate /etc/letsencrypt/live/a.mysite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/a.mysite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = a.mysite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name a.mysite.com 192.168.1.10;
listen 192.168.1.10:80;
return 404; # managed by Certbot
}
我最近在我周围的 pi 上设置了一个 pihole,它很棒。当域被阻止时,它会根据其默认配置 BLOCKINGMODE=NULL 返回 IP 地址 0.0.0.0。
我面临的问题是,当我从我的服务器浏览网页时,该服务器通过 nginx 托管多个子域,它不断尝试连接到我的 nginx 站点,并用 404 填充其日志。
我相信解决方案是更新我的 nginx 配置以指向我的私有 ip 而不是 0.0.0.0。我认为它会像更新一样简单 listen 443 ssl;
至 listen 192.168.1.10:443 ssl;
不幸的是,在我进行更改之后,我所有的子域都随机指向其中一个。前任。 a.mysite.com、b.mysite.com、c.mysite.com都指向a.mysite.com
我的大多数网站都将 docker 实例转发到 443,还有一些只提供本地文件。
我最初在 pihole 论坛上提问,他们为我指出了正确的方向,但我不确定如何使用我的私有 ip 而不是 0.0.0.0 让 nginx 工作。 https://discourse.pi-hole.net/t/blockingmode-null-vs-nodata/53016/7
简单的解决方案是单独保留我的 nginx 配置并将 pihole 从 BLOCKINGMODE=NULL 更新为 BLOCKINGMODE=NXDOMAIN 或 BLOCKINGMODE=NODATA,但根据他们的帮助文档,“类似于 NULL 阻塞,但实验表明客户端与 NULL 阻止相比,可能会更频繁地尝试解析被阻止的域。” https://docs.pi-hole.net/ftldns/blockingmode/
感谢阅读!
mrplow@dan-server:~$ dig ads.facebook.com
; <<>> DiG 9.16.15-Ubuntu <<>> ads.facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37291
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;ads.facebook.com. IN A
;; ANSWER SECTION:
ads.facebook.com. 2 IN A 0.0.0.0
;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Jan 27 14:50:46 PST 2022
;; MSG SIZE rcvd: 61
mrplow@dan-server:~$ date && curl ads.facebook.com && tail -n 1 /var/log/nginx/access.log
Thu 27 Jan 2022 03:00:19 PM PST
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
127.0.0.1 - - [27/Jan/2022:15:00:19 -0800] "GET / HTTP/1.1" 404 162 "-" "curl/7.74.0"
示例 nginx 配置文件
server {
server_name a.mysite.com;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://127.0.0.1:9117;
}
ssl_dhparam /etc/ssl/certs/a.mysite.pem;
listen 443 ssl; # managed by Certbot
# listen 192.168.1.10:443 ssl;
ssl_certificate /etc/letsencrypt/live/a.mysite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/a.mysite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = a.mysite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name a.mysite.com;
listen 80;
# listen 192.168.1.10:80;
return 404; # managed by Certbot
}
想通了。
我在 listen 指令中包含私有 ip 是正确的。但是,我还需要更新我所有的 server_name 指令以包含私有 IP 地址。
在我更新所有 nginx 配置后,它不再监听 0.0.0.0,当我卷曲一个被阻止的站点时,它现在给出正确的 curl: (7) Failed to connect to ads.facebook.com port 80: Connection refused 响应。
工作示例:
server {
server_name a.mysite.com 192.168.1.10;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://127.0.0.1:9117;
}
ssl_dhparam /etc/ssl/certs/a.mysite.pem;
listen 192.168.1.10:443 ssl;
ssl_certificate /etc/letsencrypt/live/a.mysite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/a.mysite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = a.mysite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name a.mysite.com 192.168.1.10;
listen 192.168.1.10:80;
return 404; # managed by Certbot
}