Nginx stosuje elementy tej samej konfiguracji do wszystkich vhostów


Mam problem z instalacją nginx. W głównym pliku default.conf włączyłem TLSv1.3 z krzywą ECDHE X25519, ale mam subdomenę, która nie musi używać tej krzywej. W konfiguracji subdomeny włączyłem tylko secp384r1, ale kiedy testuję poddomenę za pomocą SSL Labs, w sekcji obsługiwanych nazwanych grup widzę trzy krzywe, które włączyłem w pliku default.conf. To samo zdarzyło się jakiś czas temu, ale z włączonymi protokołami! Jak mogę rozwiązać ten problem? Próbowałem zmieniać nazwy plików i restartowałem nginx miliard razy, ale to nie pomogło. Korzystam z nginx 1.13.2 z OpenSSL 1.1.1-dev na Ubuntu 17.04.

Oto test ssllabs dla mojej głównej domeny: https://www.ssllabs.com/ssltest/analyze.html?d=alessandroz.pro

A oto test dla poddomeny: https://www.ssllabs.com/ssltest/analyze.html?d=ssl.alessandroz.pro

Oto główna konfiguracja:

# Derive the value used by "expires $expires;" from the response Content-Type:
# HTML is always revalidated, CSS/JS/images get the maximum lifetime,
# everything else leaves Expires/Cache-Control untouched.
map $sent_http_content_type $expires {
    default                 off;
    text/css                max;
    application/javascript  max;
    text/html               epoch;
    ~image/                 max;
}

# HTTPS vhost for the main domain. No "listen ... default_server" is set in
# either file, so the default server for :443 is simply the first one nginx
# loads (include order), and it is the default server's TLS context that
# answers the ClientHello before the SNI name is known.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

server_tokens off;

# Dual-certificate setup: an RSA-4096 chain and an ECDSA chain; OpenSSL picks
# one based on the cipher the client negotiates.
ssl_certificate /etc/nginxssl/rsa/chain2rsa.pem;
ssl_certificate_key /etc/nginxssl/rsa/rsa4096.key;

ssl_certificate /etc/nginxssl/ec/echain2.pem;
ssl_certificate_key /etc/nginxssl/ec/privkey.pem;

# NOTE(review): with this nginx/OpenSSL generation the SNI callback selects
# the vhost by swapping the SSL_CTX (SSL_set_SSL_CTX) after the protocol
# version and supported groups have already been taken from the default
# server's context. If that is the case, ssl_protocols / ssl_ecdh_curve of a
# non-default vhost on the same ip:port are effectively ignored -- which would
# explain ssllabs reporting these three curves for the subdomain too. Verify
# by temporarily marking the subdomain's listen line default_server.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# 8192-bit DH is only used by the DHE suites ("AES256+EDH") at the tail of the
# cipher list; each such handshake is expensive for the server.
ssl_dhparam /etc/nginx/dh8192.pem;
# The "TLS13-*" and "*-CHACHA20-POLY1305-D" names are draft-era OpenSSL
# 1.1.1-dev identifiers; released OpenSSL 1.1.1 does not select TLS 1.3 suites
# through this list. The list also keeps CBC/SHA-1 suites (*-AES128-SHA,
# *-AES256-SHA) behind the AEAD ones.
ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:AES256+EECDH:AES256+EDH:!aNULL;
# These three groups are what ssllabs shows for both hostnames.
ssl_ecdh_curve X25519:secp521r1:secp384r1;
ssl_session_cache shared:SSL:5m;
# OCSP stapling. ssl_trusted_certificate names only the RSA chain; presumably
# the EC chain has the same issuer, otherwise ssl_stapling_verify would fail
# for the EC certificate -- confirm with the EC chain file.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginxssl/rsa/rsachain.pem;
# Resolver used for the OCSP responder lookup: plain (unencrypted) DNS to a
# public resolver.
resolver 8.8.8.8;
resolver_timeout 15s;
expires $expires;   


# HPKP is disabled here (but enabled in the subdomain file). Note the stray
# extra quote after the first pin in both disabled lines.
#add_header Public-Key-Pins 'pin-sha256="f6Rrjx1PVBHit0A3FRptkrBgow9EvmViNhd3tqz5RCg=""; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="W64HXITqFK9CWicSLnRNMbaDL3kUwx3GKzlkJ3IVKRM="; max-age=2592000; report-uri="https://azreport.report-uri.io/r/default/hpkp/enforce"';
#add_header Public-Key-Pins-Report-Only 'pin-sha256="f6Rrjx1PVBHit0A3FRptkrBgow9EvmViNhd3tqz5RCg=""; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="W64HXITqFK9CWicSLnRNMbaDL3kUwx3GKzlkJ3IVKRM="; max-age=2592000; report-uri="https://azreport.report-uri.io/r/default/hpkp/reportOnly"';
add_header Cache-Control "max-age=0; no-cache";
# NOTE(review): the CSP nonce is a fixed string baked into the config, so every
# response carries the same value. A nonce only provides protection when it is
# unpredictable and generated per response (by the application, or from a
# per-request random source); a constant one can be copied by anyone able to
# inject markup, and 'strict-dynamic' then trusts whatever that script loads.
# The Report-Only policy is byte-identical to the enforced one, so it can never
# report anything the enforced policy does not already block.
add_header Content-Security-Policy "default-src 'none'; upgrade-insecure-requests; block-all-mixed-content; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' alessandroz.pro a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com alessandroz.pro platform.twitter.com; frame-src fusiontables.googleusercontent.com alessandroz.pro fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' alessandroz.pro links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://azreport.report-uri.io/r/default/csp/enforce";
add_header Content-Security-Policy-Report-Only "default-src 'none'; upgrade-insecure-requests; block-all-mixed-content; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' alessandroz.pro a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com alessandroz.pro platform.twitter.com; frame-src fusiontables.googleusercontent.com alessandroz.pro fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' alessandroz.pro links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://azreport.report-uri.io/r/default/csp/reportOnly";
add_header X-XSS-Protection "1; mode=block";
# HSTS for two years with includeSubDomains + preload: this binds every
# subdomain (including ssl.alessandroz.pro) to HTTPS as well.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header P3P 'CP=This is not a P3P Security Policy. Privacy Info At: https://alessandroz.pro/privacypolicy.html';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin-when-cross-origin; 
# Expect-CT in enforce mode with a very short (30 s) max-age.
add_header Expect-CT "enforce; max-age=30; report-uri https://azreport.report-uri.io/r/default/ct/enforce";
add_header Accept-Ranges bytes;
# None of the locations below set add_header themselves, so all of the headers
# above are inherited into every location (a location that adds its own
# add_header would drop the inherited set).

# Compressing dynamic HTML over TLS is the precondition for compression
# side-channels (BREACH); only a concern if responses mix secrets with
# attacker-influenced input.
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

root /usr/share/nginx/www;

# Location precedence: "location ^~ /" further down is a prefix match for every
# URI and suppresses regex matching at this level, so the two server-level
# regex locations (static-file expires below, /.well-known) are never selected;
# only the two exact "=" locations still take effect. Regex locations nested
# inside "^~ /" are evaluated normally.
location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt {log_not_found off; access_log off; allow all; }
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires 365d;
        log_not_found off;
    }   

index index.php index.html index.htm index.nginx-debian.html;

server_name alessandroz.pro;


# Turns a 405 (e.g. POST against a static file) into a 200 serving $uri.
error_page  405     =200 $uri;

# Shadowed by "^~ /" (see above); the pattern is also unanchored and the "."
# is unescaped, so it would match "/xwell-known" anywhere in the URI.
location ~ /.well-known {
            allow all;
    }

location ^~ / {
    try_files $uri $uri/ /index.php$is_args$args;
    include  /etc/nginx/mime.types;

# PHP handler. Whether the script path is validated against the filesystem
# depends on the included snippet (not shown); the Debian/Ubuntu snippet
# normally carries "try_files $fastcgi_script_name =404" -- confirm it does,
# otherwise the classic pathinfo misrouting to php-fpm applies.
location ~ \.php$ {
    include /etc/nginx/snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

# Only .ht* files are blocked; other dotfiles/directories under the docroot
# (e.g. .git, .env) would still be served by the try_files above. A broader
# "location ~ /\." deny with an exception for .well-known is the usual hardening.
location ~ /\.ht {
    deny all;
    }

# Disabled fcgiwrap CGI handler for a separate "tripwire" document root.
#location ~ (\.cgi|\.py|\.sh|\.pl|\.lua)$ {
    #gzip off;
#root /usr/share/nginx/tripwire;
    #autoindex on;
    #fastcgi_pass unix:/var/run/fcgiwrap.socket;
    #nclude /etc/nginx/fastcgi_params;
    #fastcgi_param DOCUMENT_ROOT /usr/share/nginx/tripwire;
    #fastcgi_param SCRIPT_FILENAME /usr/share/nginx/tripwire$fastcgi_script_name;
#}

# Directory listing of the system documentation, restricted to IPv4 loopback.
# Both the location and the alias end in "/", so the alias off-by-slash
# traversal misconfiguration does not apply here. ::1 is not in the allow
# list, so IPv6 loopback clients are denied as well.
location /doc/ {
    alias /usr/share/doc/;
    autoindex on;
    allow 127.0.0.1;
    deny all;
    }

}

}

# Plain-HTTP listener for the main domain: no content is served here, every
# request is permanently redirected to the HTTPS host with its original URI.
server {
    listen 80;
    server_name alessandroz.pro;
    gzip off;
    return 301 https://alessandroz.pro$request_uri;
}

A tutaj jest plik konfiguracyjny subdomeny:

# Same Content-Type -> $expires mapping as in the main domain file (the
# variable is redefined here; both definitions are identical). HTML is always
# revalidated, CSS/JS/images get the maximum lifetime, everything else is off.
map $sent_http_content_type $expires {
    default                 off;
    text/css                max;
    application/javascript  max;
    text/html               epoch;
    ~image/                 max;
}

# HTTPS vhost for the ssl. subdomain. It shares ip:port with the main domain's
# vhost and is selected by SNI; neither listen line carries default_server, so
# which file is loaded first decides which TLS context answers the ClientHello.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

server_tokens off;

# Same RSA + ECDSA certificate pair as the main domain (the certificates
# presumably cover both names -- verify the SAN list).
ssl_certificate /etc/nginxssl/rsa/chain2rsa.pem;
ssl_certificate_key /etc/nginxssl/rsa/rsa4096.key;

ssl_certificate /etc/nginxssl/ec/echain2.pem;
ssl_certificate_key /etc/nginxssl/ec/privkey.pem;

# NOTE(review): TLSv1.2-only and secp384r1-only are the intended differences
# from the main vhost, but ssllabs reports the main vhost's protocols and
# curves here. With this nginx/OpenSSL generation the protocol version and the
# supported groups appear to be fixed from the default server's context before
# the SNI-driven SSL_CTX swap, so these two directives would only take effect
# if this server were the default_server (or listened on its own ip:port).
# Verify by toggling default_server on the listen line above.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# 4096-bit DH here versus 8192-bit in the main vhost; only used by the DHE
# ("AES256+EDH") suites.
ssl_dhparam /etc/nginx/dh4096.pem;
# Full list from the main vhost kept disabled for reference.
#ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:AES256+EECDH:AES256+EDH:!aNULL;
# Active list: AES-256 with ECDHE or DHE only. This selector also admits the
# CBC/SHA-1 and SHA-384 non-AEAD AES-256 suites, not just GCM; ChaCha20 and
# AES-128 are excluded.
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
ssl_ecdh_curve secp384r1;
# Same shared cache name as the main vhost, so sessions are shared between them.
ssl_session_cache shared:SSL:5m;
# OCSP stapling verified against the RSA chain only -- presumably the EC chain
# shares the issuer; confirm.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginxssl/rsa/rsachain.pem;
# Resolver for the OCSP responder lookup: plain DNS to a public resolver.
resolver 8.8.8.8;
resolver_timeout 15s;
expires $expires;   

# HPKP is ENABLED on this subdomain (disabled on the main domain) with a
# 30-day max-age and four pins. If the served certificate keys ever change
# without one of the pinned keys remaining valid, pinned clients are locked out
# of this host until max-age expires; browsers have since dropped HPKP support,
# so its protective value is limited. Presumably two of the four pins are
# backup keys kept offline -- confirm before renewing certificates.
add_header Public-Key-Pins 'pin-sha256="f6Rrjx1PVBHit0A3FRptkrBgow9EvmViNhd3tqz5RCg="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="W64HXITqFK9CWicSLnRNMbaDL3kUwx3GKzlkJ3IVKRM="; max-age=2592000; report-uri="https://azreport.report-uri.io/r/default/hpkp/enforce"';
add_header Public-Key-Pins-Report-Only 'pin-sha256="f6Rrjx1PVBHit0A3FRptkrBgow9EvmViNhd3tqz5RCg="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="W64HXITqFK9CWicSLnRNMbaDL3kUwx3GKzlkJ3IVKRM="; max-age=2592000; report-uri="https://azreport.report-uri.io/r/default/hpkp/reportOnly"';
add_header Cache-Control "max-age=0; no-cache";
# NOTE(review): the CSP is copied verbatim from the main domain, including the
# constant nonce; a nonce that never changes between responses gives no
# protection (it must be random per response), and the Report-Only policy is
# identical to the enforced one so it reports nothing new. The allowlist is
# also the main site's (disqus, twitter, fusiontables) -- check whether this
# subdomain actually needs those origins.
add_header Content-Security-Policy "default-src 'none'; upgrade-insecure-requests; block-all-mixed-content; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' alessandroz.pro a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com alessandroz.pro platform.twitter.com; frame-src fusiontables.googleusercontent.com alessandroz.pro fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' alessandroz.pro links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://azreport.report-uri.io/r/default/csp/enforce";
add_header Content-Security-Policy-Report-Only "default-src 'none'; upgrade-insecure-requests; block-all-mixed-content; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' alessandroz.pro a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com alessandroz.pro platform.twitter.com; frame-src fusiontables.googleusercontent.com alessandroz.pro fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' alessandroz.pro links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://azreport.report-uri.io/r/default/csp/reportOnly";
add_header X-XSS-Protection "1; mode=block";
# HSTS with includeSubDomains + preload on a subdomain covers only names
# below ssl.alessandroz.pro; the apex's own HSTS header already covers this host.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header P3P 'CP=This is not a P3P Security Policy. Privacy Info At: https://alessandroz.pro/privacypolicy.html';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin-when-cross-origin; 
add_header Expect-CT "enforce; max-age=30; report-uri https://azreport.report-uri.io/r/default/ct/enforce";
add_header Accept-Ranges bytes;
# No location below sets its own add_header, so this header set is inherited
# into all of them.

gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

# This docroot is a subdirectory of the main domain's docroot
# (/usr/share/nginx/www), so the same files are presumably also reachable as
# https://alessandroz.pro/ssl/... through the main vhost -- confirm that is
# intended.
root /usr/share/nginx/www/ssl;

# "location ^~ /" below matches every URI and stops regex matching at this
# level, so this static-file regex location and the /.well-known one are never
# selected; only the two exact "=" locations still apply.
location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt {log_not_found off; access_log off; allow all; }
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires 365d;
        log_not_found off;
    }   

index index.php index.html index.htm index.nginx-debian.html;

server_name ssl.alessandroz.pro;


# Turns a 405 (e.g. POST against a static file) into a 200 serving $uri.
error_page  405     =200 $uri;

# Shadowed by "^~ /"; also unanchored with an unescaped ".".
location ~ /.well-known {
            allow all;
    }

location ^~ / {
    try_files $uri $uri/ /index.php$is_args$args;
    include  /etc/nginx/mime.types;

# PHP handler; script-path validation depends on the included snippet (not
# shown) -- confirm it rejects paths that do not exist on disk.
location ~ \.php$ {
    include /etc/nginx/snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

# Blocks .ht* only; other dotfiles under the docroot would still be served.
location ~ /\.ht {
    deny all;
    }

# Disabled fcgiwrap CGI handler for a separate "tripwire" document root.
#location ~ (\.cgi|\.py|\.sh|\.pl|\.lua)$ {
    #gzip off;
#root /usr/share/nginx/tripwire;
    #autoindex on;
    #fastcgi_pass unix:/var/run/fcgiwrap.socket;
    #nclude /etc/nginx/fastcgi_params;
    #fastcgi_param DOCUMENT_ROOT /usr/share/nginx/tripwire;
    #fastcgi_param SCRIPT_FILENAME /usr/share/nginx/tripwire$fastcgi_script_name;
#}

# System documentation listing, IPv4-loopback only (::1 is denied). Location
# and alias both end in "/", so the alias off-by-slash traversal does not apply.
location /doc/ {
    alias /usr/share/doc/;
    autoindex on;
    allow 127.0.0.1;
    deny all;
    }
}

}

# Plain-HTTP listener for the subdomain: serves nothing itself, every request
# is permanently redirected to the HTTPS host with its original URI.
server {
    listen 80;
    server_name ssl.alessandroz.pro;
    gzip off;
    return 301 https://ssl.alessandroz.pro$request_uri;
}
Alessandro Z.
Jak faktycznie wygląda twoja konfiguracja? Jakiej wersji nginx i Ubuntu używasz? Jak wygląda twoja struktura plików?
Seth
Prawdopodobnie masz linię w rodzaju include /etc/nginx/snippets/ssl-params.conf; która dołącza wspólne parametry SSL. Usuń ją i wpisz dostosowaną konfigurację SSL dla tej subdomeny.
simlev
Dodałem wersje nginx i Ubuntu. Przejrzałem też mój plik konfiguracyjny i nie znalazłem żadnych odwołań do innych konfiguracji SSL.
Alessandro Z.