[alibaba/tengine] How do I configure or compile it so that a single server block supports multiple certificates?

2024-05-15 744 views
7
Configuration file
server {
  listen       443    ssl;
  server_name  www.aaa.org.cn file.aaa.org.cn;

  ssl_certificate      ../certs/www.aaa.org.cn.crt;
  ssl_certificate_key  ../certs/www.aaa.org.cn.key;
  ssl_certificate      ../certs/file.aaa.org.cn.crt;
  ssl_certificate_key  ../certs/file.aaa.org.cn.key;
  ssl_certificate      ../certs/all.pem;
  ssl_certificate_key  ../certs/all.key; 

  ssl_session_cache    shared:SSL:1m;
  ssl_session_timeout  5m; 
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on; 
}

With this configuration, only the last certificate takes effect; the two certificates above it no longer take effect.

Answers

2

Configure multiple server blocks, one domain and one certificate per server.

server {
  listen       443    ssl;
  server_name  www.aaa.org.cn;

  ssl_certificate      ../certs/www.aaa.org.cn.crt;
  ssl_certificate_key  ../certs/www.aaa.org.cn.key;
}
server {
  listen       443    ssl;
  server_name  file.aaa.org.cn;

  ssl_certificate      ../certs/file.aaa.org.cn.crt;
  ssl_certificate_key  ../certs/file.aaa.org.cn.key;
}
1

Configure multiple server blocks, one domain and one certificate per server.

server {
  listen       443    ssl;
  server_name  www.aaa.org.cn;

  ssl_certificate      ../certs/www.aaa.org.cn.crt;
  ssl_certificate_key  ../certs/www.aaa.org.cn.key;
}
server {
  listen       443    ssl;
  server_name  file.aaa.org.cn;

  ssl_certificate      ../certs/file.aaa.org.cn.crt;
  ssl_certificate_key  ../certs/file.aaa.org.cn.key;
}

Have you actually tried this? With the HTTP protocol, port reuse like this works; with the HTTPS protocol, configured this way it will always be overridden by the first one.

4

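./configure --prefix=/data/nginx --with-stream --with-stream_ssl_preread_module
This step is the key.

The rest of the configuration is simple; take it, no thanks needed:

stream {
  # backend, backend1, backend2: upstream names, not defined in this post
  map $ssl_preread_server_name $name {
    default      backend;
    example.com  backend1;
    test.com     backend2;
  }
  server {
    listen 443;
    proxy_pass $name;
    ssl_preread on;
  }
}

You proxy the SSL traffic directly, so it doesn't matter how many there are.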