
I have a server which hosts several websites: some normal HTML, some WordPress and some reverse proxies.

Everything is managed by nginx with conf files for each site. All is managed by Ansible, which means all config files are built from the same template.

I have an nginx conf like this:

# Ansible managed

user                 www-data;
pid                  /run/nginx.pid;
worker_processes     auto;
worker_rlimit_nofile 65535;

# Load modules
include              /etc/nginx/modules-enabled/*.conf;

events {
    multi_accept       on;
    worker_connections 65535;
}

http {
    charset                utf-8;
    sendfile               on;
    tcp_nopush             on;
    tcp_nodelay            on;
    server_tokens          off;
    log_not_found          off;
    types_hash_max_size    2048;
    types_hash_bucket_size 64;
    
    client_max_body_size   16M;
    
    server_names_hash_max_size   512;
    server_names_hash_bucket_size  128;
    

    # MIME
    include                mime.types;
    default_type           application/octet-stream;
    
    # Log Format
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    

    # Logging
    access_log             /var/log/nginx/access.log;
    error_log              /var/log/nginx/error.log warn;
    
    # include TLS hardening
    include               /etc/nginx/snippets/tls-hardening.conf;
    
    # Load configs
    include               /etc/nginx/conf.d/*.conf;
    

    server {
        # catch-all server for both http and https
        listen *:80 default_server;
        listen *:443 default_server;
        server_name _;

        # SSL
        ssl_certificate                      /etc/ssl/FQDN.bundle.crt;
        ssl_certificate_key                  /etc/ssl/FQDN.key;

        # Redirect to canonical site
        #rewrite ^/(.*)$ http://example.com/$1 permanent;

        # return 404
        return 404;
    }
}

The default part shall catch all unconfigured requests.

The configs for normal websites look like this:

# Ansible managed

server {
        listen                               443 ssl http2;
        listen                               [::]:443 ssl http2;
        server_name                          FQDN www.FQDN;
        root                                 /var/www/FQDN;
        index index.html index.htm;

        # SSL
        ssl_certificate                      /etc/letsencrypt/live/FQDN/fullchain.pem;
        ssl_certificate_key                  /etc/letsencrypt/live/FQDN/privkey.pem;
        ssl_trusted_certificate              /etc/letsencrypt/live/FQDN/chain.pem;

        # security headers
        add_header X-XSS-Protection          "1; mode=block" always;
        add_header X-Content-Type-Options    "nosniff" always;
        add_header Referrer-Policy           "no-referrer-when-downgrade" always;
        add_header Content-Security-Policy   "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
        add_header Permissions-Policy        "interest-cohort=()" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        # . files
        location ~ /\.(?!well-known) {
            deny all;
        }

        # logging
        access_log /var/log/nginx/FQDN.access.log;
        error_log  /var/log/nginx/FQDN.error.log warn;

        # index.html fallback
        location / {
            #try_files $uri /index.html index.htm index.php;
        }

        # favicon.ico
        location = /favicon.ico {
            log_not_found off;
            access_log    off;
        }

        # robots.txt
        location = /robots.txt {
            log_not_found off;
            access_log    off;
        }

        # assets, media
        location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
            expires    7d;
            access_log off;
        }

        # svg, fonts
        location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
            add_header Access-Control-Allow-Origin "*";
            expires    7d;
            access_log off;
        }

        # gzip
        gzip            on;
        gzip_vary       on;
        gzip_proxied    any;
        gzip_comp_level 6;
        gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
}

# HTTP redirect
server {
        listen         80;
        listen         [::]:80;
        server_name    FQDN www.FQDN;

        # ACME-challenge
        location ^~ /.well-known/acme-challenge/ {
            root /var/www/_letsencrypt;
        }

        location / {
            return 301 https://FQDN$request_uri;
        }
}

So the SSL request shall be matched for FQDN and www.FQDN, while HTTP requests for FQDN and www.FQDN shall be redirected to the SSL website.

This works fine for my WordPress websites but not for the HTML sites.

Even though I have a default server config, nginx redirects https://www.FQDN to the first config in the config folder.

Does anyone have a hint what's going on here?

I also see different behaviour between Chrome and Firefox on one side and Safari on the other.

Chrome and Firefox will be redirected to the first config in the config folder, while Safari shows an error that the requested https://www.FQDN website is not secure and readable.

The Let's Encrypt certificate is created for both domains, FQDN and www.FQDN.

solick
  • Does this answer your question? [nginx - set multiple server_name with ssl-support](https://stackoverflow.com/questions/14434120/nginx-set-multiple-server-name-with-ssl-support) – Luuk Nov 05 '22 at 10:58
  • @Luuk no, because I have a wildcard domain, or more precisely a multi-domain certificate – solick Nov 05 '22 at 12:08
  • Would that not mean a setup for `different.example.com` and `example.com`, both having the same certificate, and the second one also doing `*.example.com`? – Luuk Nov 05 '22 at 12:13
  • Yes, that's correct, and I have a certificate via certbot for both domains. – solick Nov 05 '22 at 12:20
  • "This works fine for my wordpress websites but not for the HTML sites." And what is the difference between a WordPress site and an HTML site? (Besides the PHP layer, which might not exist for an HTML site.) (Sorry, I am having a hard time figuring out what your problem is, between the (lots of?) vague statements like "behave different" and "works fine for ... but not for ...".) – Luuk Nov 05 '22 at 13:28
  • @Luuk the WordPress sites of course have a different template, but the skeleton is the same. And for them, having two FQDNs on server_name works fine. My problem is that, for unknown reasons, neither the multiple FQDNs on server_name nor the catch-all config for the default server is working with my above-described nginx config. – solick Nov 07 '22 at 15:49
  • I do not know (anything) about Ansible and/or templates, but the first config seems to be used as a catch-all (when no other `server` configs match). Because no config is shown in your question (besides the vague description "are looking like this"), I think a lot of requests (just to keep it vague) are matching the "default part shall catch all unconfigured requests". – Luuk Nov 07 '22 at 17:08
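An added check, not part of the question or the comments above, for the one thing in the posted configuration that matches the "first config in the config folder" symptom. nginx picks the default server per listening socket: `listen 443` is the IPv4 wildcard socket `*:443`, while `[::]:443` is a separate socket (ipv6only is on by default), and a `default_server` flag on one says nothing about the other. Where no server block declares `default_server` for a socket, the first server block defined for that socket in configuration order becomes its default, and with `include /etc/nginx/conf.d/*.conf` that is the alphabetically first file. The posted catch-all only says `default_server` on `*:80` and `*:443`, but every site also listens on `[::]:80` and `[::]:443`, so a client that connects over IPv6 with an unmatched name lands on whichever site file sorts first. The page does not confirm this is the asker's actual cause; the script below reproduces the shape of the posted files with constructed hostnames (`a.example`, `b.example`) and reports, per socket, which block would answer and whether it was chosen explicitly. The "fixed" catch-all is my suggestion: it declares the default on the IPv6 sockets too, states `ssl` explicitly on the TLS sockets, and uses `ssl_reject_handshake on` (nginx 1.19.4 or newer) so unknown names get no certificate at all instead of the wrong one. Run the same parser over the real `nginx -T` output to verify against the live server.

```python
import re

# Constructed sample input (not the asker's real files): two site vhosts in
# the shape of the posted template, followed by the catch-all, in the order
# nginx reads them (conf.d/*.conf is included before the catch-all block).
SITES = """
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name a.example www.a.example;
}
server {
    listen 80;
    listen [::]:80;
    server_name a.example www.a.example;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name b.example www.b.example;
}
server {
    listen 80;
    listen [::]:80;
    server_name b.example www.b.example;
}
"""

# Catch-all as posted: default_server only on the IPv4 wildcard sockets.
CATCHALL_POSTED = """
server {
    listen *:80 default_server;
    listen *:443 default_server;
    server_name _;
    return 404;
}
"""

# Suggested catch-all (my addition, not from the page): default on the IPv6
# sockets too, explicit 'ssl', and no certificate for unknown names
# (ssl_reject_handshake requires nginx >= 1.19.4).
CATCHALL_FIXED = """
server {
    listen *:80 default_server;
    listen [::]:80 default_server;
    listen *:443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
    return 404;
}
"""

BEFORE = SITES + CATCHALL_POSTED
AFTER = SITES + CATCHALL_FIXED


def server_blocks(text):
    """Yield the body of each 'server { ... }' block in file order."""
    text = re.sub(r"#.*", "", text)  # drop comments
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 0, m.end() - 1
        while i < len(text):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield text[m.end():i]


def directives(block):
    """Yield (name, args); braces act as separators so a directive that
    follows a nested location block is still seen."""
    for stmt in re.sub(r"[{}]", ";", block).split(";"):
        toks = stmt.split()
        if toks:
            yield toks[0], toks[1:]


def normalize_listen(args):
    """Map a listen address to its socket identity: 'listen 443' and
    '0.0.0.0:443' are the socket '*:443'; '[::]:443' is a different one."""
    addr, flags = args[0], set(args[1:])
    if re.fullmatch(r"\d+", addr):
        addr = "*:" + addr
    elif addr.startswith("0.0.0.0:"):
        addr = "*:" + addr.split(":", 1)[1]
    return addr, flags


def default_servers(config_text):
    """Return {socket: (server_name, explicit)}: the block nginx uses when
    no server_name matches, and whether it was chosen by 'default_server'
    (True) or merely by being the first block defined for the socket."""
    result = {}
    for block in server_blocks(config_text):
        names, listens = "", []
        for name, args in directives(block):
            if name == "listen" and args:
                listens.append(normalize_listen(args))
            elif name == "server_name":
                names = " ".join(args)
        for addr, flags in listens:
            if "default_server" in flags or "default" in flags:
                result[addr] = (names, True)  # explicit wins regardless of order
            elif addr not in result:
                result[addr] = (names, False)  # first definition wins otherwise
    return result


def unguarded_sockets(config_text):
    """Sockets with no explicit default_server, sorted."""
    return sorted(a for a, (_, ex) in default_servers(config_text).items() if not ex)


if __name__ == "__main__":
    for label, cfg in (("posted", BEFORE), ("fixed", AFTER)):
        print(f"== {label} ==")
        for addr, (names, explicit) in sorted(default_servers(cfg).items()):
            how = "default_server" if explicit else "FIRST DEFINED (implicit)"
            print(f"{addr:12} -> '{names}'  [{how}]")
```

On the posted shape the script lists `[::]:80` and `[::]:443` as unguarded, with `a.example` (the first file) as their implicit default; on the fixed shape every socket is owned by the `_` catch-all. To check the live box rather than the sample, feed it `nginx -T` output, and confirm from the client side with `curl -4` and `curl -6` against the name that misbehaves, since the two address families can answer differently.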

0 Answers