Best practice to handle default server and ip forw

Posted 2019-09-13 21:30

Question:

I have recently created an nginx server on Debian 8. It came up with a default config on /etc/nginx/sites-available/default which redirects to an nginx welcome page.

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name your_server_ip;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}

I had added a new production page, say 'example.com' with ssl on it.

In the config for ../example.com, it is not set as the default server.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

server {

    # SSL configuration

    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;
    ....

Now when I ssl security tested it on https://www.ssllabs.com/ssltest/analyze.html?d=example.com, it got an A+. But it had commented 'Inconsistent server configuration'.

And when I load the IP address, say x.x.x.x, in a browser as https://x.x.x.x it loads the same page as https://example.com but without ssl (green address bar) on it. If I load http://x.x.x.x it loads the default nginx welcome page.

I tried to set the default config (for the IP) to give a forbidden message. I added the following code:

location / {
    deny all;
}

Now when I ssl security test the example.com, it says "No secure protocols supported" and no test results appeared.

So my questions are,

What should be done with the default config that comes with nginx which loads for the IP address?

Which server_name (config file) should be set as the default_server on the 'listen' command?

What should be done with the IP which is currently forwarding https requests to the example domain?

Intended results:

Only https://example.com should be used to connect to the server, and loading the IP address can show 'page not found' or 'forbidden', since example.com will be used for php scripts on it.

SSL tests should give at least an A rating after the set configuration.

The IP address should not accept any connections directly and process them.

Answer 1:

Default configuration obviously doesn't offer SSL. Generally, you need to install an SSL certificate. There are plenty of tutorials on this. The entry point into your web pages is up to you. You're asking different questions in the same post.

Obviously you can find the answers here, and elsewhere, by searching for them.
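
A catch-all configuration for the behaviour the question asks for, as an added example that is not part of the original question or answer. When no server block on a listen address and port is marked default_server, nginx uses the first one defined for that socket, which is why https://x.x.x.x is served by the example.com block. The certificate paths below are hypothetical placeholders for a self-signed certificate, and `return 444` is one choice (403 or 404 would also fit the stated intent).

```nginx
# Added example: catch-all server for requests whose Host / SNI name
# matches no configured server_name (for example, the bare IP address).
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    # "_" is just a name that never matches a real host;
    # the default_server flag is what makes this block the fallback.
    server_name _;

    # Assumption: a self-signed placeholder certificate at hypothetical paths.
    # It is only shown to clients that do not ask for example.com.
    ssl_certificate     /etc/nginx/ssl/placeholder.crt;
    ssl_certificate_key /etc/nginx/ssl/placeholder.key;

    # Close the connection without sending any response.
    return 444;
}

# The example.com server blocks from the question stay as they are,
# without default_server, and answer only for their own server_name.
```

Only one server block per address and port may carry default_server, so the flag has to be removed from the stock default file if this block replaces it. nginx 1.19.4 and later also provide `ssl_reject_handshake on;`, which refuses the TLS handshake for unmatched names so that no placeholder certificate is needed.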