Why does this nginx server redirect to a wrong domain?

My nginx webserver has two domains to serve, server1.eu and server2.eu. Why do they interfere with each other?
When forcing nginx to listen only on IPv4 and browsing to server1.eu, there's an SSL certificate mismatch (only valid for server2.eu), and after forcing acceptance of the certificate there's a 301 redirect to server2.eu.
With server2.eu removed from sites-enabled, and server1.eu IPv4 disabled in the nginx server setup, it results in "no connection to server" when browsing to server1.eu.
With server2.eu removed from sites-enabled, and server1.eu IPv6 disabled in the nginx server setup, it seemingly works normally, and there is no SSL certificate mismatch and no 301 redirect.
Again restoring server2.eu and disabling server1.eu IPv4 in the nginx server setup results in an SSL certificate mismatch (only valid for server2.eu), and after forcing acceptance of the certificate, a 301 redirect to server2.eu.
find /etc/nginx/{conf.d,sites-enabled} gives
    /etc/nginx/sites-enabled/server1.eu
    /etc/nginx/sites-enabled/server2.eu
The zone file records:
    AAAA server1.eu directs to IPv6 address
    A    server1.eu directs to IPv4 address
    AAAA server2.eu directs to IPv6 address
    A    server2.eu directs to IPv4 address

The nginx server configuration:

    server {
        listen 80;
        listen [::]:80;
        return 301 https://www.server1.eu;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/letsencrypt/live/server1.eu/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/server1.eu/privkey.pem;
        include snippets/ssl-params.conf;
        server_name www.server1.eu;
        root /var/www/server1.eu/webroot;
        index index.php index.html index.htm;

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
            include fastcgi.conf;
            fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        }
    }
and
    server {
        listen 80;
        listen [::]:80;
        server_name www.server2.eu;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/letsencrypt/live/server2.eu/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/server2.eu/privkey.pem;
        include snippets/ssl-params.conf;
        server_name www.server2.eu;
        root /var/www/server2.eu/webroot;
        index index.php index.html index.htm;

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
            include fastcgi.conf;
            fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        }
    }
1 Answer
The nginx webserver listening to IPv6 takes precedence over IPv4 and interferes with SNI. Testing with removing servers reveals the default behaviour of nginx.
Remove all servers except server 1, with IPv4 and IPv6 enabled, reload nginx, then activate server 2, with only an IPv4 listener and reload nginx again. Browsing to server 2 will let you end up at server 1. It appears that nginx automatically listens to the first added IPv6. So interchanging the sequence of activation will switch the routing.
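
An added configuration example, not part of the original question or answer: nginx picks a default server per listen address:port, and without an explicit default_server that is the first server block loaded for that socket, so a site missing one address family hands its traffic to whichever site owns the other family's socket. The file name 00-default is hypothetical, and ssl_reject_handshake assumes nginx 1.19.4 or later.

```nginx
# /etc/nginx/sites-enabled/00-default  (hypothetical file name)
# Explicit catch-all for every address family and port, so an unmatched
# Host/SNI name is refused instead of falling through to another site.

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;                  # close the connection without a response
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;     # nginx >= 1.19.4: no certificate is presented
}

# Every real site then declares BOTH listeners and its own server_name on
# BOTH ports. Weak form seen on the page: a port-80 block with no
# server_name, or a site with only one address family enabled.

server {
    listen 80;
    listen [::]:80;
    server_name www.server2.eu;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.server2.eu;
    ssl_certificate     /etc/letsencrypt/live/server2.eu/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/server2.eu/privkey.pem;
    root /var/www/server2.eu/webroot;
}
```

With the catch-all in place, a request that reaches the wrong socket fails closed rather than being answered with another site's certificate or redirect, which makes a missing listener visible immediately.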