Opened 5 years ago

Closed 5 years ago

#1895 closed defect (worksforme)

Serious issue with .site domain extension

Reported by: xnokia@…
Owned by:
Priority: minor
Milestone:
Component: other
Version: 1.17.x
Keywords:
Cc:
uname -a: Linux 5.3.7-1.el7.elrepo.x86_64 #1 SMP Thu Oct 17 18:17:07 EDT 2019 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.17.5
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.1.1c 28 May 2019
TLS SNI support enabled
configure arguments: --with-http_geoip_module --sbin-path=/usr/local/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_realip_module --http-client-body-temp-path=/tmp/nginx_client --http-proxy-temp-path=/tmp/nginx_proxy --http-fastcgi-temp-path=/tmp/nginx_fastcgi --with-http_ssl_module --with-openssl=/usr/local/src/openssl --with-http_stub_status_module --with-threads --with-file-aio --with-http_v2_module

Description

Hi there,
I have a problem where nginx treats .site domains as one, so if I have multiple vhosts for the .site domain, for example hello.site and hello2.site, each of them in a file with a dedicated server_name, one of them will be applied to both. This happens for me only with .site domain extensions. I will share my vhost config here:

##########################SSL Start#####################################
server {

    real_ip_header CF-Connecting-IP;

    ##error_log /var/log/nginx/2020.com debug;
    #error_log /dev/null crit;
    #error_log off;
    include mime.types;

    default_type application/json;

    listen 123:443 ssl;
    listen 123:80;

    server_name 123123.site;

    keepalive_timeout 30;

    ssl_certificate /etc/nginx/ssl/w2020/2019.pem;
    ssl_certificate_key /etc/nginx/ssl/w2020/2019.key;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    ## OCSP Stapling
    resolver 8.8.8.8 8.8.4.4;
    ssl_stapling off;
    ssl_stapling_verify off;
    ssl_trusted_certificate /etc/nginx/ssl/2020/2019.pem;
    ssl_verify_client off;

    access_log off;
    log_not_found off;

    error_page 404 =301 /;

    root /home/1234123/public_html;

    # add_header X-Cache $upstream_cache_status;

    index index.php;
    charset utf-8;

    if ($request_uri ~* "/contacts(-amp)?/|/directory|home.php|/admin") {
        return 500;
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
        #access_log /var/log/nginx/accessAPI.log addHeaderlog;

        aio threads;
    }

    location ~ /\.env {
        deny all;
    }

    location ~*.*\.(jpg|png|ico|gif|mp4|js|css|svg|woff)$ {
        expires 1M;

        ## No need to bleed constant updates. Send the all shebang in one
        ## fell swoop.
        tcp_nodelay off;
        ## Set the OS file cache.

        access_log off;

        open_file_cache max=3000 inactive=60m;
        open_file_cache_valid 5m;
        open_file_cache_min_uses 1;
        open_file_cache_errors off;
    }

    location ~ .*\.php$ {
        try_files $uri =404;
        #access_log /var/log/nginx/accessAPI.log addHeaderlog;
        access_log off;

        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        fastcgi_keep_conn on;

        fastcgi_pass unix:/tmp/mm70.socket;
        fastcgi_index index.php;

        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }

}

##########################SSL Start Finish#####################################

Change History (1)

comment:1 by Maxim Dounin, 5 years ago

Resolution: worksforme
Status: new → closed

The configuration snippet provided contains only one server { ... } block. If there are no other server blocks in the configuration, listening on the same address, this server block will be used to process all requests in connections to the listening socket in question.

In contrast, two distinct server blocks with distinct server_name directives can be used to handle requests differently, for example:

server {
    listen 8080;
    server_name hello.site;
    return 200 $server_name\n;
}

server {
    listen 8080;
    server_name hello2.site;
    return 200 $server_name\n;
}

And a quick test shows it works properly:

$ curl -H 'Host: hello.site' http://127.0.0.1:8080/
hello.site
$ curl -H 'Host: hello2.site' http://127.0.0.1:8080/
hello2.site

If you think there is a bug in nginx, please provide the full configuration (preferably minimal) which demonstrates the problem, as shown by nginx -T. It might be a good idea to check the configuration first though, as most likely there is something wrong with your configuration or your tests, rather than nginx logic - the above example clearly demonstrates that the logic works as expected. The most common mistake is to configure additional server blocks only listening on wrong listening sockets, making them effectively useless.

For more information on how nginx selects server blocks to handle requests, consider reading the "How nginx processes a request" article. If you have additional questions, please use the support options available.
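The comment above points at the two things that decide which server block answers a request: the listen address:port the connection arrived on, and then the Host header tested against the server_name entries of the blocks on that address only. The script below is an added illustration written for this ticket, not nginx code and not part of the ticket; it models the documented selection order (exact name, longest wildcard starting with "*", longest wildcard ending with "*", first matching regex, else the address's default server) over a constructed configuration. The IP addresses, host names and labels are made up; the model ignores IPv6 literals, unix sockets, SNI and the ssl/http2 listen flags.

```python
"""Toy model of how nginx picks a server block for a request, following
the order documented in "How nginx processes a request". Added for this
ticket as an illustration; it is not nginx code."""

import re
from dataclasses import dataclass


@dataclass
class Server:
    names: list      # server_name entries in config order ("~" prefix = regex)
    listens: list    # (ip or "*", port, default_server) tuples
    label: str       # what the block would answer, like $server_name


def expand_names(names):
    """server_name values are case-insensitive; the ".example.org" form
    stands for both example.org and *.example.org. Regex names ("~...")
    are passed through untouched."""
    out = []
    for n in names:
        if n.startswith("~"):
            out.append(n)
        elif n.startswith("."):
            out += [n[1:].lower(), "*" + n.lower()]
        else:
            out.append(n.lower())
    return out


def candidates_for(servers, local_ip, port):
    """Step 1: servers are grouped per listen address. A connection to
    ip:port is handled by the servers that list exactly that ip:port; the
    *:port group is consulted only when no server names the IP itself.
    A server that only lists the wildcard address is therefore never a
    candidate on an IP that some other server names explicitly."""
    for ip in (local_ip, "*"):
        group = [s for s in servers
                 if any(a == ip and p == port for a, p, _ in s.listens)]
        if group:
            return (ip, port), group
    return None, []


def default_for(addr, group):
    """default_server if flagged on this address, else the first listed."""
    for s in group:
        if any((a, p) == addr and d for a, p, d in s.listens):
            return s
    return group[0]


def normalize_host(host):
    """nginx lowercases the Host and drops a trailing dot and the :port."""
    host = host.strip().lower().rstrip(".")
    return host.split(":", 1)[0]      # bracketed IPv6 literals not modelled


def select_server(servers, local_ip, port, host):
    addr, group = candidates_for(servers, local_ip, port)
    if not group:
        return None                   # nothing listens on that address
    host = normalize_host(host)

    # 2a. exact name
    for s in group:
        exact = [n for n in expand_names(s.names)
                 if not n.startswith(("*", "~")) and not n.endswith("*")]
        if host in exact:
            return s
    # 2b. longest wildcard starting with "*" (e.g. *.site), then
    # 2c. longest wildcard ending with "*"   (e.g. mail.*)
    for kind in ("*.", ".*"):
        best = None
        for s in group:
            for n in expand_names(s.names):
                ok = ((kind == "*." and n.startswith("*.") and host.endswith(n[1:]))
                      or (kind == ".*" and n.endswith(".*") and host.startswith(n[:-1])))
                if ok and (best is None or len(n) > len(best[1])):
                    best = (s, n)
        if best:
            return best[0]
    # 2d. first matching regex in config order (nginx compiles these caseless)
    for s in group:
        for n in s.names:
            if n.startswith("~") and re.search(n[1:], host, re.IGNORECASE):
                return s
    # 2e. no name matched: the address's default server gets the request,
    #     whatever the Host header says
    return default_for(addr, group)


# Constructed example config: the ticket's two .site hosts on 10.0.0.5:443,
# a *.site catch-all, a regex name, and one server that only lists the
# wildcard address (the "wrong listening socket" mistake).
CONF = [
    Server(["hello.site"],                 [("10.0.0.5", 443, False)], "hello.site"),
    Server(["hello2.site"],                [("10.0.0.5", 443, False)], "hello2.site"),
    Server(["*.site"],                     [("10.0.0.5", 443, False)], "any.site"),
    Server([r"~^api\d+\.(site|example)$"], [("10.0.0.5", 443, False)], "api-regex"),
    Server(["hello3.site"],                [("*", 443, False)],        "hello3.site"),
]


def which(local_ip, port, host):
    s = select_server(CONF, local_ip, port, host)
    return s.label if s else None


if __name__ == "__main__":
    for ip, host in [("10.0.0.5", "hello.site"), ("10.0.0.5", "hello2.site"),
                     ("10.0.0.5", "HELLO2.SITE:443"), ("10.0.0.5", "api42.site"),
                     ("10.0.0.5", "api42.example"), ("10.0.0.5", "hello3.site"),
                     ("10.0.0.5", "evil.example"), ("10.0.0.6", "hello3.site")]:
        print(f"{ip}:443 Host={host:16} -> {which(ip, 443, host)}")
```

Two results are worth checking against a real deployment: a Host of hello3.site arriving on 10.0.0.5:443 never reaches the hello3.site block, because that block only lists the wildcard address, and any Host that matches nothing (evil.example) is served by the first block on the address. The second is the security-relevant one: a vhost that must not answer for unrelated names needs an explicit default_server on each listen socket (a common choice is a block with server_name _; that returns 444), otherwise it is the catch-all by accident.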
