Nginx почему может не работать sni?

Question

[Дмитрий]

nginx -V

nginx version: nginx/1.16.1                                                              
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)                             
built with OpenSSL 1.0.2g  1 Mar 2016                                                    
TLS SNI support enabled                                                                  
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/
lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error
.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=
/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-prox
y-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi
_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache
/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads 
--with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with
-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4
_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link
_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --
with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stre
am --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module 
--with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wp
,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,rel
ro -Wl,-z,now -Wl,--as-needed -pie'

nginx.conf практически дефолтный

user www-data;
worker_processes  4;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    limit_conn addr 10;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

#    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
	client_max_body_size 128m;
}

конфиг сайта сертификат которого отдается всем

server {
		server_name domen.ru superdomen.ru www.domen.ru;
		#listen 1.1.1.1:80;
		listen 1.1.1.1:443 ssl;
				ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate /etc/nginx/crt/2019.chained.crt;
		ssl_certificate_key /etc/nginx/crt/2019.key;
		charset UTF-8;
       
		disable_symlinks if_not_owner from=$root_path/$subdomain;
		index index.php index.shtml;
		set $root_path /opt0/www/domen.ru;
		set $subdomain "";
		if ($host ~* ^((.*).domen.ru)$) {
			set $subdomain $2;
		}
		
		 if ( $scheme = "http" ) {
	      rewrite ^/(.*)$	https://$host/$1 permanent;
        }
		location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
			root $root_path/$subdomain;

			#access_log /home/httpd-logs/domen.ru.access.log ;
			error_page 404 = @fallback;
		}
		location / {
			proxy_pass http://1.1.1.1:81;
			proxy_redirect http://1.1.1.1:81/ https://domen.ru/;
			proxy_set_header Host $host;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Real-IP $remote_addr;
		}
		location ~* ^/(webstat|awstats|webmail|phpmyadmin|pgadmin)/ {
			proxy_pass http://1.1.1.1:81;
			proxy_redirect http://1.1.1.1:81/ /;
			proxy_set_header Host $host;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Real-IP $remote_addr;
		}
		location @fallback {
			proxy_pass http://1.1.1.1:81;
			proxy_set_header Host $host;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Real-IP $remote_addr;
		}

		error_page 404 = https://domen.ru/404/;
	}

конфиг одного из поддоменов на который нужно повесить отдельный сертификат

server {
		server_name img.domen.ru www.img.domen.ru;
	listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/img.domen.ru/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/img.domen.ru/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
		charset UTF-8;
#       return 301 https://$host:443$request_uri;
		disable_symlinks if_not_owner from=$root_path/$subdomain;
		index index.php index.shtml;
		set $root_path /opt0/www/domen.ru/img.domen.ru;
		set $subdomain "";
		if ($host ~* ^((.*).domen.ru)$) {
			set $subdomain $2;
		}
		location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
			root $root_path/$subdomain;

			#access_log /home/httpd-logs/domen.ru.access.log ;
			error_page 404 = @fallback;
		}
		location / {
			proxy_pass http://1.1.1.1:81;
			proxy_redirect http://1.1.1.1:81/ /;
			proxy_set_header Host $host;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Real-IP $remote_addr;
		}
		location ~* ^/(webstat|awstats|webmail|phpmyadmin|pgadmin)/ {
			proxy_pass http://1.1.1.1:81;
			proxy_redirect http://1.1.1.1:81/ /;
			proxy_set_header Host $host;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Real-IP $remote_addr;
		}
		location @fallback {
			proxy_pass http://1.1.1.1:81;
			proxy_set_header Host $host;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Real-IP $remote_addr;
		}
	

		error_page 404 = http://domen.ru/404/;
	



}
server {
    if ($host = www.img.domen.ru) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = img.domen.ru) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


		server_name img.domen.ru www.img.domen.ru;
		listen 1.1.1.1:80;
    return 404; # managed by Certbot




}

Answer 1

[Lynn «Кофеман»]

https://nginx.org/ru/docs/http/request_processing....

Сначала nginx выбирает серверный блок исходя из IP и порта на которые пришёл запрос отдавая предпочтение наиболее точному совпадению. И только если таких блоков несколько, тогда он будет выбирать из них по директиве server_name.

В вашем случае есть два блока, в одном написано listen 1.1.1.1:443;, а во втором listen 443; (что эквивалентно listen *:443;).

Если запрос приходит на IP 1.1.1.1 порт 443, то всегда выберется первый блок.

Решение простое, либо дописывать IP во второй блок, либо убирать из первого.