Server Name Conflict Resolution & LE SSL Resolution

I am having server_name conflicts but am not sure how I can avoid them. I have the main server where all requests end up. It is the server that feeds the sites under domain.com (main application domain) and domaingo.com (test subdomains run under it) with its data. It uses two server blocks, one for port 80 that Let's Encrypt needs and one for https that the application uses:

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/domain.com/before/*;

server {
    # listen 80;
    # listen [::]:80;
    listen  80 default_server;
    listen  [::]:80 default_server;
    server_name *.domain.com;
    # server_name default_server;
    server_tokens off;
    root /home/forge/domain.com/current/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/domain.com/xxxxxx/server.crt;
    ssl_certificate_key /etc/nginx/ssl/domain.com/xxxxxx/server.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers removed;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    # https://www.laravel-enlightn.com/docs/security/hsts-header-analyzer.html
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/domain.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/domain.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
    
    # bugnag crossorigin
    location ~ \.js {
        add_header Access-Control-Allow-Origin "*";
    }
    
    #modulesettings remove cache
    location /modulesettings/ {
	expires 0;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .domain.com;
    root /home/forge/domain.com/current/public;

    client_max_body_size 200M;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/domain.com/xxxxxx/server.crt;
    ssl_certificate_key /etc/nginx/ssl/domain.com/xxxxxx/server.key;

    ssl_protocols TLSv1.2;
    ssl_ciphers removed;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "application/json";

    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/domain.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/domain.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    #Bugsnag crossorigin
    location ~ \.js {
      add_header Access-Control-Allow-Origin "*";
    }

    #modulesettings remove cache
    location /modulesettings/ {
	expires 0;
    }
}

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/domain.com/after/*;

The go domain *domaingo.com, used for site testing, has this configuration:

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/domain.com/before/*;

server {
    listen 80;
    listen [::]:80;
    server_name *.domaingo.com;

    # Redirect to HTTPS version
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .domaingo.com;
    server_tokens off;
    root /home/forge/domain.com/current/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/domaingo.com/xxxxxx/server.crt;
    ssl_certificate_key /etc/nginx/ssl/domaingo.com/xxxxxx/server.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers removed;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    # https://www.laravel-enlightn.com/docs/security/hsts-header-analyzer.html
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/domain.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/domaingo.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .domain.com;
    root /home/forge/domain.com/current/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/domaingo.com/xxxxxx/server.crt;
    ssl_certificate_key /etc/nginx/ssl/domaingo.com/xxxxxx/server.key;

    ssl_protocols TLSv1.2;
    ssl_ciphers removed;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "application/json";

    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/domain.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/domain.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    #Bugsnag crossorigin
    location ~ \.js {
      add_header Access-Control-Allow-Origin "*";
    }

    #modulesettings remove cache
    location /modulesettings/ {
	expires 0;
    }
}
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/domain.com/after/*;

Because both domaingo.com and domain.com get data from the main application, we added a .domain.com block to the domaingo configuration file. But now we have:

nginx: [warn] conflicting server name "*.domain.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name ".domain.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "*.domain.com" on [::]:80, ignored
nginx: [warn] conflicting server name ".domain.com" on [::]:80, ignored
nginx: [warn] conflicting server name ".domain.com" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name ".domain.com" on [::]:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

We do want LE SSL certificates to be provided for all *.domain.com domains. We do not use them for *.domaingo.com, for which we use Xolphin.

FYIs:

  • both domain.com and domaingo.com load data from the app at domain.com, mainly as Axios JSON data. That is why domaingo.com uses the same root as domain.com:
server_name .domaingo.com;
server_tokens off;
root /home/forge/domain.com/current/public;
  • domaingo.com does not use LE SSL; domain.com does use LE SSL

So I wonder...

  • Can we remove the .domain.com block from the domaingo.com configuration file here?
  • Can I use default_server as server name for port 80 for domain.com and still get Let's Encrypt to access our server for sub.domain.com SSL certificate renewals?

It doesn't seem like the nginx configuration you posted shows us the complete picture. Not all of the nginx warnings make sense when comparing the two.

It might help to instead post the output of:

sudo nginx -T

which will be the full parsed configuration.


Port 80 shouldn't be using SSL.
So ignore the "DO NOT REMOVE!" and remove it.


Sorry for the delay. Been busy with Laravel/Vue development. But here are all configurations and the warnings, using the command you suggested. Neat one. I replaced domains with fictional ones as before:

nginx -T

Warnings:

nginx: [warn] conflicting server name "*.domain.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name ".domain.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "*.domain.com" on [::]:80, ignored
nginx: [warn] conflicting server name ".domain.com" on [::]:80, ignored
nginx: [warn] conflicting server name ".domain.com" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name ".domain.com" on [::]:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Main configuration:

# configuration file /etc/nginx/nginx.conf:
user forge;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	types_hash_max_size 2048;
	# server_tokens off;

	server_names_hash_bucket_size 128;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	include /home/forge/domain.com/shared/storage/tls/sites.d/*.conf;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-ssl-ct.conf:
load_module modules/ngx_ssl_ct_module.so;
load_module modules/ngx_http_ssl_ct_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip.conf:
load_module modules/ngx_stream_geoip_module.so;

MIME types:

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

Cache expiration:

# configuration file /etc/nginx/conf.d/cache_expiration.conf:
# ----------------------------------------------------------------------
# | Cache expiration                                                   |
# ----------------------------------------------------------------------

# Serve resources with far-future expiration date.
#
# (!) If you don't control versioning with filename-based
# cache busting, you should consider lowering the cache times
# to something like one week.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires

map $sent_http_content_type $expires {
  default                                 1M;

  # CSS
  ~*text/css                              1y;

  # Data interchange
  ~*application/atom\+xml                 1h;
  ~*application/rdf\+xml                  1h;
  ~*application/rss\+xml                  1h;

  ~*application/json                      0;
  ~*application/ld\+json                  0;
  ~*application/schema\+json              0;
  ~*application/geo\+json                 0;
  ~*application/xml                       0;
  ~*text/calendar                         0;
  ~*text/xml                              0;

  # Favicon (cannot be renamed!) and cursor images
  ~*image/vnd.microsoft.icon              1w;
  ~*image/x-icon                          1w;

  # HTML
  ~*text/html                             0;

  # JavaScript
  ~*application/javascript                1y;
  ~*application/x-javascript              1y;
  ~*text/javascript                       1y;

  # Manifest files
  ~*application/manifest\+json            1w;
  ~*application/x-web-app-manifest\+json  0;
  ~*text/cache-manifest                   0;

  # Markdown
  ~*text/markdown                         0;

  # Media files
  ~*audio/                                1M;
  ~*image/                                1M;
  ~*video/                                1M;

  # WebAssembly
  ~*application/wasm                      1y;

  # Web fonts
  ~*font/                                 1M;
  ~*application/vnd.ms-fontobject         1M;
  ~*application/x-font-ttf                1M;
  ~*application/x-font-woff               1M;
  ~*application/font-woff                 1M;
  ~*application/font-woff2                1M;

  # Other
  ~*text/x-cross-domain-policy            1w;
}

expires $expires;

# configuration file /etc/nginx/conf.d/gzip.conf:
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;

gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component;

Uploads and catch-all:

# configuration file /etc/nginx/conf.d/uploads.conf:
client_max_body_size 1024M;

# configuration file /etc/nginx/sites-enabled/000-catch-all:
server {
    return 404;
}

Main application domain:

# configuration file /etc/nginx/sites-enabled/domain.com:
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/domain.com/before/*;

server {
    # listen 80;
    # listen [::]:80;
    listen  80 default_server;
    listen  [::]:80 default_server;
    server_name *.domain.com;
    # server_name default_server;
    server_tokens off;
    root /home/forge/domain.com/current/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/domain.com/926074/server.crt;
    ssl_certificate_key /etc/nginx/ssl/domain.com/926074/server.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers removed;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    # https://www.laravel-enlightn.com/docs/security/hsts-header-analyzer.html
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/domain.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/domain.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    # bugnag crossorigin
    location ~ \.js {
        add_header Access-Control-Allow-Origin "*";
    }

    #modulesettings remove cache
    location /modulesettings/ {
	expires 0;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .domain.com;
    root /home/forge/domain.com/current/public;

    client_max_body_size 200M;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/domain.com/926074/server.crt;
    ssl_certificate_key /etc/nginx/ssl/domain.com/926074/server.key;

    ssl_protocols TLSv1.2;
    ssl_ciphers removed;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "application/json";

    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/domain.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/domain.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    #Bugsnag crossorigin
    location ~ \.js {
      add_header Access-Control-Allow-Origin "*";
    }

    #modulesettings remove cache
    location /modulesettings/ {
	expires 0;
    }
}

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/domain.com/after/*;

Main domain SSL redirect:

# configuration file /etc/nginx/forge-conf/domain.com/before/ssl_redirect.conf:
# Redirect every request to HTTPS...
server {
    listen 80;
    listen [::]:80;

    server_name .domain.com;
    return 301 https://$host$request_uri;
}

FastCGI params:

# configuration file /etc/nginx/fastcgi_params:
fastcgi_param   QUERY_STRING        $query_string;
fastcgi_param   REQUEST_METHOD      $request_method;
fastcgi_param   CONTENT_TYPE        $content_type;
fastcgi_param   CONTENT_LENGTH      $content_length;
fastcgi_param   SCRIPT_FILENAME     $request_filename;
fastcgi_param   SCRIPT_NAME     $fastcgi_script_name;
fastcgi_param   REQUEST_URI     $request_uri;
fastcgi_param   DOCUMENT_URI        $document_uri;
fastcgi_param   DOCUMENT_ROOT       $document_root;
fastcgi_param   SERVER_PROTOCOL     $server_protocol;
fastcgi_param   GATEWAY_INTERFACE   CGI/1.1;
fastcgi_param   SERVER_SOFTWARE     nginx/$nginx_version;
fastcgi_param   REMOTE_ADDR     $remote_addr;
fastcgi_param   REMOTE_PORT     $remote_port;
fastcgi_param   SERVER_ADDR     $server_addr;
fastcgi_param   SERVER_PORT     $server_port;
fastcgi_param   SERVER_NAME     $server_name;
fastcgi_param   HTTPS           $https if_not_empty;
fastcgi_param   REDIRECT_STATUS     200;
fastcgi_param   HTTP_PROXY  "";

Main test domain under which subdomains go for end users:

# configuration file /etc/nginx/sites-enabled/domaingo.com:
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/domain.com/before/*;

server {
    listen 80;
    listen [::]:80;
    server_name *.domaingo.com;

    # Redirect to HTTPS version
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .domaingo.com;
    server_tokens off;
    root /home/forge/domain.com/current/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/domaingo.com/1012559/server.crt;
    ssl_certificate_key /etc/nginx/ssl/domaingo.com/1012559/server.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers removed;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    # https://www.laravel-enlightn.com/docs/security/hsts-header-analyzer.html
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/domain.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/domaingo.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .domain.com;
    root /home/forge/domain.com/current/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/domaingo.com/1012559/server.crt;
    ssl_certificate_key /etc/nginx/ssl/domaingo.com/1012559/server.key;

    ssl_protocols TLSv1.2;
    ssl_ciphers removed;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "application/json";

    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/domain.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/domain.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    #Bugsnag crossorigin
    location ~ \.js {
      add_header Access-Control-Allow-Origin "*";
    }

    #modulesettings remove cache
    location /modulesettings/ {
	expires 0;
    }
}
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/domain.com/after/*;

Customer custom domain 2:

# configuration file /home/forge/domain.com/shared/storage/tls/sites.d/testdomain2.com.conf:
server {
    listen 80;
    listen [::]:80;
    server_name testdomain2.com;

    location /.well-known/acme-challenge {
        default_type "text/plain";
        alias /home/forge/domain.com/shared/storage/tls/challenges/testdomain2.com;
    }

    # Redirect to HTTPS version
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name testdomain2.com;
    root /home/forge/domain.com/current/public;

    ssl_certificate     /home/forge/domain.com/shared/storage/tls/le-storage/95865564/rsa/certificate-fullchained.crt;
    ssl_certificate_key /home/forge/domain.com/shared/storage/tls/le-storage/95865564/rsa/private.pem;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Enable server-side protection against BEAST attacks
    ssl_prefer_server_ciphers on;
    ssl_ciphers removed;

    # Disable SSLv3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Diffie-Hellman parameter for DHE ciphersuites
    # $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /home/forge/domain.com/shared/storage/tls/le-storage/95865564/rsa/certificate-fullchained.crt;

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/testdomain2.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}

Customer custom domain 1:

# configuration file /home/forge/domain.com/shared/storage/tls/sites.d/testdomain.com.conf:
server {
    listen 80;
    listen [::]:80;
    server_name testdomain.com;

    location /.well-known/acme-challenge {
        default_type "text/plain";
        alias /home/forge/domain.com/shared/storage/tls/challenges/testdomain.com;
    }

    # Redirect to HTTPS version
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name testdomain.com;
    root /home/forge/domain.com/current/public;

    ssl_certificate     /home/forge/domain.com/shared/storage/tls/le-storage/b7bd877f/rsa/certificate-fullchained.crt;
    ssl_certificate_key /home/forge/domain.com/shared/storage/tls/le-storage/b7bd877f/rsa/private.pem;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Enable server-side protection against BEAST attacks
    ssl_prefer_server_ciphers on;
    ssl_ciphers removed;

    # Disable SSLv3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Diffie-Hellman parameter for DHE ciphersuites
    # $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /home/forge/domain.com/shared/storage/tls/le-storage/b7bd877f/rsa/certificate-fullchained.crt;

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/testdomain.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}

Something still doesn't add up with the config you've posted. You report that there are 4 warnings for .domain.com on port 80, but there are only 2 such warnings in that config:

$ sudo nginx -t -c /etc/nginx/nginx-wtf.conf
nginx: [warn] conflicting server name ".domain.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name ".domain.com" on [::]:80, ignored
nginx: [warn] conflicting server name ".domain.com" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name ".domain.com" on [::]:443, ignored
nginx: the configuration file /etc/nginx/nginx-wtf.conf syntax is ok
nginx: configuration file /etc/nginx/nginx-wtf.conf test is successful

Anyway, the core issue about the conflicts is one you should fix.

For example, these two virtual hosts are redundant - only one is actually effective for .domain.com:

and

They can't both work at the same time - nginx will only make use of one of them when somebody visits abc123.domain.com (dependent on config load order). Identify which one makes sense for that server_name, and get rid of the other one.

If you want to keep the redirect virtualhost, get rid of the first one.

Same goes for the two port 443 conflicts. The virtualhosts appear to be identical, so it should be safe to get rid of either of them.


Yeah, I should remove two blocks, it seems. I was just worried about access for the customer domains, as we do need port 80 access for LE SSL checks. And as all checks go through domain.com to get data, I thought I could not remove port 80 access.

But if the custom domain already allows port 80 access, it should not really matter now, should it? If so, I can keep the redirect, remove the other block, and make sure the port 80 block has no SSL stuff, as that is for port 443.

NB

When I check the main domain, I see that http already goes 301 to https, so the block added to domaingo.com seems to be taking priority. Odd, as I thought the domain.com config was number one. But I guess I was wrong.

