Apache-2.2

RHEL/Apache ssl.conf 配置問題

  • November 17, 2010

我們有多個子域,每個子域在 httpd.conf 中都有自己的虛擬主機條目,在 ssl.conf 中也有(對於那些支持 https 的)。我們的主要 www 子域具有與之關聯的 GoDaddy 證書。我現在在我們的開發環境中配置的子域(“api.bulbstorm.com”)有一個 ssl.conf 虛擬主機條目,如下所示:

<VirtualHost 172.16.247.153:443>
 DocumentRoot "/var/www/api"
 ServerName api.bulbstorm.com:443
 ErrorLog logs/api-error_log
 CustomLog logs/api-access_log common
 LogLevel warn
 SSLEngine on
 SSLProtocol all -SSLv2
 SSLCertificateFile /var/www/certs/api/server.crt
 SSLCertificateKeyFile /var/www/certs/api/server.key
 <Files ~ "\.(cgi|shtml|phtml|php3?)$">
   SSLOptions +StdEnvVars
 </Files>
 <Directory "/var/www/cgi-bin">
   SSLOptions +StdEnvVars
 </Directory>
 <Directory "/var/www/api">
   Options +FollowSymLinks
   RewriteEngine On
   AllowOverride All
   Order allow,deny
   Allow from all
 </Directory>
 php_value include_path "/var/www/inc"
 SetEnvIf User-Agent ".*MSIE.*" \
   nokeepalive ssl-unclean-shutdown \
   downgrade-1.0 force-response-1.0
 CustomLog logs/ssl_request_log \
   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

… /var/www/certs/api/ 中的 crt 和密鑰文件是根據此處找到的說明使用 openssl 生成的。

api 子域最初指向 www 子域的 godaddy 證書。但是即使我已經將與 api 子域關聯的虛擬主機條目更改為指向自簽名證書/密鑰對(並重新啟動了 httpd,完全清除了與上一個 godaddy 證書異常相關的瀏覽器設置等)瀏覽器仍在發出警告說證書適用於 www 域。當我查看證書時,瀏覽器正在拉取它,看起來他們仍在獲得 Godaddy 證書。

在 ssl.conf 文件的較高位置有以下幾行:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

此證書/密鑰對不同於 www 子域的虛擬主機條目中引用的 godaddy 證書/密鑰對,如下所示:

SSLCertificateFile /etc/www.bulbstorm.com_ssl/www.bulbstorm.com.crt
SSLCertificateKeyFile /etc/www.bulbstorm.com_ssl/www.bulbstorm.com.key
SSLCertificateChainFile /etc/www.bulbstorm.com_ssl/gd_intermediate_bundle.crt

任何人都可以對我遇到的問題提出任何意見,我們將不勝感激。

確保 api.bulbstorm.com 和 www.bulbstorm.com 虛擬主機位於不同的 IP 地址上。這是我對具有唯一 SSL 證書的 2 個不同子域的虛擬主機配置:

/usr/local/etc/apache22/Includes/login.domain.com.ssl.conf

Listen 10.0.0.152:443

<VirtualHost 10.0.0.152:443>
ServerAdmin admin@domain.com
DocumentRoot /web0/cloud/login.domain.com/current
ServerName login.domain.com

ServerAlias www.login.domain.com login.domain.com


LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
TransferLog /var/log/www/login.domain.com-access_log
ErrorLog /var/log/www/login.domain.com-error_log

<DIRECTORY /web0/cloud/login.domain.com/current>
Allow from All
OPTIONS Indexes Includes ExecCGI FollowSymLinks
AllowOverride ALL
</DIRECTORY>

IndexOptions FancyIndexing

AddType application/x-httpd-php .html

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/login.domain.com.crt"
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/login.domain.com.key"
SSLCertificateChainFile "/usr/local/etc/apache22/ssl.crt/comodo.ca-bundle"

BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0


</VirtualHost>

/usr/local/etc/apache22/Includes/admin.domain.com.ssl.conf

Listen 10.0.0.151:443

<VirtualHost 10.0.0.151:443>
ServerAdmin admin@domain.com
DocumentRoot /web0/cloud/admin.domain.com/current
ServerName admin.domain.com

ServerAlias www.admin.domain.com admin.domain.com

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
TransferLog /var/log/www/admin.domain.com-access_log
ErrorLog /var/log/www/admin.domain.com-error_log

<DIRECTORY /web0/cloud/admin.domain.com/current>
Allow from All
OPTIONS Indexes Includes ExecCGI FollowSymLinks
AllowOverride ALL
</DIRECTORY>

IndexOptions FancyIndexing

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/admin.domain.com.crt"
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/admin.domain.com.key"
SSLCertificateChainFile "/usr/local/etc/apache22/ssl.crt/comodo.ca-bundle"

BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0


</VirtualHost>

引用自:https://serverfault.com/questions/45433