Apache-2.2
RHEL/Apache ssl.conf 配置問題
我們有多個子域,每個子域在 httpd.conf 中都有自己的虛擬主機條目,在 ssl.conf 中也有(對於那些支持 https 的)。我們的主要 www 子域具有與之關聯的 GoDaddy 證書。我現在在我們的開發環境中配置的子域(“api.bulbstorm.com”)有一個 ssl.conf 虛擬主機條目,如下所示:
<VirtualHost 172.16.247.153:443> DocumentRoot "/var/www/api" ServerName api.bulbstorm.com:443 ErrorLog logs/api-error_log CustomLog logs/api-access_log common LogLevel warn SSLEngine on SSLProtocol all -SSLv2 SSLCertificateFile /var/www/certs/api/server.crt SSLCertificateKeyFile /var/www/certs/api/server.key <Files ~ "\.(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> <Directory "/var/www/cgi-bin"> SSLOptions +StdEnvVars </Directory> <Directory "/var/www/api"> Options +FollowSymLinks RewriteEngine On AllowOverride All Order allow,deny Allow from all </Directory> php_value include_path "/var/www/inc" SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" </VirtualHost>
… /var/www/certs/api/ 中的 crt 和密鑰文件是根據此處找到的說明使用 openssl 生成的。
api 子域最初指向 www 子域的 godaddy 證書。但是即使我已經將與 api 子域關聯的虛擬主機條目更改為指向自簽名證書/密鑰對(並重新啟動了 httpd,完全清除了與上一個 godaddy 證書異常相關的瀏覽器設置等)瀏覽器仍在發出警告說證書適用於 www 域。當我查看證書時,瀏覽器正在拉取它,看起來他們仍在獲得 Godaddy 證書。
在 ssl.conf 文件的較高位置有以下幾行:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
此證書/密鑰對不同於 www 子域的虛擬主機條目中引用的 godaddy 證書/密鑰對,如下所示:
SSLCertificateFile /etc/www.bulbstorm.com_ssl/www.bulbstorm.com.crt SSLCertificateKeyFile /etc/www.bulbstorm.com_ssl/www.bulbstorm.com.key SSLCertificateChainFile /etc/www.bulbstorm.com_ssl/gd_intermediate_bundle.crt
任何人都可以對我遇到的問題提出任何意見,我們將不勝感激。
確保 api.bulbstorm.com 和 www.bulbstorm.com 虛擬主機位於不同的 IP 地址上。這是我對具有唯一 SSL 證書的 2 個不同子域的虛擬主機配置:
/usr/local/etc/apache22/Includes/login.domain.com.ssl.conf
Listen 10.0.0.152:443 <VirtualHost 10.0.0.152:443> ServerAdmin admin@domain.com DocumentRoot /web0/cloud/login.domain.com/current ServerName login.domain.com ServerAlias www.login.domain.com login.domain.com LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" TransferLog /var/log/www/login.domain.com-access_log ErrorLog /var/log/www/login.domain.com-error_log <DIRECTORY /web0/cloud/login.domain.com/current> Allow from All OPTIONS Indexes Includes ExecCGI FollowSymLinks AllowOverride ALL </DIRECTORY> IndexOptions FancyIndexing AddType application/x-httpd-php .html SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/login.domain.com.crt" SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/login.domain.com.key" SSLCertificateChainFile "/usr/local/etc/apache22/ssl.crt/comodo.ca-bundle" BrowserMatch ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 </VirtualHost>
/usr/local/etc/apache22/Includes/admin.domain.com.ssl.conf
Listen 10.0.0.151:443 <VirtualHost 10.0.0.151:443> ServerAdmin admin@domain.com DocumentRoot /web0/cloud/admin.domain.com/current ServerName admin.domain.com ServerAlias www.admin.domain.com admin.domain.com LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" TransferLog /var/log/www/admin.domain.com-access_log ErrorLog /var/log/www/admin.domain.com-error_log <DIRECTORY /web0/cloud/admin.domain.com/current> Allow from All OPTIONS Indexes Includes ExecCGI FollowSymLinks AllowOverride ALL </DIRECTORY> IndexOptions FancyIndexing SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/admin.domain.com.crt" SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/admin.domain.com.key" SSLCertificateChainFile "/usr/local/etc/apache22/ssl.crt/comodo.ca-bundle" BrowserMatch ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 </VirtualHost>