伺服器名稱安全連接 - 鬆散匹配
我們更新了 Apache 部署配置,以允許對我們的伺服器 (
https://example.com
) 進行非 www 請求。對於 https 連接,我們需要這個,因為名稱與證書不匹配。這很好,儘管最近我們注意到我們的本地部署安全環境 (https://chris.example.com
) 也指向這個新部署。我們註釋掉了新部署,以確認這是導致它的更改,它確實是。我們假設這是來自servername
我們設置的設置。這是我們的初始設置:NameVirtualHost example.com:443 <VirtualHost example.com:443> ServerAdmin webmaster@example.com DocumentRoot /var/www/html/www.example.com ServerName example.com SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP SSLProtocol all SSLCertificateFile /usr/local/ssl/crt/example2017.cert SSLCertificateKeyFile /usr/local/ssl/private/ssl2017.key SSLCACertificateFile /usr/local/ssl/crt/example2017intermediate.pem DirectoryIndex index.html DirectoryIndex index.php LogLevel notice ErrorLog /var/log/httpd/www.example.com/error.log LogFormat "%{%Y-%m-%d %H:%M:%S}t %a %u %A %p %m %U %q %>s \"%{User-agent}i\"" w3c_extended CustomLog /var/log/httpd/www.example.com/access.log w3c_extended </VirtualHost>
在註釋成功後,我們認為這是
ServerName
一個鬆散的匹配,我們在 Apache 網站上閱讀了以下內容:有時,伺服器在處理 SSL 的設備後面執行,例如反向代理、負載平衡器或 SSL 解除安裝設備。在這種情況下,請在 ServerName 指令中指定客戶端連接的 https:// 方案和埠號,以確保伺服器生成正確的自引用 URL。
所以我們
servername
將條目更新為:ServerName https://example.com:443
這允許首頁 (
https://example.com
) 仍然載入和重定向,但開發環境 (https://chris.example.com
) 再次從中載入。我最初正在考慮嘗試一個明確的起始規則:ServerName ^example.com
但我找不到任何地方說
servername
接受正則表達式。有沒有辦法做到這一點,還是我自己走錯了路,問題出在其他地方?這是
httpd -S
輸出:VirtualHost configuration: 192.168.0.0:443 is a NameVirtualHost default server example.com (/etc/httpd/conf/httpd.conf:1065) port 443 namevhost example.com (/etc/httpd/conf/httpd.conf:1065) wildcard NameVirtualHosts and _default_ servers: *:443 is a NameVirtualHost default server *.example.com (/etc/httpd/conf.d/ssl.conf:74) port 443 namevhost *.example.com (/etc/httpd/conf.d/ssl.conf:74) port 443 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1046) port 443 namevhost chris.example.com (/etc/httpd/conf/httpd.conf:1096) port 443 namevhost dan.example.com (/etc/httpd/conf/httpd.conf:1129) port 443 namevhost rich.example.com (/etc/httpd/conf/httpd.conf:1159) port 443 namevhost rich2.example.com (/etc/httpd/conf/httpd.conf:1189) port 443 namevhost danny12.example.com (/etc/httpd/conf/httpd.conf:1219) port 443 namevhost nick.example.com (/etc/httpd/conf/httpd.conf:1249) port 443 namevhost cdn.example.com (/etc/httpd/conf/httpd.conf:1300) port 443 namevhost origin_server.example.com (/etc/httpd/conf/httpd.conf:1316) *:80 is a NameVirtualHost default server www.example.com (/etc/httpd/conf/httpd.conf:1034) port 80 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1034) port 80 namevhost dfw.example.com (/etc/httpd/conf/httpd.conf:1084) port 80 namevhost chris.example.com (/etc/httpd/conf/httpd.conf:1114) port 80 namevhost dan.example.com (/etc/httpd/conf/httpd.conf:1147) port 80 namevhost rich.example.com (/etc/httpd/conf/httpd.conf:1177) port 80 namevhost rich2.example.com (/etc/httpd/conf/httpd.conf:1207) port 80 namevhost danny12.example.com (/etc/httpd/conf/httpd.conf:1237) port 80 namevhost nick.example.com (/etc/httpd/conf/httpd.conf:1267) port 80 namevhost origin_server.example.com (/etc/httpd/conf/httpd.conf:1279) port 80 namevhost cdn.example.com (/etc/httpd/conf/httpd.conf:1290) Syntax OK
新部署從第 1064 行開始,到第 1081 行結束。
在對聊天進行更徹底的調查後,似乎有兩種
NameBasedVirtualHost
聲明,一種是針對*:443
,另一種是針對example.com:443
前者俱有所有子域VirtualHost
聲明,而後者只有一個針對example.com
自身。通過一個聲明使其統一,
NameBasedVirtualHost *:443
所有子域和引用它的主域解決了這個問題。