Apache-2.2

ServerName on secure connections - loose matching

  • March 13, 2017

We updated our Apache deployment configuration to allow non-www requests to our server (https://example.com). We needed this for https connections, because the name did not match the certificate. This worked fine, although we recently noticed that our local secure deployment environment (https://chris.example.com) was also pointing at this new deployment. We commented out the new deployment to confirm that this was the change causing it, and it was. We assume this comes from the ServerName setting we configured. This is our initial setup:

NameVirtualHost example.com:443
<VirtualHost example.com:443>
   ServerAdmin webmaster@example.com
   DocumentRoot /var/www/html/www.example.com
   ServerName example.com
   SSLEngine on
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
   SSLProtocol all
   SSLCertificateFile /usr/local/ssl/crt/example2017.cert
   SSLCertificateKeyFile /usr/local/ssl/private/ssl2017.key
   SSLCACertificateFile /usr/local/ssl/crt/example2017intermediate.pem
   DirectoryIndex index.html
   DirectoryIndex index.php
   LogLevel notice
   ErrorLog /var/log/httpd/www.example.com/error.log
   LogFormat "%{%Y-%m-%d %H:%M:%S}t %a %u %A %p %m %U %q %>s \"%{User-agent}i\"" w3c_extended
   CustomLog /var/log/httpd/www.example.com/access.log w3c_extended
</VirtualHost>

After commenting it out worked, we thought ServerName was doing a loose match, and we read the following on the Apache website:

Sometimes, the server runs behind a device that processes SSL, such as a reverse proxy, load balancer or SSL offload appliance. When this is the case, specify the https:// scheme and the port number to which the clients connect in the ServerName directive to make sure that the server generates the correct self-referential URLs.

So we updated our ServerName entry to:

ServerName https://example.com:443

This allowed the home page (https://example.com) to still load and redirect, but the development environment (https://chris.example.com) was again being loaded from it. I was initially considering trying an explicit start-of-string rule:

ServerName ^example.com

But I could not find anywhere that says ServerName accepts regular expressions. Is there a way to do this, or am I on the wrong track and the problem lies elsewhere?

Here is the httpd -S output:

VirtualHost configuration:
192.168.0.0:443     is a NameVirtualHost
        default server example.com (/etc/httpd/conf/httpd.conf:1065)
        port 443 namevhost example.com (/etc/httpd/conf/httpd.conf:1065)
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
        default server *.example.com (/etc/httpd/conf.d/ssl.conf:74)
        port 443 namevhost *.example.com (/etc/httpd/conf.d/ssl.conf:74)
        port 443 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1046)
        port 443 namevhost chris.example.com (/etc/httpd/conf/httpd.conf:1096)
        port 443 namevhost dan.example.com (/etc/httpd/conf/httpd.conf:1129)
        port 443 namevhost rich.example.com (/etc/httpd/conf/httpd.conf:1159)
        port 443 namevhost rich2.example.com (/etc/httpd/conf/httpd.conf:1189)
        port 443 namevhost danny12.example.com (/etc/httpd/conf/httpd.conf:1219)
        port 443 namevhost nick.example.com (/etc/httpd/conf/httpd.conf:1249)
        port 443 namevhost cdn.example.com (/etc/httpd/conf/httpd.conf:1300)
        port 443 namevhost origin_server.example.com (/etc/httpd/conf/httpd.conf:1316)
*:80                   is a NameVirtualHost
        default server www.example.com (/etc/httpd/conf/httpd.conf:1034)
        port 80 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1034)
        port 80 namevhost dfw.example.com (/etc/httpd/conf/httpd.conf:1084)
        port 80 namevhost chris.example.com (/etc/httpd/conf/httpd.conf:1114)
        port 80 namevhost dan.example.com (/etc/httpd/conf/httpd.conf:1147)
        port 80 namevhost rich.example.com (/etc/httpd/conf/httpd.conf:1177)
        port 80 namevhost rich2.example.com (/etc/httpd/conf/httpd.conf:1207)
        port 80 namevhost danny12.example.com (/etc/httpd/conf/httpd.conf:1237)
        port 80 namevhost nick.example.com (/etc/httpd/conf/httpd.conf:1267)
        port 80 namevhost origin_server.example.com (/etc/httpd/conf/httpd.conf:1279)
        port 80 namevhost cdn.example.com (/etc/httpd/conf/httpd.conf:1290)
Syntax OK

The new deployment starts at line 1064 and ends at line 1081.

After investigating more thoroughly in chat, it appears there were two NameVirtualHost declarations, one for *:443 and another for example.com:443. The former has all the subdomain VirtualHost declarations, while the latter has only the one for example.com itself.

Unifying them under a single NameVirtualHost *:443 declaration, with all subdomains and the main domain referencing it, resolved the issue.

Source: https://serverfault.com/questions/836861
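The resolution above is easier to see once the two-stage lookup httpd performs is spelled out: first it picks the set of VirtualHosts bound to the connection's exact IP:port (the wildcard *:port set is only consulted when no exact set exists), and only then does it compare the SNI/Host name against ServerName and ServerAlias inside that set, falling back to the set's first vhost (the "default server" line in httpd -S). The example below is an added simulation of that logic, written for this page; it is not code from the post or from httpd. The vhost lists are constructed to mirror the httpd -S listing, the resolver mapping example.com to 192.168.0.0 is taken from that output, and 10.0.0.5 is an arbitrary second address used only to show the wildcard path.

```python
"""Simulation of Apache httpd 2.2 virtual-host selection (added example).

Reproduces the symptom from the post: an exact-address set (example.com:443)
shadows the wildcard set (*:443) for that IP, so every HTTPS request arriving
at that IP is answered by the single vhost in the exact set.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass
class VHost:
    address: str                                      # text inside <VirtualHost ...>
    server_name: str                                  # ServerName
    aliases: List[str] = field(default_factory=list)  # ServerAlias entries (may use * and ?)


def _resolve_address(address: str, resolver: Dict[str, str]):
    """Turn the <VirtualHost> address into (ip, port) as httpd does at startup.
    Hostnames are resolved once at config-parse time; '*' and '_default_' stay wildcards.
    The resolver dict is an assumption standing in for DNS."""
    host, _, port = address.rpartition(":")
    if host in ("*", "_default_"):
        return "*", int(port)
    return resolver.get(host, host), int(port)


def select_vhost(vhosts: List[VHost], resolver: Dict[str, str],
                 conn_ip: str, conn_port: int,
                 requested_name: Optional[str]) -> Optional[VHost]:
    """Stage 1: vhosts bound to the exact ip:port win; the *:port set is used only
    when nothing is bound to that exact address.
    Stage 2: within the chosen set, match the SNI/Host name against ServerName and
    ServerAlias (case-insensitive); no match means the first vhost of the set."""
    exact = [v for v in vhosts
             if _resolve_address(v.address, resolver) == (conn_ip, conn_port)]
    wildcard = [v for v in vhosts
                if _resolve_address(v.address, resolver) == ("*", conn_port)]
    candidates = exact or wildcard
    if not candidates:
        return None
    if requested_name:
        name = requested_name.lower()
        for v in candidates:
            if name == v.server_name.lower() or any(
                    fnmatchcase(name, a.lower()) for a in v.aliases):
                return v
    return candidates[0]


# Constructed from the httpd -S listing in the post: example.com resolved to 192.168.0.0.
RESOLVER = {"example.com": "192.168.0.0"}

# Broken layout: example.com sits in its own exact-address set, everything else in *:443.
SPLIT_CONFIG = [
    VHost("*:443", "*.example.com"),          # conf.d/ssl.conf default for *:443
    VHost("*:443", "www.example.com"),
    VHost("example.com:443", "example.com"),  # the new deployment, its own address set
    VHost("*:443", "chris.example.com"),
    VHost("*:443", "dan.example.com"),
]

# Fixed layout from the post's resolution: one *:443 set holds the main domain too.
UNIFIED_CONFIG = [
    VHost("*:443", "*.example.com"),
    VHost("*:443", "www.example.com"),
    VHost("*:443", "example.com"),
    VHost("*:443", "chris.example.com"),
    VHost("*:443", "dan.example.com"),
]


def served_by(config: List[VHost], conn_ip: str, name: Optional[str]) -> Optional[str]:
    """ServerName of the vhost that would answer an HTTPS request for `name` at `conn_ip`."""
    v = select_vhost(config, RESOLVER, conn_ip, 443, name)
    return v.server_name if v else None


if __name__ == "__main__":
    for cfg_name, cfg in (("split", SPLIT_CONFIG), ("unified", UNIFIED_CONFIG)):
        for host in ("example.com", "chris.example.com", "unknown.example.com"):
            print(f"{cfg_name:8} {host:22} -> {served_by(cfg, '192.168.0.0', host)}")
```

With the split configuration every name arriving at 192.168.0.0:443, including chris.example.com, lands on the example.com vhost, because the exact-address set contains nothing else and httpd never falls through to the *:443 set for that IP; a request to any other IP (where no exact set exists) is routed correctly, which is why the problem only appeared once the main domain was moved to its own address. Moving the main domain into the single *:443 set restores normal name-based matching, and an unknown name falls back to that set's first vhost, the ssl.conf default. The same two-stage logic is what httpd -S summarizes, so comparing its "default server" lines per address against what you expect is the quick check for this class of misconfiguration.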