Ssl

Apache webserver HTTPS 埠重定向到帶有埠 443 的 HTTP

  • January 12, 2016

在我的工作中,我使用 PHP 5 在 Apache 網路伺服器 2.4.6 上安裝了 Mediawiki(最新版本)。當我想在本地訪問 wiki 頁面並在 Mediawiki 中配置主機名時,一切正常

$wgServer = https://en.wiki.example.com. 

現在,一旦我在 Mediawik 中清除了這個主機名配置,它就應該獲取它獲取網路伺服器的主機名。發生這種情況,但主機名的格式是

http://en.wiki.example.com:443 

這是一個不正確的 URL(因為混合了 HTTP 和 HTTPS)。

我認為這是一個 Apache 問題,因為當我嘗試瀏覽到

https://en.wiki.example.com/wiki 

它重定向到

http://en.wiki.example.com:443/wiki/index.php/Main_Page

我收到一個錯誤的請求錯誤。wiki 後面的斜杠沒有任何效果。

虛擬主機:

<VirtualHost *:443>
ServerName https://en.wiki.example.com
ServerAlias https://en.wiki.example.com en.wiki.external.com
Alias /wiki /var/www/wiki-en
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
<Directory /var/www/wiki-en>
   Options Indexes FollowSymLinks
   AllowOverride None
   Require all granted
</Directory>
</VirtualHost>

SSL + 預設虛擬主機:

Listen 443 https

NameVirtualHost *:443

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

SSLStrictSNIVHostCheck off

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the 
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names.  NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly. 
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/certificates/certificate.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/certificates/certificateprivatekey.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#   Access Control:
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
   SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
   SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

#   Per-Server Logging:
CustomLog logs/ssl_request_log \
         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost> 

因為樣式表和腳本位置都已解析,所以我看到相同的 URL 模式(

http://en.wiki.example.com:443/wiki/load.php....

)。Mediawiki 中的 URL 變數也是如此。有誰看到我在這裡做錯了什麼?提前致謝。我還添加了下劃線以刪除此問題中的連結格式。

編輯:更新的網址。

乍一看:您需要SSLEngine on在每個需要支持 SSL 的 VirtualHost 條目中添加一個。預設情況下,主伺服器和所有配置的虛擬主機都禁用 SSL/TLS 協議引擎。

此外,該ServerAlias指令後面應該跟一個主機名,而不是一個 URL;離開https://那裡。

確保您有相同的內容ServerAlias並在配置文件的部分中ServerName列出。<VirtualHost *:80>否則,Apache 將不知道如何處理 wiki 的非安全 (http) 請求,而是提供唯一可查看的選項,該選項可在埠 443 上使用。

引用自:https://serverfault.com/questions/748404