Ssl
Apache 的理想設置,用於在單個 IP 上使用 SNI 的多個 SSL 證書
我正在尋找在 Amazon Linux Distro 中的 Apache 2.4.33 上實現此設置的最有效方法:
- 單個伺服器實例(此處:AWS EC2)
- 單個關聯 IP
- 兩個(或更多)域,每個域都有自己的 SSL 證書
- 一個適用於所有其他人的預設 SSL 虛擬主機,用於設置諸如
SSLProtocol
、FilesMatch
和BrowserMatch
僅一次- 每個域都有一個專用的 VirtualHost,它指向相應的文件並設置文件根目錄
這個設置有問題嗎?
1)
/etc/httpd/conf.d/ssl.conf
(整個文件):Listen 443 https SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog SSLSessionCache shmcb:/run/httpd/sslcache(512000) SSLSessionCacheTimeout 300 SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin SSLCryptoDevice builtin # default settings for all VirtualHosts <VirtualHost *:443> LogLevel warn SSLProtocol all -SSLv3 SSLProxyProtocol all -SSLv3 SSLHonorCypherOrder o #use OpenSSL default #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 #SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!MD5 <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory "/var/www/cgi-bin"> SSLOptions +StdEnvVars </Directory> BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" </VirtualHost>
2)
/etc/httpd/cond.f/vhosts.conf
# foo.com <VirtualHost *:80> ServerName foo.com ServerAlias www.foo.com Redirect 301 / https://foo.com </VirtualHost> <VirtualHost *:443> ServerName foo.com:443 ServerAlias www.foo.com:443 DocumentRoot "/var/www/foo" SSLEngine on SSLCertificateFile /etc/pki/tls/certs/foo.crt SSLCertificateChainFile /etc/pki/tls/certs/foo.bundle SSLCertificateKeyFile /etc/pki/tls/private/foo.key ErrorLog logs/foo TransferLog logs/foo-acc </VirtualHost> # bar.com <VirtualHost *:80> ServerName bar.com ServerAlias www.bar.com Redirect 301 / https://bar.com </VirtualHost> <VirtualHost *:443> ServerName bar.com:443 ServerAlias www.bar.com:443 DocumentRoot "/var/www/bar" SSLEngine on SSLCertificateFile /etc/pki/tls/certs/bar.crt SSLCertificateChainFile /etc/pki/tls/certs/bar.bundle SSLCertificateKeyFile /etc/pki/tls/private/bar.key ErrorLog logs/bar TransferLog logs/bar-acc </VirtualHost>
這會起作用嗎,還是我必須為每個專用域重複預設設置?
經過一些廣泛的測試,我想通了:
中的通用“主”虛擬主機
ssl.conf
必須引用證書、鍊和密鑰,否則它將不起作用。因此,為了清楚起見並避免跨 vhost 編寫(和維護)重複行,最好將此通用 vhost 移動到vhosts.conf
其他虛擬主機之前。那裡指定的任何規則似乎都被以下虛擬主機正確繼承,並且不必重複。