Ssl

Apache 的理想設置,用於在單個 IP 上使用 SNI 的多個 SSL 證書

  • August 6, 2018

我正在尋找在 Amazon Linux Distro 中的 Apache 2.4.33 上實現此設置的最有效方法:

  • 單個伺服器實例(此處:AWS EC2)
  • 單個關聯 IP
  • 兩個(或更多)域,每個域都有自己的 SSL 證書
  • 一個適用於所有其他人的預設 SSL 虛擬主機,用於設置諸如SSLProtocolFilesMatchBrowserMatch僅一次
  • 每個域都有一個專用的 VirtualHost,它指向相應的文件並設置文件根目錄

這個設置有問題嗎?

1)/etc/httpd/conf.d/ssl.conf(整個文件):

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

# default settings for all VirtualHosts
<VirtualHost *:443>

LogLevel warn

SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

SSLHonorCypherOrder o

#use OpenSSL default
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!MD5

<FilesMatch "\.(cgi|shtml|phtml|php)$">
 SSLOptions +StdEnvVars
</FilesMatch>

<Directory "/var/www/cgi-bin">
 SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" \
   nokeepalive ssl-unclean-shutdown \
   downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

2)/etc/httpd/cond.f/vhosts.conf

# foo.com

<VirtualHost *:80>
 ServerName foo.com
 ServerAlias www.foo.com
 Redirect 301 / https://foo.com
</VirtualHost>

<VirtualHost *:443>
 ServerName foo.com:443
 ServerAlias www.foo.com:443

 DocumentRoot "/var/www/foo"

 SSLEngine on
 SSLCertificateFile /etc/pki/tls/certs/foo.crt
 SSLCertificateChainFile /etc/pki/tls/certs/foo.bundle
 SSLCertificateKeyFile /etc/pki/tls/private/foo.key

 ErrorLog logs/foo
 TransferLog logs/foo-acc
</VirtualHost>


# bar.com

<VirtualHost *:80>
 ServerName bar.com
 ServerAlias www.bar.com
 Redirect 301 / https://bar.com
</VirtualHost>

<VirtualHost *:443>
 ServerName bar.com:443
 ServerAlias www.bar.com:443

 DocumentRoot "/var/www/bar"

 SSLEngine on
 SSLCertificateFile /etc/pki/tls/certs/bar.crt
 SSLCertificateChainFile /etc/pki/tls/certs/bar.bundle
 SSLCertificateKeyFile /etc/pki/tls/private/bar.key

 ErrorLog logs/bar
 TransferLog logs/bar-acc
</VirtualHost>

這會起作用嗎,還是我必須為每個專用域重複預設設置?

經過一些廣泛的測試,我想通了:

中的通用“主”虛擬主機ssl.conf 必須引用證書、鍊和密鑰,否則它將不起作用。因此,為了清楚起見並避免跨 vhost 編寫(和維護)重複行,最好將此通用 vhost 移動到vhosts.conf其他虛擬主機之前。

那裡指定的任何規則似乎都被以下虛擬主機正確繼承,並且不必重複。

引用自:https://serverfault.com/questions/923809