SSL

ZendServer, Apache2 and VirtualHosts with SSL

  • September 9, 2011

I have a ZendServer on Ubuntu Linux. ZendServer uses Apache2, so I am looking for the right configuration to set up a group of virtual hosts with SSL.

I am no longer using httpd.conf, since it is blank and, I assume, no longer used?

So I have been modifying ../sites-enabled/default and ../sites-enabled/default-ssl

This is what I have (although the server starts normally, the SSL host is still not found).

If I remove the reference to "IfModule mod_ssl.c", I get an SSL error saying the certificate is too long.

A few questions:

  1. What am I doing wrong in the NameVirtualHost configuration?
  2. If I want to specify a separate IP address for each SSL site, this configuration does not work - so where do I reference those IP addresses?
  3. SSL certificate files: I downloaded the **.PEM** file from Parallels, so it should contain the certificate key, and therefore I will change that reference to a single SSLCertificateFile.

Update: how I got it working

Since I am using a basic, unconfigured version of ZendServer 5.5 + Apache2, I think I got very confused about the basic vhosts setup. Thanks to all of you for getting me on the right track, using the SH commands to get things running.

  1. Since I am using ZendServer 5.5.0 + Apache2, I think the configuration is a bit different from what most people use, so I followed the instructions here very carefully.
  2. Once I was able to create the config files in the right place, I could use the commands $ a2ensite my_site_config_filename & $ a2dissite my_site_config_filename to enable and disable sites before restarting zend-server.
  3. Remember: if I made changes to the config file of an individual site in /apache2/sites-available, I disable and re-enable it using the commands mentioned earlier (it seems to be necessary so that apache2 rebuilds the symlinks or something similar... not sure whether this is really needed, but it makes sense).

I also ran a2dissite default & a2dissite default-ssl because they seemed to conflict with my newly created configs.

  1. SSL: I put the SSL configuration in the same config file as the port 80 one, as shown below (I use my own certificate, but in this snippet I just point to the 'snake-oil-cert' that comes with apache!).

And of course run $ a2enmod ssl (as per cjc's original answer!)

/apache2/sites-available/mysite

#
#  mysitename.com (/etc/apache2/sites-available/www.mysitename.com)
#

<VirtualHost *:80>
       ServerAdmin webmaster@example.com
       ServerName  mysitename.com
       ServerAlias mysitename.com

       # Indexes + Directory Root.
       DocumentRoot /var/www/www.mysitename.com/htdocs/

       # CGI Directory
       ScriptAlias /cgi-bin/ /var/www/www.mysitename.com/cgi-bin/
       <Location /cgi-bin>
               Options +ExecCGI
       </Location>

       # Logfiles
       ErrorLog  /var/www/www.mysitename.com/logs/error.log
       CustomLog /var/www/www.mysitename.com/logs/access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
   ServerAdmin webmaster@localhost
   ServerName  maryshop.com
   ServerAlias maryshop.com

   DocumentRoot /var/www/www.mysitename.com/htdocs/

   ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
   <Directory "/usr/lib/cgi-bin">
       AllowOverride None
       Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
       Order allow,deny
       Allow from all
   </Directory>

   ErrorLog ${APACHE_LOG_DIR}/error.log

   # Possible values include: debug, info, notice, warn, error, crit,
   # alert, emerg.
   LogLevel warn

   CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

   Alias /doc/ "/usr/share/doc/"
   <Directory "/usr/share/doc/">
       Options Indexes MultiViews FollowSymLinks
       AllowOverride None
       Order deny,allow
       Deny from all
       Allow from 127.0.0.0/255.0.0.0 ::1/128
   </Directory>

   #   SSL Engine Switch:
   #   Enable/Disable SSL for this virtual host.
   SSLEngine on

   #   A self-signed (snakeoil) certificate can be created by installing
   #   the ssl-cert package. See
   #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
   #   If both key and certificate are stored in the same file, only the
   #   SSLCertificateFile directive is needed.
   SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
   SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

   #   Server Certificate Chain:
   #   Point SSLCertificateChainFile at a file containing the
   #   concatenation of PEM encoded CA certificates which form the
   #   certificate chain for the server certificate. Alternatively
   #   the referenced file can be the same as SSLCertificateFile
   #   when the CA certificates are directly appended to the server
   #   certificate for convenience.
   #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

   #   Certificate Authority (CA):
   #   Set the CA certificate verification path where to find CA
   #   certificates for client authentication or alternatively one
   #   huge file containing all of them (file must be PEM encoded)
   #   Note: Inside SSLCACertificatePath you need hash symlinks
   #         to point to the certificate files. Use the provided
   #         Makefile to update the hash symlinks after changes.
   #SSLCACertificatePath /etc/ssl/certs/
   #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

   #   Certificate Revocation Lists (CRL):
   #   Set the CA revocation path where to find CA CRLs for client
   #   authentication or alternatively one huge file containing all
   #   of them (file must be PEM encoded)
   #   Note: Inside SSLCARevocationPath you need hash symlinks
   #         to point to the certificate files. Use the provided
   #         Makefile to update the hash symlinks after changes.
   #SSLCARevocationPath /etc/apache2/ssl.crl/
   #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

   #   Client Authentication (Type):
   #   Client certificate verification type and depth.  Types are
   #   none, optional, require and optional_no_ca.  Depth is a
   #   number which specifies how deeply to verify the certificate
   #   issuer chain before deciding the certificate is not valid.
   #SSLVerifyClient require
   #SSLVerifyDepth  10

   #   Access Control:
   #   With SSLRequire you can do per-directory access control based
   #   on arbitrary complex boolean expressions containing server
   #   variable checks and other lookup directives.  The syntax is a
   #   mixture between C and Perl.  See the mod_ssl documentation
   #   for more details.
   #<Location />
   #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
   #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
   #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
   #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
   #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
   #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
   #</Location>

   #   SSL Engine Options:
   #   Set various options for the SSL engine.
   #   o FakeBasicAuth:
   #     Translate the client X.509 into a Basic Authorisation.  This means that
   #     the standard Auth/DBMAuth methods can be used for access control.  The
   #     user name is the `one line' version of the client's X.509 certificate.
   #     Note that no password is obtained from the user. Every entry in the user
   #     file needs this password: `xxj31ZMTZzkVA'.
   #   o ExportCertData:
   #     This exports two additional environment variables: SSL_CLIENT_CERT and
   #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
   #     server (always existing) and the client (only existing when client
   #     authentication is used). This can be used to import the certificates
   #     into CGI scripts.
   #   o StdEnvVars:
   #     This exports the standard SSL/TLS related `SSL_*' environment variables.
   #     Per default this exportation is switched off for performance reasons,
   #     because the extraction step is an expensive operation and is usually
   #     useless for serving static content. So one usually enables the
   #     exportation for CGI and SSI requests only.
   #   o StrictRequire:
   #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
   #     under a "Satisfy any" situation, i.e. when it applies access is denied
   #     and no other module can change it.
   #   o OptRenegotiate:
   #     This enables optimized SSL connection renegotiation handling when SSL
   #     directives are used in per-directory context.
   #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
   <FilesMatch "\.(cgi|shtml|phtml|php)$">
       SSLOptions +StdEnvVars
   </FilesMatch>
   <Directory /usr/lib/cgi-bin>
       SSLOptions +StdEnvVars
   </Directory>

   #   SSL Protocol Adjustments:
   #   The safe and default but still SSL/TLS standard compliant shutdown
   #   approach is that mod_ssl sends the close notify alert but doesn't wait for
   #   the close notify alert from client. When you need a different shutdown
   #   approach you can use one of the following variables:
   #   o ssl-unclean-shutdown:
   #     This forces an unclean shutdown when the connection is closed, i.e. no
   #     SSL close notify alert is sent or allowed to be received.  This violates
   #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
   #     this when you receive I/O errors because of the standard approach where
   #     mod_ssl sends the close notify alert.
   #   o ssl-accurate-shutdown:
   #     This forces an accurate shutdown when the connection is closed, i.e. a
   #     SSL close notify alert is sent and mod_ssl waits for the close notify
   #     alert of the client. This is 100% SSL/TLS standard compliant, but in
   #     practice often causes hanging connections with brain-dead browsers. Use
   #     this only for browsers where you know that their SSL implementation
   #     works correctly.
   #   Notice: Most problems of broken clients are also related to the HTTP
   #   keep-alive facility, so you usually additionally want to disable
   #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
   #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
   #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
   #   "force-response-1.0" for this.
   BrowserMatch "MSIE [2-6]" \
       nokeepalive ssl-unclean-shutdown \
       downgrade-1.0 force-response-1.0
   # MSIE 7 and newer should be able to use keepalive
   BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>

/apache2/conf.d/virtual.conf

#
#  We're running multiple virtual hosts.
#
NameVirtualHost *:80

/apache2/conf.d/virtual-ssl.conf

#
#  We're running multiple virtual hosts.
#
NameVirtualHost *:443
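As an added example (not from the original post or from Debian's default-ssl config), a small POSIX shell check for point 3 above: before pointing a single SSLCertificateFile at a downloaded .pem bundle, it classifies what the bundle contains and flags the case where certificate and key share one file that other local users can read, which is what happens when such a bundle is dropped into the world-readable /etc/ssl/certs directory. The PEM bodies and paths in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or Debian's default-ssl config.
# Classify a PEM bundle before using it as SSLCertificateFile, and flag the
# case where cert and key share a file that other local users can read
# (as happens when such a bundle is dropped into world-readable /etc/ssl/certs).
# Only grep, ls and cut are used; the demo data below is constructed.

# count_pem_blocks FILE EREGEX -> number of "-----BEGIN <EREGEX>-----" lines
count_pem_blocks() {
    [ -r "$1" ] || { echo 0; return; }
    grep -Ec "^-----BEGIN $2-----\$" "$1" || true
}

# mode_is_private FILE -> succeeds when group and others have no permission bits
mode_is_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_ssl_cert_file FILE -> prints exactly one of:
#   no-certificate    nothing Apache could serve as a server certificate
#   cert-only         key must be supplied separately via SSLCertificateKeyFile
#   cert+key:private  certificate and key in one file, owner-readable only
#   cert+key:EXPOSED  certificate and key in one file readable by other users
check_ssl_cert_file() {
    certs=$(count_pem_blocks "$1" "CERTIFICATE")
    keys=$(count_pem_blocks "$1" "(RSA |EC |ENCRYPTED )?PRIVATE KEY")
    if [ "$certs" -eq 0 ]; then
        echo no-certificate
    elif [ "$keys" -eq 0 ]; then
        echo cert-only
    elif mode_is_private "$1"; then
        echo cert+key:private
    else
        echo cert+key:EXPOSED
    fi
}

# Demo: a constructed bundle (placeholder base64 bodies, not real key material).
demo_dir=$(mktemp -d)
bundle="$demo_dir/bundle.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' \
    '-----BEGIN PRIVATE KEY-----' 'UExBQ0VIT0xERVI=' '-----END PRIVATE KEY-----' > "$bundle"
chmod 644 "$bundle"; echo "mode 0644: $(check_ssl_cert_file "$bundle")"   # cert+key:EXPOSED
chmod 600 "$bundle"; echo "mode 0600: $(check_ssl_cert_file "$bundle")"   # cert+key:private
rm -rf "$demo_dir"
```

A bundle reported as cert+key:EXPOSED should either be split (key into /etc/ssl/private via SSLCertificateKeyFile) or kept as a single file with mode 0600 outside /etc/ssl/certs.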

Did you enable the SSL module with "a2enmod"? It works like the sites-available/sites-enabled arrangement: symlinks are created in mods-enabled pointing to the files in mods-available.

To use an IP address, put it in the VirtualHost line, e.g. <VirtualHost 192.168.1.1:443>.

Quoted from: https://serverfault.com/questions/309459