Ubuntu

帶有 ssl 證書的網頁通過 http 443 服務

  • December 10, 2017

我有一台帶有 ubuntu xenial、apache 和幾個虛擬主機的機器,每個虛擬主機都有它的 domain.conf 和 domain-ssl.conf。每個 domain.conf 使用 ssl 證書重定向到 domain-ssl.conf,但問題是它在 chrome 中拋出 ERR_SSL_PROTOCOL_ERROR 錯誤,因為它試圖通過埠 443 提供加密的 web,即 apache 正在嘗試服務 ssl web通過http。

有趣的是,如果我訪問http://example.com:443顯示網路正常,但沒有 https。順便說一句,我在 apache 中啟用了 ssl 模組,我也嘗試了這個條件,它保持不變。

例子.conf

<VirtualHost *:80>
   ServerName example.com
   ServerAdmin development@example.com

   VirtualDocumentRoot /var/www/html/example

   SetEnv ENV stage

   ErrorLog ${APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined

   <Directory "/var/www/html/example">
           AllowOverride None
           Require all granted

           <IfModule mod_rewrite.c>
                   Options -MultiViews
                   RewriteEngine On
                   RewriteCond %{HTTPS} off
                   RewriteRule (.*) https://example.com/$1 [R,L]
           </IfModule>
   </Directory>

範例-ssl.conf

<VirtualHost _default_:443>
   ServerName example.com
   ServerAdmin development@example.com

   VirtualDocumentRoot /var/www/html/example

   SetEnv ENV stage

   LogLevel warn
   ErrorLog /var/www/html/example/var/logs/apache-ssl.log
   CustomLog /var/www/html/example/var/logs/access.log combined

   SSLEngine on
   SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
   Include /etc/letsencrypt/options-ssl-apache.conf

   <Directory "/var/www/html/example">
           AllowOverride None
           Require all granted

           Options -MultiViews
           RewriteEngine On
           RewriteRule ^(.*)/$ /$1 [L,R=301]
           RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
   </Directory>...

退出 apachectl -S:

user@myserver:~$ sudo apachectl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  is a NameVirtualHost
        default server example.com (/etc/apache2/sites-enabled/010-example-ssl.conf:1)
        port 443 namevhost example.com (/etc/apache2/sites-enabled/010-example-ssl.conf:1)
*:80                   is a NameVirtualHost
        default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
        port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
        port 80 namevhost example.com (/etc/apache2/sites-enabled/015-example.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl 
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

選項-ssl-apache.conf

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

最後,我創建了default-ssl.conf失去的文件,並使用sudo a2ensite default-ssl. 修復了問題!

引用自:https://serverfault.com/questions/886612