Debian
帶有自簽名證書的 Apache 2.4 始終重定向到預設虛擬主機
我一直在嘗試使用 Apache 2.4 製作具有自簽名證書的虛擬主機。我嘗試了許多設置組合,但無論如何,我在 Firefox 中嘗試的每個虛擬主機都會直接進入預設主機(清除記憶體後)。我得到的唯一錯誤消息是在 Apache error.log 中(所有子域虛擬主機日誌都沒有錯誤消息):
[Mon Jun 17 19:32:48.866641 2019] [ssl:debug] [pid 3084] ssl_engine_kernel.c(2122): [client 192.168.1.100:57956] AH02044: No matching SSL virtual host for servername subdomain.7d.net found (使用預設/第一個虛擬主機)目前設置是基於 IP 的虛擬主機(一個物理 IP 地址由預設主機使用,許多虛擬 IP 地址用於許多虛擬主機,一對一)。在此之前,Apache 使用基於名稱的虛擬主機,只有一個物理 IP 地址具有相同的行為。
每個虛擬主機都使用自己的自簽名證書,在此之前所有虛擬主機都使用一個。由於 SSL 證書,未報告任何錯誤消息。每個證書都與其對應的名稱匹配。OpenSSL 1.1.0用於生成證書。
除了自簽名證書 Apache 正在使用
Starfield Class 2 Certificate Authority.沒有安裝 DNS 伺服器,只有一個
/etc/hosts文件,每個 IP 地址和主機名都執行良好。Apache 2.4.25在**Debian GNU/Linux «Stretch»**上執行。
ports.conf(我嘗試將
Listed 443指令放在條件塊之外,但行為是相同的)。# If you just change the port or add more ports here, you will likely also # have to change the VirtualHost statement in # /etc/apache2/sites-enabled/000-default.conf Listen 80 <IfModule ssl_module> Listen 443 </IfModule> <IfModule mod_gnutls.c> Listen 443 </IfModule>001-預設-ssl.conf
<IfModule mod_ssl.c> #<VirtualHost 192.168.1.201:443> <VirtualHost *:443> ServerAdmin webmaster@localhost ServerName triplecero.7d.net #ServerAlias www.7d.net DocumentRoot /var/www/html LogLevel info ssl:debug ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined Include conf-available/serve-cgi-bin.conf SSLEngine On SSLCertificateFile /etc/ssl/localcerts/triplecero.7d.net.crt SSLCertificateKeyFile /etc/ssl/localcerts/triplecero.7d.net.key SSLCACertificateFile /etc/ssl/certs/Starfield_Class_2_CA.pem SSLVerifyClient optional SSLVerifyDepth 10 SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/lib/cgi-bin> SSLOptions +StdEnvVars </Directory> BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 </VirtualHost> </IfModule>子域.conf
<VirtualHost 192.168.1.210:433> #<VirtualHost subdomain.7d.net:433> ServerName subdomain.7d.net DocumentRoot "/var/www/subdomain" DirectoryIndex index.php LogLevel info ssl:debug CustomLog ${APACHE_LOG_DIR}/subdomain-access.log combined ErrorLog ${APACHE_LOG_DIR}/subdomain-error.log SSLEngine On SSLCertificateFile "/etc/ssl/localcerts/subdomain.7d.net.crt" SSLCertificateKeyFile "/etc/ssl/localcerts/subdomain.7d.net.key" SSLCACertificateFile "/etc/ssl/certs/Starfield_Class_2_CA.pem" SSLVerifyClient optional SSLVerifyDepth 10 <Directory "/var/www/subdomain"> Redirect "http://subdomain.7d.net" "https://subdomain.7d.net" Require all granted AllowOverride All </Directory> </VirtualHost>阿帕奇2狀態:
Triplecero:~# apache2ctl -S 虛擬主機配置: 192.168.1.210:433 subdomain.7d.net (/etc/apache2/sites-enabled/grupoglobaleyr.conf:3) [許多其他虛擬主機省略] *:80 triplecero.7d.net (/etc/apache2/sites-enabled/000-default.conf:2) *:443 是一個 NameVirtualHost 預設伺服器 Triplecero.7d.net (/etc/apache2/sites-enabled/001-default-ssl.conf:3) 埠 443 namevhost Triplecero.7d.net (/etc/apache2/sites-enabled/001-default-ssl.conf:3) 埠 443 namevhost Triplecero.7d.net (/etc/apache2/sites-enabled/002-default-tls.conf:2) 伺服器根目錄:“/etc/apache2” 主文件根目錄:“/var/www/html” 主要錯誤日誌:“/var/log/apache2/error.log” 互斥鎖預設:dir="/var/run/apache2/" 機制=預設 互斥體 mpm-accept: using_defaults 互斥體 fcgid 管道:using_defaults 互斥看門狗回調:using_defaults 互斥體重寫映射:using_defaults Mutex ssl-stapling-refresh: using_defaults 互斥 gnutls-cache: using_defaults 互斥 gnutls-ocsp: using_defaults 互斥鎖 fcgid-proctbl: using_defaults 互斥 ssl 裝訂:using_defaults 互斥代理: using_defaults 互斥 ssl 記憶體:using_defaults PidFile:“/var/run/apache2/apache2.pid” 定義:DUMP_VHOSTS 定義:DUMP_RUN_CFG 使用者:name="www-data" id=33 組:name="www-data" id=33 三個零:~#子域-error.log
[Tue Jun 18 00:05:46.274025 2019] [ssl:info] [pid 3050] AH01914:為 SSL 協議配置伺服器 subdomain.7d.net:443 [2019 年 6 月 18 日星期二 00:05:46.274415] [ssl:debug] [pid 3050] ssl_engine_init.c(1756): AH02209: CA 證書: OU=Starfield Class 2 Certification Authority,O=Starfield Technologies\\, Inc., C=美國 [2019 年 6 月 18 日星期二 00:05:46.274481] [ssl:debug] [pid 3050] ssl_engine_init.c(413): AH01893: 配置 TLS 擴展處理 [Tue Jun 18 00:05:46.340584 2019] [ssl:debug] [pid 3050] ssl_util_ssl.c(443): AH02412: [subdomain.7d.net:443] 名稱“subdomain.7d.net”的證書匹配 [主題:emailAddress=triplecerogmail.com,CN=subdomain.7d.net,OU=Development,O=ZZZ Corp.,L=Skycity,ST=Highstate,C=XX / 發行人:emailAddress=triplecerogmail.com,CN=subdomain。 7d.net,OU=Development,O=ZZZ Corp.,L=Skycity,ST=Highstate,C=XX / 序列號:B06BB41BBE840955 / 之前:格林威治標準時間 2019 年 6 月 16 日 22:00:11 / 之後:6 月 15 日 22:00:格林威治標準時間 2020 年 11 月] [Tue Jun 18 00:05:46.340606 2019] [ssl:info] [pid 3050] AH02568:從 /etc/ssl/localcerts/subdomain.7d.net 配置的證書和私鑰 subdomain.7d.net:443:0。 crt 和 /etc/ssl/localcerts/subdomain.7d.net.key
重定向的原因是指令中設置了錯誤的邏輯埠(
433相反443)VirtualHost(實際上,在每個虛擬主機中)。Apache 文件中從未聲明過 433 埠
ports.conf,因此未找到任何虛擬主機,導致重定向到預設 SSL 虛擬主機。感謝@Freddy 發現了“小錯誤”。
“(所有子域虛擬主機日誌都沒有錯誤消息)”
那是(應該是)你的線索。:) 這裡有幾個(conf)文件在起作用。我猜你已經(基本上)省略了
extra/httpd-vhosts.conf. 它定義了所有/任何虛擬主機。2.4 版變得比它的前輩更加模組化。因此,大多數舊方法要麼不起作用,要麼已被移動。
apache24/httpd.conf保存全域配置和主要主機/IP 的東西。
apache24/extra/httpd-vhosts.conf常見的虛擬主機定義。# PRIMARY (default) Vhost # Everything is on a SECURE socket. Redirect accordingly <VirtualHost *:80> ServerName main-domain.vhost Redirect permanent / https://main-domain.vhost/ </VirtualHost> # another Vhost on same IP but with different name <VirtualHost *:80> ServerName another-domain.vhost Redirect permanent / https://another-domain.vhost/ </VirtualHost> ... #################################################################### #NameVirtualHost *:443 #################################################################### # MAIN Vhost <VirtualHost *:443> ServerAdmin me@localhost DocumentRoot "/usr/local/www/data" ServerName main-domain.vhost ServerAlias www.main-domain.vhost SSLEngine on SSLCertificateFile "/usr/local/etc/letsencrypt/live/main-domain.vhost/cert.pem" SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/main-domain.vhost/privkey.pem" SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/main-domain.vhost/fullchain.pem" # HSTS (mod_headers is required) (15768000 seconds = 6 months) # HSTS (mod_headers is required) (7884000 seconds = 3 months) Header always set Strict-Transport-Security "max-age=15768000" ... </VirtualHost> # We now need to include our INDIVIDUAL/ADDITIONAL (V) hosts # We do so thusly # They all run on a SSL Include etc/apache24/extra/hosts/another-domain.vhost.conf # NOTE above, the .conf files live in a SUBdirectory of the "extra" folder (hosts)好的,現在我們繼續查看各個V主機
.conf文件
apache24/extra/hosts/*.confapache24/extra/hosts/another-domain.vhost.conf # # # # # # # # # # # # # # # # # # # # # # # # # # # another-domain.vhost # # # # # # # # # # # # # # # # # # # # # # # # <VirtualHost *:443> ServerAdmin me@localhost DocumentRoot "/usr/local/www/another-domain.vhost" ServerName another-domain.vhost ServerAlias www.another-domain.vhost SSLEngine on SSLCertificateFile "/usr/local/etc/letsencrypt/live/another-domain.vhost/cert.pem" SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/another-domain.vhost/privkey.pem" SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/another-domain.vhost/fullchain.pem" # HSTS (mod_headers is required) (15768000 seconds = 6 months) # HSTS (mod_headers is required) (7884000 seconds = 3 months) Header always set Strict-Transport-Security "max-age=15768000" ... </VirtualHost>這就是文件中滿足 apache(2.4) 所需的所有相關資訊。如您所見,我 1) 使用“letsencrypt”作為我的證書提供者,2) 我正在分享我的一個 BSD 盒子中的範例。但這只會改變Apache 安裝路徑的*根目錄。*來自
apache24(包括文件夾)的所有內容都apache24應該是相同的。所以如果你跟著,你應該設置。這並不能保證您的證書會通過集合。但這是針對不同的執行緒。:)
高溫高壓