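OK, this is my first question, so please bear with me!
I built a website for myself and the local high school alumni.
I want to set up client certificate authentication on https://dev.coolcomputers.info. The only problem is that sometimes it gives a handshake failure (like I want), and sometimes it loads the main site https://www.coolcomputers.info.
If you need more information, feel free to ask!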
apache2 -v
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2017-07-27T14:34:01
Here are my configurations for both sites
Main site:
<VirtualHost *:443>
SuexecUserGroup "#1001" "#1001"
ServerName www.coolcomputers.info
ServerAlias coolcomputers.info autoconfig.coolcomputers.info autodiscover.coolcomputers.info
DocumentRoot /home/coolcomputers/public_html
ErrorLog /var/log/virtualmin/coolcomputers.info_error_log
CustomLog /var/log/virtualmin/coolcomputers.info_access_log combined
ScriptAlias /cgi-bin/ /home/coolcomputers/cgi-bin/
ScriptAlias /awstats/ /home/coolcomputers/cgi-bin/
ScriptAlias /AutoDiscover/AutoDiscover.xml /home/coolcomputers/cgi-bin/autoconfig.cgi
ScriptAlias /Autodiscover/Autodiscover.xml /home/coolcomputers/cgi-bin/autoconfig.cgi
ScriptAlias /autodiscover/autodiscover.xml /home/coolcomputers/cgi-bin/autoconfig.cgi
<Directory /home/coolcomputers/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddType application/x-httpd-php7.0 .php7.0
</Directory>
<Directory /home/coolcomputers/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
SSLEngine on
SSLCertificateFile /home/coolcomputers/cert.pem
SSLCertificateKeyFile /home/coolcomputers/privkey.pem
<Files awstats.pl>
AuthName "coolcomputers.info statistics"
AuthType Basic
AuthUserFile /home/coolcomputers/.awstats-htpasswd
require valid-user
</Files>
Redirect /mail/config-v1.1.xml "/cgi-bin/autoconfig.cgi"
Redirect /.well-known/autoconfig/mail/config-v1.1.xml "/cgi-bin/autoconfig.cgi"
ServerAdmin [email protected]
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCACertificateFile /home/coolcomputers/ssl.ca
</VirtualHost>
Dev site
<VirtualHost *:443>
DocumentRoot "/var/test"
ServerName dev.coolcomputers.info
ServerAdmin [email protected]
ErrorLog /var/log/apache2/error.dev.log
CustomLog /var/log/apache2/access.dev.log "combined"
LogLevel debug
SSLEngine on
SSLCertificateFile /etc/ssl/dev/dev.coolcomputers.info.cert.pem
SSLCertificateKeyFile /etc/ssl/dev/dev.coolcomputers.info.key.pem
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCACertificateFile /etc/ssl/dev/ca.cert.pem
SSLCARevocationFile /etc/ssl/dev/intermediate.crl.pem
SSLCARevocationCheck leaf
<Directory /var/test>
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +FakeBasicAuth
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_O} eq "CoolComputers Inc." \
and %{SSL_CLIENT_S_DN_OU} in {"Secure Intermediate Authority"}
</Directory>
</VirtualHost>
Last but not least, the relevant output of "apache2ctl -S"
*:443 is a NameVirtualHost
default server dev.coolcomputers.info (/etc/apache2/sites-enabled/000-dev.coolcomputers.info.conf:1)
port 443 namevhost dev.coolcomputers.info (/etc/apache2/sites-enabled/000-dev.coolcomputers.info.conf:1)
port 443 namevhost mail.coolcomputers.info (/etc/apache2/sites-enabled/001-mail.coolcomputers.info.conf:1)
port 443 namevhost www.coolcomputers.info (/etc/apache2/sites-enabled/coolcomputers.info.conf:35)
alias coolcomputers.info
alias autoconfig.coolcomputers.info
alias autodiscover.coolcomputers.info
port 443 namevhost pshalumni.org (/etc/apache2/sites-enabled/pshalumni.org.conf:46)
alias www.pshalumni.org
alias autoconfig.pshalumni.org
alias autodiscover.pshalumni.org
Answer 1
SSLVerifyClient require SSLVerifyDepth 5
cannot be placed inside a Directory section when using the document root
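The change this answer describes, applied to the dev virtual host from the question (an added example, not part of the original answer): SSLVerifyClient and SSLVerifyDepth are moved out of the <Directory /var/test> block to the virtual-host level, so the client certificate is requested in the initial handshake for everything this host serves. All paths and values are taken from the question's configuration; the ServerAdmin and LogLevel lines are left out for brevity.

```apache
<VirtualHost *:443>
    DocumentRoot "/var/test"
    ServerName dev.coolcomputers.info
    ErrorLog /var/log/apache2/error.dev.log
    CustomLog /var/log/apache2/access.dev.log "combined"

    SSLEngine on
    SSLCertificateFile /etc/ssl/dev/dev.coolcomputers.info.cert.pem
    SSLCertificateKeyFile /etc/ssl/dev/dev.coolcomputers.info.key.pem
    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

    # CA chain and CRL used to validate client certificates
    SSLCACertificateFile /etc/ssl/dev/ca.cert.pem
    SSLCARevocationFile /etc/ssl/dev/intermediate.crl.pem
    SSLCARevocationCheck leaf

    # Moved here from <Directory /var/test>: at virtual-host level the
    # certificate is demanded during the first handshake instead of
    # through a per-directory renegotiation after the request arrives.
    SSLVerifyClient require
    SSLVerifyDepth 5

    <Directory /var/test>
        # Authorization on the already-verified certificate stays per-directory
        SSLOptions +FakeBasicAuth
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "CoolComputers Inc." \
            and %{SSL_CLIENT_S_DN_OU} in {"Secure Intermediate Authority"}
    </Directory>
</VirtualHost>
```

Running `apache2ctl configtest` before reloading checks the syntax of the edited file.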