Apache v2.4 通过端口 443 提供 HTTP 服务,也就是说,在 apache2 中使用 vhosts 启用 https

tag-icon tag-icon apache2 ssl virtualhost https
Apache v2.4 通过端口 443 提供 HTTP 服务,也就是说,在 apache2 中使用 vhosts 启用 https

我在 Ubuntu 20.04 上遇到了这个问题。

它看上去与许多类似的非常相似,但是经过几个小时的尝试后发现它并不是通常的。

我曾经certbot --apache在我的服务器上为我的一个工作网站添加 HTTPS。我要求自动重定向到 HTTPS。一切似乎都顺利。我还运行a2enmod ssl; a2nsite default-ssl.conf启用 SSL 模块并重新启动 apache2。

在日志中似乎读取了证书:

[ssl:info] [pid 4187632] AH02568: Certificate and private key mysite.com:443:0 configured from /etc/letsencrypt/live/mysite.com/fullchain.pem and /etc/letsencrypt/live/mysite.com/privkey.pem

我也发现了这一点,但找不到足够的关于它的文档:

 [headers:debug] [pid 4188047] mod_headers.c(899): AH01503: headers: ap_headers_error_filter()

最终发生的事情是,apache2 正在监听端口 443,但一旦发生重定向,就会通过该端口提供 HTTP 服务。当然,浏览器无法工作,并会出现以下错误:

This site can’t provide a secure connection
mysite.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

仅此而已。

从另一台服务器我可以进行以下两个简单的测试:

$ nmap -A -Pn -p 443 mysite.com.
Nmap scan report for mysite.com. (1.2.3.4)
Host is up (0.044s latency).
Other addresses for mysite.com. (not scanned): 1234:1234:123:1234::
rDNS record for 1.2.3.4: host1.hosting.net

PORT    STATE SERVICE VERSION
443/tcp open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://mysite.com/
Service Info: Host: mysite.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.64 seconds


$ wget -v -v -v https://mysite.com/
--2024-01-15 16:42:45--  https://mysite.com/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving mysite.com (mysite.com)... 1.2.3.4, 1234:1234:123:1234::
Connecting to mysite.com (mysite.com)|1.2.3.4|:443... connected.
GnuTLS: An unexpected TLS packet was received.
Unable to establish SSL connection.

这些证实了我的诊断(端口 443 上的 HTTP),并且没有防火墙阻止任何内容。

有什么提示吗?

我的(主要)配置位如下。

所有其他文件(000-default.confdefault-ssl.conf)都是 Ubuntu 20.04 安装的默认文件。

ports.conf

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

mysite.conf

<VirtualHost _default_:80>
  ServerName  mysite.com
  ServerAlias  www.mysite.com
  ServerAdmin [email protected]
  DocumentRoot /home/fe/public_html

  <Directory />
    Options FollowSymLinks ExecCGI
    AllowOverride All
    AuthType Basic
    AuthName "Credentials, please"
    AuthUserFile /home/fe/.htpasswd
    Require valid-user
  </Directory>

  ScriptAlias /x/ /home/fe/cgi/
  <Directory "/home/fe/cgi">
    Options ExecCGI
    SetHandler cgi-script
    Require all granted
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/mysite-error.log
  LogLevel debug
  CustomLog ${APACHE_LOG_DIR}/mysite-access.log combined
  <FilesMatch "\.(cgi|shtml|phtml|php)$">
  </FilesMatch>
  <Directory /usr/lib/cgi-bin>
  </Directory>
  BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
RewriteEngine on
RewriteCond %{SERVER_NAME} =site.mysite.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

最后三行由 添加certbot

mysite-le-ssl.conf

<IfModule mod_ssl.c>
 <VirtualHost _default_:443>
  ServerName  mysite.com
  ServerAlias  www.mysite.com
  ServerAdmin [email protected]
  DocumentRoot /home/fe/public_html

  <Directory />
    Options FollowSymLinks ExecCGI
    AllowOverride All
    AuthType Basic
    AuthName "Credentials, please"
    AuthUserFile /home/fe/.htpasswd
    Require valid-user
  </Directory>

  ScriptAlias /x/ /home/fe/cgi/
  <Directory "/home/fe/cgi">
    Options ExecCGI
    SetHandler cgi-script
    Require all granted
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/mysite-error.log
  LogLevel debug
  CustomLog ${APACHE_LOG_DIR}/mysite-access.log combined
  <FilesMatch "\.(cgi|shtml|phtml|php)$">
  </FilesMatch>
  <Directory /usr/lib/cgi-bin>
  </Directory>
  BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

  SSLCertificateFile /etc/letsencrypt/live/mysite.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
  </VirtualHost>
</IfModule>

答案1

我自己“修复”了配置,有点幸运。

该问题似乎是由 Ubuntu 随 Apache v2.x 附带的默认配置引起的。

使用类似以下命令启用所需模块

sudo a2enmod ssl
sudo a2enmod headers
sudo a2enmod socache_shmcb

我还启用了“默认 SSL 站点“ 和

sudo a2ensite default-ssl

然后在目录中添加我自己的东西/etc/apache2/sites-enabled

我添加了类似这样的内容:

01-mysite.conf
02-other.conf
03-thistoo.conf

运行后certbot --apache目录内容变成:

01-mysite-le-ssl.conf
01-mysite.conf
02-other-le-ssl.conf
02-other.conf
03-thistoo-le-ssl.conf
03-thistoo.conf

问题在于“默认 SSL 站点“配置文件被调用,default-ssl.conf 而”默认纯文本站点“配置被称为000-default.conf

在我的特定情况下,default-ssl.confApache v2.x 从目录中读取的最后一个文件是sites-enabled

000-default.conf
01-mysite-le-ssl.conf
01-mysite.conf
02-other-le-ssl.conf
02-other.conf
03-thistoo-le-ssl.conf
03-thistoo.conf
default-ssl.conf

经过 ”简单地“重命名default-ssl.conf000-default-ssl.conf我在强制重新加载后开始正常工作:systemctl apache2 reload; systemct apache2 status

nmap问题中看到的相同命令现在返回预期的结果:

$ nmap -A -Pn -p 443 mysite.com.
Nmap scan report for mysite.com. (1.2.3.4)
Host is up (0.044s latency).
Other addresses for mysite.com. (not scanned): 1234:1234:123:1234::
rDNS record for 1.2.3.4: host1.hosting.net

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd 2.4.41
| tls-alpn: 
|_  http/1.1
|_http-title: 421 Misdirected Request
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=host1
| Subject Alternative Name: DNS:host1
| Not valid before: 2022-11-06T10:22:12
|_Not valid after:  2032-11-03T10:22:12
Service Info: Host: 127.0.0.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds

它似乎nmap不知道如何发出格式正确的 HTTPS SNI 请求。

但现在我们有::443/tcp open ssl/http Apache httpd 2.4.41现在是ssl/http, 不只是http

经验教训:使用 SSL/TLS 和 SNI 时,顺序很重要。而且顺序还很重要!

作为一个非常小的附注,我清理了非 SSL(又名“HTTP”)配置文件,如下所示:

<VirtualHost _default_:80>
  ServerName  mysite.com # <-----------------.
  RewriteEngine on #                         | THE SAME
  RewriteCond %{SERVER_NAME} =mysite.com # <-'
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

所有其他配置内容都已移至启用 SSL 的配置中。简单有效!

我真的希望这能够帮助到其他人。

相关内容