带有主机名的 SSL Apache 代理不起作用

tag-icon tag-icon apache-http-server proxy ssl
带有主机名的 SSL Apache 代理不起作用

我们决定通过 apache 运行安全的 Web 代理。我们为服务器分配了一个域名,然后为该域购买了 SSL 证书,然后在 Apache/2.2.22 的 Ubuntu 12.04(精确)上应用。

当我运行服务器默认站点(HTTP),即仅使用 IP 作为虚拟主机时,代理工作正常。

然后我决定为这个代理服务器做 SSL,因为不允许对 IP 地址使用 SSL,所以我们选择了一个域名,然后继续。

我还启用了 mod_rewrite,以便所有 HTTP 请求都通过 SSL 网站

以下是我的 HTTP 虚拟主机和 SSL 虚拟主机配置,

<VirtualHost 12.12.12.12:80>
    ServerAdmin webmaster@localhost
    ServerName example.net
    ServerAlias www.example.net
    ProxyRequests On
    ProxyVia On
    <Proxy *>
    Order allow,deny
    Deny from all
    Allow from 104.12
    </Proxy>
    RewriteEngine   on
    RewriteCond     %{SERVER_PORT} ^80$
    RewriteRule     ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
    DocumentRoot /var/www
    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel debug

    CustomLog ${APACHE_LOG_DIR}/access.log combined

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
   AllowOverride None
    Order deny,allow
    Deny from all
   Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

SSL 配置

    <IfModule mod_ssl.c>
     <VirtualHost  12.12.12.12:443>
        ServerAdmin webmaster@localhost
        ServerName example.net
        ServerAlias www.example.net
        ProxyVia On
        ProxyPass / https://127.0.0.1:443/
        ProxyPreserveHost On
        SSLProxyCheckPeerCN off
        #ProxyPreserveHost on
        ProxyRequests On
        SSLEngine on
        SSLProxyEngine On
        SSLCertificateFile    /etc/ssl/ssl_proxy/example_net.crt
        SSLCertificateKeyFile /etc/ssl/ssl_proxy/example.net.key
        SSLProxyVerify require
        SSLProxyVerifyDepth 10
        SSLProxyMachineCertificateFile /etc/ssl/ssl_proxy/example.net.csr
        SSLProxyCACertificateFile /etc/ssl/ssl_proxy/example_net.ca-bundle
        SSLStrictSNIVHostCheck on
        DocumentRoot /var/www
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        <Proxy *>
        Order allow,deny
        Deny from all
        Allow from 104.12
        </Proxy>
        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
       <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory> 
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>

我尝试了上述所有可能的选项,但都不起作用。因此,每当我访问网站时,我都会收到以下错误

Hostname example.net provided via SNI and hostname yahoo.com provided via HTTP are different.

知道我做错了什么吗?

谢谢你,赛

答案1

有一个漏洞在 Apache 中,由于主机名区分大小写而导致此错误。该问题最近已修复,并发布了一个包含修复程序的新版本现在可用另外,您可以将证书全部改为小写,以更符合惯例(大写很少使用)。

答案2

我发现,通过 Apache 无法实现。但 Nginx、Node.js 等现代服务器通过 SPDY 协议支持它,以下是关联

相关内容