此配置可以正常工作,但它要求所有子域都提供证书。
<VirtualHost IP:443>
ServerName *.domain.tld
ServerAlias www.*.domain.tld
VirtualDocumentRoot /home/domaintld/subdomains/%1
ServerAdmin webmaster@*.domain.tld
UseCanonicalName off
UserDir public_html
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 1
SSLCertificateFile /path/to/cert.crt
SSLCACertificateFile /path/to/CAcert.crt
SSLCertificateKeyFile /path/to/key.key
<Directory "/home/domaintld/subdomains/%1">
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Company"
and %{SSL_CLIENT_S_DN_OU} in {"Department"}
# this one is not splitted, only here to avoid horiz. scroll
</Directory>
CustomLog /usr/local/apache/domlogs/domain.tld-ssl_log combined
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
但我想让它只在子域名上请求,也就是“theone.domain.tld”
我试过:
#...
SSLEngine on
SSLCertificateFile /path/to/cert.crt
SSLCACertificateFile /path/to/CAcert.crt
SSLCertificateKeyFile /path/to/key.key
<Directory "/home/domaintld/subdomains/theone">
SSLVerifyClient require
SSLVerifyDepth 1
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Company"
and %{SSL_CLIENT_S_DN_OU} in {"Department"}
# this one is not splitted, only here to avoid horiz. scroll
</Directory>
#...
也与<Directory ..>外面<VirtualHost ..>
甚至添加SSLCACertificateFile在<Directory ..>
我让其他子域名通过 HTTPS 工作,但“theone”却给出Error 107 (net::ERR_SSL_PROTOCOL_ERROR)
我必须提到整个 VirtualHost 和 Directory 都在/曾经在<IfDefine SSL></IfDefine>
有什么建议么?
谢谢。
答案1
SSL 协商在传输包含选择适当虚拟主机的标准的 HTTP 标头之前完成。这意味着您不能对每个虚拟主机使用任何唯一的 SSL 选项。我知道的唯一选项是获取另一个 IP 地址并为您需要证书身份验证的站点设置基于 IP 的虚拟主机。