Is Apache / Mongrel / Rails serving two SSL certificates?

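When Mongrel and Rails are involved, can Apache (2.0) serve two SSL certificates?

Here is the situation... I have two websites on my server: foo.com and bar.com. Both sites have self-signed SSL certificates (from GoDaddy), and each has its own IP address. Here are the relevant Apache configuration settings: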

<VirtualHost 192.168.100.17:443>
    ServerName secure.foo.com
    DocumentRoot /var/www/client/foo/current
    ProxyPass / http://127.0.0.1:3002/
    ProxyPassReverse / http://127.0.0.1:3002/
    ProxyPreserveHost on
    RequestHeader set X_FORWARDED_PROTO 'https'
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.foo.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.foo.com.key
    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd_intermediate_bundle.crt
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    ErrorLog /var/www/client/foo/current/log/ssl_error_log
    TransferLog /var/www/client/foo/current/log/ssl_access_log
    LogLevel warn
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
    </Directory>
    RewriteEngine On
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
<VirtualHost 192.168.100.16:443>
    ServerName secure.bar.com
    DocumentRoot /var/www/sites/bar/secure
    ProxyPass / http://127.0.0.1:3003/
    ProxyPassReverse / http://127.0.0.1:3003/
    ProxyPreserveHost on
    RequestHeader set X_FORWARDED_PROTO 'https'
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.bar.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.bar.com.key
    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd_intermediate_bundle.crt
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    ErrorLog /var/log/httpd/bar.com/ssl_error_log
    TransferLog /var/log/httpd/bar.com/ssl_access_log
    LogLevel warn
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

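If I visit a page on secure.foo.com that should be secure (e.g. https://secure.foo.com/login), I get a warning that the certificate is for secure.BAR.com. But if I view the certificate, it is for secure.FOO.com.

This only happens in Firefox. There is no warning in MSIE.

My theory is that Apache is serving the correct certificate (for secure.foo.com), but somehow the certificate for secure.bar.com is also being sent. (I assume MSIE doesn't throw an error because it simply ignores the second one.)

I'd like to blame this on Mongrel, but Mongrel doesn't "do" SSL. I'd also like to blame Rails, but all Rails does is check whether the page should be encrypted and, if it isn't, redirect it to a secure connection.

Has anyone seen anything like this? Any idea where the problem might be?

Update: Of course, commenting out the following lines in the Apache configuration takes the site down, but results in a correct SSL "handshake":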

ProxyPass / http://127.0.0.1:3002/
ProxyPassReverse / http://127.0.0.1:3002/
ProxyPreserveHost on

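Answer 1

This is so embarrassing...

The problem was caused by a malformed favicon link on the page. We were linking to https://foo.com/images/favicon.ico when it should have been https://secure.foo.com/images/favicon.ico.

As I understand it, the problem didn't affect MSIE because MSIE ignores favicon links over SSL.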
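
A check for the cause found in the answer, as an added example that is not code from the original post: it lists the https subresources of a page whose host name is not covered by the names in the page's certificate. The function names, the sample HTML and the certificate name list are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
URL_ATTRS = {"link": "href", "img": "src", "script": "src", "iframe": "src"}

def host_matches(host, cert_names):
    """True if host equals a certificate name or matches a one-label wildcard."""
    host = host.lower()
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        # "*.foo.com" covers "secure.foo.com" but not the bare "foo.com".
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

class SubresourceCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # Resolve relative links against the page URL, as a browser does.
            self.urls.append(urljoin(self.base_url, value))

def uncovered_subresources(page_url, html, cert_names):
    """Return (url, host) for each https subresource the certificate does not cover."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    findings = []
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme == "https" and not host_matches(parts.hostname or "", cert_names):
            findings.append((url, parts.hostname))
    return findings

# Constructed sample page modelled on the favicon link described in the answer.
SAMPLE_HTML = """<html><head>
<link rel="shortcut icon" href="https://foo.com/images/favicon.ico">
<link rel="stylesheet" href="/stylesheets/app.css">
<script src="https://secure.foo.com/javascripts/app.js"></script>
</head><body><img src="images/logo.png"></body></html>"""

if __name__ == "__main__":
    for url, host in uncovered_subresources("https://secure.foo.com/login", SAMPLE_HTML, ["secure.foo.com"]):
        print(f"{host} is not covered by the certificate: {url}")
```

A wildcard name such as `*.foo.com` would still leave the bare `foo.com` favicon link flagged, because a wildcard matches exactly one extra label.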
