我在我们的一台服务器上设置了大规模虚拟主机,这样我基本上可以在某个目录中创建一个符号链接,并立即让该主机在 http 和 https 上都可用。如果所有主机名都在同一个域中(通配符证书),则此方法很有效,否则则不行。让我向您展示我的 VirtualHost 容器:
<VirtualHost 1.2.3.4:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
### Mass SSL Vhosts ###
RewriteEngine on
# define two maps: one for fixing the URL and one which defines
# the available virtual hosts with their corresponding
# DocumentRoot.
RewriteMap lowercase int:tolower
# 2. make sure we have a Host header
RewriteCond %{HTTP_HOST} !^$
# 3. lowercase the hostname
RewriteCond ${lowercase:%{HTTP_HOST}|NONE} ^(.+)$
# 5. finally we can map the URL to its docroot location
# and remember the virtual host for logging puposes
RewriteRule ^/(.*)$ /wwwroot/vhosts/%{HTTP_HOST}/$1 [E=VHOST:${lowercase:%{HTTP_HOST}}]
<Directory "/wwwroot/vhosts/">
Options FollowSymLinks
AllowOverride All
</Directory>
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
ErrorLog /var/log/httpd/ssl_error_log
TransferLog /var/log/httpd/ssl_access_log
LogLevel warn
SSLCertificateFile /etc/pki/tls/certs/wildcard.foo.com.crt
SSLCACertificateFile /etc/pki/tls/certs/wildcard.foo.com.intermediate.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.foo.com.key
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
每当我想创建一个 something.foo.com 域时,此设置都有效。我只需在 /wwwroot/vhosts 中创建一个指向用户目录的符号链接,它就可以正常工作。我现在想创建一个 something.bar.com 域。同样,我只需创建它并将其放入即可http://something.bar.com可以工作。然而我无法工作的是https://something.bar.com因为上面明确定义的证书。
有没有办法在 VirtualHost 容器内部分支以根据主机名使用不同的 SSL 证书?
答案1
您是否研究过 SNI (服务器名称指示)?例如使用 mod_ssl 或 mod_gnutls: