无论 SNI 设置如何,apache 始终为第一个命名的 vhost 提供服务

tag-icon tag-icon apache-2.2 centos6 openssl sni namevirtualhost
无论 SNI 设置如何,apache 始终为第一个命名的 vhost 提供服务

无论 SNI 设置如何,Apache 始终为第一个命名的虚拟主机提供服务。我不确定是什么原因造成的。我不再收到消息

Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

但我今天下午 2 点就恢复了。我记得唯一更改的是添加了最后一个虚拟主机声明:

LoadModule ssl_module modules/mod_ssl.so
#LoadModule ssl_module /usr/lib64/libgnutls.so

NameVirtualHost 10.10.150.166:443
<IfModule mod_ssl.c>
     #If you add NameVirtualHost *:443 here, you will also have to change
     #the VirtualHost statement in /etc/apache2/sites-available/default-ssl
     #to 
     #Server Name Indication for SSL named virtual hosts is currently not
     #supported by MSIE on Windows XP.
    Listen 443
</IfModule>






SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin


<VirtualHost mail.napalpha.net:443>
SSLStrictSNIVHostCheck on
ServerName mail.napalpha.net
ServerAlias mail.napalpha.net
DocumentRoot /var/www/roundcubemail
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine   on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW



SSLCertificateFile /etc/pki/CA/certs/mail_napalpha_net.crt
SSLCertificateKeyFile /etc/pki/CA/private/mail.napalpha.net.key
SSLCertificateChainFile /etc/pki/CA/IntermediateCAs/GeoTrust_Intermediate.crt
SSLCACertificateFile /etc/pki/CA/CABundle/GeoTrust_CA_Bundle.crt

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0



CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Alias /cluebringer "/usr/share/cluebringer/webui/"
Alias /iredadmin/static "/var/www/iredadmin/static/"
WSGIScriptAlias /iredadmin "/var/www/iredadmin/iredadmin.py/"
Alias /awstats/icon "/usr/share/awstats/wwwroot/icon/"
Alias /awstatsicon "/usr/share/awstats/wwwroot/icon/"
ScriptAlias /awstats "/usr/share/awstats/wwwroot/cgi-bin/"
Alias /mail "/var/www/roundcubemail/"
Alias /phppgadmin "/var/www/phppgadmin/"
Alias /groupoffice "/var/www/groupoffice/"
</VirtualHost> 

<VirtualHost www.procyon-alpha.com:443>
        ServerName www.procyon-alpha.com
        ServerAlias www.procyon-alpha.com
        DocumentRoot /var/www/ProcyonAlpha
#       SSLEngine On
        SSLStrictSNIVHostCheck on  
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn
        SSLCertificateFile /etc/pki/CA/certs/SSL_www_procyon-alpha_com.crt
        SSLCertificateKeyFile /etc/pki/CA/private/procyon-alpha.key
        SSLCertificateChainFile /etc/pki/CA/IntermediateCAs/GeoTrust_Intermediate.crt
        SSLCACertificateFile /etc/pki/CA/CABundle/GeoTrust_CA_Bundle.crt
        CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


</VirtualHost>

<VirtualHost owncloud.procyon-alpha.com:443>
        ServerName owncloud.procyon-alpha.com
        ServerAlias owncloud.procyon-alpha.com
        DocumentRoot /var/www/owncloud
        SSLStrictSNIVHostCheck on
#        SSLEngine On
<Directory /var/www/owncloud/install>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn
        SSLCertificateFile /etc/pki/CA/certs/SSL_owncloud_procyon-alpha_com.crt
        SSLCertificateKeyFile /etc/pki/CA/private/owncloud.procyon-alpha.com.key
        SSLCertificateChainFile /etc/pki/CA/IntermediateCAs/GeoTrust_Intermediate.crt
        SSLCACertificateFile /etc/pki/CA/CABundle/GeoTrust_CA_Bundle.crt

        CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

httpd -S 输出:

VirtualHost configuration:
10.10.150.166:443      is a NameVirtualHost
         default server mail.napalpha.net (/etc/httpd/conf.d/sslcombined.conf:30)
         port 443 namevhost mail.napalpha.net (/etc/httpd/conf.d/sslcombined.conf:30)
                 alias mail.napalpha.net
         port 443 namevhost www.procyon-alpha.com (/etc/httpd/conf.d/sslcombined.conf:79)
                 alias www.procyon-alpha.com
         port 443 namevhost owncloud.procyon-alpha.com (/etc/httpd/conf.d/sslcombined.conf:98)
                 alias owncloud.procyon-alpha.com
Syntax OK

如果您忽略证书警告,则会提供正确的内容。我对此感到困惑。

答案1

我假设10.10.150.166这是运行 Apache 的服务器的 IP 地址,请求将被路由到该服务器。(服务器是否位于某种防火墙后面,并且您已设置 NAT?只是询问,因为它是非公共 IP 地址)如果不是,您需要更新指令NameVirtualHost以指向正确的 IP 地址。

您还需要确保所有三个主机名(即mail.napalpha.netwww.procyon-alpha.comowncloud.procyon-alpha.com解析为服务器上 NameVirtualHost 指令中给出的 IP 地址。如果这与公开可见的 IP 地址不同,您可以在文件中输入相应的条目/etc/hosts

另一种方法是让每个 VirtualHost 定义具有如下所示的 IP 地址和端口。(在 VirtualHost 定义中拥有主机名意味着不建议

<VirtualHost <IP address>:443>
....
....
</VirtualHost>

对于最后两个虚拟主机,该SSLEngine On指令也需要取消注释。

相关内容