我正在运行 Apache 2.2.15(CentOS 6.6)和一个仅 HTTP 域
demo.xml-director.info
使用 wget 我可以正确检索内容
wget -S http://demo.xml-director.info
--2015-01-05 13:31:41-- http://demo.xml-director.info/
Resolving demo.xml-director.info (demo.xml-director.info)... 176.9.146.28
Connecting to demo.xml-director.info (demo.xml-director.info)|176.9.146.28|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Mon, 05 Jan 2015 12:31:41 GMT
Server: Zope/(2.13.22, python 2.7.6, linux2) ZServer/1.1
Content-Length: 20227
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Content-Type: text/html;charset=utf-8
X-Ua-Compatible: IE=edge,chrome=1
Content-Language: en
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Length: 20227 (20K) [text/html]
Saving to: 'index.html.4'
但是 Chrome/Firefox 总是会因为 HTST 将请求从 http 更改为 https。但是对于此特定域,没有配置 HSTS。
服务器为 www.xml-director.info 运行 SSL,并启用 HSTS 支持。但是,这里还有另一个别名,可以将 demo.xml-director.info 映射到 www.xml-director.info。
如何解决此问题?
www.xml-director.info 的 VHOst:
<VirtualHost *:443>
ServerName www.xml-director.info
ServerAlias xml-director.info
SSLEngine on
SSLCertificateFile /etc/httpd/certs/15742445repl_2.crt
SSLCertificateCHainFile /etc/httpd/certs/15742445repl_2.ca-bundle
SSLCertificateKeyFile /etc/httpd/certs/zopyx.com.key
CustomLog /var/log/httpd/xml-director.info.log combined
DocumentRoot /var/www/xml-director/landing-v1
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
<location "/">
Options +Indexes
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE"
Header set Access-Control-Allow-Headers "X-Requested-With,Content-Type"
</location>
</VirtualHost>
<VirtualHost *:80>
ServerAlias www.xml-director.com
ServerAlias www.xml-director.info
ServerAlias www.xml-director.de
ServerAlias xml-director.com
ServerAlias xml-director.info
ServerAlias xml-director.de
RedirectPermanent / https://xml-director.info/
</VirtualHost>
以及 demo.xml-director.info
<VirtualHost *:80>
ServerName demo.xml-director.info
RewriteEngine On
RewriteRule ^/(.*) http://127.0.0.1:12020/VirtualHostBase/http/demo.xml-director.info:80/xml-director/VirtualHostRoot/$1 [L,P]
RewriteRule ^/$ http://127.0.0.1:12020/VirtualHostBase/http/demo.xml-director.info:80/xml-director/VirtualHostRoot/$1 [L,P]
CustomLog /var/log/httpd/demo.xml-director.info.log combined
AddOutputFilterByType DEFLATE text/html text/xml text/plain text/css text/javascript
CacheRoot /tmp/cache
CacheEnable disk /
CacheIgnoreCacheControl on
KeepAliveTimeout 15
KeepAlive on
ExpiresActive On
ExpiresByType image/gif "access plus 10 day"
ExpiresByType image/jpg "access plus 10 day"
ExpiresByType image/jpeg "access plus 10 day"
ExpiresByType image/png "access plus 10 day"
ExpiresByType text/javascript "access plus 10 day"
ExpiresByType text/html "access plus 1 hour"
ExpiresByType text/html "access plus 1 hour"
ExpiresByType text/css "access plus 10 days"
<Location "/">
Order allow,deny
Allow from all
</Location>
</VirtualHost>
答案1
严格传输安全-includeSubdomains
问题在于 HSTS 标头的范围,它包括所有子域。如果http://demo.xml-director.info使用浏览器访问第一的它会正常工作。
但是,首次访问时https://xml-director.info/,https://www.xml-director.info浏览器将收到所有设置为在未来过期(两年后……?)的子域名的 HSTS 标头,因此在标头过期之前,不会再次尝试通过 http 连接到任何(子)域名。
wget顺便说一句,这个标题对和等 cli 工具没有影响curl。
不要包含子域名
如果有任何应该通过 http 访问的子域 - 不要使用includeSubdomains。相反,如果您想使用 HSTS 标头,请将其仅限制为访问的域(这是默认行为):
<VirtualHost *:443>
ServerName www.xml-director.info
ServerAlias xml-director.info
Header always set Strict-Transport-Security "max-age=63072000"
修复不需要的 HSTS 标头
收到 HSTS 标头的浏览器无法自行清除它,它将始终尝试通过 https 访问域,如果没有回应就意味着它陷入了困境。
为了纠正现有浏览器的当前情况(假设这不是“仅限我”的问题),有必要通过 https 连接使 HSTS 标头过期。即:
<VirtualHost *:443>
ServerName *.xml-director.info
Header always set Strict-Transport-Security "max-age=0"
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI}
或者等效的。这样 HSTS 标头就被清除了,并且 http 访问被恢复了。