像这样吗?
# TLS v1.0+ for one IP
<VirtualHost _default_:443>
Order deny,allow // <------------- HERE
Deny from all // <------------- HERE
Allow from 10.20.30.40 // <------------- HERE
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder on
SSLCompression off
...
</VirtualHost>
# TLS v1.2 for everyone else
<VirtualHost _default_:443>
Order allow,deny // <------------- HERE
Deny from 10.20.30.40 // <------------- HERE
Allow from * // <------------- HERE
SSLProtocol -all +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:AECDH-DES-CBC3-SHA:ADH-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA
SSLHonorCipherOrder on
SSLCompression off
...
</VirtualHost>
编辑:
我还想为不同的端口创建第二个 VirtualHost,比如 344,并将端口 443 转发/路由到该特定 IP 的 344。这可能吗?
答案1
创建两个虚拟主机,仅使用的端口不同。
使用 iptables 有条件地将选定的 IP 重定向到 TLS 1.0 实例。
iptables -t nat -A PREROUTING -s CLIENT_OF_INTEREST -p tcp --dport 443 -j REDIRECT --to-port 344
不过,我必须补充一点,这样做会让我感到有点恶心。如果可能的话,让客户端能够执行 TLS 1.2 会更好。
例如,如果是 Java,请确保已添加“无限制”加密位。
但我完全明白这并不总是可能的。
答案2
是的,这是可能的,您可以为每个虚拟主机设置 SSLProtocol 指令。
您发布的示例配置似乎没问题,但您正在使用默认虚拟主机。您最好使用 IP:Port。
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol