At work I installed Mediawiki (latest version), Apache web server 2.4.6 and PHP 5. Everything works fine when I access the wiki pages locally and have the hostname configured in Mediawiki:
$wgServer = https://en.wiki.example.com.
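Now, as soon as I clear this hostname configuration in Mediawiki, it picks up the hostname from the web server it is served by. That does happen, but the hostname has the format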
http://en.wiki.example.com:443
This is an incorrect URL (because it mixes HTTP with HTTPS).
I think this is an Apache problem, because when I try to browse to
https://en.wiki.example.com/wiki
it redirects to
http://en.wiki.example.com:443/wiki/index.php/Main_Page
and then I get a Bad Request error. A trailing slash after wiki makes no difference.
Virtual host:
<VirtualHost *:443>
ServerName https://en.wiki.example.com
ServerAlias https://en.wiki.example.com en.wiki.external.com
Alias /wiki /var/www/wiki-en
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
<Directory /var/www/wiki-en>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
SSL + default virtual host:
Listen 443 https
NameVirtualHost *:443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
SSLStrictSNIVHostCheck off
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/certificates/certificate.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/certificates/certificateprivatekey.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Access Control:
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
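As the stylesheet and script locations are resolved as well, I see the same URL pattern there (http://en.wiki.example.com:443/wiki/load.php....). The same goes for the URL variables in Mediawiki. Does anyone see what I am doing wrong here? Thanks in advance. Also, I added underscores to remove the link formatting in this question.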
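Edit: updated the URLs.
Answer 1
At first glance: you need an SSLEngine on in every VirtualHost entry that has to support SSL. By default, the SSL/TLS protocol engine is disabled for both the main server and all configured virtual hosts.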
In addition, the ServerAlias directive should be followed by hostnames, not URLs; omit the https:// there.
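Answer 2
Make sure the same ServerName and ServerAlias are listed in the <VirtualHost *:80> section of your configuration file. Otherwise, Apache will not know what to do with non-secure (http) requests for the wiki and will instead offer up the only visible option, the one available on port 443.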
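The two answers combined into one configuration, as an added example that is not part of the original question or answers: the wiki virtual host gets its own SSLEngine on, ServerName and ServerAlias carry bare hostnames, and a port 80 virtual host lists the same names. Assumptions: the certificate files from the question's default virtual host also cover the wiki hostnames, and plain-HTTP requests should be redirected to HTTPS.

```apache
# Added example; hostnames and paths are the ones shown in the question.

# Plain-HTTP virtual host that lists the same names (answer 2).
<VirtualHost *:80>
    ServerName en.wiki.example.com
    ServerAlias en.wiki.external.com
    # Assumption: every plain-HTTP request is sent on to the HTTPS site.
    Redirect permanent / https://en.wiki.example.com/
</VirtualHost>

# TLS virtual host for the wiki.
<VirtualHost *:443>
    # Bare hostnames, no https:// prefix (answer 1).
    ServerName en.wiki.example.com
    ServerAlias en.wiki.external.com

    # The SSL engine is off by default in each virtual host (answer 1).
    SSLEngine on
    # Assumption: the certificate and key configured in the question's
    # _default_:443 virtual host are valid for the wiki hostnames too.
    SSLCertificateFile /etc/certificates/certificate.crt
    SSLCertificateKeyFile /etc/certificates/certificateprivatekey.key

    Alias /wiki /var/www/wiki-en
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log

    <Directory /var/www/wiki-en>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

Running `apachectl configtest` before reloading catches syntax errors in the edited virtual hosts.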