Apache Web 服务器 HTTPS 端口重定向到 HTTP 端口 443

tag-icon tag-icon ssl apache-2.4 php5 centos7 mediawiki
Apache Web 服务器 HTTPS 端口重定向到 HTTP 端口 443

我在工作中安装了 Mediawiki(最新版本),Apache Web 服务器 2.4.6 和 PHP 5。当我想在本地访问 wiki 页面并在 Mediawiki 中配置主机名时,一切都运行正常

$wgServer = https://en.wiki.example.com.

现在,一旦我在 Mediawik 中清除此主机名配置,它就会获取它获取的 Web 服务器的主机名。这种情况确实发生了,但主机名的格式是

http://en.wiki.example.com:443

这是一个不正确的 URL(因为混合了 HTTP 与 HTTPS)。

我认为这是一个 Apache 问题,因为当我尝试浏览

https://en.wiki.example.com/wiki

它会重定向到

http://en.wiki.example.com:443/wiki/index.php/Main_Page

然后我得到了一个 Bad Request 错误。wiki 后面的斜杠没有任何作用。

虚拟主机:

<VirtualHost *:443>
ServerName https://en.wiki.example.com
ServerAlias https://en.wiki.example.com en.wiki.external.com
Alias /wiki /var/www/wiki-en
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
<Directory /var/www/wiki-en>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
</VirtualHost>

SSL + 默认虚拟主机:

Listen 443 https

NameVirtualHost *:443

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

SSLStrictSNIVHostCheck off

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the 
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names.  NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly. 
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/certificates/certificate.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/certificates/certificateprivatekey.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#   Access Control:
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

由于样式表和脚本位置均已解析,因此我看到相同的 URL 模式(

http://en.wiki.example.com:443/wiki/load.php....

)。Mediawiki 中的 URL 变量也是如此。有人看到我在这里做错了什么吗?提前谢谢。此外,我还添加了下划线以删除此问题中的链接格式。

编辑:更新了网址。

答案1

乍一看:你需要一个SSLEngine on在每个需要支持 SSL 的 VirtualHost 条目中。默认情况下,主服务器和所有配置的虚拟主机均禁用 SSL/TLS 协议引擎。

此外,该ServerAlias指令还应遵循主机名不是通过 URL;省略那里https://

答案2

确保配置文件的部分中列出了ServerAlias相同的内容。否则,Apache 将不知道如何处理 wiki 的非安全 (http) 请求,而是提供唯一可见的选项,即端口 443 上可用的选项。ServerName<VirtualHost *:80>

相关内容