Apache2 禁用来自 LAN 的 SSL 请求

tag-icon tag-icon ssl apache-2.4 virtualhost
Apache2 禁用来自 LAN 的 SSL 请求

我有一台 Linux 服务器,有 3 个网络接口,一个用于 LAN,两个用于 WAN(IPv4 和 IPv6)。
到目前为止,Apache 已配置为使用 80 上的单个虚拟主机为这两个网络接口提供同一个网站external.domain.com(作为服务器名称) 和内部.域.本地(作为服务器别名
我现在已经获得了external.domain.com并使用 mod_rewrite 重新配置虚拟主机,将 HTTP 请求重定向到 HTTPS。从外部访问网站时,它运行良好。

但是,由于该网站是通过不同的主机名访问的,我认为来自 LAN 的请求应该使用纯 HTTP 来处理。
我是否需要创建单独的虚拟主机,还是只用一个虚拟主机就可以处理所有事情?

这是我当前的配置:

<VirtualHost *:80>
    ServerName external.domain.com
        RewriteEngine on
        ReWriteCond %{SERVER_PORT} !^443$
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName external.domain.com
    ServerAlias internal.domain.local
    Header always add Strict-Transport-Security "max-age=15768000"
    DocumentRoot /data/htdocs/site1

    <Directory /data/htdocs/site1>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/site1-error.log

    LogLevel info

    CustomLog ${APACHE_LOG_DIR}/site1-access.log combined
    ServerSignature On

        SSLEngine on
    SSLCertificateFile /etc/ssl/private/apache/external.domain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/apache/external.domain.com.key 
    SSLCertificateChainFile /etc/ssl/certs/COMODO_DV_SHA-256_bundle.crt
    SSLProtocol all -SSLv2 -SSLv3
    #SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES+SHA384:ECDH+AES+SHA256:DH+AES:!RSA+AES256:!ADH:!AECDH:!MD5:!DSS:!aNULL:!eNULL:!LOW:!EXP
    #SSLHonorCipherOrder on

    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

    SSLHonorCipherOrder on
    #SSLOpenSSLConfCmd DHParameters /etc/apache2/ssl/dhparams.pem
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>

谢谢

答案1

如果您拥有不同的接口,并希望其表现不同,则应定义不同的虚拟主机,并在“需要”时为每个虚拟主机指定 IP。Scheme 可以这样,或者至少我发现这是更简单的方法:

<VirtualHost localip:80>
....
</VirtualHost>

<VirtualHost extip:80>
Redirect / https://external.example.com/
</VirtualHost>

<VirtualHost extip:443>
....
</VirtualHost>

相关内容