Server name secure connection - loose matching

We updated our Apache deployment configuration to allow non-www requests to our server (https://example.com). We needed this for https connections, because the name did not match the certificate. That works fine, but we recently noticed that our local secure deployment environment (https://chris.example.com) also points at this new deployment. We commented out the new deployment to confirm that this was the change that caused it, and it was. We suspect it is caused by the ServerName setting we configured. Here is our initial setup:

NameVirtualHost example.com:443
<VirtualHost example.com:443>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html/www.example.com
    ServerName example.com
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLProtocol all
    SSLCertificateFile /usr/local/ssl/crt/example2017.cert
    SSLCertificateKeyFile /usr/local/ssl/private/ssl2017.key
    SSLCACertificateFile /usr/local/ssl/crt/example2017intermediate.pem
    DirectoryIndex index.html
    DirectoryIndex index.php
    LogLevel notice
    ErrorLog /var/log/httpd/www.example.com/error.log
    LogFormat "%{%Y-%m-%d %H:%M:%S}t %a %u %A %p %m %U %q %>s \"%{User-agent}i\"" w3c_extended
    CustomLog /var/log/httpd/www.example.com/access.log w3c_extended
</VirtualHost>

After commenting it out worked, we figured that ServerName is doing a loose match, and we saw the following on the Apache site:

Sometimes, the server runs behind a device that processes SSL, such as a reverse proxy, load balancer or SSL offload appliance. When this is the case, specify the https:// scheme and the port number to which the clients connect in the ServerName directive to make sure that the server generates the correct self-referential URLs.

-http://httpd.apache.org/docs/2.2/mod/core.html#servername

So we updated the ServerName entry to:

ServerName https://example.com:443

With this, the home page (https://example.com) still loads and redirects, but the development environment (https://chris.example.com) loads the home page again. I initially considered trying an explicit start-of-string rule:

ServerName ^example.com

but I could not find anywhere that says ServerName accepts regular expressions. Is there a way to do this, or am I on the wrong track and the problem lies elsewhere?

The output of httpd -S is as follows:

VirtualHost configuration:
192.168.0.0:443     is a NameVirtualHost
         default server example.com (/etc/httpd/conf/httpd.conf:1065)
         port 443 namevhost example.com (/etc/httpd/conf/httpd.conf:1065)
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server *.example.com (/etc/httpd/conf.d/ssl.conf:74)
         port 443 namevhost *.example.com (/etc/httpd/conf.d/ssl.conf:74)
         port 443 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1046)
         port 443 namevhost chris.example.com (/etc/httpd/conf/httpd.conf:1096)
         port 443 namevhost dan.example.com (/etc/httpd/conf/httpd.conf:1129)
         port 443 namevhost rich.example.com (/etc/httpd/conf/httpd.conf:1159)
         port 443 namevhost rich2.example.com (/etc/httpd/conf/httpd.conf:1189)
         port 443 namevhost danny12.example.com (/etc/httpd/conf/httpd.conf:1219)
         port 443 namevhost nick.example.com (/etc/httpd/conf/httpd.conf:1249)
         port 443 namevhost cdn.example.com (/etc/httpd/conf/httpd.conf:1300)
         port 443 namevhost origin_server.example.com (/etc/httpd/conf/httpd.conf:1316)
*:80                   is a NameVirtualHost
         default server www.example.com (/etc/httpd/conf/httpd.conf:1034)
         port 80 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1034)
         port 80 namevhost dfw.example.com (/etc/httpd/conf/httpd.conf:1084)
         port 80 namevhost chris.example.com (/etc/httpd/conf/httpd.conf:1114)
         port 80 namevhost dan.example.com (/etc/httpd/conf/httpd.conf:1147)
         port 80 namevhost rich.example.com (/etc/httpd/conf/httpd.conf:1177)
         port 80 namevhost rich2.example.com (/etc/httpd/conf/httpd.conf:1207)
         port 80 namevhost danny12.example.com (/etc/httpd/conf/httpd.conf:1237)
         port 80 namevhost nick.example.com (/etc/httpd/conf/httpd.conf:1267)
         port 80 namevhost origin_server.example.com (/etc/httpd/conf/httpd.conf:1279)
         port 80 namevhost cdn.example.com (/etc/httpd/conf/httpd.conf:1290)
Syntax OK

The new deployment starts at line 1064 and ends at line 1081.

Answer 1

After a more thorough investigation in chat, it turned out there were two NameBasedVirtualHost statements, one for *:443 and another for example.com:443; the former had all the subdomain VirtualHost declarations, while the latter had only the one for example.com itself.

Unifying this under a single NameBasedVirtualHost *:443 declaration, with all the subdomains and the main domain referencing it, solved the problem.
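The mechanism behind the answer's diagnosis, as an added example that is not part of the original question or answer: a short Python model of how Apache 2.2 selects a virtual host, which reproduces this exact misrouting, plus a check that parses `httpd -S` output and flags any port whose hosts are spread over more than one NameVirtualHost address set (the `192.168.0.0:443` and `*:443` sets shown above). The connection's local IP and port are matched against an address set first, and an exact IP:port set beats the `*:port` set; only then is the requested name (under TLS, the name the client sends in SNI) compared against ServerName and ServerAlias, and only within that set. ServerName is always a literal, which is why `^example.com` can never work; the directive that accepts `*` and `?` wildcards is ServerAlias, and the model keeps that distinction. The IP address, the DNS mapping and both configuration fragments are constructed for the demonstration.

```python
"""Why https://chris.example.com was served by the example.com vhost: a model
of Apache 2.2 virtual-host selection, plus a check over `httpd -S` output.

Added example; not code from the original post or from Apache itself. The
rules modelled are the documented ones: the connection's local IP:port is
matched against an address set first (an exact IP:port set beats *:port),
and only then is the requested name compared, inside that set only, against
ServerName (a literal, never a pattern) and ServerAlias (may use * and ?).
192.168.0.0 is the redacted address from the httpd -S output; the config
fragments are constructed to mirror the split and the unified setups."""
import re
from fnmatch import fnmatchcase

SERVER_IP = "192.168.0.0"
DNS = {"example.com": SERVER_IP}  # what <VirtualHost example.com:443> resolves to

# Constructed: the question's layout, with example.com in its own address set.
SPLIT_CONFIG = """
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName *.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
</VirtualHost>
NameVirtualHost example.com:443
<VirtualHost example.com:443>
    ServerName https://example.com:443
</VirtualHost>
<VirtualHost *:443>
    ServerName chris.example.com
</VirtualHost>
"""
# The answer's fix: one *:443 address set holding the main domain and every subdomain.
UNIFIED_CONFIG = SPLIT_CONFIG.replace("NameVirtualHost example.com:443\n", "").replace(
    "<VirtualHost example.com:443>", "<VirtualHost *:443>")


def parse_vhosts(text):
    """Return the <VirtualHost> blocks as dicts, in configuration order."""
    vhosts = []
    for m in re.finditer(r"<VirtualHost\s+([^>\s]+)>(.*?)</VirtualHost>", text, re.S):
        addr, port = m.group(1).rsplit(":", 1)
        body = m.group(2)
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M).group(1)
        # ServerName may carry the scheme/port form the docs recommend behind an
        # SSL offloader (https://example.com:443); only the host part is matched.
        name = re.sub(r"^\w+://", "", name).split(":")[0].lower()
        alias_lines = re.findall(r"^\s*ServerAlias\s+(.+?)\s*$", body, re.M)
        aliases = [tok.lower() for line in alias_lines for tok in line.split()]
        vhosts.append({"addr": DNS.get(addr, addr), "port": int(port),
                       "name": name, "aliases": aliases})
    return vhosts


def select_vhost(vhosts, local_ip, port, requested_name):
    """Return the ServerName Apache 2.2 would serve for this connection, or None."""
    requested = requested_name.lower()
    exact = [v for v in vhosts if v["addr"] == local_ip and v["port"] == port]
    # An exact IP:port address set wins over *:port, and name matching never
    # crosses into the other set: that is the whole bug on this page.
    candidates = exact or [v for v in vhosts if v["addr"] == "*" and v["port"] == port]
    if not candidates:
        return None
    for v in candidates:
        if requested == v["name"] or any(fnmatchcase(requested, a) for a in v["aliases"]):
            return v["name"]
    return candidates[0]["name"]  # nothing matched: first VirtualHost in the set


# Constructed excerpt of the `httpd -S` output shown in the question.
HTTPD_S = """\
VirtualHost configuration:
192.168.0.0:443     is a NameVirtualHost
         default server example.com (/etc/httpd/conf/httpd.conf:1065)
         port 443 namevhost example.com (/etc/httpd/conf/httpd.conf:1065)
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server *.example.com (/etc/httpd/conf.d/ssl.conf:74)
         port 443 namevhost chris.example.com (/etc/httpd/conf/httpd.conf:1096)
*:80                   is a NameVirtualHost
         default server www.example.com (/etc/httpd/conf/httpd.conf:1034)
"""


def split_address_sets(httpd_s_output):
    """Ports that appear in more than one NameVirtualHost address set. Any
    port listed here has its name matching partitioned as shown above."""
    sets = {}
    for addr, port in re.findall(r"^(\S+):(\d+)\s+is a NameVirtualHost",
                                 httpd_s_output, re.M):
        sets.setdefault(int(port), set()).add(addr)
    return {port: addrs for port, addrs in sets.items() if len(addrs) > 1}


if __name__ == "__main__":
    for label, cfg in (("split", SPLIT_CONFIG), ("unified", UNIFIED_CONFIG)):
        got = select_vhost(parse_vhosts(cfg), SERVER_IP, 443, "chris.example.com")
        print(f"{label:8s} https://chris.example.com -> {got}")
    print("ports with split address sets:", split_address_sets(HTTPD_S))
```

With the split configuration the model sends chris.example.com to example.com, exactly as observed; with the unified one it reaches chris.example.com, and an unknown name such as dan.example.com falls to the set's first VirtualHost because the literal ServerName `*.example.com` matches nothing. The `httpd -S` check is cheap to run after every configuration change. Two caveats for anyone copying the fix: the NameVirtualHost directive is specific to Apache 2.2 (2.4 ignores it and treats every address set as name-based), and, unrelated to the routing bug, the vhost posted above uses `SSLProtocol all` with a cipher list that explicitly admits SSLv2, EXPORT and LOW grades, which a current deployment should not offer.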
