我们已更新 Apache 部署配置,以允许对我们的服务器 ( https://example.com) 发出非 www 请求。对于 https 连接,我们需要这样做,因为名称与证书不匹配。这很好,但最近我们注意到我们的本地部署安全环境 ( https://chris.example.com) 也指向这个新部署。我们注释掉了新部署,以确认这是导致它发生的更改,结果确实如此。我们推测这是由servername我们设置的设置引起的。这是我们的初始设置:
NameVirtualHost example.com:443
<VirtualHost example.com:443>
ServerAdmin [email protected]
DocumentRoot /var/www/html/www.example.com
ServerName example.com
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLProtocol all
SSLCertificateFile /usr/local/ssl/crt/example2017.cert
SSLCertificateKeyFile /usr/local/ssl/private/ssl2017.key
SSLCACertificateFile /usr/local/ssl/crt/example2017intermediate.pem
DirectoryIndex index.html
DirectoryIndex index.php
LogLevel notice
ErrorLog /var/log/httpd/www.example.com/error.log
LogFormat "%{%Y-%m-%d %H:%M:%S}t %a %u %A %p %m %U %q %>s \"%{User-agent}i\"" w3c_extended
CustomLog /var/log/httpd/www.example.com/access.log w3c_extended
</VirtualHost>
在注释起作用之后,我们认为这是ServerName一个松散的匹配,我们在 Apache 网站上看到了以下内容:
有时,服务器会在处理 SSL 的设备(例如反向代理、负载平衡器或 SSL 卸载设备)后面运行。在这种情况下,请在 ServerName 指令中指定 https:// 方案和客户端连接的端口号,以确保服务器生成正确的自引用 URL。
-http://httpd.apache.org/docs/2.2/mod/core.html#servername
因此我们将该servername条目更新为:
ServerName https://example.com:443
这样主页 ( https://example.com) 仍可加载和重定向,但开发环境 ( https://chris.example.com) 又会从主页加载。我最初考虑尝试一个明确的起始规则:
ServerName ^example.com
但我找不到任何地方说servername接受正则表达式。有没有办法做到这一点,还是我走错了路,问题出在其他地方?
输出如下httpd -S:
VirtualHost configuration:
192.168.0.0:443 is a NameVirtualHost
default server example.com (/etc/httpd/conf/httpd.conf:1065)
port 443 namevhost example.com (/etc/httpd/conf/httpd.conf:1065)
wildcard NameVirtualHosts and _default_ servers:
*:443 is a NameVirtualHost
default server *.example.com (/etc/httpd/conf.d/ssl.conf:74)
port 443 namevhost *.example.com (/etc/httpd/conf.d/ssl.conf:74)
port 443 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1046)
port 443 namevhost chris.example.com (/etc/httpd/conf/httpd.conf:1096)
port 443 namevhost dan.example.com (/etc/httpd/conf/httpd.conf:1129)
port 443 namevhost rich.example.com (/etc/httpd/conf/httpd.conf:1159)
port 443 namevhost rich2.example.com (/etc/httpd/conf/httpd.conf:1189)
port 443 namevhost danny12.example.com (/etc/httpd/conf/httpd.conf:1219)
port 443 namevhost nick.example.com (/etc/httpd/conf/httpd.conf:1249)
port 443 namevhost cdn.example.com (/etc/httpd/conf/httpd.conf:1300)
port 443 namevhost origin_server.example.com (/etc/httpd/conf/httpd.conf:1316)
*:80 is a NameVirtualHost
default server www.example.com (/etc/httpd/conf/httpd.conf:1034)
port 80 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1034)
port 80 namevhost dfw.example.com (/etc/httpd/conf/httpd.conf:1084)
port 80 namevhost chris.example.com (/etc/httpd/conf/httpd.conf:1114)
port 80 namevhost dan.example.com (/etc/httpd/conf/httpd.conf:1147)
port 80 namevhost rich.example.com (/etc/httpd/conf/httpd.conf:1177)
port 80 namevhost rich2.example.com (/etc/httpd/conf/httpd.conf:1207)
port 80 namevhost danny12.example.com (/etc/httpd/conf/httpd.conf:1237)
port 80 namevhost nick.example.com (/etc/httpd/conf/httpd.conf:1267)
port 80 namevhost origin_server.example.com (/etc/httpd/conf/httpd.conf:1279)
port 80 namevhost cdn.example.com (/etc/httpd/conf/httpd.conf:1290)
Syntax OK
新的部署从第 1064 行开始,到第 1081 行结束。
答案1
经过更彻底的聊天调查后发现二 NameBasedVirtualHost语句,一个用于,*:443另一个用于,example.com:443前者具有所有子域VirtualHost声明,而后者只有一个用于example.com自身的声明。
NameBasedVirtualHost *:443通过一个声明和引用它的所有子域和主域使其统一,解决了这个问题。