Apache basic authentication does not work with SSL setup

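Two similar .conf files on Apache 2.2 show different effects.

The first file, 000-default.conf,

  • sets up a virtual http host
  • sets AuthType Basic

    and shows the correct behaviour.

The second file, 000-default-ssl.conf,

  • sets up a virtual https host
  • includes the SSL certificates and
  • also sets AuthType Basic

https actually works fine, but authentication does not work over https. The given directory is not protected at all and is delivered to the client. (The file is definitely in effect: if it is removed from /etc/apache2/sites-enabled, https stops working.)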

000-default.conf

<VirtualHost *:80>

    ServerAdmin [email protected]
    ServerName domain.org

    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        DirectoryIndex index.php index.html index.htm index.shtml index.cgi
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    <Location /project/backend/>
        AuthType Basic
        AuthName "Restricted Files"
        AuthBasicProvider file
        AuthUserFile "/usr/local/apache/passwd/passwds"
        Require user project
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

000-default-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>

    ServerAdmin [email protected]
    ServerName domain.org

    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        DirectoryIndex index.php index.html index.htm index.shtml index.cgi
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    <Location /project/backend/>
        AuthType Basic
        AuthName "Restricted Files"
        AuthBasicProvider file
        AuthUserFile "/usr/local/apache/passwd/passwds"
        Require user project
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    SSLEngine on
    SSLCertificateFile  /etc/letsencrypt/live/domain.org/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.org/privkey.pem

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    SSLCertificateChainFile /etc/letsencrypt/live/domain.org/chain.pem

</VirtualHost>
</IfModule>

For easier comparison, here is a diff dump:

diff 000-default.conf 000-default-ssl.conf

1,2c1,3
< <VirtualHost *:80>
<
---
> <IfModule mod_ssl.c>
> <VirtualHost *:443>
>
37,39c38,50
<   # Possible values include: debug, info, notice, warn, error, crit,
<   # alert, emerg.
<   LogLevel warn
---
>   SSLEngine on
>   SSLCertificateFile  /etc/letsencrypt/live/domain.org/cert.pem
>   SSLCertificateKeyFile /etc/letsencrypt/live/domain.org/privkey.pem
>
>   <FilesMatch "\.(cgi|shtml|phtml|php)$">
>       SSLOptions +StdEnvVars
>   </FilesMatch>
>   <Directory /usr/lib/cgi-bin>
>       SSLOptions +StdEnvVars
>   </Directory>
>
>   BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>   BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
41c52
<   CustomLog ${APACHE_LOG_DIR}/access.log combined
---
>   SSLCertificateChainFile /etc/letsencrypt/live/domain.org/chain.pem
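Review bot: in the 41c52 hunk the SSL vhost loses `CustomLog ${APACHE_LOG_DIR}/access.log combined` and gets `SSLCertificateChainFile` in its place, so this vhost has no access log of its own. Keeping the CustomLog line in 000-default-ssl.conf (a separate file name would also do) would show whether HTTPS requests to /project/backend/ are answered by this vhost and whether they return 401 or 200.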
43a55
> </IfModule>

The only actual differences are SSL-related.

ports.conf should be fine as well

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
  # If you add NameVirtualHost *:443 here, you will also have to change
  # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
  # to <VirtualHost *:443>
  # Server Name Indication for SSL named virtual hosts is currently not
  # supported by MSIE on Windows XP.
  NameVirtualHost *:443
  Listen 443
</IfModule>

<IfModule mod_gnutls.c>
  Listen 443
</IfModule>

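Thank you very much for your help.

Answer 1

In my view, your syntax should work. I copied your Location syntax to my server, and it works perfectly with TLS.

Maybe there are some odd entries in one of the configs of the enabled modules? I tested with these modules: actions alias auth_basic authn_file authz_default authz_groupfile authz_host authz_user autoindex cgi deflate dir env headers mime negotiation perl php5 php5_cgi reqtimeout rewrite setenvif ssl status vhost_alias
 
Did you restart Apache? (I assume so, but maybe...)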
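One way to follow up on the answer's suggestion of stray entries in other configuration files, as an added example that is not part of the original posts: Apache serves a request from the first `<VirtualHost>` in load order that matches the address and ServerName, so this sketch lists each vhost and flags the winning one when it lacks the auth block. The file `conf.d/legacy-ssl.conf`, the function names and the sample texts are constructed for illustration, and the parser is a simplification (exact `<Location>` path match only).

```python
import re

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
LOCATION = re.compile(r'<Location\s+"?([^\s">]+)"?\s*>(.*?)</Location>', re.S | re.I)

def directive(name, body):
    """Return the first argument of a directive inside a config body, or None."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None

def audit(configs, path):
    """configs: (filename, text) pairs in load order; one row per <VirtualHost>."""
    rows = []
    for fname, text in configs:
        text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
        for addr, body in VHOST.findall(text):
            # Simplification: exact <Location> path match, both directives required.
            protected = any(
                loc.rstrip("/") == path.rstrip("/")
                and directive("AuthType", lbody) and directive("Require", lbody)
                for loc, lbody in LOCATION.findall(body))
            rows.append({"file": fname, "addr": addr.strip(),
                         "name": directive("ServerName", body), "protected": protected})
    return rows

def unprotected_winners(rows):
    """The first vhost per (address, ServerName) serves the request; list those without auth."""
    first = {}
    for row in rows:
        first.setdefault((row["addr"], row["name"]), row)
    return [r for r in first.values() if not r["protected"]]

AUTH = """<Location /project/backend/>
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile "/usr/local/apache/passwd/passwds"
    Require user project
</Location>"""
# Constructed sample: the first file is hypothetical, the other two mirror the question.
SAMPLE = [
    ("conf.d/legacy-ssl.conf", "<VirtualHost *:443>\nServerName domain.org\nSSLEngine on\n</VirtualHost>"),
    ("000-default-ssl.conf", f"<IfModule mod_ssl.c>\n<VirtualHost *:443>\nServerName domain.org\n{AUTH}\n</VirtualHost>\n</IfModule>"),
    ("000-default.conf", f"<VirtualHost *:80>\nServerName domain.org\n{AUTH}\n</VirtualHost>"),
]

if __name__ == "__main__":
    for row in unprotected_winners(audit(SAMPLE, "/project/backend/")):
        print(f"{row['addr']} {row['name']}: served by {row['file']} without auth")
```

On a live server, `apachectl -S` prints the vhost order Apache actually resolved, which is the order to feed into `audit`.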
