SLES 上的 Apache 仅使用 -D SSL 参数启动 https

SLES 上的 Apache 仅使用 -D SSL 参数启动 https

几天来我一直在破解这台服务器,试图将新安装的 Apache 转换为 HTTPS,并计划在 SSL 正常运行后将其转换为 NSS。这台服务器不面向互联网,仅供内部网络使用,因此使用了自签名证书。我相信这很简单,经验丰富的人很快就会发现。

its:/etc/apache2 # httpd -v
Server version: Apache/2.4.23 (Linux/SUSE)
Server built:   2018-04-04 10:24:21.000000000 +0000

这是启动启用 SSL 的服务器的命令:

its:~ # apache2ctl -D SSL -k start

您可以从下面的命令中看到 httpd 正在监听 80 和 443:

its:~ # netstat -anp | grep -i listen |head -10
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      12704/postgres
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1587/master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1461/sshd
tcp        0      0 ::1:5432                :::*                    LISTEN      12704/postgres
tcp        0      0 ::1:25                  :::*                    LISTEN      1587/master
tcp        0      0 :::443                  :::*                    LISTEN      17086/httpd-prefork
tcp        0      0 :::80                   :::*                    LISTEN      17086/httpd-prefork
tcp        0      0 :::22                   :::*                    LISTEN      1461/sshd
unix  2      [ ACC ]     STREAM     LISTENING     20198  3246/gnome-session- @/tmp/.ICE-unix/3246
unix  2      [ ACC ]     STREAM     LISTENING     26729  10664/2             /tmp/ssh-QVZiT6g6BZ/agent.10664

运行上述命令时,apache 错误日志中显示的内容如下:

[Tue Jun 19 18:09:06.548624 2018] [mpm_prefork:notice] [pid 17086] AH00163: Apache/2.4.23 (Linux/SUSE) OpenSSL/1.0.2j-fips PHP/7.0.7 configured -- resuming normal operations
[Tue Jun 19 18:09:06.548653 2018] [core:notice] [pid 17086] AH00094: Command line: '/usr/sbin/httpd-prefork -D SYSCONFIG -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -D SSL'

现在,当尝试正常启动服务器时(不带 -D SSL 选项):

its:~ # apache2ctl start
its:/etc/apache2 # netstat -anp | grep -i listen |head -10
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      12704/postgres
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1587/master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1461/sshd
tcp        0      0 ::1:5432                :::*                    LISTEN      12704/postgres
tcp        0      0 ::1:25                  :::*                    LISTEN      1587/master
tcp        0      0 :::80                   :::*                    LISTEN      22448/httpd-prefork
tcp        0      0 :::22                   :::*                    LISTEN      1461/sshd
unix  2      [ ACC ]     STREAM     LISTENING     20198  3246/gnome-session- @/tmp/.ICE-unix/3246
unix  2      [ ACC ]     STREAM     LISTENING     26729  10664/2             /tmp/ssh-QVZiT6g6BZ/agent.10664
unix  2      [ ACC ]     STREAM     LISTENING     20051  1911/gdm-simple-sla @/tmp/dbus-UIT8sEpY

在 Apache 错误日志中:

[Wed Jun 20 09:00:59.337270 2018] [ssl:warn] [pid 22448] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Jun 20 09:00:59.342902 2018] [mpm_prefork:notice] [pid 22448] AH00163: Apache/2.4.23 (Linux/SUSE) OpenSSL/1.0.2j-fips PHP/7.0.7 configured -- resuming normal operations
[Wed Jun 20 09:00:59.342982 2018] [core:notice] [pid 22448] AH00094: Command line: '/usr/sbin/httpd-prefork -D SYSCONFIG -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf'

我确实注意到了ssl:warn上面第二个演示中的内容,因此这里是该研究:

its:/etc/apache2 # cat httpd.conf |grep ssl-global.conf |grep -v \#
Include /etc/apache2/ssl-global.conf
its:/etc/apache2 # cat ssl-global.conf|grep SSLSessionCache |grep -v \#
        SSLSessionCache         shmcb:/var/lib/apache2/ssl_scache(512000)
        SSLSessionCacheTimeout  300

httpd.conf:

its:/etc/apache2 # cat httpd.conf |grep -v ^\# |grep -v ^$
Include /etc/apache2/uid.conf
Include /etc/apache2/server-tuning.conf
ErrorLog /var/log/apache2/error_log
<IfDefine !SYSCONFIG>
  Include /etc/apache2/loadmodule.conf
</IfDefine>
Include /etc/apache2/listen.conf
Include /etc/apache2/mod_log_config.conf
<IfDefine !SYSCONFIG>
  Include /etc/apache2/global.conf
</IfDefine>
Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf
Include /etc/apache2/mod_reqtimeout.conf
Include /etc/apache2/mod_cgid-timeout.conf
Include /etc/apache2/mod_usertrack.conf
Include /etc/apache2/mod_autoindex-defaults.conf
TypesConfig /etc/apache2/mime.types
Include /etc/apache2/mod_mime-defaults.conf
Include /etc/apache2/errors.conf
Include /etc/apache2/ssl-global.conf
<Directory />
    Options None
    AllowOverride None
    <IfModule !mod_access_compat.c>
        Require all denied
    </IfModule>
    <IfModule mod_access_compat.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>
AccessFileName .htaccess
<Files ~ "^\.ht">
    <IfModule !mod_access_compat.c>
        Require all denied
    </IfModule>
    <IfModule mod_access_compat.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
DirectoryIndex index.html index.html.var
Include /etc/apache2/default-server.conf
IncludeOptional /etc/apache2/vhosts.d/*.conf
ServerName 192.168.25.53
AddType  application/x-httpd-php         .php
AddType  application/x-httpd-php-source  .phps

最后是我的 vhost 文件:

its:/etc/apache2 # cat vhosts.d/*conf |grep -v \# |grep -v ^$
ServerTokens Prod
TraceEnable off
LogLevel notice
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost _default_:443>
DocumentRoot /srv/www/htdocs/mantis
ServerName 192.168.25.53
ServerAlias 192.168.25.53
ServerAdmin [email protected]
ErrorLog "|| /usr/sbin/rotatelogs2 /var/log/apache2/error_log_ssl.%Y%m%d 100M"
TransferLog "|| /usr/sbin/rotatelogs2 /var/log/apache2/access_log_ssl.%Y%m%d 100M"
CustomLog "|| /usr/sbin/rotatelogs2 /var/log/apache2/ssl_request_log.%Y%m%d 100M" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
CustomLog "|| /usr/sbin/rotatelogs2 /var/log/apache2/ssl_referer_log.%Y%m%d 100M" "%t %h %{Referer}i -> %U"
<IfModule mod_rewrite.c>
   RewriteEngine on
   RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
   RewriteRule .* - [F]
</IfModule>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
SSLCertificateChainFile /etc/apache2/ssl/apache.crt
SSLCACertificatePath /etc/apache2/ssl
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

<Directory "/srv/www/htdocs/mantis">
    Require all granted
    Order allow,deny
    Allow from all
</Directory>
</VirtualHost>
</IfDefine>
</IfDefine>

如果还有其他 conf 或日志文件需要包含以更好地解决这个问题,请在下面的评论中写下。我愿意接受任何可能超出这个问题范围的建议或最佳实践方法,但请将其限制在评论中。

答案1

显然,在 SuSE 中,您需要将此行放在 /etc/sysconfig/apache2 文件中:

APACHE_SERVER_FLAGS="-D SSL"

您可以看到您的配置文件包含IfDefine,因此它是故意这样做的。

相关内容