我正在寻找在 Amazon Linux Distro 中的 Apache 2.4.33 上实现此设置的最有效方法:
- 单个服务器实例(此处为:AWS EC2)
单个关联 IP
两个(或更多)域名,每个域名都有自己的 SSL 证书
一个适用于所有其他虚拟主机的默认 SSL VirtualHost,用于设置诸如
SSLProtocol
、FilesMatch
和等内容,BrowserMatch
仅设置一次每个域都有一个专用的 VirtualHost,指向相应的文件并设置文档根目录
这个设置有问题吗?
1)/etc/httpd/conf.d/ssl.conf
(整个文件):
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
# default settings for all VirtualHosts
<VirtualHost *:443>
LogLevel warn
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLHonorCypherOrder o
#use OpenSSL default
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!MD5
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
2)/etc/httpd/cond.f/vhosts.conf
# foo.com
<VirtualHost *:80>
ServerName foo.com
ServerAlias www.foo.com
Redirect 301 / https://foo.com
</VirtualHost>
<VirtualHost *:443>
ServerName foo.com:443
ServerAlias www.foo.com:443
DocumentRoot "/var/www/foo"
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/foo.crt
SSLCertificateChainFile /etc/pki/tls/certs/foo.bundle
SSLCertificateKeyFile /etc/pki/tls/private/foo.key
ErrorLog logs/foo
TransferLog logs/foo-acc
</VirtualHost>
# bar.com
<VirtualHost *:80>
ServerName bar.com
ServerAlias www.bar.com
Redirect 301 / https://bar.com
</VirtualHost>
<VirtualHost *:443>
ServerName bar.com:443
ServerAlias www.bar.com:443
DocumentRoot "/var/www/bar"
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/bar.crt
SSLCertificateChainFile /etc/pki/tls/certs/bar.bundle
SSLCertificateKeyFile /etc/pki/tls/private/bar.key
ErrorLog logs/bar
TransferLog logs/bar-acc
</VirtualHost>
这会起作用吗,还是我必须为每个专用域重复默认设置?
答案1
经过大量测试后我找到了答案:
通用“主”VirtualHostssl.conf
必须引用证书、链和密钥,否则将无法工作。因此,为了清晰起见并避免在虚拟主机之间编写(和维护)重复的行,最好将此通用虚拟主机移至vhosts.conf
其他虚拟主机之前。
那里指定的任何规则似乎都被以下虚拟主机正确继承,不需要重复。