Apache 在单个 IP 上使用 SNI 的多个 SSL 证书的理想设置

tag-icon tag-icon ssl apache-2.4 openssl sni
Apache 在单个 IP 上使用 SNI 的多个 SSL 证书的理想设置

我正在寻找在 Amazon Linux Distro 中的 Apache 2.4.33 上实现此设置的最有效方法:

  • 单个服务器实例(此处为:AWS EC2)

  • 单个关联 IP

  • 两个(或更多)域名,每个域名都有自己的 SSL 证书

  • 一个适用于所有其他虚拟主机的默认 SSL VirtualHost,用于设置诸如SSLProtocolFilesMatch和等内容,BrowserMatch仅设置一次

  • 每个域都有一个专用的 VirtualHost,指向相应的文件并设置文档根目录

这个设置有问题吗?

1)/etc/httpd/conf.d/ssl.conf(整个文件):

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

# default settings for all VirtualHosts
<VirtualHost *:443>

LogLevel warn

SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

SSLHonorCypherOrder o

#use OpenSSL default
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!MD5

<FilesMatch "\.(cgi|shtml|phtml|php)$">
  SSLOptions +StdEnvVars
</FilesMatch>

<Directory "/var/www/cgi-bin">
  SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

2)/etc/httpd/cond.f/vhosts.conf

# foo.com

<VirtualHost *:80>
  ServerName foo.com
  ServerAlias www.foo.com
  Redirect 301 / https://foo.com
</VirtualHost>

<VirtualHost *:443>
  ServerName foo.com:443
  ServerAlias www.foo.com:443

  DocumentRoot "/var/www/foo"

  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/foo.crt
  SSLCertificateChainFile /etc/pki/tls/certs/foo.bundle
  SSLCertificateKeyFile /etc/pki/tls/private/foo.key

  ErrorLog logs/foo
  TransferLog logs/foo-acc
</VirtualHost>


# bar.com

<VirtualHost *:80>
  ServerName bar.com
  ServerAlias www.bar.com
  Redirect 301 / https://bar.com
</VirtualHost>

<VirtualHost *:443>
  ServerName bar.com:443
  ServerAlias www.bar.com:443

  DocumentRoot "/var/www/bar"

  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/bar.crt
  SSLCertificateChainFile /etc/pki/tls/certs/bar.bundle
  SSLCertificateKeyFile /etc/pki/tls/private/bar.key

  ErrorLog logs/bar
  TransferLog logs/bar-acc
</VirtualHost>

这会起作用吗,还是我必须为每个专用域重复默认设置?

答案1

经过大量测试后我找到了答案:

通用“主”VirtualHostssl.conf 必须引用证书、链和密钥,否则将无法工作。因此,为了清晰起见并避免在虚拟主机之间编写(和维护)重复的行,最好将此通用虚拟主机移至vhosts.conf其他虚拟主机之前。

那里指定的任何规则似乎都被以下虚拟主机正确继承,不需要重复。

相关内容