多年来,我一直在 Ubuntu 18.04 LTS 服务器上通过 mod_rewrite 强制升级 HTTPS。我最近将其中一些服务器升级到了 Ubuntu 22.04.1 LTS,以确保可以使用最新的安全性和 Apache 版本。
一切似乎都很好,直到我发现每一个不同的 Apache 配置都确保http://始终升级到https:// 不再起作用。
以下是我当前的配置文件。Certbot 甚至正确设置了它,但它在 :80 配置上不起作用。所有必需的模块都已启用。
我知道 mod_rewrite 有效,因为 Laravel 仍然有效。我完全困惑了!我试过了RedirectMatch,等等Redirect。GoogleRewriteRule上的每个结果都说要做这些相同的事情。Certbot 甚至“正确”地设置了它。
<VirtualHost *:80>
ServerName mydomain.com.au
ServerAdmin [email protected]
DocumentRoot "/var/www/mydomain.com.au/public"
ErrorLog "/var/log/apache2/mydomain.com.au-error.log"
CustomLog "/var/log/apache2/mydomain.com.au-access.log" common
# Not exactly needed...
<Directory "/var/www/mydomain.com.au/public">
DirectoryIndex index.php
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{SERVER_NAME} =mydomain.com.au
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
# This actually works in browsers at least
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>
<VirtualHost *:443>
ServerName mydomain.com.au
ServerAdmin [email protected]
DocumentRoot "/var/www/mydomain.com.au/public"
Header unset Upgrade
Protocols http/1.1 # AWS ELB runs HTTP/2
ErrorLog "/var/log/apache2/mydomain.com.au-error.log"
CustomLog "/var/log/apache2/mydomain.com.au-access.log" common
<Directory "/var/www/mydomain.com.au/public">
DirectoryIndex index.php
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<FilesMatch "\.(php)$">
SSLOptions +StdEnvVars
</FilesMatch>
SSLEngine on
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/mydomain.com.au/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com.au/privkey.pem
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>
更新
从那时起,我就在 Laravel 项目中强制使用 HTTPS,并要求仅通过安全连接发送 cookie,以防止任何会话登录。如今,浏览器也会阻止以不安全的方式发送表单。
我只是很惊讶为什么 Apache HTTPS 升级现在根本不起作用。