Does an apache reverse-proxy host throw SNI and TLS errors when proxying multiple sites from different servers?

I have an apache2 reverse proxy that fronts a number of services, including zabbix and nextcloud, and applies a wildcard SSL certificate to those services. They are all separate virtual hosts, but they all use the same CA-validated wildcard SSL certificate. In principle this works well. The zabbix server and the nextcloud server are their own VMs, and if I load "https://zabbix.domain.tld" or "https://nextcloud.domain.tld" in Firefox everything goes smoothly, with no errors in the server logs.

However, if I open Firefox with 2 tabs, one on "https://nextcloud.domain.tld" and the other on "https://zabbix.domain.tld", my apache log starts showing the following errors:

[Tue Jul 18 14:15:31.891105 2023] [ssl:error] [pid 357025:tid 140406695503424] [client 10.#.#.#:59958] AH02032: Hostname nextcloud.domain.tld provided via SNI and hostname zabbix.domain.tld provided via HTTP have no compatible SSL setup
[Tue Jul 18 14:15:38.849413 2023] [ssl:error] [pid 357022:tid 140406779430464] [client 10.#.#.#:59962] AH02032: Hostname zabbix.domain.tld provided via SNI and hostname nextcloud.domain.tld provided via HTTP have no compatible SSL setup

Overall everything works, but I often leave these two sites open, so my logs are getting spammed. Should I be worried about this? I haven't been able to find anything in my apache config that indicates otherwise. I keep worrying that the reverse proxy's hostnames are somehow leaking, but I can't debug it with online TLS checkers or various curl commands, which show nothing?

Below is the zabbix config; the nextcloud config is ultimately the same:

<VirtualHost *:443>
        ServerName zabbix.domain.tld
        ServerAlias zabbix.domain.tld
        ServerAlias *.zabbix.domain.tld
        RequestHeader set X-SCHEME https
        # Reverse-proxy this name to the zabbix VM over TLS
        ProxyPass / https://10.2.2.202/
        ProxyPassReverse / https://10.2.2.202/
#        RewriteEngine on
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                SSLOptions +StdEnvVars
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.zabbix.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.zabbix.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/wildcard.domain.tld.crt
        SSLCertificateKeyFile /etc/ssl/private/wildcard.domain.tld.key
        # SSLCACertificateFile sets the CA used to verify client certificates;
        # it does not add the intermediate to the chain served to clients
        SSLCACertificateFile /etc/ssl/certs/RapidSSL.Intermediate.crt
        SSLHonorCipherOrder On
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
        SSLInsecureRenegotiation off
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
        # TLS towards the backend, with every verification of the backend certificate disabled
        SSLProxyEngine          On
        # ProxyRequests On enables forward proxying in addition to the ProxyPass reverse proxy above
        ProxyRequests           On
        SSLProxyVerify          none
        SSLProxyCheckPeerCN     off
        SSLProxyCheckPeerName   off
        SSLProxyCheckPeerExpire off
        ProxyPreserveHost       On
        RequestHeader           set             X-Forwarded-Proto "https"
</VirtualHost>
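As an added example that is not part of the question or of any answer on the page: one way to lay out the same vhost so that the TLS directives mod_ssl compares between name-based vhosts cannot drift apart, and so that the host is a reverse proxy only. mod_ssl logs AH02032 and answers the request with 421 Misdirected Request (the browser then retries on a fresh connection, which is why the sites keep working) whenever the vhost chosen by SNI and the vhost chosen by the Host header do not compare as having the same SSL setup; putting every such directive into one shared include guarantees that all *:443 vhosts are identical in that respect. The include path, the backend hostname and the internal CA file are assumptions.

```apache
# /etc/apache2/conf-available/tls-common.conf  (assumed path, Included below)
# One copy of every TLS directive that mod_ssl compares between vhosts, so the
# vhost picked by SNI and the vhost picked by the Host header never differ.
SSLEngine                on
SSLCertificateFile       /etc/ssl/certs/wildcard.domain.tld.crt
SSLCertificateKeyFile    /etc/ssl/private/wildcard.domain.tld.key
# Intermediate actually sent to clients. SSLCACertificateFile only names the CA
# for client-certificate verification and adds nothing to the served chain
# (on 2.4.8+ the intermediate can instead be appended to SSLCertificateFile).
SSLCertificateChainFile  /etc/ssl/certs/RapidSSL.Intermediate.crt
SSLProtocol              all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite           ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder      on
SSLInsecureRenegotiation off

# /etc/apache2/sites-available/zabbix.conf  (the nextcloud vhost differs only
# in ServerName, ProxyPass target and log names)
<VirtualHost *:443>
    ServerName zabbix.domain.tld
    Include conf-available/tls-common.conf

    # Reverse proxy only. "ProxyRequests On" additionally enables forward
    # proxying, and without a restricting <Proxy> block that is an open proxy.
    ProxyRequests        Off
    ProxyPreserveHost    On
    SSLProxyEngine       On

    # Verify the backend instead of switching every check off. Assumes the
    # backend presents a certificate issued by internal-ca.crt (assumed file)
    # that covers the name mod_proxy verifies it against.
    SSLProxyVerify            require
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.crt
    SSLProxyCheckPeerName     on
    SSLProxyCheckPeerExpire   on

    # zabbix-backend.internal is a placeholder for the backend VM's name
    ProxyPass        / https://zabbix-backend.internal/
    ProxyPassReverse / https://zabbix-backend.internal/
    RequestHeader set X-Forwarded-Proto "https"

    ErrorLog  ${APACHE_LOG_DIR}/error.zabbix.log
    CustomLog ${APACHE_LOG_DIR}/access.zabbix.log combined
</VirtualHost>
```

Enable the include with `a2enconf tls-common` (or an explicit `Include` as above) and check the result with `apachectl configtest` before reloading; if AH02032 still appears afterwards, diff the two vhost files for any remaining SSL* directive that is set in one and not the other.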

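Two checks for the situation in the question, as an added example that is not from the question or from any answer on the page: a summary of which SNI/Host pairs trigger AH02032 in the error log, and a deliberate SNI/Host mismatch reproduced with curl so the proxy's reaction can be observed directly instead of waiting for Firefox to produce one. The log sample is copied from the question (with one line repeated) rather than read from a live log, and the proxy IP passed to --resolve is a placeholder.

```shell
#!/bin/sh
# Constructed sample: the two AH02032 lines from the question, plus one repeat.
SAMPLE_LOG='[Tue Jul 18 14:15:31.891105 2023] [ssl:error] [pid 357025:tid 140406695503424] [client 10.#.#.#:59958] AH02032: Hostname nextcloud.domain.tld provided via SNI and hostname zabbix.domain.tld provided via HTTP have no compatible SSL setup
[Tue Jul 18 14:15:38.849413 2023] [ssl:error] [pid 357022:tid 140406779430464] [client 10.#.#.#:59962] AH02032: Hostname zabbix.domain.tld provided via SNI and hostname nextcloud.domain.tld provided via HTTP have no compatible SSL setup
[Tue Jul 18 14:16:02.000000 2023] [ssl:error] [pid 357022:tid 140406779430464] [client 10.#.#.#:59970] AH02032: Hostname nextcloud.domain.tld provided via SNI and hostname zabbix.domain.tld provided via HTTP have no compatible SSL setup'

# Summarise AH02032 entries read on stdin as "count sni_name host_header_name",
# most frequent first. Both names are values the client itself sent (SNI in the
# ClientHello, Host in the request), so unexpected pairings, not the known
# nextcloud/zabbix pair, are what would deserve attention.
ah02032_pairs() {
    grep 'AH02032' |
    sed -n 's/.*Hostname \([^ ]*\) provided via SNI and hostname \([^ ]*\) provided via HTTP.*/\1 \2/p' |
    sort | uniq -c | sort -rn |
    awk '{print $1, $2, $3}'
}

# Reproduce the mismatch on purpose: curl takes SNI from the URL host and we
# override the HTTP Host header. Prints the status code.
#   421  mod_ssl refused to serve the Host vhost over the SNI vhost's connection
#   200  inspect the body: the other site's content here would mean
#        virtual-host confusion, which is the thing actually worth worrying about
# Usage: probe_mismatch nextcloud.domain.tld zabbix.domain.tld [proxy-ip]
# The optional proxy IP (placeholder, e.g. 10.0.0.10) is only needed when DNS
# for the name does not already point at the reverse proxy.
probe_mismatch() {
    sni="$1"; host="$2"; proxy_ip="$3"
    set -- -sS -o /dev/null -w '%{http_code}\n' -H "Host: $host"
    if [ -n "$proxy_ip" ]; then
        set -- "$@" --resolve "$sni:443:$proxy_ip"
    fi
    curl "$@" "https://$sni/"
}

# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | ah02032_pairs
# To run against the real log instead:
#   ah02032_pairs < /var/log/apache2/error.zabbix.log
```

The probe needs no -k as long as the wildcard certificate validates; if it does not, that is a separate finding. Run it in both directions (SNI nextcloud with Host zabbix, and the reverse), since the two vhosts are compared as a pair and a difference in either file is enough for the check to fail.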