Setting up SSL on Apache
The certificate is self-signed and was generated using
openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout private.key -out public.crt
Requirements
http://domain.com - HTTP 200
https://domain.com - HTTP 404
httpd configuration file
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    ServerName domain.com
    DocumentRoot /var/www/domain.com/public/api
</VirtualHost>

<VirtualHost *:443>
    ServerName domain.com
    DocumentRoot /var/www/domain.com/public/api
    SSLEngine on
    SSLCertificateFile /var/ini/ssl/domain.com/public.crt
    SSLCertificateKeyFile /var/ini/ssl/domain.com/private.key
</VirtualHost>
Apache modules
# apache2ctl -M
[Tue Oct 08 11:09:38 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Oct 08 11:09:38 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
Loaded Modules:
...
ssl_module (shared)
Syntax OK
Logs
[Tue Oct 08 12:36:34 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Oct 08 12:36:34 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Oct 08 13:14:13 2013] [info] Loading certificate & private key of SSL-aware server
[Tue Oct 08 13:14:13 2013] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Oct 08 13:14:14 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Oct 08 13:14:14 2013] [info] Configuring server for SSL protocol
[Tue Oct 08 13:14:14 2013] [debug] ssl_engine_init.c(469): Creating new SSL context (protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2)
[Tue Oct 08 13:14:14 2013] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Tue Oct 08 13:14:14 2013] [debug] ssl_engine_init.c(836): Configuring RSA server certificate
[Tue Oct 08 13:14:14 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Oct 08 13:14:14 2013] [debug] ssl_engine_init.c(875): Configuring RSA server private key
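Answer 1
You cannot do name-based virtual hosting in combination with SSL, because the network connection is encrypted before the Host header is passed.
So you should remove NameVirtualHost *:443 from your configuration.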
Answer 2
It worked after adding the following to each virtual host:
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
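
Added example (not part of the question or either answer): a small triage script that reads mod_ssl start-up lines like those in the question's log and reports the security-relevant ones: deprecated protocol versions in the SSL context, a server certificate carrying CA:TRUE, and an unencrypted private key. The function name, finding IDs and the DEPRECATED set are assumptions made for this illustration.

```python
import re

# Sample input: lines taken from the error log shown in the question above.
SAMPLE_LOG = """\
[Tue Oct 08 13:14:13 2013] [info] Loading certificate & private key of SSL-aware server
[Tue Oct 08 13:14:13 2013] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Oct 08 13:14:14 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Oct 08 13:14:14 2013] [debug] ssl_engine_init.c(469): Creating new SSL context (protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2)
"""

# Assumption for this example: versions treated as deprecated
# (SSLv3 per RFC 7568, TLS 1.0/1.1 per RFC 8996).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Apache 2.2-style error log line: [timestamp] [level] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
PROTO_RE = re.compile(r"Creating new SSL context \(protocols: (?P<list>[^)]*)\)")


def triage(log_text):
    """Return a sorted list of unique (finding_id, detail) tuples."""
    findings = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything not in error-log format
        msg = m.group("msg")
        proto = PROTO_RE.search(msg)
        if proto:
            enabled = {p.strip() for p in proto.group("list").split(",") if p.strip()}
            for name in enabled & DEPRECATED:
                findings.add(("deprecated-protocol", name))
        if "BasicConstraints: CA == TRUE" in msg:
            findings.add(("cert-is-ca", "server certificate has CA:TRUE"))
        if "unencrypted RSA private key" in msg:
            findings.add(("key-unencrypted", "private key has no pass phrase"))
    return sorted(findings)


if __name__ == "__main__":
    for finding_id, detail in triage(SAMPLE_LOG):
        print(f"{finding_id}: {detail}")
```

Repeated warnings (the CA-certificate line appears several times in the log) are reported once, because findings are collected in a set.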