Requirement

Set up SSL on Apache

The certificate is self-signed and was generated with

openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout private.key -out public.crt

Requests

http://domain.com - HTTP 200
https://domain.com - HTTP 404

httpd configuration file

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    ServerName domain.com
    DocumentRoot /var/www/domain.com/public/api
</VirtualHost>

<VirtualHost *:443>
    ServerName domain.com
    DocumentRoot /var/www/domain.com/public/api

    SSLEngine on
    SSLCertificateFile /var/ini/ssl/domain.com/public.crt
    SSLCertificateKeyFile /var/ini/ssl/domain.com/private.key
</VirtualHost>

Apache modules

# apache2ctl -M
[Tue Oct 08 11:09:38 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Oct 08 11:09:38 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
Loaded Modules:
...
 ssl_module (shared)
Syntax OK

Logs

[Tue Oct 08 12:36:34 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Oct 08 12:36:34 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Oct 08 13:14:13 2013] [info] Loading certificate & private key of SSL-aware server
[Tue Oct 08 13:14:13 2013] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Oct 08 13:14:14 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Oct 08 13:14:14 2013] [info] Configuring server for SSL protocol
[Tue Oct 08 13:14:14 2013] [debug] ssl_engine_init.c(469): Creating new SSL context (protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2)
[Tue Oct 08 13:14:14 2013] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Tue Oct 08 13:14:14 2013] [debug] ssl_engine_init.c(836): Configuring RSA server certificate
[Tue Oct 08 13:14:14 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Oct 08 13:14:14 2013] [debug] ssl_engine_init.c(875): Configuring RSA server private key

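Answer 1

You cannot combine name-based virtual hosting with SSL, because the network connection is encrypted before the Host header is passed.

So you should remove NameVirtualHost *:443 from your configuration.

Answer 2

It worked after adding the following to each virtual host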

SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
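
A log check for the excerpt in the question, added here as an example and not part of the original thread: it parses Apache 2.2 error-log lines and flags three conditions visible on this page (SSLv3 in the enabled protocol list, a server certificate with CA:TRUE, a NameVirtualHost with no VirtualHosts). The function name `audit` and the finding labels are assumptions made for this example.

```python
import re

# Apache 2.2 error-log line: [timestamp] [level] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
PROTO_RE = re.compile(r"Creating new SSL context \(protocols: (?P<protos>[^)]*)\)")
NVH_RE = re.compile(r"NameVirtualHost (\S+) has no VirtualHosts")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}  # both deprecated (RFC 6176, RFC 7568)

# Lines copied from the apache2ctl output and log excerpt in the question.
SAMPLE_LOG = """\
[Tue Oct 08 11:09:38 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Oct 08 13:14:14 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Oct 08 13:14:14 2013] [debug] ssl_engine_init.c(469): Creating new SSL context (protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2)
[Tue Oct 08 13:14:14 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
"""


def audit(log_text):
    """Return a sorted, de-duplicated list of (finding_id, detail) tuples."""
    findings = set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip anything that is not an error-log line
        msg = m.group("msg")
        proto = PROTO_RE.search(msg)
        if proto:
            enabled = {p.strip() for p in proto.group("protos").split(",")}
            for weak in enabled & WEAK_PROTOCOLS:
                findings.add(("weak-protocol", weak))
        if "BasicConstraints: CA == TRUE" in msg:
            findings.add(("ca-cert-as-server-cert", "leaf certificate has CA:TRUE"))
        nvh = NVH_RE.match(msg)
        if nvh:
            findings.add(("unmatched-namevirtualhost", nvh.group(1)))
    return sorted(findings)


if __name__ == "__main__":
    for finding_id, detail in audit(SAMPLE_LOG):
        print(f"{finding_id}: {detail}")
```

SSLv3 appears in the protocol list logged in the question; adding `-SSLv3` to the `SSLProtocol` line removes it.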
