Apache Name Virtual Host with SSL

Note: this page is a Chinese/English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/517336/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-09-13 17:13:48  Source: igfitidea

Tags: apache, ssl, ssl-certificate

Asked by JamesArmes

I am attempting to setup our servers to allow traffic over SSL. I am aware that SSL does not work with Name Virtual Host, but we have all of our apache servers on virtual machines with dedicated private IPs. We have a primary virtual machine that has mod_proxy setup to route traffic to the appropriate vms.

However, in order to route https traffic we need to have the certificate installed on the proxy as well as the vms. We have a wildcard certificate that can be used across all of our hosts. Everything appears to work properly, but I receive the following in the apache logs for the proxy:

[warn] Init: SSL server IP/port conflict: host1.domain.com:443 (/etc/apache2/sites-enabled/host1:1) vs. host2.domain.com:443 (/etc/apache2/sites-enabled/host2:1)

There is one of these error messages for each host we have set up on the proxy. Our Virtual Host setup for the proxy is posted below:

<VirtualHost ipaddress:443>
    ServerName host1.domain.com
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / https://privateip:443/
    ProxyPassReverse / https://privateip:443/

    SSLProxyEngine on
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>

Is there any way that I can get this to work?

Accepted answer by David Z

It sounds like Apache is warning you that you have multiple <VirtualHost> sections with the same IP address and port... as far as getting it to work without warnings, I think you would need to use something like Server Name Indication (SNI), a way of identifying the hostname requested as part of the SSL handshake. Basically it lets you do name-based virtual hosting over SSL, but I'm not sure how well it's supported by browsers. Other than something like SNI, you're basically limited to one SSL-enabled domain name for each IP address you expose to the public internet.

Of course, if you are able to access the websites properly, you'll probably be fine ignoring the warnings. These particular ones aren't very serious - they're mainly an indication of what to look at if you are experiencing problems.

Answered by user273370

As far as I know, Apache supports SNI since version 2.2.12. Sadly the documentation does not yet reflect that change.

Go for http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI until that is finished.

Answered by Harold

You may be able to replace the:

VirtualHost ipaddress:443

with

VirtualHost *:443

You probably need to do this on all of your virtual hosts.

It will probably clear up that message. Let the ServerName directive worry about routing the message request.

Again, you may not be able to do this if you have multiple IP aliases on the same machine.

Answered by ELinuxbook

The VirtualHost would look like this:

NameVirtualHost IP_Address:443

<VirtualHost IP_Address:443>
    SSLEngine on
    # "ca" is the name of the certificate (Apache does not allow a trailing
    # comment on a directive line, so the comment sits on its own line)
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    ServerAdmin webmaster@domain_name.com
    DocumentRoot /var/www/html
    ServerName www.domain_name.com
    ErrorLog logs/www.domain_name.com-error_log
    CustomLog logs/www.domain_name.com-access_log common
</VirtualHost>

Answered by DataCZ

First you need NameVirtualHost ip:443 in your config file! You probably have one with 80 at the end, but you will also need one with 443.

Second you need a *.domain certificate (wildcard) (it is possible to make one)

Third you can make only something.domain webs in one ip (because of the certificate)

Answered by Powerlord

Apache doesn't support SSL on name-based virtual host, only on IP based Virtual Hosts.

Source: Apache 2.2 SSL FAQ question "Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?"

Unlike SSL, the TLS specification allows for name-based hosts (SNI as mentioned by someone else), but Apache doesn't yet support this feature. It supposedly will in a future release when compiled against openssl 0.9.8.

Also, mod_gnutls claims to support SNI, but I've never actually tried it.

Answered by Yasiru G

You MUST add the part below to enable NameVirtualHost functionality with the given IP.

NameVirtualHost IP_Address:443
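The SNI-based setup the accepted answer points to, combined with the NameVirtualHost line the later answers ask for, as an added configuration example that is not from the question or any of the answers. It assumes Apache 2.2.12 or later with SNI support and a Listen 443 already in place; the IPs, hostnames and certificate paths are placeholders, and on Apache 2.4 the NameVirtualHost line is ignored.

```apache
# Added example (not from the question or any answer): two name-based SSL
# virtual hosts on one IP:443, told apart by SNI. Assumes Apache 2.2.12 or
# later built with SNI support and that "Listen 443" already exists; the
# IP, hostnames and certificate paths are placeholders. On Apache 2.4 the
# NameVirtualHost line is unnecessary and ignored.
NameVirtualHost 203.0.113.10:443

# Refuse clients that send no SNI at all instead of silently serving the
# first vhost's certificate; clients without SNI support get an error.
SSLStrictSNIVHostCheck on

<VirtualHost 203.0.113.10:443>
    ServerName host1.example.com
    SSLEngine on
    # One wildcard certificate covers both hosts, as in the question.
    SSLCertificateFile    /etc/ssl/certs/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key

    # Reverse proxy to the backend VM over TLS, as in the question's setup.
    SSLProxyEngine on
    # Verify the backend's certificate against the internal CA instead of
    # accepting any certificate (the default, SSLProxyVerify none).
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.crt
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass        / https://10.0.0.11:443/
    ProxyPassReverse / https://10.0.0.11:443/
</VirtualHost>

<VirtualHost 203.0.113.10:443>
    ServerName host2.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key

    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.crt
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass        / https://10.0.0.12:443/
    ProxyPassReverse / https://10.0.0.12:443/
</VirtualHost>
```

To confirm each name reaches its own vhost, `openssl s_client -connect 203.0.113.10:443 -servername host2.example.com` shows the certificate and handshake for that SNI name, and the "SSL server IP/port conflict" warning from the question no longer appears at startup.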