Multiple SSL using SNI on Ubuntu

  • Apache/2.4.7 (Ubuntu)
  • Ubuntu 14.04

I'm trying to run multiple SSL on the same IP. When I type in the first domain it redirects to the second domain.

I'm probably missing one little thing somewhere, if you could help me out that would be awesome.

I followed the DO tutorial without changing the ports.conf file (as I'm under the impression NameVirtualHost is no longer in use).

I have two .conf files in my sites-enabled directory and I've tried merging them but get the same result.

Output from apachectl -S is:

*:443 is a NameVirtualHost
 default server domain2.com (/etc/apache2/sites-enabled/domain2.com.conf:19)
 port 443 namevhost domain2.com (/etc/apache2/sites-enabled/domain2.com.conf:19)
 port 443 namevhost www.domain1.com (/etc/apache2/sites-enabled/domain1.com.conf:19)
     alias domain1.com
     wild alias *.domain1.com

Here is my ports.conf (should be default Ubuntu):

Listen 80

<IfModule ssl_module>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

I've tried switching from mod_ssl to mod_gnutls (with updated conf file) and get the same result.

Domain 1 .conf file in sites-enabled:

<VirtualHost *:80>
    ServerName domain1.com
    ServerAlias www.domain1.com *.domain1.com 
    DocumentRoot /git/domain1.com/public/
    ServerAdmin webmaster@domain1.com

    <Directory /git/domain1.com/public/>
        Options +Indexes +FollowSymLinks -MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog /var/log/apache2/error_domain1.com.log
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>

        ServerAdmin webmaster@domain1.com
        ServerName domain1.com
        DocumentRoot /git/domain1.com/public/

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile /git/domain1.com/apache/ssl/apache.crt
        SSLCertificateKeyFile /git/domain1.com/apache/ssl/apache.key

    <Directory /git/domain1.com/public/>
        Options +Indexes +FollowSymLinks -MultiViews
        AllowOverride All
        Require all granted
    </Directory>

</VirtualHost>

</IfModule>

Domain 2 conf:

<VirtualHost *:80>
    ServerName domain2.com
    ServerAlias www.domain2.com *.domain2.com domain2.ca *.domain2.ca
    DocumentRoot /git/domain2.com/public/
    ServerAdmin webmaster@domain2.com

    <Directory /git/domain2.com/public/>
        Options +Indexes +FollowSymLinks -MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog /var/log/apache2/error_domain2.com.log
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>

        ServerAdmin webmaster@domain2.com
        ServerName domain2.com
        DocumentRoot /git/domain2.com/public/

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile /git/domain2.com/apache/ssl/apache.crt
        SSLCertificateKeyFile /git/domain2.com/apache/ssl/apache.key

    <Directory /git/domain2.com/public/>
        Options +Indexes +FollowSymLinks -MultiViews
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog /var/log/apache2/error_domain2.com.log

</VirtualHost>

</IfModule>

*:443 is a NameVirtualHost
 default server domain2.com (/etc/apache2/sites-enabled/domain2.com.conf:19)
 port 443 namevhost domain2.com (/etc/apache2/sites-enabled/domain2.com.conf:19)
 port 443 namevhost www.domain1.com (/etc/apache2/sites-enabled/domain1.com.conf:19)
     alias domain1.com
     wild alias *.domain1.com

Since the default server is domain2.com, HTTPS requests that come from a browser without SNI support will probably be redirected to domain2.com, even if you intended to access www.domain1.com.

And one more possibility you may investigate: if you are sure that the client supports SNI, then check whether the installed OpenSSL supports TLS and your Apache is built with that OpenSSL version. Both server-side and client-side prerequisites must be fulfilled in order for a name-based Apache virtual host to handle requests correctly.

Update 1

You may see an error log like "Init: Name-based SSL virtual hosts require an OpenSSL version with support for TLS extensions (RFC 6066 - Server Name Indication / SNI), but the currently used library version (%s) is lacking this feature" in your error log when you started your server.

Update 2

And also, although the result of apachectl -S

  port 443 namevhost www.domain1.com (/etc/apache2/sites-enabled/domain1.com.conf:19)
     alias domain1.com
     wild alias *.domain1.com

is showing that *.domain1.com or domain1.com will be handled as www.domain1.com, in your domain1.conf

<VirtualHost *:443>

        ServerAdmin webmaster@domain1.com
        ServerName domain1.com

is not defining any alias for this virtual host, so I am wondering whether this virtual host will handle requests like what you assumed.
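To make the two points above concrete (the default *:443 vhost catches non-SNI clients, and a :443 vhost with no ServerAlias does not claim the names its :80 twin does), here is an added audit script that is not part of the question or the answer. It parses constructed, cut-down copies of the two conf files and reports the default SSL server plus every :80 hostname that no *:443 ServerName or ServerAlias claims; the files are passed in the load order that the apachectl -S output implies (domain2 first), which is an assumption.

```python
# Added example (not from the question or answer): find :80 hostnames that
# no *:443 vhost claims and therefore land on the default SSL vhost.
import re
from fnmatch import fnmatch

# Constructed copies of the page's two conf files, cut down to the name-matching
# directives; domain2 first, the load order the apachectl -S output implies.
DOMAIN2_CONF = """
<VirtualHost *:80>
    ServerName domain2.com
    ServerAlias www.domain2.com *.domain2.com domain2.ca *.domain2.ca
</VirtualHost>
<VirtualHost *:443>
    ServerName domain2.com
</VirtualHost>
"""
DOMAIN1_CONF = """
<VirtualHost *:80>
    ServerName domain1.com
    ServerAlias www.domain1.com *.domain1.com
</VirtualHost>
<VirtualHost *:443>
    ServerName domain1.com
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)

def parse_vhosts(conf):
    """Yield (port, names) for each <VirtualHost>; ServerName is names[0]."""
    for m in VHOST_RE.finditer(conf):
        port = m.group(1).strip().rsplit(":", 1)[-1]
        names = re.findall(r"^\s*ServerName\s+(\S+)", m.group(2), re.M)
        for line in re.findall(r"^\s*ServerAlias\s+(.+)$", m.group(2), re.M):
            names.extend(line.split())
        yield port, names

def audit(confs):
    """confs in Apache load order -> (default *:443 server, :80 hostnames
    that no *:443 ServerName/ServerAlias claims)."""
    by_port = {}
    for conf in confs:
        for port, names in parse_vhosts(conf):
            by_port.setdefault(port, []).append(names)
    ssl = by_port.get("443", [])
    # Apache's default for an address:port is the first vhost defined on it;
    # a non-SNI client always lands there, whatever hostname it asked for.
    default_ssl = ssl[0][0] if ssl else None
    claimed = [n for names in ssl for n in names]
    missing = [h for names in by_port.get("80", []) for h in names
               if not any(fnmatch(h, pat) for pat in claimed)]
    return default_ssl, missing
```

Running `audit([DOMAIN2_CONF, DOMAIN1_CONF])` lists www.domain1.com and *.domain1.com (and the domain2 aliases) as unclaimed on :443, which is exactly why those HTTPS requests end up on the domain2.com default vhost even when the client sends SNI.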
