openSuSE
Author Topic: Https for Apache  (Read 4010 times)
neomen
*
Offline

Posts: 2

« : March 15, 2012, 13:27:50 »

For two weeks I have been racking my brain over how to set up encryption over the HTTPS port on a server (openSuse 12.1, Apache PHP Mysql). After generating the required certificate, I have problems with the virtual host files (from the /etc/apache2/vhosts.d/... directory). Following the template, I created two files, which I named A_vhost.conf and B_vhost-ssl.conf. In the first I keep the configuration for the standard port 80, in the second for 443 (HTTPS). The configuration reads these files in alphabetical order (by file name); the one it reads first works, while the second does not. If the names are as given above, everything works fine on port 80 and does not work on 443 (ssl_error_rx_record_too_long); if I change the file names to B_vhost.conf and A_vhost-ssl.conf, all pages work over https but do not work over http. Please take a look at the configuration of these files: where did I make a mistake?

A_vhost.conf:
------------------
#
# VirtualHost template
# Note: to use the template, rename it to /etc/apache2/vhost.d/yourvhost.conf.
# Files must have the .conf suffix to be loaded.
#
# See /usr/share/doc/packages/apache2/README.QUICKSTART for further hints
# about virtual hosts.
#
# NameVirtualHost statements can be added to /etc/apache2/listen.conf.
#
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#

 


<VirtualHost mojadomena.pl:80>
 
   ServerAdmin admin@mojadomena.pl
    ServerName mojadomena.pl

    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    DocumentRoot /srv/www/htdocs/

    # if not specified, the global error log is used
    ErrorLog /var/log/apache2/dummy-host.example.com-error_log
    CustomLog /var/log/apache2/dummy-host.example.com-access_log combined

    # don't lose time with IP address lookups
    HostnameLookups Off

    # needed for named virtual hosts
    UseCanonicalName Off

    # configures the footer on server-generated documents
    ServerSignature On


    # Optionally, include *.conf files from /etc/apache2/conf.d/
    #
    # For example, to allow execution of PHP scripts:
    #
    # Include /etc/apache2/conf.d/php5.conf
    #
    # or, to include all configuration snippets added by packages:
    # Include /etc/apache2/conf.d/*.conf


    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the realname directory are treated as applications and
    # run by the server when requested rather than as documents sent to the client.
    # The same rules about trailing "/" apply to ScriptAlias directives as to
    # Alias.
    #
    ScriptAlias /cgi-bin/ "/srv/www/vhosts/dummy-host.example.com/cgi-bin/"

    # "/srv/www/cgi-bin" should be changed to whatever your ScriptAliased
    # CGI directory exists, if you have one, and where ScriptAlias points to.
    #
    <Directory "/srv/www/vhosts/dummy-host.example.com/cgi-bin">
   AllowOverride None
   Options +ExecCGI -Includes
   Order allow,deny
   Allow from all
    </Directory>


    # UserDir: The name of the directory that is appended onto a user's home
    # directory if a ~user request is received.
    #
    # To disable it, simply remove userdir from the list of modules in APACHE_MODULES
    # in /etc/sysconfig/apache2.
    #
    <IfModule mod_userdir.c>
   # Note that the name of the user directory ("public_html") cannot simply be
   # changed here, since it is a compile time setting. The apache package
   # would have to be rebuilt. You could work around by deleting
   # /usr/sbin/suexec, but then all scripts from the directories would be
   # executed with the UID of the webserver.
   UserDir public_html
   # The actual configuration of the directory is in
   # /etc/apache2/mod_userdir.conf.
   Include /etc/apache2/mod_userdir.conf
   # You can, however, change the ~ if you find it awkward, by mapping e.g.
   # http://www.example.com/users/karl-heinz/ --> /home/karl-heinz/public_html/
   #AliasMatch ^/users/([a-zA-Z0-9-_.]*)/?(.*) /home/$1/public_html/$2
    </IfModule>


    #
    # This should be changed to whatever you set DocumentRoot to.
    #
    <Directory "/srv/www/htdocs/">
   
   #
   # Possible values for the Options directive are "None", "All",
   # or any combination of:
   #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
   #
   # Note that "MultiViews" must be named *explicitly* --- "Options All"
   # doesn't give it to you.
   #
   # The Options directive is both complicated and important.  Please see
   # http://httpd.apache.org/docs-2.2/mod/core.html#options
   # for more information.
   #
   Options Indexes FollowSymLinks
   
   #
   # AllowOverride controls what directives may be placed in .htaccess files.
   # It can be "All", "None", or any combination of the keywords:
   #   Options FileInfo AuthConfig Limit
   #
   AllowOverride None
   
   #
   # Controls who can get stuff from this server.
   #
   Order allow,deny
   Allow from all
   
    </Directory>

</VirtualHost>
------------------










B_vhost-ssl.conf:
------------------
# about virtual hosts.

# NameVirtualHost statements should be added to /etc/apache2/listen.conf.

#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned. 
#

<IfDefine SSL>
<IfDefine !NOSSL>

##
## SSL Virtual Host Context
##

<VirtualHost mojadomena.pl:443>


   #  General setup for the virtual host
   DocumentRoot "/srv/www/htdocs"
   
   #ServerName www.example.com:443
   # my IP (comment kept on its own line: Apache does not allow a comment after a directive)
   ServerName  123.45.67.89:443

   #ServerAdmin webmaster@example.com
   ErrorLog /var/log/apache2/error_log
   TransferLog /var/log/apache2/access_log

   #   SSL Engine Switch:
   #   Enable/Disable SSL for this virtual host.
   SSLEngine on

   #  SSL protocols
   #  Supporting TLS only is adequate nowadays
   SSLProtocol all -SSLv2 -SSLv3

   #   SSL Cipher Suite:
   #   List the ciphers that the client is permitted to negotiate.
   #   We disable weak ciphers by default.
   #   See the mod_ssl documentation or "openssl ciphers -v" for a
   #   complete list.
   SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH

   #   Server Certificate:
   #   Point SSLCertificateFile at a PEM encoded certificate.  If
   #   the certificate is encrypted, then you will be prompted for a
   #   pass phrase.  Note that a kill -HUP will prompt again.  Keep
   #   in mind that if you have both an RSA and a DSA certificate you
   #   can configure both in parallel (to also allow the use of DSA
   #   ciphers, etc.)
   SSLCertificateFile /etc/apache2/ssl.crt/server.crt
   #SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt

   #   Server Private Key:
   #   If the key is not combined with the certificate, use this
   #   directive to point at the key file.  Keep in mind that if
   #   you've both a RSA and a DSA private key you can configure
   #   both in parallel (to also allow the use of DSA ciphers, etc.)
   SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
   #SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key

   #   Server Certificate Chain:
   #   Point SSLCertificateChainFile at a file containing the
   #   concatenation of PEM encoded CA certificates which form the
   #   certificate chain for the server certificate. Alternatively
   #   the referenced file can be the same as SSLCertificateFile
   #   when the CA certificates are directly appended to the server
   #   certificate for convenience.
   #SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt

   #   Certificate Authority (CA):
   #   Set the CA certificate verification path where to find CA
   #   certificates for client authentication or alternatively one
   #   huge file containing all of them (file must be PEM encoded)
   #   Note: Inside SSLCACertificatePath you need hash symlinks
   #         to point to the certificate files. Use the provided
   #         Makefile to update the hash symlinks after changes.
   #SSLCACertificatePath /etc/apache2/ssl.crt
   #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

   #   Certificate Revocation Lists (CRL):
   #   Set the CA revocation path where to find CA CRLs for client
   #   authentication or alternatively one huge file containing all
   #   of them (file must be PEM encoded)
   #   Note: Inside SSLCARevocationPath you need hash symlinks
   #         to point to the certificate files. Use the provided
   #         Makefile to update the hash symlinks after changes.
   #SSLCARevocationPath /etc/apache2/ssl.crl
   #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

   #   Client Authentication (Type):
   #   Client certificate verification type and depth.  Types are
   #   none, optional, require and optional_no_ca.  Depth is a
   #   number which specifies how deeply to verify the certificate
   #   issuer chain before deciding the certificate is not valid.
   #SSLVerifyClient require
   #SSLVerifyDepth  10

   #   Access Control:
   #   With SSLRequire you can do per-directory access control based
   #   on arbitrary complex boolean expressions containing server
   #   variable checks and other lookup directives.  The syntax is a
   #   mixture between C and Perl.  See the mod_ssl documentation
   #   for more details.
   #<Location />
   #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
   #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
   #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
   #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
   #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
   #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
   #</Location>

   #   SSL Engine Options:
   #   Set various options for the SSL engine.
   #   o FakeBasicAuth:
   #     Translate the client X.509 into a Basic Authorisation.  This means that
   #     the standard Auth/DBMAuth methods can be used for access control.  The
   #     user name is the `one line' version of the client's X.509 certificate.
   #     Note that no password is obtained from the user. Every entry in the user
   #     file needs this password: `xxj31ZMTZzkVA'.
   #   o ExportCertData:
   #     This exports two additional environment variables: SSL_CLIENT_CERT and
   #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
   #     server (always existing) and the client (only existing when client
   #     authentication is used). This can be used to import the certificates
   #     into CGI scripts.
   #   o StdEnvVars:
   #     This exports the standard SSL/TLS related `SSL_*' environment variables.
   #     Per default this exportation is switched off for performance reasons,
   #     because the extraction step is an expensive operation and is usually
   #     useless for serving static content. So one usually enables the
   #     exportation for CGI and SSI requests only.
   #   o CompatEnvVars:
   #     This exports obsolete environment variables for backward compatibility
   #     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
   #     to provide compatibility to existing CGI scripts.
   #   o StrictRequire:
   #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
   #     under a "Satisfy any" situation, i.e. when it applies access is denied
   #     and no other module can change it.
   #   o OptRenegotiate:
   #     This enables optimized SSL connection renegotiation handling when SSL
   #     directives are used in per-directory context.
   #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
   <Files ~ "\.(cgi|shtml|phtml|php3?)$">
       SSLOptions +StdEnvVars
   </Files>
   <Directory "/srv/www/cgi-bin">
       SSLOptions +StdEnvVars
   </Directory>

   #   SSL Protocol Adjustments:
   #   The safe and default but still SSL/TLS standard compliant shutdown
   #   approach is that mod_ssl sends the close notify alert but doesn't wait for
   #   the close notify alert from client. When you need a different shutdown
   #   approach you can use one of the following variables:
   #   o ssl-unclean-shutdown:
   #     This forces an unclean shutdown when the connection is closed, i.e. no
   #     SSL close notify alert is sent or allowed to be received.  This violates
   #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
   #     this when you receive I/O errors because of the standard approach where
   #     mod_ssl sends the close notify alert.
   #   o ssl-accurate-shutdown:
   #     This forces an accurate shutdown when the connection is closed, i.e. a
   #     SSL close notify alert is sent and mod_ssl waits for the close notify
   #     alert of the client. This is 100% SSL/TLS standard compliant, but in
   #     practice often causes hanging connections with brain-dead browsers. Use
   #     this only for browsers where you know that their SSL implementation
   #     works correctly.
   #   Notice: Most problems of broken clients are also related to the HTTP
   #   keep-alive facility, so you usually additionally want to disable
   #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
   #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
   #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
   #   "force-response-1.0" for this.
#   SetEnvIf User-Agent ".*MSIE [1-5].*" \
#       nokeepalive ssl-unclean-shutdown \
#       downgrade-1.0 force-response-1.0

   #   Per-Server Logging:
   #   The home of a custom SSL log file. Use this when you want a
   #   compact non-error SSL logfile on a virtual host basis.
   CustomLog /var/log/apache2/ssl_request_log   ssl_combined

</VirtualHost>                                 

</IfDefine>
</IfDefine>

------------------
« Last edit: March 15, 2012, 14:06:04 by neomen » Logged
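
Added example, not part of the original post: `ssl_error_rx_record_too_long` typically means port 443 answered in plain HTTP, so the browser read the first five reply bytes as a TLS record header and got an impossible length. The sketch below shows that arithmetic and classifies a reply's first bytes; the function names and the sample bytes are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {20, 21, 22, 23}
# Largest ciphertext record TLS 1.2 allows: 2^14 + 2048 bytes.
MAX_RECORD_LEN = 2**14 + 2048


def parse_record_header(data: bytes):
    """Read the first 5 bytes as a TLS record header."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes of the server's reply")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def classify(data: bytes) -> str:
    """Return 'tls', 'plaintext-http' or 'unknown' for a server's first bytes."""
    ctype, version, length = parse_record_header(data)
    if ctype in TLS_CONTENT_TYPES and version[0] == 3 and length <= MAX_RECORD_LEN:
        return "tls"
    head = data[:16].lstrip().upper()
    if head.startswith((b"HTTP/", b"<!DOCTYPE", b"<HTML")):
        return "plaintext-http"
    return "unknown"


def length_seen_by_tls_client(data: bytes) -> int:
    """Record length a TLS client computes from the 4th and 5th reply bytes."""
    return parse_record_header(data)[2]


# Constructed samples (not captured from the poster's server).
SAMPLES = {
    "tls handshake record": bytes([22, 3, 3, 0, 74]) + b"\x02" * 74,
    "http status line": b"HTTP/1.1 400 Bad Request\r\n\r\n",
    "html error page": b"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        n = length_seen_by_tls_client(raw)
        verdict = "too long" if n > MAX_RECORD_LEN else "ok"
        print(f"{name:22} -> {classify(raw):15} length={n} ({verdict})")
```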
susek.info
Admin
*
Offline

Posts: 453

« Reply #1 : March 19, 2012, 23:13:25 »

I think a single file with two entries, one below the other, is enough.
Logged
neomen
*
Offline

Posts: 2

« Reply #2 : March 20, 2012, 13:47:03 »

Unfortunately that did not help; the symptom is identical: the virtual host that comes first works, the second does not :(
Logged
susek.info
Admin
*
Offline

Posts: 453

« Reply #3 : March 26, 2012, 20:55:20 »

Here is a discussion on this topic:

http://forums.opensuse.org/english/get-technical-help-here/network-internet/450710-how-create-virtual-web-site-name-based-accessible-http-https-simultaneously.html
Logged