neomen
Offline
Wiadomości: 2
|
|
« : Marzec 15, 2012, 13:27:50 » |
|
Od dwóch tygodni głowię się jak ustawić na serwerze (openSuse 12.1, Apache PHP Mysql) szyfrowanie po porcie HTTPS. Po wytworzeniu potrzebnego certyfikatu, mam problemy z plikami wirtualnych hostów (z katalogu /etc/apache2/vhosts.d/...). Zgodnie z szablonem wytworzyłem dwa pliki które nazwałem: A_vhost.conf i B_vhost-ssl.conf). W pierwszym trzymam konfigurację dla standardowego portu 80, w drugim dla 443 (HTTPS). Konfiguracja zaczytuje te pliki w kolejności alfabetycznej (wg nazwy pliku), ten który zaczyta pierwszy działa drugi natomiast nie. Jeśli nazwy są takie jak przedstawiłem powyżej wszystko dobrze działa po porcie 80 a nie działa po 443(ssl_error_rx_record_too_long), jeśli zmienię nazwy plików na: B_vhost.conf i A_vhost-ssl.conf, wszystkie strony działają po https ale nie działają po http. Popatrzcie proszę na konfigurację tych plików, gdzie popełniłem błąd?
A_vhost.conf: ------------------ # # VirtualHost template # Note: to use the template, rename it to /etc/apache2/vhost.d/yourvhost.conf. # Files must have the .conf suffix to be loaded. # # See /usr/share/doc/packages/apache2/README.QUICKSTART for further hints # about virtual hosts. # # NameVirtualHost statements can be added to /etc/apache2/listen.conf. # # Almost any Apache directive may go into a VirtualHost container. # The first VirtualHost section is used for requests without a known # server name. #
<VirtualHost mojadomena.pl:80> ServerAdmin admin@mojadomena.pl ServerName mojadomena.pl
# DocumentRoot: The directory out of which you will serve your # documents. By default, all requests are taken from this directory, but # symbolic links and aliases may be used to point to other locations. DocumentRoot /srv/www/htdocs/
# if not specified, the global error log is used ErrorLog /var/log/apache2/dummy-host.example.com-error_log CustomLog /var/log/apache2/dummy-host.example.com-access_log combined
# don't loose time with IP address lookups HostnameLookups Off
# needed for named virtual hosts UseCanonicalName Off
# configures the footer on server-generated documents ServerSignature On
# Optionally, include *.conf files from /etc/apache2/conf.d/ # # For example, to allow execution of PHP scripts: # # Include /etc/apache2/conf.d/php5.conf # # or, to include all configuration snippets added by packages: # Include /etc/apache2/conf.d/*.conf
# ScriptAlias: This controls which directories contain server scripts. # ScriptAliases are essentially the same as Aliases, except that # documents in the realname directory are treated as applications and # run by the server when requested rather than as documents sent to the client. # The same rules about trailing "/" apply to ScriptAlias directives as to # Alias. # ScriptAlias /cgi-bin/ "/srv/www/vhosts/dummy-host.example.com/cgi-bin/"
# "/srv/www/cgi-bin" should be changed to whatever your ScriptAliased # CGI directory exists, if you have one, and where ScriptAlias points to. # <Directory "/srv/www/vhosts/dummy-host.example.com/cgi-bin"> AllowOverride None Options +ExecCGI -Includes Order allow,deny Allow from all </Directory>
# UserDir: The name of the directory that is appended onto a user's home # directory if a ~user request is received. # # To disable it, simply remove userdir from the list of modules in APACHE_MODULES # in /etc/sysconfig/apache2. # <IfModule mod_userdir.c> # Note that the name of the user directory ("public_html") cannot simply be # changed here, since it is a compile time setting. The apache package # would have to be rebuilt. You could work around by deleting # /usr/sbin/suexec, but then all scripts from the directories would be # executed with the UID of the webserver. UserDir public_html # The actual configuration of the directory is in # /etc/apache2/mod_userdir.conf. Include /etc/apache2/mod_userdir.conf # You can, however, change the ~ if you find it awkward, by mapping e.g. # http://www.example.com/users/karl-heinz/ --> /home/karl-heinz/public_html/ #AliasMatch ^/users/([a-zA-Z0-9-_.]*)/?(.*) /home/$1/public_html/$2 </IfModule>
# # This should be changed to whatever you set DocumentRoot to. # <Directory "/srv/www/htdocs/"> # # Possible values for the Options directive are "None", "All", # or any combination of: # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews # # Note that "MultiViews" must be named *explicitly* --- "Options All" # doesn't give it to you. # # The Options directive is both complicated and important. Please see # http://httpd.apache.org/docs-2.2/mod/core.html#options # for more information. # Options Indexes FollowSymLinks # # AllowOverride controls what directives may be placed in .htaccess files. # It can be "All", "None", or any combination of the keywords: # Options FileInfo AuthConfig Limit # AllowOverride None # # Controls who can get stuff from this server. # Order allow,deny Allow from all </Directory>
</VirtualHost> ------------------
B_vhost-ssl.conf: ------------------ # about virtual hosts.
# NameVirtualHost statements should be added to /etc/apache2/listen.conf.
# # This is the Apache server configuration file providing SSL support. # It contains the configuration directives to instruct the server how to # serve pages over an https connection. For detailing information about these # directives see http://httpd.apache.org/docs/2.2/mod/mod_ssl.html # # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure # consult the online docs. You have been warned. #
<IfDefine SSL> <IfDefine !NOSSL>
## ## SSL Virtual Host Context ##
<VirtualHost mojadomena.pl:443>
# General setup for the virtual host DocumentRoot "/srv/www/htdocs" #ServerName www.example.com:443 ServerName 123.45.67.89:443 #moje IP
#ServerAdmin webmaster@example.com ErrorLog /var/log/apache2/error_log TransferLog /var/log/apache2/access_log
# SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on
# SSL protocols # Supporting TLS only is adequate nowadays SSLProtocol all -SSLv2 -SSLv3
# SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # We disable weak ciphers by default. # See the mod_ssl documentation or "openssl ciphers -v" for a # complete list. SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
# Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If # the certificate is encrypted, then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. Keep # in mind that if you have both an RSA and a DSA certificate you # can configure both in parallel (to also allow the use of DSA # ciphers, etc.) SSLCertificateFile /etc/apache2/ssl.crt/server.crt #SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
# Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. Keep in mind that if # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) SSLCertificateKeyFile /etc/apache2/ssl.key/server.key #SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
# Server Certificate Chain: # Point SSLCertificateChainFile at a file containing the # concatenation of PEM encoded CA certificates which form the # certificate chain for the server certificate. Alternatively # the referenced file can be the same as SSLCertificateFile # when the CA certificates are directly appended to the server # certificate for convinience. #SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
# Certificate Authority (CA): # Set the CA certificate verification path where to find CA # certificates for client authentication or alternatively one # huge file containing all of them (file must be PEM encoded) # Note: Inside SSLCACertificatePath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCACertificatePath /etc/apache2/ssl.crt #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL): # Set the CA revocation path where to find CA CRLs for client # authentication or alternatively one huge file containing all # of them (file must be PEM encoded) # Note: Inside SSLCARevocationPath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCARevocationPath /etc/apache2/ssl.crl #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type): # Client certificate verification type and depth. Types are # none, optional, require and optional_no_ca. Depth is a # number which specifies how deeply to verify the certificate # issuer chain before deciding the certificate is not valid. #SSLVerifyClient require #SSLVerifyDepth 10
# Access Control: # With SSLRequire you can do per-directory access control based # on arbitrary complex boolean expressions containing server # variable checks and other lookup directives. The syntax is a # mixture between C and Perl. See the mod_ssl documentation # for more details. #<Location /> #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ #</Location>
# SSL Engine Options: # Set various options for the SSL engine. # o FakeBasicAuth: # Translate the client X.509 into a Basic Authorisation. This means that # the standard Auth/DBMAuth methods can be used for access control. The # user name is the `one line' version of the client's X.509 certificate. # Note that no password is obtained from the user. Every entry in the user # file needs this password: `xxj31ZMTZzkVA'. # o ExportCertData: # This exports two additional environment variables: SSL_CLIENT_CERT and # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the # server (always existing) and the client (only existing when client # authentication is used). This can be used to import the certificates # into CGI scripts. # o StdEnvVars: # This exports the standard SSL/TLS related `SSL_*' environment variables. # Per default this exportation is switched off for performance reasons, # because the extraction step is an expensive operation and is usually # useless for serving static content. So one usually enables the # exportation for CGI and SSI requests only. # o CompatEnvVars: # This exports obsolete environment variables for backward compatibility # to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this # to provide compatibility to existing CGI scripts. # o StrictRequire: # This denies access when "SSLRequireSSL" or "SSLRequire" applied even # under a "Satisfy any" situation, i.e. when it applies access is denied # and no other module can change it. # o OptRenegotiate: # This enables optimized SSL connection renegotiation handling when SSL # directives are used in per-directory context. #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire <Files ~ "\.(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> <Directory "/srv/www/cgi-bin"> SSLOptions +StdEnvVars </Directory>
# SSL Protocol Adjustments: # The safe and default but still SSL/TLS standard compliant shutdown # approach is that mod_ssl sends the close notify alert but doesn't wait for # the close notify alert from client. When you need a different shutdown # approach you can use one of the following variables: # o ssl-unclean-shutdown: # This forces an unclean shutdown when the connection is closed, i.e. no # SSL close notify alert is send or allowed to received. This violates # the SSL/TLS standard but is needed for some brain-dead browsers. Use # this when you receive I/O errors because of the standard approach where # mod_ssl sends the close notify alert. # o ssl-accurate-shutdown: # This forces an accurate shutdown when the connection is closed, i.e. a # SSL close notify alert is send and mod_ssl waits for the close notify # alert of the client. This is 100% SSL/TLS standard compliant, but in # practice often causes hanging connections with brain-dead browsers. Use # this only for browsers where you know that their SSL implementation # works correctly. # Notice: Most problems of broken clients are also related to the HTTP # keep-alive facility, so you usually additionally want to disable # keep-alive for those clients, too. Use variable "nokeepalive" for this. # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. # SetEnvIf User-Agent ".*MSIE [1-5].*" \ # nokeepalive ssl-unclean-shutdown \ # downgrade-1.0 force-response-1.0
# Per-Server Logging: # The home of a custom SSL log file. Use this when you want a # compact non-error SSL logfile on a virtual host basis. CustomLog /var/log/apache2/ssl_request_log ssl_combined
</VirtualHost>
</IfDefine> </IfDefine>
------------------
|