在 Apache httpd 服务器中,是否可以定义将应用于 *所有* VirtualHosts 的 httpd.conf 部分?
In Apache httpd server, is it possible to define a section of httpd.conf that will apply to *all* VirtualHosts?
我正在慢慢学习更多关于 Apache HTTPD 服务器的知识,但我仍然是一个新手。
最近,我一直致力于通过向 VirtualHost 添加 headers 来加强安全性。但是,如果我有一个 httpd.conf 和(比如)10 个 VirtualHost 定义,是否有必要向所有 10 个 VirtualHost 定义添加相同的 header(s)?
是否可以拥有 httpd.conf 的一部分(或将包含在所有 VirtualHost 定义中的单独的 .conf 文件,而不必单独将 header 添加到每个 VirtualHost 定义?
所以,有没有可能,而不是做:
<VirtualHost *:80>
ServerAdmin my@myorg.com
ServerName www.myorg.com
Strict-Transport-Security: max-age=31536000; includeSubDomains
</VirtualHost>
<VirtualHost *:80>
ServerAdmin my@myorg.com
ServerName www2.myorg.com
Strict-Transport-Security: max-age=31536000; includeSubDomains
</VirtualHost>
<VirtualHost *:443>
ServerAdmin my@myorg.com
ServerName www.myorg.com
Strict-Transport-Security: max-age=31536000; includeSubDomains
SSLEngine On
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 H+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
SSLCertificateFile /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_cert.pem
SSLCertificateKeyFile /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_key.key
SSLCertificateChainFile /etc/httpd/conf/ssl_certs/nitssolutions.com/gd_bundle-g2-g1.crt
</VirtualHost>
<VirtualHost *:443>
ServerAdmin my@myorg.com
ServerName www2.myorg.com
Strict-Transport-Security: max-age=31536000; includeSubDomains
SSLEngine On
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
SSLCertificateFile /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_cert.pem
SSLCertificateKeyFile /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_key.key
SSLCertificateChainFile /etc/httpd/conf/ssl_certs/nitssolutions.com/gd_bundle-g2-g1.crt
</VirtualHost>
是否可以定义 httpd.conf 的一部分(或 httpd.conf 的包含文件),我可以在其中放置这些 header 和其他指令 once 并将它们应用于 all VirtualHost 定义?
类似于:
httpd.conf 的特定部分:
Strict-Transport-Security: max-age=31536000; includeSubDomains
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 H+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
然后当我定义一个 VirtualHost 时,我只是做:
<VirtualHost *:80>
ServerAdmin me@myorg.com
ServerName www.myorg.com
</VirtualHost>
<VirtualHost *:443>
ServerAdmin me@myorg.com
ServerName www.myorg.com
</VirtualHost>
这样,我可以在一个地方定义(并在将来更改)我的安全相关指令,而不必在 5 或 10 或 20 或更多地方进行调整?
可能吗?
有几个选项。
选项 1:全局上下文中的配置(在任何 VirtualHost 之外)适用于所有这些。参见 https://serverfault.com/questions/834349/does-apache2-have-a-way-of-setting-global-vhosts
选项 2:mod_macro。您可以配置宏来简化multi-configuration。参见 https://httpd.apache.org/docs/2.4/en/mod/mod_macro.html
方案三:动态海量VirtualHost配置。这里使用通配符。参见 https://httpd.apache.org/docs/2.4/en/vhosts/mass.html
我正在慢慢学习更多关于 Apache HTTPD 服务器的知识,但我仍然是一个新手。
最近,我一直致力于通过向 VirtualHost 添加 headers 来加强安全性。但是,如果我有一个 httpd.conf 和(比如)10 个 VirtualHost 定义,是否有必要向所有 10 个 VirtualHost 定义添加相同的 header(s)?
是否可以拥有 httpd.conf 的一部分(或将包含在所有 VirtualHost 定义中的单独的 .conf 文件,而不必单独将 header 添加到每个 VirtualHost 定义?
所以,有没有可能,而不是做:
<VirtualHost *:80>
ServerAdmin my@myorg.com
ServerName www.myorg.com
Strict-Transport-Security: max-age=31536000; includeSubDomains
</VirtualHost>
<VirtualHost *:80>
ServerAdmin my@myorg.com
ServerName www2.myorg.com
Strict-Transport-Security: max-age=31536000; includeSubDomains
</VirtualHost>
<VirtualHost *:443>
ServerAdmin my@myorg.com
ServerName www.myorg.com
Strict-Transport-Security: max-age=31536000; includeSubDomains
SSLEngine On
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 H+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
SSLCertificateFile /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_cert.pem
SSLCertificateKeyFile /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_key.key
SSLCertificateChainFile /etc/httpd/conf/ssl_certs/nitssolutions.com/gd_bundle-g2-g1.crt
</VirtualHost>
<VirtualHost *:443>
ServerAdmin my@myorg.com
ServerName www2.myorg.com
Strict-Transport-Security: max-age=31536000; includeSubDomains
SSLEngine On
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
SSLCertificateFile /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_cert.pem
SSLCertificateKeyFile /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_key.key
SSLCertificateChainFile /etc/httpd/conf/ssl_certs/nitssolutions.com/gd_bundle-g2-g1.crt
</VirtualHost>
是否可以定义 httpd.conf 的一部分(或 httpd.conf 的包含文件),我可以在其中放置这些 header 和其他指令 once 并将它们应用于 all VirtualHost 定义?
类似于: httpd.conf 的特定部分:
Strict-Transport-Security: max-age=31536000; includeSubDomains
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 H+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
然后当我定义一个 VirtualHost 时,我只是做:
<VirtualHost *:80>
ServerAdmin me@myorg.com
ServerName www.myorg.com
</VirtualHost>
<VirtualHost *:443>
ServerAdmin me@myorg.com
ServerName www.myorg.com
</VirtualHost>
这样,我可以在一个地方定义(并在将来更改)我的安全相关指令,而不必在 5 或 10 或 20 或更多地方进行调整?
可能吗?
有几个选项。
选项 1:全局上下文中的配置(在任何 VirtualHost 之外)适用于所有这些。参见 https://serverfault.com/questions/834349/does-apache2-have-a-way-of-setting-global-vhosts
选项 2:mod_macro。您可以配置宏来简化multi-configuration。参见 https://httpd.apache.org/docs/2.4/en/mod/mod_macro.html
方案三:动态海量VirtualHost配置。这里使用通配符。参见 https://httpd.apache.org/docs/2.4/en/vhosts/mass.html