Apache 上特定 URL 的 SSL 证书
SSL Certificate at a specific URL on Apache
是否可以为域内的特定 URL 配置 SSL 证书密钥文件(双向)?
是的,使用 mod_rewrite。但我真的需要保留域和请求的 URL。
当前 domain.com.conf 配置:
<VirtualHost domain.com:443>
ServerAdmin name@domain.com
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/server.cer
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /usr/local/apache2/conf/ca.cer
<location />
Order allow,deny
allow from all
SSLRequire (%{SSL_CLIENT_S_DN_CN} eq "clientcn")
</location>
DocumentRoot /usr/local/apache2/htdocs/
<Directory "/usr/local/apache2/htdocs">
Options FollowSymLinks
AllowOverride None
allow from all
</Directory>
LogLevel warn
ErrorLog /usr/local/apache2/conf/logs/error.log
CustomLog /usr/local/apache2/conf/logs/ssl_access.log combined
BrowserMatch ".*MSIE.*"\
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
在任何 route/endpoint 调度发生之前,SSL 握手发生在服务器级别。在 TLS 协商成功之前,甚至不会考虑 HTTP header 中的完整 URL。
例如,在此 URL 上使用 curl 以查看它首先连接到主机,然后当且仅当形成可信连接时它才会传递 URI 词干。
curl -vI https://whosebug.com/questions/42718090/ssl-certificate-at-a-specific-url-on-apache
* Trying 151.101.193.69...
* Connected to whosebug.com (151.101.193.69) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 714 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: *.stackexchange.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=US,ST=NY,L=New York,O=Stack Exchange\, Inc.,CN=*.stackexchange.com
* start date: Sat, 21 May 2016 00:00:00 GMT
* expire date: Wed, 14 Aug 2019 12:00:00 GMT
* issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
* compression: NULL
* ALPN, server accepted to use http/1.1
> HEAD /questions/42718090/ssl-certificate-at-a-specific-url-on-apache HTTP/1.1
> Host: whosebug.com
> User-Agent: curl/7.47.0
> Accept: */*
是否可以为域内的特定 URL 配置 SSL 证书密钥文件(双向)?
是的,使用 mod_rewrite。但我真的需要保留域和请求的 URL。
当前 domain.com.conf 配置:
<VirtualHost domain.com:443>
ServerAdmin name@domain.com
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/server.cer
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /usr/local/apache2/conf/ca.cer
<location />
Order allow,deny
allow from all
SSLRequire (%{SSL_CLIENT_S_DN_CN} eq "clientcn")
</location>
DocumentRoot /usr/local/apache2/htdocs/
<Directory "/usr/local/apache2/htdocs">
Options FollowSymLinks
AllowOverride None
allow from all
</Directory>
LogLevel warn
ErrorLog /usr/local/apache2/conf/logs/error.log
CustomLog /usr/local/apache2/conf/logs/ssl_access.log combined
BrowserMatch ".*MSIE.*"\
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
在任何 route/endpoint 调度发生之前,SSL 握手发生在服务器级别。在 TLS 协商成功之前,甚至不会考虑 HTTP header 中的完整 URL。
例如,在此 URL 上使用 curl 以查看它首先连接到主机,然后当且仅当形成可信连接时它才会传递 URI 词干。
curl -vI https://whosebug.com/questions/42718090/ssl-certificate-at-a-specific-url-on-apache
* Trying 151.101.193.69... * Connected to whosebug.com (151.101.193.69) port 443 (#0) * found 173 certificates in /etc/ssl/certs/ca-certificates.crt * found 714 certificates in /etc/ssl/certs * ALPN, offering http/1.1 * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256 * server certificate verification OK * server certificate status verification SKIPPED * common name: *.stackexchange.com (matched) * server certificate expiration date OK * server certificate activation date OK * certificate public key: RSA * certificate version: #3 * subject: C=US,ST=NY,L=New York,O=Stack Exchange\, Inc.,CN=*.stackexchange.com * start date: Sat, 21 May 2016 00:00:00 GMT * expire date: Wed, 14 Aug 2019 12:00:00 GMT * issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA * compression: NULL * ALPN, server accepted to use http/1.1 > HEAD /questions/42718090/ssl-certificate-at-a-specific-url-on-apache HTTP/1.1 > Host: whosebug.com > User-Agent: curl/7.47.0 > Accept: */*