如何在SNI&中为Apache使用不同的vhost配置文件多个SSL证书? [英] How to use different vhost config files for Apache with SNI & multiple SSL certificates?

问题描述

遇到其中一种设置问题，甚至不确定是否可行.

Ran into an issue with one of our setups, not to sure if that's even possible.

我们正在运行一个简单的Ubuntu 18.04LTS服务器，该服务器安装了PHP-FPM和Apache，它将托管十二个以上的站点，其中至少一半具有不同的SSL证书.该服务器只有一个IP地址/NIC.

We're running a simple Ubuntu 18.04LTS server with PHP-FPM and Apache installed, that will host over a dozen different sites, with at least half of them having different SSL certificates. The server only has a single IP address/NIC.

为了使所有内容都易于管理，我最初在/etc/apache2/sites-available 中创建了不同的vhost配置文件，因此每个站点都有自己的；这引起了问题，因为其中一个站点被视为SSL的默认"站点，并且其证书将分发给所有其他站点.

To make everything easier to manage, I had initially created different vhost config files in /etc/apache2/sites-available, so every site would have their own; this was causing issues as one of the sites would be deemed "default" for SSL and its certificate would be handed out to all the other sites.

在StackOverflow和互联网上，我发现很多帖子都说有一个带有我们所有不同站点配置的单个vhost配置文件...但是现在我有一千行配置文件，这是一团糟.

Going through StackOverflow and the internet, I've found a lot of posts that were saying to have a single vhost config file with all of our different site configurations...but now I have a thousand line config file, which is a mess to manage.

是否可以通过单个IP/NIC，不同的vhost配置文件使用SNI，还是我们的设置不常见"，而我们需要使用单个vhost配置文件?

Is there a way to use SNI, with a single IP/NIC, with different vhost config files, or is our setup "uncommon" and we'll need to use a single vhost config file ?

谢谢！

链接到我们使用的虚拟主机配置的副本，当然已经过了消毒: https://pastebin.com/1tQYBSxR

Link to a copy of the vhost config we use, sanitized of course: https://pastebin.com/1tQYBSxR

推荐答案

这是Apache默认用于SSL VirtualHosts 的方式:

This is how Apache works for SSL VirtualHosts by default:

<VirtualHost *:443>
    ServerName site1.com
    # Certs definitions for site1.com
</VirtualHost>

<VirtualHost *:443>
    ServerName site2.com
    # Certs definitions for site2.com
</VirtualHost>

<VirtualHost *:443>
    ServerName site3.com
    # Certs definitions for site3.com
</VirtualHost>

现在，您希望当客户端与其中一个站点连接时，Apache知道它想要哪个站点并使用该证书，对吗?

Now you would expect that when a client connects with one of the sites, Apache understands which site it wants and uses that certificate, right?

但事实并非如此.在完成 SSL协商之前，Apache 不知道知道要访问哪个站点.因此，它必须始终使用第一个VirtualHost证书.

But that is not the case. Apache does not know which site is asked for until after SSL negotiation is done. It must therefore always use the first VirtualHost certificate.

NameVirtualHost (Apache 2.2指令，在v2.4中始终处于启用状态)不适用于SSL.

NameVirtualHost (Apache 2.2 directive, always on in v2.4) does not work for SSL.

您可以将每个域的定义放在单独的文件中.只要它们全部在全局配置文件中 Include d.但同样，只有第一个定义的VirtualHost可以处理* .443请求.

You can put the definitions of each domain in a separate file. As long as they are all Included in the global config file. But again, only the first defined VirtualHost will serve *.443 requests.

事实上，我已经用大约50个VirtualHost定义来管理Apache服务器，而将它们全部放在一个文件中将是一场噩梦.按域拆分它们.您甚至可以将文件命名为THE_DOMAIN.conf.

In fact I have managed Apache servers with ~50 VirtualHost definitions, and having them all in one file would have been a nightmare. Split them by domain. You can even name the file THE_DOMAIN.conf.

现在如何摆脱这个问题:

Now how to get rid of that problem:

• 每个域具有1个IP.这意味着每个VirtualHost 1个IP.这样一来，Apache就可以从一开始就知道用户请求的站点.但这需要与域一样多的地址.

• have 1 IP per domain. Which means 1 IP per VirtualHost. That way Apache knows which site the user requested, right form the start. But that requires as many addresses as you have domains.

每个域有1个端口.某些站点可以使用非默认端口，而不是使用端口443.但这对于必须在请求中指定端口的客户端来说很奇怪.前任. https://example.com:445/.在企业设置中，您可以让Firewall-nat-proxy更改回客户端的端口，但这超出了此答案的范围.由于它们不是默认端口，因此可能会被阻止.

have 1 port per domain. Instead of using port 443, some sites could use a non-default port. But that is weird for clients who have to specify the port in the request. Ex. https://example.com:445/. In enterprise setups, you can get your firewall-nat-proxy to change the port back for the client, but this is out of scope of this answer. This might be blocked as they are not default ports.

使用SNI.现代浏览器支持此功能，在SSL协商时会发送所需域的标识.

use SNI. This is supported by modern browsers, where the identification of the desired domain is sent at the time of SSL negotiation.

此处详细介绍了使用SNI(以及网络上的其他参考) https://cwiki.apache.org/confluence/display/httpd/NameBasedSSLVHostsWithSNI

Using SNI is detailed here (and other references on the web) https://cwiki.apache.org/confluence/display/httpd/NameBasedSSLVHostsWithSNI

概述:

• 第一个VirtualHost仍然是不支持SNI(例如，旧版浏览器)的客户端使用的默认值.

• the first VirtualHost is still the default used for clients that do not support SNI (older browser for example).

添加了新指令: SSLStrictSNIVHostCheck

您必须在主机上使用最低版本的OpenSSL，并且Apache必须已使用该版本进行了编译.它必须启用TLS扩展.

You must use a minimum version of OpenSSL on the host, and Apache must have been compiled with it. It must enable TLS extensions.

玩得开心！

这篇关于如何在SNI&中为Apache使用不同的vhost配置文件多个SSL证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！