每个带SSL的Apache服务器上有多个站点，显示带有HTTPS的错误站点 [英] Multiple sites per Apache server with SSL showing wrong site with HTTPS

问题描述

我有一个运行许多客户端站点的Debian服务器.其中大多数未运行SSL，因此可以通过HTTP访问.

I have a Debian server which is running a number of client sites. Most of these are not running SSL so accessing by HTTP is fine.

我有一位拥有SSL证书的客户，也可以通过HTTPS访问他们的站点.

I have one customer with an SSL certificate and accessing their site via HTTPS is fine too.

如果您尝试使用HTTPS访问另一个站点，则会出现问题，您将被定向到另一个具有SSL证书的站点.

The problem comes if you try to access one of the other sites with HTTPS you get directed to the other site that has the SSL certificate.

例如，假设我们在服务器上有以下站点:

For instance, lets say we have the following sites on the server:

alpha.net
bravo.net
charlie.net (SSL)
delta.net

如您所见，charlie是唯一使用SSL的协议，无论您访问http charlie.net还是https charlie.net，它都可以正常工作.

So as you can see, charlie is the only one with SSL, and irrespective of if you go to http charlie.net or https charlie.net, it works fine.

http都可以，但是如果要转到https alpha.net，它最初会出现无效证书"错误，让您继续操作，但是地址栏中有alpha.net，它实际上在浏览器中显示了charlie.net网站.

http to all the other sites is fine, but if you were to go to https alpha.net, it will initially come up with an Invalid Certificate error and let you continue but whilst it has alpha.net in the address bar, its actually showing the charlie.net site in the browser.

我已经研究了SNI，以及是否还有其他站点具有SSL，我需要将它们全部放置在特定的IP地址上(我不知道该怎么做，我需要尝试其他方法)，但我不是确定为什么会这样或如何解决.

I have researched SNI and how if any other sites have SSL I'll need to put them all on specific IP addresses (something else I need to try to work out how to do as I have no idea) but I am not sure why this is happening or how I resolve it.

之前是否有人遇到过这种情况，您是如何解决的?

Has anyone else encountered this before and how did you get around it?

非常感谢，

Rob

推荐答案

这与SNI没有任何关系，因为您目前只有一个HTTPS服务器.正如您在评论中所述，发生的事情是alpha.net域解析为服务器的IP.您的Apache服务器设置为侦听此IP上端口443上的请求，并将charlie.net的内容提供给这些请求. (而且证书错误意味着浏览器注意到证书的所谓域名与用于请求的域名之间存在差异.)

This does not have anything to do with SNI, as you currently only have one HTTPS server. What happens, as you've stated in your comment, is that the alpha.net domain resolves to your server's IP. Your Apache server is set up to listen for requests on port 443 on this IP, and to serve the contents of charlie.net to these requests. (And the certificate error means that the browser noticed the discrepancy between the certificate's alleged domain name and the domain name used for the request.)

从HTTPS重定向到HTTP可能更值得，因为每个域都需要有效的证书，以免向用户显示另一个安全警告.这将需要在具有SNI功能的服务器(即带有openssl的Apache 2.2+的更高版本)上为alpha.net:443等创建虚拟主机，并添加如下重定向:

Redirecting from HTTPS to HTTP is probably more trouble that it's worth, since you would need valid certificates for each domain, lest you present your users with another security warning. This would entail creating virtual hosts for alpha.net:443 and so on, on an SNI capable server (i.e., later versions of Apache 2.2+ with openssl), and adding a redirection like so:

RewriteEngine On 
RewriteCond %{HTTPS} on 
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}

可能最简单的方法是为charlie.net使用其他IP.使用此设置，alpha.net(等等)将无法显示其他站点的内容.

Probably the easiest course for your problem is to use a different IP for charlie.net. With this setup, there would be no way for alpha.net (and so on) to display the contents of another site.

这篇关于每个带SSL的Apache服务器上有多个站点，显示带有HTTPS的错误站点的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！