禁用默认 443 虚拟主机的 Apache SSL 引擎 [英] Disable Apache SSL engine for default 443 Virtual Host

问题描述

我有两个域，example1.com 和 example2.com，在同一个 IP 上运行，12.345.678.90.

I have two domains, example1.com and example2.com, running on the same IP, 12.345.678.90.

现在我想通过 12.345.678.90 完全禁用 https 访问.

Now I want to completely dissable https access via 12.345.678.90.

我试图这样做(没有花哨的东西的紧凑代码)

I tried to do this (compact code without fancy stuff)

<VirtualHost *:443>
    SSLEngine off
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    ServerName example1.com
    DocumentRoot /var/www/html/example1
    SSLCertificateFile /etc/.../fullchain.pem
    SSLCertificateKeyFile /etc/.../privkey.pem
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    ServerName example2.com
    DocumentRoot /var/www/html/example2
    SSLCertificateFile /etc/.../fullchain.pem
    SSLCertificateKeyFile /etc/.../privkey.pem
</VirtualHost>

现在，当我禁用默认情况下捕获所有内容的第一个块时，两个示例站点都可以工作.但是，如果我启用它，则不再有效.其实这只是为443复制的80端口解决方案，看来是SSL特定问题(编码请求数据).

Now when I dissable the first block that catches all by default, the two example site work. However, if I enable it, nothing works anymore. Actually, this is just the port 80 solution copied for 443. It seems to be a SSL specific problem (encoded request data).

如何通过 https 阻止IP 访问"?或者，配置我的设置的常用方法是什么?

How can I block "IP access" over https? Or, what is the commonly used way to configure my setup?

背景是:创建基于 IP 的 SSL 证书甚至没有标准化，因此允许这种请求是没有意义的.

Background is: It is not even standardized to create IP-based SSL-certificates, so it makes no sense to allow this kind of request.

推荐答案

创建基于 IP 的 SSL 证书甚至没有标准化，

It is not even standardized to create IP-based SSL-certificates,

这不是真的.该标准明确定义了特定 IP 地址的证书应使用主题备用名称部分中的 iPAddress 类型.但公共 CA 将不再为 IP 地址颁发证书，而仅为主机名颁发证书.

This is not really true. The standard explicitly defines that certificates for a specific IP address should use the iPAddress type in the subject alternative names section. But public CA will no longer issue certificates for an IP address but only for a hostname.

除此之外，您的服务器要么接受特定 IP 地址上的 SSL 端口上的连接，要么不接受.这是因为在 TCP 级别只能看到 IP 地址，并且不知道主机名.如果客户端使用所有现代浏览器都使用的 SNI TLS 扩展，则主机名只会在 TLS 握手中被知道.

Apart from that your server either accepts connections on the SSL port on a specific IP address or it does not. This is because at the TCP level only the IP address is seen and there is no knowledge about the hostname. The hostname gets only known inside the TLS handshake if the client uses the SNI TLS extension which all modern browsers do.

因此，如果客户端在 SNI 扩展中使用未知主机名或根本不使用 SNI 扩展，即使用 https://ip-address/，您最多可以做的是使 TLS 握手失败.这可以通过使用 SSLStrictSNIVHostCheck 指令如文档所述来完成:

Thus the most you can do is to make the TLS handshake fail if the client uses an unknown hostname in the SNI extension or does not use the SNI extension at all, i.e. uses https://ip-address/. This can be done by using the SSLStrictSNIVHostCheck directive as documented:

如果在默认的基于名称的虚拟主机中设置为 on，则不会允许 SNI 不知道的客户端访问属于此特定 IP/端口组合的任何虚拟主机.

If set to on in the default name-based virtual host, clients that are SNI unaware will not be allowed to access any virtual host, belonging to this particular IP / port combination.

使用此选项设置对 http://ip-address/ 的访问将导致向客户端发出 TLS 警报，并且 TLS 握手将失败.

With this option set an access to http://ip-address/ will result in a TLS alert to the client and the TLS handshake will fail.

这篇关于禁用默认 443 虚拟主机的 Apache SSL 引擎的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！