Docker中的mod_wsgi-express:SSLCipherSuite和SSLProtocol

时间:2016-10-20 14:10:25

标签: apache ssl mod-wsgi

我正在使用Graham's image在Docker中运行mod_wsgi-express。我希望用户通过HTTPS访问我的网站。

当我通过SSL实验室运行网站时,我可以看到SSLv3和TLS1.0已启用,RC4密码也是如此。我不想要任何这些,所以我需要访问SSLCipherSuite文件中的SSLProtocolhttpd.conf指令。

但是,查看mod_wsgi-express start-server --help中的选项和生成文件中的HTTPS节,我看不到任何方法来访问这些变量。

<IfDefine MOD_WSGI_WITH_HTTPS>
<IfDefine MOD_WSGI_WITH_LISTENER_HOST>
Listen localhost:443
</IfDefine>
<IfDefine !MOD_WSGI_WITH_LISTENER_HOST>
Listen 443
</IfDefine>
<IfVersion < 2.4>
NameVirtualHost *:443
</IfVersion>
<VirtualHost _default_:443>
<Location />
<IfVersion < 2.4>
Order deny,allow
Deny from all
</IfVersion>
<IfVersion >= 2.4>
Require all denied
</IfVersion>
<IfDefine MOD_WSGI_ALLOW_LOCALHOST>
Allow from localhost
</IfDefine>
</Location>
SSLEngine On
SSLCertificateFile cert-file.crt
SSLCertificateKeyFile key-file.key
<IfDefine MOD_WSGI_VERIFY_CLIENT>
SSLCACertificateFile None
SSLVerifyClient none
</IfDefine>
<IfDefine MOD_WSGI_CERTIFICATE_CHAIN>
SSLCertificateChainFile None
</IfDefine>
</VirtualHost>
<VirtualHost *:443>
ServerName my-server.me
<IfDefine MOD_WSGI_SERVER_ALIAS>
ServerAlias None
</IfDefine>
SSLEngine On
SSLCertificateFile cert-file.crt
SSLCertificateKeyFile key-file.ky
<IfDefine MOD_WSGI_VERIFY_CLIENT>
SSLCACertificateFile None
SSLVerifyClient none
</IfDefine>
<IfDefine MOD_WSGI_CERTIFICATE_CHAIN>
SSLCertificateChainFile None
</IfDefine>
<IfDefine MOD_WSGI_HTTPS_ONLY>
<IfDefine MOD_WSGI_HSTS_POLICY>
Header set Strict-Transport-Security None
</IfDefine>
</IfDefine>
<IfDefine MOD_WSGI_SSL_ENVIRONMENT>
SSLOptions +StdEnvVars
</IfDefine>
</VirtualHost>
<IfDefine MOD_WSGI_REDIRECT_WWW>
<VirtualHost *:443>
ServerName unspecified
Redirect permanent / https://my-server.me:443/
SSLEngine On
SSLCertificateFile cert-file.crt
SSLCertificateKeyFile key-file.key
<IfDefine MOD_WSGI_VERIFY_CLIENT>
SSLCACertificateFile None
SSLVerifyClient none
</IfDefine>
<IfDefine MOD_WSGI_CERTIFICATE_CHAIN>
SSLCertificateChainFile None
</IfDefine>
</VirtualHost>
</IfDefine>
</IfDefine>

</IfDefine>

是否有办法访问我遗失的SSLCipherSuiteSSLProtocol,或者我是否仍然无法构建自己的httpd.conf并将其注入图片?

1 个答案:

答案 0 :(得分:0)

Try creating a ssl.conf file and add your directives in it. Then add the option:

--include-file ssl.conf

to mod_wsgi-express when run.

These will be included at the end of the generated httpd.conf file which I think for these options is okay.

If doesn't help, then jump on to the mod_wsgi mailing list and we can discuss further there. I may have to add a --ssl-options option for including a snippet file with SSL stuff in it, so is included at the correct place in the generated file.