Apache上特定URL的SSL证书

时间:2017-03-10 12:08:25

标签: apache ssl ssl-certificate

是否可以为域内的特定网址配置SSL证书密钥文件(双向)?

是的,使用mod_rewrite。但我真的需要保留域和所请求的URL。

当前domain.com.conf配置:

<VirtualHost domain.com:443>
    ServerAdmin name@domain.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache2/conf/server.cer
    SSLCertificateKeyFile /usr/local/apache2/conf/server.key

    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLCACertificateFile /usr/local/apache2/conf/ca.cer

    <location />
        Order allow,deny
        allow from all
        SSLRequire (%{SSL_CLIENT_S_DN_CN} eq "clientcn")
    </location>

    DocumentRoot /usr/local/apache2/htdocs/
    <Directory "/usr/local/apache2/htdocs">
        Options FollowSymLinks
        AllowOverride None
        allow from all
    </Directory>

    LogLevel warn
    ErrorLog /usr/local/apache2/conf/logs/error.log
    CustomLog /usr/local/apache2/conf/logs/ssl_access.log combined

    BrowserMatch ".*MSIE.*"\
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
</VirtualHost>

1 个答案:

答案 0 :(得分:2)

this is not possible

在进行任何路由/端点调度之前,SSL握手发生在服务器级别。在成功进行TLS协商之后,甚至不会考虑HTTP标头中的完整URL。

例如,在此URL上使用curl以查看它是否首先连接到主机,然后当且仅当形成可信连接时才会传递URI主干。

curl -vI https://stackoverflow.com/questions/42718090/ssl-certificate-at-a-specific-url-on-apache

*   Trying 151.101.193.69...
* Connected to stackoverflow.com (151.101.193.69) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 714 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*      server certificate verification OK
*      server certificate status verification SKIPPED
*      common name: *.stackexchange.com (matched)
*      server certificate expiration date OK
*      server certificate activation date OK
*      certificate public key: RSA
*      certificate version: #3
*      subject: C=US,ST=NY,L=New York,O=Stack Exchange\, Inc.,CN=*.stackexchange.com
*      start date: Sat, 21 May 2016 00:00:00 GMT
*      expire date: Wed, 14 Aug 2019 12:00:00 GMT
*      issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
*      compression: NULL
* ALPN, server accepted to use http/1.1
> HEAD /questions/42718090/ssl-certificate-at-a-specific-url-on-apache HTTP/1.1
> Host: stackoverflow.com
> User-Agent: curl/7.47.0
> Accept: */*
相关问题
最新问题