通过SNI提供的主机名myfirstweb.intweb.net和通过HTTP提供的主机名mysecondweb.intweb.net不同,Apache错误

时间:2018-11-28 23:25:09

标签: apache ssl nginx httpd.conf nginx-config

我有一台服务器,同一台服务器上有大约3个网站。

为了使事情变得更容易,我正在生成具有ansible的nginx配置文件以及apache配置文件,因此它更容易且更不易出错。而且,正如您将在下面看到的,我为所有这些端口使用相同的端口,因此这些apache和nginx配置文件上的唯一不同之处几乎是服务器名称,根目录位置,网站位置以及错误的位置日志将被放置。

我现在看到的问题是,我无法同时看到两个网站,当我在浏览器中打开第一个网站时,它可以正常打开,但是当我要打开第二个网站时,出现此错误:

您的浏览器发送了该服务器无法理解的请求。

当我看到apache日志时,看到以下错误:

[Fri Nov 09 16:17:51.247904 2018] [ssl:error] [pid 18614] AH02032:通过SNI提供的主机名myweb.intweb.net和通过HTTP提供的主机名mysecondweb.intweb.net不同

其中 mysecondweb.intweb.net 是我要查看的另一个网站。

这是我其中一个的nginx配置文件,您可以在其中看到我正在处理apache的请求:

# Force HTTP requests to HTTPS
server {
    listen 80;
    server_name myweb.intweb.net;
    return 301 https://myweb.intweb.net$request_uri;
}
  server {

      listen  443 ssl;
      root  /var/opt/httpd/ifdocs;

    server_name myweb.intweb.net ;

      # add Strict-Transport-Security to prevent man in the middle attacks
    add_header Strict-Transport-Security "max-age=31536000" always;
    ssl on;
    ssl_certificate     /etc/pki/tls/certs/star_intweb_net.pem;
    ssl_certificate_key /etc/pki/tls/certs/star_intweb_net.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

      access_log /var/log/nginx/iflogs/https/access.log;
    error_log  /var/log/nginx/iflogs/https/error.log;

    ###include rewrites/default.conf;


    index  index.php index.html index.htm;

    # Make nginx serve static files instead of Apache
    # NOTE this will cause issues with bandwidth accounting as files wont be logged
    location ~* \.(gif|jpg|jpeg|png|wmv|avi|mpg|mpeg|mp4|htm|html|js|css)$ {
        expires max;
    }

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
                proxy_ssl_server_name on;
        proxy_ssl_name $host;
        proxy_pass https://127.0.0.1:4433;
         }

    # proxy the PHP scripts to Apache listening on <serverIP>:8080
    location ~ \.php$ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
                proxy_ssl_server_name on;
        proxy_ssl_name $host;
        proxy_pass https://127.0.0.1:4433;
         }

    location ~ /\. {
        deny  all;
    }

    error_page  500 502 503 504  /50x.html;
    location = /50x.html {
  root  /usr/share/nginx/html;
    }
}

这是我对站点的Apache配置:

 <VirtualHost *:4433>

  SSLEngine on
   SSLCertificateFile /etc/pki/tls/certs/star_intweb_net.crt
SSLCertificateKeyFile /etc/pki/tls/certs/star_intweb_net.key
SSLCertificateCcompanyFile /etc/pki/tls/certs/DigiCertCA.crt

ServerAdmin webmaster@company.com

DocumentRoot /var/opt/httpd/ifdocs

<Directory "/var/opt/httpd/ifdocs">
    Options FollowSymLinks
    AllowOverride All
      Require all granted
  </Directory>

ServerName myweb.intweb.net

ErrorLog /var/log/httpd/iflogs/http/error.log
CustomLog /var/log/httpd/iflogs/http/access.log combined

#    RewriteEngine on

#    Include rewrites/default.conf

</VirtualHost>

注意: 如果我删除了这些行:

proxy_ssl_server_name on;
        proxy_ssl_name $host;

我不再有这个问题,似乎可以解决我遇到的问题。在这种情况下,我只是想知道这是否会在将来引起问题,或者为什么通过删除配置中的这两行来停止在Apache中出现这些错误?

谢谢!

1 个答案:

答案 0 :(得分:0)

我能够通过在nginx.conf文件中添加以下代码来解决此问题:

proxy_ssl_session_reuse off;

显然,OpenSSL中存在错误。我通过运行以下代码对其进行了测试:

openssl genrsa -out fookey.pem 2048
openssl req -x509 -key fookey.pem -out foocert.pem -days 3650 -subj '/CN=testkey.invalid.example'

openssl s_server -accept localhost:30889 -cert foocert.pem -key fookey.pem -state -servername key1.example -cert2 foocert.pem -key2 fookey.pem

openssl s_client -connect localhost:30889 -sess_out /tmp/tempsslsess -servername key1.example

openssl s_client -connect localhost:30889 -sess_in /tmp/tempsslsess -servername key2.example

# observe key1.example in the SNI info reported by s_server for both requests.  ("Hostname in TLS extension: "...)

# If s_server is restarted, and the s_client connections/sessions are re-run using key2.example first and key1.example second, observe key2.example in the SNI info reported by s_server for both requests.

# Furthermore, I just tested on a different machine, and sometimes SNI appears to be absent in the second requests.

# shouldn't s_client filter session use so that if it knows SNI info before selecting a cached session, it only selects one that matches the intended SNI name?  And if it doesn't have a SNI name when it's searching for a session to re-use, shouldn't it still double check when it's provided (later, before connecting) SNI info, to make sure it's identical to SNI in the saved session it picked, and not use the saved session if they differ?

# It seems to me if the SNI specified by the client app ever differs from the SNI seen by the server, that's not good.

# this was discovered by someone reporting a problem using nginx to reverse proxy to apache, with apache warning that the SNI hostname didn't match the Host: header, despite the nginx config explicitly setting Host: and apache-side SNI to the same thing.
相关问题
最新问题