在Apache httpd服务器中,是否可以定义将应用于* all * VirtualHosts的httpd.conf部分?

时间:2019-06-28 14:56:38

标签: apache httpd.conf

我正在慢慢了解有关Apache HTTPD服务器的更多信息,但我仍然主要还是新手。

最近,我一直在通过向VirtualHost添加标头来加强安全性。但是,如果我有一个带有10个VirtualHost定义的httpd.conf,是否有必要向所有10个VirtualHost定义添加相同的标头?

是否可以有一部分httpd.conf(或将包含在所有VirtualHost定义中的单独的.conf文件,而不必将标题分别添加到每个VirtualHost定义中?

那么,有可能,而不是这样做:

<VirtualHost *:80>
    ServerAdmin my@myorg.com
    ServerName  www.myorg.com
    Strict-Transport-Security: max-age=31536000; includeSubDomains
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin my@myorg.com
    ServerName  www2.myorg.com
    Strict-Transport-Security: max-age=31536000; includeSubDomains
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin my@myorg.com
    ServerName  www.myorg.com
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    SSLEngine On
    SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 H+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    SSLCertificateFile      /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_cert.pem
     SSLCertificateKeyFile   /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_key.key
     SSLCertificateChainFile    /etc/httpd/conf/ssl_certs/nitssolutions.com/gd_bundle-g2-g1.crt

</VirtualHost>
<VirtualHost *:443>
    ServerAdmin my@myorg.com
    ServerName  www2.myorg.com
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    SSLEngine On
    SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    SSLCertificateFile      /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_cert.pem
    SSLCertificateKeyFile   /etc/httpd/conf/ssl_certs/nitssolutions.com/nitssol1_key.key
    SSLCertificateChainFile    /etc/httpd/conf/ssl_certs/nitssolutions.com/gd_bundle-g2-g1.crt
</VirtualHost>

是否可以定义httpd.conf的一部分(或httpd.conf的包含文件),在其中我可以将这些标头和其他指令一次放入其中,并将它们应用于所有 VirtualHost定义?

类似: httpd.conf的特定部分:

    Strict-Transport-Security: max-age=31536000; includeSubDomains
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 H+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

然后,当我定义一个VirtualHost时,我就这样做:

<VirtualHost *:80>
    ServerAdmin me@myorg.com
    ServerName  www.myorg.com
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin me@myorg.com
    ServerName  www.myorg.com
</VirtualHost>

这样,我可以在一个地方定义(并在将来更改)与安全相关的指令,而不必在5个,10个或20个以上的地方进行调整?

可能吗?

1 个答案:

答案 0 :(得分:1)

有两个选项。

选项1:在全局上下文中(在任何VirtualHost之外)的配置都适用于它们。参见https://serverfault.com/questions/834349/does-apache2-have-a-way-of-setting-global-vhosts

选项2:mod_macro。您可以配置宏以简化多配置。参见https://httpd.apache.org/docs/2.4/en/mod/mod_macro.html

选项3:动态批量VirtualHost配置。在这里,您使用通配符。参见https://httpd.apache.org/docs/2.4/en/vhosts/mass.html

相关问题
最新问题