Apache 在 mod_jk 之前重写(删除 www)

Question

这里是上下文:

• 我正在使用 Centos 7、apache 2.4.6 和 tomcat 8.0。
• 我有一个经典的 php 网站，存储在/var/www 文件夹中。
• 我有一个 JEE 网站，存储在 tomcat webapps 文件夹中。
• 我有通配符 ssl 证书(已签名)。

这是我想要的:

• 我希望对我的服务器的所有访问都重定向到正确的网站，使用 https，而不使用 www。

以下是用例:

• URL 'example.com' ==> 重定向到 https OK
• URL 'www.example.com' ==> 重定向 https + 删除 www OK

• 网址 ' https://www.example.com ' ==> 保留 https + 删除 www OK

• URL 'test.example.com' ==> 重定向到 https OK

• URL 'www.test.example.com' ==> 重定向 https + 删除 www OK
• 网址 ' https://www.test.example.com ' ==> KO 未重定向 - 浏览器显示一个页面，说明网站配置错误且连接不安全(因为通配符 ssl 不涵盖 2 个级别)

最后一点是我要解决的问题。

这是我的配置:

    <VirtualHost *:80>
        ServerName example.com
        ServerAlias www.example.com
        Redirect / https://example.com/
    </VirtualHost>
    <VirtualHost *:80>
        ServerName test.example.com
        ServerAlias www.test.example.com
        Redirect / https://test.example.com/
    </VirtualHost>
    <VirtualHost *:443>
        ServerName example.com
        ServerAlias www.example.com
        DocumentRoot /var/www/public/example
        SSLEngine on
        SSLCertificateFile xxx
        SSLCertificateKeyFile xxx
        SSLCertificateChainFile xxx
        RewriteEngine On
        RewriteCond %{HTTPS} off [OR]
        RewriteCond %{HTTP_HOST} ^www\. [NC]
        RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
        RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]
    </VirtualHost>
    <VirtualHost *:443>
        ServerName test.example.com
        ServerAlias www.test.example.com
        SSLEngine on
        SSLCertificateFile xxx
        SSLCertificateKeyFile xxx
        SSLCertificateChainFile xxx
        RewriteEngine On
        RewriteCond %{HTTPS} off [OR]
        RewriteCond %{HTTP_HOST} ^www\. [NC]
        RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
        RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]
        JkMount / worker_test
        JkMount /* worker_test
    </VirtualHost>

所以，看起来我快到了，但我做错了什么？

Answer 1

据我所知，您不能为每个 IP 配置多个 https 虚拟主机，就是这样，基于名称的虚拟主机仅限于一个 SSL 虚拟主机。

此信息来自https://wiki.apache.org/httpd/NameBasedSSLVHosts

As a rule, it is impossible to host more than one SSL virtual host on the same IP address and port. This is because Apache needs to know the name of the host in order to choose the correct certificate to setup the encryption layer. But the name of the host being requested is contained only in the HTTP request headers, which are part of the encrypted content. It is therefore not available until after the encryption is already negotiated. This means that the correct certificate cannot be selected, and clients will receive certificate mismatch warnings and be vulnerable to man-in-the-middle attacks.

In reality, Apache will allow you to configure name-based SSL virtual hosts, but it will always use the configuration from the first-listed virtual host (on the selected IP address and port) to setup the encryption layer. In certain specific circumstances, it is acceptable to use a single SSL configuration for several virtual hosts. In particular, this will work if the SSL certificate applies to all the virtual hosts. For example, this will work if:

1. All the VirtualHosts are within the same domain, eg: one.example.com and two.example.com.

2. You have a wildcard SSL certificate for that domain (one where the Common Name begins with an asterix: i.e *.example.com)

我听说过使用 SNI 来实现这种配置，但我从未测试过:SSL with Virtual Hosts Using SNI