lighttpd 配置 - lighttpd 是否使用地址进行身份验证,例如subjectAltNames=IP:192.168.1.20?

lighttpd configuration - does lighttpd authenticate with an address, e.g. subjectAltNames=IP:192.168.1.20?

以下是一个测试设置,用于检查 lighttpd 是否会根据包含在证书 subjectAltNames 中的 IP 地址进行身份验证,例如

subjectAltNames=IP:192.168.1.20

配置:

$HTTP["host"] == "192.168.1.20" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/Pihole-Home-Lan/private/Pihole-Home-Lan.key-crt.pem"
#    ssl.ca-file =  "/etc/lighttpd/ssl/Pihole-Home-Lan/public/Pihole-Home-Lan-fullchain.pem"
    ssl.ca-file =  "/etc/lighttpd/ssl/Pihole-Home-Lan/public/Home-Lan.crt.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    # client side authentification
    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce = "enable"
    ssl.verifyclient.depth = "10"
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
##    ssl.verifyclient.username = "SSL_CLIENT_S_DN_emailAddress"
        }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0[=10=]")
    }
  }
}

当通过原始地址 192.168.1.20 访问时来自 /var/log/lighttpd/access.log 的行:

1551209819|192.168.1.20|GET / HTTP/1.1|401|351

浏览器显示401未授权。是 SSL 失败还是有其他问题?

$SERVER["socket"] == ":443" { ... }(或$SERVER["socket"] == "192.168.1.20:443" { ... })属于配置的顶层。将 $SERVER["socket"] 放入其他 lighttpd 配置条件中是错误的,即放入 $HTTP["host"] == "192.168.1.20" { ... }

是错误的

在通过加密的 TLS 通道接收 HTTP 请求之前,在套接字连接开始时协商 TLS。由于协商TLS时HTTP请求Host头还没有收到,所以把$SERVER["socket"]放在任何其他条件里面都是无效,比如$HTTP["host"]