lighttpd 配置 - lighttpd 是否使用地址进行身份验证,例如subjectAltNames=IP:192.168.1.20?
lighttpd configuration - does lighttpd authenticate with an address, e.g. subjectAltNames=IP:192.168.1.20?
以下是一个测试设置,用于检查 lighttpd 是否会根据包含在证书 subjectAltNames 中的 IP 地址进行身份验证,例如
subjectAltNames=IP:192.168.1.20
配置:
$HTTP["host"] == "192.168.1.20" {
# Ensure the Pi-hole Block Page knows that this is not a blocked domain
setenv.add-environment = ("fqdn" => "true")
# Enable the SSL engine with a LE cert, only for this specific host
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/Pihole-Home-Lan/private/Pihole-Home-Lan.key-crt.pem"
# ssl.ca-file = "/etc/lighttpd/ssl/Pihole-Home-Lan/public/Pihole-Home-Lan-fullchain.pem"
ssl.ca-file = "/etc/lighttpd/ssl/Pihole-Home-Lan/public/Home-Lan.crt.pem"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
# client side authentification
ssl.verifyclient.activate = "enable"
ssl.verifyclient.enforce = "enable"
ssl.verifyclient.depth = "10"
ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
## ssl.verifyclient.username = "SSL_CLIENT_S_DN_emailAddress"
}
# Redirect HTTP to HTTPS
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0[=10=]")
}
}
}
当通过原始地址 192.168.1.20 访问时来自 /var/log/lighttpd/access.log 的行:
1551209819|192.168.1.20|GET / HTTP/1.1|401|351
浏览器显示401未授权。是 SSL 失败还是有其他问题?
$SERVER["socket"] == ":443" { ... }(或$SERVER["socket"] == "192.168.1.20:443" { ... })属于配置的顶层。将 $SERVER["socket"] 放入其他 lighttpd 配置条件中是错误的,即放入 $HTTP["host"] == "192.168.1.20" { ... }
是错误的
在通过加密的 TLS 通道接收 HTTP 请求之前,在套接字连接开始时协商 TLS。由于协商TLS时HTTP请求Host头还没有收到,所以把$SERVER["socket"]放在任何其他条件里面都是无效,比如$HTTP["host"]
以下是一个测试设置,用于检查 lighttpd 是否会根据包含在证书 subjectAltNames 中的 IP 地址进行身份验证,例如
subjectAltNames=IP:192.168.1.20
配置:
$HTTP["host"] == "192.168.1.20" {
# Ensure the Pi-hole Block Page knows that this is not a blocked domain
setenv.add-environment = ("fqdn" => "true")
# Enable the SSL engine with a LE cert, only for this specific host
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/Pihole-Home-Lan/private/Pihole-Home-Lan.key-crt.pem"
# ssl.ca-file = "/etc/lighttpd/ssl/Pihole-Home-Lan/public/Pihole-Home-Lan-fullchain.pem"
ssl.ca-file = "/etc/lighttpd/ssl/Pihole-Home-Lan/public/Home-Lan.crt.pem"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
# client side authentification
ssl.verifyclient.activate = "enable"
ssl.verifyclient.enforce = "enable"
ssl.verifyclient.depth = "10"
ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
## ssl.verifyclient.username = "SSL_CLIENT_S_DN_emailAddress"
}
# Redirect HTTP to HTTPS
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0[=10=]")
}
}
}
当通过原始地址 192.168.1.20 访问时来自 /var/log/lighttpd/access.log 的行:
1551209819|192.168.1.20|GET / HTTP/1.1|401|351
浏览器显示401未授权。是 SSL 失败还是有其他问题?
$SERVER["socket"] == ":443" { ... }(或$SERVER["socket"] == "192.168.1.20:443" { ... })属于配置的顶层。将 $SERVER["socket"] 放入其他 lighttpd 配置条件中是错误的,即放入 $HTTP["host"] == "192.168.1.20" { ... }
在通过加密的 TLS 通道接收 HTTP 请求之前,在套接字连接开始时协商 TLS。由于协商TLS时HTTP请求Host头还没有收到,所以把$SERVER["socket"]放在任何其他条件里面都是无效,比如$HTTP["host"]