Apache2 "localhost" 有效,但对于 127.0.0.1 我得到 "This site can’t be reached refused to connect"。 SSL 也 returns 授权错误
Apache2 "localhost" works but for 127.0.0.1 I get "This site can’t be reached refused to connect". SSL also returns authorization error
我正在尝试 运行 docker (WSL2) 下的 apache2 使用自签名证书来测试 SSL。 docker 文件脚本如下所示
FROM php:7.1-apache
RUN apt-get update && apt-get install -y zlib1g-dev
COPY ./certs/* /etc/apache2/ssl/
COPY dev.conf /etc/apache2/sites-enabled/dev.conf
RUN docker-php-ext-install mysqli pdo pdo_mysql zip mbstring
RUN a2enmod rewrite
RUN a2enmod ssl
RUN service apache2 restart
dev.conf 包含如下所示的 SSL 虚拟主机。
<VirtualHost *:443>
DocumentRoot "/var/www/html/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl/server.crt"
SSLCertificateKeyFile "/etc/apache2/ssl/server.key"
ServerName dev-asusrog.com
</VirtualHost>
运行 在端口 80 使用 chrome/firefox/opera 在 http://localhost:80 它工作。相同,但使用 http://127.0.0.1:80 代替,我得到“无法访问此站点”拒绝连接。“仅 IP6 版本协议被禁用。
sysctl net.ipv6.bindv6only
net.ipv6.bindv6only = 0
使用 curl -v localhost 或 curl -v 127.0.0.1 似乎在这两种情况下都有效。
curl -v localhost
* Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 12 Jan 2021 08:39:23 GMT
< Server: Apache/2.4.38 (Debian)
< Last-Modified: Tue, 12 Jan 2021 08:05:26 GMT
< ETag: "20-5b8af7c33cb30"
< Accept-Ranges: bytes
< Content-Length: 32
< Content-Type: text/html
<
<html>
<h1>Welcome</h1>
</html>
* Connection #0 to host localhost left intact
curl -v 127.0.0.1
* Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 12 Jan 2021 08:39:33 GMT
< Server: Apache/2.4.38 (Debian)
< Last-Modified: Tue, 12 Jan 2021 08:05:26 GMT
< ETag: "20-5b8af7c33cb30"
< Accept-Ranges: bytes
< Content-Length: 32
< Content-Type: text/html
<
<html>
<h1>Welcome</h1>
</html>
* Connection #0 to host 127.0.0.1 left intact
运行 https://dev-asusrog.com/(我已经在主机文件下设置 dev-asusrog.com 指向 127.0.1.1)我得到“Access to dev-asusrog.com 被拒绝。您无权查看此页面。HTTP 错误 403"
文件 server.crt 和 server.key 文件是使用下面的命令使用 openssl 创建的,使用上面的假服务器作为服务器 FQDN dev-asusrog.com。
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
我收到以下 Apache2 错误。第一个,关于完全限定域名,通过在 /etc/apache2/apache2.conf 下添加 ServerName localhost 语句来修复。其他人呢?
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.1.1. Set the 'ServerName' directive globally to suppress this message
[Tue Jan 12 11:53:39.329396 2021] [ssl:warn] [pid 22] AH01906: dev-asusrog.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jan 12 11:53:39.329797 2021] [ssl:error] [pid 22] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=dev-asusrog.com,OU=informatics,O=Company,L=mystate,ST=mystate,C=US / issuer: CN=dev-asusrog.com,OU=informatics,O=Company,L=mystate,ST=mystate,C=US / serial: 08C832686429FFF4C45180A8806FE16A278B41A3 / notbefore: Jan 11 10:40:12 2021 GMT / notafter: Jan 11 10:40:12 2022 GMT]
[Tue Jan 12 11:53:39.329830 2021] [ssl:error] [pid 22] AH02604: Unable to configure certificate dev-asusrog.com:443:0 for stapling
这里有什么帮助吗?
localhost 现在通常是 ::1 的别名(注意:IPV6),而 127.0.0.1 显然是 IPV4。因此,您正在连接到不同的端点,如果您没有明确打开 IPV4 连接,那里就没有任何监听。
第一步)我必须 change/add 在 \Windows\system32\drivers\etc\hosts 本地测试域下
根据 Olaf Kock 的建议,从 127.0.0.1 dev-asusrog.com 到 ::1 dev-asusrog.com。
第 2 步)我必须禁用 ssl-params.conf 下的 SSLUseStapling 参数,即注释掉
#SSLUseStapling on
第 3 个选项步骤)在 Windows 受信任的根证书颁发机构中安装 server.crt 证书
为了您的方便,我在下面附上了受影响的文件。
我的 Dockerfile 改成了这个
FROM php:7.1-apache
COPY ./certs/* /etc/apache2/ssl/
COPY ssl-params.conf /etc/apache2/conf-available/
COPY ./sites-available/* /etc/apache2/sites-available/
RUN a2enconf ssl-params
RUN a2ensite default-ssl
RUN a2enmod rewrite
RUN a2enmod ssl
RUN a2enmod headers
WORKDIR /var/www/html/
RUN service apache2 restart
我的ssl-params.conf是这样声明的
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACH$
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
#SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
文件sites-available/default-ssl.conf是这样声明的
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin your_email@example.com
ServerName dev-asusrog.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl/server.crt"
SSLCertificateKeyFile "/etc/apache2/ssl/server.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
如果你遇到了我遇到的同样问题,希望它能对你有所帮助。
此致,
我正在尝试 运行 docker (WSL2) 下的 apache2 使用自签名证书来测试 SSL。 docker 文件脚本如下所示
FROM php:7.1-apache
RUN apt-get update && apt-get install -y zlib1g-dev
COPY ./certs/* /etc/apache2/ssl/
COPY dev.conf /etc/apache2/sites-enabled/dev.conf
RUN docker-php-ext-install mysqli pdo pdo_mysql zip mbstring
RUN a2enmod rewrite
RUN a2enmod ssl
RUN service apache2 restart
dev.conf 包含如下所示的 SSL 虚拟主机。
<VirtualHost *:443>
DocumentRoot "/var/www/html/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl/server.crt"
SSLCertificateKeyFile "/etc/apache2/ssl/server.key"
ServerName dev-asusrog.com
</VirtualHost>
运行 在端口 80 使用 chrome/firefox/opera 在 http://localhost:80 它工作。相同,但使用 http://127.0.0.1:80 代替,我得到“无法访问此站点”拒绝连接。“仅 IP6 版本协议被禁用。
sysctl net.ipv6.bindv6only
net.ipv6.bindv6only = 0
使用 curl -v localhost 或 curl -v 127.0.0.1 似乎在这两种情况下都有效。
curl -v localhost
* Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 12 Jan 2021 08:39:23 GMT
< Server: Apache/2.4.38 (Debian)
< Last-Modified: Tue, 12 Jan 2021 08:05:26 GMT
< ETag: "20-5b8af7c33cb30"
< Accept-Ranges: bytes
< Content-Length: 32
< Content-Type: text/html
<
<html>
<h1>Welcome</h1>
</html>
* Connection #0 to host localhost left intact
curl -v 127.0.0.1
* Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 12 Jan 2021 08:39:33 GMT
< Server: Apache/2.4.38 (Debian)
< Last-Modified: Tue, 12 Jan 2021 08:05:26 GMT
< ETag: "20-5b8af7c33cb30"
< Accept-Ranges: bytes
< Content-Length: 32
< Content-Type: text/html
<
<html>
<h1>Welcome</h1>
</html>
* Connection #0 to host 127.0.0.1 left intact
运行 https://dev-asusrog.com/(我已经在主机文件下设置 dev-asusrog.com 指向 127.0.1.1)我得到“Access to dev-asusrog.com 被拒绝。您无权查看此页面。HTTP 错误 403"
文件 server.crt 和 server.key 文件是使用下面的命令使用 openssl 创建的,使用上面的假服务器作为服务器 FQDN dev-asusrog.com。
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
我收到以下 Apache2 错误。第一个,关于完全限定域名,通过在 /etc/apache2/apache2.conf 下添加 ServerName localhost 语句来修复。其他人呢?
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.1.1. Set the 'ServerName' directive globally to suppress this message
[Tue Jan 12 11:53:39.329396 2021] [ssl:warn] [pid 22] AH01906: dev-asusrog.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jan 12 11:53:39.329797 2021] [ssl:error] [pid 22] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=dev-asusrog.com,OU=informatics,O=Company,L=mystate,ST=mystate,C=US / issuer: CN=dev-asusrog.com,OU=informatics,O=Company,L=mystate,ST=mystate,C=US / serial: 08C832686429FFF4C45180A8806FE16A278B41A3 / notbefore: Jan 11 10:40:12 2021 GMT / notafter: Jan 11 10:40:12 2022 GMT]
[Tue Jan 12 11:53:39.329830 2021] [ssl:error] [pid 22] AH02604: Unable to configure certificate dev-asusrog.com:443:0 for stapling
这里有什么帮助吗?
localhost 现在通常是 ::1 的别名(注意:IPV6),而 127.0.0.1 显然是 IPV4。因此,您正在连接到不同的端点,如果您没有明确打开 IPV4 连接,那里就没有任何监听。
第一步)我必须 change/add 在 \Windows\system32\drivers\etc\hosts 本地测试域下
根据 Olaf Kock 的建议,从 127.0.0.1 dev-asusrog.com 到 ::1 dev-asusrog.com。
第 2 步)我必须禁用 ssl-params.conf 下的 SSLUseStapling 参数,即注释掉
#SSLUseStapling on
第 3 个选项步骤)在 Windows 受信任的根证书颁发机构中安装 server.crt 证书 为了您的方便,我在下面附上了受影响的文件。
我的 Dockerfile 改成了这个
FROM php:7.1-apache
COPY ./certs/* /etc/apache2/ssl/
COPY ssl-params.conf /etc/apache2/conf-available/
COPY ./sites-available/* /etc/apache2/sites-available/
RUN a2enconf ssl-params
RUN a2ensite default-ssl
RUN a2enmod rewrite
RUN a2enmod ssl
RUN a2enmod headers
WORKDIR /var/www/html/
RUN service apache2 restart
我的ssl-params.conf是这样声明的
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACH$
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
#SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
文件sites-available/default-ssl.conf是这样声明的
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin your_email@example.com
ServerName dev-asusrog.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl/server.crt"
SSLCertificateKeyFile "/etc/apache2/ssl/server.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
如果你遇到了我遇到的同样问题,希望它能对你有所帮助。
此致,