在服务于不同域的 apache 虚拟主机之间共享 SSL 配置
Sharing SSL Configuration between apache virtualhosts serving different domains
我为 apache2 服务的每个域都有一个虚拟主机。
有点像
/etc/apache2/sites-available/1.conf
<VirtualHost *:443>
ServerName xyz.com
ServerAlias www.xyz.com
SSLEngine on
SSLCertificateFile /etc/.../cert.pem
SSLCertificateKeyFile /etc/.../privkey.pem
SSLCertificateChainFile /etc/.../chain.pem
</VirtualHost
<VirtualHost *:443>
ServerName qwert.com
ServerAlias www.qwert.com
SSLEngine on
SSLCertificateFile /etc/.../cert.pem
SSLCertificateKeyFile /etc/.../privkey.pem
SSLCertificateChainFile /etc/.../chain.pem
</VirtualHost
我想添加一些 SSL 设置来指定密码套件和允许的 TLS 版本,以便它们在所有启用 SSL 的站点之间共享。
这样我就可以集中更改它们,而不是编辑每个虚拟主机。
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
我如何集中执行此操作?
Apache 提供了 Define 指令,它定义了您可以在别处使用的变量。
在我的 /etc/apache2/apache.conf 的顶部,我定义了我想要集中的所有 SSL 设置。
Define honor_ssl_cipher_order on
Define ssl_protocol "all -SSLv2 -SSLv3"
Define ssl_cipher_suite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
然后在每个虚拟主机中我可以
<VirtualHost *:443>
...
SSLProtocol ${ssl_protocol}
SSLHonorCipherOrder ${honor_ssl_cipher_order}
SSLCipherSuite "${ssl_cipher_suite}"
</VirtualHost>
或者,您可以将 SSL 配置放入文件中,并在每个虚拟主机中只包含该文件。
幸运的是 Letsencrypt 人已经为您创建了这样一个文件:搜索 options-ssl-apache.conf
locate options-ssl-apache.conf
示例包括
<VirtualHost ...>
Include /etc/letsencrypt/options-ssl-apache.conf
...
</VirtualHost>
最后是他们的示例文件,让 https 更安全的 letsencrypt 方式:
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLOptions +StrictRequire
Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
此配置导致 A+ 在 https://www.ssllabs.com/ssltest/
我为 apache2 服务的每个域都有一个虚拟主机。
有点像 /etc/apache2/sites-available/1.conf
<VirtualHost *:443>
ServerName xyz.com
ServerAlias www.xyz.com
SSLEngine on
SSLCertificateFile /etc/.../cert.pem
SSLCertificateKeyFile /etc/.../privkey.pem
SSLCertificateChainFile /etc/.../chain.pem
</VirtualHost
<VirtualHost *:443>
ServerName qwert.com
ServerAlias www.qwert.com
SSLEngine on
SSLCertificateFile /etc/.../cert.pem
SSLCertificateKeyFile /etc/.../privkey.pem
SSLCertificateChainFile /etc/.../chain.pem
</VirtualHost
我想添加一些 SSL 设置来指定密码套件和允许的 TLS 版本,以便它们在所有启用 SSL 的站点之间共享。 这样我就可以集中更改它们,而不是编辑每个虚拟主机。
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
我如何集中执行此操作?
Apache 提供了 Define 指令,它定义了您可以在别处使用的变量。
在我的 /etc/apache2/apache.conf 的顶部,我定义了我想要集中的所有 SSL 设置。
Define honor_ssl_cipher_order on
Define ssl_protocol "all -SSLv2 -SSLv3"
Define ssl_cipher_suite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
然后在每个虚拟主机中我可以
<VirtualHost *:443>
...
SSLProtocol ${ssl_protocol}
SSLHonorCipherOrder ${honor_ssl_cipher_order}
SSLCipherSuite "${ssl_cipher_suite}"
</VirtualHost>
或者,您可以将 SSL 配置放入文件中,并在每个虚拟主机中只包含该文件。
幸运的是 Letsencrypt 人已经为您创建了这样一个文件:搜索 options-ssl-apache.conf
locate options-ssl-apache.conf
示例包括
<VirtualHost ...>
Include /etc/letsencrypt/options-ssl-apache.conf
...
</VirtualHost>
最后是他们的示例文件,让 https 更安全的 letsencrypt 方式:
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLOptions +StrictRequire
Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
此配置导致 A+ 在 https://www.ssllabs.com/ssltest/