I'm looking for the most efficient way to achieve this setup on Apache 2.4.33 in the Amazon Linux Distro:
a single associated IP
two (or more) domains, each with their own SSL certificate
one default SSL VirtualHost that applies to all others, to set such things as SSLProtocol, FilesMatch, and BrowserMatch only once
a dedicated VirtualHost per domain that points to the respective files and sets the document root
Is there something wrong with this setup?
1) /etc/httpd/conf.d/ssl.conf (entire file):
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
# default settings for all VirtualHosts
<VirtualHost *:443>
LogLevel warn
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLHonorCipherOrder on
#use OpenSSL default
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!MD5
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
2) /etc/httpd/conf.d/vhosts.conf
# foo.com
<VirtualHost *:80>
ServerName foo.com
ServerAlias www.foo.com
# trailing slash needed: "Redirect / https://foo.com" would send /path to https://foo.compath
Redirect 301 / https://foo.com/
</VirtualHost>
<VirtualHost *:443>
ServerName foo.com:443
# ServerAlias takes bare host names; a :port suffix never matches a request
ServerAlias www.foo.com
DocumentRoot "/var/www/foo"
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/foo.crt
SSLCertificateChainFile /etc/pki/tls/certs/foo.bundle
SSLCertificateKeyFile /etc/pki/tls/private/foo.key
ErrorLog logs/foo
TransferLog logs/foo-acc
</VirtualHost>
# bar.com
<VirtualHost *:80>
ServerName bar.com
ServerAlias www.bar.com
Redirect 301 / https://bar.com/
</VirtualHost>
<VirtualHost *:443>
ServerName bar.com:443
ServerAlias www.bar.com
DocumentRoot "/var/www/bar"
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/bar.crt
SSLCertificateChainFile /etc/pki/tls/certs/bar.bundle
SSLCertificateKeyFile /etc/pki/tls/private/bar.key
ErrorLog logs/bar
TransferLog logs/bar-acc
</VirtualHost>
Will this work, or do I have to repeat the default setup for each dedicated domain?
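The question of whether each name on the single IP really gets its own certificate can be settled from outside the server rather than by reading the config. The probe below is an added example and not part of the original post: it sends each host name via SNI with `openssl s_client` and reports the CN of the certificate that came back. The IP 203.0.113.10 and the `NAME:EXPECTED_CN` pairs are assumptions for illustration; the two `SAMPLE_*` strings are constructed s_client output (not captured from a real server) so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): probe one IP with several SNI
# names and report which leaf certificate each name is served. Wrong or missing
# name-based *:443 vhosts show up as a name receiving the default vhost's cert.

# Pull the leaf-certificate CN out of `openssl s_client` output. Handles both
# "subject=CN = foo.com" (OpenSSL 1.1+) and "subject=/C=US/CN=foo.com" (1.0).
subject_cn() {
    sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1 | sed 's/ *$//'
}

# Connect to IP:443 presenting NAME via SNI; print the CN of the served cert.
sni_cn() {
    name=$1
    ip=$2
    openssl s_client -connect "$ip:443" -servername "$name" </dev/null 2>/dev/null | subject_cn
}

# check_sni IP NAME[:EXPECTED_CN]...
# Exit status 1 if any name is served a certificate whose CN is not the
# expected one (a www alias normally shares the apex name's certificate, so
# pass "www.foo.com:foo.com" for it).
check_sni() {
    ip=$1
    shift
    rc=0
    for spec in "$@"; do
        name=${spec%%:*}
        want=${spec#*:}           # equals $spec when no ":" was given
        got=$(sni_cn "$name" "$ip")
        if [ "$got" = "$want" ]; then
            echo "OK   $name -> $got"
        else
            echo "FAIL $name -> ${got:-no certificate} (expected $want)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample s_client output (not captured from a real server), used
# to check the parser without network access.
SAMPLE_NEW='CONNECTED(00000003)
depth=0 CN = foo.com
subject=CN = foo.com
issuer=C = US, O = Example CA'
SAMPLE_OLD='CONNECTED(00000003)
subject=/C=US/O=Foo Inc/CN=bar.com
issuer=/C=US/O=Example CA'

# Live usage (assumed IP from the documentation range 203.0.113.0/24):
#   check_sni 203.0.113.10 foo.com www.foo.com:foo.com bar.com www.bar.com:bar.com
```

Run `check_sni` once without `-servername` semantics in mind: a client that sends no SNI at all (older Java, some monitoring agents) is handed the first `*:443` vhost's certificate, so whichever vhost is listed first for the port is the one every such client sees. `httpd -S` (or `apachectl -S`) prints that order and marks the default server per port, which is the quickest way to confirm it matches what this probe reports.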
I figured this out after some fairly extensive testing:
The shared "master" VirtualHost in ssl.conf
must reference the certificate, chain and key, otherwise it will not work. So, for clarity and to avoid writing (and maintaining) repeated lines in the vhosts, it is probably best to move this shared vhost into vhosts.conf
ahead of the others.
Any rules specified there appear to be correctly inherited by the subsequent vhosts and do not need to be repeated.
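For reference, here is the layout I would use for this setup; it is an added example, not the poster's files. Two points behind it: Apache virtual hosts inherit directives from the main server context, not from the first VirtualHost on the port, so anything meant to apply to every vhost (SSLProtocol, SSLCipherSuite, the FilesMatch/Directory blocks, BrowserMatch) is safest in main-server scope outside any VirtualHost; and on 2.4.33 the SSLProtocol of the first `*:443` vhost is what the handshake uses for all name-based vhosts on that ip:port anyway, because protocol negotiation happens before SNI selects the vhost. The first `*:443` vhost is also the one non-SNI clients get, so it must be fully SSL-enabled with its own certificate, which matches what the answer observed. The `default.crt`/`default.key` paths, the IP and the tightened protocol and cipher settings are my assumptions, not values from the post.

```apache
# /etc/httpd/conf.d/ssl.conf (added example, not the original poster's file)
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

# Main-server context: every VirtualHost inherits these, so they are written once.
# Dropping TLS 1.0/1.1 and pinning a cipher list is this example's choice, tighter
# than the post's "all -SSLv3".
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
# Inherited only by vhosts that define no CustomLog/TransferLog of their own;
# the per-domain vhosts below each set TransferLog, so they keep separate logs.
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

# /etc/httpd/conf.d/vhosts.conf
# First *:443 vhost = default for the IP. Clients sending no SNI (or an unknown
# name) land here, so it needs SSLEngine on and a certificate of its own.
# default.crt/default.key are assumed; reusing foo.crt/foo.key works too.
<VirtualHost *:443>
    ServerName default.example.invalid
    DocumentRoot "/var/www/default"
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/default.crt
    SSLCertificateKeyFile /etc/pki/tls/private/default.key
    # Optional: refuse clients that send no SNI instead of serving them this host.
    # SSLStrictSNIVHostCheck on
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# foo.com
<VirtualHost *:80>
    ServerName foo.com
    ServerAlias www.foo.com
    # trailing slash keeps the request path: /x -> https://foo.com/x
    Redirect 301 / https://foo.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName foo.com
    ServerAlias www.foo.com
    DocumentRoot "/var/www/foo"
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/foo.crt
    # still accepted; since 2.4.8 the chain may instead be appended to SSLCertificateFile
    SSLCertificateChainFile /etc/pki/tls/certs/foo.bundle
    SSLCertificateKeyFile   /etc/pki/tls/private/foo.key
    ErrorLog logs/foo
    TransferLog logs/foo-acc
</VirtualHost>

# bar.com
<VirtualHost *:80>
    ServerName bar.com
    ServerAlias www.bar.com
    Redirect 301 / https://bar.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName bar.com
    ServerAlias www.bar.com
    DocumentRoot "/var/www/bar"
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/bar.crt
    SSLCertificateChainFile /etc/pki/tls/certs/bar.bundle
    SSLCertificateKeyFile   /etc/pki/tls/private/bar.key
    ErrorLog logs/bar
    TransferLog logs/bar-acc
</VirtualHost>
```

Check it with `httpd -t` for syntax and `httpd -S` for the vhost table: the line marked `default server` under `*:443` must be the catch-all, followed by `namevhost foo.com` and `namevhost bar.com` in that order. Because conf.d files are included alphabetically, keep the default vhost in the same file as, and above, the per-domain ones, exactly as the answer suggests; a later file named e.g. `00-default.conf` would otherwise silently change which vhost is first.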