Monday, 1 February 2016

Installing more than one SSL certificate on Apache


SSL certificates used to cost money, so the company rarely used them. With the winds of change, though, free SSL certificate issuers have started to appear online. I happened to be developing a new project, and it would be better if it used SSL, so I installed a certificate for another subdomain on a server that already had SSL. At first this produced the warning "[warn] _default_ VirtualHost overlap on port 443, the first has precedence", and it turned out that "NameVirtualHost *:443" was missing from /etc/httpd/conf/httpd.conf. On Apache 2.2 (the version this config targets: RewriteLog and Order/Allow are 2.2 directives, and /etc/httpd with /etc/pki/tls is the RHEL/CentOS layout) that line is what makes the *:443 vhosts name-based; without it httpd treats every later <VirtualHost *:443> as a duplicate of the first and serves the first certificate to everyone, which is exactly what the warning says. Name-based HTTPS also depends on the client sending the hostname in the TLS handshake (SNI): a client without SNI still gets the first vhost's certificate and a name-mismatch error for the other sites. On Apache 2.4 the NameVirtualHost directive is deprecated and does nothing, because name-based matching is automatic there.

game.sita-chan.com.conf
##  game.sita-chan.com Server Settings
##  Apache 2.2 syntax. For a second name-based vhost on *:443 the global
##  httpd.conf must also contain, once:   NameVirtualHost *:443
##  Clients that do not send SNI still receive the first *:443 vhost's certificate.
<VirtualHost *:80>
   ServerAdmin support@sita-chan.com
   ServerName game.sita-chan.com
   DocumentRoot /home/www/game.sita-chan.com
   <Directory "/home/www/game.sita-chan.com">
      AllowOverride All
      Order Allow,Deny
      Allow from All
   </Directory>
   ## ProxyRequests off keeps this from becoming an open forward proxy; the
   ## <Proxy *> block only matters if a ProxyPass is added later.
   ProxyRequests off
   <Proxy *>
      Order deny,allow
      Allow from all
   </Proxy>

   RewriteEngine On
   RewriteLog "/var/log/httpd/rewrite_log"
   RewriteLogLevel 4
</VirtualHost>

##  SSL related
<VirtualHost *:443>
   ServerAdmin support@sita-chan.com
   ServerName game.sita-chan.com:443

   ErrorLog /var/log/httpd/ssl_error_log.game.sita-chan.com
   TransferLog logs/ssl_access_log.game.sita-chan.com

   RewriteEngine On
   RewriteLog "/var/log/httpd/rewrite_log"
   RewriteLogLevel 4

   SSLEngine on
   ## SSLv3 is broken (POODLE); disable it together with SSLv2.
   SSLProtocol all -SSLv2 -SSLv3
   ## The list is ordered strongest first; SSLHonorCipherOrder makes the server,
   ## not the client, pick from that order. No trailing ";": OpenSSL splits the
   ## cipher string on ":", "," and space only, so "DHE-RSA-AES128-SHA;" would be
   ## an unknown name and silently dropped.
   SSLHonorCipherOrder on
   SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
   SSLCertificateFile /etc/pki/tls/certs/game.sita-chan.com/domain.crt
   ## The private key must be readable by root only (mode 0600).
   SSLCertificateKeyFile /etc/pki/tls/certs/game.sita-chan.com/domain.key
   SSLCertificateChainFile /etc/pki/tls/certs/game.sita-chan.com/intermediate.pem

   DocumentRoot /home/www/game.sita-chan.com
   <Directory "/home/www/game.sita-chan.com">
      AllowOverride All
      Order Allow,Deny
      Allow from All
   </Directory>

   ProxyRequests off
   <Proxy *>
      Order deny,allow
      Allow from all
   </Proxy>
</VirtualHost>
Take the above as a reference only; it is not good practice. The *:80 vhost serves exactly the same DocumentRoot in clear text, so anyone who can put a proxy between the user and the server only has to turn the user's HTTPS requests into HTTP and the whole site is delivered without TLS, with nothing to alert the user (SSL stripping). The better approach is to keep only the SSL section, or to let the *:80 vhost do nothing but redirect to https://game.sita-chan.com/ and to send a Strict-Transport-Security header from the 443 vhost so browsers stop requesting the http:// version at all.
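As an added example (not code from the original post), here is a small stdlib-only Python linter that checks a vhost file for the four problems this post runs into or warns about: more than one <VirtualHost *:443> without a global NameVirtualHost *:443 (the overlap warning), SSLv2/SSLv3 still allowed, a cipher-suite token that OpenSSL cannot parse (the trailing ";"), and a plaintext vhost that mirrors its HTTPS twin without redirecting. The sample config, the hostname www.example.com standing in for the server's pre-existing certificate, and the functions parse_config, allowed_protocols and lint are all constructed for this example.

```python
# Added example (not the post's own code): stdlib-only linter for an Apache 2.2
# vhost file covering the four problems discussed in the post: the *:443 overlap
# warning, SSLv2/SSLv3 left enabled, an unparseable cipher token, and a *:80 twin
# that never redirects to HTTPS.
import re
from collections import Counter

_VHOST_OPEN = re.compile(r'^<virtualhost\s+([^>]+)>$', re.IGNORECASE)
_DIRECTIVE = re.compile(r'^(\w+)\s+(.*)$')

# Constructed sample: the post's vhost pair plus a second *:443 vhost standing in
# for the certificate the server already had (www.example.com is an assumed name).
SAMPLE_CONFIG = """\
<VirtualHost *:443>
   ServerName www.example.com:443
   SSLEngine on
   SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:80>
   ServerName game.sita-chan.com
   DocumentRoot /home/www/game.sita-chan.com
   RewriteEngine On
</VirtualHost>
<VirtualHost *:443>
   ServerName game.sita-chan.com:443
   SSLEngine on
   SSLProtocol all -SSLv2
   SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA;
   DocumentRoot /home/www/game.sita-chan.com
</VirtualHost>
"""

def parse_config(text):
    """Return (global directives, vhosts); each is {lower-cased name: [values]}.
    Inner containers such as <Directory> are not modelled: their directives land
    in the enclosing vhost, which is harmless for the names checked here."""
    global_dirs, vhosts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if (m := _VHOST_OPEN.match(line)):
            current = {'_addr': [m.group(1).strip()]}
        elif line.lower() == '</virtualhost>':
            if current is not None:
                vhosts.append(current)
            current = None
        elif (d := _DIRECTIVE.match(line)):  # never matches a line starting with '<'
            target = global_dirs if current is None else current
            target.setdefault(d.group(1).lower(), []).append(d.group(2).strip())
    return global_dirs, vhosts

def allowed_protocols(value):
    """Evaluate an SSLProtocol argument: 'all' enables every version, +x/-x toggle one."""
    allowed = set()
    for tok in value.lower().split():
        if tok == 'all':
            allowed |= {'sslv2', 'sslv3', 'tlsv1', 'tlsv1.1', 'tlsv1.2'}
        elif tok.startswith('-'):
            allowed.discard(tok[1:])
        else:
            allowed.add(tok.lstrip('+'))
    return allowed

def _first(v, name):
    return v.get(name, [''])[0]

def lint(text):
    findings = []
    global_dirs, vhosts = parse_config(text)
    # 1. In 2.2 vhosts sharing an address are name-based only if NameVirtualHost
    #    declares that address; otherwise httpd serves the first block only.
    declared = {a.strip() for a in global_dirs.get('namevirtualhost', [])}
    for addr, n in Counter(_first(v, '_addr') for v in vhosts).items():
        if n > 1 and addr not in declared:
            findings.append(f'{n} vhosts share {addr} without NameVirtualHost {addr}: '
                            f'"_default_ VirtualHost overlap", only the first is served')
    for v in vhosts:  # 2./3. per-vhost TLS settings
        name = _first(v, 'servername').split(':')[0]
        for proto in v.get('sslprotocol', []):
            if weak := allowed_protocols(proto) & {'sslv2', 'sslv3'}:
                findings.append(f'{name}: SSLProtocol "{proto}" still allows {sorted(weak)}')
        for suite in v.get('sslciphersuite', []):
            # OpenSSL splits on ':', ',' and ' ' only; anything else becomes an unknown name
            if bad := [t for t in re.split(r'[:, ]+', suite)
                       if t and not re.fullmatch(r'[A-Za-z0-9@=_+!-]+', t)]:
                findings.append(f'{name}: SSLCipherSuite tokens {bad} are invalid and ignored')
    # 4. plaintext twin of an HTTPS vhost that never redirects to it (SSL stripping)
    https_roots = {_first(v, 'servername').split(':')[0]: _first(v, 'documentroot')
                   for v in vhosts if _first(v, 'sslengine').lower() == 'on'}
    for v in vhosts:
        name = _first(v, 'servername').split(':')[0]
        if _first(v, 'sslengine').lower() == 'on' or name not in https_roots:
            continue
        redirects = (v.get('redirect', []) + v.get('redirectmatch', [])
                     + [r for r in v.get('rewriterule', []) if 'https://' in r.lower()])
        if not redirects and _first(v, 'documentroot') == https_roots[name]:
            findings.append(f'{name}: *:80 serves the same DocumentRoot as HTTPS and never '
                            f'redirects, so a downgrading proxy can strip TLS unnoticed')
    return findings

if __name__ == '__main__':
    for finding in lint(SAMPLE_CONFIG):
        print('-', finding)
```

Run against the sample it reports all four findings; adding NameVirtualHost *:443, disabling SSLv3, dropping the ";" and replacing the *:80 RewriteEngine line with a Redirect to the HTTPS URL makes the output empty. It only reads the text, so point it at the whole config directory (cat *.conf) to catch the NameVirtualHost line living in httpd.conf rather than in the vhost file.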
