Apache2“本地主机”有效，但对于 127.0.0.1 我得到“无法访问此站点拒绝连接” SSL 还会返回授权错误

如何解决Apache2“本地主机”有效，但对于 127.0.0.1 我得到“无法访问此站点拒绝连接” SSL 还会返回授权错误

我正在尝试使用自签名证书在 docker (WSL2) 下运行 apache2 来测试 SSL。 docker 文件脚本如下所示

FROM PHP:7.1-apache
RUN apt-get update && apt-get install -y zlib1g-dev
copY ./certs/* /etc/apache2/ssl/
copY dev.conf /etc/apache2/sites-enabled/dev.conf
RUN docker-PHP-ext-install MysqLi pdo pdo_MysqL zip mbstring
RUN a2enmod rewrite
RUN a2enmod ssl
RUN service apache2 restart

dev.conf 包含如下所示的 SSL 虚拟主机。

<VirtualHost *:443>
    DocumentRoot "/var/www/html/"
    
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    
    SSLEngine on
    
    SSLCertificateFile "/etc/apache2/ssl/server.crt"
    SSLCertificateKeyFile "/etc/apache2/ssl/server.key" 
                
    ServerName dev-asusrog.com

</VirtualHost>

在端口 80 上使用 chrome/firefox/opera 在 http://localhost:80 上运行它可以工作。相同，但使用 http://127.0.0.1:80 时，我收到“无法访问此站点”拒绝连接的信息。”仅 IP6 版本协议已禁用。

sysctl net.ipv6.bindv6only
net.ipv6.bindv6only = 0

使用 curl -v localhost 或 curl -v 127.0.0.1 似乎在这两种情况下都有效。

curl -v localhost
*   Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue,12 Jan 2021 08:39:23 GMT
< Server: Apache/2.4.38 (Debian)
< Last-Modified: Tue,12 Jan 2021 08:05:26 GMT
< ETag: "20-5b8af7c33cb30"
< Accept-Ranges: bytes
< Content-Length: 32
< Content-Type: text/html
<
<html>
<h1>Welcome</h1>
</html>
* Connection #0 to host localhost left intact


curl -v 127.0.0.1
*   Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue,12 Jan 2021 08:39:33 GMT
< Server: Apache/2.4.38 (Debian)
< Last-Modified: Tue,12 Jan 2021 08:05:26 GMT
< ETag: "20-5b8af7c33cb30"
< Accept-Ranges: bytes
< Content-Length: 32
< Content-Type: text/html
<
<html>
<h1>Welcome</h1>
</html>
* Connection #0 to host 127.0.0.1 left intact

运行 https://dev-asusrog.com/（我已经在主机文件 dev-asusrog.com 下设置指向 127.0.1.1）我得到“访问 dev-asusrog.com 被拒绝。你没有查看此页面的授权。HTTP ERROR 403"

文件 server.crt 和 server.key 文件是使用 openssl 创建的，使用下面的命令，使用 dev-asusrog.com 上面的假服务器作为服务器 FQDN。

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

我收到以下 Apache2 错误。第一个是关于完全限定域名的，通过在 ServerName localhost 下添加 /etc/apache2/apache2.conf 语句来修复。其他人呢？

AH00558: apache2: Could not reliably determine the server's fully qualified domain name,using 192.168.1.1. Set the 'ServerName' directive globally to suppress this message
[Tue Jan 12 11:53:39.329396 2021] [ssl:warn] [pid 22] AH01906: dev-asusrog.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jan 12 11:53:39.329797 2021] [ssl:error] [pid 22] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=dev-asusrog.com,OU=informatics,O=Company,L=mystate,ST=mystate,C=US / issuer: CN=dev-asusrog.com,C=US / serial: 08C832686429FFF4C45180A8806FE16A278B41A3 / notbefore: Jan 11 10:40:12 2021 GMT / notafter: Jan 11 10:40:12 2022 GMT]
[Tue Jan 12 11:53:39.329830 2021] [ssl:error] [pid 22] AH02604: Unable to configure certificate dev-asusrog.com:443:0 for stapling

这里有什么帮助吗？

解决方法

localhost 现在通常是 ::1 的别名（注意：IPV6），而 127.0.0.1 显然是 IPV4。因此，您正在连接到不同的端点，如果您没有明确打开 IPV4 连接，则那里没有任何监听。

第一步）我必须在 \Windows\system32\drivers\etc\hosts 下更改/添加本地测试域按照 Olaf Kock 的建议，从 127.0.0.1 dev-asusrog.com 到 ::1 dev-asusrog.com。

第二步）我不得不禁用 SSLUseStapling 下的 ssl-params.conf 参数，即注释掉

#SSLUseStapling on

3nd -option- step) 在 Windows 受信任的根证书颁发机构中安装 server.crt 证书为方便起见，我在下面附上了受影响的文件。

我的 Dockerfile 变成了这个

FROM php:7.1-apache

COPY ./certs/* /etc/apache2/ssl/
COPY ssl-params.conf /etc/apache2/conf-available/
COPY ./sites-available/* /etc/apache2/sites-available/
RUN a2enconf ssl-params
RUN a2ensite default-ssl
RUN a2enmod rewrite
RUN a2enmod ssl
RUN a2enmod headers

WORKDIR /var/www/html/

RUN service apache2 restart

我的ssl-params.conf声明如下

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACH$
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

SSLHonorCipherOrder On

# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"

Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff

# Requires Apache >= 2.4
SSLCompression off
#SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

# Requires Apache >= 2.4.11
SSLSessionTickets Off

文件 sites-available/default-ssl.conf 是这样声明的

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin your_email@example.com
                ServerName dev-asusrog.com

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile "/etc/apache2/ssl/server.crt"
                SSLCertificateKeyFile "/etc/apache2/ssl/server.key"             

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

                BrowserMatch "MSIE [2-6]" \
                               nokeepalive ssl-unclean-shutdown \
                               downgrade-1.0 force-response-1.0

        </VirtualHost>
</IfModule>

如果你遇到和我一样的问题，希望它能帮到你。

此致，