如何解决Apache2“本地主机”有效,但对于 127.0.0.1 我得到“无法访问此站点拒绝连接” SSL 还会返回授权错误
我正在尝试使用自签名证书在 docker (WSL2) 下运行 apache2 来测试 SSL。 docker 文件脚本如下所示
FROM PHP:7.1-apache
RUN apt-get update && apt-get install -y zlib1g-dev
copY ./certs/* /etc/apache2/ssl/
copY dev.conf /etc/apache2/sites-enabled/dev.conf
RUN docker-PHP-ext-install MysqLi pdo pdo_MysqL zip mbstring
RUN a2enmod rewrite
RUN a2enmod ssl
RUN service apache2 restart
dev.conf
包含如下所示的 SSL 虚拟主机。
<VirtualHost *:443>
DocumentRoot "/var/www/html/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl/server.crt"
SSLCertificateKeyFile "/etc/apache2/ssl/server.key"
ServerName dev-asusrog.com
</VirtualHost>
在端口 80 上使用 chrome/firefox/opera 在 http://localhost:80
上运行它可以工作。相同,但使用 http://127.0.0.1:80
时,我收到“无法访问此站点”拒绝连接的信息。”仅 IP6 版本协议已禁用。
sysctl net.ipv6.bindv6only
net.ipv6.bindv6only = 0
使用 curl -v localhost
或 curl -v 127.0.0.1
似乎在这两种情况下都有效。
curl -v localhost
* Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue,12 Jan 2021 08:39:23 GMT
< Server: Apache/2.4.38 (Debian)
< Last-Modified: Tue,12 Jan 2021 08:05:26 GMT
< ETag: "20-5b8af7c33cb30"
< Accept-Ranges: bytes
< Content-Length: 32
< Content-Type: text/html
<
<html>
<h1>Welcome</h1>
</html>
* Connection #0 to host localhost left intact
curl -v 127.0.0.1
* Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue,12 Jan 2021 08:39:33 GMT
< Server: Apache/2.4.38 (Debian)
< Last-Modified: Tue,12 Jan 2021 08:05:26 GMT
< ETag: "20-5b8af7c33cb30"
< Accept-Ranges: bytes
< Content-Length: 32
< Content-Type: text/html
<
<html>
<h1>Welcome</h1>
</html>
* Connection #0 to host 127.0.0.1 left intact
运行 https://dev-asusrog.com/
(我已经在主机文件 dev-asusrog.com 下设置指向 127.0.1.1)我得到“访问 dev-asusrog.com 被拒绝。你没有查看此页面的授权。HTTP ERROR 403"
文件 server.crt
和 server.key
文件是使用 openssl 创建的,使用下面的命令,使用 dev-asusrog.com
上面的假服务器作为服务器 FQDN。
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
我收到以下 Apache2 错误。第一个是关于完全限定域名的,通过在 ServerName localhost
下添加 /etc/apache2/apache2.conf
语句来修复。其他人呢?
AH00558: apache2: Could not reliably determine the server's fully qualified domain name,using 192.168.1.1. Set the 'ServerName' directive globally to suppress this message
[Tue Jan 12 11:53:39.329396 2021] [ssl:warn] [pid 22] AH01906: dev-asusrog.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jan 12 11:53:39.329797 2021] [ssl:error] [pid 22] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=dev-asusrog.com,OU=informatics,O=Company,L=mystate,ST=mystate,C=US / issuer: CN=dev-asusrog.com,C=US / serial: 08C832686429FFF4C45180A8806FE16A278B41A3 / notbefore: Jan 11 10:40:12 2021 GMT / notafter: Jan 11 10:40:12 2022 GMT]
[Tue Jan 12 11:53:39.329830 2021] [ssl:error] [pid 22] AH02604: Unable to configure certificate dev-asusrog.com:443:0 for stapling
这里有什么帮助吗?
解决方法
localhost
现在通常是 ::1
的别名(注意:IPV6),而 127.0.0.1
显然是 IPV4。因此,您正在连接到不同的端点,如果您没有明确打开 IPV4 连接,则那里没有任何监听。
第一步)我必须在 \Windows\system32\drivers\etc\hosts
下更改/添加本地测试域
按照 Olaf Kock 的建议,从 127.0.0.1 dev-asusrog.com
到 ::1 dev-asusrog.com
。
第二步)我不得不禁用 SSLUseStapling
下的 ssl-params.conf
参数,即注释掉
#SSLUseStapling on
3nd -option- step) 在 Windows 受信任的根证书颁发机构中安装 server.crt 证书 为方便起见,我在下面附上了受影响的文件。
我的 Dockerfile 变成了这个
FROM php:7.1-apache
COPY ./certs/* /etc/apache2/ssl/
COPY ssl-params.conf /etc/apache2/conf-available/
COPY ./sites-available/* /etc/apache2/sites-available/
RUN a2enconf ssl-params
RUN a2ensite default-ssl
RUN a2enmod rewrite
RUN a2enmod ssl
RUN a2enmod headers
WORKDIR /var/www/html/
RUN service apache2 restart
我的ssl-params.conf
声明如下
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACH$
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
#SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
文件 sites-available/default-ssl.conf
是这样声明的
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin your_email@example.com
ServerName dev-asusrog.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl/server.crt"
SSLCertificateKeyFile "/etc/apache2/ssl/server.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
如果你遇到和我一样的问题,希望它能帮到你。
此致,
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。