怎样配置SNI

2017年12月20日 | 分类: 【技术】

设置基本环境:

参考:http://amon.org/server

签发 SSL 证书:

参考:http://amon.org/le

编译安装 gnutls :

参考:http://amon.org/gnutls

编译安装 mod_gnutls :

参考:http://amon.org/mod_gnutls

编译安装Apache:

参考:http://amon.org/apache

配置 gnutls :

# Cache directory for mod_gnutls, owned by the unprivileged httpd user and
# readable by nobody else. It is only used when GnuTLSCache points at a
# file-backed cache; the httpd.conf on this page sets "GnuTLSCache none",
# in which case the directory is created but never touched.
mkdir -m 0700 /var/cache/gnutls
chown apache:apache /var/cache/gnutls

在httpd.conf中:

# "none" disables the TLS session cache entirely; the path argument is then
# ignored (and the /var/cache/gnutls directory created above stays unused).
GnuTLSCache none "/var/cache/gnutls"
# Cache entry lifetime in seconds. Has nothing to act on while the cache is
# "none" (newer mod_gnutls may also use it for session-ticket lifetime —
# check the docs of the installed version).
GnuTLSCacheTimeout 300

/usr/local/apache2/conf/httpd.conf 全文:

# Installation root; relative paths below (logs/, conf/, modules/) resolve here.
ServerRoot "/usr/local/apache2"
 
# Plain HTTP and TLS. Port 443 is handled by mod_gnutls, enabled per vhost
# with GnuTLSEnable in conf/extra/httpd-vhosts.conf.
Listen 80
Listen 443
 
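# Module set for a mod_gnutls + mod_php server.
#
# mod_ssl is no longer loaded: no SSLEngine directive exists anywhere in this
# config, every TLS vhost uses GnuTLSEnable, and the phpinfo() check on this
# page reports SSL_VERSION_INTERFACE=mod_gnutls. Keeping a second, unconfigured
# TLS stack loaded only adds attack surface and makes it ambiguous which module
# owns port 443. Re-enable it only if a vhost is switched to mod_ssl.
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule expires_module modules/mod_expires.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
#LoadModule ssl_module modules/mod_ssl.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
# TLS provider for the *:443 vhosts.
LoadModule gnutls_module modules/mod_gnutls.so
LoadModule php7_module modules/libphp7.so
# NOTE(review): status, vhost_alias, negotiation, include and access_compat have
# no matching directives in the listings on this page (no /server-status
# Location, no VirtualDocumentRoot, no MultiViews/Includes options, no
# Order/Allow rules). They are harmless as loaded, but each is code exposed to
# requests for no benefit; drop the ones that stay unused. autoindex is what
# "Options Indexes" relies on for directory listings.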

# Worker processes drop from root to this unprivileged account after the
# listening sockets are bound. Everything the server writes (logs, caches)
# must be writable by apache:apache, and nothing it should not read
# (e.g. the Let's Encrypt private keys) should be readable by it.
<IfModule unixd_module>
 
    User apache
    Group apache
 
</IfModule>
 
# Contact address; only rendered on error pages when ServerSignature is
# "EMail", and ServerSignature is Off further down.
ServerAdmin support@amon.org

# Canonical name of the main (non-virtual) server. A bare IP is used here;
# the real hostnames live in conf/extra/httpd-vhosts.conf.
ServerName 123.123.123.123
 
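# Deny the whole filesystem by default; every served tree opts in explicitly.
<Directory />
    AllowOverride none
    Require all denied
</Directory>
 
DocumentRoot "/usr/local/apache2/htdocs"
 
# The entire htdocs tree is world-readable, and the vhost config on this page
# keeps its access/error logs under htdocs/logs/. "Indexes" was removed so that
# any directory without an index file (the log directory included) is not
# listable by anyone. FollowSymLinks stays because per-directory mod_rewrite
# rules (AllowOverride All in the vhosts) need it or SymLinksIfOwnerMatch.
<Directory "/usr/local/apache2/htdocs">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Never serve the log directory the vhosts write into, even if a DocumentRoot
# or a symlink ends up pointing at it. Logs contain client IPs, referers and
# the full query strings of every request. Moving them out of the document
# tree (e.g. /usr/local/apache2/logs/) is the real fix; this is the backstop.
<Directory "/usr/local/apache2/htdocs/logs">
    Require all denied
</Directory>
 
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>
 
# .htaccess / .htpasswd must never be downloadable.
<Files ".ht*">
    Require all denied
</Files>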
 
# Main server error log (relative to ServerRoot); the vhosts define their own.
ErrorLog "logs/error_log"
 
LogLevel warn
 
# NOTE(review): the included vhosts reference the "combined" LogFormat nickname
# that is only defined further down in this file. mod_log_config appears to
# resolve nicknames when the logs are opened (after the whole config is
# parsed), so this works; keeping the Include at the end of the file, as the
# stock httpd.conf does, avoids relying on that.
Include conf/extra/httpd-vhosts.conf
 
# Access log formats. "combined" is what the vhosts on this page use.
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
 
    # %I/%O byte counters need mod_logio, which is not in the LoadModule list
    # above, so "combinedio" is currently never defined.
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
 
    # Main server access log; requests that hit a vhost go to that vhost's log.
    CustomLog "logs/access_log" combined
</IfModule>
 
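<IfModule mime_module>
 
    TypesConfig conf/mime.types
 
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    # PHP is bound with SetHandler on names that END in .php, not with
    # "AddType application/x-httpd-php .php": mod_mime evaluates every
    # extension in a filename and ignores unknown ones, so with AddType an
    # uploaded "shell.php.xyz" would still run as PHP. This is the binding the
    # PHP manual recommends for mod_php.
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
     
    # The former "AddHandler cgi-script .cgi .pl" was dropped: neither mod_cgi
    # nor mod_cgid is loaded and no directory sets ExecCGI, so it did nothing
    # except pre-arm .pl/.cgi files for execution should either be added later.
 
</IfModule>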
 
# HTTP response compression (h5bp-style type list).
# NOTE(review): compressing text/html and JSON that embed per-user secrets
# (CSRF tokens, session identifiers) on the TLS vhosts is the precondition for
# BREACH-style attacks. TLS-level compression is off (SSL_COMPRESS_METHOD NULL
# in the phpinfo() output on this page) but HTTP-level DEFLATE is not. Either
# exclude text/html and application/json for the TLS vhosts, or make sure the
# application randomises its tokens per response.
<IfModule mod_deflate.c>
 
    <IfModule mod_setenvif.c>
 
        <IfModule mod_headers.c>
            # Work-around for proxies / AV products that mangle the
            # Accept-Encoding header name: detect the mangled forms and
            # re-add a proper header so compression still kicks in.
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
        </IfModule>
    </IfModule>
     
    <IfModule mod_filter.c>
 
        # Response types compressed on the fly.
        AddOutputFilterByType DEFLATE application/atom+xml
        AddOutputFilterByType DEFLATE application/javascript
        AddOutputFilterByType DEFLATE application/json
        AddOutputFilterByType DEFLATE application/ld+json
        AddOutputFilterByType DEFLATE application/manifest+json
        AddOutputFilterByType DEFLATE application/rdf+xml
        AddOutputFilterByType DEFLATE application/rss+xml
        AddOutputFilterByType DEFLATE application/schema+json
        AddOutputFilterByType DEFLATE application/vnd.geo+json
        AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
        AddOutputFilterByType DEFLATE application/x-font-ttf
        AddOutputFilterByType DEFLATE application/x-javascript
        AddOutputFilterByType DEFLATE application/x-web-app-manifest+json
        AddOutputFilterByType DEFLATE application/xhtml+xml
        AddOutputFilterByType DEFLATE application/xml
        AddOutputFilterByType DEFLATE font/eot
        AddOutputFilterByType DEFLATE font/opentype
        AddOutputFilterByType DEFLATE image/bmp
        AddOutputFilterByType DEFLATE image/svg+xml
        AddOutputFilterByType DEFLATE image/vnd.microsoft.icon
        AddOutputFilterByType DEFLATE image/x-icon
        AddOutputFilterByType DEFLATE text/cache-manifest
        AddOutputFilterByType DEFLATE text/css
        AddOutputFilterByType DEFLATE text/html
        AddOutputFilterByType DEFLATE text/javascript
        AddOutputFilterByType DEFLATE text/plain
        AddOutputFilterByType DEFLATE text/vcard
        AddOutputFilterByType DEFLATE text/vnd.rim.location.xloc
        AddOutputFilterByType DEFLATE text/vtt
        AddOutputFilterByType DEFLATE text/x-component
        AddOutputFilterByType DEFLATE text/x-cross-domain-policy
        AddOutputFilterByType DEFLATE text/xml
 
    </IfModule>
     
    <IfModule mod_mime.c>
         
        # Pre-compressed SVG: tell the client it is gzip-encoded.
        AddEncoding gzip svgz
 
    </IfModule>
 
</IfModule>
 
# mod_proxy_html is not in the LoadModule list above, so this Include is
# currently inert. Left in place as a no-op.
<IfModule proxy_html_module>
 
    Include conf/extra/proxy-html.conf
 
</IfModule>
 
# Server-wide mod_gnutls settings (duplicated from the snippet earlier on this
# page). "none" disables the TLS session cache, so the path argument — and the
# /var/cache/gnutls directory — is unused and any resumption would have to
# come from session tickets. NOTE(review): socache_shmcb_module is loaded
# above; if this mod_gnutls build takes a mod_socache provider here
# ("GnuTLSCache shmcb"), that is the usual way to get resumption back —
# check the installed version's syntax before changing it.
<IfModule mod_gnutls.c>
 
    GnuTLSCache none "/var/cache/gnutls"
    GnuTLSCacheTimeout 300
 
</IfModule>
 
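# Hide version details in the Server header and on generated error pages.
ServerTokens ProductOnly
ServerSignature Off

# TRACE has no use on a production site and reflects request headers back to
# the client (cross-site tracing); disable it server-wide.
TraceEnable Off

# Keep browsers from MIME-sniffing responses away from the declared type.
# Applies to every vhost since the directive is set in server context.
<IfModule headers_module>
    Header always set X-Content-Type-Options "nosniff"
</IfModule>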

/usr/local/apache2/conf/extra/httpd-vhosts.conf 全文:

# Default vhost for port 80. Being defined first, it receives every request
# whose Host header matches no ServerName below — including requests by bare
# IP — and rewrites all of them to /redirect/index.php under domain1's docroot.
# NOTE(review): there is no equivalent catch-all on *:443; the first *:443
# vhost (domain1.com) is what clients get when they send no SNI name or an
# unknown one.
<VirtualHost *:80>
	ServerName 123.123.123.123
	DocumentRoot /usr/local/apache2/htdocs/domain1.com/portal/
	RewriteEngine On
	RewriteRule ^.* /redirect/index.php
</VirtualHost>

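# domain1.com over TLS. mod_gnutls selects this vhost from the client's SNI
# name; as the first *:443 vhost it is also the default for non-SNI clients.
<VirtualHost *:443>
	ServerName domain1.com
	DocumentRoot /usr/local/apache2/htdocs/domain1.com/portal/
	# Logs moved out of htdocs/: the document tree is world-readable
	# ("Require all granted" on htdocs in httpd.conf) and access logs hold
	# client IPs, referers and full query strings.
	ErrorLog /usr/local/apache2/logs/domain1.com_error.log
	CustomLog /usr/local/apache2/logs/domain1.com_access.log combined
	GnuTLSEnable on
	# As of GnuTLS 3.6 the NORMAL priority still negotiates TLS 1.0 and 1.1;
	# both are dropped here. This turns away clients that cannot speak
	# TLS 1.2+, so widen it deliberately if such clients matter.
	GnuTLSPriorities NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
	# Let's Encrypt material. The key is presumably read at startup (as root,
	# before the User/Group drop) — keep privkey.pem unreadable to "apache".
	GnuTLSCertificateFile /etc/letsencrypt/live/domain1.com/fullchain.pem
	GnuTLSKeyFile /etc/letsencrypt/live/domain1.com/privkey.pem
	# HSTS: once the site is fully reachable over https, tell browsers to
	# stop trying http for a year. Add includeSubDomains/preload only after
	# confirming every subdomain serves TLS.
	<IfModule headers_module>
		Header always set Strict-Transport-Security "max-age=31536000"
	</IfModule>
	<Directory /usr/local/apache2/htdocs/domain1.com/portal>
		# No directory listings. AllowOverride All lets a .htaccess re-enable
		# them, so watch what the application ships in its tree.
		Options FollowSymLinks
		AllowOverride All
		Require all granted
	</Directory>
</VirtualHost>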

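# domain1.com over plain HTTP: redirect everything to the TLS vhost. The
# original served the full site here as well, so anyone typing the bare
# hostname stayed on cleartext. Let's Encrypt HTTP-01 validation follows
# redirects to https, so renewals keep working.
<VirtualHost *:80>
	ServerName domain1.com
	DocumentRoot /usr/local/apache2/htdocs/domain1.com/portal/
	# Same log files as the TLS vhost, kept outside the document tree.
	ErrorLog /usr/local/apache2/logs/domain1.com_error.log
	CustomLog /usr/local/apache2/logs/domain1.com_access.log combined
	Redirect permanent "/" "https://domain1.com/"
</VirtualHost>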

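# domain2.com over TLS, selected by SNI. Same hardening as domain1.com.
<VirtualHost *:443>
	ServerName domain2.com
	DocumentRoot /usr/local/apache2/htdocs/domain2.com/portal/
	# Logs moved out of htdocs/: the document tree is world-readable
	# ("Require all granted" on htdocs in httpd.conf) and access logs hold
	# client IPs, referers and full query strings.
	ErrorLog /usr/local/apache2/logs/domain2.com_error.log
	CustomLog /usr/local/apache2/logs/domain2.com_access.log combined
	GnuTLSEnable on
	# As of GnuTLS 3.6 the NORMAL priority still negotiates TLS 1.0 and 1.1;
	# both are dropped here. This turns away clients that cannot speak
	# TLS 1.2+, so widen it deliberately if such clients matter.
	GnuTLSPriorities NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
	# Let's Encrypt material. The key is presumably read at startup (as root,
	# before the User/Group drop) — keep privkey.pem unreadable to "apache".
	GnuTLSCertificateFile /etc/letsencrypt/live/domain2.com/fullchain.pem
	GnuTLSKeyFile /etc/letsencrypt/live/domain2.com/privkey.pem
	# HSTS: once the site is fully reachable over https, tell browsers to
	# stop trying http for a year. Add includeSubDomains/preload only after
	# confirming every subdomain serves TLS.
	<IfModule headers_module>
		Header always set Strict-Transport-Security "max-age=31536000"
	</IfModule>
	<Directory /usr/local/apache2/htdocs/domain2.com/portal>
		# No directory listings. AllowOverride All lets a .htaccess re-enable
		# them, so watch what the application ships in its tree.
		Options FollowSymLinks
		AllowOverride All
		Require all granted
	</Directory>
</VirtualHost>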

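# domain2.com over plain HTTP: redirect everything to the TLS vhost. The
# original served the full site here as well, so anyone typing the bare
# hostname stayed on cleartext. Let's Encrypt HTTP-01 validation follows
# redirects to https, so renewals keep working.
<VirtualHost *:80>
	ServerName domain2.com
	DocumentRoot /usr/local/apache2/htdocs/domain2.com/portal/
	# Same log files as the TLS vhost, kept outside the document tree.
	ErrorLog /usr/local/apache2/logs/domain2.com_error.log
	CustomLog /usr/local/apache2/logs/domain2.com_access.log combined
	Redirect permanent "/" "https://domain2.com/"
</VirtualHost>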

验证 phpinfo()(注意:phpinfo 页面会暴露 PHP、Apache 及环境变量的详细配置,验证完成后务必从服务器上删除):

Apache Environment
Variable Value
HTTPS on
SSL_VERSION_LIBRARY GnuTLS/3.6.5
SSL_VERSION_INTERFACE mod_gnutls/0.8.4
SSL_PROTOCOL TLS1.3
SSL_CIPHER ECDHE_RSA_AES_128_GCM_SHA256
SSL_COMPRESS_METHOD NULL
SSL_CLIENT_VERIFY NONE
SSL_CIPHER_USEKEYSIZE 128
SSL_CIPHER_ALGKEYSIZE 128
SSL_CIPHER_EXPORT false

验证 SNI 成效:

https://domain1.com 和 https://domain2.com 均能正确打开,显示绿色小锁 TLS 图标。也可以在命令行上分别用 `openssl s_client -connect 123.123.123.123:443 -servername domain1.com` 和 `-servername domain2.com` 确认服务器按 SNI 返回各自的证书;不带 -servername 时,返回的应是第一个 *:443 虚拟主机(domain1.com)的证书。