主页 / ubuntu / 问题 / 1500148
Accepted
EnzoR
Asked: 2024-01-16 00:01:41 +0800 CST

Apache v2.4 通过端口 443 提供 HTTP 服务

  • 772

我在 Ubuntu 20.04 上遇到了这个问题。

它看起来很像许多类似的东西,但经过几个小时的尝试,结果证明它不是通常的东西。

我曾经certbot --apache将 HTTPS 添加到我服务器上的一个工作网站。我要求自动重定向到 HTTPS。一切显然都顺利。我还运行a2enmod ssl; a2nsite default-ssl.conf启用 SSL 模块并重新启动 apache2。

在日志中似乎读取了证书:

[ssl:info] [pid 4187632] AH02568: Certificate and private key mysite.com:443:0 configured from /etc/letsencrypt/live/mysite.com/fullchain.pem and /etc/letsencrypt/live/mysite.com/privkey.pem

我也发现了这个,但找不到足够的文档:

 [headers:debug] [pid 4188047] mod_headers.c(899): AH01503: headers: ap_headers_error_filter()

最终发生的情况是,apache2 正在侦听端口 443,但一旦发生重定向,就会通过该端口提供 HTTP 服务。当然,浏览器无法工作并会抛出如下错误:

This site can’t provide a secure connection
mysite.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

没有别的。

从另一台服务器我可以做这两个简单的测试:

$ nmap -A -Pn -p 443 mysite.com.
Nmap scan report for mysite.com. (1.2.3.4)
Host is up (0.044s latency).
Other addresses for mysite.com. (not scanned): 1234:1234:123:1234::
rDNS record for 1.2.3.4: host1.hosting.net

PORT    STATE SERVICE VERSION
443/tcp open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://mysite.com/
Service Info: Host: mysite.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.64 seconds


$ wget -v -v -v https://mysite.com/
--2024-01-15 16:42:45--  https://mysite.com/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving mysite.com (mysite.com)... 1.2.3.4, 1234:1234:123:1234::
Connecting to mysite.com (mysite.com)|1.2.3.4|:443... connected.
GnuTLS: An unexpected TLS packet was received.
Unable to establish SSL connection.

这些证实了我的诊断(通过端口 443 的 HTTP),并且没有防火墙阻止任何内容。

有什么提示吗?

我的(主要)配置位如下。

所有其他文件(000-default.confdefault-ssl.conf)都是 Ubuntu 20.04 安装的默认文件。

ports.conf:

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

mysite.conf

<VirtualHost _default_:80>
  ServerName  mysite.com
  ServerAlias  www.mysite.com
  ServerAdmin [email protected]
  DocumentRoot /home/fe/public_html

  <Directory />
    Options FollowSymLinks ExecCGI
    AllowOverride All
    AuthType Basic
    AuthName "Credentials, please"
    AuthUserFile /home/fe/.htpasswd
    Require valid-user
  </Directory>

  ScriptAlias /x/ /home/fe/cgi/
  <Directory "/home/fe/cgi">
    Options ExecCGI
    SetHandler cgi-script
    Require all granted
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/mysite-error.log
  LogLevel debug
  CustomLog ${APACHE_LOG_DIR}/mysite-access.log combined
  <FilesMatch "\.(cgi|shtml|phtml|php)$">
  </FilesMatch>
  <Directory /usr/lib/cgi-bin>
  </Directory>
  BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
RewriteEngine on
RewriteCond %{SERVER_NAME} =site.mysite.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

最后三行已由 添加certbot

mysite-le-ssl.conf

<IfModule mod_ssl.c>
 <VirtualHost _default_:443>
  ServerName  mysite.com
  ServerAlias  www.mysite.com
  ServerAdmin [email protected]
  DocumentRoot /home/fe/public_html

  <Directory />
    Options FollowSymLinks ExecCGI
    AllowOverride All
    AuthType Basic
    AuthName "Credentials, please"
    AuthUserFile /home/fe/.htpasswd
    Require valid-user
  </Directory>

  ScriptAlias /x/ /home/fe/cgi/
  <Directory "/home/fe/cgi">
    Options ExecCGI
    SetHandler cgi-script
    Require all granted
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/mysite-error.log
  LogLevel debug
  CustomLog ${APACHE_LOG_DIR}/mysite-access.log combined
  <FilesMatch "\.(cgi|shtml|phtml|php)$">
  </FilesMatch>
  <Directory /usr/lib/cgi-bin>
  </Directory>
  BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

  SSLCertificateFile /etc/letsencrypt/live/mysite.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
  </VirtualHost>
</IfModule>
apache2

1 个回答

  1. Best Answer

    我自己“修复”了配置,运气不错。

    该问题似乎是由 Ubuntu 附带 Apache v2.x 的默认配置引起的。

    使用类似的方法启用所需的模块后

    sudo a2enmod ssl
sudo a2enmod headers
sudo a2enmod socache_shmcb

    我还启用了“默认 SSL 站点

    sudo a2ensite default-ssl

    然后在目录中添加我自己的东西/etc/apache2/sites-enabled

    我添加了类似的内容:

    01-mysite.conf
02-other.conf
03-thistoo.conf

    运行后certbot --apache目录内容变为:

    01-mysite-le-ssl.conf
01-mysite.conf
02-other-le-ssl.conf
02-other.conf
03-thistoo-le-ssl.conf
03-thistoo.conf

    问题是由于在调用“默认 SSL 站点”配置文件的同时调用了default-ssl.conf默认纯文本站点000-default.conf”配置。

    在我的具体情况下,default-ssl.conf这是 Apache v2.x 从目录中读取的最后一个sites-enabled

    000-default.conf
01-mysite-le-ssl.conf
01-mysite.conf
02-other-le-ssl.conf
02-other.conf
03-thistoo-le-ssl.conf
03-thistoo.conf
default-ssl.conf

    通过“简单地”重命名default-ssl.conf为,000-default-ssl.conf在强制重新加载后,我开始让事情正常工作:systemctl apache2 reload; systemct apache2 status

    nmap问题中看到的相同命令现在返回预期结果:

    $ nmap -A -Pn -p 443 mysite.com.
Nmap scan report for mysite.com. (1.2.3.4)
Host is up (0.044s latency).
Other addresses for mysite.com. (not scanned): 1234:1234:123:1234::
rDNS record for 1.2.3.4: host1.hosting.net

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd 2.4.41
| tls-alpn: 
|_  http/1.1
|_http-title: 421 Misdirected Request
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=host1
| Subject Alternative Name: DNS:host1
| Not valid before: 2022-11-06T10:22:12
|_Not valid after:  2032-11-03T10:22:12
Service Info: Host: 127.0.0.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds

    它似乎nmap不知道如何发出格式正确的 HTTPS SNI 请求。

    但现在我们有::443/tcp open ssl/http Apache httpd 2.4.41现在ssl/http,不仅仅是http

    经验教训:对于 SSL/TLS 和 SNI,顺序很重要。而且还很多!

    作为一个非常小的旁注,我清理了非 SSL(又名“HTTP”)配置文件,如下所示:

    <VirtualHost _default_:80>
  ServerName  mysite.com # <-----------------.
  RewriteEngine on #                         | THE SAME
  RewriteCond %{SERVER_NAME} =mysite.com # <-'
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

    所有其他配置内容已移至启用 SSL 的配置中。简单又有效!

    我真的希望这能帮助其他人。

    • 0

相关问题