apache - 通过 SNI 提供的主机名 myfirstweb.intweb.net 和通过 HTTP 提供的主机名 mysecondweb.intweb.net 不同，Apache 错误

Question

我有一台服务器，同一台服务器上有大约 3 个网站。

为了让事情变得更简单，我使用 ansible 生成了 nginx 配置文件和 apache 配置文件，这样更容易也更不容易出错。正如您将在下面看到的，我对它们都使用相同的端口，所以这些 apache 和 nginx 配置文件几乎唯一不同的是服务器名称、根位置、网站位置以及错误和访问日志。

我现在看到的问题是我无法同时看到两个网站，当我在浏览器中打开第一个网站时它打开正常，但是当我想打开第二个网站时出现此错误:

您的浏览器发送了该服务器无法理解的请求。

当我看到 apache 日志时，我看到以下错误:

[Fri Nov 09 16:17:51.247904 2018] [ssl:error] [pid 18614] AH02032:通过 SNI 提供的主机名 myweb.intweb.net 和通过 HTTP 提供的主机名 mysecondweb.intweb.net是不同的

mysecondweb.intweb.net 是我要打开的另一个网站。

这是其中之一的我的 nginx 配置文件，您可以在其中看到我正在处理对 apache 的请求:

# Force HTTP requests to HTTPS
server {
    listen 80;
    server_name myweb.intweb.net;
    return 301 https://myweb.intweb.net$request_uri;
}
  server {

      listen  443 ssl;
      root  /var/opt/httpd/ifdocs;

    server_name myweb.intweb.net ;

      # add Strict-Transport-Security to prevent man in the middle attacks
    add_header Strict-Transport-Security "max-age=31536000" always;
    ssl on;
    ssl_certificate     /etc/pki/tls/certs/star_intweb_net.pem;
    ssl_certificate_key /etc/pki/tls/certs/star_intweb_net.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

      access_log /var/log/nginx/iflogs/https/access.log;
    error_log  /var/log/nginx/iflogs/https/error.log;

    ###include rewrites/default.conf;


    index  index.php index.html index.htm;

    # Make nginx serve static files instead of Apache
    # NOTE this will cause issues with bandwidth accounting as files wont be logged
    location ~* \.(gif|jpg|jpeg|png|wmv|avi|mpg|mpeg|mp4|htm|html|js|css)$ {
        expires max;
    }

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
                proxy_ssl_server_name on;
        proxy_ssl_name $host;
        proxy_pass https://127.0.0.1:4433;
         }

    # proxy the PHP scripts to Apache listening on <serverIP>:8080
    location ~ \.php$ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
                proxy_ssl_server_name on;
        proxy_ssl_name $host;
        proxy_pass https://127.0.0.1:4433;
         }

    location ~ /\. {
        deny  all;
    }

    error_page  500 502 503 504  /50x.html;
    location = /50x.html {
  root  /usr/share/nginx/html;
    }
}

这是我的网站的 Apache 配置:

 <VirtualHost *:4433>

  SSLEngine on
   SSLCertificateFile /etc/pki/tls/certs/star_intweb_net.crt
SSLCertificateKeyFile /etc/pki/tls/certs/star_intweb_net.key
SSLCertificateCcompanyFile /etc/pki/tls/certs/DigiCertCA.crt

ServerAdmin webmaster@company.com

DocumentRoot /var/opt/httpd/ifdocs

<Directory "/var/opt/httpd/ifdocs">
    Options FollowSymLinks
    AllowOverride All
      Require all granted
  </Directory>

ServerName myweb.intweb.net

ErrorLog /var/log/httpd/iflogs/http/error.log
CustomLog /var/log/httpd/iflogs/http/access.log combined

#    RewriteEngine on

#    Include rewrites/default.conf

</VirtualHost>

注意:如果我删除这些行:

proxy_ssl_server_name on;
        proxy_ssl_name $host;

我不再有那个问题，而且似乎解决了我遇到的问题。在这种情况下，我只是好奇这是否会在未来引起问题，或者为什么通过删除配置中的这两行，我就不再在 apache 中出现这些错误了？

谢谢!

Answer 1

我能够通过在我的 nginx.conf 文件中添加这行代码来解决这个问题:

proxy_ssl_session_reuse off;

显然 OpenSSL 中存在错误。我测试了它运行以下代码:

openssl genrsa -out fookey.pem 2048
openssl req -x509 -key fookey.pem -out foocert.pem -days 3650 -subj '/CN=testkey.invalid.example'

openssl s_server -accept localhost:30889 -cert foocert.pem -key fookey.pem -state -servername key1.example -cert2 foocert.pem -key2 fookey.pem

openssl s_client -connect localhost:30889 -sess_out /tmp/tempsslsess -servername key1.example

openssl s_client -connect localhost:30889 -sess_in /tmp/tempsslsess -servername key2.example

# observe key1.example in the SNI info reported by s_server for both requests.  ("Hostname in TLS extension: "...)

# If s_server is restarted, and the s_client connections/sessions are re-run using key2.example first and key1.example second, observe key2.example in the SNI info reported by s_server for both requests.

# Furthermore, I just tested on a different machine, and sometimes SNI appears to be absent in the second requests.

# shouldn't s_client filter session use so that if it knows SNI info before selecting a cached session, it only selects one that matches the intended SNI name?  And if it doesn't have a SNI name when it's searching for a session to re-use, shouldn't it still double check when it's provided (later, before connecting) SNI info, to make sure it's identical to SNI in the saved session it picked, and not use the saved session if they differ?

# It seems to me if the SNI specified by the client app ever differs from the SNI seen by the server, that's not good.

# this was discovered by someone reporting a problem using nginx to reverse proxy to apache, with apache warning that the SNI hostname didn't match the Host: header, despite the nginx config explicitly setting Host: and apache-side SNI to the same thing.