Mar*_*ler 2 ssl domain redirection apache-2.2
我正在运行带有仅 HTTP 域的 Apache 2.2.15 (CentOS 6.6)
demo.xml-director.info
使用 wget 我可以正确检索内容
wget -S http://demo.xml-director.info
--2015-01-05 13:31:41-- http://demo.xml-director.info/
Resolving demo.xml-director.info (demo.xml-director.info)... 176.9.146.28
Connecting to demo.xml-director.info (demo.xml-director.info)|176.9.146.28|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Mon, 05 Jan 2015 12:31:41 GMT
Server: Zope/(2.13.22, python 2.7.6, linux2) ZServer/1.1
Content-Length: 20227
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Content-Type: text/html;charset=utf-8
X-Ua-Compatible: IE=edge,chrome=1
Content-Language: en
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Length: 20227 (20K) [text/html]
Saving to: 'index.html.4'
但是,由于 HTST,Chrome/Firefox 总是将请求从 http 更改为 https。然而,对于这个特定的域,没有配置 HSTS。
服务器为 www.xml-director.info 运行 SSL,并启用 HSTS 支持。然而,这里还有一个别名可以将 demo.xml-director.info 映射到 www.xml-director.info。
如何解决这个问题。
www.xml-director.info 的 VHOst:
<VirtualHost *:443>
ServerName www.xml-director.info
ServerAlias xml-director.info
SSLEngine on
SSLCertificateFile /etc/httpd/certs/15742445repl_2.crt
SSLCertificateCHainFile /etc/httpd/certs/15742445repl_2.ca-bundle
SSLCertificateKeyFile /etc/httpd/certs/zopyx.com.key
CustomLog /var/log/httpd/xml-director.info.log combined
DocumentRoot /var/www/xml-director/landing-v1
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
<location "/">
Options +Indexes
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE"
Header set Access-Control-Allow-Headers "X-Requested-With,Content-Type"
</location>
</VirtualHost>
<VirtualHost *:80>
ServerAlias www.xml-director.com
ServerAlias www.xml-director.info
ServerAlias www.xml-director.de
ServerAlias xml-director.com
ServerAlias xml-director.info
ServerAlias xml-director.de
RedirectPermanent / https://xml-director.info/
</VirtualHost>
和 demo.xml-director.info
<VirtualHost *:80>
ServerName demo.xml-director.info
RewriteEngine On
RewriteRule ^/(.*) http://127.0.0.1:12020/VirtualHostBase/http/demo.xml-director.info:80/xml-director/VirtualHostRoot/$1 [L,P]
RewriteRule ^/$ http://127.0.0.1:12020/VirtualHostBase/http/demo.xml-director.info:80/xml-director/VirtualHostRoot/$1 [L,P]
CustomLog /var/log/httpd/demo.xml-director.info.log combined
AddOutputFilterByType DEFLATE text/html text/xml text/plain text/css text/javascript
CacheRoot /tmp/cache
CacheEnable disk /
CacheIgnoreCacheControl on
KeepAliveTimeout 15
KeepAlive on
ExpiresActive On
ExpiresByType image/gif "access plus 10 day"
ExpiresByType image/jpg "access plus 10 day"
ExpiresByType image/jpeg "access plus 10 day"
ExpiresByType image/png "access plus 10 day"
ExpiresByType text/javascript "access plus 10 day"
ExpiresByType text/html "access plus 1 hour"
ExpiresByType text/html "access plus 1 hour"
ExpiresByType text/css "access plus 10 days"
<Location "/">
Order allow,deny
Allow from all
</Location>
</VirtualHost>
问题是 HSTS 标头的范围,它包括所有子域。如果首先http://demo.xml-director.info使用浏览器访问它会正常工作。
但是,在第一次访问https://xml-director.info/或https://www.xml-director.info浏览器将收到所有子域的 HSTS 标头,这些子域设置为在未来(两年后......?)到期,因此不会再次尝试通过 http 连接到任何(子)域,直到标头过期。
顺便说一句,此标头对wget和等 cli 工具没有影响curl。
如果有任何应该通过 http 访问的子域,请不要使用includeSubdomains. 相反,如果您想使用 HSTS 标头,请将其限制为仅访问的域(这是默认行为):
<VirtualHost *:443>
ServerName www.xml-director.info
ServerAlias xml-director.info
Header always set Strict-Transport-Security "max-age=63072000"
收到 HSTS 标头的浏览器无法自行清除它,它将始终尝试通过 https 访问域,如果没有响应,则意味着它陷入困境。
要纠正现有浏览器的当前情况(假设这不是“只是我”的问题),有必要通过 https 连接使 HSTS 标头过期。IE:
<VirtualHost *:443>
ServerName *.xml-director.info
Header always set Strict-Transport-Security "max-age=0"
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI}
或同等学历。这样就清除了HSTS头,恢复了http访问。
| 归档时间: |
|
| 查看次数: |
1243 次 |
| 最近记录: |