通过 SNI 提供的主机名 myfirstweb.intweb.net 和通过 HTTP 提供的主机名 mysecondweb.intweb.net 不同，Apache 错误

Question

我有一台服务器，同一台服务器上有大约 3 个网站。

为了让事情变得更容易，我使用 ansible 生成 nginx 配置文件和 apache 配置文件，这样更容易且不易出错。正如您将在下面看到的，我对所有这些都使用相同的端口，所以这些 apache 和 nginx 配置文件几乎唯一不同的是服务器名称、根位置、网站位置以及错误和访问日志。

我现在看到的问题是我无法同时看到两个网站，当我在浏览器上打开第一个网站时，它可以正常打开，但是当我想打开第二个网站时，我收到此错误：

您的浏览器发送了此服务器无法理解的请求。

当我看到 apache 日志时，我看到以下错误：

[Fri Nov 09 16:17:51.247904 2018] [ssl:error] [pid 18614] AH02032：通过 SNI 提供的主机名 myweb.intweb.net 和通过 HTTP 提供的主机名 mysecondweb.intweb.net不同

mysecondweb.intweb.net 是我要打开的另一个网站。

这是我其中一个的 nginx 配置文件，您可以在其中看到我正在处理对 apache 的请求：

# Force HTTP requests to HTTPS
server {
    listen 80;
    server_name myweb.intweb.net;
    return 301 https://myweb.intweb.net$request_uri;
}
  server {

      listen  443 ssl;
      root  /var/opt/httpd/ifdocs;

    server_name myweb.intweb.net ;

      # add Strict-Transport-Security to prevent man in the middle attacks
    add_header Strict-Transport-Security "max-age=31536000" always;
    ssl on;
    ssl_certificate     /etc/pki/tls/certs/star_intweb_net.pem;
    ssl_certificate_key /etc/pki/tls/certs/star_intweb_net.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

      access_log /var/log/nginx/iflogs/https/access.log;
    error_log  /var/log/nginx/iflogs/https/error.log;

    ###include rewrites/default.conf;


    index  index.php index.html index.htm;

    # Make nginx serve static files instead of Apache
    # NOTE this will cause issues with bandwidth accounting as files wont be logged
    location ~* \.(gif|jpg|jpeg|png|wmv|avi|mpg|mpeg|mp4|htm|html|js|css)$ {
        expires max;
    }

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
                proxy_ssl_server_name on;
        proxy_ssl_name $host;
        proxy_pass https://127.0.0.1:4433;
         }

    # proxy the PHP scripts to Apache listening on <serverIP>:8080
    location ~ \.php$ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
                proxy_ssl_server_name on;
        proxy_ssl_name $host;
        proxy_pass https://127.0.0.1:4433;
         }

    location ~ /\. {
        deny  all;
    }

    error_page  500 502 503 504  /50x.html;
    location = /50x.html {
  root  /usr/share/nginx/html;
    }
}

这是我对这些站点的 Apache 配置：

 <VirtualHost *:4433>

  SSLEngine on
   SSLCertificateFile /etc/pki/tls/certs/star_intweb_net.crt
SSLCertificateKeyFile /etc/pki/tls/certs/star_intweb_net.key
SSLCertificateCcompanyFile /etc/pki/tls/certs/DigiCertCA.crt

ServerAdmin webmaster@company.com

DocumentRoot /var/opt/httpd/ifdocs

<Directory "/var/opt/httpd/ifdocs">
    Options FollowSymLinks
    AllowOverride All
      Require all granted
  </Directory>

ServerName myweb.intweb.net

ErrorLog /var/log/httpd/iflogs/http/error.log
CustomLog /var/log/httpd/iflogs/http/access.log combined

#    RewriteEngine on

#    Include rewrites/default.conf

</VirtualHost>

注意： 如果我删除这些行：

proxy_ssl_server_name on;
        proxy_ssl_name $host;

我没有那个问题了，似乎解决了我遇到的问题。在这种情况下，我只是好奇这是否会在未来引起问题，或者为什么通过删除配置中的这两行，我不再在 apache 中出现这些错误？

谢谢！

Answer 1

我可以通过在我的 nginx.conf 文件中添加这行代码来解决这个问题：

proxy_ssl_session_reuse off;

显然 OpenSSL 中有一个错误。我运行以下代码对其进行了测试：

openssl genrsa -out fookey.pem 2048
openssl req -x509 -key fookey.pem -out foocert.pem -days 3650 -subj '/CN=testkey.invalid.example'

openssl s_server -accept localhost:30889 -cert foocert.pem -key fookey.pem -state -servername key1.example -cert2 foocert.pem -key2 fookey.pem

openssl s_client -connect localhost:30889 -sess_out /tmp/tempsslsess -servername key1.example

openssl s_client -connect localhost:30889 -sess_in /tmp/tempsslsess -servername key2.example

# observe key1.example in the SNI info reported by s_server for both requests.  ("Hostname in TLS extension: "...)

# If s_server is restarted, and the s_client connections/sessions are re-run using key2.example first and key1.example second, observe key2.example in the SNI info reported by s_server for both requests.

# Furthermore, I just tested on a different machine, and sometimes SNI appears to be absent in the second requests.

# shouldn't s_client filter session use so that if it knows SNI info before selecting a cached session, it only selects one that matches the intended SNI name?  And if it doesn't have a SNI name when it's searching for a session to re-use, shouldn't it still double check when it's provided (later, before connecting) SNI info, to make sure it's identical to SNI in the saved session it picked, and not use the saved session if they differ?

# It seems to me if the SNI specified by the client app ever differs from the SNI seen by the server, that's not good.

# this was discovered by someone reporting a problem using nginx to reverse proxy to apache, with apache warning that the SNI hostname didn't match the Host: header, despite the nginx config explicitly setting Host: and apache-side SNI to the same thing.