
Apache SSL: VirtualHost, SNI and Redirect configuration

The goal is to host several SSL domains on one web server and, at the same time, redirect every user access pattern to a single canonical virtual host per domain.
Server Name Indication (SNI) is what lets one web server (one IP address and one port) host several SSL domains: the client sends the hostname it wants in the TLS ClientHello, so Apache can pick the matching certificate before any HTTP request is visible.
Using SNI requires:

  • Apache 2.2.12 or later (built against OpenSSL 0.9.8f or later)
  • a certificate for each domain (or one certificate whose subjectAltName list covers every name served)
User access pattern         Apache behaviour
http://monsters-g.com       redirect to https://www.monsters-g.com
http://www.monsters-g.com   redirect to https://www.monsters-g.com
https://monsters-g.com      redirect to https://www.monsters-g.com
http://tomoyan.net          redirect to https://www.tomoyan.net
http://www.tomoyan.net      redirect to https://www.tomoyan.net
https://tomoyan.net         redirect to https://www.tomoyan.net
http://repos.tomoyan.net    redirect to https://repos.tomoyan.net

In Apache, a Redirect (mod_alias) is cheaper to process than a Rewrite (mod_rewrite), so the port-80 virtual hosts below use Redirect.
Even a port-443 virtual host that does nothing but redirect must still carry SSLEngine on and its certificate directives: the TLS handshake has to complete with a certificate valid for the requested name before Apache can see the request it is about to redirect. Leaving them out produced the baffling behaviour described at the end of this page.

$ sudo vi /etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.d/ssl.conf
# Setting for browsers that do not support SNI. With "off" (the default) a client
# that sends no SNI hostname is served by the default (first-loaded) port-443
# virtual host; with "on" such clients are refused with 403 instead.
SSLStrictSNIVHostCheck off

Apache virtual host configuration (the working layout).

$ sudo vi /etc/httpd/conf.d/www.monsters-g.com.conf
/etc/httpd/conf.d/www.monsters-g.com.conf
<VirtualHost *:80>
    ServerName www.monsters-g.com
    ServerAlias monsters-g.com
    # Plain HTTP never serves content: everything goes to HTTPS.
    # mod_alias Redirect answers 302 by default; "Redirect permanent" gives 301.
    Redirect "/" "https://www.monsters-g.com/"
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "/var/www/vhosts/www.monsters-g.com"
    ServerName www.monsters-g.com
    ServerAlias monsters-g.com
 
    # https://monsters-g.com/... -> https://www.monsters-g.com/...
    # The TLS handshake has already completed with the certificate below, so
    # that certificate must cover monsters-g.com as well as www.monsters-g.com.
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^monsters-g\.com
    RewriteRule ^/(.*)$ https://www.monsters-g.com/$1 [R=301,L]
 
    SSLEngine on
    # Disables SSLv2/SSLv3 only; TLS 1.0 and 1.1 stay enabled. On a current
    # Apache/OpenSSL add -TLSv1 -TLSv1.1 as well.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite !3DES:!aNULL:EDH+HIGH:ECDH+HIGH:-AES128:-3DES:-DSS:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/letsencrypt/live/monsters-g.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/monsters-g.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/monsters-g.com/chain.pem
    <Directory "/var/www/vhosts/www.monsters-g.com">
        Require all granted
        # "Options All" turns on Indexes, Includes, ExecCGI and FollowSymLinks for
        # this tree, and "AllowOverride All" lets an .htaccess in the document
        # root change any of it. Narrow both to what the site actually needs.
        Options All
        AllowOverride All
        DirectoryIndex index.php index.html
    </Directory>
</VirtualHost>
$ sudo vi /etc/httpd/conf.d/www.tomoyan.net.conf
/etc/httpd/conf.d/www.tomoyan.net.conf
<VirtualHost *:80>
    ServerName www.tomoyan.net
    ServerAlias tomoyan.net
    Redirect "/" "https://www.tomoyan.net/"
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "/var/www/vhosts/www.tomoyan.net/dokuwiki"
    ServerName www.tomoyan.net
    ServerAlias tomoyan.net
 
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^tomoyan\.net
    RewriteRule ^/(.*)$ https://www.tomoyan.net/$1 [R=301,L]
 
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite !3DES:!aNULL:EDH+HIGH:ECDH+HIGH:-AES128:-3DES:-DSS:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/letsencrypt/live/tomoyan.net/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/tomoyan.net/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/tomoyan.net/chain.pem
    <Directory "/var/www/vhosts/www.tomoyan.net/dokuwiki">
        Require all granted
        Options All
        AllowOverride All
        DirectoryIndex index.php index.html
    </Directory>
</VirtualHost>

Virtual host for repos.tomoyan.net. It reuses the tomoyan.net certificate files, so that certificate must also cover repos.tomoyan.net.

$ sudo vi /etc/httpd/conf.d/repos.tomoyan.net.conf
/etc/httpd/conf.d/repos.tomoyan.net.conf
<VirtualHost *:80>
    ServerName repos.tomoyan.net
    Redirect "/" "https://repos.tomoyan.net/"
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "/var/www/vhosts/repos.tomoyan.net"
    ServerName repos.tomoyan.net
 
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite !3DES:!aNULL:EDH+HIGH:ECDH+HIGH:-AES128:-3DES:-DSS:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/letsencrypt/live/tomoyan.net/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/tomoyan.net/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/tomoyan.net/chain.pem
    <Directory "/var/www/vhosts/repos.tomoyan.net">
        Require all granted
        Options All
        AllowOverride All
        DirectoryIndex index.php index.html
    </Directory>
</VirtualHost>
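An added verification script for the layout above (my addition, not code from the original page): it checks every row of the redirect table with curl and, using openssl s_client with the -servername option, that the certificate Apache serves for each SNI name actually covers that name. It assumes curl and OpenSSL 1.1.1 or later (for "x509 -ext"); the hostnames and targets are the page's, and the response headers fed to the parser in the notes below are constructed, not captured. Without RUN_LIVE=1 the script only defines its functions.

```shell
#!/bin/sh
# Added verification script, not part of the original page. It checks the two
# things the configuration above is meant to guarantee: every access pattern in
# the table gets the expected redirect, and the certificate Apache serves for a
# given SNI name actually covers that name. Assumes: curl and OpenSSL >= 1.1.1
# (for "x509 -ext"); hostnames and targets come from the page's table.

# Expected redirect target for each origin URL (the page's table).
expected_target() {
    case "$1" in
        http://monsters-g.com|http://www.monsters-g.com|https://monsters-g.com)
            echo "https://www.monsters-g.com/" ;;
        http://tomoyan.net|http://www.tomoyan.net|https://tomoyan.net)
            echo "https://www.tomoyan.net/" ;;
        http://repos.tomoyan.net)
            echo "https://repos.tomoyan.net/" ;;
        *) return 1 ;;
    esac
}

# Location header value from a block of HTTP response headers (CRLF tolerant,
# header name case-insensitive). Empty output means "no redirect".
parse_location() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# True if a subjectAltName list, as printed by "openssl x509 -ext subjectAltName"
# ("DNS:a, DNS:b"), covers HOST: exact match or a single-label wildcard.
san_covers() {
    host="$1"
    printf '%s\n' "$2" | tr ',' '\n' | sed 's/^ *DNS://' | while read -r entry; do
        case "$entry" in
            "$host") echo match; break ;;
            \*.*)
                parent="${entry#\*.}"; rest="${host#*.}"
                # a wildcard covers exactly one label to the left of the dot
                if [ "$rest" = "$parent" ] && [ "$rest" != "$host" ]; then
                    echo match; break
                fi ;;
        esac
    done | grep -q match
}

# Live: first response only (no -L), compared with the table.
check_redirect() {
    url="$1"
    want="$(expected_target "$url")" || { echo "SKIP $url (no expectation)"; return 1; }
    got="$(parse_location "$(curl -s -I "$url")")"
    if [ "$got" = "$want" ]; then
        echo "OK   $url -> $got"
    else
        echo "FAIL $url -> '${got:-no Location}' (want $want)"; return 1
    fi
}

# Live: handshake with SNI=HOST and check the served certificate's SANs.
# A mismatch here is exactly the symptom the broken layout at the end of this
# page produced (the tomoyan.net certificate served for monsters-g.com).
check_sni() {
    host="$1"
    sans="$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null | tail -n +2)"
    if san_covers "$host" "$sans"; then
        echo "OK   SNI $host covered by:$sans"
    else
        echo "FAIL SNI $host served SANs:$sans"; return 1
    fi
}

# Run the live checks only on request: RUN_LIVE=1 sh check_vhosts.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    rc=0
    for u in http://monsters-g.com http://www.monsters-g.com https://monsters-g.com \
             http://tomoyan.net http://www.tomoyan.net https://tomoyan.net \
             http://repos.tomoyan.net; do
        check_redirect "$u" || rc=1
    done
    for h in monsters-g.com www.monsters-g.com tomoyan.net www.tomoyan.net repos.tomoyan.net; do
        check_sni "$h" || rc=1
    done
    exit $rc
fi
```

The SNI check deliberately includes the apex names: https://monsters-g.com is answered by the www vhost's certificate, so that certificate has to list monsters-g.com in its subjectAltName or the browser warns before the 301 is ever sent. A constructed header block such as "HTTP/1.1 302 Found", "Location: https://www.monsters-g.com/" fed to parse_location yields the Location value, and san_covers "www.tomoyan.net" "DNS:tomoyan.net, DNS:www.tomoyan.net" succeeds while the same list fails for www.monsters-g.com.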

To state the conclusion first: the configuration below caused problems.
For some reason, only for the https://monsters-g.com access pattern, Apache tried to encrypt the connection with the tomoyan.net SSL certificate, and I could not work out why.
The configuration itself explains it. The virtual host whose ServerName matches the SNI name monsters-g.com is the combined <VirtualHost *:80 *:443> block, which carries no SSLEngine or certificate directives at all. mod_ssl cannot complete a handshake with that vhost, so the connection falls back to the default port-443 vhost, which is the first one Apache loaded; with the conf.d files included in name order that is repos.tomoyan.net.conf, and its certificate is the tomoyan.net one, which does not cover monsters-g.com. The working layout above fixes this by giving every port-443 vhost its own SSLEngine on and certificate directives and by moving the apex-to-www rewrite into the vhost that actually holds the monsters-g.com certificate.

$ sudo vi /etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.d/ssl.conf
# Setting for browsers that do not support SNI
SSLStrictSNIVHostCheck off
$ sudo vi /etc/httpd/conf.d/www.monsters-g.com.conf
/etc/httpd/conf.d/www.monsters-g.com.conf
<VirtualHost *:80 *:443>
    ServerName monsters-g.com
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^monsters-g\.com
    RewriteRule ^/(.*)$ https://www.monsters-g.com/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:80>
    ServerName www.monsters-g.com
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^www\.monsters-g\.com
    RewriteRule ^/(.*)$ https://www.monsters-g.com/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "/var/www/vhosts/www.monsters-g.com"
    ServerName www.monsters-g.com
    SSLCertificateFile /etc/letsencrypt/live/monsters-g.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/monsters-g.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/monsters-g.com/chain.pem
    <Directory "/var/www/vhosts/www.monsters-g.com">
        Require all granted
        Options All
        AllowOverride All
        DirectoryIndex index.php index.html
    </Directory>
</VirtualHost>
$ sudo vi /etc/httpd/conf.d/www.tomoyan.net.conf
/etc/httpd/conf.d/www.tomoyan.net.conf
<VirtualHost *:80 *:443>
    ServerName tomoyan.net
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^tomoyan\.net
    RewriteRule ^/(.*)$ https://www.tomoyan.net/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:80>
    ServerName www.tomoyan.net
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^www\.tomoyan\.net
    RewriteRule ^/(.*)$ https://www.tomoyan.net/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "/var/www/vhosts/www.tomoyan.net/dokuwiki"
    ServerName www.tomoyan.net
    SSLCertificateFile /etc/letsencrypt/live/tomoyan.net/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/tomoyan.net/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/tomoyan.net/chain.pem
    <Directory "/var/www/vhosts/www.tomoyan.net/dokuwiki">
        Require all granted
        Options All
        AllowOverride All
        DirectoryIndex index.php index.html
    </Directory>
</VirtualHost>
$ sudo vi /etc/httpd/conf.d/repos.tomoyan.net.conf
/etc/httpd/conf.d/repos.tomoyan.net.conf
<VirtualHost *:80>
    ServerName repos.tomoyan.net
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^repos\.tomoyan\.net
    RewriteRule ^/(.*)$ https://repos.tomoyan.net/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "/var/www/vhosts/repos.tomoyan.net"
    ServerName repos.tomoyan.net
    SSLCertificateFile /etc/letsencrypt/live/tomoyan.net/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/tomoyan.net/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/tomoyan.net/chain.pem
    <Directory "/var/www/vhosts/repos.tomoyan.net">
        Require all granted
        Options All
        AllowOverride All
        DirectoryIndex index.php index.html
    </Directory>
</VirtualHost>
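An added lint for the failure just described (my addition, not code from the original page): it writes trimmed, constructed copies of the broken files into a scratch directory, walks them in conf.d include order, and reports the implicit port-443 default vhost plus every port-443 vhost that lacks SSLEngine on or an SSLCertificateFile. It assumes only POSIX sh and awk, and that conf.d/*.conf files are included in sorted name order as the RHEL/CentOS httpd.conf does; the path /etc/httpd/conf.d in the usage note is the page's own.

```shell
#!/bin/sh
# Added lint, not part of the original page. It reproduces the broken layout
# above in a scratch directory and reports what Apache ends up with: which vhost
# is the implicit default for port 443 (the one whose certificate is served
# when the SNI-matched vhost has no usable TLS configuration), and every
# port-443 vhost that lacks "SSLEngine on" or an SSLCertificateFile.
# Assumes: conf.d/*.conf files are included in sorted name order (the
# IncludeOptional default on RHEL/CentOS); the sample vhosts below are
# constructed, trimmed copies of the page's files.

# Scan every *.conf in DIR (shell glob order == Apache include order) and print
# one finding per line: "KIND servername file:line".
lint_conf_dir() {
    awk '
        FNR == 1 { in_vh = 0 }
        /^[ \t]*<VirtualHost[ \t]/ {
            in_vh = 1; on443 = ($0 ~ /:443/); start = FNR
            name = "?"; engine = 0; cert = 0; next
        }
        in_vh && /^[ \t]*ServerName[ \t]/          { name = $2 }
        in_vh && /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/  { engine = 1 }
        in_vh && /^[ \t]*SSLCertificateFile[ \t]/  { cert = 1 }
        in_vh && /^[ \t]*<\/VirtualHost>/ {
            if (on443) {
                f = FILENAME; sub(/.*\//, "", f); where = f ":" start
                if (!seen443++) printf "DEFAULT443 %s %s\n", name, where
                if (!engine)    printf "NOSSL %s %s\n", name, where
                if (!cert)      printf "NOCERT %s %s\n", name, where
            }
            in_vh = 0
        }' "$1"/*.conf
}

# Scratch copy of the broken layout: the combined *:80 *:443 vhost for the apex
# name has no TLS directives at all, and repos.tomoyan.net.conf sorts first, so
# it becomes the port-443 default. Prints the directory path.
make_sample_confdir() {
    d="$(mktemp -d)"
    cat > "$d/repos.tomoyan.net.conf" <<'EOF'
<VirtualHost *:443>
    ServerName repos.tomoyan.net
    SSLCertificateFile /etc/letsencrypt/live/tomoyan.net/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/tomoyan.net/privkey.pem
</VirtualHost>
EOF
    cat > "$d/www.monsters-g.com.conf" <<'EOF'
<VirtualHost *:80 *:443>
    ServerName monsters-g.com
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^monsters-g\.com
    RewriteRule ^/(.*)$ https://www.monsters-g.com/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName www.monsters-g.com
    SSLCertificateFile /etc/letsencrypt/live/monsters-g.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/monsters-g.com/privkey.pem
</VirtualHost>
EOF
    echo "$d"
}

# Corrected copy: the port-443 vhost carries its own SSLEngine on and
# certificate, and the apex name is an alias of the www vhost.
make_fixed_confdir() {
    d="$(mktemp -d)"
    cat > "$d/www.monsters-g.com.conf" <<'EOF'
<VirtualHost *:443>
    ServerName www.monsters-g.com
    ServerAlias monsters-g.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/monsters-g.com/cert.pem
</VirtualHost>
EOF
    echo "$d"
}

# Number of findings of one kind (NOSSL / NOCERT / DEFAULT443) in a report.
count_findings() {
    printf '%s\n' "$2" | grep -c "^$1 " || true
}

demo() {
    broken="$(make_sample_confdir)"; fixed="$(make_fixed_confdir)"
    echo "--- broken layout ---"; lint_conf_dir "$broken"
    echo "--- fixed layout ---";  lint_conf_dir "$fixed"
    rm -rf "$broken" "$fixed"
}
demo
```

Against the broken sample the report names repos.tomoyan.net as DEFAULT443 and flags monsters-g.com with both NOSSL and NOCERT, which is the signature of the symptom above: the SNI-matched vhost cannot terminate TLS, so the default vhost's tomoyan.net certificate is what the client sees. Run lint_conf_dir /etc/httpd/conf.d against the live tree after any vhost change.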
Last updated: 2023/06/01 05:55 by ともやん