Virtual Hosting in SSL with VirtualDocumentRoot

2019-06-22 04:56发布

站内问答 / 前端开发
1495 2 5

I do my dev work on an ubuntu 16.04 VM

As I work on a number of projects, to make my life easier I use VirtualDocumentRoot and the hosts file to server sites from my home folder using *.dev domains:

In 000-default.conf I have:

<VirtualHost *:80>
  VirtualDocumentRoot  /home/steve/websites/%-2/%-2/public_html
  ServerAlias *.dev
</VirtualHost>

then in hosts I have the various sites I'm working on:

127.0.0.1   somesite.dev
127.0.0.1   another.dev
127.0.0.1   athirdone.dev
127.0.0.1   blog.athirdone.dev

That way, when I add a new project I just need to create the correct folder structure in the websites directory and add a line to hosts, eg if I want to work on a new project somecoolproject.dev, I just add a folder:

/home/steve/websites/somecoolproject/somecoolproject/public_html

and a line in hosts:

127.0.0.1    somecoolproject.dev

And I'm good to go.

Anyway, pretty much everything I work on now runs over https, and many of the projects have code to enforce this, either in the source code or htaccess etc, making it a pain to work on dev copies.

I would like to create a self-signed cert on my dev machine, and ideally in a way that i dont need to generate a new one for every project, so some kind of wildcard *.dev would be great.

But even if I do need to create a new one for each project, I still can't work out how to install it with my setup - everything I find presumes a fixed document and hardcoded servername.

2条回答
来,给爷笑一个
2楼-- · 2019-06-22 05:41

If I understand the requirements correctly, you want to know:

  • how to generate an wildcard SSL cert for *.dev
  • how to configure apache locally with a configuration that would allow server any *.dev domain over SSL/TLS w/o changing the configuration as new *.dev domains are created.

If I understood this correctly, this is certainly doable.

How will it work: SNI - server name indication, a TLS protocol extension, in which, the hostname is passed when establishing the TLS connection, BEFORE HTTP data (like the host header) is available. All the popular web browsers, curl, all of the popular webservers support it.

Steps:

First. Generate the cert:

mindaugas@mindaugas-ubuntu-14:/usr/local/apache2/conf$ sudo openssl req        -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt
Generating a 2048 bit RSA private key
.............+++
..................+++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.dev
Email Address []:

The key part is:

Common Name (e.g. server FQDN or YOUR name) []:*.dev

Second.

Server configuration:

Listen 443

<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile "/usr/local/apache2/conf/domain.crt"
  SSLCertificateKeyFile "/usr/local/apache2/conf/domain.key"

  VirtualDocumentRoot /home/mindaugas/websites/%-2/pubic/
  ServerAlias *.dev
  <Directory "/">
      Options Indexes FollowSymLinks MultiViews
      AllowOverride All
      Allow from All
      Require all granted
  </Directory>
</VirtualHost>

Enable ssl and restart apache:

sudo a2enmod ssl
sudo service apache2 restart

You can test this by:

  • creating two document file structures;
  • populating them w/ a simple HTML page;
  • issuing requests by providing the domain - ip mapping in the hosts file OR, as I did it, w/ "Modify headers" plugin, by issuing different hosts headers when needed:

enter image description here

查看更多
0人赞 添加讨论(0) 举报
祖国的老花朵
3楼-- · 2019-06-22 05:52

We like bounties since it's a bit long to write the solution for you :) The real answer to your question is how to make it work, while VirtualDocumentRoot is not gonna work in SSL. I suggest to proxify requests from the default SSL virtual host, to the dynamic non-ssl virtual host. This is possible by keeping the host name which is requested.

First, do all the preliminary work : 1/ generate your private key and certificate (a wildcard if you want so), there are many tutorials for this, 2/ in your main httpd.conf you activate the Include for the extra/httpd-ssl.conf

In the httpd-ssl.conf, you need this conf (I tested it successfully) :

UseCanonicalName Off
ProxyPreserveHost  On

SetEnvIf  Server_Addr "(.*)"  sname=$1

RewriteEngine   On
RewriteCond     "%{HTTPS}" =on
RewriteRule     ^/(.*)$ "http://%{ENV:sname}:80/$1" [P]

I also suggest to customize the Log format, then you see better what is requested. This will help later debugging, and here are some directives to log with the host name which is requested, and you can recognize SSL or non-SSL traffic by the length of the log lines. In the httpd.conf, look for the the place where the LogFormat is defined and add :

LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" enhanced
LogFormat "%V %h %l %u %t \"%r\" %>s %b" enhancedSSL
CustomLog "logs/access_log" enhanced

in httpd-ssl.conf, you just need this one :

CustomLog "logs/access_log" enhancedSSL

Tell us if it's working as expected. Once working, the next step is probably to disable non-SSL traffic at least from remote. To achieve this, either configure the local firewall to block requests on port 80, or (better) configure the VirtualHost to listen locally only (VirtualHost 127.0.0.1:80 instead of *:80).

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)