Server Name Indication
From ICO wiki
Jump to navigationJump to search
Server Name Indication
Eeldused
Ubuntu server 9.10 (Karmic Koala) beta versioonist alates
Apache 2.2.12
OpenSSL 0.9.8g
Seadistamine
Kui Apachel ja OpenSSL'il on SNI tugi olemas, saab ühe IP ja pordi pealt suunata päringuid erinevatele https veebilehtedele kasutades selleks ServerName'i nagu tavalise http puhulgi.
Muuta võib kohe /etc/apache2/sites-enabled/000-default faili uue konfiguratsiooniga
sudo nano /etc/apache2/sites-enabled/000-default
Järgnevalt on toodud näidiskonfiguratsioon:
NameVirtualHost *:443
SSLStrictSNIVHostCheck on
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName www.firma.ee
DocumentRoot /var/www/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/www>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/www.error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/www.access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
ErrorLog /var/log/apache2/www.firma.ee-ssl-error.log
TransferLog /var/log/apache2/www.firma.ee-ssl-access.log
SSLEngine on
SSLCertificateFile /etc/apache2/www.firma.ee.crt
SSLCertificateKeyFile /etc/apache2/www.firma.ee.key
SSLOptions +StdEnvVars
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName sales.firma.ee
DocumentRoot /var/www/sales
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/sales>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/sales.error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/sales.access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
ErrorLog /var/log/apache2/sales.firma.ee-ssl-error.log
TransferLog /var/log/apache2/sales.firma.ee-ssl-access.log
SSLEngine on
SSLCertificateFile /etc/apache2/sales.firma.ee.crt
SSLCertificateKeyFile /etc/apache2/sales.firma.ee.key
SSLOptions +StdEnvVars
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName www.firma.ee
DocumentRoot /var/www/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/www>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/www-error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/www-access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName sales.firma.ee
DocumentRoot /var/www/sales
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/sales>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/sales.error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/sales.access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
NameVirtualHost *:443 - määrab, et kõigil IP'del kuulatakse virtual host päringuid
SSLStrictSNIVHostCheck - määrab, kas ühendusi lubatakse ka mitte-SNI klientidelt (off = lubatakse, on = ei lubata)
Testimine
Testimiseks on vajalik SNI tuge omavat veebibrauserit. Seega ei sobi Links. SNI toega brauserid on Firefox 2.0+, IE 7.0+, Google Chrome, Opera 8.0+
