我正在尝试使这个设置工作:
所以连接应该是:
我做了什么好事:
openssl s_client -connect target.internal:443 -prexit -CAfile /var/certs/root-ca.crt从反向代理 但是Apache失败了,因为当试图连接到“target.internal”时,它想要在目标证书中find主机名“reverse-proxy.com”,而目标证书是为“target.internal”制作的。
我在我的日志中有这个错误:
Cert does not match for name 'reverse-proxy.com'
它将证书链从“root-ca.crt”成功移到“target.internal.crt”后打印出来。
我不明白Apache为什么不寻找为“target.internal”制作的证书。
有人有一个想法? 谢谢。
编辑:
Listen 0.0.0.0:443 https SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog SSLSessionCache shmcb:/run/httpd/sslcache(512000) SSLSessionCacheTimeout 300 SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin SSLCryptoDevice builtin <VirtualHost _default_:443> ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel trace1 SSLEngine on SSLProxyEngine on SSLProxyCACertificateFile /var/certs/root-ca.crt SSLProtocol -all +TLSv1.2 SSLCipherSuite HIGH:!SSLv3:!kRSA:!kECDH:!ADH:!DSS SSLCertificateFile /etc/letsencrypt/live/reverse-proxy.com/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/reverse-proxy.com/privkey.pem <Files ~ "\.(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> <Directory "/var/www/cgi-bin"> SSLOptions +StdEnvVars </Directory> BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" ServerName reverse-proxy.com SSLCertificateChainFile /etc/letsencrypt/live/reverse-proxy.com/chain.pem ProxyPreserveHost On RewriteEngine On RewriteRule ^/stuff/(.*)$ https://target.internal/$1 [P] ProxyPassReverse /stuff/ https://target.internal/ </VirtualHost>