我正在运行Apache 2.2.15(CentOS 6.6)与一个仅HTTP域
demo.xml-director.info
使用wget我可以正确地检索内容
wget -S http://demo.xml-director.info --2015-01-05 13:31:41-- http://demo.xml-director.info/ Resolving demo.xml-director.info (demo.xml-director.info)... 176.9.146.28 Connecting to demo.xml-director.info (demo.xml-director.info)|176.9.146.28|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Date: Mon, 05 Jan 2015 12:31:41 GMT Server: Zope/(2.13.22, python 2.7.6, linux2) ZServer/1.1 Content-Length: 20227 Expires: Sat, 01 Jan 2000 00:00:00 GMT Content-Type: text/html;charset=utf-8 X-Ua-Compatible: IE=edge,chrome=1 Content-Language: en Vary: Accept-Encoding Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Length: 20227 (20K) [text/html] Saving to: 'index.html.4' 不过,由于HTST的原因,Chrome / Firefox总是将请求从http更改为https。 但是对于这个特定的域,没有configurationHSTS。
服务器为启用了HSTS支持的www.xml-director.info运行SSL。 然而,这里有更多的别名将demo.xml-director.info映射到www.xml-director.info。
这个问题怎么解决。
VHOst为www.xml-director.info:
<VirtualHost *:443> ServerName www.xml-director.info ServerAlias xml-director.info SSLEngine on SSLCertificateFile /etc/httpd/certs/15742445repl_2.crt SSLCertificateCHainFile /etc/httpd/certs/15742445repl_2.ca-bundle SSLCertificateKeyFile /etc/httpd/certs/zopyx.com.key CustomLog /var/log/httpd/xml-director.info.log combined DocumentRoot /var/www/xml-director/landing-v1 Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" <location "/"> Options +Indexes Header set Access-Control-Allow-Origin "*" Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE" Header set Access-Control-Allow-Headers "X-Requested-With,Content-Type" </location> </VirtualHost> <VirtualHost *:80> ServerAlias www.xml-director.com ServerAlias www.xml-director.info ServerAlias www.xml-director.de ServerAlias xml-director.com ServerAlias xml-director.info ServerAlias xml-director.de RedirectPermanent / https://xml-director.info/ </VirtualHost>
和demo.xml-director.info
<VirtualHost *:80> ServerName demo.xml-director.info RewriteEngine On RewriteRule ^/(.*) http://127.0.0.1:12020/VirtualHostBase/http/demo.xml-director.info:80/xml-director/VirtualHostRoot/$1 [L,P] RewriteRule ^/$ http://127.0.0.1:12020/VirtualHostBase/http/demo.xml-director.info:80/xml-director/VirtualHostRoot/$1 [L,P] CustomLog /var/log/httpd/demo.xml-director.info.log combined AddOutputFilterByType DEFLATE text/html text/xml text/plain text/css text/javascript CacheRoot /tmp/cache CacheEnable disk / CacheIgnoreCacheControl on KeepAliveTimeout 15 KeepAlive on ExpiresActive On ExpiresByType image/gif "access plus 10 day" ExpiresByType image/jpg "access plus 10 day" ExpiresByType image/jpeg "access plus 10 day" ExpiresByType image/png "access plus 10 day" ExpiresByType text/javascript "access plus 10 day" ExpiresByType text/html "access plus 1 hour" ExpiresByType text/html "access plus 1 hour" ExpiresByType text/css "access plus 10 days" <Location "/"> Order allow,deny Allow from all </Location> </VirtualHost>
问题是HSTS头的范围,它包括所有子域。 如果首先使用浏览器访问http://demo.xml-director.info ,它会正常工作。
但是,在第一次访问https://xml-director.info/或https://www.xml-director.info ,浏览器将会收到一个设置为将来(两年内)失效的所有子域的HSTS头。 ..),因此不会再尝试通过http连接到任何(子)域,直到头过期。
顺便提一下,这个头文件对cli工具(如wget和curl没有影响。
如果有任何应该通过http访问的子域,请不要使用includeSubdomains 。 相反,如果您要使用HSTS标头,请将其限制为仅限访问的域(这是默认行为):
<VirtualHost *:443> ServerName www.xml-director.info ServerAlias xml-director.info Header always set Strict-Transport-Security "max-age=63072000"
一个接收到HSTS头的浏览器本身没有清除它的方法,它总是试图通过https访问域 ,如果没有响应就意味着它陷入了僵局。
为了纠正现有浏览器的现状(假设它不是一个“只有我”的问题),必须通过https连接使HSTS头过期。 即:
<VirtualHost *:443> ServerName *.xml-director.info Header always set Strict-Transport-Security "max-age=0" RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI}
或同等学历。 这样HSTS头被清除,并且http访问被恢复。