0

以下是一个测试设置,用于检查当lighttpd包含在证书subjectAltNames中时是否会基于 IP 地址进行身份验证,例如

主题AltNames=IP:192.168.1.20

配置:

$HTTP["host"] == "192.168.1.20" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/Pihole-Home-Lan/private/Pihole-Home-Lan.key-crt.pem"
#    ssl.ca-file =  "/etc/lighttpd/ssl/Pihole-Home-Lan/public/Pihole-Home-Lan-fullchain.pem"
    ssl.ca-file =  "/etc/lighttpd/ssl/Pihole-Home-Lan/public/Home-Lan.crt.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    # client side authentification
    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce = "enable"
    ssl.verifyclient.depth = "10"
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
##    ssl.verifyclient.username = "SSL_CLIENT_S_DN_emailAddress"
        }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

/var/log/lighttpd/access.log通过原始地址访问时的行192.168.1.20

1551209819|192.168.1.20|GET / HTTP/1.1|401|351

浏览器显示 401 未授权。是 SSL 失败还是有其他问题?

4

1 回答 1

1

$SERVER["socket"] == ":443" { ... }(或$SERVER["socket"] == "192.168.1.20:443" { ... })属于配置的顶层。放入$SERVER["socket"]其他lighttpd配置条件是错误的,即放入其中是错误的$HTTP["host"] == "192.168.1.20" { ... }

在通过加密的 TLS 通道接收 HTTP 请求之前,在套接字连接开始时协商 TLS。Host由于在协商 TLS 时还没有收到HTTP 请求头,所以放入任何其他条件都是无效$SERVER["socket"]的,例如$HTTP["host"]

于 2021-09-07T01:13:46.777 回答