wiki:TipAndDoc/network/httpd

Version 24 (modified by mitty, 12 years ago)

  • http://wiki.apache.org/httpd/InternalDummyConnection

    When the Apache HTTP Server manages its child processes, it needs a way to wake up processes that are listening for new connections. To do this, it sends a simple HTTP request back to itself. This request will appear in the access_log file with the remote address set to the loop-back interface (typically 127.0.0.1 or ::1 if IPv6 is configured). If you log the User-Agent string (as in the combined log format), you will see the server signature followed by "(internal dummy connection)" on non-SSL servers. During certain periods you may see up to one such request for each httpd child process.

suEXEC

Server Maintenance

  • ex) /etc/apache2/sites-available/default
            RewriteEngine On
            RewriteCond %{REQUEST_URI} !^/maintenance/.*
            RewriteRule ^.*$ - [R=503,L]
            ErrorDocument 503 /maintenance/
    

Name-based VirtualHost with SSL

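  • Is it possible to assign SSL to multiple domains with name-based virtual hosts?
    • The essential problem
      Considering the principles of the HTTP protocol and SSL, it is clearly impossible.
      A name-based virtual host selects which virtual host to serve by referring to the "Host" field in the HTTP request header,
      but with an SSL connection the HTTP request header is encrypted
      and cannot be referenced.
      
      To reference it, the encryption would have to be decrypted,
      but to decrypt it the certificates must be exchanged first.
      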
  • Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?
    • It is possible, but only if using a 2.2.12 or later web server, built with 0.9.8j or later OpenSSL. This is because it requires a feature that only the most recent revisions of the SSL specification added, called Server Name Indication (SNI).
    • The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request did not contain any Host: field, the server had no way to decide which SSL virtual host to use. Usually, it just used the first one it found which matched the port and IP address specified.
  • However, it is possible if the same wildcard certificate is specified for all VirtualHosts

mod_proxy

mod_rewrite