Ниже приведен тестовый параметр для проверки того, будет ли lighttpd аутентифицироваться на основе IP-адреса, когда он включен в сертификат subjectAltNames , например,
subjectAltNames = IP: 192.168.1.20
Конфиг:
$HTTP["host"] == "192.168.1.20" {
# Ensure the Pi-hole Block Page knows that this is not a blocked domain
setenv.add-environment = ("fqdn" => "true")
# Enable the SSL engine with a LE cert, only for this specific host
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/Pihole-Home-Lan/private/Pihole-Home-Lan.key-crt.pem"
# ssl.ca-file = "/etc/lighttpd/ssl/Pihole-Home-Lan/public/Pihole-Home-Lan-fullchain.pem"
ssl.ca-file = "/etc/lighttpd/ssl/Pihole-Home-Lan/public/Home-Lan.crt.pem"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
# client side authentification
ssl.verifyclient.activate = "enable"
ssl.verifyclient.enforce = "enable"
ssl.verifyclient.depth = "10"
ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
## ssl.verifyclient.username = "SSL_CLIENT_S_DN_emailAddress"
}
# Redirect HTTP to HTTPS
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
}
Строка с /var/log/lighttpd/access.log при доступе по необработанному адресу 192.168.1.20:
1551209819|192.168.1.20|GET / HTTP/1.1|401|351
Браузер показывает 401 Не авторизовано,Это сбой SSL или есть другая проблема?