A Detailed Guide to Configuring SSL (HTTPS Certificates) for Apache on Ubuntu the Right Way

Published: 2024-01-12
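First, let's look at the official Alibaba Cloud tutorial:

File description:
1. The certificate file xxxxxx.pem contains two sections; do not delete either of them.
2. If the CSR was created by the certificate system, the package also contains the certificate private key file xxxxxxxx.key, the certificate public key file public.pem, and the certificate chain file chain.pem.

(1) Create a cert directory under the Apache installation directory and copy all of the downloaded files into it. If you created the CSR file yourself when applying for the certificate, put the corresponding private key file in the cert directory and name it xxxxxxxx.key.

(2) Open the httpd.conf file in the conf directory under the Apache installation directory, find the following lines and remove the "#" (if you cannot find the first line, check whether the OpenSSL plug-in has been compiled):

    #LoadModule ssl_module modules/mod_ssl.so
    #Include conf/extra/httpd-ssl.conf

(3) Open the conf/extra/httpd-ssl.conf file under the Apache installation directory (it may instead be conf.d/ssl.conf, depending on the operating system and installation method) and look for the following configuration statements:

    # Add SSL protocol support and remove insecure protocols
    SSLProtocol all -SSLv2 -SSLv3
    # Change the cipher suite as follows
    SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
    SSLHonorCipherOrder on
    # Certificate public key configuration
    SSLCertificateFile cert/public.pem
    # Certificate private key configuration
    SSLCertificateKeyFile cert/xxxxxxx.key
    # Certificate chain configuration; if this directive starts with a '#' character, remove it
    SSLCertificateChainFile cert/chain.pem

(4) Restart Apache.

(5) Visit your site over HTTPS to test the certificate installation and configuration. If the certificate is reported as untrusted, see the help video.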
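A check that can be run over the step (3) directives before restarting Apache, given here as an added example that is not part of the Alibaba Cloud tutorial or of the original post. It resolves the `SSLProtocol` token list the way mod_ssl does and reports which protocols remain enabled; the function names and the `STRICT` variant are assumptions made for illustration, and the sample text is constructed from the directives above.

```python
LEGACY = {"sslv3", "tlsv1", "tlsv1.1"}     # TLS 1.0/1.1 were deprecated by RFC 8996
ALL = LEGACY | {"tlsv1.2", "tlsv1.3"}      # superset of what "all" may expand to
REQUIRED = ("SSLCertificateFile", "SSLCertificateKeyFile")

def parse_directives(text):
    """Map lowercased directive name -> argument list (last occurrence wins)."""
    found = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            found[name.lower()] = args   # directive names are case-insensitive
    return found

def effective_protocols(tokens):
    """Resolve SSLProtocol tokens: +x adds, -x removes, a bare x replaces."""
    enabled = set()
    for token in tokens:
        name = token.lstrip("+-").lower()
        group = ALL if name == "all" else {name}
        if token.startswith("-"):
            enabled -= group
        elif token.startswith("+"):
            enabled |= group
        else:
            enabled = set(group)
    return enabled

def audit(text):
    """Return a list of findings for one block of mod_ssl configuration."""
    d = parse_directives(text)
    findings = [f"missing {r}" for r in REQUIRED if r.lower() not in d]
    # Assumed default when SSLProtocol is absent: "all -SSLv3" (Apache 2.4.17+).
    protocols = effective_protocols(d.get("sslprotocol", ["all", "-SSLv3"]))
    findings += [f"legacy protocol enabled: {p}" for p in sorted(protocols & LEGACY)]
    suite = ":".join(d.get("sslciphersuite", [])).split(":")  # case-sensitive in OpenSSL
    findings += [f"cipher suite lacks {x}" for x in ("!aNULL", "!eNULL") if x not in suite]
    return findings

# Constructed samples: the directives from step (3), then a stricter variant.
TUTORIAL = """\
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
SSLHonorCipherOrder on
SSLCertificateFile cert/public.pem
SSLCertificateKeyFile cert/xxxxxxx.key
SSLCertificateChainFile cert/chain.pem
"""
STRICT = TUTORIAL.replace("all -SSLv2 -SSLv3", "all -SSLv3 -TLSv1 -TLSv1.1")
print(audit(TUTORIAL), audit(STRICT))
```

With the tutorial's `SSLProtocol` line, TLS 1.0 and TLS 1.1 are still negotiable; the stricter variant leaves only TLS 1.2 and later.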
However, this can only serve as a reference. On Ubuntu I installed Apache with apt, and it has no httpd.conf, only an apache2.conf. Fine, this file is really much the same as httpd.conf, and its comments say:

    # It is split into several files forming the configuration hierarchy outlined
    # below, all located in the /etc/apache2/ directory:
    #
    #   /etc/apache2/
    #   |-- apache2.conf
    #   |   `-- ports.conf
    #   |-- mods-enabled
    #   |   |-- *.load
    #   |   `-- *.conf
    #   |-- conf-enabled
    #   |   `-- *.conf
    #   `-- sites-enabled
    #       `-- *.conf
    #

This version of Apache spreads the configuration across several smaller files, laid out as shown above. If you like, you can also write your own httpd.conf and include it.
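Now for the HTTPS configuration itself. Step one: make sure port 443 is open in your external environment.

Step two: make sure ssl_module is installed. If it is not, run apt-get install openssl; a few dependencies may also be needed, but those are minor issues.

Then open ports.conf; the following lines are essential:

    <IfModule ssl_module>
        Listen 443
    </IfModule>

    <IfModule mod_gnutls.c>
        Listen 443
    </IfModule>

Next, open mods-available and find ssl.conf and ssl.load.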
ssl.load looks like this:

    # Depends: setenvif mime socache_shmcb
    LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so

ssl.conf looks like this:

    <IfModule mod_ssl.c>

        # Pseudo Random Number Generator (PRNG):
        # Configure one or more sources to seed the PRNG of the SSL library.
        # The seed data should be of good random quality.
        # WARNING! On some platforms /dev/random blocks if not enough entropy
        # is available. This means you then cannot use the /dev/random device
        # because it would lead to very long connection times (as long as
        # it requires to make more entropy available). But usually those
        # platforms additionally provide a /dev/urandom device which doesn't
        # block. So, if available, use this one instead. Read the mod_ssl User
        # Manual for more details.
        #
        SSLRandomSeed startup builtin
        SSLRandomSeed startup file:/dev/urandom 512
        SSLRandomSeed connect builtin
        SSLRandomSeed connect file:/dev/urandom 512

        ##
        ##  SSL Global Context
        ##
        ##  All SSL configuration in this context applies both to
        ##  the main server and all SSL-enabled virtual hosts.
        ##

        #
        #   Some MIME-types for downloading Certificates and CRLs
        #
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl .crl

        #   Pass Phrase Dialog:
        #   Configure the pass phrase gathering process.
        #   The filtering dialog program (`builtin' is a internal
        #   terminal dialog) has to provide the pass phrase on stdout.
        SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase

        #   Inter-Process Session Cache:
        #   Configure the SSL Session Cache: First the mechanism
        #   to use and second the expiring timeout (in seconds).
        #   (The mechanism dbm has known memory leaks and should not be used).
        #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
        SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
        SSLSessionCacheTimeout 300

        #   Semaphore:
        #   Configure the path to the mutual exclusion semaphore the
        #   SSL engine uses internally for inter-process synchronization.
        #   (Disabled by default, the global Mutex directive consolidates by default
        #   this)
        #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache

        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate. See the
        #   ciphers(1) man page from the openssl package for list of all available
        #   options.
        #   Enable only secure ciphers:
        SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNUL
