Configuring SSL on Apache
Introduction
Preparation
- Install the httpd service
For detailed installation steps, see Apache installation.
- Install mod_ssl
# yum install mod_ssl -y
Note: running the step above adds a file named ssl.conf to the /etc/httpd/conf.d directory.
- Create the ssl directory
# mkdir /etc/httpd/ssl/
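- Upload the certificate files to the /etc/httpd/ssl directory
- For a self-made certificate, see X509 self-made certificates;
- A certificate can also be created through Let's Encrypt; see the encrypt certificate creation page.
Configuration
- Edit the following configuration file. File name: /etc/httpd/conf.d/ssl.conf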
Listen 443 https
# Modify the following inside the <VirtualHost _default_:443> section
# Enable SSL
SSLEngine on
ServerName www.siguadantang.com:443
SSLCertificateFile /etc/letsencrypt/live/siguadantang.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/siguadantang.com/privkey.pem
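- Edit the following configuration file. File name: /etc/httpd/conf/httpd.conf
# Configure HTTPS support
Change: inside the <Directory "/var/www/html"> block, change AllowOverride None to AllowOverride All
- Create the file .htaccess in the /var/www/html directory
# Create the redirect file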
$ touch .htaccess
# Edit the contents of the redirect file
$ vi .htaccess
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://www.siguadantang.com/$1 [R,L]
:wq
Restart the service
- Restart the apache service
# systemctl restart httpd
Verification
Click the following address: https://www.siguadantang.com
Sample configuration file
- File name: /etc/httpd/conf.d/ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ServerName www.siguadantang.com:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/letsencrypt/live/siguadantang.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/siguadantang.com/privkey.pem
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
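An added example, not part of the original page: a small Python audit of ssl.conf-style text that flags what the sample's SSLProtocol and SSLCipherSuite lines still leave enabled (TLSv1, TLSv1.1, 3DES), plus a comment placed after a directive on the same line. The function names, the expansion of "all" and the weak-cipher list are assumptions of this example, and the SSLProtocol handling is a simplified model of mod_ssl's parsing.

```python
import re

# Expansion of "all" is an assumption; the real set depends on the httpd/OpenSSL build.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK = {"3DES", "DES", "RC4", "MD5", "NULL", "aNULL", "eNULL", "EXPORT", "LOW"}

def enabled_protocols(args):
    """Simplified SSLProtocol model: bare token replaces, +token adds, -token removes."""
    enabled = set()
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = ALL if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= names
        else:
            enabled = enabled | names if sign == "+" else set(names)
    return enabled

def audit(conf_text):
    """Return (line_no, issue, detail) tuples for an ssl.conf-style text."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # httpd allows '#' comments only on their own line, not after a directive.
        if re.search(r"\s#", re.sub(r'"[^"]*"', "", line)):
            findings.append((no, "inline-comment", line))
            line = re.split(r"\s#", line, maxsplit=1)[0]
        name, *args = line.split()
        if name.lower() == "sslprotocol":
            legacy = sorted(enabled_protocols(args) & LEGACY)
            if legacy:
                findings.append((no, "legacy-protocol", ",".join(legacy)))
        elif name.lower() == "sslciphersuite" and args:
            # Only bare tokens add ciphers; "!X" and "-X" remove them.
            weak = [t for t in re.split(r"[:, ]+", args[-1]) if t in WEAK]
            if weak:
                findings.append((no, "weak-cipher", ",".join(weak)))
    return findings

# Constructed sample built from the directives shown on this page.
SAMPLE = """SSLEngine on #enable SSL
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A line such as `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` together with `SSLCipherSuite HIGH:!aNULL:!MD5:!3DES` produces no findings from this audit.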
Conclusion
- If mod_ssl is missing when configuring SSL, run the following command to install it
# yum install mod_ssl