首页 > 网站 > Apache > 正文

详解在Ubuntu上的Apache配置SSL(https证书)的正确姿势

2024-08-27 18:27:07
字体:
来源:转载
供稿:网友

首先看一下阿里云官方的教程:

文件说明:

1. 证书文件xxxxxx.pem,包含两段内容,请不要删除任何一段内容。

2. 如果是证书系统创建的CSR,还包含:证书私钥文件xxxxxxxx.key、证书公钥文件public.pem、证书链文件chain.pem。

( 1 ) 在Apache的安装目录下创建cert目录,并且将下载的全部文件拷贝到cert目录中。如果申请证书时是自己创建的CSR文件,请将对应的私钥文件放到cert目录下并且命名为xxxxxxxx.key;

( 2 ) 打开 apache 安装目录下 conf 目录中的 httpd.conf 文件,找到以下内容并去掉“#”:

#LoadModule ssl_module modules/mod_ssl.so (如果找不到请确认是否编译过 openssl 插件)#Include conf/extra/httpd-ssl.conf

( 3 ) 打开 apache 安装目录下 conf/extra/httpd-ssl.conf 文件 (也可能是conf.d/ssl.conf,与操作系统及安装方式有关), 在配置文件中查找以下配置语句:

# 添加 SSL 协议支持协议,去掉不安全的协议SSLProtocol all -SSLv2 -SSLv3# 修改加密套件如下SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUMSSLHonorCipherOrder on# 证书公钥配置SSLCertificateFile cert/public.pem# 证书私钥配置SSLCertificateKeyFile cert/xxxxxxx.key# 证书链配置,如果该属性开头有 '#'字符,请删除掉SSLCertificateChainFile cert/chain.pem

( 4 ) 重启 Apache。

( 5 ) 通过 https 方式访问您的站点,测试站点证书的安装配置,如遇到证书不信任问题,请查看帮助视频。

然而这只能参考。在Ubuntu下面,我是用apt安装的Apache,但是它没有httpd.conf,只有一个apache2.conf,好吧,其实这个文件和httpd.conf差不多,它里面是这样注释的:

# It is split into several files forming the configuration hierarchy outlined# below, all located in the /etc/apache2/ directory:## /etc/apache2/# |-- apache2.conf# | `-- ports.conf# |-- mods-enabled# | |-- *.load# | `-- *.conf# |-- conf-enabled# | `-- *.conf# `-- sites-enabled# `-- *.conf#

这个版本的Apache把配置文件分散到了其他小文件中,结构就是上面那样子的。你要是愿意的话,也可以自己写一个httpd.conf然后include进去。

重点讲一下https的配置,第一步,你要保证你外部环境的443端口是打开的。

第二步确保你安装了ssl_module。没有就apt-get install openssl ,可能还需要一些依赖,但是都是小问题。

然后打开ports.conf,以下几句是不可少的:

<IfModule ssl_module> Listen 443</IfModule> <IfModule mod_gnutls.c> Listen 443</IfModule>

接着打开mods-available,找到ssl.conf和ssl.load

ssl.load长这样:

# Depends: setenvif mime socache_shmcbLoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.sossl.conf长这样:<IfModule mod_ssl.c>  # Pseudo Random Number Generator (PRNG): # Configure one or more sources to seed the PRNG of the SSL library. # The seed data should be of good random quality. # WARNING! On some platforms /dev/random blocks if not enough entropy # is available. This means you then cannot use the /dev/random device # because it would lead to very long connection times (as long as # it requires to make more entropy available). But usually those # platforms additionally provide a /dev/urandom device which doesn't # block. So, if available, use this one instead. Read the mod_ssl User # Manual for more details. # SSLRandomSeed startup builtin SSLRandomSeed startup file:/dev/urandom 512 SSLRandomSeed connect builtin SSLRandomSeed connect file:/dev/urandom 512  ## ## SSL Global Context ## ## All SSL configuration in this context applies both to ## the main server and all SSL-enabled virtual hosts. ##  # # Some MIME-types for downloading Certificates and CRLs # AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl  # Pass Phrase Dialog: # Configure the pass phrase gathering process. # The filtering dialog program (`builtin' is a internal # terminal dialog) has to provide the pass phrase on stdout. SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase  # Inter-Process Session Cache: # Configure the SSL Session Cache: First the mechanism  # to use and second the expiring timeout (in seconds). # (The mechanism dbm has known memory leaks and should not be used). #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) SSLSessionCacheTimeout 300  # Semaphore: # Configure the path to the mutual exclusion semaphore the # SSL engine uses internally for inter-process synchronization.  # (Disabled by default, the global Mutex directive consolidates by default # this) #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache   # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. See the # ciphers(1) man page from the openssl package for list of all available # options. # Enable only secure ciphers: SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM  # SSL server cipher order preference: # Use server priorities for cipher algorithm choice. # Clients may prefer lower grade encryption. You should enable this # option if you want to enforce stronger encryption, and can afford # the CPU cost, and did not override SSLCipherSuite in a way that puts # insecure ciphers first. # Default: Off SSLHonorCipherOrder on  # The protocols to enable. # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 # SSL v2 is no longer supported SSLProtocol all -SSLv2 -SSLv3  # Allow insecure renegotiation with clients which do not yet support the # secure renegotiation protocol. Default: Off #SSLInsecureRenegotiation on  # Whether to forbid non-SNI clients to access name based virtual hosts. # Default: Off #SSLStrictSNIVHostCheck On </IfModule> # vim: syntax=apache ts=4 sw=4 sts=4 sr noet            
发表评论 共有条评论
用户名: 密码:
验证码: 匿名发表