Aug 29
[Ubuntu 10.04] Configuring SSL on Apache 2.2
[Reference] http://onlamp.com/pub/a/onlamp/2008/03/04/step-by-step-configuring-ssl-under-apache.html
p.s. Some of the original content has been cut, and a few small errors in the original article have been corrected.
1. Generate the SSL certificate:
1) If openssl is not installed, install it with sudo apt-get install openssl.
2) Generate a self-signed certificate with the command below, replacing HOSTNAME with the domain the site will be reached by (the browser compares that name against the certificate). See the original article for the meaning of each parameter and for how to have the certificate signed by a CA instead. The -sha1 and rsa:1024 in the command were the defaults of the time; current practice is -sha256 and rsa:2048 or larger. When the command finishes you have two files: server.crt is the certificate (it carries the public key) and must be readable by the user Apache runs as; server.key is the private key and should be chmod 600.
$ openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt -subj '/O=Company/OU=Department/CN=HOSTNAME'
3) Copy server.crt and server.key to /etc/apache2/ssl/. The path can be changed, but the paths in the configuration file below must then be changed to match.
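Step 1 as one runnable script, added here as an example (it is not code from the original post or from the onlamp article). It generates the key and self-signed certificate, fixes the permissions, and then performs the checks that save a failed restart later: that server.crt really belongs to server.key, that the CN is the name you will browse to, and that the key ended up with mode 600. Unlike the post's command it uses -sha256 and rsa:2048; the directory and the hostname www.example.com are values assumed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: do step 1 end to end and
# check the result before copying it to /etc/apache2/ssl/. Unlike the
# post's command this uses -sha256 and rsa:2048; -sha1 and rsa:1024 were
# the 2010 defaults and are rejected or warned about by current clients.
# DEMO_DIR and the hostname are values assumed for this example.

# gen_selfsigned DIR HOSTNAME: write DIR/server.key (mode 600) and
# DIR/server.crt (mode 644), valid for one year.
gen_selfsigned() {
    gs_dir=$1; gs_host=$2
    mkdir -p "$gs_dir" || return 1
    # umask 077 in a subshell: the key is never world-readable, not even
    # for the instant between openssl writing it and chmod running.
    (umask 077 && openssl req -new -x509 -days 365 -sha256 -newkey rsa:2048 -nodes \
        -keyout "$gs_dir/server.key" -out "$gs_dir/server.crt" \
        -subj "/O=Company/OU=Department/CN=$gs_host" >/dev/null 2>&1) || return 1
    chmod 600 "$gs_dir/server.key" || return 1
    chmod 644 "$gs_dir/server.crt"      # the Apache user only needs read access
}

# keypair_matches DIR: succeed only if server.crt was issued for the public
# key in server.key. Comparing the RSA modulus of both files is the usual
# way to catch a crt/key mix-up before Apache refuses to start.
keypair_matches() {
    km_crt=$(openssl x509 -noout -modulus -in "$1/server.crt" 2>/dev/null) || return 1
    km_key=$(openssl rsa  -noout -modulus -in "$1/server.key" 2>/dev/null) || return 1
    [ -n "$km_crt" ] && [ "$km_crt" = "$km_key" ]
}

# cert_cn DIR: print the CN the server will present; it has to be the name
# users type into the browser. Handles both "CN=host" and "CN = host" output.
cert_cn() {
    openssl x509 -noout -subject -in "$1/server.crt" |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_mode DIR: octal permission bits of the private key (GNU or BSD stat).
key_mode() {
    stat -c '%a' "$1/server.key" 2>/dev/null || stat -f '%Lp' "$1/server.key"
}

# Sample run with constructed values:
DEMO_DIR=${TMPDIR:-/tmp}/apache2-ssl-demo.$$
if gen_selfsigned "$DEMO_DIR" www.example.com && keypair_matches "$DEMO_DIR"; then
    echo "CN=$(cert_cn "$DEMO_DIR") key mode=$(key_mode "$DEMO_DIR") in $DEMO_DIR"
    echo "Next: sudo cp $DEMO_DIR/server.crt $DEMO_DIR/server.key /etc/apache2/ssl/"
fi
```

Run it as the user who will copy the files into place: cert_cn should print exactly the name you intend to put in the URL, and key_mode should print 600 before anything is copied to /etc/apache2/ssl/. The modulus comparison is the check to remember whenever Apache refuses to start with a certificate/key mismatch error.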
2. Configure Apache
1) Enable mod_ssl: $ sudo a2enmod ssl
2) cd to /etc/apache2/sites-available and create a new configuration file named "ssl" with the following content:
<IfModule mod_ssl.c>
# Note: these four lines must stay outside the VirtualHost block (the original
# article's Apache 1.3 may have accepted them inside it; 2.2 does not).
# On Ubuntu, a2enmod ssl also enables mods-enabled/ssl.conf, which already sets
# SSLRandomSeed and SSLSessionCache, and /usr/local/apache2/logs is not the
# Ubuntu directory layout: either drop these four lines or point the cache at a
# directory that exists and is writable by Apache.
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
SSLSessionCacheTimeout 600
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    <Directory />
        # Reject any request to this vhost that did not arrive over SSL
        SSLRequireSSL
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    # Protocol and cipher settings as in the original (2010). Today SSLv3 must
    # not be enabled (POODLE), and "+MD5" in an OpenSSL cipher string only moves
    # the MD5 suites to the end of the list instead of removing them; use
    # "SSLProtocol all -SSLv2 -SSLv3" and a cipher string containing !MD5 instead.
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
    # These two paths must match where server.crt and server.key were copied in step 1
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLVerifyClient none
    SSLProxyEngine off
    <IfModule mime.c>
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl .crl
    </IfModule>
    # Work around the broken SSL shutdown of old Internet Explorer versions
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/ssl_access.log combined
    # Ubuntu's default alias for package documentation, reachable from localhost only
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
</IfModule>
3) Create the symlink:
$ cd /etc/apache2/sites-enabled
$ sudo ln -s ../sites-available/ssl
4) Restart apache2:
$ sudo /etc/init.d/apache2 restart
3. Visit the site at https://HOSTNAME. Because the certificate is self-signed, the browser will warn that it is not trusted; that is expected with this setup.
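Before the restart in step 2.4 it is worth checking the "ssl" file from step 2.2 for the settings that were acceptable in 2010 but are not now. The script below is an added example, not code from the post: it resolves SSLProtocol the way mod_ssl does ("all"/"-all", "+X", "-X"), flags SSLv2/SSLv3, a cipher string that does not exclude MD5 or anonymous suites, and a private key that other users can read. The sample weak.conf reproduces the post's directives; hardened.conf, the protocol list used for "all", and the temp directory are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit the SSL directives of a
# vhost file before running "apache2 restart". It reports the two settings
# in the post's config that are no longer acceptable (SSLv3 enabled, MD5
# ciphers only re-ordered rather than excluded) and a private key that
# other users can read. The sample files below are constructed here; the
# hardened values are this example's suggestion, not the post's.

# enabled_protocols FILE: resolve the last SSLProtocol line the way mod_ssl
# does ("all"/"-all" set or clear everything, "+X"/"X" add, "-X" remove) and
# print the resulting protocols, space-separated. The list used for "all"
# covers the 2.2 keywords plus TLSv1.1/TLSv1.2 from 2.4 (an assumption).
enabled_protocols() {
    awk '
        $1 == "SSLProtocol" {
            n = split("SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2", all, " ")
            for (k in on) delete on[k]
            for (i = 2; i <= NF; i++) {
                tok = $i
                if (tok == "all" || tok == "+all") { for (j = 1; j <= n; j++) on[all[j]] = 1 }
                else if (tok == "-all")            { for (k in on) delete on[k] }
                else if (substr(tok, 1, 1) == "-") { delete on[substr(tok, 2)] }
                else if (substr(tok, 1, 1) == "+") { on[substr(tok, 2)] = 1 }
                else                               { on[tok] = 1 }
            }
            out = ""
            for (j = 1; j <= n; j++) if (all[j] in on) out = out " " all[j]
            print substr(out, 2)
        }' "$1" | tail -n 1
}

# last_value FILE DIRECTIVE: argument of the last occurrence of a directive.
last_value() {
    awk -v d="$2" '$1 == d { print $2 }' "$1" | tail -n 1
}

# audit_ssl_vhost FILE: print one line per finding; the exit status is the
# number of findings, so 0 means clean.
audit_ssl_vhost() {
    av_n=0
    av_protos=$(enabled_protocols "$1")
    case " $av_protos " in
        "  ") echo "WEAK: no SSLProtocol line; mod_ssl 2.2 defaults to all (incl. SSLv2/SSLv3)"; av_n=$((av_n + 1)) ;;
        *" SSLv2 "*|*" SSLv3 "*) echo "WEAK: SSLProtocol enables: $av_protos"; av_n=$((av_n + 1)) ;;
    esac
    av_ciphers=$(last_value "$1" SSLCipherSuite)
    # OpenSSL cipher-string syntax: "+MD5" only moves MD5 suites to the end,
    # "!MD5" removes them for good; only the latter counts as excluded.
    case ":$av_ciphers:" in
        *":!MD5:"*) ;;
        *) echo "WEAK: SSLCipherSuite does not exclude MD5 suites: $av_ciphers"; av_n=$((av_n + 1)) ;;
    esac
    case ":$av_ciphers:" in
        *":!aNULL:"*) ;;
        *) echo "WEAK: SSLCipherSuite allows anonymous (unauthenticated) suites"; av_n=$((av_n + 1)) ;;
    esac
    av_key=$(last_value "$1" SSLCertificateKeyFile)
    if [ -n "$av_key" ] && [ -e "$av_key" ]; then
        av_mode=$(stat -c '%a' "$av_key" 2>/dev/null || stat -f '%Lp' "$av_key")
        case "$av_mode" in
            600|400) ;;
            *) echo "WEAK: $av_key has mode $av_mode, expected 600"; av_n=$((av_n + 1)) ;;
        esac
    fi
    return $av_n
}

# Constructed samples: the post's directives as written, and a hardened version.
DEMO=${TMPDIR:-/tmp}/ssl-audit-demo.$$
mkdir -p "$DEMO"
cat > "$DEMO/weak.conf" <<'EOF'
<VirtualHost *:443>
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
</VirtualHost>
EOF
cat > "$DEMO/hardened.conf" <<'EOF'
<VirtualHost *:443>
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
</VirtualHost>
EOF
audit_ssl_vhost "$DEMO/weak.conf"     || echo "weak.conf: $? finding(s)"
audit_ssl_vhost "$DEMO/hardened.conf" && echo "hardened.conf: clean"
```

Point it at /etc/apache2/sites-available/ssl once the file exists; a vhost-level SSLProtocol or SSLCipherSuite overrides the global one from mods-enabled/ssl.conf, so the vhost file is the one that matters. After the audit comes back clean, sudo apache2ctl configtest catches syntax errors before the restart in step 2.4 takes the server down.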
When reprinting, please state that this comes from , and if the post is itself a reprint, give the original source. Thank you :)
RSS feed: https://www.felix021.com/blog/feed.php