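Tencent Cloud One-Click HTTPS Service
If you have used One-Click HTTPS before, first deal with the fact that the One-Click HTTPS service changed the domain's DNS record to point to a CNAME.
This cost me more than half an hour = =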
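Installing the HTTPS certificate
I referred to the following two links:
The right way to configure SSL (HTTPS certificate) for Apache on Ubuntu
First, download the certificate files by following the Tencent Cloud tutorial; I won't go into detail here. This post mainly covers the situation after Apache has been installed with apt-get on Ubuntu. Unlike on CentOS, the default location of the Apache configuration on Ubuntu is /etc/apache2/, and it is laid out like this: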
    # It is split into several files forming the configuration hierarchy outlined
    # below, all located in the /etc/apache2/ directory:
    #
    #   /etc/apache2/
    #   |-- apache2.conf
    #   |   `-- ports.conf
    #   |-- mods-enabled
    #   |   |-- *.load
    #   |   `-- *.conf
    #   |-- conf-enabled
    #   |   `-- *.conf
    #   `-- sites-enabled
    #       `-- *.conf
First make sure that port 443 is open on the LAN firewall, then make sure openssl is installed:
apt-get install openssl
Next, make sure the ports.conf file contains the following lines:
    <IfModule ssl_module>
        Listen 443
    </IfModule>

    <IfModule mod_gnutls.c>
        Listen 443
    </IfModule>
Finally, enable the ssl.conf and ssl.load files. ssl.load looks like this:
    # Depends: setenvif mime socache_shmcb
    LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
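Files in the *-available directories are not enabled by default, so adding the SSL rules means enabling new files. What you need to do is copy ssl.conf and ssl.load from the mods-available directory into mods-enabled. Alternatively, you can add them to the include list by hand by editing the IncludeOptional section of apache2.conf. For ssl.conf, here is a template: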
    <IfModule mod_ssl.c>
        <VirtualHost 0.0.0.0:443>
            DocumentRoot "/var/www/html"
            # Enter the certificate's domain name
            ServerName ***.com
            # Enable SSL
            SSLEngine on
            # Path to the certificate file
            SSLCertificateFile ***.crt
            # Path to the private key file
            SSLCertificateKeyFile ***.key
            # Path to the certificate chain file
            SSLCertificateChainFile ***.crt

            # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
            # error, crit, alert, emerg.
            # It is also possible to configure the loglevel for particular
            # modules, e.g.
            #LogLevel info ssl:warn

            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined

            # For most configuration files from conf-available/, which are
            # enabled or disabled at a global level, it is possible to
            # include a line for only one particular virtual host. For example the
            # following line enables the CGI configuration for this host only
            # after it has been globally disabled with "a2disconf".
            #Include conf-available/serve-cgi-bin.conf

            # SSL Engine Switch:
            # Enable/Disable SSL for this virtual host.
            SSLEngine on

            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
            </Directory>

            # SSL Protocol Adjustments:
            # The safe and default but still SSL/TLS standard compliant shutdown
            # approach is that mod_ssl sends the close notify alert but doesn't wait for
            # the close notify alert from client. When you need a different shutdown
            # approach you can use one of the following variables:
            # o ssl-unclean-shutdown:
            #   This forces an unclean shutdown when the connection is closed, i.e. no
            #   SSL close notify alert is send or allowed to received. This violates
            #   the SSL/TLS standard but is needed for some brain-dead browsers. Use
            #   this when you receive I/O errors because of the standard approach where
            #   mod_ssl sends the close notify alert.
            # o ssl-accurate-shutdown:
            #   This forces an accurate shutdown when the connection is closed, i.e. a
            #   SSL close notify alert is send and mod_ssl waits for the close notify
            #   alert of the client. This is 100% SSL/TLS standard compliant, but in
            #   practice often causes hanging connections with brain-dead browsers. Use
            #   this only for browsers where you know that their SSL implementation
            #   works correctly.
            # Notice: Most problems of broken clients are also related to the HTTP
            # keep-alive facility, so you usually additionally want to disable
            # keep-alive for those clients, too. Use variable "nokeepalive" for this.
            # Similarly, one has to force some clients to use HTTP/1.0 to workaround
            # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
            # "force-response-1.0" for this.
            # BrowserMatch "MSIE [2-6]" \
            #     nokeepalive ssl-unclean-shutdown \
            #     downgrade-1.0 force-response-1.0

        </VirtualHost>
    </IfModule>

    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Then just restart the apache2 service.
sudo systemctl restart apache2
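
A check worth running before the restart above, as an added example that is not part of the original post: it confirms that ports.conf has an active Listen 443, that the `***` placeholders in the ssl.conf template were replaced with files that exist, and that the private key is not readable by group or others. The function names `check_tls_conf` and `directive_values` are hypothetical, and the script assumes the certificate paths in ssl.conf are absolute.

```sh
#!/bin/sh
# Added example (not from the original post): pre-restart check of ssl.conf and ports.conf.
# Assumption: file paths in ssl.conf are absolute and contain no spaces.

# Print the first argument of each active (uncommented) directive $2 in file $1.
directive_values() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2; gsub(/"/, "", v); print v }' "$1"
}

# check_tls_conf SSL_CONF PORTS_CONF -> returns 0 if every check passes, 1 otherwise.
check_tls_conf() {
    conf=$1; ports=$2; rc=0

    # ports.conf needs an active "Listen 443" (optionally "Listen addr:443").
    grep -Eq '^[[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?443([[:space:]]|$)' "$ports" ||
        { echo "FAIL: no active 'Listen 443' in $ports"; rc=1; }

    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        vals=$(directive_values "$conf" "$d")
        # The chain file is optional; the certificate and the key are not.
        if [ -z "$vals" ] && [ "$d" != SSLCertificateChainFile ]; then
            echo "FAIL: $d is not set in $conf"; rc=1
        fi
        while IFS= read -r p; do
            [ -n "$p" ] || continue
            case $p in
                *\**) echo "FAIL: $d still holds the template placeholder: $p"; rc=1; continue ;;
            esac
            [ -f "$p" ] || { echo "FAIL: $d file not found: $p"; rc=1; continue; }
            # The private key must not be readable by group or others.
            if [ "$d" = SSLCertificateKeyFile ] &&
               [ -n "$(find -L "$p" \( -perm -040 -o -perm -004 \) -print)" ]; then
                echo "FAIL: private key is group/world readable: $p"; rc=1
            fi
        done <<EOF
$vals
EOF
    done
    return $rc
}
```

Call it as `check_tls_conf /etc/apache2/mods-enabled/ssl.conf /etc/apache2/ports.conf`; running `sudo apache2ctl configtest` afterwards catches syntax errors that this script does not look for.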