腾讯云一键HTTPS服务
若之前使用过一键HTTPS的话,先解决一键HTTPS服务修改DNS解析域,定向到CNAME的问题。
困扰了我半个多小时= =
HTTPS服务证书安装
参考了以下两个链接:
在Ubuntu上的Apache配置SSL(https证书)的正确姿势
首先是按照腾讯云教程下载证书等,这里就不再详细赘述。主要是针对Ubuntu系统下利用 apt-get安装 Apache之后的情况。与CentOS的情况不同,在Ubuntu下Apache服务的默认地址是/etc/apache2/,且以这样子的方式陈列,
# It is split into several files forming the configuration hierarchy outlined # below, all located in the /etc/apache2/ directory: # # /etc/apache2/ # |-- apache2.conf # | `-- ports.conf # |-- mods-enabled # | |-- *.load # | `-- *.conf # |-- conf-enabled # | `-- *.conf # `-- sites-enabled # `-- *.conf
首先要确保局域网防火墙443接口是打开的,然后确保安装了openssl
apt-get install opanessl
然后是在ports.conf文件中,确保含有以下几句:
<IfModule ssl_module> Listen 443 </IfModule> <IfModule mod_gnutls.c> Listen 443 </IfModule>
最后是ssl.conf、ssl.load文件的启用。ssl.load长这样
# Depends: setenvif mime socache_shmcb LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
所有/*-avaliable的文件夹下的文件都是默认没有被启用的,对于添加SSL规则需要启用新的文件。要做的就是复制/mods-avaliable文件夹下的ssl.conf, ssl.load文件到/mods-enables里面,或者也可以手动添加进执行列表,只需要修改apache2.conf文件中的includeOption那一块代码即可。 对于ssl.conf文件,这里提供一个模板,
<IfModule mod_ssl.c>
<VirtualHost 0.0.0.0:443>
DocumentRoot "/var/www/html"
#填写证书名称
ServerName ***.com
#启用 SSL 功能
SSLEngine on
#证书文件的路径
SSLCertificateFile ***.crt
#私钥文件的路径
SSLCertificateKeyFile ***.key
#证书链文件的路径
SSLCertificateChainFile ***.crt
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
# BrowserMatch "MSIE [2-6]" \
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
然后重启apache2服务即可。
sudo systemctl restart apache2