首先看一下阿里云官方的教程:
文件說明:
1. 證書文件xxxxxx.pem�,包含兩段內容,請不要刪除任何一段內容�����。
2. 如果是證書系統創建的CSR���,還包含:證書私鑰文件xxxxxxxx.key�、證書公鑰文件public.pem��、證書鏈文件chain.pem�����。
( 1 ) 在Apache的安裝目錄下創建cert目錄����,并且將下載的全部文件拷貝到cert目錄中����。如果申請證書時是自己創建的CSR文件���,請將對應的私鑰文件放到cert目錄下并且命名為xxxxxxxx.key��;
( 2 ) 打開 apache 安裝目錄下 conf 目錄中的 httpd.conf 文件���,找到以下內容并去掉“#”:
#LoadModule ssl_module modules/mod_ssl.so (如果找不到請確認是否編譯過 openssl 插件)#Include conf/extra/httpd-ssl.conf
( 3 ) 打開 apache 安裝目錄下 conf/extra/httpd-ssl.conf 文件 (也可能是conf.d/ssl.conf�����,與操作系統及安裝方式有關)��, 在配置文件中查找以下配置語句:
# 添加 SSL 協議支持協議���,去掉不安全的協議SSLProtocol all -SSLv2 -SSLv3# 修改加密套件如下SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUMSSLHonorCipherOrder on# 證書公鑰配置SSLCertificateFile cert/public.pem# 證書私鑰配置SSLCertificateKeyFile cert/xxxxxxx.key# 證書鏈配置,如果該屬性開頭有 '#'字符�����,請刪除掉SSLCertificateChainFile cert/chain.pem
( 4 ) 重啟 Apache�。
( 5 ) 通過 https 方式訪問您的站點,測試站點證書的安裝配置,如遇到證書不信任問題��,請查看幫助視頻����。
然而這只能參考。在Ubuntu下面�����,我是用apt安裝的Apache�,但是它沒有httpd.conf,只有一個apache2.conf���,好吧��,其實這個文件和httpd.conf差不多���,它里面是這樣注釋的:
# It is split into several files forming the configuration hierarchy outlined# below, all located in the /etc/apache2/ directory:## /etc/apache2/# |-- apache2.conf# | `-- ports.conf# |-- mods-enabled# | |-- *.load# | `-- *.conf# |-- conf-enabled# | `-- *.conf# `-- sites-enabled# `-- *.conf#
這個版本的Apache把配置文件分散到了其他小文件中,結構就是上面那樣子的���。你要是愿意的話,也可以自己寫一個httpd.conf然后include進去�����。
重點講一下https的配置����,第一步�����,你要保證你外部環境的443端口是打開的。
第二步確保你安裝了ssl_module����。沒有就apt-get install openssl ,可能還需要一些依賴�����,但是都是小問題��。
然后打開ports.conf����,以下幾句是不可少的:
<IfModule ssl_module> Listen 443</IfModule> <IfModule mod_gnutls.c> Listen 443</IfModule>
接著打開mods-available,找到ssl.conf和ssl.load
ssl.load長這樣:
# Depends: setenvif mime socache_shmcbLoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.sossl.conf長這樣:<IfModule mod_ssl.c> # Pseudo Random Number Generator (PRNG): # Configure one or more sources to seed the PRNG of the SSL library. # The seed data should be of good random quality. # WARNING! On some platforms /dev/random blocks if not enough entropy # is available. This means you then cannot use the /dev/random device # because it would lead to very long connection times (as long as # it requires to make more entropy available). But usually those # platforms additionally provide a /dev/urandom device which doesn't # block. So, if available, use this one instead. Read the mod_ssl User # Manual for more details. # SSLRandomSeed startup builtin SSLRandomSeed startup file:/dev/urandom 512 SSLRandomSeed connect builtin SSLRandomSeed connect file:/dev/urandom 512 ## ## SSL Global Context ## ## All SSL configuration in this context applies both to ## the main server and all SSL-enabled virtual hosts. ## # # Some MIME-types for downloading Certificates and CRLs # AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl # Pass Phrase Dialog: # Configure the pass phrase gathering process. # The filtering dialog program (`builtin' is a internal # terminal dialog) has to provide the pass phrase on stdout. SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase # Inter-Process Session Cache: # Configure the SSL Session Cache: First the mechanism # to use and second the expiring timeout (in seconds). # (The mechanism dbm has known memory leaks and should not be used). #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) SSLSessionCacheTimeout 300 # Semaphore: # Configure the path to the mutual exclusion semaphore the # SSL engine uses internally for inter-process synchronization. # (Disabled by default, the global Mutex directive consolidates by default # this) #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. See the # ciphers(1) man page from the openssl package for list of all available # options. # Enable only secure ciphers: SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM # SSL server cipher order preference: # Use server priorities for cipher algorithm choice. # Clients may prefer lower grade encryption. You should enable this # option if you want to enforce stronger encryption, and can afford # the CPU cost, and did not override SSLCipherSuite in a way that puts # insecure ciphers first. # Default: Off SSLHonorCipherOrder on # The protocols to enable. # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 # SSL v2 is no longer supported SSLProtocol all -SSLv2 -SSLv3 # Allow insecure renegotiation with clients which do not yet support the # secure renegotiation protocol. Default: Off #SSLInsecureRenegotiation on # Whether to forbid non-SNI clients to access name based virtual hosts. # Default: Off #SSLStrictSNIVHostCheck On </IfModule> # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
