介绍如何在apache 安装配置SSL证书,以及相关注意事项
准备所需文件
安装SSL证书到Apache服务器上, 我们需要3个文件,进入你的证书详情页去下载证书,解压后有一个 apache 文件夹,里面有这2个文件,分别是 服务器证书 server.crt 和中级证书 ca.crt 。第三个需要的文件是私钥,这是你提交订单前生成CSR的时候生成的,如果你在提交订单时候选择系统生成CSR的,请检查邮箱,有一封邮件主题是 “订单编号xxxx的CSR和私钥“的邮件,下载server.key 这个附件,这个文件就是私钥。
(1) . 服务器证书 server.crt;
(2) . 中级证书 ca.crt;
(3) . 私钥(Key) server.key;
配置Apache
参考下面的代码,在Apache目录下的 httpd.conf 文件增加一个虚拟主机
<VirtualHost *:443>
…
SSLEngine on
SSLCertificateKeyFile /etc/ssl/server.key
SSLCertificateFile /etc/ssl/server.crt
SSLCertificateChainFile /etc/ssl/ca.crtSSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off……..
</VirtualHost>
然后保存。重启Apache
/etc/init.d/httpd restart
Apache重定向http到https
在Apache服务器上,让安装了SSL证书的网站默认使用https访问网站,只需在网站目录下面的.htaccess 文件加上下面几行代码:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} 如果你的网站上面没有.htaccess文件, 你可以自己建立一个,然后将上面的代码复制过去即可。
如果你只是想让某个页面强制使用https访问,如访问 https://www.sslgood.com/123.html 自动跳转到 https://www.sslgood.com/123.html 可以参考如下代码
RewriteEngine On
RewriteRule ^123\.html$ https://www.sslgood.com/123.html [R=301,L]Apache的SSL证书安全与兼容性设置
禁用 SSLv2 and SSLv3
SSLProtocol All -SSLv2 -SSLv3如果Apache 2.2.24+ 以上版本 添加以下代码
SSLCompression off使用安全的Cipher Suite
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
如果想兼容XP/IE6 ,请使用以下的 Cipher Suite
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
Forward Secrecy & Diffie Hellman Ephemeral Parameters ,如果你用的 Apache 2.4.8以上 OpenSSL 1.0.2 或以上版本,可以运行一下命令
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096然后将以下代码添加到网站配置文件
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"根据你的apache版本不同, 将代码添加到apache的网站配置文件里面, 参考下面的例子
<VirtualHost *:443>
ServerAdmin webmaster@example.com
DocumentRoot "/home/sslgood"
ServerName www.sslgood.com
SSLEngine on
SSLCertificateKeyFile /usr/local/httpd/sslgood.key
SSLCertificateFile /usr/local/httpd/sslgood.crt
SSLCertificateChainFile /usr/local/httpd/sslgood.bundle
####///////////////////SSL安全设置代码 开始//////
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
SSLHonorCipherOrder on
SSLCompression off
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
#####//////////////////SSL安全设置代码 结束//////////
......
</VirtualHost>
QQ咨询
阿里旺旺
#skype#