
Adding HTTPS to a website

2017-04-25 10:01

1. Install certbot

Follow the Debian jessie / Apache instructions at https://certbot.eff.org/#debianjessie-apache

Add the jessie-backports repository to /etc/apt/sources.list:

deb http://ftp.debian.org/debian jessie-backports main

Update the package lists:

apt-get update


Install the Apache plugin from backports:

sudo apt-get install python-certbot-apache -t jessie-backports

2. Generate a certificate

certbot certonly --email youremail@gmail.com --webroot -w /home/wwwroot/your.com -d your.com -d www.your.com

The webroot authenticator writes the challenge file below /home/wwwroot/your.com/.well-known/acme-challenge/, so the plain-HTTP (port 80) vhost for your.com must already serve that directory, or validation fails.

The renewal configuration is written to /etc/letsencrypt/renewal/your.com.conf

The certificate and key are in /etc/letsencrypt/live/your.com/ (symlinks to the versioned files in /etc/letsencrypt/archive/your.com/, so the paths stay the same across renewals):

$ ls /etc/letsencrypt/live/example.com/
cert.pem        # server certificate only
privkey.pem     # private key; keep it readable by root only
chain.pem       # intermediate certificate(s)
fullchain.pem   # server certificate + intermediates (the file Apache should serve)


3. Configure Apache

Reference: Free SSL certificate Let's Encrypt (certbot) installation and usage tutorial

https://www.vpser.net/build/letsencrypt-certbot.html

The Nginx and Apache configuration files in https://www.vpser.net/build/letsencrypt-free-ssl.html can be used as a template.

3.1 Edit the main Apache configuration file

After the certificate has been generated, Apache's /usr/local/apache/conf/httpd.conf also needs a change: find the line containing httpd-ssl (the commented-out Include of conf/extra/httpd-ssl.conf) and remove the leading #. The LoadModule lines for mod_ssl and, for the shmcb caches used below, mod_socache_shmcb must be active as well.

3.2 Edit httpd-ssl.conf

For Apache 2.4 the file looks like this. Apache only accepts # comments at the start of a line, never after a directive, so all annotations are on their own lines:

cat >/usr/local/apache/conf/extra/httpd-ssl.conf <<'EOF'
# working configuration
Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# EECDH+CHACHA20-draft only matches on OpenSSL builds that carry the pre-RFC ChaCha20
# ciphers; stock OpenSSL skips the name. RSA+AES* allows static-RSA key exchange without
# forward secrecy, and the +3DES entries keep 64-bit-block 3DES reachable (SWEET32);
# drop them unless very old clients must be supported.
SSLCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5
SSLProxyCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5
SSLHonorCipherOrder on

# Disables SSLv2/SSLv3 but still allows TLS 1.0 and 1.1; "-all +TLSv1.2" is the
# stricter choice if no legacy clients are needed.
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3

SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

# leave commented out (per the note in the original guide)
#Mutex sysvsem default

SSLStrictSNIVHostCheck on
EOF


3.3 Edit the corresponding Apache virtual host configuration file

Append the SSL section to the end of the corresponding Apache virtual host configuration file (again with the comments on their own lines, since Apache does not allow them after a directive):

<VirtualHost *:443>
    # site directory
    DocumentRoot /home/wwwroot/www.vpser.net
    # domain
    ServerName www.vpser.net:443
    # admin mailbox
    ServerAdmin licess@vpser.net
    # error log
    ErrorLog "/home/wwwlogs/www.vpser.net-error_log"
    # access log
    CustomLog "/home/wwwlogs/www.vpser.net-access_log" common

    SSLEngine on
    # only the domain inside these two paths needs changing; fullchain.pem carries the intermediate
    SSLCertificateFile /etc/letsencrypt/live/www.vpser.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.vpser.net/privkey.pem

    # site directory
    <Directory "/home/wwwroot/www.vpser.net">
        # response compression over TLS exposes secrets in dynamic pages to BREACH-style attacks
        SetOutputFilter DEFLATE
        Options FollowSymLinks
        AllowOverride All
        # Apache 2.2 access syntax; on 2.4 it needs mod_access_compat, the native form is "Require all granted"
        Order allow,deny
        Allow from all
        DirectoryIndex index.html index.php
    </Directory>
</VirtualHost>


3.4 Appendix

Generate an SSL configuration with the Mozilla generator:

https://mozilla.github.io/server-side-tls/ssl-config-generator/

The following was produced automatically by the generator.

Add to /usr/local/apache/vhost/your.com.conf (that is, to your own site's conf file):

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile      /etc/letsencrypt/live/zangcq.xyz/fullchain.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/zangcq.xyz/privkey.pem
# this part is in use
# Uncomment the following directive when using client certificate authentication
#SSLCACertificateFile    /path/to/ca_certs_for_client_authentication

# HSTS (mod_headers is required) (15768000 seconds = 6 months)
#Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>


Add to /usr/local/apache/conf/extra/httpd-ssl.conf

Intermediate configuration, tweak to your needs. This part was not used (the 3.2 settings were kept instead). Note that this 2017 "intermediate" profile still leaves TLS 1.0/1.1 on and ends with DES-CBC3 (3DES) suites; remove those if no legacy clients are needed.

# intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv3

SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

SSLHonorCipherOrder     on

SSLCompression          off

# OCSP Stapling, only in httpd 2.3.3 and later
# (SSLStaplingCache must be set at server level, outside any VirtualHost)
SSLUseStapling          on

SSLStaplingResponderTimeout 5

SSLStaplingReturnResponderErrors off

SSLStaplingCache        shmcb:/var/run/ocsp(128000)
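The settings in 3.2, 3.3 and 3.4 are easy to get subtly wrong: a trailing # comment breaks the whole file, "all -SSLv2 -SSLv3" still leaves TLS 1.0/1.1 on, the 3DES entries stay reachable, and cert.pem instead of fullchain.pem drops the intermediate. The following is an added example, not code from the original page, from Apache or from certbot: a standard-library-only Python audit that parses such a fragment and reports those issues. The two embedded configurations are constructed for the demo (one mirrors the 3.2/3.3 settings above, the other is a hardened variant); the example.com paths are placeholders.

```python
"""Audit an Apache mod_ssl configuration fragment for the pitfalls discussed in section 3.

Added example (not code from the original page, Apache or certbot); standard library only.
Only the last occurrence of each directive counts, so audit one vhost at a time.
"""

WEAK_CIPHER_TOKENS = ("3DES", "DES-CBC3", "RC4", "MD5", "NULL", "EXPORT")
EPHEMERAL_KX = ("ECDHE", "EECDH", "DHE", "EDH")


def parse_directives(text):
    """Return [(lineno, directive, args)] for non-blank, non-comment, non-tag lines.

    Apache recognises '#' only at the start of a line; a '#' later on the line
    stays inside args, and audit_ssl_config() reports it as an error.
    """
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#<":
            continue
        parts = stripped.split(None, 1)
        out.append((lineno, parts[0], parts[1] if len(parts) > 1 else ""))
    return out


def audit_ssl_config(text):
    """Return [(lineno, message)]; lineno 0 means the directive is missing entirely."""
    findings, seen = [], {}
    for lineno, name, args in parse_directives(text):
        if "#" in args:
            findings.append((lineno, "trailing '#' comment: Apache does not accept comments after a directive"))
            args = args.split("#", 1)[0].strip()  # audit what the author meant
        key = name.lower()
        seen[key] = (lineno, args)
        if key == "header" and "strict-transport-security" in args.lower():
            seen["hsts"] = (lineno, args)

    def setting(key):
        return seen.get(key, (0, ""))

    # Protocol versions: "all -SSLv2 -SSLv3" still leaves TLS 1.0 and 1.1 on.
    lineno, args = setting("sslprotocol")
    if not args:
        findings.append((0, "SSLProtocol not set; set it explicitly to TLSv1.2 and later"))
    else:
        tokens = args.split()
        enables_all = any(t.lower() in ("all", "+all") for t in tokens)
        enabled = {t.lstrip("+").lower() for t in tokens if not t.startswith("-")}
        disabled = {t[1:].lower() for t in tokens if t.startswith("-")}
        legacy = {"tlsv1", "tlsv1.1"}
        if enables_all and "sslv3" not in disabled:
            findings.append((lineno, "SSLv3 still enabled (POODLE)"))
        if (enables_all and not legacy <= disabled) or (enabled & legacy):
            findings.append((lineno, "TLS 1.0/1.1 still enabled; prefer '-all +TLSv1.2' (+TLSv1.3 on httpd 2.4.36+)"))

    # Cipher string: flag weak primitives and elements that allow static-RSA key exchange.
    lineno, args = setting("sslciphersuite")
    for element in args.strip('"').split(":"):
        if not element or element[0] in "!-" or "@" in element:
            continue  # removed/negated element, or a sort directive such as @STRENGTH
        upper = element.upper()
        weak = next((w for w in WEAK_CIPHER_TOKENS if w in upper), None)
        if weak:
            findings.append((lineno, f"weak cipher element {element!r} ({weak})"))
        elif not any(kx in upper for kx in EPHEMERAL_KX):
            findings.append((lineno, f"{element!r} allows non-forward-secret (static RSA) key exchange"))

    if setting("sslhonorcipherorder")[1].lower() != "on":
        findings.append((setting("sslhonorcipherorder")[0], "SSLHonorCipherOrder should be on so the server's preference wins"))
    if setting("sslcompression")[1].lower() != "off":
        findings.append((setting("sslcompression")[0], "SSLCompression should be explicitly off (CRIME)"))
    if setting("sslusestapling")[1].lower() != "on":
        findings.append((setting("sslusestapling")[0], "OCSP stapling off; set SSLUseStapling on and SSLStaplingCache at server level"))
    if "hsts" not in seen:
        findings.append((0, "no Strict-Transport-Security header (Header always set ..., needs mod_headers)"))
    lineno, path = setting("sslcertificatefile")
    if path.strip('"').rsplit("/", 1)[-1] == "cert.pem" and "sslcertificatechainfile" not in seen:
        findings.append((lineno, "SSLCertificateFile points at cert.pem; serve fullchain.pem so clients get the intermediate"))
    return findings


# Constructed sample mirroring the 3.2/3.3 settings above (paths are placeholders).
LEGACY_CONFIG = """\
Listen 443
SSLCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
Mutex sysvsem default #needs to be commented out
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
"""

# Constructed hardened variant (the TLSv1.3 token needs httpd 2.4.36+ with OpenSSL 1.1.1).
HARDENED_CONFIG = """\
Listen 443
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder on
SSLCompression off
SSLUseStapling on
SSLStaplingCache shmcb:/var/run/ocsp(128000)
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit_ssl_config(cfg))} finding(s)")
        for lineno, msg in audit_ssl_config(cfg):
            print(f"  line {lineno}: {msg}")
```

Run it against the concatenation of httpd-ssl.conf and one vhost file; the legacy sample yields ten findings (the trailing comment, TLS 1.0/1.1, two 3DES and two static-RSA cipher elements, cert.pem, missing HSTS, compression and stapling), the hardened one none. The check is a lint of the text, not a handshake test: after fixing the file, still confirm the live server with a scanner or openssl s_client.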


4. Restart Apache

Check the syntax first (apachectl configtest), then restart:

/etc/init.d/httpd restart

5. Certificate renewal

A crontab entry as used on an LNMP host (the original line, cleaned up):

5 2 10 * * /usr/bin/certbot renew --pre-hook "lnmp nginx stop" --post-hook "lnmp nginx start"

The stop/start hooks are only needed when certbot's standalone authenticator has to bind port 80 itself. With the webroot method from step 2 the web server keeps running, and for the Apache setup on this page a --post-hook that performs the restart from step 4 is enough.

Renewal with certbot is simpler than before. Because the certificates are only valid for 90 days, automatic renewal from crontab is recommended:

Add the following rule to crontab: 0 3 */5 * * /root/certbot-auto renew --renew-hook "/etc/init.d/nginx reload"

This runs the renewal for all domains every 5 days. The interval can be adjusted; certbot renew only requests a new certificate when fewer than 30 days of validity remain, so a frequent schedule is cheap, but Let's Encrypt rate-limits requests. If a renewal must be forced, add --force-renewal to the command by hand; do not put it in the scheduled job, since it re-issues on every run and counts against those limits.
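Both the files laid out in step 2 and the renewal job above assume that what sits in the live directory is a consistent, still-valid certificate for the key Apache loads. As an added example, not part of the original page or of certbot, here is a POSIX sh function that checks exactly that with nothing but the openssl CLI; the live-directory path is an assumption taken from step 2 and the 30-day default mirrors the point at which certbot renew starts renewing.

```shell
#!/bin/sh
# Sanity checks for a certbot "live" directory (cert.pem, privkey.pem, chain.pem,
# fullchain.pem) using only the openssl CLI. Added example; not part of the
# original page or of certbot.
#
# check_le_live LIVE_DIR [MIN_DAYS]
#   0: key matches cert, cert chains to chain.pem, valid for >= MIN_DAYS more days
#   1: key mismatch   2: expiring sooner than MIN_DAYS   3: chain broken   4: file missing
check_le_live() {
    live_dir=$1
    min_days=${2:-30}
    cert="$live_dir/cert.pem"
    key="$live_dir/privkey.pem"
    chain="$live_dir/chain.pem"

    for f in "$cert" "$key" "$chain" "$live_dir/fullchain.pem"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 4; }
    done

    # 1. The certificate's public key must be the one derived from the private key.
    cert_spki=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_spki=$(openssl pkey -in "$key" -pubout | openssl sha256)
    if [ "$cert_spki" != "$key_spki" ]; then
        echo "privkey.pem does not belong to cert.pem" >&2
        return 1
    fi

    # 2. -checkend exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "cert.pem expires within $min_days days ($(openssl x509 -in "$cert" -noout -enddate))" >&2
        return 2
    fi

    # 3. cert.pem must be issued by the intermediate shipped in chain.pem;
    #    -partial_chain lets that (non-root) intermediate act as the trust anchor.
    if ! openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "cert.pem does not chain to chain.pem" >&2
        return 3
    fi

    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Example invocation (path assumed from step 2):
# check_le_live /etc/letsencrypt/live/your.com 30
```

Run it once after step 2 and again from the renewal hook (before the Apache restart), so a renewal that produced a mismatched or broken set of files is noticed before the server reloads it; certbot renew --dry-run exercises the hooks against the staging CA without consuming rate limit.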
Tags: ubuntu server