Adding HTTPS to a website
2017-04-25 10:01
1. Install certbot
https://certbot.eff.org/#debianjessie-apache
Add to /etc/apt/sources.list:
```
deb http://ftp.debian.org/debian jessie-backports main
```
Update the package lists from sources.list:
```bash
apt-get update
```
Install:
```bash
sudo apt-get install python-certbot-apache -t jessie-backports
```
2. Generate a certificate
```bash
certbot certonly --email youremail@gmail.com --webroot -w /home/wwwroot/your.com -d your.com -d www.your.com
```
The config file is in /etc/letsencrypt/configs/your.com.conf
The certificate is in /etc/letsencrypt/live/your.com/
```
$ ls /etc/letsencrypt/live/example.com/
cert.pem       # server cert only
privkey.pem    # private key
chain.pem      # intermediates
fullchain.pem  # server cert + intermediates
```
3. Configure Apache
Tutorial: installing and using free SSL certificates from Let's Encrypt (certbot)
https://www.vpser.net/build/letsencrypt-certbot.html
For the Nginx and Apache configuration, refer to the configuration files at https://www.vpser.net/build/letsencrypt-free-ssl.html
3.1 Edit the Apache configuration file
After the certificate has been generated, the Apache configuration file /usr/local/apache/conf/httpd.conf also has to be edited: search for httpd-ssl and remove the leading #.
3.2 Edit httpd-ssl.conf
For Apache 2.4:
```bash
cat >/usr/local/apache/conf/extra/httpd-ssl.conf<<'EOF'
# This one works
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5
SSLProxyCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
Mutex sysvsem default
# The following needs to be commented out:
# SSLStrictSNIVHostCheck on
EOF
```
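3.3 Edit the corresponding Apache virtual host configuration file
Then append the SSL section at the end of the corresponding Apache virtual host configuration file:
```apache
# Comments sit on their own lines: Apache does not allow a comment
# on the same line as a configuration directive.
<VirtualHost *:443>
    # Site directory
    DocumentRoot /home/wwwroot/www.vpser.net
    # Domain name
    ServerName www.vpser.net:443
    # Administrator e-mail
    ServerAdmin licess@vpser.net
    # Error log
    ErrorLog "/home/wwwlogs/www.vpser.net-error_log"
    # Access log
    CustomLog "/home/wwwlogs/www.vpser.net-access_log" common
    SSLEngine on
    # Just change the domain name in the next two paths
    SSLCertificateFile /etc/letsencrypt/live/www.vpser.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.vpser.net/privkey.pem
    # Site directory
    <Directory "/home/wwwroot/www.vpser.net">
        SetOutputFilter DEFLATE
        Options FollowSymLinks
        AllowOverride All
        # Apache 2.2-style access control; on 2.4 this needs mod_access_compat
        Order allow,deny
        Allow from all
        DirectoryIndex index.html index.php
    </Directory>
</VirtualHost>
```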
3.4 Appendix
Generate the SSL configuration
https://mozilla.github.io/server-side-tls/ssl-config-generator/
The following was produced automatically by the generator.
Add to /usr/local/apache/vhost/your.com.conf (that is, to the conf file of your own site):
```apache
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/zangcq.xyz/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/zangcq.xyz/privkey.pem
    # This block works

    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile /path/to/ca_certs_for_client_authentication

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    #Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
```
Add to /usr/local/apache/conf/extra/httpd-ssl.conf:
```apache
# intermediate configuration, tweak to your needs
# This block was not used
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
```
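An added check, not part of the original post: the shell function below scans an Apache TLS configuration for three things visible in the configurations above, namely `SSLProtocol all -SSLv2 -SSLv3` (which leaves TLS 1.0 and 1.1 enabled), 3DES entries in the cipher list, and the commented-out HSTS header. The names `audit_tls_conf` and `sample_conf` are hypothetical, and the sample input is constructed from the page's settings.

```shell
#!/bin/sh
# Added example: audit an Apache TLS config for weak settings.
# audit_tls_conf is a hypothetical helper; it reads FILE(s) or stdin.
audit_tls_conf() {
    awk '
    /^[ \t]*#/ { next }    # commented-out directives are inactive
    tolower($1) ~ /^ssl(proxy)?protocol$/ {
        has_all = 0; no10 = 0; no11 = 0
        for (i = 2; i <= NF; i++) {
            if (tolower($i) == "all") has_all = 1
            if ($i == "-TLSv1")       no10 = 1
            if ($i == "-TLSv1.1")     no11 = 1
        }
        # "all" expands to every protocol version the build supports
        if (has_all && !(no10 && no11))
            print "line " NR ": " $1 " leaves TLS 1.0/1.1 enabled"
    }
    tolower($1) ~ /^ssl(proxy)?ciphersuite$/ {
        n = split($2, c, ":")
        for (i = 1; i <= n; i++) {
            # entries starting with ! or - are exclusions, not offers
            if (c[i] !~ /^[!-]/ && c[i] ~ /3DES|DES-CBC3/) {
                print "line " NR ": " $1 " offers 3DES (" c[i] ")"
                break
            }
        }
    }
    tolower($1) == "header" && tolower($0) ~ /strict-transport-security/ {
        hsts = 1
    }
    END { if (!hsts) print "no active Strict-Transport-Security header" }
    ' "$@"
}

# Constructed sample built from the settings shown on this page.
sample_conf() {
    cat <<'EOF'
SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+3DES:RSA+3DES:!MD5
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
#Header always set Strict-Transport-Security "max-age=15768000"
EOF
}

sample_conf | audit_tls_conf
```

Run it against a real file with `audit_tls_conf /usr/local/apache/conf/extra/httpd-ssl.conf`; an empty result means none of the three conditions was found.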
4. Restart Apache
```bash
/etc/init.d/httpd restart
```
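5. Certificate renewal
```
5 2 10 * * /usr/bin/certbot renew --pre-hook "lnmp nginx stop" --post-hook "lnmp nginx start"
```
Renewal with certbot is simpler than it used to be. Because a certificate is valid for only 90 days, automatic renewal through crontab is recommended.
Add the following rule to crontab:
```
0 3 */5 * * /root/certbot-auto renew --renew-hook "/etc/init.d/nginx reload"
```
With this rule the renewal runs for all domains every 5 days. The schedule can of course be adjusted, but it should not run too often, because there are limits on the number of requests. To force a renewal, add the --force-renew parameter to the command above.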