网站添加 https
来源:互联网 发布:电脑软件限制策略 编辑:程序博客网 时间:2024/05/22 12:41
网站添加 https
1.install certbot
https://certbot.eff.org/#debianjessie-apache
add to /etc/apt/source.list
deb http://ftp.debian.org/debian jessie-backports mainupdate source.listapt-get update
install
sudo apt-get install python-certbot-apache -t jessie-backports
2.generate a certificate
certbot certonly --email youremail@gmail.com --webroot -w /home/wwwroot/your.com -d your.com -d www.your.com config file in /etc/letsencrypt/configs/your.com .confcertificate in /etc/letsencrypt/live/your.com /$ ls /etc/letsencrypt/live/example.com/cert.pem #server cert only privkey.pem #private key chain.pem #intermediates fullchain.pem #server cert + intermediates
3.configrate apache
免费SSL证书Let’s Encrypt(certbot)安装使用教程
https://www.vpser.net/build/letsencrypt-certbot.html
Nginx和Apache的配置可以参考:https://www.vpser.net/build/letsencrypt-free-ssl.html 里的配置文件。
3.1 修改一下apache的配置文件
Apache在生成证书后也需要修改一下apache的配置文件 /usr/local/apache/conf/httpd.conf ,查找httpd-ssl将前面的#去掉。
3.2 修改httpd-ssl.conf
Apache 2.4如下:
cat >/usr/local/apache/conf/extra/httpd-ssl.conf
#有效的Listen 443AddType application/x-x509-ca-cert .crtAddType application/x-pkcs7-crl .crlSSLCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5SSLProxyCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5SSLHonorCipherOrder onSSLProtocol all -SSLv2 -SSLv3SSLProxyProtocol all -SSLv2 -SSLv3SSLPassPhraseDialog builtinSSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"SSLSessionCacheTimeout 300Mutex sysvsem default #需要注释掉SSLStrictSNIVHostCheck onEOF
3.3 修改对应apache虚拟主机配置文件
并在对应apache虚拟主机配置文件的最后下面添加上SSL部分的配置文件:
<VirtualHost *:443>DocumentRoot /home/wwwroot/www.vpser.net #网站目录ServerName www.vpser.net:443 #域名ServerAdmin licess@vpser.net #邮箱ErrorLog "/home/wwwlogs/www.vpser.net-error_log" #错误日志CustomLog "/home/wwwlogs/www.vpser.net-access_log" common #访问日志SSLEngine onSSLCertificateFile /etc/letsencrypt/live/www.vpser.net/fullchain.pem #改一下里面的域名就行SSLCertificateKeyFile /etc/letsencrypt/live/www.vpser.net/privkey.pem #改一下里面的域名就行<Directory "/home/wwwroot/www.vpser.net"> #网站目录SetOutputFilter DEFLATEOptions FollowSymLinksAllowOverride AllOrder allow,denyAllow from allDirectoryIndex index.html index.php</Directory></VirtualHost>
3.4 附录
generate SSL Configuration
https://mozilla.github.io/server-side-tls/ssl-config-generator/
这是通过生成器自动生成的
as follows:
add to /usr/local/apache/vhost/your.com.conf
其实要添加到 你的网站的conf文件里
<VirtualHost *:443>SSLEngine onSSLCertificateFile /etc/letsencrypt/live/zangcq.xyz/fullchain.pemSSLCertificateKeyFile /etc/letsencrypt/live/zangcq.xyz/privkey.pem#这段可用# Uncomment the following directive when using client certificate authentication#SSLCACertificateFile /path/to/ca_certs_for_client_authentication# HSTS (mod_headers is required) (15768000 seconds = 6 months)#Header always set Strict-Transport-Security "max-age=15768000"</VirtualHost>
add to /usr/local/apache/conf/extra/httpd-ssl.conf
intermediate configuration, tweak to your needs
#这段没用上SSLProtocol all -SSLv3SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSSSSLHonorCipherOrder onSSLCompression offOCSP Stapling, only in httpd 2.3.3 and laterSSLUseStapling onSSLStaplingResponderTimeout 5SSLStaplingReturnResponderErrors offSSLStaplingCache shmcb:/var/run/ocsp(128000)
4.restart apache
/etc/init.d/httpd restart
5.certificate 续期
- certificate enlarge
$ 5 2 10 * * /usr/bin/certbot renew –pre-hook “lnmp nginx stop” –post-hook “lnmp nginx start”
cerrbot的续期比原来的更加简单,因为证书只有90天,所以建议使用crontab进行自动续期:
crontab 里加上如下规则:0 3 /5 * /root/certbot-auto renew –renew-hook “/etc/init.d/nginx reload”
这样每5天就会执行一次所有域名的续期操作。当然时间也可以自行进行调整,建议别太频繁,因为他们都有请求次数的限制,如果需要强制更新可以在前面命令上加上 –force-renew 参数。
- 网站添加 https
- 给网站添加https访问连接
- 十大免费SSL证书:网站免费添加HTTPS加密
- 网站部署到Linux服务器上并添加https证书
- 十大免费SSL证书:网站免费添加HTTPS加密
- 八大免费SSL证书-给你的网站免费添加Https安全加密
- HTTPS 方式访问网站
- 【copy】搭HTTPS网站
- 为什么网站需要https?
- https 网站时代来临?
- 个人网站配置HTTPS
- 网站http to https
- 网站升级https
- curl 登录https网站
- 给网站加https
- 网站HTTPS认证
- 网站改为https协议
- 添加https证书信任
- "hello"和new String("hello")的区别
- 树莓派Qt——托盘显示CPU温度(2)
- new stdClass的用处
- Android实用的优惠券控件
- Shiro注解
- 网站添加 https
- UIActivityViewController使用
- Java实现数据结构——二叉查找树
- oracle进程介绍
- 面试15之用两个栈去实现一个队列
- 工厂模式(静态工厂模式、工厂方法模式、抽象工厂模式)
- Android 7.0 系统相机崩溃解决android.os.FileUriExposedException
- 排序算法——选择排序法
- Qt|Qt之鼠标样式