配置流程

一般情况下,httpd的安装,默认没有mod_ssl模块,需要通过yum自行安装。

  1. #可以通过httpd -M指令查询是否存在ssl模块
  2. #如果httpd.conf文件还没有配置ServerName,则-M操作会报错
  3. httpd -M |grep ssl
  4. #yum安装mod_ssl
  5. yum install -y mod_ssl.x86_64 
  6. systemctl restart httpd
  7. httpd -M|grep ssl
  8. #在httpd下创建一个存放ssl证书的cert目录
  9. mkdir cert
  10. #配置ssl
  11. vim conf.d/ssl.conf 
  12. #
  13. # When we also provide SSL we have to listen to the 
  14. # standard HTTPS port in addition.
  15. #
  16. Listen 443 https
  18. ##
  19. ##  SSL Global Context
  20. ##
  21. ##  All SSL configuration in this context applies both to
  22. ##  the main server and all SSL-enabled virtual hosts.
  23. ##
  25. #   Pass Phrase Dialog:
  26. #   Configure the pass phrase gathering process.
  27. #   The filtering dialog program (`builtin' is a internal
  28. #   terminal dialog) has to provide the pass phrase on stdout.
  29. SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
  31. #   Inter-Process Session Cache:
  32. #   Configure the SSL Session Cache: First the mechanism 
  33. #   to use and second the expiring timeout (in seconds).
  34. SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
  35. SSLSessionCacheTimeout  300
  37. #
  38. # Use "SSLCryptoDevice" to enable any supported hardware
  39. # accelerators. Use "openssl engine -v" to list supported
  40. # engine names.  NOTE: If you enable an accelerator and the
  41. # server does not start, consult the error logs and ensure
  42. # your accelerator is functioning properly. 
  43. #
  44. SSLCryptoDevice builtin
  45. #SSLCryptoDevice ubsec
  47. ##
  48. ## SSL Virtual Host Context
  49. ##
  51. <VirtualHost _default_:443>
  54. DocumentRoot "/var/www/html"
  55. ServerName www.hunzi.online
  56. ErrorLog logs/ssl_error_log
  57. TransferLog logs/ssl_access_log
  58. LogLevel warn
  59. SSLEngine on
  60. SSLHonorCipherOrder on
  61. SSLCipherSuite PROFILE=SYSTEM
  62. SSLProxyCipherSuite PROFILE=SYSTEM
  63. <FilesMatch "\.(cgi|shtml|phtml|php)$">
  64.     SSLOptions +StdEnvVars
  65. </FilesMatch>
  66. <Directory "/var/www/cgi-bin">
  67.     SSLOptions +StdEnvVars
  68. </Directory>
  69. BrowserMatch "MSIE [2-5]" \
  70.          nokeepalive ssl-unclean-shutdown \
  71.          downgrade-1.0 force-response-1.0
  72. CustomLog logs/ssl_request_log \
  73.           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  74. SSLProtocol all -SSLv2 -SSLv3
  75.     SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
  76.     SSLHonorCipherOrder on
  77.     SSLCertificateFile cert/www.hunzi.online_public.crt
  78.     SSLCertificateKeyFile cert/www.hunzi.online.key
  79.     SSLCertificateChainFile cert/www.hunzi.online_chain.crt
  80. </VirtualHost>
  81. #检查配置文件正确性
  82. httpd -t
  83. systemctl restart httpd

利用rewrite实现强制用户通过https访问服务

  1. RewriteEngine on
  2. RewriteCond %{SERVER_PORT} !^443$
  3. RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]