centos配置https(nginx,apache)
2016-09-04 17:55
567 查看
1,生成公私钥,证书文件
公私钥和证书都可以自己生成,也可以让CA机构来生成。自己生成的证书是不受浏览器信任的,浏览器会弹出警告。
如果要让CA机构来生成证书,需要提交网站的域名,公司的信息。以及你网站的公钥等信息,如果你是自己生成的公私钥的话。
也有一些免费的CA证书,比如沃通就提供免费的CA证书,只需要提交域名以及认证域名。
CA机构会给你一个签名文件,把这个签名文件和私钥文件放在网站的配置文件夹下,后面会用到。
将域名解析到对应的主机IP。
2 使用yum安装好php,nginx,apache,以及Apache的ssl模块
yum install php
yum install nginx
yum install apache
yum install mod_ssl
3 apache下的配置
加载ssl模块:LoadModule ssl_module modules/mod_ssl.so
修改/etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/nginx/ssl/certification.crt //签名的证书文件
SSLCertificateKeyFile /etc/nginx/ssl/pri.key //私钥文件
保存 重启Apache,通过https访问网站,如果一个网站同时提供http和https,当你访问http时会自动跳转到相应的http页面
4 nginx下的配置
修改/etc/nginx/conf.d/ssl.conf,如果没有则新建
server {
listen 443 ssl;
server_name _;
server_name yourdomain.com;
# tell users to go to SSL version next time
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains;";
# tell the browser dont allow hosting in a frame
add_header X-Frame-Options DENY;
# tell the browser we can only talk to self and google analytics.
add_header X-Content-Security-Policy "default-src 'self'; \
script-src 'self' https://ssl.google-analytics.com; \
img-src 'self' https://ssl.google-analytics.com";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ciphers chosen and ordered for mix of performance, interoperability and security
#ssl_ciphers AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
# ciphers chosen for security (drop RC4:HIGH if you are not worried about BEAST).
#ssl_ciphers RC4:HIGH:HIGH:!aNULL:!MD5;
# ciphers chosen for FIPS compliance.
#ssl_ciphers !aNULL:!eNULL:FIPS@STRENGTH;
# ciphers chosen for forward secrecy an compatibility
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
location ~ \.php/?.*$ {
#fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_max_temp_file_size 0;
fastcgi_buffer_size 4K;
fastcgi_buffers 64 4k;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
include fastcgi_params;
}
ssl_prefer_server_ciphers on;
ssl_certificate_key /etc/nginx/ssl/pri.key;
ssl_certificate /etc/nginx/ssl/certification.crt;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# enable ocsp stapling
#resolver 8.8.8.8;
ssl_stapling on;
#ssl_trusted_certificate certs.d/example.cer;
# let nginx handle the static resources
location ~ ^/(htm/|html/|images/|img/|javascript/|js/|css/|stylesheets/|flash/|media/|static/|robots.txt|humans.txt|favicon.ico) {
root /usr/share/nginx/html;
access_log off;
expires @30m;
}
}
重启nginx,用https访问,nginx里http的配置和https的配置是相互独立的,比如对php的解析,要在80和443端口的server块里都要配置,如果不配置则访问php时会直接显示
php源码或者弹出下载。
其实https的配置简单来说就两步:1 生成公私钥,证书文件。 2 使web服务器支持https,配置证书和私钥文件的路径
把一个http站点转化为https更难的地方在于怎么解决转化后所带来的问题,比如在https站点引用了http的资源浏览器默认不会加载这些http的资源,因为浏览器认为这是不安全的。
公私钥和证书都可以自己生成,也可以让CA机构来生成。自己生成的证书是不受浏览器信任的,浏览器会弹出警告。
如果要让CA机构来生成证书,需要提交网站的域名,公司的信息。以及你网站的公钥等信息,如果你是自己生成的公私钥的话。
也有一些免费的CA证书,比如沃通就提供免费的CA证书,只需要提交域名以及认证域名。
CA机构会给你一个签名文件,把这个签名文件和私钥文件放在网站的配置文件夹下,后面会用到。
将域名解析到对应的主机IP。
2 使用yum安装好php,nginx,apache,以及Apache的ssl模块
yum install php
yum install nginx
yum install apache
yum install mod_ssl
3 apache下的配置
加载ssl模块:LoadModule ssl_module modules/mod_ssl.so
修改/etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/nginx/ssl/certification.crt //签名的证书文件
SSLCertificateKeyFile /etc/nginx/ssl/pri.key //私钥文件
保存 重启Apache,通过https访问网站,如果一个网站同时提供http和https,当你访问http时会自动跳转到相应的http页面
4 nginx下的配置
修改/etc/nginx/conf.d/ssl.conf,如果没有则新建
server {
listen 443 ssl;
server_name _;
server_name yourdomain.com;
# tell users to go to SSL version next time
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains;";
# tell the browser dont allow hosting in a frame
add_header X-Frame-Options DENY;
# tell the browser we can only talk to self and google analytics.
add_header X-Content-Security-Policy "default-src 'self'; \
script-src 'self' https://ssl.google-analytics.com; \
img-src 'self' https://ssl.google-analytics.com";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ciphers chosen and ordered for mix of performance, interoperability and security
#ssl_ciphers AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
# ciphers chosen for security (drop RC4:HIGH if you are not worried about BEAST).
#ssl_ciphers RC4:HIGH:HIGH:!aNULL:!MD5;
# ciphers chosen for FIPS compliance.
#ssl_ciphers !aNULL:!eNULL:FIPS@STRENGTH;
# ciphers chosen for forward secrecy an compatibility
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
location ~ \.php/?.*$ {
#fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_max_temp_file_size 0;
fastcgi_buffer_size 4K;
fastcgi_buffers 64 4k;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
include fastcgi_params;
}
ssl_prefer_server_ciphers on;
ssl_certificate_key /etc/nginx/ssl/pri.key;
ssl_certificate /etc/nginx/ssl/certification.crt;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# enable ocsp stapling
#resolver 8.8.8.8;
ssl_stapling on;
#ssl_trusted_certificate certs.d/example.cer;
# let nginx handle the static resources
location ~ ^/(htm/|html/|images/|img/|javascript/|js/|css/|stylesheets/|flash/|media/|static/|robots.txt|humans.txt|favicon.ico) {
root /usr/share/nginx/html;
access_log off;
expires @30m;
}
}
重启nginx,用https访问,nginx里http的配置和https的配置是相互独立的,比如对php的解析,要在80和443端口的server块里都要配置,如果不配置则访问php时会直接显示
php源码或者弹出下载。
其实https的配置简单来说就两步:1 生成公私钥,证书文件。 2 使web服务器支持https,配置证书和私钥文件的路径
把一个http站点转化为https更难的地方在于怎么解决转化后所带来的问题,比如在https站点引用了http的资源浏览器默认不会加载这些http的资源,因为浏览器认为这是不安全的。
相关文章推荐
- Centos6.3下Apache配置https证书访问
- Centos nginx https 配置 (单项验证通过,双向未验证)
- 如何在CentOS配置Apache的HTTPS服务
- 如何在CentOS配置Apache的HTTPS服务
- CentOS生成自签名证书配置Apache https
- CentOS 安装配置 Apache, nginx, SVN, Trac 日志
- 在CentOS配置Apache的HTTPS服务
- Apache 使用ssl模块配置HTTPS(Centos7 httpd2.4.6)
- Linux|CentOS+Nginx+Apache+MySQL+PHP+Tomcat的配置教程,完美支持PHP、JAVA
- centos配置apache的https服务
- Centos下apache配置https
- CentOS 6.3+apache+nginx+mysql+php环境配置
- 如何在CentOS配置Apache的HTTPS服务
- CentOS7 配置Nginx支持HTTPS访问的实现方案
- Centos中查看nginx、apache、php、mysql配置文件路径
- Centos中查看nginx、apache、php、mysql配置文件路径
- CentOS 6.5系统下配置Apache的https证书
- 在linux(centos)使用openssl生成https证书并配置到nginx的实现过程
- Centos6.5服务器环境搭建之安装Nginx以及Https访问方式的配置
- 为微信小程序开发做准备,在Centos 6.8下利用letsencrypt.sh脚本为nginx 配置免费https证书