apache 开启https访问

最新推荐文章于 2025-04-29 09:49:25 发布

会飞的爱迪生

最新推荐文章于 2025-04-29 09:49:25 发布

阅读量580

点赞数 2

分类专栏： apache与php 文章标签： apache https 网络协议

本文链接：https://blog.youkuaiyun.com/qq_25096749/article/details/139177204

版权

apache与php 专栏收录该内容

32 篇文章

订阅专栏

要求，既能http访问，又能https访问

环境：CentOS release 6.7 (Final)
编译安装：Apache/2.4.2

部署好Apache环境后，开始

购买ssl证书网站：https://www.wosign.com/

目前SSL证书分为两种：
一、多域名使用多张SSL证书，需要apache\nginx 支持SNI
二、多域名使用一张SSL证书（通配证书），要求SSL证书支持通配
在这里插入图片描述

注意：防火墙允许443端口

1、安装SSL模块

[root@www ~]# yum install mod_ssl openssl
装mod_ssl会创建一个默认的SSL证书，路径位于/etc/pki/tls
安装完成，直接重启Apache服务
[root@localhost ~]# /alidata/server/httpd/bin/httpd -t
Syntax OK
[root@localhost ~]# /alidata/server/httpd/bin/httpd -k restart

2、使用openssl 手动创建证书（这里我们不用默认证书），如果是购买的证书就不用创建了
如果购买的证书是其它格式的可以直接该后缀名：cer pem crt 后缀可以直接改

openssl genrsa -out server.key 1024  （创建私钥）
openssl req -new -key server.key -out server.csr   （创建CSR文件）
openssl x509 -days 3650 -req -in server.csr -signkey server.key -out server.crt（创建crt证书）
mkdir /etc/pki/tls/mycert  （创建证书存放目录）
mv server.* /etc/pki/tls/mycert    （把证书都拷过去）

3、指定证书路径

购买的证书会有这三个文件：
GeoTrust SSL CA - G3.crt（中级CA证书）  
server.crt（服务器证书）  
server.key（证书密钥）

(1) 将生成的ssl.conf 移动到 apache 安装目录下（我这里用自带的httpd-ssl.conf）
cp -a /etc/httpd/conf.d/ssl.conf    /alidata/server/httpd/conf/extra/
vi /alidata/server/httpd/conf/extra/ssl.conf 
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/mycert/server.crt             （服务器证书存放目录）
 
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you’ve both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/mycert/server.key            （证书私钥存放目录）

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
SSLCertificateChainFile /etc/pki/tls/mycert/ca.crt             （把#去掉，CA证书）


(2) 将生成的mod_ssl.so 移动到 apache 安装目录下
cp -a /etc/httpd/modules/mod_ssl.so /alidata/server/httpd/modules/   （如果有就不用了）

4、修改httpd.conf

(1) 开启相关模块
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/ssl.conf       调用ssl.conf 文件，这个文件在： /alidata/server/httpd/conf/extra/ssl.conf

(2) 重启apache
[root@localhost ~]# /alidata/server/httpd/bin/httpd -t
Syntax OK
[root@localhost ~]# /alidata/server/httpd/bin/httpd -k restart
[root@localhost ~]# netstat  -npult|grep httpd
tcp        0      0 :::80                       :::*                        LISTEN      10555/httpd         
tcp        0      0 :::443                      :::*                        LISTEN      10555/httpd 


(1)遇到的apache 启动报错：
AH00526: Syntax error on line 42 of /alidata/server/httpd/conf/extra/ssl.conf:
Invalid command 'SSLMutex', perhaps misspelled or defined by a module not included in the server configuration

解决：
对于apache  2.4 直接禁用：修改/alidata/server/httpd/conf/extra/ssl.conf  42行
SSLMutex  default  改为：#SSLMutex  default



(2)ssl模块已经加载：
 module ssl_module is already loaded, skipping

解决：加上#号
#LoadModule ssl_module modules/mod_ssl.so

5、增加虚拟主机


(1) 添加基于http的虚拟主机
################################# http://www.playyx.com ####################
<VirtualHost *:80>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
        DocumentRoot /alidata/www/www.playyx.com
        ServerName www.playyx.com
        ServerAlias   playyx.com
        <Directory "/alidata/www/www.playyx.com">
            Options  FollowSymLinks
            AllowOverride all
            Order allow,deny
            Allow from all
        </Directory>
RewriteRule ^/games/xialan/(.*)  http://www.playyx.com/games/xl/$1 [R=permanent,L]
ErrorDocument 404 /404.html
#CustomLog "|/usr/local/cronolog/sbin/cronolog /alidata/log/httpd/www_access_%Y%m%d.log" combined
  ErrorLog "|/usr/local/cronolog/sbin/cronolog /alidata/log/httpd/www_error_%Y%m%d.log"
<Files ~ "\.(txt|cvs|svn|git|hg|bzr)$">
Order allow,deny
Deny from all
</Files>
</VirtualHost>

############################  http://hjh.playyx.com  rewrite ###################
<VirtualHost *:80>
        ServerName hjh.playyx.com
        RewriteEngine on
        RewriteRule ^(.*) http://www.playyx.com/games/hjh/ [R=permanent,L]
</VirtualHost>

(2) 根据上面的做增加/修改
################################# https://www.playyx.com ##############################
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile        /etc/pki/tls/mycert/server.crt              （服务器证书）
SSLCertificateKeyFile /etc/pki/tls/mycert/server.key             （证书私钥）
SSLCertificateChainFile /usr/local/ssl/crt/ca.crt                      (CA中级证书)

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
        DocumentRoot /alidata/www/www.playyx.com
        ServerName www.playyx.com
       ServerAlias   playyx.com
        <Directory "/alidata/www/www.playyx.com">
            Options  FollowSymLinks
            AllowOverride all
            Order allow,deny
            Allow from all
        </Directory>
RewriteRule ^/games/xialan/(.*)  https://www.playyx.com/games/xl/$1 [R=permanent,L]
ErrorDocument 404 /404.html
#CustomLog "|/usr/local/cronolog/sbin/cronolog /alidata/log/httpd/www_access_%Y%m%d.log" combined
#ErrorLog "|/usr/local/cronolog/sbin/cronolog /alidata/log/httpd/www_error_%Y%m%d.log"
<Files ~ "\.(txt|cvs|svn|git|hg|bzr)$">
Order allow,deny
Deny from all
</Files>
</VirtualHost>

####################################  https://hjh.playyx.com  rewrite ############################
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile    /etc/pki/tls/mycert/server.crt
SSLCertificateKeyFile /etc/pki/tls/mycert/server.key

        ServerName hjh.playyx.com
        RewriteEngine on
        RewriteRule ^(.*) https://www.playyx.com/games/hjh/ [R=permanent,L]

</VirtualHost>

#前提是www.playyx.com 可以用https访问

只要把基于80端口的虚拟主机再次复制一份，增加/修改以下就OK 了
1、修改端口
<VirtualHost *:443> 80改为443

2、开启ca认证
SSLEngine on
SSLCertificateFile /etc/pki/tls/mycert/server.crt （服务器证书）
SSLCertificateKeyFile /etc/pki/tls/mycert/server.key （证书私钥）

3、如果有rewrite 需要改为https
RewriteRule ^/games/xialan/(.*) https://www.playyx.com/games/xl/$1 [R=permanent,L]

4、日志可以禁用（可选）
#ErrorLog “|/usr/local/cronolog/sbin/cronolog /alidata/log/httpd/www_error_%Y%m%d.log”

6、重启apache测试

访问：http://www.playyx.com/game/xialan   跳转到  http://www.playyx.com/game/xl
访问：https://www.playyx.com/game/xialan  跳转到  https://www.playyx.com/game/xl
访问：http://hjh.playyx.com       跳转到     http://www.playyx.com/game/hjh
访问：https://hjh.playyx.com      跳转到     https://www.playyx.com/game/hjh