Obtain an SSL certificate. You will need the following files:
- domain.crt (the server certificate)
- intermediate.crt (the CA's intermediate certificate)
- domain.key (the private key)
Confirm that Apache is installed:
apache2 -v
# or
httpd -v
Enable the SSL module (mod_ssl):
# Debian/Ubuntu
sudo a2enmod ssl
sudo systemctl restart apache2
# CentOS/RHEL
sudo yum install mod_ssl
sudo systemctl restart httpd
Upload the certificate files to the server. The recommended locations are:
/etc/ssl/certs/ # certificate files
/etc/ssl/private/ # private key files
Edit the SSL configuration file (the location depends on the distribution):
- /etc/apache2/sites-available/default-ssl.conf (Debian/Ubuntu)
- /etc/httpd/conf.d/ssl.conf (CentOS/RHEL)
<VirtualHost *:443>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/domain.crt
    SSLCertificateKeyFile /etc/ssl/private/domain.key
    # SSLCertificateChainFile is deprecated since Apache 2.4.8; newer versions
    # read the intermediates appended to the SSLCertificateFile instead
    SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
    # other settings...
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Enable the SSL site and reload Apache:
# Debian/Ubuntu
sudo a2ensite default-ssl
sudo systemctl reload apache2
# CentOS/RHEL
sudo systemctl restart httpd
Add the following to the virtual host on port 80 so that HTTP requests are redirected to HTTPS:
<VirtualHost *:80>
    ServerName yourdomain.com
    Redirect permanent / https://yourdomain.com/
</VirtualHost>
# Disable insecure protocols and cipher suites
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
# HSTS (requires mod_headers: a2enmod headers on Debian/Ubuntu)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# OCSP stapling; SSLStaplingCache must be set at server level, outside any <VirtualHost>
SSLUseStapling on
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
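As an added example (not from the original article), the following POSIX shell script lints an Apache configuration file for the hardening directives above: it reports an SSLProtocol line that still permits SSLv2, SSLv3, TLSv1 or TLSv1.1, SSLHonorCipherOrder not set to on, a missing Strict-Transport-Security header, and stapling not enabled. The configuration files it writes are constructed samples for the demonstration. It goes slightly beyond the article's single SSLProtocol line by also accepting the allow-list form (SSLProtocol -all +TLSv1.2 +TLSv1.3).

```shell
#!/bin/sh
# Added example (not from the original article): a small linter for the
# TLS hardening directives. It reads an Apache config file and reports
# settings that are missing or still permit legacy protocols.

# Constructed sample: the kind of weak settings found in an unmodified
# default-ssl.conf (contents made up for this example).
write_weak_conf() {
  cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName yourdomain.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLHonorCipherOrder off
</VirtualHost>
EOF
}

# Constructed sample: the hardened directives from the article.
write_hardened_conf() {
  cat > "$1" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
SSLUseStapling on
EOF
}

# Constructed sample: the same policy written allow-list style, which the
# linter must also accept.
write_allowlist_conf() {
  cat > "$1" <<'EOF'
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
SSLUseStapling on
EOF
}

# lint_ssl_conf FILE: prints one finding per line; the exit status is the
# number of findings (0 means nothing to report). Protocol names are
# matched as written in the article (case-sensitive).
lint_ssl_conf() {
  f="$1"; n=0
  # The last SSLProtocol line wins, as in Apache; none means the default "all".
  proto=$(grep -E '^[[:space:]]*SSLProtocol' "$f" | tail -n 1)
  case " $proto " in
    *" -all "*|*" -ALL "*) mode=allow ;;   # only explicitly added versions count
    *) mode=deny ;;                          # everything not removed stays enabled
  esac
  for legacy in SSLv2 SSLv3 TLSv1 TLSv1.1; do
    if [ "$mode" = allow ]; then
      case " $proto " in
        *"+$legacy "*) echo "SSLProtocol re-enables $legacy"; n=$((n + 1)) ;;
      esac
    else
      case " $proto " in
        *"-$legacy "*) ;;
        *) echo "SSLProtocol still allows $legacy"; n=$((n + 1)) ;;
      esac
    fi
  done
  if ! grep -Eq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+[Oo]n' "$f"; then
    echo "SSLHonorCipherOrder is not on (the client picks the cipher)"; n=$((n + 1))
  fi
  if ! grep -Eq '^[[:space:]]*Header.*Strict-Transport-Security' "$f"; then
    echo "no HSTS header (Strict-Transport-Security)"; n=$((n + 1))
  fi
  if ! grep -Eq '^[[:space:]]*SSLUseStapling[[:space:]]+[Oo]n' "$f"; then
    echo "OCSP stapling is not enabled (SSLUseStapling on)"; n=$((n + 1))
  fi
  return "$n"
}

# Demo: lint the three constructed files.
demo_dir=$(mktemp -d)
write_weak_conf "$demo_dir/weak.conf"
write_hardened_conf "$demo_dir/hardened.conf"
write_allowlist_conf "$demo_dir/allowlist.conf"
for name in weak hardened allowlist; do
  echo "== $name.conf"
  if lint_ssl_conf "$demo_dir/$name.conf"; then echo "no findings"; fi
done
rm -r "$demo_dir"
```

To use it on a real host, source the functions and run lint_ssl_conf against the site file, for example /etc/apache2/sites-available/default-ssl.conf; the exit status is the number of findings. The linter deliberately does not judge the SSLCipherSuite string, because evaluating a cipher list reliably needs openssl ciphers rather than pattern matching.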
Open https://yourdomain.com in a browser and check for the lock icon. Then check the connection with an SSL testing tool:
openssl s_client -connect yourdomain.com:443
# add -servername yourdomain.com if the server hosts several names (SNI)
Check the Apache error log:
tail -f /var/log/apache2/error.log
# or
tail -f /var/log/httpd/error_log
Incomplete certificate chain: merge the certificates:
cat domain.crt intermediate.crt > combined.crt
Certificate and private key do not match: compare the moduli; the two hashes must be identical:
openssl x509 -noout -modulus -in domain.crt | openssl md5
openssl rsa -noout -modulus -in domain.key | openssl md5   # RSA keys
Permission problems:
chmod 600 domain.key
SELinux blocking access:
chcon -R -t httpd_sys_content_t /etc/ssl/certs/
chcon -R -t httpd_sys_content_t /etc/ssl/private/
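The troubleshooting checks above can be exercised without a real server. The following shell script is an added example, not part of the original article: it builds a throwaway root CA, intermediate and server certificate with openssl in a temporary directory (all names are constructed) and then implements the checks as functions: whether a key belongs to a certificate, by comparing public keys (which, unlike the article's openssl rsa -modulus command, also works for EC keys); whether the chain validates with and without the intermediate (the incomplete-chain failure a client sees); how many certificates a bundle such as combined.crt contains; and whether the key file is readable only by its owner. The openssl configuration written by write_openssl_cnf is an assumption of this example so that it does not depend on the system's openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the original article): certificate troubleshooting
# checks run against a locally generated, throwaway PKI.
set -e
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

# Minimal openssl config (assumption: supplied here so the example does not
# depend on the distribution's openssl.cnf).
write_openssl_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:yourdomain.com
EOF
}

# make_test_pki DIR: root CA (RSA) -> intermediate CA (RSA) -> domain.crt (EC).
# Writes root.crt, intermediate.crt/.key and domain.crt/.key into DIR.
make_test_pki() {
  d="$1"; cfg="$d/openssl.cnf"
  write_openssl_cnf "$cfg"
  openssl genrsa -out "$d/root.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$d/root.key" -config "$cfg" -extensions v3_ca \
    -days 2 -out "$d/root.crt" 2>/dev/null
  openssl genrsa -out "$d/intermediate.key" 2048 2>/dev/null
  openssl req -new -key "$d/intermediate.key" -config "$cfg" \
    -subj "/CN=Constructed Intermediate CA" -out "$d/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$cfg" -extensions v3_ca \
    -out "$d/intermediate.crt" 2>/dev/null
  # The server key is EC on purpose: "openssl rsa -modulus" cannot check it,
  # the public-key comparison in cert_key_match can.
  openssl ecparam -genkey -name prime256v1 -noout -out "$d/domain.key" 2>/dev/null
  openssl req -new -key "$d/domain.key" -config "$cfg" \
    -subj "/CN=yourdomain.com" -out "$d/domain.csr" 2>/dev/null
  openssl x509 -req -in "$d/domain.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/intermediate.key" -CAcreateserial -days 2 -extfile "$cfg" \
    -extensions v3_leaf -out "$d/domain.crt" 2>/dev/null
}

# cert_key_match CERT KEY: 0 if KEY is the private half of the key in CERT.
# Compares the SubjectPublicKeyInfo, so it works for RSA and EC alike.
cert_key_match() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# chain_verifies LEAF ROOT [INTERMEDIATE]: 0 if LEAF validates up to ROOT.
# Leaving INTERMEDIATE out reproduces what a client sees when the server
# sends an incomplete chain.
chain_verifies() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# bundle_cert_count FILE: number of PEM certificates in FILE. A served bundle
# must contain the server certificate plus every intermediate.
bundle_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true   # grep -c exits 1 on a count of 0
}

# key_perms_ok KEY: 0 if the file is not readable by group or others.
key_perms_ok() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demo run in a temporary directory.
demo=$(mktemp -d)
make_test_pki "$demo"
chmod 600 "$demo/domain.key"
if cert_key_match "$demo/domain.crt" "$demo/domain.key"; then echo "domain.key matches domain.crt"; fi
if chain_verifies "$demo/domain.crt" "$demo/root.crt" "$demo/intermediate.crt"; then echo "chain verifies with the intermediate"; fi
if ! chain_verifies "$demo/domain.crt" "$demo/root.crt"; then echo "without the intermediate the chain is incomplete"; fi
cat "$demo/domain.crt" "$demo/intermediate.crt" > "$demo/combined.crt"
echo "combined.crt contains $(bundle_cert_count "$demo/combined.crt") certificates"
if key_perms_ok "$demo/domain.key"; then echo "domain.key is owner-only"; fi
rm -r "$demo"
```

On a real host the same functions apply to the deployed files, for example cert_key_match /etc/ssl/certs/domain.crt /etc/ssl/private/domain.key, with the CA's root certificate in place of root.crt for chain_verifies.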
With the steps above you should be able to configure HTTPS on Apache successfully. For more advanced security settings, consult Mozilla's SSL Configuration Generator for the latest best practices.