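The demo environment is MAMP PRO 5.2 on macOS.
1. First locate the virtual host you want, then select the SSL tab, as shown in the figure below:
Click "Create self-signed certificate..." and the following dialog appears:
Fill in the details, click "Generate" to create the certificate, and save the files. Then enter "https://testa/" in the browser, and the following page appears:
This shows that SSL is configured successfully.
Next, look at the "httpd.conf" configuration file. It has gained the following line, see the figure below:
It points to the newly created file "httpd-ssl.conf", whose contents are as follows: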
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
Listen 443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt .der
AddType application/x-pkcs7-crl .crl
AddType application/x-pem-file .pem
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache "shmcb:/Applications/MAMP/Library/logs/apache_ssl_scache(512000)"
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex "file:/Applications/MAMP/Library/logs/apache_ssl_mutex"
##
## MAMP SSL Virtual Hosts
##
NameVirtualHost *:443
ServerName ___default___
SSLEngine on
SSLCertificateFile "/Applications/MAMP/conf/server/default.crt"
SSLCertificateKeyFile "/Applications/MAMP/conf/server/default.key"
SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
Redirect 404 /
# SSLStrictSNIVHostCheck on -> Don't accept connections from non-SNI clients
SSLStrictSNIVHostCheck off
# Start of testa
ServerName testa
DocumentRoot "/Users/xiangzeping/Documents/xzptest/testa"
XSendFilePath "/Users/xiangzeping/Documents/xzptest/testa"
SSLEngine on
# Uncomment the next line if Apache should not accept SSLv3 connections, to learn more google for "POODLE SSLv3".
# SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:-SSLv3:+EXP:+eNULL
# Comment the next line (and uncomment the line above) if Apache should not accept SSLv3 connections, to learn more google for "POODLE SSLv3".
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1
#SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
#SSLHonorCipherOrder on
#SSLCompression off
#
# Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
#
ErrorLog "/Applications/MAMP/logs/apache_ssl_error.log"
TransferLog "/Applications/MAMP/logs/apache_ssl_access.log"
CustomLog "/Applications/MAMP/logs/apache_ssl_request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# Start of SSL certificate
SSLCertificateFile "/Users/xiangzeping/Desktop/12/testa.crt"
SSLCertificateKeyFile "/Users/xiangzeping/Desktop/12/testa.key"
SSLSessionTickets on
# End of SSL certificate
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
Options Includes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
WSGIDaemonProcess testaSSL processes=2 threads=15
WSGIProcessGroup testaSSL
WSGIScriptAlias /testaWsgiApp "/Users/xiangzeping/Documents/xzptest/testa/wsgiapp.py"
# End of testa
# DONT REMOVE: MAMP PRO httpd-ssl.conf template compatibility version: 16
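In the code above, find the "testa" virtual host block. Note that the listening port is now "443" and the certificate paths have been added; see the notes below:
The listening port is 443; the code is as follows:
The SSL certificate configuration is as follows: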
SSLEngine on
SSLCertificateFile "/Users/xiangzeping/Desktop/12/testa.crt"
SSLCertificateKeyFile "/Users/xiangzeping/Desktop/12/testa.key"
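The TLS settings in the generated file can be checked mechanically. The following is an added example, not part of the original post or of MAMP: a small Python audit that reads Apache directives and reports SSLProtocol values that still enable TLS 1.1 or older, and SSLCipherSuite strings that add broad or weak cipher classes. The function names and token sets are assumptions of this example.

```python
# Added example; the token sets below are this example's assumptions, not an official list.
RISKY_CLASSES = {"ALL", "COMPLEMENTOFALL", "LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
                 "RC4", "MD5", "DES", "3DES", "NULL", "ENULL", "ANULL", "ADH", "AECDH"}
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def added_cipher_classes(cipher_string):
    """Risky classes an OpenSSL cipher string actually adds to the list."""
    hits = []
    for element in cipher_string.replace(",", ":").replace(" ", ":").split(":"):
        # '!' and '-' remove suites; '+' only moves already-selected suites to the end.
        if not element or element[0] in "!-+":
            continue
        # Inside one element, '+' means AND, e.g. RC4+RSA.
        hits += [part for part in element.split("+") if part.upper() in RISKY_CLASSES]
    return hits

def enabled_protocols(value):
    """Evaluate an SSLProtocol argument list left to right."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def audit(conf_text):
    """Return (line_no, directive, offending_items) for active directives only."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank, argument-less or commented-out line
        name, value, bad = parts[0].lower(), parts[1].strip('"'), []
        if name == "sslciphersuite":
            bad = added_cipher_classes(value)
        elif name == "sslprotocol":
            bad = sorted(enabled_protocols(value) & LEGACY_PROTOCOLS)
        if bad:
            findings.append((no, parts[0], bad))
    return findings

# Constructed sample: TLS lines as they appear in the two virtual hosts above.
SAMPLE = """SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1
# SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:-SSLv3:+EXP:+eNULL
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

For the testa block only ALL and RC4 are reported: the entries prefixed with + (+LOW, +EXP, +eNULL) merely reorder suites already in the list, so the exposure comes from ALL itself.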
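For a certificate and server purchased on Alibaba Cloud, the configuration is as follows:
ServerName # Change this to the domain name bound when you applied for the certificate.
SSLCertificateFile cert/domain_name_public.crt # Replace domain_name_public.crt with the file name of your certificate.
SSLCertificateKeyFile cert/domain_name.key # Replace domain_name.key with the file name of your certificate's key.
SSLCertificateChainFile cert/domain_name_chain.crt # Replace domain_name_chain.crt with the file name of your certificate chain.
# Customize the TLS protocol versions and cipher suites to use (the following is a sample configuration; evaluate for yourself whether you need it).
# The higher the TLS protocol version, the more secure the HTTPS communication, but higher TLS versions are less compatible with browsers than lower versions.
#SSLProtocol all -SSLv2 -SSLv3 # Add the supported SSL protocols and remove the insecure ones.
#SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM # Change the cipher suites.
# If the certificate covers multiple domain names, copy the VirtualHost parameters and change ServerName to the second domain name.
ServerName # Change this to the second domain name bound when you applied for the certificate.
SSLCertificateFile cert/domain_name2_public.crt # Replace domain_name2 with the second domain name from your certificate application.
SSLCertificateKeyFile cert/domain_name2.key # Replace domain_name2 with the second domain name from your certificate application.
SSLCertificateChainFile cert/domain_name2_chain.crt # Replace domain_name2 with the second domain name from your certificate application.
SSLEngine on
SSLHonorCipherOrder on
# Customize the TLS protocol versions and cipher suites to use (the following is a sample configuration; evaluate for yourself whether you need it).
# The higher the TLS protocol version, the more secure the HTTPS communication, but higher TLS versions are less compatible with browsers than lower versions.
#SSLProtocol all -SSLv2 -SSLv3 # Add the supported SSL protocols and remove the insecure ones.
#SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM # Change the cipher suites.
If HTTP requests should be redirected to HTTPS automatically, add the following code to the "httpd.conf" file: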
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]