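Deploying SSL on an Alibaba Cloud Lightweight LAMP Application Server

Spent almost 2 hours on this, and found that Alibaba's forum is still maintained by some people.

First I tried following Alibaba Cloud's own documentation; it didn't work. Damn docs..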

https://help.aliyun.com/knowledge_detail/95493.html?spm=a2c4g.11186623.2.13.44a834f1MWJXjR

 

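Then I had a flash of inspiration and googled it, figuring this kind of problem must be a common one; after all, I'm not the only broke guy playing with lightweight application servers.

Turns out there really was something: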

https://bbs.aliyun.com/simple/t307238.html

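Following the hints in that thread, I found a post on the Alibaba Cloud developer forum where someone had worked it out step by step by experiment.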

https://bbs.aliyun.com/read/304549.html?spm=a2c4e.11155515.0.0.3c8b5ebasyYdK1

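Just remember to delete the line NameVirtualHost *:443 and it works.

Never mind, I'll just paste the process here.

First, the Apache that comes preinstalled on the lightweight application server already includes the SSL module and has it enabled, so all that's left is to edit the httpd-ssl.conf file.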

[root@izwz99hcysthc27dr4zj2kz bin]# cat ../conf/extra/httpd-ssl.conf
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailed information about these
# directives see <URL:http://httpd.apache.org/docs/2.4/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# Required modules: mod_log_config, mod_setenvif, mod_ssl,
#          socache_shmcb_module (for default value of SSLSessionCache)

#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512


#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
Listen 443

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate,
#   and that httpd will negotiate as the client of a proxied server.
#   See the OpenSSL documentation for a complete list of ciphers, and
#   ensure these follow appropriate best practices for this deployment.
#   httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
#   while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4

#  By the end of 2016, only TLSv1.2 ciphers should remain in use.
#  Older ciphers should be disallowed as soon as possible, while the
#  kRSA ciphers do not offer forward secrecy.  These changes inhibit
#  older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
#  non-browser tooling) from successfully connecting.
#
#  To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
#  those protocols which do not support forward secrecy, replace
#  the SSLCipherSuite and SSLProxyCipherSuite directives above with
#  the following two directives, as soon as practical.
# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

#   User agents such as web browsers are not configured for the user's
#   own preference of either security or performance, therefore this
#   must be the prerogative of the web server administrator who manages
#   cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on

#   SSL Protocol support:
#   List the protocol versions which clients are allowed to connect with.
#   Disable SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0) should be
#   disabled as quickly as practical.  By the end of 2016, only the TLSv1.2
#   protocol or later should remain in use.
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv3

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache         "dbm:/usr/aliyun/ace/softwares/apache2.4/logs/ssl_scache"
#SSLSessionCache        "shmcb:/usr/aliyun/ace/softwares/apache2.4/logs/ssl_scache(512000)"
#SSLSessionCacheTimeout  300

#   OCSP Stapling (requires OpenSSL 0.9.8h or later)
#
#   This feature is disabled by default and requires at least
#   the two directives SSLUseStapling and SSLStaplingCache.
#   Refer to the documentation on OCSP Stapling in the SSL/TLS
#   How-To for more information.
#
#   Enable stapling for all SSL-enabled servers:
#SSLUseStapling On

#   Define a relatively small cache for OCSP Stapling using
#   the same mechanism that is used for the SSL session cache
#   above.  If stapling is used with more than a few certificates,
#   the size may need to be increased.  (AH01929 will be logged.)
#SSLStaplingCache "shmcb:/usr/aliyun/ace/softwares/apache2.4/logs/ssl_stapling(32768)"

#   Seconds before valid OCSP responses are expired from the cache
#SSLStaplingStandardCacheTimeout 3600

#   Seconds before invalid OCSP responses are expired from the cache
#SSLStaplingErrorCacheTimeout 600

##
## SSL Virtual Host Context
##
<VirtualHost *:443>
  ServerName m.montauklaw.com
  DocumentRoot /home/www/htdocs
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
  SSLHonorCipherOrder on
  SSLCertificateFile "/usr/local/apache/cert/m_public.crt"
  SSLCertificateKeyFile "/usr/local/apache/cert/m.key"
  SSLCertificateChainFile "/usr/local/apache/cert/m_chain.crt"
</VirtualHost>

The corresponding key and certificate took only 1 hour from application to approval.

Then just restart Apache.
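
As an added example (not part of the original post or of Alibaba Cloud's documentation), here is a small shell lint to run against httpd-ssl.conf before restarting. It flags the NameVirtualHost line the post says to delete, any SSLProtocol line that still allows TLSv1/TLSv1.1 (which the stock comments in the file say to disable), and the SSLCertificateChainFile directive, which httpd made obsolete in 2.4.8. The function name audit_ssl_conf and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an httpd-ssl.conf for the settings discussed in this post.
# Prints "<line>: <finding>" per issue; exit status is 1 if anything was found.
audit_ssl_conf() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    { d = tolower($1) }                     # directive names are case-insensitive
    d == "namevirtualhost" {
        print NR ": NameVirtualHost has no effect in httpd 2.4; delete this line"
        bad = 1
    }
    d == "sslprotocol" {
        # Model of the [+|-]protocol syntax: an unsigned token replaces the
        # enabled set, "+" adds to it and "-" removes from it.
        t10 = 0; t11 = 0
        for (i = 2; i <= NF; i++) {
            t = tolower($i); sign = substr(t, 1, 1)
            if (sign == "+" || sign == "-") t = substr(t, 2); else sign = ""
            is10 = (t == "all" || t == "tlsv1")
            is11 = (t == "all" || t == "tlsv1.1")
            if (sign == "")       { t10 = is10; t11 = is11 }
            else if (sign == "+") { if (is10) t10 = 1; if (is11) t11 = 1 }
            else                  { if (is10) t10 = 0; if (is11) t11 = 0 }
        }
        if (t10 || t11) {
            print NR ": SSLProtocol still allows TLSv1/TLSv1.1; append -TLSv1 -TLSv1.1"
            bad = 1
        }
    }
    d == "sslcertificatechainfile" {
        print NR ": SSLCertificateChainFile is obsolete since httpd 2.4.8; the chain can go in SSLCertificateFile"
        bad = 1
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample (not the post's file): the three patterns in one vhost.
sample=$(mktemp)
cat > "$sample" <<'EOF'
NameVirtualHost *:443
<VirtualHost *:443>
  SSLProtocol all -SSLv2 -SSLv3
  SSLCertificateChainFile "/path/to/example_chain.crt"
</VirtualHost>
EOF
audit_ssl_conf "$sample" || echo "findings listed above"
rm -f "$sample"
```

Run it as `audit_ssl_conf ../conf/extra/httpd-ssl.conf` from the same directory as the `cat` above; a clean file prints nothing and returns 0.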

 

Reposted from: https://www.cnblogs.com/Montauk/p/10123857.html
