假设顶级域名已经配置了SSL证书,需要给二级域名配置新的SSL证书。
做法:打开 /etc/httpd/conf.d/ssl.conf,在文件末尾追加以下内容:
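<VirtualHost *:443>
    # HTTPS virtual host for the second-level domain, with its own certificate.

    # Project path.
    # NOTE(review): DocumentRoot is the project source tree. Requests are
    # answered by the WSGIScriptAlias below, but if that alias is ever removed
    # or fails to load, Apache would serve files straight from this directory.
    # Consider pointing DocumentRoot at an empty directory instead.
    DocumentRoot "/projectPath"
    # Host name this virtual host answers for.
    ServerName XXXX.com:443
    # Error log and access log.
    ErrorLog logs/ssl_error_erji_log
    TransferLog logs/ssl_access_erji_log
    # Log level.
    LogLevel warn

    SSLEngine on
    # Allow TLS 1.2 and newer only. The previous setting removed just
    # SSLv2/SSLv3 and therefore still accepted TLS 1.0 and TLS 1.1.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # Explicit AEAD suites with ECDHE key exchange. The previous string
    # contained "ALL" followed by "+HIGH", which re-admitted every HIGH-grade
    # suite (CBC modes, static-RSA key exchange) and re-sorted the list, and it
    # ended in a stray ";". DHE stays excluded, as in the original ("!DH").
    # Names the linked OpenSSL build does not know are skipped.
    # Clients without ECDHE+AEAD support will no longer be able to connect.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on

    # Optional, needs mod_headers: the port-80 redirect alone leaves the first
    # plain-HTTP request unprotected; HSTS tells browsers to go straight to HTTPS.
    # Header always set Strict-Transport-Security "max-age=31536000"

    # Certificate paths.
    # The private key should be readable by root only (e.g. mode 0600).
    SSLCertificateFile /etc/httpd/ssl_erji/point.pem
    SSLCertificateKeyFile /etc/httpd/ssl_erji/server.key
    # SSLCertificateChainFile is obsolete from httpd 2.4.8 on; there the
    # intermediates can be appended to the SSLCertificateFile instead.
    SSLCertificateChainFile /etc/httpd/ssl_erji/chain.pem

    # Export the standard SSL_* environment variables to scripts.
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    # The original had two <Directory "/projectPath"> sections; they are merged
    # here with the same resulting directives.
    # NOTE(review): "Require all granted" on the whole project tree is wider
    # than the WSGI script and /static/ grants below need, and
    # "AllowOverride All" lets any .htaccess under the tree change the
    # configuration. Narrow both if nothing depends on them.
    <Directory "/projectPath">
        Options FollowSymLinks
        AllowOverride All
        Require all granted
        SSLOptions +StdEnvVars
    </Directory>

    # Route every URL path to the project's WSGI entry point; only wsgi.py
    # itself is granted in its directory.
    WSGIScriptAlias / /projectPath/projectName/projectName/wsgi.py
    <Directory /projectPath/projectName/projectName>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>

    # Static files are served by Apache directly.
    Alias /static/ /projectPath/projectName/static/
    <Directory /projectPath/projectName/static>
        Require all granted
    </Directory>

    # Workarounds for very old MSIE versions.
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    # Per-request log of negotiated protocol and cipher; useful for checking
    # which clients are affected by the protocol/cipher restrictions above.
    # The logs/fbms/ directory has to exist before httpd starts.
    CustomLog logs/fbms/ssl_request_erji_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>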
二:修改配置,将所有 HTTP 请求都指向(重定向到)HTTPS
打开 /etc/httpd/conf/httpd.conf
在二级域名关联的虚拟主机(VirtualHost)块里修改如下:
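<VirtualHost *:80>
    # Plain-HTTP virtual host: serves no content itself, it only refuses
    # IP-addressed requests and redirects everything else to HTTPS.

    # Project path.
    DocumentRoot "/projectPath"
    # Host name this virtual host answers for.
    ServerName xxxxx.com:80

    # Redirect rules.
    RewriteEngine On
    # Refuse requests whose Host header is a bare IPv4 address. The optional
    # ":port" suffix is matched too, because a Host header may carry a port
    # and the original pattern would not have matched it.
    RewriteCond %{HTTP_HOST} ^(\d{1,3}\.){3}\d{1,3}(:\d+)?$
    RewriteRule ^(.*)$ - [F,L]
    # HTTP -> HTTPS. The target host is written out instead of echoing
    # %{HTTP_HOST}, so the Location header never reflects a client-supplied
    # Host value. Use the same host name the certificate was issued for.
    RewriteRule ^(.*)$ https://xxxxx.com$1 [R=301,L]
</VirtualHost>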