How To Create a Self-Signed SSL Certificate for Apache in Debian 10

Introduction

TLS, or transport layer security, and its predecessor SSL, which stands for secure sockets layer, are web protocols used to wrap normal traffic in a protected, encrypted wrapper.

Using this technology, servers can send traffic safely between servers and clients without the possibility of messages being intercepted by outside parties. The certificate system also assists users in verifying the identity of the sites that they are connecting with.

In this guide, we will show you how to set up a self-signed SSL certificate for use with an Apache web server on Debian 10.

Note: A self-signed certificate will encrypt communication between your server and any clients. However, because it is not signed by any of the trusted certificate authorities included with web browsers, users cannot use the certificate to validate the identity of your server automatically.

A self-signed certificate may be appropriate if you do not have a domain name associated with your server and for instances where an encrypted web interface is not user-facing. If you do have a domain name, in many cases it is better to use a CA-signed certificate. You can find out how to set up a free trusted certificate with the Let’s Encrypt project here.

Prerequisites

Before you begin, you should have a non-root user configured with sudo privileges. You can learn how to set up such a user account by following our Initial Server Setup with Debian 10.

You will also need to have the Apache web server installed. If you would like to install an entire LAMP (Linux, Apache, MariaDB, PHP) stack on your server, you can follow our guide on setting up LAMP on Debian 10. If you just want the Apache web server, skip the steps pertaining to PHP and MariaDB.

When you have completed these prerequisites, continue below.

Step 1 — Creating the SSL Certificate

TLS/SSL works by using a combination of a public certificate and a private key. The SSL key is kept secret on the server. It is used to encrypt content sent to clients. The SSL certificate is publicly shared with anyone requesting the content. It can be used to decrypt the content signed by the associated SSL key.

We can create a self-signed key and certificate pair with OpenSSL in a single command:

  • sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

You will be asked a series of questions. Before we go over that, let’s take a look at what is happening in the command we are issuing:

  • openssl: This is the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.

  • req: This subcommand specifies that we want to use X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL and TLS adhere to for key and certificate management. We want to create a new X.509 cert, so we are using this subcommand.

  • -x509: This further modifies the previous subcommand by telling the utility that we want to make a self-signed certificate instead of generating a certificate signing request, as would normally happen.

  • -nodes: This tells OpenSSL to skip the option to secure our certificate with a passphrase. We need Apache to be able to read the file, without user intervention, when the server starts up. A passphrase would prevent this from happening because we would have to enter it after every restart.

  • -days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.

  • -newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.

  • -keyout: This line tells OpenSSL where to place the generated private key file that we are creating.

  • -out: This tells OpenSSL where to place the certificate that we are creating.

As we stated above, these options will create both a key file and a certificate. We will be asked a few questions about our server in order to embed the information correctly in the certificate.

Fill out the prompts appropriately. The most important line is the one that requests the Common Name (e.g. server FQDN or YOUR name). You need to enter the domain name associated with your server or, more likely, your server’s public IP address.

The entirety of the prompts will look something like this:


   
   
Output
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bouncy Castles, Inc.
Organizational Unit Name (eg, section) []:Ministry of Water Slides
Common Name (e.g. server FQDN or YOUR name) []:server_IP_address
Email Address []:admin@your_domain.com

Both of the files you created will be placed in the appropriate subdirectories under /etc/ssl.
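
To confirm that a key and certificate produced this way belong together before Apache is pointed at them, the following added example (not part of the original tutorial) generates a throwaway pair in a temporary directory with the same options and checks it. The function names, the -subj value, the temporary paths and the address 203.0.113.10 are assumptions made for the example; it needs the openssl command.

```shell
#!/bin/sh
# Added example: build a throwaway pair with the tutorial's openssl options and
# verify it. CN and paths are constructed; nothing is written under /etc/ssl.

# Create key + self-signed certificate in directory $1 with Common Name $2.
# -subj answers the interactive prompts so the command runs unattended.
gen_selfsigned() {
    ( umask 077   # key must not be group/world readable (also applies to the .crt here)
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -keyout "$1/apache-selfsigned.key" \
          -out "$1/apache-selfsigned.crt" \
          -subj "/CN=$2" 2>/dev/null )
}

# Succeed only if the certificate ($2) carries the public key of the private key ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed if the certificate ($1) is still valid $2 days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Succeed if the key file ($1) is not readable by group or others.
key_is_private() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Demo run in a temporary directory.
demo_dir=$(mktemp -d)
gen_selfsigned "$demo_dir" "203.0.113.10"   # constructed documentation address
key_matches_cert "$demo_dir/apache-selfsigned.key" "$demo_dir/apache-selfsigned.crt" \
    && echo "key and certificate belong together"
key_is_private "$demo_dir/apache-selfsigned.key" && echo "key is owner-only"
cert_valid_for_days "$demo_dir/apache-selfsigned.crt" 30 \
    && echo "certificate is valid for at least 30 more days"
rm -rf "$demo_dir"
```

The same three checks can be pointed at /etc/ssl/private/apache-selfsigned.key and /etc/ssl/certs/apache-selfsigned.crt when run with sudo.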

Step 2 — Configuring Apache to Use SSL

We have created our key and certificate files under the /etc/ssl directory. Now we just need to modify our Apache configuration to take advantage of these.

We will make a few adjustments to our configuration:

  1. We will create a configuration snippet to specify strong default SSL settings.

  2. We will modify the included SSL Apache Virtual Host file to point to our generated SSL certificates.

  3. (Recommended) We will modify the unencrypted Virtual Host file to automatically redirect requests to the encrypted Virtual Host.

When we are finished, we should have a secure SSL configuration.

Creating an Apache Configuration Snippet with Strong Encryption Settings

First, we will create an Apache configuration snippet to define some SSL settings. This will set Apache up with a strong SSL cipher suite and enable some advanced features that will help keep our server secure. The parameters we will set can be used by any Virtual Hosts enabling SSL.

Create a new snippet in the /etc/apache2/conf-available directory. We will name the file ssl-params.conf to make its purpose clear:

  • sudo nano /etc/apache2/conf-available/ssl-params.conf

To set up Apache SSL securely, we will be using the recommendations by Remy van Elst on the Cipherli.st site. This site is designed to provide easy-to-consume encryption settings for popular software.

The suggested settings on the site linked to above offer strong security. Sometimes, this comes at the cost of client compatibility. If you need to support older clients, there is an alternative list that can be accessed by clicking the link on the page labelled “Yes, give me a ciphersuite that works with legacy / old software.” That list can be substituted for the items copied below.

The choice of which config you use will depend largely on what you need to support. They both will provide great security.

For our purposes, we can copy the provided settings in their entirety. We will just make one small change to this and disable the Strict-Transport-Security header (HSTS).

Preloading HSTS provides increased security, but can have far-reaching consequences if accidentally enabled or enabled incorrectly. In this guide, we will not enable the settings, but you can modify that if you are sure you understand the implications.

Before deciding, take a moment to read up on HTTP Strict Transport Security, or HSTS, and specifically about the “preload” functionality.

Paste the following configuration into the ssl-params.conf file we opened:

/etc/apache2/conf-available/ssl-params.conf
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

Save and close the file when you are finished.
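
A syntax check will not reveal that a copy of this snippet has been weakened, for example by re-enabling TLSv1 for an old client. The added example below (not from the original tutorial or from Cipherli.st) audits a snippet for the settings discussed above, using a simplified model of how SSLProtocol tokens combine; the function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag weakened TLS directives in an Apache snippet such as
# ssl-params.conf. Simplified model of SSLProtocol token handling (assumption);
# the sample files are constructed.

# Print findings for file $1; exit status is non-zero if any FAIL was printed.
audit_ssl_params() {
    awk '
    BEGIN { n = split("sslv3 tlsv1 tlsv1.1 tlsv1.2 tlsv1.3", p, " ") }
    /^[ \t]*#/ { next }                          # comment lines
    NF == 0    { next }                          # blank lines
    { d = tolower($1) }
    d == "sslprotocol" {
        seen = 1; split("", on)                  # a later directive replaces an earlier one
        for (i = 2; i <= NF; i++) {
            t = tolower($i); sign = substr(t, 1, 1)
            if (sign == "+" || sign == "-") t = substr(t, 2); else sign = "="
            if (sign == "=") split("", on)       # a bare name replaces the current set
            if (t == "all") { for (k = 1; k <= n; k++) on[p[k]] = (sign != "-") }
            else on[t] = (sign != "-")
        }
    }
    d == "sslcompression"    { comp = tolower($2) }
    d == "sslsessiontickets" { tickets = tolower($2) }
    d == "header" && tolower($0) ~ /strict-transport-security/ &&
        tolower($0) ~ /preload/ { preload = 1 }
    END {
        if (!seen) { print "FAIL: no SSLProtocol directive found"; bad++ }
        for (k = 1; k <= 3; k++)                 # p[1..3] are the legacy protocols
            if (on[p[k]]) { print "FAIL: legacy protocol enabled: " p[k]; bad++ }
        if (comp == "on") { print "FAIL: SSLCompression is on"; bad++ }
        if (tickets != "off") print "NOTE: SSLSessionTickets is not set to Off"
        if (preload) print "NOTE: HSTS header with preload is active"
        exit (bad > 0)
    }' "$1"
}

# The TLS-relevant lines of the snippet above, and a constructed weakened variant.
write_hardened() {
    cat > "$1" <<'EOF'
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
SSLCompression off
SSLSessionTickets Off
EOF
}
write_weakened() {
    cat > "$1" <<'EOF'
SSLProtocol All -SSLv2 -SSLv3
SSLCompression on
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
EOF
}

hardened=$(mktemp); weakened=$(mktemp)
write_hardened "$hardened"; write_weakened "$weakened"
audit_ssl_params "$hardened" && echo "hardened snippet: no FAIL findings"
audit_ssl_params "$weakened" || echo "weakened snippet: review the findings above"
rm -f "$hardened" "$weakened"
```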

Modifying the Default Apache SSL Virtual Host File

Next, let’s modify /etc/apache2/sites-available/default-ssl.conf, the default Apache SSL Virtual Host file. If you are using a different server block file, substitute its name in the commands below.

Before we go any further, let’s back up the original SSL Virtual Host file:

  • sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.bak

Now, open the SSL Virtual Host file to make adjustments:

  • sudo nano /etc/apache2/sites-available/default-ssl.conf

Inside, with most of the comments removed, the Virtual Host block should look something like this by default:

/etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

        </VirtualHost>
</IfModule>

We will be making some minor adjustments to the file. We will set the normal things we’d want to adjust in a Virtual Host file (ServerAdmin email address, ServerName, etc.), and adjust the SSL directives to point to our certificate and key files. Again, if you’re using a different document root, be sure to update the DocumentRoot directive.

After making these changes, your server block should look similar to this:

/etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin your_email@example.com
                ServerName server_domain_or_IP

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile      /etc/ssl/certs/apache-selfsigned.crt
                SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

        </VirtualHost>
</IfModule>

Save and close the file when you are finished.

As it stands now, the server will provide both unencrypted HTTP and encrypted HTTPS traffic. For better security, it is recommended in most cases to redirect HTTP to HTTPS automatically. If you do not want or need this functionality, you can safely skip this section.

To adjust the unencrypted Virtual Host file to redirect all traffic to be SSL encrypted, open the /etc/apache2/sites-available/000-default.conf file:

  • sudo nano /etc/apache2/sites-available/000-default.conf

Inside, within the VirtualHost configuration blocks, add a Redirect directive, pointing all traffic to the SSL version of the site:

/etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
        . . .

        Redirect "/" "https://your_domain_or_IP/"

        . . .
</VirtualHost>

Save and close the file when you are finished.

That’s all of the configuration changes you need to make to Apache. Next, we will discuss how to update firewall rules with ufw to allow encrypted HTTPS traffic to your server.

Step 3 — Adjusting the Firewall

If you have the ufw firewall enabled, as recommended by the prerequisite guides, you might need to adjust the settings to allow for SSL traffic. Fortunately, when installed on Debian 10, ufw comes loaded with app profiles which you can use to tweak your firewall settings.

We can see the available profiles by typing:

  • sudo ufw app list

You should see a list like this, with the following four profiles near the bottom of the output:


   
   
Output
Available applications:
. . .
  WWW
  WWW Cache
  WWW Full
  WWW Secure
. . .

You can see the current setting by typing:

  • sudo ufw status

If you allowed only regular HTTP traffic earlier, your output might look like this:


   
   
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
WWW                        ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
WWW (v6)                   ALLOW       Anywhere (v6)

To additionally let in HTTPS traffic, allow the “WWW Full” profile and then delete the redundant “WWW” profile allowance:

  • sudo ufw allow 'WWW Full'

  • sudo ufw delete allow 'WWW'

Your status should look like this now:

  • sudo ufw status

   
   
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
WWW Full                   ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
WWW Full (v6)              ALLOW       Anywhere (v6)

With your firewall configured to allow HTTPS traffic, you can move on to the next step where we’ll go over how to enable a few modules and configuration files to allow SSL to function properly.

Step 4 — Enabling the Changes in Apache

Now that we’ve made our changes and adjusted our firewall, we can enable the SSL and headers modules in Apache, enable our SSL-ready Virtual Host, and then restart Apache to put these changes into effect.

Enable mod_ssl, the Apache SSL module, and mod_headers, which is needed by some of the settings in our SSL snippet, with the a2enmod command:

  • sudo a2enmod ssl

  • sudo a2enmod headers

Next, enable your SSL Virtual Host with the a2ensite command:

  • sudo a2ensite default-ssl

You will also need to enable your ssl-params.conf file, to read in the values you’ve set:

  • sudo a2enconf ssl-params

At this point, the site and the necessary modules are enabled. We should check to make sure that there are no syntax errors in our files. Do this by typing:

  • sudo apache2ctl configtest

If everything is successful, you will get a result that looks like this:


   
   
Output
Syntax OK

As long as your output has Syntax OK in it, then your configuration file has no syntax errors and you can safely restart Apache to implement the changes:

  • sudo systemctl restart apache2

With that, your self-signed SSL certificate is all set. You can now test that your server is correctly encrypting its traffic.

Step 5 — Testing Encryption

You’re now ready to test your SSL server.

Open your web browser and type https:// followed by your server’s domain name or IP into the address bar:

https://server_domain_or_IP

Because the certificate you created isn’t signed by one of your browser’s trusted certificate authorities, you will likely see a scary looking warning like the one below:

This is expected and normal. We are only interested in the encryption aspect of our certificate, not the third party validation of our host’s authenticity. Click ADVANCED and then the link provided to proceed to your host anyways:

You should be taken to your site. If you look in the browser address bar, you will see a lock with an “x” over it or another similar “not secure” notice. In this case, this just means that the certificate cannot be validated. It is still encrypting your connection.

If you configured Apache to redirect HTTP to HTTPS, you can also check whether the redirect functions correctly:

http://server_domain_or_IP

If this results in the same icon, this means that your redirect worked correctly. However, the redirect you created earlier is only a temporary redirect. If you’d like to make the redirection to HTTPS permanent, continue on to the final step.

Step 6 — Changing to a Permanent Redirect

If your redirect worked correctly and you are sure you want to allow only encrypted traffic, you should modify the unencrypted Apache Virtual Host again to make the redirect permanent.

Open your server block configuration file again:

  • sudo nano /etc/apache2/sites-available/000-default.conf

Find the Redirect line we added earlier. Add permanent to that line, which changes the redirect from a 302 temporary redirect to a 301 permanent redirect:

/etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
        . . .

        Redirect permanent "/" "https://your_domain_or_IP/"

        . . .
</VirtualHost>

Save and close the file.

Check your configuration for syntax errors:

  • sudo apache2ctl configtest

If this command doesn’t report any syntax errors, restart Apache:

  • sudo systemctl restart apache2

This will make the redirect permanent, and your site will only serve traffic over HTTPS.

Conclusion

You have configured your Apache server to use strong encryption for client connections. This will allow you to serve requests securely, and will prevent outside parties from reading your traffic.

Translated from: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-debian-10
