How to configure an SSL certificate on an Apache server (walkthrough)

The demo environment is MAMP PRO 5.2 on macOS.

1. First locate the virtual host in question, then open its SSL tab, as shown in the figure below:

Click "Create self-signed certificate...", and the following dialog appears:

Fill in the details, click "Generate" to create the certificate, and save the files. Now enter "https://testa/" in the browser and the following page appears:

This shows that the SSL configuration succeeded.

Now let's look at the "httpd.conf" configuration file; one extra line has appeared, see the figure below:

It includes the newly created file "httpd-ssl.conf", whose contents are as follows:

#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailed information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
# 
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#

#
# When we also provide SSL we have to listen to the 
# standard HTTP port (see above) and to the HTTPS port
#

Listen 443


##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
<IfModule mime_module>
    AddType application/x-x509-ca-cert .crt .der
    AddType application/x-pkcs7-crl    .crl
    AddType application/x-pem-file     .pem
</IfModule>

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
SSLSessionCache        "shmcb:/Applications/MAMP/Library/logs/apache_ssl_scache(512000)"
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization. 
SSLMutex  "file:/Applications/MAMP/Library/logs/apache_ssl_mutex"

##
## MAMP SSL Virtual Hosts
##


NameVirtualHost *:443

<VirtualHost *:443>
    ServerName ___default___ 
    SSLEngine on
    SSLCertificateFile "/Applications/MAMP/conf/server/default.crt"
    SSLCertificateKeyFile "/Applications/MAMP/conf/server/default.key"
    SSLProtocol         -all +TLSv1.2 +TLSv1.1 +TLSv1
    SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    Redirect 404 /
</VirtualHost>


# SSLStrictSNIVHostCheck on -> Don't accept connections from non-SNI clients
SSLStrictSNIVHostCheck off

# start of testa
<VirtualHost *:443>
    ServerName testa

    DocumentRoot "/Users/xiangzeping/Documents/xzptest/testa"

    <IfModule xsendfile_module>
        XSendFilePath "/Users/xiangzeping/Documents/xzptest/testa"
    </IfModule>

    SSLEngine on

    # Uncomment the next line if Apache should not accept SSLv3 connections, to learn more google for "POODLE SSLv3".
    # SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:-SSLv3:+EXP:+eNULL

    # Comment the next line (and uncomment the line above) if Apache should not accept SSLv3 connections, to learn more google for "POODLE SSLv3".
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    #SSLProtocol         -all +TLSv1.2 +TLSv1.1 +TLSv1
    #SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    #SSLHonorCipherOrder on
    #SSLCompression      off

    #<IfModule mod_headers.c>
    #    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    #</IfModule>

    ErrorLog "/Applications/MAMP/logs/apache_ssl_error.log"
    TransferLog "/Applications/MAMP/logs/apache_ssl_access.log"
    CustomLog "/Applications/MAMP/logs/apache_ssl_request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    # SSL certificate start
    SSLCertificateFile "/Users/xiangzeping/Desktop/12/testa.crt"
    SSLCertificateKeyFile "/Users/xiangzeping/Desktop/12/testa.key"

    SSLSessionTickets on
    # SSL certificate end

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    <Directory "/Applications/MAMP/Library/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

    <Directory "/Users/xiangzeping/Documents/xzptest/testa">
        Options Includes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    WSGIDaemonProcess testaSSL processes=2 threads=15
    WSGIProcessGroup testaSSL
    WSGIScriptAlias /testaWsgiApp "/Users/xiangzeping/Documents/xzptest/testa/wsgiapp.py"

</VirtualHost>

# end of testa

# DONT REMOVE: MAMP PRO httpd-ssl.conf template compatibility version: 16

In the code above, find the "testa" virtual host block. Note that the listening port has become "443" and that the certificate paths have been added; see the explanation below:

The listening port is 443; the code is as follows:

<VirtualHost *:443>

The SSL certificate configuration code is as follows:

SSLEngine on
SSLCertificateFile "/Users/xiangzeping/Desktop/12/testa.crt"
SSLCertificateKeyFile "/Users/xiangzeping/Desktop/12/testa.key"

If the certificate and server were purchased on Alibaba Cloud (Aliyun), the configuration code is as follows (Apache does not allow a comment after a directive on the same line, so the comments are placed on their own lines above each directive):

<VirtualHost *:443>
    # Change to the domain bound to the certificate when it was requested (the value below is a placeholder).
    ServerName your-domain.example
    SSLEngine on
    # Replace domain_name_public.crt with the file name of your certificate.
    SSLCertificateFile cert/domain_name_public.crt
    # Replace domain_name.key with the file name of your certificate's private key.
    SSLCertificateKeyFile cert/domain_name.key
    # Replace domain_name_chain.crt with the file name of your certificate chain.
    SSLCertificateChainFile cert/domain_name_chain.crt

    # Custom TLS protocol versions and cipher suites (example settings; evaluate for yourself whether you need them).
    # The higher the TLS version, the stronger the HTTPS security, but higher versions are less compatible with older browsers than lower ones.
    # Enable the SSL/TLS protocols and drop the insecure ones.
    #SSLProtocol all -SSLv2 -SSLv3
    # Change the cipher suite.
    #SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
</VirtualHost>

# If the certificate covers several domains, copy the VirtualHost block and change ServerName to the second domain.
<VirtualHost *:443>
    # Change to the second domain bound to the certificate when it was requested (the value below is a placeholder).
    ServerName your-second-domain.example
    # Replace domain_name2 with the second domain you requested the certificate for.
    SSLCertificateFile cert/domain_name2_public.crt
    # Replace domain_name2 with the second domain you requested the certificate for.
    SSLCertificateKeyFile cert/domain_name2.key
    # Replace domain_name2 with the second domain you requested the certificate for.
    SSLCertificateChainFile cert/domain_name2_chain.crt

    SSLEngine on
    SSLHonorCipherOrder on
    # Custom TLS protocol versions and cipher suites (example settings; evaluate for yourself whether you need them).
    # The higher the TLS version, the stronger the HTTPS security, but higher versions are less compatible with older browsers than lower ones.
    # Enable the SSL/TLS protocols and drop the insecure ones.
    #SSLProtocol all -SSLv2 -SSLv3
    # Change the cipher suite.
    #SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
</VirtualHost>
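Both the MAMP PRO template and the Aliyun sample above leave the protocol and cipher hardening lines commented out, and the active MAMP cipher line still enables the eNULL, EXP, LOW and SSLv2 cipher classes. The following added example (not code from the post, MAMP PRO or Alibaba Cloud) parses the <VirtualHost *:443> blocks of an httpd-ssl.conf and flags obsolete protocol versions, weak cipher tokens and a missing HSTS header; the sample config, the function names and the treatment of "all" as every listed protocol version are assumptions.

```python
import re

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = {"eNULL", "aNULL", "NULL", "ADH", "EXP", "LOW", "SSLv2", "RC4", "MD5"}

# Constructed sample: the page's MAMP PRO "testa" cipher line beside a hardened vhost.
SAMPLE_CONF = """<VirtualHost *:443>
    ServerName testa
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    #SSLProtocol -all +TLSv1.2
</VirtualHost>
<VirtualHost *:443>
    ServerName testa-hardened
    SSLProtocol -all +TLSv1.2
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
"""

def parse_ssl_vhosts(conf):
    """Map ServerName -> {directive: value} per *:443 vhost; '#' lines (commented-out hardening) are skipped."""
    vhosts = {}
    for body in re.findall(r"<VirtualHost \*:443>(.*?)</VirtualHost>", conf, re.S):
        lines = [l.strip() for l in body.splitlines() if l.strip()]
        d = dict(l.partition(" ")[::2] for l in lines if not l.startswith(("#", "<")))
        vhosts[d.get("ServerName", "?")] = d
    return vhosts

def enabled_protocols(spec):
    """Expand SSLProtocol ('all', '+X', '-X') into enabled versions; assumes 'all' = every version listed above."""
    enabled = set()
    for tok in (spec or "all").split():
        name = tok.lstrip("+-")
        names = OBSOLETE_PROTOCOLS | {"TLSv1.2"} if name == "all" else {name}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def audit_vhost(d):
    """Return findings for one vhost's directives; an empty list means nothing was flagged."""
    findings = []
    if old := enabled_protocols(d.get("SSLProtocol")) & OBSOLETE_PROTOCOLS:
        findings.append("obsolete protocols enabled: " + ", ".join(sorted(old)))
    # Cipher tokens without a '!'/'-' prefix are enabled ('+' only reorders); RC4+RSA is split.
    weak = {w for tok in d.get("SSLCipherSuite", "").split(":") if not tok.startswith(("!", "-"))
            for w in tok.lstrip("+").split("+") if w in WEAK_CIPHER_TOKENS}
    if weak:
        findings.append("weak cipher tokens enabled: " + ", ".join(sorted(weak)))
    if "Strict-Transport-Security" not in d.get("Header", ""):
        findings.append("no HSTS header")
    return findings
```

Run it over the real httpd-ssl.conf by passing the file's text to parse_ssl_vhosts and feeding each block to audit_vhost; the "testa" block from the page yields three findings, the hardened variant none.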

If HTTP requests should automatically redirect to HTTPS, add the following code to the "httpd.conf" file:

RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
