Website Deployment (Part 2): Adding an SSL Certificate to a Website
Introduction
Website security matters more and more in today's Internet. Serving a site over HTTPS protects the user's data in transit and also helps search-engine ranking. This post walks through adding an SSL certificate to a website and upgrading it from HTTP to HTTPS.
My sites are deployed on Apache, so the steps below are for Apache. There are two sites: blog.alcmaple.cn and www.alcmaple.cn. What follows is the whole process of adding SSL certificates to both.
Quick Reference for the Commands Used
Before starting, a short look at the basic commands that will be used:
sudo a2enmod ssl   # enable the ssl module (or confirm it is already enabled)
sudo systemctl restart apache2   # restart the Apache service
ls -la | grep alcmaple   # list all files whose names contain alcmaple
cat /etc/apache2/sites-available/000-default.conf   # show the default (catch-all) site config
sudo a2dissite blog.alcmaple.cn-new-ssl.conf   # disable the site defined by that config file
sudo a2ensite blog.alcmaple.cn-ssl.conf   # enable the site defined by that config file
find / -name "*.crt" | grep alcmaple   # locate the certificate files
Checking the SSL Module
First, confirm that Apache's SSL module is enabled:
sudo a2enmod ssl
If it prints "Module ssl already enabled", the module is already on. Then restart Apache so that the change takes effect:
sudo systemctl restart apache2
a2enmod is an Apache helper command on Ubuntu/Debian; the name stands for "Apache2 Enable Module", and it turns on an Apache module, so a2enmod ssl enables mod_ssl. systemctl is the command for managing system services.
Overview of Apache Configuration Files
In Apache there are usually two kinds of site configuration file:
- HTTP config: example.com.conf
- HTTPS config: example.com-ssl.conf
Apache keeps site configuration in two directories:
- /etc/apache2/sites-available/: holds every site config file
- /etc/apache2/sites-enabled/: holds only symbolic links to the enabled configs (in other words, it tells you which configs are active)
If several enabled SSL config files claim the same hostname on port 443, they conflict: Apache uses the first matching VirtualHost and the others are never selected, so the wrong certificate or DocumentRoot can end up being served. This needs special care.
Checking the Apache Configuration
First, look at the existing config files:
cd /etc/apache2/sites-available/
ls -la | grep alcmaple
- -la lists all files with their details
- | is the pipe; it feeds the output of the left command into the command on the right
- grep alcmaple keeps only the lines containing alcmaple (the domain name is the key to finding both the config files and the certificates)
After running these commands you see output like:
-rw-r--r-- 1 root root 587 Apr 22 21:11 blog.alcmaple.cn.conf
-rw-r--r-- 1 root root 799 Apr 21 17:55 blog.alcmaple.cn-new-ssl.conf
-rw-r--r-- 1 root root 886 Apr 22 21:36 blog.alcmaple.cn-ssl.conf
Note that blog is the subdomain; www is the main site itself.
You won't see www here, because www usually lives in the default or catch-all config file (a separate config per site is better, and that is what we set up later).
So if there is no www config file, its configuration is in the default or catch-all config.
Run the following (you don't actually need to; I only want to show you where www is):
ls -la /etc/apache2/sites-available/
你可以看到以下信息
total 56
drwxr-xr-x 2 root root 4096 Apr 22 22:50 .
drwxr-xr-x 9 root root 4096 Apr 21 17:55 ..
-rw-r--r-- 1 root root 1332 Dec 5 2023 000-default.conf
-rw-r--r-- 1 root root 1332 Mar 30 02:09 000-default.conf.bak
-rw-r--r-- 1 root root 587 Apr 22 21:11 blog.alcmaple.cn.conf
-rw-r--r-- 1 root root 886 Apr 22 21:36 blog.alcmaple.cn-ssl.conf
-rw-r--r-- 1 root root 847 Apr 21 17:17 blog.hgyjllk.top.conf
-rw-r--r-- 1 root root 698 Apr 21 17:15 blog.hgyjllk.top-ssl.conf
-rw-r--r-- 1 root root 6684 Nov 24 19:03 default-ssl.conf
-rw-r--r-- 1 root root 283 Apr 14 10:26 py.hgyjllk.top.conf
-rw-r--r-- 1 root root 583 Apr 21 15:16 py.hgyjllk.top-ssl.conf
-rw-r--r-- 1 root root 898 Apr 21 16:30 todo.hgyjllk.top.conf
-rw-r--r-- 1 root root 637 Apr 21 09:53 todo.hgyjllk.top-ssl.conf
- See 000-default.conf and default-ssl.conf? That is where www is.
Next, check which config files are enabled:
ls -la /etc/apache2/sites-enabled/
We also need to look at the default config files:
cat /etc/apache2/sites-available/000-default.conf
cat /etc/apache2/sites-available/default-ssl.conf
The output:
root@*******************:~# cat /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
root@*******************:~# ls -la /etc/apache2/sites-enabled/
total 8
drwxr-xr-x 2 root root 4096 Apr 22 21:40 .
drwxr-xr-x 9 root root 4096 Apr 21 17:55 ..
lrwxrwxrwx 1 root root 35 Nov 14 10:54 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root 40 Mar 30 02:32 blog.alcmaple.cn.conf -> ../sites-available/blog.alcmaple.cn.conf
lrwxrwxrwx 1 root root 48 Apr 21 17:40 blog.alcmaple.cn-new-ssl.conf -> ../sites-available/blog.alcmaple.cn-new-ssl.conf
lrwxrwxrwx 1 root root 40 Mar 30 02:32 blog.hgyjllk.top.conf -> ../sites-available/blog.hgyjllk.top.conf
lrwxrwxrwx 1 root root 44 Apr 21 17:17 blog.hgyjllk.top-ssl.conf -> ../sites-available/blog.hgyjllk.top-ssl.conf
lrwxrwxrwx 1 root root 38 Apr 14 09:54 py.hgyjllk.top.conf -> ../sites-available/py.hgyjllk.top.conf
lrwxrwxrwx 1 root root 42 Apr 21 15:14 py.hgyjllk.top-ssl.conf -> ../sites-available/py.hgyjllk.top-ssl.conf
lrwxrwxrwx 1 root root 40 Apr 14 09:54 todo.hgyjllk.top.conf -> ../sites-available/todo.hgyjllk.top.conf
lrwxrwxrwx 1 root root 44 Apr 21 09:54 todo.hgyjllk.top-ssl.conf -> ../sites-available/todo.hgyjllk.top-ssl.conf
root@*******************:~# cat /etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
ServerName blog.alcmaple.cn
# Replace example.com with the domain bound to your certificate; if this parameter is missing, add it by hand.
SSLCertificateFile /etc/apache2/ssl/blog.alcmaple.cn_public.crt
# Certificate (public key) file path; replace with the actual path.
SSLCertificateKeyFile /etc/apache2/ssl/blog.alcmaple.cn.key
# Certificate private key file path; replace with the actual path.
SSLCertificateChainFile /etc/apache2/ssl/blog.alcmaple.cn_chain.crt
# Certificate chain file path; replace with the actual path.
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
# BrowserMatch "MSIE [2-6]" \
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
- In my case there was no SSL certificate configured for www.alcmaple.cn at all
- The default SSL config (default-ssl.conf) contained the configuration for blog.alcmaple.cn, but it was not enabled
- Meanwhile blog.alcmaple.cn-new-ssl.conf was enabled, yet that new-ssl file no longer exists (I deleted it earlier)
- So the first thing to do is disable that config and enable the correct one
# disable the new-ssl config
sudo a2dissite blog.alcmaple.cn-new-ssl.conf
# enable the ssl config
sudo a2ensite blog.alcmaple.cn-ssl.conf
- The first command removes the symbolic link in /etc/apache2/sites-enabled/; if the output says something like "removing dangling symlink", the link pointed at a file that no longer exists
- The second creates a symbolic link in sites-enabled pointing at the config file in sites-available
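The two problems this section runs into, a dangling link in sites-enabled/ and an SSL vhost for one hostname defined in more than one enabled file (the conflict warned about in the overview), can be checked for in one pass instead of by reading each file. The script below is an added example, not code from the original post; it assumes the Debian/Ubuntu layout (files in sites-available/, symlinks in sites-enabled/) and needs only sh, awk and coreutils. The directory names in the usage comment are the server's real ones; everything else is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a sites-enabled/
# directory for the two problems the post hit. Assumes the Debian/Ubuntu
# layout (sites-available/ holding the files, sites-enabled/ holding symlinks).

# Print every symlink in the directory whose target no longer exists; these are
# the links a2dissite reports as "dangling". Returns 1 if any were found.
find_dangling() {
    dir=$1; rc=0
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        if [ ! -e "$link" ]; then
            printf 'dangling: %s -> %s\n' "$link" "$(readlink "$link")"
            rc=1
        fi
    done
    return $rc
}

# Print every hostname:port claimed by more than one enabled vhost, followed by
# the files that claim it. Apache uses the first matching <VirtualHost> and the
# others are never selected, so a duplicate usually means the wrong certificate
# or DocumentRoot is being served. Returns 1 if any duplicates were found.
find_duplicate_vhosts() {
    dir=$1
    dups=$(
        for conf in "$dir"/*.conf; do
            [ -e "$conf" ] || continue      # also skips dangling links
            # Remember the port from <VirtualHost ...:PORT>, then emit one
            # "host:port file" line per ServerName / ServerAlias in that block.
            awk -v f="$(basename "$conf")" '
                /<VirtualHost/ { port = $0; sub(/.*:/, "", port); sub(/>.*/, "", port) }
                /^[ \t]*ServerName[ \t]/  { print $2 ":" port " " f }
                /^[ \t]*ServerAlias[ \t]/ { for (i = 2; i <= NF; i++) print $i ":" port " " f }
            ' "$conf"
        done | sort -u | awk '
            { n[$1]++; files[$1] = files[$1] " " $2 }
            END { for (k in n) if (n[k] > 1) print k ":" files[k] }'
    )
    [ -z "$dups" ] && return 0
    printf 'duplicate vhost %s\n' "$dups"
    return 1
}

# Usage on the server from the post:
#   find_dangling /etc/apache2/sites-enabled
#   find_duplicate_vhosts /etc/apache2/sites-enabled
```

Run both functions after every a2ensite/a2dissite; a non-zero return from either means something is wrong before you reload. The audit only reads ServerName and ServerAlias lines, so a vhost that relies on being the catch-all (_default_ with no ServerName) is not reported as a duplicate.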
Setting Up Each Site Separately
- First, copy the default SSL config to www.alcmaple.cn-ssl.conf:
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/www.alcmaple.cn-ssl.conf
sudo nano /etc/apache2/sites-available/www.alcmaple.cn-ssl.conf
Then edit this copy for www. As we saw, it still contained blog.alcmaple.cn, so that has to change; the file was pointing all over the place.
Change ServerName blog.alcmaple.cn to ServerName www.alcmaple.cn, and check that DocumentRoot points to the right directory: /var/www/html
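Editing a copy of default-ssl.conf works, but a cleaner way to give every site its own config, which is what this section sets out to do, is to generate the pair of files from a template so the hostname, DocumentRoot and certificate paths are typed only once. The script below is an added example and not the post's own code. It assumes the Debian sites-available layout and the certificate naming seen on this server (BASE_public.crt, BASE_chain.crt and BASE.key in one directory); the port-80 Redirect goes beyond what the post configures and is added so HTTP visitors are sent to the HTTPS site instead of being served in cleartext.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the per-site config
# pair (HOST.conf on port 80, HOST-ssl.conf on port 443) instead of editing a
# copy of default-ssl.conf by hand. Assumes the Debian layout and the
# certificate naming found in the post: BASE_public.crt, BASE_chain.crt, BASE.key.

# Port-80 vhost: only redirects to HTTPS (an addition beyond the post's setup).
render_http_vhost() {
    host=$1
    cat <<EOF
<VirtualHost *:80>
    ServerName $host
    # Permanent redirect to HTTPS; nothing is served in cleartext.
    Redirect permanent / https://$host/
    ErrorLog \${APACHE_LOG_DIR}/$host-error.log
    CustomLog \${APACHE_LOG_DIR}/$host-access.log combined
</VirtualHost>
EOF
}

# Port-443 vhost with the three certificate directives the post uses.
# "*:443" plus ServerName lets several HTTPS sites share the port via SNI.
render_https_vhost() {
    host=$1; docroot=$2; base=$3
    cat <<EOF
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName $host
    DocumentRoot $docroot
    ErrorLog \${APACHE_LOG_DIR}/$host-error.log
    CustomLog \${APACHE_LOG_DIR}/$host-access.log combined

    SSLEngine on
    SSLCertificateFile      ${base}_public.crt
    SSLCertificateKeyFile   ${base}.key
    SSLCertificateChainFile ${base}_chain.crt
</VirtualHost>
</IfModule>
EOF
}

# Write both files into a sites-available directory (default: the Debian one).
write_site() {
    host=$1; docroot=$2; base=$3; dir=${4:-/etc/apache2/sites-available}
    render_http_vhost "$host" > "$dir/$host.conf"
    render_https_vhost "$host" "$docroot" "$base" > "$dir/$host-ssl.conf"
    echo "wrote $dir/$host.conf and $dir/$host-ssl.conf; enable with: sudo a2ensite $host.conf $host-ssl.conf"
}

# Example for the main site from the post (run as root on the server):
#   write_site www.alcmaple.cn /var/www/html /etc/ssl/alcmaple.cn/alcmaple.cn
```

One caveat on the directives: SSLCertificateChainFile has been deprecated since Apache 2.4.8; on current releases the intermediate certificates can instead be appended to the file given to SSLCertificateFile, which is what a *_fullchain.crt file like the one found on this server is usually for. The template keeps the post's three-directive form because it still works on current releases.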
Locating and Configuring the SSL Certificates
To configure SSL for a site, first find where its certificate files are:
find / -name "*.crt" | grep alcmaple
find / -name "*.key" | grep alcmaple
These commands showed me the certificate files in the following locations:
/etc/ssl/alcmaple.cn/alcmaple.cn_public.crt
/etc/ssl/alcmaple.cn/alcmaple.cn_chain.crt
/etc/ssl/alcmaple.cn/blog.alcmaple.cn_fullchain.crt
/etc/ssl/alcmaple.cn/blog.alcmaple.cn_public.crt
/etc/ssl/alcmaple.cn/blog.alcmaple.cn_chain.crt
/etc/ssl/alcmaple.cn/blog.alcmaple.cn.key
/etc/ssl/alcmaple.cn/alcmaple.cn.key
Fixing the Configuration and Enabling HTTPS
Now modify the SSL config files so that they point at the correct certificate files (note the naming pattern: each hostname has its own _public.crt, _chain.crt and .key, and the file given to SSLCertificateKeyFile must be the private key that belongs to the certificate in SSLCertificateFile).
- Create the SSL config for blog.alcmaple.cn:
sudo nano /etc/apache2/sites-available/blog.alcmaple.cn-ssl.conf
The config should contain:
SSLCertificateFile /etc/ssl/alcmaple.cn/blog.alcmaple.cn_public.crt
SSLCertificateKeyFile /etc/ssl/alcmaple.cn/blog.alcmaple.cn.key
SSLCertificateChainFile /etc/ssl/alcmaple.cn/blog.alcmaple.cn_chain.crt
- Create the SSL config for the main domain:
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/www.alcmaple.cn-ssl.conf
sudo nano /etc/apache2/sites-available/www.alcmaple.cn-ssl.conf
Change the config to:
ServerName www.alcmaple.cn
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/alcmaple.cn/alcmaple.cn_public.crt
SSLCertificateKeyFile /etc/ssl/alcmaple.cn/alcmaple.cn.key
SSLCertificateChainFile /etc/ssl/alcmaple.cn/alcmaple.cn_chain.crt
- Enable these configs and reload Apache:
sudo a2ensite www.alcmaple.cn-ssl.conf
sudo a2ensite blog.alcmaple.cn-ssl.conf
sudo systemctl reload apache2
- Done: the sites are back, each hostname points at the right content, and the browser shows the padlock 🔐 (HTTPS works).
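Before that reload it is worth checking that the three files in each config really belong together: a key that does not match its certificate, or a chain that does not lead to the certificate, only shows up as mod_ssl refusing to start or as browser warnings. The script below is an added example and not part of the original post. It uses openssl only; the paths in its usage comment are the ones found under /etc/ssl/alcmaple.cn above; apache2ctl configtest is run only when that command is present. It also checks that the private key is not world-readable, which the find output above cannot tell you.

```shell
#!/bin/sh
# Added example, not code from the original post: checks to run before
# `systemctl reload apache2`. Assumes OpenSSL is installed; the paths in the
# usage comment at the bottom are the ones the post found under /etc/ssl/alcmaple.cn/.

# Return 0 only if the private key belongs to the certificate. Both sides are
# reduced to the SHA-256 of their DER-encoded public key, so this also works
# for EC keys, not just RSA moduli.
key_matches_cert() {
    cert=$1; key=$2
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 if the chain file leads from the server certificate to a trusted root.
# -untrusted is the intermediate bundle Apache will send (SSLCertificateChainFile);
# -CAfile is the trust anchor (on a real server: /etc/ssl/certs/ca-certificates.crt).
chain_verifies() {
    cert=$1; chain=$2; root=$3
    openssl verify -CAfile "$root" -untrusted "$chain" "$cert" >/dev/null 2>&1
}

# Return 0 if only the owner can read the key. Apache opens it as root before
# dropping privileges, so 0600 root:root is sufficient.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Run every check; print each failure and return non-zero if any failed.
preflight() {
    cert=$1; key=$2; chain=$3; root=$4; rc=0
    key_matches_cert "$cert" "$key" || { echo "FAIL: $key does not match $cert"; rc=1; }
    chain_verifies "$cert" "$chain" "$root" || { echo "FAIL: $chain does not verify $cert"; rc=1; }
    key_is_private "$key" || { echo "FAIL: $key is readable by other users"; rc=1; }
    # Syntax check of the whole Apache config; only possible on the server itself.
    if command -v apache2ctl >/dev/null 2>&1; then
        apache2ctl configtest || rc=1
    fi
    return $rc
}

# Usage on the server from the post:
#   preflight /etc/ssl/alcmaple.cn/alcmaple.cn_public.crt /etc/ssl/alcmaple.cn/alcmaple.cn.key \
#             /etc/ssl/alcmaple.cn/alcmaple.cn_chain.crt /etc/ssl/certs/ca-certificates.crt
```

If key_matches_cert fails, the reload would leave Apache reporting a key/certificate mismatch in error.log; if chain_verifies fails, browsers would show an untrusted-issuer warning even though Apache starts. Fix both in sites-available before touching sites-enabled.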
Supplement: Restart vs. Reload in Apache
When configuring Apache it is important to know the difference between reload and restart:
reload
- Re-reads the configuration files only; the service process is not stopped
- Existing connections and sessions are not dropped
- Almost invisible to users; the site stays available
- Suitable for most configuration-file changes
- Faster, with little impact on a production server
restart
- Stops and then starts the whole Apache service
- Drops all existing connections
- Users may briefly be unable to reach the site
- Needed for core changes such as loading or unloading modules or editing the main configuration file
- Guarantees that every configuration change has taken effect
Recommendations
- For most configuration changes, prefer reload
- If a change has not taken effect after a reload, then restart
- Do restarts during a maintenance window or at low-traffic times
Summary
Following the steps in this post, we added SSL certificates to the sites and made them reachable over HTTPS. The main steps were:
- Check and enable the SSL module
- Check the existing Apache configuration
- Find the certificate files
- Create or modify the SSL config files
- Enable the configs and reload the Apache service
Adding an SSL certificate improves the site's security and gives users a more trustworthy browsing experience. Once configured, the SSL setup rarely needs to change; it only needs updating before the certificate expires.
If you run into problems, let's discuss them in the comments.
