hello , 大家好,我是咖啡汪
今天刚好给服务器配置了 SSL 证书,所以写这篇文章来分享下心得。
以下文件包括了80 端口监听代理映射 和 443 端口监听代理映射
1、下载下来的ssl 证书截图如下:
2、修改 httpd.conf,内容如下:
这个不用动直接粘贴就行
# 这个用来定义根路径
Define SRVROOT "C:\Apache\Apache24"
ServerRoot "${SRVROOT}"
# 监听80端口, 80端口对应的是 http 请求
Listen 80
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule http2_module modules/mod_http2.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule lua_module modules/mod_lua.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
<IfModule unixd_module>
User daemon
Group daemon
</IfModule>
ServerAdmin admin@example.com
ServerName localhost:80
<Directory />
AllowOverride none
Require all granted
Header set Access-Control-Allow-Origin *
</Directory>
DocumentRoot "${SRVROOT}/htdocs"
<Directory "${SRVROOT}/htdocs">
Options Indexes FollowSymLinks
AllowOverride FileInfo
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error.log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access.log" common
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "${SRVROOT}/cgi-bin/"
</IfModule>
<IfModule cgid_module>
</IfModule>
<Directory "${SRVROOT}/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
</IfModule>
Include conf/extra/httpd-autoindex.conf
Include conf/extra/httpd-vhosts.conf
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
Include conf/extra/httpd-ssl.conf
</IfModule>
3、配置 httpd-vhosts.conf 文件, 对应的是80 端口的代理,案例如下:
# 配置80 端口的代理
<VirtualHost *:80>
ServerName www.tjxstech.com
ServerAlias www.tjxstech.com
ProxyPass / http://127.0.0.1:9090/technology/
ProxyPassReverse / http://127.0.0.1:9090/technology/
ErrorLog "logs/lbtest-error.log"
CustomLog "logs/lbtest-access.log" common
</VirtualHost>
<VirtualHost *:80>
ServerName www.chaijin.wang
ServerAlias www.chaijin.wang
ProxyPass / http://127.0.0.1:9090/technology/
ProxyPassReverse / http://127.0.0.1:9090/technology/
ErrorLog "logs/lbtest-error.log"
CustomLog "logs/lbtest-access.log" common
</VirtualHost>
<VirtualHost *:80>
ServerName m.tjxstech.com
ServerAlias m.tjxstech.com
ProxyPass / http://127.0.0.1:8090/
ProxyPassReverse / http://127.0.0.1:8090/
ErrorLog "logs/lbtest-error.log"
CustomLog "logs/lbtest-access.log" common
</VirtualHost>
<VirtualHost *:80>
ServerName git.tjxstech.com
ServerAlias git.tjxstech.com
ProxyPass / http://127.0.0.1:8611/
ProxyPassReverse / http://127.0.0.1:8611/
ErrorLog "logs/lbtest-error.log"
CustomLog "logs/lbtest-access.log" common
</VirtualHost>
4、配置 httpd-ssl.conf 文件, 对应的是443 端口的代理,案例如下:
Define SSL_PORT 443
Listen ${SSL_PORT}
ProtocolsHonorOrder On
Protocols h2 http/1.1
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
#SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!3DES:!MD5:!ADH:!RC4:!DH:!DHE
SSLProxyCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
#SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM # 使用此加密套件。
SSLHonorCipherOrder on
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 -SSLv2 -SSLv3
SSLProxyProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLPassPhraseDialog builtin
#SSLSessionCache "dbm:${SRVROOT}/logs/ssl_scache"
SSLSessionCache "shmcb:${SRVROOT}/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
#配置443 端口的代理
<VirtualHost *:443>
DocumentRoot "${SRVROOT}/htdocs"
ServerName weiui.tjxstech.com:443
ServerAdmin admin@weiui.tjxstech.com
ErrorLog "${SRVROOT}/logs/error.log"
SSLEngine on
ProxyPass / http://localhost:9103/
ProxyPassReverse / http://localhost:9103/
SSLCertificateFile "C:/Apache/Apache24/conf/ssl/7260082_weiui.tjxstech.com_public.crt"
SSLCertificateKeyFile "C:/Apache/Apache24/conf/ssl/7260082_weiui.tjxstech.com.key"
SSLCertificateChainFile "C:/Apache/Apache24/conf/ssl/7260082_weiui.tjxstech.com_chain.crt"
<FilesMatch "\.(cgi|html|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "${SRVROOT}/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "${SRVROOT}/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
</VirtualHost>
测试服务的本地访问:
测试服务的外网访问:
