网站升级SSL的一种方法
1、申请证书
打开 http://freessl.cn/ 进行用户注册
keymanager下载 https://keymanager.org/
打开keymanager并登陆在freessl上注册的邮件地址与密码
在证书申请页面进行证书申请
输入要https化的域名后,选择验证类型为http
点击申请证书
可获得验证信息
复制文件内容
找到信息中在网页端的物理地址(如果没有该目录则需要新增)
新增文件fileauth.txt
将复制的文件内容粘贴完毕后,点击我已完成配置(网站会验证域名的有效性,验证通过则会生成相应的pem文件,可根据系统进行导出)
2、在nginx上部署证书并开启ssl
打开相应的nginx.conf文件,xlusong.com主页的为/usr/local/nginx/conf/nginx.conf
根据情况添加如下内容 以www.xlusong.com为例
server {
listen 443 ssl;
server_name www.xlusong.com xlusong.com;
ssl on;ssl_certificate /usr/local/nginx/sslcrt/www.xlusong.com_chain.crt;
ssl_certificate_key /usr/local/nginx/sslcrt/www.xlusong.com_key.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
root /home/wwwroot/xlusong.com;
include xlusong.conf;
#error_page 404 /404.html;
# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
include enable-php.conf;
location /nginx_status
{ stub_status on;
access_log off;
} location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{ expires 30d;
} location ~ .*\.(js|css)?$
{ expires 12h;
} location ~ /.well-known { allow all;
} location ~ /\.
{ deny all;
} access_log /home/wwwlogs/access.log;
}
注:include enable-php.conf;及下方内容同原有80端口的配置一致
完成后重启nginx服务即可
如需重定向(将http定向到https)
则将80端口部分内容进行修改,修改后的命令段如下
server {
listen 80;
server_name www.abc.com abc.com;
rewrite ^(.*)$ https://$host$1 permanent;
index index.php index.html index.htm;
root /home/wwwroot/abc.com;
include xlusong.conf;
#error_page 404 /404.html;
# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
include enable-php.conf;
location /nginx_status
{ stub_status on;
access_log off;
} location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{ expires 30d;
} location ~ .*\.(js|css)?$
{ expires 12h;
} location ~ /.well-known { allow all;
} location ~ /\.
{ deny all;
} access_log /home/wwwlogs/access.log;
}
完成后重启nginx服务即可
如有发现升级后网页错误按F12提示有类似信息
如本次报错的文件为server下index.php
php可在index.php中添加如下内容
header("Content-Security-Policy: upgrade-insecure-requests");
header('Upgrade-Insecure-Requests: 1');
html可添加
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />
3、在apache2上部署证书并开启ssl
加载Apache2 sslmod
a2enmod ssl
打开相应的apache2conf文件
如本次打开的是/etc/apache2/sites-available/000-default.conf
添加如下内容(以www.abc.com为例)
<virtualhost *:443> ServerName www.abc.com <proxy> Order deny,allow Allow from all </proxy> SSLEngine On SSLProxyEngine On SSLProxyVerify none SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLCertificateFile "/axx/www.abc.com.crt" SSLCertificateKeyFile "/axx/www.abc.com.key" ErrorLog "/zzl/error.log" ProxyRequests Off ProxyPreserveHost On ProxyPass /abc/ http://127.0.0.1:8083/abc/ ProxyPassReverse /abc/ http://127.0.0.1:8083/abc/ ProxyPass / http://127.0.0.1:5000/ ProxyPassReverse / </virtualhost>
重启apache2后即可通过https打开网站,如碰到http报错情况可参照nginx报错进行网站调整 此处没有强制重定向 需要重定向 添加如下配置即可
<VirtualHost *:80>
#配置站点的域名
ServerName www.abc.com #配置站点的管理员信息
serveralias www.abc.com RewriteEngine On
RewriteRule ^/(.*?)$ https://www.abc.com/$1 [R]</VirtualHost>
目录 返回
首页