Install the required packages
yum install mod_ssl openssl
Generate the key, CSR and self-signed certificate
# Generate a 2048-bit RSA private key
openssl genrsa -out server.key 2048
# Generate a CSR from it (you are prompted for the subject; the Common Name must be the site's hostname)
openssl req -new -key server.key -out server.csr
# Generate a self-signed certificate valid for 10 years (browsers will warn on it; a public site needs a CA-signed certificate, see the vhost below)
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
# Copy the files to the correct locations; the private key must be readable by root only
cp server.crt /etc/pki/tls/certs
cp server.key /etc/pki/tls/private/server.key
cp server.csr /etc/pki/tls/private/server.csr
chmod 600 /etc/pki/tls/private/server.key
SELinux settings (restore the file contexts so httpd is allowed to read the copied files)
restorecon -RvF /etc/pki
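The key, CSR and self-signed certificate steps above, as an added example that is not code from the original post: the same openssl calls wrapped in functions, plus what the bare commands leave out, a subjectAltName (browsers ignore the CN on its own), a private key that is 0600 from the moment it is created, and checks that the key and certificate actually belong together before anything is copied into /etc/pki. The extension config file is used instead of `-addext` because the latter needs OpenSSL 1.1.1 while CentOS 7 ships 1.0.2. The hostname and the staging root in the usage line are assumed example values.

```shell
#!/bin/sh
# Added example (not code from the original post): the key / CSR / self-signed certificate
# steps as functions, with a subjectAltName, a 0600 private key, and consistency checks.
# The hostname and the staging root used in the usage line are assumptions.
set -eu

# gen_selfsigned DIR HOSTNAME [DAYS]: writes DIR/server.key, DIR/server.csr, DIR/server.crt
gen_selfsigned() {
    dir=$1; host=$2; days=${3:-3650}
    mkdir -p "$dir"

    # Extension config. "openssl req -addext" needs 1.1.1; a config file also works on
    # the 1.0.2 shipped with CentOS 7. The empty [req_dn] section is required with -subj.
    printf '[req]\ndistinguished_name = req_dn\n[req_dn]\n[v3_req]\nsubjectAltName = DNS:%s\n' \
        "$host" >"$dir/san.cnf"

    # Private key, created 0600 (umask in a subshell so the caller's umask is untouched)
    (umask 077 && openssl genrsa -out "$dir/server.key" 2048)

    # CSR: -subj replaces the interactive prompts, -reqexts puts the SAN into the request
    openssl req -new -sha256 -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$host" -config "$dir/san.cnf" -reqexts v3_req

    # Self-signed cert. "x509 -req" drops request extensions unless -extfile re-adds them.
    openssl x509 -req -sha256 -days "$days" -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" -extfile "$dir/san.cnf" -extensions v3_req
}

# key_matches_cert KEY CERT: the public key in the cert must be the one derived from KEY
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_san CERT HOSTNAME: the name the browser will check must be in the SAN list
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -Fq "DNS:$2"
}

# cert_valid_for CERT SECONDS: fails if the certificate expires within SECONDS
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# install_tls_files DIR [ROOT]: the cp steps of the post with explicit modes (ROOT for staging)
install_tls_files() {
    dir=$1; root=${2:-}
    install -d -m 755 "$root/etc/pki/tls/certs" "$root/etc/pki/tls/private"
    install -m 644 "$dir/server.crt" "$root/etc/pki/tls/certs/server.crt"
    install -m 600 "$dir/server.key" "$root/etc/pki/tls/private/server.key"
    install -m 600 "$dir/server.csr" "$root/etc/pki/tls/private/server.csr"
    # on the real host, follow with: restorecon -RvF /etc/pki
}

# Usage (assumed example values): sh mkcert.sh /root/tls blog.mxawei.cn 3650
if [ $# -ge 2 ]; then
    gen_selfsigned "$1" "$2" "${3:-3650}"
    key_matches_cert "$1/server.key" "$1/server.crt" && cert_has_san "$1/server.crt" "$2" \
        && echo "OK: $1/server.crt matches $1/server.key and names $2"
fi
```

Run it on a staging directory first; `install_tls_files DIR` with no ROOT argument writes to the real /etc/pki paths, after which the restorecon step above still applies.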
Configure Apache
vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf
Change the following entries so they point at the files copied above:
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
Firewall settings
firewall-cmd --permanent --zone=public --add-service=https
A --permanent rule is only written to the saved configuration; run firewall-cmd --reload (or repeat the command without --permanent) for it to take effect on the running firewall.
Configure the vhost
Using blog.mxawei.cn.conf as an example, the contents are:
<VirtualHost *:443>
    ServerAdmin awei@mxawei.cn
    ServerName blog.mxawei.cn
    DocumentRoot /home/data/www/html/wordpress

    SSLEngine on
    # "all -SSLv2" alone leaves SSLv3 and TLS 1.0/1.1 enabled; switch off everything below TLS 1.2
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # The old ssl.conf default (ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM) prefers RC4 and
    # admits MEDIUM suites; allow HIGH only and let the server pick the order
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on

    <IfModule mod_headers.c>
        # HSTS; drop "preload" unless the domain is really going to be submitted to the preload list
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </IfModule>

    # Certificate, key and intermediate bundle as delivered by the CA (file names are the CA's)
    SSLCertificateFile /etc/pki/tls/certs/2_blog.mxawei.cn.crt
    SSLCertificateKeyFile /etc/pki/tls/private/3_blog.mxawei.cn.key
    SSLCertificateChainFile /etc/pki/tls/certs/1_root_bundle.crt

    # A DocumentRoot outside /var/www needs the httpd_sys_content_t SELinux label to be readable
    <Directory "/home/data/www/html/wordpress/">
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # The log directory must exist before httpd starts, or the restart fails
    ErrorLog /var/log/httpd/blog.mxawei.cn/logs/error.log
    CustomLog /var/log/httpd/blog.mxawei.cn/logs/access.log combined
</VirtualHost>
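As an added example that is not part of the original post, a small line-based audit of an Apache SSL vhost file that flags the directives a reviewer would send back: protocol versions below TLS 1.2 left negotiable, cipher tokens that admit RC4, MEDIUM, EXPORT, MD5 or DES suites, no server-side cipher ordering, and no HSTS header. The two sample vhosts are constructed inside the script: the first copies the weak SSLProtocol/SSLCipherSuite values of the old default ssl.conf, the second the hardened values. It assumes one directive per line and does not try to parse Apache's full configuration grammar.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an Apache SSL vhost for the weak
# settings a reviewer would reject. Sample vhosts are constructed below; one directive per line.
set -eu

has() { grep -Eiq "$2" "$1"; }                           # has FILE REGEX

# proto_enabled FILE PROTO -> 0 if PROTO is still negotiable according to SSLProtocol
proto_enabled() {
    line=$(grep -Ei '^[[:space:]]*SSLProtocol' "$1" | head -n 1)
    case " $line " in
        *" -$2 "*)                    return 1 ;;        # explicitly removed
        *" all "*|*" +$2 "*|*" $2 "*) return 0 ;;        # "all", or listed positively
    esac
    return 1
}

# weak_ciphers FILE -> prints the SSLCipherSuite tokens that admit weak suites
weak_ciphers() {
    ciphers=$(grep -Ei '^[[:space:]]*SSLCipherSuite' "$1" | head -n 1 | awk '{print $2}')
    weak=""
    for t in $(printf '%s' "$ciphers" | tr ':' ' '); do
        case $t in
            !*) ;;                                            # an exclusion, fine
            ALL|*RC4*|*MEDIUM*|*LOW*|*EXPORT*|*MD5*|*DES*) weak="$weak $t" ;;
        esac
    done
    printf '%s' "$weak"
}

# audit_vhost FILE -> one finding per line; returns 1 if anything was found
audit_vhost() {
    f=$1; n=0
    has "$f" '^[[:space:]]*SSLEngine[[:space:]]+on' || { echo "SSLEngine is not on"; n=$((n+1)); }
    for p in SSLv3 TLSv1 TLSv1.1; do
        ! proto_enabled "$f" "$p" || { echo "SSLProtocol leaves $p enabled"; n=$((n+1)); }
    done
    w=$(weak_ciphers "$f")
    [ -z "$w" ] || { echo "SSLCipherSuite admits weak suites:$w"; n=$((n+1)); }
    has "$f" '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' \
        || { echo "SSLHonorCipherOrder is not on (client picks the suite)"; n=$((n+1)); }
    has "$f" 'Strict-Transport-Security' || { echo "no HSTS header"; n=$((n+1)); }
    [ "$n" -eq 0 ]
}

# Constructed sample: the weak directives of the old default ssl.conf
write_weak_vhost() {
    cat >"$1" <<'EOF'
<VirtualHost *:443>
    ServerName blog.mxawei.cn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
</VirtualHost>
EOF
}

# Constructed sample: the hardened equivalent
write_hardened_vhost() {
    cat >"$1" <<'EOF'
<VirtualHost *:443>
    ServerName blog.mxawei.cn
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
</VirtualHost>
EOF
}

# Usage: sh audit-vhost.sh /etc/httpd/conf.d/blog.mxawei.cn.conf
[ $# -eq 0 ] || audit_vhost "$1"
```

Run against the weak sample it reports six findings (SSLv3, TLSv1 and TLSv1.1 still enabled, the ALL/RC4+RSA/+MEDIUM tokens, no cipher order, no HSTS); the hardened sample passes cleanly.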
Force HTTPS
Create a separate file for the port 80 vhost with the following contents; it only redirects, nothing is served over plain HTTP:
<VirtualHost *:80>
    ServerName blog.mxawei.cn
    # 301 to the HTTPS site; the request path is appended to the target, so deep links survive
    Redirect permanent / https://blog.mxawei.cn/
</VirtualHost>
Note: the firewall must also allow port 80 (firewall-cmd --permanent --zone=public --add-service=http, then reload), otherwise clients never reach the redirect.
Check the configuration with apachectl configtest, then restart httpd (systemctl restart httpd) and everything works.
This post follows the official CentOS HowTos.