详解在Ubuntu上的Apache配置SSL(https证书)的正确姿势

#loadmodule ssl_module modules/mod_ssl.so (如果找不到请确认是否编译过 openssl 插件)
#include conf/extra/httpd-ssl.conf

# 添加 ssl 协议支持协议，去掉不安全的协议
sslprotocol all -sslv2 -sslv3
# 修改加密套件如下
sslciphersuite high:!rc4:!md5:!anull:!enull:!null:!dh:!edh:!exp:+medium
sslhonorcipherorder on
# 证书公钥配置
sslcertificatefile cert/public.pem
# 证书私钥配置
sslcertificatekeyfile cert/xxxxxxx.key
# 证书链配置，如果该属性开头有 '#'字符，请删除掉
sslcertificatechainfile cert/chain.pem

# it is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
# /etc/apache2/
# |-- apache2.conf
# | `-- ports.conf
# |-- mods-enabled
# | |-- *.load
# | `-- *.conf
# |-- conf-enabled
# | `-- *.conf
# `-- sites-enabled
# `-- *.conf
#

<ifmodule ssl_module>
 listen 443
</ifmodule>
 
<ifmodule mod_gnutls.c>
 listen 443
</ifmodule>

# depends: setenvif mime socache_shmcb
loadmodule ssl_module /usr/lib/apache2/modules/mod_ssl.so
ssl.conf长这样：
<ifmodule mod_ssl.c>
 
 # pseudo random number generator (prng):
 # configure one or more sources to seed the prng of the ssl library.
 # the seed data should be of good random quality.
 # warning! on some platforms /dev/random blocks if not enough entropy
 # is available. this means you then cannot use the /dev/random device
 # because it would lead to very long connection times (as long as
 # it requires to make more entropy available). but usually those
 # platforms additionally provide a /dev/urandom device which doesn't
 # block. so, if available, use this one instead. read the mod_ssl user
 # manual for more details.
 #
 sslrandomseed startup builtin
 sslrandomseed startup file:/dev/urandom 512
 sslrandomseed connect builtin
 sslrandomseed connect file:/dev/urandom 512
 
 ##
 ## ssl global context
 ##
 ## all ssl configuration in this context applies both to
 ## the main server and all ssl-enabled virtual hosts.
 ##
 
 #
 # some mime-types for downloading certificates and crls
 #
 addtype application/x-x509-ca-cert .crt
 addtype application/x-pkcs7-crl .crl
 
 # pass phrase dialog:
 # configure the pass phrase gathering process.
 # the filtering dialog program (`builtin' is a internal
 # terminal dialog) has to provide the pass phrase on stdout.
 sslpassphrasedialog exec:/usr/share/apache2/ask-for-passphrase
 
 # inter-process session cache:
 # configure the ssl session cache: first the mechanism 
 # to use and second the expiring timeout (in seconds).
 # (the mechanism dbm has known memory leaks and should not be used).
 #sslsessioncache dbm:${apache_run_dir}/ssl_scache
 sslsessioncache shmcb:${apache_run_dir}/ssl_scache(512000)
 sslsessioncachetimeout 300
 
 # semaphore:
 # configure the path to the mutual exclusion semaphore the
 # ssl engine uses internally for inter-process synchronization. 
 # (disabled by default, the global mutex directive consolidates by default
 # this)
 #mutex file:${apache_lock_dir}/ssl_mutex ssl-cache
 
 
 # ssl cipher suite:
 # list the ciphers that the client is permitted to negotiate. see the
 # ciphers(1) man page from the openssl package for list of all available
 # options.
 # enable only secure ciphers:
 sslciphersuite high:!rc4:!md5:!anull:!enull:!null:!dh:!edh:!exp:+medium
 
 # ssl server cipher order preference:
 # use server priorities for cipher algorithm choice.
 # clients may prefer lower grade encryption. you should enable this
 # option if you want to enforce stronger encryption, and can afford
 # the cpu cost, and did not override sslciphersuite in a way that puts
 # insecure ciphers first.
 # default: off
 sslhonorcipherorder on
 
 # the protocols to enable.
 # available values: all, sslv3, tlsv1, tlsv1.1, tlsv1.2
 # ssl v2 is no longer supported
 sslprotocol all -sslv2 -sslv3
 
 # allow insecure renegotiation with clients which do not yet support the
 # secure renegotiation protocol. default: off
 #sslinsecurerenegotiation on
 
 # whether to forbid non-sni clients to access name based virtual hosts.
 # default: off
 #sslstrictsnivhostcheck on
 
</ifmodule>
 
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

<ifmodule mod_ssl.c>
 <virtualhost _default_:443>
 servername 
 
 ################加入你自己的站点配置##########
 
 
 
 # available loglevels: trace8, ..., trace1, debug, info, notice, warn,
 # error, crit, alert, emerg.
 # it is also possible to configure the loglevel for particular
 # modules, e.g.
 #loglevel info ssl:warn
 
 errorlog ${apache_log_dir}/error.log
 customlog ${apache_log_dir}/access.log combined
 
 # for most configuration files from conf-available/, which are
 # enabled or disabled at a global level, it is possible to
 # include a line for only one particular virtual host. for example the
 # following line enables the cgi configuration for this host only
 # after it has been globally disabled with "a2disconf".
 #include conf-available/serve-cgi-bin.conf
 
 # ssl engine switch:
 # enable/disable ssl for this virtual host.
 sslengine on
 
 # a self-signed (snakeoil) certificate can be created by installing
 # the ssl-cert package. see
 # /usr/share/doc/apache2/readme.debian.gz for more info.
 # if both key and certificate are stored in the same file, only the
 # sslcertificatefile directive is needed.
 sslcertificatefile /etc/apache2/cert/public.pem
 sslcertificatekeyfile /etc/apache2/cert/xxxxxxx.key
 
 # server certificate chain:
 # point sslcertificatechainfile at a file containing the
 # concatenation of pem encoded ca certificates which form the
 # certificate chain for the server certificate. alternatively
 # the referenced file can be the same as sslcertificatefile
 # when the ca certificates are directly appended to the server
 # certificate for convinience.
 sslcertificatechainfile /etc/apache2/cert/chain.pem
 
 # certificate authority (ca):
 # set the ca certificate verification path where to find ca
 # certificates for client authentication or alternatively one
 # huge file containing all of them (file must be pem encoded)
 # note: inside sslcacertificatepath you need hash symlinks
 # to point to the certificate files. use the provided
 # makefile to update the hash symlinks after changes.
 #sslcacertificatepath /etc/ssl/certs/
 #sslcacertificatefile /etc/apache2/ssl.crt/ca-bundle.crt
 
 # certificate revocation lists (crl):
 # set the ca revocation path where to find ca crls for client
 # authentication or alternatively one huge file containing all
 # of them (file must be pem encoded)
 # note: inside sslcarevocationpath you need hash symlinks
 # to point to the certificate files. use the provided
 # makefile to update the hash symlinks after changes.
 #sslcarevocationpath /etc/apache2/ssl.crl/
 #sslcarevocationfile /etc/apache2/ssl.crl/ca-bundle.crl
 
 # client authentication (type):
 # client certificate verification type and depth. types are
 # none, optional, require and optional_no_ca. depth is a
 # number which specifies how deeply to verify the certificate
 # issuer chain before deciding the certificate is not valid.
 #sslverifyclient require
 #sslverifydepth 10
 
 # ssl engine options:
 # set various options for the ssl engine.
 # o fakebasicauth:
 # translate the client x.509 into a basic authorisation. this means that
 # the standard auth/dbmauth methods can be used for access control. the
 # user name is the `one line' version of the client's x.509 certificate.
 # note that no password is obtained from the user. every entry in the user
 # file needs this password: `xxj31zmtzzkva'.
 # o exportcertdata:
 # this exports two additional environment variables: ssl_client_cert and
 # ssl_server_cert. these contain the pem-encoded certificates of the
 # server (always existing) and the client (only existing when client
 # authentication is used). this can be used to import the certificates
 # into cgi scripts.
 # o stdenvvars:
 # this exports the standard ssl/tls related `ssl_*' environment variables.
 # per default this exportation is switched off for performance reasons,
 # because the extraction step is an expensive operation and is usually
 # useless for serving static content. so one usually enables the
 # exportation for cgi and ssi requests only.
 # o optrenegotiate:
 # this enables optimized ssl connection renegotiation handling when ssl
 # directives are used in per-directory context.
 #ssloptions +fakebasicauth +exportcertdata +strictrequire
 <filesmatch "\.(cgi|shtml|phtml|php)$">
 ssloptions +stdenvvars
 </filesmatch>
 <directory /usr/lib/cgi-bin>
 ssloptions +stdenvvars
 </directory>
 
 # ssl protocol adjustments:
 # the safe and default but still ssl/tls standard compliant shutdown
 # approach is that mod_ssl sends the close notify alert but doesn't wait for
 # the close notify alert from client. when you need a different shutdown
 # approach you can use one of the following variables:
 # o ssl-unclean-shutdown:
 # this forces an unclean shutdown when the connection is closed, i.e. no
 # ssl close notify alert is send or allowed to received. this violates
 # the ssl/tls standard but is needed for some brain-dead browsers. use
 # this when you receive i/o errors because of the standard approach where
 # mod_ssl sends the close notify alert.
 # o ssl-accurate-shutdown:
 # this forces an accurate shutdown when the connection is closed, i.e. a
 # ssl close notify alert is send and mod_ssl waits for the close notify
 # alert of the client. this is 100% ssl/tls standard compliant, but in
 # practice often causes hanging connections with brain-dead browsers. use
 # this only for browsers where you know that their ssl implementation
 # works correctly.
 # notice: most problems of broken clients are also related to the http
 # keep-alive facility, so you usually additionally want to disable
 # keep-alive for those clients, too. use variable "nokeepalive" for this.
 # similarly, one has to force some clients to use http/1.0 to workaround
 # their broken http/1.1 implementation. use variables "downgrade-1.0" and
 # "force-response-1.0" for this.
 # browsermatch "msie [2-6]" \
 # nokeepalive ssl-unclean-shutdown \
 # downgrade-1.0 force-response-1.0
 
 </virtualhost>
</ifmodule>
 
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet