自从wdcp出了V3.2之后,apache版本升级为2.4了,php可以多版本了,后台也可以直接管理ssl了,今天就想折腾一下apache的https访问,把网站的证书什么配置好了之后,打开网站,总是提示我说被拒绝连接,跑去进程一看httpd竟然还没启动,真是郁闷了。
登陆ssh,执行命令service httpd restart,竟然说”Invalid command ‘SSLEngine’ ,意思就是说没有安装SSL,那么安装吧,执行命令yum install mod_ssl,告诉我这个模块已经安装了,这就奇怪了。
进入httpd的modules目录:/www/wdlinux/apache/modules ,mod_ssl.so静静的躺在那里,看来这个是没有问题的。
打开httpd配置文件/www/wdlinux/apache/conf/httpd.conf,找到mod_ssl.so位置
LoadModule ssl_module modules/mod_ssl.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so #LoadModule proxy_express_module modules/mod_proxy_express.so #LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so #LoadModule session_module modules/mod_session.so #LoadModule session_cookie_module modules/mod_session_cookie.so #LoadModule session_crypto_module modules/mod_session_crypto.so #LoadModule session_dbd_module modules/mod_session_dbd.so #LoadModule slotmem_shm_module modules/mod_slotmem_shm.so #LoadModule ssl_module modules/mod_ssl.so #LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so #LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so #LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
原来wdcp的后台apache默认是没有开启SSL模块的,把#LoadModule ssl_module modules/mod_ssl.so前面的#去掉。但是仅仅这样,还不能启动apache的https,下面还有很多坑,经过好几个小时的调试,总算是全部搞明白了。
在WDCP下正确使用apache的https有好几个地方需要注意。
第一步,把域名的3个apache相关证书传到“SSL证书管理”处,上传的时候类型选择apache,文件名输入域名,这样就自动重命名了
第二步,按照wdcp的提示:单A引擎启用https证书时,需在“系统设置”里的“web服务端口”增加443,以及防火墙开放443端口。当单独使用apache+mysql时候需要将443端口加入”web服务端口“,同时在防火墙开放443端口。另外在网站的配置方面选择启用“https支持”,那么wdcp后台的几个ssl的事情就做完了。
第三步,配置httpd,打开/www/wdlinux/apache/conf/httpd.conf,除了打开前面已经说过的#LoadModule ssl_module modules/mod_ssl.so 以外,我们还需要打开另外几个参数,具体如下:
# Include conf/extra/httpd-ssl.conf #LoadModule ssl_module modules/mod_ssl.so #LoadModule socache_shmcb_module modules/mod_socache_shmcb.so #LoadModule socache_dbm_module modules/mod_socache_dbm.so
把这4行前面的#去掉,代表加载这4个文件。
之后打开/www/wdlinux/apache/conf/extra/httpd-ssl.conf文件,
去掉下面这部分内容,也就是<VirtualHost _default_:443>和</VirtualHost>之间的内容,
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/www/wdlinux/httpd-2.4.23/htdocs"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog "/www/wdlinux/httpd-2.4.23/logs/error_log"
TransferLog "/www/wdlinux/httpd-2.4.23/logs/access_log"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
SSLCertificateFile "/www/wdlinux/httpd-2.4.23/conf/server.crt"
#SSLCertificateFile "/www/wdlinux/httpd-2.4.23/conf/server-dsa.crt"
#SSLCertificateFile "/www/wdlinux/httpd-2.4.23/conf/server-ecc.crt"
省略无数个字.................................................................
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog "/www/wdlinux/httpd-2.4.23/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
因为这一部分配置,已经在vhost目录中的网站配置文件加载了,比如:/www/wdlinux/apache/conf/vhost/baishujun_com.conf
这时候执行命令service httpd restart,会提示重启失败,但是在/www/wdlinux/apache/conf/vhost目录生成了一个port.conf文件,内容如下
Listen 443 AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLHonorCipherOrder on SSLSessionCache "shmcb:logs/ssl_scache(512000)" SSLSessionCacheTimeout 300 SSLMutex "file:logs/ssl_mutex"
很明显,这个就是监听443端口的配置文件,但是SSLMutex自apache 2.2之后已经丢弃,我用的是apache 2.4,所以无法识别此命令,把SSLMutex替换为Mutex,同时在/www/wdlinux/apache/logs目录建立一个ssl_mutex文件夹,再来执行service httpd restart,绿色的ok就出来了。
网站也可以打开了,apache的https开启成功。
