多种情况
1.先写各种可能的情况:
老式的SSL证书是一个证书一个站点一个IP的一一对应,但后来有了改进;
可以配置为一台服务器多个IP,分别对应不同的站点、不同的证书;
还可以配置为一台服务器一个IP,多个端口号对应不同的站点、不同的证书;
后来出现SNI(Server Name Indication服务器名称指示)技术,让https与http一样实现一台服务器多个虚拟站点,每个站点都可以对应不同的证书,无需多个IP、无需多个端口(全部都用https标准的端口号443),多个域名、泛域名都支持。
设置过程
2.设置的过程:
代码示范
下面是一个修改httpd-ssl.conf文件的例子:
Listen 443
#Listen 8081
NameVirtualHost *:443
SSLStrictSNIVHostCheck off
<VirtualHost default:443>
DocumentRoot "/usr/local/apache/htdocs/example.com"
ServerName example.com
ServerAlias subdomain.example.com
ServerAdmin you@example.com
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile "/usr/local/apache/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
SSLCertificateChainFile "/usr/local/apache/conf/1_root_bundle.crt"
<FilesMatch ".(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache/htdocs/example.com">
AllowOverride All
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "/usr/local/apache/htdocs/example2.com"
ServerName example2.com
ServerAlias subdomain.example2.com
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile "/usr/local/apache/conf/server2.crt"
SSLCertificateKeyFile "/usr/local/apache/conf/server2.key"
SSLCertificateChainFile "/usr/local/apache/conf/1_root_bundle2.crt"
<FilesMatch ".(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache/htdocs/example2.com">
AllowOverride All
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
修改.htaccess文件实现301永久重定向的例子:
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
补充:日志问题,为了简化可以把httpd-ssl.conf中的日志都关闭:
#ErrorLog "/usr/local/apache/logs/error_log"
#TransferLog "/usr/local/apache/logs/access_log"
#CustomLog "/usr/local/apache/logs/ssl_request_log" \
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
然后修改httpd.conf中的设置,添加port:%p,从端口号是80还是443来分辨http和https:
LogFormat "%h %l %u %t port:%p \"%{Host}i\" \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "|/usr/local/apache/bin/rotatelogs /usr/local/apache/logs/access_%Y-%m-%d.log 800 480" combined
重启httpd服务后生效,日志文件依然是以前的。
再补充:在部分阿里云国内服务器上使用get_headers(' (link is external));这样的语句报错:
Warning: get_headers(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 在 eval() (行 6 在 /mnt/gb/www/drupal.chahaoba.com/modules/php/php.module(80) : eval()'d code).
Warning: get_headers(): Failed to enable crypto 在 eval() (行 6 在 /mnt/gb/www/drupal.chahaoba.com/modules/php/php.module(80) : eval()'d code).
Warning: get_headers(): failed to open stream: operation failed 在 eval() (行 6 在 /mnt/gb/www/drupal.chahaoba.com/modules/php/php.module(80) : eval()'d code).
用print_r(openssl_get_cert_locations());打印出来是这样的:
(
[default_cert_file] => /usr/local/ssl/cert.pem
[default_cert_file_env] => SSL_CERT_FILE
[default_cert_dir] => /usr/local/ssl/certs
[default_cert_dir_env] => SSL_CERT_DIR
[default_private_dir] => /usr/local/ssl/private
[default_default_cert_area] => /usr/local/ssl
[ini_cafile] =>
[ini_capath] =>
)
而不报错的国外服务器上打印出来是这样的:
(
[default_cert_file] => /etc/pki/tls/cert.pem
[default_cert_file_env] => SSL_CERT_FILE
[default_cert_dir] => /etc/pki/tls/certs
[default_cert_dir_env] => SSL_CERT_DIR
[default_private_dir] => /etc/pki/tls/private
[default_default_cert_area] => /etc/pki/tls
[ini_cafile] =>
[ini_capath] =>
)
原因可能是安装的Centos版本及php版本上有小的差别,修改/alidata/server/php5/etc/php.ini强制设置证书路径:
[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
;curl.cainfo =
[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
;openssl.cafile=
openssl.cafile="/etc/pki/tls/cert.pem"
