Apache SSL/TLS Configuration
Overview
SSL/TLS encryption is the core technology for protecting web traffic. This article walks through SSL/TLS configuration in Apache: obtaining certificates, configuring HTTPS virtual hosts, hardening the TLS settings, and tuning performance.
1. Basic SSL/TLS Configuration
1.1 Enabling the SSL Module
# Enable the SSL module
sudo a2enmod ssl
# Enable the headers module (used for the security headers below)
sudo a2enmod headers
# Enable the rewrite module (used for HTTP-to-HTTPS redirects)
sudo a2enmod rewrite
# Restart Apache
sudo systemctl restart apache2
1.2 Basic SSL Virtual Host Configuration
# Listen on the HTTPS port
Listen 443
# SSL virtual host
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example
    # Enable SSL
    SSLEngine on
    # Certificate files
    SSLCertificateFile /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    # Intermediate chain (deprecated since Apache 2.4.8; the chain can instead be appended to the SSLCertificateFile)
    SSLCertificateChainFile /etc/ssl/certs/example.com.ca-bundle
    # Protocols and cipher suites (this baseline still allows TLS 1.0/1.1; section 3.1 restricts it to TLS 1.2/1.3)
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    # Security settings
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
    # Logging
    ErrorLog /var/log/apache2/example_ssl_error.log
    CustomLog /var/log/apache2/example_ssl_access.log combined
</VirtualHost>
2. Certificate Application and Management
2.1 Using Free Let's Encrypt Certificates
# Install Certbot
sudo apt-get update
sudo apt-get install certbot python3-certbot-apache
# Request a certificate (the Apache plugin also edits the virtual host for you)
sudo certbot --apache -d example.com -d www.example.com
# Test automatic renewal
sudo certbot renew --dry-run
# Add a renewal cron job; list root's existing crontab first so the entry is appended rather than replacing every existing job
(sudo crontab -l 2>/dev/null; echo "0 12 * * * /usr/bin/certbot renew --quiet") | sudo crontab -
2.2 Manually Creating a Self-Signed Certificate
# Generate the private key
sudo openssl genrsa -out /etc/ssl/private/example.com.key 2048
# Generate a certificate signing request (interactive; answers the subject fields)
sudo openssl req -new -key /etc/ssl/private/example.com.key -out /etc/ssl/certs/example.com.csr
# Generate the self-signed certificate
sudo openssl x509 -req -days 365 -in /etc/ssl/certs/example.com.csr -signkey /etc/ssl/private/example.com.key -out /etc/ssl/certs/example.com.crt
# Set permissions: the key is readable by root only, the certificate is public
sudo chmod 600 /etc/ssl/private/example.com.key
sudo chmod 644 /etc/ssl/certs/example.com.crt
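The three-step procedure above produces a certificate with only a Common Name, which current browsers reject because they match the hostname against the Subject Alternative Name extension instead. The script below is an added example, not part of the original article: it generates the key and certificate in one non-interactive step with a SAN entry for the bare and www hostnames, sets the file permissions, and then verifies the SAN and that the certificate really belongs to the key (a mismatch is a common reason Apache refuses to start). It assumes OpenSSL 1.1.1 or newer for `req -addext`; the function names are the example's own.

```bash
#!/bin/bash
# mkcert-san.sh (added example; not part of the original article)
# Generates a key and self-signed certificate non-interactively with a
# Subject Alternative Name, then checks the result.
# Assumes OpenSSL 1.1.1 or newer ("req -addext").

# make_self_signed_cert <domain> <key-path> <cert-path> [days]
make_self_signed_cert() {
    local domain="$1" key="$2" crt="$3" days="${4:-365}"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    # umask 077: the private key is never created world-readable, not even briefly
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$key" -out "$crt" -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" 2>/dev/null ) || return 1
    chmod 600 "$key"   # key: owner only
    chmod 644 "$crt"   # certificate: public
}

# cert_has_san <cert-path> <hostname>: succeeds if the hostname is a DNS SAN entry.
# Browsers ignore the CN, so a certificate without a matching SAN is rejected.
cert_has_san() {
    local crt="$1" name="$2"
    openssl x509 -in "$crt" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -Eq "DNS:$name(,|$)"
}

# cert_matches_key <cert-path> <key-path>: succeeds if the certificate's public key
# is the public half of the private key (compared as SHA-256 of the PEM encodings).
cert_matches_key() {
    local crt="$1" key="$2" a b
    a=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: ./mkcert-san.sh example.com /etc/ssl/private/example.com.key /etc/ssl/certs/example.com.crt
if [ $# -ge 3 ]; then
    make_self_signed_cert "$1" "$2" "$3" \
        && cert_has_san "$3" "$1" \
        && cert_matches_key "$3" "$2" \
        && openssl x509 -in "$3" -noout -subject -dates
fi
```

The SAN check is the one that matters for a self-signed certificate used in a browser; the key/certificate comparison is the same test Apache performs at startup, and running it here turns a cryptic "certificate and private key do not match" error log line into an immediate script failure.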
3. Advanced SSL/TLS Configuration
3.1 Modern SSL Configuration
# Modern SSL configuration (recommended)
# SSLStaplingCache is only valid in the server-wide context, so it goes outside <VirtualHost>
SSLStaplingCache "shmcb:/var/run/ocsp(128000)"
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    SSLCertificateChainFile /etc/ssl/certs/example.com.ca-bundle
    # Modern protocol settings: TLS 1.2 and 1.3 only
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder off
    SSLSessionTickets off
    # OCSP stapling (the cache is defined above at server level)
    SSLUseStapling on
    # HSTS: two years, including subdomains; add "preload" only once every subdomain is served over HTTPS, since removal from the preload list is slow
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    # Other security headers
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    # Logging
    ErrorLog /var/log/apache2/example_ssl_error.log
    CustomLog /var/log/apache2/example_ssl_access.log combined
</VirtualHost>
3.2 HTTP to HTTPS Redirect
# HTTP virtual host that redirects to HTTPS
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    # Redirect every request to HTTPS
    Redirect permanent / https://www.example.com/
</VirtualHost>
# Alternatively, use a rewrite rule
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
4. SSL/TLS Security Hardening
4.1 Disabling Insecure Protocols and Cipher Suites
# Protocols: TLS 1.2 and 1.3 only
SSLProtocol -all +TLSv1.2 +TLSv1.3
# Restrict to forward-secret AEAD suites
SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:!DSS:!RSA:!aNULL:!eNULL:!LOW:!MD5:!RC4:!3DES
# Disable insecure features
SSLCompression off
# Client preference is acceptable once only AEAD suites remain
SSLHonorCipherOrder off
SSLSessionTickets off
SSLInsecureRenegotiation off
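Directives like these are easy to get right once and then lose in a later edit, so it is worth checking them mechanically. The script below is an added example, not from the article: it audits an Apache SSL configuration file for the hardening settings listed in this section (comments are stripped first, so a commented-out directive does not count as present) and exits with the number of failed checks, which makes it usable as a deployment gate. The two sample configurations it writes to temporary files are constructed for the demonstration; the function names are the example's own.

```bash
#!/bin/bash
# audit-ssl-conf.sh (added example; not part of the original article)
# Audits an Apache mod_ssl configuration file for the hardening settings of
# section 4.1. Prints PASS/FAIL per check; the exit status is the failure count.

# audit_ssl_conf <config-file>
audit_ssl_conf() {
    local conf="$1" findings=0 body
    # Strip comments so a commented-out directive is not mistaken for an active one
    body=$(sed 's/#.*//' "$conf")

    # require <description> <ERE>: the pattern must match somewhere in the config
    require() {
        if printf '%s\n' "$body" | grep -Eiq "$2"; then
            echo "PASS: $1"
        else
            echo "FAIL: $1"; findings=$((findings + 1))
        fi
    }
    # forbid <description> <ERE>: the pattern must not match anywhere
    forbid() {
        if printf '%s\n' "$body" | grep -Eiq "$2"; then
            echo "FAIL: $1"; findings=$((findings + 1))
        else
            echo "PASS: $1"
        fi
    }

    # Only TLS 1.2 and/or 1.3 enabled, in the "-all +TLSv1.x" form used in this article
    require "SSLProtocol allows only TLS 1.2/1.3" \
        '^[[:space:]]*SSLProtocol[[:space:]]+-all([[:space:]]+[+]TLSv1[.][23])+[[:space:]]*$'
    require "SSLCompression off" '^[[:space:]]*SSLCompression[[:space:]]+off'
    require "SSLSessionTickets off" '^[[:space:]]*SSLSessionTickets[[:space:]]+off'
    forbid  "SSLInsecureRenegotiation not enabled" '^[[:space:]]*SSLInsecureRenegotiation[[:space:]]+on'
    # A weak cipher keyword only counts when it is not negated with "!"
    forbid  "No unnegated weak ciphers in SSLCipherSuite" \
        '^[[:space:]]*SSLCipherSuite.*(:|[[:space:]])(RC4|3DES|DES|MD5|NULL|EXPORT|LOW)'

    echo "$findings check(s) failed"
    return "$findings"
}

# Constructed sample configurations (written to temporary files) for the demonstration
write_sample_hardened() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    # TLS 1.0/1.1 disabled
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:!DSS:!RSA:!aNULL:!eNULL:!LOW:!MD5:!RC4:!3DES
    SSLCompression off
    SSLHonorCipherOrder off
    SSLSessionTickets off
    SSLInsecureRenegotiation off
</VirtualHost>
EOF
    echo "$f"
}
write_sample_weak() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:RC4:!aNULL
    # SSLCompression off
    SSLSessionTickets on
    SSLInsecureRenegotiation on
</VirtualHost>
EOF
    echo "$f"
}

# Usage: ./audit-ssl-conf.sh /etc/apache2/sites-enabled/example-ssl.conf
# Without an argument, audits the two constructed samples.
if [ $# -ge 1 ]; then
    audit_ssl_conf "$1"
else
    hardened=$(write_sample_hardened); weak=$(write_sample_weak)
    echo "--- constructed hardened sample"; audit_ssl_conf "$hardened" || true
    echo "--- constructed weak sample";     audit_ssl_conf "$weak" || true
    rm -f "$hardened" "$weak"
fi
```

The weak sample is deliberately the section 1.2 baseline with a few more slips added (a positive RC4 token, tickets on, insecure renegotiation on, compression only commented out), so it fails all five checks; the hardened sample passes all of them.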
4.2 Certificate Transparency and OCSP Stapling
# Enable OCSP stapling (SSLStaplingCache belongs in the server-wide context, outside any <VirtualHost>)
SSLUseStapling on
SSLStaplingCache "shmcb:/var/run/ocsp(128000)"
# OCSP responder timeout in seconds
SSLStaplingResponderTimeout 5
# Do not forward responder errors to clients; they fall back to their own revocation check
SSLStaplingReturnResponderErrors off
# Reject clients that send no SNI instead of serving them the default virtual host
SSLStrictSNIVHostCheck on
5. Performance Optimization
5.1 SSL Session Caching
# Enable the server-side SSL session cache
SSLSessionCache "shmcb:/var/cache/apache2/ssl_scache(512000)"
SSLSessionCacheTimeout 300
# Enable session tickets (TLS 1.3). Trade-off: the ticket key is only regenerated on restart (or managed via SSLSessionTicketKeyFile),
# which is why sections 3 and 4 leave tickets off where forward secrecy matters more than resumption speed
SSLSessionTickets on
5.2 HTTP/2 Support
# Enable the HTTP/2 module (mod_http2 does not work with the prefork MPM; use the event MPM)
sudo a2enmod http2
# Enable HTTP/2 in the SSL virtual host
<VirtualHost *:443>
    ServerName www.example.com
    Protocols h2 http/1.1
    # other SSL settings...
</VirtualHost>
6. Multi-Domain SSL Configuration
6.1 SAN Certificate Configuration
# One certificate whose Subject Alternative Names (or wildcard) cover every ServerAlias
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com shop.example.com blog.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
    SSLCertificateChainFile /etc/ssl/certs/wildcard.example.com.ca-bundle
    # other settings...
</VirtualHost>
6.2 SNI Virtual Hosts
# First SSL virtual host (SNI itself needs no directive; the client's server name selects the host)
<VirtualHost *:443>
    ServerName www.siteA.com
    DocumentRoot /var/www/siteA
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/siteA.com.crt
    SSLCertificateKeyFile /etc/ssl/private/siteA.com.key
    # Reject clients without SNI rather than serving them this host's certificate
    SSLStrictSNIVHostCheck on
</VirtualHost>
# Second SSL virtual host
<VirtualHost *:443>
    ServerName www.siteB.com
    DocumentRoot /var/www/siteB
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/siteB.com.crt
    SSLCertificateKeyFile /etc/ssl/private/siteB.com.key
    # Reject clients without SNI
    SSLStrictSNIVHostCheck on
</VirtualHost>
7. SSL/TLS Monitoring and Testing
7.1 SSL Configuration Test Script
#!/bin/bash
# ssl-test.sh
test_ssl() {
    local domain=${1:-localhost}
    local port=${2:-443}
    echo "=== SSL/TLS Configuration Test ==="
    echo "Testing: $domain:$port"
    echo
    # Certificate information (-servername sends SNI so the right virtual host answers)
    echo "1. Certificate Information:"
    echo | openssl s_client -connect "$domain:$port" -servername "$domain" 2>/dev/null | openssl x509 -noout -text | grep -E "(Subject:|Issuer:|Validity|Signature Algorithm)"
    echo
    echo "2. Supported Protocols:"
    for proto in ssl2 ssl3 tls1 tls1_1 tls1_2 tls1_3; do
        # A failed handshake still prints "Cipher is (NONE)", so that line is excluded;
        # a protocol the local openssl build cannot speak prints nothing at all
        result=$(echo | openssl s_client -connect "$domain:$port" -servername "$domain" "-$proto" 2>/dev/null | grep "Cipher is" | grep -v "(NONE)")
        if [ -n "$result" ]; then
            echo " ✓ $proto supported"
        else
            echo " ✗ $proto not supported (or unavailable in the local openssl build)"
        fi
    done
    echo
    # This lists what the local OpenSSL can offer, not what the server accepts
    echo "3. Cipher Suites (local OpenSSL):"
    openssl ciphers -v 'ALL:COMPLEMENTOFALL' | grep -E "(TLS_AES|ECDHE|DHE)" | head -10
    echo
    echo "4. Security Headers:"
    curl -s -I "https://$domain:$port" | grep -E "(Strict-Transport-Security|X-Frame-Options|X-Content-Type-Options)"
    echo
    echo "Test completed!"
}
test_ssl "$1" "$2"
7.2 SSL Certificate Renewal Monitoring
#!/bin/bash
# ssl-monitor.sh
monitor_certificates() {
    local cert_dir="/etc/ssl/certs"
    local days_warning=30
    echo "=== SSL Certificate Monitoring ==="
    # Check the expiry date of every certificate
    for cert in "$cert_dir"/*.crt; do
        if [ -f "$cert" ]; then
            echo "Certificate: $cert"
            expiry_date=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
            expiry_seconds=$(date -d "$expiry_date" +%s)   # GNU date
            current_seconds=$(date +%s)
            days_until_expiry=$(( (expiry_seconds - current_seconds) / 86400 ))
            echo " Expiry Date: $expiry_date"
            echo " Days until expiry: $days_until_expiry"
            # Test "already expired" first: a negative value is also below the warning threshold
            if [ "$days_until_expiry" -lt 0 ]; then
                echo " ❌ CRITICAL: Certificate has expired!"
            elif [ "$days_until_expiry" -lt "$days_warning" ]; then
                echo " ⚠️ WARNING: Certificate expires in less than $days_warning days!"
            else
                echo " ✅ Certificate is valid"
            fi
            echo
        fi
    done
}
monitor_certificates
8. Troubleshooting
8.1 Common SSL Errors
# 1. Check the configuration syntax
sudo apache2ctl configtest
# 2. Check that the SSL module is loaded
apache2ctl -M | grep ssl
# 3. Follow the SSL error log
sudo tail -f /var/log/apache2/error.log | grep ssl
# 4. Test the SSL connection (with SNI)
openssl s_client -connect example.com:443 -servername example.com
# 5. Inspect the certificate chain the server sends
openssl s_client -connect example.com:443 -servername example.com -showcerts
8.2 SSL Debug Configuration
# Enable SSL debug logging
LogLevel ssl:info
# Or, for much more detail
LogLevel ssl:trace4
# Add debugging information in the virtual host
<VirtualHost *:443>
    # ... other settings ...
    # Marker header for debugging (remove it once finished)
    Header set X-SSL-Debug "Enabled"
    # Log the negotiated protocol and cipher with every request
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x" ssl_combined
    CustomLog /var/log/apache2/ssl_debug.log ssl_combined
</VirtualHost>
Summary
After working through this article, you should be able to:
- Enable and configure the Apache SSL/TLS module
- Obtain and manage certificates (including Let's Encrypt)
- Apply modern SSL/TLS security best practices
- Configure HTTP to HTTPS redirects
- Harden SSL/TLS settings
- Tune performance and enable HTTP/2
- Configure multi-domain SSL and SNI
- Use SSL/TLS monitoring and testing tools
- Diagnose and fix common SSL errors
SSL/TLS configuration is a required skill for running a modern web server: a correct configuration protects user data and also improves search-engine ranking. The next article covers Apache's authentication and authorization mechanisms.