我有一个使用 Let's Encrypt 的 TLS 证书(使用 CertBot 安装)的 Apache 2 Web 服务器。操作系统是 Amazon Linux 2。我无法使用端口 443 访问网站。如果没有证书,它只能在端口 80 上运行。
我尝试在 httpd.conf 中添加 VirtualHost 部分,在端口 8080 上使用 Express.js 的代理,尝试 Express.js 单独监听端口 443(httpd 已停止),尝试使用和不使用 IP 绑定(IPv4 和 6),将 ssl.conf 中 VirtualHost 的默认名称更改为 *,并确保证书和密钥由 root 拥有。我浏览了至少十几个论坛,但无法让这个工作。我在这里遗漏了什么?
这是 httpd.conf(我删除了所有注释):
ServerRoot "/etc/httpd"
Listen 0.0.0.0:443
Listen [::]:443
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin [email protected]
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule mime_module>
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
<IfModule mod_http2.c>
Protocols h2 h2c http/1.1
</IfModule>
IncludeOptional conf.d/*.conf
<VirtualHost *:443>
ServerName step9productions.com
ServerAlias step9productions.com
DocumentRoot "/var/www/html"
SSLEngine on
SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCertificateFile /etc/letsencrypt/live/step9productions.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/step9productions.com/privkey.pem
</VirtualHost>
这是 ssl.conf 文件:
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
SSLCryptoDevice builtin
<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName step9productions.com:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/step9productions.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/step9productions.com/privkey.pem
SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSV1.1 +TLSv1.2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/letsencrypt/live/step9productions.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/step9productions.com/privkey.pem
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
谢谢您的帮助。
答案1
新事物:您必须在 AWS 安全组中打开端口 443。
你必须解释“不工作”是什么意思。
- 服务器没有监听?
- 显示错误的网站?
- 浏览器抱怨证书?
(我刚刚删除了一个错误的答案)
您已ServerName step9productions.com:443在 ssl.conf 和ServerName step9productions.comhttpd.conf 中列出,这会使服务器像您一样感到困惑 ;-)
我会将所有特定于站点的设置保留在 /etc/apache2/sites-available/step9.conf 文件中,然后使用以下命令启用它a2ensite step9
然后,当您让 letsencrypt 生成证书时,让它管理 step9-le-ssl 的设置。