?> 老大求解啊,还是昨天那个ssl问题 - lamp|lnmp|lnamp|一键安装包 - WDlinux官方论坛 Linux服务器架构,性能优化.免费CDN系统,智能DNS,负载均衡,集群分流等应用
无标题文档
wdCP系统 (介绍,功能特性,运行环境,安装说明,演示,常见问题,使用教程) wdCDN系统 (介绍,功能特性,运行环境,安装说明,演示,常见问题,使用手册)
wdOS系统 (介绍,功能特性,运行环境,安装说明,演示,常见问题,使用教程) wdDNS系统 (介绍,功能特性,运行环境,安装说明,演示,常见问题,使用手册)
注册 发贴 提问 回复-必看必看 wddns免费智能 DNS 开通 本地或虚拟机使 用wdcp 一键包在mysql编 译时"卡住"
【300G高防】双线 无视攻击 wdcp官方技术支持/服务 阿里云8折优惠券 无敌云 腾讯云优惠中,现注册更有260代金额券赠送
返回列表 发帖
zhxuri

Rank: 2
1# 跳转到 » 倒序看帖
打印
tT
发表于 2012-6-13 09:32 | 只看该作者
提问三步曲: 提问先看教程/FAQ索引(wdcp,wdcp_v3,一键包)及搜索,会让你更快解决问题
1 提供详细,如系统版本,wdcp版本,软件版本等及错误的详细信息,贴上论坛或截图发论坛
2 做过哪些操作或改动设置等

温馨提示:信息不详,很可能会没人理你!论坛有教程说明的,也可能没人理!因为,你懂的

[求助] 老大求解啊,还是昨天那个ssl问题

我昨天照着老大发的链接配置ssl出现了报错httpd无法启动
提示是/www/wdlinux/httpd-2.2.22/conf/extra/httpd-ssl.conf里有错误
我根据报错的位置一个一个注释下去,报错的问题就一个一个的出来
SSLPassPhraseDialog 第一次报错是提示这个
SSLSessionCache 第二次
SSLMutex 第三次
SSLEngine 的四次
第五次我崩溃了,我又来发帖求助了,ssl很有用,目前也很棘手,老大
收藏 分享

zhxuri

Rank: 2
2#
发表于 2012-6-13 09:41 | 只看该作者
这个问题是给httpd.conf下的Include conf/extra/httpd-ssl.conf去掉注释后出现的
然后问题就出在httpd-ssl.conf里了
下面是我的httpd-ssl.conf大家帮忙看看是哪里出了问题啊,我的是最新的lanmp包啊是阿里云的vps

TOP

zhxuri

Rank: 2
3#
发表于 2012-6-13 09:42 | 只看该作者

  2. #
  3. # This is the Apache server configuration file providing SSL support.
  4. # It contains the configuration directives to instruct the server how to
  5. # serve pages over an https connection. For detailing information about these
  6. # directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
  7. #
  8. # Do NOT simply read the instructions in here without understanding
  9. # what they do. They're here only as hints or reminders. If you are unsure
  10. # consult the online docs. You have been warned.
  11. #
  12. #
  13. # Pseudo Random Number Generator (PRNG):
  14. # Configure one or more sources to seed the PRNG of the SSL library.
  15. # The seed data should be of good random quality.
  16. # WARNING! On some platforms /dev/random blocks if not enough entropy
  17. # is available. This means you then cannot use the /dev/random device
  18. # because it would lead to very long connection times (as long as
  19. # it requires to make more entropy available). But usually those
  20. # platforms additionally provide a /dev/urandom device which doesn't
  21. # block. So, if available, use this one instead. Read the mod_ssl User
  22. # Manual for more details.
  23. #
  24. #SSLRandomSeed startup file:/dev/random 512
  25. #SSLRandomSeed startup file:/dev/urandom 512
  26. #SSLRandomSeed connect file:/dev/random 512
  27. #SSLRandomSeed connect file:/dev/urandom 512

  29. #
  30. # When we also provide SSL we have to listen to the
  31. # standard HTTP port (see above) and to the HTTPS port
  32. #
  33. # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
  34. # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
  35. #
  36. Listen 443
  37. ##
  38. ## SSL Global Context
  39. ##
  40. ## All SSL configuration in this context applies both to
  41. ## the main server and all SSL-enabled virtual hosts.
  42. ##
  43. #
  44. # Some MIME-types for downloading Certificates and CRLs
  45. #
  46. AddType application/x-x509-ca-cert .crt
  47. AddType application/x-pkcs7-crl .crl
  48. # Pass Phrase Dialog:
  49. # Configure the pass phrase gathering process.
  50. # The filtering dialog program (`builtin' is a internal
  51. # terminal dialog) has to provide the pass phrase on stdout.
  52. SSLPassPhraseDialog builtin
  53. # Inter-Process Session Cache:
  54. # Configure the SSL Session Cache: First the mechanism
  55. # to use and second the expiring timeout (in seconds).
  56. #SSLSessionCache "dbm:/www/wdlinux/httpd-2.2.22/logs/ssl_scache"
  57. SSLSessionCache "shmcb:/www/wdlinux/httpd-2.2.22/logs/ssl_scache(512000)"
  58. SSLSessionCacheTimeout 300
  59. # Semaphore:
  60. # Configure the path to the mutual exclusion semaphore the
  61. # SSL engine uses internally for inter-process synchronization.
  62. SSLMutex "file:/www/wdlinux/httpd-2.2.22/logs/ssl_mutex"
  63. ##
  64. ## SSL Virtual Host Context
  65. ##
复制代码

TOP

zhxuri

Rank: 2
4#
发表于 2012-6-13 09:43 | 只看该作者
  1. <VirtualHost _default_:443>

  3. # General setup for the virtual host
  4. DocumentRoot "/www/wdlinux/httpd-2.2.22/htdocs"
  5. ServerName www.example.com:443
  6. ServerAdmin fjsh@fjsh.com
  7. ErrorLog "/www/wdlinux/httpd-2.2.22/logs/error_log"
  8. TransferLog "/www/wdlinux/httpd-2.2.22/logs/access_log"

  10. # SSL Engine Switch:
  11. # Enable/Disable SSL for this virtual host.
  12. SSLEngine on

  14. # SSL Protocol support:
  15. # List the protocol versions which clients are allowed to
  16. # connect with. Disable SSLv2 by default (cf. RFC 6176).
  17. SSLProtocol all -SSLv2

  19. # SSL Cipher Suite:
  20. # List the ciphers that the client is permitted to negotiate.
  21. # See the mod_ssl documentation for a complete list.
  22. SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

  24. # Speed-optimized SSL Cipher configuration:
  25. # If speed is your main concern (on busy HTTPS servers e.g.),
  26. # you might want to force clients to specific, performance
  27. # optimized ciphers. In this case, prepend those ciphers
  28. # to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
  29. # Caveat: by giving precedence to RC4-SHA and AES128-SHA
  30. # (as in the example below), most connections will no longer
  31. # have perfect forward secrecy - if the server's key is
  32. # compromised, captures of past or future traffic must be
  33. # considered compromised, too.
  34. #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
  35. #SSLHonorCipherOrder on

  37. # Server Certificate:
  38. # Point SSLCertificateFile at a PEM encoded certificate. If
  39. # the certificate is encrypted, then you will be prompted for a
  40. # pass phrase. Note that a kill -HUP will prompt again. Keep
  41. # in mind that if you have both an RSA and a DSA certificate you
  42. # can configure both in parallel (to also allow the use of DSA
  43. # ciphers, etc.)
  44. SSLCertificateFile "/www/wdlinux/httpd-2.2.22/conf/server.crt"
  45. #SSLCertificateFile "/www/wdlinux/httpd-2.2.22/conf/server-dsa.crt"

  47. # Server Private Key:
  48. # If the key is not combined with the certificate, use this
  49. # directive to point at the key file. Keep in mind that if
  50. # you've both a RSA and a DSA private key you can configure
  51. # both in parallel (to also allow the use of DSA ciphers, etc.)
  52. SSLCertificateKeyFile "/www/wdlinux/httpd-2.2.22/conf/server.key"
  53. #SSLCertificateKeyFile "/www/wdlinux/httpd-2.2.22/conf/server-dsa.key"

  55. # Server Certificate Chain:
  56. # Point SSLCertificateChainFile at a file containing the
  57. # concatenation of PEM encoded CA certificates which form the
  58. # certificate chain for the server certificate. Alternatively
  59. # the referenced file can be the same as SSLCertificateFile
  60. # when the CA certificates are directly appended to the server
  61. # certificate for convinience.
  62. #SSLCertificateChainFile "/www/wdlinux/httpd-2.2.22/conf/server-ca.crt"

  64. # Certificate Authority (CA):
  65. # Set the CA certificate verification path where to find CA
  66. # certificates for client authentication or alternatively one
  67. # huge file containing all of them (file must be PEM encoded)
  68. # Note: Inside SSLCACertificatePath you need hash symlinks
  69. # to point to the certificate files. Use the provided
  70. # Makefile to update the hash symlinks after changes.
  71. #SSLCACertificatePath "/www/wdlinux/httpd-2.2.22/conf/ssl.crt"
  72. #SSLCACertificateFile "/www/wdlinux/httpd-2.2.22/conf/ssl.crt/ca-bundle.crt"

  74. # Certificate Revocation Lists (CRL):
  75. # Set the CA revocation path where to find CA CRLs for client
  76. # authentication or alternatively one huge file containing all
  77. # of them (file must be PEM encoded)
  78. # Note: Inside SSLCARevocationPath you need hash symlinks
  79. # to point to the certificate files. Use the provided
  80. # Makefile to update the hash symlinks after changes.
  81. #SSLCARevocationPath "/www/wdlinux/httpd-2.2.22/conf/ssl.crl"
  82. #SSLCARevocationFile "/www/wdlinux/httpd-2.2.22/conf/ssl.crl/ca-bundle.crl"

  84. # Client Authentication (Type):
  85. # Client certificate verification type and depth. Types are
  86. # none, optional, require and optional_no_ca. Depth is a
  87. # number which specifies how deeply to verify the certificate
  88. # issuer chain before deciding the certificate is not valid.
  89. #SSLVerifyClient require
  90. #SSLVerifyDepth 10

  92. # Access Control:
  93. # With SSLRequire you can do per-directory access control based
  94. # on arbitrary complex boolean expressions containing server
  95. # variable checks and other lookup directives. The syntax is a
  96. # mixture between C and Perl. See the mod_ssl documentation
  97. # for more details.
  98. #<Location />
  99. #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
  100. # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
  101. # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
  102. # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
  103. # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
  104. # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
  105. #</Location>

  107. # SSL Engine Options:
  108. # Set various options for the SSL engine.
  109. # o FakeBasicAuth:
  110. # Translate the client X.509 into a Basic Authorisation. This means that
  111. # the standard Auth/DBMAuth methods can be used for access control. The
  112. # user name is the `one line' version of the client's X.509 certificate.
  113. # Note that no password is obtained from the user. Every entry in the user
  114. # file needs this password: `xxj31ZMTZzkVA'.
  115. # o ExportCertData:
  116. # This exports two additional environment variables: SSL_CLIENT_CERT and
  117. # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
  118. # server (always existing) and the client (only existing when client
  119. # authentication is used). This can be used to import the certificates
  120. # into CGI scripts.
  121. # o StdEnvVars:
  122. # This exports the standard SSL/TLS related `SSL_*' environment variables.
  123. # Per default this exportation is switched off for performance reasons,
  124. # because the extraction step is an expensive operation and is usually
  125. # useless for serving static content. So one usually enables the
  126. # exportation for CGI and SSI requests only.
  127. # o StrictRequire:
  128. # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
  129. # under a "Satisfy any" situation, i.e. when it applies access is denied
  130. # and no other module can change it.
  131. # o OptRenegotiate:
  132. # This enables optimized SSL connection renegotiation handling when SSL
  133. # directives are used in per-directory context.
  134. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
  135. <FilesMatch "\.(cgi|shtml|phtml|php)$">
  136. SSLOptions +StdEnvVars
  137. </FilesMatch>
  138. <Directory "/www/wdlinux/httpd-2.2.22/cgi-bin">
  139. SSLOptions +StdEnvVars
  140. </Directory>

  142. # SSL Protocol Adjustments:
  143. # The safe and default but still SSL/TLS standard compliant shutdown
  144. # approach is that mod_ssl sends the close notify alert but doesn't wait for
  145. # the close notify alert from client. When you need a different shutdown
  146. # approach you can use one of the following variables:
  147. # o ssl-unclean-shutdown:
  148. # This forces an unclean shutdown when the connection is closed, i.e. no
  149. # SSL close notify alert is send or allowed to received. This violates
  150. # the SSL/TLS standard but is needed for some brain-dead browsers. Use
  151. # this when you receive I/O errors because of the standard approach where
  152. # mod_ssl sends the close notify alert.
  153. # o ssl-accurate-shutdown:
  154. # This forces an accurate shutdown when the connection is closed, i.e. a
  155. # SSL close notify alert is send and mod_ssl waits for the close notify
  156. # alert of the client. This is 100% SSL/TLS standard compliant, but in
  157. # practice often causes hanging connections with brain-dead browsers. Use
  158. # this only for browsers where you know that their SSL implementation
  159. # works correctly.
  160. # Notice: Most problems of broken clients are also related to the HTTP
  161. # keep-alive facility, so you usually additionally want to disable
  162. # keep-alive for those clients, too. Use variable "nokeepalive" for this.
  163. # Similarly, one has to force some clients to use HTTP/1.0 to workaround
  164. # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
  165. # "force-response-1.0" for this.
  166. BrowserMatch "MSIE [2-5]" \
  167. nokeepalive ssl-unclean-shutdown \
  168. downgrade-1.0 force-response-1.0

  170. # Per-Server Logging:
  171. # The home of a custom SSL log file. Use this when you want a
  172. # compact non-error SSL logfile on a virtual host basis.
  173. CustomLog "/www/wdlinux/httpd-2.2.22/logs/ssl_request_log" \
  174. "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  176. </VirtualHost>
复制代码

TOP

zhxuri

Rank: 2
5#
发表于 2012-6-13 09:45 | 只看该作者
老大昨天发的那个链接我在lamp包里测试没啥问题 但是到了我的这个lnamp就悲剧了。这个事怎么回事呢。
怎么弄都是在报错

TOP

admin

Rank: 9Rank: 9Rank: 9
6#
发表于 2012-6-13 10:01 | 只看该作者
用到lnamp后,apache成了后端的服务,前端是nginx

你在nginx里,加上对SSL的转发试试
看清提问三步曲及多看教程/FAQ索引(wdcp,v3,一键包,wdOS),益处多多.wdcp工具集 阿里云主机8折优惠码

TOP

zhxuri

Rank: 2
7#
发表于 2012-6-13 11:38 | 只看该作者
我去试试看 拿nginx做ssl看下行不行

TOP

zhxuri

Rank: 2
8#
发表于 2012-6-13 15:36 | 只看该作者
感谢老大!成功了就是nginx。lanmp里面还有个nginx我竟然忘了,好惭愧啊!
现在去申请一个免费证书玩下,哈哈哈哈哈哈

TOP

admin

Rank: 9Rank: 9Rank: 9
9#
发表于 2012-6-13 18:50 | 只看该作者
把具体的操作也说明下,方便后来人参考
看清提问三步曲及多看教程/FAQ索引(wdcp,v3,一键包,wdOS),益处多多.wdcp工具集 阿里云主机8折优惠码

TOP

374399415

Rank: 2
10#
发表于 2013-10-24 08:27 | 只看该作者
老大把lanmp ssl设置说明写一下么。。。

TOP

返回列表