Discuz! X3.2: The Complete Guide to Site-Wide HTTPS

#1 (original post), posted 2017-4-5 17:36

Discuz X3.2 supports HTTPS at the system level, but a few places have to be changed by hand. First make sure HTTPS is already enabled on the server and the SSL certificate is configured correctly.

Enabling HTTPS support in Discuz X3.2 mainly requires changes in the following places:

1. Find and modify discuz_application.php:
source/class/discuz/discuz_application.php (around line 187). Find:

$_G['isHTTPS'] = ($_SERVER['HTTPS'] && strtolower($_SERVER['HTTPS']) != 'off') ? true : false;

Change it to:

$_G['isHTTPS'] = ($_SERVER['SERVER_PORT'] == 443 || $_SERVER['HTTPS'] && strtolower($_SERVER['HTTPS']) != 'off') ? true : false;

2. Find and modify avatar.php:
uc_server/avatar.php (around line 13). Find:

define('UC_API', strtolower(($_SERVER['HTTPS'] == 'on' ? 'https' : 'http').'://'.$_SERVER['HTTP_HOST'].substr($_SERVER['PHP_SELF'], 0, strrpos($_SERVER['PHP_SELF'], '/'))));

Change it to:

define('UC_API', strtolower(($_SERVER['SERVER_PORT'] == 443 || $_SERVER['HTTPS'] == 'on' ? 'https' : 'http').'://'.$_SERVER['HTTP_HOST'].substr($_SERVER['PHP_SELF'], 0, strrpos($_SERVER['PHP_SELF'], '/'))));

3. Remove non-HTTPS content to avoid the "insecure content" warning.
source/plugin/manyou/Service/DiscuzTips.php: just delete the JS loading script at the end of the file.
If a reply (any floor other than the first post) has comments (点评), the commenters' avatars are not served over HTTPS, so one more file needs adapting: template/default/forum/viewthread_node_body.htm (around line 180). Search for div class="psta vm"> and comment out or delete the line below it.
Open the site in a browser and use the developer tools or view the page source to track down every non-HTTPS resource being loaded, then fix each one.

4. Completing the admin panel settings
There are some settings in the admin panel that can interfere with HTTPS.

Admin > Global > Site URL: change it to start with https.

Admin > Site Owner (站长) > UCenter Settings > UCenter access address: change it to start with https.

UCenter admin > App Management > the application's main URL: change it to start with https.

After these changes a "communication failed" message may be shown. If UCenter and the forum are installed on the same machine, this failure can be ignored; in testing they still communicate normally (the communication test itself is buggy). If UCenter and the forum are on different machines, communication may genuinely fail. Some settings under Admin > Global > Domain Settings can also break HTTPS: if the forum's default links are still HTTP after updating the cache, delete the default domain under Admin > Global > Domain Settings > Application Domains > Default (the entry ending in forum.php usually has a value there; delete it for HTTPS).

5. Template adjustments
Mainly in the template's foot.html, header.html and similar files: use a tool to go through the template files for hard-coded HTTP links and change them to HTTPS.

6. Database adjustments
In an interactive community like a forum, links to the main domain frequently appear in posts and replies, and before HTTPS they all start with HTTP. So the database needs updating: run the following MySQL statement to replace HTTP with HTTPS.
Go to the Discuz admin panel: Site Owner (站长) > Database > Upgrade

UPDATE pre_forum_post SET message=REPLACE(message,'http://YOURSITE','https://YOURSITE');

Note that, for security reasons, the Discuz admin panel does not allow SQL statements to be executed directly by default; only the entries under "common SQL" can be used. If you want to write your own SQL upgrade statements freely, change the $_config[admincp][runquery] setting in config/config_global.php to 1.

With that, Discuz X3.2 has HTTPS support enabled.

Of course, you still need to obtain an SSL certificate and deploy it on the server.

For deploying the SSL certificate on the server side, see my tutorial:

http://www.aitiancheng.com/article-246.html

When reposting, please keep the link to this thread: https://www.beimeilife.com/thread-46275-1-1.html. Thank you.
#2, posted 2017-4-5 18:02

Issues to resolve after enabling SSL / HTTPS site-wide on Discuz X3.*

http://www.vdazhang.com/wenzhang-1587.html/2


1. Serve every site resource over HTTPS

1) The UCenter address, the local attachment URL and the style image paths must all be reachable over HTTPS, otherwise the browser shows a warning along the lines of "this site contains insecure resources". If all of these links are relative, skip this item.

If, under "Style Management", the "base interface image directory {IMGDIR}" and "extended image directory {STYLEIMGDIR}" are set to absolute links starting with https, one bug has to be fixed first, otherwise those style images will not display.

Open source/function/cache/cache_styles.php and find these three lines:

$cssdata = !preg_match('/^http:\/\//i', $data['styleimgdir'])
$cssdata = !preg_match('/^http:\/\//i', $data['imgdir'])
$cssdata = !preg_match('/^http:\/\//i', $data['staticurl'])

Replace /^http:\/\//i with /^http/i in each of them, save and overwrite.

Note: after this change, if you ever go back to relative links, make sure the directory name does not start with "http".

2) Fix the insecure-resource warning caused by DiscuzTips.

Open source/plugin/manyou/Service/DiscuzTips.php and put // in front of echo $jsCode; to comment it out.

3) The Baidu structured-data plugin does not support HTTPS yet and makes the browser report insecure resources. Stop using that plugin for now.

4) Use the browser's developer tools to check, one by one, for any remaining http:// resources (images, JS and CSS; <a> links have no effect).

5) Clean up http:// images in user signatures and externally hosted images in posts.


2. Fixing QQ Connect login

As of December 2015, Discuz's QQ Connect still does not support HTTPS sites. The workaround: point the QQ Connect links at http://, let the QQ Connect login return to http://, and then 301 inside the site to the https:// page.

1) To avoid blocking and similar problems, it is recommended to use a separate domain: create a site for it on the forum's server and, in that site's directory, symlink the forum's directories api config data source static and the files admin.php api.php connect.php, i.e. a mirror of the forum limited to the files QQ Connect needs.

2) Open source/plugin/qqconnect/connect.class.php and, in lines 40-46, replace:

$_G['siteurl'].'

with:

'http://the-dedicated-domain-created-above/

3) Open connect.php and add at the very top:

if($_SERVER['HTTP_HOST'] != 'www.yoursite.com' || ($_SERVER['HTTP_HOST'] == 'www.yoursite.com' && $_SERVER['SERVER_PORT'] != '443')) {
	header('HTTP/1.1 301 Moved Permanently');
	header('Location: https://www.yoursite.com'.$_SERVER['REQUEST_URI']);
	exit;
}

3. Fixing the admin panel's App Center being unreachable

Building on step 2: open admin.php under the dedicated domain from step 2, log into the admin panel there, and the App Center can be entered normally.

4. Forbid cache updates under the dedicated domain from step 2 (otherwise some front-end icon URLs end up using that domain).

Open source/admincp/admincp_tools.php and find:

	showtips('tools_updatecache_tips');

	if($step == 1) {
		cpmsg("<input type=\"checkbox\" name=\"type[]\" value=\"data\" id=\"datacache\" class=\"checkbox\" checked /><label for=\"datacache\">".$lang[tools_updatecache_data]."</label><input type=\"checkbox\" name=\"type[]\" value=\"tpl\" id=\"tplcache\" class=\"checkbox\" checked /><label for=\"tplcache\">".$lang[tools_updatecache_tpl]."</label><input type=\"checkbox\" name=\"type[]\" value=\"blockclass\" id=\"blockclasscache\" class=\"checkbox\" /><label for=\"blockclasscache\">".$lang[tools_updatecache_blockclass].'</label>', 'action=tools&operation=updatecache&step=2', 'form', '', FALSE);

Replace it with (the rest of the if($step == 1) block stays as it is):

	showtips('tools_updatecache_tips');
	echo '<br>';

	if($step == 1) {
		if($_G['siteurl'] == $_G['setting'][siteurl]) {
			cpmsg("<input type=\"checkbox\" name=\"type[]\" value=\"data\" id=\"datacache\" class=\"checkbox\" checked /><label for=\"datacache\">".$lang[tools_updatecache_data]."</label><input type=\"checkbox\" name=\"type[]\" value=\"tpl\" id=\"tplcache\" class=\"checkbox\" checked /><label for=\"tplcache\">".$lang[tools_updatecache_tpl]."</label><input type=\"checkbox\" name=\"type[]\" value=\"blockclass\" id=\"blockclasscache\" class=\"checkbox\" /><label for=\"blockclasscache\">".$lang[tools_updatecache_blockclass].'</label>', 'action=tools&operation=updatecache&step=2', 'form', '', FALSE);
		} else {
			cpmsg('Please switch to the main domain before updating the cache', '', 'succeed', '', FALSE);
		}

5. Redirect http:// to https://

Open source/class/class_core.php and, after

set_exception_handler(array('core', 'handleException'));

add:

if($_SERVER['SERVER_PORT'] != '443' && $_SERVER['PHP_SELF'] != '/api/uc.php') {
	if(!preg_match("/(Zidingyi|Bot|Crawl|Spider|slurp|sohu-search|lycos|robozilla)/i", $_SERVER['HTTP_USER_AGENT'])) {
		header('HTTP/1.1 301 Moved Permanently');
		header('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
		exit;
	} elseif(preg_match("/(Baidu|Google)/i", $_SERVER['HTTP_USER_AGENT'])) {
		header('HTTP/1.1 403 Forbidden');
		exit;
	}
}

Explanation: when the request port is not 443 (i.e. not https), a client that is not a search engine is redirected to the https page; the Baidu and Google spiders (both already index https) get a 403, to avoid indexing both http and https or preferring http; other search engines are not listed and get the http page as normal (they may not index https, so http is left open to them).

"Zidingyi" in the code above can be changed to anything; an administrator using the following UA is not redirected to https, which is handy for testing the http version:
Mozilla/5.0 (compatible; Zidingyi/2015; +http://www.xxx.com)


6. Other issues


Fixing Discuz! X3.* "allowed posting domain list" domains not taking effect under non-http protocols

Bug description: after adding a domain under Admin / Global / Registration & Access Control / Access Control / Allowed posting domain list, that domain only works under the http proto … Continue reading: Fixing Discuz! X3.* "allowed posting domain list" domains not taking effect under non-http protocols



Discuz! X3.*: replacing mobile-version image links with https addresses after enabling SSL

Scenario: the admin "local attachment URL" is set to an absolute link (third-party domain, http://); once the forum is using SSL … Continue reading


Fixing frequent "contains insecure content" and "certificate name mismatch" reports in IE6/7 after enabling HTTPS

First check all non-https attachment links on the page (images, JS, CSS, etc.) and replace them all with https links. Once that is done, … Continue reading




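The hunt for hard-coded http:// resources that post #1 (steps 3 and 5) and post #2 (section 1, item 4) describe doing by hand in the browser can also be run over the files on disk, which catches templates and stylesheets that only render on rarely visited pages. The script below is an added example for this thread, not code from either post or from Discuz itself; the sample tree it builds is constructed for the demonstration, and the `grep` pattern deliberately ignores plain `<a href>` links, which are not mixed content.

```shell
#!/bin/sh
# Added example: find hard-coded http:// resource references in a Discuz template and
# source tree, i.e. the URLs that trigger "insecure content" warnings once the site is
# served over HTTPS. Only resource loads are reported (src=, CSS url(), <link href=);
# plain <a href> links are not mixed content and are ignored, as the post above notes.

# ERE for a resource attribute followed by a literal http:// URL (https:// does not match).
MIXED_RE='(src=["'"'"']|url\(["'"'"']?|<link[^>]*href=["'"'"'])http://[^"'"'"' )>]+'

# Print every hit as file:line:match. $1 is the directory to scan.
find_mixed_content() {
    grep -rnoE "$MIXED_RE" "$1"
}

# Print the number of hits, so a deploy check can fail when it is not zero.
count_mixed_content() {
    find_mixed_content "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (not real Discuz files) so the scan can be tried offline:
# three insecure loads, one https load, one {IMGDIR} placeholder and one plain link.
make_sample_tree() {
    mkdir -p "$1/template/default/common" "$1/static/css"
    cat > "$1/template/default/common/header.htm" <<'EOF'
<script src="http://cdn.example.com/js/common.js"></script>
<script src="https://cdn.example.com/js/safe.js"></script>
<link rel="stylesheet" href="http://cdn.example.com/css/style.css">
<img src="{IMGDIR}/logo.png">
<a href="http://www.example.com/thread-1-1-1.html">plain link, not mixed content</a>
EOF
    cat > "$1/static/css/style.css" <<'EOF'
body { background: url(http://cdn.example.com/img/bg.png); }
h1 { background: url("https://cdn.example.com/img/ok.png"); }
EOF
}

# Against a real install (path assumed): count_mixed_content /var/www/discuz
```

Run `find_mixed_content` on the Discuz root after the template and cache changes above; anything it reports is either a template line to rewrite or an admin setting (attachment URL, {IMGDIR}, UCenter address) that still holds an absolute http:// value. It does not see URLs stored in the database, so the post-content UPDATE in post #1 is still needed for user content.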
#3, posted 2017-4-6 11:55

How To Set Up Apache with a Free Signed SSL Certificate on a VPS

https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-with-a-free-signed-ssl-certificate-on-a-vps
Note: You may want to consider using Let's Encrypt instead of the StartSSL.com process below. Let's Encrypt is a new certificate authority that provides a free and easy way of creating SSL/TLS certificates that are trusted in most web browsers. Check out the tutorial to get started: How To Secure Apache with Let's Encrypt on Ubuntu 14.04

Prerequisites

Before we get started, here are the web tools you need for this tutorial:

  1. Google Chrome browser
  2. Apache installed on your VPS (cloud server)
  3. A domain name you own
  4. Access to an email address at that domain, either:
    1. postmaster@duable.co
    2. hostmaster@duable.co
    3. webmaster@duable.co

StartSSL.com offers completely free verified (your users won't have to see those scary red screens saying "this site isn't trusted" anymore) SSL certificates that you can use on your website. This is a great deal as most companies charge $50-$60 for similar services. The free version is a bit tricky to set up, but it's well worth it.

To get started, browse to StartSSL.com and using the toolbar on the left, navigate to StartSSL Products and then to StartSSL™ Free. Choose the link for Control Panel from the top of the page.

Make sure you are using Google Chrome

  1. Choose the Express Signup option.
  2. Enter your personal information, and click continue.
  3. You'll get an email with a verification code inside it shortly. Copy and paste that email into the form on StartSSL's page.
  4. They will review your request for a certificate and then send you an email with the new info. This process might take as long as 6 hours though, so be patient.
  5. Once the email comes, use the link provided and the new authentication code (at the bottom of the email) to continue to the next step.
  6. They will ask you to Generate a private key and you will be provided with the choice of "High" or "Medium" grade. Go ahead and choose "High".
  7. Once your key is ready, click Install.
  8. Chrome will show a popdown that says that the certificate has been successfully installed to Chrome.

This means your browser is now authenticated with your new certificate and you can log into the StartSSL authentication areas using your new certificate. Now, we need to get a properly formatted certificate set up for use on your VPS. Click on the Control panel link again, and choose the Authenticate option. Chrome will show a popup asking if you want to authenticate and will show the certificate you just installed. Go ahead and authenticate with that certificate to enter the control panel.

You will need to validate your domain name to prove that you own the domain you are setting up a certificate for. Click over to the Validations Wizard in the Control panel and set Type to Domain Name Validation. You'll be prompted to choose from an email at your domain, something like postmaster@yourdomain.com.

[Screenshot: StartSSL]

Check the email inbox for the email address you selected. You will get yet another verification email at that address, so like before, copy and paste the verification code into the StartSSL website.

Next, go to the Certificates Wizard tab and choose to create a Web Server SSL/TLS Certificate.

[Screenshot: StartSSL]

Hit continue and then enter in a secure password, leaving the other settings as is.

You will be shown a textbox that contains your private key. Copy and paste the contents into a text editor and save the data into a file called ssl.key.

[Screenshot: Private Key]

When you click continue, you will be asked which domain you want to create the certificate for:

[Screenshot: Choose Domain]

Choose your domain and proceed to the next step.

You will be asked what subdomain you want to create a certificate for. In most cases, you want to choose www here, but if you'd like to use a different subdomain with SSL, then enter that here instead:

[Screenshot: Add Subdomain]

StartSSL will provide you with your new certificate in a text box, much as it did for the private key:

[Screenshot: Save Certificate]

Again, copy and paste into a text editor, this time saving it as ssl.crt.

You will also need the StartCom Root CA and StartSSL's Class 1 Intermediate Server CA in order to authenticate your website though, so for the final step, go over to the Toolbox pane and choose StartCom CA Certificates:

[Screenshot: StartCom CA Certs]

At this screen, right click and Save As two files:

  • StartCom Root CA (PEM Encoded) (save to ca.pem)
  • Class 1 Intermediate Server CA (save to sub.class1.server.ca.pem)

For security reasons, StartSSL encrypts your private key (the ssl.key file), but your web server needs the unencrypted version of it to handle your site's encryption. To decrypt it, copy it onto your server, and use the following command to decrypt it into the file private.key:

openssl rsa -in ssl.key -out private.key

OpenSSL will ask you for your password, so enter it in the password you typed in on StartSSL's website.

At this point you should have five files. If you're missing any, double-check the previous steps and re-download them:

  • ca.pem - StartSSL's Root certificate
  • private.key - The unencrypted version of your private key (be very careful no one else has access to this file!)
  • sub.class1.server.ca.pem - The intermediate certificate for StartSSL
  • ssl.key - The encrypted version of your private key (does not need to be copied to server)
  • ssl.crt - Your new certificate

You can discard the ssl.key file. If you haven't already copied the others onto your server you upload them there now:

scp {ca.pem,private.key,sub.class1.server.ca.pem,ssl.crt} YOURSERVER:~

Activating the certificate in Apache

Having a certificate isn't any good if you can't actually use it. This section explains how to configure Apache to use your new SSL certificate. These instructions are for Apache running on recent versions of Ubuntu VPS. For other Linux-based distros or web servers, you'll have to adjust accordingly.

First, create the folders where we'll store the keys. Enable Apache's SSL module, and restart Apache.

sudo a2enmod ssl
sudo service apache2 restart
sudo mkdir -p /etc/apache2/ssl

Copy the files you set up in the previous section into the /etc/apache2/ssl folder on your VPS.

sudo cp ~/{ca.pem,private.key,sub.class1.server.ca.pem,ssl.crt} /etc/apache2/ssl

Execute:

ls /etc/apache2/ssl

And it should return:

ca.pem
ssl.crt
private.key
sub.class1.server.ca.pem

Now, open your apache2 configuration file. Unless you've already modified the default configuration, input:

nano /etc/apache2/sites-enabled/000-default

It should look something like this:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

Copy the entire script above (from <VirtualHost *:80> to </VirtualHost>), paste it below the existing one, and change the top line from:

<VirtualHost *:80>

to

<VirtualHost *:443>

And add the following lines after the <VirtualHost *:443> line:

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

SSLCertificateFile /etc/apache2/ssl/ssl.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem

The end result should look like this:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

    SSLCertificateFile /etc/apache2/ssl/ssl.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private.key
    SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

Save your files and restart Apache with:

sudo service apache2 restart

You can check Apache's log files to see if there are any show stopping errors with this command:

cat /var/log/apache2/error.log

If everything looks good, try accessing your site in your web browser using an HTTPS URL (e.g. https://www.YOURSITE.com). When your site loads, you should see a little green padlock icon next to the URL. Click on it and you should see the following. The connections tab should show that the site's identity has been verified by StartCom.

Congratulations! You are all set!

Reference Links:

Here are some of the other posts I consulted when putting this together. If you run into any problems they might be a source of inspiration on how to fix them:
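Before the restart it is worth checking, on the server, that private.key really belongs to ssl.crt and that nobody but its owner can read it: a mismatched pair only shows up as an Apache startup failure, and a world-readable private key undoes the point of the certificate. The checks below are an added example for this thread, not part of the tutorial quoted above. They assume the openssl CLI is installed and use the file paths from the tutorial; make_test_material builds a throwaway self-signed key and certificate (constructed for the demonstration, not issued by StartSSL) so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example: sanity checks to run before pointing Apache at the certificate files,
# so a key/certificate mismatch or an exposed private key is caught before the restart.
# Requires the openssl CLI (assumption). Paths follow the tutorial above.

# Exit 0 if the private key's public half is identical to the certificate's public key.
key_matches_cert() {
    key="$1"; crt="$2"
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Exit 0 if the private key is readable only by its owner (mode 600 or 400).
# GNU stat first, BSD/macOS stat as the fallback.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Exit 0 if the certificate will still be valid in N days (argument 2).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run all three checks against the tutorial's paths; print what failed.
check_apache_ssl_files() {
    dir="${1:-/etc/apache2/ssl}"
    rc=0
    key_matches_cert "$dir/private.key" "$dir/ssl.crt" || { echo "key does not match ssl.crt"; rc=1; }
    key_perms_ok "$dir/private.key" || { echo "private.key is readable by others"; rc=1; }
    cert_valid_for_days "$dir/ssl.crt" 30 || { echo "ssl.crt expires within 30 days"; rc=1; }
    return $rc
}

# Constructed fixture: a throwaway 30-day self-signed certificate plus an unrelated
# key with loose permissions, used only to exercise the checks offline.
make_test_material() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/private.key" \
        -out "$dir/ssl.crt" -days 30 -subj "/CN=www.example.com" >/dev/null 2>&1
    openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1
    chmod 600 "$dir/private.key"
    chmod 644 "$dir/other.key"
}
```

Run `check_apache_ssl_files` (it defaults to /etc/apache2/ssl) right after the `sudo cp` step and before `sudo service apache2 restart`; the decrypted private.key copied with `cp` inherits the umask, so `chmod 600` it if the permission check fails. One caveat on the directives quoted above: `SSLProtocol all -SSLv2` still leaves SSLv3 and TLS 1.0 enabled and the cipher list still admits RC4, which no current browser needs; today's equivalent is `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` with RC4 removed from `SSLCipherSuite`.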

#4, posted 2017-4-6 12:02

How To Secure Apache with Let's Encrypt on Ubuntu 14.04
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

Introduction

This tutorial will show you how to set up a TLS/SSL certificate from https://letsencrypt.org/ on an Ubuntu 14.04 server running Apache as a web server. We will also cover how to automate the certificate renewal process using a cron job.

SSL certificates are used within web servers to encrypt the traffic between the server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.

Prerequisites

In order to complete this guide, you will need:

  • An Ubuntu 14.04 server with a non-root sudo user, which you can set up by following our initial server setup guide: https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-14-04
  • The Apache web server installed, with virtual hosts properly configured: https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-14-04-lts

When you are ready to move on, log into your server using your sudo account.

Step 1 — Download the Let’s Encrypt Client

First, we will download the certbot-auto Let’s Encrypt client from the EFF download site. The client will automatically pull down available updates as necessary after installation.

We can download the certbot-auto Let’s Encrypt client to the /usr/local/sbin directory by typing:

cd /usr/local/sbin
sudo wget https://dl.eff.org/certbot-auto

You should now have a copy of certbot-auto in the /usr/local/sbin directory.

Make the script executable by typing:

sudo chmod a+x /usr/local/sbin/certbot-auto

The certbot-auto client should now be ready to use.


Step 2 — Set Up the SSL Certificate

Generating the SSL Certificate for Apache using the certbot-auto Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.

To execute the interactive installation and obtain a certificate that covers only a single domain, run the certbot-auto command with:

certbot-auto --apache -d example.com

If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate, and for that reason we recommend that you pass the bare top-level domain name as first in the list, followed by any additional subdomains or aliases:

certbot-auto --apache -d example.com -d www.example.com

For this example, the base domain will be example.com.

After the dependencies are installed, you will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both http and https access or force all requests to redirect to https.

When the installation is finished, you should be able to find the generated certificate files at /etc/letsencrypt/live. You can verify the status of your SSL certificate with the following link (don’t forget to replace example.com with your base domain):

https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest

You should now be able to access your website using a https prefix.


Step 3 — Set Up Auto Renewal

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The certbot-auto Let's Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.

To trigger the renewal process for all installed domains, you should run:

certbot-auto renew

Because we recently installed the certificate, the command will only check for the expiration date and print a message informing that the certificate is not due to renewal yet. The output should look similar to this:

Checking for new version...
Requesting root privileges to run letsencrypt...
   /home/sammy/.local/share/letsencrypt/bin/letsencrypt renew
Processing /etc/letsencrypt/renewal/example.com.conf
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.

Notice that if you created a bundled certificate with multiple domains, only the base domain name will be shown in the output, but the renewal should be valid for all domains included in this certificate.

A practical way to ensure your certificates won’t get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day, for instance.

Let's edit the crontab to create a new job that will run the renewal command every week. To edit the crontab for the root user, run:

sudo crontab -e

Include the following content, all in one line:

30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log

Save and exit. This creates a new cron job that executes the certbot-auto renew command every Monday at 2:30 am. The output produced by the command is appended to a log file at /var/log/le-renew.log.

For more information on how to create and schedule cron jobs, you can check our https://www.digitalocean.com/community/tutorials/how-to-use-cron-to-automate-tasks-on-a-vps guide.

#5, posted 2017-4-6 12:06

How To Use Cron To Automate Tasks On a VPS
https://www.digitalocean.com/community/tutorials/how-to-use-cron-to-automate-tasks-on-a-vps

Introduction

One of the most standard ways to run tasks in the background on Linux machines is with cron jobs. They’re useful for scheduling tasks on the VPS and automating different maintenance-related jobs. “Cron” itself is a daemon (or program) that runs in the background. The schedule for the different jobs that are run is in a configuration file called “crontab.”

Installation

Almost all distros have a form of cron installed by default. However, if you’re using a system that doesn’t have it installed, you can install it with the following commands:

For Ubuntu/Debian:

sudo apt-get update
sudo apt-get install cron

For Cent OS/Red Hat Linux:

sudo yum update
sudo yum install vixie-cron crontabs

You’ll need to make sure it runs in the background too:

sudo /sbin/chkconfig crond on
sudo /sbin/service crond start

Syntax

Here is an example task we want to have run:

5 * * * * curl http://www.google.com

The syntax for the different jobs we’re going to place in the crontab might look intimidating. It’s actually a very succinct and easy-to-parse if you know how to read it. Every command is broken down into:

  • Schedule
  • Command

The command can be virtually any command you would normally run on the command line. The schedule component of the syntax is broken down into 5 different options for scheduling in the following order:

  • minute
  • hour
  • day of the month
  • month
  • day of the week

Examples

Here is a list of examples for some common schedules you might encounter while configuring cron.

To run a command every minute:

* * * * *

To run a command every 12th minute on the hour:

12 * * * *

You can also use different options for each placeholder. To run a command every 15 minutes:

0,15,30,45 * * * *

To run a command every day at 4:00am, you’d use:

0 4 * * *

To run a command every Tuesday at 4:00am, you’d use:

0 4 * * 2

You can use division in your schedule. Instead of listing out 0,15,30,45, you could also use the following:

*/4 2-6 * * *

Notice the “2-6” range. This syntax will run the command between the hours of 2:00am and 6:00am.

The scheduling syntax is incredibly powerful and flexible. You can express just about every possible time imaginable.

Configuration

Once you’ve settled on a schedule and you know the job you want to run, you’ll have to have a place to put it so your daemon will be able to read it. There are a few different places, but the most common is the user’s crontab. If you’ll recall, this is a file that holds the schedule of jobs cron will run. The files for each user are located at /var/spool/cron/crontab, but they are not supposed to be edited directly. Instead, it's best to use the crontab command.

You can edit your crontab with the following command:

crontab -e

This will bring up a text editor where you can input your schedule with each job on a new line.

If you’d like to view your crontab, but not edit it, you can use the following command:

crontab -l

You can erase your crontab with the following command:

crontab -r

If you’re a privileged user, you can edit another user’s crontab by specifying crontab -u <user> -e


Output

For every cron job that gets executed, the user’s email address that’s associated with that user will get emailed the output unless it is directed into a log file or into /dev/null. The email address can be manually specified if you provide a “MAILTO” setting at the top of the crontab. You can also specify the shell you’d like run, the path where to search for the cron binary and the home directory with the following example:

First, let’s edit the crontab:

crontab -e

Then, we’ll edit it like so:

SHELL=/bin/bash
HOME=/
MAILTO="example@digitalocean.com"
#This is a comment
* * * * * echo 'Run this command every minute'

This particular job will output "Run this command every minute." That output will get emailed every minute to the "example@digitalocean.com" email address I specified. Obviously, that might not be an ideal situation. As mentioned, we can also pipe the output into a log file or into an empty location to prevent getting an email with the output.

To append to a log file, it’s as simple as:

* * * * * echo 'Run this command every minute' >> file.log

Note: ">>" appends to a file.

If you want to pipe into an empty location, use /dev/null. Here is a PHP script that gets executed and runs in the background.

* * * * * /usr/bin/php /var/www/domain.com/backup.php > /dev/null 2>&1
Restricting Access

Restricting access to cron is easy with the /etc/cron.allow and /etc/cron.deny files. In order to allow or deny a user, you just need to place their username in one of these files, depending on the access required. By default, most cron daemons will assume all users have access to cron unless one of these files exists. To deny access to all users and give access to the user tdurden, you would use the following command sequence:

echo ALL >>/etc/cron.deny
echo tdurden >>/etc/cron.allow

First, we lock out all users by appending "ALL" to the deny file. Then, by appending the username to the allow file, we give the user access to execute cron jobs.


Special Syntax

There are several shorthand commands you can use in your crontab file to make administering a little easier. They are essentially shortcuts for the equivalent numeric schedule specified:

  • @hourly - Shorthand for 0 * * * *
  • @daily - Shorthand for 0 0 * * *
  • @weekly - Shorthand for 0 0 * * 0
  • @monthly - Shorthand for 0 0 1 * *
  • @yearly - Shorthand for 0 0 1 1 *

and @reboot, which runs the command once at startup.

Note: Not all cron daemons can parse this syntax (particularly older versions), so double-check it works before you rely on it.

To have a job that runs on start up, you would edit your crontab file (crontab -e) and place a line in the file similar to the following:

@reboot echo "System start up"

This particular command would get executed and then emailed out to the user specified in the crontab.
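A matcher for the five-field schedule syntax described in the post above, added here as an example (it is not code from the thread or from the DigitalOcean tutorial): it expands ranges, lists, */step and the @shorthands, rejects out-of-range fields such as a minute of 60, and follows Vixie cron's rule that when both day fields are restricted either one matching is enough, so a line like the certificate-renewal job in post 4# can be checked before it is installed.

```python
from datetime import datetime, timedelta

# Field order and allowed ranges as listed in the post; day_of_week 7 is folded onto 0 (Sunday).
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("day_of_month", 1, 31),
          ("month", 1, 12), ("day_of_week", 0, 7)]

# Shorthands from the "Special Syntax" section (@reboot is not a time, so it is rejected).
SHORTHAND = {"@hourly": "0 * * * *", "@daily": "0 0 * * *", "@weekly": "0 0 * * 0",
             "@monthly": "0 0 1 * *", "@yearly": "0 0 1 1 *"}

def expand_field(spec, lo, hi):
    """Expand one field ('*', '5', '2-6', '0,15,30,45', '*/4', '1-5/2') into a set of ints."""
    values = set()
    for part in spec.split(","):
        rng, _, step_str = part.partition("/")
        step = int(step_str) if step_str else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-", 1))
        else:
            start = int(rng)
            end = hi if step_str else start  # Vixie cron reads "N/step" as N..max
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"{spec!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values

def parse_schedule(line):
    """Parse a schedule (5 fields or an @shorthand) into per-field value sets."""
    parts = SHORTHAND.get(line.strip(), line).split()
    if len(parts) != 5:
        raise ValueError("expected 5 fields: minute hour day-of-month month day-of-week")
    sched = {name: expand_field(spec, lo, hi) for spec, (name, lo, hi) in zip(parts, FIELDS)}
    if 7 in sched["day_of_week"]:
        sched["day_of_week"].add(0)
    # Vixie cron rule: when both day fields are restricted, matching either one is enough.
    sched["either_day"] = parts[2] != "*" and parts[4] != "*"
    return sched

def matches(sched, when):
    """True if the parsed schedule fires in the minute containing `when`."""
    dow_ok = when.isoweekday() % 7 in sched["day_of_week"]  # Monday=1 ... Sunday=0
    dom_ok = when.day in sched["day_of_month"]
    day_ok = (dom_ok or dow_ok) if sched["either_day"] else (dom_ok and dow_ok)
    return (when.minute in sched["minute"] and when.hour in sched["hour"]
            and when.month in sched["month"] and day_ok)

def fires_at(line, iso_time):  # does `line` fire at an ISO timestamp such as '2017-04-04T04:00'?
    return matches(parse_schedule(line), datetime.fromisoformat(iso_time))

def next_run(line, start_iso, horizon_days=366):
    """ISO timestamp of the first minute at or after `start_iso` when `line` fires (None if never)."""
    sched = parse_schedule(line)
    t = datetime.fromisoformat(start_iso).replace(second=0, microsecond=0)
    for _ in range(horizon_days * 24 * 60):
        if matches(sched, t):
            return t.isoformat(timespec="minutes")
        t += timedelta(minutes=1)
    return None
```

For example, next_run("30 2 * * 1", "2017-04-06T12:06") returns "2017-04-10T02:30", the Monday 02:30 slot the renewal job above was written for.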

6#
发表于 2017-4-6 12:10 | 只看该作者
https://debian-administration.org/article/349/Setting_up_an_SSL_server_with_Apache2

Setting up an SSL server with Apache2

With the introduction of the Apache2 packages in Debian it is much simpler to create and use a secure SSL protected webserver than in the old days http://www.debian-administration.org/articles/31, here we'll show how it is done.
If you have Apache 2.x installed already then you're good to go as you don't need anything extra installed.
If you haven't got it installed then you can do so easily:
earth:~# apt-get install apache2
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
  apache2-common apache2-mpm-worker apache2-utils openssl ssl-cert
Suggested packages:
  apache2-doc ca-certificates
The following NEW packages will be installed:
  apache2 apache2-common apache2-mpm-worker apache2-utils openssl ssl-cert
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 2040kB of archives.
After unpacking 6218kB of additional disk space will be used.
Do you want to continue? [Y/n]
Once the server is installed you need to do three things to get a working SSL setup:
  • Generate, or import, a certificate.
  • Enable Apache's SSL support.
  • Configure your SSL options.
Generating A Certificate
Generating a certificate from scratch will give you something which will be used to protect the traffic exchanged between clients and your server; however, it will be signed by an untrusted certificate authority, so it will generate warnings.
Importing a paid and "trusted" certificate will avoid this problem, but that is beyond the scope of this simple introduction.
Generating an SSL certificate for Apache2 may be accomplished using the apache2-ssl-certificate script. This will ask you questions interactively then generate the certificate file appropriately.
Here's a sample session:
earth:~# apache2-ssl-certificate
creating selfsigned certificate
replace it with one signed by a certification authority (CA)
enter your ServerName at the Common Name prompt
If you want your certificate to expire after x days call this programm
with -days x
Generating a 1024 bit RSA private key
............++++++
..........................++++++
writing new private key to '/etc/apache2/ssl/apache.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Some-State]:Scotland
Locality Name (eg, city) []:Edinburgh
Organization Name (eg, company; recommended) []:Steve Kemp
Organizational Unit Name (eg, section) []:
server name (eg. ssl.domain.tld; required!!!) []:earth
Email Address []: earth-admin@steve.org.uk
Enabling SSL Support
To use the SSL facilities of Apache2 you must enable the module mod_ssl, this can be achieved using the helper tool a2enmod (We've previously http://www.debian-administration.org/articles/207.)
As root run:
earth:~# a2enmod ssl
Module ssl installed; run /etc/init.d/apache2 force-reload to enable.
Once this is done you'll have Apache setup to accept SSL connections, but the server will still only be listening for incoming HTTP requests on port 80 - and not SSL connections on port 443. To fix this you must add a line to the file /etc/apache2/ports.conf:
Listen 443
With these two steps out of the way you now have an Apache setup which will listen for and accept SSL connections. The next step is to modify your virtualhosts to use it.
Configuring your SSL Hosts
With a certificate setup, and the server updated to load and listen for incoming SSL connections you're almost finished. The final step is to ensure that your virtual hosts, or main host, will accept SSL options.
I use virtual hosts upon my machine and this just means adding a couple of options to each one I wish to use SSL:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
For reference here is a complete example which should be easy to modify/understand:
NameVirtualHost *:443
NameVirtualHost *:80

<VirtualHost *:80>
        ServerName earth.my.flat
        DocumentRoot /var/www/
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined
</VirtualHost>

<VirtualHost *:443>
        ServerName earth.my.flat
        DocumentRoot /var/www/
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
7#
发表于 2017-4-6 12:12 | 只看该作者
Redirect HTTP to HTTPS automatically
https://ca.godaddy.com/help/redirect-http-to-https-automatically-8828
If you have a secure certificate (SSL) on your website, you can automatically redirect visitors to the secured (HTTPS) version of your website to make sure their information is protected.
How you redirect traffic depends on https://ca.godaddy.com/help/what-type-of-hosting-account-do-i-have-6971.
Linux & cPanel
Linux-based accounts use .htaccess files to handle redirection.
If you need to create a .htaccess file, you can use your control panel's file manager (https://ca.godaddy.com/help/managing-your-hosting-accounts-files-12426 / https://ca.godaddy.com/help/create-files-16278).
Using the following code in your .htaccess file automatically redirects visitors to the HTTPS version of your site:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
If you have an existing .htaccess file:
  • Do not duplicate RewriteEngine On.
  • Make sure the lines beginning RewriteCond and RewriteRule immediately follow the already-existing RewriteEngine On.
Windows & Plesk
Windows-based accounts use web.config files to handle redirection.
If you need to create a web.config file, you can use your control panel's file manager (https://ca.godaddy.com/help/managing-your-hosting-accounts-files-12426 / https://ca.godaddy.com/help/create-files-16279).
Using the following code in your web.config file automatically redirects visitors to the HTTPS version of your site:
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
If you have an existing web.config file:
  • Ensure you have sections (i.e. opening and closing tags) for:
    • system.webServer (which contains rewrite)
    • rewrite (which contains rules)
    • rules (which contains one or more rule sections)
    Insert any of those sections that do not exist.
  • Insert the entire rule section, including match, conditions, and action, inside the rules section.
    You're inserting the rule (without an 's') inside the rules (with an 's') section.
8#
发表于 2017-4-6 14:51 | 只看该作者
DISCUZ x3.2: after enabling a forced 301 redirect to HTTPS, the portal columns fall into a 302 redirect loop

Tested it myself and figured out:

1: Global --- Domain Settings --- Application Domains --- clear all

2: Global --- Domain Settings --- Root Domain Settings --- Channel --- leave blank

See also:

DISCUZ x3.2: after enabling a forced 301 redirect to HTTPS, the portal columns fall into a 302 redirect loop
http://bbs.zhanzhang.baidu.com/thread-166634-1-1.html

This method does not fully resolve the problem; the correct solution is:

Port the approach from the latest Discuz X3.3 onto 3.2 and the problem is solved.
Open
source/function/cache/cache_portalcategory.php
Find

$portaldomain = 'http://'.$domain['app']['portal'].$_G['siteroot'];

Replace with

$portaldomain = $_G['scheme'].'://'.$domain['app']['portal'].$_G['siteroot'];

Find

$portaldomain = 'http://'.$domain['app']['default'].$_G['siteroot'];

Replace with

$portaldomain = $_G['scheme'].'://'.$domain['app']['default'].$_G['siteroot'];

Find

$url = 'http://'.$data[$topid]['domain'].'.'.$channelrootdomain.'/';

Replace with

$url = $_G['scheme'].'://'.$data[$topid]['domain'].'.'.$channelrootdomain.'/';

A special workaround for the original poster's step 2:
Open
source/admincp/admincp_domain.php
Delete or comment out this block of code:

   if(!empty($domain) && in_array($domain, $_G['setting']['domain']['app'])) {
       cpmsg('setting_domain_repeat_error', '', 'error');
   }

This change removes the "duplicate domain in configuration" check.
Then, in the admin panel -- Global -- Domain Settings,
set the homepage and the default to the same domain.
This method only applies when the portal is the homepage; it removes portal.php, including the portal.php in the navigation bar.

\template\<template folder>\portal\

list_xxxx.htm (this holds the homepage link on the channel article list page)
view_xxxxx.htm (this holds the homepage link in the breadcrumb on the article page)

Wherever a link is output with <a href= , change

{lang portal}

to

./

and that is it.

Update the cache in the admin panel and the problem is solved!
9#
发表于 2017-4-14 20:41 | 只看该作者
Solution:
<IfModule mod_headers.c>
  Header set X-XSS-Protection "1; mode=block"
</IfModule>

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

<IfModule mod_headers.c>
  Header set X-XSS-Protection "0"
</IfModule>

It shows up when blog article recommendations are displayed; Chrome -- X-XSS-Protection
10#
发表于 2017-4-14 20:43 | 只看该作者
This page isn’t working

Chrome detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers, and credit cards).
Try visiting the site's homepage.
ERR_BLOCKED_BY_XSS_AUDITOR
