I didn't want to switch to HTTPS at all, because it is unnecessary for a blog and adds latency. Recently, however, access to the site seems to be interfered with by the wall, and judging by the symptoms it looks like keyword filtering.
Since HTTPS encrypts the traffic and so resists this kind of interference, I decided to add HTTPS support to my blog.
The whole process is quite simple. I use a free certificate from Let's Encrypt, following Jerry Qu's article "Let's Encrypt, a free and easy-to-use HTTPS certificate".
He uses acme-tiny, an open-source script, for automated certificate management, which is very convenient. However, his later steps use Nginx as the example, while I recently moved the system from CentOS 6 to Ubuntu 14.04 LTS and the server software from Nginx to Apache (the XAMPP bundle).
So here I record my configuration for Apache.
1 Create the account private key
First, create a directory to store all the key files.
I logged in as root, so I created an ssl folder in the home directory, ~/ssl, that is, /root/ssl.
Then create the account key, named account.key, with the following command:
openssl genrsa 4096 > account.key
This key identifies your account to Let's Encrypt and is used to authenticate to its service.
2 Create the CSR file
The following steps prepare for generating the SSL certificate.
First, generate the domain key with the following command.
openssl genrsa 4096 > domain.key
Then generate the CSR. Here the domain names that need SSL are filled in; for my site I added both the bare domain and the www domain.
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:fanzheng.org,DNS:www.fanzheng.org")) > domain.csr
3 Domain name verification
Before Let's Encrypt issues the certificate, it verifies that we control the website. Specifically, it requests files under the site's /.well-known/acme-challenge/ directory to see whether the files it asks for are there.
So we just need to create that folder under the website's document root (for XAMPP this is /opt/lampp/htdocs/.well-known/acme-challenge/, the path used in the commands below).
4 Create the certificate
First, download the acme-tiny automated certificate management script.
wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
Next, run it with the account key, the CSR (generated from the domain key above), and the directory used for verifying ownership of the website.
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /opt/lampp/htdocs/.well-known/acme-challenge/ > ./signed.crt
Finally, merge the intermediate certificate and the site certificate into one chain:
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
The final certificate we will use is chained.pem.
5 Enable Apache SSL support
Find the httpd-ssl.conf file and change SSLCertificateFile and SSLCertificateKeyFile; nothing else needs to change.
Specifically, set SSLCertificateFile "/root/ssl/chained.pem" and SSLCertificateKeyFile "/root/ssl/domain.key".
6 Configure automatic certificate renewal
Since a Let's Encrypt certificate is valid for only 90 days, it has to be renewed regularly. The following script is just the commands above combined with a restart of XAMPP; run it every 90 days, or schedule it with crontab.
#!/bin/sh
cd /root/ssl/
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /opt/lampp/htdocs/.well-known/acme-challenge/ > ./signed.crt || exit
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
/opt/lampp/xampp restart
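A more careful version of the renewal script above, as an added example (not the post's own script): it only renews when chained.pem is missing or expires within 30 days, and it refuses to install a certificate whose RSA modulus does not match domain.key, so a failed run never leaves Apache serving a broken chain. The paths are the post's; RENEW_DAYS, RENEW_NOW and the *.new temporary files are my assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script. Paths follow the post's layout
# (/root/ssl, XAMPP under /opt/lampp); RENEW_DAYS and the *.new files are assumptions.
SSL_DIR="${SSL_DIR:-/root/ssl}"
ACME_DIR="${ACME_DIR:-/opt/lampp/htdocs/.well-known/acme-challenge/}"
INTERMEDIATE_URL="https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"
RENEW_DAYS="${RENEW_DAYS:-30}"

# Exit status 0 when the certificate is missing or expires within RENEW_DAYS days.
needs_renewal() {
    [ -f "$1" ] || return 0
    # -checkend exits non-zero if the certificate will have expired N seconds from now.
    openssl x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "$1" >/dev/null 2>&1 && return 1
    return 0
}

# Exit status 0 only when the RSA modulus in the key equals the one in the certificate,
# i.e. the certificate was really issued for this domain.key.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

renew() {
    cd "$SSL_DIR" || return 1
    if ! needs_renewal chained.pem; then
        echo "chained.pem is valid for more than $RENEW_DAYS days, nothing to do"
        return 0
    fi
    # Write to *.new first so a failed run never overwrites the chain Apache is serving.
    python acme_tiny.py --account-key ./account.key --csr ./domain.csr \
        --acme-dir "$ACME_DIR" > signed.crt.new || return 1
    wget -q -O intermediate.pem.new "$INTERMEDIATE_URL" || return 1
    if ! key_matches_cert domain.key signed.crt.new; then
        echo "signed.crt.new does not match domain.key, not installing it" >&2
        return 1
    fi
    cat signed.crt.new intermediate.pem.new > chained.pem.new || return 1
    mv signed.crt.new signed.crt && mv intermediate.pem.new intermediate.pem \
        && mv chained.pem.new chained.pem || return 1
    /opt/lampp/xampp restart
}

# Run the renewal only when explicitly asked, e.g. from crontab: RENEW_NOW=1 sh renew.sh
if [ "${RENEW_NOW:-0}" = "1" ]; then
    renew
fi
```

Because the script is a no-op while the certificate still has more than RENEW_DAYS days left, it can safely run from crontab every day instead of once every 90 days.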
7 Set up site redirection
The last step is to redirect the original http traffic to https. Create a .htaccess file in the document root of the website and write the redirect rules in it.
For my site it is:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://fanzheng.org/$1 [L,R=301]
RewriteCond %{HTTP_HOST} ^www\.fanzheng\.org$ [NC]
RewriteRule ^(.*)$ https://fanzheng.org/$1 [L,R=301]
This means that all requests on port 80 are redirected to the https bare domain, and all requests to the www domain are also redirected to the https bare domain.