Configure httpd
mkdir /etc/ssl/private
chmod 700 /etc/ssl/private
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
cat /etc/ssl/certs/dhparam.pem | sudo tee -a /etc/ssl/certs/apache-selfsigned.crt
vi /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
. . .
DocumentRoot "/var/www/your_dir"
ServerName www.example.com:443
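#Next, configure Flask. Under Apache, Flask has to be served through WSGI; the official docs have an HTTP example: http://flask.pocoo.org/docs/0.12/deploying/mod_wsgi/
#In practice all of this only needs to go into /etc/httpd/conf.d/ssl.conf; add the following after the lines from the previous step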
WSGIDaemonProcess your_web_group user=apache group=apache threads=2
WSGIScriptAlias / /var/www/your_dir/your_web.wsgi
<Directory /var/www/your_dir>
WSGIProcessGroup your_web_group
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>
Comment out two lines:
# SSLProtocol all -SSLv2
. . .
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
Change two settings:
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
Force HTTP requests over to HTTPS
vi /etc/httpd/conf.d/non-ssl.conf
<VirtualHost *:80>
ServerName www.example.com
Redirect "/" "https://www.example.com/"
</VirtualHost>
Check the configuration, restart the service, and set up the firewall
apachectl configtest
systemctl restart httpd.service
iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Browse to the IP; if nothing goes wrong, you are done. Watch out for firewall and SELinux problems.
Disable SELinux
vim /etc/selinux/config
Set it to disabled
reboot
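
A check for the certificate and key files created in the first steps, added here as an example and not part of the original post: it confirms the .crt holds exactly one certificate and one DH PARAMETERS block (the tee -a step appends again each time it is rerun), that no private key ended up in the .crt, and that the key directory and key file are not open to other users. The function names are hypothetical, the fixture is constructed, and GNU stat is assumed.

```bash
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes GNU stat (stat -c), as shipped on CentOS.

# Count PEM blocks of one type ("CERTIFICATE", "DH PARAMETERS") in a file.
pem_count() {
    grep -c -- "^-----BEGIN $2-----\$" "$1" || true
}

# Print one line per problem with the bundle and key; return the number found.
audit_tls_files() {
    crt=$1; key=$2; findings=0
    if [ ! -r "$crt" ] || [ ! -r "$key" ]; then echo "FINDING: cannot read $crt or $key"; return 1; fi
    n=$(pem_count "$crt" "CERTIFICATE")
    if [ "$n" -ne 1 ]; then
        echo "FINDING: $crt holds $n certificates, expected 1"; findings=$((findings + 1))
    fi
    # "tee -a" appends on every run, so repeating that step duplicates this block.
    n=$(pem_count "$crt" "DH PARAMETERS")
    if [ "$n" -ne 1 ]; then
        echo "FINDING: $crt holds $n DH PARAMETERS blocks, expected 1"; findings=$((findings + 1))
    fi
    # The .crt sits outside the 700 directory, so no key may end up in it.
    if grep -q -- "PRIVATE KEY-----" "$crt"; then
        echo "FINDING: private key material inside $crt"; findings=$((findings + 1))
    fi
    if [ "$(stat -c '%a' "$(dirname "$key")")" != "700" ]; then
        echo "FINDING: key directory is not mode 700"; findings=$((findings + 1))
    fi
    case "$(stat -c '%a' "$key")" in
        ?00) ;;
        *) echo "FINDING: $key is accessible to group or other"; findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed fixture: PEM framing with placeholder bodies, no real key material.
make_fixture() {
    fx=$(mktemp -d)
    mkdir "$fx/private" && chmod 700 "$fx/private"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' '-----END PRIVATE KEY-----' > "$fx/private/test.key"
    chmod 600 "$fx/private/test.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' > "$fx/test.crt"
    printf '%s\n' '-----BEGIN DH PARAMETERS-----' 'placeholder' '-----END DH PARAMETERS-----' >> "$fx/test.crt"
    echo "$fx"
}

# Usage: sh audit.sh /etc/ssl/certs/apache-selfsigned.crt /etc/ssl/private/apache-selfsigned.key
if [ "$#" -eq 2 ]; then audit_tls_files "$1" "$2"; fi
```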