使用Ubuntu OpenSSL保护网站安全的核心步骤如下:
更新软件包并安装OpenSSL及开发库:
sudo apt update
sudo apt install openssl libssl-dev
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt
-x509:生成自签名证书-nodes:不加密私钥(避免交互式输入密码)-days 365:证书有效期(生产环境建议缩短)使用Let’s Encrypt等CA获取证书,需先安装Certbot:
sudo apt install certbot
sudo certbot certonly --standalone -d yourdomain.com
证书路径:/etc/letsencrypt/live/yourdomain.com/
编辑配置文件(如/etc/nginx/sites-available/yourdomain):
server {
listen 443 ssl;
server_name yourdomain.com;
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/private/server.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
root /var/www/html;
}
}
启用配置并重启Nginx:
sudo ln -s /etc/nginx/sites-available/yourdomain /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl restart nginx
编辑配置文件(如/etc/apache2/sites-available/yourdomain.conf):
<VirtualHost *:443>
ServerName yourdomain.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
<Directory /var/www/html>
AllowOverride All
</Directory>
</VirtualHost>
启用配置并重启Apache:
sudo a2ensite yourdomain.conf
sudo systemctl restart apache2
server {
listen 80;
server_name yourdomain.com;
return 301 https://$host$request_uri;
}
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256';
sudo ufw allow 443/tcp
测试HTTPS连接:
https://yourdomain.com,确认无证书警告(自签名证书会提示不安全,生产环境需用CA证书)。openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
证书续期(仅CA证书需操作):
sudo certbot renew --dry-run
sudo apt update && sudo apt upgrade openssl确保版本安全。通过以上步骤,可利用Ubuntu OpenSSL为网站建立基础的HTTPS加密通信,保护数据传输安全。