在CentOS上优化Apache的SSL性能可从以下方面入手:
启用SSL模块与证书配置
确保已安装mod_ssl
模块,通过sudo a2enmod ssl
启用(若为CentOS 7需手动安装模块包),并在配置文件中指定证书路径:
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /path/to/cert.crt
SSLCertificateKeyFile /path/to/cert.key
</VirtualHost>
优化SSL协议与加密套件
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
启用SSL会话缓存
减少握手次数,提升性能:
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)" # 缓存大小512KB
SSLSessionCacheTimeout 300 # 缓存超时300秒
启用OCSP Stapling
减少客户端证书验证延迟:
SSLUseStapling on
SSLStaplingCache "shmcb:/var/run/stapling_cache(128000)"
调整MPM(多处理模块)参数
根据服务器负载优化进程/线程数(以prefork
模块为例):
<IfModule mpm_prefork_module>
StartServers 10
MinSpareServers 5
MaxSpareServers 20
MaxRequestWorkers 150
</IfModule>
启用压缩与KeepAlive
SetOutputFilter DEFLATE
(需先安装mod_deflate
)KeepAlive On
,并设置MaxKeepAliveRequests
和KeepAliveTimeout
内核参数调优
编辑/etc/sysctl.conf
,优化TCP连接参数(如增大连接队列、启用端口复用):
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_syn_backlog = 8192
注意:修改配置后需重启Apache服务(sudo systemctl restart httpd
),并使用工具(如SSL Labs)验证配置有效性。定期更新系统和软件以修复安全漏洞。