简介

有时候内部网络不能对公网开放（即使有登陆限制），又不希望网站内容被嗅探。使用https技术可以实现网站与浏览器的内容加密，但是根证书机构无法访问内网服务器。

大多数内网https的实现方案是用自签证书，所有浏览器需要添加根证书，在使用上存在困难。

思路

利用手头的公网服务器，先将域名放到公网服务器上，签过证书后再解析到内网服务器。

步骤

1. 创建公网网站

到域名服务商处修改域名指向到公网服务器，网站指向默认路径，内容可有可无。

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName icloud.stackoverflow.club

        ServerAdmin wenfengand@gmail.com
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
        #This section is written by the apache gui do not manually edit apacheguilogholder
        LogFormat "%h\",\"%{User-agent}i\",\"%r\",\"%>s\",\"%B" apacheguilogholder
        CustomLog "|\"/usr/bin/java\" -jar \"/home/ubuntu/download/ApacheGUI/tomcat/bin/LogParser.jar\" \"/home/ubuntu/download/ApacheGUI/tomcat\"" apacheguilogholder

</VirtualHost>

2. 生成证书

在命令行输入

certbot

会有对话框出现，选择要签名的域名，并设置跳转。

3. 拷贝文件到内网

将/etc/letsencrypt/live/icloud.stackoverflow.club/文件夹和/etc/letsencrypt/options-ssl-apache.conf拷贝到内网服务器，我这里是将所有文件放到了内网服务器的/home/pi/workspace/icloud.stackoverflow.club/目录。

将/etc/apache2/sites-available/icloud-le-ssl.conf拷贝到内网服务器对应目录。

4. 更新内网网站配置

内网服务器可能需要激活一些模块

sudo a2enmod rewrite
sudo a2enmod ssl

修改icloud-le-ssl.conf和icloud.conf使其符合自身需求。

启用https

sudo a2ensite icloud-le-ssl.conf`

将下述配置添加到http的conf文件中，实现http跳转https

RewriteEngine on
RewriteCond %{SERVER_NAME} =icloud.stackoverflow.club
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

重启apache

sudo service apache2 restart

在域名服务商处改回原有DNS配置，稍等片刻，检查https是否配置成功。