How to Make debian websites correctly use the SSL Security Protocol

Source: Internet
Author: User
Google will improve the ranking of HTTPSSSL websites. How can we make websites correctly use the SSL security protocol? Google provides several suggestions.

Google will improve the ranking of websites using HTTPS/SSL,
How can I make websites correctly use the SSL security protocol? Google provides several suggestions.

Select the type of certificate you need: single domain, multi-domain, General Certificate

Use a 2048-bit encrypted Certificate

Use relative URLs for resources under the same security domain name

Use relative Protocol URLs for all other domain names

Carefully read the tutorials officially provided by Google

Do not use the robot file to prohibit crawlers from crawling your HTTPS website.

Finally, Google recommends using Qualys Lab tool to test whether your SSL protocol is correct.
A2enmod ssl
A2ensite default-ssl
Openssl req-nodes-newkey rsa: 2048-days 365-keyout www.xxx.com. key-out www.xxx.com. csr
Openssl req-newkey: indicates to generate a certificate request using OpenSSL suites;-nodes: "No DES" stands for "No DES", indicating that the private key is not encrypted using DES; otherwise, the password is entered every time Apache is started; rsa: 2048: generate a 2048-bit RSA encrypted private key;-keyout: Private Key Generation file.

ThisCommandTwo files are generated. "myserver. key" contains the private key to generate the CSR (Certificate Signing Request) file. Please keep this file properly and do not disclose it to anyone. Next we need to input personal information into the CSR file:. com. csr
Enter the country, city, company, and department information as prompted (Blank box can be entered at Will); use the "Common Name" option
The Host Name of the Web server. If you want to attach a domain name, enter the complete domain name information. The following two options are displayed after the domain name is complete. Leave them blank;
After the preceding steps, the private Key file Key and the certificate application file CSR are generated in the user directory. open the file in a text editor and copy and paste the content to the blank area on the Namecheap website application page, click OK to complete the certificate application.
Then, the certificate will be sent to your mailbox.

Certificate merge SSLCACertificateFile settings shocould be used on Apache1.x. SSLCertificateChainFile shocould be used on Apache2 instead.

Http://billpatrianakos.me/blog/2014/04/04/installing-comodo-positive-ssl-certs-on-apache-and-openssl/

Cat COMODORSADomainValidationSecureServerCA. crt COMODORSAAddTrustCA. crt> yourdomain.com. cer


SSLEngine On
SSLCertificateFile/etc/apache2/ssl/www_xxx_com.crt
SSLCertificateKeyFile/etc/apache2/ssl/www.xxx.com. key
SSLCertificateChainFile/etc/apache2/ssl/yourdomain.com. cer


ServerName xxx.com
ServerAlias www.xxx.com
DocumentRoot/srv/www/xxx.com/public_html/
ErrorLog/srv/www/xxx.com/logs/error.log

RewriteEngine On
RewriteCond % {HTTPS} off
RewriteRule (. *) https: // % {HTTP_HOST }%{ REQUEST_URI} [L, R = 301]


Jump to https from port 80 to port 301. Do not forget to enable port 443 on the firewall.
Add NameVirtualHost *: 443 to the ports. conf file.
A2enmod headers enable headers
Add apache2.conf
ServerName localhost: 80
ServerName localhost: 443

You can disable sslv3 to edit the/etc/apache2/mod-available/ssl. conf file.
SSLProtocol all-SSLv2-SSLv3
SSLHonorCipherOrder on
Export "EECDH + ECDSA + inclueecdh + aRSA + inclueecdh + ECDSA + SHA384 EECDH + region + SHA256 EECDH + aRSA + SHA384 region + aRSA + SHA256 EECDH + aRSA + RC4 EECDH EDH aRSA RC4! ANULL! ENULL! LOW! 3DES! MD5! EXP! PSK! SRP! DSS"

Enable spdy to accelerate https
Wget https://dl-ssl.google.com/dl/linux/direct/mod-spdy-beta_current_i386.deb #32-bit
Wget https://dl-ssl.google.com/dl/linux/direct/mod-spdy-beta_current_amd64.deb #64-bit
Dpkg-I mod-spdy-*. deb
Apt-get-f install
Http://spdycheck.org/test whether spdy is enabled
Hrome: // net-internals/# spdy

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.