File manager

File manager - Edit - /usr/local/lswsbak/docs/zh-CN/VHSSL_Help.html

Back
<!DOCTYPE html> <head> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /> <title>OpenLiteSpeed Users' Manual - 虚拟主机SSL</title> <meta name="description" content="OpenLiteSpeed Users' Manual - 虚拟主机SSL." /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="robots" content="noindex"> <link rel="shortcut icon" href="../img/favicon.ico" /> <link rel="stylesheet" type="text/css" href="../css/hdoc.css"> </head> <body> <div class="pagewrapper clearfix"><aside class="sidetree ls-col-1-5"> <figure> <img src="img/ols_logo.svg" alt="openlitespeed logo" width="150px"/> </figure> <h2 class="ls-text-thin"> OpenLiteSpeed Web Server <a href="index.html"> Users' Manual</a> </h2> <h3 class="ls-text-muted">Version 1.8  — Rev. 3</h3> <hr/> <div> <ul> <li><a href="license.html">License</a></li> <li><a href="intro.html">Introduction</a></li> <li><a href="install.html">Installation</a></li> <li> <a href="admin.html">Administration</a> <ul class="level2"> <li><a href="ServerStat_Help.html">Service Manager</a></li> <li><a href="Real_Time_Stats_Help.html">Real-Time Stats</a></li> </ul> </li> <li><a href="security.html">Security</a></li> <li> <a href="config.html">Configuration</a> <ul class="level2"> <li><a href="ServGeneral_Help.html">Server General</a></li> <li><a href="ServLog_Help.html">Server Log</a></li> <li><a href="ServTuning_Help.html">Server Tuning</a></li> <li><a href="ServSecurity_Help.html">Server Security</a></li> <li><a href="ExtApp_Help.html">External Apps</a></li> <ul class="level3"> <li><a href="External_FCGI.html">Fast CGI App</a></li> <li><a href="External_FCGI_Auth.html">Fast CGI Authorizer</a></li> <li><a href="External_LSAPI.html">LSAPI App</a></li> <li><a href="External_Servlet.html">Servlet Engine</a></li> <li><a href="External_WS.html">Web Server</a></li> <li><a href="External_PL.html">Piped logger</a></li> <li><a href="External_LB.html">Load Balancer</a></li> </ul> <li><a href="ScriptHandler_Help.html">Script Handler</a></li> <li><a href="App_Server_Help.html">App Server Settings</a></li> <li><a href="Module_Help.html">Module Configuration</a></li> <li><a href="Listeners_General_Help.html">Listener General</a></li> <li><a href="Listeners_SSL_Help.html">Listener SSL</a></li> <li><a href="Templates_Help.html">Virtual Host Templates</a></li> <li><a href="VirtualHosts_Help.html">Virtual Host Basic</a></li> <li><a href="VHGeneral_Help.html">Virtual Host General</a></li> <li><a href="VHSecurity_Help.html">Virtual Host Security</a></li> <li><span class="current"><a href="VHSSL_Help.html">Virtual Host SSL</a></span></li> <li><a href="Rewrite_Help.html">Rewrite</a></li> <li><a href="Context_Help.html">Context</a></li> <ul class="level3"> <li><a href="Static_Context.html">Static Context</a></li> <li> <a href="Java_Web_App_Context.html">Java Web App Context</a> </li> <li><a href="Servlet_Context.html">Servlet Context</a></li> <li><a href="FCGI_Context.html">Fast CGI Context</a></li> <li><a href="LSAPI_Context.html">LSAPI Context</a></li> <li><a href="Proxy_Context.html">Proxy Context</a></li> <li><a href="CGI_Context.html">CGI Context</a></li> <li><a href="LB_Context.html">Load Balancer Context</a></li> <li><a href="Redirect_Context.html">Redirect Context</a></li> <li><a href="App_Server_Context.html">App Server Context</a></li> <li><a href="Module_Context.html">Module Handler Context</a></li> </ul> <li><a href="VHWebSocket_Help.html">Web Socket Proxy</a></li> </ul> </li> <li><a href="webconsole.html">Web Console</a> <ul class="level2"> <li><a href="AdminGeneral_Help.html">Admin Console General</a></li> <li><a href="AdminSecurity_Help.html">Admin Console Security</a></li> <li> <a href="AdminListeners_General_Help.html"> Admin Listener General </a> </li> <li> <a href="AdminListeners_SSL_Help.html">Admin Listener SSL</a> </li> </ul> </li> </ul> </div> </aside> <article class="contentwrapper ls-col-3-5 clearfix"><div class="nav-bar ls-spacer-micro-top"><div class="prev">&#171 <a href="VHSecurity_Help.html">虚拟主机安全</a></div><div class="center"><a href="config.html">Configuration</a></div><div class="next"><a href="Rewrite_Help.html">重写帮助</a> »</div></div> <h1>虚拟主机SSL</h1><h2 id="top">Table of Contents</h2><section class="toc"><section class="toc-row"><header><a href="#sslCert">SSL私钥和证书</a></header><p> <a href="#keyFile">私钥文件</a> \| <a href="#certFile">证书文件</a> \| <a href="#certChain">证书链</a> \| <a href="#CACertPath">CA证书路径</a> \| <a href="#CACertFile">CA证书文件</a></p></section> <section class="toc-row"><header><a href="#sslProtocolSetting">SSL协议</a></header><p> <a href="#ciphers">密码套件</a> \| <a href="#enableECDHE">启用ECDH密钥交换</a> \| <a href="#enableDHE">启用DH密钥交换</a> \| <a href="#DHParam">DH参数</a></p></section> <section class="toc-row"><header>安全与功能</header><p> <a href="#renegProtection">SSL密钥重新协商保护</a> \| <a href="#sslSessionCache">启用SSL会话缓存</a> \| <a href="#sslSessionTickets">启用会话记录单</a> \| <a href="#enableSpdy">启用 SPDY/HTTP2/HTTP3</a> \| <a href="#vhEnableQuic">Enable HTTP3/QUIC</a></p></section> <section class="toc-row"><header><a href="#sslOCSP">OCSP装订</a></header><p> <a href="#enableStapling">启用 OCSP 装订</a> \| <a href="#ocspRespMaxAge">OCSP响应最大有效时间（秒）</a> \| <a href="#ocspResponder">OCSP响应服务器</a> \| <a href="#ocspCACerts">OCSP CA证书</a></p></section> <section class="toc-row"><header>Client Verification</header><p> <a href="#clientVerify">Client Verification</a> \| <a href="#verifyDepth">验证深度</a> \| <a href="#crlPath">客户端吊销路径</a> \| <a href="#crlFile">客户端吊销文件</a></p></section> </section> <section><div class="helpitem"><article class="ls-helpitem"><div><header id="sslCert"><h3>SSL私钥和证书<span class="ls-permlink"><a href="#sslCert"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>每个SSL侦听器都需要成对的SSL私钥和SSL证书。多个SSL侦听器可以共享相同的密钥和证书。<br/> 您可以使用SSL软件包自行生成SSL私钥，例如OpenSSL。 SSL证书也可以从授权证书颁发机构（如VeriSign或Thawte）购买。您也可以自己签署证书。自签名证书将不受Web浏览器的信任，并且不应在公共网站上使用。但是，自签名证书足以供内部使用，例如用于加密到LiteSpeed Web服务器的WebAdmin控制台的流量。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="keyFile"><h3>私钥文件<span class="ls-permlink"><a href="#keyFile"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>SSL私钥文件的文件名。密钥文件不应被加密。</p> <h4>Syntax</h4><p>文件名可以是绝对路径,也可以是相对于$SERVER_ROOT的相对路径。</p> <h4>提示</h4><p>[安全建议] 私钥文件应放在一个安全的目录中，该目录应允许对运行服务器的用户具有只读的访问权限。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="certFile"><h3>证书文件<span class="ls-permlink"><a href="#certFile"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>SSL证书文件的文件名。</p> <h4>Syntax</h4><p>文件名可以是绝对路径,也可以是相对于$SERVER_ROOT的相对路径。</p> <h4>提示</h4><p>[安全建议] 私钥文件应放在一个安全的目录中，该目录应允许对运行服务器的用户具有只读的访问权限。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="certChain"><h3>证书链<span class="ls-permlink"><a href="#certChain"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定证书是否为证书链。存储证书链的文件必须为PEM格式，并且证书必须按照从最低级别（实际的客户端或服务器证书）到最高级别（Root）CA的链接顺序。</p> <h4>Syntax</h4><p>从单选框选择</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="CACertPath"><h3>CA证书路径<span class="ls-permlink"><a href="#CACertPath"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定证书颁发机构（CA）证书的目录。这些证书用于客户端证书身份验证和构建服务器证书链，除了服务器证书之外，这些证书还将发送到浏览器。</p> <h4>Syntax</h4><p>path</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="CACertFile"><h3>CA证书文件<span class="ls-permlink"><a href="#CACertFile"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定包含证书颁发机构（CA）证书的证书链文件。按照优先顺序，此文件只是PEM编码的证书文件的串联。这可以用作替代或除了<span class="tagl"><a href="#CACertPath">CA证书路径</a></span>。这些证书用于客户端证书身份验证和构建服务器证书链，除了服务器证书之外，这些证书还将发送到浏览器。</p> <h4>Syntax</h4><p>文件名可以是绝对路径,也可以是相对于$SERVER_ROOT的相对路径。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="sslProtocolSetting"><h3>SSL协议<span class="ls-permlink"><a href="#sslProtocolSetting"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>自定义侦听器接受的SSL协议。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="ciphers"><h3>密码套件<span class="ls-permlink"><a href="#ciphers"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the cipher suite to be used when negotiating the SSL handshake. LSWS supports cipher suites implemented in SSL v3.0, TLS v1.0, TLS v1.2, and TLS v1.3.</p> <h4>Syntax</h4><p>Colon-separated string of cipher specifications.</p> <h4>例子</h4><div class="ls-example">ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH</div><h4>提示</h4><p><span title="Security" class="ls-icon-security"></span> We recommend leaving this field blank to use our default cipher which follows SSL cipher best practices.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="enableECDHE"><h3>启用ECDH密钥交换<span class="ls-permlink"><a href="#enableECDHE"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>允许使用Diffie-Hellman密钥交换进行进一步的SSL加密。</p> <h4>Syntax</h4><p>从单选框选择</p> <h4>提示</h4><p>[安全建议] ECDH密钥交换比仅使用RSA密钥更安全。 ECDH和DH密钥交换安全性相同。<br/><br/> [性能] 启用ECDH密钥交换会增加CPU负载，并且比仅使用RSA密钥要慢。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="enableDHE"><h3>启用DH密钥交换<span class="ls-permlink"><a href="#enableDHE"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>允许使用Diffie-Hellman密钥交换进行进一步的SSL加密。</p> <h4>Syntax</h4><p>从单选框选择</p> <h4>提示</h4><p>[安全建议] DH密钥交换比仅使用RSA密钥更安全。 ECDH和DH密钥安全性相同。<br/><br/> [x性能] 启用DH密钥交换将增加CPU负载，并且比ECDH密钥交换和RSA都慢。如果可用，则首选ECDH密钥交换。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="DHParam"><h3>DH参数<span class="ls-permlink"><a href="#DHParam"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定DH密钥交换所需的Diffie-Hellman参数文件的位置。</p> <h4>Syntax</h4><p>文件名可以是绝对路径,也可以是相对于$SERVER_ROOT的相对路径。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="renegProtection"><h3>SSL密钥重新协商保护<span class="ls-permlink"><a href="#renegProtection"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定是否启用SSL密钥重新协商保护以防御基于SSL握手的攻击。默认值为“是”。</p> <h4>Syntax</h4><p>从单选框选择</p> <h4>提示</h4><p><span title="Information" class="ls-icon-info"></span> 可以在侦听器和虚拟主机级别启用此设置。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="sslSessionCache"><h3>启用SSL会话缓存<span class="ls-permlink"><a href="#sslSessionCache"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>使用OpenSSL的默认设置启用会话ID缓存。服务器级别设置必须设置为“是”才能使虚拟主机设置生效。<br/> 默认值:<br/> <b>服务器级别:</b> Yes<br/> <b>虚拟主机级别:</b> Yes</p> <h4>Syntax</h4><p>从单选框选择</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="sslSessionTickets"><h3>启用会话记录单<span class="ls-permlink"><a href="#sslSessionTickets"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>使用OpenSSL的默认会话票证设置启用会话记录单。服务器级别设置必须设置为“是”才能使虚拟主机设置生效。<br/> 默认值:<br/> <b>服务器级别:</b> Yes<br/> <b>虚拟主机级别:</b> Yes</p> <h4>Syntax</h4><p>从单选框选择</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="enableSpdy"><h3>启用 SPDY/HTTP2/HTTP3<span class="ls-permlink"><a href="#enableSpdy"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>有选择地启用HTTP/3，HTTP/2和SPDY HTTP网络协议。<br/><br/> 如果要禁用SPDY，HTTP/2和HTTP3，请选中“无”，并取消选中所有其他框。<br/> Default value: All enabled</p> <h4>Syntax</h4><p>从复选框中选择</p> <h4>提示</h4><p><span title="Information" class="ls-icon-info"></span> 可以在侦听器和虚拟主机级别上设置此设置。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="vhEnableQuic"><h3>Enable HTTP3/QUIC<span class="ls-permlink"><a href="#vhEnableQuic"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Enables the HTTP3/QUIC network protocol for this virtual host. For this setting to take effect, both <span class="tagl"><a href="ServTuning_Help.html#quicEnable">启用HTTP3/QUIC</a></span> and <span class="tagl"><a href="Listeners_SSL_Help.html#allowQuic">打开HTTP3/QUIC (UDP) 端口</a></span> must also be set to <span class="val">Yes</span> at the server and listener levels respectively. Default value is <span class="val">Yes</span>.</p> <h4>Syntax</h4><p>从单选框选择</p> <h4>提示</h4><p><span title="Information" class="ls-icon-info"></span> When this setting is set to <span class="val">No</span>, the HTTP3/QUIC advertisement will no longer be sent. If a browser still contains cached HTTP3/QUIC information and HTTP3/QUIC is still enabled at the server and listener levels, an HTTP3/QUIC connection will continue to be used until this information is no longer cached or an HTTP3/QUIC protocol error is encountered.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="sslOCSP"><h3>OCSP装订<span class="ls-permlink"><a href="#sslOCSP"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>在线证书状态协议（OCSP）是更加有效的检查数字证书是否有效的方式。它通过与另一台服务器（OCSP响应服务器）通信，以获取证书有效的验证，而不是通过证书吊销列表（CRL）进行检查。<br/><br/> OCSP装订是对该协议的进一步改进，允许服务器以固定的时间间隔而不是每次请求证书时与OCSP响应程序进行检查。有关更多详细信息，请参见<a href=" https://zh.wikipedia.org/wiki/%E5%9C%A8%E7%BA%BF%E8%AF%81%E4%B9%A6%E7%8A%B6%E6%80%81%E5%8D%8F%E8%AE%AE " target="_blank" rel="noopener noreferrer"> OCSP Wikipedia页面 </a>。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="enableStapling"><h3>启用 OCSP 装订<span class="ls-permlink"><a href="#enableStapling"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>确定是否启用OCSP装订，这是一种更有效的验证公钥证书的方式。</p> <h4>Syntax</h4><p>从单选框选择</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="ocspRespMaxAge"><h3>OCSP响应最大有效时间（秒）<span class="ls-permlink"><a href="#ocspRespMaxAge"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>此选项设置OCSP响应的最大有效时间。如果OCSP响应早于该最大使用期限，则服务器将与OCSP响应服务器联系以获取新的响应。默认值为<span class="val">86400 </span>。通过将此值设置为<span class="val">-1</span>，可以关闭最大有效时间。</p> <h4>Syntax</h4><p>Integer of seconds</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="ocspResponder"><h3>OCSP响应服务器<span class="ls-permlink"><a href="#ocspResponder"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定要使用的OCSP响应服务器的URL。如果未设置，则服务器将尝试联系OCSP响应服务器在证书颁发机构的颁发者证书中有详细说明。某些颁发者证书可能未指定OCSP服务器URL。</p> <h4>Syntax</h4><p>URL starting with <span class="val">http://</span></p> <h4>例子</h4><div class="ls-example"><span class="val">http://rapidssl-ocsp.geotrust.com </span></div></article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="ocspCACerts"><h3>OCSP CA证书<span class="ls-permlink"><a href="#ocspCACerts"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定存储OCSP证书颁发机构（CA）证书的文件的位置。这些证书用于检查OCSP响应服务器的响应（并确保这些响应不被欺骗或以其他方式被破坏）。该文件应包含整个证书链。如果该文件不包含根证书，则LSWS无需将根证书添加到文件中就应该能够在系统目录中找到该根证书，但是，如果此验证失败，则应尝试将根证书添加到此文件中。<br/><br/> This setting is optional. If this setting is not set, the server will automatically check <span class="tagl"><a href="#CACertFile">CA证书文件</a></span>.</p> <h4>Syntax</h4><p>文件名可以是绝对路径,也可以是相对于$SERVER_ROOT的相对路径。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="clientVerify"><h3>Client Verification<span class="ls-permlink"><a href="#clientVerify"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p> Specifies the type of client certifcate authentication. Available types are: <ul> <li><b>None:</b> No client certificate is required.</li> <li><b>Optional:</b> Client certificate is optional.</li> <li><b>Require:</b> The client must has valid certificate.</li> <li><b>Optional_no_ca:</b> Same as optional.</li> </ul> The default is "None".</p> <h4>Syntax</h4><p>从列表中选择</p> <h4>提示</h4><p><span title="Information" class="ls-icon-info"></span> "None" or "Require" are recommended.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="verifyDepth"><h3>验证深度<span class="ls-permlink"><a href="#verifyDepth"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p> Specifies how deeply a certificate should be verified before determining that the client does not have a valid certificate. The default is "1".</p> <h4>Syntax</h4><p>从列表中选择</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="crlPath"><h3>客户端吊销路径<span class="ls-permlink"><a href="#crlPath"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p> Specifies the directory containing PEM-encoded CA CRL files for revoked client certificates. The files in this directory have to be PEM-encoded. These files are accessed through hash filenames, hash-value.rN. Please refer to openSSL or Apache mod_ssl documentation regarding creating the hash filename.</p> <h4>Syntax</h4><p>path</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="crlFile"><h3>客户端吊销文件<span class="ls-permlink"><a href="#crlFile"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p> Specifies the file containing PEM-encoded CA CRL files enumerating revoked client certificates. This can be used as an alternative or in addition to <span class="tagl"><a href="#crlPath">客户端吊销路径</a></span>.</p> <h4>Syntax</h4><p>文件名可以是绝对路径,也可以是相对于$SERVER_ROOT的相对路径。</p> </article> </div> </section> </article><div class="ls-col-1-1"><footer class="copyright">Copyright © 2013-2020. <a href="https://www.litespeedtech.com">LiteSpeed Technologies Inc.</a> 版权所有.</footer> </div></div> </body> </html>

| ver. 1.4 | Github | . | PHP 8.2.28 | Generation time: 0.02 | proxy | phpinfo | Settings