⚝
One Hat Cyber Team
⚝
Your IP:
216.73.216.155
Server IP:
57.129.66.90
Server:
Linux vps-7f548908 5.15.0-160-generic #170-Ubuntu SMP Wed Oct 1 10:06:56 UTC 2025 x86_64
Server Software:
LiteSpeed
PHP Version:
8.2.27
Buat File
|
Buat Folder
Eksekusi
Dir :
~
/
proc
/
self
/
root
/
usr
/
local
/
lsws
/
docs
/
zh-CN
/
Edit File: VHSSL_Help.html
<!DOCTYPE html> <head> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /> <title>OpenLiteSpeed Users' Manual - 虚拟主机SSL</title> <meta name="description" content="OpenLiteSpeed Users' Manual - 虚拟主机SSL." /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="robots" content="noindex"> <link rel="shortcut icon" href="../img/favicon.ico" /> <link rel="stylesheet" type="text/css" href="../css/hdoc.css"> </head> <body> <div class="pagewrapper clearfix"><aside class="sidetree ls-col-1-5"> <figure> <img src="img/ols_logo.svg" alt="openlitespeed logo" width="150px"/> </figure> <h2 class="ls-text-thin"> OpenLiteSpeed Web Server <a href="index.html"> Users' Manual</a> </h2> <h3 class="ls-text-muted">Version 1.8 — Rev. 3</h3> <hr/> <div> <ul> <li><a href="license.html">License</a></li> <li><a href="intro.html">Introduction</a></li> <li><a href="install.html">Installation</a></li> <li> <a href="admin.html">Administration</a> <ul class="level2"> <li><a href="ServerStat_Help.html">Service Manager</a></li> <li><a href="Real_Time_Stats_Help.html">Real-Time Stats</a></li> </ul> </li> <li><a href="security.html">Security</a></li> <li> <a href="config.html">Configuration</a> <ul class="level2"> <li><a href="ServGeneral_Help.html">Server General</a></li> <li><a href="ServLog_Help.html">Server Log</a></li> <li><a href="ServTuning_Help.html">Server Tuning</a></li> <li><a href="ServSecurity_Help.html">Server Security</a></li> <li><a href="ExtApp_Help.html">External Apps</a></li> <ul class="level3"> <li><a href="External_FCGI.html">Fast CGI App</a></li> <li><a href="External_FCGI_Auth.html">Fast CGI Authorizer</a></li> <li><a href="External_LSAPI.html">LSAPI App</a></li> <li><a href="External_Servlet.html">Servlet Engine</a></li> <li><a href="External_WS.html">Web Server</a></li> <li><a href="External_PL.html">Piped logger</a></li> <li><a href="External_LB.html">Load Balancer</a></li> </ul> <li><a href="ScriptHandler_Help.html">Script Handler</a></li> <li><a href="App_Server_Help.html">App Server Settings</a></li> <li><a href="Module_Help.html">Module Configuration</a></li> <li><a href="Listeners_General_Help.html">Listener General</a></li> <li><a href="Listeners_SSL_Help.html">Listener SSL</a></li> <li><a href="Templates_Help.html">Virtual Host Templates</a></li> <li><a href="VirtualHosts_Help.html">Virtual Host Basic</a></li> <li><a href="VHGeneral_Help.html">Virtual Host General</a></li> <li><a href="VHSecurity_Help.html">Virtual Host Security</a></li> <li><span class="current"><a href="VHSSL_Help.html">Virtual Host SSL</a></span></li> <li><a href="Rewrite_Help.html">Rewrite</a></li> <li><a href="Context_Help.html">Context</a></li> <ul class="level3"> <li><a href="Static_Context.html">Static Context</a></li> <li> <a href="Java_Web_App_Context.html">Java Web App Context</a> </li> <li><a href="Servlet_Context.html">Servlet Context</a></li> <li><a href="FCGI_Context.html">Fast CGI Context</a></li> <li><a href="LSAPI_Context.html">LSAPI Context</a></li> <li><a href="Proxy_Context.html">Proxy Context</a></li> <li><a href="CGI_Context.html">CGI Context</a></li> <li><a href="LB_Context.html">Load Balancer Context</a></li> <li><a href="Redirect_Context.html">Redirect Context</a></li> <li><a href="App_Server_Context.html">App Server Context</a></li> <li><a href="Module_Context.html">Module Handler Context</a></li> </ul> <li><a href="VHWebSocket_Help.html">Web Socket Proxy</a></li> </ul> </li> <li><a href="webconsole.html">Web Console</a> <ul class="level2"> <li><a href="AdminGeneral_Help.html">Admin Console General</a></li> <li><a href="AdminSecurity_Help.html">Admin Console Security</a></li> <li> <a href="AdminListeners_General_Help.html"> Admin Listener General </a> </li> <li> <a href="AdminListeners_SSL_Help.html">Admin Listener SSL</a> </li> </ul> </li> </ul> </div> </aside> <article class="contentwrapper ls-col-3-5 clearfix"><div class="nav-bar ls-spacer-micro-top"><div class="prev">« <a href="VHSecurity_Help.html">虚拟主机安全</a></div><div class="center"><a href="config.html">Configuration</a></div><div class="next"><a href="Rewrite_Help.html">重写帮助</a> »</div></div> <h1>虚拟主机SSL</h1><h2 id="top">Table of Contents</h2><section class="toc"><section class="toc-row"><header><a href="#sslCert">SSL私钥和证书</a></header><p> <a href="#keyFile">私钥文件</a> | <a href="#certFile">证书文件</a> | <a href="#certChain">证书链</a> | <a href="#CACertPath">CA证书路径</a> | <a href="#CACertFile">CA证书文件</a></p></section> <section class="toc-row"><header><a href="#sslProtocolSetting">SSL协议</a></header><p> <a href="#ciphers">密码套件</a> | <a href="#enableECDHE">启用ECDH密钥交换</a> | <a href="#enableDHE">启用DH密钥交换</a> | <a href="#DHParam">DH参数</a></p></section> <section class="toc-row"><header>安全与功能</header><p> <a href="#renegProtection">SSL密钥重新协商保护</a> | <a href="#sslSessionCache">启用SSL会话缓存</a> | <a href="#sslSessionTickets">启用会话记录单</a> | <a href="#enableSpdy">启用 SPDY/HTTP2/HTTP3</a> | <a href="#vhEnableQuic">Enable HTTP3/QUIC</a></p></section> <section class="toc-row"><header><a href="#sslOCSP">OCSP装订</a></header><p> <a href="#enableStapling">启用 OCSP 装订</a> | <a href="#ocspRespMaxAge">OCSP响应最大有效时间(秒)</a> | <a href="#ocspResponder">OCSP响应服务器</a> | <a href="#ocspCACerts">OCSP CA证书</a></p></section> <section class="toc-row"><header>Client Verification</header><p> <a href="#clientVerify">Client Verification</a> | <a href="#verifyDepth">验证深度</a> | <a href="#crlPath">客户端吊销路径</a> | <a href="#crlFile">客户端吊销文件</a></p></section> </section> <section><div class="helpitem"><article class="ls-helpitem"><div><header id="sslCert"><h3>SSL私钥和证书<span class="ls-permlink"><a href="#sslCert"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>每个SSL侦听器都需要成对的SSL私钥和SSL证书。 多个SSL侦听器可以共享相同的密钥和证书。<br/> 您可以使用SSL软件包自行生成SSL私钥, 例如OpenSSL。 SSL证书也可以从授权证书颁发机构(如VeriSign或Thawte)购买。 您也可以自己签署证书。 自签名证书将不受Web浏览器的信任,并且不应在公共网站上使用。 但是,自签名证书足以供内部使用,例如 用于加密到LiteSpeed Web服务器的WebAdmin控制台的流量。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="keyFile"><h3>私钥文件<span class="ls-permlink"><a href="#keyFile"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>SSL私钥文件的文件名。 密钥文件不应被加密。</p> <h4>Syntax</h4><p>文件名可以是绝对路径,也可以是相对于$SERVER_ROOT的相对路径。</p> <h4>提示</h4><p>[安全建议] 私钥文件应放在一个安全的目录中,该目录应 允许对运行服务器的用户具有只读的访问权限。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="certFile"><h3>证书文件<span class="ls-permlink"><a href="#certFile"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>SSL证书文件的文件名。</p> <h4>Syntax</h4><p>文件名可以是绝对路径,也可以是相对于$SERVER_ROOT的相对路径。</p> <h4>提示</h4><p>[安全建议] 私钥文件应放在一个安全的目录中,该目录应 允许对运行服务器的用户具有只读的访问权限。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="certChain"><h3>证书链<span class="ls-permlink"><a href="#certChain"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定证书是否为证书链。 存储证书链的文件必须为PEM格式, 并且证书必须按照从最低级别(实际的客户端或服务器证书)到最高级别(Root)CA的链接顺序。</p> <h4>Syntax</h4><p>从单选框选择</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="CACertPath"><h3>CA证书路径<span class="ls-permlink"><a href="#CACertPath"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定证书颁发机构(CA)证书的目录。 这些证书用于客户端证书身份验证和构建服务器证书链,除了服务器证书之外,这些证书还将发送到浏览器。</p> <h4>Syntax</h4><p>path</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="CACertFile"><h3>CA证书文件<span class="ls-permlink"><a href="#CACertFile"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定包含证书颁发机构(CA)证书的证书链文件。 按照优先顺序,此文件只是PEM编码的证书文件的串联。 这可以用作替代或 除了<span class="tagl"><a href="#CACertPath">CA证书路径</a></span>。 这些证书用于客户端证书身份验证和构建服务器证书链,除了服务器证书之外,这些证书还将发送到浏览器。</p> <h4>Syntax</h4><p>文件名可以是绝对路径,也可以是相对于$SERVER_ROOT的相对路径。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="sslProtocolSetting"><h3>SSL协议<span class="ls-permlink"><a href="#sslProtocolSetting"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>自定义侦听器接受的SSL协议。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="ciphers"><h3>密码套件<span class="ls-permlink"><a href="#ciphers"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the cipher suite to be used when negotiating the SSL handshake. LSWS supports cipher suites implemented in SSL v3.0, TLS v1.0, TLS v1.2, and TLS v1.3.</p> <h4>Syntax</h4><p>Colon-separated string of cipher specifications.</p> <h4>例子</h4><div class="ls-example">ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH</div><h4>提示</h4><p><span title="Security" class="ls-icon-security"></span> We recommend leaving this field blank to use our default cipher which follows SSL cipher best practices.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="enableECDHE"><h3>启用ECDH密钥交换<span class="ls-permlink"><a href="#enableECDHE"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>允许使用Diffie-Hellman密钥交换进行进一步的SSL加密。</p> <h4>Syntax</h4><p>从单选框选择</p> <h4>提示</h4><p>[安全建议] ECDH密钥交换比仅使用RSA密钥更安全。 ECDH和DH密钥交换安全性相同。<br/><br/> [性能] 启用ECDH密钥交换会增加CPU负载,并且比仅使用RSA密钥要慢。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="enableDHE"><h3>启用DH密钥交换<span class="ls-permlink"><a href="#enableDHE"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>允许使用Diffie-Hellman密钥交换进行进一步的SSL加密。</p> <h4>Syntax</h4><p>从单选框选择</p> <h4>提示</h4><p>[安全建议] DH密钥交换比仅使用RSA密钥更安全。 ECDH和DH密钥安全性相同。<br/><br/> [x性能] 启用DH密钥交换将增加CPU负载,并且比ECDH密钥交换和RSA都慢。 如果可用,则首选ECDH密钥交换。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="DHParam"><h3>DH参数<span class="ls-permlink"><a href="#DHParam"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定DH密钥交换所需的Diffie-Hellman参数文件的位置。</p> <h4>Syntax</h4><p>文件名可以是绝对路径,也可以是相对于$SERVER_ROOT的相对路径。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="renegProtection"><h3>SSL密钥重新协商保护<span class="ls-permlink"><a href="#renegProtection"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定是否启用SSL密钥重新协商保护以 防御基于SSL握手的攻击。 默认值为“是”。</p> <h4>Syntax</h4><p>从单选框选择</p> <h4>提示</h4><p><span title="Information" class="ls-icon-info"></span> 可以在侦听器和虚拟主机级别启用此设置。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="sslSessionCache"><h3>启用SSL会话缓存<span class="ls-permlink"><a href="#sslSessionCache"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>使用OpenSSL的默认设置启用会话ID缓存。 服务器级别设置必须设置为“是”才能使虚拟主机设置生效。<br/> 默认值:<br/> <b>服务器级别:</b> Yes<br/> <b>虚拟主机级别:</b> Yes</p> <h4>Syntax</h4><p>从单选框选择</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="sslSessionTickets"><h3>启用会话记录单<span class="ls-permlink"><a href="#sslSessionTickets"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>使用OpenSSL的默认会话票证设置启用会话记录单。 服务器级别设置必须设置为“是”才能使虚拟主机设置生效。<br/> 默认值:<br/> <b>服务器级别:</b> Yes<br/> <b>虚拟主机级别:</b> Yes</p> <h4>Syntax</h4><p>从单选框选择</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="enableSpdy"><h3>启用 SPDY/HTTP2/HTTP3<span class="ls-permlink"><a href="#enableSpdy"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>有选择地启用HTTP/3,HTTP/2和SPDY HTTP网络协议。<br/><br/> 如果要禁用SPDY,HTTP/2和HTTP3,请选中“无”,并取消选中所有其他框。<br/> Default value: All enabled</p> <h4>Syntax</h4><p>从复选框中选择</p> <h4>提示</h4><p><span title="Information" class="ls-icon-info"></span> 可以在侦听器和虚拟主机级别上设置此设置。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="vhEnableQuic"><h3>Enable HTTP3/QUIC<span class="ls-permlink"><a href="#vhEnableQuic"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Enables the HTTP3/QUIC network protocol for this virtual host. For this setting to take effect, both <span class="tagl"><a href="ServTuning_Help.html#quicEnable">启用HTTP3/QUIC</a></span> and <span class="tagl"><a href="Listeners_SSL_Help.html#allowQuic">打开HTTP3/QUIC (UDP) 端口</a></span> must also be set to <span class="val">Yes</span> at the server and listener levels respectively. Default value is <span class="val">Yes</span>.</p> <h4>Syntax</h4><p>从单选框选择</p> <h4>提示</h4><p><span title="Information" class="ls-icon-info"></span> When this setting is set to <span class="val">No</span>, the HTTP3/QUIC advertisement will no longer be sent. If a browser still contains cached HTTP3/QUIC information and HTTP3/QUIC is still enabled at the server and listener levels, an HTTP3/QUIC connection will continue to be used until this information is no longer cached or an HTTP3/QUIC protocol error is encountered.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="sslOCSP"><h3>OCSP装订<span class="ls-permlink"><a href="#sslOCSP"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>在线证书状态协议(OCSP)是更加有效的检查数字证书是否有效的方式。 它通过与另一台服务器(OCSP响应服务器)通信,以获取证书有效的验证,而不是通过证书吊销列表(CRL)进行检查。<br/><br/> OCSP装订是对该协议的进一步改进,允许服务器以固定的时间间隔而不是每次请求证书时与OCSP响应程序进行检查。 有关更多详细信息,请参见<a href=" https://zh.wikipedia.org/wiki/%E5%9C%A8%E7%BA%BF%E8%AF%81%E4%B9%A6%E7%8A%B6%E6%80%81%E5%8D%8F%E8%AE%AE " target="_blank" rel="noopener noreferrer"> OCSP Wikipedia页面 </a>。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="enableStapling"><h3>启用 OCSP 装订<span class="ls-permlink"><a href="#enableStapling"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>确定是否启用OCSP装订,这是一种更有效的验证公钥证书的方式。</p> <h4>Syntax</h4><p>从单选框选择</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="ocspRespMaxAge"><h3>OCSP响应最大有效时间(秒)<span class="ls-permlink"><a href="#ocspRespMaxAge"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>此选项设置OCSP响应的最大有效时间。 如果OCSP响应早于该最大使用期限,则服务器将与OCSP响应服务器联系以获取新的响应。 默认值为<span class="val">86400 </span>。 通过将此值设置为<span class="val">-1</span>,可以关闭最大有效时间。</p> <h4>Syntax</h4><p>Integer of seconds</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="ocspResponder"><h3>OCSP响应服务器<span class="ls-permlink"><a href="#ocspResponder"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定要使用的OCSP响应服务器的URL。 如果未设置,则服务器将尝试联系OCSP响应服务器 在证书颁发机构的颁发者证书中有详细说明。 某些颁发者证书可能未指定OCSP服务器URL。</p> <h4>Syntax</h4><p>URL starting with <span class="val">http://</span></p> <h4>例子</h4><div class="ls-example"><span class="val">http://rapidssl-ocsp.geotrust.com </span></div></article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="ocspCACerts"><h3>OCSP CA证书<span class="ls-permlink"><a href="#ocspCACerts"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定存储OCSP证书颁发机构(CA)证书的文件的位置。 这些证书用于检查OCSP响应服务器的响应(并确保这些响应不被欺骗或以其他方式被破坏)。 该文件应包含整个证书链。 如果该文件不包含根证书,则LSWS无需将根证书添加到文件中就应该能够在系统目录中找到该根证书, 但是,如果此验证失败,则应尝试将根证书添加到此文件中。<br/><br/> This setting is optional. If this setting is not set, the server will automatically check <span class="tagl"><a href="#CACertFile">CA证书文件</a></span>.</p> <h4>Syntax</h4><p>文件名可以是绝对路径,也可以是相对于$SERVER_ROOT的相对路径。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="clientVerify"><h3>Client Verification<span class="ls-permlink"><a href="#clientVerify"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p> Specifies the type of client certifcate authentication. Available types are: <ul> <li><b>None:</b> No client certificate is required.</li> <li><b>Optional:</b> Client certificate is optional.</li> <li><b>Require:</b> The client must has valid certificate.</li> <li><b>Optional_no_ca:</b> Same as optional.</li> </ul> The default is "None".</p> <h4>Syntax</h4><p>从列表中选择</p> <h4>提示</h4><p><span title="Information" class="ls-icon-info"></span> "None" or "Require" are recommended.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="verifyDepth"><h3>验证深度<span class="ls-permlink"><a href="#verifyDepth"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p> Specifies how deeply a certificate should be verified before determining that the client does not have a valid certificate. The default is "1".</p> <h4>Syntax</h4><p>从列表中选择</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="crlPath"><h3>客户端吊销路径<span class="ls-permlink"><a href="#crlPath"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p> Specifies the directory containing PEM-encoded CA CRL files for revoked client certificates. The files in this directory have to be PEM-encoded. These files are accessed through hash filenames, hash-value.rN. Please refer to openSSL or Apache mod_ssl documentation regarding creating the hash filename.</p> <h4>Syntax</h4><p>path</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="crlFile"><h3>客户端吊销文件<span class="ls-permlink"><a href="#crlFile"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p> Specifies the file containing PEM-encoded CA CRL files enumerating revoked client certificates. This can be used as an alternative or in addition to <span class="tagl"><a href="#crlPath">客户端吊销路径</a></span>.</p> <h4>Syntax</h4><p>文件名可以是绝对路径,也可以是相对于$SERVER_ROOT的相对路径。</p> </article> </div> </section> </article><div class="ls-col-1-1"><footer class="copyright">Copyright © 2013-2020. <a href="https://www.litespeedtech.com">LiteSpeed Technologies Inc.</a> 版权所有.</footer> </div></div> </body> </html>
Simpan