Configuring HTTPS

Configure httpd

mkdir /etc/ssl/private
chmod 700 /etc/ssl/private
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
cat /etc/ssl/certs/dhparam.pem | sudo tee -a /etc/ssl/certs/apache-selfsigned.crt

vi /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
. . .
DocumentRoot "/var/www/your_dir"
ServerName www.example.com:443

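# Next, configure Flask. Flask has to run under Apache through WSGI; the official docs have an HTTP example: http://flask.pocoo.org/docs/0.12/deploying/mod_wsgi/
# Here everything can be done in /etc/httpd/conf.d/ssl.conf: add the following after the lines from the previous step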

WSGIDaemonProcess your_web_group user=apache group=apache threads=2
WSGIScriptAlias / /var/www/your_dir/your_web.wsgi

<Directory /var/www/your_dir>
    WSGIProcessGroup your_web_group
    WSGIApplicationGroup %{GLOBAL}
    Order deny,allow
    Allow from all
</Directory>

Comment out two lines:
# SSLProtocol all -SSLv2
. . .
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

Change two settings:
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key


Force HTTP to redirect to HTTPS

vi /etc/httpd/conf.d/non-ssl.conf
<VirtualHost *:80>
        ServerName www.example.com
        Redirect "/" "https://www.example.com/"
</VirtualHost>

Check the configuration, restart the service, and set up the firewall

apachectl configtest

systemctl restart httpd.service

iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Browse to the server's IP; if it loads without problems, you are done. Watch out for firewall and SELinux issues.
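
A way to check the result of the edits above, as an added example that is not part of the original post: the functions below read an ssl.conf and a port-80 vhost file and report which of the directives this post touches are actually active. The function names and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the ssl.conf and non-ssl.conf edits described in this post.

# Print the last uncommented value of directive $2 in file $1 (empty if none).
active_value() {
    awk -v d="$2" '
        /^[ \t]*#/ { next }                      # commented-out line
        tolower($1) == tolower(d) {              # directive names are case-insensitive
            $1 = ""; sub(/^[ \t]+/, ""); v = $0  # keep only the arguments
        }
        END { print v }' "$1"
}

# Report what ssl.conf actually enforces; return 1 if anything was reported.
audit_ssl_conf() {
    rc=0
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        [ -n "$(active_value "$1" "$d")" ] || { echo "MISSING $d"; rc=1; }
    done
    # With both lines commented out, httpd falls back to its built-in
    # defaults, which depend on the installed httpd/OpenSSL build.
    for d in SSLProtocol SSLCipherSuite; do
        [ -n "$(active_value "$1" "$d")" ] || { echo "UNSET $d"; rc=1; }
    done
    return $rc
}

# Succeed only if the port-80 vhost file has an active Redirect to https://.
redirects_to_https() {
    grep -Eiq '^[[:space:]]*Redirect(Permanent)?[[:space:]].*https://' "$1"
}

# Constructed sample mirroring the ssl.conf edits in this post.
sample_ssl_conf() {
    cat <<'EOF'
<VirtualHost _default_:443>
DocumentRoot "/var/www/your_dir"
ServerName www.example.com:443
# SSLProtocol all -SSLv2
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>
EOF
}
```

After sourcing the file, run `audit_ssl_conf /etc/httpd/conf.d/ssl.conf` and `redirects_to_https /etc/httpd/conf.d/non-ssl.conf`; an `UNSET` line means the protocol or cipher list is left to httpd's defaults rather than pinned in the file.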

Disable SELinux
vim /etc/selinux/config
Set it to disabled

reboot
posted @ 2018-02-08 14:27  juandx