
Configuring an HTTPS virtual host in Apache


I. Installing Apache 2.2.21 with SSL
1. Before installing apache, check that openssl is installed (yum list "*openssl*"); if it is not, install it with yum.
2. There are plenty of guides online for installing apache; the configure options below are the ones that matter for ssl.
# cd  /usr/local/src/tarbag
# wget http://labs.renren.com/apache-mirror//httpd/httpd-2.2.21.tar.gz
# tar xzvf httpd-2.2.21.tar.gz -C ../software
# cd ../software/httpd-2.2.21
# ./configure --prefix=/usr/local/apache --enable-so --enable-ssl --enable-rewrite --enable-headers --with-mpm=worker --enable-expires --enable-suexec --with-suexec-docroot=/data/www --enable-mods-shared=all
# make && make install
# rm -rf /etc/init.d/httpd
# cp /usr/local/apache/bin/apachectl /etc/init.d/httpd
# sed -i '2c#chkconfig: 35 85 15' /etc/init.d/httpd
# sed -i '3c#description: apache' /etc/init.d/httpd
# chmod +x /etc/init.d/httpd
# chkconfig --add httpd
# chkconfig httpd on
# rm -rf /sbin/apachectl
# ln -s /usr/local/apache/bin/apachectl /sbin
II. Generating the certificate
1. Create a directory for the certificate

Once apache is installed, generate the certificate right away; before doing so, prepare a directory to hold it.

# cd /usr/local/apache/conf
# mkdir ssl.key
# cd ssl.key/
2. Generate the server's self-signed certificate in 3 steps

step.1

First generate the server-side private key (the key file)

# openssl genrsa -des3 -out server.key 1024

When run it prompts for a pass phrase, which is used to encrypt the key file. The command that removes the pass phrase from the key file:

.......................      
.................................................      
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

step.2

Generate a Certificate Signing Request (CSR). The csr file is handed to a CA for signing, which yields the server's own certificate. Prompts appear on screen; enter the requested details step by step as instructed.

# openssl req -new -key server.key -out server.csr

You will see the prompts below; enter the information as requested and the CSR is generated

Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:FJ
Locality Name (eg, city) [Newbury]:FZ
Organization Name (eg, company) [My Company Ltd]:company
Organizational Unit Name (eg, section) []:company
Common Name (eg, your name or your server's hostname) []:ty
Email Address []:ty@company.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:company
An optional company name []:company

If you need a client certificate, run the same commands on the client side to produce a key and csr file:

openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf

That is not demonstrated here; readers who are interested can try it out.

step.3

A CSR only becomes a certificate once a CA has signed it. It can be sent to VeriSign or a similar CA for verification, or signed with your own key (self-signed, valid for 365 days here):

# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.cert

You will see the prompts below; enter the pass phrase and the certificate is written

Signature ok
subject=/C=CN/ST=FJ/L=FZ/O=poppace/OU=poppace/CN=ty/emailAddress=ty@poppace.com
Getting Private key
Enter pass phrase for server.key:

For safety, reduce the access permissions on the certificate files to the minimum

# chmod 400 *

The certificate is ready; next, configure apache.

III. Configuring apache
1. Enable the vhosts and ssl config files in httpd.conf
# vi /usr/local/apache/conf/httpd.conf

To enable the vhosts config, go to lines 447 and 459 and remove the comment markers in front of Include conf/extra/httpd-vhosts.conf and Include conf/extra/httpd-ssl.conf

2. Configure vhosts
# vi /usr/local/apache/conf/extra/httpd-vhosts.conf

Pay particular attention to the 443 section; the relevant explanations are in httpd-ssl.conf

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
DocumentRoot "/data/www/"
ServerName 192.168.1.201
<Directory /data/www/>
Order allow,deny
Allow from all
Options -Indexes FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>

<VirtualHost *:443>
DocumentRoot "/data/www/"
ServerName 192.168.1.201:443
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/usr/local/apache/conf/ssl.key/server.cert"
SSLCertificateKeyFile "/usr/local/apache/conf/ssl.key/server.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions  StdEnvVars
</FilesMatch>
<Directory /data/www/>
Order allow,deny
Allow from all
Options -Indexes FollowSymLinks
AllowOverride All
</Directory>
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
3. Adjust the related settings in httpd-ssl.conf
# vi /usr/local/apache/conf/extra/httpd-ssl.conf

Search for SSLCertificateFile

and change (line 99) SSLCertificateFile "/usr/local/apache/conf/server.crt"
to: SSLCertificateFile "/usr/local/apache/conf/ssl.key/server.cert"

Search for SSLCertificateKeyFile

and change (line 107) SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
to: SSLCertificateKeyFile "/usr/local/apache/conf/ssl.key/server.key"
4. Restart apache
# service httpd start
Apache/2.2.21 mod_ssl/2.2.21 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.example.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

Now open https://192.168.1.201 in a browser and you are done.

Copyright notice: original article on this site, published by 星锅 on 2024-07-24, 4253 characters in total.
Reproduction: unless otherwise stated, articles on this site are published under the CC-4.0 license; please credit the source when reproducing.