共计 4253 个字符,预计需要花费 11 分钟才能阅读完成。
一、安装带 ssl 的 Apache2.2.21
1、安装 apache 之前需要先检查 openssl 是否安装完毕,yum list “*openssl*”,如果没有用 yum 安装下即可
2、apache 安装,网上文档很多,以下是专门针对 ssl 的编译参数
| cd /usr/local/src/tarbag | |
| wget http://labs.renren.com/apache-mirror//httpd/httpd-2.2.21.tar.gz | |
| tar xzvf httpd-2.2.21.tar.gz -C ../software | |
| cd ../software/httpd-2.2.21 | |
| ./configure --prefix=/usr/local/apache --enable-so --enable-ssl --enable-rewrite --enable-headers --with-mpm=worker --enable-expires --enable-suexec --with-suexec-docroot=/data/www --enable-mods-shared=all | |
| make && make install | |
| rm -rf /etc/init.d/httpd | |
| cp /usr/local/apache/bin/apachectl /etc/init.d/httpd | |
| sed -i '2c#chkconfig: 35 85 15' /etc/init.d/httpd | |
| sed -i '3c#description: apache' /etc/init.d/httpd | |
| chmod x /etc/init.d/httpd | |
| chkconfig --add httpd | |
| chkconfig httpd on | |
| rm -rf /sbin/apachectl | |
| ln -s /usr/local/apache/bin/apachectl /sbin |
二、生成证书
1、生成证书存放目录
安装好 apache 后,第一时间生成证书,在生成证书之前先准备生成一个证书存放的目录
| cd /usr/local/apache/conf | |
| mkdir ssl.key | |
| cd ssl.key/ |
2、分 3 步生成服务器签名的证书
step.1
首先要生成服务器端的私钥 (key 文件)
# openssl genrsa -des3 -out server.key 1024
运行时会提示输入密码, 此密码用于加密 key 文件,去除 key 文件口令的命令:
| ....................... | |
| ................................................. | |
| e is 65537 (0x10001) | |
| Enter pass phrase for server.key: | |
| Verifying - Enter pass phrase for server.key: |
step.2
生成 Certificate Signing Request(CSR), 生成的 csr 文件交给 CA 签名后形成服务端自己的证书. 屏幕上将有提示, 依照其指示一步一步输入要求的个人信息即可.
# openssl req -new -key server.key -out server.csr
看到如下提示,并按照提示输入相关信息即可生成密钥
| Enter pass phrase for server.key: | |
| You are about to be asked to enter information that will be incorporated | |
| into your certificate request. | |
| What you are about to enter is what is called a Distinguished Name or a DN. | |
| There are quite a few fields but you can leave some blank | |
| For some fields there will be a default value, | |
| If you enter '.', the field will be left blank. | |
| ----- | |
| Country Name (2 letter code) [GB]:CN | |
| State or Province Name (full name) [Berkshire]:FJ | |
| Locality Name (eg, city) [Newbury]:FZ | |
| Organization Name (eg, company) [My Company Ltd]:company | |
| Organizational Unit Name (eg, section) []:company | |
| Common Name (eg, your name or your server's hostname) []:ty | |
| Email Address []:ty@company.com | |
| Please enter the following 'extra' attributes | |
| to be sent with your certificate request | |
| A challenge password []:company | |
| An optional company name []:company |
如果要生成客户端证书,那么对客户端也作同样的命令生成 key 及 csr 文件:
| openssl genrsa -des3 -out client.key 1024 | |
| openssl req -new -key client.key -out client.csr -config openssl.cnf |
这里就不做演示了,有兴趣的朋友可以去尝试下。
step.3
CSR 文件必须有 CA 的签名才可形成证书. 可将此文件发送到 verisign 等地方由它验证. 自己生成
# openssl req -new -key server.key -out server.csr
看到如下提示,输入密码,即可完成
| Signature ok | |
| subject=/C=CN/ST=FJ/L=FZ/O=poppace/OU=poppace/CN=ty/emailAddress=ty.com | |
| Getting Private key | |
| Enter pass phrase for server.key: |
为了安全起见要将证书相关文件的访问权限降到最低
# chmod 400 *
证书生成完毕,接下来可以配置 apache 了。
三、配置 apache
1、在 httpd.conf 中打开 vhosts 和 ssl 的配置文件
# vi /usr/local/apache/conf/httpd.conf
打开 vhosts 配置,跳转到 447 行和 459 行,取消掉 Include conf/extra/httpd-vhosts.conf 和 Include conf/extra/httpd-ssl.conf 之前的注释
2、配置 vhosts
# vi /usr/local/apache/conf/extra/httpd-vhosts.conf
特别需要注意 443 段的配置,可在 httpd-ssl.conf 中找到相关说明
| NameVirtualHost *:80 | |
| NameVirtualHost *:443 | |
| <VirtualHost *:80> | |
| DocumentRoot "/data/www/" | |
| ServerName 192.168.1.201 | |
| <Directory /data/www/> | |
| Order allow,deny | |
| Allow from all | |
| Options -Indexes FollowSymLinks | |
| AllowOverride All | |
| </Directory> | |
| </VirtualHost> | |
| <VirtualHost *:443> | |
| DocumentRoot "/data/www/" | |
| ServerName 192.168.1.201:443 | |
| SSLEngine on | |
| SSLCipherSuite ALL:!ADH:!EXPORT56:RC4 RSA: HIGH: MEDIUM: LOW: SSLv2: EXP: eNULL | |
| SSLCertificateFile "/usr/local/apache/conf/ssl.key/server.cert" | |
| SSLCertificateKeyFile "/usr/local/apache/conf/ssl.key/server.key" | |
| <FilesMatch ".(cgi|shtml|phtml|php)$"> | |
| SSLOptions StdEnvVars | |
| </FilesMatch> | |
| <Directory /data/www/> | |
| Order allow,deny | |
| Allow from all | |
| Options -Indexes FollowSymLinks | |
| AllowOverride All | |
| </Directory> | |
| BrowserMatch ".*MSIE.*" | |
| nokeepalive ssl-unclean-shutdown | |
| downgrade-1.0 force-response-1.0 | |
| </VirtualHost> |
3、修改 httpd-ssl.conf 的相关配置
# vi /usr/local/apache/conf/extra/httpd-ssl.conf
搜索 SSLCertificateFile
| 并将:(99 行)SSLCertificateFile "/usr/local/apache/conf/server.crt" | |
| 改为:SSLCertificateFile "/usr/local/apache/conf/ssl.key/server.cert" |
搜索 SSLCertificateKeyFile
| 并将:(107 行)SSLCertificateKeyFile "/usr/local/apache/conf/server.key" | |
| 改为:SSLCertificateKeyFile "/usr/local/apache/conf/ssl.key/server.key" |
4、重启 apache
| # service httpd start | |
| Apache/2.2.21 mod_ssl/2.2.21 (Pass Phrase Dialog) | |
| Some of your private key files are encrypted for security reasons. | |
| In order to read them you have to provide the pass phrases. | |
| Server www.example.com:443 (RSA) | |
| Enter pass phrase: | |
| OK: Pass Phrase Dialog successful. |
现在用浏览器访问下 https://192.168.1.201,即大告大功。
正文完
星哥玩云-微信公众号
