Apache 配置https虛擬主機
阿新 • • 發佈:2018-12-27
一、安裝帶ssl的Apache2.2.21
1、安裝apache之前需要先檢查openssl是否安裝完畢,yum
list "*openssl*",如果沒有用yum安裝下即可
2、apache安裝,網上文件很多,以下是專門針對ssl的編譯引數
二、生成證書
1、生成證書存放目錄
# cd /usr/local/src/tarbag # wget http://labs.renren.com/apache-mirror//httpd/httpd-2.2.21.tar.gz # tar xzvf httpd-2.2.21.tar.gz -C ../software # cd ../software/httpd-2.2.21 # ./configure --prefix=/usr/local/apache --enable-so --enable-ssl --enable-rewrite --enable-headers --with-mpm=worker --enable-expires --enable-suexec --with-suexec-docroot=/data/www --enable-mods-shared=all # make && make install # rm -rf /etc/init.d/httpd # cp /usr/local/apache/bin/apachectl /etc/init.d/httpd # sed -i '2c#chkconfig: 35 85 15' /etc/init.d/httpd # sed -i '3c#description: apache' /etc/init.d/httpd # chmod x /etc/init.d/httpd # chkconfig --add httpd # chkconfig httpd on # rm -rf /sbin/apachectl # ln -s /usr/local/apache/bin/apachectl /sbin
安裝好apache後,第一時間生成證書,在生成證書之前先準備生成一個證書存放的目錄
# cd /usr/local/apache/conf # mkdir ssl.key # cd ssl.key/2、分3步生成伺服器簽名的證書
step.1
首先要生成伺服器端的私鑰(key檔案)
# openssl genrsa -des3 -out server.key 1024
執行時會提示輸入密碼,此密碼用於加密key檔案,去除key檔案口令的命令:
....................... ................................................. e is 65537 (0x10001) Enter pass phrase for server.key: Verifying - Enter pass phrase for server.key:
step.2
生成Certificate Signing Request(CSR),生成的csr檔案交給CA簽名後形成服務端自己的證書.螢幕上將有提示,依照其指示一步一步輸入要求的個人資訊即可.
# openssl req -new -key server.key -out server.csr
看到如下提示,並按照提示輸入相關資訊即可生成金鑰
Enter pass phrase for server.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:CN State or Province Name (full name) [Berkshire]:FJ Locality Name (eg, city) [Newbury]:FZ Organization Name (eg, company) [My Company Ltd]:company Organizational Unit Name (eg, section) []:company Common Name (eg, your name or your server's hostname) []:ty Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:company An optional company name []:company
如果要生成客戶端證書,那麼對客戶端也作同樣的命令生成key及csr檔案:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf
這裡就不做演示了,有興趣的朋友可以去嘗試下。
step.3
CSR檔案必須有CA的簽名才可形成證書.可將此檔案傳送到verisign等地方由它驗證.自己生成
# openssl req -new -key server.key -out server.csr
看到如下提示,輸入密碼,即可完成
Signature ok subject=/C=CN/ST=FJ/L=FZ/O=poppace/OU=poppace/CN=ty/[email protected] Getting Private key Enter pass phrase for server.key:
為了安全起見要將證書相關檔案的訪問許可權降到最低
# chmod 400 *
證書生成完畢,接下來可以配置apache了。
三、配置apache 1、在httpd.conf中開啟vhosts和ssl的配置檔案# vi /usr/local/apache/conf/httpd.conf
開啟vhosts配置,跳轉到447行和459行,取消掉Include conf/extra/httpd-vhosts.conf和Include conf/extra/httpd-ssl.conf之前的註釋
2、配置vhosts# vi /usr/local/apache/conf/extra/httpd-vhosts.conf
特別需要注意443段的配置,可在httpd-ssl.conf中找到相關說明
NameVirtualHost *:80 NameVirtualHost *:443 <VirtualHost *:80> DocumentRoot "/data/www/" ServerName 192.168.1.201 <Directory /data/www/> Order allow,deny Allow from all Options -Indexes FollowSymLinks AllowOverride All </Directory> </VirtualHost> <VirtualHost *:443> DocumentRoot "/data/www/" ServerName 192.168.1.201:443 SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4 RSA: HIGH: MEDIUM: LOW: SSLv2: EXP: eNULL SSLCertificateFile "/usr/local/apache/conf/ssl.key/server.cert" SSLCertificateKeyFile "/usr/local/apache/conf/ssl.key/server.key" <FilesMatch ".(cgi|shtml|phtml|php)$"> SSLOptions StdEnvVars </FilesMatch> <Directory /data/www/> Order allow,deny Allow from all Options -Indexes FollowSymLinks AllowOverride All </Directory> BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 </VirtualHost>3、修改httpd-ssl.conf的相關配置
# vi /usr/local/apache/conf/extra/httpd-ssl.conf
搜尋SSLCertificateFile
並將:(99行)SSLCertificateFile "/usr/local/apache/conf/server.crt"
改為:SSLCertificateFile "/usr/local/apache/conf/ssl.key/server.cert"
搜尋SSLCertificateKeyFile
並將:(107行)SSLCertificateKeyFile "/usr/local/apache/conf/server.key"4、重啟apache
改為:SSLCertificateKeyFile "/usr/local/apache/conf/ssl.key/server.key"
# service httpd start Apache/2.2.21 mod_ssl/2.2.21 (Pass Phrase Dialog) Some of your private key files are encrypted for security reasons. In order to read them you have to provide the pass phrases. Server www.example.com:443 (RSA) Enter pass phrase: OK: Pass Phrase Dialog successful.
現在用瀏覽器訪問下https://192.168.1.201,即大告大功。