
httpd configuration explained (part 4)

HTTPS configuration (httpd + mod_ssl)

1. Install the mod_ssl module for Apache

[root@miner_k ~]# yum -y install mod_ssl

[root@miner_k html]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem

2. Configure the CA server

Edit the configuration file:

[root@CA ~]# vim /etc/pki/tls/openssl.cnf

[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # default CA directory
certs           = $dir/certs            # where issued certificates are kept
crl_dir         = $dir/crl              # where issued CRLs are kept
database        = $dir/index.txt        # database index: who has been issued a certificate
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # where newly signed certificates are written

certificate     = $dir/cacert.pem       # the CA certificate
serial          = $dir/serial           # the current serial number
crlnumber       = $dir/crlnumber        # the current CRL number;
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # the current CRL
private_key     = $dir/private/cakey.pem # the CA private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extensions to add to the cert

default_days    = 365                   # certificates are valid for 365 days by default
default_crl_days= 30                    # how long until the next CRL is due
default_md      = default               # use public key default MD
preserve        = no                    # keep passed DN ordering

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN            # default country
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = BeiJing       # default province

localityName                    = Locality Name (eg, city)
localityName_default            = BeiJing       # default city

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = CA            # default company (organization) name

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = IT            # default department (unit)

Two things in this stock file matter for what follows. `default_md = default` makes openssl ca sign with the key type's default digest, which on the OpenSSL 1.0.x shipped with CentOS 6 is SHA-1; browsers no longer accept SHA-1 signatures, so set `default_md = sha256` before signing anything. And the policy CA_default points at (`policy_match`, further down in the same file and not shown here) requires countryName, stateOrProvinceName and organizationName of every request to match the CA certificate, which is why the `_default` values above are set to the CA's own values: requests made with these defaults pass the policy without retyping them.
2.1 Generate the CA private key
[root@CA CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........................................+++
................................................................................................+++
e is 65537 (0x10001)
The umask 077 subshell makes cakey.pem readable only by root (mode 0600). This key is the one secret the whole setup rests on: whoever holds it can issue a certificate for any name that clients trusting this CA will accept, so it must never leave the CA host.

2.2 Generate the CA's self-signed certificate
[root@CA CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [CA]:
Organizational Unit Name (eg, section) [IT]:
Common Name (eg, your name or your server's hostname) []:ca.miner_k.com
Email Address []:[email protected]_k.com  
Note that the CA certificate was given only 365 days. When cacert.pem expires, every certificate it signed stops validating and every client has to import a new CA certificate, so a private root is normally issued for several years.

2.3 Create the files the CA needs
openssl ca refuses to run until the index database (index.txt, initially empty) and the serial file (the next serial number, in hex) exist:
[root@CA CA]# touch index.txt
[root@CA CA]# echo 01 > serial
[root@CA CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

3. On the Apache server

3.1 Generate the key pair
[root@miner_k ~]# cd /etc/httpd/
[root@miner_k httpd]# ls
conf  conf.d  logs  modules  run
[root@miner_k httpd]# mkdir ssl
[root@miner_k httpd]# cd ssl/
[root@miner_k ssl]# (umask 077;openssl genrsa 1024 > httpd.key)
Generating RSA private key, 1024 bit long modulus
....................++++++
.......................++++++
e is 65537 (0x10001)
A 1024-bit RSA key, as generated here, is below the 2048-bit minimum that NIST and the CA/Browser Forum have required since 2014 and that current browsers enforce; generate the server key with 2048 bits (`openssl genrsa 2048 > httpd.key`) and, as with the CA key, keep the umask 077 subshell so that httpd.key is created mode 0600.
3.2 Generate the certificate signing request (.csr, Certificate Signing Request)
[root@miner_k ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [CA]:
Organizational Unit Name (eg, section) [IT]:
Common Name (eg, your name or your server's hostname) []:www.miner_k.com        # must be the hostname of this web server
Email Address []:[email protected]_k.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note: the CA's `policy_match` policy in openssl.cnf requires countryName, stateOrProvinceName and organizationName in the request to be identical to the CA certificate's, so accept the CA's defaults for those fields; organizationalUnitName and emailAddress are optional, and localityName is not in the policy at all, which is why the city is missing from the signed certificate's subject in section 4. The Common Name must be the hostname clients will type into the URL, but modern browsers ignore the CN and match the URL against the subjectAltName extension (Chrome since version 58), so a production signing profile also needs `subjectAltName = DNS:www.miner_k.com`. Leave the challenge password empty; openssl ca does not use it.

3.3 Send the certificate request to the CA server
[root@miner_k ssl]# scp httpd.csr 101.200.87.99:/root
The authenticity of host '101.200.87.99 (101.200.87.99)' can't be established.
RSA key fingerprint is c8:bb:dc:fc:d0:27:4d:48:d2:0a:0f:db:a2:51:10:d2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '101.200.87.99' (RSA) to the list of known hosts.
root@101.200.87.99's password: 
httpd.csr                                                                                          100%  696     0.7KB/s   00:00 

4. Operations on the CA server

4.1 Sign the certificate request sent by the Apache server
[root@CA ~]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 24 06:12:47 2017 GMT
            Not After : May 24 06:12:47 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = CA
            organizationalUnitName    = IT
            commonName                = www.miner_k.com
            emailAddress              = [email protected]_k.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                ED:E8:48:9D:30:0F:95:0B:19:63:D8:F9:9C:70:5C:7E:26:36:DA:30
            X509v3 Authority Key Identifier: 
                keyid:12:0E:C7:0F:0B:A6:06:3D:27:A1:5B:A7:EA:3D:C3:36:07:BE:77:13

Certificate is to be certified until May 24 06:12:47 2018 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4.2 Send the signed certificate back to the Apache server (only httpd.crt travels; the private key stays where it was generated)
[root@CA ~]# scp httpd.crt   114.*.*.229:/etc/httpd/ssl/
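The whole of sections 2 to 4 as one script, added here as an example and not code from the original post: CA key and self-signed CA certificate, server key and CSR, signing with openssl ca under the same policy_match policy, and the chain check a client performs once it trusts the CA. It goes beyond the post in the values a practitioner would choose today (2048-bit keys, SHA-256, a CA certificate marked CA:TRUE, a server certificate with a subjectAltName) and adds a second, deliberately non-matching request to show what policy_match rejects. The directory layout under a temporary directory, the DN values and the hostnames under example.test are assumptions for the demo; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post): private CA + server certificate,
# the way sections 2 to 4 do it, with current key sizes and extensions.
# All paths, DN values and *.example.test hostnames are assumptions for the demo.
set -eu

# Minimal openssl.cnf for the CA in $1; CA_default and policy_match mirror the
# sections the post edits in /etc/pki/tls/openssl.cnf.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca     = CA_default
[ CA_default ]
dir            = $1
new_certs_dir  = \$dir/newcerts
database       = \$dir/index.txt
serial         = \$dir/serial
certificate    = \$dir/cacert.pem
private_key    = \$dir/private/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_match
unique_subject = no
# C, ST and O of a request must equal the CA's own. L is not listed, so
# openssl ca drops it from the issued subject (as in the post's output).
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Section 2: CA directory layout (index.txt, serial, newcerts, private/),
# CA private key (mode 0600 via umask) and a self-signed CA certificate.
make_private_ca() {
    mkdir -p "$1/newcerts" "$1/private"
    chmod 700 "$1/private"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    write_ca_config "$1"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 3650 -config "$1/openssl.cnf" \
        -extensions v3_ca -key "$1/private/cakey.pem" -out "$1/cacert.pem" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=CA/OU=IT/CN=ca.example.test"
}

# Section 3: on the web server, key pair and CSR for hostname $2 in dir $1;
# $3 is the organizationName so a caller can deliberately violate policy_match.
# openssl req needs a distinguished_name section even with -subj, hence the tiny config.
make_server_csr() {
    mkdir -p "$1"
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$1/req.cnf"
    (umask 077; openssl genrsa -out "$1/httpd.key" 2048 2>/dev/null)
    openssl req -new -sha256 -config "$1/req.cnf" -key "$1/httpd.key" -out "$1/httpd.csr" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=$3/OU=IT/CN=$2"
}

# Section 4: on the CA ($1), sign CSR $2 into $3 for hostname $4 with "openssl ca",
# adding end-entity extensions and a subjectAltName. Returns non-zero when the
# request violates policy_match, as the interactive run in the post would.
sign_server_csr() {
    ext="$1/ext.$$.cnf"
    cat > "$ext" <<EOF
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$4
EOF
    rc=0
    openssl ca -batch -notext -config "$1/openssl.cnf" -days 365 \
        -extfile "$ext" -extensions server_cert -in "$2" -out "$3" 2>/dev/null || rc=$?
    rm -f "$ext"
    return $rc
}

# Section 6: what a client does once cacert.pem is trusted: build the chain to
# the CA and check that hostname $3 matches certificate $2.
verify_server_cert() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$2" >/dev/null
}

demo() {
    work=$(mktemp -d)
    make_private_ca "$work/CA"
    make_server_csr "$work/web" www.example.test CA
    sign_server_csr "$work/CA" "$work/web/httpd.csr" "$work/web/httpd.crt" www.example.test
    verify_server_cert "$work/CA" "$work/web/httpd.crt" www.example.test
    echo "www.example.test: chain OK"
    openssl x509 -noout -subject -nameopt RFC2253 -in "$work/web/httpd.crt"   # no L= left
    # A request whose O differs from the CA's is refused by policy_match.
    make_server_csr "$work/bad" bad.example.test Other
    if sign_server_csr "$work/CA" "$work/bad/httpd.csr" "$work/bad/httpd.crt" bad.example.test; then
        echo "policy_match did not reject O=Other"; rm -rf "$work"; return 1
    fi
    echo "O=Other: rejected by policy_match as expected"
    rm -rf "$work"
}
demo
```

The extensions are passed with -extfile per request rather than through x509_extensions in the CA section, because the subjectAltName differs per host; the post's stock `usr_cert` section is what produced the CA:FALSE, Netscape Comment and key-identifier lines in the signing output above, and the server_cert section here is its equivalent plus SAN and key-usage.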

5. httpd configuration on the Apache server

[root@miner_k ssl]# cd /etc/httpd/conf.d/
[root@miner_k conf.d]# ls
README  ssl.conf  welcome.conf
[root@miner_k conf.d]# cp ssl.conf{,.bak} 
[root@miner_k conf.d]# ls
README  ssl.conf  ssl.conf.bak  welcome.conf

Edit the configuration file ssl.conf
[root@miner_k conf.d]# grep -v "^#" ssl.conf | grep -v "^$"
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>    # default host; can also be written as an IP address
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/httpd/ssl/httpd.crt    # changed: path of the certificate
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key # changed: path of the private key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Only the two certificate paths were changed; the rest is the stock file, and two of its defaults should not be left as they are. `SSLProtocol all -SSLv2` still enables SSLv3 (POODLE) and TLS 1.0/1.1; on this httpd 2.2 build use at least `SSLProtocol all -SSLv2 -SSLv3`, and on httpd 2.4 restrict to `-all +TLSv1.2` (plus `+TLSv1.3` where the OpenSSL build supports it). `SSLCipherSuite ... +3DES` keeps 3DES and other suites without forward secrecy reachable; prefer ECDHE suites with AES-GCM, exclude `!aNULL:!MD5:!3DES`, and set `SSLHonorCipherOrder on` so the server's preference wins. Keep httpd.key mode 0600 and owned by root, and run `httpd -t` before the restart: mod_ssl loads the certificate and key during the configuration test, so a bad path or a certificate that does not belong to the key is reported before the service goes down.
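Three checks to run on the Apache host against the ssl.conf above before restarting httpd, added here as an example and not code from the original post: which protocol versions an SSLProtocol value actually leaves enabled, whether SSLCertificateFile and SSLCertificateKeyFile belong together (the modulus comparison), and whether the private key reaches the 2048-bit floor. The ssl.conf fragments, the key and the self-signed certificate it works on are constructed inside the script; the file paths are assumptions, and "all" is modelled as every SSL/TLS version, as httpd 2.2 defines it.

```shell
#!/bin/sh
# Added example (not from the original post): pre-restart checks for the
# ssl.conf of section 5. Sample config lines, key and certificate are
# constructed for the demo; paths are assumptions.
set -eu

# Helpers on space-separated lists.
list_with()    { case " $1 " in *" $2 "*) printf '%s' "$1" ;; *) printf '%s' "${1:+$1 }$2" ;; esac; }
list_without() { r=""; for v in $1; do [ "$v" = "$2" ] || r="$r $v"; done; printf '%s' "${r# }"; }

# Expand an SSLProtocol value ("all -SSLv2", "-all +TLSv1.2 +TLSv1.3") into the
# versions that stay enabled, printed in a fixed order. "all" is taken as every
# version, as httpd 2.2 (which still knew SSLv2) defines it; 2.4 removed SSLv2.
enabled_protocols() {
    all="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
    on=""
    for tok in $1; do
        case "$tok" in
            all|+all) on="$all" ;;
            -all)     on="" ;;
            -*)       on=$(list_without "$on" "${tok#-}") ;;
            +*)       on=$(list_with "$on" "${tok#+}") ;;
            *)        on=$(list_with "$on" "$tok") ;;
        esac
    done
    out=""
    for v in $all; do
        case " $on " in *" $v "*) out="$out $v" ;; esac
    done
    printf '%s\n' "${out# }"
}

# Succeeds only if no SSLv2/SSLv3/TLSv1/TLSv1.1 remains enabled.
protocols_are_modern() {
    for v in $(enabled_protocols "$1"); do
        case "$v" in SSLv2|SSLv3|TLSv1|TLSv1.1) return 1 ;; esac
    done
    return 0
}

# First value of directive $2 in file $1 (commented-out lines are skipped).
directive_value() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# The classic modulus comparison: a mismatch is what makes httpd refuse to
# start with "certificate and private key do not match".
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl dgst -sha256)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# RSA key length in bits, parsed from "openssl rsa -text".
key_bits() {
    openssl rsa -noout -text -in "$1" 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

demo() {
    work=$(mktemp -d)
    # Constructed material: a 2048-bit key with a matching self-signed
    # certificate, and a second, unrelated key.
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = www.example.test\n' > "$work/req.cnf"
    (umask 077; openssl genrsa -out "$work/httpd.key" 2048 2>/dev/null)
    (umask 077; openssl genrsa -out "$work/other.key" 2048 2>/dev/null)
    openssl req -new -x509 -days 1 -config "$work/req.cnf" -key "$work/httpd.key" -out "$work/httpd.crt"
    # Constructed ssl.conf fragments: the post's stock setting and a hardened one.
    printf 'SSLEngine on\nSSLProtocol all -SSLv2\nSSLCertificateFile %s/httpd.crt\nSSLCertificateKeyFile %s/httpd.key\n' \
        "$work" "$work" > "$work/ssl.conf"
    printf 'SSLEngine on\nSSLProtocol -all +TLSv1.2 +TLSv1.3\n' > "$work/ssl.conf.hardened"

    for f in "$work/ssl.conf" "$work/ssl.conf.hardened"; do
        p=$(directive_value "$f" SSLProtocol)
        if protocols_are_modern "$p"; then verdict=ok; else verdict="LEGACY VERSIONS ENABLED"; fi
        echo "$f: SSLProtocol '$p' -> $(enabled_protocols "$p") [$verdict]"
    done
    crt=$(directive_value "$work/ssl.conf" SSLCertificateFile)
    key=$(directive_value "$work/ssl.conf" SSLCertificateKeyFile)
    if cert_matches_key "$crt" "$key"; then echo "cert/key: match"; else echo "cert/key: MISMATCH"; fi
    if cert_matches_key "$crt" "$work/other.key"; then echo "other.key: match"; else echo "other.key: MISMATCH (expected)"; fi
    echo "key size: $(key_bits "$key") bits (the post used 1024; require at least 2048)"
    rm -rf "$work"
}
demo
```

Run it against the real files by replacing the constructed paths with /etc/httpd/conf.d/ssl.conf; httpd itself performs the cert/key check only at startup, so doing it here avoids finding out during the restart.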

6. Testing

6.1 Test the https page directly in a browser

Restart the httpd service:
[root@miner_k conf.d]# service httpd restart
The page loads over https, but the browser marks the connection as not secure: the certificate was issued by a private CA that is not in the browser's trust store, so chain validation fails. At this point only that warning distinguishes the site from a man-in-the-middle presenting a self-signed certificate, which is why the next step installs the CA certificate on the client.

6.2 Install the CA certificate on the client
  • 1. Download cacert.pem from the CA to the local machine and rename it cacert.crt (the content stays PEM; the .crt extension only makes Windows open it with the certificate import wizard).
  • 2. Import the certificate into the browser as a trusted root CA (the "Authorities" or "Trusted Root Certification Authorities" store, not the personal store). After restarting the browser the warning disappears for https://www.miner_k.com, provided the name in the URL matches the certificate. The same check from the command line is openssl s_client with `-CAfile cacert.pem`, which should end with "Verify return code: 0 (ok)". Distribute cacert.pem only: every client that imports it now trusts anything signed with cakey.pem, so the CA private key must never leave the CA host.

