I. Install and configure Apache
1. Install: yum install httpd -y
2. Edit the Apache configuration file:
vi /etc/httpd/conf/httpd.conf
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin root@localhost <== change to your own system administrator's e-mail address
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If this is not set to valid DNS name for your host, server-generated
# redirections will not work. See also the UseCanonicalName directive.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address anyway, and this will make
# redirections work in a sensible way.
#
#ServerName www.example.com:80
ServerName www.example.com:80 <== change to your own host name
<Directory "/var/www/html">
#Options Indexes FollowSymLinks
Options FollowSymLinks <== remove Indexes so that, when no index.html is found, the files in the directory are not listed
AllowOverride None
Order allow,deny
Allow from all
</Directory>
3. Open port 80 in the firewall
vi /etc/sysconfig/iptables and add this line:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT (then :wq to save and exit)
4. Restart iptables
service iptables restart
5. Set the SELinux boolean so that some PHP programs are not prevented from running
setsebool -P httpd_read_user_content 1
6. Start Apache
service httpd start
7. Make Apache start automatically at boot
chkconfig httpd on
II. Set up the SSL connection
1. Install the SSL components
yum install mod_ssl openssl
2. Create a self-signed certificate
2.1. Create a directory of your own to hold the generated certificate files
mkdir /etc/pki/idindon
2.2. cd /etc/pki/idindon
2.3. Generate the private key
openssl genrsa -out idindon.key 1024
2.4. Generate the CSR file
openssl req -new -key idindon.key -out idindon.csr
2.5. Fill in the certificate details
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan Republic Of China
Locality Name (eg, city) [Default City]:Taipei
Organization Name (eg, company) [Default Company Ltd]:idindon
Organizational Unit Name (eg, section) []:idindon
Common Name (eg, your name or your server's hostname) []:idindon.idv.tw
Email Address []:idindon@idindon.idv.tw
Please enter the following 'extra' attributes
to be sent with your certificate request (press Enter to skip)
A challenge password []: (press Enter to skip)
An optional company name []: (press Enter to skip)
2.6. Generate the self-signed certificate
openssl x509 -req -days 365 -in idindon.csr -signkey idindon.key -out idindon.crt
2.7. Copy the files to the correct locations (the directories below)
cp idindon.crt /etc/pki/tls/certs/idindon.crt
cp idindon.key /etc/pki/tls/private/idindon.key
cp idindon.csr /etc/pki/tls/private/idindon.csr
III. Edit /etc/httpd/conf.d/ssl.conf to point at the newly created certificate
Find the following text:
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Change the two highlighted directives (SSLCertificateFile and SSLCertificateKeyFile) to your newly created certificate and key:
SSLCertificateFile /etc/pki/tls/certs/idindon.crt
SSLCertificateKeyFile /etc/pki/tls/private/idindon.key
IV. Enable SSL
Method 1: configure an Apache virtual host
1. Back up /etc/httpd/conf/httpd.conf
2. Append the following text to the end of /etc/httpd/conf/httpd.conf
NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/idindon.crt
SSLCertificateKeyFile /etc/pki/tls/private/idindon.key
<Directory /var/www/html/protected_directory>
AllowOverride All
</Directory>
DocumentRoot /var/www/html/protected_directory
ServerName idindon.idv.tw
</VirtualHost>
3. Restart Apache
service httpd restart
Method 2: edit /etc/httpd/conf.d/ssl.conf directly
Edit /etc/httpd/conf.d/ssl.conf
Listen 443
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
DocumentRoot "/var/www/protected_directory"
ServerName *:443
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/idindon.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/private/idindon.key
</VirtualHost>
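As an added example (not part of the original post), a small Python checker for the ssl.conf virtual host above: it flags a key path outside /etc/pki/tls/private/ (where step II.2.7 copies the key), the RC4, MEDIUM and LOW entries that the page's SSLCipherSuite line still enables, and a leftover Options Indexes, which Part I removed to prevent directory listings. The sample config text is constructed, and the finding codes are this example's own, not anything Apache emits.

```python
# Constructed sample (not from any real server): the Method 2 ssl.conf vhost from
# this walkthrough with three easy mistakes: key under certs/, RC4/MEDIUM/LOW on, Indexes on.
SAMPLE_SSL_CONF = """\
<VirtualHost _default_:443>
    ServerName idindon.idv.tw:443
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/idindon.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/idindon.key
    Options Indexes FollowSymLinks
</VirtualHost>
"""
# OpenSSL cipher-string atoms a TLS server should not leave enabled.
WEAK_ATOMS = {"RC4", "LOW", "MEDIUM", "EXPORT", "ADH", "aNULL", "eNULL", "NULL", "DES", "MD5"}

def parse_directives(text):
    """(name, value) pairs for directive lines; comments and <tags> are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0], parts[1].strip('"') if len(parts) > 1 else ""))
    return pairs

def enabled_weak_ciphers(cipher_string):
    """Weak atoms the cipher string leaves enabled: '!' and '-' disable, '+' does not."""
    weak = []
    for token in cipher_string.split(":"):
        if not token or token[0] in "!-":
            continue
        for atom in token.lstrip("+").split("+"):  # RC4+RSA enables RC4 with RSA kx
            if atom in WEAK_ATOMS and atom not in weak:
                weak.append(atom)
    return weak

def lint_ssl_vhost(text):
    """Return (code, detail) findings for one ssl.conf / vhost fragment."""
    pairs = parse_directives(text)
    values = dict(pairs)
    findings = []
    key = values.get("SSLCertificateKeyFile", "")
    if key and not key.startswith("/etc/pki/tls/private/"):  # the page copies the key there
        findings.append(("KEY_OUTSIDE_PRIVATE", key))
    for atom in enabled_weak_ciphers(values.get("SSLCipherSuite", "")):
        findings.append(("WEAK_CIPHER", atom))
    for name, value in pairs:  # the page drops Indexes to stop directory listings
        if name == "Options" and "Indexes" in value.split():
            findings.append(("DIR_LISTING_ENABLED", value))
    return findings
```

Running lint_ssl_vhost(SAMPLE_SSL_CONF) yields five findings; with the key moved to /etc/pki/tls/private/, a cipher list such as HIGH:!aNULL:!MD5:!RC4, and Indexes removed, it yields none.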
References:
http://wiki.centos.org/HowTos/Https