一、安裝Apache與設定

      1.安裝 yum install httpd -y

      2.設定 apache 設定檔

        vi /etc/httpd/conf/httpd.conf

        

        #
        # ServerAdmin: Your address, where problems with the server should be
        # e-mailed. This address appears on some server-generated pages, such
        # as error documents. e.g. admin@your-domain.com
        #
        ServerAdmin root@localhost <==改成你自己的系統管理者電子郵件信箱

        #
        # ServerName gives the name and port that the server uses to identify itself.
        # This can often be determined automatically, but we recommend you specify
        # it explicitly to prevent problems during startup.
        #
        # If this is not set to valid DNS name for your host, server-generated
        # redirections will not work. See also the UseCanonicalName directive.
        #
        # If your host doesn't have a registered DNS name, enter its IP address here.
        # You will have to access it by its address anyway, and this will make
        # redirections work in a sensible way.
        #
        #ServerName www.example.com:80
        ServerName www.example.com:80 <==改成你自己的主機名稱

        <Directory "/var/www/html">
          #Options Indexes FollowSymLinks
          Options FollowSymLinks <==拿掉 Indexes,當找不到index.html時,不顯示整個目錄下的檔案
          AllowOverride None
          Order allow,deny
          Allow from all
        </Directory>

 

 

      2.開啟防火牆80 port

       vi /etc/sysconfig/iptables
       新增這一行
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80-j ACCEPT //:wq儲存離開

3.重新啟動iptables
       service iptables restart

    4.設定SELinux規則,以免某些php程式無法執行
setsebool -P httpd_read_user_content 1

5.重新啟動 apache
       service httpd start

6.apache設定為開機自動啟動
      chkconfig httpd on


二、建立SSL連線
1.安裝SSL相關元件
yum install mod_ssl openssl

2.建立self-signed certificate

2.1.#建立自己存放產生的憑證目錄
mkdir /etc/pki/idindon
2.2.cd idindon

2.3.#Generate private key產生私鑰
openssl genrsa -out idindon.key 1024

2.4.# Generate CSR  產生CSR檔案
openssl req -new -key idindon.key -out idindon.csr
2.5.#填入憑證資料
              Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan Republic Of China
Locality Name (eg, city) [Default City]:Taipei
Organization Name (eg, company) [Default Company Ltd]:idindon
Organizational Unit Name (eg, section) []:idindon
Common Name (eg, your name or your server's hostname) []:idindon.idv.tw
Email Address []:idindon@idindon.idv.tw

Please enter the following 'extra' attributes
to be sent with your certificate request (按下enter鍵略過)
A challenge password []: (按下enter鍵略過)
An optional company name []: (按下enter鍵略過)
2.6.#Generate Self Signed Key 產生自我簽署的金鑰
            openssl x509 -req -days 365 -in idindon.csr -signkey idindon.key -out idindon.crt

2.7.# Copy the files to the correct locations 將檔案複製到下略目錄
               cp idindon.crt /etc/pki/tls/certs/idindon.crt
cp idindon.key /etc/pki/tls/private/idindon.key
cp idindon.csr /etc/pki/tls/private/idindon.csr

三、設定/etc/httpd/conf.d/ssl.conf 設定新建立的憑證位置
找到下列文字:
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

將紅色文字修改為自己新建立的憑證檔
SSLCertificateFile /etc/pki/tls/certs/idindon.crt
SSLCertificateKeyFile /etc/pki/tls/private/idindon.key

四、啟用SSL
方法一、設定Apache虛擬主機

1.備份/etc/httpd/conf/httpd.conf

2.於
/etc/httpd/conf/httpd.conf
       檔案後面加上下列字串

NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/idindon.crt
SSLCertificateKeyFile /etc/pki/tls/private/idindon.key
<Directory /var/www/html/受保護的目錄>
AllowOverride All
</Directory>
DocumentRoot /var/www/html/受保護的目錄
ServerName idindon.idv.tw
</VirtualHost>

3. 重新啟動apache

service httpd restart

  方法二、
編輯
/etc/httpd/conf.d/ssl.conf

    Listen 443
    <VirtualHost _default_:443>
      # General setup for the virtual host, inherited from global configuration
      #DocumentRoot "/var/www/html"
      #ServerName www.example.com:443
      DocumentRoot "/var/www/受保護的目錄"
      ServerName *:443
      # SSL Engine Switch:
      # Enable/Disable SSL for this virtual host.
      SSLEngine on
      # SSL Cipher Suite:
      # List the ciphers that the client is permitted to negotiate.
      # See the mod_ssl documentation for a complete list.
      SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
     # Server Certificate:
     # Point SSLCertificateFile at a PEM encoded certificate. If
     # the certificate is encrypted, then you will be prompted for a
     # pass phrase. Note that a kill -HUP will prompt again. A new
     # certificate can be generated using the genkey(1) command.
     #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
     SSLCertificateFile /etc/pki/tls/certs/idindon.crt
     # Server Private Key:
     # If the key is not combined with the certificate, use this
     # directive to point at the key file. Keep in mind that if
     # you've both a RSA and a DSA private key you can configure
     # both in parallel (to also allow the use of DSA ciphers, etc.)
     #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
     SSLCertificateKeyFile /etc/pki/tls/certs/idindon.key
   </VirtualHost>

 



 參考資料:

http://wiki.centos.org/HowTos/Https

# Generate private key 
openssl genrsa -out ca.key 1024 

# Generate CSR 
openssl req -new -key ca.key -out ca.csr

# Generate Self Signed Key
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

# Copy the files to the correct locations
cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr
, ,

K 發表在 痞客邦 PIXNET 留言(0) 人氣()