CentOS/Redhat Apache mod_ssl Configuration
The mod_ssl module provides strong encryption for the Apache web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
How do I install and configure mod_ssl on CentOS / Fedora / Red Hat Enterprise Linux?
mod_ssl is the SSL/TLS module for the Apache HTTP Server.
You can use a self-signed certificate or a certificate issued by a third-party CA.
The module provides SSL v2/v3 and TLS v1 support for the Apache HTTP Server.
It was contributed by Ralf S. Engelschall, based on his mod_ssl project, which was originally derived from the work of Ben Laurie.
The module relies on OpenSSL for its cryptographic engine.
Step 1: Install mod_ssl
Log in as root and run the following command to install mod_ssl:
# yum install mod_ssl
Step 2: Create an SSL certificate
Run the following commands:
# cd /etc/pki/tls/certs
# openssl genrsa -des3 -out apachekey.pem 2048
Sample output:
Generating RSA private key, 2048 bit long modulus
..................+++
...................................+++
e is 65537 (0x10001)
Enter pass phrase for apachekey.pem:
Verifying - Enter pass phrase for apachekey.pem:
Enter a strong passphrase to protect the Apache web server's key pair.
Generate a certificate signing request (CSR)
Run the following command:
# openssl req -new -key apachekey.pem -out apachekey.csr
Sample output:
Enter pass phrase for apachekey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:MH
Locality Name (eg, city) [Newbury]:Poona
Organization Name (eg, company) [My Company Ltd]:theitroad LTD
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.theitroad.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Fill in each field or press [Enter] to accept the default, but the Common Name field is critical:
it must exactly match the server's fully qualified domain name (for example www.theitroad.com), otherwise the certificate will not work.
No challenge password is needed; leave it blank.
Create the web server certificate
The CSR must be signed to produce the web server certificate (you can also send it to a commercial CA for signing).
To sign apachekey.csr with your own CA, run:
# openssl ca -in apachekey.csr -out apachecert.pem
Install the SSL certificate
Copy the server key and certificate files to /etc/pki/tls/http/:
# cp apachecert.pem /etc/pki/tls/http/
# cp apachekey.pem /etc/pki/tls/http/
Edit /etc/httpd/conf.d/ssl.conf:
# vi /etc/httpd/conf.d/ssl.conf
Listen on the HTTPS port:
Listen 10.10.29.68:443
Update the random-number seeding directives so the PRNG is seeded properly:
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
Update the VirtualHost as follows:
<VirtualHost www.theitroad.com:443>
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/http/apachecert.pem
    SSLCertificateKeyFile /etc/pki/tls/http/apachekey.pem
    SSLProtocol All -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5
    DocumentRoot "/var/www/html/ssl"
    ServerName www.theitroad.com:443
</VirtualHost>
Save and close the file.
Make sure /var/www/html/ssl exists:
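Before restarting httpd it is worth checking the VirtualHost block for the directives this tutorial relies on and for legacy protocol choices. The following lint is an added example written for this page, not part of the original tutorial or of Apache; it uses only the Python standard library, and SAMPLE_VHOST is a constructed copy of the block above.

```python
"""Lint the SSL directives of an Apache VirtualHost block (stdlib only)."""

# Constructed sample: the VirtualHost block from the tutorial above, as text.
SAMPLE_VHOST = """<VirtualHost www.theitroad.com:443>
SSLEngine On
SSLCertificateFile /etc/pki/tls/http/apachecert.pem
SSLCertificateKeyFile /etc/pki/tls/http/apachekey.pem
SSLProtocol All -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5
DocumentRoot "/var/www/html/ssl"
ServerName www.theitroad.com:443
</VirtualHost>
"""

REQUIRED = ("SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile",
            "SSLProtocol", "SSLCipherSuite")


def parse_directives(text):
    """Map directive name -> value for the lines inside the <VirtualHost> block."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("<", "#")):  # skip tags and comments
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def legacy_protocol_enabled(protocol_value, version):
    """True if SSLProtocol leaves `version` (e.g. 'SSLv3') enabled: 'All' or a
    bare/'+' token turns it on, and only an explicit '-version' removes it."""
    tokens = [t.lower() for t in protocol_value.split()]
    v = version.lower()
    if "-" + v in tokens:
        return False
    return "all" in tokens or v in tokens or "+" + v in tokens


def lint_ssl_vhost(text):
    """Return a list of findings; an empty list means the block passes."""
    d = parse_directives(text)
    findings = [f"missing directive: {n}" for n in REQUIRED if n not in d]
    if d.get("SSLEngine", "").lower() != "on":
        findings.append("SSLEngine is not On")
    for version in ("SSLv2", "SSLv3"):
        if legacy_protocol_enabled(d.get("SSLProtocol", ""), version):
            findings.append(f"SSLProtocol leaves {version} enabled (add -{version})")
    ciphers = d.get("SSLCipherSuite", "").split(":")
    if "!MD5" not in ciphers:  # '+MD5' only reorders; it does not exclude MD5
        findings.append("SSLCipherSuite does not exclude MD5-based ciphers (add !MD5)")
    if "!aNULL" not in ciphers:
        findings.append("SSLCipherSuite does not exclude anonymous (aNULL) ciphers")
    return findings


if __name__ == "__main__":
    for finding in lint_ssl_vhost(SAMPLE_VHOST) or ["no findings"]:
        print(finding)
```

Run against the tutorial's block it reports that SSLv3 is still enabled and that MD5 ciphers are not excluded; adding `-SSLv3` to SSLProtocol and replacing `+MD5` with `!MD5` clears both findings.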
# mkdir -p /var/www/html/ssl
Edit /etc/httpd/conf/httpd.conf:
# vi /etc/httpd/conf/httpd.conf
Require SSL for /var/www/html/ssl and set the remaining options:
<Directory /var/www/html/ssl>
    SSLRequireSSL
    SSLOptions +StrictRequire
    SSLRequire %{HTTP_HOST} eq "www.theitroad.com"
    ErrorDocument 403 https://www.theitroad.com/sslerror.html
</Directory>
You can now upload SSL-only PHP or HTML pages to the /var/www/html/ssl directory and access them at https://www.theitroad.com/url.
Don't forget to restart Apache:
# service httpd restart
Firewall configuration
Edit /etc/sysconfig/iptables.
Add the following line, making sure it appears before the final DROP rule:
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
Save and close the file.
Restart the firewall:
# service iptables restart