1. Background:
The web site needs HTTPS. The plan is to put Apache httpd in front of it as a reverse proxy and let Apache terminate TLS, so the transport between clients and the site is encrypted.
2. Tools:
OS: Red Hat Enterprise Linux Server release 6.5 (Santiago)
Apache: httpd-2.4.39
openssl: openssl-devel-1.0.1e-57.el6.x86_64.rpm, openssl-1.0.1e-57.el6.x86_64.rpm (this build already carries Red Hat's fix for Heartbleed, CVE-2014-0160; rpm -q --changelog openssl | grep -i 2014-0160 confirms it on an installed system)
3. Installation:
Building httpd needs apr, apr-util, pcre and OpenSSL (the headers come from openssl-devel). The configure line used for httpd is:
./configure --prefix="/opt/apache2" --enable-so --enable-ssl --enable-headers --enable-proxy --with-ssl="/usr/bin" --with-apr=/usr/local/apr/ --with-apr-util=/usr/local/apr-util/ --with-pcre=/usr/local/pcre
Note that --with-ssl expects the OpenSSL installation prefix, i.e. the directory that contains include/openssl and lib, which for the RPM-installed openssl-devel is /usr. /usr/bin is merely where the openssl binary lives; the build still succeeds with it because configure's compile test falls back to the system include and library paths, but --with-ssl=/usr is the accurate value.
The apr packages are available from http://archive.apache.org/dist/apr/.
pcre needs libtool and gcc-c++ installed first.
3.1) Installation steps
1) apr-1.4.2.tar.gz (configure is run without --prefix here; APR's default prefix is /usr/local/apr, which is what the apr-util and httpd configure lines below point at)
tar -zxvf apr-1.4.2.tar.gz
cd apr-1.4.2
./configure
make
make install
2) apr-util-1.3.9.tar.gz
tar -zxvf apr-util-1.3.9.tar.gz
cd apr-util-1.3.9
./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
make
make install
3) gcc, g++ (if gcc and g++ are not installed yet, install them before building pcre)
The installation sequence is:
rpm -ivh ppl-0.10.2-11.el6.x86_64.rpm
rpm -ivh cloog-ppl-0.15.7-1.2.el6.x86_64.rpm
rpm -ivh mpfr-2.4.1-6.el6.x86_64.rpm
rpm -ivh cpp-4.4.7-4.el6.x86_64.rpm --force
rpm -ivh kernel-headers-2.6.32-431.el6.x86_64.rpm
rpm -ivh glibc-headers-2.12-1.132.el6.x86_64.rpm --force
rpm -ivh glibc-devel-2.12-1.132.el6.x86_64.rpm --force
rpm -ivh gcc-4.4.7-4.el6.x86_64.rpm --force
rpm -ivh libstdc++-devel-4.4.7-4.el6.x86_64.rpm
rpm -ivh gcc-c++-4.4.7-4.el6.x86_64.rpm
If rpm reports conflicts, the --force option overrides them, as shown above. The packages can be found at http://vault.centos.org/6.5/os/x86_64/Packages/ and http://mirrors.yun-idc.com/centos/6.10/os/x86_64/Packages/. If the machine has a usable yum repository, prefer yum install gcc gcc-c++: it resolves the dependency chain from a single release, whereas rpm --force skips exactly the conflict checks that would flag a mismatch between packages taken from the 6.5 and 6.10 trees and the installed glibc.
4) pcre-8.36.tar.gz
tar -zxvf pcre-8.36.tar.gz
cd pcre-8.36
./configure --prefix=/usr/local/pcre
make
make install
5) httpd-2.4.39.tar.gz
tar -zxvf httpd-2.4.39.tar.gz
cd ./httpd-2.4.39
./configure --prefix="/opt/apache2" --enable-so --enable-ssl --enable-headers --enable-proxy --with-ssl="/usr/bin" --with-apr=/usr/local/apr/ --with-apr-util=/usr/local/apr-util/ --with-pcre=/usr/local/pcre
make
make install
3.2) Creating the SSL key and certificate
Create an ssl.key directory under /opt/apache2/conf and generate the key and certificate in it:
# cd /opt/apache2/conf
# mkdir ssl.key
# cd ssl.key
Generate the server private key:
# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.......................++++++
.................................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: // the passphrase used in this walkthrough is abc123456@!
Verifying - Enter pass phrase for server.key: // repeat the same passphrase
The original run used a 1024-bit key, which is below the 2048-bit minimum that browsers and public CAs accept today; change the last argument to 2048 (or 3072) for a key that will be used for real. -des3 encrypts the key file under the passphrase, which is why httpd asks for it at every start (see the note at the end).
Generate the certificate signing request and fill in the certificate information as prompted:
# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: // the passphrase from the previous step
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GuangDong
Locality Name (eg, city) []:GZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXXXXXXXXA
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:a.test.com // the host name the HTTPS site is served under. This is not your registered domain in general but the exact name clients connect to, e.g. pay.abc.com: abc.com, www.abc.com and pay.abc.com are three different names, and a certificate whose CN is one of them is not valid for the others. Current browsers ignore the CN altogether and match the host name against the subjectAltName extension, which this prompt-driven req command does not add; it has to be supplied through an extension config.
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abc123456@! // optional; nothing in this procedure uses it, so it can be left blank
An optional company name []:BAT
Self-sign the request:
# openssl x509 -req -days 700 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=GuangDong/L=GZ/O=XXXXXXXXXA/OU=IT/CN=a.test.com/emailAddress=[email protected]
Getting Private key
Enter pass phrase for server.key: // the passphrase chosen when the key was created
The subject line echoes the DN entered into the CSR. A certificate produced this way is self-signed: browsers will warn on it and clients such as curl will refuse it unless server.crt is explicitly trusted, so for anything beyond a test setup send server.csr to a CA and use the certificate it returns in place of server.crt. Note also that openssl x509 -req does not copy extensions from the CSR; a subjectAltName has to be supplied again with -extfile/-extensions at signing time.
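The key, CSR and self-signed certificate from this section, redone as an added shell example (not code from the original post) that fixes the two weaknesses noted above: a 2048-bit key instead of 1024 bits, and a subjectAltName that survives self-signing. The host name a.test.com, the DN values, the unencrypted key and the output directory are assumptions; the file names match the ones used in 3.2. It also checks the result the way a practitioner would before pointing httpd at it: CN, SAN, key size, and that the key actually belongs to the certificate.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates a 2048-bit RSA key,
# a CSR with a subjectAltName, and a self-signed certificate, then checks them.
# a.test.com, the DN values and the output directory are assumed values.

# make_selfsigned DIR HOST [DAYS]: writes DIR/server.key, server.csr, server.crt
make_selfsigned() {
    dir="$1"; host="$2"; days="${3:-365}"
    mkdir -p "$dir"
    # Constructed OpenSSL config: the DN plus a SAN, so the name check done by
    # current browsers (which ignore the CN) succeeds as well.
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
default_md = sha256
prompt = no
[ dn ]
C = CN
ST = GuangDong
L = GZ
O = Example Org
CN = $host
[ v3_req ]
subjectAltName = DNS:$host
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Unencrypted key (no -des3), created under umask 077 so it is 0600 from the start.
    (umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/openssl.cnf" 2>/dev/null
    # 'x509 -req' drops the CSR's extensions; -extfile/-extensions put the SAN back.
    openssl x509 -req -days "$days" -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" -extfile "$dir/openssl.cnf" -extensions v3_req 2>/dev/null
}

# cert_cn CERT: print the certificate's CN (handles old "/CN=" and new "CN = " formats)
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_san CERT: print the line under "Subject Alternative Name", e.g. DNS:a.test.com
cert_san() {
    openssl x509 -noout -text -in "$1" | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# key_bits KEY: RSA modulus size in bits
key_bits() {
    openssl rsa -noout -text -in "$1" 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# key_matches_cert KEY CERT: succeeds only if both carry the same RSA modulus,
# i.e. SSLCertificateKeyFile really is the key for SSLCertificateFile.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-alone use: sh mkcert.sh /opt/apache2/conf/ssl.key a.test.com 700
if [ "$#" -ge 2 ]; then
    make_selfsigned "$1" "$2" "${3:-365}"
    echo "CN=$(cert_cn "$1/server.crt") SAN=$(cert_san "$1/server.crt") bits=$(key_bits "$1/server.key")"
    key_matches_cert "$1/server.key" "$1/server.crt" && echo "key matches certificate"
fi
```

The modulus comparison is the check to run whenever SSLCertificateFile and SSLCertificateKeyFile are edited: a key that does not belong to the certificate is the most common reason mod_ssl refuses to start after a certificate is replaced.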
3.3) Configuring httpd.conf and httpd-ssl.conf
httpd.conf is in the conf directory; httpd-ssl.conf is in conf/extra/.
cd /opt/apache2/conf
vi httpd.conf
################# main changes ######################
# uncomment these LoadModule lines
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule ssl_module modules/mod_ssl.so
# also needed: httpd-ssl.conf sets SSLSessionCache "shmcb:...", and mod_ssl refuses to start if the shmcb provider is not loaded
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
# set to this machine's own name (Apache does not allow a comment on the same line as a directive)
ServerName 127.0.0.1:80
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
#######################################
mod_proxy_connect only provides the CONNECT method used by forward proxies. For the reverse-proxy setup described in the background, ProxyPass to an http:// backend needs mod_proxy_http (LoadModule proxy_http_module modules/mod_proxy_http.so) instead, and ProxyRequests must stay Off so the server cannot be used as an open proxy.
vi extra/httpd-ssl.conf
################# main changes ######################
# keep the following directives exactly as shipped (the original notes said to comment them out; do not: they are what disables SSLv3 and the RC4/3DES/MD5 ciphers that OpenSSL 1.0.1 otherwise still offers, and SSLHonorCipherOrder makes the server rather than the client pick the cipher)
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
# change the following
# General setup for the virtual host
DocumentRoot "/opt/apache2/htdocs"
ServerName a.test.com:443
ServerAdmin [email protected]
ErrorLog "/opt/apache2/logs/error_log"
TransferLog "/opt/apache2/logs/access_log"
SSLCertificateFile "/opt/apache2/conf/ssl.key/server.crt"
SSLCertificateKeyFile "/opt/apache2/conf/ssl.key/server.key"
#######################################
ServerName must be the host name in the certificate (a.test.com here, where the shipped file says www.example.com), and the certificate and key paths must point into the ssl.key directory created in 3.2; the shipped defaults conf/server.crt and conf/server.key do not exist, and httpd would fail to start with a file-not-found error.
Then start the server (running ./apachectl configtest first catches syntax and path errors before the passphrase prompt):
cd ../bin
./httpd
Enter the SSL key passphrase when prompted.
Notes:
The pass phrase prompt at every start, and at every restart, including ones triggered by an init script with nobody at the console, can be removed by stripping the passphrase from the key:
# cd /opt/apache2/conf/ssl.key
# cp server.key server.key.secure
# openssl rsa -in server.key.secure -out server.key
The resulting server.key is plaintext, so it must be readable only by root (chmod 600 server.key; httpd loads the key as root at startup, before the worker processes drop to the configured User), and server.key.secure should be moved off the web server or deleted once the plaintext copy is in place.
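To catch the configuration mistakes discussed in 3.3 (the TLS-hardening directives commented out, certificate paths that do not match where the files were generated) together with the file-permission requirement of the passphrase-free key, here is an added shell check that is not part of the original post. It reads a httpd-ssl.conf and reports every deviation. The directive names are Apache's, but the pass/fail policy (which directives must be present and which values count as acceptable) is this example's own assumption; it is not a complete cipher-string evaluator.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the TLS-relevant directives
# of an httpd-ssl.conf. Directive names are Apache's; the policy is an assumption.

# conf_directive CONF NAME: value of the first active (uncommented) NAME directive,
# surrounding quotes removed; empty if the directive is absent or commented out.
conf_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

findings=0
note() { echo "FINDING: $1"; findings=$((findings + 1)); }

# audit_ssl_conf CONF: prints one line per finding; exit status = number of findings
audit_ssl_conf() {
    conf="$1"; findings=0

    proto=$(conf_directive "$conf" SSLProtocol)
    case "$proto" in
        "")        note "SSLProtocol not set; relying on the compiled-in default" ;;
        *-SSLv3*|*-all*) ;;                              # SSLv3 explicitly disabled
        *all*|*SSLv3*|*SSLv2*) note "SSLProtocol leaves SSLv3 enabled: $proto" ;;
    esac

    suite=$(conf_directive "$conf" SSLCipherSuite)
    case "$suite" in
        "")      note "SSLCipherSuite not set; OpenSSL's DEFAULT list applies (RC4 and 3DES on 1.0.1)" ;;
        *!RC4*)  ;;
        *)       note "SSLCipherSuite does not exclude RC4: $suite" ;;
    esac

    case "$(conf_directive "$conf" SSLHonorCipherOrder)" in
        [Oo][Nn]) ;;
        *)        note "SSLHonorCipherOrder is not on; the client chooses the cipher" ;;
    esac

    cert=$(conf_directive "$conf" SSLCertificateFile)
    if [ -z "$cert" ] || [ ! -f "$cert" ]; then
        note "SSLCertificateFile missing or file not found: '$cert'"
    fi

    key=$(conf_directive "$conf" SSLCertificateKeyFile)
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        note "SSLCertificateKeyFile missing or file not found: '$key'"
    else
        # columns 5-10 of the ls -l mode string are the group and other bits
        case "$(ls -ld "$key" | cut -c5-10)" in
            *[rwx]*) note "private key is readable by group/others: $key" ;;
        esac
    fi
    return "$findings"
}

# Stand-alone use: sh audit_ssl.sh /opt/apache2/conf/extra/httpd-ssl.conf
if [ "$#" -eq 1 ]; then
    audit_ssl_conf "$1" && echo "OK: no findings in $1"
fi
```

Run it against the file as it was after the original "comment out these lines" step and it reports five findings (three missing directives, two certificate paths that do not exist); after the corrections in 3.3 and a chmod 600 on the plaintext key it reports none.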