As we all know:
The main security threat of the HTTP protocol is that it transmits everything in plain text. To protect the data exchanged between the client and the web server, the transport between them has to be encrypted.
SSL is an encrypted transport protocol that sits between the web browser and the web server. Only once the server has been authenticated can the connection between client and server be considered secure.
How SSL works:
The client connects to the web server; the server selects a key pair and sends its public key, signed so that the client can trust it, to the client.
The client checks this credential against its own CA. The client then encrypts data with the public key, generates a random number and sends it to the server; at this point the client holds nothing more than that number.
The web server receives the client's encrypted data and decrypts it with the private key of the key pair.
Both the client and the server work with random values.
1. Test that Apache runs successfully:
cd /etc/httpd
php.ini-recommended and php.ini are backups of each other
mod_php.conf.example and mod_php.conf are backups of each other
vi /etc/httpd/httpd.conf
Include /etc/httpd/mod_php.conf
DirectoryIndex index.html index.htm index.php
cd /etc/rc.d
sh rc.httpd start
cd /srv/httpd/htdocs/
vi info.php
<html><head><title>php test script</title>
</head><body>
<?php
phpinfo();
?>
</body></html>
2. Initialize MySQL as root:
su mysql
mysql_install_db
chown -R mysql:mysql /var/lib/mysql
sh /etc/rc.d/rc.mysqld start
mysqladmin -u root password XXX
mysqladmin -u root -p create testdb
mysql -u root -p
Enable MySQL support in PHP as well:
vi /etc/httpd/php.ini
extension=mysql.so
3. Generate the SSL key pair and certificate:
To get a certificate signed by a CA, you first need to create a keypair and a certificate request:
openssl req -new -sha1 -newkey rsa:1024 -nodes \
-keyout server.key -out www.example.com.csr \
-subj '/O=Company/OU=Department/CN=www.example.com'
For testing purposes, or for a small LAN, you can create a self-signed certificate instead. This is done with:
openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 \
-nodes -keyout server.key -out server.crt \
-subj '/O=Company/OU=Department/CN=www.example.com'
Rename the certificate returned by the CA to server.crt and verify it:
openssl verify -CAfile /path/to/trusted_ca.crt -purpose sslserver server.crt
Check that these two commands print the same output, which confirms that the private key belongs to the certificate:
openssl x509 -noout -modulus -in server.crt | openssl sha1
openssl rsa -noout -modulus -in server.key | openssl sha1
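Added example (shell, not part of the original notes): the generate-then-check procedure above as functions, so the modulus comparison and the `openssl verify` step can be scripted instead of eyeballed. It assumes the openssl CLI is installed; the directory layout and function names are this example's own. It uses SHA-256 and 2048-bit RSA rather than the page's SHA-1/1024-bit parameters, which current OpenSSL security levels and browsers reject.

```shell
#!/bin/sh
# Added example, not from the original notes. Wraps the page's openssl steps:
# create a self-signed server certificate, confirm the certificate and private
# key belong together, and run the CA verification. Assumes the openssl CLI.

# make_selfsigned DIR CN
# Writes DIR/server.key and DIR/server.crt (self-signed, valid 365 days).
# SHA-256 / RSA-2048 replace the page's sha1 / rsa:1024, which modern
# OpenSSL security levels refuse to sign or verify with.
make_selfsigned() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    openssl req -new -x509 -days 365 -sha256 -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/O=Company/OU=Department/CN=$cn" >/dev/null 2>&1
}

# keypair_matches KEY CERT
# Exit 0 when the RSA modulus embedded in CERT equals the one in KEY, which
# is exactly what the page's two "-modulus" commands compare by hand. The
# raw "Modulus=..." lines are compared directly; hashing them first, as the
# page does, only shortens the output for a human reader.
keypair_matches() {
    key=$1; cert=$2
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# cert_trusted_by CERT CAFILE
# Exit 0 when CERT chains to CAFILE and is usable as a TLS server certificate
# (the page's "openssl verify -purpose sslserver" check). A self-signed
# certificate is trusted only by itself.
cert_trusted_by() {
    openssl verify -CAfile "$2" -purpose sslserver "$1" >/dev/null 2>&1
}

# Demo: run with "demo" as the first argument.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_selfsigned "$work" www.example.com
    if keypair_matches "$work/server.key" "$work/server.crt"; then
        echo "server.key matches server.crt"
    else
        echo "server.key does NOT match server.crt"
    fi
    if cert_trusted_by "$work/server.crt" "$work/server.crt"; then
        echo "server.crt verifies against itself (self-signed)"
    fi
    rm -rf "$work"
fi
```

Run it as `sh check_cert.sh demo`; in a deployment script, call `keypair_matches` on the files just before copying them into /etc/httpd so a key/certificate mix-up fails loudly instead of surfacing as an Apache startup error.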
Copy the generated certificate and key into the httpd directory:
cp server.crt /etc/httpd/server.crt
cp server.key /etc/httpd/server.key
vi /etc/httpd/httpd.conf
LoadModule ssl_module lib/httpd/modules/mod_ssl.so
Configure Apache for SSL:
Listen 80
Listen 443
# =================================================
# SSL/TLS settings
# =================================================
#NameVirtualHost *:443
<VirtualHost *:443>
DocumentRoot "/srv/httpd/htdocs"
SSLEngine on
SSLOptions +StrictRequire
<Directory />
SSLRequireSSL
</Directory>
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
SSLSessionCacheTimeout 600
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
SSLVerifyClient none
SSLProxyEngine off
<IfModule mime.c>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfModule>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
#NameVirtualHost *:80
<VirtualHost *:80>
DocumentRoot "/srv/httpd/htdocs"
# Host-specific directory setup, options, etc
# Most of these options are likely to be set outside the VirtualHosts
# sections.
</VirtualHost>
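Added example (shell, not from the original notes): two checks worth running against the fragment above before starting Apache. The `SSLProtocol -all +TLSv1 +SSLv3` line re-enables SSLv3, which has been considered broken since the POODLE attack (2014); current deployments use `-all +TLSv1.2 +TLSv1.3`. The script applies the tokens of each SSLProtocol directive the way mod_ssl's parser does and reports whether SSLv3 ends up enabled, and it checks that the copied private key is not readable by group or others. The sample config fragments are constructed for this example; the directive name and token semantics are mod_ssl's, the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the mod_ssl settings the
# page puts in httpd.conf. Sample fragments below are constructed here.

# sslprotocol_line_ok LINE
# LINE is one "SSLProtocol ..." directive. Tokens are applied in order as
# mod_ssl does: "-X" removes, "+X" adds, and a bare token REPLACES the whole
# set (mod_ssl logs a warning for that case). "all" is counted as including
# SSLv3, which is what older Apache/OpenSSL builds did.
# Exit 0 when SSLv3 is not enabled at the end of the line.
sslprotocol_line_ok() {
    set -- $(printf '%s\n' "$1" | tr 'A-Z' 'a-z')
    shift                       # drop the directive name itself
    sslv3=0
    for tok in "$@"; do
        case "$tok" in
            -all|-sslv3)   sslv3=0 ;;
            +all|+sslv3)   sslv3=1 ;;
            all|sslv3)     sslv3=1 ;;   # bare token: set becomes {this}
            +*|-*)         ;;           # other +/- tokens leave SSLv3 alone
            *)             sslv3=0 ;;   # bare TLS token: set becomes {this}
        esac
    done
    [ "$sslv3" -eq 0 ]
}

# sslprotocol_ok FILE
# Exit 0 when FILE contains at least one SSLProtocol directive and every one
# of them leaves SSLv3 disabled. No directive at all is reported as a
# failure: the build's default should not be relied on.
sslprotocol_ok() {
    found=0; weak=0
    while read -r line; do
        [ -n "$line" ] || continue
        found=1
        sslprotocol_line_ok "$line" || weak=1
    done <<EOF
$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$1" || true)
EOF
    [ "$found" -eq 1 ] && [ "$weak" -eq 0 ]
}

# key_perms_ok KEYFILE
# Exit 0 when the private key exists and has no group/other permission bits;
# httpd reads it as root at startup and nobody else needs it.
key_perms_ok() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -perm /077)" ]
}

# Demo: run with "demo" as the first argument. The first fragment is the
# page's own SSLProtocol line, the second a hardened replacement.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    printf 'SSLProtocol -all +TLSv1 +SSLv3\n' > "$work/page.conf"
    printf 'SSLProtocol -all +TLSv1.2 +TLSv1.3\n' > "$work/hardened.conf"
    for f in page hardened; do
        if sslprotocol_ok "$work/$f.conf"; then
            echo "$f.conf: SSLv3 disabled"
        else
            echo "$f.conf: SSLv3 enabled, tighten SSLProtocol"
        fi
    done
    rm -rf "$work"
fi
```

Point `sslprotocol_ok` at the real /etc/httpd/httpd.conf and `key_perms_ok` at /etc/httpd/server.key as a pre-start check alongside `apachectl configtest`; configtest only proves the syntax parses, not that the protocol set or key permissions are sensible.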
Test SSL:
apachectl configtest
apachectl stop
apachectl start
netstat -tpan | grep 443