Setting up encrypted communication with the server: mod_ssl
[root@r2cn ~]# yum -y install mod_ssl ← install mod_ssl
Generating the key and certificate
[root@r2cn ~]# cd /etc/pki/tls/certs/ ← change to the certificate directory
[root@r2cn certs]# sed -i 's/365/3650/g' Makefile ← change the certificate validity from 1 year to 10 years
[root@r2cn certs]# make server.crt ← generate the server key and certificate
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
.................++++++
............++++++
e is 65537 (0x10001)
Enter pass phrase: ← any passphrase (it is not echoed)
Verifying - Enter pass phrase: ← confirm the passphrase
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -x509 -days 3650 -out server.crt -set_serial 0
Enter pass phrase for server.key: ← enter the same passphrase again
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN ← country
State or Province Name (full name) [Berkshire]:Liaoning ← province
Locality Name (eg, city) [Newbury]:Shenyang ← city
Organization Name (eg, company) [My Company Ltd]:R2CN.net ← site name
Organizational Unit Name (eg, section) []: ← leave blank, just press Enter
Common Name (eg, your name or your server's hostname) []:r2cn.net ← hostname
Email Address []:webmaster@r2cnsrv.com ← administrator e-mail address
[root@r2cn certs]# openssl rsa -in server.key -out server.key ← remove the passphrase from the server key
Enter pass phrase for server.key: ← enter the passphrase
writing RSA key
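An added example, not part of the original page: the key and certificate steps above done non-interactively with openssl, followed by the checks worth running before pointing ssl.conf at the files. It assumes openssl is on PATH; OUT_DIR is a placeholder for /etc/pki/tls/certs, the DN values are copied from the session above, and it uses a 2048-bit key where the page's Makefile uses 1024.

```shell
#!/bin/sh
# Added example: non-interactive equivalent of "make server.crt" plus the
# "openssl rsa -in server.key -out server.key" step, with sanity checks.
# Assumes openssl is installed. OUT_DIR is a placeholder for /etc/pki/tls/certs.
set -eu

OUT_DIR="${OUT_DIR:-./certs}"
DAYS=3650   # the 10-year validity the page sets by editing the Makefile
# DN values copied from the interactive session above
SUBJ="/C=CN/ST=Liaoning/L=Shenyang/O=R2CN.net/CN=r2cn.net/emailAddress=webmaster@r2cnsrv.com"

# Generate key and self-signed certificate in one step. -nodes writes the key
# without a passphrase (the same end state as the page's "openssl rsa" step),
# so httpd can start unattended; 2048 bits instead of the page's 1024.
gen_self_signed() {
    mkdir -p "$OUT_DIR"
    umask 077   # same purpose as the Makefile's "umask 77": key readable by owner only
    openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" -subj "$SUBJ" \
        -keyout "$OUT_DIR/server.key" -out "$OUT_DIR/server.crt" 2>/dev/null
}

# The key and certificate must share the same RSA modulus, otherwise httpd
# refuses to start with a key/certificate mismatch error.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$OUT_DIR/server.key" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$OUT_DIR/server.crt" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# A passphrase-protected PEM key carries "ENCRYPTED" in its header; an
# unattended httpd needs the key without it.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$OUT_DIR/server.key"
}

# Because the key has no passphrase, file permissions are its only protection:
# it must be readable by the owner (root) alone, mode 0600.
key_mode_is_private() {
    [ "$(ls -l "$OUT_DIR/server.key" | cut -c1-10)" = "-rw-------" ]
}

# Extract the CN so it can be compared with the hostname clients will type;
# handles both the "CN = x" and "/CN=x" subject formats of different openssl versions.
cert_cn() {
    openssl x509 -noout -subject -in "$OUT_DIR/server.crt" \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Validity window, for a final check against the intended 10 years.
cert_dates() {
    openssl x509 -noout -dates -in "$OUT_DIR/server.crt"
}
```

Run gen_self_signed, then the four checks; each returns non-zero when something is wrong, so they can be chained with && in a deployment script.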
Configuring SSL
[root@r2cn certs]# vi /etc/httpd/conf.d/ssl.conf ← edit the Apache SSL configuration file
SSLCertificateFile /etc/pki/tls/certs/server.crt ← specify the server certificate
SSLCertificateKeyFile /etc/pki/tls/certs/server.key ← specify the server key
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html" ← remove the # (uncomment the line)
↓
DocumentRoot "/var/www/html"
Restarting Apache
[root@r2cn ~]# /etc/rc.d/init.d/httpd restart ← restart Apache
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
The following configuration handles the case of several domain names on a single IP address; it can be dealt with as follows.
Example: two domains, r2cn.com and r2cn.net.
r2cn.com is the primary host: visiting https://r2cn.com is served over https as normal, while visiting https://r2cn.net is automatically redirected to http://r2cn.net.
I have already applied this on my own server, so you can see it in action.
[root@r2cn ~]# vi /etc/httpd/conf.d/ssl.conf ← edit the server SSL configuration file
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
--append the following--
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteLog "logs/rewrite_log"
RewriteLogLevel 0
RewriteCond %{HTTP_HOST} !^r2cn.com$ ← specify the primary domain
RewriteRule ^/(.*)?$ http://%{HTTP_HOST}/$1 [L,R]
</IfModule>
--end--
</VirtualHost>