1. On SUSE you can install Apache directly with zypper in apache, but after installing it that way I did not know how to get HTTPS access working, so I installed from the tar.gz instead.
2. Download the Apache tarball and build it. If configure fails with configure: error: APR not found. Please read the documentation,
refer to this article: http://blog.csdn.net/u011350541/article/details/62419344
However, the pcre version that article uses has a problem and fails to compile, so I downloaded a pcre package again from
https://ftp.pcre.org/pub/pcre/
3. Once Apache's dependencies are installed, go to the unpacked Apache directory (httpd-2.4.25) and run:
./configure --prefix=/usr/local/apache --enable-rewrite --enable-so --enable-modules=all --enable-mods-shared=all --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --with-pcre=/usr/local/pcre --with-ssl=/usr/local/openssl/ssl
then make && make install
4. That completes the Apache install. Start the service with /usr/local/apache/bin/apachectl start; if visiting the node's address shows It works!, the install succeeded.
5. The next step was to reach Apache over HTTPS. I edited the config file following online tutorials and put the certificates in the directory it specifies. Very soon it errored out saying the mod_ssl.so module could not be found.
So the module has to be built first. In the Apache source tree, in the modules/ssl subdirectory (see the prompt below), run:
/usr/local/apache/bin/apxs -i -a -c mod_ssl.c
6. If the build fails like this:
bajie02:/opt/httpd-2.4.25/modules/ssl # /usr/local/apache/bin/apxs -i -a -c mod_ssl.c
/usr/local/apr/build-1/libtool --silent --mode=compile gcc -std=gnu99 -prefer-pic -D_REENTRANT -D_GNU_SOURCE -g -O2 -pthread -I/usr/local/apache/include -I/usr/local/apr/include/apr-1 -I/usr/local/apr-util/include/apr-1 -c -o mod_ssl.lo mod_ssl.c && touch mod_ssl.slo
In file included from mod_ssl.c:27:0:
ssl_private.h:85:30: fatal error: openssl/opensslv.h: No such file or directory
#include <openssl/opensslv.h>
^
compilation terminated.
apxs:Error: Command failed with rc=65536
7. That is because the OpenSSL development headers are missing; install them with:
zypper in openssl-devel
8. With that, the ssl module builds. The compiled mod_ssl.so now appears under /usr/local/apache/modules.
9. Edit httpd.conf and add the line
LoadModule ssl_module modules/mod_ssl.so
and uncomment this line: Include conf/extra/httpd-ssl.conf
10. Put the certificates where the config file expects them.
11. Sometimes it really comes down to luck: I ran make & make install three times before the Apache build succeeded.... After that you still need to run
make clean && make distclean
12. The reason mod_ssl was not loaded earlier is that instead of --enable-modules=all --enable-mods-shared=all
I had written --enable-so --enable-modules=most --enable-mods-shared=most
So some of what you find online really does lead you astray!
13. At this point Apache is reachable over HTTPS end to end; a small padlock with an × appeared next to the browser's address bar, which I found gratifying.
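Steps 1 to 13 above, consolidated into one script. This is an added example written for this page, not the original post's commands. It installs the OpenSSL headers before running configure, passes --enable-ssl so that configure stops with an error if OpenSSL is unusable instead of quietly leaving mod_ssl out (which is what happens with most/all when the headers of step 7 are missing, and why step 5 could not find mod_ssl.so), and verifies the result. It also avoids the apxs route of step 5: apxs -c mod_ssl.c compiles only that one source file and not the ssl_engine_*.c and ssl_util*.c files beside it, so the resulting mod_ssl.so is missing symbols, which matches the summary's remark that Apache would not accept the hand-built module. Assumed, not from the post: the source directories under /opt (apr-*, apr-util-*, pcre-*), the SUSE package name libopenssl-devel (the post used openssl-devel), and the helper names check_openssl_headers, configure_args, has_ssl_module, build_dep and build_all. Nothing is compiled or installed unless RUN_BUILD=1 is set.

```shell
#!/bin/sh
# Added example (not the post's own commands): build httpd 2.4.25 on SUSE with
# mod_ssl compiled in from the start, then verify it. Assumed: sources unpacked
# under $SRC, the post's install prefixes, SUSE's libopenssl-devel package name
# (the post used openssl-devel), and the helper names below.
set -eu

SRC=${SRC:-/opt}
PREFIX=${PREFIX:-/usr/local/apache}
APR=${APR:-/usr/local/apr}
APU=${APU:-/usr/local/apr-util}
PCRE=${PCRE:-/usr/local/pcre}
SSL_DIR=${SSL_DIR:-/usr}     # prefix holding include/openssl/ after the -devel package is installed
HTTPD_SRC=${HTTPD_SRC:-$SRC/httpd-2.4.25}

# The mod_ssl build dies with "openssl/opensslv.h: No such file or directory"
# (step 6) when this header is absent; check before spending time in configure.
check_openssl_headers() {   # $1 = prefix holding include/openssl
    [ -f "$1/include/openssl/opensslv.h" ]
}

# --enable-ssl makes configure fail loudly if OpenSSL is unusable. With only
# --enable-mods-shared=most/all, configure skips mod_ssl without comment and
# you discover it later, when LoadModule cannot find mod_ssl.so (step 5).
configure_args() {
    printf '%s ' \
        "--prefix=$PREFIX" --enable-so --enable-rewrite \
        --enable-mods-shared=all --enable-ssl \
        "--with-apr=$APR" "--with-apr-util=$APU" \
        "--with-pcre=$PCRE" "--with-ssl=$SSL_DIR"
}

# Reads `httpd -M` output on stdin; true only if ssl_module is among the
# loaded modules, i.e. the .so exists AND its LoadModule line is active.
has_ssl_module() {
    grep -q '^ *ssl_module '
}

build_dep() {   # $1 = source dir, remaining args = configure flags
    dir=$1; shift
    ( cd "$dir" && ./configure "$@" && make && make install )
}

build_all() {
    zypper --non-interactive install gcc make libopenssl-devel
    check_openssl_headers "$SSL_DIR" || { echo "OpenSSL headers not under $SSL_DIR" >&2; exit 1; }
    build_dep "$SRC"/apr-[0-9]*  --prefix="$APR"
    build_dep "$SRC"/apr-util-*  --prefix="$APU" --with-apr="$APR"
    build_dep "$SRC"/pcre-*      --prefix="$PCRE"
    build_dep "$HTTPD_SRC" $(configure_args)   # flags are deliberately word-split
    [ -f "$PREFIX/modules/mod_ssl.so" ] || { echo "mod_ssl.so was not built" >&2; exit 1; }
    # Enable the module and the TLS vhost (step 9), then confirm httpd sees it.
    sed -i -e 's|^#\(LoadModule ssl_module modules/mod_ssl.so\)|\1|' \
           -e 's|^#\(Include conf/extra/httpd-ssl.conf\)|\1|' "$PREFIX/conf/httpd.conf"
    "$PREFIX/bin/httpd" -t
    "$PREFIX/bin/httpd" -M | has_ssl_module || { echo "ssl_module not loaded" >&2; exit 1; }
}

if [ "${RUN_BUILD:-0}" = 1 ]; then build_all; fi
```

Run it as RUN_BUILD=1 sh build-httpd-ssl.sh (file name assumed) on the build host. If the & in step 11 is literal, make and make install race each other, which is one plausible reason a build only succeeds every third attempt; build_dep runs them strictly in sequence.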
To sum up, the hard parts were:
1. Installing the Apache module: because my configure flags were wrong, I forced a separate build of mod_ssl, and in the end Apache still would not accept it.
2. Installing the dependency software: altogether I installed 4 Apache dependency packages plus one OpenSSL dependency package, namely:
apr, apr-util, pcre, openssl, openssl-devel
3. When starting Apache I recommend using the full path, for example (you also have to type the certificate pass phrase):
bajie02:/usr/local/apache/bin # /usr/local/apache/bin/apachectl start
Apache/2.4.25 mod_ssl (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Private key 172.16.15.15:443:0 (/usr/local/apache/conf/server.key)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
4. Comment out port 80 in httpd.conf and the site is reachable only over https.
Config files:
httpd.conf
ServerRoot "/usr/local/apache"
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule ssl_module modules/mod_ssl.so
<IfModule unixd_module>
User daemon
Group daemon
</IfModule>
ServerAdmin you@example.com
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/usr/local/apache/htdocs"
<Directory "/usr/local/apache/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" common
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
</IfModule>
<IfModule cgid_module>
</IfModule>
<Directory "/usr/local/apache/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule headers_module>
RequestHeader unset Proxy early
</IfModule>
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
</IfModule>
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
Include conf/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
httpd-ssl.conf
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost _default_:443>
DocumentRoot "/usr/local/apache/htdocs"
ServerName 172.16.15.15:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/error_log"
TransferLog "/usr/local/apache/logs/access_log"
SSLEngine on
SSLCertificateFile "/usr/local/apache/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "/usr/local/apache/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
What remains is creating the certificates; see http://blog.csdn.net/fyang2007/article/details/6180361 [note: its way of generating the client-side certificate is wrong!]
Principles of two-way (mutual) and one-way TLS: http://blog.csdn.net/lonelyrains/article/details/17397347
Best article for understanding it: http://blog.csdn.net/until_v/article/details/40889565
Reference documents:
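An added example, written for this page and not taken from the post or any of the linked articles, covering the certificate step mentioned above and the httpd-ssl.conf shown earlier. It generates a self-signed certificate whose subjectAltName carries the address clients actually type (default 172.16.15.15, the post's ServerName; browsers match only the SAN, never the CN, and an IP address must be an IP: entry, so a CN-only certificate is rejected even after its issuer is trusted), writes the key unencrypted so apachectl start no longer stops at the pass phrase dialog shown in the summary, and renders a tightened httpd-ssl.conf. The post's weaker settings are kept as comments next to the replacements: SSLProtocol all -SSLv3 still negotiates TLS 1.0 and 1.1, HIGH:MEDIUM keeps 3DES and non-forward-secret RSA key exchange, Options Indexes publishes directory listings, and commenting out Listen 80 (summary point 4) leaves plain-http visitors with a connection error where a redirect would carry them to https. Assumptions: the post's /usr/local/apache layout, httpd 2.4.25 on an OpenSSL 1.0.x build (TLS 1.2 is the newest version it can offer), mod_headers and mod_alias loaded as in the post's httpd.conf, and the helper names san_entry, req_config, render_ssl_conf, make_cert and install_conf. Nothing is written unless RUN=1 is set.

```shell
#!/bin/sh
# Added example (not the post's own files): self-signed certificate with a SAN
# plus a tightened httpd-ssl.conf for the post's /usr/local/apache layout.
# Assumed defaults: SERVER_NAME is the post's ServerName; helper names are ours.
set -eu

PREFIX=${PREFIX:-/usr/local/apache}
SERVER_NAME=${SERVER_NAME:-172.16.15.15}

# subjectAltName entry for the name clients will type. Browsers match only
# the SAN, never the CN, and an IPv4 literal must be an IP: entry, not DNS:.
san_entry() {   # $1 = DNS name or dotted-quad
    case "$1" in
        *[!0-9.]*) printf 'DNS:%s' "$1" ;;
        *)         printf 'IP:%s'  "$1" ;;
    esac
}

# OpenSSL req config for a self-signed server certificate, printed so it can
# be inspected before use.
req_config() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\nprompt=no\n'
    printf '[dn]\nCN=%s\n' "$SERVER_NAME"
    printf '[v3]\nsubjectAltName=%s\nbasicConstraints=CA:FALSE\n' "$(san_entry "$SERVER_NAME")"
    printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n'
}

make_cert() {
    cfg=$(mktemp)
    req_config >"$cfg"
    umask 077   # the key is written unencrypted: file permissions are its only protection
    # -nodes: no pass phrase, so `apachectl start` no longer blocks on the
    # "Enter pass phrase" dialog shown in the post's summary.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$cfg" \
        -keyout "$PREFIX/conf/server.key" -out "$PREFIX/conf/server.crt"
    rm -f "$cfg"
    chown root:root "$PREFIX/conf/server.key"   # httpd reads it as root before dropping to User daemon
    openssl x509 -in "$PREFIX/conf/server.crt" -noout -text | grep -A1 'Subject Alternative Name'
}

# Replacement for conf/extra/httpd-ssl.conf. "Post:" comments show the weaker
# setting from the original file next to the tightened one.
render_ssl_conf() {
cat <<EOF
Listen 443
# Post: SSLProtocol all -SSLv3   (still negotiates TLS 1.0 and 1.1)
SSLProtocol -all +TLSv1.2
SSLHonorCipherOrder on
# Post: HIGH:MEDIUM:!MD5:!RC4   (keeps 3DES and static-RSA suites without forward secrecy)
SSLCipherSuite ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!MD5:!RC4:!3DES
SSLSessionCache "shmcb:$PREFIX/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

# Post: comment out Listen 80. Leaving port 80 open only to redirect means
# nothing but the redirect is ever served in clear text.
<VirtualHost _default_:80>
    ServerName $SERVER_NAME
    Redirect permanent / https://$SERVER_NAME/
</VirtualHost>

<VirtualHost _default_:443>
    ServerName $SERVER_NAME
    DocumentRoot "$PREFIX/htdocs"
    SSLEngine on
    SSLCertificateFile "$PREFIX/conf/server.crt"
    SSLCertificateKeyFile "$PREFIX/conf/server.key"
    # Post: Options Indexes FollowSymLinks   (lists any directory lacking index.html)
    <Directory "$PREFIX/htdocs">
        Options -Indexes +FollowSymLinks
        Require all granted
    </Directory>
    # mod_headers is loaded in the post's httpd.conf. Browsers honour HSTS only
    # for DNS names, so with an IP address this line is inert but harmless.
    Header always set Strict-Transport-Security "max-age=31536000"
    CustomLog "$PREFIX/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
EOF
}

install_conf() {
    render_ssl_conf >"$PREFIX/conf/extra/httpd-ssl.conf"
    "$PREFIX/bin/apachectl" configtest   # syntax check before restarting
}

if [ "${RUN:-0}" = 1 ]; then
    make_cert
    install_conf
fi
```

After RUN=1 sh make-ssl-vhost.sh (file name assumed) and apachectl restart, openssl s_client -connect 172.16.15.15:443 -tls1 should fail the handshake while -tls1_2 succeeds, and the pass phrase prompt from the summary is gone. The trade-off is that the unencrypted key is protected only by its 0600 root-owned permissions, which is the usual choice for a server that must restart unattended; keep SSLPassPhraseDialog and an encrypted key only if someone is always present to type the phrase.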
http://blog.csdn.net/cy_cai/article/details/9070459
http://blog.csdn.net/leexide/article/details/21654489
http://blog.csdn.net/zouqingfang/article/details/51484357
http://blog.csdn.net/agonie201218/article/details/54866268 [see this link for how to generate the client certificate]