1. Hardening Apache with SSL

SSL overview:
Running a web server with SSL support raises the security of a site. The SSL protocol sits between the TCP/IP layer and HTTP. SSL uses encryption to protect the traffic between the web server and the browser; besides encrypting the data that travels over the Internet it also provides authentication of both parties, so that, for example, a customer can shop online without worrying that a credit card number will be stolen on the way. This makes SSL suitable wherever important information is exchanged, such as e-commerce and web-based mail.

The SSL handshake proceeds as follows:
① The user's browser visits the web server site and sends an SSL handshake request;
② The web server responds and presents its server certificate (public key), which identifies the site;
③ The browser verifies the server certificate and generates a random session key, 128 bits long;
④ The browser encrypts the session key with the web server's public key;
⑤ The browser sends the encrypted session key to the web server;
⑥ The web server decrypts it with its own private key and recovers the real session key;
⑦ Browser and web server now share the same session key and can safely use it to encrypt the rest of the communication;
⑧ The secure channel is established.

Setting up SSL communication (i.e. https on Apache, with a certificate and key):
Method 1: have a certificate authority (CA) server issue the web server's certificate
<1> Root CA configuration:
Make sure the openssl package is installed (the original post shows this in a screenshot).
(1) Edit /etc/pki/tls/openssl.cnf (first back it up as openssl.cnf.raw):
[CA_default]
default_days = 3650          certificate validity of ten years (line 73); make it long, otherwise everything has to be redone once it expires
[req]
default_bits = 1024          change to 2048, the key length (line 106)
[usr_cert]
basicConstraints=CA:FALSE    change to CA:TRUE so that subordinate certificates can be issued (line 172)
[v3_req]
basicConstraints = CA:FALSE  change to CA:TRUE (line 223)
After editing, save a copy named openssl.cnf.rootca as the root CA's configuration file:
#cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.rootca
This lets it issue subordinate certificates.
(2) Change to the /etc/pki/tls/misc directory.
That directory contains the CA script, which can be used to create the root CA.
Edit the CA file, find DAYS="-days ..." and CADAYS="-days ..." (lines 63 and 64) and set them to:
DAYS="-days 3650"    #10years
CADAYS="-days 3650"  #10years
Create the root CA.
Two directories are involved: /etc/pki/tls/misc is the working directory and /etc/pki/CA holds all CA-related files. After this step a set of files is generated under /etc/pki/CA, the most important being:
/etc/pki/CA/private/cakey.pem   the CA's private key
/etc/pki/CA/cacert.pem          the CA's certificate
Note: if the script finds files already present under /etc/pki/CA it exits quietly without creating anything. Delete everything under /etc/pki/CA and the script works normally:
#rm -rf /etc/pki/CA/
#cd /etc/pki/tls/misc/
Run the CA script to create the root CA (i.e. request a certificate for the root CA):
#./CA -newca
Note in particular that when you enter the Common Name while creating the certificate, if you enter the FQDN the client must connect using the FQDN, and if you enter the IP the client must connect using the IP. If you use an FQDN, use it everywhere; otherwise use the IP address everywhere.
The process is as follows:
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
..................................++++++
.....++++++
writing new private key to '../../CA/private/cakey.pem'
Enter PEM pass phrase:                          -- enter the root CA private key pass phrase
Verifying - Enter PEM pass phrase:              -- confirm the pass phrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:                          -- country code (e.g. US, CN)
State or Province Name (full name) [Berkshire]:             -- state or province
Locality Name (eg, city) [Newbury]:                         -- city
Organization Name (eg, company) [My Company Ltd]:           -- organization
Organizational Unit Name (eg, section) []:                  -- department
Common Name (eg, your name or your server's hostname) []:   -- the certificate name, normally the root CA server's fully qualified name, e.g. slave-redis
Email Address []:                                           -- contact e-mail

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:          -- password for the request; skip
An optional company name []:      -- optional company name; skip
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c4:87:8a:c3:fd:11:b2:61
        Validity
            Not Before: Jul 23 06:43:39 2010 GMT
            Not After : Jul 22 06:43:39 2013 GMT
        Subject:
            countryName               = GB
            stateOrProvinceName       = Berkshire
            organizationName          = My Company Ltd
            commonName                = svr.example.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                4B:11:F1:EE:53:DC:74:2A:66:F4:C5:E4:5A:15:61:8B:7A:4D:1F:2D
            X509v3 Authority Key Identifier:
                keyid:4B:11:F1:EE:53:DC:74:2A:66:F4:C5:E4:5A:15:61:8B:7A:4D:1F:2D
                DirName:/C=GB/ST=Berkshire/O=My Company Ltd/CN=ldapm.dh.cn
                serial:C4:87:8A:C3:FD:11:B2:61
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jul 22 06:43:39 2013 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
After successful creation, /etc/pki/CA/private/ contains the key cakey.pem (set its permissions to 400),
and /etc/pki/CA/ contains the root CA certificate cacert.pem.
#cd /etc/pki/CA
#openssl x509 -noout -text -in cacert.pem
The output must show
    X509v3 Basic Constraints:
        CA:TRUE
which means the CA can issue subordinate certificates.
<2> Issue the web server certificate:
The web server certificate is also issued by the root CA, but in its extensions it must be an end-entity certificate, so /etc/pki/tls/openssl.cnf has to be changed to match.
Configuration for issuing the server certificate:
[CA_default]
default_days=3650
[req]
default_bits=1024
[usr_cert]
basicConstraints=CA:FALSE
[v3_req]
basicConstraints=CA:FALSE
#cd /etc/pki/tls/misc/
#./CA -newreq   (similar to creating the root CA certificate)
Generating a 1024 bit RSA private key
...............++++++
.++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:   -- the certificate name, normally the web server's fully qualified name, e.g. svr.example.com; important, it is used later
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
Sign the certificate request:
#./CA -sign   (sign the certificate)
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:   -- enter the root CA's private key pass phrase
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c4:87:8a:c3:fd:11:b2:62
        Validity
            Not Before: Jul 23 06:52:31 2010 GMT
            Not After : Jul 23 06:52:31 2011 GMT
        Subject:
            countryName               = GB
            stateOrProvinceName       = Berkshire
            localityName              = Newbury
            organizationName          = My Company Ltd
            commonName                = svr.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                BE:21:BD:4C:39:C1:B4:26:B4:EB:ED:B6:42:36:97:1F:97:49:15:49
            X509v3 Authority Key Identifier:
                keyid:4B:11:F1:EE:53:DC:74:2A:66:F4:C5:E4:5A:15:61:8B:7A:4D:1F:2D
Certificate is to be certified until Jul 23 06:52:31 2011 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
That completes the web server certificate; just make sure it really is an end-entity certificate.
Verify the web server certificate:
#openssl x509 -noout -text -in newcert.pem
    X509v3 Basic Constraints:
        CA:FALSE
indicates an end-entity certificate.
#cd /etc/pki/tls/misc
#openssl verify -CAfile /etc/pki/CA/cacert.pem newcert.pem
On success it prints newcert.pem: OK, meaning the new certificate newcert.pem was issued under the root certificate cacert.pem.
After running the two steps above, three files have been created in the current directory:
newreq.pem   the certificate request; no longer needed
newcert.pem  the certificate issued by the CA
newkey.pem   the private key matching the certificate (set its permissions to 400)
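The checks above (CA:TRUE on the root, CA:FALSE on the server certificate, openssl verify, mode 400 on the keys) can be scripted. The following is an added example, not code from the original post or from the CA script; it takes the four file paths as arguments and also builds a constructed throwaway PKI so it can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original post): after ./CA -newca, ./CA -newreq
# and ./CA -sign, confirm the result matches what the post requires.
# Arguments: root CA cert, root CA key, web server cert, web server key.
# Prints OK and returns 0 when every check passes, otherwise lists failures.
check_web_cert() {
    ca_cert=$1; ca_key=$2; cert=$3; key=$4; rc=0
    # 1. the root CA must be able to issue certificates (CA:TRUE)
    openssl x509 -noout -text -in "$ca_cert" | grep -q 'CA:TRUE' \
        || { echo "FAIL: $ca_cert is not a CA certificate"; rc=1; }
    # 2. the web server cert must be an end-entity certificate (CA:FALSE)
    openssl x509 -noout -text -in "$cert" | grep -q 'CA:FALSE' \
        || { echo "FAIL: $cert is not an end-entity certificate"; rc=1; }
    # 3. the web server cert must chain to the root CA (openssl verify ... OK)
    openssl verify -CAfile "$ca_cert" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not verify against $ca_cert"; rc=1; }
    # 4. newkey.pem must be the key for newcert.pem: compare the public keys
    #    (an encrypted key, as in the post, prompts for its pass phrase here)
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $key does not match $cert"; rc=1; }
    # 5. both private keys must be mode 400, as the post requires
    for f in "$ca_key" "$key"; do
        [ "$(stat -c %a "$f" 2>/dev/null)" = "400" ] \
            || { echo "FAIL: $f is not mode 400"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo OK
    return "$rc"
}

# Constructed throwaway PKI (not the post's CA) so the checks run offline:
# a self-signed root and a leaf signed with basicConstraints=CA:FALSE.
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=testca \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=svr.example.com \
        -keyout "$d/newkey.pem" -out "$d/newreq.pem" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\n' > "$d/ext.cnf"
    openssl x509 -req -days 1 -in "$d/newreq.pem" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -extfile "$d/ext.cnf" \
        -out "$d/newcert.pem" 2>/dev/null
    chmod 400 "$d/cakey.pem" "$d/newkey.pem"
}

# On the post's real files:
#   check_web_cert /etc/pki/CA/cacert.pem /etc/pki/CA/private/cakey.pem \
#       /etc/pki/tls/misc/newcert.pem /etc/pki/tls/misc/newkey.pem
```

A certificate that passes these checks but still fails in the browser usually has a Common Name that does not match the name the client connects with, which is the FQDN-versus-IP point made in step (2).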
<3> Configure YUM beforehand (a CD-ROM repository is enough).
1) Make sure the Web-server package group or the httpd packages are installed; they can be installed with YUM, e.g.:
yum -y groupinstall Web-server
2) Install the mod_ssl package so that Apache supports SSL, e.g.:
yum -y install mod_ssl
Edit the configuration file /etc/httpd/conf.d/ssl.conf and set the certificate and key file paths to the location of the certificate and key we created:
#vi /etc/httpd/conf.d/ssl.conf
(the original post shows the edited file in a screenshot)
Restart the httpd service:
# service httpd restart
停止 httpd:                                               [确定]
启动 httpd:Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server rhce.cn:443 (RSA)
Enter pass phrase:                  // enter the pass phrase used when creating the web server's certificate and key
OK: Pass Phrase Dialog successful.

<4> Test: https runs on port 443, so make sure the firewall allows that port.
From a Windows host, open https://slave-redis in the browser.

If a request to http://slave-redis should be redirected straight to https://slave-redis, add the following to httpd.conf:
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/?(.*)$ https://slave-redis/$1 [L,R]