ssl - apache - linux安全访问设置

转自：微点阅读  https://www.weidianyuedu.com

Apache SSL 配置

文档内所有命令依据系统环境为：

JAVA: jdk1.6.0_30 System: centoS release 5.7 Apache:httpd-2.2.3 openssl:openssl-0.9.8e

1. 安装Apache与 openSSL： 略。其中Apache需使用带有MoD_SSL模块的版本

2. KEY生成： 进入/usr/local/httpd/conf/sign目录下执行按顺序执行以下命令： 1>openssl genrsa -des3 1024 > /usr/local/httpd/conf/server.key←建立服务器密钥 Generating RSA private key, 1024 bit long modulus ................++++++ ...........................................................................++++++ e is 65537 (0x10001) Enter pass phrase: ←在这里输入口令 Verifying - Enter pass phrase: ←确认口令，再次输入 2>openssl rsa -in /usr/local/httpd/conf/server.key > /usr/local/httpd/conf/server2.key←从密钥中删除密码（以避免系统启动后被询问口令） Enter pass phrase for ssl.key/server.key: ←输入口令 writing RSA key

3>mv /usr/local/httpd/conf/server2.key/usr/local/httpd/conf/server.key

4>openssl req -new -key /usr/local/httpd/conf/server.key -out /usr/local/httpd/conf/server.csr←建立服务器密钥请求文件 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished name or a Dn. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ".", the field will be left blank. ----- country name (2 letter code) [GB]:cn ←输入国名 State or Province name (full name) [Berkshire]:GD ←输入省名 Locality name (eg, city) [newbury]:Foshan ←输入城市名 organization name (eg, company) [My company Ltd]:cdcgs ←输入组织名（任意） organizational Unit name (eg, section) []: ←不输入，直接回车 common name (eg, your name or your server"s hostname) []: ←输入通称（任意） Email Address []:yourname@yourserver.com ←输入电子邮箱地址 Please enter the following "extra" attributes to be sent with your certificate request A challenge password []: ←不输入，直接回车 An optional company name []: ←不输入，直接回车 5>openssl x509 -in /usr/local/httpd/conf/server.csr -out /usr/local/httpd/conf/server.crt -req -signkey /usr/local/httpd/conf/server.key -days 365←建立服务器证书 Signature ok subject=/c=cn/ST=GD/L=Foshan/o=cdcgs/cn=/\\ emailAddress=yourname@yourserver.com Getting Private key 3. Apache添加SSL支持： 1>关闭Apache: ./ usr/local/httpd/bin/httpd –k stop 2>增加支持SSL,执行 vi /usr/local/httpd/conf/httpd.conf: ＃Include conf/extra/httpd-ssl.conf←找到这一行，将行首的“#”去掉 ↓ Include conf/extra/httpd-ssl.conf 3>启动重定向(可选)，使用用户HTTP访问自动重定向为HTTPS，在httpd.conf文件尾加入如下内容： RewriteEngine on Rewritecond %{SERVER_PoRT} !^443$ RewriteRule ^/?(.*)$ https://%{SERVER_nAME}/$1 [L,R] 4>设置加密文件，在文件/usr/local/httpd/conf/extra/httpd-ssl.cnf中，将以下几行的注释去掉，并修改相应路径如下： SSLcertificateFile \SSLcertificateKeyFile \DocumentRoot \４．启动apache: ./usr/local/httpd/bin/httpd –k start ６．测试HTTPS： 打开浏览器，在地址栏输入“你的域名”或者“https://你的域名”后，如果浏览器自动跳转成htts://?，并且能继续访问成功，则表示服务器已经可以支持SSL. 微点阅读  



https://www.weidianyuedu.com