Slackware 13.0 Apache HTTPS configuration

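As we all know:

The main security threat to the HTTP protocol is plaintext transmission. To protect data in transit between the client and the web server, the transport between them has to be encrypted.

SSL is a secure transport protocol that encrypts traffic between the web browser and the web server. The connection between client and server is secure only if the server is authenticated when the connection is established.

How SSL works:

The client connects to the web server. The server randomly selects a key pair and sends the client the public key, signed so that the client can trust it.

The client validates this certificate against its own CAs. Having obtained the public key, the client encrypts its data with it, randomly generates a sequence number and sends it to the server; at this point the client holds only a sequence number.

The web server decrypts the client's encrypted data with the private key of the key pair.

Both the client and the server operate on randomly generated values.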

1. Test whether Apache runs successfully:

cd /etc/httpd

php.ini-recommended and php.ini are backups of each other

mod_php.conf.example and mod_php.conf are backups of each other

vi /etc/httpd/httpd.conf

include /etc/httpd/mod_php.conf
DirectoryIndex index.html index.htm index.php

cd /etc/rc.d

sh rc.httpd start

cd /srv/httpd/htdocs/

vi info.php

<html><head><title>php test script</title>
</head><body>
<?php
phpinfo();
?>
</body></html>

http://localhost/info.php

2. Initialize MySQL as root:

su mysql

mysql_install_db

chown -R mysql:mysql /var/lib/mysql

sh /etc/rc.d/rc.mysqld start

mysqladmin -u root password XXX

mysqladmin -u root -p create testdb

mysql -u root -p

PHP also supports MySQL:

vi /etc/httpd/php.ini

extension=mysql.so

3. Generate the SSL key pair and certificate:

To get a certificate signed by a CA, you first need to create a keypair and a certificate request:

openssl req -new -sha1 -newkey rsa:1024 -nodes \
-keyout server.key -out www.example.com.csr \
-subj '/O=Company/OU=Department/CN=www.example.com'

For testing purposes, or for small LANs, you can create a self-signed certificate. This can be done by issuing this command:

openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 \
-nodes -keyout server.key -out server.crt \
-subj '/O=Company/OU=Department/CN=www.example.com'

Rename the certificate to server.crt and verify it:

openssl verify -CAfile /path/to/trusted_ca.crt -purpose sslserver server.crt

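Check that the output of these two commands is identical, which means the certificate corresponds to the private key:

openssl x509 -noout -modulus -in server.crt | openssl sha1
openssl rsa -noout -modulus -in server.key | openssl sha1

Copy the generated certificate and key to the httpd directory: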

cp server.crt /etc/httpd/server.crt

cp server.key /etc/httpd/server.key

vi /etc/httpd/httpd.conf

LoadModule ssl_module lib/httpd/modules/mod_ssl.so

Configure Apache and SSL:

listen 80

listen 443

# =================================================
# SSL/TLS settings
# =================================================
#NameVirtualHost *:443

# Server-wide mod_ssl directives; these are not allowed inside <VirtualHost>
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm

<VirtualHost *:443>
    DocumentRoot "/srv/httpd/htdocs"
    SSLEngine on
    SSLOptions +StrictRequire
    <Directory />
        SSLRequireSSL
    </Directory>
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

    SSLSessionCacheTimeout 600

    SSLCertificateFile /etc/httpd/server.crt
    SSLCertificateKeyFile /etc/httpd/server.key

    SSLVerifyClient none
    SSLProxyEngine off

    <IfModule mod_mime.c>
        AddType application/x-x509-ca-cert      .crt
        AddType application/x-pkcs7-crl         .crl
    </IfModule>

    SetEnvIf User-Agent ".*MSIE.*" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
</VirtualHost>

#NameVirtualHost *:80


<VirtualHost *:80>
    DocumentRoot "/srv/httpd/htdocs"
    # Host-specific directory setup, options, etc
    # Most of these options are likely to be set outside the VirtualHosts
    # sections.
</VirtualHost>

Test SSL:

apachectl configtest

apachectl stop

apachectl start

netstat -tpan |grep 443

https://localhost
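
The SSLProtocol line in the VirtualHost above enables SSLv3 and TLS 1.0, both since deprecated (RFC 7568, RFC 8996), and the cipher string admits the MEDIUM class. The shell function below is an added example, not part of the original post: it reads an httpd configuration and lists the legacy protocols and weak cipher selectors it actually enables. The names audit_ssl_conf and page_conf and the two selector lists are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. audit_ssl_conf and page_conf
# are hypothetical names. Reads an httpd config (file argument or stdin)
# and prints one line per legacy protocol or weak cipher selector enabled.
audit_ssl_conf() {
    awk '
    BEGIN {
        np = split("SSLv2 SSLv3 TLSv1 TLSv1.1", P, " ")
        nw = split("MEDIUM LOW EXP EXPORT RC4 DES 3DES MD5 aNULL eNULL NULL", W, " ")
    }
    /^[ \t]*#/ { next }                      # commented-out directives
    tolower($1) == "sslprotocol" {
        split("", on)                        # start from an empty set
        for (i = 2; i <= NF; i++) {
            tok = tolower($i)
            add = (tok !~ /^-/)              # "-" disables, "+" or bare enables
            sub(/^[+-]/, "", tok)
            # Assumption: "all" is treated as covering every legacy version.
            if (tok != "all") { on[tok] = add; continue }
            for (j = 1; j <= np; j++) on[tolower(P[j])] = add
        }
        for (j = 1; j <= np; j++)
            if (on[tolower(P[j])]) print "protocol " P[j]
    }
    tolower($1) == "sslciphersuite" {
        n = split($NF, c, ":")               # cipher spec is the last field
        for (i = 1; i <= n; i++) {
            # "!" and "-" remove ciphers and a leading "+" only moves
            # already-selected ciphers to the end; a bare selector adds.
            if (c[i] ~ /^[!+-]/) continue
            m = split(c[i], part, "[+]")     # inner "+" means AND, e.g. RC4+MD5
            for (k = 1; k <= m; k++)
                for (j = 1; j <= nw; j++)
                    if (part[k] == W[j]) { print "cipher " c[i]; k = m; break }
        }
    }' "${1:--}"
}

# Constructed sample: the two directives from the VirtualHost on this page.
page_conf() {
    printf '%s\n' \
        '    SSLProtocol -all +TLSv1 +SSLv3' \
        '    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM'
}

page_conf | audit_ssl_conf
```

Run against the real file with `audit_ssl_conf /etc/httpd/httpd.conf`; an empty result means none of the listed protocols or selectors is enabled.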
