17/09/2018 08:32:45 PM

Bài viết sưu tầm

Apache HTTPS

1. Install Apache httpd

Install httpd to configure Web server.

[1]	Install httpd.

[root@www ~]# yum -y install httpd

# remove welcome page

[root@www ~]# rm -f /etc/httpd/conf.d/welcome.conf

# remove default error page

[root@www ~]# rm -f /var/www/error/noindex.html

[2]	Configure httpd. Replace the Server name to your own one.

[root@www ~]# vi /etc/httpd/conf/httpd.conf

# line 44: change

ServerTokens Prod

# line 76: change to ON

KeepAlive On

# line 262: Admin's address

ServerAdmin root@srv.world

# line 338: change

AllowOverride All

# line 276: change to your server's name

ServerName www.srv.world:80

# line 402: add file name that it can access only with directory's name

DirectoryIndex index.html index.htm

# line 536: change

ServerSignature Off

[root@www ~]# /etc/rc.d/init.d/httpd start

Starting httpd: [ OK ]
[root@www ~]# chkconfig httpd on

[3]	If IPTables is running, allow HTTP port. HTTP uses 80/TCP. For "-I INPUT 5" section below, Replace it to your own environment.

[root@www ~]# iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

[4]	Create a HTML test page and access to it with a web browser on Client to make sure it works normally.

[root@www ~]# vi /var/www/html/index.html

Test Page

2. Create SSL Certificates

Create a your server's original SSL Certificate. If you use your server as a business, it had better buy and use a Formal Certificate from Verisigh and so on.

[root@www ~]# cd /etc/pki/tls/certs

[root@www certs]# make server.key

umask 77 ; \

/usr/bin/openssl genrsa -aes128 2048 > server.key

Generating RSA private key, 2048 bit long modulus
......................................................++++++
.............++++++
e is 61251 (0x10001)
Enter pass phrase: (duytan2017) # set passphrase

Verifying - Enter pass phrase: (duytan2017) # confirm

# remove passphrase from private key

[root@www certs]# openssl rsa -in server.key -out server.key

Enter pass phrase for server.key: (duytan2017) # input passphrase

writing RSA key
[root@www certs]#
[root@www certs]# make server.csr

umask 77 ; \

/usr/bin/openssl req -utf8 -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: JP # country

State or Province Name (full name) [e]: Hiroshima # state

Locality Name (eg, city) [Default City]: Hiroshima # city

Organization Name (eg, company) [Default Company Ltd]: GTS # company

Organizational Unit Name (eg, section) []: Server World # department

Common Name (eg, your server's hostname) []: www.srv.world # server's FQDN

Email Address []: xxx@srv.world # email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # Enter

An optional company name []: # Enter

[root@www certs]#
[root@www certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650

Signature ok
subject=/C=JP/ST=Hiroshima/L=Hiroshima/O=GTS/OU=Server World/CN=www.srv.world/emailAddress=xxx@srv.world Getting Private key
[root@www certs]# chmod 400 server.*

3. Configure httpd for SSL

[1]	Configure httpd for SSL.

[root@www ~]# yum -y install mod_ssl

[root@www ~]# vi /etc/httpd/conf.d/ssl.conf

# line 77: uncomment

DocumentRoot "/var/www/html"

# line 78: uncomment and specify the server name

ServerName www.srv.world:443

# line 93: change

SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

# line 105: change to the one created in [1]

SSLCertificateFile /etc/pki/tls/certs/server.crt

# line 112: change to the one created in [1]

SSLCertificateKeyFile /etc/pki/tls/certs/server.key

[root@www ~]# /etc/rc.d/init.d/httpd restart

Stopping httpd: [ OK ]
Starting httpd: [ OK ]

[2]	If IPTables is running, allow HTTPS port. HTTPS uses 443/TCP. For "-I INPUT 5" section below, Replace it to your own environment.

[root@www ~]# iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

[3]	Access to the test page from a client computer with a Web browser via HTTPS. The examample below is the Fiorefix. Following screen is shown because Certificates is own created one, but it's no ploblem, Proceed to next.