Bài viết sưu tầm

[1]

Install httpd.

[root@www ~]# yum -y install httpd

# remove welcome page

[root@www ~]# rm -f /etc/httpd/conf.d/welcome.conf

# remove default error page

[root@www ~]# rm -f /var/www/error/noindex.html

[2]

Configure httpd. Replace the Server name to your own one.

[root@www ~]# vi /etc/httpd/conf/httpd.conf

# line 44: change

ServerTokens Prod

# line 76: change to ON

KeepAlive On

# line 262: Admin's address

ServerAdmin root@srv.world

# line 338: change

AllowOverride All

# line 276: change to your server's name

ServerName www.srv.world:80

# line 402: add file name that it can access only with directory's name

DirectoryIndex index.html index.htm

# line 536: change

ServerSignature Off

[root@www ~]# /etc/rc.d/init.d/httpd start 

Starting httpd:     [ OK ]
[root@www ~]# chkconfig httpd on 

[3]

If IPTables is running, allow HTTP port. HTTP uses 80/TCP.
For "-I INPUT 5" section below, Replace it to your own environment.

[root@www ~]# iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 

[4]

Create a HTML test page and access to it with a web browser on Client to make sure it works normally.

[root@www ~]# vi /var/www/html/index.html

[root@www ~]# cd /etc/pki/tls/certs 

[root@www certs]# make server.key 

umask 77 ; \

/usr/bin/openssl genrsa -aes128 2048 > server.key 

Generating RSA private key, 2048 bit long modulus
......................................................++++++
.............++++++
e is 61251 (0x10001)
Enter pass phrase: (duytan2017) # set passphrase

Verifying - Enter pass phrase: (duytan2017) # confirm

# remove passphrase from private key

[root@www certs]# openssl rsa -in server.key -out server.key 

Enter pass phrase for server.key: (duytan2017)  # input passphrase

writing RSA key
[root@www certs]#
[root@www certs]# make server.csr 

umask 77 ; \

/usr/bin/openssl req -utf8 -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: JP # country

State or Province Name (full name) [e]: Hiroshima # state

Locality Name (eg, city) [Default City]: Hiroshima # city

Organization Name (eg, company) [Default Company Ltd]: GTS  # company

Organizational Unit Name (eg, section) []: Server World # department

Common Name (eg, your server's hostname) []: www.srv.world # server's FQDN

Email Address []: xxx@srv.world # email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # Enter

An optional company name []: # Enter

[root@www certs]#
[root@www certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650

Signature ok
subject=/C=JP/ST=Hiroshima/L=Hiroshima/O=GTS/OU=Server World/CN=www.srv.world/emailAddress=xxx@srv.world Getting Private key
[root@www certs]# chmod 400 server.*

[1]

Configure httpd for SSL.

[root@www ~]# yum -y install mod_ssl

[root@www ~]# vi /etc/httpd/conf.d/ssl.conf

# line 77: uncomment

DocumentRoot "/var/www/html"

# line 78: uncomment and specify the server name

ServerName www.srv.world:443

# line 93: change

SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

# line 105: change to the one created in [1]

SSLCertificateFile /etc/pki/tls/certs/server.crt

# line 112: change to the one created in [1]

SSLCertificateKeyFile /etc/pki/tls/certs/server.key

[root@www ~]# /etc/rc.d/init.d/httpd restart 

Stopping httpd:     [ OK ]
Starting httpd:     [ OK ]

[2]

If IPTables is running, allow HTTPS port. HTTPS uses 443/TCP.
For "-I INPUT 5" section below, Replace it to your own environment.

[root@www ~]# iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 

[3]

Access to the test page from a client computer with a Web browser via HTTPS. The examample below is the Fiorefix. Following screen is shown because Certificates is own created one, but it's no ploblem, Proceed to next.