Apache 配置https虚拟主机
Posted Linux就该这么学
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Apache 配置https虚拟主机相关的知识,希望对你有一定的参考价值。
纯手工打造每一篇开源资讯与技术干货,数十万程序员和Linuxer已经关注。
一、安装带ssl的Apache2.2.21
1、安装apache之前需要先检查openssl是否安装完毕,yum list "*openssl*",如果没有用yum安装下即可
2、apache安装,网上文档很多,以下是专门针对ssl的编译参数
# cd /usr/local/src/tarbag
# wget http://labs.renren.com/apache-mirror//httpd/httpd-2.2.21.tar.gz
# tar xzvf httpd-2.2.21.tar.gz -C ../software
# cd ../software/httpd-2.2.21
# ./configure --prefix=/usr/local/apache --enable-so --enable-ssl --enable-rewrite --enable-headers --with-mpm=worker --enable-expires --enable-suexec --with-suexec-docroot=/data/www --enable-mods-shared=all
# make && make install
# rm -rf /etc/init.d/httpd
# cp /usr/local/apache/bin/apachectl /etc/init.d/httpd
# sed -i '2c#chkconfig: 35 85 15' /etc/init.d/httpd
# sed -i '3c#description: apache' /etc/init.d/httpd
# chmod x /etc/init.d/httpd
# chkconfig --add httpd
# chkconfig httpd on
# rm -rf /sbin/apachectl
# ln -s /usr/local/apache/bin/apachectl /sbin
二、生成证书
1、生成证书存放目录
安装好apache后,第一时间生成证书,在生成证书之前先准备生成一个证书存放的目录
# cd /usr/local/apache/conf
# mkdir ssl.key
# cd ssl.key/
2、分3步生成服务器签名的证书
step.1
首先要生成服务器端的私钥(key文件)
# openssl genrsa -des3 -out server.key 1024
运行时会提示输入密码,此密码用于加密key文件,去除key文件口令的命令:
.......................
.................................................
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
step.2
生成Certificate Signing Request(CSR),生成的csr文件交给CA签名后形成服务端自己的证书.屏幕上将有提示,依照其指示一步一步输入要求的个人信息即可.
# openssl req -new -key server.key -out server.csr
看到如下提示,并按照提示输入相关信息即可生成密钥
如果要生成客户端证书,那么对客户端也作同样的命令生成key及csr文件:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf
这里就不做演示了,有兴趣的朋友可以去尝试下。
step.3
CSR文件必须有CA的签名才可形成证书.可将此文件发送到verisign等地方由它验证.自己生成
# openssl req -new -key server.key -out server.csr
看到如下提示,输入密码,即可完成
Signature ok
subject=/C=CN/ST=FJ/L=FZ/O=poppace/OU=poppace/CN=ty/emailAddress=ty@poppace.com
Getting Private key
Enter pass phrase for server.key:
为了安全起见要将证书相关文件的访问权限降到最低
# chmod 400 *
证书生成完毕,接下来可以配置apache了。
三、配置apache
1、在httpd.conf中打开vhosts和ssl的配置文件
# vi /usr/local/apache/conf/httpd.conf
打开vhosts配置,跳转到447行和459行,取消掉Include conf/extra/httpd-vhosts.conf和Include conf/extra/httpd-ssl.conf之前的注释
2、配置vhosts
# vi /usr/local/apache/conf/extra/httpd-vhosts.conf
特别需要注意443段的配置,可在httpd-ssl.conf中找到相关说明
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
DocumentRoot "/data/www/"
ServerName 192.168.1.201
<Directory /data/www/>
Order allow,deny
Allow from all
Options -Indexes FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "/data/www/"
ServerName 192.168.1.201:443
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4 RSA: HIGH: MEDIUM: LOW: SSLv2: EXP: eNULL
SSLCertificateFile "/usr/local/apache/conf/ssl.key/server.cert"
SSLCertificateKeyFile "/usr/local/apache/conf/ssl.key/server.key"
<FilesMatch ".(cgi|shtml|phtml|php)$">
SSLOptions StdEnvVars
</FilesMatch>
<Directory /data/www/>
Order allow,deny
Allow from all
Options -Indexes FollowSymLinks
AllowOverride All
</Directory>
BrowserMatch ".*MSIE.*"
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
</VirtualHost>
3、修改httpd-ssl.conf的相关配置
# vi /usr/local/apache/conf/extra/httpd-ssl.conf
搜索SSLCertificateFile
并将:(99行)SSLCertificateFile "/usr/local/apache/conf/server.crt"
改为:SSLCertificateFile "/usr/local/apache/conf/ssl.key/server.cert"
搜索SSLCertificateKeyFile
并将:(107行)SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
改为:SSLCertificateKeyFile "/usr/local/apache/conf/ssl.key/server.key"
4、重启apache
# service httpd start
Apache/2.2.21 mod_ssl/2.2.21 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server www.example.com:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
现在用浏览器访问下https://192.168.1.201,即大告大功。
原文来自:
点击左下角查看更多热门技术
以上是关于Apache 配置https虚拟主机的主要内容,如果未能解决你的问题,请参考以下文章
运维学习之Apache的配置访问控制虚拟主机和加密访问https