Enabling HTTPS on Apache

Preface: this article was compiled by the editors of cha138.com and covers how to enable HTTPS on Apache; we hope it is a useful reference.

1. Install OpenSSL

Install with yum:

# yum install -y openssl openssl-devel

Or build from source:

http://www.openssl.org/source/   # download OpenSSL from here
# tar xf openssl-1.0.1s.tar.gz
# cd openssl-1.0.1s
# ./config
# make && make install

Build Apache with mod_ssl (run from /usr/local/src):

# wget http://mirrors.cnnic.cn/apache/httpd/httpd-2.2.31.tar.gz
# tar xvf httpd-2.2.31.tar.gz
# cd httpd-2.2.31
# ./configure --prefix=/usr/local/apache2 --with-included-apr --enable-so --enable-deflate=shared --enable-expires=shared --enable-rewrite=shared --with-pcre --enable-ssl=shared --with-ssl=/usr/local/ssl     # builds mod_ssl as a dynamic module; use --enable-ssl=static --with-ssl=/usr/local/ssl for a static build

Alternatively, add mod_ssl to an existing Apache as an extension module:

# cd /usr/local/src/httpd-2.2.31/modules/ssl   # must be run inside the httpd source tree
# /usr/local/apache2/bin/apxs -i -c -a -D HAVE_OPENSSL=1 -I /usr/lib/openssl/engines/lib -lcrypto -lssl -ldl *.c

Error 1: error "Unrecognized SSL Toolkit!" or "declaration for parameter 'XXXXXX' but no such parameter"

Fix: add -D HAVE_OPENSSL=1 to the apxs command.

Error 2: undefined symbol: ssl_cmd_SSLMutex

Fix: apxs compiled and registered the module successfully, but Apache failed to start. After this error I changed the source argument given to apxs from mod_ssl.c to *.c: unlike mod_deflate, mod_ssl is made up of several source files.

Error 3: undefined symbol: X509_INFO_free

Fix: caused by the OpenSSL libraries being linked statically (the default); add the -lcrypto -lssl -ldl options.


2. Create the certificate

Create the private key:

# cd /usr/local/ssl/bin/
# openssl genrsa -out server.key 2048
# cp server.key  /usr/local/apache2/conf/ssl.key

Generate the certificate signing request (CSR):

# openssl req -new -key server.key -out certreq.csr
Country Name (2 letter code) [XX]:cn                 # ISO country code; CN for China
State or Province Name (full name) []:zj            # province / autonomous region / municipality
Locality Name (eg, city) [Default City]:zs            # city / county / district
Organization Name (eg, company) [Default Company Ltd]:dx      # legal name of the organisation
Organizational Unit Name (eg, section) []:zwy                # department name
Common Name (eg, your name or your server's hostname) []:zwy    # must exactly match the domain name clients use to reach the SSL server
Email Address []:       # e-mail address; optional, press Enter to skip
"extra" attributes                        # the remaining prompts are optional; press Enter until the command finishes

Rewrite the key in plain form so httpd can start without a passphrase prompt, then self-sign the certificate (in /usr/local/apache2/conf):

# cp server.key server.key.ori
# openssl rsa -in server.key.ori -out server.key
writing RSA key
# openssl x509 -req -days 365 -in certreq.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=ZJ/L=ZS/O=DX/OU=ZWY/CN=ZWY/[email protected]
Getting Private key
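
The certificate steps above, as an added example that is not part of the original post: a POSIX shell script that produces the key, CSR and self-signed certificate non-interactively (the subject fields are the post's sample values; the hostname www.szk.com is the one used in the vhost configuration below) and then checks that the certificate's public key matches the private key and that it names the host. It goes beyond the post in one respect: it also puts the hostname in a subjectAltName, which current browsers check instead of the Common Name. The function names, the san.cnf file and the output directory are this example's own choices, not anything the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): generate a key, CSR and
# self-signed certificate for a hostname without interactive prompts, then
# verify that the certificate belongs to the key and names the host.
# Hostname, output directory and san.cnf are constructed sample values.
set -e

make_self_signed() {
  host="$1"            # e.g. www.szk.com (sample hostname from the post)
  outdir="$2"
  days="${3:-365}"
  mkdir -p "$outdir"
  # 2048-bit RSA key with no passphrase, so httpd can start unattended
  openssl genrsa -out "$outdir/server.key" 2048 2>/dev/null
  # the private key must not be readable by other users
  chmod 600 "$outdir/server.key"
  # OpenSSL config carrying the subject (the post's sample values) and a
  # subjectAltName; prompt = no makes "openssl req" read the fields from here
  cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C  = CN
ST = ZJ
L  = ZS
O  = DX
OU = ZWY
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
  openssl req -new -key "$outdir/server.key" -out "$outdir/certreq.csr" \
    -config "$outdir/san.cnf"
  # self-sign the request; -extfile/-extensions copy the SAN into the cert
  openssl x509 -req -days "$days" -in "$outdir/certreq.csr" \
    -signkey "$outdir/server.key" -out "$outdir/server.crt" \
    -extfile "$outdir/san.cnf" -extensions v3_req 2>/dev/null
}

# Returns 0 when the certificate's public key matches the private key and
# the certificate carries the expected host in its subjectAltName.
verify_cert_matches_key() {
  dir="$1"
  host="$2"
  crt_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
  key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)
  [ "$crt_mod" = "$key_mod" ] || return 1
  openssl x509 -noout -text -in "$dir/server.crt" | grep -q "DNS:$host" || return 1
  return 0
}

# Usage: sh make-cert.sh www.szk.com /tmp/certs
if [ $# -eq 2 ]; then
  make_self_signed "$1" "$2" \
    && verify_cert_matches_key "$2" "$1" \
    && echo "certificate and key verified for $1"
fi
```

Copy the resulting server.key and server.crt to /usr/local/apache2/conf as in the post; the modulus comparison is the quick check to run whenever httpd refuses to start with a key/certificate mismatch.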

3. Apache configuration

# vim /usr/local/apache2/conf/httpd.conf
Include conf/extra/httpd-ssl.conf      # remove the leading # from this line to enable it

# vim /usr/local/apache2/conf/extra/httpd-vhosts.conf
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/?(.*)$ https://%{SERVER_NAME}/$1 [L,R]

Add these lines to each virtual host that should be served over HTTPS, so that plain HTTP requests are automatically redirected to HTTPS.

# mv /usr/local/apache2/conf/extra/httpd-ssl.conf  /usr/local/apache2/conf/extra/httpd-ssl.conf.bak    # back up the default config file
# > /usr/local/apache2/conf/extra/httpd-ssl.conf    # start from an empty file
# vim /usr/local/apache2/conf/extra/httpd-ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLCryptoDevice builtin
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:!RC4:
<VirtualHost *:443>
    DocumentRoot "/data/www"
    ServerName www.szk.com:443
    ErrorLog "logs/dummy-host.example.com-error_log"
    CustomLog "logs/dummy-host.example.com-access_log" common
    <IfModule mod_ssl.c>
        SSLEngine on
        SSLCertificateFile /usr/local/apache2/conf/server.crt
        SSLCertificateKeyFile /usr/local/apache2/conf/server.key
        #SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/intermediatebundle.crt
    </IfModule>
</VirtualHost>


Error: curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Fix: put the port-443 VirtualHost before the port-80 VirtualHost, and use NameVirtualHost * for the port-80 section and NameVirtualHost *:443 for the port-443 section.
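
As an added example, not from the original post: a shell lint over the httpd-ssl.conf directives shown above. It reports the cipher groups the post's SSLCipherSuite string leaves enabled (ALL includes the LOW ciphers when they are compiled in, and !ADH is narrower than !aNULL), a missing SSLv2/SSLv3 exclusion, a missing SSLHonorCipherOrder, and the VirtualHost ordering and NameVirtualHost problem behind the curl (35) error. The two sample configurations written by the script are constructed for this example (the weak one copies the post's settings; the hardened one is the corrected form), and lint_ssl_conf and the other function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: a lint for the mod_ssl settings
# shown above. lint_ssl_conf FILE prints one line per finding and returns 1
# when there is at least one finding, 0 when the file passes.

lint_ssl_conf() {
  conf="$1"
  n=0
  # 1. SSLProtocol must drop SSLv2 and SSLv3; "all -SSLv2 -SSLv3" as in the post is fine
  proto=$(awk '$1=="SSLProtocol"{$1="";print}' "$conf")
  for v in SSLv2 SSLv3; do
    case " $proto " in
      *" -$v "*) ;;
      *) echo "SSLProtocol does not disable $v"; n=$((n+1)) ;;
    esac
  done
  # 2. Cipher string: "!X" exclusions are permanent in OpenSSL cipher syntax,
  #    so every weak group should be excluded that way. The post's list has
  #    !ADH, !EXPORT and !RC4 but no !LOW (ALL includes LOW ciphers when they
  #    are compiled in) and no !aNULL/!eNULL (!aNULL is broader than !ADH).
  ciphers=$(awk '$1=="SSLCipherSuite"{print $2; exit}' "$conf")
  for bad in aNULL eNULL EXPORT LOW RC4; do
    case ":$ciphers:" in
      *":!$bad:"*) ;;
      *) echo "SSLCipherSuite does not exclude $bad"; n=$((n+1)) ;;
    esac
  done
  # 3. Without SSLHonorCipherOrder on, the client's preference order wins
  awk '$1=="SSLHonorCipherOrder" && tolower($2)=="on"{f=1} END{exit !f}' "$conf" \
    || { echo "SSLHonorCipherOrder is not on"; n=$((n+1)); }
  # 4. The post's fix for the curl (35) error: the :443 VirtualHost must come
  #    before the :80 one, and Apache 2.2 needs NameVirtualHost *:443 for it
  l443=$(grep -n '<VirtualHost \*:443>' "$conf" | head -n 1 | cut -d: -f1)
  l80=$(grep -n '<VirtualHost \*:80>' "$conf" | head -n 1 | cut -d: -f1)
  if [ -n "$l443" ] && [ -n "$l80" ] && [ "$l80" -lt "$l443" ]; then
    echo "port 80 VirtualHost (line $l80) precedes port 443 VirtualHost (line $l443)"
    n=$((n+1))
  fi
  if [ -n "$l443" ] && ! grep -q '^[[:space:]]*NameVirtualHost \*:443' "$conf"; then
    echo "NameVirtualHost *:443 is missing"; n=$((n+1))
  fi
  [ "$n" -eq 0 ]
}

# Constructed sample: the post's httpd-ssl.conf settings, with the :80 vhost
# placed before the :443 vhost as in the situation that produced curl (35).
write_weak_conf() {
  cat > "$1" <<'EOF'
Listen 443
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:!RC4:
NameVirtualHost *
<VirtualHost *:80>
    ServerName www.szk.com
</VirtualHost>
<VirtualHost *:443>
    ServerName www.szk.com:443
    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/server.key
</VirtualHost>
EOF
}

# Constructed sample: the corrected form (explicit exclusions, :443 first,
# NameVirtualHost *:443, and the post's HTTP-to-HTTPS redirect on :80).
write_hardened_conf() {
  cat > "$1" <<'EOF'
Listen 443
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!MD5
NameVirtualHost *:443
NameVirtualHost *
<VirtualHost *:443>
    ServerName www.szk.com:443
    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/server.key
</VirtualHost>
<VirtualHost *:80>
    ServerName www.szk.com
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/?(.*)$ https://%{SERVER_NAME}/$1 [L,R]
</VirtualHost>
EOF
}

# Usage: sh ssl-lint.sh /usr/local/apache2/conf/extra/httpd-ssl.conf
if [ $# -eq 1 ]; then
  lint_ssl_conf "$1" && echo "no findings in $1"
fi
```

Run it against the real httpd-ssl.conf after editing; with the post's cipher string it reports the missing !LOW, !aNULL and !eNULL exclusions, and with the vhost ordering from the curl error it reports both the ordering and the missing NameVirtualHost *:443.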






This article is from the "卫斯理" blog; please keep this attribution when reposting: http://szk5043.blog.51cto.com/8456440/1890646
