Building your own CA and issuing a certificate to a self-hosted httpd


Earlier related posts:
https://blog.csdn.net/u012271055/article/details/84672691 #covers the directory layout of a yum-installed httpd
https://blog.csdn.net/u012271055/article/details/84675204 #covers building an httpd 2.4 rpm package and installing it on CentOS 6.x
https://blog.csdn.net/u012271055/article/details/84491365 #covers compiling httpd from source, writing a SysV init script and a systemd unit file
https://blog.csdn.net/u012271055/article/details/84576344 #covers building your own CA and issuing certificates

I. Lab environment

1. The httpd host used in this lab

[root@localhost ~]# cat /etc/redhat-release 
CentOS release 6.5 (Final)
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]# ifconfig | sed -rn 's/^[[:space:]]+inet addr:(.*)[[:space:]]+Bcast.*$/\1/p'
192.168.56.96 
#httpd version (the httpd 2.4 rpm package I built earlier, used on CentOS 6.x)
[root@localhost ~]# httpd -v
Server version: Apache/2.4.37 (Unix)
Server built:   Dec  1 2018 18:17:27

PS: to follow this section you need some basic HTTP concepts and a working knowledge of httpd's configuration syntax. Here I only give a simple demonstration of building a CA and then configuring httpd to use a certificate it issued.

2. The CA host

[root@localhost ~]# cat /etc/redhat-release 
CentOS release 6.10 (Final)
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.32-754.el6.x86_64 #1 SMP Tue Jun 19 21:26:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]# ifconfig | sed -rn 's/^[[:space:]]+inet addr:(.*)[[:space:]]+Bcast.*$/\1/p'
192.168.56.98 

II. A brief note on httpd's SSL configuration

Reference (official documentation index):
Chinese: http://httpd.apache.org/docs/current/ssl/
English: http://httpd.apache.org/docs/current/en/ssl/

Description:
The Apache HTTP Server module mod_ssl provides an interface to OpenSSL and supplies strong encryption using the Secure Sockets Layer and Transport Layer Security protocols. (In practice only TLS should be enabled today; SSLv2 and SSLv3 are broken, which is why the shipped configuration below disables SSLv3.)

(1) Basic configuration example:

LoadModule ssl_module modules/mod_ssl.so

Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile "/path/to/www.example.com.cert"
    SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>

Syntax of the Listen directive:
	Listen [IP-address:]portnumber [protocol]
a> Omitting the IP address means 0.0.0.0, i.e. all interfaces;
b> Listen may appear more than once;
c> Changes to the listening sockets only take effect after the server processes are restarted;
d> To force a socket to speak SSL/TLS only, set protocol to https;
e> If the protocol argument is omitted, https is assumed for port 443 and http for every other port.
So for https on a non-standard port the protocol has to be given explicitly, for example:
Listen 192.170.2.1:8443 https

<VirtualHost *:443>
</VirtualHost>
is one block; I will not go through it in detail here. *:443 means this virtual host handles port 443 on every interface. SSLEngine on still has to be set inside the block; the port number alone does not turn on TLS.

Syntax of ServerName:
	ServerName [scheme://]domain-name|ip-address[:port]
	i.e. an optional scheme, the domain name or IP address, and an optional port.
	
SSLCertificateFile names the certificate used for this virtual host (with httpd 2.4.8 and later the intermediate CA certificates may be appended to the same file after the server certificate);
SSLCertificateKeyFile names the private key that matches that certificate.

(2) Contents of the httpd-ssl.conf shipped by default

[root@localhost extra]# grep -Ev '^#|^$' /etc/httpd/conf/extra/httpd-ssl.conf 
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on 
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout  300
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ServerName www.example.com:443
ServerAdmin [email protected]
ErrorLog "/var/log/httpd/error_log"
TransferLog "/var/log/httpd/access_log"
SSLEngine on
SSLCertificateFile "/etc/httpd/conf/server.crt"
SSLCertificateKeyFile "/etc/httpd/conf/server.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog "/var/log/httpd/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>     

(3) By default both the ssl module and the Include of the ssl site are commented out

[root@localhost extra]# grep -E 'mod_ssl.so|httpd-ssl' /etc/httpd/conf/httpd.conf 
#LoadModule ssl_module lib64/httpd/modules/mod_ssl.so
#Include /etc/httpd/conf/extra/httpd-ssl.conf

III. Build your own CA and issue a certificate

I do not generate the private keys as separate steps; each key is generated in the same command as the self-signed CA certificate or the certificate request.
The following steps run on the CA host:
(1) Generate the self-signed CA certificate (this also generates the CA private key)

[root@localhost ~]# (umask 077;openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655)
Generating a 4096 bit RSA private key
...............................................++
...............................................................++
writing new private key to '/etc/pki/CA/private/cakey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:FuJian
Locality Name (eg, city) [Default City]:FuZhou
Organization Name (eg, company) [Default Company Ltd]:yanhui
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.yanhui.com
Email Address []:[email protected]
[root@localhost ~]# ls -l /etc/pki/CA/private/cakey.pem
-rw-------. 1 root root 3272 Dec  1 19:59 /etc/pki/CA/private/cakey.pem
[root@localhost ~]# ls -l /etc/pki/CA/cacert.pem 
-rw-------. 1 root root 2106 Dec  1 19:59 /etc/pki/CA/cacert.pem
[root@localhost ~]# file /etc/pki/CA/cacert.pem
/etc/pki/CA/cacert.pem: ASCII text
[root@localhost ~]# file /etc/pki/CA/private/cakey.pem
/etc/pki/CA/private/cakey.pem: ASCII text

The options used, explained again:
    -x509 output a self-signed certificate instead of a certificate request; this is what makes the result the CA's root certificate (the default openssl.cnf applies the v3_ca extension section, so it carries CA:TRUE)
    -newkey rsa:4096 create a new certificate (request) together with a new 4096-bit RSA private key
    -nodes do not encrypt the private key with a passphrase; fine for a lab, but a real CA key should be passphrase-protected or kept offline
    -keyout path and name of the private key; this must match the private_key path that /etc/pki/tls/openssl.cnf expects for the CA (/etc/pki/CA/private/cakey.pem), otherwise openssl ca will not find it
    -out path and name of the new CA certificate; likewise it must match the certificate path in openssl.cnf (/etc/pki/CA/cacert.pem)
    -days validity of the self-signed CA certificate, here 3655 days
Because the whole command ran under umask 077, cacert.pem also ended up 0600. Only the key needs that; the CA certificate is public and has to be handed to every client, so it can safely be made 0644.

(2) Provide the directories and files the CA needs (openssl ca refuses to run without an index.txt database and a serial file; on CentOS 6 the directories already exist, so mkdir -p is harmless)

[root@localhost ~]# mkdir -p /etc/pki/CA/{certs,crl,newcerts}
[root@localhost ~]# touch /etc/pki/CA/{serial,index.txt}
[root@localhost ~]# echo 01 > /etc/pki/CA/serial 
[root@localhost ~]# 

The following steps run on the web host:
(1) Generate the certificate signing request (this also generates the server private key). Note that -days has no effect on a CSR; the validity period is decided by the CA when it signs. The Common Name must be the site's FQDN (www.yanhui.com), and the default openssl.cnf adds no subjectAltName, which matters for the browser tests later.

[root@localhost tmp]# (umask 077;openssl req -newkey rsa:2048 -nodes -keyout /var/tmp/httpd.key -out /var/tmp/httpd.csr -days 365)
Generating a 2048 bit RSA private key
..+++
.............+++
writing new private key to '/var/tmp/httpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:FuJian
Locality Name (eg, city) [Default City]:FuZhou
Organization Name (eg, company) [Default Company Ltd]:yanhui
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.yanhui.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost tmp]# 

(2) Transfer the CSR to the CA host with a tool such as ftp, scp or rsync. Only the request leaves the web host; the private key stays where it was generated.

[root@localhost tmp]# scp -P22 -p /var/tmp/httpd.csr [email protected]:/var/tmp/
The authenticity of host '192.168.56.98 (192.168.56.98)' can't be established.
RSA key fingerprint is f7:2d:c2:e7:a5:0c:7b:4e:da:91:f8:65:9a:d4:5f:58.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.98' (RSA) to the list of known hosts.
[email protected]'s password: 
httpd.csr                                                                                                                        100% 1054     1.0KB/s   00:00    
[root@localhost tmp]# 

The following steps run on the CA host:
(1) Sign the request on the CA host, then let the web host download the certificate or push it over

[root@localhost tmp]# openssl ca -in /var/tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec  1 12:18:24 2018 GMT
            Not After : Dec  1 12:18:24 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = FuJian
            organizationName          = yanhui
            organizationalUnitName    = ops
            commonName                = www.yanhui.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B2:C8:5F:A0:34:F9:76:E6:57:0D:1C:1E:A3:1B:61:AF:27:7D:6A:E6
            X509v3 Authority Key Identifier: 
                keyid:97:FB:AE:F0:F5:B4:97:4D:BD:A0:00:E7:48:DB:3C:1C:1D:71:7D:68

Certificate is to be certified until Dec  1 12:18:24 2019 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

(2) Send the signed certificate to the web server (the file is 5862 bytes because openssl ca also writes the human-readable dump in front of the PEM block; httpd ignores that text, and -notext suppresses it)

[root@localhost tmp]# scp -P22 -p /etc/pki/CA/certs/httpd.crt [email protected]:/var/tmp/
The authenticity of host '192.168.56.96 (192.168.56.96)' can't be established.
RSA key fingerprint is 33:7f:49:19:73:6e:7a:f4:f1:36:23:e3:92:0e:8a:16.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.96' (RSA) to the list of known hosts.
[email protected]'s password: 
httpd.crt                                                                                                                        100% 5862     5.7KB/s   00:00    
[root@localhost tmp]# 
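The three steps above (self-signed CA, CSR on the web host, openssl ca signing) as one script that runs offline, added here as an example and not part of the original post. It assumes openssl is in PATH; LAB_CA_DIR, the lab_* function names and the minimal openssl.cnf it writes are made up for this lab and stand in for /etc/pki/CA and the distro's /etc/pki/tls/openssl.cnf. It differs from the post in three deliberate ways: 2048-bit keys to keep it fast, -batch/-notext so nothing prompts, and a subjectAltName on the server certificate, which current browsers require.

```shell
#!/bin/sh
# Added example (not code from the original post): the CA workflow of section III
# run end to end, non-interactively, in a scratch directory. Assumptions: openssl
# is in PATH; LAB_CA_DIR and the minimal openssl.cnf below stand in for
# /etc/pki/CA and /etc/pki/tls/openssl.cnf; 2048-bit keys keep the lab fast.
set -eu

LAB_CA_DIR="${LAB_CA_DIR:-$(mktemp -d)}"
CA_CFG="$LAB_CA_DIR/openssl.cnf"
CA_CN="ca.yanhui.com"
SERVER_FQDN="www.yanhui.com"

lab_ca_write_config() {
  # \$dir stays literal so OpenSSL expands it; the shell fills in the rest.
  cat > "$CA_CFG" <<EOF
[ ca ]
default_ca             = lab_ca
[ lab_ca ]
dir                    = $LAB_CA_DIR
database               = \$dir/index.txt
new_certs_dir          = \$dir/newcerts
serial                 = \$dir/serial
certificate            = \$dir/cacert.pem
private_key            = \$dir/private/cakey.pem
default_md             = sha256
default_days           = 365
policy                 = lab_policy
x509_extensions        = server_ext
copy_extensions        = none
[ lab_policy ]
organizationName       = optional
commonName             = supplied
[ req ]
distinguished_name     = req_dn
[ req_dn ]
commonName             = Common Name (hostname)
[ ca_ext ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$SERVER_FQDN
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

lab_ca_init() {
  mkdir -p "$LAB_CA_DIR/certs" "$LAB_CA_DIR/crl" "$LAB_CA_DIR/newcerts" \
           "$LAB_CA_DIR/private" "$LAB_CA_DIR/web"
  chmod 700 "$LAB_CA_DIR/private"
  : > "$LAB_CA_DIR/index.txt"          # empty database, as in the post
  echo 01 > "$LAB_CA_DIR/serial"       # first serial number
  lab_ca_write_config
  # Self-signed CA certificate plus key in one step (umask 077 => key is 0600).
  (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
     -config "$CA_CFG" -extensions ca_ext -subj "/O=yanhui/CN=$CA_CN" \
     -days 3650 -keyout "$LAB_CA_DIR/private/cakey.pem" -out "$LAB_CA_DIR/cacert.pem")
  chmod 644 "$LAB_CA_DIR/cacert.pem"   # the CA *certificate* is public; only the key is secret
}

# "web" stands in for the web host: key and CSR are made there, only the CSR goes to the CA.
lab_ca_issue_server_cert() {
  (umask 077; openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CA_CFG" \
     -subj "/O=yanhui/CN=$SERVER_FQDN" \
     -keyout "$LAB_CA_DIR/web/httpd.key" -out "$LAB_CA_DIR/web/httpd.csr")
  # -batch answers the two y/n prompts; -notext leaves out the text dump before the PEM.
  openssl ca -config "$CA_CFG" -batch -notext -days 365 \
     -in "$LAB_CA_DIR/web/httpd.csr" -out "$LAB_CA_DIR/web/httpd.crt"
}

# Chain check, SAN check and CA-flag check; prints "ok" only if all three pass.
lab_ca_verify() {
  openssl verify -CAfile "$LAB_CA_DIR/cacert.pem" "$LAB_CA_DIR/web/httpd.crt" >/dev/null || return 1
  openssl x509 -in "$LAB_CA_DIR/web/httpd.crt" -noout -text | grep -q "DNS:$SERVER_FQDN" || return 1
  openssl x509 -in "$LAB_CA_DIR/cacert.pem" -noout -text | grep -q "CA:TRUE" || return 1
  echo ok
}

# Permission string (first 10 characters of ls -l) so the 0600 rule on keys can be checked.
lab_ca_file_mode() { ls -ld "$1" | cut -c1-10; }

lab_ca_init
lab_ca_issue_server_cert
lab_ca_verify
openssl x509 -in "$LAB_CA_DIR/web/httpd.crt" -noout -subject -issuer -dates
# On a real setup, scp httpd.crt and cacert.pem to the web host next; httpd.key never leaves it.
```

Once the certificate is deployed, the equivalent check against the live server is openssl s_client -connect www.yanhui.com:443 -servername www.yanhui.com -CAfile cacert.pem; a correct setup prints "Verify return code: 0 (ok)", and a missing chain or a CN/SAN mismatch shows up there before any browser is involved.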

IV. Configure the httpd site and test access over https

(1) Enable the ssl module and un-comment the Include of httpd-ssl.conf

[root@localhost tmp]# ls -l /etc/httpd/modules/mod_ssl.so 
-rwxr-xr-x 1 root root 227928 Dec  1 18:19 /etc/httpd/modules/mod_ssl.so
[root@localhost tmp]# ls -ld /etc/httpd
drwxr-xr-x 4 root root 4096 Dec  1 18:48 /etc/httpd
[root@localhost tmp]# ls -l /etc/httpd
total 8
drwxr-xr-x 4 root root 4096 Dec  1 20:27 conf
drwxr-xr-x 2 root root 4096 Dec  1 18:18 conf.d
lrwxrwxrwx 1 root root   19 Dec  1 18:48 logs -> ../../var/log/httpd
lrwxrwxrwx 1 root root   29 Dec  1 18:48 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx 1 root root   13 Dec  1 18:48 run -> ../../var/run
[root@localhost tmp]# ls -l /usr/lib64/httpd/modules/mod_ssl.so 
-rwxr-xr-x 1 root root 227928 Dec  1 18:19 /usr/lib64/httpd/modules/mod_ssl.so

[root@localhost tmp]# grep -E 'mod_ssl|httpd-ssl' /etc/httpd/conf/httpd.conf 
LoadModule ssl_module lib64/httpd/modules/mod_ssl.so
Include /etc/httpd/conf/extra/httpd-ssl.conf
#       but a statically compiled-in mod_ssl.

(2) Create a directory for the certificate and private key

[root@localhost tmp]# mkdir -pv /etc/httpd/ssl_key
mkdir: created directory `/etc/httpd/ssl_key'
[root@localhost tmp]# ls -l /etc/httpd/ssl_key/
total 0
[root@localhost tmp]# cp -a /var/tmp/httpd.* /etc/httpd/ssl_key/
[root@localhost tmp]# ls -l
total 20
-rw-r--r--  1 root root 5862 Dec  1 20:18 httpd.crt
-rw-------  1 root root 1054 Dec  1 20:12 httpd.csr
-rw-------  1 root root 1704 Dec  1 20:12 httpd.key
drwx------. 2 root root 4096 Dec  1 18:40 yum-root-K6gOZI
PS: the ls -l above lists /var/tmp (the current directory), but because of cp -a the copies in /etc/httpd/ssl_key/ keep the same modes. Make sure the certificate is readable and that the private key is readable only by its owner (no execute bit, owner permissions only). httpd's master process runs as root and loads the key before the worker processes switch to the daemon user, so root:root 0600 on httpd.key is the correct setting; the CSR is not needed on the web server at all.

(3) Write the ssl configuration

#Create the document root for the ssl site, then write a simple test index page
[root@localhost html]# cd /var/www/
[root@localhost www]# ls
cgi-bin  error  html  icons  manual
[root@localhost www]# mkdir ssl_atop
[root@localhost www]# cat ssl_atop/index.html 
<html><body><h1>SSL test Successfully!</h1></body></html>

#Save a copy of the default template, empty the file, then fill in our own configuration
[root@localhost www]# cp /etc/httpd/conf/extra/httpd-ssl.conf{,.bak}
[root@localhost www]# >/etc/httpd/conf/extra/httpd-ssl.conf

[root@localhost www]# cat /etc/httpd/conf/extra/httpd-ssl.conf
Listen 443 https

<VirtualHost *:443>
DocumentRoot "/var/www/ssl_atop"
SSLEngine on
ServerName www.yanhui.com
SSLCertificateFile "/etc/httpd/ssl_key/httpd.crt"
SSLCertificateKeyFile "/etc/httpd/ssl_key/httpd.key"
#SSLCACertificateFile is only needed for client-certificate authentication (SSLVerifyClient); to send an intermediate chain, append it to httpd.crt or use SSLCertificateChainFile
<Directory "/var/www/ssl_atop">
    Require all granted
</Directory>
</VirtualHost>

#Note that emptying the template also dropped the SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder and SSLSessionCache lines shown in section II (2); without them mod_ssl falls back to its built-in defaults. For anything beyond a lab test keep those lines (at least SSLProtocol all -SSLv3 and a cipher list that excludes MD5, RC4 and 3DES).
#Because the domain name is made up, we add a name-to-IP mapping to /etc/hosts:
[root@localhost www]# echo "192.168.56.96 www.yanhui.com" >>/etc/hosts
[root@localhost www]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.96 www.yanhui.com

#Check the configuration syntax, then restart the service
[root@localhost www]# service httpd configtest
Syntax OK
[root@localhost www]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@localhost www]# ss -nltu
Netid State      Recv-Q Send-Q                                               Local Address:Port                                                 Peer Address:Port 
tcp   LISTEN     0      128                                                             :::80                                                             :::*     
tcp   LISTEN     0      128                                                             :::22                                                             :::*     
tcp   LISTEN     0      128                                                              *:22                                                              *:*     
tcp   LISTEN     0      100                                                            ::1:25                                                             :::*     
tcp   LISTEN     0      100                                                      127.0.0.1:25                                                              *:*     
tcp   LISTEN     0      128                                                             :::443                                                            :::*   
[root@localhost www]# ps aux|grep httpd
root       1779  0.0  0.3 107676  3660 ?        Ss   20:49   0:00 /usr/sbin/httpd
daemon     1781  0.0  0.4 452068  4892 ?        Sl   20:49   0:00 /usr/sbin/httpd
daemon     1782  0.0  0.4 452068  4896 ?        Sl   20:49   0:00 /usr/sbin/httpd
daemon     1783  0.0  0.4 452068  4896 ?        Sl   20:49   0:00 /usr/sbin/httpd
root       1867  0.0  0.0 103260   876 pts/1    S+   20:49   0:00 grep httpd

(4) Copy the CA certificate (cacert.pem, not httpd.crt) to a Windows machine and install it into the Trusted Root Certification Authorities store
If Windows does not recognise the .pem extension, rename the file to .crt.
(screenshots: certificate file properties)

Choose "Install Certificate" on the General tab:
(screenshots: certificate import wizard)

#The dialog above is a security warning asking whether to install a CA certificate whose origin cannot be verified. Because this is our own CA, we answer Yes. Keep in mind what this grants: any certificate signed with cakey.pem will now be trusted by this machine for any site name, so the CA private key has to be protected accordingly.

(screenshot: import result)

Once the import succeeds we are done with the CA side.

Then add a domain-to-IP mapping to the Windows hosts file:
Path: C:\Windows\System32\drivers\etc
(screenshot: hosts file entry)

Then test with Internet Explorer. Chrome and Firefox apply stricter checks and a self-built CA apparently does not pass them, so I used the bundled IE for the test. Two known causes are worth checking before blaming the browsers: Chrome ignores the Common Name and rejects a server certificate that carries no subjectAltName, even when the issuing CA is trusted, and Firefox keeps its own certificate store rather than using the Windows one, so the CA has to be imported into Firefox separately.

(screenshots: https://www.yanhui.com opened in IE with a trusted certificate)
