1. Background:
The web site has to be served over HTTPS. The plan is to put Apache in front of it as a reverse proxy and let Apache handle the HTTPS encryption of the transport.
2. Tools:
Operating system: Red Hat Enterprise Linux Server release 6.5 (Santiago)
Apache: httpd-2.4.39
openssl: openssl-devel-1.0.1e-57.el6.x86_64.rpm, openssl-1.0.1e-57.el6.x86_64.rpm (this build contains the Heartbleed fix)
3. Installation:
Building httpd requires apr, pcre and ssl. The configure invocation for httpd is:
./configure --prefix="/opt/apache2" --enable-so --enable-ssl --enable-headers --enable-proxy --with-ssl="/usr/bin" --with-apr=/usr/local/apr/ --with-apr-util=/usr/local/apr-util/ --with-pcre=/usr/local/pcre
The apr packages are available from http://archive.apache.org/dist/apr/.
pcre needs libtool and gcc-c++ installed before it can be built.
3.1) Installation steps
1) apr-1.4.2.tar.gz
tar -zxvf apr-1.4.2.tar.gz
cd apr-1.4.2
./configure
make
make install
2) apr-util-1.3.9.tar.gz
tar -zxvf apr-util-1.3.9.tar.gz
cd apr-util-1.3.9
./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
make
make install
3) gcc, g++ (if gcc and g++ are not installed yet, install them before building pcre)
The installation sequence is:
rpm -ivh ppl-0.10.2-11.el6.x86_64.rpm
rpm -ivh cloog-ppl-0.15.7-1.2.el6.x86_64.rpm
rpm -ivh mpfr-2.4.1-6.el6.x86_64.rpm
rpm -ivh cpp-4.4.7-4.el6.x86_64.rpm --force
rpm -ivh kernel-headers-2.6.32-431.el6.x86_64.rpm
rpm -ivh glibc-headers-2.12-1.132.el6.x86_64.rpm --force
rpm -ivh glibc-devel-2.12-1.132.el6.x86_64.rpm --force
rpm -ivh gcc-4.4.7-4.el6.x86_64.rpm --force
rpm -ivh libstdc++-devel-4.4.7-4.el6.x86_64.rpm
rpm -ivh gcc-c++-4.4.7-4.el6.x86_64.rpm
If a package conflicts with an installed one, the --force option forces the update. The packages can be found at http://vault.centos.org/6.5/os/x86_64/Packages/ and http://mirrors.yun-idc.com/centos/6.10/os/x86_64/Packages/.
4) pcre-8.36.tar.gz
tar -zxvf pcre-8.36.tar.gz
cd pcre-8.36
./configure --prefix=/usr/local/pcre
make
make install
5) httpd-2.4.39.tar.gz
tar -zxvf httpd-2.4.39.tar.gz
cd ./httpd-2.4.39
./configure --prefix="/opt/apache2" --enable-so --enable-ssl --enable-headers --enable-proxy --with-ssl="/usr/bin" --with-apr=/usr/local/apr/ --with-apr-util=/usr/local/apr-util/ --with-pcre=/usr/local/pcre
make
make install
3.2) Configure the SSL key
Create an ssl.key directory under /opt/apache2/conf:
#cd ../apache2/
#cd conf/
#mkdir ssl.key
Then generate the certificate inside that directory:
#cd ssl.key/
Generate the server private key:
#openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.......................++++++
.................................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: //password = abc123456@!
Verifying - Enter pass phrase for server.key: //enter the same password again to confirm
Generate the certificate signing request and fill in the certificate fields as prompted:
#openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: //the password from above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GuangDong
Locality Name (eg, city) []:GZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXXXXXXXXA
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:a.test.com
//the host name of the site that will use SSL. Note that this is not simply your domain: it is the exact site name that is served over SSL, e.g. pay.abc.com. Each host name counts as a separate site: abc.com is one site, www.abc.com is another, and pay.abc.com is yet another.
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:**********abc123456@!
An optional company name []:BAT
Sign the certificate (self-signed, with the server key):
# openssl x509 -req -days 700 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=AU/ST=Some-State/L=tyl/O=tz/OU=tz/CN=tyl/[email protected]
Getting Private key
Enter pass phrase for server.key: //enter the password chosen when the key was created
3.3) Configure httpd.conf and httpd-ssl.conf
httpd.conf is in the conf directory; httpd-ssl.conf is in the conf/extra/ directory.
cd /opt/apache2/conf
vi httpd.conf
################# main changes ######################
# uncomment these LoadModule lines
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule ssl_module modules/mod_ssl.so
# set this to match the local host (Apache does not allow a trailing comment on a directive line)
ServerName 127.0.0.1:80
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
#######################################
vi extra/httpd-ssl.conf
################# main changes ######################
# note the following directives (SSLv3 disabled, weak ciphers excluded, server cipher order enforced)
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
# change the following directives
# General setup for the virtual host
DocumentRoot "/opt/apache2/htdocs"
ServerName www.example.com:443
ServerAdmin [email protected]
ErrorLog "/opt/apache2/logs/error_log"
TransferLog "/opt/apache2/logs/access_log"
# the certificate and key were generated in conf/ssl.key above
SSLCertificateFile "/opt/apache2/conf/ssl.key/server.crt"
SSLCertificateKeyFile "/opt/apache2/conf/ssl.key/server.key"
#######################################
Then start the server:
cd ../bin
./httpd
Enter the SSL key pass phrase when prompted.
Notes:
Note: the pass phrase prompt for the certificate's private key at every start can be removed by writing the key out unencrypted:
#cd /opt/apache2/conf/ssl.key
#cp server.key server.key.secure
#openssl rsa -in server.key.secure -out server.key
server.key is then stored in plaintext on disk, so keep it readable by the owner only (chmod 600 server.key) and give server.key.secure the same treatment.
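The key and certificate steps of 3.2 together with the pass phrase removal above, as one added shell example (not code from the original post): it generates the key and self-signed certificate non-interactively from a small openssl config instead of the prompts, adds a subjectAltName for the host name (assumed to be a.test.com as in the CSR above), writes the key unencrypted but owner-readable only, and checks that the certificate really belongs to the key. The openssl.cnf layout, the output directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example: non-interactive equivalent of the openssl steps on this page.
set -e

# make_selfsigned_cert DIR HOST
# Writes DIR/server.key (unencrypted, mode 600) and DIR/server.crt (valid 700 days,
# the same lifetime used on the page) with CN and subjectAltName set to HOST.
make_selfsigned_cert() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # Hypothetical request config: replaces the interactive DN prompts.
  cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_srv
prompt = no
[dn]
C = CN
ST = GuangDong
L = GZ
O = Example
CN = $host
[v3_srv]
subjectAltName = DNS:$host
EOF
  # -nodes leaves the key unencrypted, which is what the final "openssl rsa" step achieves.
  openssl req -x509 -newkey rsa:2048 -nodes -days 700 \
    -config "$dir/openssl.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
  chmod 600 "$dir/server.key"   # plaintext key: owner-readable only
}

# cert_matches_key DIR -> exit status 0 when key and cert carry the same public key
cert_matches_key() {
  k=$(openssl rsa -noout -modulus -in "$1/server.key" | openssl md5)
  c=$(openssl x509 -noout -modulus -in "$1/server.crt" | openssl md5)
  [ "$k" = "$c" ]
}

# cert_san DIR -> prints the subjectAltName entry of the certificate, e.g. DNS:a.test.com
cert_san() {
  openssl x509 -noout -text -in "$1/server.crt" \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}
```

Run as `make_selfsigned_cert /opt/apache2/conf/ssl.key a.test.com && cert_matches_key /opt/apache2/conf/ssl.key` to produce the files httpd-ssl.conf points at and confirm they match.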