Installing Apache httpd with SSL, and fixing the OpenSSL Heartbleed vulnerability

1. Background:

The web site needs to be served over HTTPS; the plan is to put Apache in front as a reverse proxy and use HTTPS to encrypt the transport.

2. Tools:

Operating system: Red Hat Enterprise Linux Server release 6.5 (Santiago)

Apache: httpd-2.4.39

openssl: openssl-devel-1.0.1e-57.el6.x86_64.rpm, openssl-1.0.1e-57.el6.x86_64.rpm (this build carries the Heartbleed fix)
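To confirm that a host really runs a build at or above the one listed here, the following added Python script (my own, not part of the original post) compares `rpm -q openssl openssl-devel` output against the package name above. It uses a simplified re-implementation of rpm's version comparison; the sample output, the threshold constant and the `has_fix`, `rpmvercmp` and `audit` names are constructed for this example. The vendor erratum may have shipped the fix in an earlier release than the build this post names, so a lower release means "check the erratum", not necessarily "vulnerable".

```python
"""Verify that the installed openssl RPMs are at least the build this post
names as carrying the Heartbleed fix.

Added example, not part of the original post. rpm's own comparison
(rpmvercmp) is re-implemented here in simplified form: each string is cut
into numeric and alphabetic segments, segments are compared pairwise
(numbers as integers, letters as strings, a number outranking letters), and
a string with segments left over is the newer one.
"""
import re

# The package build this post lists as fixed; used as the threshold.
FIXED_BUILD = "openssl-1.0.1e-57.el6.x86_64"

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def split_nvra(nvra):
    """Split 'name-version-release.arch' (optionally ending in .rpm) into
    (name, version, release), with the architecture removed."""
    base = nvra[:-4] if nvra.endswith(".rpm") else nvra
    name, version, release_arch = base.rsplit("-", 2)
    release = release_arch.rsplit(".", 1)[0]
    return name, version, release


def rpmvercmp(a, b):
    """Return -1, 0 or 1 according to whether a is older, equal or newer than b."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # a numeric segment is newer
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def has_fix(installed, fixed=FIXED_BUILD):
    """True when `installed` is the same version-release as `fixed` or newer."""
    _, iv, ir = split_nvra(installed)
    _, fv, fr = split_nvra(fixed)
    c = rpmvercmp(iv, fv) or rpmvercmp(ir, fr)
    return c >= 0


# Constructed sample of `rpm -q openssl openssl-devel` output on a box where
# only openssl-devel was updated.
SAMPLE_RPM_Q = """openssl-1.0.1e-15.el6.x86_64
openssl-devel-1.0.1e-57.el6.x86_64
"""


def audit(rpm_q_output):
    """Map each package line to True (at/after the fixed build) or False."""
    return {pkg: has_fix(pkg) for pkg in rpm_q_output.split()}


if __name__ == "__main__":
    for pkg, ok in audit(SAMPLE_RPM_Q).items():
        print(pkg, "OK" if ok else "older than the build this post names; check the vendor erratum")
```

Both the runtime package and openssl-devel should be checked: httpd links against the library at runtime, but mod_ssl was compiled against the headers of openssl-devel.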


3. Installation procedure:

Building httpd requires apr, pcre and ssl. The configure line used for httpd is given below. (Note that --with-ssl expects the OpenSSL installation prefix, not the directory holding the openssl binary; because the openssl-devel RPM puts the headers under /usr/include, configure still finds the system OpenSSL with the value used here.)

./configure --prefix="/opt/apache2" --enable-so --enable-ssl --enable-headers --enable-proxy --with-ssl="/usr/bin" --with-apr=/usr/local/apr/ --with-apr-util=/usr/local/apr-util/ --with-pcre=/usr/local/pcre

The apr source package can be obtained from http://archive.apache.org/dist/apr/.

Building pcre requires libtool and gcc-c++ to be installed first.

3.1) Build steps

1) apr-1.4.2.tar.gz

tar -zxvf apr-1.4.2.tar.gz
cd apr-1.4.2
./configure
make
make install

2) apr-util-1.3.9.tar.gz

tar -zxvf apr-util-1.3.9.tar.gz
cd apr-util-1.3.9
./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
make
make install

3) gcc, g++ (if gcc and g++ are not installed yet, install them before building pcre)

The installation sequence is as follows:

rpm -ivh ppl-0.10.2-11.el6.x86_64.rpm
rpm -ivh cloog-ppl-0.15.7-1.2.el6.x86_64.rpm
rpm -ivh mpfr-2.4.1-6.el6.x86_64.rpm
rpm -ivh cpp-4.4.7-4.el6.x86_64.rpm --force
rpm -ivh kernel-headers-2.6.32-431.el6.x86_64.rpm
rpm -ivh glibc-headers-2.12-1.132.el6.x86_64.rpm --force
rpm -ivh glibc-devel-2.12-1.132.el6.x86_64.rpm --force
rpm -ivh gcc-4.4.7-4.el6.x86_64.rpm --force
rpm -ivh libstdc++-devel-4.4.7-4.el6.x86_64.rpm
rpm -ivh gcc-c++-4.4.7-4.el6.x86_64.rpm

If a conflict is reported, the --force option can be used to force the update. The packages can be found at http://vault.centos.org/6.5/os/x86_64/Packages/ and http://mirrors.yun-idc.com/centos/6.10/os/x86_64/Packages/.

4) pcre-8.36.tar.gz

tar -zxvf pcre-8.36.tar.gz
cd pcre-8.36
./configure --prefix=/usr/local/pcre
make
make install

5) httpd-2.4.39.tar.gz

tar -zxvf httpd-2.4.39.tar.gz
cd ./httpd-2.4.39
./configure --prefix="/opt/apache2" --enable-so --enable-ssl --enable-headers --enable-proxy --with-ssl="/usr/bin" --with-apr=/usr/local/apr/ --with-apr-util=/usr/local/apr-util/ --with-pcre=/usr/local/pcre
make
make install

3.2) Generating the SSL key and certificate

Create an ssl.key directory under /opt/apache2/conf:
#cd ../apache2/
#cd conf/
#mkdir ssl.key
Then generate the certificate in that directory:
#cd ssl.key/
Generate the server private key (the post uses a 1024-bit key; 2048 bits is the usual minimum today):
#openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.......................++++++
.................................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: // password = abc123456@!
Verifying - Enter pass phrase for server.key: // repeat the same password
Generate the certificate signing request and fill in the certificate details as prompted:
#openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: // the password set above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GuangDong
Locality Name (eg, city) []:GZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXXXXXXXXA
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:a.test.com // the hostname of the site that uses SSL. Note that this is not simply your domain but the exact name of the site served over SSL, e.g. pay.abc.com: abc.com is one site, www.abc.com is another, and pay.abc.com is yet another.
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:**********abc123456@!
An optional company name []:BAT

Sign the certificate (self-signed):
# openssl x509 -req -days 700 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=AU/ST=Some-State/L=tyl/O=tz/OU=tz/CN=tyl/[email protected]
Getting Private key
Enter pass phrase for server.key: // enter the password chosen when the key was created


3.3) Configuring httpd.conf and httpd-ssl.conf

httpd.conf is in the conf directory; httpd-ssl.conf is in conf/extra/.

cd /opt/apache2/conf

vi httpd.conf

################# main changes ######################

# uncomment the following LoadModule lines

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule ssl_module modules/mod_ssl.so

# set this to your own host (httpd does not accept a trailing comment on a directive line)
ServerName 127.0.0.1:80

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf

#######################################

vi extra/httpd-ssl.conf

################# main changes ######################

# note the following items

SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

SSLHonorCipherOrder on

SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

SSLPassPhraseDialog  builtin

# modify the following items

#   General setup for the virtual host
DocumentRoot "/opt/apache2/htdocs"
ServerName www.example.com:443
ServerAdmin [email protected]
ErrorLog "/opt/apache2/logs/error_log"
TransferLog "/opt/apache2/logs/access_log"

SSLCertificateFile "/opt/apache2/conf/ssl.key/server.crt"

SSLCertificateKeyFile "/opt/apache2/conf/ssl.key/server.key"

#######################################
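Whether the shipped SSLCipherSuite, SSLHonorCipherOrder and SSLProtocol lines are left active or commented out, what counts is the directive values in effect once the file is saved. The following added Python checker (my own code, not from the post or from the httpd project) reads an httpd-ssl.conf fragment, ignores commented lines, and flags SSLv3 still being offered, no cipher restriction, server-side cipher ordering off, and certificate or key paths that do not exist on disk. The directive names are mod_ssl's own; the sample fragment, the `GENERATED_FILES` set and the `audit_ssl_conf` / `active_directives` / `protocol_allows_sslv3` names are constructed for this example.

```python
"""Audit the active mod_ssl directives in an httpd-ssl.conf fragment.

Added example, not part of the original post or of the httpd project.
Only uncommented lines count, since a commented directive has no effect;
the sample configuration and file list below are constructed.
"""
import os
import shlex

# The exclusions the shipped httpd-ssl.conf carries
# (SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES).
EXPECTED_EXCLUSIONS = ("!MD5", "!RC4", "!3DES")


def active_directives(conf_text):
    """Return {directive_name_lowercased: [args...]} for the uncommented lines.
    Apache directive names are case-insensitive; a later line overrides an earlier one."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        found[parts[0].lower()] = parts[1:]
    return found


def protocol_allows_sslv3(args):
    """Evaluate an SSLProtocol argument list left to right the way mod_ssl does:
    a bare name or +name enables a protocol, -name disables it, and 'all'
    expands to every protocol the build knows (SSLv3 and the TLS versions)."""
    all_protocols = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
    enabled = set()
    for tok in args:
        disable = tok.startswith("-")
        name = tok.lstrip("+-").lower()
        names = all_protocols if name == "all" else {name}
        enabled = enabled - names if disable else enabled | names
    return "sslv3" in enabled


def audit_ssl_conf(conf_text, file_exists=os.path.isfile):
    """Return a list of findings; an empty list means nothing was flagged."""
    d = active_directives(conf_text)
    findings = []

    proto = d.get("sslprotocol")
    if proto is None:
        findings.append("SSLProtocol not set explicitly; the build default applies")
    elif protocol_allows_sslv3(proto):
        findings.append("SSLProtocol still offers SSLv3")

    ciphers = d.get("sslciphersuite")
    if ciphers is None:
        findings.append("SSLCipherSuite not set; OpenSSL's default cipher list applies")
    else:
        tokens = {t.upper() for t in ":".join(ciphers).split(":")}
        missing = [x for x in EXPECTED_EXCLUSIONS if x not in tokens]
        if missing:
            findings.append("SSLCipherSuite does not exclude " + ", ".join(missing))

    if [a.lower() for a in d.get("sslhonorcipherorder", [])] != ["on"]:
        findings.append("SSLHonorCipherOrder is not on")

    for name in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        args = d.get(name.lower())
        if not args:
            findings.append(name + " is missing")
        elif not file_exists(args[0]):
            findings.append(name + " points at a file that does not exist: " + args[0])
    return findings


# Constructed fragment mirroring the edits in the post, with the cipher lines
# commented out and SSLCertificateFile pointing at conf/ instead of the
# conf/ssl.key/ directory the key and certificate were generated in.
SAMPLE_CONF = """\
#SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
#SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLPassPhraseDialog  builtin
<VirtualHost _default_:443>
DocumentRoot "/opt/apache2/htdocs"
ServerName www.example.com:443
SSLEngine on
SSLCertificateFile "/opt/apache2/conf/server.crt"
SSLCertificateKeyFile "/opt/apache2/conf/ssl.key/server.key"
</VirtualHost>
"""

# Constructed view of the files that exist on the box after section 3.2.
GENERATED_FILES = {
    "/opt/apache2/conf/ssl.key/server.crt",
    "/opt/apache2/conf/ssl.key/server.key",
}

if __name__ == "__main__":
    for finding in audit_ssl_conf(SAMPLE_CONF, GENERATED_FILES.__contains__):
        print("FINDING:", finding)
```

On a real host call `audit_ssl_conf(open("/opt/apache2/conf/extra/httpd-ssl.conf").read())` and let the default `os.path.isfile` do the file check; a clean run returns an empty list.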

Then start the server:

cd ../bin

./httpd

Enter the SSL key pass phrase when prompted.

Remarks:

Note: the prompt for the private key pass phrase at every start can be removed as follows:

#cd /opt/apache2/conf/ssl.key

#cp server.key  server.key.secure 

#openssl rsa -in server.key.secure  -out server.key
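Once the pass phrase is stripped, server.key sits on disk in the clear and only file permissions protect it. The following added Python check (my own, not from the post) tells an encrypted traditional-format PEM key (the `Proc-Type: 4,ENCRYPTED` header that `openssl genrsa -des3` writes) from a plain one, flags a plain key that is readable by group or others, and then tightens the mode. The PEM samples are constructed placeholders containing no key material, and `key_file_findings`, `harden` and `write_sample` are names chosen for this example.

```python
"""Check a mod_ssl private key once its pass phrase has been stripped.

Added example, not part of the original post. The PEM bodies below are
constructed placeholders, not real key material.
"""
import os
import stat
import tempfile

# What `openssl genrsa -des3` writes: a traditional-format PEM key with an
# encryption header. `openssl rsa -in ... -out ...` drops that header.
ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

(constructed placeholder, not real key material)
-----END RSA PRIVATE KEY-----
"""

PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder, not real key material)
-----END RSA PRIVATE KEY-----
"""


def pem_is_encrypted(pem_text):
    """True if the key is still pass-phrase protected: traditional PEM marks
    this with a Proc-Type: 4,ENCRYPTED header, PKCS#8 with its own BEGIN line."""
    text = pem_text.lstrip()
    return (text.startswith("-----BEGIN ENCRYPTED PRIVATE KEY-----")
            or "Proc-Type: 4,ENCRYPTED" in text)


def key_file_findings(path):
    """Report why the key at `path` needs attention (empty list: nothing found)."""
    findings = []
    with open(path) as f:
        if pem_is_encrypted(f.read()):
            return findings          # still pass-phrase protected
    findings.append("key is stored without a pass phrase")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("unencrypted key is accessible to group/others (mode %o)" % mode)
    return findings


def harden(path):
    """Restrict the key to owner read/write, the only protection left once
    the pass phrase is gone, and return the resulting mode."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_sample(pem_text, mode):
    """Write constructed PEM text to a temporary file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".key")
    with os.fdopen(fd, "w") as f:
        f.write(pem_text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for label, text in (("encrypted", ENCRYPTED_KEY), ("plain", PLAIN_KEY)):
        path = write_sample(text, 0o644)
        print(label, key_file_findings(path))
        if not pem_is_encrypted(text):
            print("after harden: mode %o ->" % harden(path), key_file_findings(path))
        os.remove(path)
```

Run `key_file_findings("/opt/apache2/conf/ssl.key/server.key")` after the steps above; the same applies to the server.key.secure copy and to any backup of the conf directory, since each holds the same key.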

