Apache httpd国密支持

Apache httpd国密支持

简介

GMSSL提供国密版OpenSSL,可为Apache httpd提供国密支持:支持单向/双向认证,并可在标准SSL与国密SSL之间自适应。
国密OpenSSL库基于OpenSSL实现,OpenSSL的许可协议是Apache License V2.0。

运行环境

Centos7 x86_64
Apache httpd-2.4.46(本文使用的版本;部署前请查阅Apache httpd官方安全公告,确认该版本是否仍满足所需的安全修复要求)

下载:参见“国密web服务器下载”

编译部署

1)下载gmssl_openssl_1.1_b4.tar.gz到/root/下(该包解压后会被直接链接进httpd的TLS实现,请只从发布方的官方渠道获取;若发布方提供了校验值,先核对再解压)

[root@localhost ~]# ls
gmssl_openssl_1.1_b4.tar.gz

2)解压

[root@localhost ~]# tar xf gmssl_openssl_1.1_b4.tar.gz -C /usr/local/

3)安装依赖包

[root@localhost ~]# yum -y install pcre-devel expat-devel gcc

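4)安装apr

说明:下面的apr、apr-util、httpd源码包均从镜像站下载。解压编译前,请从Apache官方站点获取对应的.sha256校验文件或.asc签名,用sha256sum(或gpg --verify)核对压缩包,确认其未被篡改。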

[root@localhost ~]# wget https://mirrors.bfsu.edu.cn/apache/apr/apr-1.7.0.tar.gz
[root@localhost ~]# tar xf apr-1.7.0.tar.gz 
[root@localhost ~]# cd apr-1.7.0/
[root@localhost apr-1.7.0]# ./configure --prefix=/usr/local/apr/apr
[root@localhost apr-1.7.0]# make install

5)安装apr-util

[root@localhost ~]# cd
[root@localhost ~]# wget https://mirrors.bfsu.edu.cn/apache//apr/apr-util-1.6.1.tar.gz
[root@localhost ~]# tar xf apr-util-1.6.1.tar.gz 
[root@localhost ~]# cd apr-util-1.6.1
[root@localhost apr-util-1.6.1]# ./configure --prefix=/usr/local/apr/util --with-apr=/usr/local/apr/apr
[root@localhost apr-util-1.6.1]# make install 

6)安装httpd

[root@localhost ~]# cd
[root@localhost ~]# wget https://mirrors.tuna.tsinghua.edu.cn/apache//httpd/httpd-2.4.46.tar.gz
[root@localhost ~]# tar xf httpd-2.4.46.tar.gz 
[root@localhost ~]# cd httpd-2.4.46/
[root@localhost httpd-2.4.46]# ./configure \
--prefix=/usr/local/httpd \
--enable-so --enable-ssl \
--enable-cgi \
--enable-rewrite \
--enable-modules=most \
--enable-mpms-shared=all \
--with-mpm=prefork \
--with-zlib \
--with-apr=/usr/local/apr/apr \
--with-apr-util=/usr/local/apr/util \
--with-ssl=/usr/local/gmssl \
LDFLAGS=-lm
[root@localhost httpd-2.4.46]# vim build/config_vars.mk 
找到这一行:ab_LIBS = -L/usr/local/gmssl/lib -lssl -lcrypto -lrt -lcrypt -lpthread -ldl
将其中的 -L/usr/local/gmssl/lib -lssl -lcrypto
替换为 /usr/local/gmssl/lib/libssl.a /usr/local/gmssl/lib/libcrypto.a
[root@localhost httpd-2.4.46]# make install 

#直接部署(使用预编译包,不经过上面的编译步骤;预编译的二进制无法从源码审查,请确认下载来源可信,若发布方提供了校验值请先核对)

[root@localhost ~]# wget -O gmssl_httpd_2.4.46_b8.tar.gz "https://gmssl.cn/gmssl/Tool_Down?File=gmssl_httpd_2.4.46_b8.tar.gz"
[root@localhost ~]# tar xf gmssl_httpd_2.4.46_b8.tar.gz -C /usr/local

7)配置示例(国密/RSA单向自适应)

#配置/usr/local/httpd/conf/httpd.conf
[root@localhost httpd-2.4.46]# vim /usr/local/httpd/conf/httpd.conf
取消以下行的注释:
LoadModule ssl_module modules/mod_ssl.so
取消以下行的注释:
Include conf/extra/httpd-ssl.conf

#配置/usr/local/httpd/conf/extra/httpd-ssl.conf
[root@localhost httpd-2.4.46]# vim /usr/local/httpd/conf/extra/httpd-ssl.conf
SSLCipherSuite ECC-SM4-CBC-SM3:ECDHE-SM4-GCM-SM3

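SSLCertificateFile "/usr/local/httpd/conf/extra/demo1.sm2.sig.crt.pem"
SSLCertificateKeyFile "/usr/local/httpd/conf/extra/demo1.sm2.sig.key.pem"
SSLCertificateFile "/usr/local/httpd/conf/extra/demo1.sm2.enc.crt.pem"
SSLCertificateKeyFile "/usr/local/httpd/conf/extra/demo1.sm2.enc.key.pem"

说明:
- demo1.* 是演示用的证书和私钥,仅适合测试;正式环境应换成由CA签发的SM2签名证书与加密证书(双证书)。
- 私钥文件(*.key.pem)应限制为仅root可读,例如 chmod 600,避免被其他本地用户读取。
- 上面只列出了国密套件和SM2证书;标题所说的RSA自适应所需的RSA证书与套件,本文未给出。
- ECC-SM4-CBC-SM3 使用加密证书进行密钥交换,不提供前向保密;若客户端支持,可考虑优先使用 ECDHE-SM4-GCM-SM3。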
