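Enabling HTTPS (secure HTTP) on a CentOS server

We usually reach websites over "http://", but content sent that way can be intercepted: it travels in plaintext, so it is unsafe for private data and passwords. More formal sites, and banking sites in particular, use "https://" wherever private information or important passwords are submitted, encrypting the transmitted content to protect users and keep private data from leaking.

Here I use mod_ssl to add HTTPS support to our server. (Environment: CentOS 5.5)

1. Install mod_ssl

Install mod_ssl online with yum.

[root@300second ~]# yum -y install mod_ssl      ← install mod_ssl online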

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: data.nicehosting.co.kr
 * extras: data.nicehosting.co.kr
 * updates: data.nicehosting.co.kr
addons                                                   |  951 B     00:00
addons/primary                                           |  202 B     00:00
http://data.nicehosting.co.kr/os/CentOS/5.7/os/i386/repodata/repomd.xml: [Errno 14] HTTP Error 403: Forbidden
Trying other mirror.
base                                                     | 1.1 kB     00:00
base/primary                                             | 961 kB     00:40
base                                                                  2705/2705
http://data.nicehosting.co.kr/os/CentOS/5.7/extras/i386/repodata/repomd.xml: [Errno 14] HTTP Error 403: Forbidden
Trying other mirror.
extras                                                   | 2.1 kB     00:00
extras/primary_db                                        | 156 kB     00:06
http://data.nicehosting.co.kr/os/CentOS/5.7/updates/i386/repodata/repomd.xml: [Errno 14] HTTP Error 403: Forbidden
Trying other mirror.
updates                                                  | 1.9 kB     00:00
updates/primary_db                                       | 290 kB     00:12
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.i386 1:2.2.3-53.el5.centos.3 set to be updated
--> Processing Dependency: httpd = 2.2.3-53.el5.centos.3 for package: mod_ssl
--> Processing Dependency: libdistcache.so.1 for package: mod_ssl
--> Processing Dependency: libnal.so.1 for package: mod_ssl
--> Running transaction check
---> Package distcache.i386 0:1.4.5-14.1 set to be updated
---> Package httpd.i386 0:2.2.3-53.el5.centos.3 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package         Arch       Version                         Repository     Size
================================================================================
Installing:
 mod_ssl         i386       1:2.2.3-53.el5.centos.3         updates        93 k
Installing for dependencies:
 distcache       i386       1.4.5-14.1                      base          119 k
Updating for dependencies:
 httpd           i386       2.2.3-53.el5.centos.3           updates       1.2 M

Transaction Summary
================================================================================
Install       2 Package(s)
Upgrade       1 Package(s)

Total download size: 1.4 M
Downloading Packages:
(1/3): mod_ssl-2.2.3-53.el5.centos.3.i386.rpm            |  93 kB     00:03
(2/3): distcache-1.4.5-14.1.i386.rpm                     | 119 kB     00:05
(3/3): httpd-2.2.3-53.el5.centos.3.i386.rpm              | 1.2 MB     00:53
--------------------------------------------------------------------------------
Total                                            23 kB/s | 1.4 MB     01:02
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID e8562897
updates/gpgkey                                           | 1.5 kB     00:00
Importing GPG key 0xE8562897 "CentOS-5 Key (CentOS 5 Official Signing Key) <centos-5-key@centos.org>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : distcache                                                1/4
  Updating       : httpd                                                    2/4
  Installing     : mod_ssl                                                  3/4
  Cleanup        : httpd                                                    4/4

Installed:
  mod_ssl.i386 1:2.2.3-53.el5.centos.3

Dependency Installed:
  distcache.i386 0:1.4.5-14.1

Dependency Updated:
  httpd.i386 0:2.2.3-53.el5.centos.3

Complete!

2. Configure mod_ssl on the HTTP server

[1] Create the server key

[root@300second ~]#  cd /etc/pki/tls/certs/  ← change to the directory that holds the server's TLS certificate files

[root@300second certs]#  make server.key  ← create the server key
umask 77 ; \
               /usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
................++++++
......++++++
e is 65537 (0x10001)
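Enter pass phrase:                      ← enter a passphrase here
Verifying - Enter pass phrase:   ← enter the passphrase again to confirm

[root@300second certs]#  openssl rsa -in server.key -out server.key  ← remove the passphrase from the key (so it is not asked for when the system starts; the key is then stored unencrypted and is protected only by file permissions)

Enter pass phrase for server.key:  ← enter the passphrase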
writing RSA key

[2] Create the certificate signing request (it carries the server's public key)

[root@300second certs]#  make server.csr  ← create the certificate signing request

umask 77 ; \
                /usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN  ← enter the country code
State or Province Name (full name) [Berkshire]:Fujian  ← enter the province
Locality Name (eg, city) [Newbury]:Quanzhou  ← enter the city
Organization Name (eg, company) [My Company Ltd]:www.51cto.com  ← enter the organization name (any value)
Organizational Unit Name (eg, section) []:  ← leave empty, just press Enter
Common Name (eg, your name or your server's hostname) []:www.51cto.com  ← enter the common name (any value; normally the hostname clients will use)
Email Address []:300second@163.com   ← enter an e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
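A challenge password []:  ← leave empty, just press Enter
An optional company name []:   ← leave empty, just press Enter

[3] Create the server certificate

[root@300second certs]#  openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365  ← create the server certificate (self-signed with server.key, valid for 365 days)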

Signature ok
subject=/C=CN/ST=Fujian/L=Quanzhou/O=www.51cto.com/CN=www.51cto.com/emailAddress=300second@163.com
Getting Private key

[root@300second certs]#  chmod 400 server.*    ← set the permissions to 400

[4] Configure SSL

[root@300second certs]#  vi /etc/httpd/conf.d/ssl.conf  ← edit the SSL configuration file

#DocumentRoot "/var/www/html"  ← find this line and remove the leading "#"
 ↓
DocumentRoot "/var/www/html"  ← it should now look like this

[5] Restart the HTTP service so that SSL takes effect

[root@300second certs]#  /etc/rc.d/init.d/httpd restart  ← restart the HTTP server

中止  httpd:                [ 肯定 ]
啓動 httpd:              [ 肯定]
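
Step [4] above only uncomments DocumentRoot, so it is worth confirming that ssl.conf really loads the server.pem and server.key created in step [3]. The check below is an added example, not part of the original article; the function names and both sample configs are constructed for illustration, and the "stock" sample assumes the package default of localhost.crt and localhost.key.

```shell
#!/bin/sh
# Added example: confirm which certificate/key pair ssl.conf really loads.

# Print the value of the last active (uncommented) occurrence of a directive.
# Simplification: assumes a single SSL virtual host, as in the stock file.
active_directive() {    # $1 = config file, $2 = directive name
    awk -v d="$2" '
        $1 ~ /^#/ { next }               # skip commented-out lines
        $1 == d   { val = $2 }           # a later occurrence overrides
        END { gsub(/"/, "", val); print val }' "$1"
}

# Return 0 when the config loads the expected certificate and key, else 1.
check_ssl_conf() {      # $1 = config, $2 = expected cert, $3 = expected key
    rc=0
    cert=$(active_directive "$1" SSLCertificateFile)
    key=$(active_directive "$1" SSLCertificateKeyFile)
    [ "$cert" = "$2" ] || { echo "SSLCertificateFile is '$cert', expected '$2'"; rc=1; }
    [ "$key" = "$3" ] || { echo "SSLCertificateKeyFile is '$key', expected '$3'"; rc=1; }
    return $rc
}

# Constructed sample configs (not copied from a real server).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/stock.conf" <<'EOF'
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF
cat > "$tmp/fixed.conf" <<'EOF'
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
SSLEngine on
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/server.pem
SSLCertificateKeyFile /etc/pki/tls/certs/server.key
</VirtualHost>
EOF

CERT=/etc/pki/tls/certs/server.pem
KEY=/etc/pki/tls/certs/server.key
check_ssl_conf "$tmp/stock.conf" "$CERT" "$KEY" || echo "stock.conf: generated certificate is not in use"
check_ssl_conf "$tmp/fixed.conf" "$CERT" "$KEY" && echo "fixed.conf: OK"
```

On a real server, pass /etc/httpd/conf.d/ssl.conf as the first argument to check_ssl_conf before restarting httpd.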

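3. Test SSL

Open a browser and enter "https://server IP address" or "https://your domain" in the address bar. If a window appears prompting you to install the server's security certificate (as shown below), the server now supports SSL.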