Setting up Apache with SSL (HTTPS) on Linux




Web server (192.168.4.3)

1. Web server configuration

Start the web service and write the page file index.html

[root@WEB ~]# yum -y install httpd

[root@WEB ~]# echo www.test.com > /var/www/html/index.html

[root@WEB ~]# systemctl start httpd

[root@WEB ~]# systemctl stop firewalld

Stopping firewalld is a lab shortcut. On a real host leave it running and allow only the http and https services (firewall-cmd --add-service) instead of dropping the whole packet filter.

[root@WEB ~]# netstat -pantu | grep httpd

tcp6       0      0 :::80                   :::*                    LISTEN      6016/httpd

The client resolves the name and reaches the web server

[root@test ~]# vim /etc/hosts

[root@test ~]# sed -n '3p' /etc/hosts

192.168.4.3 www.test.com

[root@test ~]# ping -c 2 www.test.com

PING www.test.com (192.168.4.3) 56(84) bytes of data.

64 bytes from www.test.com (192.168.4.3): icmp_seq=1 ttl=64 time=0.769 ms

64 bytes from www.test.com (192.168.4.3): icmp_seq=2 ttl=64 time=0.360 ms


Client test

[root@test ~]# firefox http://www.test.com


2. Create the private key file web.key

[root@WEB ~]# cd /etc/pki/tls/private/

[root@WEB private]# openssl genrsa 2048 > web.key

Because the key is written through a shell redirect it gets the shell's default umask, usually mode 0644, which leaves it world-readable. Restrict it to the owner (mode 0600) before going any further: anyone who can read web.key can impersonate the site.


3. Create the certificate signing request web.csr

[root@WEB private]# openssl req -new -key web.key > /root/web.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:beijing

Locality Name (eg, city) [Default City]:beijing

Organization Name (eg, company) [Default Company Ltd]:Xuenqlve

Organizational Unit Name (eg, section) []:ope

Common Name (eg, your name or your server's hostname) []:www.test.com

Email Address []:Xuenqlve@163.com


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Leave the challenge password empty; it is a legacy attribute that only complicates handling of the request. Note also that a request made this way carries no subjectAltName. Current browsers (Chrome since version 58, and other browsers have followed) no longer fall back to the Common Name when matching the host name, so a certificate signed from a CN-only request is rejected by them even after the CA is trusted. Put the names in a subjectAltName extension, for example with the -addext option of openssl req (OpenSSL 1.1.1 and later) or a req_extensions section in the OpenSSL config.


4. Upload the certificate request to the CA server (192.168.4.1)

[root@WEB private]# scp /root/web.csr 192.168.4.1:/root/



CA server (192.168.4.1)

The CA server itself is set up as described at http://www.javashuo.com/article/p-yhogusrk-kx.html

5. Review the certificate request and issue the certificate

[root@CA certs]# openssl ca -in /root/web.csr > web.crt

By default openssl ca writes a human-readable dump in front of the PEM block; mod_ssl tolerates it, but adding -notext gives a cleaner certificate file.

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 2 (0x2)

        Validity

            Not Before: Jan  5 05:15:56 2018 GMT

            Not After : Jan  5 05:15:56 2019 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = beijing

            organizationName          = Xuenqlve

            organizationalUnitName    = ope

            commonName                = www.test.com

            emailAddress              = Xuenqlve@163.com

        X509v3 extensions:

            X509v3 Basic Constraints: 

                CA:FALSE

            Netscape Comment: 

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier: 

                85:43:06:A3:7E:41:E5:15:AC:2C:ED:80:81:37:FE:BD:5F:5F:A1:8C

            X509v3 Authority Key Identifier: 

                keyid:87:06:18:98:79:53:0E:26:0A:91:2D:B9:93:8A:C3:86:2B:CC:DF:E7


Certificate is to be certified until Jan  5 05:15:56 2019 GMT (365 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated



[root@CA certs]# cat ../index.txt

V	190105051556Z		01	unknown	/C=CN/ST=beijing/O=Xuenqlve/OU=ope/CN=www.test.com/emailAddress=Xuenqlve@163.com

(The database is tab-separated: status, V for valid; expiry date; revocation date, empty here; serial number; file name; subject DN.)

[root@CA certs]# cat ../serial

02


6. Send the certificate to the web server (192.168.4.3)

[root@CA certs]# scp web.crt 192.168.4.3:/tmp/





7. Configure the service to load the private key and the certificate

[root@WEB ~]# yum -y install mod_ssl.x86_64

[root@WEB ~]# vim /etc/httpd/conf.d/ssl.conf 

[root@WEB ~]# sed -n '100p;107p' /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/web.crt

SSLCertificateKeyFile /etc/pki/tls/private/web.key

The same <VirtualHost _default_:443> block in ssl.conf has a commented-out ServerName line; set it to www.test.com:443 so that the name the server announces matches the name in the certificate.

[root@WEB ~]# cp /tmp/web.crt /etc/pki/tls/certs/web.crt

[root@WEB ~]# systemctl restart httpd

[root@WEB ~]# netstat -pantu | grep httpd

tcp6       0      0 :::80                   :::*                    LISTEN      6459/httpd          

tcp6       0      0 :::443                  :::*                    LISTEN      6459/httpd   

Client test

[root@test ~]# firefox https://www.test.com

[screenshot: https1.jpg]

Click 'I Understand the Risks' ----> click 'Add Exception'

[screenshot: https2.jpg]

Click 'Confirm Security Exception'

[screenshot: https3.jpg]

After that the page loads normally.

[screenshot: https4.jpg]

Under Certificate Manager --- Servers the exception just added is listed.

[screenshot: https7.jpg]

This is only a temporary workaround: the exception is stored per host and per browser profile, and it trains users to click through certificate warnings. The proper fix is to make the client trust the CA that signed web.crt, which is the next step.




8. Download and install the root certificate

[root@test ~]# wget http://192.168.4.1/ca/my-ca.crt

--2018-01-05 01:15:07--  http://192.168.4.1/ca/my-ca.crt

Connecting to 192.168.4.1:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1424 (1.4K)

Saving to: 'my-ca.crt'


100%[===================================================================>] 1,424       --.-K/s   in 0s      


2018-01-05 01:15:07 (66.0 MB/s) - 'my-ca.crt' saved [1424/1424]

The file arrives over plain HTTP, so anyone on the path could swap in their own CA and later impersonate any site to this client. Before importing it, compare its SHA-256 fingerprint (openssl x509 -noout -fingerprint -sha256) with the value read directly on the CA host. To mark the certificate as trusted in the browser, follow the steps at http://www.javashuo.com/article/p-yhogusrk-kx.html. Firefox keeps its own trust store; for curl, wget and other OpenSSL-based tools on CentOS 7, copy my-ca.crt to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust.

View the certificate details

[screenshot: https5.jpg]

[screenshot: https6.jpg]
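The whole key, request, signature, install and trust path of steps 2 to 8 can be rehearsed on one machine before the real CA is involved. The script below is an added example, not code from the original post: it creates a throwaway CA standing in for 192.168.4.1, a server key and request for www.test.com that carries a subjectAltName, signs the request, and then runs the checks worth doing on the web server before restarting httpd: key file permissions, key/certificate match, verification against the CA certificate the clients will install, presence of the host name in the SAN, and remaining validity. Signing uses openssl x509 -req -CA instead of the post's openssl ca so that no CA database is needed. The config file, the $WORK directory and the extra names DNS:test.com and IP:192.168.4.3 are assumptions of the example; it needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not code from the original post. Rehearses steps 2-8 on one
# machine: a throwaway CA stands in for the CA server at 192.168.4.1, the
# request carries a subjectAltName, and the functions at the bottom are the
# checks worth running before `systemctl restart httpd`.
# Assumptions: OpenSSL 1.1.1 or newer on PATH; $WORK, the config file name and
# the extra names DNS:test.com and IP:192.168.4.3 are made up for the example.
# Signing uses `openssl x509 -req -CA` rather than the post's `openssl ca`
# so that no CA database (index.txt, serial) is required.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/lab.cnf"
CA_KEY="$WORK/my-ca.key"; CA_CRT="$WORK/my-ca.crt"
WEB_KEY="$WORK/web.key"; WEB_CSR="$WORK/web.csr"; WEB_CRT="$WORK/web.crt"
FQDN="www.test.com"

# One config for both certificates. srv_ext is what the CA applies when
# signing; the SAN is mandatory for current browsers, which ignore the CN.
cat >"$CNF" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN,DNS:test.com,IP:192.168.4.3
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Throwaway CA: self-signed, CA:TRUE, 10 years.
make_ca() {
    openssl req -x509 -new -config "$CNF" -extensions ca_ext \
        -newkey rsa:2048 -nodes -keyout "$CA_KEY" -out "$CA_CRT" \
        -days 3650 -subj "/C=CN/O=Xuenqlve/CN=my-ca"
}

# Steps 2 and 3: key created under umask 077 (mode 0600 from the start, unlike
# `openssl genrsa 2048 > web.key`, which inherits the default 0644) and CSR.
make_key_and_csr() {
    ( umask 077 && openssl genrsa -out "$WEB_KEY" 2048 2>/dev/null )
    openssl req -new -config "$CNF" -key "$WEB_KEY" -out "$WEB_CSR" \
        -subj "/C=CN/ST=beijing/L=beijing/O=Xuenqlve/OU=ope/CN=$FQDN"
}

# Step 5: sign for 365 days with the server extensions from srv_ext.
sign_csr() {
    openssl x509 -req -in "$WEB_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" \
        -CAcreateserial -days 365 -extfile "$CNF" -extensions srv_ext \
        -out "$WEB_CRT" 2>/dev/null
}

# ---- checks for step 7, run on the web server before restarting httpd ----

# Group and others must have no access to the private key.
key_is_private() {
    [ "$(ls -l "$WEB_KEY" | cut -c5-10)" = "------" ]
}

# Public key inside web.crt must be the one derived from web.key; otherwise
# httpd fails at startup with "certificate does not match private key".
key_matches_cert() {
    [ "$(openssl x509 -in "$WEB_CRT" -noout -pubkey)" = \
      "$(openssl pkey -in "$WEB_KEY" -pubout)" ]
}

# The certificate must verify against the CA file clients install in step 8.
chain_verifies() {
    openssl verify -CAfile "$CA_CRT" "$WEB_CRT" >/dev/null 2>&1
}

# The host name users type must be present as a DNS entry in the SAN.
san_contains() {
    openssl x509 -in "$WEB_CRT" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -q "DNS:$1"
}

# Fails once the certificate is within $1 days of its Not After date.
valid_for_days() {
    openssl x509 -in "$WEB_CRT" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

make_ca && make_key_and_csr && sign_csr
for check in key_is_private key_matches_cert chain_verifies \
             "san_contains $FQDN" "valid_for_days 30"; do
    if $check; then echo "ok   $check"; else echo "FAIL $check"; fi
done
```

Each check prints ok or FAIL. On the real web server the same functions can be reused with WEB_KEY and WEB_CRT pointing at /etc/pki/tls/private/web.key and /etc/pki/tls/certs/web.crt and CA_CRT at the downloaded my-ca.crt; valid_for_days is also the one to put in a cron job so that a renewal is scheduled before the 365 days run out.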



9. Change the configuration so that a user arriving over http is redirected to https

[root@WEB certs]# vim /etc/httpd/conf/httpd.conf 

[root@WEB certs]# tail -7 /etc/httpd/conf/httpd.conf

<IfModule ssl_module>

    SSLRandomSeed  startup  builtin

    SSLRandomSeed  connect  builtin

</IfModule>

RewriteEngine  on

RewriteCond  %{SERVER_PORT}  !^443$

RewriteRule  ^/?(.*)  https://%{SERVER_NAME}/$1  [R=301,L]

RewriteEngine on enables mod_rewrite, which CentOS 7 loads by default; the RewriteCond restricts the rule to requests that did not arrive on port 443; the RewriteRule rewrites the requested URL to the same path over https and sends the client a redirect. Rules in the main server context are not inherited by the VirtualHost in ssl.conf, so the 443 side never sees them and cannot loop.

Four details matter here. httpd does not accept a trailing # comment on a directive line, so explanations must go on lines of their own or the server refuses to start. In server (httpd.conf) context the pattern is matched against the URL path including its leading slash, so a bare (.*) would produce https://www.test.com//index.html; ^/?(.*) drops the slash. [R] on its own is a 302; R=301 tells clients and caches that the move is permanent, and L stops further rule processing. Finally, with the default UseCanonicalName Off, %{SERVER_NAME} is taken from the client's Host header and otherwise from ServerName; set ServerName www.test.com in httpd.conf so the redirect target is predictable, or use %{HTTP_HOST} if the server answers to several names.
