Configuring HTTPS Support for the Apache Service
Supplementary exercise: Case requirements
1. Add HTTPS protocol support to the httpd server that was installed from source, to improve security.
2. When a client accesses the site over HTTP, it is automatically redirected to HTTPS.
Background
HTTPS stands for Hyper Text Transfer Protocol Secure. HTTPS places SSL (Secure Sockets Layer) beneath the HTTP application layer and encrypts the otherwise plaintext HTTP traffic, so that sensitive information cannot be captured or eavesdropped on; this is why HTTPS is common for online banking, secure webmail and similar Web access scenarios.
1. Confirm that the openssl package is installed on the system; it is used to generate the server certificate
# rpm -qa | grep openssl
openssl-0.9.8e-12.el5_4.6
openssl-devel-0.9.8e-12.el5_4.6
2. Confirm that the ssl and rewrite support options were enabled when the httpd package was compiled
# ./configure --prefix=/usr/local/httpd --enable-so --enable-rewrite --enable-charset-lite --enable-cgi --with-ssl=/usr/lib --enable-ssl
# make
# make install
3. Generate the KEY (private key) file and issue the CRT certificate
To keep the exercise simple, the localhost.crt and localhost.key files that ship with RHEL5 can be used directly:
# cd /etc/pki/tls/
# cp certs/localhost.crt /usr/local/httpd/conf/server.crt
# cp private/localhost.key /usr/local/httpd/conf/server.key
Alternatively, the openssl tool can be used to generate a new key and certificate:
# cd /usr/local/httpd/conf/
# openssl genrsa -out server.key 1024 // generate the server private key file
Generating RSA private key, 1024 bit long modulus
.......................................................................................++++++
..........++++++
e is 65537 (0x10001)
# chmod 600 server.key
# openssl req -new -key server.key -out server.csr
// generate the certificate signing request (server.csr) for the server certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) :China
Locality Name (eg, city) :Beijing
Organization Name (eg, company) :Aptech
Organizational Unit Name (eg, section) []:Benet4.0
Common Name (eg, your name or your server's hostname) []:mail.benet.com
Email Address []:root@benet.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ls -l server.key server.csr
-rw-r--r-- 1 root root 700 12-06 19:52 server.csr
-rw------- 1 root root 887 12-06 19:46 server.key
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
// self-sign the server certificate (valid for 365 days)
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=Aptech/OU=BENET/CN=mail.benet.com/emailAddress=root@benet.com
Getting Private key
# ls -l server.key server.csr server.crt
-rw-r--r-- 1 root root 944 12-06 19:55 server.crt
-rw-r--r-- 1 root root 700 12-06 19:52 server.csr
-rw------- 1 root root 887 12-06 19:46 server.key
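The same three openssl steps, run without the interactive DN prompts and followed by the checks a practitioner wants before copying the files into the conf directory: that the certificate really belongs to the key, and that it is self-signed (issuer equals subject), which is the reason for the browser warning in step 5. This is an added example, not part of the original tutorial; it assumes openssl is on PATH, uses a 2048-bit key instead of the tutorial's 1024, and takes the target directory (for example /usr/local/httpd/conf/) and the Common Name as arguments.

```shell
#!/bin/sh
# Constructed example: non-interactive version of step 3 plus sanity checks.
# Assumes: openssl on PATH; first argument is the httpd conf directory.
set -eu

# make_self_signed_cert <dir> <common name> [days]
make_self_signed_cert() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir"
    # 2048-bit key (the tutorial uses 1024, which is no longer considered safe);
    # the umask keeps the key from being world-readable even for an instant.
    (umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null)
    chmod 600 "$dir/server.key"
    # -subj supplies the DN from the tutorial, so no prompts appear.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Aptech/OU=BENET/CN=$cn"
    # Self-sign the CSR with the same key: issuer == subject, which is exactly
    # why the browser in step 5 reports a certificate error.
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# cert_matches_key <crt> <key>: succeeds when both carry the same RSA modulus,
# i.e. the certificate was issued for this private key (httpd refuses to start
# with a mismatched pair).
cert_matches_key() {
    a=$(openssl x509 -noout -modulus -in "$1")
    b=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_is_self_signed <crt>: succeeds when issuer and subject are identical.
# The prefix stripping works for both the old "subject=/C=..." and the newer
# "subject=C = ..." output styles of openssl x509.
cert_is_self_signed() {
    s=$(openssl x509 -noout -subject -in "$1")
    i=$(openssl x509 -noout -issuer -in "$1")
    [ "${s#subject=}" = "${i#issuer=}" ]
}
```

A trusted CA-issued certificate would fail cert_is_self_signed, which is the check to keep when the self-signed file is later replaced in production.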
4. Adjust the httpd service configuration to add SSL and Rewrite support
# vi httpd.conf
...... // some content omitted
Include conf/extra/httpd-ssl.conf // enable the default SSL configuration file
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
RewriteEngine on // enable rewriting and add the redirect rule
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [R=301,L] // keep the requested path in the redirect
# /usr/local/httpd/bin/apachectl restart
5. Test from a browser on the client machine
When http://your_server_ip/ is accessed, the browser is automatically redirected to https://your_server_ip/. The site certificate used in this case was issued by the server itself rather than by a recognized certificate authority, so the browser reports a certificate error on access (Figure 1); clicking the "Continue to this website (not recommended)" link allows access to proceed (Figure 2).
Figure 1: Certificate error reported on first access
Figure 2: Access switches to HTTPS after the certificate is accepted