Apache2¤Ï¤³¤Á¤é
Apache-SSL+OpenSSL ¤Ç¤â¹½ÃۤǤ­¤ë¤¬¥â¥¸¥å¡¼¥ë¤È¤·¤Æ»È¤¨¤ë mod_ssl+OpenSSL ¤Ç¹½ÃÛ¤¹¤ë¤³¤È¤Ë¤¹¤ë

ɬÍפʥѥ屡¼¥¸¤ÎÆþ¼ê

apache_1.3.33.tar.gz -> http://www.apache.org/
mod_ssl-2.8.22-1.3.33.tar.gz -> http://www.modssl.org/

OpenSSL¤Î¥¤¥ó¥¹¥È¡¼¥ë

openssl¤Èopenssl-devel¤Ïrpm¥Ñ¥Ã¥±¡¼¥¸¤Ç¥¤¥ó¥¹¥È¡¼¥ë¤µ¤ì¤Æ¤¤¤ë¤â¤Î¤È¤¹¤ë

mod_ssl¤Î¥³¥ó¥Ñ¥¤¥ë¤ÈApache¤Î¥¤¥ó¥¹¥È¡¼¥ë

RedHat9¤ÇKerberos¤Î¥Ø¥Ã¥À¤¬ /usr/kerberos/include ¤Ë¤¢¤ë¤¿¤ámake¥¨¥é¡¼¤¬È¯À¸¤·¤Þ¤¹
export CPPFLAGS=-I/usr/kerberos/include ¤ä export CPPFLAGS="-DOPENSSL_NO_KRB5" ¤ò»î¤·¤¿¤±¤É¤¦¤Þ¤¯¤¤¤«¤Ê¤¤¤Î¤Ç¡¢°Ê²¼¤Î¤è¤¦¤Ë¥Ø¥Ã¥À¥Õ¥¡¥¤¥ë¤ò¥³¥Ô¡¼¤·¤Þ¤·¤¿

# cp /usr/kerberos/include/*.h /usr/include
# tar xvzf apache_1.3.33.tar.gz
# tar xvzf mod_ssl-2.8.22-1.3.33.tar.gz
# cd mod_ssl-2.8.22-1.3.33
# OPTIM="-O2" ./configure --with-apache=../apache_1.3.33 --with-ssl=SYSTEM --enable-rule=SHARED_CORE \
--with-layout=Apache --enable-module=so --enable-module=rewrite
# cd ../apache_1.3.33
# make
# make certificate

Signature Algorithm ((R)SA or (D)SA) [R]:R
1. Country Name (2 letter code) [XY]:JP ... ¹ñ¥³¡¼¥É(ÆüËܤʤΤÇJP)
2. State or Province Name (full name) [Snake Desert]:Shiga ... ½£¤â¤·¤¯¤ÏÅÔÆ»Éܸ©
3. Locality Name (eg, city) [Snake Town]:Otsu ... »Ô¶è·´Ä®Â¼
4. Organization Name (eg, company) [Snake Oil, Ltd]:Self ... ÁÈ¿¥Ì¾¤ä²ñ¼Ò̾
5. Organizational Unit Name (eg, section) [Webserver Team]:Engineer ... ÁÈ¿¥Æâ̾¾Î
6. Common Name (eg, FQDN) [www.snakeoil.dom]:www.example.com ... ¥µ¡¼¥Ð¡¼Ì¾
7. Email Address (eg, name@FQDN) [www@snakeoil.dom]:root@example.com ... ´ÉÍý¼Ô¥á¡¼¥ë¥¢¥É¥ì¥¹
8. Certificate Validity (days) [365]:365

Certificate Version (1 or 3) [3]:3
Encrypt the private key 2005-11-21 (·î) 19:39:18 [Y/n]: y
Enter PEM pass phrase: ... ¥Ñ¥¹¥Õ¥ì¡¼¥º
Verifying password - Enter PEM pass phrase: ... ºÆÆþÎÏ

RESULT: Server Certification Files

o  conf/ssl.key/server.key
   The PEM-encoded RSA private key file which you configure
   with the 'SSLCertificateKeyFile' directive (automatically done
   when you install via APACI). KEEP THIS FILE PRIVATE!

o  conf/ssl.crt/server.crt
   The PEM-encoded X.509 certificate file which you configure
   with the 'SSLCertificateFile' directive (automatically done
   when you install via APACI).

o  conf/ssl.csr/server.csr
   The PEM-encoded X.509 certificate signing request file which
   you can send to an official Certificate Authority (CA) in order
   to request a real server certificate (signed by this CA instead
   of our demonstration-only Snake Oil CA) which later can replace
   the conf/ssl.crt/server.crt file.

WARNING: Do not use this for real-life/production systems

# make install

¥»¥­¥å¥¢¡¦¥µ¡¼¥ÐID¿½ÀÁ½àÈ÷

$ su
; Íð¿ô¥Õ¥¡¥¤¥ë¤ÎºîÀ®
# openssl md5 * > rand.dat
; ÈëÌ©¸°¤ÎºîÀ®
# openssl genrsa -rand rand.dat -des3 1024 > key.pem
; ¥Ñ¥¹¥Õ¥ì¡¼¥º¤ò2²óÆþÎÏ

# rm -f rand.dat

; CSRºîÀ®(¥Ù¥ê¥µ¥¤¥óÆþÎÏÍÑ)
# openssl req -new -key key.pem -out csr.pem
; ¤µ¤­¤Û¤É¤Î¥Ñ¥¹¥Õ¥ì¡¼¥º¤òÆþÎÏ
Country Name : JP
State or Province Name : Shiga
Locality Name : Otsu
Organization Unit Name : system-1
Common Name : www.example.com
Email Address
A challenge password
An optional company name

; key.pem, csr.pem¤Ï³°Éô¥á¥Ç¥£¥¢¤ËÊݴɤ·¤Þ¤¹
; csr.pem¤ÎÆâÍƤè¤ê¥Ù¥ê¥µ¥¤¥ó¤«¤écert.pem¤ò¼èÆÀ¤·¤Þ¤¹

# rm -f csr.pem
# chmod 400 /usr/local/apache/conf/ssl.crt/cert.pem
# chmod 400 key.pem
# mv key.pem /usr/local/apache/conf/ssl.key

httpd.conf¤ÎÀßÄê

# vi httpd.conf

<IfDefine SSL>
Listen 80  # HTTPÍÑ
Listen 443 # SSLÍÑ
</IfDefine>

## ----- ¤³¤³¤«¤é¤ÎÀßÄê°ÕÌ£Íý²ò¤·¤Æ¤Þ¤»¤ó
## ----- ¤È¤ê¤¢¤¨¤ºdefault¤Ë½ñ¤¤¤Æ¤¢¤Ã¤¿¤Î¤Ç¤½¤Î¤Þ¤Þ¥³¥Ô¡¼ 
##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
</IfDefine>

<IfModule mod_ssl.c>

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache        none
#SSLSessionCache        shmht:/usr/local/apache/logs/ssl_scache(512000)
#SSLSessionCache        shmcb:/usr/local/apache/logs/ssl_scache(512000)
SSLSessionCache         dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
SSLMutex  file:/usr/local/apache/logs/ssl_mutex 

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file.  Put
#   this somewhere where it cannot be used for symlink attacks on
#   a real server (i.e. somewhere where only root can write).
#   Log levels are (ascending order: higher ones include lower ones):
#   none, error, warn, info, trace, debug.
SSLLog      /usr/local/apache/logs/ssl_engine_log
SSLLogLevel info

</IfModule>

## ----- ¤³¤³¤«¤é¥Ð¡¼¥Á¥ã¥ë¥É¥á¥¤¥óÀßÄê
NameVirtualHost *:80

# HTTPÍÑ
<VirtualHost *:80>
    ServerAdmin root@example.com
    DocumentRoot /home/user/public_html
    ServerName www.example.com
    ErrorLog /usr/local/apache/logs/error_log
    CustomLog /usr/local/apache/logs/access_log combined
</VirtualHost>

# SSLÍÑ
<IfDefine SSL>
  <VirtualHost *:443>
      SSLEngine on
      SSLCertificateFile /usr/local/apache/conf/ssl.crt/cert.pem
      SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/key.pem
      ServerAdmin root@example.com
      DocumentRoot /home/user/ssl_public_html
      ServerName www.example.com
      ErrorLog /usr/local/apache/logs/error_log
      CustomLog /usr/local/apache/logs/ssl_access_log combined

     <Files ~ "\.(cgi|shtml|phtml|php3?)$">
         SSLOptions +StdEnvVars
     </Files>

     SetEnvIf User-Agent ".*MSIE.*" \
              nokeepalive ssl-unclean-shutdown \
              downgrade-1.0 force-response-1.0

     CustomLog /usr/local/apache/logs/ssl_request_log \
               "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  </VirtualHost>
</IfDefine>

ºÆµ¯Æ°Á°¤Î½àÈ÷

Ëè²óµ¯Æ°»þ¤Ë¥Ñ¥¹¥Õ¥ì¡¼¥º¤òʹ¤«¤ì¤ë¤Î¤Ï¤á¤ó¤É¤¤¤·¡¢¼«Æ°µ¯Æ°¤âÌÌÅݤʤΤǥѥ¹¥Õ¥ì¡¼¥º¤òºï½ü¤¹¤ë

# openssl rsa -in /usr/local/apache/conf/ssl.key/server.key -out /usr/local/apache/conf/ssl.key/server.key

PHP¤òÍøÍѤ·¤Æ¤¤¤ë¾ì¹ç¤ÏPHP¤â¥¤¥ó¥¹¥È¡¼¥ë¤·¤Ê¤ª¤¹É¬Íפ¬¤¢¤ê¤Þ¤¹
apacheµ¯Æ°»þ¤Ë -DEAPI ¤¦¤ó¤Á¤ã¤é¤ÇÅܤé¤ì¤Þ¤¹

¤¢¤È¤Ï°Ê²¼¤òÊѹ¹

  • ¥í¥°¥í¡¼¥Æ¡¼¥·¥ç¥ó¤ÎÄɲÃ
  • rc.local ¤Ëµ­½Ò¤·¤Æ¤¤¤ëµ¯Æ°¥³¥Þ¥ó¥É¤ò startssl ¤Ø
  • mrtg¤Çhttpd¥×¥í¥»¥¹¿ô¤ò´Æ»ë¤·¤Æ¤¤¤ë¾ì¹ç¤Ï snmpd.conf ¥Õ¥¡¥¤¥ë¤òÊÔ½¸¤¹¤ëɬÍפ¬¤¢¤ë¤«¤â

¥Ð¡¼¥Á¥ã¥ë¥Û¥¹¥È¤ÎÀßÄê¤ò³Îǧ¤¹¤ë¤Ë¤Ï

$ /usr/local/apache/bin/httpd -S

Apache¤Îµ¯Æ°

# /usr/local/apache/bin/apachectl startssl 

¤Ç¥¹¥¿¡¼¥È
ÉáÄ̤Ëstart¤¹¤ì¤ÐSSL¤Ï¥µ¥Ý¡¼¥È¤µ¤ì¤º
¤È¤á¤ë¤È¤­¤Ï stop ¤ÇƱ¤¸

https:// ¤Ç¥¢¥¯¥»¥¹¤·²èÌ̤¬É½¼¨¤µ¤ì¤ì¤ÐOK

¥Í¡¼¥à¥Ù¡¼¥¹¤«¤éIP¥Ù¡¼¥¹¤Î¥Ð¡¼¥Á¥ã¥ë¥Û¥¹¥È¤Ë°Ü¹Ô¤¹¤ë

SSL¤Ï¥×¥í¥È¥³¥ë¤ÎÆÃħ¤Ë¤è¤ê¥Í¡¼¥à¥Ù¡¼¥¹¤Î¥Ð¡¼¥Á¥ã¥ë¥Û¥¹¥È¤Ç¤ÏÍøÍѤǤ­¤Ê¤¤
¥Í¡¼¥à¥Ù¡¼¥¹¤ÏHTTP¥ê¥¯¥¨¥¹¥È¥Ø¥Ã¥À¤Ë´Þ¤Þ¤ì¤ëHost¤ò»²¾È¤·¤ÆȽÊ̤¹¤ë¤¬¡¢¤½¤ì°ÊÁ°¤Ë¾ÚÌÀ½ñ¤ò¸ò¤ï¤¹É¬Íפ¬¤¢¤ë¤¿¤á¤Ç¤¹
http://httpd.apache.org/docs/vhosts/name-based.html#namevip

¤¹¤Ç¤ËIP192.168.0.1¤Ç¥Í¡¼¥à¥Ù¡¼¥¹¤Ç±¿±Ä¤·¤Æ¤¤¤ë¥É¥á¥¤¥óexample2.com¤òIP192.168.0.2¤ÎIP¥Ù¡¼¥¹¤Ë°Ü¹Ô¤¹¤ë¾ì¹ç

...
Port 80
ServerName www.example.com
DocumentRoot /www/example

NameVirtualHost 192.168.0.1

<VirtualHost 192.168.0.1 192.168.0.2>
DocumentRoot /www/example2
ServerName www.example2.com
...
</VirtualHost>

<VirtualHost 192.168.0.1>
DocumentRoot /www/example
ServerName www.example.com
...
</VirtualHost>

»²¹Í¡§http://httpd.apache.org/docs/vhosts/examples.html#migrate


¥È¥Ã¥×   ÊÔ½¸ Åà·ë º¹Ê¬ ¥Ð¥Ã¥¯¥¢¥Ã¥× źÉÕ Ê£À½ ̾Á°Êѹ¹ ¥ê¥í¡¼¥É   ¿·µ¬ °ìÍ÷ ¸¡º÷ ºÇ½ª¹¹¿·   ¥Ø¥ë¥×   ºÇ½ª¹¹¿·¤ÎRSS
Last-modified: 2021-09-19 (Æü) 19:09:16