Apache SSL support (page used as template)
For Apache2, see [[here:http://www.stackasterisk.jp/tech/system...
It can also be built with Apache-SSL+OpenSSL, but since it can be used as a module...
#contents
*Obtaining the required packages [#vc9270ef]
apache_1.3.33.tar.gz -> http://www.apache.org/~
mod_ssl-2.8.22-1.3.33.tar.gz -> http://www.modssl.org/
*Installing OpenSSL [#n46c7a4f]
openssl and openssl-devel are installed from rpm packages...
*Compiling mod_ssl and installing Apache [#y97d290d]
On RedHat9 the Kerberos headers are in /usr/kerberos/include...
export CPPFLAGS=-I/usr/kerberos/include or export CPPFLAG...
# cp /usr/kerberos/include/*.h /usr/include
# tar xvzf apache_1.3.33.tar.gz
# tar xvzf mod_ssl-2.8.22-1.3.33.tar.gz
# cd mod_ssl-2.8.22-1.3.33
# OPTIM="-O2" ./configure --with-apache=../apache_1.3.33...
--with-layout=Apache --enable-module=so --enable-module=...
# cd ../apache_1.3.33
# make
# make certificate
Signature Algorithm ((R)SA or (D)SA) [R]:R
1. Country Name (2 letter code) [XY]:JP ... country code (Ja...
2. State or Province Name (full name) [Snake Desert]:Shi...
3. Locality Name (eg, city) [Snake Town]:Otsu ... city/ward/district...
4. Organization Name (eg, company) [Snake Oil, Ltd]:Self...
5. Organizational Unit Name (eg, section) [Webserver Tea...
6. Common Name (eg, FQDN) [www.snakeoil.dom]:www.example...
7. Email Address (eg, name@FQDN) [www@snakeoil.dom]:root...
8. Certificate Validity (days) [365]:365
Certificate Version (1 or 3) [3]:3
Encrypt the private key now? [Y/n]: y
Enter PEM pass phrase: ... passphrase
Verifying password - Enter PEM pass phrase: ... re-enter it
RESULT: Server Certification Files
o conf/ssl.key/server.key
The PEM-encoded RSA private key file which you config...
with the 'SSLCertificateKeyFile' directive (automatic...
when you install via APACI). KEEP THIS FILE PRIVATE!
o conf/ssl.crt/server.crt
The PEM-encoded X.509 certificate file which you conf...
with the 'SSLCertificateFile' directive (automaticall...
when you install via APACI).
o conf/ssl.csr/server.csr
The PEM-encoded X.509 certificate signing request fil...
you can send to an official Certificate Authority (CA...
to request a real server certificate (signed by this ...
of our demonstration-only Snake Oil CA) which later c...
the conf/ssl.crt/server.crt file.
WARNING: Do not use this for real-life/production systems
# make install
*Preparing the Secure Server ID application [#a814a7ac]
$ su
; create a random seed file
# openssl md5 * > rand.dat
; create the private key
# openssl genrsa -rand rand.dat -des3 1024 > key.pem
; enter the passphrase twice
# rm -f rand.dat
; create the CSR (for the VeriSign form)
# openssl req -new -key key.pem -out csr.pem
; enter the passphrase from before
Country Name : JP
State or Province Name : Shiga
Locality Name : Otsu
Organization Unit Name : system-1
Common Name : www.example.com
Email Address
A challenge password
An optional company name
; store key.pem and csr.pem on external media
; obtain cert.pem from VeriSign using the contents of csr.pem
# rm -f csr.pem
# chmod 400 /usr/local/apache/conf/ssl.crt/cert.pem
# chmod 400 key.pem
# mv key.pem /usr/local/apache/conf/ssl.key
*Configuring httpd.conf [#ob915c0d]
# vi httpd.conf
<IfDefine SSL>
# for HTTP
Listen 80
# for SSL
Listen 443
</IfDefine>
## ----- I don't understand what the settings from here on mean
## ----- for now, they were in the default, so I copied them as-is...
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>
<IfModule mod_ssl.c>
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on s...
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shmht:/usr/local/apache/logs/ssl...
#SSLSessionCache shmcb:/usr/local/apache/logs/ssl...
SSLSessionCache dbm:/usr/local/apache/logs/ssl_s...
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore...
# SSL engine uses internally for inter-process synchro...
SSLMutex file:/usr/local/apache/logs/ssl_mutex
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random ...
# WARNING! On some platforms /dev/random blocks if not...
# is available. This means you then cannot use the /de...
# because it would lead to very long connection times ...
# it requires to make more entropy available). But usu...
# platforms additionally provide a /dev/urandom device...
# block. So, if available, use this one instead. Read ...
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
# Logging:
# The home of the dedicated SSL protocol logfile. Erro...
# additionally duplicated in the general error log fil...
# this somewhere where it cannot be used for symlink a...
# a real server (i.e. somewhere where only root can wr...
# Log levels are (ascending order: higher ones include...
# none, error, warn, info, trace, debug.
SSLLog /usr/local/apache/logs/ssl_engine_log
SSLLogLevel info
</IfModule>
## ----- virtual domain settings from here on
NameVirtualHost *:80
# for HTTP
<VirtualHost *:80>
ServerAdmin root@example.com
DocumentRoot /home/user/public_html
ServerName www.example.com
ErrorLog /usr/local/apache/logs/error_log
CustomLog /usr/local/apache/logs/access_log combined
</VirtualHost>
# for SSL
<IfDefine SSL>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/...
SSLCertificateKeyFile /usr/local/apache/conf/ssl.k...
ServerAdmin root@example.com
DocumentRoot /home/user/ssl_public_html
ServerName www.example.com
ErrorLog /usr/local/apache/logs/error_log
CustomLog /usr/local/apache/logs/ssl_access_log co...
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /usr/local/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"...
</VirtualHost>
</IfDefine>
*Preparation before restarting [#da987caf]
Being asked for the passphrase on every startup is a hassle, and automatic start...
# openssl rsa -in /usr/local/apache/conf/ssl.key/server....
&color(red){If you are using PHP, PHP must also be installed...
Apache will complain about -DEAPI something-or-other at startup
Then change the following:
-Add log rotation~
-Change the start command written in rc.local to startssl~
-If you monitor the number of httpd processes with mrtg, the snmpd.conf f...
To check the virtual host configuration:
$ /usr/local/apache/bin/httpd -S
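As an added example (not part of the original page), the following POSIX shell script checks the files the steps above leave behind once the passphrase has been stripped: that the key is readable only by its owner, whether it is still encrypted (in which case startssl will keep prompting), that SSLCertificateFile and SSLCertificateKeyFile actually belong together (same RSA modulus), and that the certificate is not about to expire. The default paths follow the page's /usr/local/apache layout; the KEYFILE/CERTFILE variables and the function names are this example's own assumptions, and it relies on the openssl command line tool the page already uses.

```shell
#!/bin/sh
# Added example (not from the original wiki page): sanity checks for the mod_ssl
# key and certificate files after the passphrase has been removed and the files
# moved into place. The default paths follow the page's /usr/local/apache layout
# and are assumptions; override them with the KEYFILE / CERTFILE variables.
KEYFILE="${KEYFILE:-/usr/local/apache/conf/ssl.key/server.key}"
CERTFILE="${CERTFILE:-/usr/local/apache/conf/ssl.crt/server.crt}"

# 0 if the file is readable by its owner only (-r-------- or -rw-------), 1 otherwise.
# ls(1) is used instead of stat(1) because its mode column is the same on GNU and BSD.
key_is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        -r--------|-rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the PEM file still carries a passphrase, 1 if it is stored in the clear.
# Both the traditional header ("Proc-Type: 4,ENCRYPTED") and the PKCS#8 one
# ("BEGIN ENCRYPTED PRIVATE KEY") contain the word ENCRYPTED.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1" 2>/dev/null
}

# 0 if the RSA modulus of the private key equals the one in the certificate,
# i.e. the key and certificate form a pair. openssl prompts for the passphrase
# if the key is still encrypted.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# 0 if the certificate is still valid $1 days from now, 1 if it expires before then.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$2" >/dev/null 2>&1
}

# Run every check against the configured files; returns 1 if anything needs attention.
check_ssl_files() {
    rc=0
    key_is_private "$KEYFILE" || { echo "WARN: $KEYFILE is readable by group/other; chmod 400 it" >&2; rc=1; }
    if key_is_encrypted "$KEYFILE"; then
        echo "INFO: $KEYFILE is passphrase-protected; apachectl startssl will prompt for it" >&2
    fi
    key_matches_cert "$KEYFILE" "$CERTFILE" || { echo "ERROR: $KEYFILE does not match $CERTFILE" >&2; rc=1; }
    cert_valid_for_days 30 "$CERTFILE" || { echo "WARN: $CERTFILE expires within 30 days (or is unreadable)" >&2; rc=1; }
    return $rc
}

if [ -r "$KEYFILE" ] && [ -r "$CERTFILE" ]; then
    check_ssl_files && echo "OK: key and certificate look consistent" >&2
else
    echo "usage: KEYFILE=... CERTFILE=... sh $0 (files not found at the default paths)" >&2
fi
```

Run it as root after the `openssl rsa` step and before `apachectl startssl`; a non-zero exit means one of the messages on stderr needs fixing first. The modulus comparison is what catches a cert.pem from the CA being paired with the wrong key.pem.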
*Starting Apache [#w8fc4c9f]
# /usr/local/apache/bin/apachectl startssl
starts it~
Starting it with a plain start does not enable SSL~
Stopping is the same, with stop
Access it via https:// and if the page is displayed, it's OK
*Migrating from name-based to IP-based virtual hosts [#g...
Because of how the protocol works, SSL with name-based virtual hosts...
Name-based hosting refers to the Host field in the HTTP request header...
http://httpd.apache.org/docs/vhosts/name-based.html#namevip
For the domain ex... already being run name-based on IP 192.168.0.1...
...
Port 80
ServerName www.example.com
DocumentRoot /www/example
NameVirtualHost 192.168.0.1
<VirtualHost 192.168.0.1 192.168.0.2>
DocumentRoot /www/example2
ServerName www.example2.com
...
</VirtualHost>
<VirtualHost 192.168.0.1>
DocumentRoot /www/example
ServerName www.example.com
...
</VirtualHost>
Reference: http://httpd.apache.org/docs/vhosts/examples.html#m...
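Added example (not from the original page) illustrating the point of this section: mod_ssl for Apache 1.3 has no Server Name Indication, so when several vhosts with SSLEngine on share one address:port, the server has already chosen the first vhost's certificate by the time the Host header is readable. The awk-based shell function below scans an httpd.conf for exactly that situation and lists the shared addresses, complementing the `httpd -S` listing. The sample configuration it reads is constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original wiki page): find SSL virtual hosts that share
# one address:port. Without SNI the server picks a certificate before it sees the
# Host header, so every such vhost after the first is served with the wrong one.

# Print, one per line and sorted, each address (as written in <VirtualHost ...>) that
# is used by more than one vhost containing "SSLEngine on". Argument: path to httpd.conf.
ssl_vhost_conflicts() {
    awk '
        /^[ \t]*<VirtualHost[ \t]/ {
            line = $0
            sub(/^[ \t]*<VirtualHost[ \t]+/, "", line)   # drop the opening tag
            sub(/>.*$/, "", line)                         # drop the closing bracket
            addrs = line; ssl = 0; next
        }
        /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/ { ssl = 1; next }
        /^[ \t]*<\/VirtualHost>/ {
            if (ssl) {
                # a vhost may list several addresses, e.g. <VirtualHost 192.168.0.1 192.168.0.2>
                n = split(addrs, a, /[ \t]+/)
                for (i = 1; i <= n; i++) count[a[i]]++
            }
            addrs = ""; ssl = 0; next
        }
        END { for (k in count) if (count[k] > 1) print k }
    ' "$1" | sort
}

# Constructed sample: two SSL vhosts on 192.168.0.1:443 (conflict), one on
# 192.168.0.2:443 and a plain HTTP vhost (no conflict).
sample_conf() {
    cat <<'EOF'
NameVirtualHost 192.168.0.1:443
<VirtualHost 192.168.0.1:443>
    SSLEngine on
    ServerName www.example.com
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
</VirtualHost>
<VirtualHost 192.168.0.1:443>
    SSLEngine on
    ServerName www.example2.com
</VirtualHost>
<VirtualHost 192.168.0.2:443>
    SSLEngine on
    ServerName secure.example.com
</VirtualHost>
<VirtualHost *:80>
    ServerName www.example.com
</VirtualHost>
EOF
}

# With a path argument scan that file; without one, scan the constructed sample.
if [ -n "$1" ]; then
    conflicts=$(ssl_vhost_conflicts "$1")
else
    tmpconf=$(mktemp)
    sample_conf > "$tmpconf"
    conflicts=$(ssl_vhost_conflicts "$tmpconf")
    rm -f "$tmpconf"
fi
if [ -n "$conflicts" ]; then
    echo "SSL vhosts sharing an address (only the first one's certificate is served):" >&2
    echo "$conflicts" >&2
else
    echo "no SSL vhosts share an address" >&2
fi
```

On the sample it reports 192.168.0.1:443; every address it prints needs either its own IP (the IP-based layout this section describes) or a single vhost. Run it against the real file with `sh check_vhosts.sh /usr/local/apache/conf/httpd.conf` (the script name is arbitrary).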
#exlink