Apache HTTP: настройка HTTPS и SSL

Автор: | 23/07/2015

apache_logoПример настройки выполняется на:

# httpd -version
Server version: Apache/2.2.29 (Unix)
Server built:   Mar 12 2015 03:50:17
# cat /etc/system-release
Amazon Linux AMI release 2015.03

Создание ключей

Устанавливаем необходимые пакеты:

# yum install mod_ssl openssl
# cd /etc/httpd
# mkdir ssl

Создаём приватный ключ:

# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
..................+++
...........................................+++
e is 65537 (0x10001)

Создаём файл CSR (Certificate signing request):

# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:UA
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:Kiev
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:aws.setevoy.org.ua
Email Address []:root@setevoy.org.ua

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

И создаём самоподписанный сертификат для сервера:

# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=UA/L=Kiev/O=Default Company Ltd/CN=aws.setevoy.org.ua/emailAddress=root@setevoy.org.ua
Getting Private key

Настройка Apache HTTP

В файле /etc/httpd/conf/httpd.conf добавляем:

NameVirtualHost *:443

Проверяем:

# httpd -t
Syntax OK

Открываем порт на фаерволе:

# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

Настройка виртуалхоста

В файле /etc/httpd/conf.d/ssl.conf удаляем описание VirtualHost _default_ – от строки <VirtualHost _default_:443> до </VirtualHost>.

Настраиваем свой виртуалхост. Задача – настроить виртуалхост на порту 443 с шифрованием нашим ключём и переадресовывать весь трафик с HTTP на HTTPS.

Для переадресации – в файле /etc/httpd/conf.d/vhost.conf добавляем редирект:

<VirtualHost *:80>
        ServerName aws.setevoy.org.ua
        RewriteEngine On
        RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>

И добавляем второй виртуалхост – с SSL:

<VirtualHost *:443>
        ServerName aws.setevoy.org.ua
        DocumentRoot /var/www/aws.setevoy.org.ua

        SSLEngine on
        SSLCertificateFile /etc/httpd/ssl/ca.crt
        SSLCertificateKeyFile /etc/httpd/ssl/ca.key

        ErrorLog     /var/log/httpd/aws.setevoy.org.ua-error.log
        CustomLog  /var/log/httpd/aws.setevoy.org.ua-access.log combined

</VirtualHost>

Проверяем:

# httpd -t
Syntax OK

Перезапускаем:

# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
# curl http://localhost
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://localhost/">here</a>.</p>
<hr>
<address>Apache/2.2.29 (Amazon) Server at localhost Port 80</address>
</body></html>

И по HTTPS:

# curl https://localhost -k
Hello from SSL

Переадресация работает, SSL работает.