The example configuration is performed on:
# httpd -version
Server version: Apache/2.2.29 (Unix)
Server built:   Mar 12 2015 03:50:17
# cat /etc/system-release
Amazon Linux AMI release 2015.03
Creating the keys
Install the required packages:
# yum install mod_ssl openssl
# cd /etc/httpd
# mkdir ssl
Create the private key:
# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
..................+++
...........................................+++
e is 65537 (0x10001)
Create the CSR (Certificate Signing Request) file:
# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:UA
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:Kiev
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:aws.setevoy.org.ua
Email Address []:root@setevoy.org.ua

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
And create the self-signed certificate for the server:
# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=UA/L=Kiev/O=Default Company Ltd/CN=aws.setevoy.org.ua/emailAddress=root@setevoy.org.ua
Getting Private key
Configuring Apache HTTP
In the file /etc/httpd/conf/httpd.conf add:
NameVirtualHost *:443
Check the configuration:
# httpd -t
Syntax OK
Open the port on the firewall:
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
Configuring the virtual host
In the file /etc/httpd/conf.d/ssl.conf remove the VirtualHost _default_ definition, from the line <VirtualHost _default_:443> down to </VirtualHost>.
Now configure our own virtual host. The goal is a virtual host on port 443 that uses our key for encryption, with all HTTP traffic redirected to HTTPS.
For the redirect, add the following to the file /etc/httpd/conf.d/vhost.conf:
<VirtualHost *:80>
    ServerName aws.setevoy.org.ua
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>
And add the second virtual host, the one with SSL:
<VirtualHost *:443>
    ServerName aws.setevoy.org.ua
    DocumentRoot /var/www/aws.setevoy.org.ua
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/ca.crt
    SSLCertificateKeyFile /etc/httpd/ssl/ca.key
    ErrorLog /var/log/httpd/aws.setevoy.org.ua-error.log
    CustomLog /var/log/httpd/aws.setevoy.org.ua-access.log combined
</VirtualHost>
Check the configuration:
# httpd -t
Syntax OK
Restart Apache:
# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Check the redirect on port 80:
# curl http://localhost
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://localhost/">here</a>.</p>
<hr>
<address>Apache/2.2.29 (Amazon) Server at localhost Port 80</address>
</body></html>
And over HTTPS:
# curl https://localhost -k
Hello from SSL
The redirect works and SSL works.
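The curl -k check above deliberately skips certificate verification, so it cannot tell you whether the served certificate actually matches the ServerName or when the 365-day certificate runs out. The following Python is an added example, not code from the original post: it checks a certificate in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, and validates the 301 redirect the port-80 vhost is meant to send. The sample certificate dict is constructed to mirror the subject created above; its validity dates are assumed.

```python
import ssl
import time
from urllib.parse import urlsplit

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, mirroring the
# subject created above; self-signed, so issuer == subject. Dates are assumed.
SUBJECT = ((("countryName", "UA"),), (("localityName", "Kiev"),),
           (("organizationName", "Default Company Ltd"),),
           (("commonName", "aws.setevoy.org.ua"),), (("emailAddress", "root@setevoy.org.ua"),))
SAMPLE_CERT = {"subject": SUBJECT, "issuer": SUBJECT,
               "notBefore": "Mar 12 03:50:17 2015 GMT", "notAfter": "Mar 11 03:50:17 2016 GMT"}

def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries plus the subject CN."""
    names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    names |= {v for rdn in cert["subject"] for k, v in rdn if k == "commonName"}
    return names

def check_cert(cert, hostname, now=None, warn_days=30):
    """Findings to review before trusting the port-443 vhost's certificate."""
    now = time.time() if now is None else now
    findings = []
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed")          # clients must trust ca.crt explicitly
    if hostname not in cert_names(cert):
        findings.append("name mismatch")        # ServerName must match the CN or a SAN
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("not yet valid")
    elif now > not_after:
        findings.append("expired")
    elif not_after - now < warn_days * 86400:
        findings.append("expires soon")         # the cert above is valid for 365 days only
    return findings

def check_redirect(status, location, request_host, request_path="/"):
    """Validate the HTTP->HTTPS redirect the port-80 vhost sends. The RewriteRule above
    builds the target from HTTP_HOST, so the Host the client sent must come back unchanged."""
    findings = []
    if status != 301:
        findings.append("status %s, expected 301" % status)
    target = urlsplit(location or "")
    if target.scheme != "https":
        findings.append("target not https")
    if target.hostname != request_host:
        findings.append("target host differs from request host")
    if (target.path or "/") != request_path:
        findings.append("path not preserved")
    return findings
```

To obtain a real dict for the self-signed certificate, connect with ssl.create_default_context(cafile="/etc/httpd/ssl/ca.crt") so the generated certificate is trusted explicitly (the equivalent of curl --cacert rather than curl -k); with an untrusted certificate getpeercert() returns an empty dict.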