Apache配置實現https訪問
Apache配置實現https訪問php
1、編譯安裝的Apache配置https訪問
1、軟件環境
HTTPS是以安全爲目標的HTTP通道,簡單講是HTTP的安全版。谷歌已經制定了一項長遠的計劃,它的最終目標是將全部經過HTTP協議呈現的網頁標爲「不安全」,對於站長來講,部署SSL證書來遷移到HTTPS是一個現實和重要的問題linux
操做系統:CentOS 7.3apache
Apache版本:編譯安裝的Apache 2.4.7vim
IP地址:192.168.115.120瀏覽器
對應的域名:www.awstats.com安全
關閉selinux和關閉防火牆,也能夠提早設置好防火牆的規則服務器
Windows的hosts文件中須要添加」192.168.115.120 www.awstats.com」域名解析app
使用Windows瀏覽器測試是否成功ide
2、給Apache安裝ssl模塊
爲了使Apache支持https訪問,系統須要安有apache、openssl、mod_ssl.so工具
Linux系統默認安裝了openssl,全部就不須要安裝了,因爲某些緣由,apache的ssl模塊在最初安裝時未能包含進去,在以後又不能從新安裝apache,這時就須要在不從新編譯apache的狀況下新增編譯模塊,可採用如下方法
(1)進入Apache的源碼解壓的/modules/ssl目錄執行安裝命令
[root@www modules]# whereis openssl
openssl: /usr/bin/openssl /usr/lib64/openssl /usr/include/openssl /usr/share/man/man1/openssl.1ssl.gz
[root@www ~]# cd /root/httpd-2.4.7/modules/ssl
[root@www ssl]# apxs -i -c -a -D HAVE_OPENSSL=1 -I /usr/include/openssl -lcrypto -lssl -ldl *.c
/usr/local/apr/build-1/libtool --silent --mode=compile gcc -std=gnu99 -prefer-pic -DLINUX -D_REENTRANT -D_GNU_SOURCE -g -O2 -pthread -I/usr/local/apache2/include -I/usr/local/apr/include/apr-1 -I/usr/local/apr-util/include/apr-1 -I/usr/include/openssl -DHAVE_OPENSSL=1 -c -o mod_ssl.lo mod_ssl.c && touch mod_ssl.slo
In file included from mod_ssl.c:27:0:
ssl_private.h:85:30: 致命錯誤:openssl/opensslv.h:沒有那個文件或目錄
#include <openssl/opensslv.h>
^
編譯中斷。
apxs:Error: Command failed with rc=65536
上面出現編譯報錯,說缺乏openssl某個文件
解決方法:
[root@www ssl]# yum -y install openssl-devel
上面安裝完成以後,接着執行以前的編譯模塊命令
[root@www ssl]# apxs -i -c -a -D HAVE_OPENSSL=1 -I /usr/include/openssl -lcrypto -lssl -ldl *.c
…………………………………………………………………………………………………………………省略若干
libtool: install: chmod 644 /usr/local/apache2/modules/mod_ssl.a
libtool: install: ranlib /usr/local/apache2/modules/mod_ssl.a
libtool: finish: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/sbin" ldconfig -n /usr/local/apache2/modules
----------------------------------------------------------------------
Libraries have been installed in:
/usr/local/apache2/modules
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the '-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the 'LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the 'LD_RUN_PATH' environment variable
during linking
- use the '-Wl,-rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to '/etc/ld.so.conf'
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /usr/local/apache2/modules/mod_ssl.so
[activating module `ssl' in /usr/local/apache2/conf/httpd.conf]
apxs命令參數說明:
-i 此選項表示須要執行安裝操做,以安裝一個或多個動態共享對象到服務器的modules目錄中。
-a 此選項自動增長一個LoadModule行到httpd.conf文件中,以激活此模塊,或者,若是此行已經存在,則啓用之。
-A 與 -a 選項相似,可是它增長的LoadModule命令有一個井號前綴(#),即此模塊已經準備就緒但還沒有啓用。
-c 此選項表示須要執行編譯操做。它首先會編譯C源程序(.c)files爲對應的目標代碼文件(.o),而後鏈接這些目標代碼和files中其他的目標代碼文件(.o和.a),以生成動態共享對象dsofile 。若是沒有指定 -o 選項,則此輸出文件名由files中的第一個文件名推測獲得,也就是默認爲mod_name.so
(2)查看安裝的ssl模塊
[root@www ssl]# ls -l /usr/local/apache2/modules/ | grep ssl
-rwxr-xr-x 1 root root 945280 5月 16 15:20 mod_ssl.so
3、申請證書或本身生成自簽名證書
咱們可使用openssl工具本身生成證書或者到各大廠商去申請免費證書,可知足我的網站的需求,如企業網站,建議購買企業收費證書。
這裏咱們就本身生成一個自簽名證書
首先,生成2048位的加密私鑰
[root@www ~]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
....................+++
..+++
e is 65537 (0x10001)
而後,生成證書籤名請求(CSR),這裏須要填寫許多信息,如國家,省市,公司等
[root@www ~]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:ll
Organizational Unit Name (eg, section) []:lz
Common Name (eg, your name or your server's hostname) []:www.awstats.com
注意這裏的主機名必定要和httpd.conf文件中的ServerName www.awstats.com保持一致,不然會報錯。
Email Address []:123456@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
最後,生成類型爲X509的自簽名證書。有效期設置3650天,即有效期爲10年
[root@www ~]# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=cn/ST=bj/L=bj/O=ll/OU=lz/CN=www.awstats.com/emailAddress=123456@163.com
Getting Private key
4、複製祕鑰和證書文件到指定位置
[root@www ~]# cp server.crt server.key /usr/local/apache2/conf
5、修改httpd-ssl.conf文件指定相關祕鑰和證書位置
[root@www ~]# vim /usr/local/apache2/conf/extra/httpd-ssl.conf
<VirtualHost _default_:443>
DocumentRoot "/usr/local/apache2/htdocs"
ServerName www.awstats.com:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache2/logs/error_log"
TransferLog "/usr/local/apache2/logs/access_log"
SSLEngine on
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
……………………………………………..省略若干
</VirtualHost>
6、修改Apache主配置文件並開啓相關模塊
[root@www ~]# vim /usr/local/apache2/conf/httpd.conf
打開相關的註釋,啓用須要的模塊
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
修改主機名
ServerName www.awstats.com
下面的須要添加進來
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{REQUEST_URI} !^/tz.php
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R]
7、相關說明
配置文件參數 |
說明 |
LoadModule |
加載SSL模塊 |
Listen |
監聽443端口 |
DocumentRoot |
網頁目錄 |
ServerName |
站點域名 |
SSLEngine on |
啓用SSL功能 |
SSLCertificateFile |
證書文件 |
SSLCertificateKeyFile |
私鑰文件 |
SSLCertificateChainFile |
證書鏈文件 |
8、重啓Apache並檢查相應端口是否開啓
[root@www ~]# httpd -t
Syntax OK
[root@www ~]# systemctl restart httpd
[root@www ~]# ss -ant
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 128 :::443 :::*
9、在Windows瀏覽器測試訪問域名是否能自動成功跳轉到https
在瀏覽器地址欄輸入www.awstats.com域名,而後回車
上面回車以後,會自動跳轉到下面的頁面,咱們點擊「高級」選項會展開相關內容
上面點擊「高級」選項以後,會出現下面的頁面,咱們點擊下面的紅框部分就能夠進入下一步
上面點擊紅框部分以後,就會出現下面的網頁了。由於是本身生成的證書不被瀏覽器識別,因此會出現下面的頁面,說此站點不安全,咱們直接不用管點擊詳細信息並接着點擊「轉到此網頁(不推薦)」選項便可進入咱們須要的網頁了
下面是咱們須要訪問的最終頁面,若是是在各大廠商申請的證書就不會出現以上提示不安全的信息,會直接進入咱們下面的界面。
2、yum安裝的Apache配置https方法
1、安裝相關軟件
[root@localhost ~]# yum -y install httpd
[root@localhost ~]# yum -y install mod_ssl
2、修改相關的配置文件
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
去掉下面幾行註釋
Include conf.modules.d/*.conf
ServerName www.awstats.com
IncludeOptional conf.d/*.conf
下面的須要添加在主配置文件中或虛擬主機中
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{REQUEST_URI} !^/tz.php
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R]
[root@localhost conf.modules.d]# vim /etc/httpd/conf.modules.d/00-ssl.conf
去掉下面的註釋
LoadModule ssl_module modules/mod_ssl.so
[root@localhost ~]# vim /etc/httpd/conf.modules.d/00-base.conf
去掉下面的註釋
LoadModule rewrite_module modules/mod_rewrite.so
3、生成相關的證書及祕鑰文件
[root@localhost ~]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................................+++
..........................+++
e is 65537 (0x10001)
[root@localhost ~]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:ll
Organizational Unit Name (eg, section) []:lz
Common Name (eg, your name or your server's hostname) []:www.awstats.com
Email Address []:123456@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
[root@localhost ~]# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=cn/ST=bj/L=bj/O=ll/OU=lz/CN=www.awstats.com/emailAddress=123456@163.com
Getting Private key
4、修改配置文件中對應的祕鑰文件
[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf
去掉相關注釋並更改證書和私鑰文件
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
複製生成的祕鑰文件到ssl.conf指定的位置
[root@localhost ~]# cp /root/server.crt /etc/pki/tls/certs/
[root@localhost ~]# cp /root/server.key /etc/pki/tls/private/
5、驗證配置是否有問題並重啓Apache服務
[root@localhost ~]# httpd -t
Syntax OK
[root@localhost ~]# systemctl restart httpd
6、在Windows瀏覽器測試訪問域名是否能自動成功跳轉到https
打開瀏覽器,輸入IP或域名會自動跳轉到https,說明配置成功,由於是本身生成的證書不被瀏覽器識別,因此會出現下面的頁面,說此站點不安全,咱們直接不用管點,擊詳細信息
上面點擊詳細信息以後,或展開下面的頁面,咱們點擊「轉到此網頁(不推薦)」便可進入咱們須要訪問的網站頁面。