2016-08-09
Reference
https://wiki.centos.org/zh-tw/HowTos/Https
On CentOS 7-1511 (7.2), Apache Web Server (httpd) is the 2.4.x series and OpenSSL is the 1.0.1x series.
Obtain the required software
Generate a self-signed certificate
Set up the virtual host
Set up the firewall
This guide explains how to set up a website that supports https. The tutorial uses a self-signed key, so it is suitable for personal websites or for testing. The guide has not been reviewed, so proceed at your own risk, and make a backup!
1. Install packages
yum -y install httpd mod_ssl openssl
2. Generate a self-signed certificate
# Generate the private key
openssl genrsa -out ca.key 2048
[root@localhost ~]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
..+++
..................................+++
e is 65537 (0x10001)
[root@localhost ~]#
openssl req -new -key ca.key -out ca.csr
[root@localhost ~]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ~]#
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
[root@localhost ~]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting Private key
[root@localhost ~]#
cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr
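The three openssl steps above run non-interactively, followed by the check a practitioner wants before pointing httpd at the files (does the certificate actually belong to the key?), as an added example that is not part of the original post or the CentOS wiki. The interactive run above accepted every default, so its subject is /C=XX/L=Default City/O=Default Company Ltd with no Common Name; this example passes the DN with -subj and sets CN explicitly (localhost, the subject string and the output directory are placeholders).

```shell
#!/bin/sh
# Added example, not from the original post or the CentOS wiki: the same three
# openssl steps as above, run non-interactively, plus the check a practitioner
# wants before pointing httpd at the files: does the certificate really belong
# to the private key? Assumptions: openssl is on PATH; the subject string and
# the output directory are placeholders chosen here.
set -eu
# make_selfsigned DIR SUBJECT DAYS: writes DIR/ca.key, DIR/ca.csr and DIR/ca.crt
# (the file names the post uses). -subj supplies the DN fields the interactive
# "openssl req" prompts for; set CN to the hostname clients will connect to.
make_selfsigned() {
    dir=$1; subject=$2; days=$3
    umask 077                      # the private key must not be group/world readable
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" -subj "$subject"
    openssl x509 -req -days "$days" -in "$dir/ca.csr" \
        -signkey "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 644 "$dir/ca.crt"        # the certificate itself is public
}
# verify_pair CERT KEY: exit 0 only when the RSA modulus in CERT equals the one
# in KEY. A mismatched pair is a common reason httpd refuses to start after the
# SSLCertificateFile / SSLCertificateKeyFile edit.
verify_pair() {
    cmod=$(openssl x509 -noout -modulus -in "$1")
    kmod=$(openssl rsa -noout -modulus -in "$2")
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]
}
# cert_subject CERT: print the subject line, e.g. "subject=C = XX, ..., CN = localhost"
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}
# Demonstration in a temporary directory (constructed, not the real /etc/pki).
demo() {
    tmp=$(mktemp -d)
    make_selfsigned "$tmp" "/C=XX/L=Default City/O=Default Company Ltd/CN=localhost" 365
    if verify_pair "$tmp/ca.crt" "$tmp/ca.key"; then
        echo "OK: certificate matches key: $(cert_subject "$tmp/ca.crt")"
    else
        echo "MISMATCH: do not install this pair" >&2; rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
}
demo
```

Run verify_pair against the copies in /etc/pki/tls before restarting httpd; the file names and directory match the cp commands above.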
Warning: if you use SELinux, make sure you copy these files rather than move them. Otherwise Apache will complain about missing certificate files, because it cannot read certificate files that carry the wrong SELinux context.
If you moved the files instead of copying them, you can correct their SELinux context with the following command, because the correct context definitions for /etc/pki/* are already part of the SELinux policy.
restorecon -RvF /etc/pki
[root@localhost ~]# restorecon -RvF /etc/pki
restorecon reset /etc/pki/tls/certs/localhost.crt context unconfined_u:object_r:cert_t:s0->system_u:object_r:cert_t:s0
restorecon reset /etc/pki/tls/certs/ca.crt context unconfined_u:object_r:cert_t:s0->system_u:object_r:cert_t:s0
restorecon reset /etc/pki/tls/private/localhost.key context unconfined_u:object_r:cert_t:s0->system_u:object_r:cert_t:s0
restorecon reset /etc/pki/tls/private/ca.key context unconfined_u:object_r:cert_t:s0->system_u:object_r:cert_t:s0
restorecon reset /etc/pki/tls/private/ca.csr context unconfined_u:object_r:cert_t:s0->system_u:object_r:cert_t:s0
[root@localhost ~]# vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf
[root@localhost ~]#
Change the certificate paths in /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
becomes
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
becomes
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
Save and quit.
Restart httpd so the change takes effect:
service httpd restart
or
systemctl restart httpd
The original page says to use /etc/init.d/httpd restart, but that does not work on CentOS 7.2 and produces the error below:
[root@localhost ~]# /etc/init.d/httpd restart
-bash: /etc/init.d/httpd: No such file or directory
3. Set up the virtual host
Just as you set up a VirtualHost for http on port 80, you can set up a similar one for https on port 443. A typical VirtualHost for a site on port 80 looks like this.
Edit /etc/httpd/conf/httpd.conf:
vi /etc/httpd/conf/httpd.conf
Add content in the following format, adapted to your own situation:
<VirtualHost *:80>
    <Directory /var/www/vhosts/yoursite.com/httpdocs>
        AllowOverride All
    </Directory>
    DocumentRoot /var/www/vhosts/yoursite.com/httpdocs
    ServerName yoursite.com
</VirtualHost>
# NameVirtualHost has no effect on Apache 2.4 (httpd only logs a warning); kept from the CentOS wiki example
NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    <Directory /var/www/vhosts/yoursite.com/httpsdocs>
        AllowOverride All
    </Directory>
    DocumentRoot /var/www/vhosts/yoursite.com/httpsdocs
    ServerName yoursite.com
</VirtualHost>
I added the following at the bottom of the file:
<VirtualHost *:80>
    <Directory /var/www/html>
        AllowOverride All
    </Directory>
    DocumentRoot /var/www/html
    #ServerName yoursite.com
</VirtualHost>
NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    <Directory /var/www/html>
        AllowOverride All
    </Directory>
    DocumentRoot /var/www/html
    #ServerName yoursite.com
</VirtualHost>
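A pre-restart check for the ssl.conf and VirtualHost edits above, as an added example that is not part of the original post: it extracts the SSLCertificateFile and SSLCertificateKeyFile paths from a config file (ignoring commented-out lines such as the old localhost.crt entry), verifies the files are readable, confirms SSLEngine is on, and checks that the private key is not group/world readable. The config path argument, the constructed sample config and the temporary files are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: a check to run before restarting
# httpd. It reads SSLCertificateFile / SSLCertificateKeyFile from a config file
# (skipping commented-out lines such as the old localhost.crt entry) and checks
# that both files are readable, "SSLEngine on" is present, and the key is not
# group/world readable. Argument: config path ($1); none = constructed sample.
set -eu
# directive CONF NAME: print the value of the last uncommented NAME directive
directive() {
    awk -v name="$2" '$1 == name { v = $2 } END { if (v != "") print v }' "$1"
}
# check_ssl_conf CONF: print findings; exit 0 only when every check passes
check_ssl_conf() {
    conf=$1; rc=0
    cert=$(directive "$conf" SSLCertificateFile)
    key=$(directive "$conf" SSLCertificateKeyFile)
    grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$conf" ||
        { echo "FAIL: no 'SSLEngine on' in $conf"; rc=1; }
    for f in "$cert" "$key"; do
        if [ -z "$f" ]; then echo "FAIL: SSLCertificateFile or KeyFile not set"; rc=1
        elif [ ! -r "$f" ]; then echo "FAIL: $f is missing or unreadable"; rc=1
        fi
    done
    if [ -n "$key" ] && [ -r "$key" ]; then
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")  # GNU, then BSD stat
        case $mode in
            600|400) ;;
            *) echo "FAIL: $key is mode $mode; run: chmod 600 $key"; rc=1 ;;
        esac
    fi
    return $rc
}
# write_conf PATH CERT KEY: constructed vhost in the shape the post adds to httpd.conf
write_conf() {
    cat > "$1" <<EOF
<VirtualHost *:443>
    SSLEngine on
    #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateFile $2
    SSLCertificateKeyFile $3
</VirtualHost>
EOF
}
if [ $# -gt 0 ]; then
    check_ssl_conf "$1"            # e.g. sh check_ssl.sh /etc/httpd/conf.d/ssl.conf
else
    d=$(mktemp -d); : > "$d/ca.crt"; : > "$d/ca.key"; chmod 600 "$d/ca.key"
    write_conf "$d/ssl.conf" "$d/ca.crt" "$d/ca.key"
    check_ssl_conf "$d/ssl.conf" && echo "OK: $d/ssl.conf passes"
fi
```

A non-zero exit from check_ssl_conf is the cue to fix the config before running systemctl restart httpd, since httpd will otherwise refuse to start with a missing or unreadable key.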
Restart Apache so the settings take effect:
service httpd restart
Make httpd start automatically after a reboot:
systemctl enable httpd
4. Set up the firewall
The original page says to use the following method:
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/service iptables save
iptables -L -v
But from past experience, iptables on CentOS 7 can be problematic; see
[Study] iptables and firewall-cmd on CentOS 7.0 x64
http://shaurong.blogspot.tw/2014/07/centos-70-x64.html
The following method is recommended instead:
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-port=443/tcp
systemctl restart firewalld
firewall-cmd --list-all
PS: in actual testing, the two commands
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-port=443/tcp
cannot be merged into
firewall-cmd --permanent --add-service=http --add-port=443/tcp
which fails when executed.
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eno16777736
sources:
services: dhcpv6-client http ssh
ports: 443/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@localhost ~]#
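To verify the firewall step, an added example (not from the original post) that reads a saved firewall-cmd --list-all listing like the one above and reports whether TCP 80 and 443 are allowed, either through a ports: entry or through the http/https service names; the zone text is constructed here to match the post and the interface name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: parse the output of
# "firewall-cmd --list-all" (like the listing above) and decide whether TCP 80
# and 443 are really allowed in the zone, either as an explicit "ports:" entry
# (443/tcp) or via a service name (http -> 80, https -> 443). The sample zone
# output is constructed here to match the post; the interface name is a placeholder.
set -eu
# port_open PORT FILE: exit 0 if PORT/tcp is reachable according to the zone listing in FILE
port_open() {
    awk -v port="$1" '
        $1 == "services:" { for (i = 2; i <= NF; i++) svc[$i] = 1 }
        $1 == "ports:"    { for (i = 2; i <= NF; i++) ports[$i] = 1 }
        END {
            if ((port "/tcp") in ports) exit 0
            if (port == 80  && ("http"  in svc)) exit 0
            if (port == 443 && ("https" in svc)) exit 0
            exit 1   # only the http/https service names are mapped to ports here
        }' "$2"
}
# web_ready FILE: one line per port; exit 0 only when both 80 and 443 are allowed
web_ready() {
    rc=0
    for p in 80 443; do
        if port_open "$p" "$1"; then echo "port $p/tcp: allowed"
        else echo "port $p/tcp: BLOCKED"; rc=1; fi
    done
    return $rc
}
# write_sample FILE SERVICES PORTS: constructed "firewall-cmd --list-all" output
write_sample() {
    cat > "$1" <<EOF
public (default, active)
  interfaces: eno16777736
  sources:
  services: $2
  ports: $3
  masquerade: no
EOF
}
demo() {
    a=$(mktemp); write_sample "$a" "dhcpv6-client http ssh" "443/tcp"
    b=$(mktemp); write_sample "$b" "dhcpv6-client ssh" ""
    echo "after --add-service=http and --add-port=443/tcp:"; web_ready "$a" || true
    echo "before those two commands (only ssh allowed):";   web_ready "$b" || true
    rm -f "$a" "$b"
}
demo
```

On a live host, save the listing with firewall-cmd --list-all > zone.txt and call web_ready zone.txt; rules added with --permanent only take effect after firewall-cmd --reload (or the systemctl restart firewalld the post uses).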
A self-signed certificate triggers a warning when connecting over HTTPS; for personal or internal company use, a free self-signed certificate is fine. If the site is open to the public, consider buying a certificate to avoid the warning messages.
Tested on Internet Explorer 11:
HTTP connection works normally.
HTTPS connection shows a warning (because the certificate is self-signed rather than purchased).
HTTPS still connects.
Tested on Google Chrome.
Tested on Mozilla Firefox.
(Figure below) How to remove the exception.
(End)
Related
[Study] Apache HTTPd Web Server 2.4.6 + HTTPS (SSL) yum installation (CentOS 7.2 x64)
http://shaurong.blogspot.com/2016/08/apache-httpd-web-server-246-https-ssl.html
Internet Information Services (IIS)
https://zh.wikipedia.org/wiki/%E7%B6%B2%E9%9A%9B%E7%B6%B2%E8%B7%AF%E8%B3%87%E8%A8%8A%E6%9C%8D%E5%8B%99
Relationship between Windows versions and the bundled IIS version
[Study] Installing IIS 8.5 on Windows 2012 R2 and HTTP (SSL) connections (method 2)
http://shaurong.blogspot.com/2015/04/windows-2012-r2-iis-http-ssl.html
[Study] Installing IIS 8.5 on Windows 2012 R2 and HTTP (SSL) connections (method 1)
http://shaurong.blogspot.com/2015/04/windows-2008-r2-iis-http-ssl.html
[Study] Installing IIS 8.0 on Windows 2012 and HTTP (SSL) connections
http://shaurong.blogspot.com/2015/04/windows-2012-iis-http-ssl.html
[Study] Installing IIS 7.5 on Windows 2008 R2 and HTTP (SSL) connections
http://shaurong.blogspot.com/2015/04/windows-2008-r2-iis-http-ssl.html
[Study] Installing IIS 6.0 on Windows 2003 R2 and HTTPS (SSL) connections
http://shaurong.blogspot.com/2015/04/windows-2003-r2-iis-https-ssl.html
[Study] Windows 10 Enterprise 1511 (x64): installing IIS 10.0, creating an SSL certificate and serving HTTPS (SSL)
http://shaurong.blogspot.com/2016/02/windows-10-enterprise-1511-x64iisssl.html
[Study] Windows 7 Ultimate x64: installing IIS 7.5, creating an SSL certificate and serving HTTPS (SSL)
http://shaurong.blogspot.com/2016/02/windows-7-ultimate-x64iisssl-https-ssl.html
[Study] Windows XP Professional x86: installing IIS 5.1, creating an SSL certificate and serving HTTPS (SSL)
http://shaurong.blogspot.com/2016/02/windows-xp-professional-x86-iisssl.html
[Study] Enabling SSL on IIS 5.1 on Windows XP Professional
http://shaurong.blogspot.com/2011/06/windows-xp-professionaliisssl.html
Internet Information Services (IIS) 10.0 Express download
https://www.microsoft.com/zh-TW/download/details.aspx?id=48264
Supports Windows 7/2008 R2, 8/2012, 8.1/2012 R2, 10/2016
Internet Information Services (IIS) 8.0 Express
https://www.microsoft.com/en-us/download/details.aspx?id=34679
Internet Information Services (IIS) 7 Manager
https://www.microsoft.com/en-us/download/details.aspx?id=2299
Internet Information Services (IIS) 6.0 Resource Kit
https://www.microsoft.com/en-us/download/details.aspx?id=5135
Supports Windows XP/2003
Internet Information Services (IIS) 6.0 Resource Kit Tools
https://www.microsoft.com/en-us/download/details.aspx?id=17275
Internet Information Services (IIS) 6.0 Manager for Windows XP
https://www.microsoft.com/en-us/download/details.aspx?id=15662