Category: system administration
2005-11-24 11:42:14
Revisions:
1. On Solaris the default openssl is not on PATH, so every openssl invocation in the revised text is prefixed with its full path (and the PATH/LD_LIBRARY_PATH setup is shown).
2. Added fixes for two common errors seen when enabling SSL on Solaris.
SSL configuration for Apache 2 virtual hosts integrated with WebLogic
Four parts:
1. Goals and environment
2. Installing Apache 2, WebLogic and OpenSSL
3. Virtual host configuration
4. Addenda and notes
I. Goals and environment
Goal
1. A JSP-capable web server on a single IP address, serving several virtual hosts, one of which speaks SSL.
Environment
1. OS: Solaris 9 with the recommended patch cluster
2. WebLogic 8.1 SP4, Java 1.4.1_06-b01
3. OpenSSL 0.9.7g
4. Apache 2.0.54
II. Installing Apache 2, WebLogic and OpenSSL
1. Apache 2.0.54
(omitted)
2. WebLogic 8.1 SP4
(omitted)
3. OpenSSL
(omitted)
III. Virtual host configuration
1. Virtual hosts to configure
www   the web site
bbs   the forum
diy   back office and personal administration platform
ssl   the virtual host that serves https
sso   single sign-on
cis   the 卡拉蜂 interface
2. IP address shared by all virtual hosts
192.168.1.254
3. Relevant settings in httpd.conf
......
ServerName
ServerRoot "/usr/local/apache2"
Listen 80
LoadModule ssl_module modules/mod_ssl.so
# WebLogic plug-in
LoadModule weblogic_module modules/mod_wl_20.so
#
# load ssl.conf
Include conf/ssl.conf
#
# load the virtual hosts
Include "conf/vhost.conf"
#
......
4. ssl.conf
(The builtin seed source feeds only the current time, the process ID and a 1 KB slice of the scoreboard into the PRNG, which mod_ssl itself documents as "not really a strong source". Solaris 9 has /dev/urandom, and mod_ssl's file: seed source is the stronger choice for both startup and connect seeding.)
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#
Listen 443
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
#
SSLPassPhraseDialog builtin
#
SSLMutex default
5. vhost.conf
(The VirtualHost, IfModule, Files and Directory containers were lost when this page was captured and are restored here in the form mod_ssl and mod_wl_20 require. The Directory paths are assumed to be each host's DocumentRoot and the Files pattern is the one from the stock ssl.conf; the directives inside them are the original ones.)
#
NameVirtualHost 192.168.1.254:80
#
# Section 1: http virtual hosts
<VirtualHost 192.168.1.254:80>
    ServerAdmin
    DocumentRoot "/web/webapp"
    ServerName
    ErrorLog logs/colorme-error_log
    AddType application/x-httpd-php .php
    AddType text/html .shtml
    CustomLog logs/colorme-access_log combined
    TransferLog logs/colorme-access_log
    <IfModule mod_weblogic.c>
        WebLogicHost 192.168.1.254
        WebLogicPort 7001
        MatchExpression *.jsp
        MatchExpression *.do
        MatchExpression *.jspa
        MatchExpression /myhome/*
    </IfModule>
    #php_flag engine on
    <Directory "/web/webapp">
        Options FollowSymLinks MultiViews Includes
        AddOutputFilter Includes .shtml
        AddOutputFilter Includes .php
        AllowOverride None
        # Under "Order deny,allow" an Allow overrides a Deny, so the net
        # effect of the three lines below is to admit every client.
        Allow from all
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

<VirtualHost 192.168.1.254:80>
    ServerAdmin
    DocumentRoot "/web/bbs"
    ServerName bbs.colorme.com
    ServerAlias diy
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    CustomLog logs/bbs-access_log combined
    ErrorLog logs/bbs-error_log
    TransferLog logs/bbs-access_log
    <IfModule mod_weblogic.c>
        WebLogicHost 192.168.1.254
        WebLogicPort 7001
        MatchExpression *.jsp
        MatchExpression *.jspa
        MatchExpression *.do
    </IfModule>
    <Directory "/web/bbs">
        Options FollowSymLinks MultiViews Includes
        AddOutputFilter Includes html
        AllowOverride None
        Allow from all
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

<VirtualHost 192.168.1.254:80>
    ServerAdmin
    DocumentRoot "/web/diy"
    ServerName diy.colorme.com
    ErrorLog logs/diy-error_log
    TransferLog logs/diy-access_log
    <IfModule mod_weblogic.c>
        WebLogicHost 192.168.1.254
        WebLogicPort 7001
        MatchExpression *.jsp
        MatchExpression *.jspa
        MatchExpression *.do
    </IfModule>
    <Directory "/web/diy">
        Options FollowSymLinks MultiViews Includes
        AddOutputFilter Includes html
        AllowOverride None
        Allow from all
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

# Section 2: https VirtualHost
<VirtualHost 192.168.1.254:443>
    ServerName ssl.colorme.com
    DocumentRoot "/web/ssl"
    CustomLog logs/ssl-access_log common
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile conf/ssl.crt/server.crt
    SSLCertificateKeyFile conf/ssl.key/server.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    <IfModule mod_weblogic.c>
        WebLogicHost 192.168.1.254
        WebLogicPort 7001
        MatchExpression *.jsp
        MatchExpression *.do
        MatchExpression *.jspa
        MatchExpression /myhome/*
    </IfModule>
    <Directory "/web/ssl">
        Options FollowSymLinks MultiViews Includes
        AddOutputFilter Includes .shtml
        AddOutputFilter Includes .php
        AllowOverride None
        Allow from all
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>
6. Notes on the directives
6.1 SSLEngine on
Enables the SSL engine for this virtual host. It is off by default for the main server and for every virtual host, so the https host must switch it on explicitly.
6.2 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
The cipher suites offered during the SSL handshake, in OpenSSL cipher-list syntax. This is the list the stock mod_ssl 2.0 ssl.conf ships with, and "all ciphers" describes it well: ALL minus anonymous DH (!ADH) and the 56-bit export suites (!EXPORT56), with RC4/RSA preferred and the rest sorted as HIGH, MEDIUM, LOW, SSLv2 and export. The trailing +eNULL changes nothing, because ALL never contains the NULL-encryption suites and "+" only reorders suites already in the list. What remains still includes the 40-bit export suites, single DES and the SSLv2 suites, none of which a current client should be offered; a production host should restrict the list to HIGH and MEDIUM suites and disable SSLv2 with SSLProtocol.
6.3 SSLCertificateFile conf/ssl.crt/server.crt
The server certificate, a PEM-encoded X.509 file.
6.4 SSLCertificateKeyFile conf/ssl.key/server.key
The server's private key, PEM-encoded. If it is encrypted, httpd prompts for the passphrase at startup (see SSLPassPhraseDialog in ssl.conf).
6.5 SSLOptions +StdEnvVars
Sets runtime options of the SSL engine. +StdEnvVars exports the standard SSL_* variables to CGI scripts and SSI pages; building them costs CPU on every request, so it is enabled only for the file types that can use them.
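Before a replacement for the list in 6.2 goes into vhost.conf, it is worth expanding it with the same OpenSSL that httpd is linked against and checking what it actually selects. The script below is an added example, not part of the original post: it compares the post's cipher list with an assumed hardened policy written in keywords that OpenSSL 0.9.7 already understood (pair that policy with SSLProtocol all -SSLv2 in the same VirtualHost), and flags any selected suite whose name reveals a disqualifying property. It assumes openssl on PATH, which the post arranges by adding /usr/local/ssl/bin.

```shell
#!/bin/sh
# Added example (not part of the original post): expand a candidate
# SSLCipherSuite value with the local OpenSSL and list anything a reviewer
# would reject, before the value goes into vhost.conf.
# Assumes openssl on PATH (the post adds /usr/local/ssl/bin on Solaris).

# The value from the post's SSL virtual host: mod_ssl 2.0's shipped default.
LEGACY_SUITE='ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'

# Assumed hardened policy, written with keywords OpenSSL 0.9.7 already knew:
# strong and medium suites only; nothing anonymous, null, export, single-DES,
# RC4 or SSLv2-only. Use it together with "SSLProtocol all -SSLv2".
HARDENED_SUITE='HIGH:MEDIUM:!aNULL:!eNULL:!ADH:!EXP:!LOW:!RC4:!SSLv2'

# expand_suites SPEC -> the suites SPEC selects, one per line, in the order
# the server would prefer them. Returns non-zero when SPEC selects nothing,
# which is how OpenSSL reports a mistyped keyword.
expand_suites() {
    list=$(openssl ciphers "$1") || return 1
    printf '%s\n' "$list" | tr ':' '\n'
}

# weak_suites SPEC -> the selected suites whose name shows a property that
# disqualifies them: no encryption (NULL), no authentication (ADH/AECDH),
# export strength (EXP), single DES, RC4, or an MD5 MAC. Prints nothing for
# a clean policy; returns non-zero if SPEC itself is invalid.
weak_suites() {
    list=$(expand_suites "$1") || return 1
    printf '%s\n' "$list" | grep -E 'NULL|ADH|AECDH|EXP|DES-CBC-SHA$|RC4|MD5' || true
}

# Stand-alone report for both policies on this OpenSSL build. On the 0.9.7
# build the post used, the legacy value also selects 40-bit export, single-DES
# and SSLv2 suites; current builds no longer compile those in, so the report
# shrinks, but the policy itself has not improved.
for spec in "$LEGACY_SUITE" "$HARDENED_SUITE"; do
    echo "== $spec"
    echo "   selected: $(expand_suites "$spec" | grep -c .) suites"
    weak_suites "$spec" | sed 's/^/   weak:     /'
done
```

The name-based filter is deliberately blunt: it catches the classes that should never be negotiated rather than grading the remaining suites, which is the judgement a cipher policy review still has to make by hand.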
IV. Addenda and notes
1. How the certificate is signed
This example uses a self-signed certificate, i.e. no certificate was bought. Browsers warn about a self-signed certificate, so a commercial site should consider buying one from a CA.
2. Generating the self-signed certificate
a. Generate the private key (on Solaris the OpenSSL binary and libraries are not on the default paths, hence the first two lines):
# LD_LIBRARY_PATH=/usr/openwin/lib:/usr/local/ssl/lib; export LD_LIBRARY_PATH
# PATH=$PATH:/usr/local/ssl/bin; export PATH
# /usr/local/ssl/bin/openssl genrsa -des3 -out server.key 1024
b. Create the server certificate:
# /usr/local/ssl/bin/openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt
When prompted for the Common Name, enter the host name of the SSL virtual host, ssl.colorme.com here.
c. Put the files from steps a and b where vhost.conf expects them:
conf/ssl.key/server.key
conf/ssl.crt/server.crt
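The three steps above can be done without interactive prompts and verified before anything is copied into conf/. The script below is an added example, not part of the original post: it generates the key and certificate, confirms that the key really belongs to the certificate (the check to run whenever mod_ssl refuses to start with a key/certificate mismatch), and installs both under the paths vhost.conf uses. It assumes openssl on PATH, a caller-supplied working directory, and ssl.colorme.com as the host name; 2048-bit RSA and SHA-256 replace the 1024-bit key and SHA-1 signature of the original commands, which current clients reject, and a subjectAltName is added because current clients match on that rather than on the Common Name.

```shell
#!/bin/sh
# Added example (not part of the original post): create the self-signed
# server key and certificate from section IV.2 without interactive prompts,
# verify them, and install them under conf/ssl.key and conf/ssl.crt.
# Assumes openssl on PATH (the post adds /usr/local/ssl/bin) and a working
# directory chosen by the caller.

# make_selfsigned OUTDIR FQDN PASSPHRASE
#   Writes OUTDIR/server.key (DES3-encrypted), OUTDIR/server.key.unsecure
#   (no passphrase, for the section IV.3.3 setup) and OUTDIR/server.crt.
make_selfsigned() {
    out=$1; fqdn=$2; pass=$3
    mkdir -p "$out"
    # Minimal req config: sets the Common Name without the interactive prompt
    # and adds a subjectAltName, which is what current clients match on.
    cat > "$out/req.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[ dn ]
CN = $fqdn
[ v3_server ]
subjectAltName = DNS:$fqdn
basicConstraints = CA:FALSE
EOF
    openssl genrsa -des3 -passout "pass:$pass" -out "$out/server.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 365 -config "$out/req.cnf" \
        -key "$out/server.key" -passin "pass:$pass" -out "$out/server.crt"
    # Passphrase-less copy so httpd can restart unattended; it must stay root-only.
    openssl rsa -in "$out/server.key" -passin "pass:$pass" \
        -out "$out/server.key.unsecure" 2>/dev/null
    chmod 600 "$out/server.key" "$out/server.key.unsecure"
}

# key_matches_cert KEYFILE CRTFILE [PASSPHRASE]
#   Exit 0 when the key's RSA modulus equals the certificate's, i.e. when
#   SSLCertificateFile and SSLCertificateKeyFile belong together.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" -passin "pass:${3:-}" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn CRTFILE -> the Common Name in the certificate subject
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

# cert_san CRTFILE -> the DNS names in subjectAltName, one per line
cert_san() {
    openssl x509 -noout -text -in "$1" | tr ',' '\n' |
        sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Stand-alone use: sh mkcert.sh /usr/local/apache2/conf ssl.colorme.com 'passphrase'
if [ $# -eq 3 ]; then
    conf=$1; work=$(mktemp -d)
    make_selfsigned "$work" "$2" "$3"
    key_matches_cert "$work/server.key" "$work/server.crt" "$3" ||
        { echo "key and certificate do not match" >&2; exit 1; }
    mkdir -p "$conf/ssl.key" "$conf/ssl.crt"
    chmod 700 "$conf/ssl.key"
    cp -p "$work/server.key" "$work/server.key.unsecure" "$conf/ssl.key/"
    cp -p "$work/server.crt" "$conf/ssl.crt/"
    rm -rf "$work"
    echo "installed certificate for $(cert_cn "$conf/ssl.crt/server.crt") under $conf"
fi
```

The modulus comparison is the first thing to run when httpd logs a key/certificate mismatch after a renewal; the CN and SAN helpers confirm that the name in the certificate is the ServerName of the SSL host, which is what the browser compares against.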
3. Starting and stopping Apache with SSL
3.1 Start
./apachectl startssl
httpd prompts for the passphrase chosen when server.key was created and only starts once the correct one is entered.
3.2 Stop
./apachectl stop
3.3 Dropping the passphrase prompt for testing
a. Edit vhost.conf:
#SSLCertificateKeyFile conf/ssl.key/server.key
SSLCertificateKeyFile conf/ssl.key/server.key.unsecure
b. Generate server.key.unsecure:
# /usr/local/ssl/bin/openssl rsa -in server.key -out server.key.unsecure
The unencrypted key is as sensitive as the passphrase it replaces: keep it in conf/ssl.key owned by root with mode 600 (the parent httpd reads it as root before the worker processes drop privileges) and keep it out of world-readable backups.
4. SSL virtual hosts can only be IP-based. The server must choose a certificate before it can read the Host header, so with Apache 2.0 and OpenSSL 0.9.7 each SSL host needs its own IP:port pair, which is why this setup has a single SSL host on 192.168.1.254:443. Name-based SSL hosts need SNI, which requires Apache 2.2.12 or later built against an OpenSSL with TLS extension support (0.9.8f and later).
5. For testing, add to the hosts file:
192.168.1.254
192.168.1.254 ssl.colorme.com
6. For the production site
Each of the second-level host names used above must have a DNS record that resolves to the server: CNAME records as used here, or A records pointing at the server's public address.
7. Bugs
7.1 Working around the deadlock warning
Symptom:
[warn] (45)Deadlock situation detected/avoided: ap_proxy: couldn't create the lock
Errno 45 is EDEADLK on Solaris, a status that fcntl() record locks report, so the mutex Apache picked by default was a file lock. Adding the following to ssl.conf moves the accept mutex and the SSL session-cache mutex to other primitives and makes the warning go away:
AcceptMutex pthread
SSLMutex sem
7.2 Bug 27525
Symptom:
bash-2.05# ../bin/apachectl startssl
[Sun Nov 20 14:52:44 2005] [crit] [Sun Nov 20 14:52:44 2005] file vhost.c, line 190, assertion "rv == APR_SUCCESS" failed
Solution 1 (the reply on the bug tracker):
Essentially the same problem as bug 27525 -- edit /etc/nsswitch.conf and add
"dns" to the end of the hosts: line to fix it.
With only "files" on the hosts: line, a host name used in the virtual host configuration that is not listed in /etc/hosts cannot be resolved when httpd starts, and that is what trips the assertion.
Solution 2:
Remove the default SSL virtual host from ssl.conf.
Bug 37488 has been added to the database