linux下apache页面认证+ssl
安装Openssl
#tar zxvf openssl-0.9.7e.tar.gz
#cd openssl-0.9.7e
#./config
#make
#make install
此举将安装最新的OpenSSL到/usr/local/ssl目录中,无需理会系统中已有版本的OpenSSL,
也不要去卸载它,否则会导致很多的应用程序无法正常执行,例如X窗口无法进入等错误。
安装Apache
#tar zxvf httpd-2.0.53.tar.gz
#./configure --prefix=/apache/httpd --enable-ssl=static
--with-ssl=/usr/local/ssl --enable-so
#make
#make install
此步骤在/apache/httpd目录中安装httpd服务(通过参数--prefix指定),同时
使用--with-ssl指定刚才所安装OpenSSL的路径,用于将mod_ssl静态的编译到httpd服务中.
使用密码验证的网页
#vi /usr/local/apache/conf/httpd.conf
AllowOverride AuthConfig
Order allow,deny
Allow from all
#mkdir -p /usr/local/apache/htdocs/www
#>xx
#touch xx >xx
#vi .htaccess
AuthName "shared files"
AuthType Basic
AuthUserFile /etc/.htpasswd
require valid-user
创建用户
#htpasswd -c /etc/.htpasswd username
启动Apache服务
#/usr/local/apache/bin/apachectl start 或
#cp /usr/local/apache/bin/apachectl /etc/rc.d/init.d/apache
#service apache start
来启动服务器.
我们必须手工来生成SSL用到的证书,对证书不熟悉的人,有一个工具可以使用:
。
下面是如何通过这个工具来生成证书的过程:
#cp ssl.ca-0.1.tar.gz /usr/local/apache/conf
#cd /usr/local/apache/conf
#tar zxvf ssl.ca-0.1.tar.gz
#cd ssl.ca-0.1
#./new-root-ca.sh (生成根证书)
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
...........................++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (输入一个密码)
Verifying - Enter pass phrase for ca.key: (再输入一次密码)
......
Self-sign the root CA... (签署根证书)
Enter pass phrase for ca.key: (输入刚刚设置的密码)
........
........ (下面开始签署)
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:GuangDong//随你喜欢
Locality Name (eg, city) [Sitiawan]:GuangZhou//随你喜欢
Organization Name (eg, company) [My Directory Sdn Bhd]:GDLC//随你喜欢
Organizational Unit Name (eg, section) [Certification Services Division]:GDLC//随你喜欢
Common Name (eg, MD Root CA) []:winson CA//随你喜欢
Email Address []:yu.hanhui@gd-linux.org//随你喜欢
这样就生成了ca.key和ca.crt两个文件,下面还要为我们的服务器生成一个证书:
#./new-server-cert.sh server (这个证书的名字是server)
......
......
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]: GuangDong
Locality Name (eg, city) [Sitiawan]: GuangZhou
Organization Name (eg, company) [My Directory Sdn Bhd]:GDLC
Organizational Unit Name (eg, section) [Secure Web Server]:GDLC
Common Name (eg, ) []:localhost
Email Address []:yu.hanhui@gd-linux.org
这样就生成了server.csr和server.key这两个文件。
还需要签署一下才能使用的:
#./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: (输入上面设置的根证书密码)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'JiangSu'
localityName :PRINTABLE:'NanJing'
organizationName :PRINTABLE:'Wiscom System Co.,Ltd'
organizationalUnitName:PRINTABLE:'ACSTAR'
commonName :PRINTABLE:'acmail.wiscom.com.cn'
emailAddress :IA5STRING:'acmail@wiscom.com.cn'
Certificate is to be certified until Jul 16 12:55:34 2005 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
#chmod 400 server.key
#mv server.key server.crt /usr/local/apache/conf
#vi /usr/local/apache/conf/httpd.conf
#Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf(把#号去掉)
#/usr/local/apache/bin/apachectl start
IE里输入IP地址来验证以下.
