Chinaunix首页 | 论坛 | 博客
  • 博客访问: 1829937
  • 博文数量: 636
  • 博客积分: 0
  • 博客等级: 民兵
  • 技术积分: 3950
  • 用 户 组: 普通用户
  • 注册时间: 2014-08-06 21:58
个人简介

博客是我工作的好帮手,遇到困难就来博客找资料

文章分类

全部博文(636)

文章存档

2024年(5)

2022年(2)

2021年(4)

2020年(40)

2019年(4)

2018年(78)

2017年(213)

2016年(41)

2015年(183)

2014年(66)

我的朋友

分类: 系统运维

2017-03-13 20:53:29

1.安装openssl


[root@c6 ~]# yum install -y openssl openssl-devel

___________________________________________________________   yum安装方式


  #下载openssl


[root@Web_server src]# tar xf openssl-1.0.1s.tar.gz

[root@Web_server src]# cd openssl-1.0.1s

[root@Web_server openssl-1.0.1s]# ./config 

[root@Web_server openssl-1.0.1s]# make && make install


------------------------------------源码安装方式

安装apache

[root@Web_server src]# wget

[root@Web_server src]# tar xvf httpd-2.2.31.tar.gz

[root@Web_server src]#cd httpd-2.2.31

[root@Web_server httpd-2.2.31]#./configure --prefix=/usr/local/apache2 --with-included-apr --enable-so --enable-deflate=shared --enable-expires=shared --enable-rewrite=shared --with-pcre --enable-ssl=shared --with-ssl=/usr/local/ssl     #此处选择动态模式,--enable-ssl=static --with-ssl=/usr/local/ssl选择静态


------------------------------------添加扩展模块方式


[root@Web_server openssl-1.0.1s]# cd /usr/local/src/httpd-2.2.31/modules/ssl   #务必进入httpd源码目录


[root@Web_server ssl]# /usr/local/apache2/bin/apxs  -i -c -a -D HAVE_OPENSSL=1 -I 

/usr/lib/openssl/engines/lib -lcrypto -lssl -ldl *.c     


#

错误一、error "Unrecognized SSL Toolkit!、declaration for parameter 'XXXXXX' but no such parameter

 

解决:添加-D HAVE_OPENSSL=1


错误二、undefined symbol: ssl_cmd_SSLMutex 


解决:apxs编译追加模块成功,但是apache启动失败。出现这个错误后,我把运行apxs时指定mod_ssl.c改成*.c 。和添加mod_deflate不一样,ssl中包含多个源代码文件


错误三、undefined symbol: X509_INFO_free

解决:由于静态连接了 openssl的库造成的(默认),解决办法是添加-lcrypto -lssl -ldl参数


2.创建证书

■ 创建私钥

___________________________________________________________


[root@Web_server modules]# cd /usr/local/ssl/bin/          

[root@Web_server bin]# openssl genrsa -out server.key 2048

[root@Web_server bin]# cp server.key  /usr/local/apache2/conf/ssl.key


■ 生成证书请求(CSR)文件

___________________________________________________________


[root@Web_server bin]# openssl req -new -key server.key -out certreq.csr 

Country Name (2 letter code) [XX]:cn                 #所在国家的ISO标准代号,中国为CN

State or Province Name (full name) []:zj            #单位所在地省/自治区/直辖市

Locality Name (eg, city) [Default City]:zs            #单位所在地的市/县/区

Organization Name (eg, company) [Default Company Ltd]:dx      #单位/机构/企业合法的名称

Organizational Unit Name (eg, section) []:zwy                #部门名称 

Common Name (eg, your name or your server's hostname) []:zwy    #此项必须与访问提供SSL服务的服务器时所应用的域名完全匹配   

Email Address []:       #邮件地址,不必输入,直接回车跳过

"extra"attributes                        #以下信息不必输入,回车跳过直到命令执行完毕

[root@c6 conf]#  cp server.key server.key.ori

[root@c6 conf]# openssl rsa -in server.key.ori -out server.key

writing RSA key

[root@c6 conf]#  openssl x509 -req -days 365 -in certreq.csr -signkey server.key -out server.crt

Signature ok

subject=/C=CN/ST=ZJ/L=ZS/O=DX/OU=ZWY/CN=ZWY/emailAddress=szk5043@foxmail.com

Getting Private key

3. Apache配置

___________________________________________________________  


[root@Web_server ~]# vim /usr/local/apache2/conf/httpd.conf 

Include conf/extra/httpd-ssl.conf

#取消前面注释   


[root@Web_server ~]#  vim /usr/local/apache2/conf/extra/httpd-vhosts.conf

RewriteEngine on

RewriteCond %{SERVER_PORT} !^443$

RewriteRule ^/?(.*)$ https://%{SERVER_NAME}/$1 [L,R]


#在需要开启的虚拟主机配置文件中,加上http自动重定向为https


[root@Web_server ~]#  mv /usr/local/apache2/conf/extra/httpd-ssl.conf 

 /usr/local/apache2/conf/extra/httpd-ssl.conf.bak    #备份默认配置文件


[root@Web_server ~]#  > /usr/local/apache2/conf/extra/httpd-ssl.conf  


[root@c6 ~]# vim /usr/local/apache2/conf/extra/httpd-ssl.conf


LoadModule ssl_module modules/mod_ssl.so

Listen 443

SSLPassPhraseDialog  builtin

SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)

SSLSessionCacheTimeout  300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom  256

SSLRandomSeed connect builtin

#SSLCryptoDevice builtin

SSLProtocol all -SSLv2 -SSLv3

SSLHonorCipherOrder on

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:!RC4:

    DocumentRoot "/data/www"

    ServerName

    ErrorLog "logs/dummy-host.example.com-error_log"

    CustomLog "logs/dummy-host.example.com-access_log" common

   

        SSLEngine on

        SSLCertificateFile /usr/local/apache2/conf/server.crt

        SSLCertificateKeyFile /usr/local/apache2/conf/server.key

        #SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/intermediatebundle.crt

   


错误:curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

解决:把443的VirtualHost 放到80的VirtualHost 前面;80 部分 NameVirtualHost *443部分NameVirtualHost *:443




1.SSL模块

nginx的https协议需要ssl模块的支持,我们在编译nginx时使用–with-http_ssl_module参数加入SSL模块。还需要服务器私钥,服务器证书,如果是公司对外环境,这个证书需要购买第三方的权威证书,否则用户体验得不到保障


2.检查Nginx的SSL模块是否安装


[root@c6 ~]# /usr/local/nginx/sbin/nginx -V

nginx version: nginx/1.6.2

built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)

TLS SNI support enabled

configure arguments: --prefix=/usr/local/nginx --with-pcre --with-http_ssl_module --with-http_stub_status_module


3.准备私钥和证书

3.1创建服务器私钥


[root@c6 ~]# cd /usr/local/nginx/conf/

[root@c6 conf]# mkdir key

[root@c6 conf]# cd key

[root@c6 key]# openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus

..................++++++

..............++++++

e is 65537 (0x10001)

Enter pass phrase for server.key:        ##输入一个密码

Verifying - Enter pass phrase for server.key:      #再次输入


3.2签发证书


[root@c6 key]# openssl req -new -key server.key -out server.csr

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:SH

Locality Name (eg, city) [Default City]:SH

Organization Name (eg, company) [Default Company Ltd]:YJS

Organizational Unit Name (eg, section) []:SA

Common Name (eg, your name or your server's hostname) []:Web

Email Address []:szk5043@foxmail.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:root

An optional company name []:root


3.3 删除服务器私钥口令


[root@c6 key]# cp server.key server.key.ori


[root@c6 key]# openssl rsa -in server.key.ori -out server.key


Enter pass phrase for server.key.ori:

writing RSA key


3.4生成使用签名请求证书和私钥生成自签证书


[root@c6 key]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Signature ok

subject=/C=CN/ST=SH/L=SH/O=YJS/OU=SA/CN=Web/emailAddress=szk5043@foxmail.com

Getting Private key


3.5开启Nginx SSL


[root@c6 ~]# vim /usr/local/nginx/conf/vhosts/szk.conf


server {

server_name

listen   80;

rewrite ^(.*) permanent;

}

server  {

    listen 443;

    server_name

    index index.html index.htm index.php;

    root /data/www;

        

    ssl on;

    ssl_certificate key/server.crt;

    ssl_certificate_key key/server.key;

    location ~ \.php$ {

        include fastcgi_params;

       #fastcgi_pass unix:/tmp/php-fcgi.sock;

        fastcgi_pass 127.0.0.1:9000;

        fastcgi_index index.php;

        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;

    }

}


#把80端口的访问自动跳转到433端口


[root@c6 ~]# /etc/init.d/nginx  restart

Stopping Nginx:                                            [   OK   ]

Starting Nginx:                                            [  OK  ]

[root@c6 ~]# netstat -tnlup | grep nginx

tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      1504/nginx

tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      1504/nginx

4.测试




 默认情况下ssl模块并未被安装,如果要使用该模块则需要在编译时指定–with-http_ssl_module参数,安装模块依赖于OpenSSL库和一些引用文件,通常这些文件并不在同一个软件包中。通常这个文件名类似libssl-dev。


可以通过以下步骤生成一个简单的证书:

首先,进入你想创建证书和私钥的目录,例如:


cd /usr/local/nginx/conf

创建服务器私钥,命令会让你输入一个口令:


openssl genrsa -des3 -out server.key 1024

创建签名请求的证书(CSR):


openssl req -new -key server.key -out server.csr

在加载SSL支持的Nginx并使用上述私钥时除去必须的口令:


cp server.key server.key.org

openssl rsa -in server.key.org -out server.key

配置nginx

最后标记证书使用上述私钥和CSR:


openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

修改Nginx配置文件,让其包含新标记的证书和私钥:


server {

    server_name YOUR_DOMAINNAME_HERE;

    listen 443;

    ssl on;

    ssl_certificate /usr/local/nginx/conf/server.crt;

    ssl_certificate_key /usr/local/nginx/conf/server.key;

}

重启nginx。

这样就可以通过以下方式访问:

另外还可以加入如下代码实现80端口重定向到443


server {

    listen 80;

    server_name ww.centos.bz;

    rewrite ^(.*) permanent;

}





(1) 生成私钥;

# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)


(2) 生成自签证书;


# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365


-new:生成新证书签署请求


-x509:生成自签格式证书,专用于创建私有CA时


-key:生成请求时用到的私有文件路径;


-out:生成的请求文件路径;如果自签操作将直接生成签署过的证书;


-days:证书的有效时长,单位是day;



(3) 为CA提供所需的目录及文件;

    # mkdir  -pv  /etc/pki/CA/{certs,crl,newcerts}

    # touch  /etc/pki/CA/{serial,index.txt}

    # echo  01 > /etc/pki/CA/serial

此主机即是一台CA了。


(4)用到证书的主机(httpd主机)生成私钥;

# mkdir  /etc/httpd/ssl 

# cd  /etc/httpd/ssl

# (umask  077; openssl  genrsa -out  /etc/httpd/ssl/httpd.key  2048)


(5) 生成证书签署请求


openssl  req  -new  -key  /etc/httpd/ssl/httpd.key  -out /etc/httpd/ssl/httpd.csr  -days  365


(6) 在CA主机上签署证书;

openssl ca  -in  /etc/httpd/ssl/httpd.csr  -out  /etc/pki/CA/certs/httpd.crt  -days  365

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1(0x2)

        Validity

            Not Before: Apr 10 15:45:54 2016 GMT

            Not After : Apr 10 15:45:54 2017 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = beijing

            organizationName          = ops

            organizationalUnitName    = ops

            commonName                = ops.com

            emailAddress              = admin@ops.com

        X509v3 extensions:

            X509v3 Basic Constraints: 

                CA:FALSE

            Netscape Comment: 

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier: 

                08:A3:DD:98:D3:E0:42:58:5E:B7:24:43:6C:3D:B1:D8:02:34:16:46

            X509v3 Authority Key Identifier: 

                keyid:75:63:44:2C:46:80:2F:84:CE:EF:C6:F1:F2:E7:75:2E:EF:17:37:C2

Certificate is to be certified until Apr 10 15:45:54 2017 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated


(7)查看证书中的信息:

openssl  x509  -in /etc/pki/CA/certs/httpd.crt  -noout  -serial  -subject


阅读(529) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~