1. Setting up the CA server

[root@zzu ~]# yum install openssl*
[root@zzu ~]# cd /etc/pki/
[root@zzu pki]# vim tls/openssl.cnf
    line 45:  dir = /etc/pki/CA
    line 88:  countryName = optional
    line 89:  stateOrProvinceName = optional
    line 90:  organizationName = optional
    line 136: countryName_default = CN                 # some default values
    line 141: stateOrProvinceName_default = beijing    # some default values
    line 144: localityName_default = beijing           # some default values
[root@zzu pki]# cd CA
[root@zzu CA]# mkdir certs newcerts crl                # create 3 directories and two files
[root@zzu CA]# touch index.txt serial
[root@zzu CA]# echo "01">serial                        # first serial number for the CA index
[root@zzu CA]# openssl genrsa 1024 >private/cakey.pem  # create the CA's private key file
[root@zzu CA]# chmod 600 private/cakey.pem             # restrict permissions on the private key
[root@zzu CA]# openssl req -new -key private/cakey.pem -days 3650 -x509 -out cacert.pem   # generate the CA's own certificate

2. Issuing a certificate to the www server

[root@zzu ~]# cd /etc/httpd/
[root@zzu httpd]# mkdir certs
[root@zzu httpd]# cd certs/
[root@zzu certs]# openssl genrsa 1024 > httpd.key                    # generate the server's private key
[root@zzu certs]# openssl req -new -key httpd.key -out httpd.csr     # generate the server's certificate request
[root@zzu certs]# openssl ca -in httpd.csr -out httpd.cert           # generate the server's certificate file
[root@zzu certs]# cp /etc/pki/CA/cacert.pem ./                       # copy the CA's certificate file
[root@zzu certs]# chmod 600 *                                        # restrict file permissions for extra safety
[root@zzu certs]# yum install mod_ssl*
[root@zzu certs]# vim /etc/httpd/conf.d/ssl.conf                     # bind the certificate file and the key file
    line 112: SSLCertificateFile /etc/httpd/certs/httpd.cert
    line 119: SSLCertificateKeyFile /etc/httpd/certs/httpd.key
    line 128: SSLCertificateChainFile /etc/httpd/certs/cacert.pem
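The CA build and certificate issuance above, carried end to end as an added example that is not from the original post: it rebuilds the post's /etc/pki/CA layout in a temporary directory, signs the CSR with openssl ca the way the post does, and then performs the check the post never shows, verifying httpd.cert against cacert.pem for the host name www.abc.com. The subject names, 2048-bit keys, sha256 and the subjectAltName extension are assumptions of this example; the post itself uses 1024-bit keys and the stock openssl.cnf.

```shell
# Added example (not from the post). Assumed: demo names, 2048-bit keys, sha256, SAN.
set -eu
build_demo_ca() {
    dir=$(mktemp -d)
    mkdir -p "$dir/certs" "$dir/newcerts" "$dir/crl" "$dir/private"   # same layout as /etc/pki/CA
    touch "$dir/index.txt"; echo "01" > "$dir/serial"                  # database and first serial
    cat > "$dir/openssl.cnf" <<EOF # mirrors the post's openssl.cnf edits: dir, optional DN fields
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 365
policy = policy_anything
x509_extensions = v3_server
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_server ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.abc.com
EOF
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null      # CA private key
    chmod 600 "$dir/private/cakey.pem"
    openssl req -new -x509 -days 3650 -config "$dir/openssl.cnf" \
        -key "$dir/private/cakey.pem" -subj "/CN=Demo Root CA" -out "$dir/cacert.pem"
    openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null               # server key, CSR, cert
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/httpd.key" -subj "/CN=www.abc.com" -out "$dir/httpd.csr"
    openssl ca -batch -config "$dir/openssl.cnf" -in "$dir/httpd.csr" -out "$dir/httpd.cert" 2>/dev/null
    chmod 600 "$dir/httpd.key" "$dir/httpd.cert"
    echo "$dir"
}
verify_chain() {   # $1 = CA dir, $2 = hostname: the check a client trusting cacert.pem performs
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/httpd.cert" >/dev/null 2>&1
}
```

The same check run with tec.abc.com fails, which is why the post's second VirtualHost needs its own httpd1.cert and httpd1.key.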
192.168.1.200 www.abc.com
[root@zzu certs]# netstat -tupln |grep httpd
tcp    0    0 :::80     :::*    LISTEN    5544/httpd
tcp    0    0 :::443    :::*    LISTEN    5544/httpd
Close the original port 80:

[root@zzu certs]# vim /etc/httpd/conf/httpd.conf
    line 134: #Listen 80                                # comment out this line
[root@zzu certs]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@zzu certs]# netstat -tupln|grep httpd
tcp    0    0 :::443    :::*    LISTEN    5483/httpd

This way www.abc.com can only be accessed over https.

Supplement

1. Issuing a certificate to www.abc.com (the host at 192.168.1.200)

[root@zzu certs]# vim /etc/httpd/conf.d/ssl.conf

NameVirtualHost 192.168.1.200:443
<VirtualHost 192.168.1.200:443>
    DocumentRoot "/var/www/html"
    ServerName www.abc.com:443
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/httpd/certs/httpd.cert
    SSLCertificateKeyFile /etc/httpd/certs/httpd.key
    SSLCertificateChainFile /etc/pki/CA/cacert.pem
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

2. Issuing a certificate to tec.abc.com (the host at 192.168.1.100)

[root@zzu certs]# vim /etc/httpd/conf.d/ssl.conf

<VirtualHost 192.168.1.100:443>
    DocumentRoot "/var/www/tec"
    ServerName tec.abc.com:443
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/httpd/certs/httpd1.cert
    SSLCertificateKeyFile /etc/httpd/certs/httpd1.key
    SSLCertificateChainFile /etc/pki/CA/cacert.pem
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Excerpted from 再別combridge's blog