Configuring HTTPS deployment on Linux
I. Configuring HTTPS
1. After installing the httpd service, install the mod_ssl module
// First check whether mod_ssl is already installed
[root@contos7 ~]# rpm -qa | grep mod_ssl
// Install the mod_ssl module
[root@contos7 ~]# yum install mod_ssl
2. In the /etc/httpd/conf.modules.d/ directory, check whether the 00-ssl.conf file was generated automatically
[root@contos7 ~]# cd /etc/httpd/conf.modules.d/
[root@contos7 conf.modules.d]# ls
// Check that the following line in 00-ssl.conf is uncommented; if it is not, uncomment it
LoadModule ssl_module modules/mod_ssl.so
3. Create the CA certificate
To generate a certificate, a private key must first be generated for the server side and then used to produce its certificate file:
[root@contos7 ~]# cd /etc/pki/CA
[root@contos7 /etc/pki/CA]# (umask 066;openssl genrsa -out private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.....++
.........................................................++
e is 65537 (0x10001)
[root@contos7 /etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeNan
Locality Name (eg, city) [Default City]:ZhengZhou
Organization Name (eg, company) [Default Company Ltd]:Magedu
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@contos7 /etc/pki/CA]# touch index.txt
[root@contos7 /etc/pki/CA]# echo 00 > serial
[root@contos7 /etc/pki/CA]# mkdir /etc/httpd/conf.d/ssl
[root@contos7 /etc/pki/CA]# cd /etc/httpd/conf.d/ssl/
[root@contos7 /etc/httpd/conf.d/ssl]# (umask 066;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
......++++++
.............++++++
e is 65537 (0x10001)
[root@contos7 /etc/httpd/conf.d/ssl]# openssl req -new -key httpd.key -out httpd.csr
[root@contos7 /etc/httpd/conf.d/ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
[root@contos7 /etc/httpd/conf.d/ssl]# cp /etc/pki/CA/cacert.pem .
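The same private-CA workflow as step 3, written as a repeatable script. This is an added example, not code from the original post: it works in a scratch directory with its own openssl.cnf instead of /etc/pki/CA and the system config, passes the Distinguished Name with -subj instead of answering the interactive prompts, and adds a subjectAltName, which browsers require today. The directory layout, the hostname argument and the "Demo Root CA" name are assumptions; the DN fields reuse the values typed in the post. Two things the interactive session hides are made explicit here: the `policy_match` section is the reason `openssl ca` rejects a CSR whose Country/State/Organization differ from the CA's, and the server key is 2048 bits, since a 1024-bit RSA key is rejected by current clients.

```shell
#!/bin/sh
# Added example (not from the original post): step 3 of the post as a script that
# builds a private CA and a server certificate in a scratch directory.
# Assumptions: the DIR layout below, the HOSTNAME argument, the "Demo Root CA" name.
set -eu

# make_demo_pki DIR HOSTNAME
# Produces DIR/ca/cacert.pem (root CA), DIR/server/httpd.key and DIR/server/httpd.crt
# (server certificate signed by that CA, carrying HOSTNAME as a subjectAltName).
make_demo_pki() {
    dir=$1
    host=$2
    cnf=$dir/openssl.cnf
    mkdir -p "$dir/ca/private" "$dir/ca/newcerts" "$dir/server"

    # CA database that `openssl ca` expects: an empty index and a starting serial.
    # 01 rather than the post's 00, because RFC 5280 requires positive serial numbers.
    : > "$dir/ca/index.txt"
    echo 01 > "$dir/ca/serial"

    # Minimal config. [ policy_match ] mirrors the stock openssl.cnf policy: a CSR whose
    # C, ST or O differ from the CA certificate is refused by `openssl ca`.
    cat > "$cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database        = $dir/ca/index.txt
new_certs_dir   = $dir/ca/newcerts
serial          = $dir/ca/serial
certificate     = $dir/ca/cacert.pem
private_key     = $dir/ca/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = server_ext

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF

    # (umask 066; ...) as in the post: the key is created mode 0600 without
    # changing the caller's umask.
    (umask 066; openssl genrsa -out "$dir/ca/private/cakey.pem" 4096 2>/dev/null)
    openssl req -config "$cnf" -new -x509 -days 3650 -extensions ca_ext \
        -key "$dir/ca/private/cakey.pem" -out "$dir/ca/cacert.pem" \
        -subj "/C=CN/ST=HeNan/L=ZhengZhou/O=Magedu/OU=opt/CN=Demo Root CA"

    # Server key: 2048 bits; the post's 1024-bit key is below what current clients accept.
    (umask 066; openssl genrsa -out "$dir/server/httpd.key" 2048 2>/dev/null)
    openssl req -config "$cnf" -new -key "$dir/server/httpd.key" \
        -out "$dir/server/httpd.csr" \
        -subj "/C=CN/ST=HeNan/L=ZhengZhou/O=Magedu/OU=opt/CN=$host"
    # -batch answers the "Sign the certificate?" prompt; -notext keeps the .crt PEM-only.
    openssl ca -config "$cnf" -batch -notext -days 365 \
        -in "$dir/server/httpd.csr" -out "$dir/server/httpd.crt" 2>/dev/null
}

# verify_chain DIR HOSTNAME: the check to run before pointing httpd at the files.
# Succeeds only if httpd.crt chains to cacert.pem and carries HOSTNAME as a SAN.
verify_chain() {
    openssl verify -CAfile "$1/ca/cacert.pem" "$1/server/httpd.crt" >/dev/null &&
    openssl x509 -in "$1/server/httpd.crt" -noout -text | grep -q "DNS:$2"
}
```

Run it as `make_demo_pki /tmp/pki www.example.test && verify_chain /tmp/pki www.example.test`, then copy httpd.key, httpd.crt and cacert.pem into /etc/httpd/conf.d/ssl/ as in step 4. The `openssl verify` call is the one check worth keeping in any deployment script: a certificate that does not chain to the CA file you hand to SSLCACertificateFile will be served by httpd without complaint and rejected by every client.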
4. Edit the .conf configuration file
Change the relevant directives to the following three lines
[root@contos7 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
5. Modify the configuration file
[root@contos7 ~]# vim /etc/httpd/conf.d/vhost.conf
<VirtualHost *:443>
ServerName www.baidu.com
DocumentRoot "/app/website1"
CustomLog "logs/www.baidu.com_access_log" combined
<Directory "/app/website1">
Require all granted
</Directory>
</VirtualHost>
6. Configure the .conf file. If the mod_ssl.so module is installed, an ssl.conf file exists in the conf.d directory (or a similar directory, depending on your setup) for configuring HTTPS requests, and a 00-ssl.conf file is added in conf.modules.d to load the module.
ssl.conf configuration (the meaning of each parameter is explained in the comments of the configuration file):
SSLProtocol all -SSLv2 -SSLv3
#SSLProtocol all TLSv1 TLSv1.2
#   SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
#   Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy - if the server's key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder on
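A small audit of the settings step 6 edits, as an added example that is not part of the original post. `directive` reads the last uncommented value of a directive the way httpd would; `audit_ssl_conf` prints one line per finding and returns non-zero when there is any. The checks encode the post's own hardening choices (SSLv2/SSLv3 excluded, RC4/MD5/aNULL excluded, server-side cipher order) plus `SSLEngine on`, which the stock ssl.conf sets inside its `<VirtualHost _default_:443>` and which a separate `<VirtualHost *:443>` like the one in step 5 needs as well. The two configs it runs against are constructed: weak.conf carries the stock defaults the post shows commented out, hardened.conf the post's values.

```shell
#!/bin/sh
# Added example (not from the original post): audit the mod_ssl directives of step 6.
# Assumptions: the two constructed sample configs written by write_samples.
set -eu

# directive FILE NAME: value of the last uncommented NAME line in FILE (empty if none).
# Commented lines never match because their first field starts with '#'.
directive() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == want { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); value = $0 }
        END { print value }' "$1"
}

# audit_ssl_conf FILE: print findings, return 0 only when there are none.
audit_ssl_conf() {
    conf=$1
    findings=0
    finding() { findings=$((findings + 1)); echo "$conf: $1"; }

    # A <VirtualHost *:443> without SSLEngine on serves plain HTTP on port 443.
    [ "$(directive "$conf" SSLEngine | tr 'A-Z' 'a-z')" = on ] ||
        finding "SSLEngine is not 'on'"

    # SSLProtocol: "all" includes SSLv3 unless it is explicitly removed;
    # an allow-list such as "-all +TLSv1.2 +TLSv1.3" is accepted as is.
    proto=$(directive "$conf" SSLProtocol)
    lproto=" $(printf '%s' "$proto" | tr 'A-Z' 'a-z') "
    case "$lproto" in
        "  ")       finding "SSLProtocol is not set" ;;
        *" -all "*) ;;
        *" all "*)  case "$lproto" in
                        *" -sslv3 "*) ;;
                        *) finding "SSLProtocol '$proto' keeps SSLv3 enabled" ;;
                    esac ;;
    esac
    case "$lproto" in
        *" sslv2 "*|*" +sslv2 "*|*" sslv3 "*|*" +sslv3 "*)
            finding "SSLProtocol '$proto' enables SSLv2/SSLv3" ;;
    esac

    # SSLCipherSuite: the exclusions the post's hardened line relies on must be present.
    ciphers=$(directive "$conf" SSLCipherSuite)
    for bad in aNULL MD5 RC4; do
        case ":$ciphers:" in
            *":!$bad:"*) ;;
            *) finding "SSLCipherSuite '$ciphers' does not exclude $bad" ;;
        esac
    done

    # Without SSLHonorCipherOrder the client's preference order wins the negotiation.
    [ "$(directive "$conf" SSLHonorCipherOrder | tr 'A-Z' 'a-z')" = on ] ||
        finding "SSLHonorCipherOrder is not 'on'"

    [ "$findings" -eq 0 ]
}

# write_samples DIR: constructed inputs. weak.conf has the stock defaults the post
# shows commented out; hardened.conf has the values from step 6.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
SSLProtocol all -SSLv2
#SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
EOF
    cat > "$1/hardened.conf" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
SSLHonorCipherOrder on
EOF
}
```

Usage on a live host is `audit_ssl_conf /etc/httpd/conf.d/ssl.conf`; weak.conf produces four findings (SSLEngine, SSLv3 still enabled, RC4 not excluded, cipher order), hardened.conf none. The audit deliberately stops at what the post configures: `all -SSLv2 -SSLv3` still admits TLS 1.0 and 1.1, which RFC 8996 deprecates, so on a current deployment the SSLProtocol line would be tightened further and the audit's allow-list branch is where that policy belongs.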
7. Restart the service
[root@contos7 ~]# systemctl restart httpd
This article is from cnblogs, author: zwbsoft. Please credit the original link when reposting: https://www.cnblogs.com/zwbsoft/p/15802922.html