
Making a Linux server support HTTPS (the secure HTTP protocol)

We normally reach websites with "http://", but everything sent that way can be intercepted by a third party because it travels in plaintext, so submitting private data or passwords over it is very unsafe. More serious sites, and banking sites in particular, use "https://" wherever private data or high-value passwords are submitted, so that the traffic is encrypted and the user's security and privacy are protected.

Here I will use mod_ssl to make our server support HTTPS as well. (Environment: CentOS 5.5)

1. Install mod_ssl

Install mod_ssl online with yum:

[[email protected] ~]# yum -y install mod_ssl ← install mod_ssl online

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: data.nicehosting.co.kr
* extras: data.nicehosting.co.kr
* updates: data.nicehosting.co.kr
addons | 951 B 00:00
addons/primary | 202 B 00:00
http://data.nicehosting.co.kr/os/CentOS/5.7/os/i386/repodata/repomd.xml: [Errno 14] HTTP Error 403: Forbidden
Trying other mirror.
base | 1.1 kB 00:00
base/primary | 961 kB 00:40
base 2705/2705
http://data.nicehosting.co.kr/os/CentOS/5.7/extras/i386/repodata/repomd.xml: [Errno 14] HTTP Error 403: Forbidden
Trying other mirror.
extras | 2.1 kB 00:00
extras/primary_db | 156 kB 00:06
http://data.nicehosting.co.kr/os/CentOS/5.7/updates/i386/repodata/repomd.xml: [Errno 14] HTTP Error 403: Forbidden
Trying other mirror.
updates | 1.9 kB 00:00
updates/primary_db | 290 kB 00:12
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.i386 1:2.2.3-53.el5.centos.3 set to be updated
--> Processing Dependency: httpd = 2.2.3-53.el5.centos.3 for package: mod_ssl
--> Processing Dependency: libdistcache.so.1 for package: mod_ssl
--> Processing Dependency: libnal.so.1 for package: mod_ssl
--> Running transaction check
---> Package distcache.i386 0:1.4.5-14.1 set to be updated
---> Package httpd.i386 0:2.2.3-53.el5.centos.3 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
mod_ssl i386 1:2.2.3-53.el5.centos.3 updates 93 k
Installing for dependencies:
distcache i386 1.4.5-14.1 base 119 k
Updating for dependencies:
httpd i386 2.2.3-53.el5.centos.3 updates 1.2 M

Transaction Summary
================================================================================
Install 2 Package(s)
Upgrade 1 Package(s)

Total download size: 1.4 M
Downloading Packages:
(1/3): mod_ssl-2.2.3-53.el5.centos.3.i386.rpm | 93 kB 00:03
(2/3): distcache-1.4.5-14.1.i386.rpm | 119 kB 00:05
(3/3): httpd-2.2.3-53.el5.centos.3.i386.rpm | 1.2 MB 00:53
--------------------------------------------------------------------------------
Total 23 kB/s | 1.4 MB 01:02
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID e8562897
updates/gpgkey | 1.5 kB 00:00
Importing GPG key 0xE8562897 "CentOS-5 Key (CentOS 5 Official Signing Key) <[email protected]>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : distcache 1/4
Updating : httpd 2/4
Installing : mod_ssl 3/4
Cleanup : httpd 4/4

Installed:
mod_ssl.i386 1:2.2.3-53.el5.centos.3

Dependency Installed:
distcache.i386 0:1.4.5-14.1

Dependency Updated:
httpd.i386 0:2.2.3-53.el5.centos.3

Complete!

2. Configure mod_ssl on the HTTP server

[1] Create the server private key

[[email protected] ~]# cd /etc/pki/tls/certs/ ← change to the directory where the HTTP server's certificates are kept

[[email protected] certs]# make server.key ← create the server private key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
................++++++
......++++++
e is 65537 (0x10001)
Enter pass phrase: ← enter a passphrase here
Verifying - Enter pass phrase: ← confirm by entering the passphrase again

[[email protected] certs]# openssl rsa -in server.key -out server.key ← strip the passphrase from the key (so httpd is not prompted for it when the system boots)

Enter pass phrase for server.key: ← enter the passphrase
writing RSA key

[2] Create the certificate signing request (CSR)

[[email protected] certs]# make server.csr ← create the certificate signing request

umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

-----
Country Name (2 letter code) [GB]:CN ← enter the country code
State or Province Name (full name) [Berkshire]:Fujian ← enter the province
Locality Name (eg, city) [Newbury]:Quanzhou ← enter the city
Organization Name (eg, company) [My Company Ltd]:www.51cto.com ← enter the organization name (anything)
Organizational Unit Name (eg, section) []: ← leave empty, just press Enter
Common Name (eg, your name or your server's hostname) []:www.51cto.com ← enter the common name (anything)
Email Address []:[email protected] ← enter an e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request

A challenge password []: ← leave empty, just press Enter
An optional company name []: ← leave empty, just press Enter

[3] Create the server certificate

[[email protected] certs]# openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365 ← create a self-signed server certificate valid for 365 days

Signature ok
subject=/C=CN/ST=Fujian/L=Quanzhou/O=www.51cto.com/CN=www.51cto.com/[email protected]
Getting Private key

[[email protected] certs]# chmod 400 server.* ← restrict permissions to 400 (owner read-only)

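Steps [1] to [3] above as a non-interactive script, added here as an example (not code from the original post), using current parameters instead of the post's: 2048-bit RSA, a SHA-256 signature, and the subject supplied with -subj so no prompts appear. It assumes only that the openssl command-line tool is installed; the subject values are the constructed ones typed in the post.

```shell
#!/bin/sh
# Added example, not from the original post: steps [1] to [3] above done
# non-interactively, with today's parameters (2048-bit RSA, SHA-256 signature,
# subject passed via -subj). Assumes the openssl CLI is installed.

# [1] Generate the server private key. The post creates it with a passphrase and
# then strips it; generating it without one gives the same unencrypted server.key.
gen_key() {   # $1 = output path
    umask 077
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# [2] Create the CSR with the subject the post typed at the prompts (constructed
# sample subject; no e-mail field). -subj replaces the interactive questions.
gen_csr() {   # $1 = key, $2 = CSR out, $3 = common name
    openssl req -new -utf8 -key "$1" -out "$2" \
        -subj "/C=CN/ST=Fujian/L=Quanzhou/O=$3/CN=$3"
}

# [3] Self-sign the CSR for 365 days (same as the post's openssl x509 -req -signkey),
# then lock the key and certificate down to owner read-only as the post does.
self_sign() { # $1 = CSR, $2 = key, $3 = certificate out
    openssl x509 -req -in "$1" -signkey "$2" -out "$3" -days 365 -sha256 2>/dev/null \
        && chmod 400 "$2" "$3"
}

# Check that the certificate really belongs to the key by comparing the public
# keys; a mismatch is the classic reason httpd refuses to start after a cert swap.
key_matches_cert() { # $1 = key, $2 = certificate; returns 0 on match
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Print the certificate's subject CN, to confirm the -subj value was applied.
cert_cn() {   # $1 = certificate
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Run all three steps into a directory; returns non-zero if any step fails.
make_all() {  # $1 = directory, $2 = common name
    gen_key "$1/server.key" &&
    gen_csr "$1/server.key" "$1/server.csr" "$2" &&
    self_sign "$1/server.csr" "$1/server.key" "$1/server.pem"
}
```

Call make_all <directory> <hostname> to produce server.key, server.csr and server.pem. Note that the ssl.conf edit in step [4] only uncomments DocumentRoot: the stock CentOS 5 ssl.conf points SSLCertificateFile at /etc/pki/tls/certs/localhost.crt and SSLCertificateKeyFile at /etc/pki/tls/private/localhost.key, so those two directives must also be pointed at the generated server.pem and server.key, or httpd keeps serving the default certificate.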

[4] Configure SSL

[[email protected] certs]# vi /etc/httpd/conf.d/ssl.conf ← edit the SSL configuration file

#DocumentRoot "/var/www/html" ← find this line and remove the leading "#"
 ↓
DocumentRoot "/var/www/html" ← it should now look like this

[5] Restart the HTTP service so SSL takes effect

[[email protected] certs]# /etc/rc.d/init.d/httpd restart ← restart the HTTP server

停止 httpd:               [確定]
啟動 httpd:              [確定]

3. Test SSL

Open a browser and enter "https://<server IP address>" or "https://<your domain>" in the address bar. If a window appears prompting you to install (accept) the server's security certificate (as shown in the screenshot below), the server now supports SSL.

Reposted from: https://blog.51cto.com/300second/717462