編輯“CentOS/讓服務(wù)器支持安全HTTP協(xié)議”

在我們通常用<nowiki>“http://”</nowiki>這樣的方式來訪問[[網(wǎng)站]]的時候，傳輸內(nèi)容是可能被別人截獲的，因為其內(nèi)容是通過明文傳輸，所以在傳遞一些隱私、以及密碼相關(guān)的信息時，就顯得非常的不安全。在一些比較正式的網(wǎng)站、以及一些銀行相關(guān)的網(wǎng)站中，一些需要提交隱私或者重要級別比較高的密碼時，都采用<nowiki>“https://”</nowiki>的方式，來將傳輸內(nèi)容加密，從而保證用戶安全和避免隱私的泄漏。

在這里，我們通過mod_ssl來使我們的[[服務(wù)器]]也支持HTTPS。

==安裝mod_ssl==
首先通過yum來在線安裝mod_ssl。
<pre>[root@sample html]# yum -y install mod_ssl　 ← 在線安裝mod_ssl

Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Reducing Dag RPM Repository for Red Hat Enterprise Linux to included packages only
Finished
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for mod_ssl to pack into transaction set.
mod_ssl-2.0.52-28.ent.cen 100% |=========================| 25 kB 00:00
---> Package mod_ssl.i386 1:2.0.52-28.ent.centos4 set to be updated
--> Running transaction check
--> Processing Dependency: libnal.so.1 for package: mod_ssl
--> Processing Dependency: libdistcache.so.1 for package: mod_ssl
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for distcache to pack into transaction set.
distcache-1.4.5-6.i386.rp 100% |=========================| 7.2 kB 00:00
---> Package distcache.i386 0:1.4.5-6 set to be updated
--> Running transaction check

Dependencies Resolved

=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
mod_ssl i386 1:2.0.52-28.ent.centos4 base 98 k
Installing for dependencies:
distcache i386 1.4.5-6 base 111 k

Transaction Summary
=============================================================================
Install 2 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 209 k
Downloading Packages:
(1/2): distcache-1.4.5-6. 100% |=========================| 111 kB 00:00
(2/2): mod_ssl-2.0.52-28. 100% |=========================| 98 kB 00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: distcache ######################### [1/2]
Installing: mod_ssl ######################### [2/2]

Installed: mod_ssl.i386 1:2.0.52-28.ent.centos4
Dependency Installed: distcache.i386 0:1.4.5-6
Complete!</pre>

==為HTTP服務(wù)器配置mod_ssl==
[1] 建立服務(wù)器密鑰
<pre>[root@sample conf]# cd /etc/httpd/conf　 ← 進入HTTP服務(wù)器配置文件所在目錄

[root@sample conf]# rm -f ssl.*/server.*　 ← 刪除默認(rèn)或殘留的服務(wù)器證書相關(guān)文件

[root@sample conf]# make genkey　 ← 建立服務(wù)器密鑰
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
................++++++
....................................................................++++++
e is 65537 (0x10001)
Enter pass phrase:　 ← 在這里輸入口令
Verifying - Enter pass phrase:　 ← 確認(rèn)口令，再次輸入

[root@sample conf]# openssl rsa -in ssl.key/server.key -out ssl.key/server.key　 
← 從密鑰中刪除密碼（以避免系統(tǒng)啟動后被詢問口令）

Enter pass phrase for ssl.key/server.key:　 ← 輸入口令
writing RSA key
</pre>

[2] 建立服務(wù)器公鑰
<pre>[root@sample conf]# make certreq　 ← 建立服務(wù)器密鑰

umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -out 
/etc/httpd/conf/ssl.csr/server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN　 ← 輸入國名
State or Province Name (full name) [Berkshire]:Heilongjiang　 ← 輸入省名
Locality Name (eg, city) [Newbury]:Harbin　 ← 輸入城市名
Organization Name (eg, company) [My Company Ltd]:www.centospub.com　 ← 輸入組織名（任意）
Organizational Unit Name (eg, section) []:　 ← 不輸入，直接回車
Common Name (eg, your name or your server's hostname) []:www.centospub.com　 ← 輸入通稱（任意）
Email Address []:yourname@yourserver.com 　
 ← 輸入電子郵箱地址 Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:　 ← 不輸入，直接回車
An optional company name []: 　 ← 不輸入，直接回車</pre>

[3] 建立服務(wù)器證書
<pre>[root@sample conf]# openssl x509 -in ssl.csr/server.csr -out ssl.crt/server.crt -req 
-signkey ssl.key/server.key -days 365　 ← 建立服務(wù)器證書

Signature ok
subject=/C=CN/ST=Heilongjiang/L=Harbin/O=
www.centospub.com/CN=www.centospub.com/emailAddress=yourname@yourserver.com
Getting Private key</pre>

[4] 設(shè)置[[SSL]]
<pre>[root@sample conf]# vi /etc/httpd/conf.d/ssl.conf　 ← 修改SSL的設(shè)置文件

#DocumentRoot "/var/www/html"　 ← 找到這一行，將行首的“#”去掉
　↓
DocumentRoot "/var/www/html"　 ← 變?yōu)榇藸顟B(tài)</pre>

[5] 重新啟動HTTP服務(wù)器，讓SSL生效
<pre>[root@sample conf]# /etc/rc.d/init.d/httpd restart 　← 重新啟動HTTP服務(wù)器 

Stopping httpd: 　　　　　　　　　　　　　 [ OK ]
Starting httpd:　　　　　　　　　　　　　　[ OK ]</pre>

[6] 設(shè)置[[防火墻]]允許SSL
<pre>[root@sample conf]# vi /etc/sysconfig/iptables 　 ← 編輯防火墻配置文件 

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT　 
← 找到這一行，接著添加如下行：
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT　 
← 開放443號端口，允許SSL

[root@sample conf]# /etc/rc.d/init.d/iptables restart 　 ← 重新啟動防火墻，使設(shè)置生效

Flushing firewall rules: 　　　　　　　　　　　[ OK ]
Setting chains to policy ACCEPT: filter　　　 [ OK ]
Unloading iptables modules:　　　　　　　　 [ OK ]
Applying iptables firewall rules:　　　　　　 [ OK ]</pre>

==測試SSL==
可以通過自用PC來測試SSL。打開[[瀏覽器]]，在地址欄輸入<nowiki>“https://服務(wù)器IP地址”</nowiki>或者<nowiki>“https://你的域名”</nowiki>后，如果出現(xiàn)提示安裝服務(wù)器證明書的窗口（圖樣如下），說明服務(wù)器已經(jīng)支持SSL。

[[Image:Sslcli.gif]]

這時，如果選擇“永遠(yuǎn)接受此證書”，然后點擊確定后，再次通過HTTPS協(xié)議訪問該站點，將不會再彈出此窗口提示安裝服務(wù)器證書。

==參考來源==
http://www.centospub.com/make/ssl.html

[[category:CentOS|R]]