Adding SSL to Apache
  • 5,429 views,
  • 2013-10-21,
  • Uploaded by: Kuann Hung
 
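If you want your website to support SSL, you need to add SSL settings to the Apache configuration. An SSL certificate can be obtained by applying for one, or you can create it yourself.
The following covers a "self-generated" SSL certificate. (Decide on the passphrase you want to use first!)
First, generate the SSL keys and certificates (2048-bit):
# openssl genrsa -des3 -out ssl/ca.key 2048
# openssl req -config openssl.cnf -new -key ssl/ca.key -out ssl/ca.csr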
 
Enter pass phrase for ssl/ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:Your Company
Organizational Unit Name (eg, section) []:Your OU
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:admin@example.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:yourpassword
An optional company name []:
 
# openssl x509 -days 3650 -req -signkey ssl/ca.key -in ssl/ca.csr -out ssl/ca.crt
# openssl genrsa -out ssl/server.key 2048
# openssl req -config openssl.cnf -new -key ssl/server.key -out ssl/server.csr
 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:Your Company
Organizational Unit Name (eg, section) []:Your OU
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:admin@example.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:yourpassword
An optional company name []:
 
# openssl ca -config openssl.cnf -days 3650 -cert ssl/ca.crt -keyfile ssl/ca.key -in ssl/server.csr -out ssl/server.crt
# openssl x509 -req -days 3650 -in ssl/server.csr -signkey ssl/server.key -out ssl/server.cert
 
Remember to put all of the generated files under /etc/httpd/conf/.
Finally, in httpd.conf, add the following to the virtual host you want to use:
SSLEngine On
SSLCertificateFile conf/ssl/server.cert
SSLCertificateKeyFile conf/ssl/server.key
SSLCertificateChainFile conf/ssl/ca.crt
In addition, to improve security, disable SSLv2 and SSLv3 and keep only TLS.
First generate the Diffie-Hellman parameters:
openssl dhparam -out dhparam.pem 4096
Then add the following settings:
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
# for apache 2.4.x
# SSLOpenSSLConfCmd DHParameters dhparam.pem
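
A small audit of the SSLProtocol and SSLCipherSuite directives shown above, as an added example that is not part of the original post. The expansion of `All`, the sample vhost text (the page's SSLProtocol line plus an excerpt of its cipher list) and the function names are assumptions made for illustration.

```python
import re

# Assumed expansion of "All"; the real set depends on the Apache/OpenSSL build.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# TLS 1.0 and 1.1 were formally deprecated by RFC 8996.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the page's SSLProtocol line and an excerpt of its cipher list.
SAMPLE_VHOST = """\
SSLEngine On
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!RC4:!MD5
SSLHonorCipherOrder on
"""

def directive(conf, name):
    """Return the arguments of the last uncommented `name` directive, or None."""
    hits = re.findall(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", conf, re.M | re.I)
    return hits[-1] if hits else None

def enabled_protocols(spec):
    """Apply SSLProtocol tokens left to right: +X adds, -X removes, bare X replaces."""
    enabled = set()
    for tok in spec.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        members = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= members
        elif sign == "+":
            enabled |= members
        else:
            enabled = set(members)
    return enabled

def audit(conf):
    """List legacy protocols and weak cipher tokens that the vhost still enables."""
    findings = []
    protos = enabled_protocols(directive(conf, "SSLProtocol") or "All")
    for p in sorted(protos & LEGACY_PROTOCOLS):
        findings.append(f"protocol {p} still enabled")
    for s in (directive(conf, "SSLCipherSuite") or "").split(":"):
        if not s or s.startswith("!"):
            continue  # empty token or explicit exclusion
        if "DES-CBC3" in s:
            findings.append(f"cipher {s}: 3DES (64-bit block)")
        elif re.fullmatch(r"(AES|CAMELLIA)\d+-.*", s):
            findings.append(f"cipher {s}: static RSA key exchange, no forward secrecy")
    return findings
```

On the sample, `audit(SAMPLE_VHOST)` reports TLSv1 and TLSv1.1 as still enabled and flags the AES128-SHA and DES-CBC3-SHA entries.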
