
Blog address: https://blog.dnevnik.hr/dj0ml4


Apache and SSL on your desk

Here you go: to delight the broad masses, I've written a quick-and-dirty little tutorial on SSL.

The setting: Linux Fedora 2, Apache 2.
So, all the configuration files are in the directory

/etc/httpd

The standard conf is in

/etc/httpd/conf

and all the other confs (read: for php, ssl, etc.) are in

/etc/httpd/conf.d

We'll simulate the following situation:
you will issue yourself a certificate and try to connect to https://localhost
It's interesting to note that Apache 1 had no support for SSL virtual hosts while the new one does ... yay??? :)
Now ... first of all we have to issue ourselves a certificate, right??
So let's go :)

code:
[root@djomla][/etc/httpd/conf]pwd
/etc/httpd/conf

[root@djomla][/etc/httpd/conf]ls
httpd.conf httpd.conf.old magic ssl.crl ssl.csr
httpd.conf.bak httpd.conf.rpmsave Makefile ssl.crt ssl.key

[root@djomla][/etc/httpd/conf]make php-hr.crt
umask 77 ;
/usr/bin/openssl genrsa -des3 1024 > php-hr.key
Generating RSA private key, 1024 bit long modulus
.....................++++++
..............++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ;
/usr/bin/openssl req -new -key php-hr.key -x509 -days 365 -out php-hr.crt
Enter pass phrase for php-hr.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:
[root@djomla][/etc/httpd/conf]



Now a description of where we are ... we went into the directory /etc/httpd/conf
and issued the command "make php-hr.crt", i.e. to create a certificate, which will be called php-hr.crt and php-hr.key. So it consists of a public key and a private key.
When we typed make php-hr.crt
we can see that it's 1024-bit encryption (I guess :))
and it asks us for a password and a verification of the password.
After that it goes on to ask for "Country Name" and similar nonsense ... none of that matters much for now except the place where I wrote localhost ... at all the other prompts I just hit Enter :)
That is the hostname we are issuing it for, and I put localhost ...
Let's move on

code:
[root@djomla][/etc/httpd/conf]ls
httpd.conf httpd.conf.rpmsave php-hr.crt ssl.crt ssl.prm
httpd.conf.bak magic php-hr.key ssl.csr
httpd.conf.old Makefile ssl.crl ssl.key
[root@djomla][/etc/httpd/conf]

[root@djomla][/etc/httpd/conf]mv php-hr.crt ssl.crt/
[root@djomla][/etc/httpd/conf]mv php-hr.key ssl.key/
[root@djomla][/etc/httpd/conf]cd ssl.key/
[root@djomla][/etc/httpd/conf/ssl.key]mv php-hr.key php-hr.key.orig
[root@djomla][/etc/httpd/conf/ssl.key]openssl rsa -in php-hr.key.orig -out php-hr.key
Enter pass phrase for php-hr.key.orig:
writing RSA key
[root@djomla][/etc/httpd/conf/ssl.key]ls
php-hr.key
php-hr.key.orig
[root@djomla][/etc/httpd/conf/ssl.key]



So we got php-hr.key and php-hr.crt ... and moved them into the directories ssl.crt and ssl.key ... To avoid being asked for the password whenever we restart Apache, we went into the directory ssl.key
and first ran mv php-hr.key php-hr.key.orig
With the openssl command we removed the password from our key, so that when we restart Apache it no longer asks us for the password
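
Once the pass phrase is stripped, the key sits on disk unencrypted and only file permissions protect it; the `openssl rsa` step above runs outside the Makefile's `umask 77`, so the mode of the new file depends on the shell's umask and the OpenSSL version. The check below is an added example, not part of the original post; the function names are hypothetical and the demo file is a constructed placeholder, not a real key.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check an Apache private
# key file after its pass phrase has been removed.

# key_mode FILE -> octal permission bits (GNU stat first, BSD stat as fallback)
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_is_encrypted FILE -> exit 0 if the PEM file is pass-phrase protected
# (traditional "Proc-Type: 4,ENCRYPTED" header or PKCS#8 encrypted block)
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# key_file_issues FILE -> one finding per line; no output means the file is fine
key_file_issues() {
    [ -f "$1" ] || { echo "missing: $1"; return 0; }
    mode=$(key_mode "$1")
    case "$mode" in
        0|*00) ;;   # no group/other permission bits set
        *) echo "mode $mode: readable beyond the owner, expected 600 or 400" ;;
    esac
    if key_is_encrypted "$1"; then
        echo "encrypted: httpd will prompt for the pass phrase at startup"
    fi
    return 0
}

# Demo on a constructed placeholder file (not a real key).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/php-hr.key"
chmod 644 "$demo_dir/php-hr.key"
key_file_issues "$demo_dir/php-hr.key"    # reports the 644 mode
chmod 600 "$demo_dir/php-hr.key"
key_file_issues "$demo_dir/php-hr.key"    # prints nothing
rm -rf "$demo_dir"
```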

And with this we've solved most of it ... now we just have to edit the conf file :)
Shall we??

code:
[root@djomla][/etc/httpd/conf]cd ..
[root@djomla][/etc/httpd]cd conf.d/
[root@djomla][/etc/httpd/conf.d]pwd
/etc/httpd/conf.d



And we open ssl.conf with our favourite editor (mine is "vi")
The lines we need are:

#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
Listen 443

/* Listen on port 443 */

NameVirtualHost 192.168.68.1:443

/* Put the IP of our machine here */

DocumentRoot "/var/www/html"
ServerName localhost:443

/* Standard settings for the default DocumentRoot and server name */

SSLEngine on

SSLCertificateFile /etc/httpd/conf/ssl.crt/php-hr.crt

SSLCertificateKeyFile /etc/httpd/conf/ssl.key/php-hr.key

And that is basically everything
restart Apache

service httpd restart
And SSL works ...

Note (for those who want to know more): if you want several virtual SSL domains within the same file, we have to add the following:

code:
<VirtualHost 192.168.68.1:443>
ServerName localhost
DocumentRoot "/var/www/html"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/ssl.crt/php-hr.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/php-hr.key
</VirtualHost>




So we repeat our default settings as if they were a VirtualHost, and only then add the new virtual host below

code:
<VirtualHost 192.168.68.1:443>
ServerName mladen.nesto.hr
DocumentRoot "/home/mladen"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/ssl.crt/mladen.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mladen.key
</VirtualHost>
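
The SSLCipherSuite string used in both blocks starts from ALL and excludes only ADH and EXPORT56 with `!`; the trailing `+LOW:+SSLv2:+EXP` entries merely move those ciphers to the end of the preference list, so they stay enabled. The audit below is an added example, not part of the original post: it uses a simplified model of the OpenSSL cipher-list syntax, and its function names and sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Simplified model of the cipher
# list syntax: "!X" kills X for good, "+X" only reorders, "-X" is ignored
# (so results may over-report), and "ALL" enables every class tracked below.

# weak_classes STRING -> space-separated weak classes still enabled
weak_classes() {
    printf '%s\n' "$1" | awk -F: '
    function norm(c) {               # fold aliases onto the names we track
        if (c == "EXPORT") return "EXP"
        if (c == "aNULL")  return "ADH"
        return c
    }
    {
        n = split("LOW EXP SSLv2 RC4 MD5 ADH", weak, " ")
        for (i = 1; i <= NF; i++) {
            t = $i
            if (t ~ /^!/) { killed[norm(substr(t, 2))] = 1; continue }
            if (t ~ /^[+-]/) continue
            if (t == "ALL") all = 1
            m = split(t, part, "+")  # "RC4+RSA" means RC4 AND RSA
            for (j = 1; j <= m; j++) added[norm(part[j])] = 1
        }
        out = ""
        for (k = 1; k <= n; k++)
            if (!(weak[k] in killed) && (all || (weak[k] in added)))
                out = out (out == "" ? "" : " ") weak[k]
        print out
    }'
}

# audit_conf < CONFIG -> "line N: <classes>" for each risky SSLCipherSuite
audit_conf() {
    grep -n -i '^[[:space:]]*SSLCipherSuite[[:space:]]' |
    while IFS=: read -r lineno rest; do
        weak=$(weak_classes "$(printf '%s\n' "$rest" | awk '{print $2}')")
        if [ -n "$weak" ]; then echo "line $lineno: $weak"; fi
    done
}

# Constructed sample config: the post's cipher string next to a stricter one.
sample_conf() {
    cat <<'EOF'
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCipherSuite HIGH:!aNULL:!MD5
EOF
}
sample_conf | audit_conf
```

To check a real file, feed it on standard input, for example `audit_conf < /etc/httpd/conf.d/ssl.conf`.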





There you go ... :)

If anyone has questions ... feel free to scream :)

Post published on 20.12.2005 at 11:07.