[Install/Config] Apache2 & OpenSSL on Linux - A Quick Install Guide

| Date | Views |
|---|---|
| 06-02-21 21:49 | 5961 |

Short URL: http://www.phpschool.com/link/tipntech/44942
Link1: http://www.loblolly.net/%7Erddecker/helppages/install-apache2-mod_ssl.…
Installed today!! It was installed by following the install guide below.
I spent the whole day today looking for related install documents, and they were hard to find. This is a document I found with some difficulty. I hope it makes useful material.

Quick Install Guide
A reminder, not a tutorial, for Apache 2.0.xx with mod_perl, mod_ssl and OpenSSL. Assumes x86 processors running either Slackware or Red Hat.

This quick guide will remind/show how to set up Apache2 for a domain with a secure SSL web site and a regular web site. The cgi-bin for the SSL web site is separate from the common cgi-bin.

NOTE: My preference is to run Apache 2.0 in /usr/local/apache2 (this is the Apache default location). Slackware uses /var/lib/apache or /var/lib/httpd - use pkgtool to remove any existing version. Red Hat uses /etc/httpd -- sorry, I am a Slackware slack now.

1 - Download the new Apache source from http://www.apache.org/httpd.html and the mod_perl source code from http://perl.apache.org/download/index.html. Be sure to get the mod_perl for Apache 2.

2 - mv the Apache and mod_perl source files to /usr/src/apache (my preference, but they can be unpacked anywhere).

3 - Unpack the new Apache 2.0.XX and mod_perl (where XX is the version) with:
    tar zxvf httpd-2.0.XX.tar.gz
    tar zxvf mod_perl-XXXX.tar.gz
   (both assume the file ends in .tar.gz). Note that the latest version may be mod_perl-2.0-current.tar.gz but when unpacked gives mod_perl-1.99_XX or something like it.

4 - cd into the httpd-2.0.XX directory.

5 - Read the README and INSTALL files etc.

6 - Look through the module switches of the configure script to select the modules to be compiled into the new Apache (./configure --help lists them under "Optional Features"): --enable-<feature> enables a feature, --disable-<feature> disables it. Do not edit configure itself; the selections go on its command line (step 7). Note that there appears to be a bug/glitch in that not all modules are controlled from configure.
7 - Create a file named configthese to enable/disable the needed modules:
    cat configthese
    ./configure --prefix=/usr/local/apache2 \
      --enable-ssl \
      --enable-info \
      --enable-status \
      --enable-rewrite
   Caveat: --enable-ssl needs the OpenSSL headers and libraries to be present when configure runs. If you are going to build OpenSSL from source (steps 18-21), do that first and point configure at it with --with-ssl=/usr/local/ssl; otherwise mod_ssl is built against whatever OpenSSL your distribution installed.

8 - chmod 744 configthese to make it executable.

9 - Now to compile it:
    ./configthese
    make

10 - To install it, either
    cp httpd /usr/local/apache2/bin/httpd
   to replace the existing httpd (Slackware and Red Hat may have it in sbin instead of bin), or
    make install
   to install all Apache files and subdirectories -- this may replace an existing httpd.conf -- yikes!! Often there are changes in the httpd.conf file in new versions to reflect server changes/additions. If you have a previous version of Apache running, first stop it with
    /usr/local/apache2/bin/apachectl stop

11 - Edit apachectl in apache2/bin or apache2/sbin. You may need to edit it, but it should work as is:
    PIDFILE=where the pid file is
    HTTPD=where the httpd file is
    STATUSURL="http://localhost/server-status"   (should work ok as is)

12 - Now to compile and install mod_perl:
    cd /usr/src/apache/mod_perl-1.99_XX   ......or whatever the current version is
   Read the INSTALL and README files. The simple install should work ok:
    perl Makefile.PL MP_AP_PREFIX=/usr/local/apache2
    make && make test
    make install
   The install should copy mod_perl.so into /usr/local/apache2/modules. Check to make sure it is there. Now to edit the Apache configuration file.

13 - Edit your /usr/local/apache2/conf/httpd.conf file to check the following:
    ServerRoot "/usr/local/apache2"                (or wherever)
    PidFile /usr/local/apache2/logs/httpd.pid      (should be the same as PIDFILE in step 11)
    ServerAdmin who@domain                         (maybe correct/usable as installed)
    ServerName new.host.name:80                    (replace with either your IP or domain name)
    DocumentRoot "/usr/local/apache2/htdocs"
    UserDir public_html                            (public_html is the default; just make sure each user has one)
   Remove the # from in front of the example "Control access to UserDir directories" block; the shipped example is the read-only variant, which is what you want for user-owned directories.
   It should follow the UserDir public_html section.
    DirectoryIndex index.html index.htm index.html.var index.shtml default.html default.htm
   DirectoryIndex is the starting page name and the search order (index.html is the default).
   For CGI, uncomment and edit:
    AddHandler cgi-script .cgi
   For server-side includes, uncomment and edit:
    AddType text/html .shtml .htm .html
    AddHandler server-parsed .shtml .htm .html
   Also, for server-side includes to work you will need either Options Includes or Options IncludesNoExec within the <Directory> ... </Directory> sections. IncludesNoExec is the safer choice: it allows includes but disables the #exec element, which would run arbitrary commands as the server user.
   Under the Dynamic Shared Object (DSO) Support section, make sure the following two lines are there, otherwise your mod_perl might not be loaded into Apache:
    # now to load the perl module
    LoadModule perl_module modules/mod_perl.so
   Uncomment the <Location /server-status> section and edit the Allow from .your_domain.com line with one or more IPs or domain names. Let these and only these be able to reach http://servername-or-IP/server-status: all of this info would be useful to a cracker/hacker attacking your Apache server. You can use either the 192.168.1 or the 192.168.1.0/24 notation for IPs (IP ranges are preferable to host names, since name matching depends on reverse DNS lookups). Keep the Order deny,allow and Deny from all lines of that section; the Allow from line is only an exception to that default deny. Uncomment the ExtendedStatus On line -- but do be sure you have restricted the Allow from in the <Location /server-status> section first.
   Uncomment the <Location /server-info> section and edit its Allow from .your_domain.com line the same way, so that these and only these can reach http://servername-or-IP/server-info. This info, too, would be useful to a cracker/hacker attacking your Apache server.
   Uncomment or add a NameVirtualHost line with the server's IP, and add any <VirtualHost> sections.

14 - Edit the startup files as needed.
   Slackware: /etc/rc.d/rc.httpd. Red Hat: /etc/rc.d/init.d/httpd.org

15 - Start it up, either using the startup file or by cd'ing to the apache2/bin directory and running
    ./apachectl start      (without mod_ssl support)
    ./apachectl startssl   (with mod_ssl support)
   The SSL support is not yet complete, as we have not yet installed an SSL certificate. Note that you may need to vi apachectl to edit PIDFILE and HTTPD to where they really are.

16 - Watch for errors, then use a web browser on a PC to try it out: try a virtual host domain and a user's directory.
    http://xx.yy.zz.aa/server-info    (where xx.yy.zz.aa is an IP your Apache server responds to) tells you what modules your Apache has loaded.
    http://xx.yy.zz.aa/server-status  for server status info.
   Try both URLs from an address that is not in your Allow from list as well; they should come back 403 Forbidden from there.

17 - Run apachectl graceful after any changes to the httpd.conf file.

Now for the SSL part...

18 - Download a current copy of OpenSSL from http://www.openssl.org/source/. You may see openssl and openssl-engine; download the current version of openssl. It does not matter where it is on your server, but I prefer /usr/src/.

19 - Unpack openssl (where xx is the version) with:
    tar zxvf openssl-0.9.xx.tar.gz

20 - Change into the new directory (cd openssl-0.9.xx) and read the INSTALL and README files.

21 - Go with the defaults and just do the following:
    ./config
    make
    make test
    make install
   This should compile it and install it in /usr/local/ssl. Note that the make and make test may take 5 minutes or so to compile and test.

Making an SSL key, CSR and self-signed cert for Apache.

22 - Change to the /usr/local/ssl directory and make sure its bin directory (where the openssl binary lives) is in your path:
    cd /usr/local/ssl
    echo $PATH                       (to see whether /usr/local/ssl/bin is already in your path)
    PATH=$PATH:/usr/local/ssl/bin
    echo $PATH                       (and you should now see it)

23 - Now to generate an SSL cert. For several years I could not figure this out, but with the help of Linux Server Hacks by Rob Flickenger from O'Reilly (hacks.oreilly.com) I was finally able to hack it.
   Piece of pie!
   Tip! It seems to work best if you use your actual domain name for the file names in Steps 1-3 and for the Common Name in Step 2. Internet Explorer will ask for your OK each session it encounters the certificate if you do not use the actual domain name. (Any browser will still warn about a self-signed certificate; matching the name only removes the host-name mismatch warning.)
   Step 1
    openssl genrsa -des3 1024 > www.domainname.com.key
   generates an SSL key with password protection. You will be asked to enter a new password for this. You will need to remember it to generate the certificate (crt) in Step 3 and when starting Apache2 with mod_ssl. Caveat: 1024-bit RSA was the norm when this guide was written; 2048 bits is the minimum browsers and CAs accept today, so use 2048 for anything beyond a test box, and keep the .key file readable by root only.
   Step 2
    openssl req -new -key www.domainname.com.key > www.domainname.com.csr
   generates the Certificate Signing Request. You will be asked for the following:
    Country Name (2 letter code) = US
    State or Province Name = Texas
    Locality Name = Houston
    Organization Name = MegaDomane, Inc.
    Organizational Unit Name = Our Secure Web Site
    Common Name = www.domainname.com
    Email Address = admin@domainname.com
   The default answers for these can be set in openssl.cnf. Just look for the lines with _default and change them.
   Step 3
    openssl req -x509 -days 90 -key www.domainname.com.key \
      -in www.domainname.com.csr > www.domainname.com.crt
   You will be asked for the pass phrase that you entered in Step 1. Do an ls -l www* to see your new certificate files.

24 - Now to copy your new self-signed SSL certificate file (crt) and key to the Apache2 directory tree:
    cp www.domainname.com.crt /usr/local/apache2/conf/ssl.crt/www.domainname.com.crt
    cp www.domainname.com.key /usr/local/apache2/conf/ssl.key/www.domainname.com.key
   You may first need to:
    mkdir /usr/local/apache2/conf/ssl.crt
    mkdir /usr/local/apache2/conf/ssl.key
   Then chmod 600 the copied .key file so that only root can read it.

Back to Apache2 configuration:

25 - cd /usr/local/apache2/conf to change back to the Apache2 configuration directory.

26 - Now to edit the ssl.conf file. Tigers and lions and bears, oh my!
   The following should be enabled/uncommented and edited in conf/ssl.conf:
    NameVirtualHost ww.xx.yy.zz:443    # where ww.xx.yy.zz is the IP and 443 is the port for SSL
    <VirtualHost ww.xx.yy.zz:443>
        ServerName www.domainname.com:443
        ServerAlias domainname.com
        DocumentRoot "/home/joeuser/public_html/webssl"
        ScriptAlias /cgi-bin "/home/joeuser/cgi-bin"
        ServerAdmin adminjoe@domainname.com
        ErrorLog logs/error_log
        TransferLog logs/access_log
        SSLEngine on
        SSLCertificateFile /usr/local/apache2/conf/ssl.crt/www.domainname.com.crt
        SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/www.domainname.com.key
        <Directory "/home/joeuser/public_html/webssl">
            SSLRequireSSL
        </Directory>
        <Directory "/home/joeuser/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
   Notes: the second certificate directive is SSLCertificateKeyFile, not a second SSLCertificateFile; with no key file named, mod_ssl fails at startup because it cannot find a private key. NameVirtualHost is a directive, not a <...> section, and ServerAlias takes host names without a port. SSLRequireSSL on the document root makes sure that content cannot be served over plain HTTP even if the same directory is also reachable from the port-80 site. The ssl.conf shipped with Apache 2.0 still allows SSLv2; add SSLProtocol all -SSLv2 -SSLv3 to the virtual host.

27 - Now back to the conf/httpd.conf file. To get a separate normal (non-SSL) web site, you will need the following lines in httpd.conf:
    NameVirtualHost ww.xx.yy.zz:80    # where ww.xx.yy.zz is the IP and 80 is the port number
    <VirtualHost ww.xx.yy.zz:80>
        ServerName www.domainname.com
        ServerAlias www.domainname.net www.domainname.info
        DocumentRoot /home/joeuser/public_html
    </VirtualHost>

to be continued

Last modified on Tuesday, 17-Jun-2003 13:08:22 CDT rddecker@lanranger.net
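The key / CSR / self-signed certificate sequence of step 23, done non-interactively, together with the checks worth running before the files are copied into conf/ssl.key and conf/ssl.crt in step 24. This is an added example and not part of the guide above or its author's own commands. It assumes the openssl binary is on PATH; it uses a 2048-bit key instead of the guide's 1024 bits and no passphrase (so Apache can be restarted unattended, which is why the key is written with mode 0600); the subject fields and a subjectAltName come from a generated openssl.cnf instead of the prompts (the "_default" lines the guide mentions are replaced by prompt = no); and the self-signed certificate in step 3 is produced from the key and config directly rather than from the CSR, which keeps the command the same across OpenSSL versions. www.example.com and the Texas address are placeholders.

```sh
#!/bin/sh
# Added example: steps 1-3 of the guide (key, CSR, self-signed cert) without
# prompts, plus sanity checks. Assumes: openssl on PATH, 2048-bit RSA, no key
# passphrase, placeholder domain www.example.com.
set -eu

# Minimal openssl.cnf for one host, so that "openssl req" needs no prompting.
# Replaces editing the _default lines in the system openssl.cnf.
write_req_config() {
    domain="$1"; out="$2"
    cat >"$out" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
x509_extensions = v3_req
[ dn ]
C = US
ST = Texas
L = Houston
O = Example Inc
OU = Web
CN = $domain
[ v3_req ]
subjectAltName = DNS:$domain
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Steps 1-3: key, CSR and a self-signed certificate valid for $days days.
make_self_signed() {
    domain="$1"; dir="$2"; days="${3:-90}"
    key="$dir/$domain.key"; csr="$dir/$domain.csr"; crt="$dir/$domain.crt"
    cfg="$dir/$domain.cnf"
    write_req_config "$domain" "$cfg"
    # Step 1: private key, created 0600 via umask so it is never world-readable
    ( umask 077; openssl genrsa -out "$key" 2048 2>/dev/null )
    # Step 2: CSR (what you would send to a CA instead of self-signing)
    openssl req -new -config "$cfg" -key "$key" -out "$csr"
    # Step 3: self-signed cert; x509_extensions in the config adds the SAN
    openssl req -x509 -new -config "$cfg" -key "$key" -days "$days" -out "$crt"
}

# Check: the certificate's public key belongs to this private key (args: key crt)
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1")
    cmod=$(openssl x509 -noout -modulus -in "$2")
    [ "$kmod" = "$cmod" ]
}

# Check: the Common Name a browser compares against the host name (arg: crt)
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Check: a subjectAltName for the domain is present; modern browsers ignore CN
# (args: domain crt)
cert_has_san() {
    openssl x509 -noout -text -in "$2" | grep -q "DNS:$1"
}

# Check: certificate has not expired (arg: crt)
cert_valid_now() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null
}

# Check: key file is readable by its owner only (arg: key)
key_mode_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Run with "run" as the first argument to generate a set and print the checks.
if [ "${1:-}" = "run" ]; then
    dir=$(mktemp -d)
    make_self_signed www.example.com "$dir" 90
    key_matches_cert "$dir/www.example.com.key" "$dir/www.example.com.crt" && echo "key and cert match"
    echo "CN: $(cert_cn "$dir/www.example.com.crt")"
    ls -l "$dir"
fi
```

The modulus comparison is the check that catches the guide's copy step going wrong (a cert copied next to the wrong key): mod_ssl refuses to start when the pair does not match, and this tells you before the restart. If you do want a passphrase on the key as in the guide, add -des3 to the genrsa line and expect apachectl startssl to prompt for it at every start.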
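An audit of the two configuration mistakes this guide touches on: the ssl.conf fragment of step 26 needs exactly one SSLCertificateFile and one SSLCertificateKeyFile in each SSL virtual host (as printed on the page it had SSLCertificateFile twice and no key file), and the <Location /server-status> and <Location /server-info> sections of step 13 must keep their Deny from all and must not Allow from all. This is an added example, not a tool from the guide or its author. It assumes Apache 2.0/2.2 Order/Deny/Allow access-control syntax (Apache 2.4's Require is not handled), and the two sample config files it writes are constructed for the demonstration, with 192.0.2.10 and www.example.com as placeholders.

```sh
#!/bin/sh
# Added example: audit an Apache 2.0-style config for (1) SSL virtual hosts
# lacking an SSLCertificateKeyFile and (2) server-status/server-info sections
# that are open to everyone. Assumes Order/Deny/Allow syntax; sample configs
# below are constructed.
set -eu

# Prints one line per finding; the exit status is the number of findings (0 = clean).
audit_httpd_conf() {
    awk '
    function flush_vhost() {
        if (in_vh && ssl_on && (certs != 1 || keys != 1)) {
            printf "ssl-vhost-bad-cert-config: %s (SSLCertificateFile=%d, SSLCertificateKeyFile=%d)\n", vh, certs, keys
            bad++
        }
        in_vh = 0
    }
    function flush_loc() {
        if (in_loc && (allow_all || !deny_all)) {
            printf "status-page-exposed: %s\n", loc
            bad++
        }
        in_loc = 0
    }
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*<VirtualHost[[:space:]]/ {
        flush_vhost(); in_vh = 1; vh = $2; sub(/>$/, "", vh)
        ssl_on = 0; certs = 0; keys = 0; next
    }
    /^[[:space:]]*<\/VirtualHost>/ { flush_vhost(); next }
    in_vh && /^[[:space:]]*SSLEngine[[:space:]]+[Oo][Nn]/ { ssl_on = 1 }
    in_vh && /^[[:space:]]*SSLCertificateFile[[:space:]]/ { certs++ }
    in_vh && /^[[:space:]]*SSLCertificateKeyFile[[:space:]]/ { keys++ }
    /^[[:space:]]*<Location[[:space:]]+\/server-(status|info)>/ {
        flush_loc(); in_loc = 1; loc = $2; sub(/>$/, "", loc)
        deny_all = 0; allow_all = 0; next
    }
    /^[[:space:]]*<\/Location>/ { flush_loc(); next }
    in_loc && /^[[:space:]]*Deny[[:space:]]+from[[:space:]]+[Aa]ll[[:space:]]*$/ { deny_all = 1 }
    in_loc && /^[[:space:]]*Allow[[:space:]]+from[[:space:]]+[Aa]ll[[:space:]]*$/ { allow_all = 1 }
    END { flush_vhost(); flush_loc(); exit bad + 0 }
    ' "$1"
}

# Constructed sample 1: the ssl.conf fragment as printed in the guide (key
# directive mistyped as a second SSLCertificateFile) plus an open status page.
write_bad_conf() {
    cat >"$1" <<'EOF'
NameVirtualHost 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com:443
    DocumentRoot "/home/joeuser/public_html/webssl"
    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/ssl.crt/www.example.com.crt
    SSLCertificateFile /usr/local/apache2/conf/ssl.key/www.example.com.key
</VirtualHost>
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Allow from all
</Location>
EOF
}

# Constructed sample 2: the same fragment corrected, with a plain port-80 host.
write_good_conf() {
    cat >"$1" <<'EOF'
NameVirtualHost 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com:443
    DocumentRoot "/home/joeuser/public_html/webssl"
    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/ssl.crt/www.example.com.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/www.example.com.key
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    DocumentRoot /home/joeuser/public_html
</VirtualHost>
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Location>
<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Location>
EOF
}

# Run with "run" as the first argument to audit both samples.
if [ "${1:-}" = "run" ]; then
    tmp=$(mktemp -d)
    write_bad_conf "$tmp/bad.conf"; write_good_conf "$tmp/good.conf"
    echo "== bad.conf";  audit_httpd_conf "$tmp/bad.conf"  || echo "findings: $?"
    echo "== good.conf"; audit_httpd_conf "$tmp/good.conf" && echo "clean"
fi
```

Point it at the real files (audit_httpd_conf /usr/local/apache2/conf/ssl.conf, then httpd.conf) before apachectl graceful; a non-zero exit is the list of things to fix, and the server-status finding is exactly the exposure the guide warns about, since the default for a Location with no Deny from all is to allow everyone.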


