2011-11-02

Installing Apache + SSL on Windows


Configuring Apache


1. Install the OpenSSL build of Apache

2. httpd.conf: enable the SSL module and include the SSL configuration
  LoadModule ssl_module modules/mod_ssl.so
  Include conf/extra/httpd-ssl.conf

3. conf\extra\httpd-ssl.conf

  SSLMutex none <-- not sure what this does; I kept SSLMutex default

  Check the values of the following settings:
  <VirtualHost _default_:443>
  # General setup for the virtual host
  DocumentRoot "D:/Apache2.2/htdocs"
  ServerName Your.server.com.tw:443
  ServerAdmin YourName@email.com
  ErrorLog "D:/Apache2.2/logs/error_log"
  TransferLog "D:/Apache2.2/logs/access_log"

  SSLCertificateFile "D:/Apache2.2/conf/ssl/server.crt"
  SSLCertificateKeyFile "D:/Apache2.2/conf/ssl/server.key"

  If you do not need client certificate authentication, the following can be left commented out:
  #SSLVerifyClient require
  #SSLVerifyDepth 10

  If you are using a self-signed certificate, the following can be left commented out:
  #SSLCertificateChainFile "D:/Apache2.2/conf/server-ca.crt"
  #SSLCACertificatePath "D:/Apache2.2/conf/ssl.crt"
  #SSLCACertificateFile "D:/Apache2.2/conf/ssl.crt/ca-bundle.crt"
  #SSLCARevocationPath "D:/Apache2.2/conf/ssl.crl"
  #SSLCARevocationFile "D:/Apache2.2/conf/ssl.crl/ca-bundle.crl"

5. Preparation for generating the keys SSL needs

  In D:/Apache2.2/conf/openssl.cnf, check:

  [ CA_default ]
  dir= ./ssl

  This path is relative to D:/Apache2.2/bin/ (i.e. D:/Apache2.2/bin/ssl)


Generating a self-signed certificate


1. Create an empty file index.txt under D:/Apache2.2/bin/ssl

2. Create a file named serial (no extension) under D:/Apache2.2/bin/ssl, containing just 01

3. Create a directory newcerts under D:/Apache2.2/bin/ssl

4. Generate the SSL keys

  Run D:/Apache2.2/bin/openssl.exe
  Enter the commands below (you will be prompted for some fields; the fields in the server request must match those of the CA)

  a. Generate the CA root certificate
    openssl> genrsa -des3 -out ssl/ca.key 1024
    openssl> req -config openssl.cnf -new -key ssl/ca.key -out ssl/ca.csr
    openssl> x509 -days 3650 -req -signkey ssl/ca.key -in ssl/ca.csr -out ssl/ca.crt

  b. Generate the certificate for Apache to use
    openssl> genrsa -out ssl/server.key 1024
    openssl> req -config openssl.cnf -new -key ssl/server.key -out ssl/server.csr
    openssl> ca -config openssl.cnf -days 3650 -cert ssl/ca.crt -keyfile ssl/ca.key -in ssl/server.csr -out ssl/server.crt

  Check that D:/Apache2.2/bin/ssl now contains 11 files and one directory
  Copy server.crt and server.key to ./conf/ssl

5. Restart the Apache service; the site can now be opened with https://


Forcing https:// site-wide


To force https:// for the whole site, set the following in httpd.conf:

  a. Enable mod_rewrite
    LoadModule rewrite_module modules/mod_rewrite.so
  b. Add in a suitable place:
    <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteCond %{SERVER_PORT} !^443$
      RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
    </IfModule>
    I added it after <IfModule dir_module>


In practice (when applying for a publicly trusted certificate):


 1. openssl> genrsa -out ssl/RSAPrivateKey.key 2048
    When first generating the private key for Apache, do not add the -des3 option.
    The Windows build of Apache does not accept an encrypted private key; it fails with:
    [error] Init: SSLPassPhraseDialog builtin is not supported on Win32.
    If you did add the encryption option when generating the private key, it does not matter:
    you can convert it to an unencrypted key with: openssl rsa -in Encrypted.key -out Decrypted.key
    See the note at the end of this post.

 2. req -config ../conf/openssl.cnf -new -key ssl/RSAPrivateKey.key -out ssl/Request.csr
    At the Common Name (eg, YOUR name) []: prompt in this step, enter the site's hostname, not your own name.
    This is what determines which hostname the certificate is valid for.

 3. conf\extra\httpd-ssl.conf

    Put the CA's root certificate here:
    #SSLCACertificateFile "D:/WebService/Apache/conf/ssl/verisign.crt"


Note:


TN 5634 - Why do I receive [error] Init: SSLPassPhraseDialog builtin is not supported on Win32?

Applicable to: Windows 2000, 2003, XP running Apache win32

Problem:

Upon Apache startup with SSL, the log shows the following error:

[error] Init: SSLPassPhraseDialog builtin is not supported on Win32.

The SSLPassPhraseDialog is a directive within the Apache httpd.conf or ssl.conf that is not supported by Windows.

Resolution:

Remove the encryption from the RSA private key (while preserving the original file).
Comment out SSLPassPhraseDialog in the appropriate Apache conf file with a # in front of the directive.

1. Make a copy of the private key and call it "server.key.org"
2. Use the OpenSSL command to remove the passphrase, such as:

openssl rsa -in server.key.org -out server.key
server.key will be your new private key with the passphrase removed.

3. Move this new key to the same path as where your original was kept. Verify that the directive called "SSLCertificateKeyFile" in your apache config file points to the new private key.
4. Find the directive "SSLPassPhraseDialog" and put a # in front to comment out the line.

You will now be able to startup Apache with SSL on Windows.
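As an added example (not from the original post, the technical note, or the Apache project), here is a small Python pre-flight check covering both step 1 of the "In practice" section and the note's resolution: it reads the SSLCertificateKeyFile path out of httpd-ssl.conf, reports a passphrase-protected key, and flags an uncommented SSLPassPhraseDialog before Apache is restarted. The key and configuration contents are constructed samples, and a dictionary stands in for the disk.

```python
import re

# Constructed sample: a legacy-PEM RSA key produced with "genrsa -des3", i.e.
# passphrase-protected. Only the headers matter here; the body is a placeholder.
ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

(base64 key material omitted in this constructed sample)
-----END RSA PRIVATE KEY-----
"""
# Constructed sample: the same key after "openssl rsa -in server.key.org -out server.key".
PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
(base64 key material omitted in this constructed sample)
-----END RSA PRIVATE KEY-----
"""
# Constructed sample of the relevant httpd-ssl.conf lines, with both problems present.
SAMPLE_CONF = """SSLPassPhraseDialog builtin
<VirtualHost _default_:443>
SSLCertificateKeyFile "D:/Apache2.2/conf/ssl/server.key"
</VirtualHost>
"""
SAMPLE_FILES = {"D:/Apache2.2/conf/ssl/server.key": ENCRYPTED_KEY}  # stands in for the disk


def key_is_encrypted(pem):
    """True if Apache would need a passphrase to load this PEM key: either the
    legacy OpenSSL form with a 'Proc-Type: 4,ENCRYPTED' header after the BEGIN
    line, or the PKCS#8 form labelled 'BEGIN ENCRYPTED PRIVATE KEY'."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem:
        return True
    return re.search(r"^Proc-Type:\s*4,\s*ENCRYPTED\s*$", pem, re.M) is not None


def preflight(conf_text, read_file):
    """Return the problems that would stop Apache on Windows from starting with SSL.
    conf_text is httpd-ssl.conf's content; read_file(path) returns a file's text.
    Directives commented out with a leading '#' are ignored, as Apache ignores them."""
    problems = []
    if re.search(r"^\s*SSLPassPhraseDialog\b", conf_text, re.M):
        problems.append("SSLPassPhraseDialog is active; comment it out with '#'")
    for m in re.finditer(r'^\s*SSLCertificateKeyFile\s+"?([^"\s]+)"?', conf_text, re.M):
        path = m.group(1)
        if key_is_encrypted(read_file(path)):
            problems.append(path + ": key is passphrase-protected; strip it with "
                            "'openssl rsa -in <key> -out <key>'")
    return problems


if __name__ == "__main__":
    for problem in preflight(SAMPLE_CONF, SAMPLE_FILES.__getitem__):
        print("PROBLEM:", problem)
```

Run against a real installation by replacing SAMPLE_CONF with the file's contents and SAMPLE_FILES.__getitem__ with a function that opens the path and returns its text.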



  • Original source:
    http://blog.roodo.com/myroodo/archives/4219557.html
  • References:
    http://blog.ericsk.org/archives/215
    http://www.pczone.com.tw/vbb3/thread/47/96241/
