Простая настройка SSL на Apache
July 1st, 2009
Генерим закрытый ключ и запрос на сертификат.
openssl genrsa –des3 –out mydomain.com.key 1024
openssl req -new -key mydomain.com.key -out mydomain.com.csr
openssl req -new -key mydomain.com.key -out mydomain.com.csr
Когда генерим CSR то не надо указывать e-mail, challenge password и дополнительные опции.
Если мы хотим подписать сертификат доверенным центром сертификации, то отправляем им mydomain.com.csr. Если же будем подписывать сами то:
openssl x509 -req -days 365 -in mydomain.com.csr -signkey mydomain.com.key -out mydomain.com.crt
И базовый ssl.conf для примера:
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# If you use secret phrase
SSLPassPhraseDialog exec:/usr/local/etc/apache2/certs/domain.com.pass
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
<VirtualHost 192.168.0.1:443>
<Directory /home/domain.com/htdocs>
Order Allow,Deny
Allow from all
</Directory>
DocumentRoot "/home/domain.com/htdocs"
ServerName secure.domain.com:443
ServerAdmin you@example.com
ErrorLog /home/logs/httpsd-error.log
TransferLog /home/logs/httpsd-access.log
SSLEngine on
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
SSLCertificateFile /usr/local/etc/apache2/certs/domain.com.crt
SSLCertificateKeyFile /usr/local/etc/apache2/certs/domain.com.key
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/home/domain.com/htdocs">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /home/logs/httpd-ssl_request.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
SSLRandomSeed connect file:/dev/urandom 512
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# If you use secret phrase
SSLPassPhraseDialog exec:/usr/local/etc/apache2/certs/domain.com.pass
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
<VirtualHost 192.168.0.1:443>
<Directory /home/domain.com/htdocs>
Order Allow,Deny
Allow from all
</Directory>
DocumentRoot "/home/domain.com/htdocs"
ServerName secure.domain.com:443
ServerAdmin you@example.com
ErrorLog /home/logs/httpsd-error.log
TransferLog /home/logs/httpsd-access.log
SSLEngine on
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
SSLCertificateFile /usr/local/etc/apache2/certs/domain.com.crt
SSLCertificateKeyFile /usr/local/etc/apache2/certs/domain.com.key
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/home/domain.com/htdocs">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /home/logs/httpd-ssl_request.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
