Study materials (~2017)

Creating a certificate and configuring HTTPS (SSL) on apache2

단세포소년 2014. 2. 5. 14:39

1. Create the certificate


sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
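The command above prompts interactively for the subject fields and assumes /etc/apache2/ssl already exists. The following is an added example (not from the original post) that wraps the same openssl invocation in a non-interactive function, creates the output directory, keeps the unencrypted key owner-only (-nodes leaves it unprotected, and Apache must still be able to read it at startup), and adds the checks worth running before pointing Apache at the files: that the certificate really belongs to the key, that it is still valid, and what subject it carries. The directory, lifetime and CN are parameters; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own commands. Parameters replace the post's
# fixed paths (/etc/apache2/ssl) and the interactive subject prompts.
set -eu

# make_selfsigned_cert OUTDIR DAYS CN
# Creates OUTDIR/apache.key and OUTDIR/apache.crt exactly as the post's
# openssl command does, but non-interactively (-subj) and with the key
# written under umask 077 so it ends up mode 0600. The certificate is public
# and is made world-readable.
make_selfsigned_cert() {
    outdir=$1; days=$2; cn=$3
    mkdir -p "$outdir"
    ( umask 077 && openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
          -subj "/CN=$cn" \
          -keyout "$outdir/apache.key" -out "$outdir/apache.crt" 2>/dev/null )
    chmod 644 "$outdir/apache.crt"
}

# cert_matches_key CRT KEY
# Returns 0 when the public key embedded in CRT is the one derived from KEY.
# Comparing the PEM public keys works for RSA and EC keys alike, so a
# mismatched SSLCertificateFile/SSLCertificateKeyFile pair is caught before
# Apache refuses to start.
cert_matches_key() {
    crt_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2")
    [ "$crt_pub" = "$key_pub" ]
}

# cert_valid_for CRT SECONDS
# Returns 0 when CRT will still be valid SECONDS from now (openssl -checkend).
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# cert_subject CRT
# Prints the subject line, e.g. "subject=CN = www.example.test".
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}

# Stand-alone usage mirroring the post (run as root for /etc/apache2/ssl):
#   make_selfsigned_cert /etc/apache2/ssl 365 www.example.test
#   cert_matches_key /etc/apache2/ssl/apache.crt /etc/apache2/ssl/apache.key
#   cert_valid_for /etc/apache2/ssl/apache.crt 86400 && cert_subject /etc/apache2/ssl/apache.crt
```

A self-signed certificate created this way is accepted only by clients that have been told to trust it; browsers will warn on the first visit, which is expected for a test setup like the one in the post.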



2. Configure apache

Add the lines shown in bold below (SSLEngine and the two certificate directives) to the Apache virtual host configuration and the site is served over HTTPS. The default HTTPS port is 443.


vi /etc/apache2/sites-available/https.conf


<VirtualHost *:443>
        ServerAdmin webmaster@localhost

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>








A configuration for port 443 already exists by default in /etc/apache2/sites-available/default-ssl. If you configure port 443 separately as above, you must disable the default-ssl configuration with the command

sudo a2dissite default-ssl





3. Enable the ssl module



sudo a2enmod ssl


sudo service apache2 restart







4. Enable https.conf



sudo a2ensite https.conf
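Steps 2 to 4 above write a vhost file by hand, enable mod_ssl, disable default-ssl and enable the new site. The following is an added example (not from the original post) that does the same in order, with two things the post leaves implicit: a check that the paths the vhost references exist and that the private key is not readable by group or other, and an apache2ctl configtest before the running server is reloaded. The vhost it writes is a reduced version of the post's file (TLS directives, document root and logs only; the Directory and cgi-bin blocks are left out), the helper function names are assumptions, and enable_https_site assumes the Debian/Ubuntu a2enmod/a2ensite scripts the post itself uses.

```shell
#!/bin/sh
# Added example, not the post's own commands. Mirrors steps 2-4 of the post
# with a pre-flight check on the vhost file.
set -eu

# write_https_vhost OUTFILE CRT KEY DOCROOT
# Writes a minimal port-443 virtual host using the certificate and key from
# step 1. ${APACHE_LOG_DIR} is left unexpanded for Apache to resolve.
write_https_vhost() {
    out=$1; crt=$2; key=$3; docroot=$4
    cat > "$out" <<EOF
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    SSLEngine on
    SSLCertificateFile $crt
    SSLCertificateKeyFile $key
    DocumentRoot $docroot
    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/ssl_access.log combined
</VirtualHost>
EOF
}

# check_https_vhost CONF
# Returns 0 when CONF turns SSL on, every SSLCertificateFile /
# SSLCertificateKeyFile path it names is readable, and the key's mode has no
# group/other bits (e.g. 600 or 400). Prints each problem found otherwise.
check_https_vhost() {
    conf=$1; rc=0
    grep -q '^[[:space:]]*SSLEngine[[:space:]]\{1,\}on' "$conf" \
        || { echo "SSLEngine on missing in $conf"; rc=1; }
    for f in $(awk '/^[[:space:]]*SSLCertificate(Key)?File/ {print $2}' "$conf"); do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; rc=1; }
    done
    key=$(awk '/^[[:space:]]*SSLCertificateKeyFile/ {print $2}' "$conf")
    if [ -n "$key" ] && [ -e "$key" ]; then
        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
        case "$mode" in
            *00) ;;   # group and other bits clear
            *) echo "key $key has mode $mode (readable by group/other)"; rc=1 ;;
        esac
    fi
    return $rc
}

# enable_https_site SITENAME
# Steps 3, 2 (a2dissite) and 4 of the post in one place, followed by a syntax
# check and a reload. Needs root and the apache2 helper scripts.
enable_https_site() {
    site=$1
    a2enmod ssl
    a2dissite default-ssl || true   # the stock 443 vhost the post says to disable
    a2ensite "$site"
    apache2ctl configtest            # refuse to reload a broken configuration
    service apache2 reload
}

# Stand-alone usage mirroring the post (run as root):
#   write_https_vhost /etc/apache2/sites-available/https.conf \
#       /etc/apache2/ssl/apache.crt /etc/apache2/ssl/apache.key /var/www
#   check_https_vhost /etc/apache2/sites-available/https.conf && enable_https_site https.conf
```

The mode check matters because the post's openssl command is run with sudo and writes the key with whatever umask root has; a world-readable private key lets any local user impersonate the server. The configtest before reload keeps a typo in the vhost from taking the running site down.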







5. Notes



By default, installing apache places an HTTPS configuration for port 443 in the file /etc/apache2/sites-available/default-ssl.


sudo a2enmod ssl 

sudo service apache2 restart


Enable the ssl module with the commands above, and then



sudo a2ensite default-ssl 


enable the default-ssl configuration with the command above; that alone is enough for HTTPS connections to work.





Below is the content of /etc/apache2/sites-available/default-ssl.


<IfModule mod_ssl.c>
<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        #   Server Certificate Chain:
        #   Point SSLCertificateChainFile at a file containing the
        #   concatenation of PEM encoded CA certificates which form the
        #   certificate chain for the server certificate. Alternatively
        #   the referenced file can be the same as SSLCertificateFile
        #   when the CA certificates are directly appended to the server
        #   certificate for convenience.
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

        #   Certificate Authority (CA):
        #   Set the CA certificate verification path where to find CA
        #   certificates for client authentication or alternatively one
        #   huge file containing all of them (file must be PEM encoded)
        #   Note: Inside SSLCACertificatePath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCACertificatePath /etc/ssl/certs/
        #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

        #   Certificate Revocation Lists (CRL):
        #   Set the CA revocation path where to find CA CRLs for client
        #   authentication or alternatively one huge file containing all
        #   of them (file must be PEM encoded)
        #   Note: Inside SSLCARevocationPath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCARevocationPath /etc/apache2/ssl.crl/
        #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

        #   Client Authentication (Type):
        #   Client certificate verification type and depth.  Types are
        #   none, optional, require and optional_no_ca.  Depth is a
        #   number which specifies how deeply to verify the certificate
        #   issuer chain before deciding the certificate is not valid.
        #SSLVerifyClient require
        #SSLVerifyDepth  10

        #   Access Control:
        #   With SSLRequire you can do per-directory access control based
        #   on arbitrary complex boolean expressions containing server
        #   variable checks and other lookup directives.  The syntax is a
        #   mixture between C and Perl.  See the mod_ssl documentation
        #   for more details.
        #<Location />
        #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
        #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
        #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
        #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
        #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
        #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
        #</Location>

        #   SSL Engine Options:
        #   Set various options for the SSL engine.
        #   o FakeBasicAuth:
        #     Translate the client X.509 into a Basic Authorisation.  This means that
        #     the standard Auth/DBMAuth methods can be used for access control.  The
        #     user name is the `one line' version of the client's X.509 certificate.
        #     Note that no password is obtained from the user. Every entry in the user
        #     file needs this password: `xxj31ZMTZzkVA'.
        #   o ExportCertData:
        #     This exports two additional environment variables: SSL_CLIENT_CERT and
        #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
        #     server (always existing) and the client (only existing when client
        #     authentication is used). This can be used to import the certificates
        #     into CGI scripts.
        #   o StdEnvVars:
        #     This exports the standard SSL/TLS related `SSL_*' environment variables.
        #     Per default this exportation is switched off for performance reasons,
        #     because the extraction step is an expensive operation and is usually
        #     useless for serving static content. So one usually enables the
        #     exportation for CGI and SSI requests only.
        #   o StrictRequire:
        #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
        #     under a "Satisfy any" situation, i.e. when it applies access is denied
        #     and no other module can change it.
        #   o OptRenegotiate:
        #     This enables optimized SSL connection renegotiation handling when SSL
        #     directives are used in per-directory context.
        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        #   SSL Protocol Adjustments:
        #   The safe and default but still SSL/TLS standard compliant shutdown
        #   approach is that mod_ssl sends the close notify alert but doesn't wait for
        #   the close notify alert from client. When you need a different shutdown
        #   approach you can use one of the following variables:
        #   o ssl-unclean-shutdown:
        #     This forces an unclean shutdown when the connection is closed, i.e. no
        #     SSL close notify alert is send or allowed to received.  This violates
        #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
        #     this when you receive I/O errors because of the standard approach where
        #     mod_ssl sends the close notify alert.
        #   o ssl-accurate-shutdown:
        #     This forces an accurate shutdown when the connection is closed, i.e. a
        #     SSL close notify alert is send and mod_ssl waits for the close notify
        #     alert of the client. This is 100% SSL/TLS standard compliant, but in
        #     practice often causes hanging connections with brain-dead browsers. Use
        #     this only for browsers where you know that their SSL implementation
        #     works correctly.
        #   Notice: Most problems of broken clients are also related to the HTTP
        #   keep-alive facility, so you usually additionally want to disable
        #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
        #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
        #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
        #   "force-response-1.0" for this.
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>



