Configuring an HTTPS Virtual Host in Apache

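I. Install Apache 2.2.21 with SSL support
1. Before installing Apache, check that OpenSSL is installed: yum list "*openssl*". If it is missing, install it with yum.
2. Installing Apache: there is plenty of documentation online. The build options below are the ones specific to SSL.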

  # cd /usr/local/src/tarbag
  # wget http://labs.renren.com/apache-mirror//httpd/httpd-2.2.21.tar.gz
  # tar xzvf httpd-2.2.21.tar.gz -C ../software
  # cd ../software/httpd-2.2.21
  # ./configure --prefix=/usr/local/apache --enable-so --enable-ssl --enable-rewrite --enable-headers --with-mpm=worker --enable-expires --enable-suexec --with-suexec-docroot=/data/www --enable-mods-shared=all
  # make && make install
  # rm -rf /etc/init.d/httpd
  # cp /usr/local/apache/bin/apachectl /etc/init.d/httpd
  # sed -i '2c#chkconfig: 35 85 15' /etc/init.d/httpd
  # sed -i '3c#description: apache' /etc/init.d/httpd
  # chmod +x /etc/init.d/httpd
  # chkconfig --add httpd
  # chkconfig httpd on
  # rm -rf /sbin/apachectl
  # ln -s /usr/local/apache/bin/apachectl /sbin

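II. Generate the certificate
1. Create a directory for the certificate

Once Apache is installed, generate the certificate right away. Before doing so, create a directory to hold it.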

  # cd /usr/local/apache/conf
  # mkdir ssl.key
  # cd ssl.key/

2. Generate a server-signed certificate in three steps

step.1

First, generate the server's private key (the key file):

  # openssl genrsa -des3 -out server.key 1024

When run, it prompts for a pass phrase, which is used to encrypt the key file. The command to remove the pass phrase from the key file:

  .......................
  .................................................
  e is 65537 (0x10001)
  Enter pass phrase for server.key:
  Verifying - Enter pass phrase for server.key:

step.2

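Generate a Certificate Signing Request (CSR). Once a CA signs the CSR file, it becomes the server's own certificate. Prompts appear on screen; follow them step by step and enter the requested details.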

  # openssl req -new -key server.key -out server.csr

You will see the following prompts; enter the requested information to generate the CSR:

  Enter pass phrase for server.key:
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [GB]:CN
  State or Province Name (full name) [Berkshire]:FJ
  Locality Name (eg, city) [Newbury]:FZ
  Organization Name (eg, company) [My Company Ltd]:company
  Organizational Unit Name (eg, section) []:company
  Common Name (eg, your name or your server's hostname) []:ty
  Email Address []:[email protected]

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:company
  An optional company name []:company

To generate a client certificate, run the same commands for the client to produce its key and CSR files:

openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf

This is not demonstrated here; interested readers can try it themselves.

step.3

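A CSR file must be signed by a CA before it becomes a certificate. You can send the file to a CA such as VeriSign for validation, or sign it yourself:

  # openssl x509 -req -in server.csr -signkey server.key -out server.cert

You will see the following output; enter the pass phrase to finish. Without a -days option, openssl x509 issues the certificate with its default validity of 30 days.

  Signature ok
  subject=/C=CN/ST=FJ/L=FZ/O=poppace/OU=poppace/CN=ty/[email protected]
  Getting Private key
  Enter pass phrase for server.key: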

For security, reduce the access permissions on the certificate files to the minimum:

  # chmod 400 *
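
A check worth running on the files from steps 1 to 3 before pointing Apache at them, as an added example that is not part of the original article: it reports the RSA key size, confirms the certificate carries the public key of this private key, and confirms the key is accessible to its owner only. The function names and the 2048-bit floor are assumptions of this example (the 1024-bit key from step 1 is reported by the first check); the optional third argument is an OpenSSL -passin source for a pass-phrase-protected key.

```shell
#!/bin/sh
# Added example: checks for the key/certificate pair from steps 1-3.
# Function names and the 2048-bit floor are this example's assumptions.

# Print the RSA key size in bits. $2: optional -passin source, e.g. file:/path.
key_bits() {
    openssl pkey -in "$1" ${2:+-passin "$2"} -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Succeed only if the certificate carries the public key of this private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" ${3:+-passin "$3"} -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Succeed only if group and others have no permission bits on the file.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all checks on <key> <cert> [passin]; print findings, non-zero on any.
audit_pair() {
    rc=0
    bits=$(key_bits "$1" "$3")
    [ "${bits:-0}" -ge 2048 ] || { echo "WEAK: RSA key is ${bits:-unreadable} bits"; rc=1; }
    key_matches_cert "$1" "$2" "$3" || { echo "MISMATCH: certificate is not for this key"; rc=1; }
    owner_only "$1" || { echo "PERMS: key is accessible to group or others"; rc=1; }
    return "$rc"
}

# With <key> <cert> [passin], audit those; otherwise audit a throwaway pair
# generated here (constructed sample input).
if [ "$#" -ge 2 ]; then
    audit_pair "$@"
else
    demo=$(mktemp -d)
    (umask 077 && openssl genrsa -out "$demo/server.key" 2048 2>/dev/null)
    openssl req -new -x509 -key "$demo/server.key" -subj "/CN=demo.invalid" \
        -out "$demo/server.cert" 2>/dev/null
    audit_pair "$demo/server.key" "$demo/server.cert" && echo "demo pair: OK"
    rm -rf "$demo"
fi
```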

The certificate is now generated; next, configure Apache.

III. Configure Apache
1. Enable the vhosts and SSL configuration files in httpd.conf

  # vi /usr/local/apache/conf/httpd.conf

To enable the vhosts configuration, go to lines 447 and 459 and uncomment Include conf/extra/httpd-vhosts.conf and Include conf/extra/httpd-ssl.conf.

2. Configure vhosts

  # vi /usr/local/apache/conf/extra/httpd-vhosts.conf

Pay particular attention to the 443 section; the relevant directives are explained in httpd-ssl.conf.

  NameVirtualHost *:80
  NameVirtualHost *:443

  <VirtualHost *:80>
    DocumentRoot "/data/www/"
    ServerName 192.168.1.201
    <Directory /data/www/>
      Order allow,deny
      Allow from all
      Options -Indexes FollowSymLinks
      AllowOverride All
    </Directory>
  </VirtualHost>

  <VirtualHost *:443>
    DocumentRoot "/data/www/"
    ServerName 192.168.1.201:443
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "/usr/local/apache/conf/ssl.key/server.cert"
    SSLCertificateKeyFile "/usr/local/apache/conf/ssl.key/server.key"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /data/www/>
      Order allow,deny
      Allow from all
      Options -Indexes FollowSymLinks
      AllowOverride All
    </Directory>
    BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
  </VirtualHost>
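
The SSLCipherSuite value above starts from ALL, so what it actually permits depends on the local OpenSSL build. The following added example (not from the original article; function names are hypothetical) extracts each SSLCipherSuite value from a config file, resolves it with openssl ciphers -v, and flags entries that are unencrypted, unauthenticated, export-grade, RC4, MD5-based or under 128 bits. The embedded sample lines are constructed.

```shell
#!/bin/sh
# Added example: flag weak entries in the cipher list an SSLCipherSuite
# string resolves to. Function names are hypothetical, not Apache's or OpenSSL's.

# Print every SSLCipherSuite value found in an Apache config file.
suites_in_conf() {
    sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]][[:space:]]*//p' "$1"
}

# Read lines in `openssl ciphers -v` format; print "NAME: reasons" for weak ones.
flag_weak() {
    awk '{
        why = ""
        if ($2 == "SSLv2") why = why " SSLv2-only"
        for (i = 3; i <= NF; i++) {
            if ($i == "Enc=None") why = why " no-encryption"
            if ($i == "Au=None")  why = why " unauthenticated"
            if ($i == "Mac=MD5")  why = why " MD5-MAC"
            if ($i == "export")   why = why " export-grade"
            if ($i ~ /^Enc=RC4/)  why = why " RC4"
            if ($i ~ /^Enc=.*\([0-9]+\)$/) {
                n = $i; sub(/^.*\(/, "", n); sub(/\)$/, "", n)
                if (n + 0 < 128) why = why " " n "-bit"
            }
        }
        if (why != "") print $1 ":" why
    }'
}

# Resolve each suite in the file with the local OpenSSL and flag weak entries.
audit_conf() {
    suites_in_conf "$1" | while IFS= read -r suite; do
        openssl ciphers -v "$suite" | flag_weak
    done
}

# Sample `openssl ciphers -v` lines, constructed for this example.
SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1'

# With a config path, audit it; otherwise classify the sample lines.
if [ "$#" -ge 1 ]; then audit_conf "$1"; else printf '%s\n' "$SAMPLE" | flag_weak; fi
```

An empty result from the audit means none of the resolved ciphers matched these weak classes on the OpenSSL build that ran the check.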

3. Edit the relevant settings in httpd-ssl.conf

  # vi /usr/local/apache/conf/extra/httpd-ssl.conf

Search for SSLCertificateFile

and change (line 99): SSLCertificateFile "/usr/local/apache/conf/server.crt"
to: SSLCertificateFile "/usr/local/apache/conf/ssl.key/server.cert"

Search for SSLCertificateKeyFile

and change (line 107): SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
to: SSLCertificateKeyFile "/usr/local/apache/conf/ssl.key/server.key"

4. Restart Apache

  # service httpd start
  Apache/2.2.21 mod_ssl/2.2.21 (Pass Phrase Dialog)
  Some of your private key files are encrypted for security reasons.
  In order to read them you have to provide the pass phrases.

  Server www.example.com:443 (RSA)
  Enter pass phrase:

  OK: Pass Phrase Dialog successful.

Now open https://192.168.1.201 in a browser, and you are done.

Original article: https://www.linuxprobe.com/apache-virtual-host.html Editor: public; reviewer: none yet
