Steps to enable HTTPS on Apache:
1. Install apache (this assumes it is not installed yet, or the installed version is old)
This step requires a working network connection
sudo apt-get install apache2
2. Enable the SSL module
sudo a2enmod ssl
After running it, the following message is displayed:
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
service apache2 restart
3. Restart apache2
sudo service apache2 restart
4. Create a directory to hold the key and certificate
sudo mkdir /etc/apache2/ssl
5. Create the key and certificate
The certificate is valid for 365 days (for ten years use -days 3650, and so on)
The same command sets where the files are stored; here the two files apache.key and apache.crt are placed in the "/etc/apache2/ssl/" directory
The file names apache.key and apache.crt, and the directory they are stored in, can be changed as needed;
when you configure apache2, the "SSLCertificateFile" and "SSLCertificateKeyFile" directives must point to the correct path and file name
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
You will then be prompted for the certificate's subject information:
Country Name (2 letter code):TW
State or Province Name (full name) [Some-State]: Taiwan, Republic of China
Locality Name (eg, city) []:TaiTai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WaHaHa Co. , Ltd.
Organizational Unit Name (eg, section) []:Tea-CoffeeOrMe Sec.
Common Name (e.g. server FQDN or YOUR name) []:None.com
Email Address []:root@None.com
Once this finishes, the two newly created files can be seen in the /etc/apache2/ssl/ directory
6. Set up and edit the Apache SSL site configuration file
sudo vi /etc/apache2/sites-available/000-default.conf
(On Ubuntu 12.04 the configuration file is /etc/apache2/sites-available/default)
The original content is as follows:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
Copy the following content and paste it at the bottom of the file; the annotated lines (shown in red and underlined in the original) are the ones to pay attention to
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName example.com:443
# DocumentRoot can point elsewhere to give the HTTPS site its own document directory
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
# Point these at the files created in step 5 (the -out /path/..../Filename.crt and -keyout /path/..../Filename.key arguments)
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
7. Restart apache
sudo service apache2 restart
8. Check
Use netstat -an | grep :443 to confirm that port 443 is now open and listening
===== Notes =====
To force clients to use HTTPS when connecting to the site,
the following two actions achieve this...
1. Edit the Apache SSL site configuration file
sudo vi /etc/apache2/sites-available/000-default.conf
Delete the following section:
<VirtualHost *:80>
...
</VirtualHost>
2. Edit the port configuration,
sudo vi /etc/apache2/ports.conf
Comment out the original "Listen 80" line so that port 80 no longer answers
# Listen 80 <-- deleting or commenting it out both work
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
3. Restart apache --> sudo service apache2 restart
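As an added example (not code from the original post), this Python linter checks the two files edited in step 6 and in the notes above: that the *:443 site has SSLEngine on and both certificate directives, that no note is glued onto a directive with a '#' (Apache reads '#' as a comment only at the start of a line, so such a note becomes part of the directive), and, for the HTTPS-only variant, that no *:80 vhost or active Listen 80 remains. The config strings below are constructed samples, not the page's own files.

```python
import re

# Constructed samples modelled on the edited files: a *:443 vhost with a note glued on
SITE_CONF = """<VirtualHost *:443>
ServerName example.com:443
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt#==> note glued to the directive
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>
"""
PORTS_CONF = "# Listen 80\n<IfModule ssl_module>\nListen 443\n</IfModule>\n"
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>", re.IGNORECASE)

def parse_vhosts(conf):
    """Map each <VirtualHost addr> to its non-comment directive lines."""
    vhosts, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Apache treats '#' as a comment only at the start of a line
        if m := VHOST_RE.match(line):
            current = m.group(1)
            vhosts.setdefault(current, [])
        elif line.lower() == "</virtualhost>":
            current = None
        elif current is not None:
            vhosts[current].append(line)
    return vhosts

def lint_site(conf):
    """Findings for the HTTPS vhost of step 6; an empty list means it looks right."""
    findings = []
    for n, raw in enumerate(conf.splitlines(), 1):
        if raw.strip() and not raw.lstrip().startswith("#") and "#" in raw:
            findings.append(f"line {n}: '#' after a directive is not a comment to Apache")
    ssl = [d.lower() for a, ds in parse_vhosts(conf).items() if a.endswith(":443") for d in ds]
    if "sslengine on" not in ssl:
        findings.append("no *:443 vhost with SSLEngine on")
    for key in ("sslcertificatefile", "sslcertificatekeyfile"):
        if not any(d.startswith(key + " ") for d in ssl):
            findings.append(f"{key} missing in *:443 vhost")
    return findings

def lint_https_only(site_conf, ports_conf):
    """Findings for the HTTPS-only variant in the notes: no *:80 vhost, no active Listen 80."""
    findings = [f"<VirtualHost {a}> still present" for a in parse_vhosts(site_conf) if a.endswith(":80")]
    for raw in ports_conf.splitlines():
        if re.fullmatch(r"\s*listen\s+(\S+:)?80\s*", raw, re.IGNORECASE):
            findings.append(f"active '{raw.strip()}' in ports.conf")
    return findings
```

The '#' check is a heuristic: a '#' inside a quoted directive argument would also be reported.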