配置https虚拟主机-创新互联

配置https虚拟主机

文章目录
  • 配置https虚拟主机
    • openssl实现私有CA:

openssl实现私有CA:

创建CA目录

[root@node1 ~]# mkdir /etc/pki/CA
[root@node1 ~]# cd /etc/pki/CA
[root@node1 CA]# pwd
/etc/pki/CA
[root@node1 CA]#

为 CA 生成一对密钥(在子 shell 中设置 umask 077,确保生成的私钥文件权限为 600,仅 root 可读写)

[root@node1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
genrsa: Can't open "private/cakey.pem" for writing, No such file or directory
[root@node1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
genrsa: Can't open "private/cakey.pem" for writing, No such file or directory
[root@node1 CA]# mkdir -p /etc/pki/CA/private
[root@node1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................................+++++
.................................................+++++
e is 65537 (0x010001)
[root@node1 CA]# ls
private
[root@node1 CA]# ll private/
total 4
-rw------- 1 root root 1675 Dec 26 20:06 cakey.pem
[root@node1 CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAue+ul0JSXudpEv3b1Uab
7/o6pudQheeyqKM9g+bNS4Y3dCwI90KWqz1HtCjgRk7ws5hdplj5r8h+3c5r8Bq5
kcrhuBOezG/5RUXNZSwH/HQH4+OCskhwD+/v/tvsMcyv5mxGVe8nUCHjTlIEXMvW
pEmWpfiRoH4o257ZtTMNhupSq14SsS4CRjv8EJxzQ0+EOqka7JcAZvczo75mnOVr
ue+lLd0l0fJDC6rGOOSiZ7THQYEJXY6BHzCMsJA1gjafOhEpmDB7zOcDW+x5CwWt
z18aX8x3cHG2TOtNpexz+KxabfTIjOTq/NjO2UdpuqCafW62j1UcI78PnAb3f9eq
jQIDAQAB
-----END PUBLIC KEY-----
[root@node1 CA]#

生成自签署的 CA 证书(-x509 表示直接输出自签证书而非证书请求;注意本例中 CA 的 Common Name 与后面服务器证书相同,实际部署时应为 CA 使用不同的 CN 以便区分)

[root@node1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:runtime
Common Name (eg, your name or your server's hostname) []:www.dianjijixu.com
Email Address []:2@233.com
[root@node1 CA]# ls
cacert.pem  private
[root@node1 CA]# mkdir certs newcerts crl
[root@node1 CA]# touch index.txt && echo 01 >serial
[root@node1 CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@node1 CA]# cat serial
01
[root@node1 CA]# mkdir -p /usr/local/apache/conf/ssl
[root@node1 CA]# cd /usr/local/apache/conf/ssl
[root@node1 ssl]# ls
[root@node1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....................................................................+++++
.............................+++++
e is 65537 (0x010001)
[root@node1 ssl]# ls
httpd.key
[root@node1 ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:runtime      
Common Name (eg, your name or your server's hostname) []:www.dianjijixu.com
Email Address []:2@233.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node1 ssl]#
[root@node1 ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 26 12:14:38 2022 GMT
            Not After : Dec 26 12:14:38 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = runtime
            organizationalUnitName    = runtime
            commonName                = www.dianjijixu.com
            emailAddress              = 2@233.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                BB:C4:DD:0D:F7:E5:02:72:A6:E5:22:12:89:D2:C6:55:B8:D3:6E:8D
            X509v3 Authority Key Identifier: 
                keyid:D6:65:E6:E7:52:9E:FB:B1:84:21:4A:5D:81:4E:00:51:6F:F4:9E:93

Certificate is to be certified until Dec 26 12:14:38 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node1 ssl]#

在 httpd.conf 中取消下列两行的注释,加载 mod_ssl 并引入虚拟主机配置文件

[root@node1 ~]# cd /usr/local/apache/conf/
[root@node1 conf]# vim httpd.conf
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule ssl_module modules/mod_ssl.so //删除#
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
# Virtual hosts
Include conf/extra/httpd-vhosts.conf  //删除#

修改 extra/httpd-vhosts.conf 文件(以下为 tail -17 的输出,页面中部分行已粘连)

[root@node1 ssl]# cd ..
[root@node1 conf]# vim extra/httpd-vhosts.conf 
[root@node1 conf]# tail -17 extra/httpd-vhosts.conf 
#DocumentRoot "/usr/local/apache/htdocs/www.dianjijixu.com"
    ServerName www.dianjijixu.com
    ErrorLog "logs/www.dianjijixu.com-error_log"
    CustomLog "logs/www.dianjijixu.com-access_log" common
DocumentRoot "/usr/local/apache/htdocs/www.dianjijixu.com"
    ServerName www.dianjijixu.com
    ErrorLog "logs/www.dianjijixu.com-error_log"
    CustomLog "logs/www.dianjijixu.com-access_log" common
[root@node1 conf]#

创建站点目录、移动文件并重新启动服务

[root@node1 conf]# mkdir -p /usr/local/apache/htdocs/{www.dianjijixu.com,blog.dianjijixu.com}
[root@node1 conf]# ls /usr/local/apache/htdocs
blog.dianjijixu.com  index.html  www.dianjijixu.com
[root@node1 conf]#
[root@node1 conf]# mv /var/www/html/blog/* /usr/local/apache/htdocs/blog.dianjijixu.com/
[root@node1 conf]# mv /var/www/html/www/* /usr/local/apache/htdocs/www.dianjijixu.com/
[root@node1 conf]# apachectl stop
[root@node1 conf]# apachectl start
[root@node1 conf]#

再次修改 httpd.conf 文件,取消下列两行的注释(引入 SSL 配置并加载 mod_ssl 所需的 shmcb 会话缓存模块)

[root@node1 conf]# vim httpd.conf 

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf 	//删除注释
#

#LoadModule cache_socache_module modules/mod_cache_socache.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so //删除注释
#LoadModule socache_dbm_module modules/mod_socache_dbm.so

修改 extra/httpd-ssl.conf 文件,将 DocumentRoot、ServerName 以及证书、私钥路径指向上面生成的 httpd.crt 和 httpd.key

[root@node1 conf]# vim extra/httpd-ssl.conf

#   General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs/www.dianjijixu.com"
ServerName www.dianjijixu.com:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/www.dianjijixu.com_error_log"
TransferLog "/usr/local/apache/logs/www.dianjijixu.com_access_log"

#   SSL Engine Switch:

SSLCertificateFile "/usr/local/apache/conf/ssl/httpd.crt"
#SSLCertificateFile "/usr/local/apache/conf/server-dsa.crt"
#SSLCertificateFile "/usr/local/apache/conf/server-ecc.crt"

SSLCertificateKeyFile "/usr/local/apache/conf/ssl/httpd.key"
#SSLCertificateKeyFile "/usr/local/apache/conf/server-dsa.key"
#SSLCertificateKeyFile "/usr/local/apache/conf/server-ecc.key"

重启服务并确认 443 端口已处于监听状态

[root@node1 conf]# apachectl stop
[root@node1 conf]# apachectl start
[root@node1 conf]# ss -antl
State      Recv-Q     Send-Q         Local Address:Port         Peer Address:Port     Process     
LISTEN     0          128                  0.0.0.0:22                0.0.0.0:*                    
LISTEN     0          128                     [::]:22                   [::]:*                    
LISTEN     0          128                        *:443                     *:*                    
LISTEN     0          128                        *:8080                    *:*                    
LISTEN     0          128                        *:80                      *:*                    
[root@node1 conf]#



