Practice objectives:
- Install and enable Apache on CentOS 7.
- Install the mod_ssl Apache module.
- Generate a self-signed certificate.
- Configure Apache to use the SSL certificate.
Deployment steps:
Install and enable Apache on CentOS 7.
sudo yum install httpd
sudo systemctl enable httpd.service
Install the mod_ssl Apache module.
yum install mod_ssl
Generate a self-signed certificate.
- The certificate file is stored in the /etc/ssl/certs directory.
- Modify the permissions to make sure only the root user has access.
mkdir /etc/ssl/private
sudo chmod 700 /etc/ssl/private
- Create the Certificate along with SSL key.
+ openssl: the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.
+ req -x509: "X.509" is the public key infrastructure standard that SSL and TLS adhere to for key and certificate management.
+ -nodes: tells OpenSSL to skip the option to secure our certificate with a passphrase. We need Apache to be able to read the file, without user intervention, when the server starts up. A passphrase would prevent this, since we would have to enter it after every restart.
+ -days 365: sets the length of time that the certificate will be considered valid. We set it to one year here.
+ -newkey rsa:1024: the rsa:2048 portion tells it to make an RSA key that is 2048 bits long. "newkey" specifies that we want to generate a new certificate and a new key at the same time.
+ -keyout: tells OpenSSL where to place the generated private key file that we are creating.
+ -out: tells OpenSSL where to place the certificate that we are creating.
[root@localhost html]# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
Generating a 2048 bit RSA private key
.......................................................+++
...................+++
writing new private key to '/etc/ssl/private/apache-selfsigned.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:VN
State or Province Name (full name) []:HCM
Locality Name (eg, city) [Default City]:HCM
Organization Name (eg, company) [Default Company Ltd]:DWN
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:centos
Email Address []:bquocky@gmail.com
[root@localhost html]#
- While we are using OpenSSL, we should also create a strong Diffie-Hellman group, which is used in negotiating Perfect Forward Secrecy with clients.
+ This may take a few minutes, but when it’s done you will have a strong DH group at /etc/ssl/certs/dhparam.pem that we can use in our configuration.
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Configure Apache to use the SSL certificate.
- Since the version of Apache that ships with CentOS 7 does not include the SSLOpenSSLConfCmd directive, we will have to manually append the generated file to the end of our self-signed certificate.
- The apache-selfsigned.crt file should now have both the certificate and the generated Diffie-Hellman group.
[root@localhost ssl]# cat /etc/ssl/certs/dhparam.pem | sudo tee -a /etc/ssl/certs/apache-selfsigned.crt
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA3xetOeJd7UzfgVMNJRJLs9MW1UzmecQQEqossKqk5ixSn50fepEh
Ls5tjNcZTaC9mMq/nJlOhOzl/Xt8b3Y8q6HF06+WcFAVXeOc9gwaiKocNQL5MB19
612fzF9nqPq84SLf2mQ43ADTG4XS7O+TWzOMSmAAcdHvL+PjxLPMd5seV7Anc/7d
6PWf13KgbZMTRqRKD+6RACW4aB4/tv32Gaj5kAQhaJi1VIs6Vv1/5w2ifyt3j1KU
GwlGTHOYBJ9G/qSOL27Qb9XR2bW08vFOwdjTwB6nyhHuat3hg8QYiDEF+brNR3D9
vzcTjvDZTWLTGJ/E1djDnZkA591RKlu2AwIBAg==
-----END DH PARAMETERS-----
[root@localhost ssl]#
- Edit the following lines as shown below.
vi /etc/httpd/conf.d/ssl.conf
DocumentRoot "/var/www/html"
ServerName 192.168.100.122:443
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
- Before editing.
- After editing.
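Before restarting Apache it is worth checking that the files ssl.conf points at are consistent; the script below is an added example, not part of the original post, and assumes the openssl CLI plus the paths used above (certificate bundle at /etc/ssl/certs/apache-selfsigned.crt, key at /etc/ssl/private/apache-selfsigned.key). It verifies that the key matches the certificate, that the key is not readable by group or others, that the certificate has not expired, and that the appended DH group passes OpenSSL's check and meets the 2048-bit size described in the option explanation.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check the self-signed
# certificate, its private key and the appended DH group before restarting
# Apache. Assumes the openssl CLI and the file paths used in this post.
set -u

# Print the first PEM block of type $2 found in file $1 (empty if none).
extract_pem_block() {
  sed -n "/^-----BEGIN $2-----/,/^-----END $2-----/p" "$1"
}

# 0 when the certificate and the private key carry the same public key.
cert_matches_key() {
  local crt_pub key_pub
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# 0 when the certificate is still valid $2 seconds from now (0 = right now).
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# 0 when group and others have no permission bits on the key file
# (the same idea as the chmod 700 on /etc/ssl/private above).
key_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 when file $1 carries DH parameters that pass "openssl dhparam -check"
# and whose prime is at least $2 bits long.
dh_params_ok() {
  local tmp bits
  tmp=$(mktemp) || return 1
  extract_pem_block "$1" "DH PARAMETERS" >"$tmp"
  if [ -s "$tmp" ] && openssl dhparam -in "$tmp" -noout -check >/dev/null 2>&1; then
    bits=$(openssl dhparam -in "$tmp" -noout -text 2>/dev/null | grep -o '[0-9]* bit' | head -n1 | cut -d' ' -f1)
  fi
  rm -f "$tmp"
  [ "${bits:-0}" -ge "$2" ]
}

# Run every check. Usage: verify_ssl_files CERT_BUNDLE KEY [MIN_DH_BITS]
# e.g. verify_ssl_files /etc/ssl/certs/apache-selfsigned.crt /etc/ssl/private/apache-selfsigned.key
verify_ssl_files() {
  local crt="$1" key="$2" min_bits="${3:-2048}"
  [ -n "$(extract_pem_block "$crt" CERTIFICATE)" ] || { echo "no CERTIFICATE block in $crt" >&2; return 1; }
  cert_matches_key "$crt" "$key"  || { echo "$key does not match $crt" >&2; return 1; }
  cert_valid_for "$crt" 0         || { echo "$crt has expired" >&2; return 1; }
  key_is_private "$key"           || { echo "$key is readable by group/others" >&2; return 1; }
  dh_params_ok "$crt" "$min_bits" || { echo "no valid DH group of at least $min_bits bits in $crt" >&2; return 1; }
  echo "OK: $crt and $key are consistent"
}
```

A non-zero exit names the first failing check, so a key path typo in ssl.conf or a forgotten dhparam append shows up before Apache refuses to start.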
- Restart Apache service.
[root@localhost ssl]# systemctl restart httpd
[root@localhost ssl]# hostname -I
192.168.100.122
[root@localhost ssl]#
- Access Apache over HTTPS at https://192.168.100.122/ or https://192.168.100.122/info.php
For any questions, please contact me via Zalo (Jade Bùi) 076.877.2021.