Apache 2 Server에 보안인증서(SSL) 설치하기

개인키: ssl.key

인증서: ssl.crt

중개자인증서: chain_ssl.crt

체인인증서: chain_all_ssl.crt

openssl rsa -noout -text -in ssl.key 

이렇게 입력하고 패스워드를 입력하고 결과를 확인해 보면 입력한 패스워드가 맞는지 확인할 수 있다.

< HTTPS 인증서 설치: 웹서버 셋팅 >

http://opentutorials.org/course/228/4894

2. 아파치의 SSL 모듈을 활성화 한다.

root@example1:/etc/apache2/sites-available# a2enmod ssl

Enabling module ssl.

See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.

To activate the new configuration, you need to run:

  service apache2 restart

root@example1:/etc/apache2/sites-available# service apache2 restart

 * Restarting web server apache2                                                apache2: Could not reliably determine the server's fully qualified domain name, using example1.cafe24.com for ServerName

 ... waiting ..apache2: Could not reliably determine the server's fully qualified domain name, using example1.cafe24.com for ServerName

 

 vi /etc/hosts 파일에서

 

 127.0.0.1 example1.cafe24.com

 < 보안 인증서 설치 참조 사이트 >

 

 http://calflove.tistory.com/356

 9. 버추얼 호스트 default-ssl을 활성화된 서비스로 등록한다.

sudo a2ensite default-ssl

root@example1:/etc/apache2/sites-available# a2ensite default-ssl

Enabling site default-ssl.

To activate the new configuration, you need to run:

  service apache2 reload

root@example1:/etc/apache2/sites-available# service apache2 reload

 * Reloading web server config apache2                                          apache2: Could not reliably determine the server's fully qualified domain name, using example1.cafe24.com for ServerName

* hostname 변경하기

 

vi /etc/hostname

* /etc/hosts 파일에서

127.0.0.1 example1.cafe24.com localhost

위와 같이 example1.cafe24.com 이 localhost 앞에 와야 함.

tomcat 서버 띄울때 앞에 오는 것으로 canonicalHostName 이 결정된다.

cf) http://zetawiki.com/wiki/%EB%A6%AC%EB%88%85%EC%8A%A4_%ED%98%B8%EC%8A%A4%ED%8A%B8%EB%AA%85_%EB%B3%80%EA%B2%BD

root@example1:/etc/libapache2-mod-jk# vi httpd-jk.conf

다음 내용 추가.

    <VirtualHost *:443>

        JkMount /* loadbalancer

    </VirtualHost>

80포트에 대한 설정이 httpd-jk.conf 파일 안에 있어서 443 포트에 대한 설정도 이 파일에 같이 집어 넣었더니 다음과 같은 Warning이 발생하고, Tomcat Server로 Service 되지도 않는다.

[Fri Feb 13 19:07:10 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence

/etc/apache2/sites-available# vi default-ssl

위 파일 안에 

<VirtualHost _default_:443> 태그 안에 맨 끝에 

JkMount /* loadbalancer

추가하고, apache 서버 재시작 했더니 잘 작동함.

Apache 서버 재시작할때 매번 ssl 개인키 패스워드 안 넣어도 되도록 하기.

[참고] http://whiteship.me/?p=13580

root@example1:/etc/apache2/sites-available# vi default-ssl

<IfModule mod_ssl.c>

SSLPassPhraseDialog exec:/etc/apache2/ssl/ssl.pass   <= 추가

<VirtualHost _default_:443>

default-ssl 파일의 내용

<IfModule mod_ssl.c>

SSLPassPhraseDialog exec:/etc/apache2/ssl/ssl.pass

<VirtualHost _default_:443>

ServerAdmin homepage@example.com

ServerName example.cafe24.com

DocumentRoot /var/www

<Directory />

Options FollowSymLinks

AllowOverride None

</Directory>

<Directory /var/www/>

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

<Directory "/usr/lib/cgi-bin">

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,

# alert, emerg.

LogLevel warn

CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

Alias /doc/ "/usr/share/doc/"

<Directory "/usr/share/doc/">

Options Indexes MultiViews FollowSymLinks

AllowOverride None

Order deny,allow

Deny from all

Allow from 127.0.0.0/255.0.0.0 ::1/128

</Directory>

#   SSL Engine Switch:

#   Enable/Disable SSL for this virtual host.

SSLEngine on

#   A self-signed (snakeoil) certificate can be created by installing

#   the ssl-cert package. See

#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.

#   If both key and certificate are stored in the same file, only the

#   SSLCertificateFile directive is needed.

SSLCertificateFile    /etc/apache2/ssl/ssl.crt

SSLCertificateKeyFile /etc/apache2/ssl/ssl.key

#   Server Certificate Chain:

#   Point SSLCertificateChainFile at a file containing the

#   concatenation of PEM encoded CA certificates which form the

#   certificate chain for the server certificate. Alternatively

#   the referenced file can be the same as SSLCertificateFile

#   when the CA certificates are directly appended to the server

#   certificate for convinience.

SSLCertificateChainFile /etc/apache2/ssl/chain_ssl.crt

#   Certificate Authority (CA):

#   Set the CA certificate verification path where to find CA

#   certificates for client authentication or alternatively one

#   huge file containing all of them (file must be PEM encoded)

#   Note: Inside SSLCACertificatePath you need hash symlinks

#         to point to the certificate files. Use the provided

#         Makefile to update the hash symlinks after changes.

#SSLCACertificatePath /etc/ssl/certs/

#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

#   Certificate Revocation Lists (CRL):

#   Set the CA revocation path where to find CA CRLs for client

#   authentication or alternatively one huge file containing all

#   of them (file must be PEM encoded)

#   Note: Inside SSLCARevocationPath you need hash symlinks

#         to point to the certificate files. Use the provided

#         Makefile to update the hash symlinks after changes.

#SSLCARevocationPath /etc/apache2/ssl.crl/

#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

#   Client Authentication (Type):

#   Client certificate verification type and depth.  Types are

#   none, optional, require and optional_no_ca.  Depth is a

#   number which specifies how deeply to verify the certificate

#   issuer chain before deciding the certificate is not valid.

#SSLVerifyClient require

#SSLVerifyDepth  10

#   Access Control:

#   With SSLRequire you can do per-directory access control based

#   on arbitrary complex boolean expressions containing server

#   variable checks and other lookup directives.  The syntax is a

#   mixture between C and Perl.  See the mod_ssl documentation

#   for more details.

#<Location />

#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \

#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \

#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \

#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \

#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \

#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/

#</Location>

#   SSL Engine Options:

#   Set various options for the SSL engine.

#   o FakeBasicAuth:

#     Translate the client X.509 into a Basic Authorisation.  This means that

#     the standard Auth/DBMAuth methods can be used for access control.  The

#     user name is the `one line' version of the client's X.509 certificate.

#     Note that no password is obtained from the user. Every entry in the user

#     file needs this password: `xxj31ZMTZzkVA'.

#   o ExportCertData:

#     This exports two additional environment variables: SSL_CLIENT_CERT and

#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the

#     server (always existing) and the client (only existing when client

#     authentication is used). This can be used to import the certificates

#     into CGI scripts.

#   o StdEnvVars:

#     This exports the standard SSL/TLS related `SSL_*' environment variables.

#     Per default this exportation is switched off for performance reasons,

#     because the extraction step is an expensive operation and is usually

#     useless for serving static content. So one usually enables the

#     exportation for CGI and SSI requests only.

#   o StrictRequire:

#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even

#     under a "Satisfy any" situation, i.e. when it applies access is denied

#     and no other module can change it.

#   o OptRenegotiate:

#     This enables optimized SSL connection renegotiation handling when SSL

#     directives are used in per-directory context.

#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

<FilesMatch "\.(cgi|shtml|phtml|php)$">

SSLOptions +StdEnvVars

</FilesMatch>

<Directory /usr/lib/cgi-bin>

SSLOptions +StdEnvVars

</Directory>

#   SSL Protocol Adjustments:

#   The safe and default but still SSL/TLS standard compliant shutdown

#   approach is that mod_ssl sends the close notify alert but doesn't wait for

#   the close notify alert from client. When you need a different shutdown

#   approach you can use one of the following variables:

#   o ssl-unclean-shutdown:

#     This forces an unclean shutdown when the connection is closed, i.e. no

#     SSL close notify alert is send or allowed to received.  This violates

#     the SSL/TLS standard but is needed for some brain-dead browsers. Use

#     this when you receive I/O errors because of the standard approach where

#     mod_ssl sends the close notify alert.

#   o ssl-accurate-shutdown:

#     This forces an accurate shutdown when the connection is closed, i.e. a

#     SSL close notify alert is send and mod_ssl waits for the close notify

#     alert of the client. This is 100% SSL/TLS standard compliant, but in

#     practice often causes hanging connections with brain-dead browsers. Use

#     this only for browsers where you know that their SSL implementation

#     works correctly.

#   Notice: Most problems of broken clients are also related to the HTTP

#   keep-alive facility, so you usually additionally want to disable

#   keep-alive for those clients, too. Use variable "nokeepalive" for this.

#   Similarly, one has to force some clients to use HTTP/1.0 to workaround

#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

#   "force-response-1.0" for this.

BrowserMatch "MSIE [2-6]" \

nokeepalive ssl-unclean-shutdown \

downgrade-1.0 force-response-1.0

# MSIE 7 and newer should be able to use keepalive

BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

# hskang (2015-02-13) for Tomcat Server Load balancing

JkMount /* loadbalancer

</VirtualHost>

</IfModule>