Adding SSL to Apache

Based on: http://www.opennet.ru/base/dev/apache_mod_ssl.txt.html
My setup: apache-2.2.4_2.
Install openssl.
cd /usr/ports/security/openssl-stable/
make install clean


Edit the SSL config /usr/local/etc/apache22/extra/httpd-ssl.conf:

Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/run/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex

Edit the virtual host in /usr/local/etc/apache22/extra/httpd-vhosts.conf:

ServerName xxx
DocumentRoot /usr/http/base/http
php_admin_value open_basedir /usr/http/base:/var/tmp
Options -Indexes
ServerAdmin xxx@xxx.net
ErrorLog /usr/http/base/log/httpd-error.log
CustomLog /usr/http/base/log/httpd-access.log combined
#SSL settings
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/etc/apache22/ssl/swbase.crt
SSLCertificateKeyFile /usr/local/etc/apache22/ssl/swbase.pem
SSLOptions +StdEnvVars
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /usr/http/base/log/httpd-ssl_request.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
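
The SSLCipherSuite string above starts from ALL and excludes only ADH and EXPORT56, so export-grade, LOW and SSLv2 suites stay in the list. The fragment below is an added example, not part of the original post, showing that line next to a stricter setting for the same virtual host; it assumes no client of the site depends on the legacy suites.

```apache
# Added example, not from the original post. Place inside the same virtual host.

# As in the post: ALL pulls in every suite and only ADH and EXPORT56 are
# excluded. The "+" entries only reorder the list, they remove nothing.
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# Stricter: disable the SSLv2 and SSLv3 protocols; whatever TLS versions
# the httpd/OpenSSL build supports remain available.
SSLProtocol all -SSLv2 -SSLv3

# Start from the HIGH class and exclude anonymous, null-encryption,
# MD5, RC4 and 3DES suites outright with "!".
SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES

# Prefer the server's cipher order over the client's.
SSLHonorCipherOrder on
```

To see which suites a string expands to on the installed OpenSSL, run `openssl ciphers -v` with the string as its argument.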
Now generate the keys. I created the directory /usr/local/etc/apache22/ssl right away:

openssl genrsa -des3 -rand file1:file2:file3 -out swbase.key
openssl rsa -in swbase.key -out swbase.pem # strip the passphrase from the private key
openssl req -new -key swbase.key -out swbase.csr

Here, in Common Name, enter the site's address without "http://"
openssl x509 -req -days 60 -in swbase.csr -signkey swbase.key -out swbase.crt

Well, that seems to be everything.
