Using SSL with Apache


    There are several ways to add SSL support to Apache; this page uses mod_ssl and OpenSSL.
    The versions used here date from 2002: Apache 1.3, mod_ssl 2.8 and OpenSSL 0.9.7 are all long out of support, so read the procedure as an illustration of how mod_ssl is built and how its certificates are produced, not as a recipe for a current deployment.

  1. Download openssl-0.9.7.tar.gz from OpenSSL: The Open Source toolkit for SSL/TLS.
    As of 2002/12/31, 0.9.7 was the latest release.
  2. Download mod_ssl-2.8.12-1.3.27.tar.gz from mod_ssl: The Apache Interface to OpenSSL.
    As of 2004/5/11, 2.8.17-1.3.31 was the latest.
    The second half of a mod_ssl version number is the Apache release its patch set is written for, so the mod_ssl and Apache tarballs must match exactly (2.8.12-1.3.27 goes with apache_1.3.27 below); mod_ssl's configure will not apply to any other release.
  3. Download apache_1.3.27.tar.gz from Downloading Apache - Japanized Apache Site.
    As of 2004/5/11, 1.3.31 was the latest.

    First install OpenSSL. Then apply mod_ssl, build Apache, and install it.
    As a trial, make certificate TYPE=custom is used to create a certificate signed by our own CA.
    Apache is built with DSO (Dynamic Shared Object) support.
    $ tar xvzf openssl-0.9.7.tar.gz
    $ cd openssl-0.9.7
    $ ./config
    $ make
    $ make test
    $ su
    # make install
    # exit
    $ cd ..
    $ tar xvzf apache_1.3.27.tar.gz
    $ tar xvzf mod_ssl-2.8.12-1.3.27.tar.gz
    $ cd mod_ssl-2.8.12-1.3.27
    $ ./configure --with-apache=../apache_1.3.27 \
                  --with-ssl=/usr/local/ssl \
                  --enable-rule=SHARED_CORE \
                  --enable-module=so
    $ cd ../apache_1.3.27
    $ make
    $ make certificate TYPE=custom
    
    SSL Certificate Generation Utility (mkcert.sh)
    Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.
    
    Generating custom certificate signed by own CA [CUSTOM]
    ______________________________________________________________________
    
    STEP 0: Decide the signature algorithm used for certificates
    The generated X.509 certificates can contain either
    RSA or DSA based ingredients. Select the one you want to use.
    Signature Algorithm ((R)SA or (D)SA) [R]:
    ______________________________________________________________________
    
    STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]
    46961 semi-random bytes loaded
    Generating RSA private key, 1024 bit long modulus
    ...++++++
    ...................................++++++
    e is 65537 (0x10001)
    ______________________________________________________________________
    
    STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
    Using configuration from .mkcert.cfg
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    1. Country Name             (2 letter code) [XY]:JP
    2. State or Province Name   (full name)     [Snake Desert]:Kanagawa
    3. Locality Name            (eg, city)      [Snake Town]:Yokohama
    4. Organization Name        (eg, company)   [Snake Oil, Ltd]:ITNAVI.com
    5. Organizational Unit Name (eg, section)   [Certificate Authority]:
    6. Common Name              (eg, CA name)   [Snake Oil CA]:ITNAVI CA
    7. Email Address            (eg, name@FQDN) [ca@snakeoil.dom]:sawa@itnavi.com
    8. Certificate Validity     (days)          [365]:
    ______________________________________________________________________
    
    STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
    Certificate Version (1 or 3) [3]:
    Signature ok
    subject=/C=JP/ST=Kanagawa/L=Yokohama/O=ITNAVI.com/OU=Certificate Authority/CN=ITNAVI CA/Email=sawa@itnavi.com
    Getting Private key
    Verify: matching certificate & key modulus
    read RSA key
    Verify: matching certificate signature
    ../conf/ssl.crt/ca.crt: /C=JP/ST=Kanagawa/L=Yokohama/O=ITNAVI.com/OU=Certificate Authority/CN=ITNAVI CA/Email=sawa@itnavi.com
    error 18 at 0 depth lookup:self signed certificate
    OK
    ______________________________________________________________________
    
    STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]
    46961 semi-random bytes loaded
    Generating RSA private key, 1024 bit long modulus
    ........++++++
    ..........++++++
    e is 65537 (0x10001)
    ______________________________________________________________________
    
    STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]
    Using configuration from .mkcert.cfg
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    1. Country Name             (2 letter code) [XY]:JP
    2. State or Province Name   (full name)     [Snake Desert]:Kanagawa
    3. Locality Name            (eg, city)      [Snake Town]:Yokohama
    4. Organization Name        (eg, company)   [Snake Oil, Ltd]:ITNAVI.com
    5. Organizational Unit Name (eg, section)   [Webserver Team]:
    6. Common Name              (eg, FQDN)      [www.snakeoil.dom]:www.itnavi.com
    7. Email Address            (eg, name@fqdn) [www@snakeoil.dom]:sawa@itnavi.com
    8. Certificate Validity     (days)          [365]:
    ______________________________________________________________________
    
    STEP 6: Generating X.509 certificate signed by own CA [server.crt]
    Certificate Version (1 or 3) [3]:
    Signature ok
    subject=/C=JP/ST=Kanagawa/L=Yokohama/O=ITNAVI.com/OU=Webserver Team/CN=www.itnavi.com/Email=sawa@itnavi.com
    Getting CA Private Key
    Verify: matching certificate & key modulus
    read RSA key
    Verify: matching certificate signature
    ../conf/ssl.crt/server.crt: OK
    ______________________________________________________________________
    
    STEP 7: Enrypting RSA private key of CA with a pass phrase for security [ca.key]
    The contents of the ca.key file (the generated private key) has to be
    kept secret. So we strongly recommend you to encrypt the server.key file
    with a Triple-DES cipher and a Pass Phrase.
    Encrypt the private key now? [Y/n]:
    read RSA key
    writing RSA key
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:
    Fine, you're using an encrypted private key.
    ______________________________________________________________________
    
    STEP 8: Enrypting RSA private key of SERVER with a pass phrase for security [server.key]
    The contents of the server.key file (the generated private key) has to be
    kept secret. So we strongly recommend you to encrypt the server.key file
    with a Triple-DES cipher and a Pass Phrase.
    Encrypt the private key now? [Y/n]:
    read RSA key
    writing RSA key
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:
    Fine, you're using an encrypted RSA private key.
    ______________________________________________________________________
    
    RESULT: CA and Server Certification Files
    
    o  conf/ssl.key/ca.key
       The PEM-encoded RSA private key file of the CA which you can
       use to sign other servers or clients. KEEP THIS FILE PRIVATE!
    
    o  conf/ssl.crt/ca.crt
       The PEM-encoded X.509 certificate file of the CA which you use to
       sign other servers or clients. When you sign clients with it (for
       SSL client authentication) you can configure this file with the
       'SSLCACertificateFile' directive.
    
    o  conf/ssl.key/server.key
       The PEM-encoded RSA private key file of the server which you configure
       with the 'SSLCertificateKeyFile' directive (automatically done
       when you install via APACI). KEEP THIS FILE PRIVATE!
    
    o  conf/ssl.crt/server.crt
       The PEM-encoded X.509 certificate file of the server which you configure
       with the 'SSLCertificateFile' directive (automatically done
       when you install via APACI).
    
    o  conf/ssl.csr/server.csr
       The PEM-encoded X.509 certificate signing request of the server file which
       you can send to an official Certificate Authority (CA) in order
       to request a real server certificate (signed by this CA instead
       of our own CA) which later can replace the conf/ssl.crt/server.crt
       file.
    
    Congratulations that you establish your server with real certificates.
    
    
    $ su
    # make install
    

    Where the certificate-related files are installed
    File type                      Directory
    Certificates                   /usr/local/apache/conf/ssl.crt
    Private keys                   /usr/local/apache/conf/ssl.key
    Certificate revocation lists   /usr/local/apache/conf/ssl.crl
    Certificate signing requests   /usr/local/apache/conf/ssl.csr
    DSA parameter files            /usr/local/apache/conf/ssl.prm
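    The script below is an added example; it is not code from this page, from Apache, or from mod_ssl's mkcert.sh. It reproduces what make certificate TYPE=custom does (CA key, self-signed CA certificate, server key, CSR, CA-signed server certificate) with current openssl command-line tools and current parameters (2048-bit RSA, SHA-256, a subjectAltName, which mkcert.sh never added and which browsers now require), and then runs the checks worth doing on the files before make install copies them into conf/: that server.key belongs to server.crt, that server.crt chains to ca.crt, and that the certificate names the host. It assumes an openssl binary (1.0 or later) on PATH; the DN fields and the host name www.itnavi.com are taken from the transcript above, and the output directory is whatever you pass in.

```shell
#!/bin/sh
# Added example (not part of the page or of mod_ssl's mkcert.sh): the
# equivalent of "make certificate TYPE=custom" with current OpenSSL
# parameters, plus the checks to run on the files before "make install".
# Assumes: an openssl binary (1.0 or later) on PATH.  The DN fields and
# the host name www.itnavi.com are taken from the page's transcript.

# Private CA (mkcert STEP 1-3): 2048-bit RSA and SHA-256 instead of the
# 1024-bit key mkcert.sh produced.  CA:TRUE/keyCertSign are set explicitly
# so the certificate is accepted as an issuer whatever openssl.cnf says.
# $1 = output directory
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/ca.key" \
        -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=ITNAVI.com/OU=Certificate Authority/CN=ITNAVI CA" \
        -out "$dir/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# Server key, CSR and CA-signed certificate (mkcert STEP 4-6).  Unlike
# mkcert.sh it adds a subjectAltName: browsers no longer match the host
# name against CN alone, so a CN-only certificate is rejected today.
# $1 = directory holding ca.key/ca.crt, $2 = server FQDN
make_server_cert() {
    dir=$1
    fqdn=$2
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/server.key" \
        -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=ITNAVI.com/OU=Webserver Team/CN=$fqdn" \
        -out "$dir/server.csr"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$fqdn" > "$dir/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# Check 1: key and certificate carry the same RSA modulus.  Catches the
# common mistake of pairing server.crt with the wrong server.key, which
# mod_ssl otherwise reports only when httpd starts.
# $1 = key file, $2 = certificate file
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the server certificate verifies against the CA certificate,
# the same test mkcert.sh shows as "server.crt: OK" in STEP 6.
# $1 = CA certificate, $2 = server certificate
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: the certificate names the host that will serve it.
# $1 = certificate file, $2 = FQDN expected as a DNS SAN
has_san() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -qF "DNS:$2"
}
```

    Source the file and call, for example, make_ca out; make_server_cert out www.itnavi.com; then key_matches_cert out/server.key out/server.crt && chain_ok out/ca.crt out/server.crt && has_san out/server.crt www.itnavi.com. The keys are written in clear here for brevity; the pass phrase handling of STEP 7 and 8 (openssl genrsa -aes256, or openssl rsa -aes256 on an existing key) applies before the files go into conf/ssl.key.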

  4. Finish editing httpd.conf, then check it with configtest.
    Because ./configure above was run as an ordinary user, APACI wrote httpd.conf with the unprivileged ports: change every occurrence of 8080 to 80 and every occurrence of 8443 to 443 (httpd is started as root below, so it may bind both).
    # /usr/local/apache/bin/apachectl configtest
    Syntax OK
    
    Syntax OK means httpd.conf parses; this is a syntax check only and does not start the server.

  5. Configure automatic start-up.
    Create the start-up script /etc/rc.d/init.d/httpd (Red Hat 7.3 style). It starts httpd with -DSSL so that the <IfDefine SSL> sections of httpd.conf take effect:
    /etc/rc.d/init.d/httpd
    #!/bin/sh
    #
    # Startup script for the Apache Web Server
    #
    # chkconfig: 345 85 15
    # description: Apache is a World Wide Web server.  It is used to serve \
    #	       HTML files and CGI.
    # processname: httpd
    # pidfile: /var/run/httpd.pid
    # config: /usr/local/apache/conf/access.conf
    # config: /usr/local/apache/conf/httpd.conf
    # config: /usr/local/apache/conf/srm.conf
    
    
    # Source function library.
    . /etc/rc.d/init.d/functions
    
    # See how we were called.
    case "$1" in
      start)
    	echo -n "Starting httpd: "
    	daemon /usr/local/apache/bin/httpd -DSSL
    	echo
    	touch /var/lock/subsys/httpd
    	;;
      stop)
    	echo -n "Shutting down http: "
    	killproc httpd
    	echo
    	rm -f /var/lock/subsys/httpd
    	rm -f /var/run/httpd.pid
    	;;
      status)
    	status httpd
    	;;
      restart)
    	$0 stop
    	$0 start
    	;;
      reload)
    	echo -n "Reloading httpd: "
    	killproc httpd -HUP
    	echo
    	;;
      *)
    	echo "Usage: $0 {start|stop|restart|reload|status}"
    	exit 1
    esac
    
    exit 0
    
    After creating the file, make it executable with chmod (mode 755).

  6. Set the run levels for httpd.
    # su -
    # chkconfig --add httpd
    # chkconfig --list httpd
    httpd           0:off   1:off   2:off   3:on    4:on    5:on    6:off
    

  7. Allow the SSL-enabled Apache to start without typing the pass phrase. (Not recommended)
    The init script above runs httpd through daemon with no terminal attached, so it cannot answer the pass phrase prompt; that is the only reason for this step. The cost is that server.key is then stored in clear: keep it owned by root with mode 0400, and keep the encrypted copy server.key.org so the pass phrase can be put back.
    # cd /usr/local/apache/conf/ssl.key/
    # cp -p server.key server.key.org
    # openssl rsa -in server.key.org -out server.key
    read RSA key
    Enter PEM pass phrase:
    writing RSA key
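    The script below is an added example, not code from this page or from mod_ssl: a safer way to carry out step 7. The file names follow the page (server.key, server.key.org); the second argument, an openssl -passin source such as file:/root/ssl-pass, is an assumption, and when it is omitted openssl prompts on the terminal exactly as above. It assumes an openssl binary on PATH and GNU or BSD stat. It keeps the encrypted copy from being overwritten on a second run, creates the decrypted file with mode 0600 before anything can read it, and ends with the 0400 mode a root-only key should have.

```shell
#!/bin/sh
# Added example (not from the page): a safer version of step 7.  Stripping
# the pass phrase is sometimes unavoidable, because the init script starts
# httpd through daemon, which cannot answer the prompt; what can be
# controlled is that the decrypted key never exists with loose permissions
# and that the encrypted copy is not overwritten on a second run.
# Assumes an openssl binary on PATH and GNU or BSD stat.  server.key.org
# follows the page; the -passin source in $2 is an assumption.

# $1 = encrypted key file (e.g. /usr/local/apache/conf/ssl.key/server.key)
# $2 = optional openssl -passin spec (e.g. "file:/root/ssl-pass"); when
#      omitted, openssl prompts on the terminal exactly as on the page.
strip_passphrase() {
    key=$1
    # Keep the encrypted original once; never clobber it with a decrypted
    # key if this function is run again.
    [ -f "$key.org" ] || cp -p "$key" "$key.org"
    # umask 077 in a subshell: the decrypted file is created mode 0600, so
    # there is no window in which it is group- or world-readable.
    if [ $# -ge 2 ]; then
        ( umask 077; openssl rsa -in "$key.org" -out "$key.tmp" -passin "$2" 2>/dev/null )
    else
        ( umask 077; openssl rsa -in "$key.org" -out "$key.tmp" )
    fi || { rm -f "$key.tmp"; return 1; }
    # Lock the mode down, then replace the key atomically with mv.
    chmod 400 "$key.tmp" && mv -f "$key.tmp" "$key"
}

# Reports whether the key still needs a pass phrase: an encrypted PEM
# private key carries either "Proc-Type: 4,ENCRYPTED" (traditional format)
# or a "BEGIN ENCRYPTED PRIVATE KEY" header (PKCS#8).
# $1 = key file; returns 0 when it is stored in clear
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# Returns 0 when the key is readable by its owner only (0400 or 0600);
# with the Apache tree owned by root that means root only.
# $1 = key file
key_mode_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case $mode in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}
```

    Run as root from /usr/local/apache/conf/ssl.key, strip_passphrase server.key replaces the page's cp/openssl pair, and key_is_unencrypted server.key && key_mode_ok server.key confirms the state the init script needs. The alternative that keeps the key encrypted on disk is mod_ssl's SSLPassPhraseDialog exec:/path/to/program, which calls a program of yours to print the pass phrase at start-up; it only moves the secret into that program's reach, so the same root-only permissions apply to it.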
    

  8. Start it.
    # /etc/rc.d/init.d/httpd start
    
    Browsers will warn that the server certificate comes from an unknown issuer, because ca.crt is self-signed (the "error 18 ... self signed certificate" line in STEP 3 is the same condition); importing ca.crt into the browser's trust store clears the warning for certificates issued by this CA.
    


Build environment
Apache 1.3.27 / PHP 4.3.0 / Red Hat Linux 7.3



This page is part 3 of the series "Building a web server with Apache":
  1. Install Apache
  2. Install PHP
  3. Use SSL with Apache
  4. User authentication (Basic authentication)
  5. User authentication (Digest authentication)
  6. Analyse access logs with Analog



Copyright(c) 1999-2017 ITNAVI.com