Monday, April 25, 2011

Configuring SSL for Virtual Hosts in an Apache 2.2.x Environment

This was actually an assignment from my teacher 林志民, for the online training system and the OpenID system. It took me 1.5 working days to finish. The setup is not quite the same as what can be found online, so I am recording it here.


1. Install and configure OpenSSL

cd /usr/ports/security/openssl

make install clean;rehash

Note that OpenSSL is now at version 1.0.0.x. This release is far more stable and compatible than the old 0.9.x.x versions.

ee /etc/rc.conf

Add: apache22_flags="-DSSL" and save the file.

2. Generate and install the certificate key (SSL key for Apache)

mkdir /usr/local/etc/apache22/ssl.key

mkdir /usr/local/etc/apache22/ssl.crt

chmod 0700 /usr/local/etc/apache22/ssl.key

chmod 0700 /usr/local/etc/apache22/ssl.crt

cd /root

openssl genrsa -des3 -out server.key 1024   # generate a 1024-bit RSA private key, server.key

The command prompts for a pass phrase (the original post shows a screenshot of this). Enter a password at the pass phrase prompt, then enter it once more to confirm.

openssl req -new -key server.key -out server.csr  # generate the certificate signing request server.csr from server.key

The command asks for the certificate subject fields (country, organization, Common Name and so on); the original post shows a screenshot of these prompts.

openssl x509 -req -days 730 -in /root/server.csr -signkey /root/server.key -out /root/server.crt # self-sign with server.key and produce server.crt

cp /root/server.key /usr/local/etc/apache22/ssl.key/  # copy the key and certificate into the apache22 certificate directories

cp /root/server.crt /usr/local/etc/apache22/ssl.crt/

chmod 0400 /usr/local/etc/apache22/ssl.key/server.key # restrict the file permissions

chmod 0400 /usr/local/etc/apache22/ssl.crt/server.crt

cd /usr/local/etc/apache22/ssl.key

cp server.key server.key.bak

openssl rsa -in server.key.bak -out server.key   # remove the pass phrase from the key; otherwise Apache asks for it on every restart

3. Configure the Apache configuration file -> httpd.conf

Remember: the mod_rewrite module must be installed first.

cd /usr/local/etc/apache22

ee httpd.conf

At the end of the configuration file, comment out the default "Virtual hosts" and "Secure (SSL/TLS) connections" Include lines entirely (if they were enabled earlier); if they were not, leave them at their default (commented out). Then add the following lines, where httpd-vhost-ssl.conf is a file you create yourself:

# Virtual host with SSL

Include etc/apache22/extra/httpd-vhost-ssl.conf

Save httpd.conf.

4. Create httpd-vhost-ssl.conf

cd /usr/local/etc/apache22/extra/

ee httpd-vhost-ssl.conf

Lines 1-41 are as follows; they are copied verbatim from part of httpd-ssl.conf.

##  SSL Global Context
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443
##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##
#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
#SSLPassPhraseDialog  builtin
#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache         "dbm:/usr/local/apache/logs/ssl_scache"
#SSLSessionCache        "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
#SSLSessionCacheTimeout  300
#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
#SSLMutex  "file:/usr/local/apache/logs/ssl_mutex"

Lines 44-69 configure the virtual hosts; replace xxx, yyy and zzz with your own values.

# Virtual Hosts
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
ServerAdmin XXX@wlps.kl.edu.tw
DocumentRoot "/usr/local/www/apache22/data/"
ServerName XXX.kl.edu.tw
</VirtualHost>

<VirtualHost *:80>
ServerAdmin zzz@wlps.kl.edu.tw
DocumentRoot "/home/zzz/public_html/"
ServerName zzz.kl.edu.tw
</VirtualHost>

<VirtualHost *:80>
ServerAdmin yyy@wlps.kl.edu.tw
DocumentRoot "/usr/local/www/apache22/data/yyy/"
ServerName yyy.kl.edu.tw
</VirtualHost>

Lines 71 to the end configure the VirtualHosts with SSL; replace yyy and zzz with your own values, and they must match the yyy and zzz used in lines 44-69.

# SSL (HTTPS) versions of the virtual hosts
<VirtualHost *:443>
ServerAdmin zzz@wlps.kl.edu.tw
DocumentRoot "/home/zzz/public_html/"
ServerName zzz.kl.edu.tw:443
#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
#   Server Certificate and Private Key:
#   If the key is not combined with the certificate, use
#   SSLCertificateKeyFile to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateFile /usr/local/etc/apache22/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/etc/apache22/ssl.key/server.key
</VirtualHost>

<VirtualHost *:443>
ServerAdmin yyy@wlps.kl.edu.tw
DocumentRoot "/usr/local/www/apache22/data/yyy/"
ServerName yyy.kl.edu.tw:443
#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
#   Server Certificate and Private Key:
#   If the key is not combined with the certificate, use
#   SSLCertificateKeyFile to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateFile /usr/local/etc/apache22/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/etc/apache22/ssl.key/server.key
</VirtualHost>

After saving, restart Apache -> /usr/local/etc/rc.d/apache22 restart
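The shell script below is an added example; it is not part of the original post or of the FreeBSD Apache port. It scripts the key, CSR and self-signed certificate steps of section 2 and then checks the section 4 configuration against the resulting certificate. It deliberately differs from the post in three places, each marked in the comments: a 2048-bit key instead of 1024-bit (1024-bit RSA is below what current browsers and CA baselines accept), AES-256 instead of 3DES for the pass-phrase-protected copy, and a subjectAltName on the certificate, because current browsers match hostnames against the SAN and ignore the CN. The hostnames zzz.kl.edu.tw and yyy.kl.edu.tw, the work directory and the pass phrase are constructed sample values. The last function covers the check a practitioner would want before restarting Apache: section 4 serves both zzz.kl.edu.tw and yyy.kl.edu.tw on port 443 with the same server.crt, and a certificate that names only one of them will raise a browser warning on the other (name-based SSL virtual hosts also need SNI, which Apache supports from 2.2.12 onward).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes: openssl in PATH and a
# writable scratch directory passed as the first argument. Hostnames and the
# pass phrase used with it are constructed sample values.
set -eu

# Section 2 of the post, scripted: pass-phrase-protected key -> CSR ->
# self-signed certificate, then a pass-phrase-free copy of the key so that
# apache22 can restart unattended. Deliberate differences from the post:
# 2048-bit key (not 1024), AES-256 (not 3DES), and a subjectAltName.
make_selfsigned() {
    dir=$1; host=$2; pass=$3
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/server.key.bak" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key.bak" -passin "pass:$pass" \
        -subj "/CN=$host" -out "$dir/server.csr" 2>/dev/null
    # Extension file so the self-signed certificate carries a SAN for the host.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 730 -in "$dir/server.csr" -signkey "$dir/server.key.bak" \
        -passin "pass:$pass" -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
    # Strip the pass phrase (the post's "openssl rsa -in server.key.bak -out server.key").
    openssl rsa -in "$dir/server.key.bak" -passin "pass:$pass" -out "$dir/server.key" 2>/dev/null
    chmod 0400 "$dir/server.key" "$dir/server.key.bak" "$dir/server.crt"
}

# Returns 0 if certificate $1 and (pass-phrase-free) private key $2 share the
# same RSA modulus, i.e. SSLCertificateFile and SSLCertificateKeyFile belong together.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1")
    k=$(openssl rsa -noout -modulus -in "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Returns 0 if file $1 is readable by its owner only (-r-------- or -rw-------),
# which is what the post's chmod 0400 on the key should leave behind.
owner_only() {
    case $(ls -ld "$1" | cut -c1-10) in
        -r--------|-rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the DNS names certificate $1 is valid for: SAN entries if present,
# otherwise the subject CN (older clients still fall back to the CN).
cert_names() {
    names=$(openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
    if [ -z "$names" ]; then
        names=$(openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    fi
    printf '%s\n' "$names"
}

# Prints every ServerName (":443" suffix stripped) found inside
# <VirtualHost *:443> blocks of configuration file $1.
ssl_vhost_names() {
    awk '/^<VirtualHost[^>]*:443>/ {in443=1}
         /^<\/VirtualHost>/ {in443=0}
         in443 && $1=="ServerName" {sub(/:[0-9]+$/, "", $2); print $2}' "$1"
}

# Returns 0 if every SSL ServerName in configuration $1 is covered by
# certificate $2; otherwise prints each uncovered name and returns 1.
cert_covers_config() {
    covered=$(cert_names "$2"); rc=0
    for n in $(ssl_vhost_names "$1"); do
        if ! printf '%s\n' "$covered" | grep -qxF "$n"; then
            printf 'not covered by certificate: %s\n' "$n"; rc=1
        fi
    done
    return $rc
}
```

Usage: source the file, call make_selfsigned with a scratch directory, a hostname and a pass phrase, then run cert_covers_config against your httpd-vhost-ssl.conf; a non-zero exit status lists the ServerNames the certificate does not name. key_matches_cert expects the pass-phrase-free server.key, which is the one Apache reads.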

5. Force all access to the virtual host to go through an encrypted connection (https)

ee /home/zzz/public_html/.htaccess

Add:

RewriteEngine On
RewriteBase /
Options +FollowSymLinks
RewriteRule ^id.server$ index.php/serve [L]
RewriteRule ^u/(.+)$ ?user=$1 [L]
RewriteRule ^xrds/(.+)$ ?xrds=$1 [L]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

Save the file.

chmod 440 /home/zzz/public_html/.htaccess # restrict the .htaccess permissions
