Category Archives: SSL
Nginx SSL Enable
Environment: Ubuntu 14.04 x64

Generate the key. The -des3 option encrypts the key file under a passphrase; it is stripped again further down, because nginx cannot answer a prompt at startup:

root@Wordpress:/tmp# openssl genrsa -des3 -out site.key 2048
Generating RSA private key, 2048 bit long modulus
..........................+++
....................................+++
e is 65537 (0x10001)
Enter pass phrase for site.key:
Verifying - Enter pass phrase for site.key:
Generate the CSR. The Distinguished Name values below are the post's own; the Common Name must be the FQDN the certificate is being requested for. Leave the challenge password blank: public CAs do not use it.

root@Wordpress:/tmp# openssl req -new -key site.key -out site.csr
Enter pass phrase for site.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taipei City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cowman
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:cowman.ip
Email Address []:cowman.chiang@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
cat the CSR and paste it into the CA's certificate request form:

root@Wordpress:/tmp# cat site.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC1DCCAbwCAQAwgY4xCzAJBgNVBAYTAlRXMQ8wDQYDVQQIDAZUYWl3YW4xFDAS
BgNVBAcMC1RhaXBlaSBDaXR5MQ8wDQYDVQQKDAZDb3dtYW4xCzAJBgNVBAsMAklU
MRIwEAYDVQQDDAljb3dtYW4uaXAxJjAkBgkqhkiG9w0BCQEWF2Nvd21hbi5jaGlh
bmdAZ21haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2oNl
FGzEzzpVSvFkwrYegC1VxoznmsPp2UrImb+w2M4ZLLuqdAqjhLs1atnPaQZsQlOF
wfbnbGvcdwULuIzU8o1o1v7KS7TmWfi7P3oYG5GBRq/j3QuOQEwQ1s0QFAnulso9
rAHCt4i1rFg8wNF6mEF1Ghd2DzzD8P7Ew+LCYq+C4G8yq44RD+WJ8DccA4OQfzou
mcstrRkXWmoYyrICepCE4eqxSdlNH3dyZbSmG4yKC1gQc60/Utm5o8lGynvS0pBh
PUx124eMsWz80wZ0xAkE6Ma24XgOHied3XuaiRfBi5/tql+wfEQBrIOZ0DJ1DAhN
J723zUMw9amQ8cF4zQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAGeLtDAWlgh6
ag+PP8YqXrxGSAkkyL8EKdrPEntgYEPIkKt9to+h0tKBCZ5kCvG4bL6V5zRhtx4f
ViqTzh9itOI3MDfvE5o8vxhed4jzevIifpKDONt0bAOC73STpv9+HCR+CMNX0Erf
tmhD+zuLwHcBl5qoZqaPQobPF1VR1U2jsGBZ2HTTamtjGcr0mkso3MO5QxcV8JkP
DwAc/PGn06zzKUyPeGPY2PE2xAppcof8B/WOYLvRx202YeoG6Cp1hLT94GoN+ef/
aDwd7WgaFpC1sXTnjoOlzpsxoovHmaJMTskncYkUZIsg4ZvhJnF9trqu9XlUKBh7
vDAfX3ZNzCs=
-----END CERTIFICATE REQUEST-----
As in the Apache post below, a Comodo certificate bought through Namecheap is the example. Choose nginx as the server type and you receive these four files:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
cowman_ip.crt

Generate ssl-bundle.crt. nginx has no separate chain directive: ssl_certificate takes a single file that holds the server certificate first and then the intermediates in issuing order, so that each certificate's issuer is the next certificate in the file. COMODORSADomainValidationSecureServerCA is the issuer of cowman_ip.crt and is itself issued by COMODORSAAddTrustCA, so the two intermediates go in that order (the reverse order is a common mistake; nginx serves the file as-is and clients that do not reorder the chain reject it). Use > rather than >> so a second run does not append a second copy:

cat cowman_ip.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

The root (AddTrustExternalCARoot.crt) is already in clients' trust stores, so it may be left out of the bundle; including it only adds bytes to every handshake.
Remove the passphrase requirement so nginx can load the key without a prompt. From here on the unencrypted file is the only thing protecting the site's identity: keep it readable by root only (chmod 600) and move it out of a world-readable directory such as /tmp:

root@Wordpress:/tmp# openssl rsa -in site.key -out site-nopass.key
Enter pass phrase for site.key:
writing RSA key
Edit the nginx configuration, here /etc/nginx/sites-enabled/default, and put the TLS settings into the same server block that serves port 80. The key must be the passphrase-less file generated above (site-nopass.key). SSLv3 is dropped from ssl_protocols (POODLE), and TLSv1/TLSv1.1 are deprecated, which leaves TLSv1.2, the newest protocol nginx with the Ubuntu 14.04 OpenSSL 1.0.1 supports. ssl_ciphers takes one cipher string; the original line pasted two alternatives joined by "or", so only the stricter one is kept:

root@Wordpress:/tmp# vim /etc/nginx/sites-enabled/default
server {
    #listen 80 default_server;
    #listen [::]:80 default_server ipv6only=on;
    listen 80;
    listen 443 ssl default_server;

    ssl_certificate     /opt/local/nginx/conf/certs/ssl-bundle.crt;
    ssl_certificate_key /opt/local/nginx/conf/certs/site-nopass.key;

    ssl_protocols TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    # rest of the server block (root, index, location) unchanged
}
Test the configuration and restart nginx:

nginx -t
service nginx restart

Then, from another host, confirm the chain is served in order and validates; the Certificate chain section must list the server certificate first and each issuer after it, ending in "Verify return code: 0 (ok)":

openssl s_client -connect cowman.ip:443 -servername cowman.ip -showcerts < /dev/null
Posted in Nginx, SSL, Ubuntu
Apache SSL Enable
Environment: CentOS 5.x i386

Generate the key (the passphrase set here is removed again below):

[root@Web test]# openssl genrsa -des3 -out site.key 2048
Generating RSA private key, 2048 bit long modulus
............+++
..................+++
e is 65537 (0x10001)
Enter pass phrase for site.key:
Verifying - Enter pass phrase for site.key:
Generate the CSR:

[root@Web test]# openssl req -new -key site.key -out site.csr
Enter pass phrase for site.key:    # the passphrase chosen when the key was generated
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei City
Organization Name (eg, company) [My Company Ltd]:Cowman
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:Cowman.ip
Email Address []:cowman.chiang@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    # press Enter to skip
An optional company name []:    # press Enter to skip
cat the CSR and paste it into the certificate request form on the CA's site:

[root@Web test]# cat site.csr    # copy everything below into the request form
-----BEGIN CERTIFICATE REQUEST-----
MIIC1DCCAbwCAQAwgY4xCzAJBgNVBAYTAlRXMQ8wDQYDVQQIEwZUYWl3YW4xFDAS
BgNVBAcTC1RhaXBlaSBDaXR5MQ8wDQYDVQQKEwZDb3dtYW4xCzAJBgNVBAsTAklU
MRIwEAYDVQQDEwlDb3dtYW4uaXAxJjAkBgkqhkiG9w0BCQEWF2Nvd21hbi5jaGlh
bmdAZ21haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuUwx
YtxHedYFykUgJuhtKGF0UuzPZ195QW9imVbFy0hT3Qt9YLKrmVESTFXxcdcLI6ty
uSB3kZbnsOBr7XgGezso/lsY3dEprUplyYOXkKZsYXl7n4l7KU7nf7siGW0QY6xS
oq1+7IIWa7Z9sKfdYUU9BsmH4c3YduuTa4WKdhOtn1RfSmqr5Gt+i35WZXc2/NUo
efTHqsTmICh26eLjCmqrjgLfnSK9FpSa5q7nKbvK9s5q9Qae3vpECgJRf1klP1cS
kBUTBoa6f46Wx+nWG/+QFpsW95w84RxxAIuUsTW2VcG6Ay6Q8TDEncj7iQ0TpJnh
M3BCaepcnRVB7pNmYQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBACmQWu30vr1v
UuFxszR6ZUC3e25EEwCNg5UNh8iG9abauiE2K7l9lVWPicYdoZ1GjWGT13zMslwC
4c8nxvBKZfh4QGw5ALJvb1SZhvO/OMjPGCfQjuWRza44nNaaKi+BtCVHtglqvxTP
EXpCODWd+E9x5NCzKyXLGXJpT3rDg4Ov1QaGNMtNByQLD+SgsoTR+yS+RcxwS11Y
Ul26LrxnrbUvkwMV0/OWvbNREKSv3RsfjMWVsAtVwmdkRKlUNAFXMIOvAwmSImd/
+0ya5gEv4M+JVWWYy6vEnUOV333eR9tR4eCw7YO862TFdic9+4OPhVFpKeWJLANz
wQ4uUOWkuPA=
-----END CERTIFICATE REQUEST-----
Using a Comodo certificate from Namecheap as the example, choose "Apache + mod_ssl" as the server type; two files come back by mail:

cowman_ip.ca-bundle
cowman_ip.crt

The .ca-bundle holds the CA's intermediates, already in issuing order, and is used unchanged as the chain file below. Install mod_ssl:

yum install mod_ssl
Remove the passphrase requirement so httpd can load the key at startup without a prompt (the unencrypted key should be readable by root only):

[root@Web test]# openssl rsa -in site.key -out site-nopass.key
Enter pass phrase for site.key:
writing RSA key
Edit the Apache configuration, in this example /etc/httpd/conf.d/ssl.conf. The three file directives point at the certificate, the passphrase-less key and the CA's intermediate bundle. SSLProtocol is added to disable SSLv2 and SSLv3 (POODLE); on CentOS 5, whose OpenSSL 0.9.8 goes no higher than TLSv1, that leaves TLSv1 only, and a newer platform should restrict further. The stock ssl.conf cipher list admits LOW-grade suites, so it is also replaced:

[root@Web test]# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
    SSLHonorCipherOrder on
    SSLCertificateFile      /etc/httpd/certs/cowman_ip.crt
    SSLCertificateKeyFile   /etc/httpd/certs/site-nopass.key
    SSLCertificateChainFile /etc/httpd/certs/cowman_ip.ca-bundle
    # rest of the stock ssl.conf virtual host unchanged
</VirtualHost>
Redirect http to https by appending the following to /etc/httpd/conf/httpd.conf (the stock CentOS httpd.conf already loads mod_rewrite). The R=301 flag makes the redirect permanent and L stops further rule processing; without R the rule still redirects, because the substitution is an absolute URL, but as a temporary 302. Note that %{HTTP_HOST} is whatever Host header the client sent; if the server answers for a single name, redirecting to that name instead is stricter:

[root@Web test]# vim /etc/httpd/conf/httpd.conf
# append at the end
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Restart Apache:

service httpd restart

!! Remember to check the iptables firewall rules: 443/tcp must be accepted, not only 80/tcp (iptables -L INPUT -n shows the current rules).
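Both posts generate the key and CSR interactively, hand-assemble the chain file, and restart the web server without checking the result. The script below is an added example, not code from the original posts: it does the key and CSR steps non-interactively, adds a subjectAltName to the CSR (browsers match the hostname against the SAN, not the Common Name), and adds two checks that apply to the nginx ssl-bundle.crt and the Apache ca-bundle alike: that the CSR was made from the key the server will load, and that a bundle is ordered leaf first, then each issuer in turn. The hostnames, the scratch directory, and the throwaway root/intermediate chain it builds so the checks can run offline are constructed assumptions; a real deployment uses the files the CA returns.

```shell
#!/bin/sh
# Added example, not part of the original posts. Needs only the openssl CLI.
# Hypothetical names: cowman.ip is the posts' host; WORKDIR is a scratch dir.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# 1. Private key. The posts create it with -des3 and then strip the passphrase
#    with `openssl rsa`; generating it unencrypted gives the same end state.
#    chmod 600: the unencrypted key is the site's whole identity.
make_key() {
  openssl genrsa -out "$WORKDIR/site.key" 2048 2>/dev/null
  chmod 600 "$WORKDIR/site.key"
}

# 2. CSR with the DN on the command line instead of the prompts, plus a
#    subjectAltName via -config/-reqexts (works on old OpenSSL as well).
make_csr() {
  cat > "$WORKDIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[san]
subjectAltName = DNS:cowman.ip, DNS:www.cowman.ip
EOF
  openssl req -new -key "$WORKDIR/site.key" -out "$WORKDIR/site.csr" \
    -subj "/C=TW/ST=Taiwan/L=Taipei City/O=Cowman/OU=IT/CN=cowman.ip" \
    -config "$WORKDIR/req.cnf" -reqexts san 2>/dev/null
}

# Check 1: the CSR pasted into the CA's form must come from the key the
# server will load. Same RSA modulus => same key pair. Returns 0 on a match.
key_matches_csr() {
  k=$(openssl rsa -noout -modulus -in "$1")
  c=$(openssl req -noout -modulus -in "$2")
  [ "$k" = "$c" ]
}

# Print the i-th PEM certificate (1-based) of a bundle.
nth_cert() {
  awk -v want="$2" '/BEGIN CERTIFICATE/{n++} n==want{print}' "$1"
}

# Check 2: a chain file (nginx ssl-bundle.crt, Apache ca-bundle) must run
# leaf -> intermediate(s) -> root, i.e. each certificate's issuer is the
# subject of the next one. Returns 0 when ordered, 1 at the first break.
bundle_in_order() {
  n=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
  [ "$n" -ge 1 ] || return 1
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer)
    subject=$(nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    i=$((i + 1))
  done
  return 0
}

# Constructed fixture: a throwaway root -> intermediate -> leaf chain so the
# checks can be exercised offline. Run after make_csr (signs site.csr).
make_test_chain() {
  d="$WORKDIR/ca"; mkdir -p "$d"
  printf 'basicConstraints=CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$d/root.key" \
    -out "$d/root.crt" -subj "/CN=Test Root" -config "$WORKDIR/req.cnf" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" \
    -out "$d/int.csr" -subj "/CN=Test Intermediate" -config "$WORKDIR/req.cnf" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.crt" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" \
    -out "$d/int.crt" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORKDIR/site.csr" -CA "$d/int.crt" \
    -CAkey "$d/int.key" -CAcreateserial -out "$d/leaf.crt" 2>/dev/null
  # The order nginx/Apache need, and a mis-ordered bundle (root before the
  # intermediate) of the kind a wrong cat order produces.
  cat "$d/leaf.crt" "$d/int.crt" "$d/root.crt" > "$WORKDIR/ssl-bundle.crt"
  cat "$d/leaf.crt" "$d/root.crt" "$d/int.crt" > "$WORKDIR/ssl-bundle-wrong.crt"
}

# Stand-alone run (`sh check-ssl.sh run`): build everything, report each check.
if [ "${1:-}" = "run" ]; then
  make_key && make_csr && make_test_chain
  key_matches_csr "$WORKDIR/site.key" "$WORKDIR/site.csr" && echo "key/CSR: match"
  bundle_in_order "$WORKDIR/ssl-bundle.crt" && echo "ssl-bundle.crt: in order"
  bundle_in_order "$WORKDIR/ssl-bundle-wrong.crt" || echo "ssl-bundle-wrong.crt: OUT OF ORDER"
fi
```

For a real certificate, point key_matches_csr at the key the server configuration names and the CSR you submitted, and bundle_in_order at the ssl-bundle.crt (nginx) or the .ca-bundle prefixed with the server certificate (Apache) before restarting; the comparison of issuer and subject strings tolerates the different "issuer=" formatting of OpenSSL 1.0 and 1.1/3.0.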
Posted in Apache, CentOS, SSL