by Bondoff (20-02-2005)
Installing Apache with SSL/TLS support
The first step we have to take, as we said in Part I, is to install the Apache 2 web server and to create a user and a group named "apache" on the system. Before running ./configure with the appropriate options, I want to stress the options "--enable-ssl" and "--enable-setenvif": besides mod_ssl, they also let you enable the mod_setenvif module, which is needed for the server to be compatible with some versions of MS Internet Explorer.
./configure \
--prefix=/usr/local/apache2 \
--with-mpm=prefork \
--enable-ssl \
--disable-charset-lite \
--disable-include \
--disable-env \
--enable-setenvif \
--disable-status \
--disable-autoindex \
--disable-asis \
--disable-cgi \
--disable-negotiation \
--disable-imap \
--disable-actions \
--disable-userdir \
--disable-alias \
--disable-so
After configuration, the standard procedure follows:
make
su
umask 022
make install
chown -R root:sys /usr/local/apache2
Configuring SSL/TLS
Before starting Apache for the first time we naturally have to configure it, and we will also create a small web page for running tests. To begin, run the following (as root):
umask 022
mkdir /www
echo "Test \
Test works." > /www/index.html
chown -R root:sys /www
Next comes the contents of the configuration file, httpd.conf, in the conf directory under the ServerRoot set below:
# =================================================
# Basic settings
# =================================================
User apache
Group apache
ServerAdmin webmaster@www.seccure.lab
ServerName www.seccure.lab
UseCanonicalName Off
ServerSignature Off
HostnameLookups Off
ServerTokens Prod
ServerRoot "/usr/local/apache2"
DocumentRoot "/www"
PidFile /usr/local/apache2/logs/httpd.pid
ScoreBoardFile /usr/local/apache2/logs/httpd.scoreboard
DirectoryIndex index.html
# =================================================
# HTTP and performance settings
# =================================================
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 30
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 0
# =================================================
# Access control
# =================================================
# Deny access to the whole filesystem by default; allow only the document root
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/www">
    Order allow,deny
    Allow from all
</Directory>
# =================================================
# MIME encoding
# =================================================
TypesConfig /usr/local/apache2/conf/mime.types
DefaultType text/plain
AddEncoding x-compress .Z
AddEncoding x-gzip .gz .tgz
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-tar .tgz
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# =================================================
# Logs
# =================================================
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ErrorLog /usr/local/apache2/logs/error_log
CustomLog /usr/local/apache2/logs/access_log combined
CustomLog logs/ssl_request_log \
"%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
%{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %b"
# =================================================
# SSL/TLS settings
# =================================================
Listen 0.0.0.0:443
SSLEngine on
SSLOptions +StrictRequire
# Require SSL for every resource (SSLRequireSSL is only valid in a directory context)
<Directory />
    SSLRequireSSL
</Directory>
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
SSLMutex file:/usr/local/apache2/logs/ssl_mutex
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
SSLSessionCacheTimeout 600
SSLPassPhraseDialog builtin
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
SSLVerifyClient none
SSLProxyEngine off
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
Note: you will of course need to change some of the settings in the file, such as the web server name, the administrator's e-mail, and so on.
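As an added check, not part of the original article or of the Apache project, the following POSIX shell script audits an httpd.conf against the directive values used in the configuration above. It runs on a constructed sample file in which two values deliberately differ (ServerTokens and ServerSignature) so the report shows what a deviation looks like; the sample path under $TMPDIR is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): audit an httpd.conf for the
# hardening directives used in the configuration above. Needs only sh and awk.

# Constructed sample httpd.conf; ServerSignature and ServerTokens deliberately
# deviate from the article's values so the audit has something to report.
SAMPLE_CONF="${TMPDIR:-/tmp}/httpd-audit-sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
User apache
Group apache
ServerSignature On
HostnameLookups Off
ServerTokens Full
SSLEngine on
SSLOptions +StrictRequire
SSLProtocol -all +TLSv1 +SSLv3
SSLVerifyClient none
SSLProxyEngine off
EOF

# "Directive value" pairs taken from the article's configuration.
EXPECTED="User apache
Group apache
ServerSignature Off
HostnameLookups Off
ServerTokens Prod
SSLEngine on
SSLOptions +StrictRequire
SSLVerifyClient none
SSLProxyEngine off"

# conf_value FILE DIRECTIVE -> value of the last (effective) occurrence, nothing if absent
conf_value() {
    awk -v d="$2" '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        tolower($1) == tolower(d) { v = $2 }      # later occurrence wins, as in Apache
        END { if (v != "") print v }' "$1"
}

# audit_conf FILE -> one line per deviation from EXPECTED (no output = clean)
audit_conf() {
    printf '%s\n' "$EXPECTED" | while read -r directive want; do
        have=$(conf_value "$1" "$directive")
        if [ -z "$have" ]; then
            printf 'MISSING  %-18s expected %s\n' "$directive" "$want"
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %-18s is %s, expected %s\n' "$directive" "$have" "$want"
        fi
    done
}

# audit_count FILE -> number of deviations found
audit_count() { audit_conf "$1" | wc -l | tr -d ' '; }

echo "Auditing $SAMPLE_CONF:"
audit_conf "$SAMPLE_CONF"
echo "Deviations: $(audit_count "$SAMPLE_CONF")"
```

To audit a real installation, call audit_conf /usr/local/apache2/conf/httpd.conf instead of the sample file; remove the sample file when done. Directives that take more than one argument (SSLProtocol, SSLCipherSuite) are not covered by the simple value comparison and should be checked by hand.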
Then create the directories for the keys, certificates and revocation lists:
umask 022
mkdir /usr/local/apache2/conf/ssl.key
mkdir /usr/local/apache2/conf/ssl.crt
mkdir /usr/local/apache2/conf/ssl.crl
and generate a self-signed test certificate, valid for 30 days:
openssl req \
-new \
-x509 \
-days 30 \
-keyout /usr/local/apache2/conf/ssl.key/server.key \
-out /usr/local/apache2/conf/ssl.crt/server.crt \
-subj '/CN=Test-Only Certificate'
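The command above prompts for a pass phrase for the new key (which is why the configuration sets SSLPassPhraseDialog builtin). The script below is an added example, not from the original article: it produces the same kind of 30-day self-signed test certificate non-interactively (-nodes, so the key is stored unencrypted and relies on file permissions instead), writes it to a scratch directory rather than the conf/ssl.* directories, and reads the result back with openssl x509 to confirm the subject, that it is self-signed, and that it expires in about 30 days. The scratch path and the 2048-bit key size are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): create a 30-day self-signed
# test certificate without prompts and verify the result before installing it.

WORK="${TMPDIR:-/tmp}/apache-ssl-test.$$"   # scratch directory (assumed path)

# make_test_cert DIR DAYS -> DIR/server.key (mode 0400, unencrypted) and DIR/server.crt
make_test_cert() (
    umask 077                      # subshell body: the restrictive umask stays local
    mkdir -p "$1"
    rm -f "$1/server.key" "$1/server.crt"
    openssl req -new -x509 -days "$2" -nodes -newkey rsa:2048 \
        -keyout "$1/server.key" -out "$1/server.crt" \
        -subj '/CN=Test-Only Certificate' 2>/dev/null
    chmod 0400 "$1/server.key"
)

# cert_cn CRT -> the CN of the certificate subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# cert_is_self_signed CRT -> true when issuer and subject are identical
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer//')
    [ "$s" = "$i" ]
}

# cert_valid_for_days CRT DAYS -> true when the certificate will not expire within DAYS
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_mode KEY -> the permission string shown by ls, e.g. -r--------
key_mode() { ls -l "$1" | cut -c1-10; }

if command -v openssl >/dev/null 2>&1; then
    make_test_cert "$WORK" 30
    echo "subject CN : $(cert_cn "$WORK/server.crt")"
    cert_is_self_signed "$WORK/server.crt" && echo "self-signed: yes"
    cert_valid_for_days "$WORK/server.crt" 29 && echo "valid for  : at least 29 more days"
    cert_valid_for_days "$WORK/server.crt" 31 || echo "expires    : within 31 days, as intended for a test cert"
    echo "key mode   : $(key_mode "$WORK/server.key")"
    openssl x509 -in "$WORK/server.crt" -noout -dates
else
    echo "openssl not found; nothing generated" >&2
fi
```

Once the output looks right, copy server.key and server.crt into the ssl.key and ssl.crt directories created above and delete the scratch directory. The 0400 mode matters because a key created with -nodes has no pass phrase protecting it.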
We'll stop here for now. In the last part of the article you will see how the server is tested, and we will point out some methods for finding and fixing errors.
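Testing is left for the final part, but the ssl_request_log defined in the configuration above (%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x "%r" %b) already records which protocol and cipher every client negotiated. The awk-based script below is an added example, not from the original article: it summarizes connections per protocol, lists the clients that negotiated SSLv3 (worth knowing before deciding whether +SSLv3 can be dropped from SSLProtocol) and flags entries whose symmetric key size falls below a threshold. The log lines are constructed and use documentation addresses; with the SSLCipherSuite above, a 56-bit cipher should never be negotiated, so such an entry points at a server running a different configuration.

```shell
#!/bin/sh
# Added example (not from the original article): summarize Apache's
# ssl_request_log in the format defined in the configuration above.
# Field layout: $1-$2 = %t (two words), $3 = client, $4 = %{HTTPS}x,
# $5 = protocol, $6 = cipher, $7 = symmetric key bits, $8 = client-verify
# status, then the quoted request line and finally the byte count.

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG="${TMPDIR:-/tmp}/ssl_request_log.sample"
cat > "$SAMPLE_LOG" <<'EOF'
[20/Feb/2005:10:15:32 +0200] 192.0.2.10 on TLSv1 AES256-SHA 256 NONE "GET /index.html HTTP/1.1" 23
[20/Feb/2005:10:16:01 +0200] 192.0.2.11 on SSLv3 RC4-MD5 128 NONE "GET /index.html HTTP/1.0" 23
[20/Feb/2005:10:16:45 +0200] 192.0.2.12 on TLSv1 DES-CBC-SHA 56 NONE "GET / HTTP/1.1" 23
[20/Feb/2005:10:17:10 +0200] 192.0.2.10 on TLSv1 AES256-SHA 256 NONE "POST /login HTTP/1.1" 512
[20/Feb/2005:10:18:03 +0200] 192.0.2.13 on SSLv3 AES128-SHA 128 NONE "GET /index.html HTTP/1.1" 23
EOF

# protocol_counts LOG -> "<protocol> <connections>" per protocol, sorted by name
protocol_counts() {
    awk '{ n[$5]++ } END { for (p in n) print p, n[p] }' "$1" | sort
}

# sslv3_clients LOG -> distinct client addresses that negotiated SSLv3
sslv3_clients() {
    awk '$5 == "SSLv3" { print $3 }' "$1" | sort -u
}

# weak_cipher_entries LOG MINBITS -> "<client> <cipher> <bits>" for key sizes below MINBITS
weak_cipher_entries() {
    awk -v min="$2" '$7 + 0 < min { print $3, $6, $7 }' "$1"
}

echo "Connections per protocol:"
protocol_counts "$SAMPLE_LOG"
echo "Clients still negotiating SSLv3:"
sslv3_clients "$SAMPLE_LOG"
echo "Entries with a symmetric key below 128 bits:"
weak_cipher_entries "$SAMPLE_LOG" 128
```

Point the functions at /usr/local/apache2/logs/ssl_request_log to run them against the real log; the field positions only hold for the exact LogFormat above, so adjust the awk field numbers if the format is changed.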