“UbuntuHelp:Forum/server/apache2/SSL”的版本间的差异
来自Ubuntu中文
小 |
小 |
||
| 第1行: | 第1行: | ||
{{From|https://help.ubuntu.com/community/forum/server/apache2/SSL}} | {{From|https://help.ubuntu.com/community/forum/server/apache2/SSL}} | ||
{{Languages|UbuntuHelp:forum/server/apache2/SSL}} | {{Languages|UbuntuHelp:forum/server/apache2/SSL}} | ||
| + | == SSL Install Method == | ||
| + | The instructions/software in this HOWTO is being repalaced with a more advanced software/instructions found at official [https://help.ubuntu.com/7.10/server/C/httpd.html#https-configuration Server Guide] | ||
| + | Note: The current server 7.10 guide for SSL has bugs/errors in the documentations and needs to be fixed.e.g. +CompatEnvVars | ||
=== Apache2 SSL === | === Apache2 SSL === | ||
| − | This guide will help you setup SSL with apache2. | + | This guide will help you setup SSL with apache2. |
For an introduction to [[UbuntuHelp:OpenSSL|OpenSSL]] see: https://help.ubuntu.com/community/OpenSSL | For an introduction to [[UbuntuHelp:OpenSSL|OpenSSL]] see: https://help.ubuntu.com/community/OpenSSL | ||
The following bugs are related to this documentation: | The following bugs are related to this documentation: | ||
| 第10行: | 第13行: | ||
|<code><nowiki>debian</nowiki></code>|| http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=398520 | |<code><nowiki>debian</nowiki></code>|| http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=398520 | ||
|} | |} | ||
| − | ==== | + | Note:The bugs listed above refer to the depreciation of the package '''apache2-ssl-certificate'''. This package creates SSL certificates but has been dropped as of ''feisty'' and above. Most documentions related to Apache and SSL has required '''apache2-ssl-certificate''' package and has caused lots of problems getting apache and SSL to work. |
| − | '''Since Ubuntu 7.04, certificate creation has been changed:''' | + | === Setup up Apache and SSL === |
| + | ==== Ubuntu 7.10 ==== | ||
| + | ----- | ||
| + | Select LAMP | ||
| + | <pre><nowiki> | ||
| + | tasksel | ||
| + | </nowiki></pre> | ||
| + | '''or''' | ||
| + | <pre><nowiki> | ||
| + | sudo apt-get install apache2 | ||
| + | </nowiki></pre> | ||
| + | ===== Create a Certificate ===== | ||
| + | <pre><nowiki> | ||
| + | sudo apt-get install ssl-cert | ||
| + | </nowiki></pre> | ||
| + | <pre><nowiki> | ||
| + | sudo mkdir /etc/apache2/ssl | ||
| + | </nowiki></pre> | ||
| + | Hardcoding cert lifetime based on this patch: | ||
| + | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=293821#22 | ||
| + | <pre><nowiki> | ||
| + | sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem | ||
| + | </nowiki></pre> | ||
| + | (Answer questions) | ||
| + | ===== Install Module ===== | ||
| + | The mod_ssl module adds an important feature to the Apache2 server - the ability to encrypt communications. Thus, when your browser is communicating using SSL encryption, the https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the browser navigation bar. | ||
| + | <pre><nowiki> | ||
| + | sudo a2enmod ssl | ||
| + | </nowiki></pre> | ||
| + | <pre><nowiki> | ||
| + | /etc/init.d/apache2 force-reload | ||
| + | </nowiki></pre> | ||
| + | ===== Create virtualhost ===== | ||
| + | Make a copy of the default virtualhost | ||
| + | <pre><nowiki> | ||
| + | sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl | ||
| + | </nowiki></pre> | ||
| + | Modify it so it looks something like this | ||
| + | <pre><nowiki> | ||
| + | sudo nano -w /etc/apache2/sites-available/ssl | ||
| + | </nowiki></pre> | ||
| + | <pre><nowiki> | ||
| + | NameVirtualHost *:443 | ||
| + | <virtualhost *:443> | ||
| + | ServerAdmin webmaster@localhost | ||
| + | |||
| + | SSLEngine On | ||
| + | SSLCertificateFile /etc/apache2/ssl/apache.pem | ||
| + | |||
| + | DocumentRoot /var/www/ | ||
| + | <directory /> | ||
| + | Options FollowSymLinks | ||
| + | AllowOverride None | ||
| + | </directory> | ||
| + | |||
| + | <directory /var/www/> | ||
| + | Options Indexes FollowSymLinks MultiViews | ||
| + | AllowOverride None | ||
| + | Order allow,deny | ||
| + | allow from all | ||
| + | # This directive allows us to have apache2's default start page | ||
| + | # in /apache2-default/, but still have / go to the right place | ||
| + | # Commented out for Ubuntu | ||
| + | #RedirectMatch ^/$ /apache2-default/ | ||
| + | </directory> | ||
| + | |||
| + | ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ | ||
| + | <directory "/usr/lib/cgi-bin"> | ||
| + | AllowOverride None | ||
| + | Options ExecCGI -MultiViews +SymLinksIfOwnerMatch | ||
| + | Order allow,deny | ||
| + | Allow from all | ||
| + | </directory> | ||
| + | |||
| + | ErrorLog /var/log/apache2/error.log | ||
| + | |||
| + | # Possible values include: debug, info, notice, warn, error, crit, | ||
| + | # alert, emerg. | ||
| + | LogLevel warn | ||
| + | |||
| + | CustomLog /var/log/apache2/access.log combined | ||
| + | ServerSignature On | ||
| + | |||
| + | Alias /doc/ "/usr/share/doc/" | ||
| + | <directory "/usr/share/doc/"> | ||
| + | Options Indexes MultiViews FollowSymLinks | ||
| + | AllowOverride None | ||
| + | Order deny,allow | ||
| + | Deny from all | ||
| + | Allow from 127.0.0.0/255.0.0.0 ::1/128 | ||
| + | </directory> | ||
| + | |||
| + | </virtualhost> | ||
| + | </nowiki></pre> | ||
| + | Enable SSL virtualhost | ||
| + | <pre><nowiki> | ||
| + | sudo a2ensite ssl | ||
| + | </nowiki></pre> | ||
| + | <pre><nowiki> | ||
| + | /etc/init.d/apache2 reload | ||
| + | </nowiki></pre> | ||
| + | don't forget to modify | ||
| + | <pre><nowiki> | ||
| + | sudo nano -w /etc/apache2/sites-available/default | ||
| + | </nowiki></pre> | ||
| + | <pre><nowiki> | ||
| + | NameVirtualHost *:80 | ||
| + | <virtualhost *:80> | ||
| + | </nowiki></pre> | ||
| + | Restart Apache server | ||
| + | <pre><nowiki> | ||
| + | sudo /etc/init.d/apache2 restart | ||
| + | </nowiki></pre> | ||
| + | ==== Ubuntu 7.04 ==== | ||
| + | ----- | ||
| + | ''' Since Ubuntu 7.04, certificate creation has been changed:''' | ||
https://bugs.launchpad.net/debian/+source/apache2/+bug/77675/comments/25 | https://bugs.launchpad.net/debian/+source/apache2/+bug/77675/comments/25 | ||
| − | Old fashioned way: | + | ==== Old fashioned way: ==== |
| + | ----- | ||
Create a certificate which are valid for a year. | Create a certificate which are valid for a year. | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo apache2-ssl-certificate -days 365 | sudo apache2-ssl-certificate -days 365 | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | ==== Enable the SSL module ==== | + | ===== Enable the SSL module ===== |
<pre><nowiki> | <pre><nowiki> | ||
sudo a2enmod ssl | sudo a2enmod ssl | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | ==== Listen to port 443 ==== | + | ===== Listen to port 443 ===== |
<pre><nowiki> | <pre><nowiki> | ||
echo "Listen 443" | sudo tee -a /etc/apache2/ports.conf | echo "Listen 443" | sudo tee -a /etc/apache2/ports.conf | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | ==== Create and enable the SSL site ==== | + | ===== Create and enable the SSL site ===== |
<pre><nowiki> | <pre><nowiki> | ||
sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl | sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl | ||
| 第95行: | 第214行: | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | ==== Mod rewrite ==== | + | ===== Mod rewrite ===== |
It's often desirable to force users to access things like webmail via https. This can be accomplished with mod_rewrite. | It's often desirable to force users to access things like webmail via https. This can be accomplished with mod_rewrite. | ||
First you'll have to enable the module | First you'll have to enable the module | ||
2008年4月23日 (三) 10:44的版本
 |
点击翻译: |
English |
SSL Install Method
The instructions/software in this HOWTO is being repalaced with a more advanced software/instructions found at official Server Guide Note: The current server 7.10 guide for SSL has bugs/errors in the documentations and needs to be fixed.e.g. +CompatEnvVars
Apache2 SSL
This guide will help you setup SSL with apache2. For an introduction to OpenSSL see: https://help.ubuntu.com/community/OpenSSL The following bugs are related to this documentation:
ubuntu |
https://launchpad.net/ubuntu/+source/apache2/+bug/77675 |
debian |
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=398520 |
Note:The bugs listed above refer to the depreciation of the package apache2-ssl-certificate. This package creates SSL certificates but has been dropped as of feisty and above. Most documentions related to Apache and SSL has required apache2-ssl-certificate package and has caused lots of problems getting apache and SSL to work.
Setup up Apache and SSL
Ubuntu 7.10
Select LAMP
tasksel
or
sudo apt-get install apache2
Create a Certificate
sudo apt-get install ssl-cert
sudo mkdir /etc/apache2/ssl
Hardcoding cert lifetime based on this patch: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=293821#22
sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
(Answer questions)
Install Module
The mod_ssl module adds an important feature to the Apache2 server - the ability to encrypt communications. Thus, when your browser is communicating using SSL encryption, the https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the browser navigation bar.
sudo a2enmod ssl
/etc/init.d/apache2 force-reload
Create virtualhost
Make a copy of the default virtualhost
sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
Modify it so it looks something like this
sudo nano -w /etc/apache2/sites-available/ssl
NameVirtualHost *:443 <virtualhost *:443> ServerAdmin webmaster@localhost SSLEngine On SSLCertificateFile /etc/apache2/ssl/apache.pem DocumentRoot /var/www/ <directory /> Options FollowSymLinks AllowOverride None </directory> <directory /var/www/> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all # This directive allows us to have apache2's default start page # in /apache2-default/, but still have / go to the right place # Commented out for Ubuntu #RedirectMatch ^/$ /apache2-default/ </directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <directory "/usr/lib/cgi-bin"> AllowOverride None Options ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </directory> ErrorLog /var/log/apache2/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog /var/log/apache2/access.log combined ServerSignature On Alias /doc/ "/usr/share/doc/" <directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 </directory> </virtualhost>
Enable SSL virtualhost
sudo a2ensite ssl
/etc/init.d/apache2 reload
don't forget to modify
sudo nano -w /etc/apache2/sites-available/default
NameVirtualHost *:80 <virtualhost *:80>
Restart Apache server
sudo /etc/init.d/apache2 restart
Ubuntu 7.04
Since Ubuntu 7.04, certificate creation has been changed: https://bugs.launchpad.net/debian/+source/apache2/+bug/77675/comments/25
Old fashioned way:
Create a certificate which are valid for a year.
sudo apache2-ssl-certificate -days 365
Enable the SSL module
sudo a2enmod ssl
Listen to port 443
echo "Listen 443" | sudo tee -a /etc/apache2/ports.conf
Create and enable the SSL site
sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
Modify it so it looks something like this
NameVirtualHost *:443
<virtualhost *:443>
ServerAdmin webmaster@localhost
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
DocumentRoot /var/www/
<directory />
Options FollowSymLinks
AllowOverride None
</directory>
<directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
# Commented out for Ubuntu
#RedirectMatch ^/$ /apache2-default/
</directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
Alias /doc/ "/usr/share/doc/"
<directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</directory>
</virtualhost>
...and enable it
sudo a2ensite ssl
don't forget to modify /etc/apache2/sites-available/default
NameVirtualHost *:80 <virtualhost *:80>
Mod rewrite
It's often desirable to force users to access things like webmail via https. This can be accomplished with mod_rewrite. First you'll have to enable the module
sudo a2enmod rewrite
Then add the following to /etc/apache2/sites-available/default
RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^/webmail(.*)$ https://%{SERVER_NAME}/webmail$1 [L,R]
RewriteLog "/var/log/apache2/rewrite.log"
RewriteLogLevel 2
Create directory for pidfile; it may be missing
sudo mkdir -p /var/run/apache2 sudo chown -R www-data /var/run/apache2
Don't forget to restart apache
sudo /etc/init.d/apache2 force-reload
