2016-08-11 18:15:41 alexander_phper 阅读数 5158
  • Linux系列之走进Linux新世界

    本课程为全新马哥Linux全套系列课程之一--Linux基础入门和架构了解,从Linux起源,Linux架构和Linux形成历史开始逐步讲解,让你彻彻底底了解Linux的诞生,之后介绍了Linux相关文化和核心组成结构,以及Linux常用命令和基本用法,课程由浅入深,讲授方法受到98%学员一致好评!

    20742 人正在学习 去看看 马永亮

apache开启mod_ssl扩展

apache的配置文件apache2/conf/httpd.conf,去除下面的注释#。

#LoadModule ssl_module modules/mod_ssl.so

如果apache里面没有mod_ssl.so这个扩展,利用apxs动态编译该扩展或者重新编译apache,重新编译参数如下:

./configure --enable-so --enable-mods-shared=most

加载conf/extra/httpd-ssl.conf配置文件。去除下面的注释#。

#Include conf/extra/httpd-ssl.conf

配置httpd-ssl.conf文件,将配置https访问项目的目录和域名配置到该文件中。

<VirtualHost _default_:443>
DocumentRoot "/www"
ServerName www.domain.com:443
ServerAdmin abc@abc.com
...

生成证书

保证你的系统中已经安装了openssl。

第一步生成key

openssl genrsa -des3 -out server.key 1024

第二步生成csr

openssl req -newkey rsa:2048 -keyout server.key -out server.csr

第三部生成crt

openssl req -x509 -days 365 -key server.key -in server.csr > server.crt

现在生成了三个文件:server.key,server.csr,server.crt。
打开conf/extra/httpd-ssl.conf文件,然后将下面位置配置为生成的key和crt文件,文件路径写自己的。

...
SSLCertificateFile "/tmp/server.crt"
...
SSLCertificateKeyFile "/tmp/server.key"
...

然后重启apache,打开自己的域名查看。
这里写图片描述
可以看到,https服务已经配置成功。
这里https证书是我们自己生成的,没有认证,所以有红叉叉的提示。

startssl免费认证证书

证书生成步骤官网有详细说明。
使用startssl证书之后,将证书文件下载下来,传输到服务器,conf/extra/httpd-ssl.conf配置如下:
相比自己生成的证书和key多了一个crt文件。

...
SSLCertificateFile "/ptah/2_www.domain.com.crt"
...
SSLCertificateKeyFile "/ptah/www.domain.com.key"
...
SSLCACertificateFile "/ptah/1_root_bundle.crt"
...

然后重启apache,可以看到
这里写图片描述

2019-01-04 13:57:16 weixin_42242253 阅读数 162
  • Linux系列之走进Linux新世界

    本课程为全新马哥Linux全套系列课程之一--Linux基础入门和架构了解,从Linux起源,Linux架构和Linux形成历史开始逐步讲解,让你彻彻底底了解Linux的诞生,之后介绍了Linux相关文化和核心组成结构,以及Linux常用命令和基本用法,课程由浅入深,讲授方法受到98%学员一致好评!

    20742 人正在学习 去看看 马永亮

160 0 1

首先说明一点,并不是仅仅配置就可以使用真正的https服务,因为需要向证书颁发机构申请SSL证书

首先先去你的云服务器购买证书,然后按照提示进行购买

购买完毕后下载证书然后在nginx.conf配置:

listen 443;
#省略若干配置......
ssl on;    #开启ssl支持

ssl_certificate      /opt/server.pem;    #指定服务器证书路径

ssl_certificate_key  /opt/server.key;    #指定私钥证书路径

ssl_session_timeout  5m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;     #指定SSL服务器端支持的协议版本

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;

ssl_prefer_server_ciphers   on;

做完以上工作后测试nginx配置文件无误后重新载入配置,如果需要配置通过http访问时自动跳转到https 可以在80端口对应的虚拟主机配置中设置

rewrite ^(.*) https://www.ziransha.shop$1 permanent;

 

2019-09-17 16:09:30 qq_35510729 阅读数 60
  • Linux系列之走进Linux新世界

    本课程为全新马哥Linux全套系列课程之一--Linux基础入门和架构了解,从Linux起源,Linux架构和Linux形成历史开始逐步讲解,让你彻彻底底了解Linux的诞生,之后介绍了Linux相关文化和核心组成结构,以及Linux常用命令和基本用法,课程由浅入深,讲授方法受到98%学员一致好评!

    20742 人正在学习 去看看 马永亮

首先说一下我的服务器是apache2的
需要到自己的域名下面,添加解析记录,添加到服务器要配置的文件夹
打开freessl官网,这个网站,输入自己解析后的域名
在这里插入图片描述
点击创建
在这里插入图片描述
输入邮箱点击创建
在这里插入图片描述
没有的下载一个,下载之后设置启动密码,然后点继续
浏览器会生成一个TXT的解析记录,继续添加在域名下面然后点击验证,验证成功之后就可以签发证书
在这里插入图片描述
在这里插入图片描述
添加信息,填写证书的路径之后先不要部署,先到服务器apache2目录下面的apache2.conf,在最后面添加一段代码,

<VirtualHost *:443>

DocumentRoot "你的文件夹目录"
ServerName 你的域名
SSLEngine on
SSLCertificateFile /etc/apache2/cert/test.questionnaire.bjswz.cn/full_chain.pem
SSLCertificateKeyFile /etc/apache2/cert/test.questionnaire.bjswz.cn/private.key
ServerAlias 你的域名
 <Directory "你的文件夹目录">

  Options FollowSymLinks ExecCGI

  AllowOverride All

  Order allow,deny

  Allow from all

  Require all granted

 </Directory>

</VirtualHost>

保存好文件,一键部署,OK
(刚开始不会,同事教我的,后面自己独立配成功了,在此感谢)

2015-04-03 14:33:00 weixin_33749131 阅读数 38
  • Linux系列之走进Linux新世界

    本课程为全新马哥Linux全套系列课程之一--Linux基础入门和架构了解,从Linux起源,Linux架构和Linux形成历史开始逐步讲解,让你彻彻底底了解Linux的诞生,之后介绍了Linux相关文化和核心组成结构,以及Linux常用命令和基本用法,课程由浅入深,讲授方法受到98%学员一致好评!

    20742 人正在学习 去看看 马永亮

1.在线安装mod_ssl

yum -y install mod_ssl

查看openssl 是否安装成功

rpm -qa |grep openssl 

 

2.建立服务器密钥

openssl genrsa -out server.key 1024

 

 

3.建立服务器公钥 

openssl req -new -key server.key -out server.csr

 

4.建立服务器证书 

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

 

 

5.修改SSL的设置文件

/etc/httpd/conf.d/ssl.conf

 

#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these 
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned. 
#

LoadModule ssl_module modules/mod_ssl.so
LoadModule jk_module modules/mod_jk.so
JkWorkersFile"conf/workers.properties"
JkLogFile"logs/mod_jk.log"


#
# When we also provide SSL we have to listen to the 
# the HTTPS port in addition.
#
Listen 443

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism 
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization. 
SSLMutex default

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the 
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use"SSLCryptoDevice"to enable any supported hardware
# accelerators. Use"openssl engine -v"to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly. 
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##


<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
#DocumentRoot"/var/www/html"
#ServerName www.example.com:443
jkMount /* tomcat1
ServerName 192.168.1.134:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

SSLCertificateFile /etc/httpd/conf/server.crt 
SSLCertificateKeyFile /etc/httpd/conf/server.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10

# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ 
# and %{SSL_CLIENT_S_DN_O} eq"Snake Oil, Ltd."
# and %{SSL_CLIENT_S_DN_OU} in {"Staff","CA","Dev"} 
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) 
# or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/
#</Location>

# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when"SSLRequireSSL"or"SSLRequire"applied even
# under a"Satisfy any"situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context. 
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~".(cgi|shtml|phtml|php3?)$">
 SSLOptions +StdEnvVars
</Files>
<Directory"/var/www/cgi-bin">
 SSLOptions +StdEnvVars
</Directory>

# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly. 
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable"nokeepalive"for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables"downgrade-1.0"and
#"force-response-1.0"for this.
SetEnvIf User-Agent".*MSIE.*"
 nokeepalive ssl-unclean-shutdown 
 downgrade-1.0 force-response-1.0

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log 
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r"%b"

</VirtualHost>

 

6.重启httpd

service httpd restart

 

注意:crt文件一定要与ssl.conf文件中的路径一致

 

2018-12-14 12:23:31 liuchangjie0112 阅读数 352
  • Linux系列之走进Linux新世界

    本课程为全新马哥Linux全套系列课程之一--Linux基础入门和架构了解,从Linux起源,Linux架构和Linux形成历史开始逐步讲解,让你彻彻底底了解Linux的诞生,之后介绍了Linux相关文化和核心组成结构,以及Linux常用命令和基本用法,课程由浅入深,讲授方法受到98%学员一致好评!

    20742 人正在学习 去看看 马永亮
注意:该方法已在多台服务器配置了免费的https证书,无论是更新还是第一次配置都运行成功;由于是免费版,每个证书都只有三个月的有效期,也无法保证安全和稳定性,所以只建议做测试用,客户的项目需要时,请让购买正式版证书
一、配置https免费证书,确保服务器已开启443端口

    ①在root目录下,执行下面命令:只有第一次安装时需要执行,后面追加域名时不再需要
        wget https://dl.eff.org/certbot-auto
    
    ②停止nginx,必须停止,否则安装证书时会报80端口被占用
        service nginx stop
    
    ③追加多个域名
        // 565356915@qq.com 换成自己的常用邮箱,据说到期前会给发提醒邮件
        // www.xieyouhui.com    换成自己需要配置https的域名,多个域名使用 -d 追加
        
        ./certbot-auto certonly --standalone --email 565356915@qq.com --agree-tos -d www.xieyouhui.com -d app.xieyouhui.com -d admin.xieyouhui.com
        
        //  也能用于后期域名的追加
        ./certbot-auto certonly --standalone --email 565356915@qq.com --agree-tos -d www.weimi888.com -d weimi888.com



        如果出现./certbot-auto: Permission denied 错误,需要certbot-auto文件拥有可执行权限


    ④查看生成的证书 
        ls /etc/letsencrypt/live/
        
    ⑤在nginx配置证书
        //证书文件需要开启读写权限
        ssl_certificate /etc/letsencrypt/live/cdw.me/fullchain.pem;#证书位置
        ssl_certificate_key /etc/letsencrypt/live/cdw.me/privkey.pem;# 私钥位置
        
    ⑥启动nginx
        service nginx start
    
    手动更新https证书
    2、手动更新的方法,如果遇到更新报错,可以重新运行上面第③条,重新申请证书
        service nginx stop                停止nginx        
        ./certbot-auto renew -v            执行更新方法,certbot-auto该文件需要获得执行权限
        service nginx start                启动nginx

    3、自动更新的方法 certbot-auto脚本带有自动更新证书功能,运行如下代码即可:
        // 该方法执行后,由于证书到期时间过长,还未证实是否有用
        ./certbot-auto renew --quiet --no-self-upgrade
    
    
    定时任务:不确定下面这俩定时任务是否都能使用,请自己测试
    # 每月1号5时执行执行一次更新,并重启nginx服务器
    00 05 01 * * /root/certbot renew --quiet && /bin/systemctl restart nginx
    #更新SSL证书
    30 2 3 * * /root/letsencrypt/./letsencrypt-auto renew > /var/log/le-renew.log && nginx -s reload
    
二、配置域名,通用配置文件下载地址,请按照提示更换成自己的信息
        https://liuniu.oss-cn-zhangjiakou.aliyuncs.com/xyh/peizhiwenjian.zip



三、查询证书到期时间封装方法
    
    /**
     * 获取SSL证书到期时间
     * param $domain 需要查询的域名,例如www.baidu.com
     * return array
     */
    public function getValidity($domain){
        $context = stream_context_create(array("ssl" => array("capture_peer_cert_chain" => true)));
        $socket = stream_socket_client("ssl://$domain:443", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
        $context = stream_context_get_params($socket);
        foreach ($context["options"]["ssl"]["peer_certificate_chain"] as $value) {
            //使用openssl扩展解析证书,这里使用x509证书验证函数
            $cerInfo = openssl_x509_parse($value);
            if(strpos($cerInfo['name'],$domain)) {

                // 提前三天预警
                $early_warning_time = time() - 3 * 24 * 3600;
                if ($cerInfo['validTo_time_t'] <= $early_warning_time) {
                    $end_type = 1;
                } else {
                    $end_type = 0;
                }

                $result = array(
                    'start_time' => date("Y-m-d H:i",$cerInfo['validFrom_time_t']), // 开始时间
                    'end_time' => date("Y-m-d H:i",$cerInfo['validTo_time_t']), // 到期时间
                    'end_type' => $end_type
                );

                return $result;
            }
        }
    }

 

linux总结

阅读数 203

linux安装pymysql

阅读数 1205

linux安装tomcat

阅读数 21

没有更多推荐了,返回首页