升级openssl+apache+mod_security在RedHat8&9
发表于:2007-07-04来源:作者:点击数:
标签:
升级openssl+apache+mod_security 我们的系统由于使用的Redhat8,系统只对外提供web服务。出于 安全 原因,我们需要升级openssl和apache来保障系统的安全。这只是我升级的一个步骤, 可能不是太详细。关于更多的apache的配置请参考别的文章。 系统:RedHat
升级openssl+apache+mod_security
我们的系统由于使用的Redhat 8,系统只对外提供web服务。出于
安全原因,我们需要升级openssl和apache来保障系统的安全。这只是我升级的一个步骤,
可能不是太详细。关于更多的apache的配置请参考别的文章。
系统:RedHat 8,9
1,安装openssl
下载:
http://www.openssl.org/source/openssl-0.9.7f.tar.gzhttp://www.linuxfromscratch.org/blfs/downloads/svn/openssl-0.9.7f-fix_manpages-1.patch
安装: 下载文件到:/opt/soft目录下。
# tar –zxvf openssl-0.9.7f.tar.gz
#cd openssl-0.9.7f
#patch -Np1 -i ../openssl-0.9.7f-fix_manpages-1.patch &&
#./config --openssldir=/opt/openssl/ssl --prefix=/opt/openssl shared
#make
#make install
# cp –r –v certs /opt/openssl/ssl
修改/etc/ld.so.conf文件在文件末尾添加/opt/openssl/lib后执行ldconfig命令
2,安装apache
下载:
http://www.apache.org/dist/httpd/httpd-2.0.54.tar.bz2安装:下载文件到:/opt/soft目录下。
# tar –jxvf httpd-2.0.54.tar.bz2
# cd httpd-2.0.54
# ./configure –prefix=/opt/apache –enable-ssl –with-ssl=/opt/openssl –enable-mods-shared=all
#make
#make install
配置:
由于我需要提供cgi所以我需要去除AddHandler cgi-script .cgi这行前面的注释。
可以下面的工具ssl所用到的证书。
http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz下载到/opt/apache/conf下
# tar zxvf ssl.ca-0.1.tar.gz
# cd ssl.ca-0.1
# ./new-root-ca.sh
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
...........................++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (输入一个密码)
Verifying - Enter pass phrase for ca.key: (再输入一次密码)
......
Self-sign the root CA... (签署根证书)
Enter pass phrase for ca.key: (输入刚刚设置的密码)
........
........ (下面开始签署)
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:JiangSu
Locality Name (eg, city) [Sitiawan]:Suzhou
Organization Name (eg, company) [My Directory Sdn Bhd]:Test System Co.,Ltd
Organizational Unit Name (eg, section) [Certification Services Division]:test
Common Name (eg, MD Root CA) []:test CA
Email Address []:test@test.com
这样就生成了ca.key和ca.crt两个文件,下面还要为我们的
服务器生成一个证书:
# ./new-server-cert.sh server (这个证书的名字是server)
......
......
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:JiangSu
Locality Name (eg, city) [Sitiawan]:Suzhou
Organization Name (eg, company) [My Directory Sdn Bhd]:test System Co.,Ltd
Organizational Unit Name (eg, section) [Secure Web Server]:test
Common Name (eg, www.domain.com) []:test.com
Email Address []:test@test.com.
这样就生成了server.csr和server.key这两个文件。
还需要签署一下才能使用的:
# ./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: (输入上面设置的根证书密码)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'JiangSu'
localityName :PRINTABLE:'Suzhou'
organizationName :PRINTABLE:'Test System Co.,Ltd'
organizationalUnitName:PRINTABLE:'test'
commonName :PRINTABLE:'test.com'
emailAddress :IA5STRING:'test@test.com'
Certificate is to be certified until Jul 16 12:55:34 2005 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
(如果这里出现错误,最好重新来过,删除ssl.ca-0.1这个目录,从解压缩处重新开始。)
下面要按照ssl.conf里面的设置,将证书放在适当的位置。
# chmod 400 server.key
# cd ..
# mkdir ssl.key
# mv ssl.ca-0.1/server.key ssl.key
# mkdir ssl.crt
# mv ssl.ca-0.1/server.crt ssl.crt
然后就可以启动啦!
# cd /opt/apache/
# ./bin/apachectl startssl
3,安装mod_security
下载:
http://www.modsecurity.org/download/modsecurity-1.8.7.tar.gz http://fedoranews.org/jorge/mod_security/mod_security.conf安装:下载到/opt/soft目录下。
# tar –zxvf modsecurity-1.8.7.tar.gz
# cd modsecurity-1.8.7
#cd apache2
# /opt/apache/bin/ apxs -cia mod_security.c
#copy mod_security.conf /opt/apache/conf
配置:
在/opt/apache/conf/httpd.conf中添加下面一行:
Include conf/mod_security.conf
/opt/apache/bin/apachectl stop
/opt/apache/bin/apachectl startssl
更详细的mod_security的配置请使用google。
参考:
http://www.kehui.net/html/article/27/27050.html 中的sslkey生成方式。
platinum 回复于:2005-05-23 18:39:56 |
不仅仅RH8/9可以,几乎所有*NIX都行
|
原文转自:http://www.ltesting.net