It feels like a while since I last updated my blog. No way around it: lately my boss has been running me ragged, I am dizzy from it, and on top of that the damned graduation thesis keeps adding to the mess, sigh.
To leave something as a memento, here is the Apache + SSL + Subversion setup I wrote up the other day. I found that most write-ups online cover Windows; there are very few for Linux, and the most important gap is that none of them combine it with SSL. Honestly, what real enterprise deployment goes without SSL, unless it planned to be open source from day one...
All By Our Smart Lili :)
Here are the steps to follow; execute them in order:
Step 1: Install OpenSSL, Apache2 & Subversion
OpenSSL:
--------------------------------------------------------------------------------------
./config
make
make test
make install
--------------------------------------------------------------------------------------
Apache2:
--------------------------------------------------------------------------------------
./configure --enable-dav --enable-so --enable-deflate \
--enable-ssl --with-ssl=/usr/local/ssl
make clean
make
make install
--------------------------------------------------------------------------------------
Subversion:
--------------------------------------------------------------------------------------
./configure --with-zlib --enable-ssl --with-ssl \
--with-libs=/usr/local/ssl:/usr/local/ssl/lib:/usr/local/lib:/usr/lib:/lib
make clean
make
make install
--------------------------------------------------------------------------------------
Note: We strongly suggest building from the tar packages. If you use the rpm packages you may get an “Unrecognized URL scheme” error when accessing the Subversion repository; one cause is that the dynamic linker/loader cannot find the plugins to load. That is why “--enable-ssl --with-ssl” is required when building Subversion.
Step 2: Create certificates
1. # cd /usr/local/apache/conf
# mkdir ssl.crt
# cd ssl.crt
# cp /usr/local/openssl/ssl/misc/CA.sh \
/usr/local/apache/conf/ssl.crt/CA.sh
2. Create the self-signed Certificate Authority certificate and private key.
# ./CA.sh -newca
You will be asked to enter this information:
Country Name (2 letter code) [GB]:CN
Organization Name (eg, company) [My Company Ltd]:CUIT
Now a new directory ./demoCA has been created in /usr/local/apache/conf/ssl.crt/. ./demoCA/private/cakey.pem is the CA private key and ./demoCA/cacert.pem is the CA certificate.
3. Create the web server's certificate request and private key, then sign the server certificate with the CA private key.
# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
You will be asked for the same information again:
Country Name (2 letter code) [GB]:CN
Organization Name (eg, company) [My Company Ltd]:CUIT
Note: When asked for the Common Name we must enter the server's hostname or IP address; this is very important.
# mv server.csr newreq.pem
# ./CA.sh -sign
Now we get a server certificate named newcert.pem; rename newcert.pem to server.crt:
# mv newcert.pem server.crt
4. Generate the client certificate request and private key, then sign the client certificate with the CA private key.
# openssl genrsa -des3 -out client.key 1024
# openssl req -new -key client.key -out client.csr
# openssl ca -in client.csr -out client.crt
# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
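Step 2 as one repeatable script. This is an added example, not the post's CA.sh commands: it uses plain openssl(1) with -subj so nothing is typed interactively, and signs with "openssl x509 -req" against the CA key instead of CA.sh/"openssl ca", so no demoCA/ database is needed. It assumes openssl 1.1.1 or newer on PATH; SERVER_NAME and the output directory are placeholders taken from the environment. The 2048-bit keys, the subjectAltName on the server certificate (modern clients match the hostname there, not only in the Common Name the post insists on) and the unencrypted keys (the post's -des3 keys make Apache ask for a pass phrase at every start) are choices of this example, not the post's.

```shell
#!/bin/sh
# Added example (not the post's own CA.sh steps): Step 2 done non-interactively.
# Assumptions: openssl 1.1.1+ on PATH; SERVER_NAME is the hostname clients will type;
# keys are unencrypted, so they are protected by file permissions (umask) instead.
set -eu
SERVER_NAME="${SERVER_NAME:-svn.example.internal}"   # placeholder hostname
PKI="${PKI:-$(mktemp -d)}"                            # output directory
umask 077                                             # private keys readable by owner only

make_ca() {
    # Self-signed CA with explicit CA extensions (the equivalent of "./CA.sh -newca").
    openssl genrsa -out "$PKI/cakey.pem" 2048 2>/dev/null
    openssl req -new -key "$PKI/cakey.pem" -sha256 \
        -subj "/C=CN/O=CUIT/CN=Example internal CA" -out "$PKI/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$PKI/ca.ext"
    openssl x509 -req -in "$PKI/ca.csr" -signkey "$PKI/cakey.pem" -days 3650 -sha256 \
        -extfile "$PKI/ca.ext" -out "$PKI/cacert.pem" 2>/dev/null
}

make_server_cert() {
    # Server key + CSR, then a CA-signed certificate carrying the hostname in a SAN.
    openssl genrsa -out "$PKI/server.key" 2048 2>/dev/null
    openssl req -new -key "$PKI/server.key" -sha256 \
        -subj "/C=CN/O=CUIT/CN=$SERVER_NAME" -out "$PKI/server.csr"
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$SERVER_NAME" \
        > "$PKI/server.ext"
    openssl x509 -req -in "$PKI/server.csr" -CA "$PKI/cacert.pem" -CAkey "$PKI/cakey.pem" \
        -CAcreateserial -days 825 -sha256 -extfile "$PKI/server.ext" \
        -out "$PKI/server.crt" 2>/dev/null
}

make_client_cert() {
    # make_client_cert USER PFX_PASSWORD: per-user certificate for SSLVerifyClient,
    # exported as PKCS#12 for import into a browser or svn client.
    user="$1"; pfxpw="$2"
    openssl genrsa -out "$PKI/$user.key" 2048 2>/dev/null
    openssl req -new -key "$PKI/$user.key" -sha256 \
        -subj "/C=CN/O=CUIT/CN=$user" -out "$PKI/$user.csr"
    printf 'extendedKeyUsage=clientAuth\n' > "$PKI/client.ext"
    openssl x509 -req -in "$PKI/$user.csr" -CA "$PKI/cacert.pem" -CAkey "$PKI/cakey.pem" \
        -CAcreateserial -days 365 -sha256 -extfile "$PKI/client.ext" \
        -out "$PKI/$user.crt" 2>/dev/null
    openssl pkcs12 -export -clcerts -in "$PKI/$user.crt" -inkey "$PKI/$user.key" \
        -passout "pass:$pfxpw" -out "$PKI/$user.pfx"
}

verify_cert() {
    # verify_cert NAME: 0 if NAME.crt chains to our CA. This is the check mod_ssl makes
    # for client certificates (SSLVerifyClient require + SSLCACertificateFile).
    openssl verify -CAfile "$PKI/cacert.pem" "$PKI/$1.crt" >/dev/null 2>&1
}

server_cert_names() {
    # Hostname(s) the server certificate is valid for, to confirm the Common Name rule.
    openssl x509 -in "$PKI/server.crt" -noout -text | sed -n 's/^ *DNS://p'
}

make_ca
make_server_cert
make_client_cert lili 'constructed-pfx-password'   # constructed sample user and password
echo "certificates written to $PKI"
```

Point SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile at server.crt, server.key and cacert.pem, and hand each user their .pfx. verify_cert does offline what mod_ssl does at connection time, so run it on every certificate before restarting Apache.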
Step 3: Edit ssl.conf & httpd.conf
ssl.conf:
I edited my ssl.conf as below:
---------------------------------------------------------------------------------
DocumentRoot https://192.168.?.?
ServerName 192.168.?.?:443
ServerAdmin someone@somewhere.com
Add the following lines, or remove the “#” in front of them:
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/server.key
SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/demoCA
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/demoCA/cacert.pem
SSLVerifyClient require
SSLVerifyDepth 1
--------------------------------------------------------------------------------
httpd.conf:
Configure the Apache httpd.conf file as below:
---------------------------------------------------------------------------------
Change “Listen 80” to “Listen 127.0.0.1:80” so that nobody can reach the server over plain http://192.168.?.?.
Add: “ServerAdmin someone@somewhere.com”
Add: “ServerName 192.168.?.?:443”
Change “AllowOverride None” to “AllowOverride All”
Change from “
Change “AccessFileName .htaccess” to “AccessFileName /home/mysvn/.htaccess”
Add: “NameVirtualHost 192.168.?.?:443”
Put the following lines into :
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
(If the two lines above already exist, please skip.)
<VirtualHost 192.168.?.?:443>
DocumentRoot "/home/mysvn"
ServerName 192.168.?.?
ServerAdmin someone@somewhere.com
SSLEngine on
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/demoCA/cacert.pem
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/server.key
DAV svn
SVNParentPath /home/mysvn
AuthzSVNAccessFile /home/mysvn/authz.conf
</VirtualHost>
---------------------------------------------------------------------------------
Now we edit .htaccess as the following:
---------------------------------------------------------------------------------
AuthType Basic
AuthName "subversion repository"
AuthUserFile /home/mysvn/.htpasswd
Require valid-user
---------------------------------------------------------------------------------
We can use “htpasswd -c /home/mysvn/.htpasswd user_name” to create the first user and password; “-c” must not be used after that, because it creates the file anew.
The file authz.conf limits what each user may do. Edit it as below:
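The .htpasswd handling above, as an added example that is not from the post: it manages the Basic-auth user file without htpasswd(1) and without the “-c truncates the file” mistake, and shows how a stored entry is checked. It assumes openssl(1) on PATH and uses the APR-MD5 scheme (“$apr1$...”) that Apache accepts; the file path is a placeholder (the post uses /home/mysvn/.htpasswd) and the users and passwords are constructed.

```shell
#!/bin/sh
# Added example (not from the post): create/update .htpasswd entries and verify them.
# Assumptions: openssl 1.1.1+ on PATH; HTPASSWD is the file path (placeholder).
set -eu
HTPASSWD="${HTPASSWD:-$(mktemp)}"

set_user() {
    # set_user NAME PASSWORD: creates the file on first use, and on later calls
    # replaces that user's line instead of truncating the whole file (htpasswd -c would).
    name="$1"; pw="$2"
    hash="$(openssl passwd -apr1 "$pw")"          # random salt, "$apr1$<salt>$<hash>"
    [ -f "$HTPASSWD" ] || : > "$HTPASSWD"
    grep -v "^$name:" "$HTPASSWD" > "$HTPASSWD.tmp" || true   # drop the old entry, if any
    printf '%s:%s\n' "$name" "$hash" >> "$HTPASSWD.tmp"
    mv "$HTPASSWD.tmp" "$HTPASSWD"
    chmod 640 "$HTPASSWD"                         # readable by the web server group only
}

check_user() {
    # check_user NAME PASSWORD: 0 if PASSWORD matches the stored hash, which is what
    # mod_auth does for "AuthType Basic" + "Require valid-user".
    name="$1"; pw="$2"
    stored="$(grep "^$name:" "$HTPASSWD" | cut -d: -f2)"
    [ -n "$stored" ] || return 1
    salt="$(printf '%s' "$stored" | cut -d'$' -f3)"   # reuse the salt, recompute, compare
    [ "$(openssl passwd -apr1 -salt "$salt" "$pw")" = "$stored" ]
}

user_count() { wc -l < "$HTPASSWD" | tr -d ' '; }

set_user lili 'constructed-password'   # constructed sample entry
echo "wrote $HTPASSWD with $(user_count) user(s)"
```

Because an entry is replaced in place, changing a password is just another set_user call; the only thing “-c” would add is wiping every other user.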
---------------------------------------------------------------------------------
[groups]
groupA = rchu, jhuang, mhsu, hma, jxu, tzheng, jlai, tho, lwei, sliu,
groupB = ipu, ddong, aho, mmcgrew, jliu, jliang, khuang, vyang, azhou, kye
[xyz:/]
@groupA = rw
@groupB = rw
[t1:/]
@groupA = rw
[t2:/]
@groupB = rw
---------------------------------------------------------------------------------
So members of groupA and groupB can both check out xyz, members of groupA can check out t1, and members of groupB can check out t2.
Use “/usr/local/apache2/bin/apachectl startssl” to start Apache and “/usr/local/apache2/bin/apachectl stop” to stop it.
That's all.
Wish you good luck!
To protect our company's information, every “?” stands for a real IP address, and the e-mail addresses are placeholders too.
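A small evaluator for the authz.conf format shown above, added here as an example that is not part of the post, to answer “what may USER do in REPO at PATH?” before the file goes onto the server. Its rules are assumptions that cover the post's file, not Subversion's exact code: aliases are not supported; a repo-specific [repo:/path] section and a global [/path] section for the same path are merged in file order; among matching rules in one section a user rule beats a group rule, which beats “*”, and the last of equally specific rules wins. The sample file is constructed from the post's groups plus one per-path deny to show inheritance stopping.

```shell
#!/bin/sh
# Added example (not from the post): evaluate an authz.conf offline with awk.
# Assumptions: see the lead-in; AUTHZ_FILE is a placeholder path.
set -eu
AUTHZ_FILE="${AUTHZ_FILE:-$(mktemp)}"

# Constructed sample: the post's groups, plus [xyz:/secrets] to show an explicit deny.
cat > "$AUTHZ_FILE" <<'EOF'
[groups]
groupA = rchu, jhuang, mhsu, hma, jxu, tzheng, jlai, tho, lwei, sliu,
groupB = ipu, ddong, aho, mmcgrew, jliu, jliang, khuang, vyang, azhou, kye
[xyz:/]
@groupA = rw
@groupB = rw
[xyz:/secrets]
* =
rchu = r
[t1:/]
@groupA = rw
[t2:/]
@groupB = rw
EOF

# authz_check REPO PATH USER -> prints "rw", "r", or nothing (no access)
authz_check() {
    awk -v repo="$1" -v path="$2" -v user="$3" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # specificity of a rule subject for this user: 3 user, 2 group member, 1 "*", 0 none
    function specificity(who,   n, i, parts) {
        if (who == user) return 3
        if (substr(who, 1, 1) == "@") {
            n = split(groups[substr(who, 2)], parts, ",")
            for (i = 1; i <= n; i++) if (trim(parts[i]) == user) return 2
            return 0
        }
        return (who == "*") ? 1 : 0
    }
    /^[ \t]*(#|$)/ { next }                                  # comments and blank lines
    /^\[/ { section = $0; sub(/^\[/, "", section); sub(/\][ \t]*$/, "", section); next }
    {
        eq = index($0, "=")
        key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
        if (section == "groups") { groups[key] = val; next }
        colon = index(section, ":")                          # "[repo:/path]" or "[/path]"
        if (colon > 0 && substr(section, 1, colon - 1) != repo) next
        p = (colon > 0) ? substr(section, colon + 1) : section
        rules[p, ++count[p]] = key "\t" val
    }
    END {
        # Walk from PATH up to "/"; the first section with any matching rule decides,
        # so an explicit empty grant on a subpath blocks what the parent allows.
        p = path
        while (1) {
            best = 0; perm = ""
            for (i = 1; i <= count[p]; i++) {
                split(rules[p, i], kv, "\t")
                s = specificity(kv[1])
                if (s > 0 && s >= best) { best = s; perm = kv[2] }
            }
            if (best > 0) { print perm; exit }
            if (p == "/") break
            sub(/\/[^\/]*$/, "", p); if (p == "") p = "/"
        }
        print ""
    }' "$AUTHZ_FILE"
}

for u in rchu ipu nobody; do
    echo "$u: xyz=$(authz_check xyz / "$u") t1=$(authz_check t1 / "$u") t2=$(authz_check t2 / "$u")"
done
```

Running it prints one line per user with the permission in each repository, so the claim that groupA reaches xyz and t1 while groupB reaches xyz and t2 can be read straight off the output instead of being discovered by a failed checkout.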
This article comes from 领测软件测试网 (ltesting.net): https://www.ltesting.net/