CHEAT SHEET: how I made myself a self-signed SSL certificate for a virtualhost on localhost :)
OS: ubuntu 16.04
Webserver: apache
Virtualhost: https://buba/
What follows is just console code with minimal explanations.
Generate the certificate and key:
$ sudo openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout /etc/ssl/private/buba.key -out /etc/ssl/certs/buba.crt
Generating a 2048 bit RSA private key
......................................................+++
........................................+++
writing new private key to '/etc/ssl/private/buba.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:LT
State or Province Name (full name) [Some-State]:Foo
Locality Name (eg, city) []:Bar
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Buba Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:buba
Email Address []:webmaster@localhost
Let's "beef up" security with some Diffie–Hellman extras :)
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
I created the file:
$ sudo vim /etc/apache2/conf-available/ssl-params.conf
with this content:
$ sudo cat /etc/apache2/conf-available/ssl-params.conf
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
I configure the virtualhost (my config lives in a dedicated file, klientai.conf):
$ sudo vim /etc/apache2/sites-enabled/klientai.conf
What did I change? I added the port 443 directives:
$ sudo cat /etc/apache2/sites-enabled/klientai.conf
...
<VirtualHost *:80>
    DocumentRoot /var/www/virt/buba.lt/public_html
    ServerName buba
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot /var/www/virt/buba.lt/public_html
    ServerName buba
    SSLCertificateFile /etc/ssl/certs/buba.crt
    SSLCertificateKeyFile /etc/ssl/private/buba.key
</VirtualHost>
...
Disclaimer: at the time of writing this little article the domain buba.lt is free. If by the time you read it such a domain has been registered, I have nothing to do with it. At the owners' request I would change my examples. I will demand proof of ownership :)
And finally:
$ sudo a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
$ sudo a2enmod headers
Enabling module headers.
To activate the new configuration, you need to run:
  service apache2 restart
$ sudo a2enconf ssl-params
Enabling conf ssl-params.
To activate the new configuration, you need to run:
  service apache2 reload
$ sudo apache2ctl configtest
Syntax OK
$ sudo systemctl restart apache2
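As an added example (not part of the original post), here is the interactive openssl req step from above done non-interactively, together with the checks worth running on the key and certificate before Apache is restarted to use them. The DN values and the host name buba are taken from the post; the output directory is a placeholder for the post's /etc/ssl/private and /etc/ssl/certs, and the host name is additionally placed in a subjectAltName, which is what browsers match against rather than the CN.

```shell
# Added example, not from the original post: the interactive `openssl req` step
# done non-interactively, plus checks worth running before Apache uses the files.
# DN values and host name "buba" are the post's; the directory is a placeholder.
set -eu

# Unencrypted (-nodes) 2048-bit RSA key + self-signed cert valid for 1825 days.
# The host name also goes into subjectAltName, which browsers match (not the CN).
make_selfsigned_cert() {
  dir=$1 host=$2
  mkdir -p "$dir"
  cfg=$(mktemp)
  cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
C = LT
O = Buba Ltd
CN = $host
[v3]
subjectAltName = DNS:$host
EOF
  # umask 077 in a subshell: key is created mode 600, nothing else is affected
  (umask 077; openssl req -x509 -nodes -days 1825 -newkey rsa:2048 \
     -keyout "$dir/$host.key" -out "$dir/$host.crt" -config "$cfg" 2>/dev/null)
  rm -f "$cfg"
}

# 0 only if: both files exist, the key matches the cert's public key (a mismatch
# makes Apache refuse to start), the SAN names the host, the cert is currently
# valid, and the key file is readable by its owner only.
check_cert_pair() {
  dir=$1 host=$2
  crt="$dir/$host.crt" key="$dir/$host.key"
  [ -s "$crt" ] && [ -s "$key" ] || return 1
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout)" ] || return 1
  openssl x509 -in "$crt" -noout -text | grep -q "DNS:$host" || return 1
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || return 1
  [ "$(ls -l "$key" | cut -c5-10)" = "------" ] || return 1
}

demo() {  # stand-alone run in a throw-away directory
  d=$(mktemp -d)
  make_selfsigned_cert "$d" buba
  check_cert_pair "$d" buba && echo "OK: $d/buba.crt and $d/buba.key match"
  openssl x509 -in "$d/buba.crt" -noout -subject -enddate -fingerprint -sha256
}
demo
```

Two things the script cannot check: Apache serves TLS on the *:443 vhost only when SSLEngine on applies to it (in that VirtualHost block or an included SSL config), and OCSP stapling cannot work for a self-signed certificate because there is no responder to ask, so expect mod_ssl to log a stapling warning at startup with SSLUseStapling on.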
I open https://buba/, the browser "spits and fusses" a bit, I add an exception, and from then on everything works "forever and ever"…