◆ SSL

With only the Apache configuration done so far, data flows across the Internet as-is, in plaintext. When a password is entered on a login screen or similar and it stays in plaintext, a malicious user on the Internet could snoop on that password and misuse it.
To encrypt the communication, we therefore install mod_ssl, the SSL (Secure Sockets Layer) software.
◆ Installing mod_ssl

Enter the following. Blue text is what you type.
[root@linux]# yum install mod_ssl ← type this
fedora                    100% |=========================| 2.1 kB    00:00
updates                   100% |=========================| 2.3 kB    00:00
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.i386 1:2.2.8-1.fc8 set to be updated
--> Processing Dependency: libdistcache.so.1 for package: mod_ssl
--> Processing Dependency: libnal.so.1 for package: mod_ssl
--> Running transaction check
---> Package distcache.i386 0:1.4.5-15 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 mod_ssl                 i386       1:2.2.8-1.fc8    updates            86 k
Installing for dependencies:
 distcache               i386       1.4.5-15         fedora            121 k

Transaction Summary
=============================================================================
Install      2 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 206 k
Is this ok [y/N]: y ← type y
Downloading Packages:
(1/2): mod_ssl-2.2.8-1.fc 100% |=========================|  86 kB    00:00
(2/2): distcache-1.4.5-15 100% |=========================| 121 kB    00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: distcache                    ######################### [1/2]
  Installing: mod_ssl                      ######################### [2/2]

Installed: mod_ssl.i386 1:2.2.8-1.fc8
Dependency Installed: distcache.i386 0:1.4.5-15
Complete! ← finished once "Complete!" is displayed
◆ Opening the port

Open port 443 for the SSL server.
Open the configuration file iptables and append -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT as the last line; this opens port 443. Blue text is what you type.
[root@linux]# vi /etc/sysconfig/iptables ← type this
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is recommended.
*filter
:INPUT ACCEPT [0:0]
↓↓ (middle of file omitted) ↓↓
-A INPUT -j RH-Firewall-1-INPUT
↓↓ (middle of file omitted) ↓↓
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT ← append as the last line
Restart iptables so that the setting takes effect.

[root@papa-net ~]# /etc/rc.d/init.d/iptables restart ← type this
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
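The listing above omits the middle of the file. In the stock Fedora file the RH-Firewall-1-INPUT chain ends with a catch-all REJECT followed by COMMIT, and because iptables stops at the first matching rule, the new ACCEPT only takes effect if it sits above both. The following shell check is an added example, not part of the page; it reports where a 443 rule landed and inserts it where it will match, using a constructed stand-in for /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example, not from the page. iptables tries a chain's rules in order and
# stops at the first match; the stock Fedora file closes RH-Firewall-1-INPUT
# with a catch-all REJECT followed by COMMIT, so an ACCEPT for 443 placed below
# either of those is never reached. The sample file below is constructed.

RULE_443='-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT'

# Prints "reachable", "unreachable" or "missing" for the TCP/443 ACCEPT in file $1.
check_443_rule() {
    awk '
        /^COMMIT/ { committed = 1 }
        /^-A RH-Firewall-1-INPUT / && /-j REJECT/ { rejected = 1 }
        /^-A RH-Firewall-1-INPUT / && /--dport 443([^0-9]|$)/ && /-j ACCEPT/ {
            found = 1
            state = (committed || rejected) ? "unreachable" : "reachable"
        }
        END { print (found ? state : "missing") }
    ' "$1"
}

# Writes a copy of $1 to stdout with the 443 rule inserted just above the
# chain's REJECT (or above COMMIT when there is no REJECT), where it matches.
insert_443_rule() {
    awk -v rule="$RULE_443" '
        !done && ((/^-A RH-Firewall-1-INPUT / && /-j REJECT/) || /^COMMIT/) {
            print rule; done = 1
        }
        { print }
    ' "$1"
}

# Constructed stand-in for /etc/sysconfig/iptables before the edit.
BASE="$(mktemp)"; WRONG="$(mktemp)"; RIGHT="$(mktemp)"
trap 'rm -f "$BASE" "$WRONG" "$RIGHT"' EXIT
cat > "$BASE" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
{ cat "$BASE"; echo "$RULE_443"; } > "$WRONG"   # literally the last line
insert_443_rule "$BASE" > "$RIGHT"               # above the REJECT
echo "appended after COMMIT: $(check_443_rule "$WRONG")"   # unreachable
echo "inserted above REJECT: $(check_443_rule "$RIGHT")"   # reachable
```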
◆ Creating the authentication keys

A certificate issued by a public, recognized certificate authority, which vouches for the legitimacy of the SSL connection, has to be placed on the web server.
However, having a recognized certificate authority certify the server requires a contract with that authority, and the fees are considerable. So here we certify the server ourselves and issue our own certificate. Because it is self-certified, it carries no guarantee of any kind.
Create the server's secret key. Enter the following. Blue text is what you type.
[root@linux]# cd /etc/pki/tls/certs ← move to the certs directory
[root@linux certs]# make server.key ← create the server's secret key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
..............++++++
e is 65537 (0x10001)
Enter pass phrase: ****** ← enter a passphrase (the * are not actually displayed)
Verifying - Enter pass phrase: ****** ← enter the passphrase again (the * are not actually displayed)
To avoid being prompted for the passphrase every time the web server starts, remove the passphrase from the server's secret key.

[root@linux certs]# openssl rsa -in server.key -out server.key ← type this
Enter pass phrase for server.key: ****** ← enter the passphrase (the * are not actually displayed)
writing RSA key
Next, create the server's public key (the certificate request). Enter the following. Blue text is what you type.

[root@linux certs]# make server.csr
umask 77 ; \
/usr/bin/openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP ← country code (JP = Japan)
State or Province Name (full name) [Berkshire]:Tokyou ← prefecture (Tokyo = 東京都)
Locality Name (eg, city) [Newbury]:tiyoda-ku ← city or ward (Chiyoda = 千代田区)
Organization Name (eg, company) [My Company Ltd]:linux-server ← company name (for a personally run site, the server name; here linux-server)
Organizational Unit Name (eg, section) []: ← department (for a personally run site, leave blank and press Enter)
Common Name (eg, your name or your server's hostname) []:******.com ← host (domain) name (******.com = your domain name)
Email Address []:****@xxxx.zzz ← the server administrator's e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← leave blank and press Enter
An optional company name []: ← leave blank and press Enter
Next, create the server certificate. Enter the following. Blue text is what you type.

[root@linux certs]# openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365 ← create the server certificate
Signature ok
subject=/C=JP/ST=Tokyou/L=tiyoda-ku/O=papa-net/CN=papa-net/emailAddress=****@xxxx.zzz ← done when the values you entered above are shown like this
Getting Private key
Note that the certificate created above is valid for 365 days (one year). Once 365 days have passed from the day it was created, it has to be created again. The last number (365) is the number of days, so changing it changes the validity period.
Next, change the permissions so that only root can read the SSL material.

[root@linux]# chmod 400 /etc/pki/tls/certs ← type this
You have new mail in /var/spool/mail/root

That completes this step.
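The key, request and certificate steps above, redone as an added shell example (not the page's own commands) together with the checks a practitioner runs before pointing ssl.conf at the files: that server.pem belongs to server.key, that it is inside its -days window, and that only the owner can read the key. The subject fields, the scratch directory and the 2048-bit key size (the page uses 1024) are assumptions.

```shell
#!/bin/sh
# Added example, not the page's own commands: redo the page's three openssl
# steps non-interactively in a scratch directory, then check what the page only
# eyeballs: that server.pem really belongs to server.key, that it is inside its
# -days window, and that only the owner can read the key. Subject fields are
# constructed placeholders; 2048 bits is used here where the page uses 1024.
set -eu
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# The page makes a DES3-encrypted key and strips the passphrase afterwards;
# writing it unencrypted from the start gives the same file.
make_selfsigned() {
    dir="$1"; days="$2"
    ( umask 77; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=JP/ST=Tokyo/L=Chiyoda-ku/O=example/CN=www.example.com" 2>/dev/null
    openssl x509 -in "$dir/server.csr" -out "$dir/server.pem" -req \
        -signkey "$dir/server.key" -days "$days" 2>/dev/null
}

# Returns 0 when the certificate's public key is the one in the private key;
# a mismatch is why httpd refuses to start after one of the files is replaced.
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -noout -modulus)" = \
      "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# Returns 0 when the certificate is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Returns 0 when only the owner can read the file (what umask 77 achieves).
key_is_private() {
    case "$(ls -l "$1" | cut -c2-10)" in
        rw-------|r--------) return 0 ;;
        *) return 1 ;;
    esac
}

make_selfsigned "$WORKDIR" 365
for check in "key_matches_cert $WORKDIR/server.key $WORKDIR/server.pem" \
             "cert_valid_for $WORKDIR/server.pem 86400" \
             "key_is_private $WORKDIR/server.key"; do
    if $check; then echo "ok:   $check"; else echo "FAIL: $check"; fi
done
```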
◆ Configuring SSL

Edit the configuration file.
Change the green parts to the yellow ones (rewrite or delete them). Red text is explanation and blue text is what you type.
[root@linux]# vi /etc/httpd/conf.d/ssl.conf ← type this
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#

LoadModule ssl_module modules/mod_ssl.so

#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
Listen 443

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex default

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
   ↓
DocumentRoot "/home/user/www/pass" ← specify the document root (the directory holding the web page files)
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
   ↓
SSLCertificateFile /etc/pki/tls/certs/server.pem ← specify the certificate file

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
   ↓
SSLCertificateKeyFile /etc/pki/tls/certs/server.key ← specify the private key file

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10

# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
◆ Reloading Apache

Finally, reload Apache and you are done.
[root@linux]# /etc/rc.d/init.d/httpd reload ← type /etc/rc.d/init.d/httpd reload (reloads Apache)
httpd を再読み込み中:                                      [  OK  ]
◆ Client-side configuration

When you access the site over SSL (https://******.com), a "Security Alert" dialog like the one pictured below is displayed. If the "Security Alert" message appears, tell visitors to click "Yes (Y)" and proceed.
This message does not appear on sites using ordinary SSL. However, a personally run site such as this one (the setup above) cannot pay the high fees to have a certification authority certify it and issue a certificate, so it uses self-certification instead.
If you do not want this message to be displayed in future, click "View Certificate (V)".
Click "Install Certificate (I)".
Click "Next (N)".
Click "Next (N)".
Click "Finish".
Click "Yes (Y)".
Click "OK".
The certificate is now imported, so the "Security Alert" message will no longer be displayed.