<HTML><HEAD> <TITLE>BBS水木清华站: Digest Section</TITLE></HEAD><BODY><CENTER><H1>BBS水木清华站: Digest Section</H1></CENTER>Poster: mv (蓝花·无争|19:50), Board: Linux <BR>Title: Installing a secure web server <BR>Site: BBS 水木清华站 (Sat Dec 16 05:56:14 2000) <BR> <BR>
With ``e-commerce'' becoming an important part of many businesses, it's useful to know how to set up your server to run SSL for the secure transfer of sensitive information. <BR>
What's SSL? <BR>
SSL, which stands for Secure Sockets Layer, is a protocol by which a client (a web browser) and a server (Apache, for example) communicate with one another over an encrypted connection. Anyone intercepting the traffic receives only ciphertext. The server's public key, carried in its certificate, is used to authenticate the server and to establish a session key; the data itself is then encrypted with that session key, which is never sent in the clear. The matching private key stays on the server and is never distributed, which is why protecting it matters (see the Certificate section below). <BR>
Getting SSL <BR>
There are a variety of SSL solutions available, and you should probably check out all the options before making the decision that is right for your business, or that of your clients. <BR>
Being an Open Source advocate, I am partial to OpenSSL. You can get OpenSSL from <A HREF="http://www.openssl.org/">http://www.openssl.org/</A> in source code form. It is free software, and you can build it to run on whatever platform you are using. <BR>
As of this writing, the latest version of OpenSSL is 0.9.6. The file is approximately 2 MB, so be prepared to wait a while. Before you build it, check the tarball against the digest or signature the project publishes for it: everything that follows rests on this code being the code the OpenSSL team released. <BR>
You need to click on the ``Source'' link, and get the file that is labelled as "LATEST". <BR>
Installing SSL <BR>
Please note that OpenSSL is the engine; you will still need mod_ssl for the interaction between OpenSSL and Apache. <BR>
Once you've downloaded OpenSSL, you will need to unpack it. Do this in the same location where you have the Apache source code unpacked. I'll assume for this article that you're working in /usr/src. 
<BR> gunzip openssl-0.9.6.tar.gz <BR> tar -vxf openssl-0.9.6.tar <BR>Then change into the openssl-0.9.6 directory, and type the following: <BR> ./config <BR> make <BR> make test <BR> make install <BR>That's it. Don't skip make test: a build whose own self-tests fail is not one your server's security should rest on. You're ready to move on to the next stage. For detailed instructions and advanced options, read the INSTALL file. <BR>
Installing mod_ssl <BR>
Here's where things get interesting. mod_ssl has a reputation of being somewhat difficult to install, but it does not need to be. <BR>
Warning: Make an effort to understand what you are doing before you do it. I gave a very skimpy definition of SSL above. You really should read the referenced article. Security that you don't understand is much more likely to be compromised than security whose workings you know. <BR>
Note also that you're going to need to rebuild Apache, so you should have the Apache source code handy too. Take this opportunity to upgrade to the latest version of Apache. 1.3.15 should be out soon. <BR>
Get mod_ssl from <A HREF="http://www.modssl.org/">http://www.modssl.org/</A>. You should notice a resemblance between this site and the OpenSSL web site. It's not a coincidence. <BR>
Download the latest source code file, and unpack it somewhere you can get to it. It is useful to unpack it in the same place where you have your Apache source code unpacked, such as /usr/src. <BR>
Now, follow these steps carefully. They assume that you have unpacked all of these packages in /usr/src, so that the Apache source code, the OpenSSL source code, and the mod_ssl source code are all there. <BR>
 cd mod_ssl-2.7.xxxx <BR> ./configure --with-apache=../apache_1.3.14 \ <BR> --with-ssl=../openssl-0.9.6 \ <BR> --with-crt=/path/to/your/server/certificate \ <BR> --with-key=/path/to/your/server/key <BR> cd ../apache_1.3.14 <BR> make <BR> make install <BR>Note that the last configure option carries no trailing backslash: one there would splice the cd line onto the configure command. mod_ssl's configure patches the Apache tree and runs Apache's own configure with the ssl module enabled, which is why the Apache tree can then be built directly. <BR>
And then you're done. <BR>
Yes, perhaps there's a little more to it than that. 
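The whole procedure above, with the certificate step from the next section folded in, as an added example that is not part of the original article: a POSIX shell script that builds OpenSSL, mod_ssl and Apache 1.3 in the order described, verifies the OpenSSL tarball's digest before it is unpacked, stops if make test fails, and checks after installation that the server's private key is not group- or world-readable. The /usr/src location and the version numbers come from the article; the install prefix, the environment variables (MODSSL_DIR, EXPECTED_SHA256, SERVER_CRT, SERVER_KEY, DO_BUILD), the --prefix option passed through to Apache's configure, make certificate TYPE=test, and the conf/ssl.key/server.key location are assumptions about mod_ssl's default layout, not from the page.

```shell
#!/bin/sh
# Added example, not code from the original article: the OpenSSL, mod_ssl and
# Apache 1.3 build described above as one script, with the checks the article
# leaves out. The tarball digest is verified before anything is built, make test
# must pass, and after install the private key must be readable by root only.
# Assumptions (not from the article): the three source trees sit under $SRC,
# Apache installs under $PREFIX, MODSSL_DIR names the unpacked mod_ssl tree,
# and EXPECTED_SHA256 is the digest you read from the checksum or signature
# file the OpenSSL project publishes for the tarball.
set -eu

SRC=${SRC:-/usr/src}
PREFIX=${PREFIX:-/usr/local/apache}
OPENSSL_VER=${OPENSSL_VER:-0.9.6}
APACHE_VER=${APACHE_VER:-1.3.14}
MODSSL_DIR=${MODSSL_DIR:-}            # the mod_ssl-2.7.xxxx directory from the article
EXPECTED_SHA256=${EXPECTED_SHA256:-}
SERVER_CRT=${SERVER_CRT:-}            # leave empty to have make certificate build a test cert
SERVER_KEY=${SERVER_KEY:-}

# Hex SHA-256 of a file, with whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# 0 only if the file's digest equals the expected one. A tarball that fails
# this check must never reach ./config, whatever the download page said.
tarball_ok() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# 0 only if the file exists and carries no group or other permission bits
# (mode 0600 or 0400). Parses ls -l so it behaves the same on GNU and BSD.
key_perms_ok() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

build_openssl() {
    cd "$SRC"
    tarball_ok "openssl-$OPENSSL_VER.tar.gz" "$EXPECTED_SHA256" || {
        echo "openssl-$OPENSSL_VER.tar.gz: digest mismatch, refusing to build" >&2
        return 1
    }
    tar xzf "openssl-$OPENSSL_VER.tar.gz"   # same as gunzip followed by tar -xvf
    cd "openssl-$OPENSSL_VER"
    ./config
    make
    make test                               # a failing self-test is a stop, not a warning
    make install
}

build_apache_with_modssl() {
    [ -n "$MODSSL_DIR" ] || { echo "set MODSSL_DIR to the unpacked mod_ssl directory" >&2; return 1; }
    cd "$SRC/$MODSSL_DIR"
    if [ -n "$SERVER_CRT" ]; then
        # A purchased certificate and its key: the --with-crt/--with-key options
        # from the article. No backslash after the last option. --prefix is
        # passed through to Apache's configure (assumed, not from the article).
        ./configure --with-apache="../apache_$APACHE_VER" \
                    --with-ssl="../openssl-$OPENSSL_VER" \
                    --with-crt="$SERVER_CRT" \
                    --with-key="$SERVER_KEY" \
                    --prefix="$PREFIX"
    else
        ./configure --with-apache="../apache_$APACHE_VER" \
                    --with-ssl="../openssl-$OPENSSL_VER" \
                    --prefix="$PREFIX"
    fi
    cd "../apache_$APACHE_VER"
    make
    if [ -z "$SERVER_CRT" ]; then
        make certificate TYPE=test          # self-signed test certificate, as in the Certificate section
    fi
    make install
}

# mod_ssl installs the key as conf/ssl.key/server.key under the prefix
# (assumed default layout). Anyone who can read it can impersonate the server.
post_install_checks() {
    key="$PREFIX/conf/ssl.key/server.key"
    if key_perms_ok "$key"; then
        echo "ok: $key is readable by its owner only"
    else
        echo "FIX: chmod 600 $key (private key must not be group/world readable)" >&2
        return 1
    fi
}

# The build only runs when asked for, so the file can be sourced for its checks.
if [ "${DO_BUILD:-no}" = yes ]; then
    build_openssl
    build_apache_with_modssl
    post_install_checks
fi
```

Run it as `DO_BUILD=yes EXPECTED_SHA256=<digest> MODSSL_DIR=<dir> sh build-ssl-apache.sh`; without DO_BUILD=yes it only defines the functions, so tarball_ok and key_perms_ok can be sourced and reused on their own, for instance from a cron job that re-checks the key's mode.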
<BR>Certificate <BR>
You need a certificate. It's going to cost you a little money. There are a few companies (VeriSign, for example) that sell secure server certificates that are automatically accepted by the major browsers. <BR>
You can generate one of your own, but it will show up in the client's browser as untrusted, and users will have to decide whether they are willing to accept it. A self-signed certificate still encrypts the connection, but it proves nothing about who is at the other end: an attacker in the middle can present a self-signed certificate of his own, and users who have been taught to click through the warning will accept it just the same. Use one for testing only. <BR>
Once you have gone through the painful process of purchasing a certificate, you'll be able to use the --with-crt and --with-key options above to tell mod_ssl to use that certificate and key. Keep the key file readable by root only (mode 0600): anyone who can read it can impersonate your server for as long as the certificate remains valid. <BR>
If you don't have a certificate, skip those two options, and add a make certificate between the make and the make install at the end of the process. This will generate a test certificate for you to use while you're waiting for the real one to arrive. <BR>
Configuration <BR>
The above process added a large number of directives to your configuration file. You should look through httpd.conf and see what sorts of new things are in there. As you learn more about SSL, the things in there will begin to make more sense. The purpose of this article is to get you running with SSL as quickly as possible, and so I'm not going to spend a lot of time on configuration, except to make the following important point. <BR>
SSL and name-based virtual hosts <BR>
Because of the way SSL works, you can't use SSL on name-based virtual hosts. There are no configuration tricks that you can do to make this work. SSL must run on the primary name of the IP address on which it answers. This has to do with the order in which things are said in the SSL handshake: the server sends its certificate, and the encrypted connection is established, before the client ever tells the server what host or document it is looking for, so by the time Apache could choose a virtual host by name, the certificate is already on the wire. 
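An added example, not from the original article, that turns the point above into a check you can run against httpd.conf before starting the server: it flags any address that carries more than one SSLEngine-on virtual host, which is exactly the situation in which the server cannot know which certificate to present, and any SSL virtual host sitting on an address that NameVirtualHost declares name-based. The configuration fragment it audits is constructed for the example; its addresses, hostnames and certificate paths are made up, while the directive names (NameVirtualHost, VirtualHost, SSLEngine, SSLCertificateFile, SSLCertificateKeyFile) are the standard Apache 1.3 and mod_ssl ones.

```shell
#!/bin/sh
# Added example, not code from the original article: an audit of httpd.conf for
# the configuration this section warns against, SSL enabled on name-based
# virtual hosts. It reports (a) every address that carries more than one
# SSLEngine-on <VirtualHost>, since the client names no host before the
# certificate is chosen and only the first host's certificate can ever be served,
# and (b) every SSL <VirtualHost> whose address is declared NameVirtualHost.
# The httpd.conf fragment below is constructed for the example; its hostnames
# and paths are made up.
set -eu

# Print one line per problem found in the given httpd.conf (one address per
# <VirtualHost> line; Include directives are not followed).
audit_ssl_vhosts() {
    awk '
        tolower($1) == "namevirtualhost" { nvh[$2] = 1 }
        tolower($1) == "<virtualhost"    { addr = $2; sub(/>$/, "", addr); ssl = 0 }
        tolower($1) == "sslengine" && tolower($2) == "on" { ssl = 1 }
        tolower($1) == "</virtualhost>"  { if (ssl) count[addr]++ }
        END {
            for (a in count) {
                ip = a; sub(/:[0-9]+$/, "", ip)      # NameVirtualHost may omit the port
                if (count[a] > 1)
                    print a " shared by " count[a] " SSL virtual hosts"
                if ((a in nvh) || (ip in nvh))
                    print a " on a NameVirtualHost address"
            }
        }
    ' "$1" | LC_ALL=C sort
}

# Constructed sample: two plain name-based hosts on 10.0.0.1:80 (fine), two SSL
# hosts sharing *:443 (broken), one SSL host alone on 10.0.0.2:443 (the pattern
# that works), and an SSL host on an address declared NameVirtualHost (broken).
write_sample_conf() {
    cat > "$1" <<'EOF'
Listen 80
Listen 443
NameVirtualHost 10.0.0.1:80

<VirtualHost 10.0.0.1:80>
    ServerName www.example.com
</VirtualHost>

<VirtualHost 10.0.0.1:80>
    ServerName shop.example.com
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/www.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/www.key
</VirtualHost>

<VirtualHost *:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/shop.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/shop.key
</VirtualHost>

<VirtualHost 10.0.0.2:443>
    ServerName secure.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/secure.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/secure.key
</VirtualHost>

NameVirtualHost 10.0.0.3
<VirtualHost 10.0.0.3:443>
    ServerName other.example.com
    SSLEngine on
</VirtualHost>
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
audit_ssl_vhosts "$conf"
# prints:
# *:443 shared by 2 SSL virtual hosts
# 10.0.0.3:443 on a NameVirtualHost address
rm -f "$conf"
```

Point audit_ssl_vhosts at a real httpd.conf to audit it; an empty result means every SSL virtual host has an IP address to itself. The awk parser is deliberately minimal: it reads one address per `<VirtualHost>` line and does not follow Include directives, so run it over every file that defines virtual hosts.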
<BR>So, in order to run SSL on multiple virtual hosts, you'll need to use IP-based virtual hosts: one IP address per certificate. This is being addressed in upcoming revisions to the SSL protocol, but that could be a while away. (It was eventually addressed by the TLS Server Name Indication extension, RFC 6066, which has the client name the host in its first handshake message; Apache's mod_ssl supports it from httpd 2.2.12 with OpenSSL 0.9.8f or later, never on the Apache 1.3 line described here.) <BR>
More information <BR>
One of the clearest explanations of how mod_ssl works is Ralf Engelschall's talk from ApacheCon in London. You can see this talk at <A HREF="http://www.modssl.org/docs/apachecon2000/">http://www.modssl.org/docs/apachecon2000/</A>. I was able to attend that talk, and learned a lot of interesting things. <BR>
The talk also has a step-by-step guide for installing mod_ssl. It does things a little differently than I do above, and it might give you some additional insight into what's going on. <BR>
Conclusion <BR>
The documentation that comes with OpenSSL and mod_ssl is pretty complete. The trick is in knowing that you have to install both in order to make things work. Reading the docs for both will teach you a lot about how the technologies work, as well as how to get them working. <BR> <BR>
-- <BR> <BR> Shadows and dust <BR> <BR>
※ Source: BBS 水木清华站 smth.org [FROM: 166.111.168.2] <BR></BODY></HTML>