Using SSL certificates with Apache and with nginx
When using the certificate, I used a single-sign SSL key.
SSL single sign will be covered in a later post.
When testing on Windows, register the www.web.com / web.com domains in /windows/system32/drivers/etc/hosts.
- Install the mod_ssl package so Apache can use the SSL certificate.
[root@CentOS7 ~]# yum install -y mod_ssl
- Edit the ssl.conf file.
[root@CentOS7 ~]# vi /etc/httpd/conf.d/ssl.conf
    NameVirtualHost *:443
    <VirtualHost *:443>
        ServerName web.com
        ServerAlias www.web.com
        SSLEngine on
        # Only SSLv2 is disabled here: SSLv3 stays enabled if the OpenSSL build supports it,
        # and the cipher string still admits RC4 and LOW-grade suites. On a production
        # host restrict this to TLS-only protocols and a stricter cipher list.
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/pki/tls/certs/web.crt
        SSLCertificateKeyFile /etc/pki/tls/private/web.key
        SSLCACertificateFile /etc/pki/tls/certs/webca.crt
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
        ErrorLog logs/example.com-ssl_error_log
        TransferLog logs/example.com-ssl_access_log
        LogLevel warn
        CustomLog logs/example.com-ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
- Test access to the web site.
- Force a switch to https when the site is accessed over http.
[root@CentOS7 httpd]# vi conf.d/httpd-vhosts.conf
    <VirtualHost *:80>
        ServerAdmin admin@web.com
        DocumentRoot /var/www/html/
        ServerName web.com
        ServerAlias www.web.com
        <Location />
            RedirectMatch /(.*)$ https://www.web.com/$1
        </Location>
        ErrorLog /var/www/html/web.com/logs/web.com-error_log
        CustomLog /var/www/html/web.com/logs/web.com-access_log common
    </VirtualHost>
- Migrating the service from Apache to nginx
[root@CentOS7 ~]# yum install -y nginx php-fpm
[root@CentOS7 ~]# vi /etc/nginx/nginx.conf
    # at the end of the http { ... } block
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}
[root@CentOS7 ~]# vi /etc/nginx/conf.d/default.conf
    server {
        listen 80;
        server_name localhost;
        charset UTF-8;
        root /usr/share/nginx/html;
        index index.php index.html index.htm;

        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            #fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
[root@CentOS7 ~]# vi /etc/php-fpm.d/www.conf
    user = nginx
    group = nginx
    ; the listen.* settings below only take effect when php-fpm listens on a unix socket;
    ; with the TCP listener 127.0.0.1:9000 used above they are ignored
    listen.owner = nginx
    listen.group = nginx
    listen.mode = 0660
[root@CentOS7 ~]# systemctl enable php-fpm
[root@CentOS7 ~]# systemctl start php-fpm
[root@CentOS7 ~]# systemctl start nginx   # cannot bind :80/:443 while httpd still holds them
- Virtualhost configuration
[root@CentOS7 ~]# vi /etc/nginx/conf.d/default.conf
    # only the changed line is shown; the rest of the server block is unchanged
    server {
        listen 80 default_server;
        server_name localhost;
[root@CentOS7 ~]# mkdir -p /var/www/html/web.com/{public_html,logs}
[root@CentOS7 ~]# mkdir /etc/nginx/sites-enabled
[root@CentOS7 ~]# vi /etc/nginx/sites-enabled/web_com.conf
    server {
        listen 80;
        server_name www.web.com web.com;
        root /var/www/html/web.com/public_html;
        index index.php index.html index.htm;

        location / {
            return 301 https://web.com$request_uri;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

    server {
        # "listen 443 ssl;" replaces the deprecated "ssl on;" directive
        listen 443 ssl;
        server_name www.web.com web.com;
        root /var/www/html/web.com/public_html;
        index index.php index.html index.htm;

        location / {
            try_files $uri $uri/ /index.php?$query_string;
            # exposes directory listings for paths without an index file
            autoindex on;
        }

        access_log /var/www/html/web.com/logs/access.log;
        error_log /var/www/html/web.com/logs/error.log warn;

        ssl_certificate /etc/pki/tls/certs/web.crt;
        ssl_certificate_key /etc/pki/tls/private/web.key;
        ssl_session_timeout 5m;
        # TLSv1 and TLSv1.1 are kept as in the original setup; drop them unless legacy clients need them
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
- Test the web page.
- Verify that a request to www.web.com on port 80 is automatically redirected to https on port 443.
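A small check script for these last two steps, added here as an example and not part of the original post: check_redirect reads the raw response headers of http://www.web.com/ and passes only for a redirect status with an https:// Location, and cert_matches_key compares the modulus of web.crt and web.key so a mismatched pair is caught before httpd or nginx is restarted (it assumes an RSA key, which the post does not state).

```shell
#!/bin/sh
# Verification helpers for the vhosts above (added example, not from the post).

# check_redirect: reads raw HTTP response headers on stdin; succeeds only when the
# status line carries a redirect code and the Location header is an https:// URL.
check_redirect() {
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p')
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$status" in
        301|302|307|308) ;;
        *) echo "FAIL: expected a redirect status, got '${status:-none}'"; return 1 ;;
    esac
    case "$location" in
        https://*) echo "OK: $status -> $location"; return 0 ;;
        *) echo "FAIL: Location is not https: '${location:-none}'"; return 1 ;;
    esac
}

# cert_matches_key: compares the RSA modulus of a certificate and a private key
# (assumption: web.key is an RSA key). Both httpd and nginx reject a mismatched
# pair at startup, so run this before restarting the service.
cert_matches_key() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1") || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2") || return 1
    [ "$crt_mod" = "$key_mod" ]
}

# Live usage on the host (needs curl, openssl and the hosts entry from the post):
#   cert_matches_key /etc/pki/tls/certs/web.crt /etc/pki/tls/private/web.key && echo "cert/key OK"
#   curl -sI --max-time 5 http://www.web.com/ | check_redirect
```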