[CentOS7] apache ssl 인증서 사용 및 nginx ssl 인증서 사용

2019-02-05 by sanjuk·0 Comments

apache ssl 인증서 사용 및 nginx ssl 인증서 사용

인증서 사용시 싱글 사인 ssl key 를 사용 하였습니다.

ssl single sign 의 경우 차후 포스팅 하겠습니다.

Windows 에서 테스트 할경우 /windows/system32/drivers/etc/hosts 에 www.web.com / web.com 도메인을 등록 합니다.

apache 에서 ssl 인증서를 사용 하기 위하여 mod_ssl 패키지를 설치 합니다.

[root@CentOS7 ~]# yum install -y mod_ssl

ssl.conf 파일을 수정 합니다.

[root@CentOS7 ~]# vi /etc/httpd/conf.d/ssl.conf
NameVirtualHost *:443

<VirtualHost *:443>
ServerName web.com
ServerAlias www.web.com
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/web.crt
SSLCertificateKeyFile /etc/pki/tls/private/web.key
SSLCACertificateFile /etc/pki/tls/certs/webca.crt

 <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
 </Files>
 <Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
 </Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
ErrorLog logs/example.com-ssl_error_log
TransferLog logs/example.com-ssl_access_log
LogLevel warn
CustomLog logs/example.com-ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

web site 접속 테스트를 합니다.

http 로 접속 하면 강제로 https 로 전환

[root@CentOS7 httpd]# vi conf.d/httpd-vhosts.conf
<VirtualHost *:80>
       ServerAdmin admin@web.com
       DocumentRoot /var/www/html/
       ServerName web.com
       ServerAlias www.web.com
<Location />
RedirectMatch /(.*)$ https://www.web.com/$1
</Location>
       ErrorLog /var/www/html/web.com/logs/web.com-error_log
       CustomLog /var/www/html/web.com/logs/web.com-access_log common
</VirtualHost>

apache 에서 nginx 서비스 이관

[root@CentOS7 ~]# yum install -y nginx php-fpm
[root@CentOS7 ~]# vi /etc/nginx/nginx.conf
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}
[root@CentOS7 ~]# vi /etc/nginx/conf.d/default.conf
server {
    listen       80;
    server_name  localhost;

    charset UTF-8;

        root   /usr/share/nginx/html;
        index  index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        #fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

}

[root@CentOS7 ~]# vi /etc/php-fpm.d/www.conf
user = nginx
group = nginx

listen.owner = nginx
listen.group = nginx
listen.mode = 0660

[root@CentOS7 ~]# systemctl enable php-fpm
[root@CentOS7 ~]# systemctl start php-fpm
[root@CentOS7 ~]# systemctl start nginx

Virtualhost 설정

[root@CentOS7 ~]#  vi /etc/nginx/conf.d/default.conf
server {
    listen       80 default_server;
    server_name  localhost;

[root@CentOS7 ~]# mkdir -p /var/www/html/web.com/{public_html,logs}
[root@CentOS7 ~]# mkdir /etc/nginx/sites-enabled
[root@CentOS7 ~]# vi /etc/nginx/sites-enabled/web_com.conf
server {
    listen       80;
    server_name  www.web.com web.com;
    root   /var/www/html/web.com/public_html;
    index  index.php index.html index.htm;
    location / {
        return 301 https://web.com$request_uri;
    }


    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }
}

server {
    listen       443;
    server_name  www.web.com web.com;
    root   /var/www/html/web.com/public_html;
    index  index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        autoindex on;
    }

    access_log  /var/www/html/web.com/logs/access.log;
    error_log  /var/www/html/web.com/logs/error.log warn;
    ssl         on;
    ssl_certificate      /etc/pki/tls/certs/web.crt;
    ssl_certificate_key  /etc/pki/tls/private/web.key;
    ssl_session_timeout  5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Web page 테스트를 진행 합니다.
80 port www.web.com 접속을 하여도 443 https 로 자동으로 넘어 가는지 확인 합니다.

관련

답글 남기기 답글 취소하기

댓글을 달기 위해서는 로그인해야합니다.

%d 블로거가 이것을 좋아합니다: