Self-signed SSL certificate for Apache

15.01.2021

Test web servers often need HTTPS (an SSL certificate) set up.

This note walks through setting up a self-signed SSL certificate in Apache.

First, install mod_ssl:

    yum -y install mod_ssl

Next, create the private-key directory, generate the certificate and the DH parameters, and then append the DH parameters to the certificate file:

    mkdir /etc/ssl/private
    chmod 700 /etc/ssl/private
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
    openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
    cat /etc/ssl/certs/dhparam.pem | sudo tee -a /etc/ssl/certs/apache-selfsigned.crt
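The `openssl req` command above puts the hostname only in the certificate's CN. Modern browsers ignore the CN and require a subjectAltName extension, so a self-signed test certificate made this way is rejected even after the user accepts it. The script below is an added example, not part of the original note: it generates the key and certificate with a SAN covering the vhost's ServerName and ServerAlias (the note's `gosthotels.local` names, here as arguments), and adds the checks a practitioner wants before restarting httpd: that the private key really belongs to the certificate, that every hostname is covered, and that the certificate has not expired. The output directory is an assumption passed by the caller; the dhparam step is unchanged from the note and is not repeated here.

```shell
#!/bin/sh
# Added example (not from the original note). Generates a self-signed
# certificate like the note does, but with a subjectAltName extension, and
# provides checks for key/cert match, hostname coverage and expiry.
# Hostnames are taken from the note's virtual host; the directory is an
# assumption supplied by the caller.

# make_selfsigned_cert DIR NAME [ALT_NAME...]: writes DIR/NAME.key and DIR/NAME.crt
make_selfsigned_cert() {
    dir=$1; name=$2; shift 2
    san="DNS:$name"
    for alt in "$@"; do san="$san,DNS:$alt"; done
    # Extensions via a config file: works on OpenSSL 1.0.2 (CentOS 7) as well as
    # 1.1.x/3.x, unlike the newer -addext option.
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $name
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" \
        -config "$dir/$name.cnf" 2>/dev/null
    chmod 600 "$dir/$name.key"
}

# key_matches_cert KEY CRT: succeeds when the public key in CRT is derived from KEY
key_matches_cert() {
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    b=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_covers_name CRT HOST: succeeds when HOST is listed in the SAN extension
# (the -text output is joined into one line so the SAN entries can be matched
# as fixed strings followed by "," or a space)
cert_covers_name() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | tr -d '\n' \
        | grep -qF -e "DNS:$2," -e "DNS:$2 "
}

# cert_not_expired CRT [SECONDS]: succeeds if CRT is still valid SECONDS from now
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Demo: build the pair in a temporary directory and run the checks
workdir=$(mktemp -d)
make_selfsigned_cert "$workdir" gosthotels.local www.gosthotels.local
if key_matches_cert "$workdir/gosthotels.local.key" "$workdir/gosthotels.local.crt"; then
    echo "key matches certificate"
fi
for h in gosthotels.local www.gosthotels.local other.local; do
    if cert_covers_name "$workdir/gosthotels.local.crt" "$h"; then
        echo "covered: $h"
    else
        echo "NOT covered: $h"
    fi
done
openssl x509 -in "$workdir/gosthotels.local.crt" -noout -subject -enddate
rm -rf "$workdir"
```

Run `key_matches_cert` again after any manual edit of the bundle (the `tee -a` step appends to the certificate file; a stray edit that breaks the PEM block is caught here instead of at httpd start), and `cert_not_expired /etc/ssl/certs/apache-selfsigned.crt 2592000` in a cron job warns 30 days before the 365-day certificate runs out.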

All that is left is to create the configuration file (NAME-ssl.RU.conf):

    <VirtualHost *:443>
        SSLEngine on
        ServerName gosthotels.local
        ServerAlias www.gosthotels.local
        DocumentRoot /home/public/gosthotels.local/www
        <Directory /home/public/gosthotels.local/www>
            Options FollowSymLinks
            AllowOverride All
            # Order/Allow are Apache 2.2 directives (need mod_access_compat on 2.4);
            # Require all granted is the 2.4 form
            Order allow,deny
            Allow from all
            Require all granted
        </Directory>
        #Error log
        ErrorLog /home/public/gosthotels.local/logs/error.log

        #Access log
        #CustomLog /home/public/gosthotels.local/logs/access.log common

        php_admin_flag register_globals 0
        php_admin_value date.timezone 'Europe/Moscow'
        php_admin_value open_basedir /home/public/gosthotels.local/
        php_admin_value max_execution_time 60
        php_admin_value upload_max_filesize 50M
        php_admin_value upload_tmp_dir /home/public/gosthotels.local/tmp
        php_admin_value session.save_path /home/public/gosthotels.local/tmp

        SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
        SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

    </VirtualHost>

    # Begin copied text
    # from https://cipherli.st/
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
    ##--Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    # Requires Apache >= 2.4
    SSLCompression off
    SSLUseStapling on
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
    # Requires Apache >= 2.4.11
    # SSLSessionTickets Off
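The hardening block is easy to get subtly wrong: `SSLProtocol All -SSLv2 -SSLv3` still leaves TLS 1.0 and 1.1 enabled, and a `Header` line that is commented out sets nothing. The script below is an added example, not part of the original note or of the cipherli.st material: a small lint that reads an Apache config file, skips commented-out lines, works out which protocol versions an `SSLProtocol` directive actually leaves enabled (Apache's `[+|-]protocol` syntax, where `all` means every version) and reports settings weaker than the note's own recommendations. It runs the note's settings next to a hardened variant that allows TLS 1.2 only (on Apache 2.4.37+ with OpenSSL 1.1.1+ you would add `+TLSv1.3`; CentOS 7's Apache 2.4.6 cannot). Both sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original note): lint the SSL hardening
# directives of an Apache config file. Sample configs below are constructed.

# remove_proto LIST NAME: echo LIST without NAME
remove_proto() {
    out=""
    for p in $1; do
        [ "$p" = "$2" ] || out="$out $p"
    done
    echo $out
}

# enabled_protocols TOKEN...: protocol versions an SSLProtocol value leaves enabled
enabled_protocols() {
    enabled=""
    for tok in "$@"; do
        case "$tok" in
            [Aa][Ll][Ll]|+[Aa][Ll][Ll]) enabled="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" ;;
            -[Aa][Ll][Ll]) enabled="" ;;
            -*) enabled=$(remove_proto "$enabled" "${tok#-}") ;;
            +*) enabled="$enabled ${tok#+}" ;;
            *)  enabled="$enabled $tok" ;;
        esac
    done
    echo $enabled
}

# lint_ssl_conf FILE: findings on stderr, number of findings on stdout
lint_ssl_conf() {
    findings=0
    # Drop leading whitespace and comment lines, so "#Header ..." does not count as set
    conf=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' "$1")
    proto=$(printf '%s\n' "$conf" | awk 'tolower($1)=="sslprotocol" {$1=""; print}')
    # Apache 2.4 default when the directive is absent (assumed 2.4.17+): all -SSLv3
    [ -n "$proto" ] || proto="all -SSLv3"
    for p in $(enabled_protocols $proto); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "weak: SSLProtocol leaves $p enabled" >&2
                findings=$((findings + 1)) ;;
        esac
    done
    printf '%s\n' "$conf" | grep -qi '^SSLCompression[[:space:]]*off' \
        || { echo "weak: SSLCompression is not off" >&2; findings=$((findings + 1)); }
    printf '%s\n' "$conf" | grep -qi '^SSLHonorCipherOrder[[:space:]]*on' \
        || { echo "weak: SSLHonorCipherOrder is not on" >&2; findings=$((findings + 1)); }
    printf '%s\n' "$conf" | grep -qi '^Header.*Strict-Transport-Security' \
        || { echo "weak: no Strict-Transport-Security header" >&2; findings=$((findings + 1)); }
    echo "$findings"
}

# Constructed sample 1: the note's settings as written
NOTE_CONF='SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on'

# Constructed sample 2: the same block with TLS 1.2 only
HARDENED_CONF='SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol -all +TLSv1.2
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on'

# Demo: lint both samples
workdir=$(mktemp -d)
printf '%s\n' "$NOTE_CONF" > "$workdir/note.conf"
printf '%s\n' "$HARDENED_CONF" > "$workdir/hardened.conf"
for f in note hardened; do
    echo "== $f.conf: $(lint_ssl_conf "$workdir/$f.conf") finding(s)"
done
rm -rf "$workdir"
```

On the note's block the lint reports two findings (TLSv1 and TLSv1.1 left enabled) and none on the hardened variant. Point it at the real file with `lint_ssl_conf /etc/httpd/conf.d/NAME-ssl.RU.conf` before `apachectl configtest` and a restart.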


Categories: Web, Apache, Linux, CentOS
Tags: Apache https setup on CentOS 7