Contents
Note: see also the RPM page.
# yum remove httpd apr apr-util
# su - rpmdevel
$ cd /home/rpmdevel/src
$ wget http://ftp.riken.jp/Linux/fedora/releases/18/Everything/source/SRPMS/d/distcache-1.4.5-23.src.rpm
$ rpmbuild --rebuild distcache-1.4.5-23.src.rpm
$ cd /home/rpmdevel/rpm/RPMS/i686
$ sudo rpm -Uvh distcache-1.4.5-23.i686.rpm distcache-devel-1.4.5-23.i686.rpm
# yum -y install pcre-devel
# su - rpmdevel
$ cd /home/rpmdevel/src
$ wget http://ftp.riken.jp/net/apache/httpd/httpd-2.2.24.tar.gz
$ rpmbuild -tb --clean httpd-2.2.24.tar.gz
$ cd /home/rpmdevel/rpm/RPMS/i686
$ sudo rpm -Uvh httpd-2.2.24-1.i686.rpm
$ sudo rpm -Uvh httpd-devel-2.2.24-1.i686.rpm
$ sudo rpm -Uvh mod_ssl-2.2.24-1.i686.rpm
# vi /etc/httpd/conf/httpd.conf
Change the user and group:
User daemon
Group daemon
↓
User apache
Group apache
Set the server name:
ServerName www.example.com:80
↓
ServerName XXXXXXXXXXX:80
# cd /etc/pki/tls
# cp misc/CA.sh .
# ./CA.sh -newca
CA certificate filename (or enter to create)   ← press Enter
Making CA certificate ...
Generating a 1024 bit RSA private key
.....++++++
................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:   ← enter the private key pass phrase
Verifying password - Enter PEM pass phrase:   ← enter it again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:   ← JP
State or Province Name (full name) [Some-State]:   ← prefecture
Locality Name (eg, city) []:   ← city/town
Organization Name (eg, company) [Internet Widgits Pty Ltd]:   ← company name
Organizational Unit Name (eg, section) []:   ← department
Common Name (eg, YOUR name) []:   ← (*)
Email Address []:   ← e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   ← press Enter
An optional company name []:   ← press Enter
Enter pass phrase for ./demoCA/private/./cakey.pem:   ← enter the private key pass phrase
(*) Unless this is set to the server's URL (or server name?), a warning was written to the Apache log.
After the above steps, set the permissions:
# chmod 600 /etc/pki/CA/private/cakey.pem
# chmod 700 /etc/pki/CA/private
# openssl x509 -in /etc/pki/CA/cacert.pem -text
# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.............++++++
....++++++
e is 65537 (0x10001)
Check:
# ls server.key
# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:   ← JP
State or Province Name (full name) [Some-State]:   ← prefecture
Locality Name (eg, city) []:   ← city/town
Organization Name (eg, company) [Internet Widgits Pty Ltd]:   ← company name
Organizational Unit Name (eg, section) []:   ← department
Common Name (eg, YOUR name) []:   ← (*)
Email Address []:   ← e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   ← press Enter
An optional company name []:   ← press Enter
(*) Unless this is set to the server's URL (or server name?), a warning was written to the Apache log.
Check:
# ls server.key server.csr
# echo 01 > ca-cert.srl
# openssl x509 -CA cacert.pem -CAkey private/cakey.pem -CAserial ca-cert.srl -req -days 3650 -in server.csr -out server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:   ← enter the private key pass phrase
Check:
# ls server.key server.csr server.crt
Move the private key and certificate:
# mkdir /etc/httpd/conf/ssl
# mv server.key /etc/httpd/conf/ssl
# mv server.crt /etc/httpd/conf/ssl
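The CA.sh and openssl steps above, driven non-interactively, as an added example that is not from the original page: it creates a private CA, a server key and CSR, signs the CSR with the CA, and then runs the checks worth doing before pointing SSLCertificateFile and SSLCertificateKeyFile at the result (the chain verifies against the CA, the certificate's CN is the intended ServerName so that Apache does not log the warning noted above, and both private keys are mode 600). It assumes openssl is on PATH; the work directory, the hostname www.example.com, the 2048-bit keys with SHA-256 signatures in place of the page's 1024-bit keys, and the subjectAltName extension (which current clients require alongside the CN) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: the CA.sh/openssl steps above,
# driven non-interactively, followed by checks on the result.
# Assumptions: openssl is on PATH; WORK (a temp dir) and SERVER_NAME are
# constructed placeholders; 2048-bit keys and SHA-256 replace the page's
# 1024-bit keys; the subjectAltName extension is this example's addition.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_NAME="${SERVER_NAME:-www.example.com}"

# Minimal openssl.cnf so that "openssl req -subj" works on any host.
req_config() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
    echo "$WORK/req.cnf"
}

# Private CA: the equivalent of "CA.sh -newca" (CA key plus self-signed CA cert).
make_ca() {
    mkdir -p "$WORK/ca/private"
    chmod 700 "$WORK/ca/private"
    openssl genrsa -out "$WORK/ca/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$WORK/ca/private/cakey.pem"
    openssl req -new -x509 -config "$(req_config)" -sha256 -days 3650 \
        -key "$WORK/ca/private/cakey.pem" -out "$WORK/ca/cacert.pem" \
        -subj "/C=JP/O=Example/CN=Example Private CA" 2>/dev/null
}

# Server key and CSR; the CN is the ServerName so that Apache does not warn.
make_server_csr() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    chmod 600 "$WORK/server.key"
    openssl req -new -config "$(req_config)" -key "$WORK/server.key" \
        -out "$WORK/server.csr" -subj "/C=JP/O=Example/CN=$SERVER_NAME" 2>/dev/null
}

# Sign the CSR with the CA, as the page's "openssl x509 -CA ... -req" does,
# adding a DNS subjectAltName (current clients ignore the CN without one).
sign_server_cert() {
    echo 01 > "$WORK/ca/ca-cert.srl"
    printf 'subjectAltName=DNS:%s\n' "$SERVER_NAME" > "$WORK/san.ext"
    openssl x509 -req -sha256 -days 3650 -in "$WORK/server.csr" \
        -CA "$WORK/ca/cacert.pem" -CAkey "$WORK/ca/private/cakey.pem" \
        -CAserial "$WORK/ca/ca-cert.srl" -extfile "$WORK/san.ext" \
        -out "$WORK/server.crt" 2>/dev/null
}

# ---- checks --------------------------------------------------------------

# Does the server certificate chain to our CA? (exit status)
verify_chain() {
    openssl verify -CAfile "$WORK/ca/cacert.pem" "$WORK/server.crt" >/dev/null 2>&1
}

# CN of the server certificate, in either the old or the new -subject format.
cert_cn() {
    openssl x509 -in "$WORK/server.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Is the given host name present as a DNS SAN? (exit status)
cert_has_san() {
    openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "DNS:$1"
}

# A private key must be owner read/write only, like the page's chmod 600.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

main() {
    make_ca
    make_server_csr
    sign_server_cert
    verify_chain
    cert_has_san "$SERVER_NAME"
    key_is_private "$WORK/server.key"
    key_is_private "$WORK/ca/private/cakey.pem"
    echo "server.crt for $(cert_cn) chains to the CA; files are under $WORK"
}
main
```

Copy server.key and server.crt into /etc/httpd/conf/ssl as the page does, and install cacert.pem on the clients that should trust the server; a CN that differs from the ServerName, or a missing SAN, shows up here as a failed check rather than as a browser error later.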
# vi /etc/httpd/conf/extra/httpd-ssl.conf
Server name:
<VirtualHost _default_:443>
ServerName www.example.com:443
↓
ServerName XXXXXXXXXXXXXXX:443
Server certificate path:
SSLCertificateFile "/etc/httpd/conf/server.crt"
↓
SSLCertificateFile "/etc/httpd/conf/ssl/server.crt"
Private key path:
SSLCertificateKeyFile "/etc/httpd/conf/server.key"
↓
SSLCertificateKeyFile "/etc/httpd/conf/ssl/server.key"
# vi /etc/httpd/conf/httpd.conf
Include the SSL configuration file:
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
↓
Include conf/extra/httpd-ssl.conf   ← uncomment
Check:
# /usr/sbin/apachectl configtest Syntax OK
Start, stop and restart with the following commands:
# /usr/sbin/apachectl start   ← start
# /usr/sbin/apachectl stop   ← stop
# /usr/sbin/apachectl restart   ← restart
Access the server over http and over https; if "It works!" is displayed, it is OK.
A great many modules are loaded, so restrict them to the following and disable the rest (for now):
LoadModule authz_host_module /usr/lib/httpd/modules/mod_authz_host.so
→ authz_host_module documentation
LoadModule log_config_module /usr/lib/httpd/modules/mod_log_config.so
→ log_config_module documentation
LoadModule setenvif_module /usr/lib/httpd/modules/mod_setenvif.so
→ setenvif_module documentation
LoadModule ssl_module /usr/lib/httpd/modules/mod_ssl.so
→ ssl_module documentation
LoadModule mime_module /usr/lib/httpd/modules/mod_mime.so
→ mime_module documentation
LoadModule dav_module /usr/lib/httpd/modules/mod_dav.so
→ dav_module documentation
LoadModule dav_fs_module /usr/lib/httpd/modules/mod_dav_fs.so
→ dav_fs_module documentation
LoadModule rewrite_module /usr/lib/httpd/modules/mod_rewrite.so
→ rewrite_module documentation
LoadModule dav_svn_module /usr/lib/httpd/modules/mod_dav_svn.so
→ dav_svn_module documentation
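The module allow-list above, together with the httpd.conf edits earlier on the page (User/Group and the httpd-ssl.conf Include), as an added configuration check that is not from the original page. It flags every active LoadModule line whose module is not in the allow-list, reports the user and group the server runs as, and confirms that the SSL include is uncommented. The httpd.conf fragment it reads is constructed for the example (it deliberately leaves userdir_module loaded and autoindex_module commented out); the script assumes only POSIX sh, awk and grep.

```shell
#!/bin/sh
# Added example, not from the original page: check an httpd.conf against the
# module allow-list and the User/Group and Include edits described above.
# Assumptions: POSIX sh, awk, grep; SAMPLE_CONF is a constructed fragment.
set -eu

SAMPLE_CONF="${SAMPLE_CONF:-$(mktemp)}"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample httpd.conf fragment (not the page's real file)
User apache
Group apache
ServerName www.example.com:80
LoadModule authz_host_module /usr/lib/httpd/modules/mod_authz_host.so
LoadModule log_config_module /usr/lib/httpd/modules/mod_log_config.so
LoadModule setenvif_module /usr/lib/httpd/modules/mod_setenvif.so
LoadModule ssl_module /usr/lib/httpd/modules/mod_ssl.so
LoadModule mime_module /usr/lib/httpd/modules/mod_mime.so
LoadModule userdir_module /usr/lib/httpd/modules/mod_userdir.so
#LoadModule autoindex_module /usr/lib/httpd/modules/mod_autoindex.so
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
EOF

# The allow-list from the page, as a space-separated string.
ALLOWED="authz_host_module log_config_module setenvif_module ssl_module \
mime_module dav_module dav_fs_module rewrite_module dav_svn_module"

# Module names from active (uncommented) LoadModule lines.
# A leading "#" becomes part of $1, so commented lines never match.
loaded_modules() {
    awk '$1 == "LoadModule" { print $2 }' "$1"
}

# Loaded modules that are not in the allow-list ($2); one per line.
unlisted_modules() {
    conf=$1
    allow=" $2 "
    for m in $(loaded_modules "$conf"); do
        case "$allow" in
            *" $m "*) ;;
            *) echo "$m" ;;
        esac
    done
}

# Exit status 0 when the httpd-ssl.conf Include is present and uncommented.
ssl_included() {
    grep -Eq '^[[:space:]]*Include[[:space:]]+conf/extra/httpd-ssl\.conf' "$1"
}

# "user group" that the server is configured to run as.
run_as() {
    awk '$1 == "User" { u = $2 } $1 == "Group" { g = $2 } END { print u, g }' "$1"
}

main() {
    echo "runs as: $(run_as "$SAMPLE_CONF")"
    if ssl_included "$SAMPLE_CONF"; then
        echo "httpd-ssl.conf is included"
    else
        echo "httpd-ssl.conf is NOT included"
    fi
    extra=$(unlisted_modules "$SAMPLE_CONF" "$ALLOWED")
    if [ -n "$extra" ]; then
        echo "modules loaded outside the allow-list:"
        echo "$extra"
    else
        echo "only allow-listed modules are loaded"
    fi
}
main
```

Run it against the real file with SAMPLE_CONF=/etc/httpd/conf/httpd.conf after editing; any module it lists is one the page's allow-list says should be commented out, and a missing Include means the https virtual host is not being loaded at all.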