2018/07/31

HTTP Server、SSL 操作與設定



Part 1: 自建 private key, 建立 CSR 申請第三方憑證
#private key, need password(keep it)
openssl genrsa -des3 -out private.key 2048

# certificate signing request (CSR)
openssl req -new -key private.key -out domaincsr.csr

#產生如下列問題:
Country Name (2 letter code) [XX]:TW => 填寫國名(兩碼),填完後按下enter
State or Province Name (full name) []:Taiwan =>填寫州或郡,填完後按下enter
Locality Name (eg, city) [Default City]:Taipei =>填寫城市名稱,填完後按下enter
Organization Name (eg, company) [Default Company Ltd]:MyCompany Inc =>填寫公司名稱,填完後按下enter
Organizational Unit Name (eg, section) []:IT Dept =>填寫部門名稱,填完後按下enter
Common Name (eg, your name or your server's hostname) []:www.mydomain.com =>填寫保護網域名稱,填完後按下enter
Email Address []: demo@mydomain.com=>填寫電子郵件地址(可不填),填完後按下enter
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: =>請留空白,按下enter
An optional company name []: =>填寫公司名稱(可不填),填完後按下enter

#利用 domaincsr.csr 申請第三方憑證

refrence url:
1. https://blog.longwin.com.tw/2014/08/apache2-ssl-create-build-setup-2014/
2. https://slproweb.com/products/Win32OpenSSL.html
3. http://wiki.gandi.net/zh-tw/ssl/dcv


Part 2: 申請到憑證之後下載憑證串鏈
至少包含 2 張憑證,分別是
1. 中繼憑證 (第三方單位會提供 or 直接下載)
ex: GandiStandardSSLCA2.pem

2. 第三方單位發下來的憑證 (第三方單位會提供 or 直接下載)
ex: mydomain.crt

Part 3: 製作 HTTP Server 憑證串
#產製沒有加密過的 private key
openssl rsa -in private.key -out server_no_pwd.key

#產製包含 key 和 第三方憑證 PEM 檔案
cat server_no_pwd.key > server.key

cat GandiStandardSSLCA2.pem mydomain.crt > server.pem

Part 4: 確認共有三個檔案內容:
1. 自行產生的 private key: server.key
2. 串聯的憑證: server.pem
3. 第三方認證公司發行的憑證: mydomain.crt


於 Apache2 的設定範例

ServerAdmin admin@mydomain.com.tw
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine on
SSLCertificateFile /var/www/html/gandi_key/server.pem
SSLCertificateKeyFile /var/www/html/gandi_key/server.key
SSLCertificateChainFile /var/www/html/gandi_key/mydomain.crt


SSLOptions +StdEnvVars


SSLOptions +StdEnvVars

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown


於 Ngnix 的設定範例
# HTTPS server
server {
listen 443 ssl;
server_name mydomain.com.tw;
access_log C://data//BackendService//logs//access_log.log;

ssl_stapling on;
ssl_stapling_verify on;

ssl_certificate /ngnix/gandi_key/server.pem
ssl_certificate_key /ngnix/gandi_key/server.key

#ssl_session_cache shared:SSL:1m;
#ssl_session_timeout 5m;

#ssl_ciphers HIGH:!aNULL:!MD5;
#ssl_prefer_server_ciphers on;

ssl_trusted_certificate /ngnix/gandi_key/mydomain.crt

location / {
proxy_pass http://127.0.0.1:4001/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}

NGINX SSL/設定檔案

#user nobody; worker_processes 1; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; #...