配置持久连接这里我们将80,443端口绑定在一起这就会用mangle搭上一个标记
5)安装mod_ssl模块
[root@node3 ~]# yum install mod_ssl
6)申请证书
1 创建CA证书颁发机构
[root@LVS/DR CA]# (umask 077;openssl genrsa 1024 > private/cakey.pem) 创建私钥
Generating RSA private key, 1024 bit long modulus
.................................++++++
..................................++++++
e is 65537 (0x10001)
自签证书
[root@LVS/DR CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:CQ
Locality Name (eg, city) [Default City]:chongqing
Organization Name (eg, company) [Default Company Ltd]:MT
Organizational Unit Name (eg, section) []:teach
Common Name (eg, your name or your server's hostname) []:ca.mictiger.com
Email Address []:
[root@LVS/DR CA]# ls
cacert.pem certs crl newcerts private
[root@LVS/DR CA]# touch index.txt
[root@LVS/DR CA]# touch serial
[root@LVS/DR CA]# echo 01 > serial
2 RealServer生成证书签署请求
生成私钥
[root@node3 conf]# mkdir ssl
[root@node3 ssl]# (umask 077;openssl genrsa 1024 > apache.key)
Generating RSA private key, 1024 bit long modulus
................++++++
....++++++
e is 65537 (0x10001)
证书签署请求
[root@node3 ssl]# openssl req -new -key apache.key -out apache.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:CQ
Locality Name (eg, city) [Default City]:chongqing
Organization Name (eg, company) [Default Company Ltd]:MT
Organizational Unit Name (eg, section) []:teach
Common Name (eg, your name or your server's hostname) []:192.168.1.250
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
scp apache.csr root@192.168.1.150:/tmp
3 CA签署证书
[root@LVS/DR tmp]# openssl ca -in apache.csr -out apache.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 23 04:53:26 2014 GMT
Not After : Nov 23 04:53:26 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = CQ
organizationName = MT
organizationalUnitName = teach
commonName = 192.168.1.250
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
22:5E:3C:6D:27:5A:94:9A:E7:F2:35:0F:76:5A:C0:D6:80:1F:E7:8E
X509v3 Authority Key Identifier:
keyid:CD:4E:2E:C5:F7:BF:B3:6F:5E:23:C7:FB:A6:3B:52:71:6C:70:3A:90
Certificate is to be certified until Nov 23 04:53:26 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@LVS/DR tmp]# scp apache.crt root@192.168.1.130:/etc/httpd/conf/ssl
apache.crt 100% 3047 3.0KB/s 00:00
4 配置Apache的https服务
/etc/httpd/conf.d/ssl.conf 配置如下几个选项
DocumentRoot "/var/www/html"
SSLCertificateFile /etc/httpd/conf/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl/apache.key
5 copy node3的ssl配置到node2并重启httpd服务
[root@node3 httpd]# scp conf.d/ssl.conf root@192.168.1.120:/etc/httpd/conf.d
[root@node3 httpd]# scp -rp conf/ssl/ root@192.168.1.120:/etc/httpd/conf/ssl/ 验证https服务是否配置成功
QQ群⑧:
窥视卡
雷达卡
发表于 2019-1-3 06:56:32
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡