
The previous post, JBoss EAP6.x Domain Cluster + mod_cluster-1.2.6 Load Balancer, covered how to build an EAP cluster; this one covers SSL. Most websites now protect the data exchanged with their users with SSL, and an enterprise with many sites gets more flexibility from a Wildcard SSL Certificate. The steps for setting up an SSL certificate are roughly as shown in the figure below:

[Figure: ssl]

With the setup and usage steps understood, let's put them into practice. The walkthrough uses the wildcard certificate from https://ssl.comodo.com/wildcard-ssl-certificates.p... as the example.

Step 01: Generate the private key with the command openssl genrsa -out server.key 2048 (no passphrase protection on the key)

[root@eap-dev jboss]# pwd
/opt/jboss
[root@eap-dev jboss]# rpm -qa | grep openssl
openssl-1.0.1e-42.el7.x86_64
openssl-libs-1.0.1e-42.el7.x86_64

[root@eap-dev jboss]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
............+++
...........................+++
e is 65537 (0x10001)

Note: adding the -des3 option passphrase-protects the private key, as shown below

[root@eap-dev jboss]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
....+++
.........+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

[Figure: server-key]

Step 02: Generate the CSR and fill in the certificate details with the command openssl req -new -key server.key -out xxx.CSR

[root@eap-dev jboss]# openssl req -new -key server.key -out EAP-DEV.CSR
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan
Locality Name (eg, city) [Default City]:Taichung
Organization Name (eg, company) [Default Company Ltd]:xxxxxx Industrial Corp.
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:*.xxxxxx.com
Email Address []:tech.admin@xxxxxx.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[Figure: server-csr]

The generated CSR looks something like the figure below:

[Figure: server-csr-content]

Step 03: Request the certificate from the CA, comodo.com

[Figure: Comodo-ssl-wildcard]

Once COMODO's validation succeeds you receive two files, yourDomainName.crt and yourDomainName.ca-bundle:

a. Copy the server.key (the private key generated in Step 01) to /etc/ssl/ssl.key/

b. Copy the two files from COMODO, STAR_yourDomainName.crt and STAR_yourDomainName.ca-bundle, to /etc/ssl/ssl.crt/

 

The three steps above only have to be done once. From then on, copying these three files, server.key, STAR_yourDomainName.crt and STAR_yourDomainName.ca-bundle, to another host is enough to give it SSL protection.
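The following script is an added example (it is not from the original post) that runs Steps 01 to 03 end to end and adds the checks worth doing before the three files go under /etc/ssl: that the CSR really carries the public half of server.key, what CN the CA will see, and, once the certificate is back, that it chains to the ca-bundle and belongs to this key. It assumes openssl is in PATH, uses the placeholder domain example.com, and signs the CSR with a throwaway local CA so it runs offline; in production the .crt and .ca-bundle come back from Comodo. Remember that server.key is the only secret in the set: any host that receives a copy can terminate TLS for the whole wildcard, so keep it mode 0600 and copy it only over a trusted channel.

```shell
#!/bin/sh
# Added example, not from the original post: the three one-time steps (key,
# CSR, certificate) plus the consistency checks to run before copying the
# files under /etc/ssl. Assumptions: openssl in PATH, placeholder domain
# example.com, and a throwaway local CA standing in for Comodo (offline run).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 01 + 02: unencrypted 2048-bit key and a CSR whose CN is the wildcard.
# -subj fills in the DN non-interactively (values mirror the post's answers).
make_wildcard_csr() {
    domain="$1"
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/C=TW/ST=Taiwan/L=Taichung/O=Example Corp/OU=IT/CN=*.$domain" 2>/dev/null
    [ -s "$WORK/server.csr" ]
}

# Fingerprint of an RSA modulus; key, CSR and certificate must all share it.
modulus_md5() {            # $1: rsa|req|x509   $2: file
    openssl "$1" -noout -modulus -in "$2" 2>/dev/null | openssl md5
}

# Does the CSR really carry the public half of server.key?
csr_matches_key() {
    [ "$(modulus_md5 rsa "$WORK/server.key")" = "$(modulus_md5 req "$WORK/server.csr")" ]
}

# The CN the CA will put into the certificate (handles 1.0.x and 1.1+ output).
csr_common_name() {
    openssl req -noout -subject -in "$WORK/server.csr" | sed 's/.*CN *= *//'
}

# Step 03 stand-in: a local test CA signs the CSR. In production the .crt and
# .ca-bundle come from Comodo; this exists only so the checks below can run.
issue_with_local_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -subj "/CN=Local Test CA" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/STAR_example_com.crt" 2>/dev/null
    cp "$WORK/ca.crt" "$WORK/STAR_example_com.ca-bundle"
}

# Before copying to /etc/ssl/ssl.crt and ssl.key: the issued certificate must
# chain to the bundle, and must be the certificate for *this* key.
verify_issued_cert() {
    openssl verify -CAfile "$WORK/STAR_example_com.ca-bundle" \
        "$WORK/STAR_example_com.crt" >/dev/null 2>&1 || return 1
    [ "$(modulus_md5 rsa "$WORK/server.key")" = "$(modulus_md5 x509 "$WORK/STAR_example_com.crt")" ]
}

main() {
    make_wildcard_csr example.com
    csr_matches_key
    issue_with_local_ca
    verify_issued_cert
    echo "key, CSR and certificate for $(csr_common_name) are consistent (files in $WORK)"
}
main
```

The same modulus comparison is the quickest way to diagnose the classic "SSLCertificateFile and SSLCertificateKeyFile do not match" startup error after Step 04: run modulus_md5 against the files you actually placed under /etc/ssl rather than the ones in your working directory.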

 

Step 04: Edit /opt/jboss/httpd/httpd/conf/httpd.conf and uncomment Include extra/httpd-ssl.conf so the SSL configuration file is applied, then edit extra/httpd-ssl.conf and change the following:

Listen 443

<VirtualHost _default_:443>

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   Server Certificate:
SSLCertificateFile "/etc/ssl/ssl.crt/STAR_xxxxxx_com.crt"

#   Server Private Key:
SSLCertificateKeyFile "/etc/ssl/ssl.key/server.key"

#   Server Certificate Chain:
SSLCertificateChainFile "/etc/ssl/ssl.crt/STAR_xxxxxx_com.ca-bundle"

</VirtualHost>

 

Step 05: Edit /opt/jboss/httpd/httpd/conf/httpd.conf and uncomment Include extra/httpd-vhosts.conf so the vhosts configuration file is applied, then edit extra/httpd-vhosts.conf and change the following:

<VirtualHost *:80>
    ServerAdmin tech.admin@xxxxxx.com
    DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
    ServerName eap-dev.xxxxxx.com
    ServerAlias www.eap-dev.xxxxxx.com
    ErrorLog "logs/eap-dev-error_log"
    CustomLog "logs/eap-dev-access_log" common
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin tech.admin@xxxxxx.com
    DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
    ServerName bpm-dev.xxxxxx.com
    ErrorLog "logs/bpm-dev-error_log"
    CustomLog "logs/bpm-dev-access_log" common
</VirtualHost>

 

That completes the whole setup.

Posted by MIS on 痞客邦 (PIXNET)

How to enable compression on the Apache Web Server, so that output pages and resource files are compressed before being sent to the browser: in other words, how to turn on mod_deflate to compress the output and save bandwidth (typically a saving of 2 to 3 times or more).

The following example shows how the browser and the web server negotiate compression support:

Browser: the HTTP request sent to the server carries an Accept-Encoding header listing the compression schemes the browser supports (separated by commas):

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,zh-TW;q=0.8,zh;q=0.5,en;q=0.3
Connection: keep-alive
Cookie: JSESSIONID="t5mGUd87rGbXsUQX1ij9M09s.slave:slave-server-one"; LtpaToken=AAECAzU2MDBGQ0VCNTYwMTI3MUJDTj1wb2x
DNT: 1
Host: eap.globeunion.com
Referer: http://eap.globeunion.com/GUSSH/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0



Web server: if the server supports one or more of the schemes the browser listed, the output is processed by one or more of them before being sent to the browser, and the HTTP response carries a Content-Encoding header saying which schemes were applied to the data (separated by commas):

Cache-Control: No-Cache
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 6980
Content-Type: text/html;charset=UTF-8
Date: Tue, 22 Sep 2015 08:01:40 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=5, max=99
Pragma: No-Cache
Vary: Accept-Encoding
X-Powered-By: JSP/2.2


How to configure the Apache web server to enable compression

0. Confirm that the deflate module is installed in Apache.
1. In httpd.conf, confirm that the deflate module is loaded and that the following settings are present:
…..
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
…..
# 2015/09/22, added by polin wei
<IfModule mod_deflate.c>
DeflateCompressionLevel 9
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript application/javascript application/x-httpd-php
AddOutputFilter DEFLATE js css gif

#Instead of blacklist, we use a whitelist:
BrowserMatch ^MSIE [6-9] gzip

</IfModule>

<LocationMatch ".*\.jsp$">
     ForceType text/html
</LocationMatch>



2. Restart the Apache web server: sudo service httpd restart

In the configuration example above we use the highest compression level (DeflateCompressionLevel), 9 (valid values are 1 to 9); in practice a level of about 5 already gives a good compression ratio. Content types that should be compressed are listed after "AddOutputFilterByType DEFLATE"; file name extensions that should be compressed are listed after "AddOutputFilter DEFLATE".

Posted by MIS on 痞客邦 (PIXNET)