Friends who like these articles are welcome to repost them; please note the source and link at the top of the repost. Thank you for your respect and support! ^_^

Tuesday, July 19, 2011

Lighttpd - HTTPS (SSL) Setup

Reference sites

Howto: Linux Lighttpd SSL (Secure Server Layer) Https Configuration And Installation (main reference)

How To Lighttpd Create Self Signed SSL Certificates 

Howto: Linux Lighttpd SSL (secure server layer) https installation and configuration (original)



Record of the successful procedure

# mkdir -p /etc/lighttpd/ssl/web.netxtream.com
# cd /etc/lighttpd/ssl/web.netxtream.com
# openssl genrsa -des3 -out web.netxtream.com.key 1024             // Create an RSA key (1024-bit, pass-phrase protected; see the caveats below)
# openssl req -new -key web.netxtream.com.key -out web.netxtream.com.csr             // Now create a CSR (certificate signing request) from that key
# openssl x509 -req -days 365 -in web.netxtream.com.csr -signkey web.netxtream.com.key -out web.netxtream.com.crt             // Sign the CSR with the same key to get a self-signed certificate
# cat web.netxtream.com.key web.netxtream.com.crt > web.netxtream.com.pem             // Create the final pem file: private key first, then the certificate
# chmod 0600 web.netxtream.com.pem             // Restrict permissions: the pem contains the private key
# /usr/sbin/lighttpd -v             // Make sure lighttpd supports SSL: the version string shows "(ssl)"; on newer builds `lighttpd -V` lists "+ SSL Support"
# vi /etc/lighttpd/lighttpd.conf             // Edit the config file

Two caveats on the commands above. First, -des3 encrypts the private key with a pass phrase, and lighttpd has no setting to supply it, so every start prompts for the pass phrase on the console and an unattended start fails; either generate the key without -des3 or remove the pass phrase with openssl rsa before building the pem. Second, 1024-bit RSA is below current minimums; use 2048 bits, as the second procedure further down does.

 

Add to lighttpd.conf:

$SERVER["socket"] == "web.netxtream.com:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/web.netxtream.com/web.netxtream.com.pem"   # private key + certificate, mode 0600
# ssl.ca-file is for the CA certificates that chain the server certificate (and for client-certificate
# verification). A self-signed certificate has no chain, so pointing it at the leaf certificate itself,
# as below, adds nothing and the line can be dropped.
ssl.ca-file = "/etc/lighttpd/ssl/web.netxtream.com/web.netxtream.com.crt"
server.name = "web.netxtream.com"
server.document-root = "/srv/www"
server.errorlog = "/var/log/lighttpd/web.netxtream.com/serror.log"
accesslog.filename = "/var/log/lighttpd/web.netxtream.com/saccess.log"   # requires mod_accesslog in server.modules
}

 

 
 

The following material is reposted from 蚊子館

--------------------------------------------

1. Create the directory for the private key and certificate

#mkdir /etc/lighttpd/ssl
#cd /etc/lighttpd/ssl

2. Generate the private key
# openssl genrsa -out privkey.pem 2048
Generating RSA private key, 2048 bit long modulus
.......................................+++
.........................................................................................................................+++
e is 65537 (0x10001)

3. Generate the certificate signing request (CSR)
# openssl req -new -key privkey.pem -out cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:Catchlink
Organizational Unit Name (eg, section) []:MIS
Common Name (eg, your name or your server's hostname) []:*.catchlink.com
Email Address []:Darwin@catchlink.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

This command generates a certificate request from the key privkey.pem created in the previous step.
It writes a new file, cert.csr, the certificate request; you take this file to a certificate authority (CA) to apply for a certificate. The CA returns a new file, cacert.pem, which is your actual certificate. Only the CSR is sent; privkey.pem never leaves the server.

If you are only testing, the applicant and the issuer are both you, and the certificate can be generated directly from the key with the following command (the CSR from step 3 is not needed on this path):
openssl req -new -x509 -days 3650 -key privkey.pem -out cacert.pem
This command uses the key privkey.pem generated above to produce the self-signed certificate cacert.pem. Despite the file name, this is a server certificate, not a CA certificate; it is valid for 3650 days, which is fine for a lab.

# openssl req -new -x509 -days 3650 -key privkey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]: Catchlink
Organizational Unit Name (eg, section) []:MIS
Common Name (eg, your name or your server's hostname) []:*.catchlink.com
Email Address []:Darwin@catchlink.com
# ls -l
total 12
-rw-r--r-- 1 root root 1663 Dec 25 08:22 cacert.pem
-rw-r--r-- 1 root root 1675 Dec 25 08:21 privkey.pem

4. Combine the private key and certificate into one file
# cat privkey.pem cacert.pem >lighttpd.pem
# ls -l
total 12
-rw-r--r-- 1 root root 1663 Dec 25 08:22 cacert.pem
-rw-r--r-- 1 root root 3338 Dec 25 08:24 lighttpd.pem
-rw-r--r-- 1 root root 1675 Dec 25 08:21 privkey.pem
#chmod 700 /etc/lighttpd/ssl
#chmod 600 /etc/lighttpd/ssl/*.pem
(The ls -l output above shows the files were created world-readable, so the private key was exposed until this step; set umask 077 first next time. chmod -R 600 on the directory itself would also strip its execute bit, which is needed to enter the directory; the directory gets 700 and the files 600.)

5. Edit the vhosts.conf file
# vi /etc/lighttpd/conf.d/vhosts.conf
$SERVER["socket"] == "192.168.11.201:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/lighttpd.pem"   # key + certificate from step 4, mode 0600
# Note: the certificate's Common Name is *.catchlink.com, server.name is www.aaa.com and the site is
# reached by IP, so browsers will warn about the name mismatch on top of the self-signed warning.
server.name = "www.aaa.com"
server.document-root="/var/lighttpd/blog.aaa.com"
server.errorlog="/var/log/lighttpd/blog.aaa.com.error.log"
accesslog.filename="/var/log/lighttpd/blog.aaa.com.access.log"   # requires mod_accesslog in server.modules
}

Then open https://192.168.11.201 in a browser; expect a certificate warning, since the certificate is self-signed and its name does not match the address.

Reposted from: 蚊子館 http://linux-guys.blogspot.com/2010/12/lighttpd-httpsssl.html
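Both procedures on this page (the "successful procedure" at the top and the reposted one from 蚊子館) do the same four things: make a key, self-sign a certificate, concatenate them into the pemfile, and lock down permissions. The script below is an added example written for this page; it is not code from either blog or from the lighttpd project. It redoes those steps with the fixes noted above (2048-bit key, no pass phrase, a subjectAltName so browsers match the host, a 0700 directory with 0600 files) and adds a checker for the finished pemfile that catches the two mistakes most likely to bite: a pass-phrase-protected key, which lighttpd cannot open unattended, and a key that does not belong to the certificate. The hostname web.example.test and the scratch directory are placeholders; only the openssl command-line tool and standard POSIX utilities are assumed.

```shell
#!/bin/sh
# Added example for this page (not code from either referenced blog or from lighttpd).
# Assumptions: the openssl CLI and POSIX utilities are installed; the hostname and
# directory are placeholders supplied by the caller.

# make_ssl_bundle DIR HOST [DAYS]
#   Creates DIR/HOST.key (unencrypted 2048-bit RSA), DIR/HOST.crt (self-signed,
#   with a subjectAltName for HOST) and DIR/HOST.pem (key followed by certificate,
#   the layout lighttpd's ssl.pemfile expects). Files are 0600, the directory 0700.
make_ssl_bundle() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir" && chmod 700 "$dir"      # 0700, not "chmod -R 600": a directory needs its x bit
    old_umask=$(umask); umask 077            # files are private from the moment they are created
    # No -des3: a pass-phrase protected key makes lighttpd prompt at every start.
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    # Minimal OpenSSL config: no interactive DN prompts, SAN and server-auth extensions.
    cat > "$dir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Self-signed in one step: no CSR is needed when applicant and issuer are the same party.
    openssl req -new -x509 -days "$days" -key "$dir/$host.key" \
        -config "$dir/$host.cnf" -extensions v3_req -out "$dir/$host.crt"
    cat "$dir/$host.key" "$dir/$host.crt" > "$dir/$host.pem"
    chmod 600 "$dir/$host.key" "$dir/$host.pem"
    umask "$old_umask"
}

# check_ssl_bundle PEM HOST
#   Returns 0 when PEM is usable by lighttpd for HOST; prints the first problem found
#   to stderr and returns 1 otherwise.
check_ssl_bundle() {
    pem=$1; host=$2
    # Checked first, because feeding an encrypted key to openssl would block on a prompt.
    if grep -qE 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$pem"; then
        echo "FAIL: $pem: private key is pass-phrase protected (lighttpd cannot supply it)" >&2
        return 1
    fi
    if [ -z "$(find "$pem" -perm 600)" ]; then
        echo "FAIL: $pem: mode must be 0600, it contains the private key" >&2
        return 1
    fi
    # The public key derived from the private key must equal the one in the certificate;
    # a mismatch is what you get after reissuing a certificate without reusing the key.
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: $pem: private key does not match the certificate" >&2
        return 1
    fi
    # Browsers match the hostname against subjectAltName, not only the CN.
    if ! openssl x509 -in "$pem" -noout -text | grep -qF "DNS:$host"; then
        echo "FAIL: $pem: certificate has no subjectAltName entry for $host" >&2
        return 1
    fi
    return 0
}

# demo HOST: build a bundle in a scratch directory, verify it, and clean up.
demo() {
    tmp=$(mktemp -d)
    make_ssl_bundle "$tmp" "$1" 365
    if check_ssl_bundle "$tmp/$1.pem" "$1"; then
        echo "OK: $tmp/$1.pem passes; copy it to /etc/lighttpd/ssl/ and point ssl.pemfile at it"
        openssl x509 -in "$tmp/$1.pem" -noout -subject -dates
    fi
    rm -rf "$tmp"
}

# Usage: sh lighttpd-ssl.sh web.example.test
if [ $# -gt 0 ]; then demo "$1"; fi
```

Run it as `sh lighttpd-ssl.sh web.example.test`, copy the generated .pem into place and set ssl.pemfile to it, as in the config blocks above. After restarting lighttpd, `openssl s_client -connect web.example.test:443 -servername web.example.test` shows the certificate the server actually presents, which is the quickest way to confirm the right pemfile was loaded.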