ÔÚApache+mod_wsgi+pythonµÄ»ù´¡Éϴhttps°²È«·ÃÎÊ

±¾Àý»·¾³£º

²Ù×÷ϵͳ£ºCentOS6.5

1£¬°²×°ÕâЩ»·¾³

yum install mod_ssl

ÔÚĿ¼/etc/httpd/conf.dÏ»ØÉú³ÉÒ»¸öеÄconfÎļþssl.conf

2£¬Éú³ÉÖ¤Êé

linuxÏÂ

²½Öè1£ºÉú³ÉÃÜÔ¿

ÃüÁopenssl genrsa 1024 > server.key

˵Ã÷£ºÕâÊÇÓÃ128λrsaËã·¨Éú³ÉÃÜÔ¿£¬µÃµ½server.keyÎļþ

²½Öè2: Éú³ÉÖ¤ÊéÇëÇóÎļþ

ÃüÁopenssl req -new -key server.key > server.csr

˵Ã÷£ºÕâÊÇÓò½Öè1µÄÃÜÔ¿Éú³ÉÖ¤ÊéÇëÇóÎļþserver.csr, ÕâÒ»²½ÌáºÜ¶àÎÊÌ⣬һһÊäÈë

²½Öè3: Éú³ÉÖ¤Êé

ÃüÁopenssl req -x509 -days 365 -key server.key -in server.csr > server.crt

˵Ã÷£ºÕâÊÇÓò½Öè1,2µÄµÄÃÜÔ¿ºÍÖ¤ÊéÇëÇóÉú³ÉÖ¤Êéserver.crt£¬-days²ÎÊýÖ¸Ã÷Ö¤ÊéÓÐЧÆÚ£¬µ¥Î»ÎªÌì

windowÏÂ

²½Öè1£ºÉú³ÉÃÜÔ¿
ÃüÁopenssl genrsa 1024 > server.key
˵Ã÷£ºÕâÊÇÓÃ128λrsaËã·¨Éú³ÉÃÜÔ¿£¬µÃµ½server.keyÎļþ

²½Öè2: Éú³ÉÖ¤ÊéÇëÇóÎļþ
ÃüÁopenssl req -config D:\work_soft\Apache2.2\conf\openssl.cnf -new -key server.key > server.csr
˵Ã÷£ºÕâÊÇÓò½Öè1µÄÃÜÔ¿Éú³ÉÖ¤ÊéÇëÇóÎļþserver.csr, ÕâÒ»²½ÌáºÜ¶àÎÊÌ⣬һһÊäÈë

²½Öè3: Éú³ÉÖ¤Êé
ÃüÁopenssl req -config D:\work_soft\Apache2.2\conf\openssl.cnf -x509 -days 365 -key server.key -in server.csr > server.crt
˵Ã÷£ºÕâÊÇÓò½Öè1,2µÄµÄÃÜÔ¿ºÍÖ¤ÊéÇëÇóÉú³ÉÖ¤Êéserver.crt£¬-days²ÎÊýÖ¸Ã÷Ö¤ÊéÓÐЧÆÚ£¬µ¥Î»ÎªÌì

°ÑµÃµ½µÄserver.keyºÍserver.crtÎļþ¿½±´µ½apacheµÄ¶ÔӦĿ¼

3£¬½«ÔªconfÎļþÖеÄÅäÖ㬰áǨµ½ssl.confÖУ¬²¢Ìí¼ÓÁ½¸öÖ¤Ê飨SSLCertificateFile£¬SSLCertificateKeyFile£©µÄ·¾¶

[root@10-9-21-98conf.d]#catssl.conf

#

#ThisistheApacheserverconfigurationfileprovidingSSLsupport.

#Itcontainstheconfigurationdirectivestoinstructtheserverhowto

#servepagesoveranhttpsconnection.Fordetailinginformationaboutthese

#directivessee<URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>

#

#DoNOTsimplyreadtheinstructionsinherewithoutunderstanding

#whattheydo.They'rehereonlyashintsorreminders.Ifyouareunsure

#consulttheonlinedocs.Youhavebeenwarned.

#

LoadModulessl_modulemodules/mod_ssl.so

#

#WhenwealsoprovideSSLwehavetolistentothe

#theHTTPSportinaddition.

#

Listen443

##

##SSLGlobalContext

##

##AllSSLconfigurationinthiscontextappliesbothto

##themainserverandallSSL-enabledvirtualhosts.

##

#PassPhraseDialog:

#Configurethepassphrasegatheringprocess.

#Thefilteringdialogprogram(`builtin'isainternal

#terminaldialog)hastoprovidethepassphraseonstdout.

SSLPassPhraseDialogbuiltin

#Inter-ProcessSessionCache:

#ConfiguretheSSLSessionCache:Firstthemechanism

#touseandsecondtheexpiringtimeout(inseconds).

SSLSessionCacheshmcb:/var/cache/mod_ssl/scache(512000)

SSLSessionCacheTimeout300

#Semaphore:

#Configurethepathtothemutualexclusionsemaphorethe

#SSLengineusesinternallyforinter-processsynchronization.

SSLMutexdefault

#PseudoRandomNumberGenerator(PRNG):

#ConfigureoneormoresourcestoseedthePRNGofthe

#SSLlibrary.Theseeddatashouldbeofgoodrandomquality.

#WARNING!Onsomeplatforms/dev/randomblocksifnotenoughentropy

#isavailable.Thismeansyouthencannotusethe/dev/randomdevice

#becauseitwouldleadtoverylongconnectiontimes(aslongas

#itrequirestomakemoreentropyavailable).Butusuallythose

#platformsadditionallyprovidea/dev/urandomdevicewhichdoesn't

#block.So,ifavailable,usethisoneinstead.Readthemod_sslUser

#Manualformoredetails.

SSLRandomSeedstartupfile:/dev/urandom256

SSLRandomSeedconnectbuiltin

#SSLRandomSeedstartupfile:/dev/random512

#SSLRandomSeedconnectfile:/dev/random512

#SSLRandomSeedconnectfile:/dev/urandom512

#

#Use"SSLCryptoDevice"toenableanysupportedhardware

#accelerators.Use"opensslengine-v"tolistsupported

#enginenames.NOTE:Ifyouenableanacceleratorandthe

#serverdoesnotstart,consulttheerrorlogsandensure

#youracceleratorisfunctioningproperly.

#

SSLCryptoDevicebuiltin

#SSLCryptoDeviceubsec

##

##SSLVirtualHostContext

##

<VirtualHost_default_:443>

#Generalsetupforthevirtualhost,inheritedfromglobalconfiguration

#DocumentRoot"/var/www/html"

#ServerNamewww.example.com:443

#UseseparatelogfilesfortheSSLvirtualhost;notethatLogLevel

#isnotinheritedfromhttpd.conf.

ErrorLoglogs/ssl_error_log

TransferLoglogs/ssl_access_log

LogLevelwarn

#SSLEngineSwitch:

#Enable/DisableSSLforthisvirtualhost.

SSLEngineon

#SSLProtocolsupport:

#Listtheenableprotocollevelswithwhichclientswillbeableto

#connect.DisableSSLv2accessbydefault:

SSLProtocolall-SSLv2

#SSLCipherSuite:

#Listtheciphersthattheclientispermittedtonegotiate.

#Seethemod_ssldocumentationforacompletelist.

SSLCipherSuiteDEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES

#ServerCertificate:

#PointSSLCertificateFileataPEMencodedcertificate.If

#thecertificateisencrypted,thenyouwillbepromptedfora

#passphrase.Notethatakill-HUPwillpromptagain.Anew

#certificatecanbegeneratedusingthegenkey(1)command.

#SSLCertificateFile/etc/pki/tls/certs/localhost.crt

SSLCertificateFile/etc/httpd/conf.d/server.crt

#ServerPrivateKey:

#Ifthekeyisnotcombinedwiththecertificate,usethis

#directivetopointatthekeyfile.Keepinmindthatif

#you'vebothaRSAandaDSAprivatekeyyoucanconfigure

#bothinparallel(toalsoallowtheuseofDSAciphers,etc.)

#SSLCertificateKeyFile/etc/pki/tls/private/localhost.key

SSLCertificateKeyFile/etc/httpd/conf.d/server.key

#ServerCertificateChain:

#PointSSLCertificateChainFileatafilecontainingthe

#concatenationofPEMencodedCAcertificateswhichformthe

#certificatechainfortheservercertificate.Alternatively

#thereferencedfilecanbethesameasSSLCertificateFile

#whentheCAcertificatesaredirectlyappendedtotheserver

#certificateforconvinience.

#SSLCertificateChainFile/etc/pki/tls/certs/server-chain.crt

#CertificateAuthority(CA):

#SettheCAcertificateverificationpathwheretofindCA

#certificatesforclientauthenticationoralternativelyone

#hugefilecontainingallofthem(filemustbePEMencoded)

#SSLCACertificateFile/etc/pki/tls/certs/ca-bundle.crt

#ClientAuthentication(Type):

#Clientcertificateverificationtypeanddepth.Typesare

#none,optional,requireandoptional_no_ca.Depthisa

#numberwhichspecifieshowdeeplytoverifythecertificate

#issuerchainbeforedecidingthecertificateisnotvalid.

#SSLVerifyClientrequire

#SSLVerifyDepth10

#AccessControl:

#WithSSLRequireyoucandoper-directoryaccesscontrolbased

#onarbitrarycomplexbooleanexpressionscontainingserver

#variablechecksandotherlookupdirectives.Thesyntaxisa

#mixturebetweenCandPerl.Seethemod_ssldocumentation

#formoredetails.

#<Location/>

#SSLRequire(%{SSL_CIPHER}!~m/^(EXP|NULL)/\

#and%{SSL_CLIENT_S_DN_O}eq"SnakeOil,Ltd."\

#and%{SSL_CLIENT_S_DN_OU}in{"Staff","CA","Dev"}\

#and%{TIME_WDAY}>=1and%{TIME_WDAY}<=5\

#and%{TIME_HOUR}>=8and%{TIME_HOUR}<=20)\

#or%{REMOTE_ADDR}=~m/^192\.76\.162\.[0-9]+$/

#</Location>

#SSLEngineOptions:

#SetvariousoptionsfortheSSLengine.

#oFakeBasicAuth:

#TranslatetheclientX.509intoaBasicAuthorisation.Thismeansthat

#thestandardAuth/DBMAuthmethodscanbeusedforaccesscontrol.The

#usernameisthe`oneline'versionoftheclient'sX.509certificate.

#Notethatnopasswordisobtainedfromtheuser.Everyentryintheuser

#fileneedsthispassword:`xxj31ZMTZzkVA'.

#oExportCertData:

#Thisexportstwoadditionalenvironmentvariables:SSL_CLIENT_CERTand

#SSL_SERVER_CERT.ThesecontainthePEM-encodedcertificatesofthe

#server(alwaysexisting)andtheclient(onlyexistingwhenclient

#authenticationisused).Thiscanbeusedtoimportthecertificates

#intoCGIscripts.

#oStdEnvVars:

#ThisexportsthestandardSSL/TLSrelated`SSL_*'environmentvariables.

#Perdefaultthisexportationisswitchedoffforperformancereasons,

#becausetheextractionstepisanexpensiveoperationandisusually

#uselessforservingstaticcontent.Sooneusuallyenablesthe

#exportationforCGIandSSIrequestsonly.

#oStrictRequire:

#Thisdeniesaccesswhen"SSLRequireSSL"or"SSLRequire"appliedeven

#undera"Satisfyany"situation,i.e.whenitappliesaccessisdenied

#andnoothermodulecanchangeit.

#oOptRenegotiate:

#ThisenablesoptimizedSSLconnectionrenegotiationhandlingwhenSSL

#directivesareusedinper-directorycontext.

#SSLOptions+FakeBasicAuth+ExportCertData+StrictRequire

<Files~"\.(cgi|shtml|phtml|php3?)$">

SSLOptions+StdEnvVars

</Files>

WSGIScriptAlias/"/root/blog_island/blog_island.wsgi"

<Directory/root/blog_island>

Orderdeny,allow

Allowfromall

SSLOptions+StdEnvVars

</Directory>

#<Directory"/var/www/cgi-bin">

#SSLOptions+StdEnvVars

#</Directory>

#SSLProtocolAdjustments:

#ThesafeanddefaultbutstillSSL/TLSstandardcompliantshutdown

#approachisthatmod_sslsendstheclosenotifyalertbutdoesn'twaitfor

#theclosenotifyalertfromclient.Whenyouneedadifferentshutdown

#approachyoucanuseoneofthefollowingvariables:

#ossl-unclean-shutdown:

#Thisforcesanuncleanshutdownwhentheconnectionisclosed,i.e.no

#SSLclosenotifyalertissendorallowedtoreceived.Thisviolates

#theSSL/TLSstandardbutisneededforsomebrain-deadbrowsers.Use

#thiswhenyoureceiveI/Oerrorsbecauseofthestandardapproachwhere

#mod_sslsendstheclosenotifyalert.

#ossl-accurate-shutdown:

#Thisforcesanaccurateshutdownwhentheconnectionisclosed,i.e.a

#SSLclosenotifyalertissendandmod_sslwaitsfortheclosenotify

#alertoftheclient.Thisis100%SSL/TLSstandardcompliant,butin

#practiceoftencauseshangingconnectionswithbrain-deadbrowsers.Use

#thisonlyforbrowserswhereyouknowthattheirSSLimplementation

#workscorrectly.

#Notice:MostproblemsofbrokenclientsarealsorelatedtotheHTTP

#keep-alivefacility,soyouusuallyadditionallywanttodisable

#keep-aliveforthoseclients,too.Usevariable"nokeepalive"forthis.

#Similarly,onehastoforcesomeclientstouseHTTP/1.0toworkaround

#theirbrokenHTTP/1.1implementation.Usevariables"downgrade-1.0"and

#"force-response-1.0"forthis.

SetEnvIfUser-Agent".*MSIE.*"\

nokeepalivessl-unclean-shutdown\

downgrade-1.0force-response-1.0

#Per-ServerLogging:

#ThehomeofacustomSSLlogfile.Usethiswhenyouwanta

#compactnon-errorSSLlogfileonavirtualhostbasis.

CustomLoglogs/ssl_request_log\

"%t%h%{SSL_PROTOCOL}x%{SSL_CIPHER}x\"%r\"%b"

</VirtualHost>

4£¬ÖØÆôhttpd·þÎñ£¬²¢²âÊÔ·ÃÎÊ

service httpd restart

µ½ä¯ÀÀÆ÷Öдò¿ª²âÊÔÁ´½Ó£¬ÀýÈ磺https://127.0.0.1

×¢Ò⣬°²È«Á´½ÓµÄЭÒéÊÇhttps£¬ÆäĬÈ϶˿ÚΪ443