1. Install the httpd and mod_ssl packages
# yum install httpd mod_ssl
2. Create the directories
# mkdir -p /srv/{www,webapp}11/www
# ls /srv
webapp11 www11
# vi /srv/www11/www/index.html
www11
# vi /srv/webapp11/www/index.html
webapp11
3. Reset the SELinux context on the new directories
# restorecon -Rv /srv
restorecon reset /srv/www11/www context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /srv/www11/www/index.html context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /srv/webapp11/www context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /srv/webapp11/www/index.html context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
4. Download the CA certificate used to sign the certificates
# cd /etc/pki/tls/certs
# wget http://classroom.example.com/pub/example-ca.crt
5. Download the two certificates for the virtual hosts
# wget http://classroom.example.com/pub/tls/certs/www11.crt
# wget http://classroom.example.com/pub/tls/certs/webapp11.crt
6. Download the private keys (set permissions to 600)
# cd /etc/pki/tls/private/
# wget http://classroom.example.com/pub/tls/private/www11.key
# wget http://classroom.example.com/pub/tls/private/webapp11.key
# chmod 600 w*11.key
7. Configure the TLS-based virtual hosts
# vi /etc/httpd/conf.d/www11.conf
<VirtualHost *:80>
ServerName www11.example.com
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>
<VirtualHost *:443>
ServerName www11.example.com
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
# Cipher keywords are case-sensitive: aNULL excludes anonymous (unauthenticated) suites
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder on
SSLCertificateFile /etc/pki/tls/certs/www11.crt
SSLCertificateKeyFile /etc/pki/tls/private/www11.key
SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
DocumentRoot /srv/www11/www
</VirtualHost>
<Directory /srv/www11/www>
Require all granted
</Directory>
# cp /etc/httpd/conf.d/www11.conf /etc/httpd/conf.d/webapp11.conf
# vi /etc/httpd/conf.d/webapp11.conf
# sed -i 's/www11/webapp11/g' /etc/httpd/conf.d/webapp11.conf
8. Restart and enable at boot
# systemctl start httpd.service
# systemctl enable httpd.service
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
9. Configure the firewall
# firewall-cmd --permanent --add-service=http --add-service=https
# firewall-cmd --reload
10. Configure the client
desktop# wget http://classroom.example.com/pub/example-ca.crt
desktop# firefox
Edit > Preferences > Advanced > Certificates > View Certificates > Import > example-ca.crt > Trust this CA to identify websites > OK
11. Both www11 and webapp11 are redirected to https.
http://www11.example.com
http://webapp11.example.com
※ Troubleshooting
- Check the firewall
- Check the index page
- Install related packages such as php and php-mysql
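The following script is an added example, not part of the original post. It lints a virtual host file from step 7 for the settings this procedure relies on: the https redirect, SSLEngine, disabled SSLv2/SSLv3, certificate and key names that follow ServerName after the cp and sed, and key mode 600 from step 6. The function names and the optional ROOT prefix argument are assumptions made for this example, and the sample configuration is constructed.

```bash
#!/bin/bash
# Added example (not from the original post): lint a vhost file from step 7.
# Usage: check_vhost CONF [ROOT]  (ROOT: optional path prefix, for testing)

# Print the first argument of directive $2 found in file $1.
directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

check_vhost() {
    local conf=$1 root=${2:-} fails=0 name host cert key proto mode
    name=$(directive "$conf" ServerName)
    host=${name%%.*}                      # www11.example.com -> www11
    cert=$(directive "$conf" SSLCertificateFile)
    key=$(directive "$conf" SSLCertificateKeyFile)
    proto=$(grep -i '^[[:space:]]*SSLProtocol' "$conf" || true)

    # The port 80 vhost must redirect to https.
    grep -Eiq '^[[:space:]]*RewriteRule.*https://' "$conf" ||
        fail "no https redirect rule"
    grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$conf" ||
        fail "SSLEngine is not on"
    # SSLv2 and SSLv3 must both be disabled.
    case "$proto" in
        *-SSLv2*-SSLv3* | *-SSLv3*-SSLv2*) ;;
        *) fail "SSLProtocol does not disable SSLv2 and SSLv3" ;;
    esac
    # After cp + sed, certificate and key names must follow ServerName.
    [ "${cert##*/}" = "$host.crt" ] || fail "certificate $cert does not match $name"
    [ "${key##*/}" = "$host.key" ] || fail "key $key does not match $name"
    # The private key must exist with mode 600 (step 6).
    mode=$(stat -c %a "$root$key" 2>/dev/null || true)
    [ "$mode" = 600 ] || fail "$root$key has mode '${mode:-missing}', expected 600"
    return "$fails"
}

# Constructed sample: webapp11.conf after cp, with the key path left unchanged.
sample_conf() {
    printf '%s\n' '<VirtualHost *:80>' 'ServerName webapp11.example.com' \
        'RewriteEngine on' \
        'RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]' \
        '</VirtualHost>' '<VirtualHost *:443>' \
        'ServerName webapp11.example.com' 'SSLEngine On' \
        'SSLProtocol all -SSLv2 -SSLv3' \
        'SSLCertificateFile /etc/pki/tls/certs/webapp11.crt' \
        'SSLCertificateKeyFile /etc/pki/tls/private/www11.key' '</VirtualHost>'
}
```

Run check_vhost /etc/httpd/conf.d/webapp11.conf as root after sourcing the script; the return status is the number of failed checks.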