
RHCE : HTTP/HTTPS – Configure TLS security.

https://4am.kr/rhce-http-https-configure-tls-security/


This is an RHCE topic. I translated the site referenced below and added some content.

## Prerequisites

| File | Download location |
|---|---|
| TLS server certificate | http://repo.example.com/server2.4am.kr.crt |
| TLS server private key | http://repo.example.com/server2.4am.kr.key |
| TLS CA certificate | http://repo.example.com/server2.4am.kr-ca.crt |
## Configuration

##### 1. Save the certificates and the private key.

```
[root@server2 ~]# cd /etc/httpd/conf
[root@server2 conf]# wget http://repo.example.com/server2.4am.kr.crt
--2016-05-04 14:30:26--  http://repo.example.com/server2.4am.kr.crt
Resolving repo.example.com (repo.example.com)...
Connecting to repo.example.com (repo.example.com)||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2390 (2.3K) [application/x-x509-ca-cert]
Saving to: ‘server2.4am.kr.crt’

100%[======================================>] 2,390       --.-K/s   in 0s

2016-05-04 14:30:27 (338 MB/s) - ‘server2.4am.kr.crt’ saved [2390/2390]

[root@server2 conf]# wget http://repo.example.com/server2.4am.kr.key
--2016-05-04 14:30:40--  http://repo.example.com/server2.4am.kr.key
Resolving repo.example.com (repo.example.com)...
Connecting to repo.example.com (repo.example.com)||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3294 (3.2K) [text/plain]
Saving to: ‘server2.4am.kr.key’

100%[======================================>] 3,294       --.-K/s   in 0s

2016-05-04 14:30:40 (328 MB/s) - ‘server2.4am.kr.key’ saved [3294/3294]

[root@server2 conf]# wget http://repo.example.com/server2.4am.kr-ca.crt
--2016-05-04 14:30:51--  http://repo.example.com/server2.4am.kr-ca.crt
Resolving repo.example.com (repo.example.com)...
Connecting to repo.example.com (repo.example.com)||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2106 (2.1K) [application/x-x509-ca-cert]
Saving to: ‘server2.4am.kr-ca.crt’

100%[======================================>] 2,106       --.-K/s   in 0s

2016-05-04 14:30:51 (502 MB/s) - ‘server2.4am.kr-ca.crt’ saved [2106/2106]

[root@server2 conf]#
```

Note: the private key is fetched over plain HTTP here, which is fine for the exam lab but not for a production host. Wherever the key ends up, keep it readable by root only (`chmod 0600`), because every file under `/etc/httpd/conf` is world-readable by default.

##### 2. Open `/etc/httpd/conf.d/ssl.conf` and change the `SSLCertificate*` lines as follows: comment out the stock `localhost` entries and add the new paths directly below them.

```
[root@server2 conf.d]# vim ssl.conf
#   pass phrase.  Note that a kill -HUP will prompt again.  A new
#   certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/conf/server2.4am.kr.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/conf/server2.4am.kr.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCertificateChainFile /etc/httpd/conf/server2.4am.kr-ca.crt
[root@server2 conf.d]#
```


##### 3. In the same file, find the `ServerName` line of the SSL virtual host and change it as follows.

```
## SSL Virtual Host Context

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
ServerName server2.4am.kr:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
```

##### 4. Check the configuration file.

```
[root@server2 conf.d]# apachectl configtest
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using server2.example.com. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@server2 conf.d]#
```

Note: `httpd -t` performs the same check. The AH00558 line is only a warning about the missing global `ServerName` in `/etc/httpd/conf/httpd.conf`; `Syntax OK` is the result that matters.
##### 5. Restart the `httpd` service.

```
[root@server2 conf.d]# systemctl restart httpd
[root@server2 conf.d]#
```

Note: `apachectl restart` also restarts the service.

##### 6. Check the virtual host configuration.

```
[root@server2 conf.d]# httpd -D DUMP_VHOSTS
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using server2.example.com. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server server2.4am.kr (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost server2.4am.kr (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost server2.4am.kr (/etc/httpd/conf.d/ssl.conf:56)
[root@server2 conf.d]#
```

Note: you can additionally inspect the certificate the server presents with `openssl s_client -connect server2.4am.kr:443 -state`.
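The steps above wire three downloaded files into `ssl.conf` and restart `httpd` without ever checking that they belong together; `configtest` only checks syntax, so a key that does not match the certificate, a CA file that is not the certificate's issuer, or a certificate without the name used in `ServerName` all pass step 4 and only fail when a browser connects. The script below is an added example, not code from the original post or from the certdepot.net page it translates. It runs the pre-flight checks a practitioner would want before step 5, then makes the step 2 and 3 edits with `awk` instead of by hand. It assumes `openssl` 1.1.1 or later and `awk` are on the PATH; the throwaway CA, its name, the 30-day expiry window and the four-line stand-in for `ssl.conf` are constructed here so it runs offline and are not values from the page.

```shell
#!/bin/sh
# Added example (not from the original post or the certdepot page it translates).
# ASSUMPTIONS: openssl 1.1.1+ and awk are installed; the CA name, the 30-day
# expiry window and the file names below are choices made here, not page values.

# Build a throwaway CA and a server certificate for server2.4am.kr so the checks
# can run offline. On the real host the three files come from repo.example.com.
make_test_pki() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.csr" -subj "/CN=4am.kr test CA" >/dev/null 2>&1 || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server2.4am.kr.key" \
        -out "$dir/server.csr" -subj "/CN=server2.4am.kr" >/dev/null 2>&1 || return 1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server2.4am.kr\nextendedKeyUsage=serverAuth\n' \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/server.ext" \
        -out "$dir/server2.4am.kr.crt" >/dev/null 2>&1 || return 1
    chmod 0600 "$dir/server2.4am.kr.key"
}

# tls_preflight CERT KEY CA HOSTNAME: returns 0 only if every check passes.
# Each failure has its own return code so a wrapper can tell them apart.
tls_preflight() {
    cert=$1 key=$2 ca=$3 host=$4
    # 1. The key must belong to the certificate: compare the public keys.
    [ "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "FAIL: $key does not match $cert"; return 1; }
    # 2. The certificate must chain to the CA that SSLCertificateChainFile will serve.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not verify against $ca"; return 2; }
    # 3. The ServerName must be covered by the SAN (or CN); httpd starts fine
    #    without this, browsers do not.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match' ||
        { echo "FAIL: $cert is not valid for $host"; return 3; }
    # 4. Refuse a certificate that expires within 30 days (2592000 s).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL: $cert expires within 30 days"; return 4; }
    # 5. The key was fetched over plain HTTP into /etc/httpd/conf; at least make
    #    sure group and others cannot read it (ls -l columns 5-10 must be ------).
    case "$(ls -ld "$key" | cut -c5-10)" in
        ------) ;;
        *) echo "FAIL: $key is readable by group/others"; return 5 ;;
    esac
    echo "OK: $cert, $key and $ca are consistent for $host"
}

# point_ssl_conf_at CONF CERT KEY CHAIN HOSTNAME: comment out the stock directives
# and add the new ones right after them, which is what steps 2 and 3 do by hand.
point_ssl_conf_at() {
    conf=$1
    awk -v cert="$2" -v key="$3" -v chain="$4" -v name="$5" '
        function keep_old() { print ($0 ~ /^#/ ? $0 : "#" $0) }
        /^#?SSLCertificateFile /      { keep_old(); print "SSLCertificateFile " cert;       next }
        /^#?SSLCertificateKeyFile /   { keep_old(); print "SSLCertificateKeyFile " key;     next }
        /^#?SSLCertificateChainFile / { keep_old(); print "SSLCertificateChainFile " chain; next }
        /^#?ServerName /              { keep_old(); print "ServerName " name ":443";        next }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Demo run on the constructed PKI and a constructed four-line stand-in for ssl.conf.
work=$(mktemp -d)
make_test_pki "$work"
tls_preflight "$work/server2.4am.kr.crt" "$work/server2.4am.kr.key" "$work/ca.crt" server2.4am.kr
cat > "$work/ssl.conf" <<'EOF'
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#ServerName www.example.com:443
EOF
point_ssl_conf_at "$work/ssl.conf" /etc/httpd/conf/server2.4am.kr.crt \
    /etc/httpd/conf/server2.4am.kr.key /etc/httpd/conf/server2.4am.kr-ca.crt server2.4am.kr
cat "$work/ssl.conf"
# On the real host, follow with: apachectl configtest && systemctl restart httpd
rm -rf "$work"
```

Run `tls_preflight` against the files in `/etc/httpd/conf` before step 5; a non-zero return tells you which of the five checks failed, which is far quicker than reading `ssl_error_log` after the restart. The permission check is deliberately last: a key that is world-readable but otherwise correct still serves TLS, so the earlier checks catch the outages and this one catches the exposure.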

## Testing
![tls-security-firefox-test-1](/content/images/2016/05/tls-security-firefox-test-1.png)


[^n]: RHEL7: Configure Apache TLS security. https://www.certdepot.net/rhel7-configure-apache-tls-security/