Web server mod_ssl configuration
-----------------
[root@falcon21 ~]# yum -y install php php-mbstring
[root@falcon21 ~]# vi /etc/httpd/conf/httpd.conf
42 NameVirtualHost *:80 //set up for name-based virtual hosts
66 Group apache
85 ServerAdmin webmaster@falcon21.space
94 ServerName falcon21.space:80
102 AllowOverride none
103 Require all denied
104 </Directory>
124 AllowOverride None
125 # Allow open access:
126 Require all granted
127 </Directory>
156 </Directory>
176 AllowOverride All
177 Options IncludesNoExec ExecCGI FollowSymLinks
178 AddHandler application/x-shockwave-flash .swf
179 AddHandler image/gif .gif
180 AddHandler image/jpeg .jpeg .jpg .jpe
181 AddHandler image/png .png
182 AddHandler text/html .html .htm .shtml .dat .index.cgi
183 AddHandler text/css css
184 <Limit GET POST OPTIONS>
185 Order allow,deny
186 Allow from all
187 </Limit>
188 <LimitExcept GET POST OPTIONS>
189 Order deny,allow
190 Deny from all
191 </LimitExcept>
192 </Directory>
193 <Directory /var/www/html>
194 AllowOverride All
195 Options IncludesNoExec ExecCGI FollowSymLinks
196 AddHandler application/x-shockwave-flash .swf
197 AddHandler image/gif .gif
198 AddHandler image/jpeg .jpeg .jpg .jpe
199 AddHandler image/png .png
200 AddHandler text/html .html .htm .shtml .dat .index.cgi
201 AddHandler text/css css
****************************************
[root@falcon21 ~]# rm -f /etc/httpd/conf.d/welcome.conf
[root@falcon21 ~]# rm -f /var/www/error/noindex.html
Put perl on the path
[root@falcon21 ~]# ln -s /usr/bin/perl /usr/local/bin/perl
[root@falcon21 ~]# whereis perl
perl: /usr/bin/perl /usr/local/bin/perl /usr/share/man/man1/perl.1.gz
Change the owner of the document root
[root@falcon21 ~]# chown hayato. /var/www/html/
Start the web server
[root@falcon21 ~]# systemctl start httpd
Check that the web page is displayed
[root@falcon21 ~]# vi /var/www/html/index.html
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>テスト</title>
</head>
<body>
テスト
</body>
</html>
[root@falcon21 ~]# vi /var/www/html/test.cgi
#!/usr/local/bin/perl
print "Content-type: text/html\n\n";
print "<html>\n";
print "<head>\n";
print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">\n";
print "<title>テスト</title>\n";
print "</head>\n";
print "<body>\n";
print "CGIテスト\n";
print "</body>\n";
print "</html>\n";
[root@falcon21 ~]# chmod 755 /var/www/html/test.cgi
Check an SSI .shtml page
[root@falcon21 ~]# vi /var/www/html/test.shtml
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>テスト</title>
</head>
<body>
SSIテスト
<!--#config timefmt="%Y/%m/%d %H:%M:%S" -->
<!--#echo var="DATE_LOCAL" -->
</body>
</html>
Check a page controlled by .htaccess
[root@falcon21 ~]# vi /var/www/html/.htaccess //create the per-directory access control file
DirectoryIndex index.shtml
[root@falcon21 ~]# vi /var/www/html/index.shtml //create the page to be served
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>テスト</title>
</head>
<body>
<p>.htaccessによるWebサーバー設定(例としてDirectoryIndex)の変更テスト</p>
このページのファイル名は<!--#echo var="DOCUMENT_NAME" -->
</body>
</html>
Accessing http://falcon21.space/ now displays index.shtml
After confirming the test, delete the file
[root@falcon21 ~]# rm -f /var/www/html/.htaccess
PHP check
[root@falcon21 ~]# vi /var/www/html/info.php
<?php
phpinfo();
?>
Accessing http://falcon21.space/info.php displays the PHP information page
***********************
Registering an SSL certificate with mod_ssl and Certbot
*****************************
Apache+mod_SSL+Certbot
[root@falcon21 ~]# yum -y install epel-release
[root@falcon21 ~]# cd /usr/local/
[root@falcon21 local]# git clone https://github.com/certbot/certbot
Install the Certbot client
[root@falcon21 ~]# /usr/local/certbot/certbot-auto -n
Obtain the server certificate
[root@falcon21 ~]# /usr/local/certbot/certbot-auto certonly --webroot -w /var/www/html -m webmaster@falcon21.space -d falcon21.space
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/init.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/falcon21.space.conf)
What would you like to do?
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for falcon21.space
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/falcon21.space/fullchain.pem. Your cert will
expire on 2017-08-24. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
********************************************************************************
Apache SSL configuration (for the Certbot certificate)
[root@falcon21 ~]# vi /etc/httpd/conf.d/ssl.conf
109 SSLCertificateFile /etc/letsencrypt/live/falcon21.space/cert.pem
110 #SSLCertificateFile /etc/pki/tls/certs/server.crt
118 SSLCertificateKeyFile /etc/letsencrypt/live/falcon21.space/privkey.pem
119 #SSLCertificateKeyFile /etc/pki/tls/certs/server.key
129 SSLCertificateChainFile /etc/letsencrypt/live/falcon21.space/chain.pem
*********************
Create a renewal script that renews the server certificate automatically every month
[root@falcon21 ~]# vi /etc/cron.monthly/certbot
#!/bin/sh
log=`mktemp`
code=0
#
# Certificate renewal
#
for conf in `ls /etc/letsencrypt/renewal/`
do
    # Get the domain name from the renewal file name
    domain=`echo ${conf}|sed -e 's/\([^ ]*\)\.conf/\1/p' -e d`
    # Get the authentication method
    authenticator=`grep authenticator /etc/letsencrypt/renewal/${conf}|awk '{print $3}'`
    if [ "${authenticator}" = 'webroot' ]; then
        # Webroot authentication
        # Get the document root
        webroot=`grep -A 1 webroot_map /etc/letsencrypt/renewal/${conf}|grep =|awk '{print $3}'`
        # Renew the certificate
        /usr/local/certbot/certbot-auto certonly --webroot \
            -w ${webroot} -d ${domain} --renew-by-default >> ${log} 2>&1
        [ $? -ne 0 ] && cat ${log}
    else
        # Standalone authentication
        # Renew the certificate (only possible when nothing listens on port 80)
        lsof -i:80 > /dev/null 2>&1
        if [ $? -eq 0 ]; then
            echo 'Webサーバー稼働中のためスタンドアロン認証不可'
        else
            /usr/local/certbot/certbot-auto certonly -a standalone \
                -d ${domain} --renew-by-default >> ${log} 2>&1
            [ $? -ne 0 ] && cat ${log}
        fi
    fi
done
#
# Apply the renewed certificate
#
# Reload the web server configuration
lsof -i:443 > /dev/null 2>&1
if [ $? -eq 0 ]; then
    rpm -q systemd > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        systemctl reload httpd
    else
        /etc/rc.d/init.d/httpd reload > /dev/null 2>&1
    fi
fi
# Reload the SMTP server configuration
lsof -i:465 > /dev/null 2>&1
if [ $? -eq 0 ]; then
    rpm -q systemd > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        systemctl reload postfix
    else
        /etc/rc.d/init.d/postfix reload > /dev/null 2>&1
    fi
fi
# Reload the IMAP server configuration
lsof -i:995 > /dev/null 2>&1
if [ $? -eq 0 ]; then
    rpm -q systemd > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        systemctl reload dovecot
    else
        /etc/rc.d/init.d/dovecot reload > /dev/null 2>&1
    fi
fi
#
# Send the log to syslog, then delete it
#
cat ${log}|logger -t `basename ${0}` ; rm -f ${log}
[root@falcon21 ~]# chmod +x /etc/cron.monthly/certbot
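The monthly script above scrapes each renewal file with grep/awk to recover the domain, the authenticator and the webroot. As an added example (not part of the original notes), here is the same decision written with an explicit parser, so a missing webroot_map entry fails loudly instead of producing an empty -w argument. SAMPLE_CONF is constructed; its layout ([renewalparams] plus a nested [[webroot_map]] block) is assumed to match /etc/letsencrypt/renewal/<domain>.conf.

```python
# Added example, not from the original notes: parse a Certbot renewal file the
# way the monthly script scrapes it with grep/awk, but with an explicit parser,
# and build the argument list it would run. SAMPLE_CONF is constructed; its
# layout ([renewalparams] plus a nested [[webroot_map]] block) is assumed to
# match /etc/letsencrypt/renewal/<domain>.conf.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/falcon21.space/cert.pem
privkey = /etc/letsencrypt/live/falcon21.space/privkey.pem
chain = /etc/letsencrypt/live/falcon21.space/chain.pem
fullchain = /etc/letsencrypt/live/falcon21.space/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
[[webroot_map]]
falcon21.space = /var/www/html
"""
CERTBOT = "/usr/local/certbot/certbot-auto"

def parse_renewal_conf(text):
    """Return (top-level settings, [renewalparams], [[webroot_map]]) as dicts."""
    top, params, webroot_map = {}, {}, {}
    target = top
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line == "[[webroot_map]]":     # nested block: domain = docroot
            target = webroot_map
        elif line.startswith("["):        # any other section header
            target = params if line == "[renewalparams]" else {}
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            target[key] = value
    return top, params, webroot_map

def renewal_command(conf_name, text, port80_in_use):
    """Argument list to run, or None when standalone auth is blocked by port 80 being busy."""
    domain = conf_name[:-len(".conf")]    # falcon21.space.conf -> falcon21.space
    _, params, webroot_map = parse_renewal_conf(text)
    if params.get("authenticator") == "webroot":
        if domain not in webroot_map:
            raise ValueError("no webroot_map entry for %s" % domain)
        return [CERTBOT, "certonly", "--webroot", "-w", webroot_map[domain],
                "-d", domain, "--renew-by-default"]
    if port80_in_use:
        return None
    return [CERTBOT, "certonly", "-a", "standalone", "-d", domain, "--renew-by-default"]
```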
*********************************
SSL Server Test configuration
[root@falcon21 ~]# vi /etc/httpd/conf.d/ssl.conf
Copy and paste the SSLCipherSuite part of /etc/letsencrypt/options-ssl-apache.conf
100 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
101 SSLHonorCipherOrder on
228 Header always set Strict-Transport-Security "max-age=15768000"
229 </VirtualHost>
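The SSLCipherSuite line above still lists 3DES suites, static-RSA suites without forward secrecy, and CBC/SHA-1 suites. As an added example (not from the original notes or from Certbot), the script below audits that exact string and derives a tighter one; the three checks are this reviewer's heuristics (an assumption) applied to OpenSSL suite names.

```python
# Added example, not from the original notes: audit the SSLCipherSuite string
# above and derive a tighter one. The three checks are this reviewer's
# heuristics (assumption) applied to OpenSSL suite names.
CIPHER_STRING = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:"
    "EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")  # ephemeral (EC)DH key exchange

def classify(suite):
    """Return the concerns a reviewer would raise for one suite (empty = fine)."""
    concerns = []
    if "DES-CBC3" in suite:
        concerns.append("3DES: 64-bit block cipher (Sweet32)")
    if not suite.startswith(PFS_PREFIXES):
        concerns.append("no forward secrecy: static RSA key exchange")
    if suite.endswith("-SHA"):
        concerns.append("CBC mode with SHA-1 MAC")
    return concerns

def suites(cipher_string):
    """Suite names in list order; '!', '-' and '+' tokens are modifiers, not suites."""
    return [t for t in cipher_string.split(":") if t and t[0] not in "!-+"]

def audit(cipher_string):
    """Map each suite to its concerns, e.g. audit(CIPHER_STRING)["DES-CBC3-SHA"]."""
    return {s: classify(s) for s in suites(cipher_string)}

def harden(cipher_string):
    """Drop every suite with a concern; keep order and the trailing '!' exclusions."""
    kept = [t for t in cipher_string.split(":")
            if t and (t[0] in "!-+" or not classify(t))]
    return ":".join(kept)

if __name__ == "__main__":
    for suite, concerns in audit(CIPHER_STRING).items():
        if concerns:
            print(suite, "->", "; ".join(concerns))
    print("hardened:", harden(CIPHER_STRING))
```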
************* When I redid this, /etc/letsencrypt/options-ssl-apache.conf was gone, so I copied the one
registered with the old version from a backup; is that an error? **********************
AWStats configuration fix
[root@falcon21 ~]# vi /etc/httpd/conf.d/ssl.conf
82 ErrorLog logs/error_log // ssl_error_log ------> error_log
84 CustomLog logs/access_log combined env=!no_log
[root@falcon21 ~]# systemctl restart httpd
Port 443 is open; accesses to the plain http: page are automatically forwarded to the encrypted https: page.