NC61+nc中间件+HTTPS配置方案Apache安装从网上下载带有openssl的Apache:httpd-2.2.22-win32-x86-openssl-0.9.8t.msimod_jk.so说明:APACHE安装完后,需要将Apache插件mod_jk.so文件拷贝到Apache_home\modules目录下。注:apache使用80端口说明:APACHE安装完后,需要将Apache插件mod_jk.so文件拷贝到Apache_home\modules目录下。Linux的.so文件下载http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/linux/jk-1.2.23/Linux环境安装ApacheHttpd2.2.29(http://httpd.apache.org)OpenSSL1.0.1h(http://www.openssl.org/source)SSL-Tools(http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz)1.OpenSSL#tarzxvfopenssl-1.0.1h.tar.gz#cdopenssl-1.0.1h#./config#make#makeinstall此举将安装最新的OpenSSL到/usr/local/ssl目录中,无需理会系统中已有版本的OpenSSL,也不要去卸载它,否则会导致很多的应用程序无法正常执行,例如X窗口无法进入等错误。2.ApacheHttpd#tarzxvfhttpd-2.2.29.tar.gz#cdhttpd-2.2.29#./configure--prefix=/usr/local/apache/httpd--enable-ssl=static--with-ssl=/usr/local/ssl#make#makeinstall此步骤在/apache/httpd目录中安装httpd服务(通过参数--prefix指定),同时使用--with-ssl指定刚才所安装OpenSSL的路径,用于将mod_ssl静态的编译到httpd服务中。\\\\\\\\\\\\\\\\后续可参考命令\\\\\\\\\\\\\\\\\\\apache22ssl\conf>/usr/local/openssl/bin/opensslgenrsa-outserver.key1024\apache22ssl\conf>/usr/local/openssl/bin/opensslreq-new-keyserver.key-outserver.csr-config/usr/local/openssl/ssl/openssl.cnf\apache22ssl\conf>/usr/local/openssl/bin/opensslx509-req-days3650-inserver.csr-signkeyserver.key-outserver.crt\apache22ssl\conf>/usr/local/openssl/bin/opensslx509-noout-text-inserver.crtJKMountFileconf/ncmapping.propertiesServerNamejavavag.ufida.com.cn:443\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\NC61中间件配置nchome\bin\ncSysConfig.bat配置nc单server添加AJP1.3协议修改端口号,避免与apache端口80冲突配置服务转发,选择Apachhome配置后在D:\ncenv\apache22ssl\conf目录下会生成下面的三个文件:ncmodjk.confncmapping.propertiesncworkers.propertiesHTTPS配置方案生成服务器端的私钥KEYD:\ncenv\apache22ssl\conf>..\bin\opensslgenrsa-outserver.key1024Loading'screen'intorandomstate-doneGeneratingRSAprivatekey,1024bitlongmodulus................................++++++...................................................................++++++eis65537(0x10001)生成的文件位置:D:\ncenv\apache22ssl\conf\server.key生成未签署的CSR文件server.csr注意:1.CountryName(2lettercode)[AU]:国家名称CountryName需要输入CN2.Achallengepassword在windows环境下不用输入。3.CommonName(e.g.serverFQDNorYOURname)中CommonName必须和Apache_HOME\conf\httpd.conf中ServerName必须一致,否则apache启动时会错报错:RSAservercertificateCommonName(CN)‘javavag’doesNOTmatchservername!?D:\ncenv\apache22ssl\conf>..\bin\opensslreq-new-keyserver.key-outserver.csr-configopenssl.cnfLoading'screen'intorandomstate-doneYouareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificaterequest.WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.-----CountryName(2lettercode)[AU]:CNStateorProvinceName(fullname)[Some-State]:BEIJINGLocalityName(eg,city)[]:BEIJINGOrganizationName(eg,company)[InternetWidgitsPtyLtd]:UFIDAOrganizationalUnitName(eg,section)[]:UFIDACommonName(e.g.serverFQDNorYOURname)[]:javavag.ufida.com.cnEmailAddress[]:dqy@ufida.com.cnPleaseenterthefollowing'extra'attributestobesentwithyourcertificaterequestAchallengepassword[]:Anoptionalcompanyname[]:说明:生成的文件位置:D:\ncenv\apache22ssl\conf\server.csr签署服务器证书文件server.crtD:\ncenv\apache22ssl\conf>..\bin\opensslx509-req-days3650-inserver.csr-signkeyserver.key-outserver.crtLoading'screen'intorandomstate-doneSignatureoksubject=/C=CN/ST=BEIJING/L=BEIJING/O=UFIDA/OU=UFIDA/CN=javavag.ufida.com.cn/emailAddress=dqy@ufida.com.cnGettingPrivatekey生成的文件位置:D:\ncenv\apache22ssl\conf\server.crt说明:用前两步的密钥KEY和证书请求生成证书server.crt,-days参数指明证书有效期,单位为天,x509表示生成的为X.509证书。查看证书D:\ncenv\apache22ssl\conf>..\bin\opensslx509-noout-text-inserver.crtCertificate:Data:Version:1(0x0)SerialNumber:e4:d1:23:49:95:44:38:22SignatureAlgorithm:sha1WithRSAEncryptionIssuer:C=CN,ST=BEIJING,L=BEIJING,O=UFIDA,OU=UFIDA,CN=javavag.ufida.com.cn/emailAddress=dqy@ufida.com.cnValidityNotBefore:Dec407:14:542012GMTNotAfter:Dec407:14:542013GMTSubject:C=CN,ST=BEIJING,L=BEIJING,O=UFIDA,OU=UFIDA,CN=javavag.ufida.com.cn/emailAddress=dqy@ufida.com.cnSubjectPublicKeyInfo:PublicKeyAlgorithm:rsaEncryptionRSAPublicKey:(1024bit)Modulus(1024bit):00:d4:5b:b7:94:ea:a6:5b:34:5c:22:8c:44:d3:58:96:19:1a:35:f8:c8:a1:0e:64:08:6e:3e:ee:5e:f9:c5:1c:fc:79:13:c2:91:ec:d4:9e:3b:5c:6e:3d:88:63:78:60:70:ca:2a:03:33:0f:42:d7:35:d4:f0:83:ed:b8:da:f7:ae:5c:42:87:5d:d5:2f:74:91:18:d2:8f:ad:fb:25:42:22:b4:32:34:2d:d9:32:ff:55:5a:e8:f5:26:15:d2:2a:ef:ea:cd:bb:d9:6f:2e:c8:13:b5:73:4d:ed:c0:30:64:df:72:fd:de:9d:4d:04:cd:e7:90:49:90:c7:a5:a2:87:81Exponent:65537(0x10001)SignatureAlgorithm:sha1WithRSAEncryption35:27:c1:2b:0b:47:41:18:bb:02:e8:75:ab:f2:0d:b1:d0:23:f9:5e:e5:8e:30:9e:77:ec:ec:83:62:0a:03:fe:25:56:5e:e1:0d:e4:8f:a8:d4:20:a5:e0:ff:60:11:64:bb:a2:26:95:85:82:9d:8c:1a:e9:99:a8:d2:4b:e9:ac:c1:3d:5e:6e:b2:72:9a:9d:1e:7c:d4:1b:7b:1b:72:9e:65:ca:b2:a9:99:68:d8:c2:f3:a0:70:e6:35:aa:45:5d:f0:25:bb:8f:ff:d7:4d:00:0b:44:ac:d3:13:94:97:79:55:92:d8:46:f6:57:d3:93:c6:81:aa:b5:1f:97:3a:83配置HTTPS方式访问httpd.conf文件配置:D:\ncenv\apache22ssl\conf\httpd.conf找到#Includeconf/extra/httpd-ssl.conf去掉注释#变为:Includeconf/extra/httpd-ssl.conf找到#LoadModulessl_modulemodules/mod_ssl.so去掉注释#变为:LoadModulessl_modulemodules/mod_ssl.sohttpd-ssl.conf文件配置:在D:\ncenv\apache22ssl\conf\extra\httpd-ssl.conf文件中找到VirtualHost_default_:443,然后增加下面红色的内容,同时注释掉DocumentRoot"D:/ncenv/apache22ssl/htdocs"说明:javavag.ufida.com.cn是机器名##SSLVirtualHostContext#Generalsetupforthevirtualhost#DocumentRoot"D:/ncenv/apache22ssl/htdocs"JKMountFileconf/ncmapping.propertiesServerNamejavavag.ufida.com.cn:443ServerAdmindqy@ufida.com.cnErrorLog"D:/ncenv/apache22ssl/logs/error.log"TransferLog"D:/ncenv/apache22ssl/logs/access.log"#SSLEngineSwitch:#Enable/DisableSSLforthisvirtualhost.SSLEngineon在D:\ncenv\apache22ssl\conf\extra\httpd-ssl.conf文件中,检查下面的脚本是否存在,如果不存在,则需要添加上:#ServerCertificate:SSLCertificateFile"D:/ncenv/apache22ssl/conf/server.crt"#ServerPrivateKey:SSLCertificateKeyFile"D:/ncenv/apache22ssl/conf/server.key"启动NC:D:\ncenv\nc61ncc>startup.bat启动Apache:D:\ncenv\apache22ssl\bin>httpd.exe-kstarthttps方式访问NC:https://ip:porthttp方式访问NC:http://ip:port如果需要http://ip:port自动跳转为https://ip:port则需要做如下配置,配置完后,所有的访问都为https://ip:port方式:在D:\ncenv\apache22ssl\conf\httpd.conf文件中找到找到#LoadModulerewrite_modulemodules/mod_rewrite.so去掉注释#变为:LoadModulerewrite_modulemodules/mod_rewrite.so同时,在下面两段兰色的中间增加红色的片段:SSLRandomSeedstartupbuiltinSSLRandomSeedconnectbuiltinRewriteEngineonRewriteCond%{SERVER_PORT}!^443$RewriteRule^.*$https://%{SERVER_NAME}%{REQUEST_URI}[L,R]#ncmodjkconf@MonDec0314:25:20CST2012#ncmodjkconf@ver6.0#PLScopymod_jk.sotoApache'smodulesdirectory,filenamemustbemod_jk.so.includeconf/ncmodjk.conf#ncmodjkconf@end
