NC61+nc中间件+HTTPS配置方案Apache安装从网上下载带有openssl的Apache:httpd-2.2.22-win32-x86-openssl-0.9.8t.msimod_jk.so说明:APACHE安装完后,需要将Apache插件mod_jk.so文件拷贝到Apache_home\modules目录下。ftp://ncjs:ncjs@125.35.5.209tool目录下注:apache使用80端口说明:APACHE安装完后,需要将Apache插件mod_jk.so文件拷贝到Apache_home\modules目录下。NC61中间件配置nchome\bin\ncSysConfig.bat配置nc单server添加AJP1.3协议修改端口号,避免与apache端口80冲突配置服务转发,选择Apachhome配置后在D:\ncenv\apache22ssl\conf目录下会生成下面的三个文件:ncmodjk.confncmapping.propertiesncworkers.propertiesHTTPS配置方案生成服务器端的私钥KEYD:\ncenv\apache22ssl\conf>..\bin\opensslgenrsa-outserver.key1024Loading'screen'intorandomstate-doneGeneratingRSAprivatekey,1024bitlongmodulus................................++++++...................................................................++++++eis65537(0x10001)生成的文件位置:D:\ncenv\apache22ssl\conf\server.key生成未签署的CSR文件server.csr注意:1.CountryName(2lettercode)[AU]:国家名称CountryName需要输入CN2.Achallengepassword在windows环境下不用输入。3.CommonName(e.g.serverFQDNorYOURname)中CommonName必须和Apache_HOME\conf\httpd.conf中ServerName必须一致,否则apache启动时会错报错:RSAservercertificateCommonName(CN)‘javavag’doesNOTmatchservername!?D:\ncenv\apache22ssl\conf>..\bin\opensslreq-new-keyserver.key-outserver.csr-configopenssl.cnfLoading'screen'intorandomstate-doneYouareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificaterequest.WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.-----CountryName(2lettercode)[AU]:CNStateorProvinceName(fullname)[Some-State]:BEIJINGLocalityName(eg,city)[]:BEIJINGOrganizationName(eg,company)[InternetWidgitsPtyLtd]:UFIDAOrganizationalUnitName(eg,section)[]:UFIDACommonName(e.g.serverFQDNorYOURname)[]:javavag.ufida.com.cnEmailAddress[]:dqy@ufida.com.cnPleaseenterthefollowing'extra'attributestobesentwithyourcertificaterequestAchallengepassword[]:Anoptionalcompanyname[]:说明:生成的文件位置:D:\ncenv\apache22ssl\conf\server.csr签署服务器证书文件server.crtD:\ncenv\apache22ssl\conf>..\bin\opensslx509-req-days3650-inserver.csr-signkeyserver.key-outserver.crtLoading'screen'intorandomstate-doneSignatureoksubject=/C=CN/ST=BEIJING/L=BEIJING/O=UFIDA/OU=UFIDA/CN=javavag.ufida.com.cn/emailAddress=dqy@ufida.com.cnGettingPrivatekey生成的文件位置:D:\ncenv\apache22ssl\conf\server.crt说明:用前两步的密钥KEY和证书请求生成证书server.crt,-days参数指明证书有效期,单位为天,x509表示生成的为X.509证书。查看证书D:\ncenv\apache22ssl\conf>..\bin\opensslx509-noout-text-inserver.crtCertificate:Data:Version:1(0x0)SerialNumber:e4:d1:23:49:95:44:38:22SignatureAlgorithm:sha1WithRSAEncryptionIssuer:C=CN,ST=BEIJING,L=BEIJING,O=UFIDA,OU=UFIDA,CN=javavag.ufida.com.cn/emailAddress=dqy@ufida.com.cnValidityNotBefore:Dec407:14:542012GMTNotAfter:Dec407:14:542013GMTSubject:C=CN,ST=BEIJING,L=BEIJING,O=UFIDA,OU=UFIDA,CN=javavag.ufida.com.cn/emailAddress=dqy@ufida.com.cnSubjectPublicKeyInfo:PublicKeyAlgorithm:rsaEncryptionRSAPublicKey:(1024bit)Modulus(1024bit):00:d4:5b:b7:94:ea:a6:5b:34:5c:22:8c:44:d3:58:96:19:1a:35:f8:c8:a1:0e:64:08:6e:3e:ee:5e:f9:c5:1c:fc:79:13:c2:91:ec:d4:9e:3b:5c:6e:3d:88:63:78:60:70:ca:2a:03:33:0f:42:d7:35:d4:f0:83:ed:b8:da:f7:ae:5c:42:87:5d:d5:2f:74:91:18:d2:8f:ad:fb:25:42:22:b4:32:34:2d:d9:32:ff:55:5a:e8:f5:26:15:d2:2a:ef:ea:cd:bb:d9:6f:2e:c8:13:b5:73:4d:ed:c0:30:64:df:72:fd:de:9d:4d:04:cd:e7:90:49:90:c7:a5:a2:87:81Exponent:65537(0x10001)SignatureAlgorithm:sha1WithRSAEncryption35:27:c1:2b:0b:47:41:18:bb:02:e8:75:ab:f2:0d:b1:d0:23:f9:5e:e5:8e:30:9e:77:ec:ec:83:62:0a:03:fe:25:56:5e:e1:0d:e4:8f:a8:d4:20:a5:e0:ff:60:11:64:bb:a2:26:95:85:82:9d:8c:1a:e9:99:a8:d2:4b:e9:ac:c1:3d:5e:6e:b2:72:9a:9d:1e:7c:d4:1b:7b:1b:72:9e:65:ca:b2:a9:99:68:d8:c2:f3:a0:70:e6:35:aa:45:5d:f0:25:bb:8f:ff:d7:4d:00:0b:44:ac:d3:13:94:97:79:55:92:d8:46:f6:57:d3:93:c6:81:aa:b5:1f:97:3a:83配置HTTPS方式访问httpd.conf文件配置:D:\ncenv\apache22ssl\conf\httpd.conf找到#Includeconf/extra/httpd-ssl.conf去掉注释#变为:Includeconf/extra/httpd-ssl.conf找到#LoadModulessl_modulemodules/mod_ssl.so去掉注释#变为:LoadModulessl_modulemodules/mod_ssl.sohttpd-ssl.conf文件配置:在D:\ncenv\apache22ssl\conf\extra\httpd-ssl.conf文件中找到VirtualHost_default_:443,然后增加下面红色的内容,同时注释掉DocumentRoot"D:/ncenv/apache22ssl/htdocs"说明:javavag.ufida.com.cn是机器名##SSLVirtualHostContext#Generalsetupforthevirtualhost#DocumentRoot"D:/ncenv/apache22ssl/htdocs"JKMountFileconf/ncmapping.propertiesServerNamejavavag.ufida.com.cn:443ServerAdmindqy@ufida.com.cnErrorLog"D:/ncenv/apache22ssl/logs/error.log"TransferLog"D:/ncenv/apache22ssl/logs/access.log"#SSLEngineSwitch:#Enable/DisableSSLforthisvirtualhost.SSLEngineon在D:\ncenv\apache22ssl\conf\extra\httpd-ssl.conf文件中,检查下面的脚本是否存在,如果不存在,则需要添加上:#ServerCertificate:SSLCertificateFile"D:/ncenv/apache22ssl/conf/server.crt"#ServerPrivateKey:SSLCertificateKeyFile"D:/ncenv/apache22ssl/conf/server.key"启动NC:D:\ncenv\nc61ncc>startup.bat启动Apache:D:\ncenv\apache22ssl\bin>httpd.exe-kstarthttps方式访问NC:https://ip:porthttp方式访问NC:http://ip:port如果需要http://ip:port自动跳转为https://ip:port则需要做如下配置,配置完后,所有的访问都为https://ip:port方式:在D:\ncenv\apache22ssl\conf\httpd.conf文件中找到找到#LoadModulerewrite_modulemodules/mod_rewrite.so去掉注释#变为:LoadModulerewrite_modulemodules/mod_rewrite.so同时,在下面两段兰色的中间增加红色的片段:SSLRandomSeedstartupbuiltinSSLRandomSeedconnectbuiltinRewriteEngineonRewriteCond%{SERVER_PORT}!^443$RewriteRule^.*$https://%{SERVER_NAME}%{REQUEST_URI}[L,R]#ncmodjkconf@MonDec0314:25:20CST2012#ncmodjkconf@ver6.0#PLScopymod_jk.sotoApache'smodulesdirectory,filenamemustbemod_jk.so.includeconf/ncmodjk.conf#ncmodjkconf@end
