apache+openssl搭建

最近漏洞扫描发现很多问题，故而升级apache,并且安装新版的openssl,并且这个openssl和系统的不冲突

一 安装需要的包 以及环境

环境：centos7.6 openssl 版本

[[email protected] ~]# openssl version -a
OpenSSL 1.0.2k-fips 26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rdrand dynamic

安装所需的包

yum -y install gcc* expat-devel

二 安装apache需要的最新的其他包 apr apr-util  pcre

cd /usr/local/src
tar xf apr-1.7.0.tar.gz
cd apr-1.7.0/
./configure --prefix=/usr/local/apr
make && make install

cd ..
tar xf apr-util-1.6.1.tar.gz
cd apr-util-1.6.1/
./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
make && make install

cd ..
tar xf pcre-8.43.tar.gz
cd pcre-8.43/
./configure --prefix=/usr/local/pcre
make && make install

cd ..
tar xf openssl-1.1.1c.tar.gz
cd openssl-1.1.1c/
./config --prefix=/usr/local/ssl --shared
make && make install
echo "/usr/local/ssl/lib" >>/etc/ld.so.conf
ldconfig     #使库文件生效

三 安装apache

cd ..
tar xf httpd-2.4.41.tar.gz
cd httpd-2.4.41/
./configure --prefix=/usr/local/httpd --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --with-pcre=/usr/local/pcre  --enable-so --enable-rewrite --enable-ssl --with-ssl=/usr/local/ssl --with-mpm=prefork
make && make install

四 简单修改配置启动

vim /usr/local/httpd/conf/httpd.conf
ServerName localhost:80

/usr/local/httpd/bin/apachectl start

五 配置https访问

#私钥
/usr/local/ssl/bin/openssl genrsa -des3 -out server.key 1024
#生成服务器证书请求
openssl req -new -key server.key -out server.csr
#自签证
[[email protected] conf]# /usr/local/ssl/bin/openssl x509 -req -days 700 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = CN, ST = beijing, L = beijing, O = lenovo.com, OU = IT, CN = liullm7
Getting Private key
Enter pass phrase for server.key:

vim httpd.conf
Include conf/extra/httpd-ssl.conf  #httpd-ssl.conf文件里面的两个密钥名称serve.crt  server.key
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

去除私钥短语，启动的时候就不用输入了
[[email protected] conf]# /usr/local/ssl/bin/openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key

/usr/local/httpd/bin/apachectl restart

六查看openssl的情况

[[email protected] ~]# /usr/local/ssl/bin/openssl version -a
OpenSSL 1.1.1c  28 May 2019
built on: Thu Aug 22 15:33:35 2019 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/ssl/ssl"
ENGINESDIR: "/usr/local/ssl/lib/engines-1.1"
Seeding source: os-specific
[[email protected] ~]# openssl version -a
OpenSSL 1.0.2k-fips  26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic 

原文地址：https://www.cnblogs.com/mmyy-blog/p/11408442.html