[웹서버] SSL[보안] 가상호스트 설정
참고 문서가 별로 없어서, 셋업하는데 시간이 많이 걸렸습니다.
같은 고민을 하시는 분들에게 도움이 되었으면 바랍니다.
SSL 가상 호스트의 핵심은 2가지 입니다.
1) SSL 포트 정의 항목입니다.
아파치 웹서버가 시동될때, Bind 되어야 할 포트입니다.
사용하고자 하는 도메인 갯수만큼 포트를 할당해야 합니다.
443 포트는 SSL기본포트로 브라우저에서 별도로 입력하지 않아도
아파치웹서버가 https로 들어오는 요청을 443으로 전달합니다.
나머지는 반드시 SSL 문서요청시 https://ip:port 지정해야 합니다.
<IfDefine SSL>
Listen 80
Listen 443
Listen 444
Listen 445
Listen 446
</IfDefine>
2) 가상 호스트 셋업인데, 기존의 가상호스팅과 별도로
IP:Port 기반으로 작성해 주어야 합니다.
http:aaa.co.kr/index.html 은
VirtualHost Directive 에,,
SSLDisable 옵션을 추가해 주시고,,
https://aaa.co.kr/index.html
을 사용하시려면,
별도 SSL용 VirtualHost Directive를 작성해 주셔야 합니다.
### Section 2: ‘Main’ server configuration
#
# Port: The port to which the standalone server listens. For
# ports < 1023, you will need httpd to be run as root initially.
#
Port 80
##
## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
<IfDefine SSL>
Listen 80
Listen 443
Listen 444
Listen 445
Listen 446
</IfDefine>
ServerName 210.103.144.15
;
;
;중략
### Section 3: Virtual Hosts
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn’t need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at <URL: http://www.apache.org/docs/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option ‘-S’ to verify your virtual host
# configuration.
#
# Use name-based virtual hosting.
#
NameVirtualHost 211.32.23.43
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#<VirtualHost *>
# ServerAdmin webmaster@dummy -host.example.com
# DocumentRoot /www/docs/dummy-host.example.com
# ServerName dummy-host.example.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>
#<VirtualHost _default_:*>
#</VirtualHost>
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>
<IfModule mod_ssl.c>
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin’ is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shmht:/usr/local/httpd/logs/ssl_scache(512000)
#SSLSessionCache shmcb:/usr/local/httpd/logs/ssl_scache(512000)
SSLSessionCache dbm:/usr/local/httpd/logs/ssl_scache
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual explusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/usr/local/httpd/logs/ssl_mutex
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn’t
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.
SSLLog /usr/local/httpd/logs/ssl_engine_log
SSLLogLevel info
</IfModule>
############################################################################
#### 요기서 부터 SSL 가상호스트를 설정합니다.
############################################################################
<IfDefine SSL>
<VirtualHost 211.32.23.43:443>
ServerAdmin telnet99 at
webhost.co.kr
DocumentRoot /usr/local/apache/htdocs
ServerName 210.104.144.15
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/httpd/conf/ssl.key/server.key
<Files ~ “\\.(cgi|shtml|phtml|php3?)$”>
SSLOptions +StdEnvVars
</Files>
<Directory “/usr/local/httpd/cgi-bin”>
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent “.*MSIE.*” \\
nokeepalive ssl-unclean-shutdown \\
downgrade-1.0 force-response-1.0
CustomLog /usr/local/httpd/logs/ssl_request_log \\
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \\”%r\\” %b”
</VirtualHost>
<VirtualHost 211.32.23.43:444>
ServerAdmin telnet99 at
webhost.co.kr
DocumentRoot /home/kaski-org/kaski/www
ServerName kaski.or.kr
ServerAlias www.kaski.or.kr
ScriptAlias /cgi-bin/ “/home/kaski-org/kaski/cgi-bin/”
CustomLog logs/kaski-access_log combined
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/httpd/conf/ssl.key/server.key
<Files ~ “\\.(cgi|shtml|phtml|php3?)$”>
SSLOptions +StdEnvVars
</Files>
<Directory “/usr/local/httpd/cgi-bin”>
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent “.*MSIE.*” \\
nokeepalive ssl-unclean-shutdown \\
downgrade-1.0 force-response-1.0
CustomLog /usr/local/httpd/logs/ssl_request_log \\
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \\”%r\\” %b”
</VirtualHost>
<VirtualHost 211.32.23.43:445>
ServerAdmin telnet99 at
webhost.co.kr
DocumentRoot /home/cyber-org/physio/www
ServerName koreacyber.org
ServerAlias www.koreacyber.org
ScriptAlias /cgi-bin/ “/home/cyber-org/physio/cgi-bin/”
CustomLog logs/koreacyber-access_log combined
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/httpd/conf/ssl.key/server.key
<Files ~ “\\.(cgi|shtml|phtml|php3?)$”>
SSLOptions +StdEnvVars
</Files>
<Directory “/usr/local/httpd/cgi-bin”>
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent “.*MSIE.*” \\
nokeepalive ssl-unclean-shutdown \\
downgrade-1.0 force-response-1.0
CustomLog /usr/local/httpd/logs/ssl_request_log \\
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \\”%r\\” %b”
</VirtualHost>
<VirtualHost 211.32.23.43:446>
ServerAdmin telnet99 at
webhost.co.kr
DocumentRoot /home/cyber-org/physio/www
ServerName koreacyber.org
ServerAlias www.koreacyber.org
ScriptAlias /cgi-bin/ “/home/cyber-org/physio/cgi-bin/”
CustomLog logs/koreacyber-access_log combined
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/httpd/conf/ssl.key/server.key
<Files ~ “\\.(cgi|shtml|phtml|php3?)$”>
SSLOptions +StdEnvVars
</Files>
<Directory “/usr/local/httpd/cgi-bin”>
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent “.*MSIE.*” \\
nokeepalive ssl-unclean-shutdown \\
downgrade-1.0 force-response-1.0
CustomLog /usr/local/httpd/logs/ssl_request_log \\
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \\”%r\\” %b”
</VirtualHost>
# 기본 IP 페이지 (SSL:443)
<VirtualHost 211.32.23.43>
SSLDisable
ServerAdmin telnet99 at
webhost.co.kr
DocumentRoot /usr/local/apache/htdocs
ServerName 211.32.23.43
</VirtualHost>
# kaski.org (SSL: 444)
<VirtualHost 211.32.23.43>
SSLDisable
ServerAdmin telnet99 at
webhost.co.kr
DocumentRoot /home/kaski-org/kaski/www
ServerName kaski.org
ServerAlias www.kaski.org
ScriptAlias /cgi-bin/ “/home/kaski-org/kaski/cgi-bin/”
CustomLog logs/kaski-access_log combined
</VirtualHost>
# koreacyber (SSL:445)
<VirtualHost 211.32.23.43>
SSLDisable
ServerAdmin telnet99 at
webhost.co.kr
DocumentRoot /home/cyber-org/physio/www
ServerName koreacyber.org
ServerAlias www.koreacyber.org
ScriptAlias /cgi-bin/ “/home/cyber-org/physio/cgi-bin/”
CustomLog logs/koreacyber-access_log combined
</VirtualHost>
# kosmos (SSL:446)
<VirtualHost 211.32.23.43>
SSLDisable
ServerAdmin telnet99 at
webhost.co.kr
DocumentRoot /home/kosmos-org/kosmos/www
ServerName kosmos.org
ServerAlias www.kosmos.org
ScriptAlias /cgi-bin/ “/home/kosmos-org/kosmos/cgi-bin/”
CustomLog logs/kosmos-access_log combined
</VirtualHost>
# kosmos
<VirtualHost 211.32.23.43>
SSLDisable
ServerAdmin telnet99 at
webhost.co.kr
DocumentRoot /home/kosmos-org/kosmos/www
ServerName kosmos.or.kr
ServerAlias www.kosmos.or.kr
ScriptAlias /cgi-bin/ “/home/kosmos-org/kosmos/cgi-bin/”
CustomLog logs/kosmos-access_log combined
</VirtualHost>
</IfDefine>
5 Responses
… [Trackback]
[…] Read More Info here to that Topic: nblog.syszone.co.kr/archives/77 […]
… [Trackback]
[…] Here you will find 41613 additional Info on that Topic: nblog.syszone.co.kr/archives/77 […]
… [Trackback]
[…] Read More on on that Topic: nblog.syszone.co.kr/archives/77 […]
… [Trackback]
[…] Read More Information here to that Topic: nblog.syszone.co.kr/archives/77 […]
… [Trackback]
[…] Find More on to that Topic: nblog.syszone.co.kr/archives/77 […]