Apache

VirtualHost + SSL on Apache 2.2.x


First, create a certificate with the OpenSSL that is installed by default.

[ Creating the certificate ]
mkdir ~/keys
cd ~/keys
openssl genrsa -des3 1024 > server.key
openssl rsa -in server.key -out server.key
openssl req -new -key server.key -out server.cert
openssl x509 -in server.cert -out server.cert -req -signkey server.key -days 3650
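The commands above produce a single key pair that every virtual host in the configuration further down shares. With SNI each host can present its own certificate, so here is an added helper script, not from the original page, that generates a separate unencrypted key and self-signed certificate per ServerName and prints the two directives to paste into that host's <VirtualHost *:443>. It assumes openssl(1) on PATH; the output directory (~/keys, as on this page), the v1/v2 host names and the script name are assumptions.

```shell
#!/bin/sh
# make_vhost_cert.sh -- one self-signed key/cert pair per SSL virtual host.
# Added example, not from the original page. Assumes openssl(1) on PATH; the
# output directory and host names are assumptions following the page's layout.
set -eu

KEYDIR=${KEYDIR:-"${HOME:-.}/keys"}

# Validate a ServerName before it is used in a file name or a -subj value:
# letters, digits, '-' and '.', no leading/trailing dot, no "..".
# Returns 0 if acceptable, 1 otherwise.
valid_servername() {
    case $1 in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Write $KEYDIR/<name>.key and $KEYDIR/<name>.cert: an unencrypted RSA key
# (so httpd can start unattended, as on the page) and a self-signed certificate
# valid for 3650 days whose CN is the vhost's ServerName.  Every option used
# here already exists in the 0.9.8 req command.
make_vhost_cert() {   # $1 = ServerName, e.g. v1.hoge.com
    valid_servername "$1" || { echo "bad server name: $1" >&2; return 1; }
    mkdir -p "$KEYDIR"
    umask 077            # private key must not be world-readable
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/CN=$1" \
        -keyout "$KEYDIR/$1.key" -out "$KEYDIR/$1.cert"
}

# Print the two directives for that host's <VirtualHost *:443>.
ssl_directives() {    # $1 = ServerName, $2 = directory the files are copied to
    printf '    SSLCertificateFile "%s/%s.cert"\n' "$2" "$1"
    printf '    SSLCertificateKeyFile "%s/%s.key"\n' "$2" "$1"
}

# Usage: sh make_vhost_cert.sh v1.hoge.com v2.hoge.com
for name; do
    make_vhost_cert "$name"
    ssl_directives "$name" /usr/local/apache/conf
done
```

Run it once per host, copy the resulting files into /usr/local/apache/conf/ as the page does with ~/keys/*, and replace the shared server.cert/server.key lines in each *:443 block with the printed directives.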


openssl-0.9.8i.tar.gz is required (built with enable-tlsext, which provides the TLS extension support SNI relies on), so install that first.

[ Installing OpenSSL ]
cd /usr/local/src
wget http://www.openssl.org/source/openssl-0.9.8i.tar.gz
tar xzf openssl-0.9.8i.tar.gz
cd openssl-0.9.8i
./config --prefix=/usr/local/openssl enable-tlsext; make depend; make; make install; make clean;


Apply the SNI patch and install Apache.

[ Installing Apache 2.2 ]
wget http://www.meisei-u.ac.jp/mirror/apache/httpd/httpd-2.2.10.tar.gz
wget https://sni.velox.ch/misc/httpd-2.2.x-sni.patch
tar xzf httpd-2.2.10.tar.gz
cd httpd-2.2.10
patch -p1 < ../httpd-2.2.x-sni.patch
./configure --prefix=/usr/local/apache --enable-so --enable-ssl --with-ssl=/usr/local/openssl
make; make install; make clean
cp ~/keys/* /usr/local/apache/conf/


Add the following line to /usr/local/apache/conf/httpd.conf.
[ /usr/local/apache/conf/httpd.conf ]
# My configuration
Include conf/extra/httpd-my.conf


Configure the virtual hosts in httpd-my.conf:

vi ./conf/extra/httpd-my.conf
-------------------------------
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
#SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache         "dbm:/usr/local/apache/logs/ssl_scache"
#SSLSessionCache        "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
#SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
#SSLMutex  "file:/usr/local/apache/logs/ssl_mutex"

#
# Virtual Hosts
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    ServerAdmin webmaster@hoge.com
    DocumentRoot "/home/www/v1"
    ServerName v1.hoge.com

    <Directory "/home/www/v1">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin webmaster@hoge.com
    DocumentRoot "/home/www/v2"
    ServerName v2.hoge.com

    <Directory "/home/www/v2">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# SSL versions of the two hosts above
<VirtualHost *:443>
    ServerAdmin webmaster@hoge.com
    DocumentRoot "/home/www/v1"
    ServerName v1.hoge.com:443

    #SSL Engine Switch:
    #Enable/Disable SSL for this virtual host.
    SSLEngine on

    #   Server Certificate and Private Key:
    #   If the key is not combined with the certificate, use
    #   SSLCertificateKeyFile to point at the key file.  Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateFile "/usr/local/apache/conf/server.cert"
    SSLCertificateKeyFile "/usr/local/apache/conf/server.key"

    <Directory "/home/www/v1">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@hoge.com
    DocumentRoot "/home/www/v2"
    ServerName v2.hoge.com:443

    #SSL Engine Switch:
    #Enable/Disable SSL for this virtual host.
    SSLEngine on

    #   Server Certificate and Private Key:
    #   If the key is not combined with the certificate, use
    #   SSLCertificateKeyFile to point at the key file.  Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateFile "/usr/local/apache/conf/server.cert"
    SSLCertificateKeyFile "/usr/local/apache/conf/server.key"

    <Directory "/home/www/v2">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
-------------------------------
When combining VirtualHost with SSL, write one <VirtualHost *:443> and one <VirtualHost *:80> block for each host you need.
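Once httpd is running, the thing to verify is that the server actually honours SNI: a client that sends v2.hoge.com in the TLS handshake must receive that host's certificate, while a client that sends no SNI gets the first *:443 host's certificate. The following script is an added example, not part of the original page; it assumes openssl(1) on PATH and reads the address of the server to test from an environment variable named SNI_TARGET (an assumed name). With the single shared certificate created earlier every probe reports the same CN, so the check becomes informative once each host has its own certificate.

```shell
#!/bin/sh
# sni_check.sh -- which certificate does each SSL virtual host present?
# Added example, not from the original page. Assumes openssl(1) on PATH and a
# running httpd; SNI_TARGET (host:port) and the probed names are assumptions.

# Pull the CN out of an "openssl x509 -noout -subject" line, in both the
# old format  "subject= /C=JP/CN=v1.hoge.com"  and the newer
# "subject=C = JP, CN = v1.hoge.com".  Prints the CN, or nothing.
extract_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Newer s_client sends the -connect host as SNI unless told not to; detect
# whether -noservername exists so the "no SNI" probe really sends none.
nosni_opt=
if openssl s_client -help 2>&1 | grep -q -- '-noservername'; then
    nosni_opt=-noservername
fi

# Subject line of the certificate returned for one handshake.
# $1 = host:port, $2 = name to send in the SNI extension ("" = send none).
# 0.9.8 built with enable-tlsext (as on this page) accepts -servername.
probe_subject() {
    if [ -n "$2" ]; then
        openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null
    else
        # $nosni_opt is deliberately unquoted: it may be empty
        openssl s_client -connect "$1" $nosni_opt </dev/null 2>/dev/null
    fi | openssl x509 -noout -subject 2>/dev/null
}

# Probe each ServerName with SNI and compare the CN it gets with the name
# it sent; also show the default host's certificate (no SNI), which is what
# pre-SNI clients see.  Returns 1 if any host answers with the wrong CN.
check_vhosts() {   # $1 = host:port, remaining args = ServerNames
    target=$1; shift
    status=0
    printf 'no SNI (default *:443 host): CN=%s\n' \
        "$(extract_cn "$(probe_subject "$target" "")")"
    for name; do
        cn=$(extract_cn "$(probe_subject "$target" "$name")")
        if [ "$cn" = "$name" ]; then
            printf 'ok        %-20s CN=%s\n' "$name" "$cn"
        else
            printf 'MISMATCH  %-20s CN=%s\n' "$name" "$cn"
            status=1
        fi
    done
    return $status
}

# Usage: SNI_TARGET=203.0.113.10:443 sh sni_check.sh v1.hoge.com v2.hoge.com
if [ -n "${SNI_TARGET:-}" ]; then
    check_vhosts "$SNI_TARGET" "$@"
fi
```

A MISMATCH line for a name that has its own certificate means either the OpenSSL httpd was linked against lacks tlsext support, or that name's *:443 block is not being selected; the "no SNI" line tells you which certificate the first *:443 block hands to older clients.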


■Addendum
For Apache 2.2.11, download the matching patch from https://sni.velox.ch/misc/ and apply it.

■Addendum 2 -2009/10/12-
From Apache 2.2.12 onward the patch is no longer needed;
./configure --prefix=/usr/local/apache --enable-so --enable-ssl --with-ssl=/usr/local/openssl;
make; make install; make clean
is all that is required. OpenSSL must still be built with enable-tlsext.
