……
下载证书压缩包,包含CA根证书和服务器证书。部署前建议核对:用 openssl verify -CAfile <CA根证书文件> sample.com.crt 确认证书链完整;再比较 openssl x509 -noout -modulus -in sample.com.crt 与 openssl rsa -noout -modulus -in sample.com.key 的输出,确认证书与私钥确实匹配。
用于证书请求(CSR)的 key 文件,即服务器私钥:它只应保存在服务器上,属主 root、权限 0600,不要随证书压缩包一起分发,也不要提交给 CA(CA 只需要 CSR)。
编辑apache配置文件
[root@pfx ~]# cd /usr/local/apache/conf/
[root@pfx conf]# vi httpd.conf
[root@pfx conf]# cd extra/
[root@pfx extra]# vi httpd-ssl.conf
服务器证书
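# Server certificate (PEM) presented to clients.  mod_ssl 2.2 accepts at most one
# certificate per key type (RSA / DSA) in a virtual host, so the stock self-signed
# server.crt line must be commented out, leaving the CA-issued file as the single
# active entry.  Quotes must be plain ASCII "..." -- the curly quotes the blog
# platform inserted would become part of the path.
#SSLCertificateFile "/usr/local/apache/conf/server.crt"
#SSLCertificateFile "/usr/local/apache/conf/server-dsa.crt"
SSLCertificateFile "/usr/local/apache/conf/sample.com.crt"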
服务器私钥KEY文件
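# Private key matching the certificate above.  Same rule: one active key per key
# type, so the stock server.key line is commented out.  Keep the key file
# root-only (chmod 600); it is never sent to the CA or to clients.  Plain ASCII
# quotes, not the curly ones the blog platform inserted.
#SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
#SSLCertificateKeyFile "/usr/local/apache/conf/server-dsa.key"
SSLCertificateKeyFile "/usr/local/apache/conf/sample.com.key"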
重启Apache
检测语法
[root@pfx extra]# apachectl -t
Syntax error on line 56 of /usr/local/apache/conf/extra/httpd-ssl.conf:
Invalid command ‘SSLPassPhraseDialog’, perhaps misspelled or defined by a module not included in the server configuration
[root@pfx extra]#
查看是否加载mod_ssl模块
[root@pfx extra]# apachectl -l |grep ssl
[root@pfx extra]#
查看apache有关ssl的编译参数
[root@pfx httpd-2.2.24]# ./configure --help |grep ssl
--enable-ssl SSL/TLS support (mod_ssl)
--enable-distcache Select distcache support in mod_ssl
--with-sslport=SSLPORT Port on which to securelisten (default is 443)
--with-sslc=DIR RSA SSL-C SSL/TLS toolkit
--with-ssl=DIR OpenSSL SSL/TLS toolkit
[root@pfx httpd-2.2.24]#
查看当前版本apache的安装编译参数
重新编译安装Apache
[root@pfx httpd-2.2.24]# ./configure --prefix=/usr/local/apache \
> --enable-so --enable-rewrite --enable-ssl
[root@pfx httpd-2.2.24]# make
[root@pfx httpd-2.2.24]# make install
[root@pfx httpd-2.2.24]# /usr/local/apache2/bin/apachectl -l |grep ssl
mod_ssl.c
[root@pfx httpd-2.2.24]#
[root@pfx httpd-2.2.24]# netstat -lutn |grep 80
tcp 0 0 :::80 :::* LISTEN
[root@pfx httpd-2.2.24]#
[root@pfx httpd-2.2.24]# apachectl stop
[root@pfx httpd-2.2.24]# mv /usr/local/apache/ /usr/local/apache2
—————————————————
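# Minimal httpd.conf fragment (Apache 2.2 + mod_php) serving the postfixadmin UI.
Listen 80
LoadModule php5_module modules/libphp5.so
# Worker processes drop root and run as this unprivileged account.
User apache
Group apache
ServerName 192.168.197.15:80
DirectoryIndex index.html index.php
AddType application/x-httpd-php .php
# Mail-domain admin console.  Quotes must be plain ASCII "..."; the curly quotes
# the blog platform inserted would be treated as part of the path.
Alias /pa "/usr/local/postfixadmin"
<Directory "/usr/local/postfixadmin">
    AllowOverride None
    Options None
    # NOTE(review): "Allow from all" exposes the admin login form to every client
    # that can reach port 80.  Consider restricting by source address
    # (Allow from <admin network>) and serving /pa only over the HTTPS vhost.
    Order allow,deny
    Allow from all
</Directory>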
—————————————————
说明:下面启动时出现 Pass Phrase Dialog,是因为私钥文件带口令保护。这意味着每次启动/重启(包括无人值守的自动重启)都会停在口令提示处。两种处理方式:用 openssl rsa -in sample.com.key -out sample.com.key.nopass 生成无口令私钥后替换并把权限收紧为 600/root;或者在 httpd-ssl.conf 中用 SSLPassPhraseDialog exec:/path/to/script 由脚本提供口令。另外提示里的 www.example.com:443 说明 httpd-ssl.conf 的 ServerName 仍是默认值,应改为证书对应的主机名。
[root@pfx extra]# apachectl start
Apache/2.2.24 mod_ssl/2.2.24 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server www.example.com:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
[root@pfx extra]#
强制SSL
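# Force TLS: send every plain-HTTP request to the same host and path over https.
RewriteEngine On
# Only redirect non-TLS requests.  Without this guard the rule loops forever if
# it is ever inherited by (RewriteOptions Inherit) or copied into the :443 vhost.
RewriteCond %{HTTPS} !=on
# [R] alone is a temporary (302) redirect; once the HTTPS site is verified,
# [R=301,L] lets browsers remember the upgrade.
# NOTE(review): %{HTTP_HOST} echoes the client-supplied Host header into the
# Location target.  If this server answers for arbitrary Host values, redirect to
# a fixed hostname instead (as the mail.linuxcache.com variant below does) and add
# a Strict-Transport-Security header in the :443 vhost.
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]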
[root@pfx conf]# apachectl stop
[root@pfx conf]# apachectl start
Apache/2.2.24 mod_ssl/2.2.24 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server www.example.com:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
[root@pfx conf]#
直接重定向到mail.linuxcache.com
# Send every request on this (plain-HTTP) listener to the canonical mail host.
RewriteEngine On
# NOTE(review): this must live only in the port-80 context; inside the :443 vhost
# for mail.linuxcache.com it would redirect to itself forever.  Also, in
# server/vhost context $1 already begins with "/" (the "force SSL" rule above
# relies on that), so "https://mail.linuxcache.com/$1" produces a double slash --
# drop the "/" unless this rule sits in a <Directory>/.htaccess context, where
# the leading slash is stripped before matching.
RewriteRule ^(.*)$ https://mail.linuxcache.com/$1 [R,L]
……
CentOS6.3最小化系统安装PHP Apache MySQL基本运行环境(注:CentOS 6、httpd 2.2 与 PHP 5.3 均已停止安全维护,下面的版本只适合作为搭建过程的参考;生产环境应使用仍在维护的发行版和 PHP 版本)
[root@localhost ~]# yum install httpd mysql-server php php-mysql php-pdo
安装包与依赖包及其版本信息
Installed:
httpd.i686 0:2.2.15-28.el6.centos mysql-server.i686 0:5.1.69-1.el6_4
php.i686 0:5.3.3-23.el6_4 php-mysql.i686 0:5.3.3-23.el6_4
php-pdo.i686 0:5.3.3-23.el6_4
Dependency Installed:
apr.i686 0:1.3.9-5.el6_2
apr-util.i686 0:1.3.9-3.el6_0.1
apr-util-ldap.i686 0:1.3.9-3.el6_0.1
httpd-tools.i686 0:2.2.15-28.el6.centos
mailcap.noarch 0:2.1.31-2.el6
mysql.i686 0:5.1.69-1.el6_4
mysql-libs.i686 0:5.1.69-1.el6_4
perl.i686 4:5.10.1-131.el6_4
perl-DBD-MySQL.i686 0:4.013-3.el6
perl-DBI.i686 0:1.609-4.el6
perl-Module-Pluggable.i686 1:3.90-131.el6_4
perl-Pod-Escapes.i686 1:1.04-131.el6_4
perl-Pod-Simple.i686 1:3.13-131.el6_4
perl-libs.i686 4:5.10.1-131.el6_4
perl-version.i686 3:0.77-131.el6_4
php-cli.i686 0:5.3.3-23.el6_4
php-common.i686 0:5.3.3-23.el6_4
解压缩并查看目录。注意:把 phpMyAdmin 放到 /var/www/html/pma 后,它会对所有能访问 80 端口的人开放。复制出 config.inc.php 之后要给 $cfg['blowfish_secret'] 填一个随机字符串(示例文件中该值为空),并在 Apache 里按来源 IP 或 HTTP 认证限制 /pma 的访问,最好只通过 HTTPS 提供。
[root@localhost ~]# mv phpMyAdmin-4.0.4.1-all-languages /var/www/html/pma
[root@localhost ~]# cd /var/www/html/pma/
[root@localhost pma]# cp config.sample.inc.php config.inc.php
安装mbstring扩展
[root@localhost pma]# yum install php-mbstring
[root@localhost pma]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@localhost pma]#
未安装mbsting扩展时使用浏览器访问phpmyadmin的错误信息及Apache错误日志信息
HTTP Error 500 (Internal Server Error): An unexpected condition was encountered while the server was attempting to fulfill the request.
[Mon Jul 01 12:00:56 2013] [error] [client 192.168.1.24] PHP Fatal error: Call to undefined function mb_detect_encoding() in /var/www/html/pma/libraries/php-gettext/gettext.inc on line 177
安装mcrypt扩展
[root@localhost pma]# yum install php-mcrypt
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile
* base: mirrors.btte.net
* extras: ftp.stu.edu.tw
* updates: mirrors.btte.net
Setting up Install Process
No package php-mcrypt available.
Error: Nothing to do
[root@localhost pma]#
下载并安装EPEL。注意下面 rpm -lpq 输出中的 NOKEY 警告:系统尚未导入 EPEL 的签名公钥,此时 rpm 无法验证这个包的签名,而且下载走的是明文 http。安装前应先从 fedoraproject.org 获取并 rpm --import 对应的 RPM-GPG-KEY-EPEL-6 公钥,再用 rpm -K epel-release-6-8.noarch.rpm 确认签名有效。
[root@localhost pma]# yum install wget
https://fedoraproject.org/wiki/EPEL
[root@localhost ~]# wget http://mirrors.yun-idc.com/epel/6/i386/epel-release-6-8.noarch.rpm
[root@localhost ~]# rpm -lpq epel-release-6-8.noarch.rpm
warning: epel-release-6-8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
/etc/rpm/macros.ghc-srpm
/etc/yum.repos.d/epel-testing.repo
/etc/yum.repos.d/epel.repo
/usr/share/doc/epel-release-6
/usr/share/doc/epel-release-6/GPL
[root@localhost ~]#
使用EPEL更新源安装php-mcrypt扩展包
[root@localhost ~]# yum install php-mcrypt
重启Apache服务器
[root@localhost ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@localhost ~]#
postmaster邮箱收到的邮件内容。其中 452 4.3.1 Insufficient system storage 表示 Postfix 认为队列所在文件系统的剩余空间低于 queue_minfree(或磁盘已满),因而暂时拒收。另外 EHLO 响应中公布了 VRFY,攻击者可以借此枚举有效邮箱地址,建议在 main.cf 中设置 disable_vrfy_command = yes。
Postfix SMTP server: errors from localhost.localdomain[127.0.0.1]
Transcript of session follows.
Out: 220 program.sample.com ESMTP Postfix
In: EHLO localhost.localdomain
Out: 250-program.sample.com
Out: 250-PIPELINING
Out: 250-SIZE 10240000
Out: 250-VRFY
Out: 250-ETRN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: MAIL From:<apache@localhost.localdomain> SIZE=910
Out: 452 4.3.1 Insufficient system storage
In: QUIT
Out: 221 2.0.0 Bye
在CentOS 6.3最小化环境下安装依赖软件包
[root@localhost openvpn-2.2.2]# yum install gcc make lzo-devel openssl-devel
编译安装OpenVPN 2.2.2(下载后先用 GPG 核对官方签名或校验和再解压;另外 2.2.x 已经很旧,新部署应使用当前仍在维护的 2.x 版本)
[root@localhost ~]# tar xzf openvpn-2.2.2.tar.gz
[root@localhost ~]# cd openvpn-2.2.2
[root@localhost openvpn-2.2.2]# ./configure --prefix=/usr/local/openvpn
[root@localhost openvpn-2.2.2]# make
[root@localhost openvpn-2.2.2]# make install
生成证书
编辑控制证书生成工具easy-rsa参数的配置文件
[root@localhost 2.0]# vi vars
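# easy-rsa parameter settings
#
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
#
# This file is meant to be sourced ("source ./vars"), not executed: every
# setting is exported so the build-ca / build-key* / build-dh scripts see it.

# Top level of the easy-rsa tree (the directory this file is sourced from).
export EASY_RSA="$(pwd)"

# Executables used by the build scripts.
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"

# openssl.cnf shipped with easy-rsa.  whichopensslcnf picks the variant that
# matches the installed OpenSSL and prints the "No ... openssl.cnf file could be
# found" banner when none matches -- copy openssl-1.0.0.cnf to openssl.cnf then.
export KEY_CONFIG="$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")"

# Output directory for the CA, server and client keys.
# WARNING: clean-all does rm -rf on this directory, so define it carefully!
# ca.key ends up here next to the server key; keep it off the VPN server
# (the server only needs ca.crt) and readable by root alone.
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
printf 'NOTE: If you run ./clean-all, I will be doing a rm -rf on %s\n' "$KEY_DIR"

# PKCS11 fixes (placeholders; overridden by the editable values at the bottom).
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# RSA modulus size for the CA, server and client keys, and the size of the DH
# parameters build-dh writes (dh${KEY_SIZE}.pem).  The stock file ships 1024
# with a comment calling 2048 "paranoid"; that advice is outdated -- 1024-bit
# RSA signing was disallowed by NIST after 2013 and 1024-bit DH groups are
# within reach of Logjam-style precomputation -- so 2048 is the floor here.
# Set this BEFORE sourcing vars and running clean-all/build-ca; changing it
# afterwards does not re-key anything already generated, and the server
# config's "dh" line must point at the new dh2048.pem.
export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
# (Lower this before build-key to issue short-lived client certificates.)
export KEY_EXPIRE=3650

# Default values for the certificate subject fields.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL=mail@host.domain
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234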
执行证书环境配置清理工作
[root@localhost 2.0]# source ./vars
**************************************************************
No /root/openvpn-2.2.2/easy-rsa/2.0/openssl.cnf file could be found
Further invocations will fail
**************************************************************
NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn-2.2.2/easy-rsa/2.0/keys
[root@localhost 2.0]#
[root@localhost 2.0]# ./clean-all
根据当前系统中安装openssl的版本确定引用openssl配置文件
[root@localhost 2.0]# cp openssl-1.0.0.cnf openssl.cnf
生成CA证书(注意 KEY_SIZE、CA_EXPIRE 等参数在 source ./vars 时就已确定:下面的输出显示生成的是 1024 位 RSA 密钥,这个长度已不安全,实际部署应先把 vars 里的 KEY_SIZE 改为 2048 或更大,重新 source 后再执行 build-ca)
[root@localhost 2.0]# ./build-ca Generating a 1024 bit RSA private key .............++++++ ..++++++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]:CN State or Province Name (full name) [CA]:GD Locality Name (eg, city) [SanFrancisco]:SHENZHEN Organization Name (eg, company) [Fort-Funston]:LINUXCACHE Organizational Unit Name (eg, section) [changeme]:LINUXCACHE LABS Common Name (eg, your name or your server's hostname) [changeme]:LINUXCACHE CA Name [changeme]: Email Address [mail@host.domain]: [root@localhost 2.0]#
查看已生成的文件。其中 ca.key 是 CA 私钥,持有它就能签发任何会被这个 VPN 信任的客户端证书:它不应复制到 OpenVPN 服务器上(服务器只需要 ca.crt、server.crt、server.key 和 dh 文件),应离线保存并限制为 600/root。
[root@localhost 2.0]# ls keys/
ca.crt ca.key index.txt serial
[root@localhost 2.0]#
生成服务证书
[root@localhost 2.0]# ./build-key-server server Generating a 1024 bit RSA private key ............++++++ ...........++++++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]:CN State or Province Name (full name) [CA]:GD Locality Name (eg, city) [SanFrancisco]:SHENZHEN Organization Name (eg, company) [Fort-Funston]:LINUXCACHE Organizational Unit Name (eg, section) [changeme]:LINUXCACHE LABS Common Name (eg, your name or your server's hostname) [server]:LINUXCACHE SERVER Name [changeme]:linuxcache Email Address [mail@host.domain]:hostmaster@linuxcache.com
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /root/openvpn-2.2.2/easy-rsa/2.0/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'GD' localityName :PRINTABLE:'SHENZHEN' organizationName :PRINTABLE:'LINUXCACHE' organizationalUnitName:PRINTABLE:'LINUXCACHE LABS' commonName :PRINTABLE:'LINUXCACHE SERVER' name :PRINTABLE:'linuxcache' emailAddress :IA5STRING:'hostmaster@linuxcache.com' Certificate is to be certified until Nov 10 06:48:22 2023 GMT (3650 days) Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@localhost 2.0]#
[root@localhost 2.0]# ls keys/
01.pem ca.key index.txt.attr serial server.crt server.key
ca.crt index.txt index.txt.old serial.old server.csr
[root@localhost 2.0]#
生成服务器DH文件(DH 参数长度同样由 vars 中的 KEY_SIZE 决定。1024 位 DH 已不安全(参见 Logjam 攻击),应使用 2048 位;生成的文件名会相应变为 dh2048.pem,服务器配置里的 dh 指令也要同步修改)
[root@localhost 2.0]# ./build-dh Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time ..............................................................+.................... ................................................................................... ..............................+........+........................................... ................................................................................... .........+....................................................+.................... .....+....+........................................................................ ......................+.................+.................+..........+............. .........+......................................................................... ...................+............................................................... +.......................+......+......+.......+............+....................... .............................+......+.............................................. ..........+...................................................+.................... ..........+....+...................................................+............... .................................................................+................. ..........................++*++*++* [root@localhost 2.0]#
生成客户端证书
修改客户端证书的有效期:在 source ./vars 之前把 KEY_EXPIRE 改为所需天数(例如 30)再执行 build-key,签发时就会显示类似下面的提示。给客户端签发短期证书可以缩小证书丢失后的风险窗口;已签发的证书若需提前作废,用 revoke-full 生成 CRL 并在服务器配置中启用 crl-verify。注意本文后面实际记录的输出仍是 3650 天,说明示例中并没有真正改小。
Certificate is to be certified until Dec 12 07:01:44 2013 GMT (30 days)
[root@localhost 2.0]# ./build-key client
Generating a 1024 bit RSA private key
…..++++++
….++++++
writing new private key to ‘client.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [CA]:GD
Locality Name (eg, city) [SanFrancisco]:SHENZHEN
Organization Name (eg, company) [Fort-Funston]:LINUXCACHE
Organizational Unit Name (eg, section) [changeme]:LINUXCACHE LABS
Common Name (eg, your name or your server’s hostname) [client]:CLIENT
Name [changeme]:linuxcache-client
Email Address [mail@host.domain]:client@linuxcache.com
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openvpn-2.2.2/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:’CN’
stateOrProvinceName :PRINTABLE:’GD’
localityName :PRINTABLE:’SHENZHEN’
organizationName :PRINTABLE:’LINUXCACHE’
organizationalUnitName:PRINTABLE:’LINUXCACHE LABS’
commonName :PRINTABLE:’CLIENT’
name :PRINTABLE:’linuxcache-client’
emailAddress :IA5STRING:’client@linuxcache.com’
Certificate is to be certified until Nov 10 06:54:04 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]#
[root@localhost 2.0]# ls keys/
01.pem ca.key client.key index.txt.attr serial server.csr
02.pem client.crt dh1024.pem index.txt.attr.old serial.old server.key
ca.crt client.csr index.txt index.txt.old server.crt
[root@localhost 2.0]#
查看当前系统发行版本
[root@localhost ~]# cat /etc/redhat-release
CentOS release 6.4 (Final)
[root@localhost ~]#
安装PPP包。先说明一点:PPTP 所用的 MS-CHAPv2 认证(以及由它派生密钥的 MPPE 加密)在 2012 年已被公开证明可以在短时间内被破解(MS-CHAPv2 可归结为一次 DES 密钥穷举),因此这种 VPN 不能提供可靠的机密性和身份保护,只适合做兼容性或测试用途;需要安全的远程接入时应使用上文的 OpenVPN(或 IPsec/IKEv2)。
[root@localhost ~]# yum install ppp
下载(注意这是明文 http 链接,而且下面两处 rpm 输出都提示 NOKEY:系统没有该包签名者的公钥,rpm 无法验证签名。安装前应从项目页面获取并 rpm --import 签名公钥,再用 rpm -K 校验这个 rpm)
[root@localhost ~]# wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.3.4-2.el6.i686.rpm
查看pptpd二进制包安装路径
[root@localhost ~]# rpm -lpq pptpd-1.3.4-2.el6.i686.rpm warning: pptpd-1.3.4-2.el6.i686.rpm: Header V3 DSA/SHA1 Signature, key ID 862acc42: NOKEY /etc/ppp/options.pptpd /etc/pptpd.conf /etc/rc.d/init.d/pptpd /usr/bin/vpnstats.pl /usr/bin/vpnuser /usr/lib/pptpd/pptpd-logwtmp.so /usr/sbin/bcrelay /usr/sbin/pptp-portslave /usr/sbin/pptpctrl /usr/sbin/pptpd /usr/share/doc/pptpd-1.3.4 /usr/share/doc/pptpd-1.3.4/AUTHORS /usr/share/doc/pptpd-1.3.4/COPYING /usr/share/doc/pptpd-1.3.4/ChangeLog /usr/share/doc/pptpd-1.3.4/INSTALL /usr/share/doc/pptpd-1.3.4/README /usr/share/doc/pptpd-1.3.4/README.bcrelay /usr/share/doc/pptpd-1.3.4/README.cvs /usr/share/doc/pptpd-1.3.4/README.inetd /usr/share/doc/pptpd-1.3.4/README.logwtmp /usr/share/doc/pptpd-1.3.4/README.portslave /usr/share/doc/pptpd-1.3.4/README.slirp /usr/share/doc/pptpd-1.3.4/TODO /usr/share/doc/pptpd-1.3.4/samples /usr/share/doc/pptpd-1.3.4/samples/chap-secrets /usr/share/doc/pptpd-1.3.4/samples/options.pptpd /usr/share/doc/pptpd-1.3.4/samples/pptpd.conf /usr/share/man/man5/pptpd.conf.5.gz /usr/share/man/man8/pptpctrl.8.gz /usr/share/man/man8/pptpd.8.gz [root@localhost ~]#
安装pptp安装包
[root@localhost ~]# rpm -ivh pptpd-1.3.4-2.el6.i686.rpm warning: pptpd-1.3.4-2.el6.i686.rpm: Header V3 DSA/SHA1 Signature, key ID 862acc42: NOKEY Preparing... ########################################### [100%] 1:pptpd ########################################### [100%] [root@localhost ~]#
设置服务器端虚拟接口IP地址和客户端IP地址池
[root@localhost ~]# cp /etc/pptpd.conf /etc/pptpd.conf.backup
[root@localhost ~]# vi /etc/pptpd.conf
localip 10.0.192.1
remoteip 10.0.192.100-200
设置拨号账户用户名与密码
[root@localhost ~]# cd /etc/ppp/
[root@localhost ppp]# cp chap-secrets chap-secrets.backup
[root@localhost ppp]# vi chap-secrets
harvey pptpd 78903456 *
第一列:用户名
第二列:服务器名称(与 /etc/ppp/options.pptpd 中的 name 选项对应)
第三列:密码。此文件以明文保存口令,必须保持属主 root、权限 600(pppd 要求该文件只能由 root 读取);上面复制出的 chap-secrets.backup 同样不能放宽权限
第四列:允许分配给该用户的 PPP 隧道 IP 地址(即 remoteip 池中的地址),* 表示任意。它限制的是隧道内的对端地址,而不是客户端拨入时的来源公网 IP
设定客户端DNS
[root@localhost ppp]# vi options.pptpd
ms-dns 8.8.8.8
ms-dns 8.8.4.4
查看并设置pptpd服务开机启动状态
[root@localhost ppp]# chkconfig --list pptpd
pptpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@localhost ppp]# chkconfig --level 35 pptpd on
启动pptpd服务器
[root@localhost ppp]# service pptpd start
Starting pptpd: [ OK ]
[root@localhost ppp]#
确认服务已运行且监听1723端口
[root@localhost ppp]# netstat -ltn |grep 1723
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN
[root@localhost ppp]#
设置IP包转发
临时设置
[root@localhost ppp]# echo 1 > /proc/sys/net/ipv4/ip_forward
开机设置
[root@localhost ppp]# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
使用Windows作为客户端连接pptpd服务器
新建拨号连接
拨号连接向导
输入VPN服务器的IP地址
点击新建的VPN拨号连接,输入用户名密码后点连接
拨号连接成功
查看本机拨号连接获得的IP地址
查看服务器端PPP网关接口状态
拨号连接后成功后,使用ping www.facebook.com超时,显示无法正常访问被限制网站
防火墙转发设置。下面只添加了 nat 表的 SNAT 规则(公网地址固定时可用;若地址会变化应改用 -j MASQUERADE)。注意后面 service iptables status 的输出里只有 nat 表,表明 filter 表很可能没有任何规则、默认策略为 ACCEPT——这台 VPN 服务器的所有端口都对外开放,FORWARD 链也没有限制 VPN 客户端可以转发到哪里。至少应在 INPUT 链只放行 tcp/1723、GRE 和管理端口,并在 FORWARD 链限制 10.0.192.0/24 的去向。另外 iptables -I/-A 这类即时修改不会自动持久化,改完仍需再执行一次 service iptables save。
[root@localhost ~]# iptables -t nat -A POSTROUTING -o eth0 -s 10.0.192.0/24 -j SNAT --to 174.139.2.162
[root@localhost ~]# iptables save
Bad argument `save'
Try `iptables -h' or 'iptables --help' for more information.
[root@localhost ~]#
[root@localhost ~]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@hvpn ~]#
[root@localhost ~]# /etc/init.d/iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: nat [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
[root@localhost ~]#
[root@localhost ~]# service pptpd restart
Shutting down pptpd: [ OK ]
Starting pptpd: [ OK ]
Warning: a pptpd restart does not terminate existing
connections, so new connections may be assigned the same IP
address and cause unexpected results. Use restart-kill to
destroy existing connections during a restart.
[root@localhost ~]#
查看已生效的转发策略
[root@localhost ~]# service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 SNAT all — 10.0.192.0/24 0.0.0.0/0 to:174.139.2.162
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[root@localhost ~]#
在服务器添加防火墙转发规则以后再次ping www.facebook.com显示可以正常访问被限制网站
# PPTP carries the tunnel payload in GRE (IP protocol 47), separate from the
# TCP/1723 control channel; if GRE is dropped the client authenticates but no
# traffic flows.  Inserted at the top of INPUT so it precedes any REJECT rule.
# NOTE(review): like the SNAT rule above, this is not persisted until
# "service iptables save" is run again.
iptables --insert INPUT --protocol gre --jump ACCEPT
相关下载:
(1)pptpd 1.3.4-2 rhel6 x86 rpm package (2) pptpd 1.3.4-2 rhel6 x86_64 rpm package