
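・I want to know how to enable HTTPS in an AlmaLinux 9.6 + Apache 2.4 environment.
・I want to be shown the concrete steps.
This article answers these questions.
Contents of this article
- Steps to enable HTTPS in an AlmaLinux 9.6 + Apache 2.4 environment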

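I, the author of this article, work at a certain SIer (systems integrator) and,
aspiring to become a web engineer or infrastructure engineer, am studying programming and infrastructure technology.
With that background, I will walk through the procedure.
I include commands and screenshots that I tried on an actual machine.
I think this helps back up the reliability of the article.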
Steps to enable HTTPS in an AlmaLinux 9.6 + Apache 2.4 environment
firewalld configuration
    [root@a-webap01 ~]# firewall-cmd --zone=home --add-service=https --permanent
    success
    [root@a-webap01 ~]# firewall-cmd --reload
    success
Installing mod_ssl
    dnf install mod_ssl

    [root@a-webap01 ~]# dnf install mod_ssl
    メタデータの期限切れの最終確認: 0:31:16 前の 2025年09月01日 18時18分51秒 に実施しました。
    依存関係が解決しました。
    ====================================================================================================
     パッケージ          アーキテクチャー     バージョン               リポジトリー       サイズ
    ====================================================================================================
    インストール:
     mod_ssl             x86_64               1:2.4.62-4.el9           appstream          109 k
    依存関係のインストール:
     sscg                x86_64               3.0.0-7.el9              appstream           45 k

    トランザクションの概要
    ====================================================================================================
    インストール  2 パッケージ

    ダウンロードサイズの合計: 154 k
    インストール後のサイズ: 378 k
    これでよろしいですか? [y/N]: y
Modifying ssl.conf
/etc/httpd/conf.d/ssl.conf
Comment out everything from <VirtualHost _default_:443> through </VirtualHost>.
Creating the "ssl_xxxxxxxxxxx.conf" file for the virtual host
/etc/httpd/conf.d/ssl_test01.a-email01.blue-planet.internal.conf
    #
    # When we also provide SSL we have to listen to the
    # standard HTTPS port in addition.
    #
    Listen 443 https

    ##
    ## SSL Global Context
    ##
    ## All SSL configuration in this context applies both to
    ## the main server and all SSL-enabled virtual hosts.
    ##

    # Pass Phrase Dialog:
    # Configure the pass phrase gathering process.

    <VirtualHost *:443>

    # General setup for the virtual host, inherited from global configuration
    # ★★★ changed
    DocumentRoot "/var/www/html/test01"
    # ★★★ changed
    ServerName test01.blue-planet.internal:443
    # ★★★ changed (ServerAlias takes host names only, without a port)
    ServerAlias www.test01.blue-planet.internal
    # Use separate log files for the SSL virtual host; note that LogLevel
    # is not inherited from httpd.conf.
    # ★★★ changed
    ErrorLog logs/ssl_test01.blue-planet.internal-error_log
    # ★★★ changed
    TransferLog logs/ssl_test01.blue-planet.internal-access_log
    LogLevel warn

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # own preference of either security or performance, therefore this
    # must be the prerogative of the web server administrator who manages
    # cpu load versus confidentiality, so enforce the server's cipher order.
    SSLHonorCipherOrder on

    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    # The OpenSSL system profile is configured by default. See
    # update-crypto-policies(8) for more details.
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM

    # Point SSLCertificateFile at a PEM encoded certificate. If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase. Note that restarting httpd will prompt again. Keep
    # in mind that if you have both an RSA and a DSA certificate you
    # can configure both in parallel (to also allow the use of DSA
    # ciphers, etc.)
    # Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
    # require an ECC certificate which can also be configured in
    # parallel.
    # ★★★ changed
    SSLCertificateFile /etc/pki/tls/certs/blue-planet.crt

    # Server Private Key:
    # If the key is not combined with the certificate, use this
    # directive to point at the key file. Keep in mind that if
    # you've both a RSA and a DSA private key you can configure
    # both in parallel (to also allow the use of DSA ciphers, etc.)
    # ECC keys, when in use, can also be configured in parallel
    # ★★★ changed
    SSLCertificateKeyFile /etc/pki/tls/certs/blue-planet.key

    # Server Certificate Chain:
    # Point SSLCertificateChainFile at a file containing the
    # concatenation of PEM encoded CA certificates which form the
    # certificate chain for the server certificate. Alternatively
    # the referenced file can be the same as SSLCertificateFile
    # when the CA certificates are directly appended to the server
    # certificate for convenience.
    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

    # Certificate Authority (CA):
    # Set the CA certificate verification path where to find CA
    # certificates for client authentication or alternatively one
    # huge file containing all of them (file must be PEM encoded)
    #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

    # Client Authentication (Type):
    # Client certificate verification type and depth. Types are
    # none, optional, require and optional_no_ca. Depth is a
    # number which specifies how deeply to verify the certificate
    # issuer chain before deciding the certificate is not valid.
    #SSLVerifyClient require
    #SSLVerifyDepth 10

    # Access Control:
    # With SSLRequire you can do per-directory access control based
    # on arbitrary complex boolean expressions containing server
    # variable checks and other lookup directives. The syntax is a
    # mixture between C and Perl. See the mod_ssl documentation
    # for more details.
    #<Location />
    #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
    # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>

    # SSL Engine Options:
    # Set various options for the SSL engine.
    # o FakeBasicAuth:
    #   Translate the client X.509 into a Basic Authorisation. This means that
    #   the standard Auth/DBMAuth methods can be used for access control. The
    #   user name is the `one line' version of the client's X.509 certificate.
    #   Note that no password is obtained from the user. Every entry in the user
    #   file needs this password: `xxj31ZMTZzkVA'.
    # o ExportCertData:
    #   This exports two additional environment variables: SSL_CLIENT_CERT and
    #   SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    #   server (always existing) and the client (only existing when client
    #   authentication is used). This can be used to import the certificates
    #   into CGI scripts.
    # o StdEnvVars:
    #   This exports the standard SSL/TLS related `SSL_*' environment variables.
    #   Per default this exportation is switched off for performance reasons,
    #   because the extraction step is an expensive operation and is usually
    #   useless for serving static content. So one usually enables the
    #   exportation for CGI and SSI requests only.
    # o StrictRequire:
    #   This denies access when "SSLRequireSSL" or "SSLRequire" applied even
    #   under a "Satisfy any" situation, i.e. when it applies access is denied
    #   and no other module can change it.
    # o OptRenegotiate:
    #   This enables optimized SSL connection renegotiation handling when SSL
    #   directives are used in per-directory context.
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments:
    # The safe and default but still SSL/TLS standard compliant shutdown
    # approach is that mod_ssl sends the close notify alert but doesn't wait for
    # the close notify alert from client. When you need a different shutdown
    # approach you can use one of the following variables:
    # o ssl-unclean-shutdown:
    #   This forces an unclean shutdown when the connection is closed, i.e. no
    #   SSL close notify alert is sent or allowed to be received. This violates
    #   the SSL/TLS standard but is needed for some brain-dead browsers. Use
    #   this when you receive I/O errors because of the standard approach where
    #   mod_ssl sends the close notify alert.
    # o ssl-accurate-shutdown:
    #   This forces an accurate shutdown when the connection is closed, i.e. a
    #   SSL close notify alert is sent and mod_ssl waits for the close notify
    #   alert of the client. This is 100% SSL/TLS standard compliant, but in
    #   practice often causes hanging connections with brain-dead browsers. Use
    #   this only for browsers where you know that their SSL implementation
    #   works correctly.
    # Notice: Most problems of broken clients are also related to the HTTP
    # keep-alive facility, so you usually additionally want to disable
    # keep-alive for those clients, too. Use variable "nokeepalive" for this.
    # Similarly, one has to force some clients to use HTTP/1.0 to workaround
    # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    # "force-response-1.0" for this.
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    # Per-Server Logging:
    # The home of a custom SSL log file. Use this when you want a
    # compact non-error SSL logfile on a virtual host basis.
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    </VirtualHost>
Syntax check
    [root@a-webap01 ~]# httpd -t
    Syntax OK
Restarting Apache
    [root@a-webap01 ~]# systemctl restart httpd
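`httpd -t` only checks configuration syntax, so the following checks (added here as an example, not taken from the original article) cover the certificate and key that the vhost file points at: key file permissions, whether the key belongs to the certificate, and whether the certificate covers the ServerName and is still valid 30 days from now. The function names are hypothetical; the openssl CLI, GNU stat and an unencrypted PEM key are assumed.

```shell
#!/bin/sh
# Added example (not from the original article): checks to run on the
# certificate/key pair before "systemctl restart httpd".
# Assumptions: openssl CLI, GNU stat, unencrypted PEM private key.

# Print the first argument of an active (uncommented) directive.
conf_value() {    # conf_value DIRECTIVE CONF_FILE
    awk -v d="$1" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }' "$2"
}

# Succeed only if group and other have no permission bits on the key file.
key_perms_ok() {  # key_perms_ok KEY_FILE
    kp_mode=$(stat -c '%a' "$1") || return 2
    case "$kp_mode" in 0|*00) return 0 ;; *) return 1 ;; esac
}

# Succeed only if certificate and private key carry the same public key.
pair_matches() {  # pair_matches CERT_FILE KEY_FILE
    pm_c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    pm_k=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ -n "$pm_c" ] && [ "$pm_c" = "$pm_k" ]
}

# Succeed only if the certificate covers HOST and is still valid in DAYS days.
cert_usable() {   # cert_usable CERT_FILE HOST DAYS
    openssl x509 -in "$1" -noout -checkend $(( $3 * 86400 )) >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Run every check against one vhost file; the return value is the failure count.
check_vhost() {   # check_vhost CONF_FILE
    cv_crt=$(conf_value SSLCertificateFile "$1")
    cv_key=$(conf_value SSLCertificateKeyFile "$1")
    cv_host=$(conf_value ServerName "$1"); cv_host=${cv_host%%:*}   # drop ":443"
    cv_fail=0
    key_perms_ok "$cv_key"              || { echo "FAIL: $cv_key is accessible to group/other"; cv_fail=$((cv_fail + 1)); }
    pair_matches "$cv_crt" "$cv_key"    || { echo "FAIL: $cv_crt and $cv_key do not match"; cv_fail=$((cv_fail + 1)); }
    cert_usable "$cv_crt" "$cv_host" 30 || { echo "FAIL: $cv_crt is expiring or does not cover $cv_host"; cv_fail=$((cv_fail + 1)); }
    return "$cv_fail"
}

# Usage on the server: check_vhost <path to the vhost .conf> && systemctl restart httpd
```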
Checking the page in a browser




