Notebook

This is a memorandum recording things I have learned through daily work and things I have noticed in everyday life.

HTML file generated: 2024/09/03 20:25:59.812 (Taiwan Standard Time)

How to set up an HTTPS server with Apache on NetBSD

Below is a summary of how to set up an HTTPS server that complies with TLS 1.3 using the Apache HTTP server on NetBSD. Reading the official Apache documentation and the OpenSSL manual pages was enough to work out how to do it.

Preparing the private key and certificate

Installing OpenSSL

Install OpenSSL. With pkgsrc this is easy.
# cd /usr/pkgsrc/security/openssl
# make install
=> Bootstrap dependency digest>=20010302: found digest-20190127
=> Checksum SHA1 OK for openssl-1.1.1i.tar.gz
=> Checksum RMD160 OK for openssl-1.1.1i.tar.gz
=> Checksum SHA512 OK for openssl-1.1.1i.tar.gz
===> Installing dependencies for openssl-1.1.1i
==========================================================================
The supported build options for openssl are:

        idea md2 mdc2 rc5 threads zlib

The currently selected options are:

        idea md2 mdc2 rc5 threads

You can select which build options to use by setting PKG_DEFAULT_OPTIONS
or the following variable.  Its current value is shown:

        PKG_OPTIONS.openssl (not defined)

==========================================================================
=> Tool dependency gmake>=3.81: found gmake-4.2.1nb1
=> Tool dependency perl>=5.0: found perl-5.32.0nb1
=> Build dependency cwrappers>=20150314: found cwrappers-20180325
===> Checking for vulnerabilities in openssl-1.1.1i
===> Overriding tools for openssl-1.1.1i
===> Extracting for openssl-1.1.1i

.....

=> Automatic manual page handling
=> Generating post-install file lists
=> Checking file-check results for openssl-1.1.1i
=> Creating binary package /data0/netbsd/pkgsrc/current/pkgsrc/security/openssl/work/.packages/openssl-1.1.1i.tgz
===> Building binary package for openssl-1.1.1i
=> Creating binary package /tmp/packages/All/openssl-1.1.1i.tgz
===> Installing binary package of openssl-1.1.1i
openssl-1.1.1i: copying /usr/pkg/share/examples/openssl/openssl.cnf to /usr/pkg/etc/openssl/openssl.cnf
# make clean

Generating an RSA private key

Create an RSA private key with OpenSSL. A passphrase must be entered.
% cd /somewhere/in/the/disk
% ls
% openssl genpkey -algorithm RSA -out server.key -aes-256-cbc \
? -pkeyopt rsa_keygen_bits:4096
..............................++++
................................................................................................................................................................................................................................................++++
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
% ls -l
total 1
-rw-------  1 daisuke  taiwan  3434 Jan 27 17:50 server.key
The private key server.key has been created.

Looking at the contents of the private key

The contents of the generated private key can be checked as follows. The passphrase is required to display the key's information.
% openssl rsa -noout -text -in server.key
Enter pass phrase for server.key:
RSA Private-Key: (4096 bit, 2 primes)
modulus:

.....

Creating the certificate

Act as your own certificate authority (CA, Certificate Authority) and sign the certificate yourself, producing a self-signed certificate.
% openssl req -new -x509 -nodes -sha384 -days 365 \
? -key server.key -out server.crt -extensions usr_cert
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taoyuan
Locality Name (eg, city) []:Jhongli
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXXXX
Organizational Unit Name (eg, section) []:XXXXX
Common Name (e.g. server FQDN or YOUR name) []:XXXXX
Email Address []:XXXXX@YYYYY.ZZZZZ
% ls -l
total 1
-rw-r--r--  1 daisuke  taiwan  2134 Jan 27 18:15 server.crt
-rw-------  1 daisuke  taiwan  3434 Jan 27 17:50 server.key
The signed certificate server.crt has been created.

Checking the contents of the certificate

The contents of the certificate can be checked as follows.
% openssl x509 -noout -text -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:

.....

Installing and configuring Apache

Installing Apache

# cd /usr/pkgsrc/www/apache24
# make install
=> Bootstrap dependency digest>=20010302: found digest-20190127
=> Checksum SHA1 OK for httpd-2.4.46.tar.bz2
=> Checksum RMD160 OK for httpd-2.4.46.tar.bz2
=> Checksum SHA512 OK for httpd-2.4.46.tar.bz2
===> Installing dependencies for apache-2.4.46nb2
==========================================================================
The supported build options for apache are:

        apache-managed-domain-handling apache-mpm-event
        apache-mpm-prefork apache-mpm-worker brotli
        http2 lua suexec xml

The currently selected options are:

        apache-mpm-event apache-mpm-prefork apache-mpm-worker
        brotli http2 xml

You can select which build options to use by setting PKG_DEFAULT_OPTIONS
or the following variable.  Its current value is shown:

        PKG_OPTIONS.apache (not defined)

==========================================================================
==========================================================================
The following variables will affect the build process of this package,
apache-2.4.46nb2.  Their current value is shown below:

        * APACHE_MODULES = all
        * IPV6_READY = YES
        * SSLBASE = /usr
        * SSLCERTS = /etc/openssl/certs
        * SSLDIR = /etc/openssl
        * SSLKEYS = /etc/openssl/private
        * VARBASE = /var

Based on these variables, the following variables have been set:

        * TERMCAP_TYPE = termcap

You may want to abort the process now with CTRL-C and change the value
of variables in the first group before continuing.  Be sure to run
`/usr/bin/make clean' after the changes.
==========================================================================
=> Tool dependency libtool-base>=2.4.2nb9: found libtool-base-2.4.6nb2
=> Tool dependency perl>=5.0: found perl-5.32.0nb1
=> Tool dependency pkgconf-[0-9]*: found pkgconf-1.7.3
=> Build dependency cwrappers>=20150314: found cwrappers-20180325
=> Full dependency apr>=1.5.0: found apr-1.7.0nb1
=> Full dependency apr-util>=1.6.1nb6: found apr-util-1.6.1nb8
=> Full dependency pcre>=8.30nb1: found pcre-8.44
=> Full dependency nghttp2>=1.40.0nb4: found nghttp2-1.42.0nb1
=> Full dependency libxml2>=2.9.10nb3: found libxml2-2.9.10nb3
=> Full dependency brotli>=1.0.1: found brotli-1.0.9
=> Full dependency readline>=6.0: found readline-8.0
===> Checking for vulnerabilities in apache-2.4.46nb2
===> Overriding tools for apache-2.4.46nb2
===> Extracting for apache-2.4.46nb2

.....

===========================================================================
The following files should be created for apache-2.4.46nb2:

        /etc/rc.d/apache (m=0755)
            [/usr/pkg/share/examples/rc.d/apache]

===========================================================================
===========================================================================
$NetBSD: MESSAGE,v 1.2 2014/02/22 17:28:34 ryoon Exp $

After apache-2.4.3, --enable-mpms-shared='event worker prefork' is
passed to configure script, then these multi-process model is built
and you can select the model in configuraton file.

The mod_cgi.so module conflicts with non-prefork multi-process model,
and mod_cgi.so module is not built anymore.
You can use mod_cgid.so module instead.
===========================================================================
# make clean

Editing the Apache configuration files

Edit the Apache configuration files so that Apache behaves as expected. For example, edit httpd.conf and httpd-userdir.conf.
# cd /usr/pkg/etc/httpd
# cp -pi httpd.conf httpd.conf.orig
# vi httpd.conf
# cp -pi httpd-userdir.conf httpd-uesrdir.conf.orig
# vi httpd-userdir.conf

Starting Apache

Check that Apache starts.
# ps auxww | grep httpd
root    22552  0.0  0.0    15012      48 pts/25 R+    6:35PM    0:00.00 grep httpd 
# /usr/pkg/sbin/apachectl start
# ps auxww | grep httpd
www     19714  0.0  0.0  3189776    3856 ?      Sl    6:35PM    0:00.00 /usr/pkg/sbin/httpd -k start 
www     24052  0.0  0.0  3189776    3792 ?      Sl    6:35PM    0:00.00 /usr/pkg/sbin/httpd -k start 
root    26030  0.0  0.0    88880    3864 ?      Ss    6:35PM    0:00.00 /usr/pkg/sbin/httpd -k start 
www     28793  0.0  0.0  3189776    3788 ?      Sl    6:35PM    0:00.00 /usr/pkg/sbin/httpd -k start 
root    23667  0.0  0.0     5472      52 pts/25 R+    6:35PM    0:00.00 grep httpd 
Once it has been confirmed to start, stop it again for the time being.
# /usr/pkg/sbin/apachectl stop
# ps auxww | grep httpd
root      983  0.0  0.0    15596      48 pts/25 R+    6:38PM    0:00.00 grep httpd 

Editing the configuration files for TLS

First, edit httpd.conf.
# cd /usr/pkg/etc/httpd
# cp -pi httpd.conf httpd.conf.notls
# vi httpd.conf
# diff httpd.conf.notls httpd.conf
91c91
< #LoadModule socache_shmcb_module lib/httpd/mod_socache_shmcb.so
---
> LoadModule socache_shmcb_module lib/httpd/mod_socache_shmcb.so
148c148
< #LoadModule ssl_module lib/httpd/mod_ssl.so
---
> LoadModule ssl_module lib/httpd/mod_ssl.so
523c523
< #Include etc/httpd/httpd-ssl.conf
---
> Include etc/httpd/httpd-ssl.conf
Next, edit httpd-ssl.conf so that only TLS v1.3 is accepted.
# cd /usr/pkg/etc/httpd
# cp -pi httpd-ssl.conf httpd-ssl.conf.orig
# vi httpd-ssl.conf
# diff httpd-ssl.conf.orig httpd-ssl.conf
52,53c52,55
< SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
< SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
---
> #SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
> SSLCipherSuite TLSv1.3 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
> #SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
> SSLProxyCipherSuite TLSv1.3 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
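Review bot: the added `SSLCipherSuite TLSv1.3 "..."` line uses mod_ssl's protocol-qualified form correctly, and all three names are the AEAD suites defined by TLS 1.3; but commenting out the plain `SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES` line leaves no explicit cipher list for TLS 1.2 and below, which is safe only in combination with the SSLProtocol change in the following hunk. Keep the two settings in step if the protocol list is ever loosened again.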
79,80c81,84
< SSLProtocol all -SSLv3
< SSLProxyProtocol all -SSLv3
---
> #SSLProtocol all -SSLv3
> SSLProtocol -all +TLSv1.3
> #SSLProxyProtocol all -SSLv3
> SSLProxyProtocol -all +TLSv1.3
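Review bot: `SSLProtocol -all +TLSv1.3` only works when mod_ssl is linked against OpenSSL 1.1.1 or later. The Apache build output above reports SSLBASE = /usr, i.e. the base-system OpenSSL rather than the pkgsrc openssl-1.1.1i installed in the first section, so check the OpenSSL version that httpd prints in its error_log startup line before relying on this. Also note that clients without TLS 1.3 support are refused outright with this setting.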
125,126c129,132
< ServerName www.example.com:443
< ServerAdmin you@example.com
---
> #ServerName www.example.com:443
> ServerName aaa.bbb.ccc.ddd:443
> #ServerAdmin you@example.com
> ServerAdmin XXXXX@YYYYY.ZZZZZ
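Review bot: the name a client connects to (aaa.bbb.ccc.ddd here) must match the certificate's subject alternative name, since modern browsers no longer fall back to the Common Name; the `openssl req` step above entered XXXXX as the CN and added no SAN, so browsers will still warn even after the self-signed certificate is trusted. Use the same hostname in ServerName and in the certificate, with a subjectAltName extension.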

Placing the private key and certificate in the right locations

The private key must be placed where the following directive in httpd-ssl.conf points.
#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "/usr/pkg/etc/httpd/server.key"
The certificate must be placed where the following directive in httpd-ssl.conf points.
#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
SSLCertificateFile "/usr/pkg/etc/httpd/server.crt"

Starting Apache

Start Apache. Because the private key is encrypted, the passphrase must be entered.
# /usr/pkg/sbin/apachectl start
Apache/2.4.46 mod_ssl (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Private key 127.0.0.1:443:0 (/usr/pkg/etc/httpd/server.key)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

Automatic passphrase entry

To have the passphrase entered automatically, prepare a script like the following. Suppose this script is /somewhere/in/the/disk/echo_passphrase.sh.

#!/bin/sh

echo 'MY_PASSPHRASE'

Then modify the httpd-ssl.conf file.
# cd /usr/pkg/etc/httpd
# chmod 700 /somewhere/in/the/disk/echo_passphrase.sh
# cp -pi httpd-ssl.conf httpd-ssl.conf.20210127
# vi httpd-ssl.conf
# diff httpd-ssl.conf.20210127 httpd-ssl.conf
90c90,91
< SSLPassPhraseDialog  builtin
---
> #SSLPassPhraseDialog  builtin
> SSLPassPhraseDialog  exec:/somewhere/in/the/disk/echo_passphrase.sh
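Review bot: with `SSLPassPhraseDialog exec:` the passphrase sits in cleartext in echo_passphrase.sh, so the encrypted server.key is now protected only by that file's permissions and ownership, exactly as an unencrypted key with mode 0600 would be. The `chmod 700` above is therefore essential; the script should also be owned by root (the root httpd parent invokes it at startup) and must not live under any web-served directory.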

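The following Python script is an added check, not part of the original page: it audits an httpd-ssl.conf excerpt for the three settings changed above (SSLProtocol, the TLSv1.3 SSLCipherSuite list, and SSLPassPhraseDialog) and reports where the file still allows older protocol versions or stores the passphrase on disk. The before/after excerpts are constructed from the diffs above; the severity labels and function names are my own.

```python
import re

# Constructed excerpts of httpd-ssl.conf: the pkgsrc defaults ("before")
# and the settings from the diffs above ("after"). Not the real files.
BEFORE = """\
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog  builtin
"""
AFTER = """\
#SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLCipherSuite TLSv1.3 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
#SSLProtocol all -SSLv3
SSLProtocol -all +TLSv1.3
SSLPassPhraseDialog  exec:/somewhere/in/the/disk/echo_passphrase.sh
"""
# The three TLS 1.3 AEAD suites the page enables; anything else is flagged.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                "TLS_AES_128_GCM_SHA256"}


def directives(text):
    """Yield (name, args) for each active directive; comments are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        yield parts[0].lower(), parts[1] if len(parts) > 1 else ""


def audit(text):
    """Return (severity, message) findings; [] means TLS 1.3-only as intended."""
    seen = dict(directives(text))  # last occurrence wins, as in httpd
    findings = []
    proto = seen.get("sslprotocol", "all -SSLv3")  # mod_ssl's own default
    if set(proto.split()) not in ({"-all", "+TLSv1.3"}, {"TLSv1.3"}):
        findings.append(("FAIL", f"SSLProtocol '{proto}' still allows pre-1.3 versions"))
    m = re.fullmatch(r'TLSv1\.3\s+"?([A-Z0-9_:]+)"?', seen.get("sslciphersuite", ""))
    if not m:
        findings.append(("FAIL", "no explicit TLSv1.3 SSLCipherSuite list"))
    elif set(m.group(1).split(":")) - TLS13_SUITES:
        findings.append(("FAIL", "SSLCipherSuite contains suites outside the expected list"))
    dialog = seen.get("sslpassphrasedialog", "builtin")
    if dialog.startswith("exec:"):
        # Automation removes the interactive prompt; the passphrase is now
        # only as secret as the script file's permissions and ownership.
        findings.append(("NOTE", f"passphrase stored on disk in {dialog[5:]}"))
    return findings
```

Running `audit(open("/usr/pkg/etc/httpd/httpd-ssl.conf").read())` on the real file gives the same findings for the live configuration.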
How to redirect http to https automatically

To have connection requests arriving over http automatically redirected to https, proceed as follows. First, modify httpd.conf.
# cd /usr/pkg/etc/httpd
# cp -pi httpd.conf httpd.conf.20210127
# vi httpd.conf
# diff httpd.conf.20210127 httpd.conf
173c173
< #LoadModule rewrite_module lib/httpd/mod_rewrite.so
---
> LoadModule rewrite_module lib/httpd/mod_rewrite.so
Next, modify httpd-ssl.conf.
# cd /usr/pkg/etc/httpd
# cp -pi httpd-ssl.conf httpd-ssl.conf.20210127_2
# vi httpd-ssl.conf
# diff httpd-ssl.conf.20210127_2 httpd-ssl.conf
125a126,131
> <VirtualHost *:80>
> RewriteEngine On 
> RewriteCond %{HTTPS} off 
> RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
> </VirtualHost>
> 
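Review bot: inside a `<VirtualHost *:80>` the `RewriteCond %{HTTPS} off` is always true, so it is redundant but harmless. The redirect target, however, is built from `%{HTTP_HOST}`, which echoes whatever Host header the client sent; pointing the rule at the configured name instead (`RewriteRule ^ https://aaa.bbb.ccc.ddd%{REQUEST_URI} [L,R=301]`) keeps the Location header under the server's control. The same result is available without mod_rewrite via mod_alias: `Redirect permanent "/" "https://aaa.bbb.ccc.ddd/"` in the port-80 virtual host.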
After restarting Apache, http connection requests are automatically redirected to https.


HTML file generated by Kinoshita Daisuke.