Category Archives: Maintenance

Enable https for your nginx-hosted website with a CA-signed certificate

1. Exchange a Certificate Signing Request for certificate files

openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out my.csr

Then submit the my.csr file to your CA; it will send the certificate files back to you.

* The private.key stays on the server (only my.csr goes to the CA); it is used for decryption during SSL/TLS session establishment between the server and a client.

2. Combine all the certificate files into a single certificate chain file

Nginx expects the server certificate and the CA bundle in a single file, while other servers can take them as separate files.

     cat my_server.crt my_server.ca-bundle > cert_chain.crt
     vi cert_chain.crt   # to make sure there is a new line between "END CERTIFICATE" and the next "BEGIN CERTIFICATE"

3. Configure Nginx with the files

    server {
        listen 80;
        listen 443 ssl;
        server_name my-server.com;

        # force https-redirects
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        ssl_certificate     /path/to/your/cert_chain.crt;
        ssl_certificate_key /path/to/your/private.key;
    }
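Step 2 above relies on a manual check in vi that the boundary between the two certificates landed on its own line. As an added example (not part of the original post), the following POSIX shell helpers build the chain file so that boundary is always correct, and check an existing bundle for the glued "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" line. The file names are the ones used in step 2; the PEM bodies in the accompanying test are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: build and sanity-check an nginx certificate chain file.

# make_chain OUT FILE...  concatenates PEM files into OUT, appending a newline
# to any input that does not end with one, so "-----END CERTIFICATE-----" is
# never glued to the next "-----BEGIN CERTIFICATE-----".
make_chain() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # tail -c 1 prints the last byte; $(...) strips a trailing newline,
        # so a non-empty result means the file has no final newline.
        if [ -n "$(tail -c 1 "$f")" ]; then
            echo >> "$out"
        fi
    done
}

# check_chain FILE  prints the number of certificates in FILE and returns 0,
# or returns 1 when an END/BEGIN boundary shares a line or the markers are
# unbalanced (the symptom of either is nginx refusing to load the file).
check_chain() {
    file="$1"
    if grep -q 'END CERTIFICATE-----.*-----BEGIN CERTIFICATE' "$file"; then
        echo "check_chain: END and BEGIN on the same line in $file" >&2
        return 1
    fi
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$file" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$file" || true)
    if [ "$begins" -ne "$ends" ] || [ "$begins" -eq 0 ]; then
        echo "check_chain: $begins BEGIN vs $ends END markers in $file" >&2
        return 1
    fi
    echo "$begins"
}
```

Usage: `make_chain cert_chain.crt my_server.crt my_server.ca-bundle && check_chain cert_chain.crt` should print 2 (server certificate plus one intermediate; more if the bundle holds several). With real certificates, `openssl verify -CAfile my_server.ca-bundle my_server.crt` is the additional check that the bundle actually chains to the server certificate.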

Enable https for your apache-httpd-hosted website with a self-signed certificate

Generate a self-signed https certificate

Java’s KeyTool is kind of heavy due to its “keystore” concept. I prefer openssl:

openssl req -x509 -nodes -newkey rsa:2048 -keyout cjx_private.key -out cjx_cert.pem -days 36500
# "-nodes" means the private key is written without a passphrase
# You will be prompted to enter your information. This one is important:
Common Name (e.g. server FQDN or YOUR name) []:*.foo.com   ## so the certificate is valid for all subdomains under foo.com

# After generation you can check the result:
openssl x509 -in cjx_cert.pem -text

Now you’ve got two files:
1. cjx_private.key — the private key file
2. cjx_cert.pem — the certificate file

Install it on Apache

Install mod_ssl first

yum install mod_ssl

edit httpd.conf

NameVirtualHost *:443 
...

    ....
    SSLEngine on
    SSLCertificateFile  /somepath/cjx_cert.pem
    SSLCertificateKeyFile /somepath/cjx_private.key

After setting up a service on EC2 you have to edit the security group before it can be reached from the public Internet

After setting up Apache httpd or Tomcat on an AWS EC2 instance, accessing the service in a browser via the instance's public IP failed.

This is because no firewall rule had been set. For EC2, the security group plays the role of the firewall.

How to set it: go to the instance list, find the corresponding group in the Security Group column and click it, then Actions => Edit Inbound Rules and add HTTP; that allows access on port 80.

To open port 8080 for HTTP, add a Custom TCP rule.

.htaccess is being ignored?

Check whether your virtual host contains this mistake:

Quote:

    <Directory "/home/page_url/www/">
        AllowOverride None
    </Directory>

You need to remove the AllowOverride None. If your Apache version is older, you also have to add AllowOverride All.

Quote:

    Syntax: AllowOverride All|None|directive-type [directive-type] …

    Default: AllowOverride None (2.3.9 and later), AllowOverride All (2.3.8 and earlier)

http://stackoverflow.com/questions/5210820/apache-server-ignores-htaccess

apache httpd: A typical virtualhost

Quote:

    <VirtualHost myjoomla.kent.net:80>
        ServerName myjoomla.kent.net
        DocumentRoot /home/kent/dev/phpws/joomla25

        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
    </VirtualHost>

eclipse + tomcat + maven integrated development environment

An eclipse + tomcat + maven integrated development environment that satisfies:

   1. Changes to JSPs take effect immediately

   2. After changing code you only need to click to start Tomcat; no need to run mvn package or similar commands

After a lot of searching online, the complete solution is:

   0. Use the JEE edition of Eclipse and install the m2eclipse plugin

   1. Configure the dynamic web module by following this guide, setting the web root to src/main/webapp.

   2. In the Servers view add a Tomcat and add the project from the previous step to it. Tomcat probably needs to be 7.0; for the exact version see here.

   3. Set the context path to what you want, otherwise the context path will be the same as your project name. Project Properties => Web Project Settings => Context Root

   4. Include the dependency libraries Maven points to in the web module, otherwise you will get class-not-found errors. Project Properties => Deployment Assembly => Add "Java Build Path Entry", select Maven Dependencies

   5. Start Tomcat

apache httpd: forbid direct access by IP address

After a lot of searching, I finally got it working with the method below. (Any system that doesn't use XML for its config files is being sloppy; something like httpd.conf has far too little sense of hierarchy.)

Quote:

    NameVirtualHost *:80

    <VirtualHost *:80>
        ServerName 111.111.111.111

        <Location />
            Order deny,allow
            Deny from all
        </Location>
    </VirtualHost>

    <VirtualHost *:80>
        ServerName www.myblog.com
        DocumentRoot /home/me/myblog
        …
    </VirtualHost>

Apache serves a request whose Host header matches no ServerName from the first VirtualHost defined for that address and port, so the deny-all block must come first: requests made by IP (or with any unknown Host header) land there and get 403, while only www.myblog.com reaches the real site.

403 error when accessing a page served by CentOS + Apache

This is usually because the process running httpd has no permission to access the directory your application lives in; is the owner of that directory root?

After a lot of fiddling, the best solution is:

1. Create a new Linux account and group, e.g. myblog/myblog

2. Log in with that account and create your application directory under its home directory

3. Edit httpd.conf, find the User and Group entries, and change them to myblog, myblog
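The 403 described above is a permission problem on the path to the application directory, and it can be diagnosed before touching httpd.conf. As an added example (not part of the original post), the following POSIX shell function walks from / down to a DocumentRoot and reports every directory that a non-owner process such as httpd cannot search; the directory name /home/myblog/www in the usage note is an assumption matching the steps above, and it relies on GNU `stat -c %a` as found on CentOS.

```shell
#!/bin/sh
# Added example: diagnose an Apache 403 caused by directory permissions.
# httpd runs as its own user (apache on CentOS). To serve a DocumentRoot it
# needs search ("x") permission on every directory from / down to it, plus
# read permission on the files. CentOS creates home directories with mode
# 0700, which is why a DocumentRoot under /home/<user> returns 403 until the
# permissions are opened up or httpd is switched to run as that user.

# docroot_blockers DIR  prints each directory on the path from / to DIR that
# denies search permission to the "other" class (one per line, with its
# octal mode), and returns 1 if it printed anything, 0 if the path is clear.
docroot_blockers() {
    dir="$1"
    found=0
    while [ -n "$dir" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        # stat -c %a gives the octal mode (GNU coreutils); its last digit is
        # the "other" class, whose lowest bit is execute/search.
        mode=$(stat -c '%a' "$dir")
        other=$(( mode % 10 ))
        if [ $(( other % 2 )) -eq 0 ]; then
            echo "$dir ($mode)"
            found=1
        fi
        dir=$(dirname "$dir")
    done
    return "$found"
}
```

Run `docroot_blockers /home/myblog/www` as any user; each line it prints is a directory the apache user cannot enter. Changing httpd's User and Group to myblog, as in step 3, makes the problem disappear because the owner class then applies, but it also means a compromised httpd worker owns, and can rewrite, every file of the application. Keeping httpd on its own user and instead granting search permission on the home directory (chmod 711 /home/myblog) plus read-only access to the DocumentRoot leaves the web server without write access to the site.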