{"id":2293,"date":"2021-03-19T20:09:08","date_gmt":"2021-03-19T19:09:08","guid":{"rendered":"http:\/\/blogperso.union31.fr\/?p=2293"},"modified":"2021-03-21T15:09:37","modified_gmt":"2021-03-21T14:09:37","slug":"apache-activer-le-ssl","status":"publish","type":"post","link":"https:\/\/blogperso.union31.fr\/?p=2293","title":{"rendered":"Apache: enabling SSL"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"I_Introduction\"><\/span>I Introduction<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The goal is to show the main first steps needed to set up HTTPS communication with an Apache server. 
<\/p>\n\n\n\n<p>Prerequisites:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Apache already installed<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II_Module_SSL_pour_Apache\"><\/span>II SSL module for Apache<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Before setting up secure \"https\" communication, make sure the SSL module is enabled in Apache, since it is this module that makes the TLS protocol available.<\/p>\n\n\n\n<p>Enable the SSL module:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>a2enmod ssl<\/strong>\nConsidering dependency setenvif for ssl:\nModule setenvif already enabled\nConsidering dependency mime for ssl:\nModule mime already enabled\nConsidering dependency socache_shmcb for ssl:\nEnabling module socache_shmcb.\nEnabling module ssl.\nSee \/usr\/share\/doc\/apache2\/README.Debian.gz on how to configure SSL and create self-signed certificates.\nTo activate the new configuration, you need to run:\n  service apache2 restart\n<\/code><\/pre>\n\n\n\n<p>then restart the Apache service:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart apache2.service<\/code><\/pre>\n\n\n\n<p>Finally, check that the module is loaded by Apache:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>apachectl -M | grep ssl<\/strong>\n<span class=\"has-inline-color has-vivid-green-cyan-color\">ssl_module (shared)<\/span>\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III_Certificats\"><\/span>III Certificates<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III1_Introduction_petite\"><\/span>III.1 Introduction (brief)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>When data is encrypted between two machines over TLS, the server must authenticate itself so that the client can be sure it really is the server it claims to be. Certificates are used for that.<\/p>\n\n\n\n<p>Broadly speaking, the certificate provides:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>identity information;<\/li><li>authentication of the server;<\/li><li>a public key that will be used to set up the encryption between the client and the server;<\/li><li>and it can be verified by a third-party certificate authority.<\/li><\/ul>\n\n\n\n<p>To learn more about the TLS protocol: <a rel=\"noreferrer noopener\" href=\"https:\/\/fr.wikipedia.org\/wiki\/Transport_Layer_Security\" target=\"_blank\">wiki link<\/a><\/p>\n\n\n\n<p>Two options are now open to us before going on. Either we obtain a certificate from a certificate authority (free ones: CA CERT or Let's Encrypt), or we create a self-signed certificate (web browsers will complain a bit and report that the connection is not secure, because no third-party certificate authority vouches that the server really is the right one ...).<\/p>\n\n\n\n<p>We will take the latter option: the initial idea is to enable HTTPS, not to be state of the art at this stage.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III2_Creation_dun_certificat_auto_signe\"><\/span>III.2 Creating a self-signed certificate<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III21_Creation_dune_clef_privee\"><\/span>III.2.1 Creating a private key<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Generate a key:<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code><strong>openssl genrsa -des3 -out server.key 2048<\/strong>\nGenerating RSA private key, 2048 bit long modulus (2 primes)\n..................................................+++++\n......+++++\ne is 65537 (0x010001)\nEnter pass phrase for server.key:\nVerifying - Enter pass phrase for server.key:\n<\/code><\/pre>\n\n\n\n<p>The key will look like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>cat server.key<\/strong>\n-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,F4BD099F3D84CEE1\n\n(base64-encoded key material omitted)\n-----END RSA PRIVATE KEY-----<\/code><\/pre>\n\n\n\n<p>This key requires a passphrase. That is going to be a nuisance later, because the Apache server will prompt for this passphrase at startup in order to use the key for TLS encryption.<\/p>\n\n\n\n<p>So we create a private key without a passphrase from the initial private key:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl rsa -in server.key -out server.key.insecure<\/code><\/pre>\n\n\n\n<p>Then replace the initial key with the new one:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mv server.key server.key.secure\nmv server.key.insecure server.key<\/code><\/pre>\n\n\n\n<p>The new key without a passphrase will look like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>-----BEGIN RSA PRIVATE KEY-----\n(base64-encoded key material omitted)\n-----END RSA PRIVATE KEY-----<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III22_Creation_dune_CSR_Certificate_Signing_Request\"><\/span>III.2.2 Creating a CSR (Certificate Signing Request)<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>A CSR is a file generated in order to request a certificate. In our case this file is needed so that we can generate a self-signed certificate later.<\/p>\n\n\n\n<p>The command is as follows; then answer the questions:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>openssl req -new -key server.key -out server.csr<\/strong>\nEnter pass phrase for server.key:\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCountry Name (2 letter code) [AU]:FR\nState or Province Name (full name) [Some-State]:france\nLocality Name (eg, city) []:L'Union\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:perso\nOrganizational Unit Name (eg, section) []:perso\nCommon Name (e.g. server FQDN or YOUR name) []:pc-xavior\nEmail Address []:none\n\nPlease enter the following 'extra' attributes\nto be sent with your certificate request\nA challenge password []:\nAn optional company name []:<\/code><\/pre>\n\n\n\n<p>The signing request will look like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>-----BEGIN CERTIFICATE REQUEST-----\n(base64-encoded request omitted)\n-----END CERTIFICATE REQUEST-----<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III23_Creation_dun_certificat_auto-signe\"><\/span>III.2.3 Creating the self-signed certificate<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>To create the certificate, type the following line:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt<\/strong>\nSignature ok\nsubject=C = FR, ST = france, L = L'Union, O = perso, OU = perso, CN = pc-xavior, emailAddress = none\nGetting Private key\nEnter pass phrase for server.key:\n<\/code><\/pre>\n\n\n\n<p>The self-signed certificate \"server.crt\" will look like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>-----BEGIN CERTIFICATE-----\n(base64-encoded certificate omitted)\n-----END CERTIFICATE-----\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III23_Emplacement_des_clefs_et_certificats\"><\/span>III.2.4 Location of the keys and certificates<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Finally, put the private key and the self-signed certificate in the right directories:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp server.crt \/etc\/ssl\/certs\/\ncp server.key \/etc\/ssl\/private\/<\/code><\/pre>\n\n\n\n<p>Since this key is no longer protected by a passphrase, file permissions are its only protection: make sure it stays readable by root only (chmod 600 \/etc\/ssl\/private\/server.key).<\/p>\n\n\n\n<h3 
class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III3_Pour_aller_plus_loin\"><\/span>III.3 Going further<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>To go further, for example to create a local certificate authority: <a rel=\"noreferrer noopener\" href=\"https:\/\/guide.ubuntu-fr.org\/server\/certificates-and-security.html\" target=\"_blank\">link<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV_Configuration_dApache\"><\/span>IV Apache configuration<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV1_Configuration_du_https_dans_Apache\"><\/span>IV.1 Configuring HTTPS in Apache<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Now that we have a certificate (self-signed, with a key without passphrase), Apache must be configured to enable HTTPS.<\/p>\n\n\n\n<p>A site file dedicated to port 443 must be edited (or created). By default this one exists: \/etc\/apache2\/sites-available\/<strong>default-ssl.conf<\/strong>. We will use it, with the following content:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;IfModule mod_ssl.c&gt;\n        &lt;VirtualHost _default_:443&gt;\n                ServerAdmin webmaster@localhost\n\n                DocumentRoot \/var\/www\/html\n<strong>                &lt;Directory \/var\/www\/html\/&gt;\n                        Options Indexes FollowSymLinks\n                        AllowOverride None\n                        Require all granted\n                &lt;\/Directory&gt;<\/strong>\n\n                ErrorLog ${APACHE_LOG_DIR}\/error.log\n                CustomLog ${APACHE_LOG_DIR}\/access.log combined\n\n<strong><span class=\"has-inline-color has-vivid-purple-color\">                SSLEngine on\n                SSLCertificateFile      \/etc\/ssl\/certs\/server.crt\n                SSLCertificateKeyFile \/etc\/ssl\/private\/server.key<\/span><\/strong>\n\n                &lt;FilesMatch \"\\.(cgi|shtml|phtml|php)$\"&gt;\n                                SSLOptions +StdEnvVars\n                &lt;\/FilesMatch&gt;\n                &lt;Directory \/usr\/lib\/cgi-bin&gt;\n                                SSLOptions +StdEnvVars\n                &lt;\/Directory&gt;\n        &lt;\/VirtualHost&gt;\n&lt;\/IfModule&gt;<\/code><\/pre>\n\n\n\n<p>The directives in colour enable SSL and give the location of the private key and of the self-signed certificate.<\/p>\n\n\n\n<p>Then enable this site:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd \/etc\/apache2\/sites-available\/\na2ensite default-ssl.conf<\/code><\/pre>\n\n\n\n<p>This creates a link in the sites-enabled directory pointing to the selected .conf file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>\/etc\/apache2\/sites-enabled<\/strong>$ ls -als\ntotal 8\n 4 drwxr-xr-x 2 root root 4096 mars  20 10:44 <strong>.<\/strong>\n 4 drwxr-xr-x 8 root root 4096 oct.  
17 18:08 <strong>..<\/strong>\n 0 lrwxrwxrwx 1 root root   35 oct.  17 15:49 <strong>000-default.conf<\/strong> -&gt; ..\/sites-available\/000-default.conf\n 0 lrwxrwxrwx 1 root root   35 mars  20 10:44 <strong>default-ssl.conf<\/strong> -&gt; ..\/sites-available\/default-ssl.conf<\/pre>\n\n\n\n<p>Once that is done, restart the Apache service:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart apache2<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV2_Apache_redirection_automatique_http_vers_le_port_443\"><\/span>IV.2 Apache: automatic redirect from HTTP to port 443<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>In the file \/etc\/apache2\/sites-available\/000 add the following directive:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Redirect permanent \/ https:\/\/nom_serveur_ou_nom_dns\/<\/code><\/pre>\n\n\n\n<p>And remove the other directives that are not needed ...<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV3_Pour_aller_plus_loin\"><\/span>IV.3 Going further<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>At this point, Firefox reports that access to the site is not secure. That is expected, since no certificate authority proves that the server is who it claims to be. We get past it by accepting this kind of certificate locally. Once that is done, the encrypted connection is established. This method is fine for local development or testing, but of course not for production.<\/p>\n\n\n\n<p>So, to go further, you will need to look at how to create a fully valid certificate. There are paid and free certificate authorities for that, such as Let's Encrypt for example.<\/p>\n\n\n\n<p>Finally, Apache needs to be hardened a little more. There is an online tool that shows how to configure a service (Apache, NGINX, MySQL, etc.) for SSL communication. It must be consulted before any move to production. Link: <a href=\"https:\/\/ssl-config.mozilla.org\/\">https:\/\/ssl-config.mozilla.org\/<\/a><\/p>\n\n\n\n<p>And to finish, an example Dockerfile (provided the private key and the certificate have been created beforehand):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>##################################\n#  Dev image for php 8.0.3\n\n# Base image\nFROM php:8.0.3-apache\n\n# Who maintains it?\nLABEL maintainer=\"union31xh union31xh@gmail.com\"\n\n# Copy the private key and the certificate\nCOPY .\/server.crt \/etc\/ssl\/certs\/\nCOPY .\/server.key \/etc\/ssl\/private\/\n\n# Copy 000-default.conf: note that it redirects to port 4443 (to be mapped in docker-compose.yml)\nCOPY .\/000-default.conf \/etc\/apache2\/sites-available\/000-default.conf\n# Copy default-ssl.conf\nCOPY .\/default-ssl.conf \/etc\/apache2\/sites-available\/default-ssl.conf\n\n# Enable the SSL site configuration\nRUN ln -s \/etc\/apache2\/sites-available\/default-ssl.conf \/etc\/apache2\/sites-enabled\/default-ssl.conf\n\n# Enable the SSL module in Apache\nRUN a2enmod ssl\n\n# Install a few tools for working inside the container if needed\nRUN apt-get update &amp;&amp; apt-get install -y vim tree &amp;&amp; rm -rf \/var\/lib\/apt\/lists\/*\n\n# Add the mysqli extension, which is not present by default\nRUN docker-php-ext-install mysqli\n\n# Start Apache\nCMD [\"apache2-foreground\"]\n\n# Expose the Apache server ports\nEXPOSE 80\nEXPOSE 443\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>I Introduction The goal is to show the main first steps needed to set up HTTPS communication with an Apache server. Prerequisites: Apache already installed II SSL module for Apache Before setting up secure<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-2293","post","type-post","status-publish","format-standard","hentry","category-_systeme"],"_links":{"self":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/2293","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2293"}],"version-history":[{"count":44,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/2293\/revisions"}],"predecessor-version":[{"id":2369,"href":"https:
\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/2293\/revisions\/2369"}],"wp:attachment":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2293"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}