OpenSSL + Apache + Tomcat Connector
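# ======================
# Download Files
# ======================
# Build notes / cheat sheet: OpenSSL 1.0.2o + Apache httpd 2.4.33 (with bundled
# APR/APR-util and PCRE) + mod_jk 1.2.43, all installed under /usr/local.
# Everything below is run in order; "make install" steps and the symlinks into
# /usr/local and /usr/bin need write access to those locations.
cd ~
# NOTE(review): several of these URLs are plain HTTP mirrors and nothing here
# verifies the downloads. Check each tarball against the signature or checksum
# published by the respective project before extracting it.
curl -O https://www.openssl.org/source/openssl-1.0.2o.tar.gz
curl -O http://ftp.cuhk.edu.hk/pub/packages/apache.org/httpd/httpd-2.4.33.tar.gz
curl -O http://apache.website-solution.net/apr/apr-1.6.3.tar.gz
curl -O http://apache.website-solution.net/apr/apr-util-1.6.1.tar.gz
curl -O https://jaist.dl.sourceforge.net/project/pcre/pcre/8.42/pcre-8.42.tar.gz
curl -O http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/tomcat-connectors-1.2.43-src.tar.gz
# ======================
# Unzip Files
# ======================
tar -xvzf openssl-1.0.2o.tar.gz
tar -xvzf httpd-2.4.33.tar.gz
tar -xvzf apr-1.6.3.tar.gz
tar -xvzf apr-util-1.6.1.tar.gz
tar -xvzf pcre-8.42.tar.gz
tar -xvzf tomcat-connectors-1.2.43-src.tar.gz
# ======================
# Install OpenSSL
# ======================
cd ~
cd openssl-1.0.2o
# Versioned prefix; /usr/local/ssl below is a symlink to it so httpd's
# --with-ssl can point at a stable path.
./config --prefix=/usr/local/openssl-1.0.2o
make
make test
make install
ln -s /usr/local/openssl-1.0.2o /usr/local/ssl
# Makes the freshly built openssl the default "openssl" on PATH. ln -s fails if
# /usr/bin/openssl already exists (distro package); this also shadows the
# distro-managed binary, so it stops receiving package updates.
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
# ======================
# Check OpenSSL Version
# ======================
openssl version
openssl ciphers -v
# ======================
# Install PCRE
# ======================
cd ~
cd pcre-8.42
./configure --prefix=/usr/local/pcre-8.42
make && make install
ln -s /usr/local/pcre-8.42 /usr/local/pcre
# ======================
# Install Apache
# ======================
cd ~
# httpd's --with-included-apr expects the APR sources at srclib/apr and
# srclib/apr-util; move the extracted trees there and add unversioned links.
mv ~/apr-1.6.3 ~/httpd-2.4.33/srclib/
mv ~/apr-util-1.6.1 ~/httpd-2.4.33/srclib/
ln -s ~/httpd-2.4.33/srclib/apr-1.6.3 ~/httpd-2.4.33/srclib/apr
ln -s ~/httpd-2.4.33/srclib/apr-util-1.6.1 ~/httpd-2.4.33/srclib/apr-util
cd httpd-2.4.33
# --with-ssl uses the OpenSSL built above (via the /usr/local/ssl symlink);
# --enable-so is required so mod_jk can be loaded as a DSO later.
./configure --prefix=/usr/local/httpd-2.4.33 --enable-ssl --with-ssl=/usr/local/ssl --enable-so --with-included-apr --with-pcre=/usr/local/pcre
make && make install
cd /usr/local/httpd-2.4.33/
# /usr/local/httpd is the stable path used by all config and commands below.
ln -s /usr/local/httpd-2.4.33 /usr/local/httpd
# ======================
# Control Apache
# ======================
/usr/local/httpd/bin/apachectl -k start
/usr/local/httpd/bin/apachectl -k stop
/usr/local/httpd/bin/apachectl -k restart
# ======================
# Self-signed Cert
# ======================
cd ~
# -nodes writes the private key unencrypted; the -subj values (including
# CN=www.example.com) are placeholders to replace with the real host name.
openssl req -nodes -x509 -newkey rsa:4096 -keyout /usr/local/httpd/conf/server.key -out /usr/local/httpd/conf/server.crt -days 365 -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.example.com"
# The key is written with the default umask; restrict it so only the owner
# (the user httpd reads the key as at startup) can read it.
chmod 600 /usr/local/httpd/conf/server.key
# ======================
# Install Mod_jk
# ======================
cd ~
cd tomcat-connectors-1.2.43-src/native
# apxs from the httpd built above builds and installs mod_jk.so into
# /usr/local/httpd/modules.
./configure --with-apxs=/usr/local/httpd/bin/apxs
make && make install
# ======================
# httpd.conf
# ======================
# Lines between the dashed rules are config-file content to add with the
# editor, not shell commands.
cd ~
vi /usr/local/httpd/conf/httpd.conf
-----------------------
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/jk.conf
Include conf/extra/httpd-ssl.conf
-----------------------
# ======================
# jk.conf
# ======================
cd ~
vi /usr/local/httpd/conf/extra/jk.conf
-----------------------
LoadModule jk_module /usr/local/httpd/modules/mod_jk.so
JkWorkersFile /usr/local/httpd/conf/workers.properties
# NOTE(review): /var/log/httpd is not created anywhere in these notes; it must
# exist and be writable by the httpd user before start, or mod_jk fails to load.
JkShmFile /var/log/httpd/mod_jk.shm
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# /jkstatus is the mod_jk status worker; as mounted here it is reachable by any
# client. Restrict it, e.g. with a <Location "/jkstatus"> block using
# "Require ip <admin-network>", before exposing the server.
JkMount /jkstatus/* jkstatus
JkMount /app/* loadbalancer
-----------------------
# ======================
# workers.properties
# ======================
cd ~
vi /usr/local/httpd/conf/workers.properties
-----------------------
# Two AJP13 backends on localhost behind one load-balancer worker, plus the
# status worker referenced by the JkMount lines above.
worker.list=loadbalancer,jkstatus
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=worker1,worker2
worker.jkstatus.type=status
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
worker.worker2.type=ajp13
worker.worker2.host=127.0.0.1
worker.worker2.port=9009
-----------------------
# ======================
# httpd-ssl.conf
# ======================
cd ~
# Fixed: this section edits the SSL vhost file included from httpd.conf
# (conf/extra/httpd-ssl.conf), not jk.conf as the original notes had it.
vi /usr/local/httpd/conf/extra/httpd-ssl.conf
-----------------------
# TLS 1.2 only. NOTE(review): no SSLCipherSuite / SSLHonorCipherOrder is set
# here, so the cipher list is whatever the stock httpd-ssl.conf provides.
SSLProtocol -all +TLSv1.2
# Same files the "Self-signed Cert" step wrote, addressed via the versioned
# path rather than the /usr/local/httpd symlink.
SSLCertificateKeyFile "/usr/local/httpd-2.4.33/conf/server.key"
SSLCertificateFile "/usr/local/httpd-2.4.33/conf/server.crt"
# JkMount directives in the main server context do not apply inside the SSL
# <VirtualHost>, so they are repeated here.
JkMount /jkstatus/* jkstatus
JkMount /app/* loadbalancer
-----------------------
# ======================
# Check TLS 1.2
# ======================
# Local handshake test; should succeed, and the same command with an older
# protocol flag should be refused after the SSLProtocol change above.
openssl s_client -connect 127.0.0.1:443 -tls1_2
# ======================
# Display Cert Content
# ======================
openssl x509 -in /usr/local/httpd/conf/server.crt -text
# ======================
# Check Ciphers Support
# ======================
# Enumerates the cipher suites the listener offers; 100.66.201.107 is
# presumably this host's own address - confirm before running.
nmap --script ssl-enum-ciphers -p 443 100.66.201.107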