Deploying an HTTPS site (Apache server)
Before starting the lab, let's think about why we deploy an HTTPS site at all. The previous post covered deploying an HTTP site, so why not simply keep using HTTP instead of deploying HTTPS as well?
Let's first recall what HTTP and HTTPS are.
- HTTP (HyperText Transfer Protocol)
It sits at the application layer of the TCP/IP model. When we open an HTML page in the browser, the browser sends a request to the web server; the server receives the request data, finds the target HTML and transfers it to the browser, and once the browser processes the response it renders the page we wanted. This method of passing information between a web browser and a web server is HTTP.
HTTP uses port 80 by default, and site addresses begin with http://.
But HTTP sends its content in plaintext, with no encryption of the data at all, which is why the browser sometimes warns us not to enter personal information or passwords when we visit an insecure site.
HTTP establishes its connection with the TCP three-way handshake.
(Figure: TCP three-way handshake)
- HTTPS (HyperText Transfer Protocol Secure)
As the name suggests, the essential difference from HTTP is security.
We can split HTTPS apart as HTTP + SSL. That is, HTTPS still communicates over HTTP, but uses SSL/TLS to encrypt the packets.
HTTPS uses port 443 by default, and site addresses begin with https://. We also see a small padlock.
Using HTTPS requires applying to a CA (Certificate Authority) for a certificate, which requires a certain fee (look up the details yourself).
Besides the TCP three-way handshake, HTTPS adds the 9 packets needed by the SSL four-way handshake, 12 packets in total.
- Summary
From the above we know that HTTPS is HTTP using the SSL protocol to encrypt the HTTP traffic. SSL provides a lock; we put that lock on the HTTP traffic to be transmitted, and the result is the HTTPS protocol. To use the SSL lock, the server needs a key: the certificate.
- Certificates
1. Build your own certificate.
2. Buy a domain (domain registration guide, Alibaba Cloud domain registration portal) and apply for a free certificate through the Alibaba Cloud free certificate portal. (This post uses this method.)
Remember to complete real-name verification; once the certificate is issued, download it to your local machine.
With all of that done, we start deploying the server.
- Lab environment
CentOS 7, firewall and SELinux disabled
- Install the Apache environment dependencies
[root@qmfz ~]# yum -y install mod_ssl openssl httpd
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.163.com
base | 3.6 kB 00:00
extras | 2.9 kB 00:00
updates | 2.9 kB 00:00
软件包 1:mod_ssl-2.4.6-97.el7.centos.x86_64 已安装并且是最新版本
软件包 1:openssl-1.0.2k-19.el7.x86_64 已安装并且是最新版本
软件包 httpd-2.4.6-97.el7.centos.x86_64 已安装并且是最新版本
无须任何处理
- Use mkdir to create the directory ca under /etc/httpd to hold the CA certificate
[root@qmfz ~]# cd /etc/httpd
[root@qmfz httpd]# ll
总用量 0
drwxr-xr-x. 2 root root 177 11月 28 21:11 ca
drwxr-xr-x. 2 root root 37 11月 28 21:15 conf
drwxr-xr-x. 2 root root 98 11月 28 21:30 conf.d
drwxr-xr-x. 2 root root 165 11月 28 18:10 conf.modules.d
lrwxrwxrwx. 1 root root 19 11月 26 19:27 logs -> ../../var/log/httpd
lrwxrwxrwx. 1 root root 29 11月 26 19:27 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx. 1 root root 10 11月 26 19:27 run -> /run/httpd
- Copy the certificate we just downloaded into the newly created ca directory
(you can pull it over directly with a remote-access tool)
[root@qmfz httpd]# cd ca
[root@qmfz ca]# ll
总用量 32
-rw-r--r--. 1 root root 2032 11月 28 21:11 2_api.biuayi.cn.crt
-rw-r--r--. 1 root root 1700 11月 28 21:11 3_api.biuayi.cn.key
-rw-r--r--. 1 root root 2098 11月 28 20:29 ca.crt
-rw-r--r--. 1 root root 3272 11月 28 20:29 ca.key
-rw-r--r--. 1 root root 17 11月 28 20:33 ca.srl
-rw-r--r--. 1 root root 1980 11月 28 20:33 chenshuyi.top.crt
-rw-r--r--. 1 root root 1797 11月 28 20:32 chenshuyi.top.csr
-rw-r--r--. 1 root root 3272 11月 28 20:32 chenshuyi.top.key
- Use cp to copy the certificate and key into the default directories
[root@qmfz httpd]# cp 2_api.biuayi.cn.crt /etc/pki/tls/certs/
[root@qmfz httpd]# cp 3_api.biuayi.cn.key /etc/pki/tls/private/
- Edit the SSL configuration file
(pay attention to the lines without a leading #; those are the active directives)
[root@qmfz httpd]# vim /etc/httpd/conf.d/ssl.conf
#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
# 443 is the default HTTPS port. Apache does not accept a comment after a
# directive on the same line, so the annotations below are on their own lines.
Listen 443 https

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
# Path of the site files
DocumentRoot "/var/www/html"
# The domain the certificate is bound to
ServerName api.biuayi.cn:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
# This must be on
SSLEngine on

# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy - if the server's key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
# Keep the next two lines commented out: a second SSLCipherSuite would
# override the one above and prefer RC4, losing forward secrecy as the
# caveat explains.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
# Path of the certificate downloaded earlier
SSLCertificateFile /etc/pki/tls/certs/2_api.biuayi.cn.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# Path of the key file downloaded earlier
SSLCertificateKeyFile /etc/pki/tls/private/3_api.biuayi.cn.key

# Server Certificate Chain:
- Restart the httpd service
[root@qmfz httpd]#systemctl restart httpd
Then visit the domain we just configured in the browser on the local machine.
If you see a padlock in the address bar, the deployment succeeded.
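As an added example (not part of the original post), a small POSIX shell script to run on the server before the restart: it checks that the key belongs to the certificate, that the certificate is not about to expire, that it covers the ServerName, and that the key file is not world-readable (the `ll` listing above shows the key as -rw-r--r--). The paths and the domain api.biuayi.cn are the post's own; make_test_pair is an assumed, constructed stand-in for the downloaded files so the checks can run offline.

```shell
# Added example, not from the original post: checks to run on the server before
# `systemctl restart httpd`, so a bad certificate/key pair is caught before httpd
# refuses to start. The file names and domain are the post's; make_test_pair is a
# constructed stand-in for the downloaded certificate so the checks run offline.

# 1. The key must belong to the certificate: compare the two public keys.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
# 2. The certificate must stay valid for at least $2 seconds (default 30 days).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}
# 3. The ServerName must be in the SAN list, or browsers warn instead of showing a padlock.
cert_covers_host() {
    h=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:$h(,|[[:space:]]|\$)"
}
# 4. The key under /etc/pki/tls/private must not be world-readable
#    (the `ll` listing in the post shows the key as -rw-r--r--, which is too open).
key_not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "-" ]
}
# Runs all four checks and reports the first failure. On the server:
#   precheck /etc/pki/tls/certs/2_api.biuayi.cn.crt \
#            /etc/pki/tls/private/3_api.biuayi.cn.key api.biuayi.cn
precheck() {
    cert_key_match "$1" "$2"    || { echo "key does not match certificate"; return 1; }
    cert_not_expiring "$1"      || { echo "certificate expires within 30 days"; return 1; }
    cert_covers_host "$1" "$3"  || { echo "certificate does not cover $3"; return 1; }
    key_not_world_readable "$2" || { echo "key file is world-readable"; return 1; }
    echo "ok: $3"
}
# Constructed self-signed pair with a SAN for $1 (assumption: stands in for the
# CA-issued files); prints the temp directory holding c.pem and k.pem.
make_test_pair() {
    d=$(mktemp -d)
    printf '[req]\ndistinguished_name=req\n[v3]\nsubjectAltName=DNS:%s\n' "$1" > "$d/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$1" -config "$d/req.cnf" \
        -extensions v3 -keyout "$d/k.pem" -out "$d/c.pem" >/dev/null 2>&1
    chmod 600 "$d/k.pem"
    echo "$d"
}
```

If precheck prints anything other than "ok: api.biuayi.cn", fix the file it names before restarting httpd; a mismatched key is the usual reason httpd fails to come back up.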
Normally, though, the domain would not be found. Because the domain used in this lab has already been configured on the .cn DNS servers, the client can reach it directly; the difference is that the local computer cannot resolve a domain we made up ourselves.
So we need to make some changes on the local machine.
- Open C:\Windows\System32\drivers\etc, find the hosts file, and in a blank area add the VM's IP address followed by your domain.
- After editing, go back to the browser and refresh; you will see a padlock at the start of the address.
- If you used a self-built certificate, import it into the browser (chrome://settings/security), then go back and refresh.