HTTPS is a secure connection; HTTP is not.
With HTTPS an SSL certificate is present, so the browser treats the web server's page as secure.
CA: the authority that issues certificates, normally a well-known, trusted organization. The CA first vets the applicant's identity and security, then issues the certificate; once the server has the certificate it can serve HTTPS requests.
Applying for and issuing a certificate: the web server first generates a private key, then derives from it a certificate signing request (CSR; this post calls it the "signed public key"). The CSR is sent to the CA for signing, the CA returns the certificate, the web server installs the certificate file in its configuration, and HTTPS is ready.
The trusted certificate authorities can be viewed in the browser's settings; certificates can be bought from Alibaba Cloud, Tencent Cloud and others.
Here, though, I'll simulate it with a fake one.
Both the CA and the web servers are virtual machines.
Nginx first:
nginx: 172.16.12.97
CA: 172.16.12.96
nginx:
1. Install nginx
Installation guide: https://blog.csdn.net/n_u_l_l_/article/details/103205863
Installation is straightforward: configure, make, make install.
2. Generate the private key and the CSR.
[root@nginx-https ~]# openssl genrsa 1024 > web-nginx.key
The private key.
Generating RSA private key, 1024 bit long modulus
................++++++
...++++++
e is 65537 (0x10001)
[root@nginx-https ~]# openssl req -new -key web-nginx.key -days 365 -out web-nginx.csr
The CSR (the "signed public key" in this post's terms). Note that -days has no effect on a CSR; the CA sets the validity period when it signs.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                   // country
State or Province Name (full name) []:BJ                               // state or province
Locality Name (eg, city) [Default City]:BJ                             // city
Organization Name (eg, company) [Default Company Ltd]:nginx-https      // organization
Organizational Unit Name (eg, section) []:web                          // organizational unit
Common Name (eg, your name or your server's hostname) []:172.16.12.97  // domain name or IP of the server
Email Address []:nginx@163.com                                         // contact e-mail
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:          // left blank
An optional company name []:      // left blank; it's only a test environment...
3. Send the CSR to the CA for signing.
Some errors come up at this point; I won't demonstrate them and will just give the fix.
The errors in detail: https://blog.csdn.net/n_u_l_l_/article/details/103536588
nginx:
[root@nginx-https ~]# scp web-nginx.csr 172.16.12.96:/root
nginx sends the CSR to the CA.
CA:
[root@localhost ~]# openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem
Generate the CA's private key.
[root@localhost ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -days 3650 -x509 -out /etc/pki/CA/cacert.pem
Generate the self-signed CA certificate.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:nginx-https
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:172.16.12.96
Email Address []:ca@163.com
[root@localhost ~]# touch /etc/pki/CA/index.txt
Create the index file (the CA's database of issued certificates).
[root@localhost ~]# echo 01 > /etc/pki/CA/serial
Create the serial-number file.
[root@localhost ~]# openssl ca -in web-nginx.csr -out web-nginx.crt
Issue the certificate.
Certificate is to be certified until Dec 13 10:41:35 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Note: because this is a test environment using the default openssl.cnf, whose policy_match policy requires the country, state/province and organization of the request to equal those of the CA certificate, the CA's self-signed certificate and the nginx CSR must be filled in identically, otherwise openssl ca reports an error.
None of this is needed in production.
[root@localhost ~]# scp web-nginx.crt 172.16.12.97:/root
Send it back to nginx.
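The CA workflow just shown, scripted end to end as an added example (this is not the post's own code and not any product's CA setup): it builds a throwaway CA with its own openssl.cnf, generates the server key and CSR, signs the CSR with openssl ca, and then checks the result with openssl verify the way a client would. It deliberately differs from the post in three places: 2048-bit RSA with SHA-256 instead of 1024-bit keys, a policy_loose section so the CA and server DNs need not match (the stock policy_match is the reason the post says they must be written identically), and a subjectAltName carrying the server's IP, which browsers require because the Common Name alone is no longer matched. The function name demo_pki, the directory layout and the DN values are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: throwaway CA + server certificate
# with `openssl ca`, then client-style verification. Names and DN values are
# constructed for this demo.
set -u

demo_pki() {
    dir=$1                     # working directory, created if needed
    cn=${2:-172.16.12.97}      # server Common Name, as in the post
    ip=${3:-172.16.12.97}      # address clients connect to; goes into the SAN

    mkdir -p "$dir/newcerts"                          # openssl ca stores copies here
    touch "$dir/index.txt"                            # CA database, as in the post
    [ -s "$dir/serial" ] || echo 01 > "$dir/serial"   # first serial, as in the post

    # Self-contained config. policy_loose replaces the stock policy_match,
    # which insists that C, ST and O of the request equal the CA's own.
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign

[ ca ]
default_ca = demo_ca
[ demo_ca ]
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_loose
x509_extensions = v3_server
[ policy_loose ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ v3_server ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = IP:$ip
EOF

    # CA side: 2048-bit key and a ten-year self-signed root marked CA:TRUE.
    openssl req -config "$dir/openssl.cnf" -x509 -new -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -extensions v3_ca \
        -subj "/C=CN/ST=BJ/L=BJ/O=demo-CA/CN=demo-CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" || return 1

    # Server side: key and CSR. No -days here: a CSR has no validity period,
    # the CA's default_days decides it at signing time. ST differs from the
    # CA's on purpose; policy_loose allows that.
    openssl req -config "$dir/openssl.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=CN/ST=SH/L=SH/O=nginx-https/OU=web/CN=$cn" \
        -keyout "$dir/web-nginx.key" -out "$dir/web-nginx.csr" || return 1

    # CA side again: sign non-interactively (-batch answers the y/n prompts).
    # The SAN comes from v3_server, i.e. the CA decides what goes in the cert.
    openssl ca -config "$dir/openssl.cnf" -batch -notext \
        -in "$dir/web-nginx.csr" -out "$dir/web-nginx.crt" || return 1

    # Client-style check: chains to our root and the SAN matches the IP.
    openssl verify -CAfile "$dir/cacert.pem" -verify_ip "$ip" "$dir/web-nginx.crt"
}

# Run directly with a working directory, e.g.:  sh demo_pki.sh /tmp/pki-demo
if [ $# -gt 0 ]; then demo_pki "$1"; fi
```

After a run, web-nginx.crt and web-nginx.key in the working directory are what ssl_certificate and ssl_certificate_key point at, and cacert.pem is what a browser would need imported as a trusted root for the warning in the next step to disappear.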
4. Configure the SSL certificate in nginx
nginx:
[root@nginx-https ~]# ls
web-nginx.crt   // the signed certificate
web-nginx.csr   // the CSR; no longer needed once the certificate has been issued
web-nginx.key   // the private key
/usr/local/nginx/conf/nginx.conf
Everything else is unchanged from my earlier blog post; only this HTTPS block is added:
https://blog.csdn.net/n_u_l_l_/article/details/103205863
[root@nginx-https ~]# vim /usr/local/nginx/conf/nginx.conf
    # HTTPS server
    server {
        listen 443 ssl;
        server_name 172.16.12.97;
        ssl_certificate /etc/pki/tls/certs/web-nginx.crt;        # certificate file (copy web-nginx.crt here from /root)
        ssl_certificate_key /etc/pki/tls/private/web-nginx.key;  # private key file (copy web-nginx.key here)
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;          # cipher list: strong suites only, excluding anonymous (aNULL) and MD5-based ones
        ssl_prefer_server_ciphers on;          # prefer the server's cipher order over the client's
        ssl_protocols SSLv2 SSLv3 TLSv1;       # enabled protocol versions; all three are obsolete and refused by current browsers, so outside a lab use "TLSv1.2 TLSv1.3"
        location / {
            root html;
            index index.html index.htm;
        }
    }
Start (reload) the service:
[root@nginx-https ~]# /usr/local/nginx/sbin/nginx -s reload
[root@nginx-https ~]# netstat -antlup | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6594/nginx: master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 6594/nginx: master
HTTP is listening on port 80 and HTTPS on port 443.
Access check: first an HTTP request to port 80.
It loads normally.
Now HTTPS on port 443.
The browser blocks it straight away. No way around that: the CA is fake and not in the browser's list of trusted issuers mentioned above.
Even though the certificate is untrusted, it can still be inspected; what it shows is the information entered when generating the CA certificate and the nginx CSR.
Advanced -> Accept the risk.
Then the nginx test page appears.
It really is an HTTPS request, just not trusted...
Now Apache.
CA: 172.16.12.96
apache: 172.16.12.98
Same procedure as for nginx:
Apache:
1. Install Apache
[root@apache-https ~]# yum install httpd -y
2. Generate the private key and the CSR, and send the CSR to the CA:
[root@apache-https ~]# openssl genrsa 1024 > web-apache.key
Generating RSA private key, 1024 bit long modulus
...++++++
........................................++++++
e is 65537 (0x10001)
[root@apache-https ~]# openssl req -new -key web-apache.key -days 365 -out web-apache.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:apache-https
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:172.16.12.98
Email Address []:apache@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@apache-https ~]# ls
anaconda-ks.cfg original-ks.cfg web-apache.csr web-apache.key
[root@apache-https ~]# scp web-apache.csr 172.16.12.96:/root
Send the CSR to the CA.
3. The CA signs it
[root@localhost ~]# openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem
[root@localhost ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -days 3650 -x509 -out /etc/pki/CA/cacert.pem
[root@localhost ~]# touch /etc/pki/CA/index.txt
[root@localhost ~]# echo 01 > /etc/pki/CA/serial
[root@localhost ~]# openssl ca -in web-apache.csr -out web-apache.crt
[root@localhost ~]# scp web-apache.crt 172.16.12.98:/root
4. Configure SSL in Apache
Install the SSL module:
[root@apache-https ~]# yum install mod_ssl -y
[root@apache-https ~]# vim /etc/httpd/conf.d/ssl.conf
(line 100) SSLCertificateFile /etc/pki/tls/certs/web-apache.crt
(line 107) SSLCertificateKeyFile /etc/pki/tls/private/web-apache.key
Point the certificate and private key directives at your own files.
Start the service:
[root@apache-https ~]# systemctl restart httpd
[root@apache-https ~]# netstat -antlup | grep httpd
tcp6 0 0 :::80 :::* LISTEN 10564/httpd
tcp6 0 0 :::443 :::* LISTEN 10564/httpd
Again the default port 80 and the HTTPS port 443 are listening.
Still untrusted, and the certificate can still be inspected:
That's all.
A purchased certificate is far more convenient: buy it, download it, install it directly, and it is a genuinely usable certificate.
Attached: Alibaba Cloud's official documentation for installing an SSL certificate:
Tomcat 8.5/9 on CentOS: https://help.aliyun.com/document_detail/102939.html?spm=a2c4g.11186623.2.17.5040662a8q2EZX#concept-i2b-cdb-mgb