I. HTTPS overview
HTTPS (Hypertext Transfer Protocol Secure; originally "HTTP over Secure Socket Layer") is HTTP run over an encrypted, authenticated channel: put simply, the secure version of HTTP. An SSL/TLS layer is inserted between HTTP and TCP, so the security of HTTPS rests entirely on that layer and the details of the encryption are those of SSL/TLS, not of HTTP itself. It is a URI scheme whose syntax is the same as http:; an https: URL means HTTP is being used, but with a different default port and with the encryption/authentication layer in between HTTP and TCP. The scheme was originally developed by Netscape to provide server authentication and encrypted communication, and it is now used for almost all security-sensitive traffic on the Web, such as payments and logins.
Concretely, HTTPS uses Netscape's Secure Sockets Layer (SSL), today its IETF successor TLS, as a sublayer under the HTTP application layer, and talks to TCP/IP on port 443 rather than port 80. Netscape's original export-grade implementation used 40-bit RC4; that is not adequate for anything today: SSL 2.0 and 3.0 are deprecated (RFC 6176, RFC 7568), RC4 is prohibited in TLS (RFC 7465), and current deployments use TLS 1.2 or 1.3 with AES or ChaCha20. HTTPS and SSL/TLS use X.509 digital certificates, so a client can confirm who the server is. Its purpose therefore splits into two parts: establishing a confidential channel so that data in transit cannot be read or tampered with, and verifying that the web site is the one it claims to be.
II. Worked example
Install an HTTPS service on a Linux host and set up both user authentication and encrypted access. The configuration steps are as follows.
1. Authentication
Edit /etc/httpd/conf/httpd.conf. In the <Directory "/var/www/html"> block the only change needed is AllowOverride, so that directives in a .htaccess file are honoured (the stock value is None). The original run set it to all; AuthConfig alone would cover the authentication directives used below and grants less. Note also that Options Indexes turns on directory listings for /var/www/html, so drop Indexes if listings are not wanted.
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
<Directory "/var/www/html">

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
#    Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
     Options Indexes FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#    Options FileInfo AuthConfig Limit
#
     AllowOverride all

#
# Controls who can get stuff from this server.
#
     Order allow,deny
     Allow from all

</Directory>
 
Go into the site's document root and create a .htaccess file that makes visitors authenticate. Apache directive names are case-insensitive, so the all-lower-case spelling in the original run works as well. The password file is kept in /var/www, one level above the document root, so it can never be served to a client.
[root@localhost html]# cd /var/www/html/
[root@localhost html]# vim .htaccess
AuthUserFile    /var/www/.htpasswd
AuthType        Basic
AuthName        "please input your name and password"
Require         valid-user
Generate the httpd password file. -c creates the file; leave it off when adding further users, otherwise the existing file is overwritten.
[root@localhost www]# htpasswd -c .htpasswd user1
New password:
Re-type new password:
Adding password for user user1
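Added example, not from the original tutorial: the same password file built and checked without the htpasswd tool, using openssl's apr1 implementation (the MD5-based scheme htpasswd writes by default), so that the format of .htpasswd is visible, together with the Authorization header a browser sends after the 401 challenge. The user name user1 is the one above; the password "s3cret", the temporary file path and the helper names htpasswd_entry, htpasswd_verify and basic_auth_header are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Builds and checks an htpasswd-style
# file with openssl instead of the htpasswd tool, and shows the Basic auth header.
# Constructed for the example: user "user1" (as on the page), password "s3cret".
set -u

# One htpasswd line, "user:$apr1$salt$hash", the MD5-based format htpasswd
# writes by default. apr1 salts are at most 8 characters; 4 random bytes as hex.
htpasswd_entry() {
    user=$1; pw=$2
    salt=$(openssl rand -hex 4)
    hash=$(printf '%s\n' "$pw" | openssl passwd -apr1 -salt "$salt" -stdin)
    printf '%s:%s\n' "$user" "$hash"
}

# Check user/password against the file: look up the stored field, recompute apr1
# with the stored salt, compare. 0 = match, 1 = unknown user, other scheme or
# wrong password. Only apr1 is handled; anything else is refused, not guessed.
htpasswd_verify() {
    file=$1; user=$2; pw=$3
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")
    [ -n "$stored" ] || return 1
    case $stored in
        '$apr1$'*) ;;
        *) return 1 ;;
    esac
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    calc=$(printf '%s\n' "$pw" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$calc" = "$stored" ]
}

# What the browser sends back after a 401 challenge: base64(user:password).
# This is encoding, not encryption, which is why Basic auth needs TLS underneath.
basic_auth_header() {
    printf 'Authorization: Basic %s\n' "$(printf '%s:%s' "$1" "$2" | base64)"
}

# Stand-alone run: one user in a temporary file, right password accepted,
# wrong one rejected, then the header a client would send. Call: demo
demo() {
    f=${TMPDIR:-/tmp}/htpasswd.example.$$
    htpasswd_entry user1 s3cret > "$f"
    htpasswd_verify "$f" user1 s3cret && echo "user1 / s3cret: accepted"
    htpasswd_verify "$f" user1 wrong || echo "user1 / wrong: rejected"
    basic_auth_header user1 s3cret
    rm -f "$f"
}
```

Basic auth only base64-encodes user:password, so on plain HTTP the credentials are readable by anyone on the path; that is the reason the second half of this page exists. On httpd 2.4, prefer htpasswd -B (bcrypt) over the apr1 default for new files; the checker above deliberately refuses any scheme it does not know rather than guessing.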
 
Encrypted access over HTTPS
Edit /etc/pki/tls/openssl.cnf. Three parts matter: [ CA_default ] fixes where the CA lives; [ policy_match ] is relaxed from the stock "match" to optional so that the server certificate's country, province and organisation need not equal the CA's own; and the [ req_distinguished_name ] defaults save typing at the prompts.
[root@localhost ~]# cd /etc/pki/
[root@localhost pki]# vim tls/openssl.cnf
[ CA_default ]

dir              = /etc/pki/CA           # Where everything is kept
certs            = $dir/certs            # Where the issued certs are kept
crl_dir          = $dir/crl              # Where the issued crl are kept
database         = $dir/index.txt        # database index file.
#unique_subject = no                     # Set to 'no' to allow creation of
                                         # several ctificates with same subject.
new_certs_dir    = $dir/newcerts         # default place for new certs.

certificate      = $dir/cacert.pem       # The CA certificate
serial           = $dir/serial           # The current serial number
crlnumber        = $dir/crlnumber        # the current crl number
                                         # must be commented out to leave a V1 CRL
crl              = $dir/crl.pem          # The current CRL
private_key      = $dir/private/cakey.pem # The private key
RANDFILE         = $dir/private/.rand    # private random number file

x509_extensions = usr_cert               # The extentions t

[ policy_match ]
countryName              = optional
stateOrProvinceName      = optional
organizationName         = optional
organizationalUnitName   = optional
commonName               = supplied
emailAddress             = optional

[ req_distinguished_name ]
countryName                      = Country Name (2 letter code)
countryName_default              = CN
countryName_min                  = 2
countryName_max                  = 2

stateOrProvinceName              = State or Province Name (full name)
stateOrProvinceName_default      = BEIJING

localityName                     = Locality Name (eg, city)
localityName_default             = BEIJING
 
Create the directories and files the CA needs (they match the paths in [ CA_default ])
[root@localhost pki]# cd CA/
[root@localhost CA]# pwd
/etc/pki/CA
[root@localhost CA]# mkdir crl certs newcerts
[root@localhost CA]# touch index.txt serial
[root@localhost CA]# ll
total 20
drwxr-xr-x 2 root root 4096 07-24 23:58 certs
drwxr-xr-x 2 root root 4096 07-24 23:58 crl
-rw-r--r-- 1 root root     0 07-24 23:58 index.txt
drwxr-xr-x 2 root root 4096 07-24 23:58 newcerts
drwx------ 2 root root 4096 2009-06-30 private
-rw-r--r-- 1 root root     0 07-24 23:58 serial
Set the initial serial number
[root@localhost CA]# echo "01">serial
Generate the CA private key
[root@localhost CA]# openssl genrsa 2048 >private/cakey.pem
Generating RSA private key, 2048 bit long modulus
..................+++
.................+++
e is 65537 (0x10001)
Restrict permissions on the CA private key. Because genrsa's output was redirected by the shell, the file was created with the umask default 644 and was readable by every user on the host until this step.
[root@localhost CA]# ll private/
total 4
-rw-r--r-- 1 root root 1675 07-25 00:03 cakey.pem
[root@localhost CA]# chmod 600 private/*
[root@localhost CA]# ll private/
total 4
-rw------- 1 root root 1675 07-25 00:03 cakey.pem
Generate the self-signed CA certificate, valid for ten years; the CA's Common Name is rootca.net.net
[root@localhost CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:seccenter
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:rootca.net.net
Email Address []:
 
2. Web server configuration
Keep the server's private key and certificate together in a directory of their own
[root@localhost CA]# mkdir -pv /etc/httpd/certs
mkdir: created directory '/etc/httpd/certs'
[root@localhost CA]# cd /etc/httpd/certs
Generate the server private key. The original run used 1024 bits; use 2048 or more today, since 1024-bit RSA has been deprecated by NIST since 2013 and public CAs no longer issue certificates for such keys.
[root@localhost certs]# openssl genrsa 1024 >httpd.key
Generating RSA private key, 1024 bit long modulus
.....++++++
.................................++++++
e is 65537 (0x10001)
Create the certificate signing request (CSR). The Common Name must be the host name clients will use, here www.zzdx.com.
[root@localhost certs]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:henan
Locality Name (eg, city) [BEIJING]:zhengzhou
Organization Name (eg, company) [My Company Ltd]:zzdx
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:www.zzdx.com
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 
Have the CA sign the request (the original labels this step "apply for a certificate"). openssl ca reads the CA paths from /etc/pki/tls/openssl.cnf, so it is run as root with that file configured as above; it records the issued certificate in index.txt and newcerts/ and increments serial.
[root@localhost certs]# openssl ca -in httpd.csr -out httpd.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 24 16:42:40 2012 GMT
            Not After : Jul 24 16:42:40 2013 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = henan
            organizationName          = zzdx
            organizationalUnitName    = tec
            commonName                = www.zzdx.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                53:79:77:FA:3F:50:90:4B:49:BA:30:70:E0:05:9A:D7:F2:0B:A4:22
            X509v3 Authority Key Identifier:
                keyid:35:C3:85:19:22:F8:33:5B:40:07:1A:5C:BA:34:9C:3A:2C:90:A6:10

Certificate is to be certified until Jul 24 16:42:40 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Notice that the Subject has no localityName even though "zhengzhou" was entered in the CSR: openssl ca drops every DN component that is not listed in the active policy section, and the stock [ policy_match ] has no localityName entry. Add "localityName = optional" there if the city should be kept. The certificate is valid for 365 days, the default_days value in [ CA_default ].
Restrict permissions. The private key is what matters; the certificate and CSR are public data, but mode 600 on them does no harm.
[root@localhost certs]# chmod 600 *
[root@localhost certs]# ll
total 12
-rw------- 1 root root 3697 07-25 00:43 httpd.cert
-rw------- 1 root root 647 07-25 00:42 httpd.csr
-rw------- 1 root root 887 07-25 00:27 httpd.key
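Added example, not part of the original tutorial: the whole CA and server-certificate procedure above as one non-interactive script, so it can be rerun exactly and reviewed. It differs from the run above in the ways a practitioner would want today: 2048-bit keys for both CA and server, SHA-256 signatures, a DN policy that keeps the locality, and a subjectAltName on the server certificate, which current browsers require. It writes under the directory passed as its argument instead of /etc/pki/CA and /etc/httpd/certs. The host names rootca.net.net and www.zzdx.com are the ones used on this page; the section names in the generated configuration and the helper names make_pki and check_pki are this example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: private CA + server certificate,
# non-interactive, under the directory given as $1 (assumed; not /etc/pki/CA).
set -eu

make_pki() {
    root=$1
    ca=$root/CA
    mkdir -p "$ca/private" "$ca/newcerts" "$root/certs"
    chmod 700 "$ca/private"
    : > "$ca/index.txt"                 # empty CA database, as "touch index.txt" above
    echo 01 > "$ca/serial"              # first serial number, as on the page

    # Replacement for the openssl.cnf edits: one CA section, a policy that keeps L=
    # (the stock policy_match silently drops DN fields it does not list), the CA's
    # own DN/extensions for "req -x509", and the extensions a TLS server cert needs.
    cat > "$ca/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
policy           = policy_any
x509_extensions  = server_cert
unique_subject   = no

[ policy_any ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional

[ req ]
distinguished_name = ca_dn
prompt = no

[ ca_dn ]
CN = rootca.net.net

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.zzdx.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

    # CA key (2048 bits) and self-signed CA certificate, ten years as on the page.
    openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$ca/private/cakey.pem"
    openssl req -new -x509 -key "$ca/private/cakey.pem" -days 3650 \
        -config "$ca/ca.cnf" -extensions v3_ca -out "$ca/cacert.pem"

    # Server key (2048 bits, not 1024) and CSR with the DN entered interactively above.
    cat > "$root/certs/httpd.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
C  = CN
ST = henan
L  = zhengzhou
O  = zzdx
OU = tec
CN = www.zzdx.com
EOF
    openssl genrsa -out "$root/certs/httpd.key" 2048 2>/dev/null
    chmod 600 "$root/certs/httpd.key"
    openssl req -new -key "$root/certs/httpd.key" -config "$root/certs/httpd.cnf" \
        -out "$root/certs/httpd.csr"

    # Issue with "openssl ca" as the page does; -batch answers the two y/n prompts,
    # -notext keeps the output file PEM-only.
    openssl ca -batch -notext -config "$ca/ca.cnf" \
        -in "$root/certs/httpd.csr" -out "$root/certs/httpd.cert" 2>/dev/null
    chmod 600 "$root/certs/httpd.cert"
}

# Returns 0 only if the server certificate chains to the CA and its SAN names the
# host; this is also the check to run after a manual issuance.
check_pki() {
    root=$1
    openssl verify -CAfile "$root/CA/cacert.pem" "$root/certs/httpd.cert" >/dev/null &&
    openssl x509 -in "$root/certs/httpd.cert" -noout -text | grep -q 'DNS:www.zzdx.com'
}
```

Run it as make_pki /tmp/pki && check_pki /tmp/pki. The files map onto the page's paths as CA/cacert.pem for /etc/pki/CA/cacert.pem and certs/httpd.key, certs/httpd.cert for /etc/httpd/certs/. openssl verify proves the chain, and the grep confirms the name the browser will actually match; a certificate that has only a CN, like the one issued interactively above, passes the first check but fails the second.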
 
Install the mod_ssl module (here from the Server directory of the installation CD)
[root@localhost Server]# mount /dev/cdrom /mnt/cdrom
[root@localhost Server]# yum install mod_ssl-2.2.3-31.el5.i386.rpm
Edit ssl.conf in /etc/httpd/conf.d/ (installed by mod_ssl) and point SSLCertificateFile and SSLCertificateKeyFile at the files created above
[root@localhost Server]# cd /etc/httpd/conf.d/
[root@localhost conf.d]# vim ssl.conf

SSLCertificateFile /etc/httpd/certs/httpd.cert

#    Server Private Key:
#    If the key is not combined with the certificate, use this
#    directive to point at the key file. Keep in mind that if
#    you've both a RSA and a DSA private key you can configure
#    both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/certs/httpd.key
Check the configuration for syntax errors
[root@localhost conf.d]# service httpd configtest
Syntax OK
Restart the service
[root@localhost conf.d]# service httpd restart
Stopping httpd:                                             [  OK  ]
Starting httpd:                                             [  OK  ]
Check the listening ports: httpd should now be on both 80 and 443
[root@localhost conf.d]# netstat -tupln |grep http
tcp        0      0 :::80                       :::*                        LISTEN      5250/httpd
tcp        0      0 :::443                      :::*
 
Test:
Plain-text access over http:// (browser screenshots not reproduced here)
Access succeeds!
Now test encrypted access.

First edit ssl.conf to set the CA certificate chain path, then reload httpd:
[root@localhost conf.d]# vim ssl.conf
SSLCertificateChainFile /etc/pki/CA/cacert.pem
SSLCertificateChainFile is meant for intermediate CA certificates; sending the self-signed root is harmless but does not make clients trust it. Trust comes only from the client's root store, which is why the next step imports cacert.pem in the browser.

Open the browser, view the certificate and install (import) it as a trusted root (screenshots not reproduced here).

Visit the site again (screenshots not reproduced here).

Edit the hosts file so that www.zzdx.com, the Common Name in the certificate, resolves to the server, and visit the site again (screenshots not reproduced here). Current browsers match the host name against subjectAltName rather than the Common Name, so a certificate issued with only a CN will still be flagged by them unless a SAN is added.

Close port 80; the result is as follows (screenshots not reproduced here). Rather than closing port 80 outright, the usual practice is to keep it listening and redirect to https://www.zzdx.com/, for example with a Redirect permanent in the port-80 virtual host, so that users who type the plain URL still end up on TLS.

Test succeeded!