I. Introduction to HTTPS
HTTPS (full name: Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel designed with security as its goal; put simply, it is the secure version of HTTP, i.e. HTTP with an SSL layer added underneath. The security of HTTPS rests on SSL, so the details of the encryption are SSL's. It is a URI scheme (an abstract identifier scheme) whose syntax is the same as the http: scheme and is used for secure HTTP data transfer. An https: URL indicates that HTTP is used, but HTTPS has a default port different from HTTP's and an encryption/authentication layer (between HTTP and TCP). The system was originally developed by Netscape to provide authentication and encrypted communication; today it is widely used for security-sensitive communication on the World Wide Web, for example payment transactions.
In practice HTTPS uses Netscape's Secure Sockets Layer (SSL) as a sublayer beneath the HTTP application layer. (HTTPS talks to TCP/IP on port 443 instead of port 80 as HTTP does.) SSL uses a 40-bit key for the RC4 stream cipher, which is adequate for encrypting commercial information. HTTPS and SSL support X.509 digital certificates, so the user can confirm who the sender is when needed. In other words, its main functions fall into two kinds: one is to establish a secure channel that protects the data in transit; the other is to confirm the authenticity of the website.
II. Case study
Install an HTTPS service on a Linux host to provide authentication and encrypted access. The configuration steps are as follows.
1. Authentication
Edit the file /etc/httpd/conf/httpd.conf
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
<Directory "/var/www/html">

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important.  Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
    Options Indexes FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#
    AllowOverride all

#
# Controls who can get stuff from this server.
#
    Order allow,deny
    Allow from all

</Directory>
Go to the site's document root and edit the .htaccess file so that visitors must authenticate
[root@localhost html]# cd /var/www/html/
[root@localhost html]# vim .htaccess
authuserfile /var/www/.htpasswd
authtype basic
authname "please input your name and password"
require valid-user
Create the httpd account file
[root@localhost www]# htpasswd -c .htpasswd user1
New password:
Re-type new password:
Adding password for user user1
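A lint for the .htaccess and .htpasswd pair set up above, added here and not part of the original post: it checks that the AuthUserFile lies outside the DocumentRoot (as the post's /var/www/.htpasswd does relative to /var/www/html), that a Require directive is present, and that every entry is a hash rather than a plaintext password. It assumes Apache directive syntax; the sample files it builds are constructed for the demonstration.

```sh
# Added check, not from the original post: lint a .htaccess / .htpasswd pair set up the
# way the post does. Assumes Apache directive syntax; the sample files are constructed.
set -eu

# Args: DocumentRoot, path to .htaccess. Prints each problem; returns 1 if any.
check_basic_auth() {
  docroot=$1; htaccess=$2; rc=0
  # Apache directive names are case-insensitive, which the post's lowercase file relies on
  userfile=$(awk 'tolower($1)=="authuserfile"{print $2}' "$htaccess")
  [ -n "$userfile" ] || { echo "no AuthUserFile directive"; return 1; }
  grep -qi '^require[[:space:]][[:space:]]*valid-user' "$htaccess" \
    || { echo "no 'Require valid-user': nobody is asked to log in"; rc=1; }
  case "$userfile" in
    "$docroot"/*) echo "AuthUserFile $userfile is inside DocumentRoot; keep it outside, as the post does"; rc=1 ;;
  esac
  [ -r "$userfile" ] || { echo "AuthUserFile $userfile missing or unreadable"; return 1; }
  # htpasswd writes apr1-MD5 ($apr1$), bcrypt ($2y$), SHA-1 ({SHA}) or 13-char crypt(3);
  # anything else is a password stored as plaintext (htpasswd -p or a hand-edited line)
  while IFS=: read -r user hash; do
    case "$hash" in
      '$apr1$'*|'$2y$'*|'{SHA}'*) ;;
      *) [ ${#hash} -eq 13 ] || { echo "user $user: password stored unhashed"; rc=1; } ;;
    esac
  done < "$userfile"
  return $rc
}

# Constructed layout mirroring the post: docroot www/html, .htpasswd one level above it
make_sample() {
  d=$(mktemp -d); mkdir -p "$d/www/html"
  printf 'authuserfile %s/www/.htpasswd\nauthtype basic\nrequire valid-user\n' "$d" \
    > "$d/www/html/.htaccess"
  printf 'user1:$apr1$saltsalt$PLACEHOLDERhashNotReal0\n' > "$d/www/.htpasswd"  # fake hash
  echo "$d"
}
```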
Encrypted access over HTTPS
Edit the file /etc/pki/tls/openssl.cnf; the relevant sections are shown below
[root@localhost ~]# cd /etc/pki/
[root@localhost pki]# vim tls/openssl.cnf
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions t

[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = BEIJING

localityName                    = Locality Name (eg, city)
localityName_default            = BEIJING
Create the directories and files
[root@localhost pki]# cd CA/
[root@localhost CA]# pwd
/etc/pki/CA
[root@localhost CA]# mkdir crl certs newcerts
[root@localhost CA]# touch index.txt serial
[root@localhost CA]# ll
总计 20
drwxr-xr-x 2 root root 4096 07-24 23:58 certs
drwxr-xr-x 2 root root 4096 07-24 23:58 crl
-rw-r--r-- 1 root root    0 07-24 23:58 index.txt
drwxr-xr-x 2 root root 4096 07-24 23:58 newcerts
drwx------ 2 root root 4096 2009-06-30 private
-rw-r--r-- 1 root root    0 07-24 23:58 serial
Set the initial serial number
[root@localhost CA]# echo "01">serial
Generate the CA private key
[root@localhost CA]# openssl genrsa 2048 >private/cakey.pem
Generating RSA private key, 2048 bit long modulus
..................+++
.................+++
e is 65537 (0x10001)
Restrict the private key's permissions
[root@localhost CA]# ll private/
总计 4
-rw-r--r-- 1 root root 1675 07-25 00:03 cakey.pem
[root@localhost CA]# chmod 600 private/*
[root@localhost CA]# ll private/
总计 4
-rw------- 1 root root 1675 07-25 00:03 cakey.pem
Generate the CA certificate
[root@localhost CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:seccenter
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:rootca.net.net
Email Address []:
2. Web server configuration
Put the generated private key and certificate in one directory
[root@localhost CA]# mkdir -pv /etc/httpd/certs
mkdir: 已创建目录 “/etc/httpd/certs”
[root@localhost CA]# cd /etc/httpd/certs
Generate the server private key
[root@localhost certs]# openssl genrsa 1024 >httpd.key
Generating RSA private key, 1024 bit long modulus
.....++++++
.................................++++++
e is 65537 (0x10001)
Create the certificate request
[root@localhost certs]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:henan
Locality Name (eg, city) [BEIJING]:zhengz^H^[[3~
[root@localhost certs]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:henan
Locality Name (eg, city) [BEIJING]:zhengzhou
Organization Name (eg, company) [My Company Ltd]:zzdx
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:www.zzdx.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Issue the certificate (sign the request with the CA)
[root@localhost certs]# openssl ca -in httpd.csr -out httpd.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 24 16:42:40 2012 GMT
Not After : Jul 24 16:42:40 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
organizationName = zzdx
organizationalUnitName = tec
commonName = www.zzdx.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
53:79:77:FA:3F:50:90:4B:49:BA:30:70:E0:05:9A:D7:F2:0B:A4:22
X509v3 Authority Key Identifier:
keyid:35:C3:85:19:22:F8:33:5B:40:07:1A:5C:BA:34:9C:3A:2C:90:A6:10
Certificate is to be certified until Jul 24 16:42:40 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Restrict the permissions
[root@localhost certs]# chmod 600 *
[root@localhost certs]# ll
总计 12
-rw------- 1 root root 3697 07-25 00:43 httpd.cert
-rw------- 1 root root 647 07-25 00:42 httpd.csr
-rw------- 1 root root 887 07-25 00:27 httpd.key
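The CA steps above (directory layout, serial set to 01, policy_match relaxed to optional, openssl genrsa / req / ca), rebuilt non-interactively as an added example that is not part of the original post, followed by two checks the post never runs: that httpd.cert verifies against cacert.pem and that its public key really belongs to httpd.key. Everything runs in a scratch directory rather than /etc/pki; the subjects, the 2048-bit server key and the openssl CLI being installed are assumptions.

```sh
# Added example, not the post's own commands: the post's CA workflow rebuilt in a
# scratch directory with the openssl CLI, then checked. Paths/subjects are assumed.
set -eu
build_ca_and_sign() {
  work=$(mktemp -d); ca="$work/CA"
  mkdir -p "$ca/private" "$ca/certs" "$ca/crl" "$ca/newcerts"   # layout of /etc/pki/CA
  touch "$ca/index.txt"; echo 01 > "$ca/serial"
  # Stand-in for the post's openssl.cnf: policy "optional" as in the post, so ST=henan is accepted
  cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null
  chmod 600 "$ca/private/cakey.pem"                      # as in the post: root-only key
  openssl req -new -x509 -days 3650 -config "$work/openssl.cnf" -key "$ca/private/cakey.pem" \
    -subj "/C=CN/ST=BEIJING/O=seccenter/CN=rootca.net.net" -out "$ca/cacert.pem"
  openssl genrsa -out "$work/httpd.key" 2048 2>/dev/null  # post used 1024 bits: too weak now
  openssl req -new -config "$work/openssl.cnf" -key "$work/httpd.key" \
    -subj "/C=CN/ST=henan/L=zhengzhou/O=zzdx/CN=www.zzdx.com" -out "$work/httpd.csr"
  openssl ca -batch -config "$work/openssl.cnf" -in "$work/httpd.csr" -out "$work/httpd.cert" >/dev/null 2>&1
  echo "$work"
}
# Succeeds only if httpd.cert chains to cacert.pem and its public key is httpd.key's
verify_server_cert() {
  openssl verify -CAfile "$1/CA/cacert.pem" "$1/httpd.cert" >/dev/null &&
  [ "$(openssl x509 -noout -modulus -in "$1/httpd.cert")" = \
    "$(openssl rsa -noout -modulus -in "$1/httpd.key")" ]
}
```

As in the post's own openssl ca output, the issued certificate's subject carries no localityName even though the CSR had L=zhengzhou: openssl ca rebuilds the subject from the policy section, and policy_match lists no localityName entry.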
Install the ssl module
[root@localhost Server]# mount /dev/cdrom /mnt/cdrom
[root@localhost Server]# yum install mod_ssl-2.2.3-31.el5.i386.rpm
Edit the ssl.conf file
[root@localhost Server]# cd /etc/httpd/conf.d/
[root@localhost conf.d]# vim ssl.conf
SSLCertificateFile /etc/httpd/certs/httpd.cert

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/certs/httpd.key
Check for syntax errors
[root@localhost conf.d]# service httpd configtest
Syntax OK
Restart the service
[root@localhost conf.d]# service httpd restart
停止 httpd:
[确定]
启动 httpd:
[确定]
Check the listening ports
[root@localhost conf.d]# netstat -tupln |grep http
tcp        0      0 :::80       :::*      LISTEN      5250/httpd
tcp        0      0 :::443      :::*
Test:
Plaintext access
Access succeeded!
Now test encrypted access
First edit the ssl.conf file and set the ××× path
[root@localhost conf.d]# vim ssl.conf
SSLCertificateChainFile /etc/pki/CA/cacert.pem
Open a browser
View the certificate and install it
Visit the site again
Edit the hosts file and visit the site again
Close port 80; the result is as follows
Test succeeded!
Reposted from: https://blog.51cto.com/niuxiaolin/968554