Linux上配置HTTPS
一.HTTP簡介
HTTP即超文字傳輸協議(Hypertext Transfer Protocol)。
這是一個檔案的傳輸協議,我們上網的時候,所有的檔案都是通過HTTP這個協議,從伺服器上傳輸到客戶端的電腦裡面的。同時HTTP協議工作在應用層,所以想要執行這個協議必須有相應的應用程式支撐。
這裡我們就先了解下什麼是客戶端,什麼是服務端
客戶端:通常是指我們的瀏覽器,比如谷歌瀏覽器、火狐瀏覽器、IE等,瀏覽器安裝在客戶使用的電腦上,所以,在描述http時,客戶端通常也代指那些安裝了瀏覽器的電腦。
服務端:通常是指那些安裝了web服務軟體的計算機,如httpd apache,nginx,lighttpd,這些服務端的計算機被稱為伺服器。
當我們從客戶端到服務端拉取檔案時,這些伺服器就會根據你的請求命令給你返回你所需要的資源。而這些資源在傳輸過程中都會以靜態的html格式檔案傳輸,同時它的傳輸方式是明文的。這樣的傳輸方式就會使你的一些重要資訊被一些有心人擷取下來,所以基於http的傳輸方式並不是安全的。這就使HTTPS得以出現。
二.HTTPS簡介
HTTPS(全稱:httpover ssl,Hyper Text Transfer Protocol over Secure Socket Layer),HTTPS簡單來說就是http+ssl,基於安全套接字層的超文字傳輸協議。它是以安全為目標的HTTP通道,簡單講就是HTTP的安全版。即在HTTP下加入了SSL子層,HTTPS的安全基礎是SSL。SSL會使用各種對稱加密演算法、非對稱加密演算法來加密傳送資料。
三.HTTP與HTTPS區別
區別就是在於https這個多出來的 s。SSL及其繼任者傳輸層安全是為網路通訊提供安全及資料完整性的一種安全協議。TLS與SSL在傳輸層對網路連線進行加密。
其他要說很明顯能感覺到的,就是:
- http預設埠是80,https是443
- http不會對傳輸的資料進行加密,https會。
四.SSL會話的簡單過程
(1) 客戶端傳送可供選擇的加密方式,並向伺服器請求證書;
(2) 伺服器端傳送證書以及選定的加密方式給客戶端;
(3) 客戶端取得證書並進行證書驗正:
如果信任給其發證書的CA:
(a) 驗正證書來源的合法性;用CA的公鑰解密證書上數字簽名;
(b) 驗正證書的內容的合法性:完整性驗正
(c) 檢查證書的有效期限;
(d) 檢查證書是否被吊銷;
(e) 證書中擁有者的名字,與訪問的目標主機要一致;
(4) 客戶端生成臨時會話金鑰(對稱金鑰),並使用伺服器端的公鑰加密此資料傳送給伺服器,完成金鑰交換;
(5) 服務用此金鑰加密使用者請求的資源,響應給客戶端;
注意:SSL會話是基於IP地址建立;所以單IP的主機上,僅可以使用一個https虛擬主機;
五.HTTPS的實現
1.安裝專門的mod_ssl模組
[[email protected] ~]# yum install mod_ssl
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.4.6-80.el7.centos will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================
Package Arch Version Repository Size
======================================================================================================================
Installing:
mod_ssl x86_64 1:2.4.6-80.el7.centos base 111 k
Transaction Summary
======================================================================================================================
Install 1 Package
Total download size: 111 k
Installed size: 224 k
Is this ok [y/d/N]: y
Downloading packages:
mod_ssl-2.4.6-80.el7.centos.x86_64.rpm | 111 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 1:mod_ssl-2.4.6-80.el7.centos.x86_64 1/1
Verifying : 1:mod_ssl-2.4.6-80.el7.centos.x86_64 1/1
Installed:
mod_ssl.x86_64 1:2.4.6-80.el7.centos
Complete!
2.申請CA證書
要生成證書就需要為服務端生成私鑰,並用它來為其提供證書檔案;
[[email protected] ~]# cd /etc/pki/CA
[[email protected] /etc/pki/CA]# (umask 066;openssl genrsa -out private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.....++
.........................................................++
e is 65537 (0x10001)
[[email protected] /etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeNan
Locality Name (eg, city) [Default City]:ZhengZhou
Organization Name (eg, company) [Default Company Ltd]:Magedu
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[[email protected] /etc/pki/CA]# touch index.txt
[[email protected] /etc/pki/CA]# echo 00 > serial
[[email protected] /etc/pki/CA]# mkdir /etc/httpd/conf.d/ssl
[[email protected] /etc/pki/CA]# cd /etc/httpd/conf.d/ssl/
[[email protected] /etc/httpd/conf.d/ssl]# (umask 066;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
......++++++
.............++++++
e is 65537 (0x10001)
[[email protected] /etc/httpd/conf.d/ssl]# openssl req -new -key httpd.key -out httpd.csr
[[email protected] /etc/httpd/conf.d/ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
[[email protected] /etc/httpd/conf.d/ssl]# cp /etc/pki/CA/cacert.pem .
3.編輯.conf配置檔案
將程式碼修改為下列三行
[[email protected] ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
4.修改配置檔案
[[email protected] ~]# vim /etc/httpd/conf.d/vhost.conf
<VirtualHost *:443>
ServerName www.baidu.com
DocumentRoot "/app/website1"
CustomLog "logs/www.baidu.com_access_log" combined
<Directory "/app/website1">
Require all granted
</Directory>
</VirtualHost>
~
4.重新啟動服務
[[email protected] ~]# systemctl restart httpd