HTTPS setup and HTTP-to-HTTPS redirection

HTTP is a plaintext protocol, so when access to a page is controlled with AuthType (Basic authentication), a packet capture shows the user's account name and password in the clear. HTTPS is encrypted transport: the data in transit is protected by TLS, so a capture shows only ciphertext.

SSL/TLS session flow

  • 1. The client sends the cipher suites it supports and asks the server for its certificate
  • 2. The server sends its certificate and the cipher suite it selected
  • 3. The client receives the certificate and validates it; before the certificate is trusted it checks:
      • a. origin: the CA's digital signature on the certificate is verified with the CA's public key
      • b. content: the signed fields are intact (integrity check)
      • c. validity period: the current time lies between notBefore and notAfter
      • d. revocation status: the certificate has not been revoked (CRL or OCSP)
      • e. the name in the certificate matches the host being accessed (current browsers match subjectAltName and no longer accept the CN alone)
  • 4. The client generates a temporary session key (a symmetric key), encrypts it with the server's public key and sends it to the server, which completes the key exchange (this is RSA key exchange; with (EC)DHE cipher suites the certificate key only signs the key-exchange parameters and the session key itself is never transmitted)
  • 5. Both sides now encrypt application data with the session key: the server encrypts the requested resource and sends it back, and the client's later requests are encrypted the same way

    SSL was originally bound to the IP address: the certificate has to be sent before the server sees the Host header, so without SNI a single IP can serve only one HTTPS virtual host. With the SNI extension (httpd 2.2.12 and later with an SNI-capable OpenSSL) name-based HTTPS virtual hosts work on one IP.

HTTPS setup

First create a private CA and its self-signed certificate.
1) Generate the CA key on the CA host

[root@CA CA]# (umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........................+++
......................+++
e is 65537 (0x10001)

2) Generate the self-signed CA certificate on the CA host (note that the CN entered below is the web server's hostname; a CA should carry its own name, otherwise issuer and subject of the server certificate are identical and hard to tell apart)

[root@CA CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:ydong.com  
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.ydong.com
Email Address []:

3) Create the bookkeeping files openssl ca needs (the certificate database and the next serial number)

[root@CA CA]# touch index.txt
[root@CA CA]# echo 01 > serial

4) Install the SSL module on the httpd host

[root@httpd ~]# yum install -y mod_ssl

5) Generate the private key on the httpd host (1024-bit RSA is shown here, but that is below today's minimum; use 2048 bits or more)

[root@httpd ~]# (umask 066;openssl genrsa -out /etc/pki/ssl/httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.............................................++++++
.............................................++++++
e is 65537 (0x10001)

6) Generate the certificate signing request on the httpd host (the -days option does nothing for a CSR; the certificate lifetime is fixed by the CA in step 8)

[root@httpd pki]# openssl req -new  -key ssl/httpd.key -out ssl/http.csr -days 365 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:ydong.com
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.ydong.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

7) Transfer http.csr to the CA host

[root@httpd pki]# scp ssl/http.csr 192.168.199.233:/tmp

8) The CA reviews and signs httpd's request

[root@CA CA]# openssl ca -in http.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 16 13:34:07 2020 GMT
            Not After : Mar 16 13:34:07 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = ydong.com
            organizationalUnitName    = opt
            commonName                = www.ydong.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                A4:46:CD:AC:9F:F4:72:BA:E2:AF:F7:B9:94:21:7B:C7:6C:6B:91:7D
            X509v3 Authority Key Identifier: 
                keyid:AB:DE:71:81:02:EC:DB:66:7F:56:FE:BC:DD:15:4E:9A:0A:62:2B:31

Certificate is to be certified until Mar 16 13:34:07 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

9) Send httpd.crt to the httpd host

[root@CA CA]# scp httpd.crt 192.168.199.243:/etc/pki/ssl
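Steps 1 to 9 above run end to end as one non-interactive script, followed by the client-side checks (a) to (e) from the session-flow section. This is an added example written for this page, not the post's own commands: it writes a minimal openssl.cnf of its own instead of using /etc/pki/tls/openssl.cnf, gives the CA its own name, uses a 2048-bit server key, adds a subjectAltName to the CSR, and adds a revoke/CRL step the post does not have. It assumes OpenSSL 1.1.0 or later on PATH; www.ydong.com is the post's hostname, the CA name and the directory layout under mktemp are this example's.

```shell
#!/bin/sh
# Added example for this page (not the post's commands): steps 1-9 run
# non-interactively in a scratch dir, then the client checks (a)-(e).
# Assumes OpenSSL >= 1.1.0. Changes from the post, all deliberate: own
# openssl.cnf, CA with its own name, 2048-bit server key, subjectAltName
# in the CSR, and a revoke/CRL step the post does not have.
set -eu

WORK=$(mktemp -d)
CA_DIR=$WORK/CA
CNF=$WORK/openssl.cnf
CN=www.ydong.com

# Minimal stand-in for /etc/pki/tls/openssl.cnf: [req] gives the CSR a SAN,
# [demo_ca] is what "openssl ca" reads (index.txt, serial, newcerts/, CA key).
write_config() {
    cat > "$CNF" <<EOF
[ req ]
default_md         = sha256
distinguished_name = req_dn
req_extensions     = req_ext
[ req_dn ]
commonName = Common Name (server FQDN)
[ req_ext ]
subjectAltName = DNS:$CN
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = server_cert
copy_extensions  = copy
[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ server_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Steps 1-3: CA key, self-signed CA cert (CA:TRUE, as the stock config's
# v3_ca section also sets), and the bookkeeping files for "openssl ca".
setup_ca() {
    write_config
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
    (umask 066; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CNF" -extensions v3_ca -days 3650 \
        -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
        -subj "/C=CN/O=ydong.com/CN=ydong.com private CA"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"
}

# Steps 5-9: server key and CSR, signed by the CA. The post's 1024-bit key is
# below today's minimum; -days on "req -new" is ignored, the CA sets lifetime.
issue_server_cert() {
    (umask 066; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$CNF" -key "$WORK/httpd.key" \
        -out "$WORK/httpd.csr" -subj "/C=CN/O=ydong.com/CN=$CN"
    openssl ca -batch -config "$CNF" -notext -days 365 \
        -in "$WORK/httpd.csr" -out "$WORK/httpd.crt" 2>/dev/null
}

# (a)+(b): CA signature and chain.  (c): not expired now.  (e): name match.
verify_chain() { openssl verify -CAfile "$CA_DIR/cacert.pem" "$WORK/httpd.crt" >/dev/null 2>&1; }
not_expired()  { openssl x509 -in "$WORK/httpd.crt" -noout -checkend 0 >/dev/null; }
verify_host()  { openssl verify -CAfile "$CA_DIR/cacert.pem" -verify_hostname "$1" \
                     "$WORK/httpd.crt" >/dev/null 2>&1; }
# (d): revoke, publish a CRL, and verify with CRL checking turned on.
revoke_cert() {
    openssl ca -batch -config "$CNF" -revoke "$WORK/httpd.crt" 2>/dev/null
    openssl ca -batch -config "$CNF" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}
verify_with_crl() { openssl verify -crl_check -CAfile "$CA_DIR/cacert.pem" \
                        -CRLfile "$WORK/ca.crl" "$WORK/httpd.crt" >/dev/null 2>&1; }

setup_ca
issue_server_cert
openssl x509 -in "$WORK/httpd.crt" -noout -subject -issuer -dates
verify_chain && not_expired && echo "signature, chain, validity: OK"
verify_host "$CN" && echo "hostname $CN: OK"
verify_host evil.example || echo "hostname evil.example: rejected"
revoke_cert
verify_with_crl || echo "after revocation, CRL check: rejected"
```

The CA directory layout (private/cakey.pem, cacert.pem, index.txt, serial, newcerts/) is the one openssl ca expects, so the same config carries over to a real CA host; the two "rejected" lines are the checks a browser would fail on a certificate for the wrong name or a revoked one.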

10) Edit the ssl.conf configuration file (installed by mod_ssl under /etc/httpd/conf.d/) so the 443 virtual host uses the key from step 5 and the certificate from step 9

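The ssl.conf edits, shown as an added example rather than the post's screenshots: the stock /etc/httpd/conf.d/ssl.conf from mod_ssl already contains a <VirtualHost _default_:443> block, and these are the directives inside it to set. The paths are the ones used in steps 5 and 9; the SSLProtocol line is this example's hardening, not something the post shows.

```apache
# /etc/httpd/conf.d/ssl.conf (installed by mod_ssl); only the directives to
# change inside the existing <VirtualHost _default_:443> block are shown.
<VirtualHost _default_:443>
    ServerName www.ydong.com:443
    DocumentRoot "/var/www/html"
    SSLEngine on
    # certificate issued by the CA in step 8/9, key generated in step 5
    SSLCertificateFile    /etc/pki/ssl/httpd.crt
    SSLCertificateKeyFile /etc/pki/ssl/httpd.key
    # the stock file disables SSLv2/SSLv3; TLS 1.0 and 1.1 should go too
    # (this example's choice)
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
```

Check the syntax with httpd -t before restarting, keep the key readable by root only (the umask 066 in step 5 does that), and test from a client with openssl s_client -connect www.ydong.com:443 -servername www.ydong.com -CAfile cacert.pem. Because the CA is private, a browser only shows a trusted padlock after cacert.pem from step 2 has been imported into its trust store.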
11) Restart the service and test (both 80 and 443 should now be listening)

[root@httpd httpd]# ss -tnl | grep -E "80|443"
LISTEN     0      128       [::]:443                   [::]:*                  
LISTEN     0      128       [::]:80                    [::]:*  


HTTP to HTTPS redirection

Implemented with the Redirect directive (mod_alias).

[root@httpd httpd]# cat conf.d/test.conf 
<VirtualHost *:80>
	<Directory /var/www/html>
		Options none
		AllowOverride none
		Require all granted
	</Directory>
	Redirect temp "/index.html" "https://www.ydong.com/index.html" 
</VirtualHost>

temp is a temporary redirect: the old URL may come back into use later, so the client should keep requesting it. Status code 302.

[root@httpd httpd]# cat conf.d/test.conf 
<VirtualHost *:80>
	<Directory /var/www/html>
		Options none
		AllowOverride none
		Require all granted
	</Directory>
	Redirect permanent "/index.html" "https://www.ydong.com/index.html" 
</VirtualHost>

permanent is a 301 permanent redirect. Note that both rules only cover /index.html, since Redirect matches by URL-path prefix; redirecting the path "/" instead sends the whole site to HTTPS.

The above does redirect, but it is still not safe: the client first talks to the server over plain HTTP and only then is sent to HTTPS, so that first request and its redirect can be intercepted or rewritten on the way (SSL stripping). Can the browser go straight to HTTPS without ever touching HTTP?

HSTS exists to solve exactly this problem.
Once the server is configured for HSTS, it carries the Strict-Transport-Security header in its HTTPS responses. A browser that has seen the header rewrites every later HTTP request for that host to HTTPS internally (Chrome shows this as a 307 Internal Redirect) with no network round-trip at all. Two caveats: browsers ignore the header when it arrives on a plain-HTTP response, so it must be sent from the 443 virtual host, not the port-80 one; and the very first visit still goes over HTTP unless the domain is in the browsers' built-in preload list.

[root@httpd httpd]# cat conf.d/test.conf 
<VirtualHost *:80>
	<Directory /var/www/html>
		Options none
		AllowOverride none
		Require all granted
	</Directory>
	RewriteEngine on
	RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302,L]
</VirtualHost>

And inside the <VirtualHost _default_:443> block of conf.d/ssl.conf (the directive is max-age, not maxage; a header with no valid max-age is ignored):

	Header always set Strict-Transport-Security "max-age=31536000"

RewriteRule needs mod_rewrite and Header needs mod_headers; both are loaded by default on CentOS 7.
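A small model of the browser side of HSTS, added here as an example (it is not from the post): it shows why a Strict-Transport-Security header on a plain-HTTP response, such as one sent from a port-80 virtual host, has no effect, what the internal upgrade that replaces the 301/302 round-trip looks like, and why the directive must be spelled max-age. The policy store is a constructed file with one line per host ("host expiry_epoch include_subdomains"); the exchange at the bottom is constructed, and www.ydong.com is the post's hostname.

```shell
#!/bin/sh
# Added example for this page (not from the post): a tiny model of the
# browser side of HSTS, enough to show (1) why a Strict-Transport-Security
# header on a plain-HTTP response (e.g. from the :80 vhost) does nothing,
# (2) the internal upgrade that replaces the 301/302 round-trip, and (3) why
# the directive must be spelled max-age. Policy store: a constructed file,
# one line per host: "host expiry_epoch include_subdomains".
set -eu
HSTS_DB=$(mktemp)

# hsts_receive SCHEME HOST HEADER_VALUE: RFC 6797 says a UA MUST ignore the
# header on an insecure response; over HTTPS it records max-age (0 deletes).
hsts_receive() {
    scheme=$1; host=$2; value=$3
    [ "$scheme" = https ] || return 0
    max_age=$(printf '%s' "$value" | tr ';' '\n' | tr -d ' ' \
              | grep -i '^max-age=' | head -n1 | cut -d= -f2)
    [ -n "$max_age" ] || return 0       # no max-age directive: header invalid, ignored
    subs=0
    printf '%s' "$value" | grep -iq 'includeSubDomains' && subs=1
    grep -v "^$host " "$HSTS_DB" > "$HSTS_DB.tmp" || true   # drop the old entry
    mv "$HSTS_DB.tmp" "$HSTS_DB"
    [ "$max_age" -gt 0 ] && echo "$host $(( $(date +%s) + $max_age )) $subs" >> "$HSTS_DB"
    return 0
}

# covers POLICY_HOST INCLUDE_SUBDOMAINS HOST: does a stored policy apply to HOST?
covers() {
    [ "$1" = "$3" ] && return 0
    [ "$2" = 1 ] || return 1
    case $3 in *".$1") return 0 ;; esac
    return 1
}

# hsts_navigate URL: prints the URL the browser will actually request.
hsts_navigate() {
    url=$1
    case $url in http://*) ;; *) echo "$url"; return 0 ;; esac
    rest=${url#http://}; host=${rest%%/*}; path=${rest#"$host"}
    now=$(date +%s)
    while read -r h exp subs; do
        [ "$exp" -gt "$now" ] || continue        # expired policy
        if covers "$h" "$subs" "$host"; then
            echo "https://$host$path"; return 0  # the "307 internal redirect"
        fi
    done < "$HSTS_DB"
    echo "$url"                                  # no policy: plain HTTP goes out
}

# Constructed exchange between a server and this model browser.
hsts_receive http  www.ydong.com "max-age=31536000"                    # ignored: not HTTPS
hsts_navigate http://www.ydong.com/index.html                          # still http://
hsts_receive https www.ydong.com "max-age=31536000; includeSubDomains" # recorded
hsts_navigate http://www.ydong.com/index.html                          # now https://
hsts_navigate http://mail.www.ydong.com/                               # https:// (subdomain)
hsts_receive https www.ydong.com "maxage=31536000"                     # typo: ignored, old policy stays
hsts_navigate http://www.ydong.com/index.html                          # still https://
hsts_receive https www.ydong.com "max-age=0"                           # policy removed
hsts_navigate http://www.ydong.com/index.html                          # back to http://
```

The first line of the exchange is the situation a header in the port-80 virtual host creates: the server sent it, the browser threw it away, and the next navigation still leaves as plain HTTP and depends on the 301/302 above. Ports in the URL are ignored by this model, and a real browser also caches the policy across restarts.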



Reposted from blog.csdn.net/qq_44564366/article/details/104906092