How to configure a Django + HTTPS development environment?

One, HTTP and the origin of HTTPS

  • As we all know, HTTP is an application-layer protocol built on top of TCP for transferring Web content; in the network layering model it belongs to the application layer.

  • Looking at it from a security perspective, the protocol has inherent problems when it is used to transfer data:

    • (1) communication is in plaintext (not encrypted), so the content may be intercepted;
    • (2) the communicating parties are not authenticated, so an attacker may impersonate one of them;
    • (3) message integrity cannot be proven, so the content may be tampered with.
  • SSL was created to solve these security problems of HTTP: in the 1990s Netscape designed the SSL (Secure Sockets Layer) protocol. After years of development SSL became widely used on the Internet, and after standardization the name was changed to TLS (Transport Layer Security).

  • HTTPS is simply HTTP used in combination with SSL/TLS; it solves the security problems HTTP has when transmitting data.

  • Principle: a security layer is added between the HTTP protocol layer and the TCP transport layer, so that application-layer data is encrypted before transmission and its integrity is verified while in transit. The same layer also authenticates the server through its certificate, which is what section Four is about.

  • So how does SSL/TLS encrypt data and guarantee its integrity during transmission?

    • To answer that we need to look further into the protocol's encryption logic. Two kinds of encryption algorithm are involved: symmetric encryption and asymmetric encryption.

Two, symmetric encryption

  • "Symmetric encryption" can be understood as a reversible mathematical operation (in contrast to one-way hashing, it is an encryption that can be undone): whatever has been encrypted can be decrypted, but both the encryption and the decryption step require one crucial input, the "key".
  • The defining feature of symmetric encryption is that encryption and decryption use the "same" key. That raises the key problem: for the client and server to encrypt their traffic with a shared "key", the server has to send that key to the client, and how can the key be protected while it travels? If a third party intercepts the key in transit, the encrypted conversation is, to that third party, no different from plaintext. So symmetric encryption on its own does not fit a scenario where the key has to be delivered over the network.

Thus asymmetric encryption was born!

Three, asymmetric encryption

  • In "asymmetric encryption" the keys used for encryption and decryption are different: each party generates a key pair, a public key and a private key, and the two sides exchange public keys for encrypted communication. As the diagram shows, when the server sends its public key to the client, the client uses that public key to encrypt its data; even if a third party intercepts the public key in transit, the decryption key (the private key) never leaves the server and is never published, so an interceptor holding only the public key cannot decrypt the data.

  • However, this scheme is still exposed to eavesdropping. The eavesdropper intercepts the server's response carrying the server's public key, impersonates the server and responds to the client with the eavesdropper's own public key. The client then encrypts its data with the eavesdropper's public key; the eavesdropper intercepts the message, decrypts it with its own private key, obtains the plaintext and can tamper with it, then re-encrypts it with the real server's public key and forwards it to the server. Throughout the exchange, the client has no way to tell whether its peer is the eavesdropper or the server.

  • Look at the diagram model (a figure in the original, not reproduced here) and assume the communication has been eavesdropped. Where exactly does the problem lie?

  • We can analyze the whole process from the start:

    • First, the client requests the public key and obtains it from some "peer" in the response, then communicates using that "public key". The problem lies exactly here: the client does no verification of the "public key" or of its "source". In other words, the client cannot tell whether the "public key" really came from the server rather than from a third-party eavesdropper.

    • Therefore the client must verify the "public key" and establish that it really belongs to the legitimate server, in order to guarantee the security of the communication between the two ends.
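The following shell script is an added example, not part of the original post, that plays out sections Two and Three with the openssl command line: a shared-key round trip, an RSA key pair where only the private key decrypts, and the key-substitution attack in which the client encrypts to an eavesdropper's key because nothing ties the key it received to the server. The file names, the sample message and the literal password are constructed for the demo.

```bash
# Added example (not from the original post). Requires the openssl CLI.
set -eu

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"
cd "$DEMO_DIR"
printf 'transfer 100 to alice\n' > msg.txt      # constructed sample plaintext

same_file() { [ "$(cat "$1")" = "$(cat "$2")" ]; }

# Section Two: one shared key both encrypts and decrypts. Whoever learns the
# password (a literal here, which is exactly the key-distribution problem)
# reads every message.
symmetric_roundtrip() {
  openssl enc -aes-256-cbc -pbkdf2 -pass pass:shared-secret -in msg.txt -out msg.sym &&
  openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:shared-secret -in msg.sym -out msg.sym.dec &&
  same_file msg.txt msg.sym.dec
}

# Section Three: each party generates a key pair; only the public half is sent.
make_keypair() {  # $1 = name; writes $1.key (private, never sent) and $1.pub
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null &&
  openssl pkey -in "$1.key" -pubout -out "$1.pub"
}

client_encrypt() {  # $1 = whatever public key the client received, $2 = ciphertext out
  openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
    -in msg.txt -out "$2"
}

decrypt_with() {  # $1 = private key, $2 = ciphertext; returns 0 only if the key matches
  openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
    -in "$2" -out "$2.dec" 2>/dev/null && same_file msg.txt "$2.dec"
}

# The eavesdropping scenario from section Three. The client encrypts to the key
# it was handed. With the genuine key only the server can read the message and
# the interceptor's copy of the public key is useless to it. With a substituted
# key the eavesdropper reads the message and the server cannot. From the
# client's side both runs look identical, which is the gap a CA has to fill.
asymmetric_demo() {
  make_keypair server &&
  make_keypair eavesdropper &&
  client_encrypt server.pub honest.enc &&
  client_encrypt eavesdropper.pub mitm.enc &&
  # honest exchange: server decrypts, a third party with only server.pub cannot
  decrypt_with server.key honest.enc &&
  ! decrypt_with eavesdropper.key honest.enc &&
  # swapped key: the eavesdropper decrypts, the real server cannot
  decrypt_with eavesdropper.key mitm.enc &&
  ! decrypt_with server.key mitm.enc
}

symmetric_roundtrip && asymmetric_demo && echo "demo files in $DEMO_DIR"
```

Run it directly or source it and call the functions; every step exits non-zero if the property it demonstrates does not hold, so the script doubles as a check that your openssl build behaves as the text describes.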

Four, CA authentication mechanism

  • This is where a trusted third party is introduced:
    • Certificate Authority (CA): the organization that issues digital certificates. It is the authority responsible for issuing and managing digital certificates; acting as a trusted third party in e-commerce transactions, it is responsible for checking the legitimacy of public keys within the public-key system.

    • The CA issues a digital certificate for each user's public key; the certificate's role is to prove the legitimacy of the public key listed in it. The CA's digital signature prevents an attacker from forging or tampering with the certificate. In other words, as long as the certificate is valid and legitimate, the public key it contains is valid and legitimate.

    • The server submits its public key (in a certificate signing request) to the CA; the CA signs a certificate containing the server's public key with the CA's own private key and returns it to the server. Operating systems and browsers ship with the root certificates of well-known CAs built in. When a client (such as a browser) later sends a request to the server, the server presents its certificate and the client verifies the certificate's signature against the locally stored CA root certificate: a successful verification shows that the server certificate is legitimate and, indirectly, that the public key came from the legitimate server. In practice the client also checks that the certificate's name (its Subject Alternative Name) matches the host it is connecting to and that the certificate is within its validity period.

Five, implementing Django + HTTP + SSL with a self-signed certificate

  • Since formally applying for a certificate requires going through a CA, here I configure HTTPS for a Django-based server in a simple way, using a self-signed certificate.

    (1) Create the configuration file for the CA root certificate, MyCompanyCA.cnf (shown in the original as a screenshot, not reproduced here)

    (2) Create the extension file used when issuing the server certificate, MyCompanyLocalhost.ext (screenshot not reproduced)

    (3) Create the CA certificate and key (requires openssl, which can be installed through the package manager) (screenshot not reproduced)

    (4) Create the server key and the certificate signing request file (screenshot not reproduced)

    (5) Issue the SSL certificate (screenshot not reproduced)

  • After the above steps, OpenSSL has produced a self-signed certificate set: MyCompanyCA.cer is the CA root certificate (because we signed it ourselves, neither the system nor the browser has this root built in, so it has to be added manually); MyCompanyLocalhost.cer is the SSL certificate and MyCompanyLocalhost.pvk is its private key.
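Because the five steps above survive only as screenshots, the script below is an added example of my own, not the post's commands, that produces the same set of files with OpenSSL and then performs the verification section Four describes: a self-signed root MyCompanyCA.cer, its private key (assumed name MyCompanyCA.pvk; the post does not state it), and a server certificate MyCompanyLocalhost.cer with key MyCompanyLocalhost.pvk signed by that root. The contents of MyCompanyCA.cnf and MyCompanyLocalhost.ext are my assumptions about what the original files contained, and the subject names and lifetimes are placeholders.

```bash
# Added example (not from the original post). Requires the openssl CLI.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

write_configs() {
  # Root CA request config (assumed content). CA:TRUE and keyCertSign are what
  # let this certificate sign others; modern clients reject a chain whose root
  # lacks them.
  cat > "$WORKDIR/MyCompanyCA.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext

[ dn ]
C  = CN
O  = MyCompany
CN = MyCompany Root CA

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # Extensions stamped onto the server certificate at signing time (assumed
  # content). Browsers match the host against subjectAltName, not CN, so
  # without the SAN line the site is still "not trusted" after the root is
  # installed.
  cat > "$WORKDIR/MyCompanyLocalhost.ext" <<'EOF'
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:localhost, IP:127.0.0.1
authorityKeyIdentifier = keyid, issuer
EOF
}

# Step (3): self-signed root. The .pvk stays on the issuing machine; only the
# .cer is distributed to clients (section Seven).
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORKDIR/MyCompanyCA.cnf" \
    -keyout "$WORKDIR/MyCompanyCA.pvk" -out "$WORKDIR/MyCompanyCA.cer"
}

# Steps (4) and (5): server key plus certificate signing request, then the root
# signs the CSR. 825 days is the longest leaf lifetime macOS still trusts.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=CN/O=MyCompany/CN=localhost" \
    -keyout "$WORKDIR/MyCompanyLocalhost.pvk" -out "$WORKDIR/MyCompanyLocalhost.csr" &&
  openssl x509 -req -sha256 -days 825 \
    -in "$WORKDIR/MyCompanyLocalhost.csr" \
    -CA "$WORKDIR/MyCompanyCA.cer" -CAkey "$WORKDIR/MyCompanyCA.pvk" -CAcreateserial \
    -extfile "$WORKDIR/MyCompanyLocalhost.ext" \
    -out "$WORKDIR/MyCompanyLocalhost.cer"
}

# The two checks a browser performs once the root is trusted (section Four):
# the signature chains to the root, and the SAN covers the name being visited.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/MyCompanyCA.cer" "$WORKDIR/MyCompanyLocalhost.cer" &&
  openssl x509 -in "$WORKDIR/MyCompanyLocalhost.cer" -noout -text | grep -q 'DNS:localhost'
}

write_configs
make_ca
make_server_cert
verify_chain && echo "certificates written to $WORKDIR"
```

Set WORKDIR to the directory your Django project reads certificates from, or copy the three output files there. Running `openssl verify` without `-CAfile` against the leaf fails, which is the same "not trusted" condition the browser reports in section Six until the root is installed.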

Six, starting the Django test server with HTTPS

  • Start the HTTPS test server as follows:

    (1) Install the dependencies (screenshot not reproduced)

    (2) Modify the Django configuration file (screenshot not reproduced)

    (3) Start the Django service with https (screenshot not reproduced)

  • Django is now serving HTTPS, but the browser still cannot open the site over HTTPS: the server certificate is not trusted, because the browser does not know the self-signed root that issued it (screenshot not reproduced).

Seven, installing the CA root certificate

  • The self-signed CA root certificate has to be installed on any client that needs to access the server over HTTPS. The following illustrates adding the certificate on macOS (Windows has a similar dialog):

    (1) Add the root certificate (screenshot not reproduced)

    (2) Set the system to trust the certificate (screenshot not reproduced)

  • With that, the client (browser) side is complete and the server can be accessed over https (screenshot not reproduced).
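Sections Six and Seven are likewise only screenshots, so the script below is an added example of my own, not the post's commands. It assumes the files from section Five sit in the current directory and are PEM-encoded, that django-extensions' runserver_plus (which needs Werkzeug and pyOpenSSL) is the HTTPS-capable development server, and that the project's manage.py is in the same directory; the post does not name its tooling. Only cert_matches_key runs without a Django project; the other functions are the commands to type.

```bash
# Added example (not from the original post). The .cer/.pvk names are the
# post's; the assumption is that their content is PEM, as produced by openssl.
set -eu

CERT="${CERT:-MyCompanyLocalhost.cer}"
KEY="${KEY:-MyCompanyLocalhost.pvk}"
ROOT="${ROOT:-MyCompanyCA.cer}"

# Most "HTTPS dev server won't start" reports come down to a certificate paired
# with the wrong key. Both commands print the SubjectPublicKeyInfo in PEM, so a
# byte-for-byte comparison is enough. Returns 0 when they match.
cert_matches_key() {  # $1 = certificate, $2 = private key
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Section Six, steps (1) to (3): dependencies, settings, start. Assumed tooling:
# django-extensions' runserver_plus. settings.py must list 'django_extensions'
# in INSTALLED_APPS, which is the manual edit step (2) refers to.
start_django_https() {
  cert_matches_key "$CERT" "$KEY" &&
  pip install django-extensions Werkzeug pyOpenSSL &&
  python manage.py runserver_plus --cert-file "$CERT" --key-file "$KEY" 127.0.0.1:8000
}

# Section Seven, command-line form of the Keychain Access steps: add the
# private root to the system keychain as a trusted root (needs sudo). Remove it
# again when the project is over: a trusted private root is a standing
# interception capability for anyone who obtains MyCompanyCA.pvk.
trust_root_macos() {
  sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$ROOT"
}

# Per-command alternative that leaves the system trust store alone: hand curl
# the root directly. Without --cacert it fails exactly as the browser did.
check_https() {
  curl --silent --show-error --cacert "$ROOT" -o /dev/null -w '%{http_code}\n' https://localhost:8000/
}

# Usage: . ./django_https.sh; start_django_https   (then, in another shell) check_https
```

Because the SAN in the section Five certificate names only localhost and 127.0.0.1, visit the server by one of those names; a LAN address or a custom hostname will still be rejected even with the root trusted.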

Origin blog.csdn.net/PY0312/article/details/105069728