Table of contents
Linux static website based on HTTPS
Encrypted authentication website using Apache+mod_ssl component
Main parameters of ssl configuration file
Case 1 --- Build an HTTP+SSL encrypted and authenticated web server
Linux static website based on HTTPS
definition
The Hypertext Transfer Protocol (HTTP) is used to transfer information between web browsers and web servers.
HTTP sends content in clear text and provides no form of data encryption. If an attacker intercepts the traffic between the web browser and the web server, he can read the information in it directly. HTTP is therefore not suitable for transmitting sensitive information such as credit card numbers and passwords. To address this shortcoming of HTTP, another protocol is used: Secure Socket Layer Hypertext Transfer Protocol, HTTPS.
HTTPS (full name: Hyper Text Transfer Protocol over Secure Socket Layer, or Hypertext Transfer Protocol Secure) is an HTTP channel whose goal is security.
HTTPS is not a new protocol but HTTP + SSL (TLS). Originally HTTP communicated directly with TCP (assuming the transport layer is TCP); with SSL added, HTTP first communicates with SSL and SSL then communicates with TCP, which amounts to SSL being inserted between HTTP and TCP.
SSL protocol
definition
SSL is the abbreviation of "Secure Sockets Layer". It was designed by Netscape in the mid-1990s; by 1999 SSL was in wide use and had become the de facto standard on the Internet. The IETF then standardized SSL, and after standardization it was renamed TLS (Transport Layer Security).
SSL protocol layering
SSL Record Protocol: built on a reliable transport protocol (such as TCP), it provides basic functions such as data encapsulation, compression and encryption to the higher-layer protocols.
SSL Handshake Protocol: built on the SSL Record Protocol, it is used, before the actual data transfer begins, for identity authentication, negotiation of the encryption algorithm and exchange of encryption keys between the communicating parties.
Services provided by SSL protocol
- Authenticate users and servers to ensure data is sent to the correct client and server
- Encrypt data to prevent it from being stolen en route
- Maintain data integrity and ensure data is not altered during transmission
Encrypted authentication website using Apache+mod_ssl component
mod_ssl module
mod_ssl is an Apache module. It is a component that provides cryptographic (SSL/TLS) protection for Apache, built on the OpenSSL toolkit.
Install
[root@www conf.d]# yum install mod_ssl -y
Configuration file
- Main configuration file --- /etc/httpd/conf.d/ssl.conf
- Certificate file --- /etc/pki/tls/certs/xxxx.crt
- Private key file --- /etc/pki/tls/private/xxxx.key
Main parameters of ssl configuration file
[root@www /]# vim /etc/httpd/conf.d/ssl.conf
# Commonly used parameters:
Listen 443 https # port to listen on
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog # program that supplies the passphrase protecting the certificate's private key
SSLSessionCache shmcb:/run/httpd/sslcache(512000) # type and location of the SSL session cache
SSLSessionCacheTimeout 300 # cache timeout (seconds)
<VirtualHost _default_:443> # important: defines the virtual host
ErrorLog logs/ssl_error_log # error log
TransferLog logs/ssl_access_log # transfer (access) log
LogLevel warn # log level
SSLEngine on # enable the SSL engine
SSLHonorCipherOrder on # use the server's cipher preference order during negotiation
SSLCertificateFile /etc/pki/tls/certs/localhost.crt # certificate path
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key # private key path
</VirtualHost> # end of the virtual host definition
Case
Case 1 --- Build an HTTP+SSL encrypted and authenticated web server
Create a directory to store web pages and upload web page data via xftp
[root@www /]# mkdir -p /test/zy
[root@www /]# cd /test/zy/
[root@www zy]# vim index.html
[root@www zy]# cat index.html
this is zy
Generate a private key file in the /etc/pki/tls/private/ directory
[root@www zy]# cd /etc/pki/tls/private/
[root@www private]# ls
sendmail.key
[root@www private]# openssl genrsa -aes128 2048 > zy.key
Generating RSA private key, 2048 bit long modulus (2 primes)
.............+++++
........................+++++
e is 65537 (0x010001)
Enter pass phrase: # set the passphrase that encrypts the private key, 123456
Verifying - Enter pass phrase: # enter it again
[root@www private]#
Create a new digital certificate in the /etc/pki/tls/certs/ directory
[root@www private]# cd /etc/pki/tls/certs/
[root@www certs]# ls
ca-bundle.crt ca-bundle.trust.crt sendmail.pem
[root@www certs]# openssl req -utf8 -new -key /etc/pki/tls/private/zy.key -x509 -days 365 -out zy.crt
Enter pass phrase for /etc/pki/tls/private/zy.key: # enter the passphrase that encrypts the private key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:86 # country code
State or Province Name (full name) []:shanxi # province
Locality Name (eg, city) [Default City]:xi'an # city
Organization Name (eg, company) [Default Company Ltd]:tiandi # company
Organizational Unit Name (eg, section) []:Hcip # department
Common Name (eg, your name or your server's hostname) []:192.168.149.130 # host name
Email Address []:[email protected] # e-mail address
Edit the configuration file
[root@www certs]# cd ~
[root@www ~]# vim /etc/httpd/conf.d/ssl.conf
<virtualhost 192.168.149.130:443> # https virtual host settings
SSLEngine on # enable the engine
SSLCertificateFile /etc/pki/tls/certs/zy.crt # certificate path
SSLCertificateKeyFile /etc/pki/tls/private/zy.key # private key path
servername 192.168.149.130 # domain name
documentroot /test/zy # document root
<directory /test/zy > # permissions on the document root
allowoverride none
require all granted
</directory>
</virtualhost>
Restart the service
[root@localhost ~]# systemctl restart httpd
Enter TLS private key passphrase for 192.168.149.128:443 (RSA) : ****** # the passphrase is the 123456 set earlier
Case 2 --- Create a website www.joker.com with multiple subdirectories. The website has two subdirectories, www.joker.com/file and www.joker.com/ftp. The file data must be read over http and the ftp data must be read over https.
Install mod_ssl and Apache
[root@localhost ~]# yum install httpd
[root@localhost ~]# yum install mod_ssl -y
# disable SELinux and the firewall
[root@localhost ~]# setenforce 0
[root@localhost ~]# systemctl stop firewalld
Create the web directories and their index files
[root@localhost ~]# mkdir -p /www/file
[root@localhost ~]# mkdir -p /www/ftp
[root@localhost ~]# vim /www/file/index.html
[root@localhost ~]# vim /www/ftp/index.html
[root@localhost ~]# cat /www/file/index.html
this is joker/file
[root@localhost ~]# cat /www/ftp/index.html
this is ftp
Modify the mapping of /etc/hosts
[root@localhost ~]# vim /etc/hosts
Create the http "file" website
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
<virtualhost 192.168.149.128>
servername 'file'
documentroot /www/file
alias /file /www/file
<directory /www/file>
allowoverride none
require all granted
</directory>
</virtualhost>
Create the https "ftp" website
[root@localhost ~]# openssl genrsa -aes128 2048 > /etc/pki/tls/private/sxhkt.key
Generating RSA private key, 2048 bit long modulus (2 primes)
............................................................................................................................................+++++
..............................................................................+++++
e is 65537 (0x010001)
Enter pass phrase: # passphrase 123456
Verifying - Enter pass phrase:
[root@localhost ~]# touch /etc/pki/tls/certs/sxhkt.crt
[root@localhost ~]# openssl req -utf8 -new -key /etc/pki/tls/private/sxhkt.key -x509 -days 365 -out /etc/pki/tls/certs/sxhkt.crt
Enter pass phrase for /etc/pki/tls/private/sxhkt.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:86
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:joker
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:192.168.149.128
Email Address []:joker.com
Edit the configuration file
[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf
<virtualhost 192.168.149.128:443>
sslengine on
SSLCertificateFile /etc/pki/tls/certs/sxhkt.crt
SSLCertificateKeyFile /etc/pki/tls/private/sxhkt.key
servername 'ftp'
documentroot /www/ftp
alias /ftp /www/ftp # alias so the second-level directory can be reached
<directory /www/ftp>
allowoverride none
require all granted
</directory>
</virtualhost>
Restart the service and test
[root@localhost ~]# systemctl restart httpd
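The key and certificate steps of Case 1 and Case 2 above are interactive, and the encrypted key is why httpd asks for a passphrase at every restart. The following script is an added example, not part of the original article: it runs the same openssl steps non-interactively (-passout/-passin/-subj) and adds two checks worth doing before restarting httpd, that the certificate really belongs to the key configured next to it and whether the key is passphrase-protected. It assumes the openssl CLI is installed; the directory, passphrase and the C/ST/O/OU values in the subject are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes the openssl CLI.

# make_site_cert DIR NAME CN PASSPHRASE
# Writes DIR/NAME.key (AES-128 encrypted, as "openssl genrsa -aes128" on the
# page does) and DIR/NAME.crt (self-signed, 365 days) without any prompts.
make_site_cert() {
    dir=$1; name=$2; cn=$3; pw=$4
    # subshell so the restrictive umask only applies to the private key
    ( umask 077
      openssl genrsa -aes128 -passout "pass:$pw" -out "$dir/$name.key" 2048 2>/dev/null
    ) || return 1
    # subject fields are placeholders; only the CN (host name) is taken from the argument
    openssl req -new -x509 -days 365 \
        -key "$dir/$name.key" -passin "pass:$pw" \
        -subj "/C=CN/ST=shanxi/O=joker/OU=linux/CN=$cn" \
        -out "$dir/$name.crt" 2>/dev/null || return 1
    chmod 644 "$dir/$name.crt"
}

# cert_matches_key CRT KEY PASSPHRASE
# Exit 0 when the certificate carries the public key of this private key,
# non-zero otherwise. Catches SSLCertificateFile and SSLCertificateKeyFile
# pointing at files from different generation runs.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# key_is_encrypted KEY
# Exit 0 when the PEM key is passphrase-protected. Such a key makes httpd
# prompt on every restart ("Enter TLS private key passphrase" in Case 1),
# so an unattended reboot blocks until someone types it in.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Stand-alone demo for the Case 2 host name, in a temporary directory.
demo() {
    d=$(mktemp -d)
    make_site_cert "$d" sxhkt 192.168.149.128 123456 || return 1
    cert_matches_key "$d/sxhkt.crt" "$d/sxhkt.key" 123456 || return 1
    if key_is_encrypted "$d/sxhkt.key"; then
        echo "note: $d/sxhkt.key is passphrase-protected; httpd will prompt at restart"
    fi
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh script.sh demo`; to use the real paths from the page, call make_site_cert with /etc/pki/tls as the directory and move the .key into private/ and the .crt into certs/.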