Web site services (2)

I. Web access control:
1. httpd service access control:
Client address restrictions and user authorization restrictions
1) Client address restrictions: access is controlled according to the client's IP address, protecting sensitive resources on the web site.
2) User authorization restrictions: the client must supply a user name and password before it can access a specific resource; this is more flexible than restricting by IP address.
2. Implementing client address restrictions:
1) Edit the <Directory "directory"> ... </Directory> section of the main configuration file httpd.conf.
2) Client control directives:
Order allow,deny    ## order of evaluation: Allow rules first, then Deny rules (a request matching neither is denied); deny,allow is the reverse
Allow from address  ## client addresses permitted to access; the address may be ALL (everyone), a network segment, a single IP address, or several addresses separated by spaces
3. User authorization restrictions:
1) Edited in the same place as the client address restrictions
2) Configuring user authorization restrictions:
Step 1: create httpd users and passwords
htpasswd -c userfile username   ## create the user file and its first user
htpasswd userfile username      ## add a second or later user
Step 2: modify the configuration file to enable authorization
AuthName "authentication prompt text"
AuthType Basic            ## authentication type is Basic
AuthUserFile "userfile"   ## the user file to use
Require valid-user        ## only users who authenticate successfully may access
Step 3: restart the service and test authenticated access
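Added example (not code from the original post): step 1's user file built with openssl instead of htpasswd (same $apr1$ hash format), a check that mirrors what AuthType Basic does against that file on each request, and the <Directory> block from steps 2 and 3 combining the IP restriction with the user restriction. The directory path, user names, passwords and network are constructed; Order/Allow is the Apache 2.2 syntax the post uses.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a user file in the format
# htpasswd writes, verifies passwords the way httpd does, and prints the
# <Directory> block. Path, user names, passwords and network are constructed.
set -e
USERFILE=$(mktemp)

# Equivalent of "htpasswd -c" / "htpasswd": one "name:$apr1$salt$hash" line per user
add_user() {                 # $1 = user name, $2 = password
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")" >> "$USERFILE"
}

# What AuthUserFile + Require valid-user amounts to: look the user up, re-hash the
# offered password with the stored salt, and compare with the stored hash.
check_password() {           # $1 = user name, $2 = offered password; returns 0 if valid
    stored=$(grep "^$1:" "$USERFILE" | head -n 1 | cut -d: -f2)
    [ -n "$stored" ] || return 1                          # unknown user
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)         # $apr1$<salt>$<hash>
    [ "$(openssl passwd -apr1 -salt "$salt" "$2")" = "$stored" ]
}

add_user alice 'S3cret!'     # first user (htpasswd -c)
add_user bob   'hunter2'     # second user (htpasswd without -c)

# The protected area: IP restriction (Order/Allow, Apache 2.2 syntax) plus user
# authorization; with the default Satisfy All a request must pass both.
# Order allow,deny with a single Allow line: only 192.168.1.0/24 gets through.
cat <<EOF
<Directory "/var/www/html/admin">
    Order allow,deny
    Allow from 192.168.1.0/24
    AuthName "Restricted area"
    AuthType Basic
    AuthUserFile "$USERFILE"
    Require valid-user
</Directory>
EOF
```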

II. Web virtual hosts
1. Web virtual hosts:
Multiple web sites are configured on a single server, so each site no longer needs a physical server of its own.
2. Virtual host types supported by Apache:
name-based (same IP, same port, different domain names); IP-based (different IPs, different domain names, same port); port-based (same IP, same domain name, different ports).
3. Configuration process for name-based virtual hosts:
1) Provide DNS resolution (register the domain names and add the resolution records)
2) Modify httpd.conf and extra/httpd-vhosts.conf to enable virtual hosts
3) Migrate the main site
4) Restart the service and test

III. Configuring HTTPS:
1. Understanding encryption algorithms:
Encryption algorithms are classified as symmetric and asymmetric.
1) Symmetric encryption: the same key is used for encryption and decryption. Advantage: fast. Disadvantage: sharing the key securely is difficult. Typical symmetric algorithms: DES / AES / RC5 / 3DES, etc.
2) Asymmetric encryption: a key pair (public key and private key) is generated; data encrypted with the public key can only be decrypted with the private key, and data encrypted with the private key can only be decrypted with the public key. Normally the server keeps the private key and shares the public key with the client, so the client encrypts with the public key and the server decrypts with the private key. Neither half of the key pair can be derived from the other, which keeps the keys secure. Disadvantage: encryption is very slow, so it is unsuitable for large volumes of data. Typical asymmetric algorithms: RSA / DSA.
How to choose an encryption algorithm?
With symmetric encryption alone, the key sharing (transmission) process is insecure; with asymmetric encryption alone, encryption is slow.
The complete solution:
Use a symmetric key to encrypt the data, and use asymmetric encryption to protect the symmetric key. Data encryption is then both fast and secure, and the confidentiality of the data is ensured.

2. Certificate server: CA
The scheme above still has a problem: how does the client verify that the shared (transmitted) public key really belongs to its claimed owner? The solution is certificate authentication, with a CA (certificate authority) server providing the authentication service.
Certificate authentication procedure:
1) The server generates a key pair (public and private) and a certificate request;
2) The CA issues a server certificate to the server according to the request;
3) The server obtains the root certificate and shares it with the client, which imports the root certificate;
4) During communication, the client confirms the legitimacy of the server's public key on the basis of the root certificate.

Certificate servers fall into two kinds: public certificate servers (such as Microsoft, Google, etc.) and private certificate servers built by enterprises themselves (implemented with openssl). Certificate authentication provides non-repudiation of data.

3. Digital signature: HASH
The scheme above still has one problem: the integrity of the data during transmission cannot be determined (whether it was tampered with).
Typical HASH algorithms: MD5, SHA1, SHA256, SHA512, etc.
Digital signature process:
The server runs the data to be transmitted through a HASH algorithm to obtain a hash string and publishes that string along with the data to the client. The client computes the hash of the received data with the same algorithm; if it matches the digital signature published by the server, the data has not been tampered with, otherwise it has. This ensures data integrity.
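Added example (not code from the original post) that carries sections 1 to 3 above out by hand with openssl: a self-built CA issues the server certificate, the client verifies that certificate against the root it trusts, a random symmetric key protected by the server's public key encrypts the data, and a SHA-256 hash sent alongside lets the receiver check integrity. All names, subjects and the message are constructed; assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: private CA + server certificate,
# hybrid encryption and a hash check, done with openssl in a scratch directory.
# Every name, subject and message here is constructed for the demonstration.
set -e
work=$(mktemp -d) && cd "$work"

# Section 2, steps 1-2: self-built CA (the root certificate the client imports),
# then the server's key pair, certificate request, and CA-issued certificate.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
openssl req -x509 -new -key ca.key -days 3 -subj "/CN=Demo Private CA" -out ca.crt
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key 2>/dev/null
openssl req -new -key server.key -subj "/CN=www.example.test" -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 3 -out server.crt 2>/dev/null

# Section 2, step 4: the client accepts the server's public key only if the
# certificate chains to the root it trusts. $1 = trusted root, $2 = presented cert.
client_verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Section 1 "complete solution": a random symmetric key encrypts the data, and
# the server's public key (taken from its certificate) protects that key.
client_encrypt() {                   # $1 = plaintext file to send
    openssl x509 -in server.crt -pubkey -noout > server.pub
    openssl rand -hex 32 > session.key
    openssl pkeyutl -encrypt -pubin -inkey server.pub -in session.key -out session.key.enc
    openssl enc -aes-256-cbc -pbkdf2 -pass file:session.key -in "$1" -out msg.enc
    # Section 3: hash of the data, sent alongside it so the receiver can check integrity
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1 > msg.sha256
}

# Server side: recover the symmetric key with the private key, decrypt the data,
# and accept it only if the recomputed hash matches the one that was sent.
server_decrypt_and_check() {         # $1 = output file for the recovered data
    openssl pkeyutl -decrypt -inkey server.key -in session.key.enc -out recovered.key
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:recovered.key -in msg.enc -out "$1"
    [ "$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)" = "$(cat msg.sha256)" ]
}

printf 'GET /admin/ HTTP/1.1\nHost: www.example.test\n' > request.txt   # constructed data
client_encrypt request.txt
server_decrypt_and_check received.txt && client_verify_cert ca.crt server.crt \
    && echo "round trip and certificate chain OK"
```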

4. Understanding how HTTPS works:
1) HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is HTTP with SSL added underneath it; the default port is 443.
2) SSL (Secure Sockets Layer) was designed mainly by Netscape for secure transmission.
3) HTTPS communication process:
a. The client requests an HTTPS connection (via https://), and the server returns its certificate (carrying the public key, the certificate issued by the certificate authority, the set of encryption algorithms and HASH algorithms it offers, etc.) to the client.
b. After receiving the certificate, the client verifies its legitimacy, generates a random password (for the negotiated symmetric encryption algorithm), encrypts it with the public key, computes the HASH of the handshake messages with the agreed algorithm, and encrypts that handshake message with the random password.
c. The client sends the random password encrypted with the public key, together with the HASH of the handshake messages (the digital signature), to the server.
d. After the server (web site) receives the encrypted random password and the digital signature: it decrypts the random password with its private key, decrypts the digital signature with the random password, and uses it to verify the integrity of the handshake messages. It then encrypts a handshake message with the random password and sends it to the client (browser).
e. The browser decrypts the handshake message and computes its hash to confirm data integrity. From then on, communication data is encrypted with the random password (a symmetric algorithm).

Reproduced from: https://blog.51cto.com/14386255/2406852


Source: blog.csdn.net/weixin_34212189/article/details/92257198