https
https:http over ssl
SSL会话的简化过程
(1) 客户端发送可供选择的加密方式,并向服务器请求证书 (2) 服务器端发送证书以及选定的加密方式给客户端 (3) 客户端取得证书并进行证书验证
如果信任给其发证书的CA
(a) 验证证书来源的合法性;用CA的公钥解密证书上数字签名 (b) 验证证书的内容的合法性:完整性验证 (c) 检查证书的有效期限 (d) 检查证书是否被吊销 (e) 证书中拥有者的名字,与访问的目标主机要一致
(4) 客户端生成临时会话密钥(对称密钥),并使用服务器端的公钥加密此数据发送给服务器,完成密钥交换
(5) 服务用此密钥加密用户请求的资源,响应给客户端
注意:SSL是基于IP地址实现,单IP的主机仅可以使用一个https虚拟主机
https实现
(1) 为服务器申请数字证书
测试:通过私建CA发证书
(a) 创建私有CA (b) 在服务器创建证书签署请求 (c) CA签证
(2) 配置httpd支持使用ssl,及使用的证书
yum -y install mod_ssl
配置文件:/etc/httpd/conf.d/ssl.conf
DocumentRoot ServerName SSLCertificateFile SSLCertificateKeyFile
(3) 测试基于https访问相应的主机
openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
实现HTTP网站加密
第一种申请证书方式(自签名证书)
A主机:192.168.34.100 提供加密的网站
B主机:192.168.34.101 客户端
(1)在A主机安装mod_ssl模块
[root@centos7 ~]# yum install mod_ssl -y
(2)可以查看到安装mod_ssl模块时,执行了以下哎脚本就已经自动生成了公私钥文件,不需要我们再进行自签名证书
[root@centos7 ~]# rpm -q --scripts mod_ssl
postinstall scriptlet (using /bin/sh):
umask 077
if [ -f /etc/pki/tls/private/localhost.key -o -f /etc/pki/tls/certs/localhost.crt ]; then
exit 0
fi
/usr/bin/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 2048 > /etc/pki/tls/private/localhost.key 2> /dev/null
FQDN=`hostname`
if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then
FQDN=localhost.localdomain
fi
cat << EOF | /usr/bin/openssl req -new -key /etc/pki/tls/private/localhost.key \
-x509 -sha256 -days 365 -set_serial $RANDOM -extensions v3_req \
-out /etc/pki/tls/certs/localhost.crt 2>/dev/null
--
SomeState
SomeCity
SomeOrganization
SomeOrganizationalUnit
${FQDN}
root@${FQDN}
EOF
证书存放路径:
[root@centos7 asite]# cd /etc/pki/tls/certs/ [root@centos7 certs]# ll total 16 lrwxrwxrwx. 1 root root 49 Jan 4 16:32 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem lrwxrwxrwx. 1 root root 55 Jan 4 16:32 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt -rw------- 1 root root 1391 Mar 31 10:43 localhost.crt # 自签名颁发的证书 -rwxr-xr-x. 1 root root 610 Aug 9 2019 make-dummy-cert -rw-r--r--. 1 root root 2516 Aug 9 2019 Makefile -rwxr-xr-x. 1 root root 829 Aug 9 2019 renew-dummy-cert
(3)此时我们的/etc/httpd/conf.d/目录下就会生产一个ssl.conf加密文件,加密的关键信息,就是监听了443端口,并指定了https类型,不指定会默认为http,且加密默认访问的住配置文件的网站在/var/www/html目录下
vim /etc/httpd/conf.d/ssl.conf 生成的ssl.conf配置文件不需要修改,这里只是展示重要信息而已。
Listen 443 https SSLCertificateFile /etc/pki/tls/certs/localhost.crt # 证书存放路径 SSLCertificateKeyFile /etc/pki/tls/private/localhost.key # 私钥存放路径
(4)注释掉httpd主配置文件的documenroot "/var/www/html"路径,并自定义访问路径。
1、注释掉httpd主配置文件的路径
[root@centos7 www]# vim /etc/httpd/conf/httpd.conf #DocumentRoot "/var/www/html" # 注释掉此行即可。
2、指定自定义的/data/www目录下访问网站
[root@centos7 www]# cat /etc/httpd/conf.d/test.conf documentroot "/data/www" # 指定访问的网站路径 <directory "/data/www"> require all granted # 授权所有人都可以访问 </directory>
3、定义访问页面:
[root@centos7 www]# echo welcome to shanghai > /data/www/index.html
访问网站
1、在B主机客户端访问效果
[root@centos7 ~]# curl -k https://192.168.7.100 # -k是跳过检查 welcome to shanghai
2、此时就会提示不安全的网站:
第二种方法:搭建私有CA,实现HTTPS加密
(1)在A主机的/etc/pki/CA目录下生成私钥
[root@centos7html]#cd /etc/pki/CA [root@centos7CA]#tree . ├── certs ├── crl ├── newcerts └── private 4 directories, 0 files [root@centos7CA]#(umask 066;openssl genrsa -out private/cakey.pem 2048) 生成私钥证书 Generating RSA private key, 2048 bit long modulus ..........................................................................................................+++ .......................................+++ e is 65537 (0x10001)
(2)在A主机上申请自签名证书:
[root@centos7CA]#openssl req -new -x509 -key private/cakey.pem -out cacert.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:beijing Locality Name (eg, city) [Default City]:beijing Organization Name (eg, company) [Default Company Ltd]:magedu Organizational Unit Name (eg, section) []:devops Common Name (eg, your name or your server's hostname) []:ca.magedu.com Email Address []:
查看当前创建文件的tree结构
(3)在A主机上新建两个文件
[root@centos7CA]#touch index.txt [root@centos7CA]#echo 01 > serial
(4)在A主机向服务端申请证书
1、先生成私钥
[root@centos7CA]#cd /etc/httpd/conf.d [root@centos7conf.d]#ls autoindex.conf httpdgroup httpdpass manual.conf README ssl.conf test.conf userdir.conf welcome.conf [root@centos7conf.d]#mkdir ssl 新建一个ssl目录 [root@centos7conf.d]#cd ssl [root@centos7ssl]#pwd /etc/httpd/conf.d/ssl [root@centos7ssl]#(umask 077;openssl genrsa -out httpd.key 1024) 生成私钥 Generating RSA private key, 1024 bit long modulus ..........++++++ .......++++++ e is 65537 (0x10001)
2、生成证书申请文件
[root@centos7ssl]#openssl req -new -key httpd.key -out httpd.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN 国家一致 State or Province Name (full name) []:beijing 省份一致 Locality Name (eg, city) [Default City]:beijing Organization Name (eg, company) [Default Company Ltd]:magedu 公司一致 Organizational Unit Name (eg, section) []:beiguobu Common Name (eg, your name or your server's hostname) []:*.magedu.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
(5)在A主机开始颁发证书
[root@centos7CA]#cd /etc/pki/CA 切换到CA目录下
[root@centos7CA]#openssl ca -in /etc/httpd/conf.d/ssl/httpd.csr -out certs/httpd.crt -days 100 颁发证书
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 28 14:09:59 2019 GMT
Not After : Mar 7 14:09:59 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = magedu
organizationalUnitName = beiguobu
commonName = *.magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E3:03:AB:A2:28:41:EB:41:A8:2F:35:DD:A1:D3:FA:F4:9B:2E:49:EB
X509v3 Authority Key Identifier:
keyid:E5:B6:6E:DC:62:18:90:3C:6E:BD:08:CF:4A:9A:1B:E5:2E:3A:15:F0
Certificate is to be certified until Mar 7 14:09:59 2020 GMT (100 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(6)将certs目录下的文件以及cacert.pem文件都复制到ssl目录下
[root@centos7CA]#cp certs/httpd.crt /etc/httpd/conf.d/ssl/ 复制httpd.crt文件到ssl目录下 [root@centos7CA]#cd /etc/httpd/conf.d/ssl [root@centos7ssl]#ls httpd.crt httpd.csr httpd.key [root@centos7CA]#cp cacert.pem /etc/httpd/conf.d/ssl 复制cacert.pem文件到ssl目录下 [root@centos7CA]#ls /etc/httpd/conf.d/ssl cacert.pem httpd.crt httpd.csr httpd.key
(7)修改mod_ssl配置文件信息
vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt 证书文件路径 SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key 私钥文件路径 SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem CA证书文件路径
重启httpd服务:systemctl restart httpd
在网页上查看结果:将证书安装后,就会信任此证书,就不会再提示危险网址
http重定向https
(1)将http请求转发至https的URL
(2)重定向
Redirect [status] URL-path URL
(3)status状态:
Permanent: 返回永久重定向状态码 301
Temp:返回临时重定向状态码302. 此为默认值
示例:
Redirect temp / https://www.magedu.com/
HSTS
HSTS:HTTP Strict Transport Security (常用此功能)
服务器端配置支持HSTS后,会在给浏览器返回的HTTP首部中携带HSTS字段。浏览器获取到该信息后,会将所有HTTP访问请求在内部做307跳转到HTTPS。而无需任何网络过程
HSTS preload list
是Chrome浏览器中的HSTS预载入列表,在该列表中的网站,使用Chrome浏览器访问时,会自动转换成HTTPS。Firefox、Safari、Edge浏览器也会采用这个列表
实现HSTS示例:
vim /etc/httpd/conf/httpd.conf
Header always set Strict-Transport-Security "max-age=31536000" 总是加密,但定义跳转时间有效期,以数s为单位,实际是1年
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302]
演示:网页跳转
修改httpd配置文件
vim /etc/httpd/conf/httpd.conf
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302]
在另一台主机上检测此时的主机跳转结果:
如果想定义一个跳转的有效期,就在/etc/httpd/conf/httpd.conf配置文件中加入一条代码,并实现HSTS功能,如下:
Header always set Strict-Transport-Security "max-age=31536000" 总是加密,定义跳转时间有效期,以数s为单位,算下来就是一年
vim /etc/httpd/conf/httpd.conf 在最底部写入此配置文件内容即可
