Compiling Apache with HTTPS support on CentOS 6.2

Source: Internet
Author: User
Tags: install, openssl, openssl x509, openldap

HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is HTTP carried over a secure channel; in short, a secure version of HTTP. An SSL layer is inserted beneath HTTP, so the security of HTTPS rests on SSL, and the details of the encryption belong to SSL rather than to HTTP. As a URI scheme it looks just like http:, and an https: URL still means HTTP is spoken, but with a different default port and with an encryption/authentication layer between HTTP and TCP. The scheme was developed by Netscape and built into its browser, and it is now used everywhere on the Web where traffic is sensitive, such as payment transactions. HTTPS uses Netscape's Secure Socket Layer (SSL) as a sub-layer beneath the HTTP application layer and talks to TCP/IP on port 443 instead of HTTP's port 80. (The original export-grade SSL ciphers used 40-bit RC4 keys and were once sold as adequate for business traffic; they have long been broken and must not be enabled on a server today.) HTTPS and SSL support X.509 certificates, so when necessary the client can confirm who the other end is.
In other words, HTTPS has two main functions: it establishes a secure channel so that data in transit is protected, and it confirms the identity of the website. This article shows how to configure such an https server on CentOS 6.2.

Differences between HTTPS and HTTP
1. An https server needs a certificate. Browsers accept it without a warning only if a CA they already trust issued it, and commercial CAs charge for that; free certificates were rare, so in practice one pays. A self-signed certificate, as created below, encrypts just as well, but every client will warn about it.
2. HTTP is the Hypertext Transfer Protocol and transmits everything in plaintext; HTTPS is HTTP over an SSL-encrypted transport.
3. The two use different ports and completely different connection setups: 80 for HTTP, 443 for HTTPS.
4. An HTTP connection is simple and stateless. HTTPS is SSL + HTTP, adding encrypted transmission and identity authentication, so it is safer than plain HTTP.

Problems solved by HTTPS
1. Trusting the host. A server that uses https must obtain a certificate from a CA (Certificate Authority) that vouches for what the server is. The client trusts the host only if the certificate is valid for the server it is actually connected to. This is why all the key functions of banking websites run over https: the customer trusts the host by trusting its certificate. The process is slow and costly, but banks care more about security. For our own servers it is less of an issue: whether the certificate is self-issued or comes from a public CA, the clients are our own, so they can be told to trust the server.
2. Leakage and tampering of data in transit.
1. In general, https means the server has a certificate.
   A) Its main purpose is to guarantee that the server is the one it claims to be, as in point 1 above.
   B) All communication between server and client is encrypted.
      I. Specifically, the client generates a symmetric session key and hands it to the server protected by the server's certificate, that is, encrypted to the public key in the certificate; this is the handshake in the usual sense. (That describes RSA key exchange; newer TLS versions derive the session key with Diffie-Hellman instead, but the certificate still authenticates the server.)
      II. Everything exchanged afterwards is encrypted with that key. A third party that intercepts the traffic gains nothing, because it does not have the key, and any tampering is detected and rejected.
2. Where there are stronger requirements on the client side, the client must have a certificate as well.
   A) A client certificate is a CA-vouched identity used in addition to user name and password. Because a personal certificate cannot easily be forged by someone else, it confirms the user's identity more strongly.
   B) At present only the professional editions of a few banks' online banking do this; the certificate is typically carried on a USB token (a "U shield").
Anyone who has paid attention to this will already be familiar with it. The introduction above describes an RPM-based installation; what follows is how to build from source on CentOS 6.2 to get https and SSL virtual hosts. Note: the compile parameters below are the ones used for an LDAP-backed service. If you only need SSL, or only a plain web server, leave out the LDAP-related parameters (the --with-ldap*, --enable-ldap and --enable-authnz-ldap options, and apr-util's --with-berkeley-db).

Install OpenSSL
[root@chenyi ldmp]# tar zxf openssl-1.0.0e.tar.gz
[root@chenyi ldmp]# cd openssl-1.0.0e
[root@chenyi openssl-1.0.0e]# ./config --prefix=/software/ssl --openssldir=/software/openssl shared
[root@chenyi openssl-1.0.0e]# make && make test && make install
Note: --prefix is where the headers and libraries land (/software/ssl/include and /software/ssl/lib); --openssldir only receives openssl.cnf and the certs directory. Keep this in mind when pointing Apache's --with-ssl at the build. OpenSSL 1.0.0e is simply the release that was current when this was written; it has been unsupported for years, so use a current release in practice.
Install apr
[root@chenyi ldmp]# tar zxf apr-1.4.5.tar.gz
[root@chenyi ldmp]# cd apr-1.4.5
[root@chenyi apr-1.4.5]# ./configure --prefix=/software/apr
[root@chenyi apr-1.4.5]# make && make install
Install apr-util
[root@chenyi ldmp]# tar zxf apr-util-1.3.12.tar.gz
[root@chenyi ldmp]# cd apr-util-1.3.12
[root@chenyi apr-util-1.3.12]# ./configure --prefix=/software/apr-util --with-apr=/software/apr/ \
    --with-ldap-include=/software/openldap/include/ --with-ldap-lib=/software/openldap/lib/ \
    --with-berkeley-db=/software/BerkeleyDB.5.2/
[root@chenyi apr-util-1.3.12]# make && make install
(The --with-ldap-* and --with-berkeley-db options are only needed for the LDAP setup; leave them out for a plain web server.)
Install apache
[root@chenyi ldmp]# tar zxf httpd-2.2.21.tar.gz
[root@chenyi ldmp]# cd httpd-2.2.21
[root@chenyi httpd-2.2.21]# ./configure --prefix=/software/apache2 --sysconfdir=/etc/httpd \
    --enable-ssl --with-ssl=/software/openssl/ --with-z=/software/zlib/ \
    --enable-rewrite=shared --enable-static-support --enable-deflate=shared --enable-so \
    --enable-dav --enable-dav-fs --enable-ldap --enable-authnz-ldap \
    --with-included-apr --with-ldap --with-ldap-include=/software/openldap/include/ --with-ldap-lib=/software/openldap/lib \
    --with-apr=/software/apr/bin/apr-1-config --with-apr-util=/software/apr-util/bin/apu-1-config
[root@chenyi httpd-2.2.21]# make && make install
Two things to check before running this configure line:
- --with-ssl must point at the OpenSSL prefix (/software/ssl in the OpenSSL step above), not at the --openssldir (/software/openssl). If configure does not find include/openssl/ssl.h under the path given, it may quietly pick up the system OpenSSL instead; after the build, check the OpenSSL version that mod_ssl reports in error_log when httpd starts.
- --with-included-apr tells httpd to build the apr and apr-util bundled in srclib/, and it takes precedence over --with-apr and --with-apr-util. Use one or the other, depending on whether the separately built (LDAP-enabled) /software/apr and /software/apr-util are wanted.
Configuration supports SSL
[root@chenyi httpd-2.2.21]# cd /etc/httpd/
[root@chenyi httpd]# mkdir ssl ssl.key ssl.crt
[root@chenyi httpd]# openssl req -new -out server.csr
(This first request generates a throwaway key and CSR that the rest of the procedure does not use; the ssl, ssl.key and ssl.crt directories are likewise not used below, since the files are written straight into /etc/httpd.)
[root@chenyi httpd]# openssl genrsa -out www.itchenyi.com.key 1024
Generating RSA private key, 1024 bit long modulus
........++++++
............................++++++
e is 65537 (0x10001)
Note: a 1024-bit RSA key is too weak for current use and is rejected by modern browsers and CAs; use 2048 bits or more. The key file should also be readable by root only (chmod 600), since anyone who can read it can impersonate the server.

[root@chenyi httpd]# openssl req -new -key www.itchenyi.com.key -out www.itchenyi.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:pudong
Organization Name (eg, company) [Default Company Ltd]:chenyi
Organizational Unit Name (eg, section) []:www
Common Name (eg, your name or your server's hostname) []:www.itchenyi.com
Email Address []:itchenyi@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The Common Name must be the hostname clients will type (here www.itchenyi.com); a certificate whose name does not match the URL is rejected.

[root@chenyi httpd]# openssl x509 -req -days 365 -in www.itchenyi.com.csr -signkey www.itchenyi.com.key -out www.itchenyi.com.crt
Signature ok
subject=/C=CN/ST=shanghai/L=pudong/O=chenyi/OU=ww/CN=www.itchenyi.com/emailAddress=itchenyi@gmail.com
Getting Private key
This signs the request with its own key, so the certificate is self-signed: it encrypts traffic, but every browser will warn because no trusted CA vouches for it. To avoid the warning, send www.itchenyi.com.csr to a CA and install the certificate it returns in place of this one.
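The steps above produce a 1024-bit key, a certificate whose only name is in the CN, and no check that the two files belong together. The script below is an added example, not part of the original post: it does the same job in one openssl invocation with settings that current clients accept (2048-bit RSA, SHA-256, a DNS subjectAltName), then verifies the result the way a client, or Apache at startup, will: key and certificate match, the expected hostname is present, the certificate is not about to expire, and the key is not world-readable. The hostname www.itchenyi.com is taken from the post; the output directory, organisation and validity period are placeholders, and the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original post: create the server key and a
# self-signed certificate in one step, then check the things a client will
# check before the certificate goes into httpd-ssl.conf.
# Assumptions: the openssl CLI is on PATH; hostname, organisation and
# directories are placeholders chosen for the demonstration.
set -e

# make_selfsigned HOST OUTDIR [DAYS]
# Writes OUTDIR/HOST.key (2048-bit RSA, unencrypted, mode 0600) and
# OUTDIR/HOST.crt with HOST both as the CN and as a DNS subjectAltName.
make_selfsigned() {
    host=$1; outdir=$2; days=${3:-365}
    mkdir -p "$outdir"
    cfg=$(mktemp)
    # A private config file: non-interactive DN plus the server extensions
    # browsers expect (a SAN, not just the CN).
    cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = srv_ext
[dn]
C = CN
O = example
CN = $host
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # umask in a subshell: the key is created 0600 without changing the
    # caller's umask.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
          -config "$cfg" -keyout "$outdir/$host.key" -out "$outdir/$host.crt" \
          2>/dev/null )
    rm -f "$cfg"
}

# cert_matches_key CRT KEY -> exit 0 if the public key in the certificate is
# the public key of KEY (the check Apache makes at startup, done earlier).
cert_matches_key() {
    a=$(openssl x509 -noout -pubkey -in "$1" | openssl dgst -sha256)
    b=$(openssl pkey -pubout -in "$2" | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

# cert_dns_names CRT -> prints the DNS names from subjectAltName, one per line
cert_dns_names() {
    openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# cert_valid_for_days CRT DAYS -> exit 0 if the certificate does not expire
# within DAYS days (openssl -checkend takes seconds)
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# key_is_private KEY -> exit 0 if the key file is readable by its owner only
key_is_private() {
    case $(ls -l "$1") in
        -rw-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh mkcert.sh HOST OUTDIR   (with no arguments only the functions are defined)
if [ $# -ge 2 ]; then
    make_selfsigned "$1" "$2"
    cert_matches_key "$2/$1.crt" "$2/$1.key" && echo "key and certificate match"
    echo "names: $(cert_dns_names "$2/$1.crt" | tr '\n' ' ')"
    key_is_private "$2/$1.key" || echo "WARNING: $2/$1.key is readable by others"
fi
```

Run it as sh mkcert.sh www.itchenyi.com /etc/httpd and point SSLCertificateFile and SSLCertificateKeyFile at the two files it writes. The certificate is still self-signed, so browsers will warn; to get one they trust, keep the key and send a CSR for it to a CA instead of signing it yourself.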
Check the relevant configuration in /etc/httpd/extra/httpd-ssl.conf (this is also the part you need to modify):
[root@chenyi extra]# cat httpd-ssl.conf | grep SSLCertificateFile
#   Point SSLCertificateFile at a PEM encoded certificate.  If
SSLCertificateFile "/etc/httpd/www.itchenyi.com.crt"
#SSLCertificateFile "/etc/httpd/server-dsa.crt"
#   the referenced file can be the same as SSLCertificateFile
The grep only shows the certificate line. In the same file, make sure SSLCertificateKeyFile points at /etc/httpd/www.itchenyi.com.key (the shipped default refers to server.key, which does not exist here); without a matching key httpd will refuse to start.
Modify httpd-ssl.conf as follows. Note: if the Directory block is set incorrectly, the document root will be inaccessible (403).
DocumentRoot "/home/wwwroot"
<Directory /home/wwwroot>
    Order deny,allow
    Allow from all
</Directory>
ServerName www.itchenyi.com:443
ServerAdmin itchenyi@gmail.com
ErrorLog "/software/apache2/logs/error_log"
TransferLog "/software/apache2/logs/access_log"
Edit /etc/httpd/httpd.conf and uncomment the Include line for the SSL configuration (around line 408):
Include /etc/httpd/extra/httpd-ssl.conf
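httpd-ssl.conf decides more than the two certificate paths, and the protocol and cipher defaults shipped with httpd 2.2 still allow SSLv3, RC4 and export-grade ciphers. The shell script below is an added example, not part of the original post or of Apache: it reads a configuration file, ignores commented-out lines, and reports the settings that leave an SSL virtual host weak, then demonstrates itself on two constructed files, one written in the style of the stock 2.2 defaults and one hardened. The directive values in the samples and the audit rules are choices made for this illustration, not checks Apache itself performs.

```shell
#!/bin/sh
# Added example, not from the original post: audit an httpd-ssl.conf for the
# settings that decide how strong the SSL virtual host actually is. The two
# sample files are constructed here; their directive values are assumptions
# chosen to show a weak and a hardened configuration.

# audit_ssl_conf FILE -> prints one finding per line; exit 0 only if none
audit_ssl_conf() {
    f=$1
    rc=0
    # Strip comments first so a commented-out directive is not taken as live.
    conf=$(sed -e 's/#.*$//' "$f")

    if ! printf '%s\n' "$conf" | grep -iq '^[[:space:]]*SSLCertificateKeyFile[[:space:]]'; then
        echo "no SSLCertificateKeyFile: mod_ssl expects the key inside the .crt file"
        rc=1
    fi

    proto=$(printf '%s\n' "$conf" | grep -i '^[[:space:]]*SSLProtocol[[:space:]]' | tail -n 1)
    if [ -z "$proto" ]; then
        echo "no SSLProtocol: the default 'all' includes SSLv3"
        rc=1
    else
        set -- $proto; shift            # tokens after the directive name
        all=0; no2=0; no3=0
        for tok in "$@"; do
            case "$tok" in
                all|+all) all=1 ;;
                -SSLv2) no2=1 ;;
                -SSLv3) no3=1 ;;
                SSLv2|+SSLv2|SSLv3|+SSLv3) echo "SSLProtocol enables $tok"; rc=1 ;;
            esac
        done
        if [ "$all" -eq 1 ] && [ "$no2$no3" != 11 ]; then
            echo "SSLProtocol 'all' without both -SSLv2 and -SSLv3"
            rc=1
        fi
    fi

    ciphers=$(printf '%s\n' "$conf" | grep -i '^[[:space:]]*SSLCipherSuite[[:space:]]' | tail -n 1)
    if [ -z "$ciphers" ]; then
        echo "no SSLCipherSuite: the compiled-in default list is used"
        rc=1
    else
        set -- $ciphers; shift
        # Cipher groups are separated by ':'; a leading '!' removes a group.
        for tok in $(printf '%s' "$*" | tr ':' ' '); do
            case "$tok" in
                '!'*) ;;
                *RC4*|*EXP*|*LOW*|*NULL*|*DES*|*MD5*|*SSLv2*)
                    echo "SSLCipherSuite enables weak group '$tok'"; rc=1 ;;
            esac
        done
    fi

    if ! printf '%s\n' "$conf" | grep -iq '^[[:space:]]*SSLHonorCipherOrder[[:space:]][[:space:]]*on'; then
        echo "SSLHonorCipherOrder is not on: the client chooses the cipher"
        rc=1
    fi
    return $rc
}

# write_samples DIR -> writes DIR/weak.conf and DIR/hardened.conf (constructed)
write_samples() {
    cat >"$1/weak.conf" <<'EOF'
# Constructed sample in the style of the stock httpd 2.2 httpd-ssl.conf
<VirtualHost _default_:443>
    ServerName www.itchenyi.com:443
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "/etc/httpd/www.itchenyi.com.crt"
    #SSLCertificateKeyFile "/etc/httpd/www.itchenyi.com.key"
</VirtualHost>
EOF
    cat >"$1/hardened.conf" <<'EOF'
# Constructed sample: the same virtual host with the weak settings fixed
<VirtualHost _default_:443>
    ServerName www.itchenyi.com:443
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLCertificateFile "/etc/httpd/www.itchenyi.com.crt"
    SSLCertificateKeyFile "/etc/httpd/www.itchenyi.com.key"
</VirtualHost>
EOF
}

# Usage: sh audit.sh /etc/httpd/extra/httpd-ssl.conf [more files]
for f in "$@"; do
    echo "== $f"
    if audit_ssl_conf "$f"; then echo "no findings"; fi
done
```

Run it as sh audit.sh /etc/httpd/extra/httpd-ssl.conf after editing and again after every change. The hardened sample also shows the SSLCertificateKeyFile line that the post's grep does not display; without it mod_ssl expects the private key to be appended to the certificate file.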
Check the configuration with /software/apache2/bin/apachectl -t, restart httpd (for example with /software/apache2/bin/apachectl restart), and confirm with netstat that it now listens on both ports:
[root@chenyi extra]# netstat -pant | grep httpd
tcp        0      0 :::80                       :::*                        LISTEN      6124/httpd
tcp        0      0 :::443                      :::*                        LISTEN      6124/httpd
The site can now be reached at https://www.itchenyi.com (the original post shows a browser screenshot at this point). Because the certificate is self-signed, the browser warns about it before showing the page.

This article from the "IT Chen Yi" blog, please be sure to keep this source http://itchenyi.blog.51cto.com/4745638/1189006
