To configure httpd for HTTPS, follow the steps below. The IP address of the httpd server used throughout is 192.168.1.132.
(1) Install the mod_ssl module
# yum install -y mod_ssl
The main files the package installs can be listed with:
# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf is the mod_ssl configuration file; the default Listen 443 directive and the <VirtualHost _default_:443> block live there.
(2) Generate a private key for the server and obtain a certificate for it
Because this HTTPS setup is for testing, a private CA is built to issue the server certificate to the httpd server. So first create the CA's private key. The distribution's openssl.cnf expects the CA under /etc/pki/CA, with the key in private/ and issued certificates in newcerts/; running genrsa in a subshell with umask 077 makes the key file readable by root only:
# cd /etc/pki/CA
# (umask 077; openssl genrsa -out private/cakey.pem 2048)
The CA's own private key is now in /etc/pki/CA/private/cakey.pem.
Then generate the CA's self-signed certificate. openssl prompts for the Distinguished Name fields (country, state, organization, common name, and so on); note the values entered here, because the default openssl.cnf policy (policy_match) requires the server's CSR to carry the same country, state and organization:
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3000
The self-signed CA certificate cacert.pem is now in /etc/pki/CA.
To generate the httpd server's private key and certificate signing request:
# mkdir /etc/httpd/ssl && cd /etc/httpd/ssl
# (umask 077; openssl genrsa -out httpd.key 2048)
This generates the private key. The original post used a 1024-bit key; 1024-bit RSA is no longer considered adequate, so use at least 2048 bits.
# openssl req -new -key httpd.key -out httpd.csr
This generates the certificate signing request. When prompted for the Common Name, enter the virtual host name (www2.stux.com), because that is what the browser compares with the host name in the URL; leave the challenge password empty.
The CA now signs a certificate for the httpd server (if the CA runs on a separate host, copy httpd.csr there first). openssl ca requires its database files to exist in /etc/pki/CA: an empty index.txt and a serial file containing the next serial number, for example 01. The option is -days; the -day written in the original post is not a valid option:
# openssl ca -in httpd.csr -out httpd.crt -days 1000
The signed certificate is /etc/httpd/ssl/httpd.crt.
(3) Configure a virtual host that uses HTTPS. Assume the virtual host name is www2.stux.com.
Edit the configuration file /etc/httpd/conf.d/ssl.conf:
# vim /etc/httpd/conf.d/ssl.conf
Set SSLCertificateFile to the signed certificate (/etc/httpd/ssl/httpd.crt) and SSLCertificateKeyFile to the private key (/etc/httpd/ssl/httpd.key), replacing the default localhost.crt and localhost.key entries.
In the <VirtualHost IP:443> section (192.168.1.132:443 here), add the ServerName of the host that should be served over HTTPS and its DocumentRoot; SSLEngine on must remain set in that section.
(4) Restart httpd so that the new configuration is loaded (checking the syntax first with httpd -t avoids restarting into a broken configuration):
# service httpd restart
(5) Copy the CA certificate cacert.pem from /etc/pki/CA on the CA server to the client machine (it is the CA's certificate, which carries its public key, not a bare public key file). On a Windows client, for example, change the file suffix to .crt, import it into the browser's trusted root certificate store, and open https://www2.stux.com for testing; the name must resolve to 192.168.1.132, for instance through the hosts file.
The browser now reaches the site over HTTPS and reports the certificate as trusted, because its issuer is the imported CA.
The openssl s_client tool available on Linux can also be used for testing. Copy the CA certificate to the test machine:
# scp 192.168.1.132:/etc/pki/CA/cacert.pem ./
# openssl s_client -connect 192.168.1.132:443 -CAfile /root/cacert.pem
The connection summary should contain "Verify return code: 0 (ok)", which shows that the server is serving HTTPS and presenting a certificate that chains to our CA; any other return code means the chain could not be built from the given -CAfile. Note that s_client checks the chain only, not that the certificate's name matches the host; newer OpenSSL versions can add that check with -verify_hostname www2.stux.com.
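Steps (2) and (3), plus the offline half of step (5), as one runnable script. This is an added example, not code from the original post: it builds in a temporary directory what the steps above build in /etc/pki/CA and /etc/httpd/ssl (the directory layout, the subject fields, the DocumentRoot and the private openssl.cnf it writes are assumptions of the example), signs the server certificate with openssl ca, writes the ssl.conf virtual-host fragment, and then checks the result with openssl verify, which is the offline equivalent of the s_client chain check. It also adds a subjectAltName to the server certificate, which the original post did not do and which current browsers require.

```bash
# Added example, not code from the original post: build a throwaway CA and sign
# a certificate for www2.stux.com in a temp dir laid out like /etc/pki/CA and
# /etc/httpd/ssl above, write the matching ssl.conf fragment, and check the
# result offline.  Subject fields, DocumentRoot and paths are illustrative.
set -e

# Step (2), CA side: key, self-signed certificate, and the index.txt/serial
# database `openssl ca` needs.  A private openssl.cnf keeps the demo away
# from the system /etc/pki/tls/openssl.cnf.
build_ca() {
    ca="$1/CA"
    mkdir -p "$ca/private" "$ca/newcerts"
    touch "$ca/index.txt"
    echo 01 > "$ca/serial"
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
countryName = optional
stateOrProvinceName = optional
organizationName = optional
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
prompt = no
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ server_ext ]
extendedKeyUsage = serverAuth
subjectAltName = DNS:www2.stux.com
EOF
    # umask 077 in a subshell: the key file is created readable by root only.
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$ca/openssl.cnf" -key "$ca/private/cakey.pem" \
        -subj "/C=CN/O=stux/CN=stux demo CA" -days 3000 -out "$ca/cacert.pem"
}
# Step (2), httpd side: a 2048-bit key (the post used 1024) and a CSR whose CN
# is the virtual host name.
make_server_csr() {
    mkdir -p "$1/httpd"
    (umask 077; openssl genrsa -out "$1/httpd/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$1/CA/openssl.cnf" -key "$1/httpd/httpd.key" \
        -subj "/C=CN/O=stux/CN=www2.stux.com" -out "$1/httpd/httpd.csr"
}
# Step (2), signing: `openssl ca` with -days (not -day), plus a subjectAltName,
# which current browsers require in place of the CN.
sign_server_cert() {
    openssl ca -batch -notext -config "$1/CA/openssl.cnf" -extensions server_ext \
        -in "$1/httpd/httpd.csr" -out "$1/httpd/httpd.crt" -days 1000 2>/dev/null
}
# Step (3): the ssl.conf virtual-host fragment, with the real server paths.
write_vhost_conf() {
    cat > "$1/ssl-vhost.conf" <<'EOF'
<VirtualHost 192.168.1.132:443>
    ServerName www2.stux.com
    DocumentRoot /var/www/html/www2
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
</VirtualHost>
EOF
}
# Offline equivalent of the s_client check in step (5): does httpd.crt chain
# to cacert.pem?  Returns 0 when it does.
verify_server_cert() {
    openssl verify -CAfile "$1/CA/cacert.pem" "$1/httpd/httpd.crt" >/dev/null 2>&1
}
# Worth running before `service httpd restart`: certificate and key must share
# the same RSA modulus, otherwise mod_ssl refuses to start.
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in "$1/httpd/httpd.crt")" = \
      "$(openssl rsa -noout -modulus -in "$1/httpd/httpd.key")" ]
}
# CN of the issued certificate; should be the virtual host name.
cert_subject_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1/httpd/httpd.crt" |
        sed 's/.*CN=\([^,]*\).*/\1/'
}
# Run the whole procedure in a fresh temp dir and print its path.
build_demo() {
    d=$(mktemp -d)
    build_ca "$d" >/dev/null 2>&1
    make_server_csr "$d" >/dev/null 2>&1
    sign_server_cert "$d"
    write_vhost_conf "$d"
    echo "$d"
}
# Usage: sh demo-pki.sh run
if [ "${1-}" = run ]; then
    D=$(build_demo); verify_server_cert "$D" && key_matches_cert "$D" \
        && echo "ok: $(cert_subject_cn "$D") issued under $D/CA/cacert.pem"
fi
```

Run it as sh demo-pki.sh run (the file name is assumed); it prints the temporary directory and the CN of the issued certificate. To carry the result over to a real server, copy CA/cacert.pem, httpd/httpd.key and httpd/httpd.crt to the paths used in step (2) and merge ssl-vhost.conf into ssl.conf; the key-and-certificate modulus comparison is the check to run whenever httpd refuses to start after a certificate change.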
Note: If the same virtual host is also defined as a plain HTTP host in the main httpd configuration, the two coexist and the site's resources can be reached over both HTTP and HTTPS. If the host is defined only inside the port-443 virtual host with SSL enabled, it can be reached only over HTTPS.
If several virtual hosts run on one physical host, keep in mind that the TLS handshake, and with it the choice of certificate, happens before the client sends its Host header. Without Server Name Indication (SNI) the server can therefore only pick the certificate by IP address and port, so only as many HTTPS virtual hosts can be served as the host has IP addresses (or listening ports). With SNI, which mod_ssl supports from httpd 2.2.12 onward, name-based HTTPS virtual hosts on a single IP address work for every client that sends the server name in its ClientHello.