HTTPS (full name: Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel designed for security; put simply, it is the secure version of HTTP. It serves two purposes: it establishes a secure channel that protects data in transit, and it confirms the authenticity of the website. It does this by adding an SSL layer under HTTP. SSL is the security foundation of HTTPS, so the details of the encryption are handled by SSL.
Problems solved by HTTPS:
1. The trusted-host problem: a server using HTTPS must apply for a certificate from a CA (Certificate Authority) to prove the server usage type. The client trusts the host only when the certificate is used on the corresponding server; that is, the client trusts the host by trusting the certificate.
2. Data leaks and tampering during communication: all communication between the server and the client is encrypted; the details of the encryption are handled by SSL.
How the client accesses the server through HTTPS:
1. The client accesses the web server through HTTPS, and the web server presents its certificate to the client.
2. The client verifies the validity of the certificate, including its issue time, its issuing authority and the identity of its holder.
3. If the certificate passes verification, the client generates a random 128-bit key and encrypts it with the public key from the certificate file.
4. The encrypted key is transmitted to the server. The server decrypts it with its own private key to obtain the client's random key value.
5. The key values at both ends are the same, and the key is used for encrypted communication.
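Steps 3 to 5 above can be reproduced by hand with the openssl command line. This is an added example, not from the original article, and a simplification of the exchange rather than a real TLS handshake; the file names, the self-signed stand-in certificate and the OAEP padding are assumptions.

```shell
#!/bin/sh
# Added example: steps 3-5 above done by hand. File names are constructed.

key_transport_demo() {                  # $1 = scratch directory
    d=$1
    # Server side: key pair plus a self-signed certificate standing in for
    # the CA-issued one (assumption, keeps the demo to one command).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.zzdx.com" \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null || return 1

    # Step 3: the client draws a random 128-bit key and encrypts it with
    # the public key taken from the server certificate.
    openssl rand -out "$d/client.key" 16 || return 1
    openssl pkeyutl -encrypt -certin -inkey "$d/server.crt" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$d/client.key" -out "$d/wrapped.bin" || return 1

    # Step 4: only the holder of the matching private key can unwrap it.
    openssl pkeyutl -decrypt -inkey "$d/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$d/wrapped.bin" -out "$d/server_side.key" || return 1

    # Step 5: both ends now hold the same 16 bytes.
    cmp -s "$d/client.key" "$d/server_side.key"
}

# Usage: d=$(mktemp -d); key_transport_demo "$d" && echo "same key on both ends"
```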
The detailed configuration process is as follows:
Set up a Linux server as the web server, with the address 192.168.145.100. First install httpd on the web server.
Create a mount point:
Because yum is used, edit the yum file first:
After editing, save and exit.
Install the httpd package and create a www server:
Make a small page on the www server with the content "hello internet":
Edit the main configuration document of httpd:
Change line 328 to enable authentication:
Edit the .htaccess file (this is a hidden file), which is used to create an authentication file:
Add several lines of commands:
These lines give the location of the user file, the basic authentication method, the prompt, and the setting that only a valid account can access.
Save and exit after editing;
Add a web login user:
User user1 added;
If you add another user, do not add the parameter -c:
If -c is added, user1 will be squeezed out, so the parameter -c is used only when the first user is added;
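The .htaccess directives and the -c pitfall described above, as an added example that is not from the original article. The paths, realm text and function names are assumptions, and it assumes the htpasswd shipped with Apache httpd 2.4, which provides -i (password on stdin) and -B (bcrypt).

```shell
#!/bin/sh
# Added example: Basic authentication files for a protected directory.
# Paths, realm text and user names are assumptions for illustration.

write_htaccess() {      # $1 = protected directory, $2 = password file
    cat > "$1/.htaccess" <<EOF
AuthUserFile $2
AuthType Basic
AuthName "Please log in"
Require valid-user
EOF
}

# Add or update a user without ever truncating an existing password file:
# -c is passed only when the file does not exist yet.
add_web_user() {        # $1 = password file, $2 = user; password on stdin
    if [ -e "$1" ]; then
        htpasswd -B -i "$1" "$2"
    else
        htpasswd -c -B -i "$1" "$2"
    fi
}

# Number of accounts currently in the password file.
count_users() { grep -c ':' "$1"; }

# Usage (assumed paths):
#   write_htaccess /var/www/html /var/www/.htpasswd
#   printf '%s\n' "$PASSWORD" | add_web_user /var/www/.htpasswd user1
```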
View information:
Start the httpd service:
After completing this series of httpd steps, the web site can already be reached over HTTP, but that is not secure. We want to use HTTPS to access the web site securely, so we need to set up a CA server.
Create a certificate CA Server:
Return to the pki directory:
Edit the CA configuration file:
Change the original parameter to optional so that external sites can apply to the CA:
Change the default values, which makes applications submitted to the CA easier to understand:
Create the directories and files mentioned in the above files:
Create a serial number and append it to serial:
First generate the private key of the CA Server:
Add a 1024-bit asymmetric key:
Put the generated private key in the private/cakey.pem file:
Remove the permissions for security:
With the key, generate the CA server's own certificate:
Enter the content as needed:
Then make the certificate and private key of the WEB server:
Create a new file to store the private key and certificate:
Create the private key of the Web server:
The Web server creates a certificate request using its own private key:
The CA server sends a certificate to the web server according to the request:
To ensure certificate security, modify the Certificate file permissions:
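The CA and web server certificate steps above, collected into one script that works in a scratch directory. This is an added example, not the article's own commands: the subject names, the minimal configuration file and the web/httpd.* file names are assumptions, and it uses 2048-bit keys instead of the 1024-bit key generated above, since OpenSSL's security level 2 and above prohibits RSA keys shorter than 2048 bits.

```shell
#!/bin/sh
# Added example: private CA plus one web server certificate (names assumed).
build_demo_pki() {                      # $1 = empty working directory
    d=$1
    mkdir -p "$d/CA/private" "$d/CA/newcerts" "$d/web" || return 1
    : > "$d/CA/index.txt"               # database of issued certificates
    echo 01 > "$d/CA/serial"            # next serial number to assign
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $d/CA/index.txt
new_certs_dir = $d/CA/newcerts
serial = $d/CA/serial
certificate = $d/CA/cacert.pem
private_key = $d/CA/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_optional
[ policy_optional ]
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    openssl genrsa -out "$d/CA/private/cakey.pem" 2048 2>/dev/null || return 1
    openssl genrsa -out "$d/web/httpd.key" 2048 2>/dev/null || return 1
    chmod 600 "$d/CA/private/cakey.pem" "$d/web/httpd.key"
    # Self-signed CA certificate, then the web server's request and signing
    openssl req -new -x509 -config "$d/ca.cnf" -key "$d/CA/private/cakey.pem" \
        -days 3650 -subj "/O=Demo/CN=Demo CA" -out "$d/CA/cacert.pem" || return 1
    openssl req -new -config "$d/ca.cnf" -key "$d/web/httpd.key" \
        -subj "/O=Demo/CN=www.zzdx.com" -out "$d/web/httpd.csr" || return 1
    openssl ca -batch -config "$d/ca.cnf" -in "$d/web/httpd.csr" \
        -out "$d/web/httpd.cert" >/dev/null 2>&1 || return 1
}
# Pre-deployment checks: the certificate chains to the CA and matches the key.
check_demo_pki() {                      # $1 = directory built above
    openssl verify -CAfile "$1/CA/cacert.pem" "$1/web/httpd.cert" >/dev/null 2>&1 &&
    [ "$(openssl x509 -in "$1/web/httpd.cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/web/httpd.key" -pubout)" ]
}
# Usage: d=$(mktemp -d); build_demo_pki "$d" && check_demo_pki "$d" && echo OK
```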
Now that the web server has a certificate and a private key, it must present its certificate to the client, which requires installing the SSL module:
Return to the Server directory and you can see the mod_ssl package:
yum has already been set up above, so you can use yum directly to install the mod_ssl package:
Return to the httpd configuration file directory and you can see a new file named ssl.conf:
Edit this file:
Change several lines: fill in the storage location of the web server certificate in line 112;
and the location of the web private key in line 3; the commented-out entry in line 3 was originally a certificate chain, so uncomment it and write the certificate path;
Check whether the edited syntax is correct:
Restart the httpd service:
After that, you can access the service securely:
Test results:
Switch to a client running an XP system:
Add the following information to the hosts file of the client pc:
Then open the site www.zzdx.com in the browser.
Enter the login user and password:
We can see the webpage content on the web server:
Of course, we can see the details of the certificate in the pop-up security alert:
In this way, we have completed HTTPS access to the web site.
This article is from the "Network Technology RedHat" blog; please be sure to keep this source: http://sf418.blog.51cto.com/5627295/972281