Briefly:
HTTPS: HTTP over SSL, using port 443
The simplified flow of an SSL session:
(1) The client sends the list of encryption methods it supports and asks the server for its certificate
(2) The server sends back its certificate and the encryption method it selected
(3) The client obtains the certificate and verifies it
If the CA that issued the certificate is trusted, the client checks:
(a) that the certificate comes from a legitimate source: the digital signature on the certificate is verified with the CA's public key
(b) that the certificate contents are legitimate: an integrity check
(c) that the certificate is within its validity period
(d) whether the certificate has been revoked
(e) that the name of the certificate owner matches the target host being accessed
(4) The client generates a temporary session key (a symmetric key), encrypts it with the server's public key and sends it to the server, completing the key exchange
(5) The server uses this session key to encrypt the resource the user requested and responds to the client
Note: SSL sessions are bound to the IP address, so a host with a single IP can serve only one HTTPS virtual host (this limit predates SNI)
Experiment: Implementing HTTPS
Method one: HTTPS with the self-signed certificate
(1) yum -y install mod_ssl
Once the installation is complete, HTTPS is supported as soon as the httpd service is restarted.
(2) Test: HTTPS-based access
curl -k https://192.168.119.129      # -k makes curl skip certificate verification for the SSL connection; without -k the page cannot be retrieved
Test: curl --cacert cacert.pem https://www.magedu.com      # --cacert names the CA certificate file curl should trust when verifying the server
Method two: HTTPS with a certificate issued by a CA
1. yum -y install mod_ssl
2. Create a private CA
For the detailed steps and their meaning see the blog post: http://13150617.blog.51cto.com/13140617/1968017
This article lists only the required commands and files:
cd /etc/pki/CA
echo 01 > serial      # the serial file must hold the next serial number; an empty file makes "openssl ca" fail
touch index.txt
(umask 066; openssl genrsa -out private/cakey.pem 4096)      # create the CA private key
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650      # create the self-signed CA certificate
3. The client (the web server host) requests a certificate
(umask 066; openssl genrsa -out /etc/httpd/conf.d/ssl/httpd.key 2048)      # create the server private key
openssl req -new -key /etc/httpd/conf.d/ssl/httpd.key -out /etc/httpd/conf.d/ssl/httpd.csr      # generate the certificate signing request
scp /etc/httpd/conf.d/ssl/httpd.csr 192.168.119.128:/etc/pki/CA/      # send the signing request to the CA host
4. The CA signs the certificate and issues it
openssl ca -in httpd.csr -out certs/httpd.crt -days 365      # sign the certificate
scp certs/httpd.crt 192.168.119.129:/etc/httpd/conf.d/ssl/      # issue the certificate to the web server
scp cacert.pem 192.168.119.129:/etc/httpd/conf.d/ssl/      # CA certificate file
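Added example, not part of the original post: the shell script below reproduces steps 2 to 4 above (private CA, server key and CSR, signed certificate) in a temporary directory, then performs checks (a), (b), (c) and (e) from the verification list at the top of the page with the openssl CLI. Directory names, subject names and the second "untrusted" CA are constructed for the demo; it uses openssl x509 -req instead of openssl ca so that no serial/index.txt bookkeeping is needed, and it adds a subjectAltName because browsers match the hostname against the SAN rather than only the CN.

```shell
#!/bin/sh
# Added example (not from the original post): a private CA, a server
# certificate for www.magedu.com, and the client-side checks (a), (b), (c)
# and (e), all driven by the openssl CLI. Paths are constructed: a temporary
# directory stands in for /etc/pki/CA and /etc/httpd/conf.d/ssl.
set -eu

WORK=$(mktemp -d)
CA_DIR="$WORK/CA"            # stands in for /etc/pki/CA
SRV_DIR="$WORK/httpd-ssl"    # stands in for /etc/httpd/conf.d/ssl
HOST=www.magedu.com
mkdir -p "$CA_DIR/private" "$SRV_DIR"

# Step 2 of the post: CA private key plus self-signed root certificate.
make_ca() {
    (umask 066; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
        -days 3650 -subj "/C=CN/O=Demo Private CA/CN=demo-root-ca" 2>/dev/null
}

# Step 3: the web server's own key and a CSR whose CN is the site name.
make_csr() {
    (umask 066; openssl genrsa -out "$SRV_DIR/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$SRV_DIR/httpd.key" -out "$SRV_DIR/httpd.csr" \
        -subj "/C=CN/O=magedu/CN=$HOST" 2>/dev/null
}

# Step 4: the CA signs the CSR. A subjectAltName is added via -extfile
# because clients match the hostname against SAN, not only CN.
sign_cert() {
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$HOST" > "$WORK/srv.ext"
    openssl x509 -req -in "$SRV_DIR/httpd.csr" -CA "$CA_DIR/cacert.pem" \
        -CAkey "$CA_DIR/private/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$WORK/srv.ext" -out "$SRV_DIR/httpd.crt" 2>/dev/null
}

# Checks (a) and (b): the signature verifies under the trusted CA's public
# key, which also proves the certificate contents were not altered.
verify_chain() {      # $1 = server certificate, $2 = trusted CA file
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Check (c): validity period; ok if the cert is still valid $2 seconds from now.
check_validity() {    # $1 = certificate, $2 = seconds
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Check (e): the name on the certificate must match the host being accessed.
verify_hostname() {   # $1 = certificate, $2 = CA file, $3 = host the client typed
    if openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Check (d), revocation, is not covered: it needs a CRL or OCSP responder
# published by the CA, which this throwaway CA does not run.

make_ca; make_csr; sign_cert
# A second, unrelated CA plays the role of "a CA the client does not trust".
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -out "$WORK/other-ca.pem" -days 3650 -subj "/CN=some-other-ca" 2>/dev/null

echo "chain, trusted CA:     $(verify_chain "$SRV_DIR/httpd.crt" "$CA_DIR/cacert.pem")"    # ok
echo "chain, untrusted CA:   $(verify_chain "$SRV_DIR/httpd.crt" "$WORK/other-ca.pem")"   # fail
echo "valid now:             $(check_validity "$SRV_DIR/httpd.crt" 0)"                     # ok
echo "valid in 400 days:     $(check_validity "$SRV_DIR/httpd.crt" 34560000)"              # fail
echo "name $HOST: $(verify_hostname "$SRV_DIR/httpd.crt" "$CA_DIR/cacert.pem" "$HOST")"    # ok
echo "name 192.168.119.129:  $(verify_hostname "$SRV_DIR/httpd.crt" "$CA_DIR/cacert.pem" 192.168.119.129)"  # fail
```

The last two lines are the point of the hosts-file step later in the post: the same certificate passes when the client addresses the server as www.magedu.com and fails when it uses the bare IP 192.168.119.129, which is why the browser test has to use the name the certificate was issued to.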
5. Modify the configuration file so that SSL is enabled and the issued certificate is used
vim /etc/httpd/conf.d/ssl.conf
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key      # private key file
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt      # server certificate file
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem      # CA certificate
6. Test: access https://192.168.119.129 in a browser
Because the CA you built is not trusted by the browser, a security warning is shown
Install the CA certificate in the browser and mark it as trusted:
Because the certificate was issued to www.magedu.com, the URL should be https://www.magedu.com, so name resolution for it has to be added:
Edit C:\Windows\System32\drivers\etc\hosts
Add the line: 192.168.119.129 www.magedu.com
Then visit the site again.
Experiment: redirecting HTTP to HTTPS
vim /etc/httpd/conf.d/test.conf
Add two lines:
RewriteEngine on      # enable the rewrite engine
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
Note: 301 means a permanent redirect, 302 a temporary one
Test: [screenshot of the redirect in the original post]
Experiment: HSTS
HSTS: HTTP Strict Transport Security
Once the server is configured for HSTS, the Strict-Transport-Security field is carried in the HTTP response header returned to the browser. After the browser has seen it, it rewrites all later plain-HTTP requests for that site to HTTPS internally with a 307 redirect, without any network round trip.
HSTS preload list
A list of HSTS sites built into the Chrome browser; sites on it are switched to HTTPS automatically when visited in Chrome. Firefox, Safari and Edge also use this list.
Example HSTS configuration:
vim /etc/httpd/conf.d/test.conf
Header always set Strict-Transport-Security "max-age=15768000"      # value in seconds; the directive must be spelled max-age, and browsers only honour this header on an HTTPS response, so this line belongs in the HTTPS virtual host
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
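Added example, not part of the original post: a small client-side audit of the two behaviours configured in the redirect and HSTS experiments above. The response headers are constructed samples of what the virtual hosts in the post would return (a real run would capture them with curl -sI against the HTTP and HTTPS URLs); the function names and the 180-day minimum are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): check an HTTP reply for a
# permanent redirect to https:// on the same host, and an HTTPS reply for a
# well-formed Strict-Transport-Security header. All replies below are
# constructed samples.
set -eu

# Constructed: what the plain-HTTP virtual host answers after the RewriteRule.
HTTP_REPLY='HTTP/1.1 301 Moved Permanently
Location: https://www.magedu.com/
Content-Length: 0'

# Constructed: a temporary (302) redirect that stays on http://, the kind of
# misconfiguration the 301-versus-302 note in the post is about.
WEAK_REPLY='HTTP/1.1 302 Found
Location: http://www.magedu.com/'

# Constructed: what the HTTPS virtual host answers with HSTS enabled.
HTTPS_REPLY='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15768000; includeSubDomains
Content-Type: text/html'

# Constructed: the "maxage" spelling; browsers ignore the header in that form.
BROKEN_HSTS_REPLY='HTTP/1.1 200 OK
Strict-Transport-Security: maxage=15768000'

# Three-digit status code from the status line.
status_code() {          # $1 = response text
    printf '%s\n' "$1" | tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# Value of the first header named $1 (case-insensitive), empty if absent.
header_value() {         # $1 = header name, $2 = response text
    printf '%s\n' "$2" | tr -d '\r' | grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# Redirect check: a permanent redirect (301 or 308) whose Location is the
# same host over https://. A 302, an http:// target or another host is
# reported as fail: the first request would keep going out in the clear.
check_redirect() {       # $1 = response text, $2 = expected hostname
    code=$(status_code "$1")
    loc=$(header_value Location "$1")
    case "$code" in
        301|308) ;;
        *) echo fail; return 0 ;;
    esac
    case "$loc" in
        "https://$2"|"https://$2/"*) echo ok ;;
        *) echo fail ;;
    esac
}

# max-age (seconds) from Strict-Transport-Security; empty when the header is
# missing or the directive is misspelled.
hsts_max_age() {         # $1 = response text
    header_value Strict-Transport-Security "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' \
        | sed -n 's/^[[:space:]]*max-age=\([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1
}

# HSTS check: header present, parses, and commits the browser for at least
# $2 seconds (180 days = 15552000 is a common minimum).
check_hsts() {           # $1 = response text, $2 = minimum max-age in seconds
    age=$(hsts_max_age "$1")
    if [ -n "$age" ] && [ "$age" -ge "$2" ]; then echo ok; else echo fail; fi
}

echo "http redirect (301):     $(check_redirect "$HTTP_REPLY" www.magedu.com)"   # ok
echo "http redirect (302):     $(check_redirect "$WEAK_REPLY" www.magedu.com)"   # fail
echo "hsts max-age:            $(hsts_max_age "$HTTPS_REPLY")"                    # 15768000
echo "hsts >= 180 days:        $(check_hsts "$HTTPS_REPLY" 15552000)"             # ok
echo "hsts misspelled:         $(check_hsts "$BROKEN_HSTS_REPLY" 1)"              # fail
```

The redirect check deliberately accepts only 301 and 308: a 302 is cached by nobody, so every fresh visit repeats the plain-HTTP request, and a Location that stays on http:// or moves to a different host defeats the purpose of the rule. The HSTS check shows why the header's spelling matters: a response carrying "maxage" instead of "max-age" parses to no value at all and gives the browser nothing to remember.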
Test: [screenshot of the HSTS response header in the original post]