Implementation of HTTPS

Source: Internet
Author: User
Tags http redirect openssl x509

Web services are the most common kind of service on the Internet, and as the technology has matured, security has become the first priority for users. The following experiment reproduces, in simplified form, the HTTPS setup that is now most widely used on the Internet.

Experimental Purpose:

    1. Access the web page by domain name (DNS resolution);

    2. Implement HTTPS (a privately built CA, a self-signed root certificate, and a server certificate issued by it);

    3. Implement HTTP-to-HTTPS redirection and HSTS.

Experiment Preparation:

Premise: all hosts have the firewall and SELinux turned off.

    1. HTTP server: 192.168.32.9, CentOS 6.9;

    2. DNS server: 192.168.32.111, CentOS 7.3;

    3. CA: 192.168.32.111, CentOS 7.3 (the same host as the DNS server);

    4. Client: 192.168.32.101, CentOS 6.9.

Building the HTTP service:

    1. Install the HTTP service, either from the RPM package or by compiling it yourself

]# yum install httpd -y

2. Start the service and enable it at boot

]# service httpd start
]# chkconfig httpd on

3. Check with ss -tan whether port 80 is listening

4. Add a home page file

]# cd /var/www/html
]# vim index.html        <=== write the page content (here simply "/var/www/html/") and save with :wq

5. Restart the service and test locally


Building a DNS server

    1. Install the package, start the service and enable it at boot

]# yum install bind -y
]# systemctl enable named
]# systemctl start named

2. Check with ss -tan whether port 53 is listening

3. Modify the main configuration file so that named is not restricted to a fixed listening address and answers queries from any host

]# vim /etc/named.conf
    listen-on port 53 { any; };
    allow-query     { any; };

4. Add the domain name you want to resolve

]# vim /etc/named.rfc1912.zones
    zone "a.com" IN {
        type master;
        file "a.com.zone";
    };

5. Add the zone (resolution library) file

]# vim /var/named/a.com.zone
$TTL 1D
@       IN SOA  dns1 admin.xiaomage.com. (
                        31      ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
        NS      dns1
dns1    IN A    192.168.32.111      <=== the original page prints 92.168.32.111; the DNS server's address is 192.168.32.111
websrv  IN A    192.168.32.9
www     IN CNAME websrv

Note the file permissions:

]# chown named:named a.com.zone

6. Restart the service and test locally, then change the client's DNS address so that it points to the DNS server just built


Building the CA

1. Generate the CA private key

]# touch /etc/pki/CA/index.txt
]# echo 01 > /etc/pki/CA/serial       <=== the initial serial value is missing on the original page; 01 is the conventional starting value
]# (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

2. Generate the self-signed CA certificate

]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text      <=== view the certificate as text

3. The web server requests a certificate

(on the web server, in /etc/httpd/conf.d/ssl)
]# cat /etc/pki/tls/openssl.cnf      <=== by default the first three items must match the CA certificate; this [ policy_match ] section can be modified
    countryName             = match
    stateOrProvinceName     = match
    organizationName        = match
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
]# (umask 066; openssl genrsa -out httpd.key 2048)    <=== generating the server key is not shown on the original page, but the next command needs it
]# openssl req -new -key httpd.key -out httpd.csr

4. Upload the request to the CA server for signing

(on the web server)
]# scp httpd.csr 192.168.32.111:/etc/pki/CA/
(on the CA, in /etc/pki/CA)
]# openssl ca -in httpd.csr -out httpd.crt -days <N>      <=== the day count is missing on the original page
]# scp httpd.crt 192.168.32.9:/etc/httpd/conf.d/ssl/      <=== send the signed certificate back to the web server
]# scp cacert.pem 192.168.32.9:/etc/httpd/conf.d/ssl/     <=== not shown on the original page, but step 6 expects the CA certificate at this path
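To make the "first three items must match" rule concrete, here is an added Python example (not code from the original post) that parses a [ policy_match ] section like the one shown above and applies it to a CSR subject the way openssl ca does before signing; the CA and CSR subjects are constructed sample values.

```python
# Added example, not code from the original post: emulate the [ policy_match ]
# test that `openssl ca` applies to a request before signing it, which is why the
# first three subject fields in the CSR must equal those of the CA certificate.
import re

# Constructed excerpt in the format of /etc/pki/tls/openssl.cnf (rules as on the page).
OPENSSL_CNF = """
[ ca ]
default_ca = CA_default
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
"""

def parse_policy(cnf_text, section="policy_match"):
    """Return {field: rule} for one ini-style section of an openssl.cnf text."""
    rules, current = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if header:
            current = header.group(1)
        elif current == section and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            rules[key] = value
    return rules

def check_policy(rules, ca_subject, csr_subject):
    """Apply match / supplied / optional; return (ok, reasons the signing would fail)."""
    problems = []
    for field, rule in rules.items():
        have = csr_subject.get(field)
        if rule == "match" and have != ca_subject.get(field):
            problems.append(f"{field}: CSR has {have!r}, CA certificate has {ca_subject.get(field)!r}")
        elif rule == "supplied" and not have:
            problems.append(f"{field}: must be supplied in the CSR")
    return (not problems, problems)

# Constructed subjects: the private CA's own certificate and two web-server CSRs.
CA_SUBJECT = {"countryName": "CN", "stateOrProvinceName": "Beijing",
              "organizationName": "a.com", "commonName": "ca.a.com"}
GOOD_CSR = dict(CA_SUBJECT, commonName="www.a.com")
BAD_CSR = dict(GOOD_CSR, organizationName="other.com")   # O differs from the CA: rejected
```

Running check_policy on BAD_CSR reports the organizationName mismatch, which is the same condition that makes openssl ca refuse the request.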

5. Install the encryption module mod_ssl

]# yum install -y mod_ssl
]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem

You can already visit the site at this point; the certificate is not trusted yet, but the browser lets you continue to the site anyway.


6. Configure the mod_ssl configuration file

]# vim /etc/httpd/conf.d/ssl.conf
    SSLCertificateFile    /etc/httpd/conf.d/ssl/httpd.crt    <=== certificate path
    SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key    <=== key path
    SSLCACertificateFile  /etc/httpd/conf.d/ssl/cacert.pem   <=== CA certificate

7. Reload the service; port 443 is now open.

]# service httpd reload
]# ss -tanl
LISTEN   0   ...   :::80     :::*      <=== output abridged
LISTEN   0   ...   :::443    :::*

8. Install the root certificate (cacert.pem) into the client's Trusted Root Certification Authorities store; opening the site again now gives trusted HTTPS access.


There is still a problem: if I type http://www.a.com, the site is still served over plain HTTP, whereas many sites jump straight to the encrypted site when the user types www.a.com, and ordinary users do not type the scheme prefix by hand.


The two addresses are distinct from each other, so HTTP can be redirected to HTTPS to complete the automatic jump.

HTTP redirection:

]# vim /etc/httpd/conf.d/test.conf
    Redirect temp / https://www.a.com/

Test:
]# curl http://www.a.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">      <=== the 302 page returned by httpd; the rest of the output is omitted

In practice, the HTTP-to-HTTPS jump is a common enterprise setup: the client first sends an HTTP request, the server returns a response saying the content should be accessed over HTTPS, the client then sends the request again over HTTPS, and the server returns the data. That is four exchanges for one page, a waste of resources and extra load on the server. HSTS is the answer: once the server is configured to support HSTS, the Strict-Transport-Security field is carried in the HTTP header returned to the browser. Once the browser has this information, it turns every HTTP access request into an internal 307 redirect to HTTPS, without any network round trip.

HSTS implementation:

]# vim /etc/httpd/conf/httpd.conf
    Header always set Strict-Transport-Security "max-age=15768000"   <=== browsers only honour this header when it arrives over HTTPS; set in the main config it is inherited by the :443 virtual host too
    RewriteEngine On
    RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]        <=== the first plain-HTTP visit is still answered with a 301 to HTTPS
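To see why the second visit costs nothing on the network, here is an added Python example (not code from the original post) that models a browser's HSTS store: it learns the policy from the max-age=15768000 header used above, ignores the same header on plain HTTP, honours max-age=0 as a withdrawal, and upgrades later http://www.a.com requests internally with a 307. All responses are constructed samples; nothing is sent over the network.

```python
# Added example, not code from the original post: a minimal model of the HSTS
# behaviour described above, so the saving on the second visit can be seen.
# Responses are constructed samples; nothing is sent over the network.
import time
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    """Remembers hosts whose HTTPS response carried Strict-Transport-Security."""

    def __init__(self, now=time.time):
        self.now = now
        self.expiry = {}            # host -> time at which its policy lapses

    def observe(self, url, headers):
        """Learn a policy from a response; ignored unless it arrived over HTTPS (RFC 6797)."""
        parts = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or sts is None:
            return False
        max_age = None
        for directive in sts.split(";"):
            name, _, value = directive.strip().partition("=")
            value = value.strip().strip('"')
            if name.strip().lower() == "max-age" and value.isdigit():
                max_age = int(value)
        if max_age is None:
            return False
        if max_age == 0:                        # max-age=0 withdraws the policy
            self.expiry.pop(parts.hostname, None)
        else:
            self.expiry[parts.hostname] = self.now() + max_age
        return True

    def request(self, url):
        """Return (url, status): 307 marks an internal upgrade with no network round trip."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.expiry.get(parts.hostname, 0) > self.now():
            return urlunsplit(("https",) + tuple(parts[1:])), 307
        return url, None

def visits():
    """The flow on the page: visit 1 needs the server's redirect, visit 2 does not."""
    store = HstsStore()
    first = store.request("http://www.a.com/")     # unknown host: the request goes on the wire
    # The Redirect in test.conf sends the browser to https://www.a.com/, whose reply sets HSTS.
    store.observe("https://www.a.com/", {"Strict-Transport-Security": "max-age=15768000"})
    second = store.request("http://www.a.com/")    # now rewritten locally to https
    return first, second
```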
