Apache+openssl set up HTTPS one-way authentication and bidirectional authentication and reverse proxy

Source: Internet
Author: User

Without further ado: this article describes how an enterprise can expose an application server over HTTPS (one-way or two-way authentication) under its own domain name during project development. The work has four parts:

1. Apply for a domain name. Most people know this step: apply for a free or paid domain name on the Internet, and bind it to the enterprise's public IP address during the application.

2. Deploy Apache and OpenSSL on a front-facing Linux server. Described in detail below.

3. Configure the HTTPS service for one-way and two-way authentication.

4. Configure the reverse proxy service.

Deploying the front-facing Linux server: installing OpenSSL

First we need to install OpenSSL. Many installation methods are described on the Internet, and some simply use yum over the network. In some corporate environments, however, yum cannot be used, so the reader has to download the source from the OpenSSL website. The version I downloaded is openssl-0.9.8zg.tar.gz. (Caveat: the 0.9.8 branch reached end of life at the end of 2015 and receives no security fixes, and it supports nothing newer than TLS 1.0. Use a currently supported release for anything other than reproducing this walkthrough; the build steps are the same.)

Upload the .tar.gz package to the front-facing server and extract it.

Enter the unpacked directory:

cd openssl-0.9.8zg/

There should be a config script in the directory. Execute the following command (we are installing to /usr/local/ssl):

./config --prefix=/usr/local/ssl -fPIC

Note: the -fPIC parameter is needed in some Linux environments (such as RedHat 5.4); without it, linking Apache's mod_ssl against this build fails later.

After configuring, compile and install. Execute the following in the current directory:

make && make install

Wait a while and the installation should complete.

Installing Apache

A standard Linux installation usually comes with an Apache service. We will not use the Apache that ships with Linux here; instead we download Apache from the Apache website.

The version is httpd-2.2.31.tar.gz (other versions may differ in configuration; the reader should check the official documentation). Caveat: the 2.2 branch is end of life as well, so treat it like the OpenSSL version above.

The downloaded .tar.gz file is source that has not been compiled and installed, so we need to compile and install it.

Put the .tar.gz file in a directory and unpack it there.

Enter the unpacked directory:

cd httpd-2.2.31

There should be a configure script. Execute the following command (we are installing to the /usr/local/apache directory, and pointing --with-ssl at the OpenSSL we just built so mod_ssl links against it rather than the system library):

./configure --prefix=/usr/local/apache --enable-proxy --enable-proxy-balancer --enable-proxy-http --enable-ssl --with-ssl=/usr/local/ssl --enable-mods-shared=most

After configuring, compile and install. Execute the following in the current directory:

make && make install

Wait a while and the installation should complete.

Before going further, a brief explanation of how HTTPS works and what it achieves. HTTPS certificates fall roughly into three categories:
1. Root certificate (CA certificate)
2. Server certificate
3. Client certificate
The relationship between them is as follows:
The CA root certificate is responsible for signing (issuing) the server certificate and the client certificates, and it is what each side uses to verify the other's certificate.
There is no direct relationship between the server certificate and the client certificate. The only connection is that, in an enterprise application, the server certificate and the client certificates are in principle issued by the same CA certificate.
The CA root certificate can be self-signed, generated with OpenSSL itself, or a certificate signing request can be submitted to a public certification authority so that the certificate is issued by it. In practice a public CA issues your server certificate; client certificates for internal use are issued from your own private CA.

HTTPS is a communication protocol (HTTP carried over TLS) that provides a secure data transmission channel. How does it achieve and ensure the security of data transmission?
A: We need to look at the whole HTTPS communication process. It runs as follows (this describes the RSA key-exchange handshake, the simplest case):
1. The client (browser) accesses an HTTPS website or service.
2. The website (service) returns its server certificate to the client.
3. The client verifies whether the server certificate was issued by a trusted authority. Browsers ship with the root certificates of many public CAs preinstalled (not just three), so the client can check a publicly issued server certificate against its built-in CA store. If the enterprise's own self-generated CA certificate has been installed on the client, the browser also treats server certificates issued by it as trustworthy, and no security warning appears. The client additionally checks that the name in the certificate matches the host it connected to and that the certificate is within its validity period.
4. After the client has verified the server certificate, it generates a random secret (the pre-master secret), encrypts it with the public key in the certificate and sends the encrypted secret to the server. (Browsers generate this value themselves; nothing is typed in.)
5. The server decrypts the secret with its own private key. Both sides derive the same session keys from it and exchange confirmation messages (the TLS Finished messages, already protected with those keys).
6. After the client receives the server's confirmation, all subsequent communication is encrypted with the session key derived from that random secret.

Caveat: with the (EC)DHE cipher suites that current servers and browsers prefer, the secret is not encrypted with the server's public key; the two sides agree a fresh key by Diffie-Hellman and the server's private key is only used to sign that exchange. The certificate's role, proving the server's identity in step 3, is the same either way, and that is what matters for the rest of this article.

At this point the HTTPS handshake is complete. But everything described so far is one-way authentication: only the server's legitimacy is verified.

Two-way authentication adds verification of the client certificate by the server to the process above. The process is as follows:
1. When the client first accesses the server, the server sends its own server certificate and, in the same flight, asks the client to deliver a client certificate (the CertificateRequest message, which also tells the client which CAs the server accepts).
2. The client prompts the user to select a valid client certificate and sends the selected certificate to the server, together with a signature made with the client's private key (CertificateVerify) that proves the client actually holds the key belonging to that certificate.
3. The server verifies the client certificate with the CA certificate deployed on the server (the main check is whether the client certificate was signed by the server's CA certificate). Only if this verification succeeds does the handshake continue.
The remaining steps are the same as in one-way authentication.

From this we should understand that two-way or one-way HTTPS authentication essentially achieves the following goals:
1. The client verifies the legitimacy of the server certificate using the CA certificates it holds (both the built-in public ones and any enterprise-generated CA certificate). The server verifies the client certificate using its own self-created CA certificate, or an intermediate CA certificate obtained from a public certification authority.
2. During the handshake, the communication secret is encrypted with the peer's public key and decrypted with the corresponding private key (asymmetric encryption), so that both sides end up holding the same secret without it ever being sent in the clear.
3. After a successful handshake, both sides encrypt all subsequent traffic with the session key produced by the handshake (symmetric encryption).

Creating the certificates used for HTTPS

To this end, we now describe how to generate a CA root certificate and issue server and client certificates using OpenSSL itself.

The prerequisites for creating certificates are in place after the installation above. If this is an enterprise application, you also need the domain name you applied for, because it is used when creating the server certificate.
Above we installed OpenSSL. Enter its installation directory:
cd /usr/local/ssl/bin
Create two directories under bin: private (for private keys and certificate signing request files) and certificates (for the certificates). The private directory must be readable by root only, since it will hold every private key:
mkdir private
mkdir certificates

Create the CA root certificate. Execute the following three commands in order; they create the CA private key, the CA certificate signing request, and the self-signed CA root certificate respectively. The key is 2048 bits; the command also accepts 1024, but 1024-bit RSA should no longer be used.

# genrsa as written below produces an unencrypted key file; add -aes256 if you want the key protected by a passphrase.
# Create the CA private key and the CA certificate

# Execute the following three commands (the order must not be changed)
# Create the CA private key
openssl genrsa -out private/ca.key.2048 2048
# Create the CA certificate signing request. After entering the following command you will be prompted for:
# 1. Country Name, e.g. CN
# 2. State or Province Name, e.g. GD
# 3. Locality Name (city)
# 4. Organization Name (company)
# 5. Organizational Unit Name (department)
# 6. Common Name. For the root certificate this is a label for the CA (for example the company name followed by "Root CA"); it does not need to match a domain name, and a wildcard such as * is meaningless here. A wildcard name such as *.ddd.com (for the domain www.ddd.com) belongs in a server certificate, not in the CA.
# 7. You are then prompted for a "challenge password" and an optional company name. These are CSR attributes, not a key passphrase, and can be left blank.
openssl req -new -key private/ca.key.2048 -out private/ca.csr
# Self-sign the CA root certificate. 3650 days means it is valid for 10 years. SHA-1 signatures are rejected by current browsers, so sign with SHA-256. Note that -extensions only takes effect together with -extfile; without an extensions file the root is issued without any X.509 v3 extensions (no basicConstraints CA:TRUE).
openssl x509 -req -days 3650 -sha256 -signkey private/ca.key.2048 -in private/ca.csr -out certificates/ca.cer

# Execute the following three commands (the order must not be changed)
# Create the server private key
openssl genrsa -out private/server.key.2048 2048

# Create the server certificate signing request. After entering the following command you will be prompted for:
# 1. Country Name, e.g. CN
# 2. State or Province Name, e.g. GD
# 3. Locality Name (city)
# 4. Organization Name (company)
# 5. Organizational Unit Name (department)
# 6. Common Name: the exact domain name the server is reached at (if the domain is www.ddd.com, enter www.ddd.com). Current browsers match the host name against the subjectAltName extension rather than the CN, so a certificate for real use also needs a SAN entry, which x509 -req only adds when given -extfile. If clients connect by IP address, the address goes into the SAN as IP:..., not into the CN.
# 7. The challenge password attribute may be left blank. If you do protect the server key itself with a passphrase, Apache will ask for it on every start unless SSLPassPhraseDialog is configured.
openssl req -new -key private/server.key.2048 -out private/server.csr

# Issue the server certificate with the CA root certificate
openssl x509 -req -days 3650 -sha256 -CA certificates/ca.cer -CAkey private/ca.key.2048 -CAserial ca.srl -CAcreateserial -in private/server.csr -out certificates/server.cer

# Create the client certificate. Answer the prompts the same way as for the server certificate; the Common Name identifies the client (a user or device name), not a domain.
openssl genrsa -out private/client.key.2048 2048
openssl req -new -key private/client.key.2048 -out private/client.csr

# Issue the client certificate with the CA root certificate
openssl x509 -req -days 3650 -sha256 -CA certificates/ca.cer -CAkey private/ca.key.2048 -CAserial ca.srl -CAcreateserial -in private/client.csr -out certificates/client.cer
If the client is an iOS app, you also need to bundle the client certificate and its private key into a PKCS#12 (.p12) file for the iOS developer:

openssl pkcs12 -export -clcerts -inkey private/client.key.2048 -in certificates/client.cer -out certificates/client.p12
# You must set an export password and give it to the iOS developer through a separate channel. The .p12 contains the client's private key, so treat the file itself as a secret.
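The CA, server and client certificate steps above, collected into one script, as an added example that is not part of the original post. It makes the changes a practitioner would want today: SHA-256 signatures instead of SHA-1, an -extfile so the root really carries basicConstraints CA:TRUE and the server certificate carries the subjectAltName that browsers match on, extendedKeyUsage on the leaf certificates, a leaf lifetime of 825 days (the maximum Apple platforms accept), and a verification function to run before anything is copied into Apache. Subjects are passed with -subj so the script runs unattended. The domain (example.com), the organisation and locality names, the client name client01 and the .p12 export password changeit are placeholders assumed for the example; the private/ and certificates/ directories mirror the post's layout.

```shell
#!/bin/sh
# Added example (not from the original post): private CA + server + client
# certificates with the X.509 v3 extensions modern clients require.
# Placeholders: example.com, "Example Corp", client01, export password "changeit".
set -eu

# gen_pki DIR DOMAIN  - populate DIR/private and DIR/certificates (the post's layout)
gen_pki() (
    dir=$1
    domain=$2
    mkdir -p "$dir/private" "$dir/certificates"
    cd "$dir"

    # Root CA. Without -extfile, "x509 -req -extensions v3_ca" is silently
    # ignored and the root gets no basicConstraints; spell the extensions out.
    cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out private/ca.key.2048 2048 2>/dev/null
    openssl req -new -key private/ca.key.2048 -out private/ca.csr \
        -subj "/C=CN/ST=GD/L=Guangzhou/O=Example Corp/OU=IT/CN=Example Corp Root CA"
    openssl x509 -req -days 3650 -sha256 -extfile ca.ext \
        -signkey private/ca.key.2048 -in private/ca.csr -out certificates/ca.cer

    # Server certificate: browsers match subjectAltName, not CN, so list every
    # host name here; add IP:1.2.3.4 if clients connect by address.
    cat > server.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.$domain, DNS:$domain
EOF
    openssl genrsa -out private/server.key.2048 2048 2>/dev/null
    openssl req -new -key private/server.key.2048 -out private/server.csr \
        -subj "/C=CN/ST=GD/L=Guangzhou/O=Example Corp/OU=IT/CN=www.$domain"
    openssl x509 -req -days 825 -sha256 -extfile server.ext \
        -CA certificates/ca.cer -CAkey private/ca.key.2048 -CAcreateserial \
        -in private/server.csr -out certificates/server.cer

    # Client certificate, then the PKCS#12 bundle the iOS developer needs.
    cat > client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl genrsa -out private/client.key.2048 2048 2>/dev/null
    openssl req -new -key private/client.key.2048 -out private/client.csr \
        -subj "/C=CN/ST=GD/L=Guangzhou/O=Example Corp/OU=IT/CN=client01"
    openssl x509 -req -days 825 -sha256 -extfile client.ext \
        -CA certificates/ca.cer -CAkey private/ca.key.2048 -CAcreateserial \
        -in private/client.csr -out certificates/client.cer
    openssl pkcs12 -export -clcerts -inkey private/client.key.2048 \
        -in certificates/client.cer -out certificates/client.p12 -passout pass:changeit
    chmod 700 private
)

# verify_pki DIR DOMAIN - the checks to run before copying files into Apache;
# exits non-zero on the first failure.
verify_pki() (
    cd "$1"
    # chain + key-usage checks, the same ones mod_ssl and the browser perform
    openssl verify -CAfile certificates/ca.cer -purpose sslserver certificates/server.cer >/dev/null
    openssl verify -CAfile certificates/ca.cer -purpose sslclient certificates/client.cer >/dev/null
    # the root must really be a CA and the server cert must name the host
    openssl x509 -in certificates/ca.cer -noout -text | grep -q 'CA:TRUE'
    openssl x509 -in certificates/server.cer -noout -text | grep -q "DNS:www.$2"
    # key and certificate must belong together or Apache refuses to start
    [ "$(openssl x509 -in certificates/server.cer -noout -pubkey)" = \
      "$(openssl pkey -in private/server.key.2048 -pubout)" ]
)
```

Run it as gen_pki /usr/local/ssl/bin ddd.com followed by verify_pki /usr/local/ssl/bin ddd.com (substituting your own domain). If an older iOS or Windows importer rejects a .p12 produced by OpenSSL 3, re-export it with that version's -legacy option, which restores the older PKCS#12 encryption those importers expect.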
At this point all the certificates have been created. Next is the one-way or two-way authentication setup in Apache. Copy ca.cer, server.cer and server.key.2048 into the Apache installation's conf directory (keep the key file readable by root only), then edit conf/extra/httpd-ssl.conf. Make sure httpd.conf contains an uncommented Include conf/extra/httpd-ssl.conf line, otherwise this file is never read:

cd /usr/local/apache/conf/extra

# Turn on the SSL engine
SSLEngine on
# Turn on client authentication (two-way). Omit these three lines, or set SSLVerifyClient none, for one-way HTTPS.
SSLCACertificateFile "/usr/local/apache/conf/ca.cer"
SSLVerifyClient require
SSLVerifyDepth 10
# Server-side certificate and key
SSLCertificateFile "/usr/local/apache/conf/server.cer"
SSLCertificateKeyFile "/usr/local/apache/conf/server.key.2048"


Setting up a reverse proxy

cd /usr/local/apache/conf
vim httpd.conf
# Set the listening port in httpd.conf
Listen XX (the port you need to listen on)
# If Apache was compiled and installed following the steps above, the modules the LoadModule lines need are already built. Otherwise load them yourself and make sure the modules you need (mod_proxy, mod_proxy_http, mod_ssl) were compiled.
# Set ServerName
ServerName localhost:XX (the IP and port for external service)
# Include the extra configuration file (this line is present but commented out by default)
Include conf/extra/httpd-vhosts.conf

Next, edit httpd-vhosts.conf:
cd /usr/local/apache/conf/extra
vim httpd-vhosts.conf
# Comment out the NameVirtualHost line
# Comment out the original example hosts, as follows
#<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot "/usr/local/apache/docs/dummy-host.example.com"
#    ServerName dummy-host.example.com
#    ServerAlias www.dummy-host.example.com
#    ErrorLog "logs/dummy-host.example.com-error_log"
#    CustomLog "logs/dummy-host.example.com-access_log" common
#</VirtualHost>

#<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host2.example.com
#    DocumentRoot "/usr/local/apache/docs/dummy-host2.example.com"
#    ServerName dummy-host2.example.com
#    ErrorLog "logs/dummy-host2.example.com-error_log"
#    CustomLog "logs/dummy-host2.example.com-access_log" common
#</VirtualHost>

# Create a new VirtualHost. This is the reverse proxy for HTTP; the port (82 here) must also appear in a Listen directive.
<VirtualHost *:82>
    ServerName 10.211.55.5 (your own IP)
    # ProxyRequests Off is essential: with it On, Apache would also act as an open forward proxy for anyone who can reach it.
    ProxyRequests Off
    <Proxy *>
        Order Deny,Allow
        Allow from all
    </Proxy>
    # The following forward requests to different HTTP backend addresses according to the request path. Apache uses the first ProxyPass whose prefix matches, so the more specific /console mapping must come before the / mapping; in the other order every /console request would be rewritten onto the login page.
    ProxyPass        /console http://11.8.121.72:7001/console
    ProxyPassReverse /console http://11.8.121.72:7001/console
    ProxyPass        /        http://11.8.121.72:7001/console/login/loginform.jsp
    ProxyPassReverse /        http://11.8.121.72:7001/console/login/loginform.jsp
    ErrorLog  logs/82error_log
    CustomLog logs/82access_log common
</VirtualHost>
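The httpd-ssl.conf directives and the reverse-proxy virtual host above combined into one TLS-terminating virtual host that also performs client-certificate authentication, as an added example; it is not configuration from the original post. The directive syntax is httpd 2.2's, matching the build on this page. The backend address 11.8.121.72:7001 and the host name www.ddd.com are the post's placeholders; the conf/ssl/ certificate directory, the log file names and the X-SSL-Client-DN header name are assumptions for this example. With the OpenSSL 0.9.8 build used here only TLS 1.0 can be negotiated, so a production deployment should use a current OpenSSL and httpd.

```apache
# Added example, not from the original post. Placeholders: www.ddd.com,
# 11.8.121.72:7001 (backend), /usr/local/apache/conf/ssl/ (certificate dir).
Listen 443

LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so

<VirtualHost *:443>
    ServerName www.ddd.com

    # One-way authentication: the server proves its identity.
    SSLEngine on
    SSLCertificateFile    "/usr/local/apache/conf/ssl/server.cer"
    SSLCertificateKeyFile "/usr/local/apache/conf/ssl/server.key.2048"

    # Two-way authentication: the client must present a certificate issued by
    # our private CA. Depth 1 = signed directly by a CA in SSLCACertificateFile.
    # Comment these three lines out for plain one-way HTTPS.
    SSLCACertificateFile  "/usr/local/apache/conf/ssl/ca.cer"
    SSLVerifyClient require
    SSLVerifyDepth  1

    # No SSLv2/SSLv3, no anonymous, MD5 or RC4 suites; the server picks the suite.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on

    # Hand the verified client identity to the backend. "set" overwrites any
    # X-SSL-Client-DN header the client itself sends, so the backend can trust it.
    RequestHeader set X-SSL-Client-DN "%{SSL_CLIENT_S_DN}s"

    # Reverse proxy only: ProxyRequests Off prevents use as an open forward proxy.
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # The first matching ProxyPass wins, so the more specific prefix comes first.
    ProxyPass        /console http://11.8.121.72:7001/console
    ProxyPassReverse /console http://11.8.121.72:7001/console
    ProxyPass        /        http://11.8.121.72:7001/console/login/loginform.jsp
    ProxyPassReverse /        http://11.8.121.72:7001/console/login/loginform.jsp

    ErrorLog  "logs/ssl_error_log"
    CustomLog "logs/ssl_access_log" combined
</VirtualHost>
```

Include this file from httpd.conf, run apachectl configtest (it also catches a key that does not match the certificate), restart, and test from a machine that has ca.cer in its trust store and client.p12 installed. A client without a certificate should be refused during the handshake, not shown a 403 page; openssl s_client -connect www.ddd.com:443 -CAfile ca.cer -cert client.cer -key client.key.2048 reports "Verify return code: 0 (ok)" when both directions check out.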

The setup is basically done at this point. Check the configuration syntax with apachectl's configtest, then restart Apache and verify it from a client.
