HTTP implemented as HTTPS in Linux

Source: Internet
Author: User
Tags: file transfer protocol, asymmetric encryption

HTTP is the Hypertext Transfer Protocol.

It is a file transfer protocol: when we browse the web, every file is transmitted over HTTP from the server to the client's computer. HTTP works at the application layer, so a suitable application must be present to run the protocol.

First, let us clarify what the client and the server are.

Client: usually refers to our browser, such as Google Chrome, Firefox or IE. The browser is installed on the user's computer, so in descriptions of HTTP the client usually means the computer on which the browser is installed.

Server: typically the computers that have web server software installed, such as Apache httpd, nginx or lighttpd; these are called servers.

When the client requests files from the server, the server returns the resources you asked for based on your request. These resources are transmitted as static HTML files, and the transmission is in cleartext. Transmitting this way allows some of your important information to be intercepted by anyone listening on the path, so HTTP-based transmission is not secure.

This is why HTTPS appeared.

HTTPS (full name: HTTP over SSL, Hypertext Transfer Protocol over Secure Socket Layer) is HTTP over a security-oriented channel; simply put, it is the secure version of HTTP. That is, an SSL sub-layer is added beneath HTTP, and SSL is the security foundation of HTTPS. SSL uses a variety of symmetric and asymmetric encryption algorithms to encrypt the transferred data, and HTTPS with SSL also supports digital certificates, which authenticate the communicating parties and ensure that client-to-server communication is protected. With this, the security of the data in transit is ensured.

Establishing a session over SSL requires the following steps:

1. The client and server exchange protocol version numbers.

2. The two parties select an encryption method supported by both, and the client requests a certificate from the server.

3. The server sends its certificate and the selected encryption method to the client.

4. The client obtains the certificate and verifies it.

After the client receives the certificate, it performs the following five steps:

(a) Verify the legitimacy of the certificate's source: decrypt the digital signature on the certificate with the CA's public key.

(b) Verify the legitimacy of the certificate's contents: integrity check.

(c) Check the validity period of the certificate.

(d) Check whether the certificate has been revoked.

(e) Check that the name of the certificate's owner is consistent with the target host being accessed.

5. The client generates a temporary session key (a symmetric key), encrypts it with the server's public key and sends it to the server, completing the key exchange.

6. The server uses this key to encrypt the resource requested by the user and responds to the client.

Implementation of HTTPS

1. To implement HTTPS on top of HTTP, httpd must be configured with SSL and the certificate it uses. httpd supports this through the dedicated mod_ssl module.

yum -y install mod_ssl   # install the mod_ssl module

After the module is installed, the configuration files are modified automatically: LoadModule ssl_module modules/mod_ssl.so is added in the httpd sub-configuration file /etc/httpd/conf.d/ssl.conf, which also opens port 443 and specifies the storage path of the certificate.

The reason is that, at installation time, the package runs a script that generates the private key file /etc/pki/tls/private/localhost.key and a certificate file /etc/pki/tls/certs/localhost.crt. This certificate is self-signed, so the HTTPS site can already be accessed at this point, but the browser reports a problem with the server certificate: the issuer is not trusted and the name does not match the site. Therefore you need to request a certificate from a CA; once the CA-issued certificate is obtained, the HTTPS site can be used correctly.

2. Apply for CA Certificate

To generate a certificate you first need to generate a private key for the server and use it to produce the certificate signing request (CSR) file:

mkdir /etc/httpd/ssl && cd /etc/httpd/ssl   # create a directory to store the private key file
(umask 077; openssl genrsa -out httpd.key 1024)   # generate a 1024-bit private key
openssl req -new -key httpd.key -out httpd.csr   # generate the certificate signing request with this private key, then submit the resulting file to the CA for signing

Note: the country, province, etc. in the certificate should be consistent with those of the root CA, and the host name must be the name under which the web service will be provided in the future.

3. CA signing

After signing, the root CA passes the server's signed certificate back to the server, together with the root certificate cacert.pem.

The signed certificate is: /etc/httpd/ssl/httpd.crt

The CA's root certificate is: /etc/httpd/ssl/cacert.pem
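As an added example (not from the original post), the following script plays both roles from steps 2 and 3 in a throwaway directory: it acts as the root CA, issues the server certificate for httpd.csr, and then performs the client-side checks (a), (b), (c) and (e) from the handshake description with openssl. It uses 2048-bit keys rather than the 1024 bits shown above, and the CA name, the second certificate and the directory layout are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: act as the root CA, issue the
# server certificate for httpd.csr, then run the client-side checks from the
# handshake description: (a)+(b) signature and integrity, (c) validity period,
# (e) hostname match. (d) revocation needs a CRL or OCSP responder and is not
# exercised here. All names below are constructed for the demo.
set -eu

# make_demo_pki DIR: writes cacert.pem (root CA), httpd.key/httpd.csr/httpd.crt
# (CA-signed cert for www.Webname.com) and selfsigned.crt (comparable to the
# localhost.crt that the mod_ssl package generates, which no CA vouches for).
make_demo_pki() {
  dir=$1
  # Root CA key plus self-signed root certificate; ca.key never leaves the CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -keyout "$dir/ca.key" -out "$dir/cacert.pem" \
    -subj "/C=CN/ST=Beijing/O=Example CA/CN=Example Root CA" 2>/dev/null
  # Server key and CSR: C and ST match the root CA, CN is the web site name.
  (umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/httpd.key" -out "$dir/httpd.csr" -sha256 \
    -subj "/C=CN/ST=Beijing/O=Webname/CN=www.Webname.com" 2>/dev/null
  # The CA signs the CSR and returns httpd.crt together with cacert.pem.
  openssl x509 -req -in "$dir/httpd.csr" -CA "$dir/cacert.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 365 -sha256 \
    -out "$dir/httpd.crt" 2>/dev/null
  # A self-signed certificate for the same name: signed by no trusted CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.crt" \
    -subj "/CN=www.Webname.com" 2>/dev/null
}

# check_server_cert CERT CAFILE HOSTNAME: prints OK or the first failing check.
check_server_cert() {
  # (a)+(b): verify the CA signature; a tampered body fails this check too.
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo "untrusted issuer"; return 0; }
  # (c): -checkend 0 exits non-zero once notAfter is in the past.
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || { echo "expired"; return 0; }
  # (e): the subject name (or SAN) must match the host being accessed.
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1 \
    || { echo "hostname mismatch"; return 0; }
  echo OK
}

WORK=$(mktemp -d)   # generated files are left here for inspection
make_demo_pki "$WORK"
check_server_cert "$WORK/httpd.crt" "$WORK/cacert.pem" www.Webname.com       # OK
check_server_cert "$WORK/httpd.crt" "$WORK/cacert.pem" www.other.example     # hostname mismatch
check_server_cert "$WORK/selfsigned.crt" "$WORK/cacert.pem" www.Webname.com  # untrusted issuer
```

The third call shows why the package-generated self-signed certificate is rejected by browsers: it fails check (a) against any CA the client trusts, even though its name and validity period are fine.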

4. Modify the configuration file /etc/httpd/conf.d/ssl.conf; the following items need to be changed:

DocumentRoot /var/www/html   # root directory of the shared files; this overrides the setting in /etc/httpd/conf/httpd.conf

ServerName www.Webname.com   # the name of this web site's server

SSLCertificateFile /etc/httpd/ssl/httpd.crt   # location of the certificate

SSLCertificateKeyFile /etc/httpd/ssl/httpd.key   # location of the private key file

SSLCACertificateFile /etc/httpd/ssl/cacert.pem   # location of the root certificate

5. Reload the configuration

service httpd reload   # reload the configuration file

6. Test whether the configuration is successful

Test command:

openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]

Example: openssl s_client -connect hostip:443   # if the certificate contents are displayed, HTTPS has been set up successfully

Here hostip can also be written as your server's domain name, provided the domain name has already been resolved on the DNS server.

7. HTTP redirection to HTTPS

Redirection means forwarding the URL of an HTTP request to HTTPS. An average user does not specifically remember whether a site is encrypted when requesting a file from the web server, so the server side must automatically convert the user's HTTP requests into HTTPS requests.

It is recommended that the HTTP and HTTPS sites share the same document root, because the redirect sends every HTTP request under the directory to the HTTPS site. If the HTTPS site lacks a directory that the HTTP site has, for example the HTTP default document root is /var/www/html/ while the HTTPS document root is /var/www/https and /var/www/https/web does not exist, then a request for that web page is redirected to /var/www/https/web, the redirect target reports that the page does not exist, and the page will not open.

Redirect:

(1) Redirect-based jump

A redirect-based jump requires configuring a redirect file on the server and specifying the path to redirect.

Syntax of the Redirect directive:

Redirect [status] URL-path URL

The two values of status:

permanent: returns a permanent redirect status (301), indicating that the resource has moved permanently (permanent jump)

temp: returns a temporary redirect status (302). This is the default (temporary jump)

Example: vim /etc/httpd/conf.d/redirect.conf

Redirect permanent / https://www.Webname.com/   # add a redirect: URL-path is the request path prefix (here the whole site, not a filesystem directory), and the URL is the root of the site after the jump

(2) HSTS-based jump

The current mainstream approach is to redirect using HSTS (HTTP Strict Transport Security). Once the server is configured to support HSTS, the HSTS field is carried in the HTTP response header returned to the browser. After the browser has obtained this information, it rewrites all HTTP requests to that site internally as a 307 redirect to HTTPS, without any network round trip. When the client sends an HTTP request for the first time, the server responds with the HTTPS result, the client caches the response, and on the next visit the browser automatically converts HTTP to HTTPS and sends the request to the server over HTTPS. HSTS can largely resolve the SSL stripping attack, because once the browser has established a secure connection with the server it enforces HTTPS even if a link is replaced with HTTP.

HSTS preload list

The HSTS preload list is a pre-loaded HSTS list built into the Chrome browser; a web site on that list is automatically converted to HTTPS when it is accessed from Chrome. Firefox, Safari and Edge also use this list. Because the list is configured in the browser, the web site submits itself to the browser vendors, and the browsers then enforce HTTPS for it.

Configure HSTS forwarding:

vim /etc/httpd/conf/httpd.conf

Header always set Strict-Transport-Security "max-age=63072000"   # tell the browser to use HTTPS on its next visit; this information expires after two years (browsers only honour the header when it arrives over HTTPS)

RewriteEngine on   # enable the rewrite engine

RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]   # define the rewrite rule: send the plain-HTTP request to the same path over HTTPS (apply it to the port 80 virtual host only, so HTTPS requests are not rewritten in a loop)

Finally, do not forget to reload the configuration after the modification is complete.
