By default a Web server speaks HTTP, which is a plain-text protocol: as the name implies, nothing it carries is encrypted in transit. An HTTP-only Web server is very easy to configure, but it has a significant security flaw. Any "middleman" with a carefully placed packet sniffer can read the contents of every passing packet. Worse, an attacker can place a fake Web server in the transmission path that impersonates the real one, so the end user ends up communicating with the impostor rather than the intended destination. The attacker can then present the user with a specially crafted form and harvest sensitive information such as a user name and password.
To counter these threats, most vendors deploy HTTPS on their Web servers. For a read-only Web site, where the user only reads content and never submits anything, HTTP is still a viable option. For any site that handles sensitive information, for example one where a user must log in to use the service, HTTPS is a must. HTTPS provides the following capabilities for a Web site.
The first step in building a Web server that supports HTTPS is to obtain a digital certificate. A certificate can be obtained in any of the following ways.
Self-signed certificates are recommended for testing and personal projects. They can also be used between service providers, but only where the parties already trust each other and can install the certificate on the client side, because browsers warn about a certificate that no known authority has signed. Self-signed certificates cost nothing.
Certificates can be obtained from community-based certificate authorities such as StartSSL and CACert. These also cost nothing, but are recommended only for personal projects. (Note that StartSSL has since been distrusted by the major browsers and shut down, and the CACert root is not in mainstream browser trust stores.)
For global business sites, purchase a certificate from a reputable, trusted certificate authority. These certificates cost money, but they lend credibility to the service provider.
Getting ready
In this document we will use a self-signed certificate. We assume a CentOS system with the Apache Web server already installed. The certificate will be generated with OpenSSL; if mod_ssl and OpenSSL are not yet installed, install them with yum.
# yum install mod_ssl openssl
Generate a self-signed certificate
The following commands generate a self-signed certificate. First, generate a 2048-bit RSA private key. Note that genrsa writes the key unencrypted unless an option such as -aes256 is given; Apache needs the unencrypted form to start unattended, so the file must be protected by file permissions instead.
# openssl genrsa -out ca.key 2048
Next, generate a certificate signing request (CSR). OpenSSL prompts for the subject fields; the Common Name must be the host name clients will use to reach the server.
# openssl req -new -key ca.key -out ca.csr
Finally, generate the self-signed X.509 certificate, valid for 365 days.
# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
After the certificate is created, copy the files to the directories Apache expects, and make sure the private key is readable only by root (mode 600).
# cp ca.crt /etc/pki/tls/certs/
# cp ca.key /etc/pki/tls/private/
# cp ca.csr /etc/pki/tls/private/
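The three OpenSSL steps above, as an added example that is not part of the original page: a shell script that runs them non-interactively (the subject is passed with -subj, and a subjectAltName is added because browsers match the host name against the SAN, not the CN) and then performs the checks worth doing before the files go to Apache: that the key and certificate belong together, that the certificate names the host, and that the key file is not world-readable. The host name virtual-web.example.com, the output directory ./tls-out and the subject fields are assumptions; adjust them for your site.

```shell
#!/bin/sh
# Added example, not from the original page: the three openssl steps,
# run non-interactively and followed by the checks worth doing before the
# files go to Apache. HOST and OUTDIR are assumptions; adjust for your site.
set -eu

HOST="${HOST:-virtual-web.example.com}"
OUTDIR="${OUTDIR:-./tls-out}"

# Step 1: 2048-bit RSA private key. genrsa writes it unencrypted (no -aes256),
# which Apache needs to start unattended, so rely on permissions instead:
# umask 077 makes the file mode 600 from the moment it is created.
gen_key() {
    mkdir -p "$OUTDIR"
    (umask 077 && openssl genrsa -out "$OUTDIR/ca.key" 2048 2>/dev/null)
}

# Step 2: CSR. -subj supplies the subject so there are no interactive prompts;
# the CN is the host name clients will connect to.
gen_csr() {
    openssl req -new -key "$OUTDIR/ca.key" -out "$OUTDIR/ca.csr" \
        -subj "/C=US/ST=State/L=City/O=Example/CN=$HOST"
}

# Step 3: self-sign for 365 days. Browsers match the host against
# subjectAltName rather than CN, so add one via -extfile (works on
# OpenSSL 1.0.x as well as 1.1.x and 3.x, unlike req -addext).
gen_cert() {
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$OUTDIR/san.ext"
    openssl x509 -req -days 365 -in "$OUTDIR/ca.csr" -signkey "$OUTDIR/ca.key" \
        -extfile "$OUTDIR/san.ext" -out "$OUTDIR/ca.crt" 2>/dev/null
}

# Check 1: certificate and key belong together (same RSA modulus). A mismatch
# is the usual cause of httpd refusing to start after the files are swapped.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$OUTDIR/ca.crt")
    k=$(openssl rsa  -noout -modulus -in "$OUTDIR/ca.key")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check 2: the certificate names the host we will serve.
cert_has_san() {
    openssl x509 -noout -text -in "$OUTDIR/ca.crt" | grep -qF "DNS:$HOST"
}

# Check 3: the private key is readable by its owner only (mode 600).
# GNU stat takes -c; the fallback covers BSD/macOS stat.
key_is_private() {
    mode=$(stat -c '%a' "$OUTDIR/ca.key" 2>/dev/null || stat -f '%Lp' "$OUTDIR/ca.key")
    [ "$mode" = "600" ]
}

# Generate everything and run all three checks; non-zero exit on any failure.
make_selfsigned() {
    gen_key && gen_csr && gen_cert && key_matches_cert && cert_has_san && key_is_private
}

make_selfsigned && echo "OK: $OUTDIR/ca.crt and $OUTDIR/ca.key are ready for Apache"
```

Run it once, then copy ca.crt to /etc/pki/tls/certs/ and ca.key to /etc/pki/tls/private/ as in the page. The same modulus comparison is also the fastest way to diagnose a "key does not match the certificate" error after a certificate renewal.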
Configure the Apache Web server
First, edit the SSL configuration file.
# vim /etc/httpd/conf.d/ssl.conf
### Overwrite the following parameters ###
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
### The following parameter does not need to be modified for a self-signed certificate. ###
### If you are using a real certificate, you may receive a certificate bundle. The bundle is added with the following parameter: ###
# SSLCertificateChainFile /etc/pki/tls/certs/example.com.ca-bundle
Then restart the httpd service for the changes to take effect.
# service httpd restart
The Web server can now use HTTPS!
Tuning a virtual host
The Apache Web server can serve multiple Web sites. These sites are defined as virtual hosts in the httpd configuration file. For example, assume our Apache server hosts the site virtual-web.example.com, and all of the site's files are stored in the /var/www/html/virtual-web directory.
For a virtual host, this is the typical HTTP configuration.
# vim /etc/httpd/conf/httpd.conf
NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html/virtual-web
    ServerName virtual-web.example.com
</VirtualHost>
We can create an HTTPS virtual host based on the configuration above.
# vim /etc/httpd/conf/httpd.conf
NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    <Directory /var/www/html/virtual-web>
        AllowOverride All
    </Directory>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html/virtual-web
    ServerName virtual-web.example.com
</VirtualHost>
Each HTTPS virtual host is defined in the same way. After adding the virtual host, restart the Web service.
# service httpd restart
Now the virtual host can use HTTPS!
Optional configuration: force the Apache Web server to always use HTTPS
If your site must be served only over HTTPS, redirect all HTTP requests (port 80) to HTTPS (port 443). Apache can do this easily.
1. Forcing the main site to use HTTPS
To force the main (default) site to use HTTPS, modify the httpd configuration file as follows:
# vim /etc/httpd/conf/httpd.conf
ServerName www.example.com
Redirect permanent / https://www.example.com/
# service httpd restart
2. Forcing a virtual host to use HTTPS
To force HTTPS on a virtual host, configure its HTTP (port 80) virtual host as follows:
# vim /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
    ServerName virtual-web.example.com
    Redirect permanent / https://virtual-web.example.com/
</VirtualHost>
# service httpd restart
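The virtual-host section and the redirect section above, combined into one complete configuration as an added example that is not part of the original page: a port-80 virtual host that only redirects, and a port-443 virtual host that serves virtual-web.example.com with the self-signed files from this page and tightens the TLS settings that a stock ssl.conf leaves permissive (older CentOS releases ship SSLProtocol all -SSLv2, which still allows SSLv3 and TLS 1.0). The paths and host name follow the page; the protocol, cipher and HSTS settings, and the httpd 2.4 syntax, are assumptions and require mod_ssl and mod_headers to be loaded.

```apache
# Added example (not from the original page). Assumes httpd 2.4 with mod_ssl
# and mod_headers; paths and host name follow the page.

<VirtualHost *:80>
    ServerName virtual-web.example.com
    # Send every plain-text request to its HTTPS counterpart, preserving the path.
    Redirect permanent / https://virtual-web.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName virtual-web.example.com
    DocumentRoot /var/www/html/virtual-web

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    # Only for a CA-issued certificate that came with an intermediate bundle:
    # SSLCertificateChainFile /etc/pki/tls/certs/example.com.ca-bundle

    # Weak (older stock ssl.conf):  SSLProtocol all -SSLv2
    # Hardened: also drop SSLv3 and TLS 1.0/1.1, forbid anonymous and weak
    # ciphers, and let the server rather than the client pick the suite.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on

    # HSTS: browsers that have seen this header go straight to HTTPS for a
    # year without first trying port 80, which the redirect alone cannot
    # prevent. Start with a short max-age while testing; it is hard to undo.
    Header always set Strict-Transport-Security "max-age=31536000"

    <Directory /var/www/html/virtual-web>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

Run httpd -t (or apachectl configtest) before restarting, then verify from a client with openssl s_client -connect virtual-web.example.com:443 -servername virtual-web.example.com, which shows the negotiated protocol and the certificate actually served; a self-signed certificate will report "verify error: self signed certificate", which is expected here.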
In summary, server security is improved by using HTTPS, which is always recommended wherever there are interactions such as user login. Certificates can be obtained in a variety of ways: self-signed, from a community certificate authority, or purchased from a commercial one. The administrator should carefully select the type of certificate to use.
How to configure Apache's HTTPS service on CentOS