HTTPS support configuration for Apache services

Case Requirements

1. Add HTTPS protocol support to the httpd server that was compiled and installed from source, to improve the security of the site.

2. When a client accesses the site over HTTP, it is automatically redirected to HTTPS.

Knowledge Tips

HTTPS stands for Hypertext Transfer Protocol Secure. In practice HTTPS inserts SSL (Secure Sockets Layer) as a sub-layer beneath the HTTP application layer to encrypt HTTP traffic that would otherwise travel in plaintext, so that sensitive information cannot be captured or eavesdropped on in transit. For this reason HTTPS is common in web applications such as online banking and secure webmail.

1. Verify that the OpenSSL package is installed on the system; it is needed to generate the server certificate

[root@localhost ~]# rpm -qa | grep openssl

openssl-0.9.8e-12.el5_4.6

openssl-devel-0.9.8e-12.el5_4.6

2. Confirm that the SSL and rewrite support options were enabled when the httpd package was compiled

[root@localhost httpd-2.2.17]# ./configure --prefix=/usr/local/httpd --enable-so --enable-rewrite --enable-charset-lite --enable-cgi --with-ssl=/usr/lib --enable-ssl

[root@localhost httpd-2.2.17]# make

[root@localhost httpd-2.2.17]# make install

3. Generate the private key file and issue the certificate (CRT) file

To keep the exercise simple, the localhost.crt and localhost.key files shipped with the RHEL5 system can be used directly:

[root@localhost httpd-2.2.17]# cd /etc/pki/tls/

[root@localhost tls]# cp certs/localhost.crt /usr/local/httpd/conf/server.crt

[root@localhost tls]# cp private/localhost.key /usr/local/httpd/conf/server.key

Alternatively, the openssl tool can be used to generate a new key and certificate file:

[root@localhost ~]# cd /usr/local/httpd/conf/

[root@localhost conf]# openssl genrsa -out server.key 1024    //generate the server private key file

Generating RSA private key, 1024 bit long modulus

.......................................................................................++++++

..........++++++

e is 65537 (0x10001)

[root@localhost conf]# chmod 600 server.key    //the private key must be readable by root only

[root@localhost conf]# openssl req -new -key server.key -out server.csr    //generate the certificate signing request (CSR) for the server

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or province name (full name) [Berkshire]: China

Locality Name (eg, city) [Newbury]:Beijing

Organization Name (eg, company) [My company LTD]:Aptech

Organizational Unit Name (eg, section) []:Benet4.0

Common Name (eg, your name or your server's hostname) []:mail.benet.com

Email Address []:[email protected]

Please enter the following 'extra' attributes

to be sent with your certificate request

A Challenge Password []:

An optional company name []:

[root@localhost conf]# ls -l server.key server.csr

-rw-r--r-- 1 root root 12-06 19:52 server.csr

-rw------- 1 root root 887 12-06 19:46 server.key

[root@localhost conf]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt    //sign the server certificate with its own key (self-signed)

Signature OK

subject=/C=CN/ST=Beijing/L=Beijing/O=Aptech/OU=benet/CN=mail.benet.com/emailAddress=[email protected]

Getting Private Key

[root@localhost conf]# ls -l server.key server.csr server.crt

-rw-r--r-- 1 root root 944 12-06 19:55 server.crt

-rw-r--r-- 1 root root 12-06 19:52 server.csr

-rw------- 1 root root 887 12-06 19:46 server.key

4. Adjust the httpd service configuration to add SSL and rewrite support

[root@localhost conf]# vi httpd.conf

...    //part of the content omitted

Include conf/extra/httpd-ssl.conf    //enable the default SSL configuration file

<IfModule ssl_module>

SSLRandomSeed startup builtin

SSLRandomSeed connect builtin

</IfModule>

RewriteEngine On    //enable the rewrite engine and add the address rewriting policy

RewriteCond %{SERVER_PORT} !^443$    //only requests that did not arrive on the HTTPS port are rewritten

RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R]    //$1 carries the requested path over to the HTTPS URL

[root@localhost conf]# /usr/local/httpd/bin/apachectl restart

5. Test access from a client browser

When http://your_server_ip/ is accessed, the browser is automatically redirected to https://your_server_ip/. The certificate used in this case is self-signed by the server rather than issued by a trusted certificate authority, so the browser shows a certificate error on the first visit (Figure 1); click the "continue browsing this website (not recommended)" link to continue to the site (Figure 2).


Figure 1 Prompt for certificate error on first visit


Figure 2 Switch to HTTPS access after accepting a certificate
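As an added example (not part of the original article), the script below performs step 3 without the interactive prompts and adds the checks worth running before the restart in step 4: that server.crt really belongs to server.key, that the CN is the one requested, and that the key is mode 600; check_redirect verifies step 5 from the command line. It assumes the openssl and curl command-line tools are installed; the function names and the 2048-bit modulus are this example's choices, not the article's.

```shell
#!/bin/sh
# Added example, not from the original article. Runs the article's step 3
# without prompts and checks the result before httpd is restarted.
# Assumes the openssl and curl command-line tools are installed.
set -eu

# gen_selfsigned DIR CN DAYS -> writes DIR/server.key, server.csr, server.crt
gen_selfsigned() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    # Same three openssl commands as the article, but -subj replaces the
    # interactive DN prompts and the modulus is 2048 bits instead of 1024.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Aptech/OU=benet/CN=$cn"
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# key_matches_cert KEY CRT -> succeeds only if both carry the same RSA modulus
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn CRT -> prints the subject CN (handles old "/CN=" and new "CN =" output)
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_is_private KEY -> succeeds if the mode is 0600, the -rw------- shown above
key_is_private() {
    [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = "600" ]
}

# check_redirect URL -> prints "<status> <Location>", e.g. "302 https://mail.benet.com/"
check_redirect() {
    curl -s -o /dev/null -w '%{http_code} %{redirect_url}\n' "$1"
}

# Usage: sh make_cert.sh /usr/local/httpd/conf mail.benet.com 365
if [ "$#" -eq 3 ]; then
    gen_selfsigned "$1" "$2" "$3"
    key_matches_cert "$1/server.key" "$1/server.crt" && echo "server.crt matches server.key"
    key_is_private "$1/server.key" && echo "server.key is mode 600"
fi
```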
