Additional questions:
Case Requirements
1. Add HTTPS support to the httpd server that was compiled and installed from source, to improve security.
2. When a client accesses the site over HTTP, it is automatically redirected to HTTPS.
Knowledge Tips
HTTPS (Hyper Text Transfer Protocol Secure) is the secure form of HTTP. HTTPS inserts SSL (Secure Sockets Layer) as a sub-layer beneath the HTTP application layer and uses it to encrypt HTTP traffic that would otherwise travel in plaintext, so that sensitive information cannot be captured or eavesdropped on in transit. For this reason the HTTPS protocol is common for Web access such as Internet banking and secure webmail.
1. Verify that the OpenSSL package is installed on the system; it is needed to generate the server certificate
[root@localhost ~]# rpm -qa | grep openssl
openssl-0.9.8e-12.el5_4.6
openssl-devel-0.9.8e-12.el5_4.6
2. Confirm that the SSL and rewrite support options were enabled when compiling the httpd package
[root@localhost httpd-2.2.17]# ./configure --prefix=/usr/local/httpd --enable-so --enable-rewrite --enable-charset-lite --enable-cgi --with-ssl=/usr/lib --enable-ssl
[root@localhost httpd-2.2.17]# make
[root@localhost httpd-2.2.17]# make install
3. Generate the private key file and issue the CRT certificate
To reduce the complexity of the experiment, the localhost.crt and localhost.key files shipped with the RHEL5 system can be used directly:
[root@localhost httpd-2.2.17]# cd /etc/pki/tls/
[root@localhost tls]# cp certs/localhost.crt /usr/local/httpd/conf/server.crt
[root@localhost tls]# cp private/localhost.key /usr/local/httpd/conf/server.key
Alternatively, use the openssl tool to generate a new key and certificate file:
[root@localhost ~]# cd /usr/local/httpd/conf/
[root@localhost conf]# openssl genrsa -out server.key 1024 // generate the server private key file
Generating RSA private key, 1024 bit long modulus
.......................................................................................++++++
..........++++++
e is 65537 (0x10001)
[root@localhost conf]# chmod 600 server.key // the private key must be readable by root only
[root@localhost conf]# openssl req -new -key server.key -out server.csr
// generate the server certificate signing request (CSR) file
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:China
Locality Name (eg, city) [Newbury]:Beijing
Organization Name (eg, company) [My Company Ltd]:Aptech
Organizational Unit Name (eg, section) []:Benet4.0
Common Name (eg, your name or your server's hostname) []:mail.benet.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost conf]# ls -l server.key server.csr
-rw-r--r-- 1 root root     12-06 19:52 server.csr
-rw------- 1 root root 887 12-06 19:46 server.key
[root@localhost conf]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
// sign the server certificate with its own private key (self-signed certificate)
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=Aptech/OU=benet/CN=mail.benet.com/emailAddress=[email protected]
Getting Private key
[root@localhost conf]# ls -l server.key server.csr server.crt
-rw-r--r-- 1 root root 944 12-06 19:55 server.crt
-rw-r--r-- 1 root root     12-06 19:52 server.csr
-rw------- 1 root root 887 12-06 19:46 server.key
4. Adjust the httpd service configuration to add SSL and rewrite support
[root@localhost conf]# vi httpd.conf
... // part of the content omitted
Include conf/extra/httpd-ssl.conf // enable the default SSL configuration file
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
RewriteEngine On // enable the rewrite engine and add the address rewriting policy
RewriteCond %{SERVER_PORT} !^443$ // only rewrite requests that did not arrive on the HTTPS port
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L] // redirect the same path to HTTPS
[root@localhost conf]# /usr/local/httpd/bin/apachectl restart
5. Test access from a client browser
When accessing http://your_server_ip/, the browser is automatically redirected to https://your_server_ip/. The website certificate used in this case is self-signed by the server rather than issued by a trusted certificate authority, so the browser shows a certificate error on access (Figure 1); click the "Continue to this website (not recommended)" link to continue to the site (Figure 2).
Figure 1 Prompt for certificate error on first visit
Figure 2 Switch to HTTPS access after accepting a certificate
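The following shell script is an added example, not part of the original page or of the httpd project: it performs step 3 non-interactively (the -subj option answers the DN prompts) and adds the checks worth running before restarting httpd in step 4, namely that the certificate's public key matches server.key, that the Common Name is the hostname clients will type, that the key file is mode 600, and that the certificate is self-signed (issuer equals subject), which is exactly why the browser warns in Figure 1. It assumes a POSIX shell with the openssl command line tool and GNU or BSD stat; the directory, hostname and DN values are placeholders constructed for the example, and a 2048-bit key is used instead of the page's 1024-bit key because current browsers reject 1024-bit RSA.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes POSIX sh, the openssl CLI,
# and GNU or BSD stat. Directory, hostname and DN values are constructed placeholders.

# make_self_signed DIR CN [DAYS]
# Creates DIR/server.key, DIR/server.csr and DIR/server.crt, mirroring the
# genrsa / req / x509 -req sequence of step 3 on the page.
make_self_signed() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir" || return 1
    # 2048-bit RSA: the page uses 1024, which modern clients no longer accept
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/server.key"          # private key readable by root only
    # -subj replaces the interactive DN prompts (values are placeholders)
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Aptech/OU=benet/CN=$cn" 2>/dev/null || return 1
    # sign the request with its own key: a self-signed certificate
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
}

# cert_matches_key DIR: succeeds only if the public key inside server.crt is the
# one derived from server.key; a mismatched pair makes SSLEngine fail at startup.
cert_matches_key() {
    crt=$(openssl x509 -noout -pubkey -in "$1/server.crt" | openssl dgst -sha256)
    key=$(openssl rsa -pubout -in "$1/server.key" 2>/dev/null | openssl dgst -sha256)
    [ -n "$crt" ] && [ "$crt" = "$key" ]
}

# cert_cn DIR: prints the Common Name; browsers compare it with the host in the URL.
cert_cn() {
    openssl x509 -noout -subject -in "$1/server.crt" |
        sed -n 's/.*CN *= *\([^/,]*\).*/\1/p'
}

# is_self_signed DIR: issuer DN equals subject DN, so no CA vouches for the
# certificate and browsers show the warning of Figure 1.
is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1/server.crt" | sed 's/^subject= *//')
    iss=$(openssl x509 -noout -issuer -in "$1/server.crt" | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# key_mode DIR: octal permission bits of server.key (expected 600).
key_mode() {
    stat -c '%a' "$1/server.key" 2>/dev/null || stat -f '%Lp' "$1/server.key"
}

# redirect_target URL: prints "<status> <Location>" to confirm the HTTP -> HTTPS
# rewrite of step 4; needs curl and a running httpd, so run it by hand, e.g.
#   redirect_target http://your_server_ip/index.html
redirect_target() {
    curl -s -o /dev/null -w '%{http_code} %{redirect_url}\n' "$1"
}

# Usage (paths are placeholders):
#   make_self_signed ./conf mail.benet.com 365 && cert_matches_key ./conf && echo "key/cert pair OK"
```

Run the checks from the httpd conf directory before apachectl restart; if cert_matches_key fails, the server will refuse to start with SSL enabled, and if cert_cn differs from the name clients use, every browser will warn even after the certificate is issued by a real CA.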
HTTPS support configuration for Apache services