https: HTTP over SSL = HTTPS, 443/tcp; protocol versions: SSL v3, TLS v1
URL scheme: https://

Simplified SSL session process:
(1) The client sends the encryption methods (cipher suites) it supports and requests the server's certificate;
(2) The server sends its certificate and the encryption method it selected to the client;
(3) The client obtains the certificate and verifies it; if the issuing CA is trusted:
    (a) legitimacy of the certificate's source: decrypt the digital signature on the certificate with the CA's public key;
    (b) legitimacy of the certificate's contents: integrity (the decrypted signature must match the certificate body);
    (c) check the certificate's validity period;
    (d) check whether the certificate has been revoked;
    (e) check that the name of the certificate's owner matches the target host being visited;
(4) The client generates a temporary session key (a symmetric key), encrypts it with the server's public key and sends it to the server, completing the key exchange;
(5) The server encrypts the resource requested by the user with this key and responds to the client.

Note: an SSL session is set up on the basis of the IP address (the server has to present a certificate before any Host header is seen), so a host with a single IP can serve only one HTTPS virtual host.

Terms to review: PKI, CA, CRL, X.509 (v1, v2, v3)

Configuring httpd to support https:
(1) Request a digital certificate for the server; for testing, issue the certificate through a private CA:
    (a) create the private CA;
    (b) create a certificate signing request on the server;
    (c) have the CA sign it;
(2) Configure httpd to use SSL and the certificate:
    # yum -y install mod_ssl
    configuration file: /etc/httpd/conf.d/ssl.conf
        DocumentRoot
        ServerName
        SSLCertificateFile
        SSLCertificateKeyFile
(3) Test HTTPS access to the host:
    # openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]

Test procedure: use centos7 (192.168.244.101) as the CA server.

On the CA server:

    [root@centos7 ~]# cd /etc/pki/CA/
    [root@centos7 CA]# ls
    certs  crl  newcerts  private
    [root@centos7 CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)   # generate the CA's private key
    Generating RSA private key, 2048 bit long modulus
    .....................+++
    ........................+++
    e is 65537 (0x10001)
    [root@centos7 CA]# ll
    total 0
    drwxr-xr-x. 2 root root  6 Jun 29        certs
    drwxr-xr-x. 2 root root  6 Jun 29        crl
    drwxr-xr-x. 2 root root  6 Jun 29        newcerts
    drwx------. 2 root root 22 May  9 22:00  private
    [root@centos7 CA]# ll private/
    total 4
    -rw-------. 1 root root 1675 May  9 22:00 cakey.pem
    [root@centos7 CA]# ls
    certs  crl  newcerts  private
    [root@centos7 CA]# touch index.txt
    [root@centos7 CA]# echo 01 > serial
    [root@centos7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7300   # create a self-signed certificate for the CA itself
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:fujian
    Locality Name (eg, city) [Default City]:xiamen
    Organization Name (eg, company) [Default Company Ltd]:wangsu
    Organizational Unit Name (eg, section) []:tech
    Common Name (eg, your name or your server's hostname) []:www.fush.com
    Email Address []:[email protected]
    [root@centos7 CA]# ll
    total 8
    -rw-r--r--. 1 root root 1407 May  9 22:05 cacert.pem
    drwxr-xr-x. 2 root root    6 Jun 29        certs
    drwxr-xr-x. 2 root root    6 Jun 29        crl
    -rw-r--r--. 1 root root    0 May  9 22:01 index.txt
    drwxr-xr-x. 2 root root    6 Jun 29        newcerts
    drwx------. 2 root root   22 May  9 22:00 private
    -rw-r--r--. 1 root root    3 May  9 22:01 serial

On the web (httpd) server 192.168.244.100:

    [root@web1 conf]# cd /etc/httpd/
    [root@web1 httpd]# mkdir ssl
    [root@web1 httpd]# cd ssl/
    [root@web1 ssl]# (umask 077; openssl genrsa -out httpd.key 1024)   # generate the server's private key
    Generating RSA private key, 1024 bit long modulus
    .++++++
    .............++++++
    e is 65537 (0x10001)
    [root@web1 ssl]# ll
    total 4
    -rw------- 1 root root 891 Jun 07:35 httpd.key
    [root@web1 ssl]# openssl req -new -key httpd.key -out httpd.csr   # generate the certificate signing request
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:fujian
    Locality Name (eg, city) [Default City]:xiamen
    Organization Name (eg, company) [Default Company Ltd]:wangsu
    Organizational Unit Name (eg, section) []:tech
    Common Name (eg, your name or your server's hostname) []:www.web1.com
    Email Address []:[email protected]

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [root@web1 ssl]# ll
    total 8
    -rw-r--r-- 1 root root 696 Jun 07:38 httpd.csr
    -rw------- 1 root root 891 Jun 07:35 httpd.key

Then send httpd.csr to the CA server:

    [root@web1 ssl]# scp httpd.csr root@192.168.244.101:/tmp/

Sign the certificate on the CA server:

    [root@centos7 CA]# openssl ca -in /tmp/httpd.csr -out certs/www.web1.com.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: May 02:30:52 GMT
                Not After : May 02:30:52 2018 GMT
            Subject:
                countryName               = cn
                stateOrProvinceName       = fujian
                organizationName          = wangsu
                organizationalUnitName    = tech
                commonName                = www.web1.com
                emailAddress              = [email protected]
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    84:0F:DF:DE:6B:A2:CE:38:5E:E3:A4:8D:64:00:9B:0D:9B:AA:7B:16
                X509v3 Authority Key Identifier:
                    keyid:AE:F2:75:4B:53:5B:9E:2E:30:1F:AE:09:48:EE:0C:87:D2:87:E8:D0
    Certificate is to be certified until May 02:30:52 2018 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@centos7 CA]# ls
    cacert.pem  certs  crl  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old
    [root@centos7 CA]# ls newcerts/
    01.pem
    [root@centos7 CA]# ls certs/
    www.web1.com.crt

Copy the signed certificate back to the httpd server:

    [root@centos7 CA]# scp certs/www.web1.com.crt 192.168.244.100:/etc/httpd/ssl

Next, configure httpd so that it uses SSL:

    [root@web1 ssl]# yum install -y mod_ssl
    [root@web1 ssl]# httpd -M | grep ssl
     ssl_module (shared)
    [root@web1 ssl]# rpm -ql mod_ssl
    /etc/httpd/conf.d/ssl.conf
    /usr/lib64/httpd/modules/mod_ssl.so
    /var/cache/mod_ssl
    /var/cache/mod_ssl/scache.dir
    /var/cache/mod_ssl/scache.pag
    /var/cache/mod_ssl/scache.sem

Make a backup copy of ssl.conf before editing it:

    [root@web1 conf.d]# cp ssl.conf{,.bak}
    [root@web1 conf.d]# ll
    total 32
    -rw-r--r-- 1 root root  392 Jan 13       README
    -rw-r--r-- 1 root root 9465 Dec 13       ssl.conf
    -rw-r--r-- 1 root root 9465 Jun 08:11    ssl.conf.bak
    -rw-r--r-- 1 root root  299 Dec 13       welcome.conf
    [root@web1 conf.d]# vim /etc/httpd/conf.d/ssl.conf

The items that mainly need to be changed:

    <VirtualHost *:443>
    DocumentRoot "/vhost/web1/htdocs"
    ServerName www.web1.com:443
    SSLCertificateFile /etc/httpd/ssl/www.web1.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

Confirm that httpd is listening on port 443:

    [root@web1 conf.d]# ss -tnl | grep 443
    LISTEN     0      128     :::443     :::*

Test the certificate with the openssl s_client command:

    # openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
    [root@centos7 CA]# openssl s_client -connect 192.168.244.100:443 -CAfile /etc/pki/CA/cacert.pem
    ...
    GET / HTTP/1.1
    Host: www.web1.com

Type the two request lines (GET and Host) after the handshake output, then press Enter twice to receive the content:

    HTTP/1.1 200 OK
    Date: Mon, Jun 00:47:59 GMT
    Server: Apache/2.2.15 (CentOS)
    Last-Modified: Sun, Jun 18:58:27 GMT
    ETag: "216dd-13-535195b6de019"
    Accept-Ranges: bytes
    Content-Length: 19
    Vary: Accept-Encoding
    Connection: close
    Content-Type: text/html; charset=UTF-8

    192.168.244.100:80
    closed
    [root@centos7 CA]# openssl s_client -connect 192.168.244.100:443 -servername www.web1.com

To test from a browser, first import the CA certificate into the browser, then visit the site.
18. httpd's own tool programs:
    htpasswd: generates the account/password file used by file-based basic authentication;
    apachectl: the service control script shipped with httpd; supports start, stop, ...;
    apxs: tool provided by the httpd-devel package, used to extend httpd with third-party modules;
    rotatelogs: log rotation tool;
        access.log --> access.log, access.1.log
                   --> access.log, access.1.log, access.2.log
    suexec: temporarily switch to a specified identity in order to access resources configured with special permissions;
    ab: apache benchmark

19. HTTP stress-testing tools:
    ab, webbench, http_load, jmeter, loadrunner, tcpcopy

    ab [OPTIONS] URL
        -n: total number of requests
        -c: concurrency (roughly, how many clients request at the same time)
        -k: test in persistent-connection (keep-alive) mode

    ulimit -n #: adjust the number of files the current user may have open at the same time

Test example:

    [root@centos7 CA]# ab -c 100 -n 10000 http://192.168.244.100/deflate.html
    This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
    Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
    Licensed to The Apache Software Foundation, http://www.apache.org/

    Benchmarking 192.168.244.100 (be patient)
    Completed 1000 requests
    Completed 2000 requests
    Completed 3000 requests
    Completed 4000 requests
    Completed 5000 requests
    Completed 6000 requests
    Completed 7000 requests
    Completed 8000 requests
    Completed 9000 requests
    Completed 10000 requests
    Finished 10000 requests

    Server Software:        Apache/2.2.15
    Server Hostname:        192.168.244.100
    Server Port:            80

    Document Path:          /deflate.html
    Document Length:        20097 bytes

    Concurrency Level:      100
    Time taken for tests:   9.905 seconds
    Complete requests:      10000
    Failed requests:        0
    Write errors:           0
    Total transferred:      203920000 bytes
    HTML transferred:       200970000 bytes
    Requests per second:    1009.59 [#/sec] (mean)
    Time per request:       99.050 [ms] (mean)
    Time per request:       0.991 [ms] (mean, across all concurrent requests)
    Transfer rate:          20105.06 [Kbytes/sec] received

    Connection Times (ms)
                  min  mean[+/-sd] median   max
    Connect:        0    2   7.6      0     122
    Processing:    15   96  56.9     76     443
    Waiting:        2   91  53.8     70     423
    Total:         47   98  57.8     77     443

    Percentage of the requests served within a certain time (ms)
      50%     77
      66%     89
      75%    108
      80%    122
      90%    163
      95%    218
      98%    297
      99%    332
     100%    443 (longest request)
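The following is an added example and not part of the article: a small shell gate that reads an ApacheBench report like the one above and fails the run on any failed request or write error, on a 99th-percentile latency above a limit, or on a throughput below a floor, which is how an ab run is normally turned into a pass/fail check rather than read by eye. The sample report embedded in the script is constructed from the figures of the article's run; the thresholds (400 ms p99, 1000 req/s) are assumptions to tune per service.

```shell
#!/bin/sh
# Added example (not from the original article): pass/fail gate over an ab report.
set -eu

# Constructed sample: the relevant lines of the article's ab run.
SAMPLE_REPORT='Concurrency Level:      100
Time taken for tests:   9.905 seconds
Complete requests:      10000
Failed requests:        0
Write errors:           0
Requests per second:    1009.59 [#/sec] (mean)
Time per request:       99.050 [ms] (mean)
  95%    218
  99%    332
 100%    443 (longest request)'

# ab_field REPORT LABEL -> first number after "LABEL:" (e.g. "Failed requests")
ab_field() {
    printf '%s\n' "$1" | awk -v label="$2" -F': *' \
        '$1 == label { split($2, a, " "); print a[1]; exit }'
}

# ab_percentile REPORT PCT -> latency in ms on the percentile line, PCT like "99%"
ab_percentile() {
    printf '%s\n' "$1" | awk -v pct="$2" '$1 == pct { print $2; exit }'
}

# ab_gate REPORT MAX_P99_MS MIN_RPS -> exit 0 if the run passes, 1 otherwise
ab_gate() {
    report="$1"; max_p99="$2"; min_rps="$3"
    failed=$(ab_field "$report" "Failed requests")
    werr=$(ab_field "$report" "Write errors")
    rps=$(ab_field "$report" "Requests per second")
    p99=$(ab_percentile "$report" "99%")
    [ "$failed" -eq 0 ] || { echo "FAIL: $failed failed requests"; return 1; }
    [ "$werr" -eq 0 ]   || { echo "FAIL: $werr write errors"; return 1; }
    [ "$p99" -le "$max_p99" ] || { echo "FAIL: p99 ${p99}ms > ${max_p99}ms"; return 1; }
    # floating-point comparison is left to awk; a zero exit means rps >= min_rps
    awk -v r="$rps" -v m="$min_rps" 'BEGIN { exit !(r >= m) }' \
        || { echo "FAIL: ${rps} req/s < ${min_rps} req/s"; return 1; }
    echo "PASS: p99=${p99}ms rps=${rps} failed=${failed}"
}

# Typical use: ab -c 100 -n 10000 http://host/path > report.txt; ab_gate "$(cat report.txt)" 400 1000
ab_gate "$SAMPLE_REPORT" 400 1000
```

Run ab with -c at or above the concurrency you expect in production and raise ulimit -n first, otherwise the "Failed requests" the gate catches may come from the client running out of file descriptors rather than from the server.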
HTTPS certificate self-signed