Rails + apache2 + passenger + ssl: implementing HTTPS two-way authentication


Environment:
System: CentOS 7
Server: apache (httpd) 2.4.6
Certificate creation tool: openssl 1.0.1
Rails version: 4.1.6

Preparations:

Install apache and openssl
# yum install httpd-devel httpd-tools
# yum install openssl

Install mod_ssl
# yum install mod_ssl


1. Create a root certificate
1. Create a CA private key
# openssl genrsa -out ca.key 1024

2. Create a CA signing request (fill in the information as prompted. Do not set a password; just press Enter. Otherwise you must type the password every time the server starts, which is troublesome)
# openssl req -new -key ca.key -out ca.csr

(
The following information is requested. Fill it in as prompted.

Country Name (2 letter code) [GB]: CN // country code
State or Province Name (full name) [Berkshire]: AnHui // province name
Locality Name (eg, city) [Newbury]: BoZhou // city
Organization Name (eg, company) [My Company Ltd]: xuewb.com // organization name
Organizational Unit Name (eg, section) []: xuewb.com // unit name
Common Name (eg, your name or your server's hostname) []: *.xuewb.com // enter this according to your actual setup; do not get it wrong
Email Address []: lykperson@163.com // email address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: // password; can be left empty. If you set one, you must enter it every time you use the certificate.
An optional company name []: // can be left empty.
)

3. Manually issue the CA root certificate
# openssl x509 -req -days 365 -signkey ca.key -in ca.csr -out ca.crt

2. Issue a server certificate
1. Create a server private key
# openssl genrsa -out server.key 1024

2. Create a server certificate signing request
# openssl req -new -key server.key -out server.csr

3. Use the CA root certificate created in the previous section to issue the server certificate
# openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAserial ca.srl -CAcreateserial -in server.csr -out server.crt


3. Issue a client certificate
1. Create the client private key
# openssl genrsa -out client.key 1024

2. Create a client certificate signing request
# openssl req -new -key client.key -out client.csr

3. Use the CA root certificate to issue the client certificate
# openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt

4. Convert the client certificate to the p12 format (optional; this is the format used to import your certificate into the browser)
# openssl pkcs12 -export -clcerts -inkey client.key -in client.crt -out client.p12


==================================
Note: run the following commands to view the content of the corresponding files:
1. View the private key information
# openssl rsa -noout -text -in ca.key
2. View the generated signing request file
# openssl req -noout -text -in ca.csr
3. View the CA root certificate
# openssl x509 -noout -text -in ca.crt
==================================
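
The three issuance sections above, run end to end without prompts and followed by a chain check; this is an added example, not part of the original post. It uses 2048-bit keys, SHA-256 and explicit extensions where the page's commands use 1024-bit keys and OpenSSL defaults, because 1024-bit RSA is below the minimum that current TLS policies accept. The CA common name, the client name client1 and the function names are assumptions.

```shell
#!/bin/sh
# Added example: sections 1-3 without interactive prompts.
# Names marked "assumed" are not from the page.
set -e
SUBJ="/C=CN/ST=AnHui/L=BoZhou/O=xuewb.com"   # DN fields from the page's prompts

# new_req NAME CN: private key NAME.key plus signing request NAME.csr
new_req() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "$SUBJ/CN=$2" -out "$1.csr"
}

# sign NAME DAYS EXTENSION: issue NAME.crt from NAME.csr with the CA key
sign() {
  printf '%s\n' "$3" > "$1.ext"
  openssl x509 -req -sha256 -days "$2" -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile "$1.ext" -in "$1.csr" -out "$1.crt" 2>/dev/null
}

# make_pki DIR: root CA, server and client certificates, all written to DIR
make_pki() (
  mkdir -p "$1" && cd "$1"
  new_req ca "xuewb test CA"                  # assumed CA name
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl x509 -req -sha256 -days 365 -signkey ca.key -extfile ca.ext \
    -in ca.csr -out ca.crt 2>/dev/null
  new_req server "s.xuewb.com"
  sign server 365 "subjectAltName=DNS:s.xuewb.com"
  new_req client "client1"                    # assumed client name
  sign client 3650 "extendedKeyUsage=clientAuth"
)

# chain_ok DIR CERT: succeeds only if CERT verifies against DIR/ca.crt, the
# decision Apache makes for a client certificate under SSLVerifyClient require.
# The output is matched because older openssl builds exit 0 even on failure.
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$2" 2>/dev/null | grep -q ': OK$'; }

PKI=$(mktemp -d)
make_pki "$PKI"
make_pki "$PKI/other"                         # unrelated CA with its own client
chain_ok "$PKI" "$PKI/server.crt" && echo "server.crt: chains to ca.crt"
chain_ok "$PKI" "$PKI/client.crt" && echo "client.crt: chains to ca.crt"
chain_ok "$PKI" "$PKI/other/client.crt" || echo "other/client.crt: rejected"
```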



4. Import the root certificate, server certificate, and client certificate created in the preceding steps into the browser.
(1) I use the Firefox browser.
Import the certificates:
Edit -> Preferences -> Advanced -> Certificates -> View Certificates -> Servers -> Import
Then import the CA root certificate (ca.crt) and the server certificate (server.crt) created in the preceding steps.
(2) Import the client certificate:
Edit -> Preferences -> Advanced -> Certificates -> View Certificates -> Your Certificates -> Import
Note that this step imports the converted client.p12 file, not client.crt.

5. Configure The apache2 server (httpd)

The configuration file rails_ssl.conf is as follows (this file is complete, but do not delete the ssl.conf file generated when mod_ssl was installed. You do not need to change ssl.conf; it holds some basic settings. If you do want to change it, you can also move those basic settings into this configuration file):


#===========================================================================================
# Remarks:

DocumentRoot /var/www/html/xuewb/public
In this line, xuewb is the name of the rails project I created.

SSLCertificateFile /etc/httpd/cfb_crt/cfb/server.crt
In this line, /etc/httpd/cfb_crt/cfb/server.crt is the path where the file created in the previous steps is stored. I copied the files I had created into the
/etc/httpd/cfb_crt/cfb directory. When you configure your own server you can change this to wherever your files are stored, but httpd must have permission to access them.
#===========================================================================================
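
A virtual host that enforces the client-certificate check, written as a shell function that prints the configuration; this is an added example and not the author's rails_ssl.conf, whose listing is not on this page. ServerName, DocumentRoot and the server.crt path come from the page; the server.key and ca.crt locations, the TLS protocol line and the function names are assumptions.

```shell
#!/bin/sh
# Added example: mutual-TLS virtual host for the Rails app, plus a pre-restart check.
set -e

# write_vhost CERTDIR DOCROOT: print the virtual host to stdout.
# server.key and ca.crt inside CERTDIR are assumed file names.
write_vhost() {
  cat <<EOF
<VirtualHost *:443>
    ServerName s.xuewb.com
    # Passenger serves the Rails app whose public/ directory this is
    DocumentRoot $2

    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLCertificateFile    $1/server.crt
    SSLCertificateKeyFile $1/server.key

    # Two-way authentication: the handshake fails unless the client presents a
    # certificate that verifies against this CA, with no intermediate CAs.
    SSLCACertificateFile  $1/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1

    # Create the SSL_CLIENT_* variables (subject DN, verify result) per request
    SSLOptions +StdEnvVars

    <Directory $2>
        Options -MultiViews
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# key_matches_cert KEY CRT: succeeds only if the RSA key belongs to the
# certificate; httpd does not start when the two files do not match.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

CERTS=/etc/httpd/cfb_crt/cfb
write_vhost "$CERTS" /var/www/html/xuewb/public
if [ -r "$CERTS/server.key" ]; then
  key_matches_cert "$CERTS/server.key" "$CERTS/server.crt" || echo "key/cert mismatch" >&2
fi
```

Redirect the output to a file under /etc/httpd/conf.d/ and run apachectl configtest before restarting httpd.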

6. Modify the hosts file to map the s.crowdroid.com domain name to the local server.

# vim /etc/hosts

127.0.0.1 s.xuewb.com

Save and exit (:wq!)


7. Restart httpd
# sudo service httpd restart

8. Disable SELinux first; otherwise access is denied.
# sudo setenforce 0

#======================================================================
Note:
View the status: # getenforce
(Permissive means SELinux enforcement is off; Enforcing means it is still on. setenforce 0 only turns enforcement off temporarily, and it is back on after the next reboot. To disable SELinux permanently, edit /etc/sysconfig/selinux as root and change SELINUX=enforcing to SELINUX=disabled; the change takes effect after a reboot.)
#======================================================================


9. Access https://s.xuewb.com



#========== Simple explanation ======================
Symmetric encryption algorithms

Symmetric encryption algorithms are used to encrypt sensitive data and other information. Common algorithms include:

DES (Data Encryption Standard): fast, suitable for encrypting large amounts of data.

3DES (Triple DES): based on DES; a block of data is encrypted three times with three different keys, which makes it stronger.

AES (Advanced Encryption Standard): the next-generation encryption standard, with high speed and a high security level.


Asymmetric encryption algorithms

Common asymmetric encryption algorithms are as follows:

RSA: a public-key algorithm that supports variable-length keys; the length of the block to be encrypted is also variable.

DSA (Digital Signature Algorithm): a standard digital signature algorithm, specified in DSS (Digital Signature Standard).

ECC (Elliptic Curve Cryptography): cryptography based on elliptic curves.
