Rails + Apache2 + Passenger + SSL: implementing HTTPS bidirectional (mutual) authentication
Environment:
System: CentOS 7
Server: Apache (httpd) 2.4.6
Certificate generation tool: OpenSSL 1.0.1
Rails version: 4.1.6
Preparatory work:
Install Apache and OpenSSL
# yum install httpd httpd-devel httpd-tools
# yum install openssl
Install mod_ssl
# yum install mod_ssl
I. Create the root certificate
1 Create the CA private key
# openssl genrsa -out ca.key 1024
2 Create the CA signing request (fill in the information as prompted; leave the password option empty by just pressing Enter, otherwise the server will ask for the password every time it starts, which is a nuisance)
# openssl req -new -key ca.key -out ca.csr
(
What follows are the fields to fill in; answer each prompt as shown:
Country Name (2 letter code) [GB]:CN                          // country
State or Province Name (full name) [Berkshire]:anhui          // province
Locality Name (eg, city) [Newbury]:bozhou                     // city
Organization Name (eg, company) [My Company Ltd]:xuewb.com    // organization name
Organizational Unit Name (eg, section) []:xuewb.com           // unit name
Common Name (eg, your name or your server's hostname) []:*.xuewb.com   // fill in according to your own situation; do not get this wrong
Email Address []:[email protected]                            // email
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:            // password; can be left empty, otherwise it must be entered every time you use the key
An optional company name []:        // can be left empty
)
3 Issue the CA root certificate yourself (self-signed)
# openssl x509 -req -days 365 -signkey ca.key -in ca.csr -out ca.crt
II. Issue the server certificate
1 Create the server private key
# openssl genrsa -out server.key 1024
2 Create the server certificate issuance request
# openssl req -new -key server.key -out server.csr
3 Issue the server certificate using the CA root certificate created in the previous step
# openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAserial ca.srl -CAcreateserial -in server.csr -out server.crt
III. Issue the client certificate
1 Create the client private key
# openssl genrsa -out client.key 1024
2 Create the client certificate issuance request
# openssl req -new -key client.key -out client.csr
3 Issue the client certificate with the CA root certificate
# openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
4 Convert the client certificate to PKCS#12 (.p12) format (this is the format in which your certificate can be imported into the browser)
# openssl pkcs12 -export -clcerts -inkey client.key -in client.crt -out client.p12
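Steps I to III above, collected into one non-interactive script and followed by the check the post does not show: that server.crt and client.crt actually chain to ca.crt before anything is copied to httpd or imported into a browser. This is an added example, not the author's script. It assumes `openssl` is on PATH; the subject fields and the PKCS#12 export password ("changeit") are constructed sample values, and it deliberately uses 2048-bit keys rather than the 1024-bit keys shown in the post, since 1024-bit RSA is no longer considered adequate.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Builds the CA, server and
# client certificates of steps I-III without prompting, then verifies the
# chain. Assumptions: openssl on PATH; subject values below are constructed.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"   # where the key/csr/crt files are written
DAYS_SERVER=365
DAYS_CLIENT=3650

# Step I: self-signed CA. -subj/-batch answer the prompts the post fills in
# by hand; no challenge password is set, as the post recommends.
make_ca() {
    openssl genrsa -out "$PKI_DIR/ca.key" 2048 2>/dev/null
    openssl req -new -batch -key "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.csr" \
        -subj "/C=CN/ST=anhui/L=bozhou/O=xuewb.com/OU=xuewb.com/CN=xuewb CA"
    openssl x509 -req -days 365 -signkey "$PKI_DIR/ca.key" \
        -in "$PKI_DIR/ca.csr" -out "$PKI_DIR/ca.crt"
}

# Steps II and III: issue a leaf certificate signed by the CA.
# $1 = file stem (server|client), $2 = Common Name, $3 = validity in days.
issue_cert() {
    stem=$1; cn=$2; days=$3
    openssl genrsa -out "$PKI_DIR/$stem.key" 2048 2>/dev/null
    openssl req -new -batch -key "$PKI_DIR/$stem.key" -out "$PKI_DIR/$stem.csr" \
        -subj "/C=CN/ST=anhui/L=bozhou/O=xuewb.com/CN=$cn"
    # -CAcreateserial creates ca.srl on first use and increments it afterwards,
    # so every certificate issued by this CA gets a distinct serial number.
    openssl x509 -req -days "$days" -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" \
        -CAcreateserial -in "$PKI_DIR/$stem.csr" -out "$PKI_DIR/$stem.crt"
}

# Step III.4: bundle client key + certificate for browser import. pkcs12 -export
# always wants an export password; "changeit" is a constructed placeholder.
export_p12() {
    openssl pkcs12 -export -clcerts -inkey "$PKI_DIR/client.key" \
        -in "$PKI_DIR/client.crt" -out "$PKI_DIR/client.p12" -passout pass:changeit
}

# The check the post omits: does the leaf certificate chain to ca.crt?
# Exit status 0 means "OK"; anything else means httpd/the browser will reject it too.
verify_against_ca() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/$1.crt" >/dev/null 2>&1
}

# Print the subject so the Common Name can be compared with the hostname used in step IX.
cert_subject() {
    openssl x509 -noout -subject -in "$PKI_DIR/$1.crt"
}

build_pki() {
    make_ca
    issue_cert server '*.xuewb.com' "$DAYS_SERVER"
    issue_cert client 'xuewb client' "$DAYS_CLIENT"
    export_p12
}

build_pki
verify_against_ca server && echo "server.crt chains to ca.crt"
verify_against_ca client && echo "client.crt chains to ca.crt"
cert_subject server
```

Run it as `PKI_DIR=/some/dir sh make_pki.sh`; the resulting ca.crt, server.crt and server.key are what step V copies into the httpd certificate directory, and client.p12 is what step IV imports into the browser.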
=============================
Note: use the following commands to inspect the contents of the corresponding files
1 View private key information
# openssl rsa -noout -text -in ca.key
2 View the generated signing request file
# openssl req -noout -text -in ca.csr
3 View the CA root certificate
# openssl x509 -noout -text -in ca.crt
=============================
IV. Import the root certificate, server certificate and client certificate created above into the browser
(1) I use the Firefox browser. Import the certificates via:
Edit ----> Preferences ----> Advanced ----> Certificates ----> View Certificates ----> Servers ----> Import
Then import the CA root certificate (ca.crt) and the server certificate (server.crt) created in the steps above.
(2) Import the client certificate:
Edit ----> Preferences ----> Advanced ----> Certificates ----> View Certificates ----> Your Certificates ----> Import
Note that in this step you import not the client.crt file but the converted client.p12 file.
V. Configure the Apache2 server (httpd)
The configuration file rails_ssl.conf is as follows (this file is complete on its own, but do not delete or move the ssl.conf generated when mod_ssl was installed, as it carries some basic settings; if you do want to move it, put those basic settings into this configuration file instead):
#===================================================================
# Remarks:
DocumentRoot /var/www/html/xuewb/public
The xuewb in this line is the name of the Rails project I created.
SSLCertificateFile /etc/httpd/cfb_crt/cfb/server.crt
/etc/httpd/cfb_crt/cfb/server.crt in this line is the path where I stored the files produced in the steps above; I copied the required files into
the /etc/httpd/cfb_crt/cfb directory. When configuring, change it to the location of your own files, and make sure httpd has permission to read them.
#====================================================================
VI. Edit the hosts file to map the s.crowdroid.com domain to the local server
# vim /etc/hosts
127.0.0.1 s.xuewb.com
Save and exit (:wq!)
VII. Restart httpd
# sudo service httpd restart
VIII. Turn SELinux off first, otherwise access will be restricted
# sudo setenforce 0
#===================================================
Note:
Check the status with: # getenforce
(If it reports Permissive, SELinux has been turned off; if it reports Enforcing, it has not. setenforce only turns it off temporarily, until the next server restart. To disable it permanently, as root run vim /etc/sysconfig/selinux, change SELINUX=enforcing to SELINUX=disabled, and reboot for the change to take effect.)
#===================================================
IX. Visit https://s.xuewb.com
Resources:
http://httpd.apache.org/docs/2.4/en/ssl/
http://kyfxbl.iteye.com/blog/1910891
http://blog.chinaunix.net/uid-20553497-id-2239318.html
#========= Brief explanation ============
Symmetric encryption algorithms
Symmetric encryption algorithms are used to encrypt sensitive data. Commonly used algorithms include:
DES (Data Encryption Standard): an encryption standard; fast, suitable for encrypting large amounts of data.
3DES (Triple DES): based on DES, encrypts a block of data three times with three different keys, giving higher strength.
AES (Advanced Encryption Standard): the next-generation encryption algorithm standard; fast, with a high security level.
Asymmetric algorithms
Common asymmetric encryption algorithms are:
RSA: invented by RSA; a public-key algorithm that supports variable-length keys, and the length of the file blocks to be encrypted is also variable.
DSA (Digital Signature Algorithm): a digital signature algorithm; it is a standard, the DSS (Digital Signature Standard).
ECC (Elliptic Curve Cryptography): elliptic curve cipher.