HTTPS (full name: Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel aimed at security. Put simply, it is the secure version of HTTP: an SSL layer is added beneath HTTP. The security foundation of HTTPS is SSL, so the details of the encryption are those of SSL. HTTPS is a URI scheme (an abstract identifier system) with a syntax similar to the http: scheme, used for secure HTTP data transmission. An https: URL indicates that HTTP is used, but with a default port different from HTTP's and an encryption/authentication layer (between HTTP and TCP). The system was initially developed by Netscape to provide authentication and encrypted communication, and is now widely used for secure and sensitive communications on the World Wide Web, such as payment transactions.
Case Application 1: HTTPS implementation for a Web server architecture

1. Enterprise requirements: a company needs to build a CA certificate server inside the company to improve its certificate service (implemented on Windows Server 2008); the CA also provides certificate services and normal service for the company's internal WWW servers.

2. Simplified topology of the case application:

3. Case implementation steps:

(1) Build a CA certificate server on Windows Server

(2) Install the corresponding software on the web server

    [root@www ~]# mkdir /mnt/cdrom
    [root@www ~]# mount /dev/cdrom /mnt/cdrom/
    [root@www ~]# cd /mnt/cdrom/Server/
    [root@www Server]# rpm -ivh httpd-2.2.3-22.el5.i386.rpm
    [root@www ~]# yum install -y mod_ssl

(3) Configure the web server virtual hosts

    # create the web page files
    [root@www]# cat html/index.html
    -- www -- xjzhujunjie -- 2012/03/17
    [root@www]# cat tec/index.html
    -- tec -- xjzhujunjie -- 2012/03/17
    [root@www]# cat mkt/index.html
    -- mkt -- xjzhujunjie -- 2012/03/17

    # edit the apache configuration file
    [root@www ~]# vim /etc/httpd/conf/httpd.conf
    Listen 80
    NameVirtualHost 192.168.101.111:80
    <VirtualHost 192.168.101.111:80>
        ServerAdmin master@junjie.com
        DocumentRoot /var/www/html
        ServerName www.2cto.com
        ErrorLog logs/www-error_log
        CustomLog logs/www-access_log common
    </VirtualHost>
    <VirtualHost 192.168.101.111:80>
        ServerAdmin master@junjie.com
        DocumentRoot /var/www/tec
        ServerName tec.junjie.com
        ErrorLog logs/tec-error_log
        CustomLog logs/tec-access_log common
    </VirtualHost>
    <VirtualHost 192.168.101.111:80>
        ServerAdmin master@junjie.com
        DocumentRoot /var/www/mkt
        ServerName mkt.junjie.com
        ErrorLog logs/mkt-error_log
        CustomLog logs/mkt-access_log common
    </VirtualHost>

(4) Restart the web server and test the virtual hosts

    [root@www ~]# service httpd restart    # restart the apache service

On the Win7 client, add the following entries to C:\Windows\System32\drivers\etc\hosts:

    192.168.101.250 www.2cto.com
    192.168.101.250 tec.2cto.com
    192.168.101.250 mkt.2cto.com

The test result with the IE 9 browser on the Win7 client is as follows (virtual hosts completed):

(5) Apply for a certificate for the web server

    [root@www httpd]# mkdir certs
    [root@www httpd]# cd certs/
    [root@www certs]# openssl genrsa 1024 > httpd.key
    [root@www certs]# chmod 600 httpd.key

Values entered for the certificate request (country / state / locality / organization / organizational unit / common name / email):

    CN / HENAN / ZHENGZHOU / zzu / junjie / www.2cto.com / xjzhujunjie@hotmail.com

Start the desktop environment on the Linux web server to apply for the certificate. In the Firefox browser, open http://192.168.101.112/certsrv, choose to request a certificate to reach the certificate request page, and paste in the contents of the generated request file. The certificate server then returns a message to the web server saying that the request is under review.

Now go to the Windows Server 2008 certificate server and review the certificate requested by the web server. Select the pending requests, right-click the request submitted by the web server, and under All Tasks choose to issue the certificate to the web server. The certificate can then be seen under Issued Certificates.

On the Linux web server, open http://192.168.101.112/certsrv again, view the pending certificate request, and download the certificate that was just issued. By default it is saved on the desktop; move it to /etc/httpd/certs.

(6) Modify the web server certificate settings

    [root@junjie ~]# vim /etc/httpd/conf.d/ssl.conf
    SSLCertificateFile /etc/httpd/certs/httpd.cer
    SSLCertificateKeyFile /etc/httpd/certs/httpd.key
    SSLCertificateChainFile /etc/httpd/certs/cacert.p7b
    [root@www ~]# service httpd restart    # restart the apache service

(7) The Win7 client uses https to access the web page securely

Test with IE9 on Win7 and enter the secure URL https://www.junjie.com. The browser shows a security warning saying that there is a problem with the website's security certificate; the warning is displayed as follows. If the user chooses to continue anyway, the site is still accessible, but the browser's address bar turns red to warn that the website is not secure.

Note: I did not solve the certificate problem, because I didn't use the IE9 browser; the Sogou browser is used to solve the certificate error! If you can help me solve the problem, please leave a message on this article. Thank you!

The warning shown by the Sogou browser is as follows. In this case, choose View Certificate > Certification Path > View, and install the root certificate and the web server certificate with Install Certificate; choose to continue installing the certificate, and then you can check that there is no longer a certificate problem, as shown below:

On Win7, the Sogou high-speed browser, the Google Chrome browser and the Internet Explorer 9 browser all show secure access, as shown below:

****************************************

Case 1: HTTPS with self-issued certificates for a Web server architecture

1. Enterprise requirements: a company needs web server functionality on Linux with self-issued certificates (requirement: the Linux server is both the web server and the certificate server).

2. Simplified topology of the case application:

3.
Case implementation steps:

(1) Install the corresponding software on the web server

    [root@www ~]# mkdir /mnt/cdrom
    [root@www ~]# mount /dev/cdrom /mnt/cdrom/
    [root@www ~]# cd /mnt/cdrom/Server/
    [root@www Server]# rpm -ivh httpd-2.2.3-22.el5.i386.rpm
    [root@www ~]# yum install -y mod_ssl

(2) Create the root certificate of the CA certificate server

    [root@www ~]# cd /etc/pki/
    [root@www pki]# vim tls/openssl.cnf
    dir = /etc/pki/CA                      # Where everything is kept
    certs = $dir/certs                     # Where the issued certs are kept
    crl_dir = $dir/crl                     # Where the issued crl are kept
    database = $dir/index.txt              # database index file.
    new_certs_dir = $dir/newcerts          # default place for new certs
    certificate = $dir/cacert.pem          # The CA certificate
    serial = $dir/serial                   # The current serial number
    private_key = $dir/private/cakey.pem   # The private key
    countryName = optional
    stateOrProvinceName = optional
    organizationName = optional

    [root@www pki]# cd /etc/pki/CA/
    [root@www CA]# mkdir certs crl newcerts
    [root@www CA]# touch index.txt serial
    [root@www CA]# echo "01" > serial
    [root@www CA]# openssl genrsa 1024 > private/cakey.pem
    Generating RSA private key, 1024 bit long modulus
    ........................++
    ....++
    e is 65537 (0x10001)
    [root@www CA]# chmod 600 private/cakey.pem
    [root@www CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
    Country Name (2 letter code) [GB]: CN
    State or Province Name (full name) [Berkshire]: HENAN
    Locality Name (eg, city) [Newbury]: ZHENGZHOU
    Organization Name (eg, company) [My Company Ltd]: zzu
    Organizational Unit Name (eg, section) []: junjie
    Common Name (eg, your name or your server's hostname) []: rootca.junjie.com
    Email Address []: master@junjie.com

(3) Issue a certificate for the web server

    [root@www CA]# mkdir /etc/httpd/certs
    [root@www CA]# cd /etc/httpd/certs
    [root@www certs]# openssl genrsa 1024 > httpd.key
    Generating RSA private key, 1024 bit long modulus
    ..............++
    ........++
    e is 65537 (0x10001)
    [root@www certs]# chmod 600 httpd.key
    [root@www certs]# openssl req -new -key httpd.key -out httpd.csr
    Country Name (2 letter code) [GB]: CN
    State or Province Name (full name) [Berkshire]: HENAN
    Locality Name (eg, city) [Newbury]: ZHENGZHOU
    Organization Name (eg, company) [My Company Ltd]: zzu
    Organizational Unit Name (eg, section) []: junjie
    Common Name (eg, your name or your server's hostname) []: www.junjie.com
    [root@www certs]# openssl ca -in httpd.csr -out httpd.crt
    [root@www certs]# chmod 600 *

(4) Configure the certificate for the web server

    [root@www certs]# cd /etc/httpd/conf.d
    [root@www conf.d]# vim ssl.conf
    SSLCertificateFile /etc/httpd/certs/httpd.crt
    SSLCertificateKeyFile /etc/httpd/certs/httpd.key
    SSLCertificateChainFile /etc/pki/CA/cacert.pem

(5) The Win7 client uses https to access the web page securely

    [root@www ~]# service httpd restart    # restart the apache service

On the Win7 client, add 192.168.101.250 www.junjie.com to C:\Windows\System32\drivers\etc\hosts.

Enter the secure URL https://www.junjie.com. The browser shows a security warning saying that there is a problem with the website's security certificate; the warning is displayed as follows. If the user chooses to continue anyway, the site is still accessible, but the browser's address bar turns red to warn that the website is not secure.

Note: I did not solve the certificate problem, because I didn't use the IE9 browser; the Sogou browser is used to solve the certificate error! If you can help me solve the problem, please leave a message on this article. Thank you!

The solution using Sogou is as follows: choose View Certificate > Certification Path > View, and install the root certificate and the web server certificate with Install Certificate; choose to continue installing the certificate, and then you can check that there is no longer a certificate problem, as shown below:

On Win7, the Sogou high-speed browser and the Internet Explorer 9 browser both display secure access, as shown below:

View the certificate information:
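
Added example (not part of the original article): a shell check for three common causes of the browser warning described in both cases, namely a server certificate that does not chain to the CA the client trusts, a URL host name that is not in the certificate, and an RSA key shorter than 2048 bits. It assumes OpenSSL 1.1.1 or later; the temporary files, the 2048-bit keys and the subjectAltName entry are assumptions of this example, and the host names are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the article. Assumes the openssl CLI and RSA keys.
# diagnose CA_PEM SERVER_CRT HOSTNAME  -> prints one verdict word
diagnose() {
    ca=$1; crt=$2; host=$3
    # 1. Does the server certificate chain to the CA the client trusts?
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo untrusted-chain; return; }
    # 2. Is the host name from the URL in the certificate (SAN, else CN)?
    openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q 'does match' \
        || { echo name-mismatch; return; }
    # 3. Is the RSA public key at least 2048 bits?
    bits=$(openssl x509 -in "$crt" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo weak-key; return; }
    echo ok
}

# Constructed test material: two throwaway roots and one server certificate.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = rootca.junjie.com
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
make_ca() {   # make_ca NAME: self-signed root in $work/NAME.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$work/ca.cnf" \
        -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}
make_ca rootca; make_ca otherca
openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
    -subj "/CN=www.junjie.com" \
    -keyout "$work/httpd.key" -out "$work/httpd.csr" 2>/dev/null
printf 'subjectAltName=DNS:www.junjie.com\n' > "$work/san.ext"
openssl x509 -req -in "$work/httpd.csr" -days 30 -extfile "$work/san.ext" \
    -CA "$work/rootca.pem" -CAkey "$work/rootca.key" -CAcreateserial \
    -out "$work/httpd.crt" 2>/dev/null

diagnose "$work/rootca.pem"  "$work/httpd.crt" www.junjie.com   # ok
diagnose "$work/rootca.pem"  "$work/httpd.crt" www.2cto.com     # name-mismatch
diagnose "$work/otherca.pem" "$work/httpd.crt" www.junjie.com   # untrusted-chain
```

To check a real deployment, call diagnose with the CA file that was imported on the client, the certificate named in SSLCertificateFile, and the host name typed into the browser.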