https: HTTP over SSL = https, 443/tcp
ssl: v3
tls: v1
https://

Simplified SSL session process:
(1) The client sends the list of cipher suites it supports and asks the server for its certificate;
(2) The server sends its certificate and the selected cipher suite to the client;
(3) The client obtains the certificate and verifies it. If it trusts the CA that issued the certificate:
    (a) verify the legitimacy of the certificate's origin: decrypt the digital signature on the certificate with the CA's public key;
    (b) verify the legitimacy of the certificate's contents: integrity check;
    (c) check the certificate's validity period;
    (d) check whether the certificate has been revoked;
    (e) the owner name in the certificate must match the target host being accessed;
(4) The client generates a temporary session key (a symmetric key), encrypts it with the server's public key and sends it to the server, which completes the key exchange;
(5) The server encrypts the resources the user requested with this secret key and returns them to the client.

Note: an SSL session is established based on the IP address, so a host with a single IP can serve only one https virtual host.

Review of a few terms: PKI, CA, CRL, X.509 (v1, v2, v3)

Configuring httpd to support https:
(1) Apply for a digital certificate for the server;
    For testing, issue the certificate through a private CA:
    (a) create the private CA
    (b) create a certificate signing request on the server
    (c) have the CA sign the certificate
(2) Configure httpd to use ssl and the certificate:
    # yum -y install mod_ssl
    Configuration file: /etc/httpd/conf.d/ssl.conf
        DocumentRoot
        ServerName
        SSLCertificateFile
        SSLCertificateKeyFile
(3) Test access to the host over https:
    # openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]

Test walkthrough: centos7 (192.168.244.101) acts as the CA server.

[root@centos7 ~]# cd /etc/pki/CA/
[root@centos7 CA]# ls
certs  crl  newcerts  private
[root@centos7 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)    # generate the CA private key
Generating RSA private key, 2048 bit long modulus
......+++
......+++
e is 65537 (0x10001)
[root@centos7 CA]# ll
total 0
drwxr-xr-x. 2 root root  6 Jun 29  2015 certs
drwxr-xr-x. 2 root root  6 Jun 29  2015 crl
drwxr-xr-x. 2 root root  6 Jun 29  2015 newcerts
drwx------. 2 root root 22 May  9 22:00 private
[root@centos7 CA]# ll private/
total 4
-rw-------. 1 root root 1675 May  9 22:00 cakey.pem
[root@centos7 CA]# ls
certs  crl  newcerts  private
[root@centos7 CA]# touch index.txt
[root@centos7 CA]# echo 01 > serial
[root@centos7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7300    # create a self-signed certificate for the CA itself
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:FuJian
Locality Name (eg, city) [Default City]:XiaMen
Organization Name (eg, company) [Default Company Ltd]:wangsu
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:www.fush.com
Email Address []:[email protected]
[root@centos7 CA]# ll
total 8
-rw-r--r--. 1 root root 1407 May  9 22:05 cacert.pem
drwxr-xr-x. 2 root root    6 Jun 29  2015 certs
drwxr-xr-x. 2 root root    6 Jun 29  2015 crl
-rw-r--r--. 1 root root    0 May  9 22:01 index.txt
drwxr-xr-x. 2 root root    6 Jun 29  2015 newcerts
drwx------. 2 root root   22 May  9 22:00 private
-rw-r--r--. 1 root root    3 May  9 22:01 serial

On the web (httpd) server, 192.168.244.100:

[root@web1 conf]# cd /etc/httpd/
[root@web1 httpd]# mkdir ssl
[root@web1 httpd]# cd ssl/
[root@web1 ssl]# (umask 077;openssl genrsa -out httpd.key 1024)    # generate the server key
Generating RSA private key, 1024 bit long modulus
.++++++
......++++++
e is 65537 (0x10001)
[root@web1 ssl]# ll
total 4
-rw------- 1 root root 891 Jun 13 07:35 httpd.key
[root@web1 ssl]# openssl req -new -key httpd.key -out httpd.csr    # generate the certificate signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:FuJian
Locality Name (eg, city) [Default City]:XiaMen
Organization Name (eg, company) [Default Company Ltd]:wangsu
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:www.web1.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@web1 ssl]# ll
total 8
-rw-r--r-- 1 root root 696 Jun 13 07:38 httpd.csr
-rw------- 1 root root 891 Jun 13 07:35 httpd.key

Next, send httpd.csr to the CA server:

[root@web1 ssl]# scp httpd.csr root@192.168.244.101:/tmp/

Sign the certificate on the CA server:

[root@centos7 CA]# openssl ca -in /tmp/httpd.csr -out certs/www.web1.com.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 10 02:30:52 2017 GMT
            Not After : May 10 02:30:52 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = FuJian
            organizationName          = wangsu
            organizationalUnitName    = Tech
            commonName                = www.web1.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                84:0F:DF:DE:6B:A2:CE:38:5E:E3:A4:8D:64:00:9B:0D:9B:AA:7B:16
            X509v3 Authority Key Identifier:
                keyid:AE:F2:75:4B:53:5B:9E:2E:30:1F:AE:09:48:EE:0C:87:D2:87:E8:D0
Certificate is to be certified until May 10 02:30:52 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos7 CA]# ls
cacert.pem  certs  crl  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old
[root@centos7 CA]# ls newcerts/
01.pem
[root@centos7 CA]# ls certs/
www.web1.com.crt

Return the signed certificate to the httpd server:

[root@centos7 CA]# scp certs/www.web1.com.crt 192.168.244.100:/etc/httpd/ssl

Next, configure httpd to use ssl:

[root@web1 ssl]# yum install -y mod_ssl
[root@web1 ssl]# httpd -M |grep ssl
 ssl_module (shared)
[root@web1 ssl]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem

Make a backup copy before editing:

[root@web1 conf.d]# cp ssl.conf{,.bak}
[root@web1 conf.d]# ll
total 32
-rw-r--r-- 1 root root  392 Jan 13  2017 README
-rw-r--r-- 1 root root 9465 Dec 13  2016 ssl.conf
-rw-r--r-- 1 root root 9465 Jun 13 08:11 ssl.conf.bak
-rw-r--r-- 1 root root  299 Dec 13  2016 welcome.conf
[root@web1 conf.d]# vim /etc/httpd/conf.d/ssl.conf

The main settings to change:

<VirtualHost *:443>
DocumentRoot "/vhost/web1/htdocs"
ServerName www.web1.com:443
SSLCertificateFile /etc/httpd/ssl/www.web1.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

[root@web1 conf.d]# ss -tnl|grep 443
LISTEN     0      128                      :::443                     :::*

Test the certificate (with the openssl s_client command):

# openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]

[root@centos7 CA]# openssl s_client -connect 192.168.244.100:443 -CAfile /etc/pki/CA/cacert.pem
GET / HTTP/1.1
Host: www.web1.com

After the handshake output, type the two request lines above (GET / HTTP/1.1 and Host: www.web1.com), then press Enter twice; the server returns the page:

HTTP/1.1 200 OK
Date: Mon, 13 Jun 2016 00:47:59 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 12 Jun 2016 18:58:27 GMT
ETag: "216dd-13-535195b6de019"
Accept-Ranges: bytes
Content-Length: 19
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

192.168.244.100:80
closed
[root@centos7 CA]# openssl s_client -connect 192.168.244.100:443 -servername www.web1.com

To test through a browser, import the CA certificate into the browser first:
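The whole private-CA procedure above, followed by the client-side checks of step (3), carried out end to end with openssl in a throwaway directory. This is an added example, not code from the original post: the DN values are reused from the post, while the "Private CA" and "Some Other CA" names, the file names under $WORK and the check_cert helper are constructed here, and openssl x509 -req stands in for the index.txt/serial based openssl ca command.

```shell
#!/bin/sh
# Added example: reproduce the private-CA flow from the post with openssl in a
# throwaway directory, then check the issued certificate the way the client does
# in step (3): trusted issuer (a,b), validity window (c), name match (e).
# Revocation (d) is not covered because no CRL is issued here.
# Assumes an openssl binary on PATH; every path and CA name below is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DN=/C=CN/ST=FuJian/L=XiaMen/O=wangsu/OU=Tech

# make_ca PREFIX CN: CA key plus self-signed CA cert (genrsa + req -new -x509)
make_ca() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/$1.key" -out "$WORK/$1.pem" -days 7300 \
    -subj "$DN/CN=$2" 2>/dev/null
}

# issue_server_cert CA_PREFIX HOSTNAME: server key, CSR, then CA-signed cert
# (openssl x509 -req stands in for the index.txt/serial based 'openssl ca')
issue_server_cert() {
  openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/httpd.key" -out "$WORK/httpd.csr" \
    -subj "$DN/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORK/httpd.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -out "$WORK/$2.crt" 2>/dev/null
}

# check_cert CERT CAFILE HOSTNAME: prints "ok" or the first failing check
check_cert() {
  cert=$1; cafile=$2; host=$3
  # (a)+(b): signature chains to a CA we trust, so the content is intact
  openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || { echo untrusted; return 0; }
  # (c): still valid for at least the next 24 hours
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null || { echo expired; return 0; }
  # (e): the subject CN must equal the host the client asked for
  cn=$(openssl x509 -in "$cert" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
  [ "$cn" = "$host" ] || { echo "name-mismatch:$cn"; return 0; }
  echo ok
}

make_ca ca "Private CA"                 # the CA at 192.168.244.101 in the post
make_ca other "Some Other CA"           # a CA the client does not trust
issue_server_cert ca www.web1.com
check_cert "$WORK/www.web1.com.crt" "$WORK/ca.pem" www.web1.com    # ok
check_cert "$WORK/www.web1.com.crt" "$WORK/ca.pem" www.fush.com    # name-mismatch:www.web1.com
check_cert "$WORK/www.web1.com.crt" "$WORK/other.pem" www.web1.com # untrusted
```

The second and third calls show why a browser that has not imported cacert.pem, or that is asked for a name other than the certificate's CN, refuses the connection even though the certificate itself is well formed.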
18. httpd's built-in utility programs
    htpasswd: generates the account/password file used when basic authentication is implemented with a file;
    apachectl: httpd's built-in service control script, supports start, stop;
    apxs: provided by the httpd-devel package, a tool for extending httpd with third-party modules;
    rotatelogs: log rotation tool;
        access.log --> access.log, access.1.log
        access.log, access.1.log, access.2.log
    suexec: when accessing resources with special permission configuration, temporarily switches to run as the specified user;
    ab: apache benchmark

19. http stress-testing tools
    ab, webbench, http_load, jmeter, loadrunner, tcpcopy

    ab [OPTIONS] URL
        -n: total number of requests
        -c: number of simulated concurrent clients (roughly, how many people request at the same time)
        -k: test in persistent-connection (keep-alive) mode

    ulimit -n #: adjust the number of files the current user may have open at the same time;

Test example:

[root@centos7 CA]# ab -c 100 -n 10000 http://192.168.244.100/deflate.html
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 192.168.244.100 (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 10000 requests
Finished 10000 requests

Server Software:        Apache/2.2.15
Server Hostname:        192.168.244.100
Server Port:            80

Document Path:          /deflate.html
Document Length:        20097 bytes

Concurrency Level:      100
Time taken for tests:   9.905 seconds
Complete requests:      10000
Failed requests:        0
Write errors:           0
Total transferred:      203920000 bytes
HTML transferred:       200970000 bytes
Requests per second:    1009.59 [#/sec] (mean)
Time per request:       99.050 [ms] (mean)
Time per request:       0.991 [ms] (mean, across all concurrent requests)
Transfer rate:          20105.06 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    2   7.6      0     122
Processing:    15   96  56.9     76     443
Waiting:        2   91  53.8     70     423
Total:         47   98  57.8     77     443

Percentage of the requests served within a certain time (ms)
  50%     77
  66%     89
  75%    108
  80%    122
  90%    163
  95%    218
  98%    297
  99%    332
 100%    443 (longest request)