First, a few words about HTTPS.
https: HTTP over SSL (in practice today, over TLS; the steps below are the classic simplified picture).
Simplified flow of an SSL session
(1) The client sends the list of cipher suites it can use and asks the server for its certificate.
(2) The server sends its certificate and the cipher suite it selected to the client.
(3) The client receives the certificate and validates it.
If it trusts the CA that issued the certificate:
(a) verify the certificate's origin: check the digital signature on the certificate with the CA's public key;
(b) verify the certificate's content: integrity check (the signed hash must match the certificate body);
(c) check the validity period (notBefore / notAfter);
(d) check whether the certificate has been revoked (CRL or OCSP);
(e) the owner name in the certificate (Common Name or, preferably, subjectAltName) must match the host being accessed.
(4) The client generates a temporary session key (a symmetric key), encrypts it with the server's public key
and sends it to the server, which completes the key exchange. (This is the RSA key-transport variant; modern TLS prefers an ephemeral Diffie-Hellman exchange so that a stolen server key cannot decrypt recorded sessions, but the certificate checks in step 3 are the same.)
(5) The server encrypts the requested resource with this session key and returns it to the client.
Note: SSL is bound to the IP address: without the SNI extension, a host with a single IP can serve only one https virtual host. Modern browsers and curl send SNI, so name-based https virtual hosts work with them; legacy clients may not.
Lab hosts: CA = 192.168.37.107 (CentOS 7); web server = 192.168.37.106 (CentOS 6); client = CentOS 5
On the CA server (CentOS 7):
1. Build the CA
(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3000
touch /etc/pki/CA/index.txt
echo 00 > /etc/pki/CA/serial
/etc/pki/CA is the default CA directory set in the [ CA_default ] section of /etc/pki/tls/openssl.cnf; openssl ca refuses to run until index.txt (the database of issued certificates) and serial (the next serial number, in hex) exist. The umask 066 keeps the CA private key readable by root only. RFC 5280 requires certificate serial numbers to be positive, so echo 01 > /etc/pki/CA/serial is the safer starting value.
2. On CentOS 6: the client (the web server) requests a certificate
Create a directory dedicated to the certificate files: mkdir /etc/httpd/conf.d/ssl/
(umask 066; openssl genrsa -out /etc/httpd/conf.d/ssl/httpd.key 2048)
openssl req -new -key /etc/httpd/conf.d/ssl/httpd.key -out /etc/httpd/conf.d/ssl/httpd.csr
scp /etc/httpd/conf.d/ssl/httpd.csr 192.168.37.107:/etc/pki/CA/
When openssl req prompts for the subject, the Common Name must be the name clients will use (www.magedu.com here), and under the default policy_match in openssl.cnf the Country, State and Organization must match the values entered for the CA certificate, otherwise openssl ca rejects the request. Only the CSR is copied to the CA; the private key never leaves the web server.
3. Issue the certificate, on CentOS 7
openssl ca -in /etc/pki/CA/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 300
openssl ca displays the request and asks for confirmation twice (sign? commit?); after that the certificate file exists and index.txt records it.
Now the certificate can be copied back to the web server:
scp /etc/pki/CA/certs/httpd.crt 192.168.37.106:/etc/httpd/conf.d/ssl/
scp /etc/pki/CA/cacert.pem 192.168.37.106:/etc/httpd/conf.d/ssl/
Supplement: the CA's behaviour (its directory, default validity, subject policy) comes from the [ CA_default ] section of /etc/pki/tls/openssl.cnf, which can be edited as well.
On CentOS 6, confirm the certificate files are present: cd /etc/httpd/conf.d/ssl (httpd.key, httpd.csr, httpd.crt and cacert.pem should all be there)
4. Now configure the httpd service
Install the package: yum -y install mod_ssl
Edit the configuration file: /etc/httpd/conf.d/ssl.conf
Change the paths:
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem (the issuing CA's certificate)
SSLCACertificateFile is the CA set httpd uses to verify client certificates; with a one-level private CA the server needs nothing else, but if an intermediate CA sits between the root and the server certificate, the intermediate must be sent to clients (SSLCertificateChainFile on httpd 2.2), or browsers will not be able to build the chain.
Check the syntax and reload the service: httpd -t && service httpd reload
Now the site can be accessed from the client:
The browser still does not trust our self-built CA (hence the certificate warning), so we import cacert.pem into the browser's trusted root store ourselves:
Add a name-to-IP entry for www.magedu.com in the hosts file (on Windows, C:\Windows\System32\drivers\etc\hosts) so that the hostname in the URL matches the name in the certificate:
5. Test https access to the host
1. curl --cacert cacert.pem https://www.magedu.com/
2. openssl s_client -connect www.magedu.com:443 -CAfile /etc/pki/CA/cacert.pem
With curl, a successful page fetch proves the chain validates against our CA; without --cacert (or with the wrong CA file) curl aborts with a certificate verify error. With s_client, look for "Verify return code: 0 (ok)" near the end of the output: s_client completes the handshake even when verification fails and only reports the error code, unless -verify_return_error is given.
Then type an HTTP request into the s_client session (e.g. GET / HTTP/1.1, a Host: www.magedu.com line and an empty line); the server's response comes back over the encrypted connection.
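The whole procedure above, the checks (a)-(e) of step 3, the CA work of steps 1-3 and the s_client test of step 5, can be rehearsed offline in one script. This is an added example, not from the original post: it builds a throw-away CA in a temporary directory that mirrors the /etc/pki/CA layout, issues a certificate for the hypothetical name www.example.test (standing in for www.magedu.com), checks chain, validity, hostname and revocation with the openssl CLI, and finally runs a local s_server/s_client handshake with -CAfile. It assumes openssl 1.1.0 or newer on PATH and a free loopback port 14433; the subject names, the port and the temp-directory layout are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: a throw-away CA that mirrors the
# /etc/pki/CA layout, a server certificate for the hypothetical name
# www.example.test, and the checks (a)-(e) done with the openssl CLI.
# Nothing touches /etc/pki; everything lives in a temporary directory.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/CA"; CNF="$WORK/openssl.cnf"
HOST=www.example.test           # assumed hostname, stands in for www.magedu.com
PORT=14433                      # assumed free loopback port for the live handshake

mkdir -p "$CADIR/private" "$CADIR/certs" "$CADIR/newcerts"
touch "$CADIR/index.txt"        # database of issued certificates (openssl ca needs it)
echo 01 > "$CADIR/serial"       # next serial, hex; RFC 5280 requires a positive value
echo 01 > "$CADIR/crlnumber"    # next CRL number, needed for -gencrl

# Stand-in for /etc/pki/tls/openssl.cnf: only the sections openssl req/ca need.
cat > "$CNF" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
database         = $CADIR/index.txt
new_certs_dir    = $CADIR/newcerts
serial           = $CADIR/serial
crlnumber        = $CADIR/crlnumber
certificate      = $CADIR/cacert.pem
private_key      = $CADIR/private/cakey.pem
default_md       = sha256
default_days     = 300
default_crl_days = 30
policy           = policy_lab
x509_extensions  = server_ext
unique_subject   = no
[ policy_lab ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:$HOST
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
EOF

# 1. CA: private key and self-signed root (the page's commands; -subj replaces the prompts)
(umask 066; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
openssl req -config "$CNF" -new -x509 -key "$CADIR/private/cakey.pem" \
    -out "$CADIR/cacert.pem" -days 3000 -subj "/C=CN/O=Lab/CN=Lab Root CA"
# 2. Web server: private key and CSR; the CN is the name clients will connect to
(umask 066; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
openssl req -config "$CNF" -new -key "$WORK/httpd.key" -out "$WORK/httpd.csr" \
    -subj "/C=CN/O=Lab/CN=$HOST"
# 3. CA signs the CSR; -batch stands in for the two y/y confirmations
openssl ca -config "$CNF" -batch -notext -in "$WORK/httpd.csr" \
    -out "$CADIR/certs/httpd.crt" -days 300 2>/dev/null
CERT="$CADIR/certs/httpd.crt"; CACERT="$CADIR/cacert.pem"

# (a)+(b): signature and chain verified against the trusted CA certificate
verify_chain()      { openssl verify -CAfile "$CACERT" "$CERT" 2>&1 | grep -q ': OK$'; }
# (c): not expired now (-checkend N fails if the certificate expires within N seconds)
check_not_expired() { openssl x509 -in "$CERT" -noout -checkend 0 >/dev/null; }
# (e): the name in the certificate (SAN/CN) must match the host being contacted
check_hostname()    { openssl verify -CAfile "$CACERT" -verify_hostname "$1" "$CERT" 2>&1 | grep -q ': OK$'; }
# (d): succeeds only when verification against the CA's CRL reports the cert as revoked
check_revoked()     { openssl verify -CAfile "$CACERT" -crl_check -CRLfile "$CADIR/crl.pem" "$CERT" 2>&1 | grep -q 'certificate revoked'; }
# Steps (1)-(5) live: s_server plays httpd, s_client plays "curl --cacert"
tls_handshake_ok() {
    openssl s_server -accept "$PORT" -cert "$CERT" -key "$WORK/httpd.key" -www >/dev/null 2>&1 &
    srv=$!; sleep 1
    out=$(echo | openssl s_client -connect "127.0.0.1:$PORT" -servername "$HOST" \
              -CAfile "$CACERT" -verify_hostname "$HOST" 2>&1) || true
    kill "$srv" 2>/dev/null || true
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

verify_chain       && echo "chain:      OK"
check_not_expired  && echo "validity:   OK"
check_hostname "$HOST"           && echo "hostname:   $HOST matches"
check_hostname evil.example.test || echo "hostname:   evil.example.test rejected, as it should be"
if tls_handshake_ok; then echo "handshake:  Verify return code 0 (ok)"; else echo "handshake:  skipped (port busy or no loopback)"; fi

# Revoke the certificate and publish a CRL: the same certificate now fails the CRL check
openssl ca -config "$CNF" -revoke "$CERT" 2>/dev/null
openssl ca -config "$CNF" -gencrl -out "$CADIR/crl.pem" 2>/dev/null
check_revoked && echo "revocation: certificate is listed in the CRL"
```

The script mirrors the page's division of labour: the CA directory holds the CA key, cacert.pem, index.txt and serial; the "web server" only ever hands over the CSR and receives the signed certificate. Note that s_client does not consult the CRL at all, which is why check (d) is shown separately with -crl_check; browsers use CRLs or OCSP for that step.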
Redirecting http to https
Forward http requests to the https URL.
Redirect (mod_alias):
Redirect [status] URL-path URL
status values:
permanent: returns a permanent redirect status (301) indicating that the resource has moved permanently
temp: returns a temporary redirect status (302). This is the default
Example:
Redirect temp / https://www.magedu.com/
For an http-to-https switch, permanent is the better choice: browsers cache a 301 and stop sending the plaintext request first.
RewriteEngine on (the rewrite engine, mod_rewrite)
Location: /etc/httpd/conf.d/httpd.conf (any file that httpd includes, such as the main /etc/httpd/conf/httpd.conf, works)
Then reload: service httpd reload
Location: /etc/hosts (on the client; www.magedu.com must resolve to 192.168.37.106 so the redirect target can be reached)
Test: request the http URL and confirm the answer is a redirect to https://www.magedu.com/.
Second method (mod_rewrite):
Location: the same httpd configuration file, with RewriteEngine on and the rewrite rule that sends every http request to the https URL.
Then reload: service httpd reload
Location: /etc/hosts (on the client)
Test: request the http URL again and confirm the redirect.
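The server side of step 4 and both redirect methods, put together in one configuration, as an added example rather than the page's own files. It assumes the paths and the name www.magedu.com used above; the DocumentRoot is an assumption, and only one of the two redirect methods should be active at a time.

```apache
# Added example (not from the original post). Paths and hostname are those used
# above; DocumentRoot is assumed.

# /etc/httpd/conf.d/ssl.conf (only the lines that matter)
Listen 443
<VirtualHost _default_:443>
    ServerName www.magedu.com:443
    DocumentRoot /var/www/html
    SSLEngine on
    # SSLv2 and SSLv3 are broken; keep only TLS (syntax accepted by httpd 2.2 on CentOS 6).
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    /etc/httpd/conf.d/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
    # CA certificate: httpd needs it only for client-certificate auth; clients need
    # cacert.pem in their own trust store, as the "curl --cacert" test shows.
    SSLCACertificateFile  /etc/httpd/conf.d/ssl/cacert.pem
</VirtualHost>

# Plain-http virtual host: nothing is served here, every request is sent to https.
<VirtualHost *:80>
    ServerName www.magedu.com

    # Method 1: mod_alias. "permanent" = 301; the page's example uses "temp" (302),
    # which browsers do not cache, so they keep trying http first.
    Redirect permanent / https://www.magedu.com/

    # Method 2: mod_rewrite (use one method or the other, not both).
    # The RewriteCond keeps the rule from looping if it ever ends up in a shared context.
    #RewriteEngine on
    #RewriteCond %{HTTPS} !=on
    #RewriteRule ^ https://www.magedu.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Check before reloading, then verify from the client:
#   httpd -t && service httpd reload
#   curl -I http://www.magedu.com/     -> HTTP/1.1 301 ... Location: https://www.magedu.com/
#   curl --cacert cacert.pem https://www.magedu.com/
```

With Redirect, the URL-path "/" matches every request and the remainder of the path is appended to the target, so http://www.magedu.com/a/b becomes https://www.magedu.com/a/b; the RewriteRule form does the same through %{REQUEST_URI}.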
This post is from the “shell脚本” blog; contact the author before reprinting.
Implementing HTTPS
Original URL: http://menglin.blog.51cto.com/13298759/1974906