Extra exercise:
Case requirements
1. Add HTTPS support to the httpd server that was compiled and installed from source, to improve its security.
2. When a client accesses the site over HTTP, it should be redirected automatically to HTTPS.
Knowledge tip
HTTPS stands for Hyper Text Transfer Protocol Secure. HTTPS actually uses SSL (Secure Sockets Layer) as a sub-layer beneath the HTTP application layer, encrypting the HTTP traffic that would otherwise travel in plaintext so that sensitive information cannot be captured or eavesdropped; for this reason HTTPS is common for Web access to online banking, secure mail and similar sites.
1. Confirm that the openssl package is installed on the system; it is used to generate the server's certificate
[root@localhost ~]# rpm -qa | grep openssl
openssl-0.9.8e-12.el5_4.6
openssl-devel-0.9.8e-12.el5_4.6
2. Confirm that the httpd package was compiled with the SSL support and rewrite support options
[root@localhost httpd-2.2.17]# ./configure --prefix=/usr/local/httpd --enable-so --enable-rewrite --enable-charset-lite --enable-cgi --with-ssl=/usr/lib --enable-ssl
[root@localhost httpd-2.2.17]# make
[root@localhost httpd-2.2.17]# make install
3. Generate the KEY private key file and issue the CRT certificate
To keep the exercise simple, the localhost.crt and localhost.key files shipped with RHEL5 can be used directly:
[root@localhost httpd-2.2.17]# cd /etc/pki/tls/
[root@localhost tls]# cp certs/localhost.crt /usr/local/httpd/conf/server.crt
[root@localhost tls]# cp private/localhost.key /usr/local/httpd/conf/server.key
Alternatively, the openssl tool can be used to generate a new key and certificate file:
[root@localhost ~]# cd /usr/local/httpd/conf/
[root@localhost conf]# openssl genrsa -out server.key 1024 // generate the server private key file
Generating RSA private key, 1024 bit long modulus
.......................................................................................++++++
..........++++++
e is 65537 (0x10001)
[root@localhost conf]# chmod 600 server.key
[root@localhost conf]# openssl req -new -key server.key -out server.csr
// generate the server certificate signing request (server.csr)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:China
Locality Name (eg, city) [Newbury]:Beijing
Organization Name (eg, company) [My Company Ltd]:Aptech
Organizational Unit Name (eg, section) []:Benet4.0
Common Name (eg, your name or your server's hostname) []:mail.benet.com
Email Address []:root@benet.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost conf]# ls -l server.key server.csr
-rw-r--r-- 1 root root 700 12-06 19:52 server.csr
-rw------- 1 root root 887 12-06 19:46 server.key
[root@localhost conf]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
// sign the server certificate with its own key (self-signed)
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=Aptech/OU=BENET/CN=mail.benet.com/emailAddress=root@benet.com
Getting Private key
[root@localhost conf]# ls -l server.key server.csr server.crt
-rw-r--r-- 1 root root 944 12-06 19:55 server.crt
-rw-r--r-- 1 root root 700 12-06 19:52 server.csr
-rw------- 1 root root 887 12-06 19:46 server.key
4. Adjust the httpd service configuration to add SSL and Rewrite support
[root@localhost conf]# vi httpd.conf
…… // part of the content omitted
Include conf/extra/httpd-ssl.conf // enable the default SSL configuration file
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
RewriteEngine on // enable rewriting and add the address-rewrite rules
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{SERVER_NAME}/ [R]
[root@localhost conf]# /usr/local/httpd/bin/apachectl restart
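As an added example that is not part of the original lab, the script below performs the key and certificate generation of step 3 non-interactively and runs the checks worth doing before the apachectl restart in step 4: that the certificate really belongs to the private key, that its commonName is the name httpd will answer for, and that the key file is not readable by other users. The subject fields mirror the lab's answers; the output directory and the 2048-bit key size are assumptions (the lab's 1024 bits is too weak for current use).

```bash
#!/bin/sh
# Added example, not part of the original lab: non-interactive version of
# the genrsa / req / x509 -req steps plus pre-restart checks. Target
# directory and 2048-bit key size are assumptions.
set -eu

SUBJ="/C=CN/ST=Beijing/L=Beijing/O=Aptech/OU=Benet4.0/CN=mail.benet.com/emailAddress=root@benet.com"

# Generate server.key, server.csr and a self-signed server.crt in $1.
make_selfsigned_cert() {
    dir="$1"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"        # private key: owner-only, as in the lab
    openssl req -new -key "$dir/server.key" -subj "$SUBJ" \
        -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Succeeds only if the certificate's public key belongs to the private key
# (same RSA modulus). A mismatch is the usual reason httpd refuses to start
# once SSLCertificateFile/SSLCertificateKeyFile point at new files.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1/server.key" 2>/dev/null | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$1/server.crt" 2>/dev/null | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the certificate's commonName; it should equal the ServerName that
# httpd answers for, otherwise browsers also report a name mismatch.
cert_cn() {
    openssl x509 -noout -subject -nameopt multiline -in "$1/server.crt" |
        awk '/commonName/ {print $NF}'
}

# Permission string of the private key; anything other than -rw------- means
# other local users could read the key.
key_mode() {
    ls -l "$1/server.key" | cut -c1-10
}

# Demo run in a scratch directory: ./script.sh demo
if [ "${1:-}" = "demo" ]; then
    WORK=$(mktemp -d)
    make_selfsigned_cert "$WORK"
    key_matches_cert "$WORK" && echo "key and cert match, CN=$(cert_cn "$WORK"), key mode $(key_mode "$WORK")"
fi
```

To use the result with the lab's configuration, run make_selfsigned_cert against /usr/local/httpd/conf and only restart httpd once key_matches_cert succeeds for that directory.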
5. Test access from a client browser
Visiting http://your_server_ip/ redirects automatically to https://your_server_ip/. The site certificate used in this case is self-signed by the server rather than issued by a recognised certificate authority, so the browser reports a certificate error on the first visit (see Figure 1); clicking the "Continue to this website (not recommended)" link is enough to proceed (see Figure 2).
Figure 1 Certificate error shown on the first visit
Figure 2 Access switches to HTTPS after the certificate is accepted
Original article: http://luwenjuan.blog.51cto.com/10967115/1721766