附加題:
u 案例需求
1. 基于編譯安裝的httpd伺服器,添加HTTPS協定支援以提高安全性。
2. 當客戶機通過HTTP方式通路站點時,能夠自動跳轉為HTTPS方式通路。
u 知識提示
HTTPS指的是Hyper Text Transfer Protocol Secure,安全超文本傳輸協定。HTTPS實際上使用了SSL(安全套接字層)作為HTTP應用層的子層,針對明文傳輸的HTTP通信流進行加密,進而避免敏感資訊被捕獲或竊聽,是以HTTPS協定在網上銀行、安全郵箱等Web通路場合比較常見。
1. 确認系統中已安裝有openssl軟體包,用來為伺服器生成證書
[root@localhost ~]# rpm -qa | grep openssl
openssl-0.9.8e-12.el5_4.6
openssl-devel-0.9.8e-12.el5_4.6
2. 确認在編譯httpd軟體包時添加了ssl支援選項、rewrite支援選項
[root@localhost httpd-2.2.17]# ./configure --prefix=/usr/local/httpd --enable-so --enable-rewrite --enable-charset-lite --enable-cgi --with-ssl=/usr/lib --enable-ssl
[root@localhost httpd-2.2.17]# make
[root@localhost httpd-2.2.17]# make install
3. 生成KEY密鑰檔案和簽發CRT證書
為了降低實驗複雜度,這裡可直接使用RHEL5系統中的localhost.crt、localhost.key檔案:
[root@localhost httpd-2.2.17]# cd /etc/pki/tls/
[root@localhost tls]# cp certs/localhost.crt /usr/local/httpd/conf/server.crt
[root@localhost tls]# cp private/localhost.key /usr/local/httpd/conf/server.key
—— 或者,也可以使用openssl工具來生成新的密鑰和證書檔案:
[root@localhost ~]# cd /usr/local/httpd/conf/
[root@localhost conf]# openssl genrsa -out server.key 1024 //生成伺服器密鑰檔案
Generating RSA private key, 1024 bit long modulus
.......................................................................................++++++
..........++++++
e is 65537 (0x10001)
[root@localhost conf]# chmod 600 server.key
[root@localhost conf]# openssl req -new -key server.key -out server.csr
//生成伺服器證書檔案
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:China
Locality Name (eg, city) [Newbury]:Beijing
Organization Name (eg, company) [My Company Ltd]:Aptech
Organizational Unit Name (eg, section) []:Benet4.0
Common Name (eg, your name or your server's hostname) []:mail.benet.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost conf]# ls -l server.key server.csr
-rw-r--r-- 1 root root 700 12-06 19:52 server.csr
-rw------- 1 root root 887 12-06 19:46 server.key
[root@localhost ~]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
//簽署伺服器證書
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=Aptech/OU=BENET/CN=mail.benet.com/[email protected]
Getting Private key
[root@localhost conf]# ls -l server.key server.csr server.crt
-rw-r--r-- 1 root root 944 12-06 19:55 server.crt
4. 調整httpd服務配置,添加SSL、Rewrite支援
[root@localhost conf]# vi httpd.conf
…… //省略部分内容
Include conf/extra/httpd-ssl.conf //啟用預設SSL配置檔案
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
RewriteEngine on //啟用并添加位址重寫政策
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{SERVER_NAME}/ [R]
[root@localhost conf]# /usr/local/httpd/bin/apachectl restart
5. 在客戶機浏覽器中通路測試
當通路http://your_server_ip/ 時會自動跳轉為https://your_server_ip/ 。本案例中所用的網站證書為伺服器自行簽發,而并非來自于權威證書管理機構,是以在通路時提示證書錯誤(如圖1所示),隻要點選“繼續浏覽此網站(不推薦)”連結就可以繼續通路了(如圖2所示)。
圖1 第一次通路時提示證書錯誤
圖2 接受證書後轉為HTTPS通路