Home >Operation and Maintenance >Linux Operation and Maintenance >How to configure https in Linux apache
The application layer protocol using port 80 by default uses the TCP protocol for transmission. The http protocol is mainly used to access resources on the World Wide Web.
The full name is Secure Sockets Layer. Between the work and transport layers, network connections for application layer protocols are encrypted and protected.
http protocol ssl protocol. By default, TCP port 443 is used.
Working process of https protocol:
Client initiates HTTPS request
The user enters an https URL in the browser, and then connects to the 443 port of the server
Configuration of the server
A server that uses the HTTPS protocol must There is a set of digital certificates that you can make yourself or apply to an organization. The difference is that the certificate issued by yourself needs to be verified by the client before you can continue to access it, while if you use a certificate applied by a trusted company, the prompt page will not pop up. This set of certificates is actually a pair of public and private keys.
Transfers the server’s certificate to the client
The certificate is actually the public key, and it also contains many Information, such as the issuing authority of the certificate, expiration time, etc.
Client parses and verifies the server certificate
This part of the work is completed by the client's TLS. First It will verify whether the public key is valid, such as the issuing authority, expiration time, etc. If an abnormality is found, a warning box will pop up, indicating that there is a problem with the certificate. If there is no problem with the certificate, then a random value is generated. Then use the public key in the certificate to asymmetrically encrypt the random value
The client transmits the encrypted information to the server
This part of the transmission is encrypted with the certificate The purpose of the random value is to let the server get this random value. In the future, the communication between the client and the server can be encrypted and decrypted through this random value.
Server-side decryption information
After the server decrypts the encrypted information sent by the client with the server's private key, it obtains the random value passed by the client
The server encrypts the information and sends the information
The server symmetrically encrypts the data using random values, and then sends it to the client
The client receives and decrypts the information
The client uses the previously generated The random value decrypts the data passed by the service segment, and then obtains the decrypted content
The process of apache implementing https:
Apache is a modularized Feature software, many functions rely on different modules to provide. Loading the corresponding module can realize the corresponding function.
Process:
1. Apply for a certificate for the apache server
2. Configure the https function of apache
3. Verify https
How apache applies for a certificate
1. Build a private CA to issue certificates
2. Use CentOS7 to quickly generate a self-signed certificate
[root@ansible certs]# pwd /etc/pki/tls/certs [root@ansible certs]# ls ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert #取消makefile文件中对私钥文件的加密 [root@ansible certs]# vim Makefile %.key: umask 77 ; \ #/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@ /usr/bin/openssl genrsa $(KEYLEN) > $@ #生成证书 [root@ansible certs]# make Makefile httpds.crt
3. Through websites such as Alibaba Cloud Download the free certificate (requires a domain name)
Configure the https function of apache
Install the mod_ssl software package. After installing the mod_ssl software package, the ssl configuration file and module of apache will be automatically generated.
[root@CentOS8 ~]# rpm -ql mod_ssl /etc/httpd/conf.d/ssl.conf #ssl模块的配置文件 /etc/httpd/conf.modules.d/00-ssl.conf #加载ssl模块 /usr/lib/.build-id /usr/lib/.build-id/e6/046e586d8d19fb92e3f8484a62203e841c3e2a /usr/lib/systemd/system/httpd-init.service /usr/lib/systemd/system/httpd.socket.d/10-listen443.conf /usr/lib64/httpd/modules/mod_ssl.so #模块文件 /usr/libexec/httpd-ssl-gencerts /usr/libexec/httpd-ssl-pass-dialog /usr/share/man/man8/httpd-init.service.8.gz /var/cache/httpd/ssl
Modify the configuration file:
[root@CentOS8 ~]# vim /etc/httpd/conf.d/ssl.conf SSLCertificateFile /data/apache/apache1.crt #apache的证书文件 SSLCertificateKeyFile /data/apache/apache1.key #apache的私钥文件 SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt #apache的证书链文件 证书链文件:不指定证书链文件,它就不知道这个证书是谁颁发的。证书链就是上级CA的证书
Verification:
Set the windows hosts file for verification
windows的hosts文件位置:C:\Windows\System32\drivers\etc 格式:ip地址 名字
The above is the detailed content of How to configure https in Linux apache. For more information, please follow other related articles on the PHP Chinese website!