HTTPS (in full: Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel whose goal is security; put simply, it is the secure version of HTTP, i.e. HTTP with an SSL layer added underneath. The security of HTTPS rests on SSL, so the details of the encryption are SSL's business. It is a URI scheme (an abstract identifier system) with the same syntax as the http: scheme, used for secure HTTP data transfer. An https: URL indicates that HTTP is being used, but HTTPS has a default port different from HTTP's and an encryption/authentication layer (between HTTP and TCP). The system was originally developed by Netscape; it provides authentication and encrypted communication and is now widely used for security-sensitive communication on the World Wide Web, such as payment transactions.
The following describes, step by step, how to configure HTTPS in Apache.
Install mod_ssl
[root@ritto /]# yum -y install mod_ssl /*install mod_ssl online
Setting up Install Process
Parsing package install arguments
[root@ritto /]# cd usr/local/apache2/conf/
[root@ritto /]# mkdir keys
[root@ritto /]# cd keys/
[root@ritto /]# openssl genrsa -des3 -out server.key 4096
Generating RSA private key, 4096 bit long modulus
………e is 65537 (0x10001)
Enter pass phrase for server.key: /*enter a passphrase
Verifying - Enter pass phrase for server.key: /*confirm by entering the passphrase again
Create the server's certificate signing request (CSR)
[root@ritto /]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: /*enter the passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN /*enter the country code
State or Province Name (full name) [Berkshire]:zhejiang /*enter the province
Locality Name (eg, city) [Newbury]:hangzhou /*enter the city
Organization Name (eg, company) [My Company Ltd]:grandstream /*enter the organization name (anything)
Organizational Unit Name (eg, section) []: /*leave blank, just press Enter
Common Name (eg, your name or your server's hostname) []:ipvideotalk /*enter the common name (anything)
Email Address []:admin@hdwiki.com /*enter the e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: /*leave blank, just press Enter
An optional company name []: /*leave blank, just press Enter
Create the server certificate
[root@ritto /]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=zhejiang/L=hangzhou/O=greandstream/CN=ipvideotalk/emailAddress=admin@grandstream.com
Getting Private key
Enter pass phrase for server.key: /*enter the passphrase
Remove the passphrase from the key
[root@ritto /]# openssl rsa -in server.key -out server.key.insecure
Enter pass phrase for server.key:
writing RSA key
Rename the original server.key to keep it, and rename the passphrase-free key to server.key
[root@ritto /]# mv server.key server.key.secure
[root@ritto /]# mv server.key.insecure server.key
[root@ritto keys]# ls
server.crt server.csr server.key server.key.secure
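The whole key, CSR, self-signed certificate and passphrase-removal sequence above, scripted without prompts and followed by the checks worth running before Apache is pointed at the files. This is an added example, not part of the original post: the directory, subject and passphrase are constructed sample values, and `-subj`, `-passin` and `-passout` stand in for the interactive answers. Two caveats the post glosses over are built into the checks: once the passphrase is removed, server.key is a plaintext secret and must not be readable by other users, and a certificate signed by its own key is trusted by nobody until it is explicitly installed, so clients will warn. The post's "anything" for the Common Name only holds for such a test certificate; a client accepts the certificate only if the name it connects to matches the CN (or, in current browsers, a subjectAltName entry).

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the genrsa -> req -> x509 -> rsa
# steps without prompts, then verifies the resulting files.
set -eu
umask 077                       # every file created below is owner-readable only

KEYDIR="${KEYDIR:-$(mktemp -d)}"                                    # constructed: temp dir instead of the post's conf/keys
SUBJ="/C=CN/ST=zhejiang/L=hangzhou/O=example/CN=www.example.test"   # constructed sample subject
PASS="pass:example-passphrase"                                      # constructed sample passphrase

make_self_signed() {
    # 1. encrypted RSA private key (the post's `openssl genrsa -des3`)
    openssl genrsa -des3 -passout "$PASS" -out "$KEYDIR/server.key" 4096 2>/dev/null
    # 2. certificate signing request carrying the public key and the subject DN
    openssl req -new -key "$KEYDIR/server.key" -passin "$PASS" -subj "$SUBJ" -out "$KEYDIR/server.csr"
    # 3. self-sign the request for one year
    openssl x509 -req -days 365 -in "$KEYDIR/server.csr" -signkey "$KEYDIR/server.key" \
        -passin "$PASS" -out "$KEYDIR/server.crt" 2>/dev/null
    # 4. strip the passphrase so httpd can start unattended; keep the encrypted copy
    openssl rsa -in "$KEYDIR/server.key" -passin "$PASS" -out "$KEYDIR/server.key.insecure"
    mv "$KEYDIR/server.key" "$KEYDIR/server.key.secure"
    mv "$KEYDIR/server.key.insecure" "$KEYDIR/server.key"
}

# The certificate must carry the public half of this key: compare the RSA moduli.
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$KEYDIR/server.crt")" = \
      "$(openssl rsa -noout -modulus -in "$KEYDIR/server.key")" ]
}

# server.key now holds a plaintext secret; only its owner may read it (GNU and BSD stat).
key_is_private() {
    mode=$(stat -c %a "$KEYDIR/server.key" 2>/dev/null || stat -f %Lp "$KEYDIR/server.key")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# The passphrase really was removed from server.key, and the kept copy is still encrypted.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$KEYDIR/server.key" && grep -q ENCRYPTED "$KEYDIR/server.key.secure"
}

# Still valid $1 days from now? (exit status 0 = yes); use it to schedule renewal.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$KEYDIR/server.crt" >/dev/null
}

# Issuer hash equals subject hash: nobody but the server itself vouches for this certificate.
cert_is_self_signed() {
    [ "$(openssl x509 -noout -subject_hash -in "$KEYDIR/server.crt")" = \
      "$(openssl x509 -noout -issuer_hash -in "$KEYDIR/server.crt")" ]
}

make_self_signed
cert_matches_key       || { echo "certificate does not belong to server.key" >&2; exit 1; }
key_is_private         || { echo "server.key is readable by other users" >&2; exit 1; }
key_is_unencrypted     || { echo "passphrase removal did not work" >&2; exit 1; }
cert_valid_for_days 30 || { echo "certificate expires within 30 days" >&2; exit 1; }
cert_is_self_signed && echo "self-signed: clients will warn unless $KEYDIR/server.crt is installed as trusted"
echo "files ready in $KEYDIR"
```

Set KEYDIR to the post's /usr/local/apache2/conf/keys to produce the files in place; the moduli comparison and the permission check are the two things to repeat whenever a certificate or key is replaced later.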
Configure SSL
[root@ritto /]# vi /etc/httpd/conf.d/ssl.conf
#DocumentRoot "/var/www/html" /*find this line and remove the leading "#"
DocumentRoot /var/www/html /*so that it looks like this
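Uncommenting DocumentRoot is only part of the job: nothing in ssl.conf yet names the certificate and key created in the keys directory, and the stock file installed by yum points at its own default localhost certificate. The block below is an added example, not from the original post. `write_ssl_vhost` writes the mod_ssl virtual host a practitioner would want (the stock ssl.conf of that era disabled only SSLv2, so SSLv3 is switched off as well), and `check_ssl_conf` is the pre-flight to run before restarting httpd: it reads the SSLCertificateFile and SSLCertificateKeyFile paths out of the file, checks that both exist, that the now-unencrypted key is not readable by other users, and that SSLProtocol does not leave SSLv3 enabled. The temporary paths and empty placeholder files in `demo` are constructed so that it runs offline; on the real host the directives point at /usr/local/apache2/conf/keys from the post and `check_ssl_conf /etc/httpd/conf.d/ssl.conf` runs against the edited stock file, with `apachectl configtest` remaining the authoritative syntax check.

```shell
#!/bin/sh
# Added example, not part of the original post: the mod_ssl virtual host that points
# Apache at the generated files, plus a pre-flight check to run before the restart.
set -eu

write_ssl_vhost() {   # $1 = file to write, $2 = directory holding server.crt and server.key
    cat > "$1" <<EOF
Listen 443
<VirtualHost _default_:443>
    DocumentRoot /var/www/html
    SSLEngine on
    # certificate and passphrase-free key from the openssl steps
    SSLCertificateFile    $2/server.crt
    SSLCertificateKeyFile $2/server.key
    # the stock ssl.conf only disabled SSLv2; SSLv3 is broken as well (newer builds can add -TLSv1 -TLSv1.1)
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
</VirtualHost>
EOF
}

# Value of the first occurrence of directive $2 in file $1 (empty if absent).
directive() { awk -v d="$2" '$1 == d { print $2; exit }' "$1"; }

# Octal permission bits of a file (GNU and BSD stat).
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Pre-flight for an ssl.conf: returns 0 only if httpd would find both files,
# the key is private to its owner, and SSLv3 is not left enabled.
check_ssl_conf() {
    conf=$1
    crt=$(directive "$conf" SSLCertificateFile)
    key=$(directive "$conf" SSLCertificateKeyFile)
    if [ -z "$crt" ] || [ -z "$key" ]; then
        echo "$conf: SSLCertificateFile / SSLCertificateKeyFile missing" >&2; return 1
    fi
    [ -r "$crt" ] || { echo "$conf: certificate $crt not found" >&2; return 1; }
    [ -r "$key" ] || { echo "$conf: key $key not found" >&2; return 1; }
    case "$(file_mode "$key")" in
        600|400) ;;
        *) echo "$conf: $key holds an unencrypted private key; chmod 600 it" >&2; return 1 ;;
    esac
    if grep -q '^[[:space:]]*SSLProtocol' "$conf" && ! grep -q '^[[:space:]]*SSLProtocol.*-SSLv3' "$conf"; then
        echo "$conf: SSLProtocol leaves SSLv3 enabled" >&2; return 1
    fi
    return 0
}

# Offline demonstration with constructed, empty placeholder files (not real key material).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/keys"
    : > "$tmp/keys/server.crt"
    : > "$tmp/keys/server.key"
    chmod 600 "$tmp/keys/server.key"
    write_ssl_vhost "$tmp/ssl.conf" "$tmp/keys"
    check_ssl_conf "$tmp/ssl.conf"          # passes: files present, key private, SSLv3 off
    chmod 644 "$tmp/keys/server.key"        # the mistake that is easy to make after the `mv` steps
    if check_ssl_conf "$tmp/ssl.conf"; then echo "unexpected pass" >&2; return 1; fi
    echo "demo config in $tmp/ssl.conf"
}

demo
```

`directive` deliberately takes only the first occurrence: if two VirtualHost blocks on port 443 name different files, the check should be run per block rather than trusting a merged result.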
Restart the HTTP server so that SSL takes effect. If the firewall is enabled, configure it to allow SSL traffic.
[root@ritto /]# vi /etc/sysconfig/iptables /*edit the firewall configuration file
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
Or run the commands directly:
iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
Then restart the firewall so that the settings take effect:
service iptables restart