HTTP is an application layer protocol that uses TCP port 80 by default and relies on TCP for transmission. The HTTP protocol is mainly used to access resources on the World Wide Web.
SSL, in full Secure Sockets Layer, sits between the application and transport layers and encrypts and protects the network connections of application layer protocols.
HTTPS = HTTP protocol + SSL protocol. By default it uses TCP port 443.
Working process of the HTTPS protocol:
The client initiates an HTTPS request
The user enters an https:// URL in the browser, and the browser connects to port 443 of the server.
Configuration of the server
A server that uses the HTTPS protocol must have a set of digital certificates, which you can either make yourself or apply for from a certificate authority. The difference is that a certificate you issued yourself must first be accepted by the client before access can continue, while with a certificate applied for from a trusted company no warning page pops up. This set of certificates is in fact a public/private key pair.
The server transfers its certificate to the client
The certificate is in fact the public key, and it also contains a lot of other information, such as the issuing authority of the certificate, its expiration time, and so on.
The client parses and verifies the server certificate
This part of the work is done by the client's TLS implementation. First it checks whether the public key is valid, for example the issuing authority and the expiration time. If an anomaly is found, a warning box pops up indicating that there is a problem with the certificate. If the certificate is fine, the client generates a random value and then asymmetrically encrypts that random value with the public key in the certificate.
The client transmits the encrypted information to the server
What is transmitted is the random value encrypted with the certificate's public key; the purpose is to let the server obtain this random value. From then on, the communication between client and server can be encrypted and decrypted with this random value.
The server decrypts the information
The server decrypts the encrypted information sent by the client with its own private key and obtains the random value passed by the client.
The server encrypts the information and sends it
The server symmetrically encrypts the data with the random value and then sends it to the client.
The client receives and decrypts the information
The client decrypts the data sent by the server with the random value it generated earlier and obtains the plaintext content.
The process of implementing HTTPS with Apache:
Apache is modular software: many of its functions are provided by different modules, and loading the corresponding module enables the corresponding function.
Process:
1. Apply for a certificate for the Apache server
2. Configure the HTTPS function of Apache
3. Verify HTTPS
How Apache obtains a certificate
1. Build a private CA to issue certificates
2. Use the CentOS 7 Makefile to quickly generate a self-signed certificate
[root@ansible certs]# pwd
/etc/pki/tls/certs
[root@ansible certs]# ls
ca-bundle.crt  ca-bundle.trust.crt  make-dummy-cert  Makefile  renew-dummy-cert
# Remove the passphrase encryption of the private key in the Makefile by dropping -aes128
# (the original recipe line was: /usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@).
# Keep the openssl command on the same shell line as "umask 77" so the unencrypted key
# is created readable by root only.
[root@ansible certs]# vim Makefile
%.key:
	umask 77 ; \
	/usr/bin/openssl genrsa $(KEYLEN) > $@
# Generate the certificate (the key is generated by the %.key rule)
[root@ansible certs]# make Makefile httpds.crt
3. Download a free certificate from a website such as Alibaba Cloud (requires a domain name)
Configure the HTTPS function of Apache
Install the mod_ssl package. After installing mod_ssl, the SSL configuration file and module of Apache are generated automatically.
[root@CentOS8 ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf                      # configuration file of the ssl module
/etc/httpd/conf.modules.d/00-ssl.conf           # loads the ssl module
/usr/lib/.build-id
/usr/lib/.build-id/e6/046e586d8d19fb92e3f8484a62203e841c3e2a
/usr/lib/systemd/system/httpd-init.service
/usr/lib/systemd/system/httpd.socket.d/10-listen443.conf
/usr/lib64/httpd/modules/mod_ssl.so             # module file
/usr/libexec/httpd-ssl-gencerts
/usr/libexec/httpd-ssl-pass-dialog
/usr/share/man/man8/httpd-init.service.8.gz
/var/cache/httpd/ssl
Modify the configuration file:
[root@CentOS8 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /data/apache/apache1.crt                  # apache certificate file
SSLCertificateKeyFile /data/apache/apache1.key               # apache private key file
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt  # apache certificate chain file
Certificate chain file: if no chain file is specified, the client cannot tell who issued this certificate. The certificate chain is the certificate of the upper-level (issuing) CA. (Note: SSLCertificateChainFile is deprecated since Apache 2.4.8; the chain certificates can instead be appended to the file named in SSLCertificateFile.)
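As an added example (not code from the original article), a small stdlib-only Python audit of the three directives above: it parses the ssl.conf fragment, checks that each file exists, flags a missing chain file and a passphrase-less private key that is readable by other users. The file names and the dummy PEM contents in write_fixture are constructed for the demonstration.

```python
"""Audit the certificate directives of an Apache ssl.conf fragment (stdlib only)."""
import os
import re
import stat
import tempfile

# Pattern for the three directives the page's ssl.conf uses.
_DIRECTIVE = re.compile(r"^\s*(SSLCertificate(?:Key|Chain)?File)\s+(\S+)")

def parse_ssl_conf(text):
    """Return {directive: path}; text after '#' is a comment, as in the page's example."""
    found = {}
    for line in text.splitlines():
        m = _DIRECTIVE.match(line.split("#", 1)[0])
        if m:
            found[m.group(1)] = m.group(2)
    return found

def audit_ssl_conf(text):
    """Return a list of findings; an empty list means the fragment passed every check."""
    conf = parse_ssl_conf(text)
    findings = []
    for directive in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if directive not in conf:
            findings.append(f"{directive} is missing")
    if "SSLCertificateChainFile" not in conf:
        findings.append("SSLCertificateChainFile missing: clients cannot tell who issued the certificate")
    for directive, path in conf.items():
        if not os.path.isfile(path):
            findings.append(f"{directive}: {path} does not exist")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        # The key was generated without a passphrase (-aes128 removed), so it must be 0600.
        if directive == "SSLCertificateKeyFile" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{directive}: {path} has mode {mode:o}, readable by group/other")
    return findings

def write_fixture(key_mode, with_chain=True):
    """Constructed sample: dummy cert/key files in a temp dir; returns the ssl.conf text."""
    d = tempfile.mkdtemp()
    crt, key = os.path.join(d, "apache1.crt"), os.path.join(d, "apache1.key")
    for p in (crt, key):
        with open(p, "w") as f:
            f.write("placeholder, not a real PEM file\n")
    os.chmod(key, key_mode)
    conf = f"SSLCertificateFile {crt} # apache certificate\nSSLCertificateKeyFile {key}\n"
    return conf + (f"SSLCertificateChainFile {crt}\n" if with_chain else "")
```

Calling audit_ssl_conf(write_fixture(0o644, with_chain=False)) reports both the missing chain file and the over-permissive key; with mode 0o600 and a chain directive it returns an empty list.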
Verification:
Set the Windows hosts file so that the certificate's host name resolves to the server for verification.
Location of the Windows hosts file: C:\Windows\System32\drivers\etc (file name "hosts"). Format: IP address, followed by the name.
The above is the detailed content of How to configure https in Linux apache.