Copyright notice: this is an original article by the blog author and may not be reproduced without permission. https://blog.csdn.net/qq_25203255/article/details/55259859
1. What is HTTPS
Because HTTP transmits everything in plaintext, data in transit is easy to intercept and leak. HTTPS was created to solve the problem that HTTP cannot guarantee the security of data while it is being transferred. HTTPS is HTTP carried over the SSL/TLS encrypted transport: data is encrypted before it leaves the sender and only decrypted once it reaches the client. This greatly improves the security of the data in transit, but because the data is encrypted, the encrypted payload is noticeably larger than the unencrypted data, which also adds load to the transport link.
2. Setting up HTTPS
- Creating the certificate
[root@localhost ~]# cd /etc/pki/tls/certs/
# Create the server private key
[root@localhost certs]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
..........................+++
.................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
# Remove the passphrase from the key so that httpd is not prompted for it at system startup
[root@localhost certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key
[root@localhost certs]# ls
ca-bundle.crt make-dummy-cert renew-dummy-cert
ca-bundle.trust.crt Makefile server.key
# Create the certificate signing request (it carries the server public key)
[root@localhost certs]# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:HH
State or Province Name (full name) []:HH
Locality Name (eg, city) [Default City]:HH
Organization Name (eg, company) [Default Company Ltd]:HH
Organizational Unit Name (eg, section) []:HH
Common Name (eg, your name or your server''s hostname) []:HH
Email Address []:878490964@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost certs]#
[root@localhost certs]# ls
ca-bundle.crt make-dummy-cert renew-dummy-cert server.key
ca-bundle.trust.crt Makefile server.csr
# Create the server certificate, valid for 1 year
[root@localhost certs]# openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365
Signature ok
subject=/C=HH/ST=HH/L=HH/O=HH/OU=HH/CN=HH/emailAddress=878490964@qq.com
Getting Private key
[root@localhost certs]# ls
ca-bundle.crt make-dummy-cert renew-dummy-cert server.key
ca-bundle.trust.crt Makefile server.csr server.pem
[root@localhost certs]# chmod 400 server.*
[root@localhost certs]#
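The same key, CSR and self-signed certificate steps as above, scripted non-interactively, plus the checks a practitioner runs before pointing httpd at the files. This is an added example, not the post's own commands or the CentOS Makefile targets; it requires the openssl CLI, and the directory, hostname and subject fields are placeholders. It also adds a subjectAltName extension, which modern browsers require in addition to the CN.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.

# make_selfsigned_cert DIR HOSTNAME
# Creates DIR/server.key, DIR/server.csr and DIR/server.pem (valid 365 days).
# Runs in a subshell so umask and set -e do not leak into the caller.
make_selfsigned_cert() (
  set -e
  dir=$1
  host=$2
  mkdir -p "$dir"
  umask 077   # files are created owner-only, like the Makefile's "umask 77"

  # 1. Private key. The post encrypts it with -aes128 and then strips the
  #    passphrase again with "openssl rsa"; writing it unencrypted from the
  #    start has the same result (httpd can start without a prompt).
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null

  # 2. Certificate signing request, subject given with -subj instead of
  #    answered interactively. Subject values are placeholders.
  openssl req -new -key "$dir/server.key" \
      -subj "/C=XX/ST=Placeholder/L=Placeholder/O=Example Org/CN=$host" \
      -out "$dir/server.csr"

  # 3. Self-signed certificate for 365 days. The hostname is added as a
  #    subjectAltName via -extfile; "x509 -req" does not copy extensions
  #    from the CSR in older OpenSSL releases, so it is supplied here.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
      -days 365 -extfile "$dir/san.ext" -out "$dir/server.pem" 2>/dev/null

  chmod 400 "$dir/server.key" "$dir/server.csr" "$dir/server.pem"
)

# cert_matches_key DIR: 0 if the certificate's public key belongs to server.key
# (catches a stale server.pem left over from a previous key).
cert_matches_key() {
  dir=$1
  k=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$dir/server.pem" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for_days DIR [DAYS]: 0 if the certificate is valid now and will
# not expire within DAYS days (default 30). Useful as a renewal check in cron.
cert_valid_for_days() {
  dir=$1
  days=${2:-30}
  openssl x509 -in "$dir/server.pem" -noout -checkend $((days * 86400)) >/dev/null
}

# cert_has_san DIR HOSTNAME: 0 if HOSTNAME is listed as a DNS subjectAltName.
cert_has_san() {
  dir=$1
  host=$2
  openssl x509 -in "$dir/server.pem" -noout -text | grep -q "DNS:$host"
}

# Usage (hypothetical paths): CERT_DIR=/etc/pki/tls/certs CERT_HOST=www.example.test sh make-cert.sh
if [ -n "${CERT_DIR:-}" ]; then
  make_selfsigned_cert "$CERT_DIR" "${CERT_HOST:-localhost}"
  cert_matches_key "$CERT_DIR" \
    && cert_valid_for_days "$CERT_DIR" 30 \
    && cert_has_san "$CERT_DIR" "${CERT_HOST:-localhost}" \
    && echo "certificate OK"
fi
```

The three check functions are the ones worth keeping around after the initial setup: a key/certificate mismatch is the usual reason httpd refuses to start after a certificate is replaced, and the -checkend call turns into a renewal reminder when run from cron with a 30-day window.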
- Installing and configuring the mod_ssl module
[root@localhost certs]# yum install -y mod_ssl
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
正在解决依赖关系
--> 正在检查事务
---> 软件包 mod_ssl.x86_64.1.2.4.6-40.el7.centos 将被 安装
--> 解决依赖关系完成
依赖关系解决
================================================================================
Package 架构 版本 源 大小
================================================================================
正在安装:
mod_ssl x86_64 1:2.4.6-40.el7.centos c7-media 103 k
事务概要
================================================================================
安装 1 软件包
总下载量:103 k
安装大小:224 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
正在安装 : 1:mod_ssl-2.4.6-40.el7.centos.x86_64 1/1
验证中 : 1:mod_ssl-2.4.6-40.el7.centos.x86_64 1/1
已安装:
mod_ssl.x86_64 1:2.4.6-40.el7.centos
完毕!
[root@localhost certs]# cd /etc/httpd/conf.d/
[root@localhost conf.d]# vim ssl.conf
Remove the leading # from the line #DocumentRoot "/var/www/html"
[root@localhost conf.d]# systemctl restart httpd
[root@localhost conf.d]#
- Testing whether it worked
First visit the site over http to check that it can be reached.
If it can, visit it again over https; if the following warning appears, the installation succeeded.
Because the certificate is self-generated, add an exception in the browser and the https site can then be visited.
- HTTPS-only access
With the setup above the site can be reached over both http and https, but many https sites redirect http requests to https.
# Just add these lines under <Directory "/var/www/html"> in httpd.conf so that every http request for a page is redirected to https
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)?$ https://%{SERVER_NAME}/$1 [L,R]
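The rewrite rule above issues a temporary (302) redirect, because [R] without a status code defaults to 302; a permanent policy wants [R=301] or, as the mod_rewrite documentation itself suggests for plain redirects, the Redirect directive from mod_alias. The added example below (not part of the original post) writes that hardened configuration for a hostname and certificate paths you supply, writes the "before" state from this post for comparison, and carries a small lint that reports which of the HTTPS-only properties a given config is missing. Hostname and paths are placeholders; the Header directive needs mod_headers, which CentOS 7 loads by default.

```shell
#!/bin/sh
# Added example, not the post's configuration. Apache 2.4 directives.

# write_https_only_vhost OUT HOST CERT KEY
# Port 80 only redirects (permanently) to https; port 443 serves the site
# with old protocol versions disabled and HSTS set.
write_https_only_vhost() {
  out=$1; host=$2; cert=$3; key=$4
  cat > "$out" <<EOF
<VirtualHost *:80>
    ServerName $host
    # mod_alias: 301 redirect of every http request to the same path on https
    Redirect permanent / https://$host/
</VirtualHost>

<VirtualHost *:443>
    ServerName $host
    DocumentRoot "/var/www/html"
    SSLEngine on
    SSLCertificateFile $cert
    SSLCertificateKeyFile $key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    # mod_headers: browsers remember to use https for one year
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
EOF
}

# write_http_and_https_vhost OUT HOST CERT KEY
# The state right after installing mod_ssl: both ports answer, nothing
# pushes clients to https. Kept here as the "before" for the lint.
write_http_and_https_vhost() {
  out=$1; host=$2; cert=$3; key=$4
  cat > "$out" <<EOF
<VirtualHost *:80>
    ServerName $host
    DocumentRoot "/var/www/html"
</VirtualHost>

<VirtualHost *:443>
    ServerName $host
    DocumentRoot "/var/www/html"
    SSLEngine on
    SSLCertificateFile $cert
    SSLCertificateKeyFile $key
</VirtualHost>
EOF
}

# check_forces_https FILE: 0 if FILE has a permanent http->https redirect
# (Redirect permanent/301 or a RewriteRule with R=301), SSLEngine on, an
# HSTS header and TLS 1.0 disabled; otherwise prints each missing item and
# returns 1.
check_forces_https() {
  f=$1; rc=0
  if ! grep -Eq '^[[:space:]]*Redirect[[:space:]]+(permanent|301)[[:space:]]+/[[:space:]]+https://' "$f" \
     && ! grep -Eq '^[[:space:]]*RewriteRule[[:space:]].*https://.*R=301' "$f"; then
    echo "$f: no permanent redirect of http to https"; rc=1
  fi
  grep -Eq '^[[:space:]]*SSLEngine[[:space:]]+on' "$f" \
    || { echo "$f: SSLEngine is not on"; rc=1; }
  grep -Eq '^[[:space:]]*Header[[:space:]].*Strict-Transport-Security' "$f" \
    || { echo "$f: no Strict-Transport-Security header"; rc=1; }
  grep -Eq '^[[:space:]]*SSLProtocol[[:space:]].*-TLSv1([[:space:]]|$)' "$f" \
    || { echo "$f: TLSv1.0 is not disabled in SSLProtocol"; rc=1; }
  return $rc
}

# Usage (hypothetical paths): sh https-vhost.sh /etc/httpd/conf.d/site.conf www.example.test
if [ "$#" -ge 2 ]; then
  write_https_only_vhost "$1" "$2" \
    "${3:-/etc/pki/tls/certs/server.pem}" "${4:-/etc/pki/tls/certs/server.key}"
  check_forces_https "$1" && echo "$1: forces https"
fi
```

Run the lint against an existing ssl.conf and httpd.conf before restarting httpd; it is deliberately line-based, so it reports the same four properties whether they live in one VirtualHost file or are split across the default CentOS files. After changing the configuration, apachectl configtest is still the authoritative syntax check.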