SSL

SSL: Secure Sockets Layer
TLS: Transport Layer Security
Advantages of SSL encryption:
    data is protected in transit
Disadvantages:
    some performance cost, and a certificate costs money to obtain and maintain
HTTPS = HTTP + SSL (port 443)
1. Install the SSL packages
# yum install httpd httpd-devel openssl* mod_ssl -y
# ls /etc/httpd/conf.d/ssl.conf      -- after installation there is a sub-configuration file that enables SSL for httpd
# ls /etc/httpd/modules/mod_ssl.so   -- and the module that provides the SSL support
2. Create the certificate and key with the rpm version of OpenSSL
# cd /etc/pki/tls/certs/
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > httpd.key
Generating RSA private key, 1024 bit long modulus
....................++++++
.........................++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase: -- enter the passphrase twice; choose it yourself, it is needed again later
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key httpd.key -x509 -days 365 -out httpd.crt -set_serial 0
Enter pass phrase for httpd.key: -- enter the passphrase
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:guangdong
Locality Name (eg, city) [Newbury]:shenzhen
Organization Name (eg, company) [My Company Ltd]:haha
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:li.cluster.com
Email Address []:li@126.com
3. Edit /etc/httpd/conf.d/ssl.conf (the numbers are line numbers in that file)
105 SSLCertificateFile /etc/pki/tls/certs/httpd.crt      -- the certificate (containing the public key), which is handed out to clients
112 SSLCertificateKeyFile /etc/pki/tls/certs/httpd.key   -- the private key, which stays on the server
4. Restart Apache
# /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server localhost.localdomain:443 (RSA)
Enter pass phrase: -- enter the passphrase set when the key was created
OK: Pass Phrase Dialog successful.
[ OK ]
# netstat -ntlup |grep httpd
tcp 0 0 :::80 :::* LISTEN 5821/httpd
tcp 0 0 :::443 :::* LISTEN 5821/httpd
5. Test
Open Firefox on another machine.
Visit the URL below, then download and accept the certificate.
===============================================================
nginx + SSL
If nginx was built from source, it must have been compiled with --with-http_ssl_module to support SSL.
Below, the rpm version is used on CentOS 7.3.
# cd /etc/pki/tls/certs/
# make nginx.crt               -- create the certificate; this produces nginx.crt and nginx.key
# yum install nginx*
# vim /etc/nginx/nginx.conf    -- add the following directives inside the server { } block
listen 443 ssl;
ssl_certificate /etc/pki/tls/certs/nginx.crt;
ssl_certificate_key /etc/pki/tls/certs/nginx.key;
Then restart nginx.
# systemctl stop httpd
# systemctl start nginx        -- fails to start: the key produced by make is passphrase-protected, and nginx cannot read a passphrase when started by systemd
Fix: remove the passphrase from the key
# cd /etc/pki/tls/certs/
# cp nginx.key nginx.key.bak
# openssl rsa -in nginx.key.bak -out nginx.key   -- asks for the passphrase once and writes an unencrypted copy
# systemctl start nginx        -- starts fine now
This can be done with a rewrite rule.
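The two procedures above (creating the key and certificate, and the nginx start failure caused by a passphrase-protected key) as an added example that is not from the original post: it generates a self-signed certificate without a passphrase, detects an encrypted key before a daemon stalls on it, strips the passphrase the way the post does, and checks that the certificate really belongs to the key. The hostname, subject fields and file names are assumed values.

```shell
#!/bin/sh
# Added example, not from the original post: create a self-signed cert the
# way the post does, but leave the key unencrypted (-nodes), then check the
# two things that caused the author trouble: an encrypted key (httpd stops
# for the Pass Phrase Dialog, nginx refuses to start under systemd) and a
# certificate that does not belong to the key. Paths and subject are assumed.
set -eu

# Create KEY and CRT for HOST, valid DAYS days, private key without passphrase.
make_selfsigned() {
    host=$1; key=$2; crt=$3; days=${4:-365}
    ( umask 077   # same as the post's "umask 77": key readable by its owner only
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
          -keyout "$key" -out "$crt" \
          -subj "/C=CN/ST=guangdong/L=shenzhen/O=haha/OU=it/CN=$host" 2>/dev/null )
}

# True if KEY is passphrase-protected (what `make nginx.crt` / genrsa -des3 give).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Remove the passphrase from KEY, keeping a .bak copy, like the post's fix.
strip_passphrase() {
    key=$1; pass=$2
    cp "$key" "$key.bak"
    openssl rsa -in "$key.bak" -passin "pass:$pass" -out "$key" 2>/dev/null
}

# True if the public key inside CRT is the one derived from KEY.
cert_matches_key() {
    key=$1; crt=$2
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)" ]
}

# Print the Common Name the browser compares against the host in the URL.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# True if CRT is still valid DAYS days from now (use it as a renewal check).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}
```

Run `make_selfsigned li.cluster.com httpd.key httpd.crt 365` and then `cert_matches_key httpd.key httpd.crt` before pointing ssl.conf or nginx.conf at the files; `key_is_encrypted` tells you in advance whether the daemon will stall asking for a passphrase.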
------------------------------------------------------------------------------------------------------------------
smtp+ssl=smtps 465
pop3+ssl=pop3s 995
samba+ssl=smbs
tomcat+ssl=https
dns+ssl -- none
nfs+ssl -- none
rsync+ssl -- none
Summary: the main use of SSL is HTTPS; SMTPS and FTPS are also used.
posted @ 2018-06-19 22:06 Sky-wings