實驗環境
環境:ubuntu18.04, firefox70.0.1 (64 位), VMware Workstation,
這裏需要說明一下(遇到的坑),ubuntu本人剛開始用的是ubuntu server(因爲當時還在學習hadoop),但server是沒有圖形界面,極其難用。然後我嘗試過在server中安裝了圖形界面,但由於我的電腦配置過低,在server中運行圖形界面完全不行,所以推薦安裝ubuntu desktop(想折騰的話還是可以試下server的)。
另外,vmware在win10下運行好像需要關閉某項服務(win7釘子戶沒有這項煩惱),具體可百度解決
工具:LAMP(Linux+Apache+MySql+PHP)
在安裝工具前,建議更改安裝源,不然安裝速度極慢
更改源方法:https://blog.csdn.net/weixin_43960643/article/details/88425291
本人使用阿里雲源較穩定,其他源也可使用
- 安裝apache
sudo apt-get install apache2
安裝完成後,瀏覽器打開localhost,若顯示apache的頁面即安裝成功(前提是你沒把localhost的host改掉)
- 安裝MySQL
sudo apt-get install mysql-server mysql-client
這裏有一個坑,在ubuntu18中安裝過程不會直接讓你設置密碼,安裝完成後使用debian-sys-maint用戶的密碼登錄即可。方法:https://blog.csdn.net/qq_38737992/article/details/81090373
- 安裝PHP
sudo apt-get install php php7.2-mysql libapache2-mod-php7.2
這裏安裝第二條語句時,需查看下php版本,我安裝時以爲默認版本是7.0導致一直安裝失敗。
原理
在廣播環境中,明文傳播存在被竊聽的可能,例如可以通過網絡嗅探工具(如wireshark)抓取數據包。HTTPS通過SSL/TLS加密數據包,可達到對網絡服務器的身份認證,保護交換數據的隱私與完整性的功能。
HTTPS建立過程如下:
①首先,CA將自己的根證書頒發給瀏覽器廠商,再由瀏覽器廠商呈遞給用戶。其中根證書中包含CA的驗證信息和CA的公鑰。
②需要HTTPS服務的各大網站,將自己的證書(包含網站信息和服務器的公鑰)發送給CA。CA經過驗證網站信息後,用CA的私鑰對該證書進行簽名(相當於私鑰加密的過程),然後將簽名後的證書送回給服務器。
③用戶通過鏈接發出訪問網站的請求,服務器將自己的證書(帶CA簽名)發送給用戶,此過程稱爲SSL握手。由於用戶有CA的根證書中包含CA的公鑰,因此用戶可以利用CA公鑰對服務器證書進行解密,若解密成功則說明該證書是由CA簽名發出的。解密後,可覈對url信息是否與網站信息一致,此舉可防範中間人攻擊。若一切信息均滿足條件,則兩者溝通對稱加密方法。
對稱加密與非對稱加密
簡單來說,對稱加密是指密鑰匙加密,僅使用同一個密鑰對信息進行加密和解密。而非對稱加密則需兩個密鑰,分別是公鑰和私鑰。用公鑰加密的信息只能用私鑰解,同理,用私鑰加密的信息只能用公鑰解。通常使用爲:公鑰加密,私鑰簽名注意私鑰一般爲自己保存,並且務必妥善保管。現在常用的非對稱加密方法爲RSA。因爲對稱加密的效率較非對稱加密高,所以在SSL握手後,採用對稱加密可提高效率。
搭建HTTPS
在開始前,請記住每次完成後都拍照,不然真的會gg(慘痛教訓:整個vmware崩潰)
安裝OPENSSL
sudo apt-get install openssl
自建CA
mkdir -p myCA/signedcerts
mkdir myCA/private
cd myCA
注意若第一條語句不帶-p且當前目錄下沒有目錄名叫myCA則出錯。
myCA : 用於存放 CA 根證書,證書數據庫,以及後續服務器生成的證書,密鑰以及請求
signedcerts:保存簽名證書的副本
private: 存放CA私鑰
務必注意:下面的全部操作必須在myCA目錄下進行
配置CA參數
echo '01'>serial && touh index.txt && touch index.txt.attr
這裏需注意一下網上大多數教程都沒有touch index index.txt.attr這條語句,但我在最後發現沒有加這一條會發生報錯
創建並配置caconfig.cnf 文件
sudo vi ~/myCA/caconfig.cnf
若未用過vi請務必查手冊
caconfig.cnf文件內容如下
# My sample caconfig.cnf file.
#
# Default configuration to use when one is not provided on the command line.
#
[ ca ]
default_ca = local_ca
#
#
# Default location of directories and files needed to generate certificates.
#
[ local_ca ]
dir = /home/<username>/myCA # 這裏要將username替換爲你的用戶名
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/signedcerts
private_key = $dir/private/cakey.pem
serial = $dir/serial
#
#
# Default expiration and encryption policies for certificates.
#
default_crl_days = 365
default_days = 1825
default_md = SHA256
#
policy = local_ca_policy
x509_extensions = local_ca_extensions
#
#
# Default policy to use when generating server certificates. The following
# fields must be defined in the server certificate.
#
[ local_ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied
#
#
# x509 extensions to use when generating server certificates.
#
[ local_ca_extensions ]
subjectAltName = DNS:localhost
basicConstraints = CA:false
nsCertType = server
#
#
# The default root certificate generation policy.
#
[ req ]
default_bits = 2048
default_keyfile = /home/<username>/myCA/private/cakey.pem # 這裏要將username替換爲你的用戶名
default_md = SHA256
#
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
#
#
# Root Certificate Authority distinguished name. Change these fields to match
# your local environment!
#
[ root_ca_distinguished_name ]
commonName = MyOwn Root Certificate Authority # CA機構名
stateOrProvinceName = JS # CA所在省份
countryName = CN # CA所在國家(僅限2個字符)
emailAddress = [email protected] # 郵箱
organizationName = XXX #
organizationalUnitName = XXX #
#
[ root_ca_extensions ]
basicConstraints = CA:true
務必更改中文註釋內容
****天坑注意!!!務必把dir=…後的中文註釋去掉
生成 CA 根證書和密鑰
export OPENSSL_CONF=~/myCA/caconfig.cnf #該命令用於給環境變量 OPENSSL_CONF 賦值爲caconfig.cnf。
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825
以上步驟生成了 CA 自簽名根證書,和 RSA 公/私密鑰對。證書的格式是 PEM,有效期是1825天。另外有一點需要注意的是,此次操作需要設置密碼,密碼過短會報錯,好像至少6位(具體我忘了)。
/myCA/cacert.pem: CA 根證書
/myCA/private/cakey.pem: CA 私鑰
創建服務器公私鑰
生成服務器配置文件exampleserver.cnf
sudo vi ~/myCA/exampleserver.cnf
文件內容如下:
#
# exampleserver.cnf
#
[ req ]
prompt = no
distinguished_name = server_distinguished_name
[ server_distinguished_name ]
commonName = localhost # 服務器域名
stateOrProvinceName = JS # 服務器所在省份
countryName = CN # 服務器所在國家(僅限2個字符)
emailAddress = [email protected] # 郵箱
organizationName = XXX #
organizationalUnitName = XXX #
同理生成生成服務器證書和密鑰
export OPENSSL_CONF =~/myCA/exampleserver.cnf
openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM
同樣設置的密碼不能過短
然後,爲了保護私鑰,我們將更改tempkey名稱
mv tempkey.pem server_key.pem
更改後每次啓動服務器都需輸入設置的密碼。
使用 CA key 對服務器證書籤名
export OPENSSL_CONF=~/myCA/caconfig.cnf
openssl ca -in tempkey.pem -out server_crt.pem
刪除臨時證書和密碼文件
sudo rm -f tempkey.pem && rm -f tempreq.pem
此操作執行完後便生成了
server_crt.pem : 服務器證書文件
server_key.pem : 服務器密鑰文件
配置 Apache
vim /etc/apache2/sites-available/lab-ssl.conf
文件內容如下:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/myzoo # 網站目錄
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# 網站證書和私鑰地址
SSLCertificateFile /home/<username>/myCA/server_crt.pem #將username改爲自己的
SSLCertificateKeyFile /home/<username>/myCA/server_key.pem #將username改爲自己的
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
# BrowserMatch "MSIE [2-6]" \
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
務必把網站目錄及DocumentRoot中的中文註釋刪掉
最後,啓用ssl即可
sudo a2ensite /etc/apache2/sites-available/lab-ssl.conf
sudo a2enmod ssl
有時候,SSL不能正常啓用的話,重新啓動apache即可
檢驗
輸入https://localhost 查看網頁是否正常運行
若然瀏覽器顯示鏈接不安全,是因爲證書非CA頒發,瀏覽器不予信任,可手動將證書添加。具體操作爲:
編輯 ->首選項->搜索框輸入“證書”->查看證書->導入證書->選擇中myCA目錄下的“cacert.pem”->導入
若想修改鏈接,可自行修改host配置。