httpsセキュリティ機構の原理とhttpsセキュリティサイトの実現

11422 ワード
httpd https apache
httpsの安全サイトを実現します.
https安全の原理:
  • クライアントは、サービス端末にhttps要求
    • を送信する.
  • サーバはクライアント証明書に返信する(証明書の主な内容はCAの秘密鍵で署名されたサービス端末の公開鍵である)
    • .
  • サービス端末は、CAの公開鍵を用いて解読し、安全で信頼できるサービス端末の公開鍵
    • を得る.
  • は、サービス端末の公開鍵を使って通信鍵を暗号化する(通信鍵は暗号化効率の高い対称鍵であり、実際には非対称鍵を使ってデータを暗号化することは不可能であり、効率が低いので)、サービス端末
    • に送信する.
  • 双方は、通信鍵を用いてデータを暗号化して通信する
    • .
    [root@localhost conf.d]# yum install mod_ssl -y
[root@localhost conf.d]# rpm -ql mod_ssl		
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.modules.d/00-ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so   			 ##        
/usr/libexec/httpd-ssl-pass-dialog
/var/cache/httpd/ssl
[root@localhost conf.d]# cat /etc/httpd/conf.modules.d/00-ssl.conf
LoadModule ssl_module modules/mod_ssl.so


    [root@localhost conf.d]# rpm -q --scripts mod_ssl		##   mod_ssl              
postinstall scriptlet (using /bin/sh):
umask 077

if [ -f /etc/pki/tls/private/localhost.key -o -f /etc/pki/tls/certs/localhost.crt ]; then
   exit 0
fi

/usr/bin/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 2048 > /etc/pki/tls/private/localhost.key 2> /dev/null

FQDN=`hostname`
if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then
   FQDN=localhost.localdomain
fi

cat << EOF | /usr/bin/openssl req -new -key /etc/pki/tls/private/localhost.key \
         -x509 -sha256 -days 365 -set_serial $RANDOM -extensions v3_req \
         -out /etc/pki/tls/certs/localhost.crt 2>/dev/null
--
SomeState
SomeCity
SomeOrganization
SomeOrganizationalUnit
${FQDN}
root@${FQDN}
EOF

    [root@localhost conf.d]# egrep -v "#|^$" /etc/httpd/conf.d/ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>           ##          443       
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

 ##CA       CA           ,                。     ‘    ’       
 ##                         
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
##  ,                 
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key       

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

[root@localhost conf.d]# systemctl restart httpd    ##    ,
    httpとhttpsの性能比較
    -http圧測定
    [root@vm1 ~]# ab -c10 -n 100 http://www.a.com/messages.txt
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.a.com (be patient).....done


Server Software:        Apache
Server Hostname:        www.a.com
Server Port:            80

Document Path:          /messages.txt
Document Length:        49652 bytes

Concurrency Level:      10
Time taken for tests:   0.049 seconds
Complete requests:      100
Failed requests:        0
Write errors:           0
Total transferred:      4992600 bytes
HTML transferred:       4965200 bytes
Requests per second:    2035.62 [#/sec] (mean)					##    2000   
Time per request:       4.912 [ms] (mean)
Time per request:       0.491 [ms] (mean, across all concurrent requests)
Transfer rate:          99248.57 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    1   0.8      1       4
Processing:     1    3   1.7      3       8
Waiting:        0    2   1.5      2       7
Total:          2    5   2.2      4      10

Percentage of the requests served within a certain time (ms)
  50%      4
  66%      4
  75%      5
  80%      6
  90%      9
  95%      9
  98%     10
  99%     10
 100%     10 (longest request)
    -https圧測定
    [root@vm1 ~]# ab -c10 -n 100 https://www.a.com/messages.txt
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.a.com (be patient).....done


Server Software:        Apache
Server Hostname:        www.a.com
Server Port:            443
SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES256-GCM-SHA384,2048,256

Document Path:          /messages.txt
Document Length:        214 bytes

Concurrency Level:      10
Time taken for tests:   0.095 seconds
Complete requests:      100
Failed requests:        0
Write errors:           0
Non-2xx responses:      100
Total transferred:      37800 bytes
HTML transferred:       21400 bytes
Requests per second:    1055.74 [#/sec] (mean)               ##    1000   
Time per request:       9.472 [ms] (mean)
Time per request:       0.947 [ms] (mean, across all concurrent requests)
Transfer rate:          389.72 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        4    7   1.4      7      12
Processing:     0    1   0.7      1       3
Waiting:        0    1   0.5      1       2
Total:          4    8   1.6      8      15

Percentage of the requests served within a certain time (ms)
  50%      8
  66%      8
  75%      9
  80%      9
  90%     10
  95%     10
  98%     13
  99%     15
 100%     15 (longest request)
    Kubergnetesはflannelを使ってホストにまたがる通信の注意点をします.
    同じページに複数のJSライブラリを導入して発生する衝突解決策(転送)