Contents
* How the web service works
* Installing and configuring the webserver
* Basic operations of the webserver
* The SSL concept
Installing Apache
1. Obtaining Apache
   Official site of Apache: The Apache Software Foundation, http://www.apache.org/
2. Decompression and extraction
   # gzip -cd httpd-2.0.56.tar.gz | tar xvf -
   # ls -F httpd-2.0.56/
   ABOUT_APACHE   InstallBin.dsp  NWGNUmakefile     apachenw.mcp.zip  docs/         os/
   Apache.dsp     LAYOUT          README            build/            emacs-style   server/
   Apache.dsw     LICENSE         README.platforms  buildconf*        httpd.spec    srclib/
   BuildBin.dsp   Makefile.in     VERSIONING        config.layout     include/      support/
   CHANGES        Makefile.win    acconfig.h        configure*        libhttpd.dsp  test/
Components of Apache
* Server program (httpd): the core program, the basic functional part of Apache.
* Modules: a group of add-on programs that provide the various functions.
  - Standard modules: modules included in the Apache package.
  - Third-party modules: modules not included in the Apache package.
  A module is built in one of two ways:
  - Static link: the module is linked into the httpd program file itself.
  - DSO (Dynamic Shared Object): the module is built as a separate file and loaded after Apache starts, when its function is used.
Configuring modules (static)
* Building modules in
  # cd httpd-2.0.56/
  # ./configure --enable-ssl --disable-userdir
    (module 'mod_ssl' is added and module 'mod_userdir' is removed)
  # make
  # make install
* Verifying the built-in modules
  # /usr/local/apache2/bin/httpd -l
  Compiled in modules:
    core.c          mod_access.c     mod_auth.c
    mod_include.c   mod_env.c        mod_setenvif.c
    mod_ssl.c       prefork.c        http_core.c
    mod_mime.c      mod_status.c     mod_autoindex.c
    mod_asis.c      mod_cgi.c        mod_dir.c
    mod_imap.c      mod_actions.c    mod_alias.c
    mod_so.c
  'httpd -l' displays the list of statically linked modules. We can see that mod_ssl.c is built in, and that mod_userdir.c, which is usually built in by default, is not.
Configuring modules (dynamic)
* Building a module as a DSO
  # cd httpd-2.0.56/
  # ./configure --enable-echo=shared
    (module 'mod_echo' is added as a DSO)
  # make
  # make install
* Verifying the module file
  # cd /usr/local/apache2/modules/
  # ls
  httpd.exp  mod_echo.so
  This verifies that module 'mod_echo' is installed under '/usr/local/apache2/modules'.
* Verifying the configuration (the '/usr/local/apache2/conf/httpd.conf' file)
  # Dynamic Shared Object (DSO) Support
  ...
  LoadModule echo_module modules/mod_echo.so
  The LoadModule line shows that 'mod_echo' has been added; a DSO is only active when such a line loads it.
Configuration files
* /etc/apache2.conf
Configuration directives
* Each directive occupies a single line and has no opening and closing tags.
* A directive can be placed outside or inside a container section (such as <Directory>).
Declaring a directory
<Directory></Directory>
.htaccess
AllowOverride [None | directive types]
  - controls which directives may be used in .htaccess
Allow, Deny
  - Allow from all
  - Allow from 192.168.192.0/18 hut.edu.vn
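To make the Allow/Deny semantics concrete, here is an added Python example (not part of the original slides) that evaluates entries such as 'all', '192.168.192.0/18' and 'hut.edu.vn' against a client the way mod_access does. The Order directive, which the slide does not show, decides which list wins, and the domain form assumes HostnameLookups is on so the client's hostname is known.

```python
import ipaddress
import re

# Constructed example of Apache 2.0 mod_access matching for the forms shown on the slide:
#   Allow from all
#   Allow from 192.168.192.0/18 hut.edu.vn
# An entry is "all", an IPv4 network in CIDR form, a full or partial dotted IP
# (partial = prefix match on whole octets), or a domain matched against the
# client's resolved hostname (requires HostnameLookups On).

def entry_matches(entry, client_ip, client_host=None):
    """Return True if one Allow/Deny entry applies to this client."""
    if entry == "all":
        return True
    if "/" in entry:                              # CIDR network, e.g. 192.168.192.0/18
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)
    if re.fullmatch(r"[0-9.]+", entry):           # full IP, or partial like 192.168.1
        return client_ip == entry or client_ip.startswith(entry.rstrip(".") + ".")
    if client_host is None:                       # domain entry but no hostname known
        return False
    host, dom = client_host.lower(), entry.lower().lstrip(".")
    # whole-label match: "hut.edu.vn" matches "www.hut.edu.vn" but not "nothut.edu.vn"
    return host == dom or host.endswith("." + dom)

def access_allowed(order, allow, deny, client_ip, client_host=None):
    """Apply 'Order allow,deny' or 'Order deny,allow' to the entry lists taken
    from 'Allow from ...' and 'Deny from ...'."""
    allowed = any(entry_matches(e, client_ip, client_host) for e in allow)
    denied = any(entry_matches(e, client_ip, client_host) for e in deny)
    if order == "allow,deny":
        # default is deny; a matching Deny always overrides a matching Allow
        return allowed and not denied
    if order == "deny,allow":
        # default is allow; a matching Allow overrides a matching Deny
        return allowed or not denied
    raise ValueError("unknown Order: " + order)
```

With Order allow,deny and no matching Allow entry the request is refused, which is why a directory that should be reachable only from the campus network needs both the CIDR entry and the domain entry to resolve correctly.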
.htaccess
* Declares the attributes of a directory.
Configuring DNS
1. Editing the zone data file
Securing the webserver
(Figure: access request flow; the diagram itself is not recoverable.)
Relationship between the configuration file and the access control file
/usr/local/apache2/conf/httpd.conf:
  <Directory "/usr/local/apache2/htdocs">
      Options Indexes FollowSymLinks
      AllowOverride All
  </Directory>
  AccessFileName .htaccess
* The <Directory> section holds the settings concerning the directory '/usr/local/apache2/htdocs'.
* 'AllowOverride All' grants permission to override all settings concerning that directory from its access control file, /usr/local/apache2/htdocs/.htaccess.
* 'AccessFileName .htaccess' specifies the name of the access control file.
* The access control file is consulted only when AllowOverride makes it effective; with 'AllowOverride None' it is ignored.
Log
access_log:
192.168.0.40 - - [12/Aug/2004:20:05:42 +0900] "GET / HTTP/1.1" 401 512
192.168.0.40 - taro [12/Aug/2004:20:07:24 +0900] "GET / HTTP/1.1" 200 1639
192.168.0.40 - taro [12/Aug/2004:20:07:25 +0900] "GET /apache_pb.gif HTTP/1.1"
error_log:
[Fri Aug 13 10:29:38 2004] [error] [client 192.168.0.40] File does not exist: /usr/local/apache2/htdocs/test.html
[Fri Aug 13 10:29:43 2004] [error] [client 192.168.0.40] (13)Permission denied: exec of '/usr/local/apache2/cgi-bin/printenv' failed
agent_log:
Mozilla/5.0 (X11; U; Linux i686; ja-JP; rv:1.4) Gecko/20030922
Mozilla/5.0 (X11; U; Linux i686; ja-JP; rv:1.4) Gecko/20030922
Log configuration
HostnameLookups Off
ErrorLog logs/error_log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog logs/access_log common
#CustomLog logs/referer_log referer
#CustomLog logs/agent_log agent
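The following added Python example (not from the slides) compiles the LogFormat strings above into regular expressions and runs the slide's access_log lines through them, then counts 401 responses per client. The third access_log line is cut off on the slide, so its status and size are constructed values.

```python
import re
from collections import Counter

# Added example: only the format tokens that appear on the slide are supported
# (%h %l %u %t %r %>s %b and %{Header}i); anything else is matched as one token.
TOKEN_RE = re.compile(r"%>?(?:\{(?P<hdr>[^}]+)\})?(?P<letter>[a-zA-Z])")

def logformat_to_regex(fmt):
    """Turn one LogFormat value into a compiled regex with named groups."""
    fmt = fmt.replace('\\"', '"')            # httpd.conf writes quotes inside the value as \"
    pattern, pos = "^", 0
    for m in TOKEN_RE.finditer(fmt):
        pattern += re.escape(fmt[pos:m.start()])    # literal text between tokens
        hdr, letter = m.group("hdr"), m.group("letter")
        if letter == "t":                           # %t is emitted as [day/mon/year:time zone]
            pattern += r"\[(?P<t>[^\]]+)\]"
        elif letter == "r":                         # request line, contains spaces
            pattern += r'(?P<r>[^"]*)'
        elif letter == "s":                         # %>s: final status code
            pattern += r"(?P<s>\d{3})"
        elif letter == "b":                         # bytes sent, '-' when none
            pattern += r"(?P<b>\d+|-)"
        elif letter == "i" and hdr:                 # %{Referer}i, %{User-Agent}i
            pattern += r'(?P<%s>[^"]*)' % hdr.replace("-", "_").lower()
        else:                                       # %h %l %u and similar single tokens
            pattern += r"(?P<%s>\S+)" % letter
        pos = m.end()
    return re.compile(pattern + re.escape(fmt[pos:]) + "$")

COMMON = r'%h %l %u %t \"%r\" %>s %b'
COMBINED = r'%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"'

# access_log lines re-typed from the slide; the third line's status and size were
# cut off there, so 200 and 2326 are constructed values.
ACCESS_LOG = [
    '192.168.0.40 - - [12/Aug/2004:20:05:42 +0900] "GET / HTTP/1.1" 401 512',
    '192.168.0.40 - taro [12/Aug/2004:20:07:24 +0900] "GET / HTTP/1.1" 200 1639',
    '192.168.0.40 - taro [12/Aug/2004:20:07:25 +0900] "GET /apache_pb.gif HTTP/1.1" 200 2326',
]

def parse_log(lines, fmt=COMMON):
    """Return one dict per line that matches the format; unmatched lines are skipped."""
    rx = logformat_to_regex(fmt)
    return [m.groupdict() for m in map(rx.match, lines) if m]

def auth_failures_by_client(records):
    """Count 401 responses per client IP: many 401s from one host are worth a look."""
    return Counter(r["h"] for r in records if r["s"] == "401")
```

The 'common' format has no Referer or User-Agent fields, so a parser built for it returns nothing for those keys; switch CustomLog to 'combined' when that context is needed for investigations.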
SSL (Secure Socket Layer)
A protocol that encrypts the communication path and authenticates the other party of the communication.
Why SSL is needed
(Figure: communication not using SSL; the diagram is not recoverable.)
Types of encryption
Common key cipher (session key)
* Uses the same key for encryption and decryption.
* The mechanism of the cipher communication is simple, so the encryption/decryption load is light.
* The problem is how to pass the key to the other party and receive it safely.
Public key cipher (public key / private key)
* Uses a different key to encrypt and to decrypt.
* A pair of public key and private key is made, and the public key is published.
How SSL works
(Figure: the Certificate Authority (CA) signs the server certificate with its secret key; the certificate of the CA (its public key) is installed in the client. The diagram itself is not recoverable.)
Installing SSL
1. Installation of the SSL server
2. Making the key pair (private key and public key)
3. Making the certificate signing request
4. Contract with the certificate authority
5. Setting up the SSL server
Making the key pair
  # cd /usr/local/apache2/conf/
  # mkdir ssl.key
  # chmod 700 ssl.key
  # ls -ld ssl.key
  drwx------  2 root root 4096 Aug 13 11:31 ssl.key
    (make a directory for key pair storage and restrict its access rights to root)
  # cd ssl.key/
  # cat /bin/ls /bin/cp /bin/more > /tmp/random.db
    (make a data file for random number generation)
  # /usr/local/ssl/bin/openssl genrsa -des3 -rand /tmp/random.db 1024 > server.key
  144644 semi-random bytes loaded
  Generating RSA private key, 1024 bit long modulus
  e is 65537 (0x10001)
  Enter pass phrase:
    (make the key pair; -des3 encrypts the private key with the pass phrase entered here)
Certificate signing request
  # cd /usr/local/apache2/conf
  # mkdir ssl.csr
  # chmod 700 ssl.csr
  # ls -ld ssl.csr
  drwx------  2 root root 4096 Aug 13 13:12 ssl.csr
    (make a storage directory for the certificate signing request and change its access rights)
  # cd ssl.csr
  # /usr/local/ssl/bin/openssl req -new -key ../ssl.key/server.key -out server.csr
  Enter pass phrase for ../ssl.key/server.key:
    (input the pass phrase of the private key; this makes the certificate signing request)
  Country Name (2 letter code) [AU]:JP
  State or Province Name (full name) [Some-State]:Tokyo
  Locality Name (eg, city) []:Ohta-ku
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:FLM
  Organizational Unit Name (eg, section) []:Learning Service
  Common Name (eg, YOUR name) []:www.foo.co.jp
  Email Address []:webmaster@foo.co.jp
    (input the site information; the Common Name must be the host name clients will use)
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:
    (usually input nothing and skip these with [Enter], following the instructions of the certificate authority)
  # chmod 400 server.csr
  # ls -l server.csr
  -r--------  1 root root 720 Aug 13 13:17 server.csr
    (change the access rights of the certificate signing request)
Authentication
(Figure: the certificate authority's enrollment page, where the certificate signing request is attached; not recoverable.)
Mail content (certificate):
  Dear VeriSign Customer,
  Thank you for ordering VeriSign Digital ID.
  Your Server ID (Certificate) has been issued and is attached at the end of this message.
  Please refer to the following URL to install your Digital ID on your server and to see the details of Secure Site Seal.
  Please visit:
  http://www.verisign.co.jp/server/ops/s_id.html
Server configuration
Setting up the certificate acquired from the certificate authority
  # mkdir /usr/local/apache2/conf/ssl.crt
    (make a directory for certificate storage)
  # mv server.pem /usr/local/apache2/conf/ssl.crt
    (store the certificate acquired from the certificate authority)
Editing the '/usr/local/apache2/conf/ssl.conf' file (excerpt):
  <IfDefine SSL>
  <VirtualHost _default_:443>
  ServerName www.foo.co.jp:443
  ServerAdmin webmaster@foo.co.jp
  #   SSL Engine Switch:
  SSLEngine on
    (use SSL; this is the default in the shipped file)
  #   Server Certificate:
  SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.pem
    (specify the certificate's storage place)
Checking the configuration
* Start Apache for SSL and input the pass phrase of the private key when prompted.
* Specify https for the protocol in the browser's URL.
(Figure: browser screenshot of the Apache test page served over https; not recoverable.)
Hiding the pass phrase
Signature for the private key
* Sign the private key, inputting the pass phrase of the private key.
* Edit the '/usr/local/apache2/conf/ssl.conf' file.
Configuring client authentication
'/usr/local/apache2/conf/ssl.conf' (excerpt):
  #   Certificate Authority (CA):
  #   Set the CA certificate verification path where to find CA
  #   certificates for client authentication or alternatively one
  #   huge file containing all of them (file must be PEM encoded)
  #   Note: Inside SSLCACertificatePath you need hash symlinks
  #         to point to the certificate files. Use the provided
  #         Makefile to update the hash symlinks after changes.
  SSLCACertificatePath /usr/local/apache2/conf/ssl.crt
  SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/cacert.pem
  #   Client Authentication (Type):
  #   Client certificate verification type and depth.  Types are
(the remainder of this excerpt is missing from the slide)
Simple certificate authority
  # cd /usr/local/ssl
  # /usr/local/ssl/misc/CA.sh -newca
    (make a simple certificate authority: generates the CA's key pair and certificate)
  CA certificate filename (or enter to create)
  Making CA certificate ...
  Generating a 1024 bit RSA private key
  ......++++++
  ....++++++
  writing new private key to './demoCA/private/./cakey.pem'
  Enter PEM pass phrase:
  Verifying - Enter PEM pass phrase:
  -----
  Country Name (2 letter code) [AU]:JP
  State or Province Name (full name) [Some-State]:Tokyo
  Locality Name (eg, city) []:Ohta-ku
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:FLM
  Organizational Unit Name (eg, section) []:CAMASTER
  Common Name (eg, YOUR name) []:ca.foo.co.jp
    (set the simple certificate authority's information)