Setting up a simple HTTPS service
To load-test an HTTPS endpoint with the ab tool I set up a bare-bones HTTPS server; this is a record of the process.
Environment setup
Three containers were created in Docker:
A: the certificate authority (CA)
B: the server
C: the client
docker run -dit --name ca centos:centos7 /bin/bash #-it keeps bash alive in the background; with -d alone bash sees a closed stdin and exits at once, and docker exec then fails
docker run --privileged=true -d --name https-server -p 8000:80 -p 8443:443 centos:centos7 /usr/sbin/init
docker run -dit --name https-client centos:centos7 /bin/bash
systemd
systemd manages the system's services and needs privileged access to the kernel: it expects to run as PID 1 and to control cgroups, mounts and dbus. A container is not a full operating system; it is a filesystem plus a process tree running with a restricted set of capabilities, so systemctl does not work in a default container. The server container is therefore started with --privileged=true and /usr/sbin/init as its entrypoint, which lets systemd come up and start dbus and the other units it depends on. Keep in mind that --privileged hands the container every capability and switches off most of Docker's isolation from the host; that is acceptable for a throwaway lab like this one, not for a production httpd.
docker inspect ca #look up each container's IP address: the value of the IPAddress field
docker inspect https-server
docker inspect https-client
Building it
1. Generate the root CA on the CA container
1) Create the files openssl ca needs
docker exec -it ca /bin/bash #enter the CA container
[root@9547dc9d4123 /]# cd /etc/pki/CA/ #the CA directory that /etc/pki/tls/openssl.cnf points to; the key and certificates must live here or in its subdirectories
[root@9547dc9d4123 /etc/pki/CA]# touch index.txt #the certificate database (index) file
[root@9547dc9d4123 /etc/pki/CA]# echo 01 > serial #serial number of the first certificate to be issued
#Note: if these two files do not exist, openssl ca fails with an error when issuing a certificate; you can also create them at that point (try both if you like; I created them first)
2) Generate the CA private key
[root@9547dc9d4123 /etc/pki/CA]# umask 066;openssl genrsa -out private/cakey.pem -des3 2048 #umask 066 makes the key file readable by its owner only; the file must be named cakey.pem because that is what the private_key setting in openssl.cnf points to; -des3 encrypts the key with a passphrase; the key size (2048) must be the last argument. (If you do not want to type a passphrase every time, omit -des3)
Generating RSA private key, 2048 bit long modulus
...+++
.............................+++
e is 65537 (0x10001)
Enter pass phrase for private/cakey.pem: #choose a passphrase
Verifying - Enter pass phrase for private/cakey.pem: #type it again
3) Self-signed certificate (the CA issues a certificate to itself)
[root@9547dc9d4123 /etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7500 #-new: generate a new request; -x509: output a self-signed certificate instead of a CSR (this is how a CA makes its own certificate); -key: the private key to use; -days n: validity in days; -out /PATH/TO/SOMECERTFILE: where to save the certificate (openssl.cnf expects cacert.pem in this directory)
Enter pass phrase for private/cakey.pem: #the key was encrypted when it was created, so the passphrase is required here
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #country; with the default policy in openssl.cnf (policy_match) the country, province and organization in a request must match the CA certificate's, otherwise openssl ca refuses to sign it (you can change the policy in the config file)
State or Province Name (full name) []:jiangsu #province
Locality Name (eg, city) [Default City]:nanjing #city
Organization Name (eg, company) [Default Company Ltd]:miuye.com #organization
Organizational Unit Name (eg, section) []:opt #department
Common Name (eg, your name or your server's hostname) []:www.miuye.com #name of the CA; for a CA this is just a label and does not have to be a hostname
Email Address []: #email (optional)
2. Server B requests a certificate from the CA
1) Enter the container and install the packages
docker exec -it https-server /bin/bash
[root@8df1d6a0f43f /]# yum install wget mod_ssl httpd openssh-clients -y
2) Create the server's own private key
[root@8df1d6a0f43f /]# mkdir /etc/httpd/conf.d/ssl/ #this is for httpd, so the files can live under its configuration directory
[root@8df1d6a0f43f /]# umask 066;openssl genrsa -out /etc/httpd/conf.d/ssl/httpd.key 2048 #generate the server's private key; it is left unencrypted so httpd can start without a passphrase prompt
Generating RSA private key, 2048 bit long modulus
................................................+++
.........+++
e is 65537 (0x10001)
3) Generate the certificate signing request
[root@8df1d6a0f43f /]# openssl req -new -key /etc/httpd/conf.d/ssl/httpd.key -out /etc/httpd/conf.d/ssl/httpd.csr #the .csr suffix is a naming convention; openssl does not require it
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #country
State or Province Name (full name) []:jiangsu #province
Locality Name (eg, city) [Default City]:nanjing
Organization Name (eg, company) [Default Company Ltd]:miuye.com #organization; with the default policy these three (country, province, organization) must match the CA's, the rest are free
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.Friday.com #the server's hostname. Note that browsers and curl match the hostname against the subjectAltName extension rather than the CN, and the stock openssl.cnf does not copy extensions from the CSR into the issued certificate, so a certificate from this workflow has no SAN and fails hostname checks in such clients. That does not matter for ab, which does not verify the server certificate (the client container below never installs cacert.pem and the test still runs)
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #an optional attribute stored inside the CSR (a leftover from older enrolment protocols); it does not protect the private key and does not cause later passphrase prompts. I left it empty
An optional company name []:
4) Send the request file to the root CA host
[root@8df1d6a0f43f /]# scp /etc/httpd/conf.d/ssl/httpd.csr 172.17.0.2:/etc/pki/CA/ #copy it to the CA container (172.17.0.2 is the IP from docker inspect), into /etc/pki/CA. scp needs an SSH server running inside the ca container; if there is none, copy the file through the Docker host with docker cp instead
3. Issue the certificate
1) Sign the request on the CA
[root@9547dc9d4123 /etc/pki/CA]# openssl ca -in httpd.csr -out certs/httpd.crt -days 300 #issue the certificate with a validity of 300 days; you are prompted for the CA key passphrase and asked to confirm the signature and the database update (answer y to both)
[root@9547dc9d4123 /etc/pki/CA]# cat index.txt #the database now contains a line with the applicant's subject; the previous (empty) database is kept as index.txt.old, and a copy of the certificate is written to newcerts/01.pem
2) Send the issued certificate and the CA's own certificate back to the server
[root@9547dc9d4123 /etc/pki/CA]# scp certs/httpd.crt 172.17.0.3:/etc/httpd/conf.d/ssl/
[root@9547dc9d4123 /etc/pki/CA]# scp cacert.pem 172.17.0.3:/etc/httpd/conf.d/ssl/
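The three steps above (CA key and self-signed root, server key and CSR, signing with openssl ca) as one script. This is an added example and not code from the original post: it runs the same workflow in a throwaway directory with its own openssl.cnf, so it does not depend on /etc/pki/CA, needs no interactive answers, and issues a certificate that carries a subjectAltName, which the stock config does not. The names www.example.test and "Lab Root CA" are assumptions made for this example; the DN values mirror the post.

```shell
#!/bin/sh
# Added example, not from the original post: a self-contained mini CA that
# reproduces the post's workflow without touching /etc/pki/CA.
# Assumed names: www.example.test (server) and "Lab Root CA" (CA).

build_lab_pki() {                # $1 = working directory (created if missing)
    root="$1"; ca="$root/ca"; srv="$root/server"
    mkdir -p "$ca/private" "$ca/newcerts" "$ca/certs" "$srv"
    : > "$ca/index.txt"          # certificate database; openssl ca errors without it
    echo 01 > "$ca/serial"       # serial number of the first certificate
    chmod 700 "$ca/private"      # same intent as the post's umask 066

    # Minimal CA config. policy_anything replaces the stock policy_match rule
    # (C/ST/O must equal the CA's). copy_extensions defaults to none, so a SAN
    # placed in the CSR would be dropped; the SAN is therefore added on the CA
    # side through server_ext. "$dir" inside the file is an openssl variable.
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = lab_ca

[ lab_ca ]
dir             = $ca
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 300
policy          = policy_anything
copy_extensions = none

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder-overridden-by-subj

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:www.example.test
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

    # 1. CA key (unencrypted so the run is non-interactive; the post used -des3)
    #    and the self-signed root certificate, as in the post's step 1.
    openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 7500 -config "$ca/openssl.cnf" \
        -key "$ca/private/cakey.pem" -extensions ca_ext \
        -subj "/C=CN/ST=jiangsu/L=nanjing/O=miuye.com/CN=Lab Root CA" \
        -out "$ca/cacert.pem"

    # 2. Server key and CSR, as in the post's step 2 on container B.
    openssl genrsa -out "$srv/httpd.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$ca/openssl.cnf" -key "$srv/httpd.key" \
        -subj "/C=CN/ST=jiangsu/L=nanjing/O=miuye.com/CN=www.example.test" \
        -out "$srv/httpd.csr"

    # 3. Issue, as in the post's step 3. -batch answers the two y/n prompts;
    #    a copy also lands in newcerts/01.pem and a line is added to index.txt.
    openssl ca -batch -config "$ca/openssl.cnf" -extensions server_ext \
        -in "$srv/httpd.csr" -out "$srv/httpd.crt"
}

# Verify the issued certificate against the root and check that the hostname
# matches its subjectAltName. Exit status is openssl verify's (0 = OK).
verify_issued_cert() {           # $1 = working directory, $2 = hostname to check
    openssl verify -CAfile "$1/ca/cacert.pem" -verify_hostname "$2" \
        "$1/server/httpd.crt"
}

# Usage: d=$(mktemp -d); build_lab_pki "$d"; verify_issued_cert "$d" www.example.test
```

The hostname check is the part the post's workflow cannot pass: with no SAN in the certificate, openssl verify -verify_hostname (and any browser or curl) rejects the name even though the signature chain is fine. Passing the CA's own config with -extensions is also what lets a CA signed by the stock openssl.cnf add a SAN without editing /etc/pki/tls/openssl.cnf.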
4. Server configuration
Three directives in /etc/httpd/conf.d/ssl.conf on server B need to change. Installing the mod_ssl package generates a throwaway self-signed certificate and key and points these directives at them:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt #certificate path
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key #key path
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt #path of the CA chain; commented out by default, so nothing beyond the server certificate is sent and the root CA does not show up when you inspect the certificate
Change them to:
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem #after starting httpd the root CA is visible in the certificate chain
Two things to keep straight here. The documented role of SSLCACertificateFile is the trust store mod_ssl uses to verify client certificates; since the root signed httpd.crt directly there is no intermediate to send, so the chain in this setup is just the server certificate. And nothing in the server config makes clients trust that chain: a client only accepts it if cacert.pem is installed on the client side (for curl, passed with --cacert), which is why the server-side directive is not what makes the certificate "valid".
5. Run it
1) Start httpd on the server
[root@8df1d6a0f43f /]# systemctl start httpd
2) Test from the client
docker exec -it https-client /bin/bash
[root@8be2c340763a /]# yum install httpd-tools -y #provides ab
[root@8be2c340763a /]# ab -n 20000 -c 20000 https://172.17.0.3/ #20000 requests with all 20000 in flight at once; ab does not verify the server certificate, so cacert.pem is not needed on the client; a concurrency this high needs the open-file limit (ulimit -n) above 20000, otherwise ab fails with "Too many open files"
Results
Server Software: Apache/2.4.6
Server Hostname: 172.17.0.2
Server Port: 443
SSL/TLS Protocol: TLSv1.2,ECDHE-RSA-AES256-GCM-SHA384,2048,256
Document Path: /
Document Length: 4897 bytes
Concurrency Level: 20000
Time taken for tests: 76.286 seconds
Complete requests: 20000
Failed requests: 465
(Connect: 0, Receive: 0, Length: 465, Exceptions: 0)
Write errors: 0
Non-2xx responses: 19714
Total transferred: 101957927 bytes
HTML transferred: 96221153 bytes
Requests per second: 262.17 [#/sec] (mean)
Time per request: 76285.923 [ms] (mean)
Time per request: 3.814 [ms] (mean, across all concurrent requests)
Transfer rate: 1305.20 [Kbytes/sec] received
Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0 3214 5249.7   2182 73614
Processing:    69 1937 9746.4    468 65202
Waiting:        0  144   69.3    154   516
Total:       1323 5150 10616.3  2683 74170
Percentage of the requests served within a certain time (ms)
  50%   2683
  66%   2774
  75%   2833
  80%   2888
  90%   6348
  95%  12532
  98%  65085
  99%  65106
 100%  74170 (longest request)
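Read the counters before the rate: 19714 of the 20000 responses were non-2xx, and the 465 "Length" failures are responses whose body size differed from the first one. On a stock CentOS 7 httpd with no /var/www/html/index.html, a request for / is answered with the Apache test page as a 403 (welcome.conf), so this run measured TLS handshakes plus an error page rather than an application. Put an index.html in place, or point ab at a real endpoint, before comparing numbers. The check below is an added example, not code from the post: a small shell function that reads an ab report and refuses it when any request failed or came back with a non-2xx status. The two sample reports are constructed for this example; the first mirrors the counters above.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an ab report before
# trusting its requests-per-second figure. ab counts a 403 or 503 as a
# "complete" request, so a run can look fine while measuring error pages.

# Reads an ab report on stdin, prints the three counters, and returns 0 only
# when every request completed with a 2xx status and a consistent length.
ab_run_is_clean() {
    awk '
        /^Complete requests:/ { complete = $3 }
        /^Failed requests:/   { failed   = $3 }
        /^Non-2xx responses:/ { non2xx   = $3 }
        END {
            if (non2xx == "") non2xx = 0   # ab omits the line when there are none
            printf "complete=%d failed=%d non2xx=%d\n", complete, failed, non2xx
            if (complete > 0 && failed == 0 && non2xx == 0) exit 0
            exit 1
        }'
}

# Constructed excerpts for running the check offline. The first carries the
# counters from the report above; the second is what a clean run looks like.
SAMPLE_AB_BAD='Complete requests:      20000
Failed requests:        465
   (Connect: 0, Receive: 0, Length: 465, Exceptions: 0)
Non-2xx responses:      19714'
SAMPLE_AB_GOOD='Complete requests:      20000
Failed requests:        0'

# Usage: printf "%s\n" "$SAMPLE_AB_BAD" | ab_run_is_clean || echo "benchmark hit error pages"
```

In a real run, pipe ab's output through the function (ab ... | tee report.txt | ab_run_is_clean) and treat a non-zero exit as "do not record this number"; the printed counters go in the report next to the requests-per-second figure.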
References:
https://blog.miuyun.work/archives/12054253
https://blog.csdn.net/OH_ON/article/details/78301297
If anything here is wrong, please point it out; many thanks!