为了测试ab工具压测https接口,简单搭了一下https,记录一下过程。
 

环境准备

在docker中建了3个容器:
A: 证书颁发(CA)
B: 服务端
C: 客户端

docker run -d --name ca  centos:centos7 /bin/bash

docker run --privileged=true -d --name https-server -p 8000:80 -p 8443:443 centos:centos7 /usr/sbin/init

docker run  -d --name https-client  centos:centos7 /bin/bash

systemd维护系统服务程序,它需要特权去会访问Linux内核。而容器并不是一个完整的操作系统,只有一个文件系统,而且默认启动只是普通用户这样的权限访问Linux内核,也就是没有特权,所以默认启动容器会用不了systemctl,因此服务端在启动容器的时候需要加上privileged=true,和/user/sbin/init,这样docker容器会自动将dbus等服务启动起来。

docker inspect ca     #查看各个容器的ip,IPAddress对应值
docker inspect https-server
docker inspect https-server

 

正式搭建

 

一、在CA上先生成根CA
1、创建所需要的文件
docker exec -it ca /bin/bash        #进入CA容器
[root@9547dc9d4123 /]# cd /etc/pki/CA/                 #先进入到CA的目录下(创建秘钥都要在此文件下或其子文件下)
[root@9547dc9d4123 /etc/pki/CA]# touch index.txt      #生成证书索引数据库文件
[root@9547dc9d4123 /etc/pki/CA]# echo 01 > serial     #指定第一个颁发证书的序列号
#注意,这两个文件若是不事先创建好,在颁发证书时会报错,到时候再创建也行(你可以都试一下,我这里是先创建的)
2、生成私钥
[root@9547dc9d4123 /etc/pki/CA]# umask 066;openssl genrsa -out private/cakey.pem -des3 2048    #umask设定权限;名字必须叫cakey.pem,-des3加密类型和2048位数位置不能反。(若是懒得输密码,就不用加密即不加-des3选项)
Generating RSA private key, 2048 bit long modulus
...+++
.............................+++
e is 65537 (0x10001)
Enter pass phrase for private/cakey.pem:                                             #设置口令密码
Verifying - Enter pass phrase for private/cakey.pem:                                 #再次输入密码
3、自签名证书(自己颁发给自己的证书)
[root@9547dc9d4123 /etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7500      #其中:-new: 生成新证书签署请求、-x509: 专用于CA生成自签证书、-key: 生成请求时用到的私钥文件、-days n:证书的有效期限、-out /PATH/TO/SOMECERTFILE: 证书的保存路径
Enter pass phrase for private/cakey.pem:                                                             #因为我们创建私钥时有加密,所以这里要输入密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                                               #国家;在申请证书时,申请发和被申请方按照配置文件要求,国家、省、公司三项必须相同(当然也可以改配置文件使其不要相同)
State or Province Name (full name) []:jiangsu                                                      #省;
Locality Name (eg, city) [Default City]:nanjing                                                  #市;   
Organization Name (eg, company) [Default Company Ltd]:miuye.com                                   #公司;
Organizational Unit Name (eg, section) []:opt                                                      #部门;
Common Name (eg, your name or your server's hostname) []:www.miuye.com                            #申请方的明字
Email Address []:                                                                                  #邮箱(可写可不写)                                                                               #邮箱(可写可不写)

 

二、服务器B向CA申请证书
1、进入容器并安装相关包
docker exec -it https-server /bin/bash

[root@8df1d6a0f43f /]# yum install wget mod_ssl httpd openssh-clients -y
2、建立自己的私钥
[root@8df1d6a0f43f /]# mkdir /etc/httpd/conf.d/ssl/                                            #因为要做的是跟http有关,所以可以放在它的配置文件下                    
[root@server ~]# umask 066;openssl genrsa -out /etc/httpd/conf.d/ssl/httpd.key 2048      #生成自己的私钥文件
Generating RSA private key, 2048 bit long modulus
................................................+++
.........+++
e is 65537 (0x10001)
3、生成证书申请文件
[root@8df1d6a0f43f /]# openssl req -new -key /etc/httpd/conf.d/ssl/httpd.key -out /etc/httpd/conf.d/ssl/httpd.csr     #申请文件必须以.csr结尾  
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                                                           #国家;
State or Province Name (full name) []:jiangsu                                                                  #省;
Locality Name (eg, city) [Default City]:nanjing
Organization Name (eg, company) [Default Company Ltd]:miuye.com                                               #公司;这三项必须一致外,其余不要求
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.Friday.com
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                                                                     #这里让你设密码;可以设也可以不设;设过后,每次执行和秘钥有关的都要输入密码;这里我没有设;
An optional company name []:
4、将生成的请求文件发送给根 CA 主机;
[root@8df1d6a0f43f /]# scp /etc/httpd/conf.d/ssl/httpd.csr 172.17.0.2:/etc/pki/CA/                #传到CA所在机器上,并放在/etc/pki/CA 下

 

三、颁发证书
1、在CA上生成证书
[root@9547dc9d4123 /etc/pki/CA]# openssl ca -in httpd.csr -out certs/httpd.crt -days 300                    #颁发证书并设置有效期300天
[root@9547dc9d4123 /etc/pki/CA]# cat index.txt       # 颁发证书后生成的新的数据库文件,里面有申请方信息;而之前的数据库文件里面仍为空,并重命名为index.txt.old
2、将生成的证书和CA自己的证书传回Server
[root@9547dc9d4123 /etc/pki/CA]# scp certs/httpd.crt 172.17.0.3:/etc/httpd/conf.d/ssl/
[root@9547dc9d4123 /etc/pki/CA]# scp cacert.pem 172.17.0.3:/etc/httpd/conf.d/ssl/

 

四、定义服务器配置文件

在服务器B机器上的/etc/httpd/conf.d/ssl.conf里有三项需要改;其原来的内容是在装mod_ssl包是自动生成并创建了相关的证书文件;

	SSLCertificateFile /etc/pki/tls/certs/localhost.crt          #证书路径
	SSLCertificateKeyFile /etc/pki/tls/private/localhost.key     #key路径
	#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt #CA的路径---》本来是被注释掉的,这样在查看证书时,就看不到根CA了,
改为:
	SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt               
	SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key   
	SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem   #我们可以启动,在证书里就可以看到根CA了

 

五、开干
1、服务端开启http服务
[root@8df1d6a0f43f /]# systemctl start httpd
2、进入客户端测试
docker exec -it https-client /bin/bash
[root@8be2c340763a /]yum install httpd-tools -y
[root@8be2c340763a /]ab -n 20000 -c 20000 https://172.17.0.3/

结果

Server Software:        Apache/2.4.6
Server Hostname:        172.17.0.2
Server Port:            443
SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES256-GCM-SHA384,2048,256

Document Path:          /
Document Length:        4897 bytes

Concurrency Level:      20000
Time taken for tests:   76.286 seconds
Complete requests:      20000
Failed requests:        465
   (Connect: 0, Receive: 0, Length: 465, Exceptions: 0)
Write errors:           0
Non-2xx responses:      19714
Total transferred:      101957927 bytes
HTML transferred:       96221153 bytes
Requests per second:    262.17 [#/sec] (mean)
Time per request:       76285.923 [ms] (mean)
Time per request:       3.814 [ms] (mean, across all concurrent requests)
Transfer rate:          1305.20 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0 3214 5249.7   2182   73614
Processing:    69 1937 9746.4    468   65202
Waiting:        0  144  69.3    154     516
Total:       1323 5150 10616.3   2683   74170

Percentage of the requests served within a certain time (ms)
  50%   2683
  66%   2774
  75%   2833
  80%   2888
  90%   6348
  95%  12532
  98%  65085
  99%  65106
 100%  74170 (longest request)

参考自:
https://blog.miuyun.work/archives/12054253
https://blog.csdn.net/OH_ON/article/details/78301297

如有不对烦请指出,万分感谢!

Logo

权威|前沿|技术|干货|国内首个API全生命周期开发者社区

更多推荐