搭建一个简单的https服务

  为了测试ab工具压测https接口，简单搭了一下https，记录一下过程。
 

环境准备

在docker中建了3个容器:
A: 证书颁发（CA）
B: 服务端
C: 客户端

docker run -d --name ca  centos:centos7 /bin/bash

docker run --privileged=true -d --name https-server -p 8000:80 -p 8443:443 centos:centos7 /usr/sbin/init

docker run  -d --name https-client  centos:centos7 /bin/bash

systemd维护系统服务程序，它需要特权去会访问Linux内核。而容器并不是一个完整的操作系统，只有一个文件系统，而且默认启动只是普通用户这样的权限访问Linux内核，也就是没有特权，所以默认启动容器会用不了systemctl，因此服务端在启动容器的时候需要加上privileged=true，和/user/sbin/init，这样docker容器会自动将dbus等服务启动起来。

docker inspect ca     #查看各个容器的ip，IPAddress对应值
docker inspect https-server
docker inspect https-server

正式搭建

一、在CA上先生成根CA

1、创建所需要的文件

docker exec -it ca /bin/bash        #进入CA容器

[root@9547dc9d4123 /]# cd /etc/pki/CA/                 #先进入到CA的目录下（创建秘钥都要在此文件下或其子文件下）
[root@9547dc9d4123 /etc/pki/CA]# touch index.txt      #生成证书索引数据库文件
[root@9547dc9d4123 /etc/pki/CA]# echo 01 > serial     #指定第一个颁发证书的序列号
#注意，这两个文件若是不事先创建好，在颁发证书时会报错，到时候再创建也行（你可以都试一下，我这里是先创建的）

2、生成私钥

[root@9547dc9d4123 /etc/pki/CA]# umask 066;openssl genrsa -out private/cakey.pem -des3 2048    #umask设定权限；名字必须叫cakey.pem，-des3加密类型和2048位数位置不能反。(若是懒得输密码，就不用加密即不加-des3选项)
Generating RSA private key, 2048 bit long modulus
...+++
.............................+++
e is 65537 (0x10001)
Enter pass phrase for private/cakey.pem:                                             #设置口令密码
Verifying - Enter pass phrase for private/cakey.pem:                                 #再次输入密码

3、自签名证书（自己颁发给自己的证书)

[root@9547dc9d4123 /etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7500      #其中：-new: 生成新证书签署请求、-x509: 专用于CA生成自签证书、-key: 生成请求时用到的私钥文件、-days n：证书的有效期限、-out /PATH/TO/SOMECERTFILE: 证书的保存路径
Enter pass phrase for private/cakey.pem:                                                             #因为我们创建私钥时有加密，所以这里要输入密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                                               #国家；在申请证书时，申请发和被申请方按照配置文件要求，国家、省、公司三项必须相同（当然也可以改配置文件使其不要相同）
State or Province Name (full name) []:jiangsu                                                      #省；
Locality Name (eg, city) [Default City]:nanjing                                                  #市；   
Organization Name (eg, company) [Default Company Ltd]:miuye.com                                   #公司；
Organizational Unit Name (eg, section) []:opt                                                      #部门；
Common Name (eg, your name or your server's hostname) []:www.miuye.com                            #申请方的明字
Email Address []:                                                                                  #邮箱（可写可不写）                                                                               #邮箱（可写可不写）

二、服务器B向CA申请证书

1、进入容器并安装相关包

docker exec -it https-server /bin/bash

[root@8df1d6a0f43f /]# yum install wget mod_ssl httpd openssh-clients -y

2、建立自己的私钥

[root@8df1d6a0f43f /]# mkdir /etc/httpd/conf.d/ssl/                                            #因为要做的是跟http有关，所以可以放在它的配置文件下                    
[root@server ~]# umask 066;openssl genrsa -out /etc/httpd/conf.d/ssl/httpd.key 2048      #生成自己的私钥文件
Generating RSA private key, 2048 bit long modulus
................................................+++
.........+++
e is 65537 (0x10001)

3、生成证书申请文件

[root@8df1d6a0f43f /]# openssl req -new -key /etc/httpd/conf.d/ssl/httpd.key -out /etc/httpd/conf.d/ssl/httpd.csr     #申请文件必须以.csr结尾  
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                                                           #国家；
State or Province Name (full name) []:jiangsu                                                                  #省；
Locality Name (eg, city) [Default City]:nanjing
Organization Name (eg, company) [Default Company Ltd]:miuye.com                                               #公司；这三项必须一致外，其余不要求
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.Friday.com
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                                                                     #这里让你设密码；可以设也可以不设；设过后，每次执行和秘钥有关的都要输入密码；这里我没有设；
An optional company name []:

4、将生成的请求文件发送给根 CA 主机；

[root@8df1d6a0f43f /]# scp /etc/httpd/conf.d/ssl/httpd.csr 172.17.0.2:/etc/pki/CA/                #传到CA所在机器上，并放在/etc/pki/CA 下

三、颁发证书

1、在CA上生成证书

[root@9547dc9d4123 /etc/pki/CA]# openssl ca -in httpd.csr -out certs/httpd.crt -days 300                    #颁发证书并设置有效期300天
[root@9547dc9d4123 /etc/pki/CA]# cat index.txt       # 颁发证书后生成的新的数据库文件，里面有申请方信息；而之前的数据库文件里面仍为空，并重命名为index.txt.old

2、将生成的证书和CA自己的证书传回Server

[root@9547dc9d4123 /etc/pki/CA]# scp certs/httpd.crt 172.17.0.3:/etc/httpd/conf.d/ssl/
[root@9547dc9d4123 /etc/pki/CA]# scp cacert.pem 172.17.0.3:/etc/httpd/conf.d/ssl/

四、定义服务器配置文件

在服务器B机器上的/etc/httpd/conf.d/ssl.conf里有三项需要改；其原来的内容是在装mod_ssl包是自动生成并创建了相关的证书文件；

	SSLCertificateFile /etc/pki/tls/certs/localhost.crt          #证书路径
	SSLCertificateKeyFile /etc/pki/tls/private/localhost.key     #key路径
	#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt #CA的路径---》本来是被注释掉的，这样在查看证书时，就看不到根CA了，
改为：
	SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt               
	SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key   
	SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem   #我们可以启动，在证书里就可以看到根CA了

五、开干

1、服务端开启http服务

[root@8df1d6a0f43f /]# systemctl start httpd

2、进入客户端测试

docker exec -it https-client /bin/bash

[root@8be2c340763a /]yum install httpd-tools -y
[root@8be2c340763a /]ab -n 20000 -c 20000 https://172.17.0.3/

结果

Server Software:        Apache/2.4.6
Server Hostname:        172.17.0.2
Server Port:            443
SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES256-GCM-SHA384,2048,256

Document Path:          /
Document Length:        4897 bytes

Concurrency Level:      20000
Time taken for tests:   76.286 seconds
Complete requests:      20000
Failed requests:        465
   (Connect: 0, Receive: 0, Length: 465, Exceptions: 0)
Write errors:           0
Non-2xx responses:      19714
Total transferred:      101957927 bytes
HTML transferred:       96221153 bytes
Requests per second:    262.17 [#/sec] (mean)
Time per request:       76285.923 [ms] (mean)
Time per request:       3.814 [ms] (mean, across all concurrent requests)
Transfer rate:          1305.20 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0 3214 5249.7   2182   73614
Processing:    69 1937 9746.4    468   65202
Waiting:        0  144  69.3    154     516
Total:       1323 5150 10616.3   2683   74170

Percentage of the requests served within a certain time (ms)
  50%   2683
  66%   2774
  75%   2833
  80%   2888
  90%   6348
  95%  12532
  98%  65085
  99%  65106
 100%  74170 (longest request)

参考自：
https://blog.miuyun.work/archives/12054253
https://blog.csdn.net/OH_ON/article/details/78301297

如有不对烦请指出，万分感谢！