Enabling HTTPS login for Cacti
Data carried over HTTP is not encrypted, that is, it travels in plaintext, so sending private information over HTTP is very insecure. To let this private data be transmitted encrypted, Netscape Communications Corporation designed the SSL (Secure Sockets Layer) protocol to encrypt the data carried by HTTP, and HTTPS was born. This article describes how to enable HTTPS login in Cacti.
1. Install the mod_ssl package
    yum install -y mod_ssl
2. Generate the server private key ca.key
    openssl genrsa -out ca.key 2048
3. Use the private key ca.key to generate the certificate request file ca.csr
    openssl req -new -key ca.key -out ca.csr
Fill in the fields as prompted:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Hunan
    Locality Name (eg, city) [Default City]:Changsha
    Organization Name (eg, company) [Default Company Ltd]:CNCONN Company
    Organizational Unit Name (eg, section) []:NetBU
    Common Name (eg, your name or your server's hostname) []:cacti
    Email Address []:netadmin@cnconn.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123456
    An optional company name []:
If you want a third-party company to sign the certificate, send the csr file to that company. Step 4 below is the self-signing setup.
4. Generate the certificate file ca.crt
    openssl x509 -req -days 700 -in ca.csr -signkey ca.key -out ca.crt
You should see a message confirming that the certificate was generated:
    Signature ok
    subject=C = CN, ST = Hunan, L = Changsha, O = CNCONN Company, OU = NetBU, CN = cacti, emailAddress = netadmin@cnconn.com
    Getting Private key
If a third-party company signs the certificate, it will send the crt file back to you after signing.
5. Copy the certificate files to the corresponding directories
    cp ca.crt /etc/pki/tls/certs
    cp ca.key /etc/pki/tls/private/ca.key
    cp ca.csr /etc/pki/tls/private/ca.csr
6. Modify the Apache SSL configuration file
    vi /etc/httpd/conf.d/ssl.conf
Find the following two lines in the configuration file:
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Change them to:
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
7. Modify the firewall configuration
    firewall-cmd --permanent --add-service=https
    firewall-cmd --permanent --remove-service=http
    firewall-cmd --reload
    firewall-cmd --permanent --list-all
8. Restart the httpd service
    systemctl restart httpd
Servers are usually placed in the DMZ of a hardware network firewall; if so, you also need to open the corresponding access on that hardware firewall.
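As an added end-to-end example (this is not code from the original post or from the Cacti project), the bash script below performs steps 2 to 6 non-interactively and checks the result before anything is installed: the CSR subject is passed with -subj instead of typing at the prompts (the DN values are the ones the post typed, used here as constructed sample values), the key is created under umask 077 so it is never world-readable, the script confirms that ca.key and ca.crt actually belong together (a mismatched pair is the usual reason httpd refuses to start after step 6), and ssl.conf is rewritten with sed rather than by hand. The privileged steps 1, 5, 7 and 8 are wrapped in a deploy function that only runs when the script is called with --deploy as root; it assumes yum, firewall-cmd, systemctl and apachectl exist on the host, and it runs "apachectl configtest" before the restart so a bad configuration does not take the site down. Every other function works in any scratch directory, so the certificate part can be dry-run on a workstation that only has openssl.

```shell
#!/bin/bash
# Added example: non-interactive version of the post's HTTPS setup.
# Everything except deploy() works in an ordinary directory; deploy()
# assumes the CentOS/RHEL paths used in the post and must run as root.
set -eu

DAYS="${DAYS:-700}"   # validity used in the post's step 4
# Subject built from the DN the post typed at the openssl req prompts.
SUBJ="/C=CN/ST=Hunan/L=Changsha/O=CNCONN Company/OU=NetBU/CN=cacti/emailAddress=netadmin@cnconn.com"

# Steps 2-4: private key, CSR and self-signed certificate, written into $1.
gen_selfsigned() {
  local dir="$1"
  mkdir -p "$dir"
  # umask 077 in a subshell: the key file is created mode 0600 from the start
  ( umask 077; openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null )
  openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" -subj "$SUBJ" 2>/dev/null
  openssl x509 -req -days "$DAYS" -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -out "$dir/ca.crt" 2>/dev/null
}

# Succeeds only if the public key inside the certificate ($2) is the one
# derived from the private key ($1), i.e. the pair httpd will be given matches.
key_matches_cert() {
  local key_pub cert_pub
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Print the Common Name of certificate $1 (should be the server name users type).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Step 6: point ssl.conf ($1) at certificate $2 and key $3, then verify the edit.
# Written portably (temp file + mv) instead of relying on GNU sed -i.
rewrite_ssl_conf() {
  local conf="$1" crt="$2" key="$3"
  sed -e "s|^SSLCertificateFile .*|SSLCertificateFile $crt|" \
      -e "s|^SSLCertificateKeyFile .*|SSLCertificateKeyFile $key|" "$conf" > "$conf.tmp"
  mv "$conf.tmp" "$conf"
  grep -q "^SSLCertificateFile $crt\$" "$conf" \
    && grep -q "^SSLCertificateKeyFile $key\$" "$conf"
}

# Steps 1, 5, 7, 8 on the real host. $1 is the directory gen_selfsigned wrote to.
deploy() {
  local src="$1"
  yum install -y mod_ssl
  # install(1) sets ownership/mode in one step; the key stays root-only (0600)
  install -m 0644 "$src/ca.crt" /etc/pki/tls/certs/ca.crt
  install -m 0600 "$src/ca.key" /etc/pki/tls/private/ca.key
  install -m 0600 "$src/ca.csr" /etc/pki/tls/private/ca.csr
  key_matches_cert /etc/pki/tls/private/ca.key /etc/pki/tls/certs/ca.crt
  rewrite_ssl_conf /etc/httpd/conf.d/ssl.conf \
    /etc/pki/tls/certs/ca.crt /etc/pki/tls/private/ca.key
  apachectl configtest          # refuse to restart on a broken config
  firewall-cmd --permanent --add-service=https
  firewall-cmd --permanent --remove-service=http
  firewall-cmd --reload
  firewall-cmd --permanent --list-all
  systemctl restart httpd
}

# Usage: ./cacti-https.sh            -> generate and check files in ./cacti-ssl
#        ./cacti-https.sh --deploy   -> additionally install them (root only)
if [ "${1:-}" = "--deploy" ]; then
  gen_selfsigned ./cacti-ssl
  deploy ./cacti-ssl
elif [ "${1:-}" = "--dry-run" ]; then
  gen_selfsigned ./cacti-ssl
  key_matches_cert ./cacti-ssl/ca.key ./cacti-ssl/ca.crt
  echo "generated certificate for CN=$(cert_cn ./cacti-ssl/ca.crt)"
fi
```

The checks are the part worth keeping even if you prefer the interactive openssl prompts from the post: run key_matches_cert and cert_cn against whatever ends up in /etc/pki/tls before step 8, and confirm the CN is the host name users will type into the browser, since a mismatch there is what produces the certificate warning on the Cacti login page.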