What do SSL, TLS, HTTP, HTTPS and SSH mean respectively?

Posted by Erik-NA on Sat, 27 Nov 2021 01:48:38 +0100

HTTP + SSL/TLS = HTTPS
  • SSL (Secure Sockets Layer)
  • TLS (Transport Layer Security)
  • HTTP (HyperText Transfer Protocol) exchanges data between computers in clear text. The default port is 80.
  • HTTPS (HyperText Transfer Protocol Secure) encrypts data with SSL/TLS and then transmits it over HTTP to ensure data security. The default port is 443.
Differences between SSL and TLS

SSL and TLS are encryption protocols used for Internet transmission.

  • SSL is an encryption protocol developed by Netscape;

    • SSL version 1.0 was never publicly released;
    • SSL version 2.0 (SSLv2) was released in 1995 and was deprecated by the IETF in 2011;
    • SSL version 3.0 (SSLv3) was released in 1996 and was deprecated by the IETF in 2015.
  • TLS is a new version based on SSL 3.0. In principle it would have been named SSL 4.0, but the IETF renamed SSL to TLS when standardizing it.
CA and digital certificate

A CA (certificate authority) is an organization that issues digital certificates. When an HTTP service is upgraded to HTTPS, a digital certificate is required to secure its communication link. Let's Encrypt is a nonprofit organization that provides such certificates free of charge.

  • Certificate application process:

    1. The server generates a key pair (private key + public key);
    2. The public key and the server information (domain name, IP, etc.) are sent to the CA;
    3. The CA verifies the identity and encrypts the received information to generate a certificate. This certificate can only be decrypted by the CA's private key, which ensures the one-to-one correspondence between the domain name and the server IP and the security of the communication link.
  • Using the certificate:

    1. The client visits the domain: https://www.example.com
      The certificate corresponding to the domain name is obtained from the CA, and the client browser encrypts the data to be transmitted with the public key in the certificate.
    2. After the server receives the data, it decrypts it with its own private key. Because a third party does not hold the private key that matches the public key, it cannot decrypt the data even if it obtains it.
  • The components of digital certificate include:

    1. Subject information (domain name, company name, address, country, etc.);
    2. Validity period;
    3. Public key;
    4. Signature of the CA.
Telnet + SSH = ssh

SSH (Secure Shell) is a protocol designed to provide security for remote login and other network services (Telnet, FTP, etc.). OpenSSH implements many tools based on the SSH protocol: ssh, scp, sftp, etc. The default SSH port is 22.

What is OpenSSH?

OpenSSH is a software package that implements the SSH protocol (see the OpenSSH official website). It includes the following tools:

1. ssh

ssh is the OpenSSH client program for remote login; it lets you run commands on a remote server.

# Remote shutdown command
$ ssh -t user@ip 'sudo shutdown -h now'

# Remotely shut down multiple servers:
$ ssh -t user@ip1 'sudo shutdown -h now';ssh -t user@ip2 'sudo shutdown -h now';

# Remote restart command
$ ssh -t user@ip1 'sudo reboot'

# Restart SSH
$ /etc/init.d/ssh restart
$ sudo service ssh restart

# SSH configuration directory
/etc/ssh

# Directory of public keys
~/.ssh

# Print debug log output while logging in
$ ssh -v root@node1

# View SSH processes
$ ps aux | grep ssh

2. ssh password-free login

Logging in to the remote server with ssh user@ip requires entering a password every time. With a key pair you can log in without a password.

# System environment: macOS
# Create an SSH key pair (ssh-keygen is a key generation and management tool)
$ ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa

# Add the public key to the remote machine (ssh-copy-id is a tool for installing the key on the remote server)
$ ssh-copy-id -i ~/.ssh/id_rsa.pub user@ip

# Log in directly without entering a password
$ ssh user@ip

3. scp

scp uses ssh to transfer files to and from a remote server, so the transfer is encrypted as well.

# Copy the local file "test.txt" to the "~/" directory of the server
$ scp ~/test.txt user@ip:~/

# Copy the local folder "test" to the "~/" directory of the server
$ scp -r ~/test user@ip:~/

# Copy the server folder "test" to the local "~/" directory
$ scp -r user@ip:~/test ~/

4. ssh-copy-id

# Install ssh-copy-id on macOS
$ brew install ssh-copy-id

# See "ssh password-free login" for details
Problems and Solutions
1. WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
$ ssh pi@192.168.1.9

# The following error occurred:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:VrUX6WSrWP7GYk+9rjNfUitciAFE1DJPPR8lilyXq4Q.
Please contact your system administrator.
Add correct host key in /Users/liuhai/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/liuhai/.ssh/known_hosts:5
ECDSA host key for 192.168.1.9 has changed and you have requested strict checking.
Host key verification failed.

# Solution on macOS:
Step 1: $ sudo nano ~/.ssh/known_hosts
Step 2: Delete the line that corresponds to the IP (fn+delete)
Step 3: Press ctrl+x, then save and exit.
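
The warning above prints the fingerprint of the key the host now presents. The Python code below is an added example, not part of the original post: it computes that same kind of SHA256 fingerprint from a known_hosts line and replaces the stale entry only when the offered key matches a fingerprint confirmed out-of-band (for example, read from the server's console). The function names, the 192.168.1.8 entry and the key blobs are constructed for illustration.

```python
import base64
import hashlib


def fingerprint(key_b64):
    """Fingerprint as OpenSSH prints it: SHA256 of the key blob, unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line):
    """Split an unhashed known_hosts line into (hosts, key type, key blob)."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith(("#", "@")):
        return None  # blank line, comment, or @cert-authority/@revoked marker
    return fields[0].split(","), fields[1], fields[2]


def is_trusted(offered_line, trusted_fp):
    """True only if the offered key hashes to the fingerprint verified out-of-band."""
    entry = parse_line(offered_line)
    return entry is not None and fingerprint(entry[2]) == trusted_fp


def replace_host_key(known_hosts, host, offered_line, trusted_fp):
    """Drop stale entries for host and add the offered key, but only if trusted."""
    if not is_trusted(offered_line, trusted_fp):
        raise ValueError(f"key offered by {host} does not match the trusted fingerprint")
    kept = []
    for line in known_hosts.splitlines():
        entry = parse_line(line)
        if entry and host in entry[0]:
            continue  # stale key for this host
        kept.append(line)
    return "\n".join(kept + [offered_line]) + "\n"


# Constructed sample data: these blobs are placeholders, not real host keys.
OLD_KEY = base64.b64encode(b"constructed old host key").decode()
NEW_KEY = base64.b64encode(b"constructed new host key").decode()
OTHER_KEY = base64.b64encode(b"constructed key of another host").decode()
KNOWN_HOSTS = (
    f"192.168.1.8 ecdsa-sha2-nistp256 {OTHER_KEY}\n"
    f"192.168.1.9 ecdsa-sha2-nistp256 {OLD_KEY}\n"
)
OFFERED = f"192.168.1.9 ecdsa-sha2-nistp256 {NEW_KEY}"

if __name__ == "__main__":
    trusted = fingerprint(NEW_KEY)  # stands in for the value read from the server console
    print(replace_host_key(KNOWN_HOSTS, "192.168.1.9", OFFERED, trusted), end="")
```

Entries stored with hashed host names (lines starting with |1|) are left untouched by this code, since the host cannot be matched as plain text.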