This guide explains how to make your Apache HTTPD server use encryption to transfer data between the server and its visitors. Instead of using http: links, you will use https: ones; if everything is configured correctly, everyone who visits your site will have more privacy and protection.
This guide is intended for those who are not very familiar with SSL/TLS and encryption, along with all the incomprehensible technical jargon (we are joking: this subject is quite important, with serious experts in the field and real problems to solve, but yes, it sounds like incomprehensible technical jargon to anyone who has not dealt with it before). People who have heard that their http: server is not all that secure nowadays. That spies and bad guys are listening. That even legitimate companies are inserting data into their web pages and selling visitor profiles.
In this guide we focus on helping you migrate your httpd server so that it stops serving http: links and serves https: ones instead, without you becoming an SSL expert first. You might get fascinated by all these crypto things, study them more and become a real expert. But you also might not, run a reasonably secure web server nevertheless and do other things good for mankind with your time.
You will get a rough idea what roles these mysterious things called "certificate" and "private key" play and how they are used to let your visitors be sure they are talking to your server. You will not be told how this works, just how it is used: it's basically about passports.
The TLS protocol (formerly known as SSL) is a way a client and a server can talk to each other without anyone else listening in or, more precisely, understanding a thing. It is what your browser uses when you open an https: link.
In addition to having a private conversation with a server, your browser also needs to know that it really talks to the server - and not someone else acting like it. That, next to the encryption, is the other part of the TLS protocol.
In order to do that, your server does not only need the software for TLS, e.g. the mod_ssl module, but also some sort of identity proof on the Internet. This is commonly referred to as a certificate. Basically, everyone has the same mod_ssl and can encrypt, but only you have your certificate and with that, you are you.
A certificate is the digital equivalent of a passport. It contains two things: a stamp of approval from the people issuing the passport and a reference to your digital fingerprints, i.e. what is called a private key in encryption terms.
When you configure your Apache httpd for https: links, you need to give it the certificate and the private key. If you never give the key to anyone else, only you will be able to prove to visitors that the certificate belongs to you. That way, a browser talking to your server a second time will be sure that it is indeed the very same server it talked to before.
But how does it know that it is the real server the first time it starts talking to it? Here, the digital rubber stamping comes into play. The rubber stamp is done by someone else, using her own private key. That person also has a certificate, i.e. her own passport. The browser can make sure that this passport is based on the same key that was used to rubber stamp your server passport. Now, instead of making sure that your passport is correct, it must make sure that the passport of the person who says your passport is correct, is correct.
And that passport is also rubber stamped digitally, by someone else with a key and a certificate. So the browser only needs to make sure that that one is correct that says it is correct to trust the one that says your server is correct. This trusting game can go to a few or many levels (usually less than 5).
In the end, the browser will encounter a passport that is stamped by its own key. It's a Gloria Gaynor certificate that says "I am what I am!". The browser then either trusts this Gloria or not. If not, your server is also not trusted. Otherwise, it is. Simple.
The trust check for the Gloria Gaynors of the Internet is easy: your browser (or your operating system) comes with a list of Gloria passports to trust, pre-installed. If it sees a Gloria certificate, it is either in this list or not to be trusted.
This whole thing works as long as everyone keeps his private keys to himself. Anyone copying such a key can impersonate the key owner. And if the owner can rubber stamp passports, the impersonator can also do that. And all the passports stamped by an impersonator, all those certificates will look 100% valid, indistinguishable from the "real" ones.
So, this trust model works, but it has its limits. That is why browser makers are so keen on having the correct Gloria Gaynor lists and threaten to expel anyone from it that is careless with her keys.
Well, you can buy one. There are many companies selling Internet passports as a service. In this list from Mozilla you can find all the companies that the Firefox browser trusts. Choose one, visit its website and it will tell you the various prices, and how to prove your identity and that you are who you say you are, so that they can generate your passport with confidence.
They all have their own methods, also depending on what kind of passport you apply for, and it's probably some sort of click web interface in a browser. They may send you an email that you need to answer or do something else. In the end, they will show you how to generate your own, unique private key and issue you a stamped passport matching it.
You then place the key in one file, the certificate in another. Put these on your server, make sure that only a trusted user can read the key file and add it to your httpd configuration. This is extensively covered in the SSL How-To.
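As an added illustration of that last step (not taken from the SSL How-To), this is a minimal https: virtual host that points httpd at the two files; the host name and paths are assumptions:

```apache
# Added example: a minimal https: virtual host using a purchased certificate.
# Host name and file paths are assumptions; adjust them to your server.
Listen 443
LoadModule ssl_module modules/mod_ssl.so

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # The stamped passport: your certificate, plus the issuer's intermediate
    # certificates if the CA delivered them in the same file.
    SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
    # Your private key: never handed to anyone else. Keep it owned by root
    # with mode 0600; httpd reads it as root at startup, before it drops
    # privileges to its unprivileged worker user.
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key
</VirtualHost>
```

If the key and certificate do not belong together, httpd refuses to start and logs the mismatch, so a failed start after installing new files is the first thing to check.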
There are also companies that offer free certificates for web servers. The pioneer in this is Let's Encrypt, a service of the non-profit Internet Security Research Group (ISRG), created to "reduce financial, technological, and educational barriers to secure communication over the Internet."
Not only do they offer free certificates, they have also developed an interface that your Apache httpd can use to obtain one. This is where mod_md comes into play.
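To show what "mod_md comes into play" looks like in a configuration, here is an added example (not part of the original page) in which mod_md, rather than you, obtains and installs the Let's Encrypt certificate; the host name and contact address are assumptions:

```apache
# Added example: let mod_md fetch a Let's Encrypt certificate for the host.
# Host name and e-mail address are assumptions.
LoadModule watchdog_module modules/mod_watchdog.so   # mod_md needs it for renewals
LoadModule md_module       modules/mod_md.so
LoadModule ssl_module      modules/mod_ssl.so

# The domain(s) one certificate should cover. Port 80 must also be reachable
# from the Internet so the CA can verify that you control the name.
MDomain www.example.com

# Accept the CA's terms of service and give it a contact address for notices.
MDCertificateAgreement accepted
MDContactEmail admin@example.com

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # No SSLCertificateFile / SSLCertificateKeyFile here: mod_md generates the
    # private key on this server (it never leaves it) and supplies the
    # certificate once the CA has issued it.
</VirtualHost>
```

On the very first start httpd serves a temporary self-signed certificate while mod_md talks to the CA; once the real certificate has arrived, a reload of httpd puts it into use.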
(zoom out the camera on how to configure mod_md and virtual host...)