05-HTTP Configuration
Table of Contents
Logging In to the Device Through HTTP
Configuring the Port Number of the HTTP Service
Associating the HTTP Service with an ACL
Displaying and Maintaining HTTP
Associating the HTTPS Service with an SSL Server Policy
Associating the HTTPS Service with a Certificate Attribute Access Control Policy
Configuring the Port Number of the HTTPS Service
Associating the HTTPS Service with an ACL
Displaying and Maintaining HTTPS
When configuring HTTP, go to these sections for information you are interested in:
• Associating the HTTP Service with an ACL
• Displaying and Maintaining HTTP
The Hypertext Transfer Protocol (HTTP) is used for transferring web page information across the Internet. It is an application-level protocol in the TCP/IP protocol suite and runs over the connection-oriented Transmission Control Protocol (TCP) at the transport layer.
Currently, HTTP/1.0 is supported on the device.
HTTP uses the client/server model. The client and the server exchange messages in the following order:
1) A TCP connection is created between the client and the server. Typically, the port number is 80.
2) The client sends a request to the server.
3) The server processes the request and sends back a response.
4) The TCP connection is closed.
With the HTTP service enabled, you can log in to the device over HTTP and access and control it through Web-based network management.
To strengthen the security management of the device, you can use the following methods:
• Enable the HTTP service only when necessary.
• Change the port number of the HTTP service to one that is not commonly used (that is, other than 80 or 8080), which reduces attacks on the HTTP service from unauthorized users.
• Associate the HTTP service with an ACL so that only clients permitted by the ACL can pass.
RFC 1945: Hypertext Transfer Protocol – HTTP/1.0
The device can act as the HTTP server and the users can access and control the device through the Web function only after the HTTP service is enabled.
Follow these steps to enable the HTTP service:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable the HTTP service | ip http enable | Required. Enabled by default.
Changing the port number of the HTTP service can reduce attacks on the HTTP service from unauthorized users.
Follow these steps to configure the port number of the HTTP service:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure the port number of the HTTP service | ip http port port-number | Required. By default, the port number of the HTTP service is 80.
If you execute the ip http port command multiple times, the last configured port number takes effect.
By associating the HTTP service with an ACL, only the clients that pass ACL filtering are allowed to access the device.
Follow these steps to associate the HTTP service with an ACL:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Associate the HTTP service with an ACL | ip http acl acl-number | Required. The HTTP service is not associated with an ACL by default.
• If you execute the ip http acl command multiple times to associate the HTTP service with ACLs, the HTTP service is associated only with the last specified ACL.
• For a detailed introduction to ACLs, refer to ACL Configuration in the Security Volume.
To do… | Use the command… | Remarks
Display information about HTTP | display ip http | Available in any view
When configuring HTTPS, go to these sections for information you are interested in:
• HTTPS Configuration Task List
• Associating the HTTPS Service with an SSL Server Policy
• Associating the HTTPS Service with a Certificate Attribute Access Control Policy
• Configuring the Port Number of the HTTPS Service
• Associating the HTTPS Service with an ACL
• Displaying and Maintaining HTTPS
Secure HTTP (HTTPS) is HTTP carried over the Secure Sockets Layer (SSL) protocol.
The SSL layer of HTTPS enhances the security of the device in the following ways:
• Uses SSL to ensure that legitimate clients can access the device securely and to block illegitimate clients;
• Encrypts the data exchanged between the HTTPS client and the device to ensure data confidentiality and integrity, thus enabling secure management of the device;
• Defines a certificate attribute-based access control policy for the device that controls the access rights of clients, further reducing attacks from illegitimate clients.
• The total number of HTTP connections and HTTPS connections on a device cannot exceed ten.
• For SSL details, refer to SSL Configuration in the Security Volume.
Complete these tasks to configure HTTPS:
Configuration task | Remarks
Associating the HTTPS Service with an SSL Server Policy | Required
Enabling the HTTPS Service | Required
Associating the HTTPS Service with a Certificate Attribute Access Control Policy | Optional
Configuring the Port Number of the HTTPS Service | Optional
Associating the HTTPS Service with an ACL | Optional
You need to associate the HTTPS service with a created SSL server policy before enabling the HTTPS service.
Follow these steps to associate the HTTPS service with an SSL server policy:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Associate the HTTPS service with an SSL server policy | ip https ssl-server-policy policy-name | Required. Not associated by default.
• If the ip https ssl-server-policy command is executed repeatedly, the HTTPS service is associated only with the last specified SSL server policy.
• When the HTTPS service is disabled, its association with the SSL server policy is automatically removed. To enable the service again, you need to re-associate the HTTPS service with an SSL server policy.
• While the HTTPS service is enabled, modifications to its associated SSL server policy do not take effect.
The device can act as the HTTPS server and users can access and control the device through the Web function only when the HTTPS service is enabled.
Follow these steps to enable the HTTPS service:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable the HTTPS service | ip https enable | Required. Disabled by default.
• After the HTTPS service is enabled, you can use the display ip https command to view the state of the HTTPS service and verify the configuration.
• Enabling the HTTPS service triggers an SSL handshake negotiation. If the local certificate of the device already exists, the SSL negotiation succeeds and the HTTPS service starts normally. If no local certificate exists, the SSL negotiation triggers a certificate application process; because that process takes a long time, the SSL negotiation may fail and the HTTPS service may not start. In that case, the ip https enable command may need to be executed multiple times to ensure that the HTTPS service starts normally.
Associating the HTTPS service with a configured certificate access control policy helps control the access right of the client, thus providing the device with enhanced security.
Follow these steps to associate the HTTPS service with a certificate attribute access control policy:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Associate the HTTPS service with a certificate attribute access control policy | ip https certificate access-control-policy policy-name | Required. Not associated by default.
• If the ip https certificate access-control-policy command is executed repeatedly, the HTTPS server is associated only with the last specified certificate attribute access control policy.
• If the HTTPS service is associated with a certificate attribute access control policy, the client-verify enable command must be configured in the SSL server policy. Otherwise, clients cannot log in to the device.
• If the HTTPS service is associated with a certificate attribute access control policy, the policy must contain at least one permit rule. Otherwise, no HTTPS client can log in to the device.
• For the configuration of an SSL server policy, refer to PKI Configuration in the Security Volume.
Changing the port number of the HTTPS service can reduce attacks on the HTTPS service from unauthorized users.
Follow these steps to configure the port number of the HTTPS service:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure the port number of the HTTPS service | ip https port port-number | Optional. By default, the port number of the HTTPS service is 443.
If you execute the ip https port command multiple times, the last configured port number takes effect.
Associating the HTTPS service with an ACL filters client requests so that only clients permitted by the ACL can access the device.
Follow these steps to associate the HTTPS service with an ACL:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Associate the HTTPS service with an ACL | ip https acl acl-number | Required. Not associated by default.
• If you execute the ip https acl command multiple times to associate the HTTPS service with ACLs, the HTTPS service is associated only with the last specified ACL.
• For a detailed introduction to ACLs, refer to ACL Configuration in the Security Volume.
To do… | Use the command… | Remarks
Display information about HTTPS | display ip https | Available in any view
• Host acts as the HTTPS client and Device acts as the HTTPS server.
• Host accesses Device through the Web to control Device.
• The CA (Certificate Authority) issues a certificate to Device. The common name of the CA is new-ca.
In this configuration example, Windows Server serves as the CA, and the Simple Certificate Enrollment Protocol (SCEP) component must be installed on it.
Figure 2-1 Network diagram for HTTPS configuration
Perform the following configurations on Device:
1) Apply for a certificate for Device
# Configure a PKI entity.
<Device> system-view
[Device] pki entity en
[Device-pki-entity-en] common-name http-server1
[Device-pki-entity-en] fqdn ssl.security.com
[Device-pki-entity-en] quit
# Configure a PKI domain.
[Device] pki domain 1
[Device-pki-domain-1] ca identifier new-ca
[Device-pki-domain-1] certificate request url http://10.1.2.2:8080/certsrv/mscep/mscep.dll
[Device-pki-domain-1] certificate request from ra
[Device-pki-domain-1] certificate request entity en
[Device-pki-domain-1] quit
# Generate a local RSA key pair.
[Device] public-key local create rsa
# Obtain a server certificate from CA.
[Device] pki retrieval-certificate ca domain 1
# Apply for a local certificate.
[Device] pki request-certificate domain 1
2) Configure an SSL server policy associated with the HTTPS service
# Configure an SSL server policy.
[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain 1
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
3) Configure a certificate access control policy
# Configure a certificate attribute group.
[Device] pki certificate attribute-group mygroup1
[Device-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[Device-pki-cert-attribute-group-mygroup1] quit
# Configure certificate access control policy myacp and create a control rule.
[Device] pki certificate access-control-policy myacp
[Device-pki-cert-acp-myacp] rule 1 permit mygroup1
[Device-pki-cert-acp-myacp] quit
4) Reference an SSL server policy
# Associate the HTTPS service with the SSL server policy myssl.
[Device] ip https ssl-server-policy myssl
5) Associate the HTTPS service with a certificate attribute access control policy
# Associate the HTTPS service with certificate attribute access control policy myacp.
[Device] ip https certificate access-control-policy myacp
6) Enable the HTTPS service
# Enable the HTTPS service.
[Device] ip https enable
7) Verify the configuration
Launch Internet Explorer on Host and enter https://10.1.1.1. You can log in to Device and control it.
• The URL of the HTTPS server starts with https://, and that of the HTTP server starts with http://.
• For details of PKI commands, refer to PKI Commands in the Security Volume.
• For details of the public-key local create rsa command, refer to Public Key Commands in the Security Volume.
• For details of SSL commands, refer to SSL Commands in the Security Volume.
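The certificate attribute access control policy described earlier and configured in step 3 of the example above (attribute group mygroup1, policy myacp with "rule 1 permit mygroup1") can be modelled to see why the notes insist on client-verify and on at least one permit rule. The following Python is an added example, not the device's own code: the issuer-name/dn/ctn attribute form and the names mygroup1, myacp and new-ca come from the page, while the nctn/equ/nequ operators, the subject-name attribute and the deny-when-no-rule-matches default are assumptions.

```python
# Added example (not the device's code): a model of certificate attribute
# access control policy evaluation. "issuer-name dn ctn" and the names
# mygroup1/myacp/new-ca are from the page; the rest are assumptions.
from dataclasses import dataclass, field


@dataclass
class Attribute:
    name: str   # "issuer-name" is on the page; "subject-name" is an assumed name
    op: str     # "ctn" is on the page; "nctn", "equ", "nequ" are assumed operators
    value: str

    def matches(self, cert: dict) -> bool:
        actual = cert.get(self.name, "")
        if self.op == "ctn":
            return self.value in actual
        if self.op == "nctn":
            return self.value not in actual
        if self.op == "equ":
            return self.value == actual
        if self.op == "nequ":
            return self.value != actual
        raise ValueError("unknown operator: " + self.op)


@dataclass
class AccessControlPolicy:
    groups: dict                               # group name -> list of Attribute
    rules: list = field(default_factory=list)  # (rule id, "permit"/"deny", group)

    def group_matches(self, group: str, cert: dict) -> bool:
        # A certificate matches a group only if every attribute in it matches.
        return all(a.matches(cert) for a in self.groups[group])

    def permits(self, cert: dict) -> bool:
        # Rules are tried in ascending id order; the first matching rule decides.
        for _, action, group in sorted(self.rules):
            if self.group_matches(group, cert):
                return action == "permit"
        return False  # assumption: a certificate matching no rule is denied


# Policy from the configuration example: "attribute 1 issuer-name dn ctn new-ca"
# in mygroup1, and "rule 1 permit mygroup1" in myacp.
MYACP = AccessControlPolicy({"mygroup1": [Attribute("issuer-name", "ctn", "new-ca")]},
                            [(1, "permit", "mygroup1")])
# Same group, deny rule only: no client can log in (the page's permit-rule note).
DENY_ONLY = AccessControlPolicy(MYACP.groups, [(1, "deny", "mygroup1")])
# Constructed sample client certificates, reduced to their DN strings.
CERT_FROM_NEW_CA = {"issuer-name": "CN=new-ca,O=lab", "subject-name": "CN=host1"}
CERT_FROM_OTHER_CA = {"issuer-name": "CN=rogue-ca,O=lab", "subject-name": "CN=host1"}
```

The policy can only be consulted if the SSL server policy has client-verify enable set, because without a verified client certificate there is no issuer DN to match against.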