07-Layer 3—IP Services Configuration Guide

H3C MSR1000[2600][3600] Routers Configuration Guides(V9)-R9119-6W100
05-HTTP configuration

Configuring HTTP

About HTTP

The device provides a built-in Web server that supports HTTP 1.0, HTTP 1.1, and HTTPS.

The Hypertext Transfer Protocol (HTTP) is used to transfer web page information on the Internet. It is an application layer protocol that uses TCP in the TCP/IP protocol stack.

The Hypertext Transfer Protocol Secure (HTTPS) is based on HTTP and is more secure than HTTP. It uses SSL to ensure the integrity and security of data exchanged between the client and the server. You can define a certificate-based access control policy to allow only legitimate clients to use the HTTPS service.

Restrictions and guidelines: HTTP configuration

To improve device security, the system automatically enables the HTTPS service when you enable the HTTP service. When the HTTP service is enabled, you cannot disable the HTTPS service.

Configuring HTTP service

1.     Enter system view.

system-view

2.     Enable the HTTP service.

ip http enable

By default, the HTTP service is disabled.

3.     (Optional.) Specify the HTTP service port number.

ip http port port-number

The default HTTP service port number is 80.

4.     (Optional.) Apply an ACL to the HTTP service.

ip http acl { acl-number | name acl-name }

By default, no ACL is applied to the HTTP service.

Configuring HTTPS service

About this task

The device supports the following HTTPS service modes:

·     Simplified mode—The device operates in simplified mode after you enable HTTPS service on the device. The device uses a self-signed certificate (a certificate that is generated and signed by the device itself) and the default SSL settings. No SSL server policy is associated with the HTTPS service. However, the browser does not trust the self-signed certificate because the certificate is not issued by a trusted CA. When you use HTTPS to access the device, the browser displays a security risk message. If you accept the security risks, you can ignore the message and continue the access.

·     Secure mode—The device uses a local certificate signed by a CA and a set of user-defined security protection settings to ensure security. For the device to operate in secure mode, you must perform the following tasks:

○     Configure PKI domain-related parameters.

○     Obtain the CA certificate and request a local certificate from the CA.

○     Configure an SSL server policy and associate the policy with the HTTPS service.

○     Enable HTTPS service on the device.

IMPORTANT:

To use the secure mode, you must first purchase a local certificate for SSL purposes from an official third-party CA. H3C does not provide CA certificates signed by authorities for the device.

The simplified mode is easy to configure but it is insecure. The secure mode is secure but it is complicated to configure.

For more information about SSL, self-signed certificate, local certificate, and PKI, see Security Configuration Guide.

Restrictions and guidelines

·     If the HTTPS service and the SSL VPN service use the same port number, they must use the same SSL server policy. If they use different SSL server policies, only one of them can be enabled.

To modify the SSL server policy used by both the HTTPS service and the SSL VPN service, you must perform the following tasks:

○     Disable the two services before you modify the SSL server policy.

○     Enable the two services again after the modification.

If you fail to complete the required tasks, the new settings do not take effect.

·     To associate a different SSL server policy with the HTTPS service, you must perform the following tasks:

○     Disable the HTTP service and HTTPS service before you associate the new SSL server policy.

○     Enable the HTTP service and HTTPS service again after the association.

If you fail to complete the required tasks, the new SSL server policy does not take effect.

·     For the HTTP service to use its self-signed certificate after you associate an SSL server policy with the HTTPS service, you must follow these steps:

a.     Disable the HTTP service and HTTPS service.

b.     Execute the undo ip https ssl-server-policy command to remove the existing SSL server policy association.

c.     Enable the HTTP service and HTTPS service again.

·     Enabling the HTTPS service triggers the SSL handshake negotiation process.

○     If the device has a local certificate, the SSL handshake negotiation succeeds and the HTTPS service starts up.

○     If the device does not have a local certificate, the certificate application process starts. Because the certificate application process takes a long time, the SSL handshake negotiation might fail and the HTTPS service might not be started. To solve the problem, execute the ip https enable command repeatedly until the HTTPS service is enabled.

·     To use a certificate-based access control policy to control HTTPS access, you must perform the following tasks:

○     Configure the client-verify enable command in the SSL server policy that is associated with the HTTPS service.

○     Configure a minimum of one permit rule in the certificate-based access control policy.

If you fail to complete the required tasks, HTTPS clients cannot log in.

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Apply policies to the HTTPS service.

○     Apply an SSL server policy.

ip https ssl-server-policy policy-name

By default, no SSL server policy is associated. The HTTP service uses a self-signed certificate.

○     Apply a certificate-based access control policy to control HTTPS access.

ip https certificate access-control-policy policy-name

By default, no certificate-based access control policy is applied.

For more information about certificate-based access control policies, see PKI in Security Configuration Guide.

3.     Enable the HTTPS service.

ip https enable

By default, HTTPS is disabled.

4.     (Optional.) Specify the HTTPS service port number.

ip https port port-number

The default HTTPS service port number is 443.

5.     (Optional.) Apply an ACL to the HTTPS service.

ip https acl { acl-number | name acl-name }

By default, no ACL is applied to the HTTPS service.
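
The following Python sketch is an added example, not H3C code. It audits saved configuration text against the rules in this section: HTTP left enabled, a service without an ACL, HTTPS running in simplified mode, and a certificate-based access control policy whose SSL server policy lacks client-verify enable. The sample configuration, the ssl server-policy section header, the # separators, and the finding names are assumptions made for illustration.

```python
# Constructed sample configuration, not captured from a device. The "ssl server-policy"
# header and "#" separators are assumed layout; ip http/https commands are from this guide.
SAMPLE_CONFIG = """\
ssl server-policy web-pol
 pki-domain dom1
#
 ip http enable
 ip https ssl-server-policy web-pol
 ip https certificate access-control-policy web-acp
 ip https acl 2000
"""

def _arg(lines, prefix):
    """Argument of the first line starting with 'prefix ', else None."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix):].strip()

def _policy_body(lines, name):
    """Commands inside 'ssl server-policy <name>' up to the next '#'."""
    body, inside = [], False
    for line in lines:
        if line == f"ssl server-policy {name}":
            inside = True
        elif line == "#":
            inside = False
        elif inside:
            body.append(line)
    return body

def audit_web_service(config):
    """Return finding names (hypothetical labels) for this guide's rules."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    http_on = "ip http enable" in lines
    # Enabling HTTP automatically enables HTTPS, per the guide.
    https_on = http_on or "ip https enable" in lines
    policy = _arg(lines, "ip https ssl-server-policy")
    verify = policy and "client-verify enable" in _policy_body(lines, policy)
    findings = []
    if http_on:
        findings.append("HTTP_ENABLED")
    if http_on and _arg(lines, "ip http acl") is None:
        findings.append("HTTP_NO_ACL")
    if https_on and _arg(lines, "ip https acl") is None:
        findings.append("HTTPS_NO_ACL")
    if https_on and policy is None:
        findings.append("HTTPS_SIMPLIFIED_MODE")
    if _arg(lines, "ip https certificate access-control-policy") and not verify:
        findings.append("ACP_WITHOUT_CLIENT_VERIFY")
    return findings
```

For the constructed sample, the audit reports HTTP enabled without an ACL and a certificate-based access control policy that would lock out HTTPS clients because client-verify enable is missing.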

Verifying and maintaining HTTP

Perform display tasks in any view.

·     Display HTTP service configuration and status information.

display ip http

·     Display HTTPS service configuration and status information.

display ip https

 
