Configuring HTTP
About HTTP
The device provides a built-in Web server that supports HTTP 1.0, HTTP 1.1, and HTTPS.
The Hypertext Transfer Protocol (HTTP) is used to transfer web page information on the Internet. It is an application layer protocol that uses TCP in the TCP/IP protocol stack.
The Hypertext Transfer Protocol Secure (HTTPS) is based on HTTP and is more secure than HTTP. It uses SSL to ensure the integrity and security of data exchanged between the client and the server. You can define a certificate-based access control policy to allow only legitimate clients to use the HTTPS service.
Restrictions and guidelines: HTTP configuration
To improve device security, the system automatically enables the HTTPS service when you enable the HTTP service. When the HTTP service is enabled, you cannot disable the HTTPS service.
Configuring HTTP service
1. Enter system view.
system-view
2. Enable the HTTP service.
ip http enable
By default, the HTTP service is disabled.
3. (Optional.) Specify the HTTP service port number.
ip http port port-number
The default HTTP service port number is 80.
4. (Optional.) Apply an ACL to the HTTP service.
ip http acl { acl-number | name acl-name }
By default, no ACL is applied to the HTTP service.
Configuring HTTPS service
About this task
The device supports the following HTTPS service modes:
· Simplified mode—The device uses a self-signed certificate (a certificate that is generated and signed by the device itself) and the default SSL settings. You do not need to configure an SSL server policy for the HTTPS service. The device operates in simplified mode after you enable the HTTPS service on the device.
· Secure mode—The device uses a certificate signed by a CA and a set of user-defined security protection settings to ensure security. For the device to operate in secure mode, you must perform the following tasks:
¡ Enable HTTPS service on the device.
¡ Specify an SSL server policy for the service.
¡ Configure PKI domain-related parameters.
The simplified mode is easy to configure but it is insecure. In this mode, browsers do not trust the self-signed certificate, so a security risk alert appears in the browser when you access the device by using HTTPS. If you do not have high security requirements and can accept the security risks caused by the use of self-signed certificates, you can ignore this alert and continue to browse the webpage.
The secure mode is secure but it is complicated to configure. To enhance the security for HTTPS service, perform the following tasks:
1. Obtain a CA certificate.
2. Request a local certificate from the CA.
3. Specify an SSL server policy, and associate this policy with the HTTPS service.
IMPORTANT: To use secure mode for HTTPS login, first purchase a local certificate for SSL from an official third-party CA organization. H3C does not provide the device with a CA certificate issued by an authoritative organization.
For more information about SSL, self-signed certificates, local certificates, and PKI, see Security Configuration Guide.
Restrictions and guidelines
· To associate a different SSL server policy with the HTTPS service, you must perform the following tasks:
¡ Disable the HTTP service and HTTPS service before you associate the new SSL server policy.
¡ Enable the HTTP service and HTTPS service again after the association.
If you fail to complete the required tasks, the new SSL server policy does not take effect.
· For the HTTP service to use its self-signed certificate after you associate an SSL server policy with the HTTPS service, you must follow these steps:
a. Disable the HTTP service and HTTPS service.
b. Execute the undo ip https ssl-server-policy command to remove the existing SSL server policy association.
c. Enable the HTTP service and HTTPS service again.
· Enabling the HTTPS service triggers the SSL handshake negotiation process.
¡ If the device has a local certificate, the SSL handshake negotiation succeeds and the HTTPS service starts up.
¡ If the device does not have a local certificate, the certificate application process starts. Because the certificate application process takes a long time, the SSL handshake negotiation might fail and the HTTPS service might not be started. To solve the problem, execute the ip https enable command again until the HTTPS service is enabled.
· To use a certificate-based access control policy to control HTTPS access, you must perform the following tasks:
¡ Configure the client-verify enable command in the SSL server policy that is associated with the HTTPS service.
¡ Configure a minimum of one permit rule in the certificate-based access control policy.
If you fail to complete the required tasks, HTTPS clients cannot log in.
Procedure
1. Enter system view.
system-view
2. (Optional.) Apply policies to the HTTPS service.
¡ Apply an SSL server policy.
ip https ssl-server-policy policy-name
By default, no SSL server policy is associated. The HTTP service uses a self-signed certificate.
¡ Apply a certificate-based access control policy to control HTTPS access.
ip https certificate access-control-policy policy-name
By default, no certificate-based access control policy is applied.
For more information about certificate-based access control policies, see PKI in Security Configuration Guide.
3. Enable the HTTPS service.
ip https enable
By default, HTTPS is disabled.
4. (Optional.) Specify the HTTPS service port number.
ip https port port-number
The default HTTPS service port number is 443.
5. (Optional.) Apply an ACL to the HTTPS service.
ip https acl { acl-number | name acl-name }
By default, no ACL is applied to the HTTPS service.
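The following is an added example, not H3C code: a small Python audit that reads configuration text and flags the conditions described in this chapter (HTTP enabled, HTTPS left in simplified mode, no ACL applied, and a certificate-based access control policy applied without an SSL server policy). It assumes the saved configuration stores the commands exactly as written on this page; the sample configuration, function names, and finding codes are constructed for illustration.

```python
import re

# Constructed sample (not real device output). Assumption: the saved
# configuration stores the commands from this page verbatim, one per line.
SAMPLE_CONFIG = """\
ip http enable
ip http port 8080
ip https enable
ip https acl 2000
"""

_CMD = re.compile(r"^ip (https?) (enable|port|acl|ssl-server-policy|"
                  r"certificate access-control-policy)\b\s*(.*)$")

def parse_web_settings(config_text):
    """Return {'http': {...}, 'https': {...}} built from ip http/https lines."""
    settings = {"http": {}, "https": {}}
    for raw in config_text.splitlines():
        match = _CMD.match(raw.strip())  # 'undo ...' lines never match
        if match:
            service, key, value = match.groups()
            settings[service][key] = value.strip() or True
    return settings

def audit_web_settings(config_text):
    """Return finding codes for the conditions this page describes."""
    cfg = parse_web_settings(config_text)
    http, https = cfg["http"], cfg["https"]
    http_on = "enable" in http
    # Enabling HTTP automatically enables HTTPS (see the restrictions above).
    https_on = http_on or "enable" in https
    findings = []
    if http_on:
        findings.append("HTTP_ENABLED")           # HTTPS is the more secure service
        if "acl" not in http:
            findings.append("HTTP_NO_ACL")        # no ACL filtering on HTTP
    if https_on:
        if "ssl-server-policy" not in https:
            findings.append("HTTPS_SELF_SIGNED")  # simplified mode
            if "certificate access-control-policy" in https:
                # client-verify enable is set in the associated SSL server policy
                findings.append("CERT_ACP_WITHOUT_SSL_POLICY")
        if "acl" not in https:
            findings.append("HTTPS_NO_ACL")       # no ACL filtering on HTTPS
    return findings

if __name__ == "__main__":
    for code in audit_web_settings(SAMPLE_CONFIG):
        print(code)
```

An empty result means none of these conditions were found in the text supplied; it does not confirm that client-verify enable or a permit rule is configured inside the referenced policies.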
Verifying and maintaining HTTP
Perform display tasks in any view.
· Display HTTP service configuration and status information.
display ip http
· Display HTTPS service configuration and status information.
display ip https