Enabling Secure HTTP (HTTPS) Access to a Router
Problem
You want to configure and monitor your router using an encrypted browser interface.
Solution
To enable secure HTTP (HTTPS) access to a router, use the ip http secure-server command:
Core#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Core(config)#ip http secure-server
Core(config)#end
Core#
Cisco introduced the secure HTTP access feature in IOS Version 12.2(14)S.
Discussion
The Secure HTTP feature provides you with a secure and encrypted method to access the router via a web browser using Secure Sockets Layer and Transport Layer Security. This prevents HTTP sessions from being intercepted or attacked.
By default, the router creates a self-signed digital certificate that is required for secure access. The router adds the digital certificate to its configuration:
Router2#show running-config | section crypto
crypto pki trustpoint TP-self-signed-2618906780
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2618906780
revocation-check none
rsakeypair TP-self-signed-2618906780
crypto pki certificate chain TP-self-signed-2618906780
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32363138 39303637 3830301E 170D3036 30313235 31373031
32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36313839
30363738 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E12C BF2F0F2D 3FA6AAEC 6538D47B FF4A4129 2BE28AFE F1880962 659D06DC
82992F38 4DDBC544 A071D74F AF503DC7 14C0EF28 7D03D6BA 4AD3D122 184034FF
FBDE5616 0246528A 83B8E0BA 70C2FC46 605DA522 BC85B1F3 AD47E133 6C2CE562
669048DB 7378B44A 5999D087 CDA95F74 9E073880 975FEA58 8B0B75EA AA62F996
CDEB0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13526F75 74657232 2E696A62 726F776E 2E636F6D 301F0603
551D2304 18301680 1475B543 CAC80FB1 63018DD7 4A81D46A 03DF023B 35301D06
03551D0E 04160414 75B543CA C80FB163 018DD74A 81D46A03 DF023B35 300D0609
2A864886 F70D0101 04050003 81810070 5D025E22 B4120D0A BD1D2E33 904B198F
D9E57BB0 55C90C11 8882A727 9DC42D5F 86619446 1AF7BA53 5DDEDCB5 3B32B70D
0AFCBCE0 77EC5A50 B0428E89 656C641B F2A6A0E9 CEA331EE 9404F527 40BD66FB
D30791B9 92BAB053 465FB50C 8C7D8B74 9926ED58 5881A515 7199D397 B69D385F
329EC47B 9850E063 B4AC318D 76DC9D
quit
Router2#
If this command doesn't show any self-signed certificates, you can generate them using the command crypto key generate rsa. We discuss this command in more detail in Recipe 3.20.
It is a good idea to explicitly disable the HTTP server so that only encrypted HTTP sessions are permitted once secure HTTP is enabled. To do so, use the no ip http server command:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip http secure-server
Router2(config)#no ip http server
Router2(config)#end
Router2#
By default, the secure HTTP server uses port 443. To change the secure server port, use the following command:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip http secure-port 8080
Router2(config)#end
Router2#
In this example, we changed the secure HTTP port from 443, the default, to port 8080. You can set the secure port to almost any unused port number; however, the HTTP and secure HTTP servers cannot be configured to use the same port.
To view the secure HTTP configuration status, use the show ip http server secure status command:
Router2#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 8080
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
Router2#
As you can see from the output of the show command, the secure server is enabled and is configured to use port 8080. Also, notice that client authentication is currently disabled. Secure HTTP client authentication is enabled by using the same method as the HTTP server. See Recipe 2.8 for more information on enabling HTTP authentication.
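The following added example (not from the book or from Cisco) audits a running-config fragment and a show ip http server secure status output against the settings this recipe recommends: HTTPS enabled, plaintext HTTP disabled, the configured port matching the reported one, and client authentication turned on. The sample inputs are constructed, and the set of cipher suites treated as weak is an assumption made here.

```python
import re

# Constructed sample input (not captured from a real router): a running-config
# fragment and a "show ip http server secure status" output in the recipe's format.
SAMPLE_CONFIG = """\
ip http server
ip http secure-server
ip http secure-port 8080
"""
SAMPLE_STATUS = """\
HTTP secure server status: Enabled
HTTP secure server port: 8080
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
"""

# Assumption: the single-DES and RC4 suites seen in the status output are treated as weak.
WEAK_CIPHERS = {"des-cbc-sha", "rc4-128-md5", "rc4-128-sha"}


def parse_status(status: str) -> dict:
    """Turn 'HTTP secure server <field>: <value>' lines into a {field: value} dict."""
    fields = {}
    for line in status.splitlines():
        m = re.match(r"HTTP secure server (.+?):\s*(.*)$", line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_http_config(config: str, status: str) -> list:
    """Return findings; an empty list means the router matches the recipe's recommended state."""
    findings = []
    cfg = [l.strip() for l in config.splitlines()]
    if "ip http secure-server" not in cfg:
        findings.append("HTTPS not enabled: missing 'ip http secure-server'")
    if "ip http server" in cfg:
        findings.append("plaintext HTTP still enabled: add 'no ip http server'")
    # The configured secure port (default 443) should match what the server reports.
    port = "443"
    for line in cfg:
        m = re.match(r"ip http secure-port (\d+)$", line)
        if m:
            port = m.group(1)
    st = parse_status(status)
    if st.get("status") != "Enabled":
        findings.append("secure server reports status %r" % st.get("status"))
    if st.get("port") != port:
        findings.append("configured port %s but server reports %s" % (port, st.get("port")))
    weak = sorted(WEAK_CIPHERS & set(st.get("ciphersuite", "").split()))
    if weak:
        findings.append("weak cipher suites offered: " + ", ".join(weak))
    if st.get("client authentication") == "Disabled":
        findings.append("client authentication disabled (see Recipe 2.8)")
    return findings
```

Run against the sample above, the audit reports the still-enabled HTTP server, the weak cipher suites and the disabled client authentication, while the matching port 8080 produces no finding.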