Secure HTTP, or HTTPS, offers a secure connection to an HTTPS server. It uses SSL and TLS (transport layer security) to provide authentication and data encryption.
An HTTPS client initiates a request by establishing a TCP connection to a particular port on a remote host (port 443 by default). Resources to be accessed by HTTPS are identified using URIs or URLs using the HTTPS URI schemes.
When a client connects to the secure HTTPS port, it first authenticates to the server by using the server’s digital certificate. The client then negotiates the security protocols to be used for the connection with the server and generates session keys for encryption and decryption purposes. If the authentication fails, the client cannot establish a secure encrypted session and the security protocol negotiation does not proceed.
Use the ip http access-class command to restrict access-specific IP addresses, and employ ip http authentication to enable only certain users to access the Cisco router via HTTP.
If you choose to use HTTP for management, issue the ip http access-class access-list-number command to restrict access to appropriate IP addresses. As with interactive logins, the best choice for HTTP authentication is a TACACS+ or RADIUS server. Avoid using the enable password as an HTTP password.
The ip http secure-server command enables the HTTPS server. HTTP authentication for login can be set using the ip http authentication [ enable | local | tacacs | aaa ] command. All default login methods and local authentication methods supported are the same as mentioned in the section, “HTTP.”
The ip http secure-port command can set the HTTPS port number from the default value of 443, if required.