基於httpd-2.4配置虛擬主機web站點,並提供https服務(一)

 使用httpd-2.2和httpd-2.4實現html

> 1.創建httpd服務,要求:web

> 1) 提供兩個基於名稱的虛擬主機www1, www2;要求每一個虛擬主機都有單獨的錯誤日誌和訪問日誌; vim

> 2) 經過www1的/server-status提供狀態信息,且僅容許172.16.0.1主機訪問;服務器

> 3) www2不容許192.168.1.0/24網絡中任意主機訪問;網絡

> 2.爲上面的第2)個虛擬主機提供https服務。dom

編輯器


基於httpd-2.4配置虛擬主機web站點,並提供https服務:ide

1.準備:(1)在VMwareWorkstation平臺下的CentOS7.2一枚;(2)真實機客戶端一個;測試

2.環境:(1)CentOS7.2系統中安裝httpd應用程序並啓動httpd服務;(2)關閉防火牆;(3)設置SELinux;ui

(1) [root@chenliang ~]# yum -y install httpd

  [root@chenliang ~]# systemctl restart http.service

  Active: active (running)

(2) [root@chenliang ~]# iptables -F

(3) [root@chenliang ~]# setenforce 0

3.操做步驟:

[root@chenliang ~]# cd /etc/httpd/conf.d

建立兩個基於主機名的web站點:

[root@chenliang conf.d]# vim www1.conf

<VirtualHost 172.16.72.1:80>

        ServerName www1.cl7.com

        DocumentRoot /var/www/www1

        ErrorLog logs/www1-error_log

        CustomLog logs/www1-access_log combined


        <Location /server-status>

        SetHandler server-status

        Require all denied            //httpd-2.4中統一使用Require來容許或阻止客戶端主機訪問,只要沒有明確的指明容許哪些客戶端主機訪問,則拒絕全部客戶端主機訪問;

        Require ip 172.16.0.1

        </Location>


</VirtualHost>


[root@chenliang conf.d]# vim www2.conf

<VirtualHost 172.16.72.1:80>

        ServerName www2.cl7.com

        DocumentRoot "/var/www/www2"

        ErrorLog logs/www2-error_log

        CustomLog logs/www2-access_log combiend

    <Directory "/var/www/www2">

        Options None

        AllowOverride None

        <RequireAll>                                     //若是容許和拒絕等訪問控制要同時設置,則全部的Require指令必需要放置在<RequireAny>或者<RequireAll>容器指令中

                Require not ip 192.168.1.0/24

                Require all granted                     

        </RequireAll>

    </Directory>

</VirtualHost>


檢查建立的虛擬主機語法有沒有錯誤:

[root@chenliang conf.d]# httpd -t

AH00557: httpd: apr_sockaddr_info_get() failed for chenliang

AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message

Syntax OK

建立路徑映射目錄:

[root@chenliang conf]# mkdir -pv /var/www/www{1,2}

mkdir: 已建立目錄 "/var/www/www1"

mkdir: 已建立目錄 "/var/www/www2"

[root@chenliang conf]# echo "WWW1's page~~" > /var/www/www1/index.html

[root@chenliang conf]# echo "WWW2's page~~" > /var/www/www2/index.html

添加域名解析:

[root@chenliang conf.d]# echo "172.16.72.1 www1.cl.com www2.cl.com" >> /etc/hosts

重啓httpd服務:

[root@chenliang conf.d]# systemctl restart httpd.service

在真實機端打開系統盤:C:\Windows\System32\drivers\etc\hosts,使用文本編輯器編輯添加並保存添加內容:172.16.72.1 www1.cl7.com www2.cl7.com

使用客戶端測試結果以下:

1.png

 

2.png


測試www1是否能容許172.16.0.1網段內的主機查看服務器屬性:

3.png


4.爲虛擬主機www2提供https服務:

   (1) 建立私有CA:

            1)生成私鑰:

            [root@chenliang ~]# cd /etc/pki/CA

            [root@chenliang CA]# ls

            certs  crl  newcerts  private

            [root@chenliang CA]# (umask 077; openssl genrsa -out private/cakey.pem 4096)

            Generating RSA private key, 4096 bit long modulus

            ............................................................................................................................................................++

            .....................................................................................................................................................................................................................................................++

            e is 65537 (0x10001)

            2)生成自簽證書:

            [root@chenliang CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem

            You are about to be asked to enter information that will be incorporated

            into your certificate request.

            What you are about to enter is what is called a Distinguished Name or a DN.

            There are quite a few fields but you can leave some blank

            For some fields there will be a default value,

            If you enter '.', the field will be left blank.

            -----

            Country Name (2 letter code) [XX]:CN

            State or Province Name (full name) []:Hebei

            Locality Name (eg, city) [Default City]:Handan

            Organization Name (eg, company) [Default Company Ltd]:chenliang

            Organizational Unit Name (eg, section) []:chenliang

            Common Name (eg, your name or your server's hostname) []:chenliang

            Email Address []:

            

            [root@chenliang CA]# ls

            cacert.pem  certs  crl  newcerts  private

            3)將文本文件和目錄添加完成私有CA配置:

            [root@chenliang CA]# touch index.txt

            [root@chenliang CA]# echo 01 > serial

    (2)建立https站點:{前提要安裝httpd模塊列表中的mod_ssl模塊}  

 1)生成私鑰並生成證書請求:

[root@chenliang ~]# mkdir -pv /etc/httpd/ssl

mkdir: 已建立目錄 "/etc/httpd/ssl"

[root@chenliang ~]# cd /etc/httpd/ssl

[root@chenliang ssl]# ls

[root@chenliang ssl]# (umask 077;openssl genrsa -out httpd.key 4096)

Generating RSA private key, 4096 bit long modulus

...............................++

......................++

e is 65537 (0x10001)

[root@chenliang ssl]# openssl req -new -key httpd.key -out httpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Hebei

Locality Name (eg, city) [Default City]:Handan

Organization Name (eg, company) [Default Company Ltd]:chenliang

Organizational Unit Name (eg, section) []:chenliang

Common Name (eg, your name or your server's hostname) []:chenliang

Email Address []:


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:CL

[root@chenliang ssl]# ls

httpd.csr  httpd.key

2)將證書請求發送到CA:

[root@chenliang ssl]# cp httpd.csr /tmp/        

3)在CA上爲這次請求籤發證書:

[root@chenliang ssl]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Apr 27 12:51:29 2018 GMT

            Not After : Apr 27 12:51:29 2019 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = Hebei

            organizationName          = chenliang

            organizationalUnitName    = chenliang

            commonName                = chenliang

        X509v3 extensions:

            X509v3 Basic Constraints: 

                CA:FALSE

            Netscape Comment: 

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier: 

                92:A4:5B:5C:88:0D:CE:84:67:5F:2A:9B:1F:57:15:AD:12:A9:13:CE

            X509v3 Authority Key Identifier: 

                keyid:B6:C0:56:B6:E7:CF:C6:9B:CB:35:6D:1F:C9:06:94:69:D2:D9:23:68


Certificate is to be certified until Apr 27 12:51:29 2019 GMT (365 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated


4)在CA上將CA簽發的證書傳送到httpd服務器:

[root@chenliang ssl]# scp /etc/pki/CA/certs/httpd.crt  /etc/httpd/ssl/          

5)在httpd服務器上,刪除證書請求文件:

[root@chenliang ssl]# ls
httpd.crt  httpd.csr  httpd.key
[root@chenliang ssl]# rm -fr httpd.csr
[root@chenliang ssl]# ls
httpd.crt  httpd.key

6)在httpd服務器上配置ssl支持:(須要安裝httpd中的mod_ssl模塊,沒有安裝須要提早安裝)

配置https的虛擬主機:

[root@chenliang ~]# vim /etc/httpd/conf.d/ssl.conf

<VirtualHost>
     DocumentRoot "/data/vhosts/www2"
     ServerName www2.cl7.com:443
     SSLCertificateFile /etc/httpd/ssl/httpd.crt 
     SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

</VirtualHost>

5.測試https是否配置成功:

1.png



至此,httpd-2.4基於主機名創建虛擬主機並實現web站點的https服務完成

相關文章
相關標籤/搜索