1. Install httpd
[root@station68 yum.repos.d]# yum list all |grep http
Unable to read consumer identity
httpd.i386 2.2.3-63.el5 base
httpd-devel.i386 2.2.3-63.el5 base
httpd-manual.i386 2.2.3-63.el5 base
jakarta-commons-httpclient.i386 1:3.0-7jpp.1 base
jakarta-commons-httpclient-demo.i386 1:3.0-7jpp.1 base
jakarta-commons-httpclient-javadoc.i386 1:3.0-7jpp.1 base
jakarta-commons-httpclient-manual.i386 1:3.0-7jpp.1 base
mockobjects-alt-httpclient.i386 0.09-14jpp.3 base
mockobjects-httpclient.i386 0.09-14jpp.3 base
system-config-httpd.noarch 5:1.3.3.3-1.el5 base
[root@station68 yum.repos.d]# yum install httpd -y
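[root@station68 ~]# rpm -ql httpd ## list the files installed by the httpd package
[root@station68 ~]# service httpd start ### start the service
Starting httpd: [ OK ]
[root@station68 ~]# netstat -tnlp ## check that port 80 is listening
Test with a browser, as shown in the figure.
Deleting welcome.conf from the configuration directory stops this page from being displayed.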
[root@station68 ~]# cd /etc/httpd/conf.d/
[root@station68 conf.d]# ls
proxy_ajp.conf README welcome.conf
[root@station68 conf.d]# rm welcome.conf
rm: remove regular file `welcome.conf'? y
[root@station68 conf.d]# service httpd restart ## restart the service
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Refresh the browser, as shown in the figure.
Provide web page content
[root@station68 conf.d]# cd /var/www/html/
[root@station68 html]# ls
[root@station68 html]# vim wang.html ## edit the web page
<html>
<title>Hi</title>
<h1>Hello</h1>
My name is wangxin.
</html>
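Refresh the browser.
Click the web page file.
2. Create virtual hosts
First, disable the central (main) host in the main configuration file.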
[root@station68 ~]# cd /etc/httpd/conf
[root@station68 conf]# vim httpd.conf
[root@localhost ~]# vim /etc/httpd/conf.d/virtual.conf
[root@localhost ~]# ip addr add 172.16.86.3/16 dev eth0 ## add another IP address to eth0
[root@localhost ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:b7:af:f1 brd ff:ff:ff:ff:ff:ff
inet 172.16.86.2/16 brd 172.16.255.255 scope global eth0
inet 192.168.113.2/24 brd 192.168.113.255 scope global eth0:0
inet 172.16.86.3/16 scope global secondary eth0
Modify the configuration file to listen on port 8080.
[root@station68 conf]# vim httpd.conf
Restart the service:
Test the web page:
For custom log files, just add one entry to the configuration file.
[root@localhost ~]# vim /etc/httpd/conf.d/virtual.conf
[root@localhost a.org]# cd /var/log/httpd/
[root@localhost httpd]# ls
access_log access_log.1 error_log error_log.1 error_log.2
[root@localhost httpd]# mkdir magedu.com a.org
[root@localhost httpd]# ls
access_log access_log.1 a.org error_log error_log.1 error_log.2 magedu.com
[root@localhost httpd]# chown apache:apache magedu.com/ a.org/ ## change the owner and group
[root@localhost httpd]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Test the web page:
Login successful:
Settings to deny access by IP:
[root@localhost ~]# vim /etc/httpd/conf.d/virtual.conf
[root@localhost httpd]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Web page test:
3. Implementing SSL
1) For the web server to support SSL, first install the mod_ssl module.
[root@www ~]# yum install mod_ssl -y # install the mod_ssl module
[root@www ~]# rpm -ql mod_ssl # list the generated files
/etc/httpd/conf.d/ssl.conf
/usr/lib/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
2) Provide a CA
Use another host as the CA.
[root@localhost ~]# cd /etc/pki/
[root@localhost pki]# ls
CA entitlement nssdb product rpm-gpg tls
[root@localhost pki]# cd CA/
[root@localhost CA]# ls
Private
[root@mail CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048) ## generate the private key
Generating RSA private key, 2048 bit long modulus
......................................+++
..........................................................................................+++
e is 65537 (0x10001)
[root@mail CA]# ls -l private/ ## check the permissions
total 8
-rw------- 1 root root 1675 Apr 17 22:13 cakey.pem
[root@mail CA]# vim ../tls/openssl.cnf
[root@mail CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655 ## generate the self-signed certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Henan]:
Locality Name (eg, city) [Zhengzhou]:
Organization Name (eg, company) [MageEdu]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:admin@magedu.com
[root@mail CA]# ls
cacert.pem private
[root@mail CA]# mkdir certs crl newcerts
[root@mail CA]# touch index.txt
[root@mail CA]# echo 01 > serial
[root@mail CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@mail CA]#
Switch to the web server.
[root@www ~]# cd /etc/httpd/
[root@www httpd]# mkdir ssl
[root@www httpd]# ls
conf conf.d htpasswd logs modules run ssl
[root@www ssl]# (umask 077; openssl genrsa 1024 > httpd.key) ## generate the private key
Generating RSA private key, 1024 bit long modulus
......++++++
....................++++++
e is 65537 (0x10001)
[root@www ssl]# ll
total 8
-rw------- 1 root root 891 Apr 17 22:36 httpd.key
[root@www ssl]# openssl req -new -key httpd.key -out httpd.csr ## generate the certificate signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Henan
Locality Name (eg, city) [Newbury]:Zhengzhou
Organization Name (eg, company) [My Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:hello.magedu.com
Email Address []:hello@magedu.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Send the certificate signing request to the CA server.
[root@www ssl]# scp httpd.csr 172.16.86.1:/tmp
The authenticity of host '172.16.86.1 (172.16.86.1)' can't be established.
RSA key fingerprint is 4a:07:84:06:7c:f9:9b:a2:8e:b1:d2:0a:b8:27:2c:ef.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.86.1' (RSA) to the list of known hosts.
root@172.16.86.1's password:
httpd.csr 100% 704 0.7KB/s 00:00
Switch to the CA host and sign the certificate.
Copy the certificate to the web server.
[root@www ssl]# scp 172.16.86.1:/tmp/httpd.crt ./
root@172.16.86.1's password:
httpd.crt 100% 3864 3.8KB/s 00:00
[root@www ssl]# ls
httpd.crt httpd.csr httpd.key
[root@www ssl]# cd /etc/httpd/conf.d/
[root@www conf.d]# ls
proxy_ajp.conf README ssl.conf virtual.conf welcome.conf.bak
[root@www conf.d]# vim ssl.conf ## edit the configuration file
[root@www conf.d]# httpd -t
Syntax OK
[root@www conf.d]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
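The whole CA-to-server flow above, with the checks worth running before httpd is restarted, as an added example that is not part of the original post. It works in a throwaway temp directory, uses `openssl x509 -req` as a stand-in for the signing step on the CA host (the post does not show that command), and generates a 2048-bit server key where the post uses 1024; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: throwaway CA and server key in a temp dir; nothing under /etc is touched.

# Print the RSA modulus size of a private key, e.g. 2048.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Succeed only if the certificate's public key belongs to the private key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus) || return 1
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Runs in a subshell so the cd, umask and trap do not leak into the caller.
demo_ca_flow() (
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    cd "$work" || exit 1
    umask 077
    dn="/C=CN/ST=Henan/L=Zhengzhou/O=MageEdu/OU=Tech"

    # CA side: private key and self-signed certificate, as in the post.
    openssl genrsa -out cakey.pem 2048 2>/dev/null || exit 1
    openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3655 \
        -subj "$dn/CN=ca.magedu.com" || exit 1

    # Web server side: 2048-bit key (the post uses 1024) and the CSR.
    openssl genrsa -out httpd.key 2048 2>/dev/null || exit 1
    openssl req -new -key httpd.key -out httpd.csr \
        -subj "$dn/CN=hello.magedu.com" || exit 1

    # CA side: sign the request (stand-in for the signing step on the CA host).
    openssl x509 -req -in httpd.csr -CA cacert.pem -CAkey cakey.pem \
        -set_serial 1 -days 365 -out httpd.crt 2>/dev/null || exit 1

    # Checks to run before pointing ssl.conf at the certificate and key.
    openssl verify -CAfile cacert.pem httpd.crt >/dev/null 2>&1 || exit 1
    cert_matches_key httpd.crt httpd.key || exit 1
    echo "chain=ok match=ok bits=$(key_bits httpd.key)"
)
```

On the real hosts, `key_bits` and `cert_matches_key` can be pointed at the files under /etc/httpd/ssl after the certificate has been copied back from the CA.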
Switch to the CA host, copy cacert.pem from /etc/pki/CA to the physical host, rename it to cacert.crt, and double-click it to install.
Test the web page: