1.实验需求:
1、建立httpd服务,要求:
(1) 提供两个基于名称的虚拟主机www1, www2;有单独的错误日志和访问日志;
(2) 通过www1的/server-status提供状态信息,且仅允许tom用户访问;
(3) www2不允许192.168.0.0/24网络中任意主机访问;
2、为上面的第2个虚拟主机提供https服务
2.实验环境:
Linux服务器操作系统版本:CentOS release 6.7 (Final) IP:172.16.66.60
WIN7系统客户机:IP:172.16.250.100
3.实验前提:
1)关闭防火墙和SELinux
~]# service iptables stop
~]# setenforce 0
4.实验过程:
1.提供两个基于名称的虚拟主机www1, www2;有单独的错误日志和访问日志
一、安装服务
1.yum安装httpd-2.2
~]# yum install httpd -y
~]# rpm -qa httpd
~]# rpm -ql httpd
~]# rpm -qc httpd
~]# service httpd restart
~]# chkconfig httpd on
~]# ss -lnt
二、配置虚拟主机
~]# cat /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.66.60:80>
ServerName www1.magedu.com
DocumentRoot /data/vhosts/www1
ErrorLog logs/www1-error_log
CustomLog logs/www1-access_log combined
</VirtualHost>
~]# cat /etc/httpd/conf.d/www2.conf
<VirtualHost 172.16.66.60:80>
ServerName www2.magedu.com
DocumentRoot /data/vhosts/www2
ErrorLog logs/www2-error_log
CustomLog logs/www2-access_log combined
</VirtualHost>
三、修改配置参数:
1)备份原有的配置文件
~]# cp -p httpd.conf httpd.conf.bak
2)开启虚拟主机:NameVirtualHost
~]# sed -n ‘990p‘ /etc/httpd/httpd.conf
NameVirtualHost 172.16.66.60:80
3)创建站点目录:
~]# mkdir -pv /data/vhosts/www{1,2}
~]# echo "<h1> www1.magedu.com </h1>" > /data/vhosts/www1/index.html
~]# echo "<h1> www2.magedu.com </h1>" > /data/vhosts/www2/index.html
4)添加hosts域名解析
~]# echo " 172.16.66.60 www1.magedu.com www2.magedu.com " >> /etc/hsots
四、PC端上测试内容
1)在wind7上添加域名解析:路径:C:\Windows\System32\drivers\etc\hosts
2)用记事本打开hosts添加并保存:172.16.66.60 www1.magedu.com www2.magedu.com
3)测试都正常访问
2.通过www1的/server-status提供状态信息,且仅允许tom用户访问;
一、修改配置文件:
1)只允许tom用户访问/server-status;
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName "For tom"
AuthUserFile "/etc/httpd/conf/.htpasswd"
Require user tom
</Location>
2)创建虚拟用户tom文件
~]# htpasswd -c -m /etc/httpd/conf/.htpasswd tom
3)检查语法并重载配置文件
~]# httpd -t
~]# service httpd reload
二、在PC机浏览器中测试:
1)输入 http://172.16.66.60/server-status 需要用户tom认证才能访问
3、为上面的第2个虚拟主机提供https服务;
工作目录:/etc/pki/CA/
1)生成私钥
CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
2)生成自签证书
CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:liyang
Organizational Unit Name (eg, section) []:0ps
Common Name (eg, your name or your server‘s hostname) []:www2.magedu.com
Email Address []:[email protected]
3)提供辅助文件
CA]# touch index.txt
CA]# echo 01 > serial 序列号
二、节点申请证书
1)生成私钥
~]# mkdir -pv /etc/httpd/ssl
ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
2)生成证书签署请求:
ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:liyang
Organizational Unit Name (eg, section) []:0ps
Common Name (eg, your name or your server‘s hostname) []:www2.magedu.com
Email Address []:[email protected]
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3)把请求发给CA
ssl]# cp httpd.csr /tmp/
三、CA签发证书
1)签署证书
~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 12 13:01:20 2016 GMT
Not After : Jul 12 13:01:20 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = liyang
organizationalUnitName = 0ps
commonName = www2.magedu.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F6:C2:E3:DC:3F:D9:50:39:52:43:35:BF:99:BC:FF:5E:26:EB:9E:29
X509v3 Authority Key Identifier:
keyid:15:71:78:70:3E:9B:23:64:A0:37:DE:91:1E:6B:73:F6:AD:3C:A7:A7
Certificate is to be certified until Jul 12 13:01:20 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
2)把签署好的证书发还给请求者。
~]# cp /etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/
注意:本次私建CA在一台机器完成。
四、配置httpd支持使用ssl,及使用的证书
1)yum安装mod_ssl模块
~]# httpd -M | grep ssl
~]# yum install mod_ssl -y
~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
2)修改配置文件
~]# cat /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
DocumentRoot "/data/vhosts/www2"
ServerName www2.magedu.com:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
SSLProtocol all -SSLv2
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
</VirtualHost>
五、测试结果:
1)在PC机浏览器中测试:https://www2.magedu.com 通过443端口访问
2)在PC机浏览器中测试:http://www2.magedu.com 通过80端口访问