1、建立httpd服务器(基于编译的方式进行),要求:
提供两个基于名称的虚拟主机:
(a)www1.itab.com,页面文件目录为/web/vhosts/www1;错误日志为/var/log/httpd/www1.err,访问日志为/var/log/httpd/www1.access;
(b)www2.itab.com,页面文件目录为/web/vhosts/www2;错误日志为/var/log/httpd/www2.err,访问日志为/var/log/httpd/www2.access;
(c)为两个虚拟主机建立各自的主页文件index.html,内容分别为其对应的主机名;
(d)通过www1.itab.com/server-status输出httpd工作状态相关信息,且只允许提供帐号密码才能访问(status:status);
(e) www1不允许192.168.1.0/24网络中的主机访问;
2、为上面的的第2个虚拟主机提供https服务,使得用户可以通过https安全的访问此web站点;
(1)要求使用证书认证,证书中要求使用的国家(CN)、州(HA)、城市(ZZ)和组织(iTab);
(2)设置部门为Ops,主机名为www2.itab.com,邮件为[email protected];
现在分别使用httpd-2.2和httpd-2.4搭建符合以上要求的HTTP/HTTPS服务。
httpd-2.2
(1) 使用yum安装httpd服务程序。
[[email protected] ~]# yum -y install httpd
(2) 要想使用虚拟主机,必须先注释掉中心主机的文档根路径(DocRoot)。
[[email protected] ~]# vim /etc/httpd/conf/httpd.conf #DocumentRoot "/var/www/html"
(3) 在/etc/httpd/conf.d目录下创建vhost.conf文件,专门用于配置虚拟主机。
NameVirtualHost 192.168.10.128:80 <VirtualHost 192.168.10.128:80> # 第一台虚拟主机配置 ServerName www1.itab.com # 第一台虚拟主机的主机名 DocumentRoot "/web/vhosts/www1" # 第一台虚拟主机的DocRoot ErrorLog logs/www1.err # 错误日志路径 CustomLog logs/www1.access combined # 访问日志路径 <Directory "/web/vhosts/www1"> # 基于IP地址做访问控制 Order allow,deny Deny from 192.168.1 # 不允许192.168.1.0/24网络中的主机访问 </Directory> <Location /server-status> # 第一台虚拟主机开启server-status工作状态输出功能 SetHandler server-status AuthType Basic # 基于账号密码做控制 AuthName "Enter your username and password." # 认证提示 AuthUserFile "/etc/httpd/.htpasswd" # 存放账号密码的文件路径 Require user status # 只允许status用户登录 </Location> </VirtualHost> <VirtualHost "192.168.10.128:80"> # 第二台虚拟主机配置 ServerName www2.itab.com # 第二台虚拟主机的主机名 DocumentRoot "/web/vhosts/www2" # 第二台虚拟主机的DocRoot ErrorLog logs/www2.err # 错误日志路径 CustomLog logs/www2.access combined # 访问日志路径 </VirtualHost>
(4) 创建虚拟主机的文档根目录,并为两个虚拟主机建立各自的主页文件index.html,内容分别为其对应的主机名。
[[email protected] ~]# mkdir -pv /web/vhosts/{www1,www2}
mkdir: created directory `/web‘
mkdir: created directory `/web/vhosts‘
mkdir: created directory `/web/vhosts/www1‘
mkdir: created directory `/web/vhosts/www2‘
[[email protected] ~]# cat /web/vhosts/www1/index.html
<h1> www1.itab.com </h1>
[[email protected] ~]# cat /web/vhosts/www2/index.html
<h1> www2.itab.com </h1>
(5) 设置站点主页面。
[[email protected] ~]# vim /etc/httpd/conf/httpd.conf DirectoryIndex index.html
(6) 创建访问status页面的账号(status)和密码(status)。
[[email protected] ~]# htpasswd -cm /etc/httpd/.htpasswd status New password: Re-type new password: Adding password for user status
(7) 检查语法错误,如果没有错误,则启动http服务。
[[email protected] ~]# httpd -t Syntax OK [[email protected] ~]# service httpd start Starting httpd: [ OK ]
(8) 查看httpd是否已经监听在80端口。
[[email protected] ~]# ss -tnl | grep 80 LISTEN 0 128 :::80 :::*
(9) 测试。
9.1 测试status页面。
使用192.168.10.140的主机测试,如下。
[[email protected] ~]# elinks www1.itab.com/server-status
打开页面如下。
9.2 测试两个虚拟主机的页面。
同样使用192.168.10.140这台主机来测试,如下。
[[email protected] ~]# elinks www1.itab.com
访问www1.itab.com时,打开页面如下。
[[email protected] ~]# elinks www2.itab.com
访问www2.itab.com时,打开页面如下。
对于192.168.1.0/24网段的主机,则无法访问www1.itab.com,其打开页面如下。
(10) 现在为上面的的第2个虚拟主机提供https服务,使得用户可以通过https安全的访问此web站点。
为了方便,这里通过建立私有CA来提供服务器证书。CA主机和Webf服务器主机如下:
CA主机:192.168.10.140 Web服务器主机:192.168.10.128
10.1 在CA主机(192.168.10.128上)建立私有CA
① CA生成私钥。
[[email protected] ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
② 生成自签证书。
[[email protected] ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:HA Locality Name (eg, city) [Default City]:ZZ Organization Name (eg, company) [Default Company Ltd]:iTab Organizational Unit Name (eg, section) []:Ops Common Name (eg, your name or your server‘s hostname) []:ca.itab.com Email Address []:[email protected]
③ 为CA提供所需的目录及文件。
[[email protected] ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
[[email protected] ~]# touch /etc/pki/CA/{serial,index.txt}
[[email protected] ~]# echo 01 > /etc/pki/CA/serial
10.2 在Web服务器主机(192.168.10.128)上创建证书签署请求。
① Web服务器主机生成私钥。
[[email protected] ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
② Web服务器生成证书签署请求。
[[email protected] ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:HA Locality Name (eg, city) [Default City]:ZZ Organization Name (eg, company) [Default Company Ltd]:iTab Organizational Unit Name (eg, section) []:Ops Common Name (eg, your name or your server‘s hostname) []:www2.itab.com Email Address []:[email protected] Please enter the following ‘extra‘ attributes to be sent with your certificate request A challenge password []: An optional company name []:
③ 通过可靠方式将证书签署请求发送给CA主机。这里为了演示方便,所以直接通过scp命令传送。
[[email protected] ~]# scp /etc/httpd/ssl/httpd.csr [email protected]:/tmp/
10.3 在CA主机(192.168.10.140)上签署证书请求。
① CA主机为Web服务器签证。
[[email protected] ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: May 21 13:50:38 2017 GMT Not After : May 21 13:50:38 2018 GMT Subject: countryName = CN stateOrProvinceName = HA organizationName = iTab organizationalUnitName = Ops commonName = www2.itab.com emailAddress = [email protected] X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: C9:0A:4A:B8:2C:67:8A:1C:68:D5:1E:F6:40:57:21:BD:48:75:D5:75 X509v3 Authority Key Identifier: keyid:81:F9:59:3E:F7:7C:8C:A4:1A:6B:7F:6F:9E:4F:8B:A6:18:A5:20:30 Certificate is to be certified until May 21 13:50:38 2018 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
② CA主机将已签署的证书通过可靠方式传送给该Webf服务器。这里同样使用scp命令。
[[email protected] ~]# scp /etc/pki/CA/certs/httpd.crt [email protected]:/etc/httpd/ssl/
(11) Web服务器在已经得到CA签署的证书了,现在开始配置HTTPS服务,首先安装mod_ssl模块。
[[email protected] ~]# yum install mod_ssl
查看ssl_module是否已经加载。
[[email protected] ~]# httpd -M | grep ssl_module ssl_module (shared) # ssl模块已经加载 Syntax OK
(12) 修改/etc/httpd/conf.d/ssl.conf配置文件。
[[email protected] ~]# vim /etc/httpd/conf.d/ssl.conf # 修改以下配置项 <VirtualHost 192.168.10.128:443> DocumentRoot "/web/vhosts/www2" ServerName www2.itab.com SSLCertificateFile /etc/httpd/ssl/httpd.crt SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
检查语法错误。
[[email protected] ~]# httpd -t Syntax OK
重载服务。
[[email protected] ~]# service httpd reload
查看是否监听在443端口。
[[email protected] ~]# ss -tnl | grep 443 LISTEN 0 128 :::443 :::*
(13) 使用Web服务器本主机测试。
[[email protected] ~]# openssl s_client -connect www2.itab.com:443 -CAfile /etc/pki/CA/cacert.pem CONNECTED(00000003) ......(中间省略)...... New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 379BE969583B315BC9C8C43F64107EE2CD9CB12668ECA26725D8749BA9CDABD2 Session-ID-ctx: Master-Key: FB5258D5C5FB3EF484831FC306B883EA84D106399CC5630A34169E7B2949FD45A9B90D025AB82EC34887A7C9D8E3F7E2 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 55 ba da 0d 93 a9 67 a4-46 1b 21 ab 6f a3 03 5d U.....g.F.!.o..] 0010 - 6e aa d8 23 25 8d 7d 8a-41 db 47 ea a9 3b fb 7c n..#%.}.A.G..;.| 0020 - 70 59 b2 a3 6c cd 7e 00-4e 8a 3e ef 7d 6b f4 68 pY..l.~.N.>.}k.h 0030 - 59 0a 2d 6d a1 1b 36 84-62 7c 3f 51 5d 24 aa 90 Y.-m..6.b|?Q]$.. 0040 - a8 7f 0a a9 f7 a3 fa b2-a0 ea 30 ef 35 80 7d 13 ..........0.5.}. 0050 - 66 8c d2 47 be b5 47 1f-64 90 e9 c7 ce 7e a6 6f f..G..G.d....~.o 0060 - 10 e5 ab 58 98 70 ab 14-07 ca 04 b0 c4 2f d8 f6 ...X.p......./.. 0070 - 70 52 85 f2 1c 93 13 ca-0c ef 7e b2 5a f3 f2 09 pR........~.Z... 0080 - e3 fd e6 d1 01 18 4b 63-74 ce b9 9c c0 a5 2e 1e ......Kct....... 0090 - 8c 9a 7d 7f 35 69 b3 81-01 64 7a 9c 2c 61 24 07 ..}.5i...dz.,a$. 00a0 - 29 69 af b8 19 a7 78 ff-2a 2e a5 8f fe 11 21 b0 )i....x.*.....!. 00b0 - 86 78 fd b7 ae 55 3b 10-44 b4 81 25 02 40 0a c5 .x...U;.D..%[email protected] Start Time: 1491487607 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- GET /index.html HTTP/1.1 # 测试能否获取www2.itab.com的主页面资源 Host: www2.itab.com HTTP/1.1 200 OK # 获取成功 Date: Thu, 06 Apr 2017 14:06:57 GMT Server: Apache/2.2.15 (CentOS) Last-Modified: Thu, 06 Apr 2017 11:29:45 GMT ETag: "4342e-19-54c7dd36ab98c" Accept-Ranges: bytes Content-Length: 25 Connection: close Content-Type: text/html; charset=UTF-8 <h1> www2.itab.com </h1> closed [[email protected] ~]#
测试完毕,使用httpd-2.2搭建HTTP/HTTPS服务成功。接下来使用httpd-2.4搭建同样的HTTP/HTTPS服务。
httpd-2.4
httpd-2.4跟httpd-2.2不同在于任意目录下的页面只有显式授权才能被访问,因此,在配置虚拟主机访问控制时,如下所示。
[[email protected] ~]# cat /etc/httpd/conf.d/vhosts.conf <VirtualHost 192.168.10.140:80> ServerName www1.itab.com DocumentRoot "/web/vhosts/www1" ErrorLog logs/www1.err CustomLog logs/www1.access combined <Location /server-status> SetHandler server-status AuthType Basic AuthName "Enter your username and password" AuthUserFile "/etc/httpd/.htpasswd" Require user status </Location> <Directory "/web/vhosts/www1"> <RequireAll> # 显示授权 Require all granted Require not ip 192.168.10.128 </RequireAll> </Directory> </VirtualHost> <VirtualHost 192.168.10.140:80> ServerName www2.itab.com DocumentRoot "/web/vhosts/www2" ErrorLog logs/www2.err CustomLog logs/www2.access combined <Directory "/web/vhosts/www2"> <RequireAll> # 显示授权 Require all granted Require not ip 192.168.10.128 </RequireAll> </Directory> </VirtualHost>
还有在配置HTTPS时,也是需要显式授权才能被访问到,如下。
[[email protected] ~]# vim /etc/httpd/conf.d/ssl.conf <VirtualHost 192.168.10.140:443> DocumentRoot "/web/vhosts/www2" ServerName www2.itab.com <Directory "/web/vhosts/www2"> # 显式授权 Require all granted </Directory> SSLCertificateFile /etc/httpd/ssl/httpd2.crt SSLCertificateKeyFile /etc/httpd/ssl/httpd.key </VirtualHost>
除此之外,其它配置同httpd-2.2,这里不再赘述。
时间: 2024-12-13 08:34:22