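Requirements:
1. Set up an httpd server that meets the following:
Provide two name-based virtual hosts:
(a) www1.stuX.com, with document root /web/vhosts/www1, error log /var/log/httpd/www1.err and access log /var/log/httpd/www1.access
(b) www2.stuX.com, with document root /web/vhosts/www2, error log /var/log/httpd/www2.err and access log /var/log/httpd/www2.access
(c) Create a home page file /index.html for each virtual host, whose content is the corresponding host name
(d) Expose httpd status information at www1.stuX.com/server-status, accessible only with a username and password (status:status)
2. Provide HTTPS for the second virtual host above, so that users can reach this web site securely over https:
(1) Certificate authentication is required; the certificate must use country (CN), state (Henan), city (Zhengzhou) and organization (MageEdu);
(2) Set the department to tech, the host name to www2.stuX.com, and the e-mail address to [email protected]
Implementation steps: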
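I.
1) Create the required directories and files
mkdir -pv /web/vhosts/www{1,2}
# -p: do not fail if the httpd package has already created the log directory
mkdir -p /var/log/httpd
cd /var/log/httpd
touch www{1,2}.{err,access}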
2) Create the home page files and write the corresponding content into each
/web/vhosts/www1/index.html contains:
<h1>www1.stuX.com</h1>
/web/vhosts/www2/index.html contains:
<h1>www2.stuX.com</h1>
3) Configure /etc/httpd/conf/httpd.conf as follows:
NameVirtualHost 192.168.1.179:80

<VirtualHost 192.168.1.179:80>
    ServerName www1.stuX.com
    DocumentRoot "/web/vhosts/www1"
    ErrorLog /var/log/httpd/www1.err
    CustomLog /var/log/httpd/www1.access combined
    <Directory "/web/vhosts/www1">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    # server-status is a URL handler, not a filesystem path, so the
    # authentication directives must sit in <Location>; inside a
    # <Directory /server-status> block they would never be applied.
    # Basic authentication on port 80 sends the password unencrypted.
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName "Admin Area"
        # This file must already contain an entry for the user "status"
        AuthUserFile /etc/httpd/users/.htpasswd
        Require user status
    </Location>
</VirtualHost>

<VirtualHost 192.168.1.179:80>
    ServerName www2.stuX.com
    DocumentRoot "/web/vhosts/www2"
    ErrorLog /var/log/httpd/www2.err
    CustomLog /var/log/httpd/www2.access combined
</VirtualHost>
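II.
1) Create the private CA
cd /etc/pki/CA
# Generate the CA private key (umask 077 keeps it readable by root only)
(umask 077; openssl genrsa -out private/cakey.pem 2048)
# Generate the self-signed CA certificate
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 2655
# Initialise the serial number and the certificate database used by "openssl ca"
echo 01 > serial
touch index.txt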
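2) Generate the certificate for the server
cd /etc/httpd/
mkdir certs
cd certs
# Generate the server private key
(umask 077; openssl genrsa -out httpd.key 2048)
# Generate the certificate signing request; at the prompts enter the values
# from the requirements (CN, Henan, Zhengzhou, MageEdu, tech, www2.stuX.com)
openssl req -new -key httpd.key -out httpd.csr -days 3655
# Sign the request with the private CA
openssl ca -in httpd.csr -out httpd.crt -days 3655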
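3) Configure httpd to use the certificate
Note: an SSL session can only be created on a per-IP basis, which means that if the server has only one IP address, https can be provided for only one virtual host.
yum list mod_ssl
cd ../conf.d/
vim ssl.conf

<VirtualHost _default_:443>
    DocumentRoot "/www/sslhost"
    ServerName www.magesu.com:443
    # Certificate (httpd does not allow a comment on the same line as a directive)
    SSLCertificateFile /etc/httpd/certs/httpd.crt
    # Private key
    SSLCertificateKeyFile /etc/httpd/certs/httpd.key
    # The remaining directives of the stock ssl.conf stay unchanged
</VirtualHost>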
Import /etc/pki/CA/cacert.pem, renaming it to cacert
Verify:
openssl s_client -connect 192.1:443
openssl s_client -connect 192.1:443 -CAfile /etc/pki/CA/cacert.pem
openssl s_client -connect www.mageu.com:443 -CAfile /etc/pki/CA/cacert.pem
GET /index.html HTTP/1.1
Host:192.168.1.179
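
The CA, signing and verification steps of part II, rehearsed non-interactively in a scratch directory (an added example, not from the original page). It signs with `openssl x509 -req` rather than the page's `openssl ca`; the helper names and the CA common name ca.stuX.com are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Rehearses CA -> CSR -> signed
# certificate in a scratch directory, then verifies the result.
# Assumptions: openssl on PATH; make_ca, issue_cert, check_cert are
# hypothetical helper names; the CA common name ca.stuX.com is constructed.
# Signing uses `openssl x509 -req` instead of the page's `openssl ca`, so no
# /etc/pki/CA index.txt/serial database is needed.

SUBJ_BASE="/C=CN/ST=Henan/L=Zhengzhou/O=MageEdu/OU=tech"

# make_ca DIR: throwaway CA private key plus self-signed CA certificate.
make_ca() {
    mkdir -p "$1" &&
    ( umask 077; openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null ) &&
    openssl req -new -x509 -key "$1/cakey.pem" -out "$1/cacert.pem" \
        -days 30 -subj "$SUBJ_BASE/CN=ca.stuX.com" 2>/dev/null
}

# issue_cert CADIR OUTDIR HOST: server key and CSR for HOST, signed by the CA.
issue_cert() {
    mkdir -p "$2" &&
    ( umask 077; openssl genrsa -out "$2/httpd.key" 2048 2>/dev/null ) &&
    openssl req -new -key "$2/httpd.key" -out "$2/httpd.csr" \
        -subj "$SUBJ_BASE/CN=$3" 2>/dev/null &&
    openssl x509 -req -in "$2/httpd.csr" -CA "$1/cacert.pem" \
        -CAkey "$1/cakey.pem" -CAcreateserial -days 30 \
        -out "$2/httpd.crt" 2>/dev/null
}

# check_cert CACERT CERT KEY HOST: succeeds only if CERT chains to CACERT,
# names HOST, and KEY is the private key belonging to CERT.
check_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$4" "$2" 2>/dev/null |
        grep -q ': OK$' || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Demo run in a temporary directory that is removed afterwards.
tmp=$(mktemp -d) && make_ca "$tmp/ca" &&
    issue_cert "$tmp/ca" "$tmp/www2" www2.stuX.com &&
    check_cert "$tmp/ca/cacert.pem" "$tmp/www2/httpd.crt" \
        "$tmp/www2/httpd.key" www2.stuX.com &&
    echo "www2.stuX.com: chain, hostname and key all check out"
rm -rf "$tmp"
```

Running check_cert against the real /etc/pki/CA/cacert.pem, httpd.crt and httpd.key before restarting httpd catches a certificate signed by the wrong CA, a host name mismatch, or a key that does not belong to the certificate.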