项目实践==虚拟主机及SSL通信(Blog 14)

httpd-2.4及httpd-2.4实现

 

1、建立httpd服务,要求:
(1) 提供两个基于名称的虚拟主机:
www1.stuX.com,页面文件目录为/web/vhosts/www1;错误日志为/var/log/httpd/www1/error_log,访问日志为/var/log/httpd/www1/access_log;
www2.stuX.com,页面文件目录为/web/vhosts/www2;错误日志为/var/log/httpd/www2/error_log,访问日志为/var/log/httpd/www2/access_log;
(2) 通过www1.stuX.com/server-status输出其状态信息,且要求只允许提供账号的用户访问;
(3) www1不允许192.168.1.0/24网络中的主机访问;

2、为上面的第2个虚拟主机提供https服务,使得用户可以通过https安全的访问此web站点;
(1) 要求使用证书认证,证书中要求使用国家(CN),州(Beijing),城市(Beijing),组织为(MageEdu);
(2) 设置部门为Ops, 主机名为www2.stuX.com;

httpd-2.2,httpd-2.4项目实战

1、(1)CentOS 6主机

# vim /etc/conf.d/virtualhost.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
</VirtualHost>

<VirtualHost *:80>
ServerName www2.stuX.com
DocumentRoot “/web/vhosts/www2”
CustomLog logs/www2/access_log combined
ErrorLog logs/www2/error_log
</VirtualHost>

# mkdir -pv /web/vhosts/www{1,2}
# mkdir /var/log/httpd/www{1,2}
# httpd -t
# service httpd restart

给出测试页面:
# echo “www1.stuX.com” > /web/vhosts/www1/index.html
# echo “www2.stuX.com” > /web/vhosts/www2/index.html

在hosts文件中添加解析条目:
# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.0.16 www1.stuX.com www1
172.16.0.16 www2.stuX.com www2

测试访问:
# curl http://www1
www1.stuX.com
# curl http://www2
www1.stuX.com

(2)输出状态页面

# vim /etc/conf.d/virtualhost.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName “VIP”
AuthUserFile “conf.d/.htpasswd”
Require valid-user
</Location>
</VirtualHost>

<VirtualHost *:80>
ServerName www2.stuX.com
DocumentRoot “/web/vhosts/www2”
CustomLog logs/www2/access_log combined
ErrorLog logs/www2/error_log
</VirtualHost>

提供账号
# htpasswd -c -b -s /etc/conf.d/.htpasswd tom magedu
# htpasswd -b -s /etc/conf.d/.htpasswd jack magedu
# htpasswd -b -s /etc/conf.d/.htpasswd obama magedu
# cat /etc/conf.d/.htpasswd
tom:{SHA}AAXfhrY/nwrcGaafjs69saZnPt4=
jack:{SHA}AAXfhrY/nwrcGaafjs69saZnPt4=
obama:{SHA}AAXfhrY/nwrcGaafjs69saZnPt4=

# httpd -t
# service httpd restart
测试访问
# curl –basic -u tom:magedu http://www1/server-status
# curl –basic -u jack:magedu http://www1/server-status

(3)www1不允许192.168.1.0/24网络访问

# vim /etc/conf.d/virtualhost.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName “VIP”
AuthUserFile “conf.d/.htpasswd”
Require valid-user
</Location>
<Directory “/web/vhosts/www1”>
Options None
AllowOverride None
Order allow,deny
Deny from 192.168.1.0/24
Allow from all
</Directory>
</VirtualHost>

<VirtualHost *:80>
ServerName www2.stuX.com
DocumentRoot “/web/vhosts/www2”
CustomLog logs/www2/access_log combined
ErrorLog logs/www2/error_log
</VirtualHost>

# httpd -t
# service httpd restart

2、(1)CentOS 6主机

# httpd -t -D DUMP_VHOSTS
*:80 is a NameVirtualHost
default server www1.stuX.com (/etc/httpd/conf.d/virtualhost.conf:2)
port 80 namevhost www1.stuX.com (/etc/httpd/conf.d/virtualhost.conf:2)
port 80 namevhost www2.stuX.com (/etc/httpd/conf.d/virtualhost.conf:23)

为第二个提供ssl,即是SSL的主机名同www2.stuX.com,且相同的DocumentRoot;

(2)在CA主机生成私钥,自签证书

# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 7300

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server’s hostname) []:ca.stuX.com
Email Address []:

# touch /etc/pki/CA/index.txt
# echo 01 > /etc/pki/CA/serial

(3)在用到证书的主机生成私钥,生成证书签署请求

# mkdir /etc/httpd/ssl
# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server’s hostname) []:www2.stuX.com
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

(4)将请求可靠的发送到CA

# scp /etc/httpd/ssl/httpd.csr root@172.16.0.8:/tmp

(5)CA签署请求

# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

(6)下载证书

# scp root@172.16.0.8:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl

(7)安装mod_ssl模块

# yum install mod_ssl

(8)配置ssl

# /etc/httpd/conf.d/ssl.conf
DocumentRoot “/web/vhosts/www2”
ServerName www2.stuX.com:443
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
# httpd -t
# service httpd restart
# ss -tnl

(9)CA主机上测试连接

# openssl s_client -connect 172.16.0.16:443 -CAfile cacert.pem

Verify return code: 0 (ok)

GET /index.html HTTP/1.1
Host: 172.16.0.16

HTTP/1.1 200 OK
Date: Tue, 28 Nov 2017 15:35:40 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 28 Nov 2017 14:56:55 GMT
ETag: “e0006-e-55f0c3ae502c7”
Accept-Ranges: bytes
Content-Length: 14
Connection: close
Content-Type: text/html; charset=UTF-8

www2.stuX.com
closed

2、(1)CentOS 7主机

# yum -y install httpd httpd-tools
# vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.0.7:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
<Directory “/web/vhosts/www1”>
Options None
AllowOverride None
Require all granted
</Directory>
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
</VirtualHost>

# cp /etc/httpd/conf.d/www1.conf /etc/httpd/conf.d/www2.conf
# sed -i ‘s,www1,www2,g’ www2.conf
# mkdir -pv /web/vhosts/www{1,2}
# mkdir -v /var/log/httpd/www{1,2}
# httpd -t
# systemctl start httpd.service

# echo “<h1>www1.stuX.com</h1>” > /web/vhosts/www1/index.html
# echo “<h1>www2.stuX.com</h1>” > /web/vhosts/www2/index.html

# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.0.7 www1.stuX.com www1
172.16.0.7 www2.stuX.com www2

# curl http://www1.stuX.com
<h1>www1.stuX.com</h1>
# curl http://www2.stuX.com
<h1>www2.stuX.com</h1>

(2)为www1提供状态页面
# vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.0.7:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
<Directory “/web/vhosts/www1”>
Options None
AllowOverride None
Require all granted
</Directory>
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName “VIP”
AuthUserFile “conf.d/.htpasswd”
Require valid-user
</Location>
</VirtualHost>

# htpasswd -c -b -m /etc/httpd/conf.d/.htpasswd tom magedu
# htpasswd -b -s /etc/httpd/conf.d/.htpasswd jack magedu
# htpasswd -b -s /etc/httpd/conf.d/.htpasswd obama magedu

# cat /etc/httpd/conf.d/.htpasswd
tom:$apr1$uehD6ESz$6HCTYDjx60M.SNLEHNQZO0
jack:{SHA}AAXfhrY/nwrcGaafjs69saZnPt4=
obama:{SHA}AAXfhrY/nwrcGaafjs69saZnPt4=

# httpd -t
# systemctl restart httpd.service
#
# curl –basic -u tom:magedu http://www1.stuX.com/index.html

(3)不允许192.168.0.1/24网络内的主机访问www1

# vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.0.7:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
<Directory “/web/vhosts/www1”>
Options None
AllowOverride None
<RequireAll>
Require not ip 192.168.0.1/24
Require all granted
</RequireAll>
</Directory>
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName “VIP”
AuthUserFile “conf.d/.htpasswd”
Require valid-user
</Location>
</VirtualHost>
# httpd -t
# systemctl restart httpd.service

 

CentOS 7

 

2、
在已建CA上,申请证书;
(1)生成私钥及请求

# mkdir -v /etc/httpd/ssl/
# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server’s hostname) []:www2.stuX.com
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# scp /etc/httpd/ssl/httpd.csr root@172.16.0.8:/tmp/

(2)CA签署请求

吊销上一个主机的证书
# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
# echo 01 > crlnumber
# openssl ca -gencrl -out /etc/pki/CA/crl/httpd.crl
# openssl crl -in /etc/pki/CA/crl/httpd.crl -noout -text

# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

# scp root@172.16.0.8:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl

(3)安装配置SSL

# yum -y install mod_ssl

# httpd -t -D DUMP_VHOSTS
172.16.0.7:80 is a NameVirtualHost
default server www1.stuX.com (/etc/httpd/conf.d/www1.conf:1)
port 80 namevhost www1.stuX.com (/etc/httpd/conf.d/www1.conf:1)
port 80 namevhost www2.stuX.com (/etc/httpd/conf.d/www2.conf:1)
*:443 is a NameVirtualHost
default server localhost.localdomain (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost localhost.localdomain (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost localhost.localdomain (/etc/httpd/conf.d/ssl.conf:56)

# vim /etc/httpd/conf.d/ssl.conf
DocumentRoot “/web/vhosts/www2”
ServerName www2.stuX.com:443
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

# httpd -t
# systemctl restart httpd.service

(4)在CA主机访问

# openssl s_client -connect 172.16.0.7:443 -CAfile /etc/pki/CA/cacert.pem

Start Time: 1512215742
Timeout : 300 (sec)
Verify return code: 0 (ok)

GET /index.html HTTP/1.1
Host: 172.16.0.7

HTTP/1.1 403 Forbidden
Date: Sat, 02 Dec 2017 11:50:46 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
Content-Length: 212
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don’t have permission to access /index.html
on this server.</p>
</body></html>

(5)配置SSL授权目录

# vim /etc/httpd/conf.d/ssl.conf
<Directory “/web/vhosts/www2”>
Options None
AllowOverride None
Require all granted
</Directory>

(6)在CA主机访问

# openssl s_client -connect 172.16.0.7:443 -CAfile /etc/pki/CA/cacert.pem

# httpd -t
# systemctl restart httpd.service

Start Time: 1512215937
Timeout : 300 (sec)
Verify return code: 0 (ok)

GET /index.html HTTP/1.1
Host: 172.16.0.7

HTTP/1.1 200 OK
Date: Sat, 02 Dec 2017 11:53:47 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
Last-Modified: Sat, 02 Dec 2017 11:23:09 GMT
ETag: “17-55f59b5bd19a3”
Accept-Ranges: bytes
Content-Length: 23
Content-Type: text/html; charset=UTF-8

<h1>www2.stuX.com</h1>

本文来自投稿,不代表Linux运维部落立场,如若转载,请注明出处:http://www.178linux.com/89222

(0)
逆神阳逆神阳
上一篇 2017-12-02
下一篇 2017-12-02

相关推荐

  • 浅谈编译kernel+busybox构建拥有远程ssh登录和web功能最小linux系统(一)

    实验环境win7+VM11.1 大致过程总揽 1,硬件准备以及查看硬件设备型号(不用担心,这些都是VM虚拟出来的) 2,编译环境的配置以及下载内核源码以及编译内核 3,编译busybox,以及提供系统正常运行的配置文件,初步运行linux系统 4,编译安装dropbear提供ssh服务 5,安装nginx;提供web服务 一,硬件准备以及查看硬件设备型号 由…

    Linux干货 2015-09-22
  • 文件搜索者-find命令详解

    1. 文件查找:          在linux系统中由于文件的众多,往往需要在众多的文件当中查找某一个文件,如果时间一长,很难记得文件存放至何处,不过,这一点,你不比担心,因为开发人员为我们提供了强大的文件搜索工具,下面将介绍两款常用的文件查找工具locate,和find,这两…

    Linux干货 2016-08-15
  • sed使用小命令及课后作业

    Stream EDitor,  行编辑器 sed 是一种流编辑器,它一次处理一行内容。处理时,把当前处理的行存储在临时缓冲区中,称为“模式空间”(pattern space ),接着用sed 命令处理缓冲区中的内容,处理完成后,把缓冲区的内容送往屏幕。接着处理下一行,这样不断重复,直到文件末尾。文件内容并没有改变,除非你使用重定向存储输出。Sed …

    Linux干货 2017-03-18
  • Linux网络管理之路由和team网络组

    如何实现把linux当路由器来使用,实现不同网段之间的通信访问,这就是今天所要实现的路由配置   环境准备:4台虚拟机,两台中间两台作为路由器来使用(每天主机两块网卡),其他两台作为终端主机,目的是让不同网段的两台主机之间互相访问(这里在vmware里面做的实验,所以网卡的类型都设置为桥接)   拓扑图:   步骤一:将A、D两…

    系统运维 2016-09-10
  • 正则表达式

    1:什么是正则表达式: 简单的说,正则表达式就是处理字符串的方法,它是以行为单位进行字符串的处理行为,正则表达式通过一些特殊符号的辅助,可以让用户轻易达到查找,删除,替换某特定字符串的处理程序。 2:一些参数: grep [-A] [-B] [–color=auto] ‘收索字符串’ filename -A :后面可加数字…

    2017-07-29
  • 【26期】Linux第五周学习小总结

        第五周的学习内容很丰富, 从查找到压缩打包,到软件包的管理,其中尤其是以压缩的内容最为丰富,而且庞大的选项让人绝望,那我今天就总结了一下压缩的一些东西,和大家一起分享。     为什么会产生压缩工具呢?因为我们的现在的很多文件会利用到的东西很多,电脑的读存速度也越来越快,一些大的文件在传输和使用上就会很麻烦,虽…

    2017-08-12