项目实践==虚拟主机及SSL通信(Blog 14)

httpd-2.4及httpd-2.4实现

 

1、建立httpd服务,要求:
(1) 提供两个基于名称的虚拟主机:
www1.stuX.com,页面文件目录为/web/vhosts/www1;错误日志为/var/log/httpd/www1/error_log,访问日志为/var/log/httpd/www1/access_log;
www2.stuX.com,页面文件目录为/web/vhosts/www2;错误日志为/var/log/httpd/www2/error_log,访问日志为/var/log/httpd/www2/access_log;
(2) 通过www1.stuX.com/server-status输出其状态信息,且要求只允许提供账号的用户访问;
(3) www1不允许192.168.1.0/24网络中的主机访问;

2、为上面的第2个虚拟主机提供https服务,使得用户可以通过https安全的访问此web站点;
(1) 要求使用证书认证,证书中要求使用国家(CN),州(Beijing),城市(Beijing),组织为(MageEdu);
(2) 设置部门为Ops, 主机名为www2.stuX.com;

httpd-2.2,httpd-2.4项目实战

1、(1)CentOS 6主机

# vim /etc/conf.d/virtualhost.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
</VirtualHost>

<VirtualHost *:80>
ServerName www2.stuX.com
DocumentRoot “/web/vhosts/www2”
CustomLog logs/www2/access_log combined
ErrorLog logs/www2/error_log
</VirtualHost>

# mkdir -pv /web/vhosts/www{1,2}
# mkdir /var/log/httpd/www{1,2}
# httpd -t
# service httpd restart

给出测试页面:
# echo “www1.stuX.com” > /web/vhosts/www1/index.html
# echo “www2.stuX.com” > /web/vhosts/www2/index.html

在hosts文件中添加解析条目:
# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.0.16 www1.stuX.com www1
172.16.0.16 www2.stuX.com www2

测试访问:
# curl http://www1
www1.stuX.com
# curl http://www2
www1.stuX.com

(2)输出状态页面

# vim /etc/conf.d/virtualhost.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName “VIP”
AuthUserFile “conf.d/.htpasswd”
Require valid-user
</Location>
</VirtualHost>

<VirtualHost *:80>
ServerName www2.stuX.com
DocumentRoot “/web/vhosts/www2”
CustomLog logs/www2/access_log combined
ErrorLog logs/www2/error_log
</VirtualHost>

提供账号
# htpasswd -c -b -s /etc/conf.d/.htpasswd tom magedu
# htpasswd -b -s /etc/conf.d/.htpasswd jack magedu
# htpasswd -b -s /etc/conf.d/.htpasswd obama magedu
# cat /etc/conf.d/.htpasswd
tom:{SHA}AAXfhrY/nwrcGaafjs69saZnPt4=
jack:{SHA}AAXfhrY/nwrcGaafjs69saZnPt4=
obama:{SHA}AAXfhrY/nwrcGaafjs69saZnPt4=

# httpd -t
# service httpd restart
测试访问
# curl –basic -u tom:magedu http://www1/server-status
# curl –basic -u jack:magedu http://www1/server-status

(3)www1不允许192.168.1.0/24网络访问

# vim /etc/conf.d/virtualhost.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName “VIP”
AuthUserFile “conf.d/.htpasswd”
Require valid-user
</Location>
<Directory “/web/vhosts/www1”>
Options None
AllowOverride None
Order allow,deny
Deny from 192.168.1.0/24
Allow from all
</Directory>
</VirtualHost>

<VirtualHost *:80>
ServerName www2.stuX.com
DocumentRoot “/web/vhosts/www2”
CustomLog logs/www2/access_log combined
ErrorLog logs/www2/error_log
</VirtualHost>

# httpd -t
# service httpd restart

2、(1)CentOS 6主机

# httpd -t -D DUMP_VHOSTS
*:80 is a NameVirtualHost
default server www1.stuX.com (/etc/httpd/conf.d/virtualhost.conf:2)
port 80 namevhost www1.stuX.com (/etc/httpd/conf.d/virtualhost.conf:2)
port 80 namevhost www2.stuX.com (/etc/httpd/conf.d/virtualhost.conf:23)

为第二个提供ssl,即是SSL的主机名同www2.stuX.com,且相同的DocumentRoot;

(2)在CA主机生成私钥,自签证书

# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 7300

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server’s hostname) []:ca.stuX.com
Email Address []:

# touch /etc/pki/CA/index.txt
# echo 01 > /etc/pki/CA/serial

(3)在用到证书的主机生成私钥,生成证书签署请求

# mkdir /etc/httpd/ssl
# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server’s hostname) []:www2.stuX.com
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

(4)将请求可靠的发送到CA

# scp /etc/httpd/ssl/httpd.csr root@172.16.0.8:/tmp

(5)CA签署请求

# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

(6)下载证书

# scp root@172.16.0.8:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl

(7)安装mod_ssl模块

# yum install mod_ssl

(8)配置ssl

# /etc/httpd/conf.d/ssl.conf
DocumentRoot “/web/vhosts/www2”
ServerName www2.stuX.com:443
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
# httpd -t
# service httpd restart
# ss -tnl

(9)CA主机上测试连接

# openssl s_client -connect 172.16.0.16:443 -CAfile cacert.pem

Verify return code: 0 (ok)

GET /index.html HTTP/1.1
Host: 172.16.0.16

HTTP/1.1 200 OK
Date: Tue, 28 Nov 2017 15:35:40 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 28 Nov 2017 14:56:55 GMT
ETag: “e0006-e-55f0c3ae502c7”
Accept-Ranges: bytes
Content-Length: 14
Connection: close
Content-Type: text/html; charset=UTF-8

www2.stuX.com
closed

2、(1)CentOS 7主机

# yum -y install httpd httpd-tools
# vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.0.7:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
<Directory “/web/vhosts/www1”>
Options None
AllowOverride None
Require all granted
</Directory>
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
</VirtualHost>

# cp /etc/httpd/conf.d/www1.conf /etc/httpd/conf.d/www2.conf
# sed -i ‘s,www1,www2,g’ www2.conf
# mkdir -pv /web/vhosts/www{1,2}
# mkdir -v /var/log/httpd/www{1,2}
# httpd -t
# systemctl start httpd.service

# echo “<h1>www1.stuX.com</h1>” > /web/vhosts/www1/index.html
# echo “<h1>www2.stuX.com</h1>” > /web/vhosts/www2/index.html

# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.0.7 www1.stuX.com www1
172.16.0.7 www2.stuX.com www2

# curl http://www1.stuX.com
<h1>www1.stuX.com</h1>
# curl http://www2.stuX.com
<h1>www2.stuX.com</h1>

(2)为www1提供状态页面
# vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.0.7:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
<Directory “/web/vhosts/www1”>
Options None
AllowOverride None
Require all granted
</Directory>
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName “VIP”
AuthUserFile “conf.d/.htpasswd”
Require valid-user
</Location>
</VirtualHost>

# htpasswd -c -b -m /etc/httpd/conf.d/.htpasswd tom magedu
# htpasswd -b -s /etc/httpd/conf.d/.htpasswd jack magedu
# htpasswd -b -s /etc/httpd/conf.d/.htpasswd obama magedu

# cat /etc/httpd/conf.d/.htpasswd
tom:$apr1$uehD6ESz$6HCTYDjx60M.SNLEHNQZO0
jack:{SHA}AAXfhrY/nwrcGaafjs69saZnPt4=
obama:{SHA}AAXfhrY/nwrcGaafjs69saZnPt4=

# httpd -t
# systemctl restart httpd.service
#
# curl –basic -u tom:magedu http://www1.stuX.com/index.html

(3)不允许192.168.0.1/24网络内的主机访问www1

# vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.0.7:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
<Directory “/web/vhosts/www1”>
Options None
AllowOverride None
<RequireAll>
Require not ip 192.168.0.1/24
Require all granted
</RequireAll>
</Directory>
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName “VIP”
AuthUserFile “conf.d/.htpasswd”
Require valid-user
</Location>
</VirtualHost>
# httpd -t
# systemctl restart httpd.service

 

CentOS 7

 

2、
在已建CA上,申请证书;
(1)生成私钥及请求

# mkdir -v /etc/httpd/ssl/
# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server’s hostname) []:www2.stuX.com
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# scp /etc/httpd/ssl/httpd.csr root@172.16.0.8:/tmp/

(2)CA签署请求

吊销上一个主机的证书
# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
# echo 01 > crlnumber
# openssl ca -gencrl -out /etc/pki/CA/crl/httpd.crl
# openssl crl -in /etc/pki/CA/crl/httpd.crl -noout -text

# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

# scp root@172.16.0.8:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl

(3)安装配置SSL

# yum -y install mod_ssl

# httpd -t -D DUMP_VHOSTS
172.16.0.7:80 is a NameVirtualHost
default server www1.stuX.com (/etc/httpd/conf.d/www1.conf:1)
port 80 namevhost www1.stuX.com (/etc/httpd/conf.d/www1.conf:1)
port 80 namevhost www2.stuX.com (/etc/httpd/conf.d/www2.conf:1)
*:443 is a NameVirtualHost
default server localhost.localdomain (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost localhost.localdomain (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost localhost.localdomain (/etc/httpd/conf.d/ssl.conf:56)

# vim /etc/httpd/conf.d/ssl.conf
DocumentRoot “/web/vhosts/www2”
ServerName www2.stuX.com:443
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

# httpd -t
# systemctl restart httpd.service

(4)在CA主机访问

# openssl s_client -connect 172.16.0.7:443 -CAfile /etc/pki/CA/cacert.pem

Start Time: 1512215742
Timeout : 300 (sec)
Verify return code: 0 (ok)

GET /index.html HTTP/1.1
Host: 172.16.0.7

HTTP/1.1 403 Forbidden
Date: Sat, 02 Dec 2017 11:50:46 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
Content-Length: 212
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don’t have permission to access /index.html
on this server.</p>
</body></html>

(5)配置SSL授权目录

# vim /etc/httpd/conf.d/ssl.conf
<Directory “/web/vhosts/www2”>
Options None
AllowOverride None
Require all granted
</Directory>

(6)在CA主机访问

# openssl s_client -connect 172.16.0.7:443 -CAfile /etc/pki/CA/cacert.pem

# httpd -t
# systemctl restart httpd.service

Start Time: 1512215937
Timeout : 300 (sec)
Verify return code: 0 (ok)

GET /index.html HTTP/1.1
Host: 172.16.0.7

HTTP/1.1 200 OK
Date: Sat, 02 Dec 2017 11:53:47 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
Last-Modified: Sat, 02 Dec 2017 11:23:09 GMT
ETag: “17-55f59b5bd19a3”
Accept-Ranges: bytes
Content-Length: 23
Content-Type: text/html; charset=UTF-8

<h1>www2.stuX.com</h1>

本文来自投稿,不代表Linux运维部落立场,如若转载,请注明出处:http://www.178linux.com/89222

(0)
逆神阳逆神阳
上一篇 2017-12-02
下一篇 2017-12-02

相关推荐

  • PHP安全模式详解(PHP5.4安全模式将消失)

    1. 安全模式      一直没有用过php的safe_mode安全模式,以此说明作为日后参考。      PHP 的安全模式是为了试图解决共享服务器(shared-server)安全问题而设立的。在结构上,试图在 PHP 层上解决这个问题是不合理的,但修改 web 服务器层和操作系统层显得非常不现…

    Linux干货 2015-06-02
  • 图解 lvs 工作原理

    一.lvs 基本工作流程介绍  如图1,ipvsadm定义lvs服务监听的ip和port,并发送给ipvs,而ipvs是工作在netfilter的input钩子上的程序,当input链中有目标ip属于lvs服务的请求报文时,ipvs就会修改该报文的链路,使其不进入用户空间而直接转到postrouting链上,并转发给其中一台real server,…

    Linux干货 2016-10-30
  • 计算机网络基础

    1、OSI, TCP/IP, 五层协议的体系结构, 以及各层协议 OSI分层(7层): 物理层, 数据链路层, 网络层, 传输层, 会话层, 表示层, 应用层 TCP/IP分层(4层): 网络接口层, 网际层, 传输层, 应用层 五层协议(5层): 物理层, 数据链路层, 网络层, 运输层, 应用层 每一层的协议: 物理层: RJ45, CLOCK, IEE…

    Linux干货 2016-09-19
  • 硬盘分区的三种方式

    以前在初步接触linux的时候,只知道一种分区方式,现在学会了三种分区方式,所以下面就给大家简单的演示一下 ,以供参考。 第一种:fdisk /dev/sd?    具体步骤请看下图:首先有一个空的硬盘/dev/sdb, 第一步:输入命令fdisk /dev/sdb,会弹出一个帮助信息Command(m for help),意思就是m键是…

    2017-08-20
  • Package Manager

    Package Manager Package 管理工具的分类 rpm yum Source Code Install 管理工具的分类 前段管理工具:Debian:debRedhat,Suse…:rpm 前端管理工具:Debian:apt-getRedhat:yum,dnf RPM RPM是什么?RPM全称是RPM Package Manager…

    2016-03-27
  • 一个简单的负载均衡集群:web服务

    一个简单的负载均衡集群:以web服务为例 实验环境:三台主机(CentOS 7.3)             主机1:IP地址 172.18.0.88(Haproxy代理服务器)             主机2:IP地址 172.…

    Linux干货 2017-05-17