Apache HTTPS virtual hosts on CentOS 6 in practice

The assignment:
1. Set up an httpd server that provides two name-based virtual hosts:
(a) www1.buybybuy.com, document root /web/vhosts/www1; error log /var/log/httpd/www1.err, access log /var/log/httpd/www1.access;
(b) www2.buybybuy.com, document root /web/vhosts/www2; error log /var/log/httpd/www2.err, access log /var/log/httpd/www2.access;
(c) create an index.html home page for each virtual host whose content is the corresponding host name;
(d) expose httpd's working status at www1.buybybuy.com/server-status, accessible only with an account and password (status:status);

2. Serve the second virtual host over HTTPS so that users can reach the site securely:
(1) use certificate authentication; the certificate must carry the country (CN), state (Beijing), city (Beijing) and organization (Quintin Ltd);
(2) set the department to Ops, the host name to www2.buybybuy.com and the e-mail address to admin@buybybuy.com;

===============================================================================

Environment and materials:
two CentOS 6 machines (one also works)
Apache 2.2
the domain buybybuy.com


1. Setting up the httpd server

Create the required directories:
# mkdir -p /web/vhosts/www{1,2}


(a), (b)

httpd ships with the system, so there is nothing to install;
edit the httpd configuration file httpd.conf directly:
# vim /etc/httpd/conf/httpd.conf

Comment out:
DocumentRoot

Uncomment:
#NameVirtualHost *:80

Change:
ServerName localhost:80

Append the following virtual host configuration at the bottom:
<VirtualHost *:80>
ServerAdmin admin@buybybuy.com
DocumentRoot /web/vhosts/www1
ServerName www1.buybybuy.com
ErrorLog logs/www1.err
CustomLog logs/www1.access combined
</VirtualHost>

<Directory /web/vhosts/www1>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>

<VirtualHost *:80>
ServerAdmin admin@buybybuy.com
DocumentRoot /web/vhosts/www2
ServerName www2.buybybuy.com
ErrorLog logs/www2.err
CustomLog logs/www2.access combined
</VirtualHost>

<Directory /web/vhosts/www2>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>

With the configuration in place, requests failed with
Apache 403 error, (13)Permission denied: access to / denied
Checking httpd.conf and the directory permissions turned up nothing wrong;
the cause was that SELinux was enabled on the system.

Disable SELinux temporarily:
# setenforce 0

Disable it permanently:
# vim /etc/selinux/config
change
SELINUX=enforcing
to
SELINUX=disabled
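The same 403 can be cleared while SELinux stays in enforcing mode, by giving the non-standard docroot the label httpd is allowed to read. This is an added example, not part of the original post; it assumes semanage (policycoreutils-python on CentOS 6), restorecon and ausearch are installed, and only prints the commands on a host that lacks them.

```shell
#!/bin/sh
# Added example, not part of the original post: the fix that keeps SELinux in
# enforcing mode. httpd may only read files labelled httpd_sys_content_t; the
# non-standard path /web/vhosts inherits default_t, so httpd gets EACCES and
# answers 403. Assumes semanage (policycoreutils-python on CentOS 6), restorecon
# and ausearch are installed; on a host without them the commands are only printed.
set -e
command -v semanage >/dev/null 2>&1 && command -v ausearch >/dev/null 2>&1 || DRY_RUN=1
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Record a persistent file-context rule for the docroot and everything below it,
# then apply it to the files already there. Unlike chcon, the rule survives a
# relabel (restorecon or touch /.autorelabel).
label_docroot() {
  dir=${1%/}
  run semanage fcontext -a -t httpd_sys_content_t "$dir(/.*)?"
  run restorecon -Rv "$dir"
}

# Confirm the denial really came from SELinux before changing anything: the AVC
# record names the process (httpd), the path and the offending label.
show_httpd_denials() { run ausearch -m avc -c httpd -ts recent; }

show_httpd_denials
label_docroot /web/vhosts
```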

(c)

Create index.html in www1 and www2, with content www1.buybybuy.com and www2.buybybuy.com respectively:
# vim /web/vhosts/www1/index.html
# vim /web/vhosts/www2/index.html


(d)

Create an account for access and follow the prompts:
# htpasswd -c /etc/httpd/conf.d/.htpasswd webadmin

Edit httpd.conf and add:
<Location /server-status>
AuthType Basic
AuthName "Administrator privateeee"
AuthUserFile "/etc/httpd/conf.d/.htpasswd"
Require user "webadmin"
SetHandler server-status
Order deny,allow
Deny from all
Allow from 192.168.3.3
</Location>

2. Serving www2.buybybuy.com over HTTPS

A self-signed certificate has to be generated with OpenSSL, so make sure OpenSSL and mod_ssl are installed:
# httpd -M | grep ssl
If the module is missing, install it:
# yum install mod_ssl openssl

Set up a CA on server CentOS A, then have it issue the HTTPS certificate for the current server (CentOS B).

CentOS A:

Initialise the CA and create the files it needs (under /etc/pki/CA/):
# touch index.txt        (create the index file)
# echo 01 > serial       (create the serial-number file)

CA self-signed certificate
Generate the private key:
# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generate the self-signed certificate with the private key:
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

CentOS B:

# mkdir /etc/httpd/ssl
# cd /etc/httpd/ssl
Generate the key:
# (umask 007;openssl genrsa -out httpd.key 1024)
Generate the certificate signing request:
# openssl req -new -key httpd.key -out httpd.csr

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Quintin Ltd
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.buybybuy.com
Email Address []:admin@buybybuy.com

Send the generated request to the CA server, CentOS A:
# scp httpd.csr root@192.168.3.67:/tmp/


Back on CentOS A:

Sign the request:
# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/www2.buybybuy.com.crt -days 365
Copy the resulting .crt back to CentOS B:
# scp /etc/pki/CA/certs/www2.buybybuy.com.crt root@192.168.3.60:/etc/httpd/ssl/
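Before the .crt is copied back it is worth checking that it chains to cacert.pem, carries the right CN and matches httpd.key. The following added example (not from the original post) replays the whole key, CSR and signing flow in a temporary directory with the assignment's subject fields and then runs those three checks; it assumes only the openssl CLI, signs with openssl x509 -req instead of the post's openssl ca so that no CA config is needed, and constructs every path under a mktemp directory.

```shell
#!/bin/sh
# Added example, not part of the original post. Replays the post's key -> CSR ->
# signed-certificate flow for both hosts inside one throw-away directory, then runs
# the checks worth doing before the .crt is copied back to CentOS B. Assumes only the
# openssl CLI; every path under $WORK is constructed for the demo. Signing uses
# "openssl x509 -req" instead of the post's "openssl ca" so no CA config is needed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ="/C=CN/ST=Beijing/L=Beijing/O=Quintin Ltd/OU=Ops/CN=www2.buybybuy.com/emailAddress=admin@buybybuy.com"

# "CentOS A": self-signed CA (umask 077 keeps the CA key readable by root only)
make_ca() {
  (umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$WORK/cakey.pem" -days 7300 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Quintin Ltd/OU=CA/CN=Quintin Root CA" \
    -out "$WORK/cacert.pem"
}

# "CentOS B": server key and CSR carrying exactly the subject the assignment asks for
make_csr() {
  (umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
  openssl req -new -key "$WORK/httpd.key" -subj "$SUBJ" -out "$WORK/httpd.csr"
}

# "CentOS A": sign the CSR for one year, as in the post
sign_csr() {
  openssl x509 -req -in "$WORK/httpd.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -CAcreateserial -days 365 -out "$WORK/www2.buybybuy.com.crt" 2>/dev/null
}

# Checks: (1) the cert chains to cacert.pem, which is what s_client -CAfile tests later;
# (2) the CN is the vhost's ServerName, or browsers reject it; (3) the cert really
# belongs to httpd.key, or httpd fails to start once ssl.conf points at both.
# Prints "ok" when all three pass, returns 1 otherwise.
check_cert() {
  crt="$WORK/www2.buybybuy.com.crt"
  openssl verify -CAfile "$WORK/cacert.pem" "$crt" 2>/dev/null | grep -q ': OK$' || return 1
  openssl x509 -in "$crt" -noout -subject | grep -q 'CN *= *www2\.buybybuy\.com' || return 1
  [ "$(openssl x509 -in "$crt" -noout -modulus)" = "$(openssl rsa -in "$WORK/httpd.key" -noout -modulus)" ] || return 1
  echo ok
}

make_ca && make_csr && sign_csr && check_cert
```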


Back on CentOS B:

Configure httpd's SSL settings (ssl.conf):

# cd /etc/httpd/conf.d/
Back it up:
# cp ssl.conf{,.bak}

Edit ssl.conf

Change
<VirtualHost _default_:443>
=>
<VirtualHost *:443>

Set the document root and server name:
DocumentRoot "/web/vhosts/www2"
ServerName www2.buybybuy.com

Certificate location:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
=>
SSLCertificateFile /etc/httpd/ssl/www2.buybybuy.com.crt

Private key location:
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
=>
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key


When done, check the configuration for syntax errors:
# httpd -t

Restart httpd:
# service httpd restart

Check that port 443 is now listening:
# ss -tnl

Test from CentOS A with s_client:
# openssl s_client -connect 192.168.3.60:443 -CAfile /etc/pki/CA/cacert.pem

GET / HTTP/1.1
Host: www2.buybybuy.com


HTTP/1.1 200 OK
Date: Wed, 05 Oct 2016 11:20:16 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Fri, 30 Sep 2016 13:33:02 GMT
ETag: "bf4e8-21-53db9a230598a"
Accept-Ranges: bytes
Content-Length: 33
Connection: close
Content-Type: text/html; charset=UTF-8

www2.buybybuy.com</br>
welcome!

The test succeeds!

In a browser, access it as:
https://www2.buybybuy.com

Original article: https://www.cnblogs.com/Q--T/p/5986210.html