  • Web applications: httpd basics (part 4)











      Define an output filter. The directive for this is setoutputfilter FILTER_NAME; the filter name can be any valid name, and DEFLATE is the name normally used.

       Note: this directive sets an output filter. It can be used in the server config section, in virtual host sections, in directory sections, and in .htaccess.


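       deflatecompressionlevel number: this directive sets the deflate compression level, in the range 1-9. Level 9 is the highest and produces the smallest compressed output, at the cost of more CPU.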













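      (1) The client sends the encryption methods it can offer and requests the server's certificate;

      (2) The server sends its certificate and the selected encryption method to the client;

      (3) The client receives the certificate and validates it, provided it trusts the CA that issued it:

        (a) verify the legitimacy of the certificate's origin: use the CA's public key to decrypt the digital signature on the certificate;

        (b) verify the legitimacy of the certificate's content: integrity check;

        (c) check the certificate's validity period;

        (d) check whether the certificate has been revoked;

        (e) the owner name in the certificate must match the target host being accessed;

      (4) The client generates a temporary session key (a symmetric key), encrypts it with the server's public key and sends it to the server, completing the key exchange;

      (5) The server encrypts the resource the user requested with this key and sends the response to the client.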




    [root@test_node1-centos7 CA]# pwd 
    [root@test_node1-centos7 CA]# ll
    total 0
    drwxr-xr-x. 2 root root 6 Aug  4  2017 certs
    drwxr-xr-x. 2 root root 6 Aug  4  2017 crl
    drwxr-xr-x. 2 root root 6 Aug  4  2017 newcerts
    drwx------. 2 root root 6 Aug  4  2017 private
    [root@test_node1-centos7 CA]# (umask 077;openssl genrsa -out cakey.pem 1024)
    Generating RSA private key, 1024 bit long modulus
    e is 65537 (0x10001)
    [root@test_node1-centos7 CA]# ll
    total 4
    -rw-------  1 root root 891 Mar 29 18:24 cakey.pem
    drwxr-xr-x. 2 root root   6 Aug  4  2017 certs
    drwxr-xr-x. 2 root root   6 Aug  4  2017 crl
    drwxr-xr-x. 2 root root   6 Aug  4  2017 newcerts
    drwx------. 2 root root   6 Aug  4  2017 private
    [root@test_node1-centos7 CA]# openssl req -new -x509 -key cakey.pem  -out cacert.pem -days 365
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:SC
    Locality Name (eg, city) [Default City]:GY
    Organization Name (eg, company) [Default Company Ltd]:TEST
    Organizational Unit Name (eg, section) []:OPS
    Common Name (eg, your name or your server's hostname) []:ca.test.com
    Email Address []:
    [root@test_node1-centos7 CA]# ll
    total 8
    -rw-r--r--  1 root root 932 Mar 29 18:25 cacert.pem
    -rw-------  1 root root 891 Mar 29 18:24 cakey.pem
    drwxr-xr-x. 2 root root   6 Aug  4  2017 certs
    drwxr-xr-x. 2 root root   6 Aug  4  2017 crl
    drwxr-xr-x. 2 root root   6 Aug  4  2017 newcerts
    drwx------. 2 root root   6 Aug  4  2017 private
    [root@test_node1-centos7 CA]# 



    [root@test_node1-centos7 CA]# ll
    total 8
    -rw-r--r--  1 root root 932 Mar 29 18:25 cacert.pem
    -rw-------  1 root root 891 Mar 29 18:24 cakey.pem
    drwxr-xr-x. 2 root root   6 Aug  4  2017 certs
    drwxr-xr-x. 2 root root   6 Aug  4  2017 crl
    drwxr-xr-x. 2 root root   6 Aug  4  2017 newcerts
    drwx------. 2 root root   6 Aug  4  2017 private
    [root@test_node1-centos7 CA]# (umask 077;openssl genrsa -out httpd.pem 1024)
    Generating RSA private key, 1024 bit long modulus
    e is 65537 (0x10001)
    [root@test_node1-centos7 CA]# openssl req -new -key httpd.pem -out httpd.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:SC
    Locality Name (eg, city) [Default City]:GY
    Organization Name (eg, company) [Default Company Ltd]:TEST
    Organizational Unit Name (eg, section) []:OPS
    Common Name (eg, your name or your server's hostname) []:www.test.com
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [root@test_node1-centos7 CA]# ll
    total 16
    -rw-r--r--  1 root root 932 Mar 29 18:25 cacert.pem
    -rw-------  1 root root 891 Mar 29 18:24 cakey.pem
    drwxr-xr-x. 2 root root   6 Aug  4  2017 certs
    drwxr-xr-x. 2 root root   6 Aug  4  2017 crl
    -rw-r--r--  1 root root 635 Mar 29 18:30 httpd.csr
    -rw-------  1 root root 887 Mar 29 18:26 httpd.pem
    drwxr-xr-x. 2 root root   6 Aug  4  2017 newcerts
    drwx------. 2 root root   6 Aug  4  2017 private
    [root@test_node1-centos7 CA]# 


    [root@test_node1-centos7 CA]# touch index.txt                            
    [root@test_node1-centos7 CA]# echo "01" >serial                          
    [root@test_node1-centos7 CA]# openssl ca -in httpd.csr -out httpd.crt.pem -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
                Not Before: Mar 29 10:36:47 2020 GMT
                Not After : Mar 29 10:36:47 2021 GMT
                countryName               = CN
                stateOrProvinceName       = SC
                organizationName          = TEST
                organizationalUnitName    = OPS
                commonName                = www.test.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                X509v3 Authority Key Identifier: 
    Certificate is to be certified until Mar 29 10:36:47 2021 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@test_node1-centos7 CA]# ll
    total 36
    -rw-r--r--  1 root root  932 Mar 29 18:25 cacert.pem
    -rw-------  1 root root  891 Mar 29 18:24 cakey.pem
    drwxr-xr-x. 2 root root    6 Aug  4  2017 certs
    drwxr-xr-x. 2 root root    6 Aug  4  2017 crl
    -rw-r--r--  1 root root 3022 Mar 29 18:36 httpd.crt.pem
    -rw-r--r--  1 root root  635 Mar 29 18:30 httpd.csr
    -rw-------  1 root root  887 Mar 29 18:26 httpd.pem
    -rw-r--r--  1 root root   70 Mar 29 18:36 index.txt
    -rw-r--r--  1 root root   21 Mar 29 18:36 index.txt.attr
    -rw-r--r--  1 root root    0 Mar 29 18:36 index.txt.old
    drwxr-xr-x. 2 root root   20 Mar 29 18:36 newcerts
    drwx------. 2 root root    6 Aug  4  2017 private
    -rw-r--r--  1 root root    3 Mar 29 18:36 serial
    -rw-r--r--  1 root root    3 Mar 29 18:36 serial.old
    [root@test_node1-centos7 CA]# pwd
    [root@test_node1-centos7 CA]# 
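
The client-side checks (a) to (e) from step (3), run with openssl against a CA and server certificate like the ones created above. This is an added example, not part of the original post. Assumptions: a throwaway CA in a temp directory, 2048-bit keys rather than the 1024-bit keys in the session above, `-subj` instead of the interactive prompts, and `openssl x509 -req` in place of `openssl ca` so that no openssl.cnf directory layout is needed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Assumptions: throwaway CA in a
# temp dir, 2048-bit keys, -subj instead of prompts, "openssl x509 -req"
# instead of "openssl ca".

make_chain() {  # $1 = work dir; creates cacert.pem and httpd.crt.pem there
  ( cd "$1" && umask 077 &&
    openssl genrsa -out cakey.pem 2048 2>/dev/null &&
    openssl req -new -x509 -key cakey.pem -out cacert.pem -days 365 \
      -subj "/C=CN/ST=SC/L=GY/O=TEST/OU=OPS/CN=ca.test.com" &&
    openssl genrsa -out httpd.pem 2048 2>/dev/null &&
    openssl req -new -key httpd.pem -out httpd.csr \
      -subj "/C=CN/ST=SC/L=GY/O=TEST/OU=OPS/CN=www.test.com" &&
    openssl x509 -req -in httpd.csr -CA cacert.pem -CAkey cakey.pem \
      -set_serial 1 -days 365 -out httpd.crt.pem 2>/dev/null )
}

check_cert() {  # $1 = work dir, $2 = host the client wants; returns 0 or the failing step
  local crt="$1/httpd.crt.pem" ca="$1/cacert.pem"
  # (a)+(b): the signature over the certificate body must validate under the
  # trusted CA's public key (openssl verify also rejects expired certificates)
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
  # (c): validity period, shown separately: fails if already expired
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || return 2
  # (d): revocation needs the CA's CRL or an OCSP responder; this throwaway CA
  #      publishes neither, so the step is only marked here
  # (e): the name in the certificate must match the requested host
  openssl x509 -in "$crt" -noout -checkhost "$2" | grep -q 'does match' || return 3
  return 0
}

demo() {
  local d h rc; d=$(mktemp -d) || return 1
  make_chain "$d" || { rm -rf "$d"; return 1; }
  for h in www.test.com mail.test.com; do   # second name is a constructed mismatch
    check_cert "$d" "$h"; rc=$?
    echo "$h -> check_cert returned $rc"
  done
  rm -rf "$d"
}
demo
```

The return value names the step that failed: 1 for an untrusted or tampered certificate, 2 for an expired one, 3 for a host name mismatch.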


    [root@test_node1-centos7 CA]# httpd -M |grep ssl
    [root@test_node1-centos7 CA]# yum info mod_ssl
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: mirrors.aliyun.com
     * extras: mirrors.aliyun.com
     * updates: mirrors.cn99.com
    Available Packages
    Name        : mod_ssl
    Arch        : x86_64
    Epoch       : 1
    Version     : 2.4.6
    Release     : 90.el7.centos
    Size        : 112 k
    Repo        : base/7/x86_64
    Summary     : SSL/TLS module for the Apache HTTP Server
    URL         : http://httpd.apache.org/
    License     : ASL 2.0
    Description : The mod_ssl module provides strong cryptography for the Apache Web
                : server via the Secure Sockets Layer (SSL) and Transport Layer
                : Security (TLS) protocols.
    [root@test_node1-centos7 CA]# yum install -y mod_ssl
    Loaded plugins: fastestmirror
    base                                                                             | 3.6 kB  00:00:00     
    epel                                                                             | 4.7 kB  00:00:00     
    extras                                                                           | 2.9 kB  00:00:00     
    updates                                                                          | 2.9 kB  00:00:00     
    (1/5): epel/x86_64/group_gz                                                      |  95 kB  00:00:00     
    (2/5): extras/7/x86_64/primary_db                                                | 164 kB  00:00:00     
    (3/5): epel/x86_64/updateinfo                                                    | 1.0 MB  00:00:00     
    (4/5): updates/7/x86_64/primary_db                                               | 7.6 MB  00:00:01     
    (5/5): epel/x86_64/primary_db                                                    | 6.8 MB  00:00:01     
    Loading mirror speeds from cached hostfile
     * base: mirrors.aliyun.com
     * extras: mirrors.aliyun.com
     * updates: mirrors.cn99.com
    Resolving Dependencies
    --> Running transaction check
    ---> Package mod_ssl.x86_64 1:2.4.6-90.el7.centos will be installed
    --> Finished Dependency Resolution
    Dependencies Resolved
     Package              Arch                Version                               Repository         Size
     mod_ssl              x86_64              1:2.4.6-90.el7.centos                 base              112 k
    Transaction Summary
    Install  1 Package
    Total download size: 112 k
    Installed size: 224 k
    Downloading packages:
    mod_ssl-2.4.6-90.el7.centos.x86_64.rpm                                           | 112 kB  00:00:00     
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : 1:mod_ssl-2.4.6-90.el7.centos.x86_64                                                 1/1 
      Verifying  : 1:mod_ssl-2.4.6-90.el7.centos.x86_64                                                 1/1 
      mod_ssl.x86_64 1:2.4.6-90.el7.centos                                                                  
    [root@test_node1-centos7 CA]# rpm -ql mod_ssl
    [root@test_node1-centos7 CA]# 

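      Note: installing mod_ssl provides an ssl.conf configuration file as well as 00-ssl.conf and mod_ssl.so. Once this package is installed, httpd supports HTTPS. Next, configure the www.test.com virtual host for HTTPS access.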



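       Note: the test shows that the home page served by the www.test.com virtual host is reachable. One thing to watch: if you write your own configuration in a separate file and it contains listen 443 https, the one in ssl.conf must be commented out; otherwise the httpd service fails to start when the configuration is reloaded.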
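
A check for the duplicate `Listen 443` situation described in the note above, to run over the config files before reloading httpd. This is an added example, not part of the original post; the function name and the sample file contents are constructed. It compares port numbers only, so listeners bound to different IP addresses on the same port are also reported and need a manual look.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): report ports opened by more than
# one Listen directive across httpd config files. File contents are constructed.

dup_listen() {  # $@ = config files; prints "port: file:line ..." and returns 1 on duplicates
  awk '
    { line = $0; sub(/#.*/, "", line); sub(/^[ \t]+/, "", line) }  # drop comments and indent
    tolower(line) ~ /^listen[ \t]+/ {
      split(line, f, /[ \t]+/)
      port = f[2]; sub(/^.*:/, "", port)     # "1.2.3.4:443" or "[::]:443" -> "443"
      where[port] = where[port] " " FILENAME ":" FNR
      count[port]++
    }
    END {
      for (p in count) if (count[p] > 1) { print p ":" where[p]; dup = 1 }
      exit dup + 0
    }
  ' "$@"
}

demo() {
  local t; t=$(mktemp -d) || return 1
  printf 'Listen 80\n' > "$t/httpd.conf"
  printf 'Listen 443 https\n' > "$t/ssl.conf"     # stands in for the packaged ssl.conf
  printf 'Listen 443 https\n<VirtualHost *:443>\n</VirtualHost>\n' > "$t/www.conf"
  dup_listen "$t"/*.conf; echo "before fix: rc=$?"
  sed -i.bak 's/^Listen 443/#&/' "$t/ssl.conf"    # comment out the copy in ssl.conf
  dup_listen "$t"/*.conf; echo "after fix:  rc=$?"
  rm -rf "$t"
}
demo
```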

  • Original article: https://www.cnblogs.com/qiuhom-1874/p/12593675.html