  • Exercise

    Exercise: implement the following with httpd-2.2 and again with httpd-2.4;

    1. Set up an httpd service with these requirements:
    (1) Provide two name-based virtual hosts:
    www1.stuX.com, with document root /web/vhosts/www1; error log /var/log/httpd/www1/error_log, access log /var/log/httpd/www1/access_log;
    www2.stuX.com, with document root /web/vhosts/www2; error log /var/log/httpd/www2/error_log, access log /var/log/httpd/www2/access_log;
    (2) Serve the server's status information at www1.stuX.com/server-status, allowing only users who have been issued an account;
    (3) www1 must not be accessible from hosts in the 192.168.1.0/24 network;

    2. Provide HTTPS for the second virtual host above so that users can reach the site securely over HTTPS;
    (1) Use certificate authentication; the certificate must use Country (CN), State (Beijing), City (Beijing) and Organization (MageEdu);
    (2) Set the Organizational Unit to Ops and the host name to www2.stuX.com;

    Lab environment: httpd-2.2

    [root@server-status localhost6]#vi /etc/httpd/conf/httpd.conf
    #DocumentRoot "/var/www/html"
    KeepAlive On
    # the virtual hosts are configured in this file under /etc/httpd/conf.d/
    [root@conf.d localhost6]#cat virtuhost.conf
    # vhost 1: both name-based vhosts share the same IP and port
    <VirtualHost 172.16.252.242:80>
        # vhost name; must match the host name clients request
        ServerName www1.stuX.com
        # where vhost 1's pages live
        DocumentRoot "/web/vhosts/www1"
        # access control for the document root
        <Directory "/web/vhosts/www1">
            Options None
            AllowOverride None
            order allow,deny
            # refuse hosts in this network; everyone else is allowed
            deny from 192.168.1.0/24
            allow from all
        </Directory>
        # error and access logs for vhost 1
        ErrorLog /var/log/httpd/www1/error_log
        CustomLog /var/log/httpd/www1/access_log combined
        # status page, protected by basic authentication
        # (AllowOverride is not permitted inside <Location>, so it is not set here)
        <Location /server-status>
            Options None
            SetHandler server-status
            AuthType Basic
            AuthName "input id and passwd"
            AuthUserFile "/etc/httpd/conf/.htpasswd"
            Require user magedu
        </Location>
    </VirtualHost>
    <VirtualHost 172.16.252.242:80>
        ServerName www2.stuX.com
        DocumentRoot "/web/vhosts/www2"
        <Directory "/web/vhosts/www2">
            Options None
            AllowOverride None
            order allow,deny
            allow from all
        </Directory>
        ErrorLog /var/log/httpd/www2/error_log
        CustomLog /var/log/httpd/www2/access_log combined
    </VirtualHost>
    # create the account used for basic authentication
    htpasswd -c -m /etc/httpd/conf/.htpasswd magedu
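A small consistency check for a virtuhost.conf-style file, added here and not part of the original post: it reports a vhost whose ErrorLog/CustomLog point outside its own /var/log/httpd/<name>/ directory, an AllowOverride placed inside <Location> (httpd rejects it there), and a server-status handler whose section lacks AuthType/Require. SAMPLE_CONF is a constructed www1 block that shows the first two problems.

```python
# Constructed sample: a www1 vhost whose CustomLog points at www2's log
# directory and whose <Location> carries an AllowOverride (two real slips).
SAMPLE_CONF = """
<VirtualHost 172.16.252.242:80>
    ServerName www1.stuX.com
    ErrorLog /var/log/httpd/www1/error_log
    CustomLog /var/log/httpd/www2/access_log combined
    <Location /server-status>
        AllowOverride None
        SetHandler server-status
        AuthType Basic
        Require user magedu
    </Location>
</VirtualHost>
"""

def parse_vhosts(conf):
    """One list of (directive, value, enclosing section) per <VirtualHost>."""
    vhosts, current, section = [], None, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        low = line.lower()
        if low.startswith("<virtualhost"):
            current = []
        elif low == "</virtualhost>":
            vhosts.append(current)
            current = None
        elif low.startswith("<"):                    # <Directory>/<Location> open or close
            section = None if low.startswith("</") else line[1:].split()[0]
        elif current is not None and line:
            key, _, val = line.partition(" ")
            current.append((key.lower(), val.strip().strip('"'), section))
    return vhosts

def lint(conf):
    """Return findings (empty list = pass) for the three checks described above."""
    findings = []
    for directives in parse_vhosts(conf):
        name = next((v for k, v, _ in directives if k == "servername"), "?")
        short = name.split(".")[0]                   # www1.stuX.com -> www1
        for key, val, section in directives:
            if key in ("errorlog", "customlog") and f"/{short}/" not in val:
                findings.append(f"{name}: {key} {val.split()[0]} is not under /var/log/httpd/{short}/")
            if key == "allowoverride" and section == "Location":
                findings.append(f"{name}: AllowOverride is not valid inside <Location>")
            if key == "sethandler" and val == "server-status":
                auth = {k for k, _, s in directives if s == section}
                if not {"authtype", "require"} <= auth:
                    findings.append(f"{name}: server-status exposed without authentication")
    return findings
```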

    2. Configure server 172.16.252.225 as the CA:

    ]#(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
    Generating RSA private key, 4096 bit long modulus
    ............................................................................................................................................................................................++
    ..............++
    e is 65537 (0x10001)
    # self-signed CA certificate
    [root@www ~17:34:39]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 36600
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:MageEdu
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:magedu.com
    Email Address []:
    ]#touch serial index.txt
    ]#echo 01 > serial

    3. Issue a certificate for virtual host 2:

    [root@~ localhost6]#mkdir -v /ca/
    mkdir: created directory `/ca/'
    [root@~ localhost6]#(umask 077;openssl genrsa -out /ca/httpd.key 2048)
    Generating RSA private key, 2048 bit long modulus
    ..........................................+++
    ..........................+++
    e is 65537 (0x10001)
    [root@~ localhost6]#openssl req -new -key /ca/httpd.key -out /ca/httpd.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:MageEdu
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:www2.stuX.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123
    string is too short, it needs to be at least 4 bytes long
    A challenge password []:123456
    An optional company name []:
    # send the certificate request (CSR) to the CA
    [root@ca localhost6]#scp /ca/httpd.csr root@172.16.252.225:/etc/pki/CA/
    The authenticity of host '172.16.252.225 (172.16.252.225)' can't be established.
    RSA key fingerprint is 0b:0e:e9:a5:c7:74:dc:22:e0:22:80:e9:a2:9c:4f:20.
    Are you sure you want to continue connecting (yes/no)? y
    Please type 'yes' or 'no': yes
    Warning: Permanently added '172.16.252.225' (RSA) to the list of known hosts.
    root@172.16.252.225's password:
    httpd.csr                                     100% 1017     1.0KB/s   00:00
    # sign the request on the CA host
    [root@www CA17:52:01]#openssl ca -in httpd.csr -out /etc/pki/CA/certs/httpd.crt
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Apr 24 09:53:16 2017 GMT
                Not After : Apr 24 09:53:16 2018 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = Beijing
                organizationName          = MageEdu
                commonName                = www2.stuX.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    95:A1:28:9B:96:F7:30:40:B1:E4:DE:F3:9F:BD:37:6E:4C:B3:99:9C
                X509v3 Authority Key Identifier:
                    keyid:0A:6C:39:63:F0:52:18:86:1B:F8:0B:DA:33:6E:35:79:8B:6A:7D:AD

    Certificate is to be certified until Apr 24 09:53:16 2018 GMT (365 days)
    Sign the certificate? [y/n]:yes

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    # return the signed certificate to the web server
    [root@www certs18:01:36]#scp httpd.crt root@172.16.252.242:/ca/
    root@172.16.252.242's password:
    httpd.crt                                     100% 5649     5.5KB/s   00:00

    Send the CA's public certificate to the Windows client, rename it to .crt, and install it.
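Before the signed httpd.crt goes into the www2 HTTPS vhost, it is worth confirming that it chains to cacert.pem and carries the DN the exercise asks for. This is an added example, not part of the post: it shells out to the openssl CLI, takes the CA certificate and issued certificate paths as arguments, and REQUIRED_DN is the exercise's DN (including OU=Ops, which the CSR above left blank, so that field is reported as missing).

```python
import subprocess

# Subject DN the exercise requires on the www2 certificate. The CSR shown in
# the post leaves OU blank, so this check reports OU as missing for that cert.
REQUIRED_DN = {"C": "CN", "ST": "Beijing", "L": "Beijing",
               "O": "MageEdu", "OU": "Ops", "CN": "www2.stuX.com"}

def openssl(*args):
    """Run one openssl subcommand and return its stdout; raises on failure."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout

def cert_subject(cert_path):
    """Subject of a PEM certificate as a dict, e.g. {'CN': 'www2.stuX.com', ...}."""
    # RFC2253 form prints: subject=CN=www2.stuX.com,OU=Ops,O=MageEdu,L=Beijing,ST=Beijing,C=CN
    out = openssl("x509", "-in", cert_path, "-noout", "-subject", "-nameopt", "RFC2253")
    dn = out.split("=", 1)[1].strip()
    return dict(part.split("=", 1) for part in dn.split(","))

def check_cert(ca_path, cert_path, required=REQUIRED_DN):
    """Return the problems found (empty list = ready for the HTTPS vhost):
    the certificate must verify against the CA and every required DN field
    must carry the expected value."""
    problems = []
    try:
        openssl("verify", "-CAfile", ca_path, cert_path)
    except subprocess.CalledProcessError as err:
        problems.append("chain: " + (err.stdout + err.stderr).strip())
    subject = cert_subject(cert_path)
    for field, want in required.items():
        got = subject.get(field)
        if got != want:
            problems.append(f"{field}: expected {want!r}, got {got!r}")
    return problems
```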

  • Original post: https://www.cnblogs.com/wzhuo/p/6928288.html