Example requirements for setting up the httpd-2.4 service on CentOS 7:
(1) Provide two name-based virtual hosts, www1 and www2, each with its own error log and access log;
(2) Provide status information through /server-status on www1, accessible only to the user tom;
(3) www2 must not be accessible from any host in the 192.168.0.1/24 network;
(4) Provide HTTPS service for the www2 virtual host;
Lab procedure:
Task 1:
1. Make sure the yum repository is configured correctly, then install the httpd-2.4 service.
#yum -y install httpd
2. Create the two name-based virtual hosts www1 and www2 and their directories (the www1 and www2 directories must be created under the document root; the default root is /var/www).
#mkdir -pv /var/www/www{1,2}
#vim /etc/httpd/conf.d/vhost1.conf  (the file must be in the conf.d directory and end in .conf)
<VirtualHost 172.16.63.7:80>
    ServerName www1
    DocumentRoot /var/www/www1
    ErrorLog /var/log/httpd/www1.error_log
    CustomLog /var/log/httpd/www1.access_log combined
</VirtualHost>
#vim /etc/httpd/conf.d/vhost2.conf
<VirtualHost 172.16.63.7:80>
    ServerName www2
    DocumentRoot /var/www/www2
    ErrorLog /var/log/httpd/www2.error_log
    CustomLog /var/log/httpd/www2.access_log combined
</VirtualHost>
ErrorLog: location of the error log
CustomLog: location of the access log (combined is the log format, which records the client address, request line, referer and user agent)
3. Edit the httpd configuration file
#vim /etc/httpd/conf/httpd.conf
Find the line #ServerName www.example.com:80 and change it to ServerName localhost:80 (remove the leading # to uncomment it and set the address to localhost)
#httpd -t  check the configuration for errors; Syntax OK means it passed
#systemctl start httpd  start the httpd service
#ss -lnt  confirm that port 80 is now listening
4. Test
Add a home page file to each of the two virtual hosts.
#echo this is wwwa > /var/www/www1/index.html
#echo this is wwwb > /var/www/www2/index.html
#iptables -F  flush the firewall rules so they do not block the test
Edit the hosts file on the client machine and add the following name-to-address entries:
172.16.63.7 www1
172.16.63.7 www2
Task 2:
1. Edit vhost1.conf
#vim /etc/httpd/conf.d/vhost1.conf
<VirtualHost 172.16.63.7:80>
    ServerName www1
    DocumentRoot /var/www/www1
    ErrorLog /var/log/httpd/www1.error_log
    CustomLog /var/log/httpd/www1.access_log combined
    <Location "/server-status">
        SetHandler server-status
        AuthType Basic
        AuthName "tom access"
        AuthUserFile "/etc/httpd/conf/.htpasswd"
        Require user tom
    </Location>
</VirtualHost>
2. Create the account file
#htpasswd -c -b /etc/httpd/conf/.htpasswd tom 123
The message Adding password for user tom confirms that the account was created. (-c creates the file and overwrites an existing one, so use it only for the first account; -b takes the password on the command line, where it is recorded in the shell history. Basic authentication only base64-encodes the password, so over plain HTTP it travels in the clear.)
#systemctl restart httpd.service
3. Test
Open http://www1/server-status in a browser; you will see the prompt shown in the figure below. Only the user tom may log in.
Enter the user tom with the password 123.
The page after a successful login looks like this:
Task 3:
Edit vhost2.conf
#vim /etc/httpd/conf.d/vhost2.conf
<VirtualHost 172.16.63.7:80>
    ServerName www2
    DocumentRoot /var/www/www2
    ErrorLog /var/log/httpd/www2.error_log
    CustomLog /var/log/httpd/www2.access_log combined
    <Directory "/var/www/www2">
        Options None
        AllowOverride None
        <RequireAll>
            Require not ip 192.168.0
            Require all granted
        </RequireAll>
    </Directory>
</VirtualHost>
The <Directory> path must be www2's own document root, otherwise the restriction applies to the wrong site. The address in <VirtualHost> must match the one used in vhost1.conf: httpd 2.4 first picks the virtual hosts with the most specific matching address and only then compares ServerName, so a *:80 host placed beside a 172.16.63.7:80 host is never selected. Require not ip 192.168.0 matches every address whose first three octets are 192.168.0, i.e. the 192.168.0.0/24 network; inside <RequireAll> it is combined with Require all granted so that every other client is allowed.
#systemctl restart httpd.service  a restart (or reload) is enough
Task 4:
Use a second host as a CA to issue a certificate for www2 on this host.
On the other host (the CA), run the following commands:
#(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)  create the private CA key
#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem  generate a self-signed CA certificate (without -days it is valid for only 30 days; add e.g. -days 3650 for a lab CA)
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:whsir
Organizational Unit Name (eg, section) []:yunwei
Common Name (eg, your name or your server's hostname) []:blog.whsir.com
Email Address []:admin@whsir.com
Create the database files the CA uses:
#touch /etc/pki/CA/index.txt
#echo 01 > /etc/pki/CA/serial
Install the SSL module on the www2 host:
#yum install mod_ssl
#mkdir /etc/httpd/ssl
#(umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 1024)  generate the private key (1024-bit RSA is too weak for current use; 2048 bits, as used for the CA key above, is the practical minimum)
#openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:whsir
Organizational Unit Name (eg, section) []:yunwei
Common Name (eg, your name or your server's hostname) []:www2
Email Address []:admin@whsir.com
A challenge password []:
An optional company name []:
The Common Name must be the name clients connect to (www2). This request carries no subjectAltName; curl accepts a Common-Name-only certificate, but current browsers require the hostname in a subjectAltName extension.
#scp /etc/httpd/ssl/httpd.csr 172.16.63.77:/tmp  send the signing request to the other host (172.16.63.77 is the other host's IP)
On the other host, sign the certificate for www2:
#openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt  answer y twice to confirm
#scp /etc/pki/CA/certs/httpd.crt 172.16.63.17:/etc/httpd/ssl  send the signed certificate back to www2 (172.16.63.7 is the www2 host's IP)
On the www2 host, edit the SSL configuration file:
#vim /etc/httpd/conf.d/ssl.conf
Change the following lines, uncommenting any that start with #:
DocumentRoot "/var/www/www2"  document root
ServerName www2:443  server name
SSLCertificateFile /etc/httpd/ssl/httpd.crt  certificate file location
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key  private key file location
#httpd -t  check for errors
#systemctl restart httpd.service
#ss -lnt  confirm that port 443 is now listening
Test the HTTPS service with curl:
Send the other host's CA certificate to www2:
#scp /etc/pki/CA/cacert.pem 172.16.63.17:/root/
On the www2 host, run:
#vim /etc/hosts
add the entry 172.16.63.17 www2
#curl --cacert /root/cacert.pem https://www2
With --cacert, curl trusts only this private CA for the connection, so a successful fetch means both the chain and the hostname in the certificate were verified; using -k instead would skip that check and prove nothing.
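As an added example (not part of the original post), the following script reproduces the CA and certificate-issuing procedure of task 4 in a scratch directory, with the explicit validity, 2048-bit key and subjectAltName noted above, and then verifies the result the way curl --cacert does. It assumes openssl 1.1.1 or later; the config file, subject names and paths are constructed here, not the /etc/pki/CA layout from the post.

```shell
#!/bin/sh
# Added example, not from the original post: private CA + server certificate
# for the www2 virtual host, built in a scratch directory and then verified.
# Assumes openssl >= 1.1.1. All paths and the config below are constructed here.
set -eu
WORK=$(mktemp -d)
# Minimal openssl config: a CA profile and a server profile carrying the SAN
# that browsers check (the Common Name alone is not enough).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www2
EOF

# Private CA: 2048-bit key and a self-signed root with an explicit validity.
make_ca() {
    (umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -days 3650 -config "$WORK/ca.cnf" -extensions v3_ca \
        -key "$WORK/cakey.pem" -out "$WORK/cacert.pem" -subj "/C=CN/O=whsir/CN=Lab CA"
}

# Server key and CSR for www2 (the fields the post fills in interactively).
make_csr() {
    (umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$WORK/ca.cnf" -key "$WORK/httpd.key" \
        -out "$WORK/httpd.csr" -subj "/C=CN/O=whsir/CN=www2"
}

# Sign with the CA; x509 -req ignores CSR extensions, so the SAN comes from v3_srv.
sign_csr() {
    openssl x509 -req -days 365 -in "$WORK/httpd.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -extfile "$WORK/ca.cnf" \
        -extensions v3_srv -out "$WORK/httpd.crt" 2>/dev/null
}

# What curl --cacert checks: chain to the CA and hostname match. Exit 0 = OK.
verify_cert() {
    openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
        "$WORK/httpd.crt" >/dev/null 2>&1
}

make_ca && make_csr && sign_csr
verify_cert www2 && echo "www2: chain and hostname verified"
verify_cert www1 || echo "www1: hostname mismatch, rejected as expected"
```

The scratch files are left in $WORK so the certificate can be inspected afterwards with openssl x509 -text.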