本文旨在實踐httpd-2.4基於域名的虛擬主機配置,讓指定用戶訪問站點狀態信息,併爲站點提供https服務。
知識儲備
HTTPS協議
HTTPS協議就是“HTTP協議”和“SSL/TLS”協議的結合,HTTP over SSL”或“HTTP over TLS”,對http協議的文本數據進行加密處理後,成爲二進制形式傳輸.
SSL會話簡化過程
(1) 客戶端發送可供選擇的加密方式,並向服務器請求證書;
(2) 服務器端發送證書以及選定的加密方式給客戶端;
(3) 客戶端取得證書並進行證書驗正:
如果信任給其發證書的CA機構:則
(a) 驗正證書來源的合法性;用CA的公鑰解密證書上數字簽名;
(b) 驗正證書的內容的合法性:完整性驗正
(c) 檢查證書的有效期限;
(d) 檢查證書是否被吊銷;
(e) 證書中擁有者的名字,與訪問的目標主機要一致;
(4) 客戶端生成臨時會話密鑰(對稱密鑰),並使用服務器端的公鑰加密此數據發送給服務器,
完成密鑰交換;
(5) 服務用此密鑰加密用戶請求的資源,響應給客戶端;
注意:SSL會話是基於IP地址創建;所以單IP的主機上,僅可以使用一個https虛擬主機;
SSL/TLS協議模型
環境準備
1.操作系統及軟件
2臺 Centos 7.2 x86_64
httpd:httpd-2.4.6-40.el7.centos.x86_64
2.IP地址
172.16.52.51/16 web服務
172.16.52.1/6 CA證書頒發機構
2.提供2個基於域名的虛擬主機
域名 www1.linux.com、www2.linux.com
站點目錄:/web/vhosts/www{1,2}
訪問日誌:/var/log/httpd/www{1,2}/www{1,2}.access_log
錯誤日誌:/var/log/httpd/www{1,2}/www{1,2}.error_log
3.輸出www1.linux.com的狀態信息,且要求只允許提供賬號的用戶訪問
4.www1不允許10.0.0.0/24網絡中的主機訪問
5.爲www2提供https服務。
注意:關閉防火牆和selinux
安裝httpd並配置虛擬主機
1.安裝httpd
[root@study ~]# yum -y install httpd
2.註釋主配置文件的DocumentRoot
[root@study ~]# grep "#DocumentRoot" /etc/httpd/conf/httpd.conf #DocumentRoot "/var/www/html"
3.配置虛擬主機
[root@study conf.d]# cat www1.conf <VirtualHost *:80> ServerName www1.linux.com DocumentRoot "/web/vhosts/www1" CustomLog "/var/log/httpd/www1/www1.access_log" combined ErrorLog "/var/log/httpd/www1/www1.error_log" <Directory "/web/vhosts/www1"> Options None AllowOverride None Require all granted </Directory> </VirtualHost>
www2的配置與此並無差別,不在不再贅述
配置站點主頁
[root@study ~]# cat /web/vhosts/www{1,2}/index.html www1 websit http://www1.linux.com www2 websit http://www2.linux.com
4.檢查並啓動服務
[root@study conf.d]# httpd -t Syntax OK [root@study conf.d]# systemctl start httpd.service
5.測試
[root@study conf.d]# curl www1.linux.com www1 websit http://www1.linux.com
[root@study conf.d]# curl www2.linux.com www2 websit http://www2.linux.com
6.輸出www1.linux.com的狀態信息,且要求只允許提供賬號的用戶訪問
6.1 編輯www1的虛擬主機文件:添加一個<Location></Location>標籤
[root@study conf.d]# cat www1.conf <VirtualHost *:80> ServerName www1.linux.com DocumentRoot "/web/vhosts/www1" CustomLog "/var/log/httpd/www1/www1.access_log" combined ErrorLog "/var/log/httpd/www1/www1.error_log" <Directory "/web/vhosts/www1"> Options None AllowOverride None Require all granted </Directory> <Location "/server-status"> SetHandler server-status AuthType basic AuthName "For Adminstrator" AuthUserFile "/etc/httpd/conf/.htpasswd" Require user tom </Location> </VirtualHost>
6.2 提供賬號和密碼存儲文件
[root@study conf]# htpasswd -c -m /etc/httpd/conf/.htpasswd tom New password: Re-type new password: Adding password for user tom
6.3 測試:
瀏覽器輸入http://www1.linux.com/server-status
7. www1不允許10.0.0.0/24網絡中的主機訪問
配置www1虛擬主機,在<Directory></Directory>標籤段內添加<RequireAll>段
<Directory "/web/vhosts/www1"> Options None AllowOverride None <RequireAll> Require all granted Require not ip 10.0.0.0/24 </RequireAll> </Directory>
實現虛擬主機 www2 https訪問
在172.16.52.1 CA服務器上:
1. 配置CA證書頒發機構
1.1 查看openssl相關文件
[root@CA ~]# cd /etc/pki/CA [root@CA CA]# ll total 16 drwxr-xr-x. 2 root root 4096 Jul 24 03:09 certs drwxr-xr-x. 2 root root 4096 Jul 24 03:09 crl drwxr-xr-x. 2 root root 4096 Jul 24 03:09 newcerts drwx------. 2 root root 4096 Jul 24 03:09 private
1.2 使用openssl生成CA私鑰
[root@CA CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus ....................................................................................................................................................+++ .....................................................................................+++ e is 65537 (0x10001)
1.3 使用openssl給CA服務器生成自簽名證書
[root@CA CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Beijing Locality Name (eg, city) [Default City]:Beijing Organization Name (eg, company) [Default Company Ltd]:magedu Organizational Unit Name (eg, section) []:ops Common Name (eg, your name or your server's hostname) []:ca.test.com Email Address []:[email protected]
1.4 創建CA相關目錄和文件,指定序列號起始數字
[root@CA CA]# touch index.txt #新建索引文件 [root@CA CA]# touch serial #建立序列號文件 [root@CA CA]# echo 01 > serial #寫入起始序列號
web服務器創建申請證書
2. 創建申請證書
2.1 在web服務器配置目錄創建ssl目錄
[root@study ~]# mkdir /etc/httpd/ssl
2.2 生成httpd 服務私鑰
[root@study ~]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 1024) Generating RSA private key, 1024 bit long modulus ..................++++++ ..............................++++++ e is 65537 (0x10001)
[root@study ~]# ll /etc/httpd/ssl/httpd.key -rw------- 1 root root 887 Jul 14 15:29 /etc/httpd/ssl/httpd.key
2.3 生成證書籤署請求文件
[root@study ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Beijing Locality Name (eg, city) [Default City]:Beijing Organization Name (eg, company) [Default Company Ltd]:magedu Organizational Unit Name (eg, section) []:ops Common Name (eg, your name or your server's hostname) []:www1.linux.com Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
2.4 把httpd申請證書發送到CA頒發機構上
[root@study ssl]# scp httpd.csr 172.16.52.1:/tmp [email protected]'s password: httpd.csr 100% 696 0.7KB/s 00:00
2.5 在CA端爲給客戶端簽名並頒發證書
[root@CA tmp]# openssl ca -in httpd.csr -out httpd.crt -days 3650 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Dec 15 18:13:23 2015 GMT Not After : Dec 12 18:13:23 2025 GMT Subject: countryName = CN stateOrProvinceName = Beijing organizationName = magedu organizationalUnitName = ops commonName = www1.linux.com emailAddress = [email protected] X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: D0:C4:3B:E1:C4:59:25:D4:0E:DF:AF:83:9C:48:D6:A8:D9:CC:27:27 X509v3 Authority Key Identifier: keyid:67:CC:F6:A8:E6:0B:73:CE:6C:A1:6D:B8:A6:99:1F:CA:7A:A3:D3:AB Certificate is to be certified until Dec 12 18:13:23 2025 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
[root@CA tmp]# ll httpd* -rw-r--r-- 1 root root 3830 Dec 16 02:15 httpd.crt -rw-r--r-- 1 root root 696 Dec 16 02:12 httpd.csr
2.6 將生成的證書複製到web服務器上
[root@ca tmp]# scp httpd.crt [email protected]:/etc/httpd/ssl
2.7 web服務器查看收到的證書
[root@study ssl]# ll total 12 -rw-r--r-- 1 root root 3830 Dec 16 2015 httpd.crt -rw-r--r-- 1 root root 696 Jul 14 16:01 httpd.csr -rw------- 1 root root 887 Jul 14 16:00 httpd.key
3. web服務器配置ssl模塊
3.1裝載mod_ssl
[root@study ssl]# yum -y install mod_ssl
3.2 修改ssl配置文件
配置/etc/httpd/conf.d/ssl.conf
DocumentRoot
[root@study ssl]# sed -n "/^DocumentRoot/p" /etc/httpd/conf.d/ssl.conf DocumentRoot "/web/vhosts/www2"
ServerName
[root@study ssl]# sed -n "/^ServerName/p" /etc/httpd/conf.d/ssl.conf ServerName www2.linux.com:443
<Directory "">
[root@study ssl]# sed -n "186,190p" /etc/httpd/conf.d/ssl.conf <Directory "/web/vhosts/www2"> Options None AllowOverride None Require all granted </Directory>
SSLCertificateFile
SSLCertificateKeyFile
[root@study conf.d]# sed -n '101p;109p' /etc/httpd/conf.d/ssl.conf SSLCertificateFile /etc/httpd/ssl/httpd.crt SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
3.3 重啓httpd服務
[root@study conf.d]# systemctl restart httpd.service [root@study conf.d]# ss -tnlp|grep 443 LISTEN 0 128 :::443 :::* users:(("httpd",pid=2475,fd=6),("httpd",pid=2474,fd=6),("httpd",pid=2473,fd=6),("httpd",pid=2472,fd=6),("httpd",pid=2471,fd=6),("httpd",pid=2469,fd=6))
3.5 瀏覽器訪問