Httpd-2.2: implementing two virtual hosts, with the following requirements
a.
1. Provide two name-based virtual hosts, www1 and www2, each with its own error log and access log;
2. Serve httpd status information from /server-status on www1, and allow only the user tom to access it;
3. www2 must refuse access from every host in the 192.168.0.0/24 network;
b.
Provide an https service for the second virtual host above (www2).
Implementation steps:
1. Create the configuration files for the two virtual hosts www1 and www2, /etc/httpd/conf.d/vhostwww1.conf and /etc/httpd/conf.d/vhostwww2.conf, their document roots /var/www/html/www1 and /var/www/html/www2, and the index files indexwww1.html and indexwww2.html (each index file goes into its own site's document root):
[root@www ~]# mkdir /var/www/html/www{1,2}
[root@www ~]# echo www1 > /var/www/html/www1/indexwww1.html
[root@www ~]# echo www2 > /var/www/html/www2/indexwww2.html
[root@www ~]# cat /etc/httpd/conf.d/vhostwww1.conf
<VirtualHost 172.16.251.237:80>
ServerName www1
DocumentRoot "/var/www/html/www1"
DirectoryIndex indexwww1.html
ErrorLog logs/www1_error_log
CustomLog logs/www1_access_log combined
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName "httpd-2.2 status page"
AuthUserFile /etc/httpd/user/.htpasswd
require user tom
</Location>
</VirtualHost>
[root@www ~]# cat /etc/httpd/conf.d/vhostwww2.conf
<VirtualHost 172.16.251.237:80>
ServerName www2
DocumentRoot "/var/www/html/www2"
DirectoryIndex indexwww2.html
ErrorLog logs/www2_error_log
CustomLog logs/www2_access_log combined
<Directory /var/www/html/www2>
Options None
AllowOverride None
Order deny,allow
deny from 192.168.0.0/24
</Directory>
</VirtualHost>
Edit the main configuration file and add (or uncomment) the NameVirtualHost line; without it httpd-2.2 treats the two <VirtualHost> blocks on the same address as IP-based and only the first one is ever served:
vim /etc/httpd/conf/httpd.conf
NameVirtualHost 172.16.251.237:80
Create the authentication user tom:
mkdir /etc/httpd/user
htpasswd -m -c /etc/httpd/user/.htpasswd tom ---- enter the password twice.
Note that -c creates the file and overwrites it if it already exists, so use it only for the first user. The file lives outside DocumentRoot on purpose; keep it unreadable to other local users (for example chown root:apache and chmod 640, since httpd reads it as the apache user). Run httpd -t to check the syntax before reloading. Because the status page is served on port 80, tom's Basic credentials travel base64-encoded in clear text; on a real network put /server-status behind https.
Provide https service for the virtual host www2
Install mod_ssl, the extension module that adds TLS to httpd-2.2:
yum -y install mod_ssl
Set up a private CA and use it to issue a certificate for the www2 virtual site.
Test environment: a single CentOS 6.7 host that is both the CA and the www2 site.
Set up the CA:
[root@www ~]# cd /etc/pki/CA
[root@www CA]# touch index.txt ---- create the CA database file
[root@www CA]# echo 01 > serial ---- the serial number of the next certificate
Generate the CA private key (1024-bit RSA, as used below, is too weak for anything beyond a lab; use 2048 bits or more):
[root@www CA]# (umask 066;openssl genrsa -out private/cakey.pem 1024)
Generating RSA private key, 1024 bit long modulus
..............................................++++++
......................++++++
e is 65537 (0x10001)
[root@www CA]# ls -l private/cakey.pem
-rw-------. 1 root root 891 Jul 19 00:07 private/cakey.pem
Generate the CA's self-signed certificate. The openssl ca command used later reads the CA certificate from the path set in /etc/pki/tls/openssl.cnf, which on CentOS 6 is /etc/pki/CA/cacert.pem, so the file must be written under exactly that name: [root@www CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:www.magedu.com
Organizational Unit Name (eg, section) []:m19
Common Name (eg, your name or your server's hostname) []:www.wudang.com
Email Address []:[email protected]
Generate the private key for the www2 httpd site: [root@www CA]# mkdir /etc/httpd/ssl
[root@www CA]# (umask 066;openssl genrsa -out /etc/httpd/ssl/httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.........................++++++
.++++++
e is 65537 (0x10001)
Generate the certificate request for www2. The -days option has no effect on a request (validity is chosen by the CA when it signs), so it is omitted. When openssl ca signs this request it applies the policy_match section of /etc/pki/tls/openssl.cnf: countryName, stateOrProvinceName and organizationName must equal the CA certificate's, commonName must be supplied, organizationalUnitName and emailAddress are optional, and localityName is not in the policy at all, so it does not need to match and is dropped from the issued certificate. The Common Name should be the host name clients will put in the URL (www2 in this setup): [root@www CA]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing-------- must match the CA certificate
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:www.magedu.com--- must match the CA certificate
Organizational Unit Name (eg, section) []:m16
Common Name (eg, your name or your server's hostname) []:www.wudang.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:------- leave blank; this legacy PKCS#9 attribute is ignored by openssl ca and protects neither the request nor the key
An optional company name []:
Pass the www2 certificate request to the CA; after the request is checked, the CA issues the certificate:
[root@www CA]# openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/pki/CA/httpd.crt -days 365
openssl ca takes everything else from /etc/pki/tls/openssl.cnf: the CA key and certificate under /etc/pki/CA (private/cakey.pem and cacert.pem), the index.txt and serial files created above, and the policy_match rules. It prompts once to confirm signing and once to commit the entry to the database; answer y to both.
cp /etc/pki/CA/httpd.crt /etc/httpd/ssl/httpd.crt
The certificate for the www2 virtual site is now in hand.
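The whole CA procedure above, as one self-contained script. This is an added example, not the lab's own commands: it builds the directory layout and a minimal openssl.cnf carrying the same policy_match rules the stock configuration ships, issues a self-signed root, signs a request for www2 non-interactively with -subj, and verifies the chain. It also exercises the two points that usually bite: a request whose ST differs from the CA's is refused, and a localityName present in the request is silently absent from the issued certificate. Paths are under a temporary directory; the DN values and the host name www2 are taken from the write-up, while the CA name, key sizes and the extensions (including the subjectAltName modern browsers require) are this example's choices.

```shell
#!/bin/sh
# Added example (not the lab's own commands): a private CA in a temp dir that
# signs a CSR for www2 under the stock policy_match rules, then verifies it.
# Needs only the openssl CLI. DN values and the name www2 are assumed from the
# write-up; everything else (paths, key sizes, extensions) is chosen here.
set -eu

WORK=$(mktemp -d)
CA_DIR="$WORK/CA"
CNF="$WORK/openssl.cnf"
trap 'rm -rf "$WORK"' EXIT

# The layout "openssl ca" expects: the same index.txt, serial, private/ and
# newcerts/ the write-up creates by hand under /etc/pki/CA, plus a config so
# the script does not depend on the system openssl.cnf.
setup_ca_dir() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $CA_DIR
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = v3_server

# Same rules as the stock openssl.cnf: C, ST and O must equal the CA's,
# CN must be present, OU/email are optional. A field not listed here
# (localityName, for instance) is silently left out of the issued cert.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
subjectAltName   = DNS:www2
EOF
}

# CA key and self-signed root; the file name must match "certificate =" above.
make_ca() {
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -config "$CNF" -new -x509 -days 3650 \
        -key "$CA_DIR/private/cakey.pem" \
        -subj "/C=CN/ST=beijing/L=beijing/O=www.magedu.com/CN=magedu lab CA" \
        -out "$CA_DIR/cacert.pem"
}

# Server key and CSR for the DN in $1. No -days here: on a request it is
# meaningless, the CA decides the validity when it signs.
make_csr() {
    (umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
    openssl req -config "$CNF" -new -key "$WORK/httpd.key" -subj "$1" \
        -out "$WORK/httpd.csr"
}

# Sign as the CA; returns non-zero when policy_match rejects the request.
sign_csr() {
    openssl ca -config "$CNF" -batch -notext -days 365 \
        -in "$WORK/httpd.csr" -out "$WORK/httpd.crt" 2>/dev/null
}

# Chain check, equivalent to what "openssl s_client -CAfile" reports.
verify_cert() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$WORK/httpd.crt" >/dev/null
}

# Subject exactly as issued (RFC 2253 form is stable across OpenSSL versions).
issued_subject() {
    openssl x509 -noout -nameopt RFC2253 -subject -in "$WORK/httpd.crt"
}

setup_ca_dir
make_ca
# 1) ST differs from the CA certificate: policy_match refuses to sign.
make_csr "/C=CN/ST=shanghai/O=www.magedu.com/CN=www2"
sign_csr && { echo "BUG: mismatched request was signed"; exit 1; }
# 2) C/ST/O match; L=haidian is in the request but will not be in the cert.
make_csr "/C=CN/ST=beijing/L=haidian/O=www.magedu.com/OU=m16/CN=www2"
sign_csr
verify_cert
issued_subject
```

Running it prints the issued subject, CN=www2,OU=m16,O=www.magedu.com,ST=beijing,C=CN, with no L component. To carry this back to the lab host, keep the same three rules in mind: the root must be saved under the name the CA section's certificate= line expects, the request's C/ST/O must equal the root's, and the name clients will type belongs in CN and in a subjectAltName.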
Next, configure mod_ssl through the configuration file it installs for httpd-2.2:
vim /etc/httpd/conf.d/ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost 172.16.251.237:443>
DocumentRoot "/var/www/html/www2"
ServerName www2:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
SSLCertificateFile /etc/httpd/ssl/httpd.crt
</VirtualHost>
httpd -t && service httpd reload ---- check the syntax, then reload the service
Test the www2 certificate:
vim /etc/hosts
172.16.251.237 www1 www2
1. openssl s_client -connect www2:443 -CAfile /etc/pki/CA/cacert.pem ---- pass the CA's self-signed certificate; the output should end with "Verify return code: 0 (ok)"
2. Import the CA certificate into the browser, then open
https://www2/indexwww2.html
The browser also checks that the name in the URL matches the certificate. The certificate above was issued with Common Name www.wudang.com, so a request for https://www2/ still warns about a name mismatch even once the CA is trusted; either issue the certificate for the name actually used (CN=www2, plus a subjectAltName for current browsers) or add www.wudang.com to /etc/hosts and browse by that name. s_client -CAfile only validates the chain, not the host name, which is why it reports ok either way.