Implement the following separately with httpd-2.2 and with httpd-2.4
1. Set up an httpd service with these requirements:
(1) Provide two name-based virtual hosts, www1 and www2, each with its own error log and access log;
(2) Provide status information through /server-status on www1, and allow only the user tom to access it;
(3) Do not allow any host in the 192.168.0.0/24 network to access www2;
2. Provide an https service for the second virtual host above.
1. httpd-2.2 (environment: CentOS 6.7)
Main configuration file
#vim /etc/httpd/conf/httpd.conf
NameVirtualHost 172.16.8.100:80
LoadModule status_module modules/mod_status.so
www1 configuration file
#vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.8.100:80>
    DocumentRoot /data/www1
    ServerName www1.marvel.com
    ErrorLog logs/www1-error_log
    CustomLog logs/www1-access_log combined
    <Location /server-status>
        SetHandler server-status
        Options None
        # AllowOverride is only valid inside <Directory>; httpd refuses to start with it in <Location>
        AuthName "status"
        AuthType Basic
        # password file kept outside every DocumentRoot; create it with: htpasswd -c /etc/httpd/www1_passwd tom
        AuthUserFile "/etc/httpd/www1_passwd"
        Require user tom
    </Location>
</VirtualHost>
www2 configuration file
#vim /etc/httpd/conf.d/www2.conf
<VirtualHost 172.16.8.100:80>
    DocumentRoot /data/www2
    ServerName www2.marvel.com
    ErrorLog logs/www2-error_log
    CustomLog logs/www2-access_log combined
    <Directory "/data/www2">
        Options None
        AllowOverride None
        # requirement (3): with "Order allow,deny" a matching Deny overrides "Allow from all"
        Order allow,deny
        Allow from all
        Deny from 192.168.0.0/24
    </Directory>
</VirtualHost>
Configure https for www2
#yum install mod_ssl
#httpd -M   // check that the ssl module is loaded; if not, add LoadModule ssl_module modules/mod_ssl.so to the main configuration file or to ssl.conf
Obtain a digital certificate for the server;
For testing, issue the certificate from a self-built private CA
(a) Create the private CA (on the CA host, 172.16.8.101)
(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)   // 2048 bits; 1024-bit RSA keys are no longer considered safe
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem   // same key file as above; cacert.pem is the CA certificate, not a CRL
echo 01 > /etc/pki/CA/serial
touch /etc/pki/CA/index.txt
(b) Create the certificate signing request on the web server, 172.16.8.100
(umask 077; openssl genrsa -out /etc/pki/tls/private/httpd.key 2048)
openssl req -new -key /etc/pki/tls/private/httpd.key -out /etc/pki/tls/httpd.csr   // Common Name must be www2.marvel.com, the name clients connect to
scp /etc/pki/tls/httpd.csr 172.16.8.101:/tmp
Note: once mod_ssl is installed, this directory (/etc/httpd/conf.d/) contains an ssl.conf with the SSL configuration, including where the private key and the certificate are stored
(c) Sign the request on the CA
openssl ca -in /tmp/httpd.csr -days 365 -out /tmp/httpd.crt
scp /tmp/httpd.crt 172.16.8.100:/etc/pki/tls/certs/httpd.crt
#vim /etc/httpd/conf.d/ssl.conf
<VirtualHost 172.16.8.100:443>
    ...
    ServerName www2.marvel.com
    DocumentRoot "/data/www2"
    SSLCertificateFile /etc/pki/tls/certs/httpd.crt
    SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
    ...
</VirtualHost>
2. httpd-2.4 (environment: CentOS 7.1)
1. Load the status module
In /etc/httpd/conf.modules.d/00-base.conf, add or uncomment the following line
LoadModule status_module modules/mod_status.so
2. Edit the configuration file of virtual host www1; httpd-2.4 no longer needs the NameVirtualHost directive
#vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.8.102:80>
    ServerName www1.marvel.com
    DocumentRoot "/data/www1"
    ErrorLog logs/www1-error_log
    CustomLog logs/www1-access_log combined
    <Location /server-status>
        SetHandler server-status
        Options None
        # AllowOverride is only valid inside <Directory>; httpd refuses to start with it in <Location>
        AuthName "status"
        AuthType Basic
        # keep the password file outside every DocumentRoot: a file such as /data/www1/.www1_passwd
        # would be served like any other file, since the default config only blocks .ht* names
        AuthUserFile "/etc/httpd/www1_passwd"
        Require user tom
    </Location>
    <Directory "/data/www1">
        Require all granted
    </Directory>
</VirtualHost>
3. Edit the www2 configuration file
#vim /etc/httpd/conf.d/www2.conf
<VirtualHost 172.16.8.102:80>
    ServerName www2.marvel.com
    DocumentRoot "/data/www2"
    ErrorLog logs/www2-error_log
    CustomLog logs/www2-access_log combined
    <Directory "/data/www2">
        # requirement (3): inside <RequireAll> a matching "Require not ip" rejects the request
        <RequireAll>
            Require all granted
            Require not ip 192.168.0.0/24
        </RequireAll>
    </Directory>
</VirtualHost>
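Requirement (3) is expressed with "Order allow,deny" plus "Deny from" on httpd-2.2 and with a RequireAll block on httpd-2.4, and the two models are easy to get wrong (for example, "Order deny,allow" together with "Allow from all" silently makes every Deny ineffective). The following added example, which is not part of the original post, simulates both decision procedures in Python so the rules can be checked against sample client addresses before the config is deployed; the client addresses are constructed for the example.

```python
"""Simulate httpd access decisions for the www2 rules on this page:
httpd-2.2 (Order / Allow / Deny) and httpd-2.4 (<RequireAll> with
Require not ip). Added example, not code from the original post."""
import ipaddress


def _matches(client, pattern):
    """True if the client address falls under pattern: 'all', one IP, or a CIDR."""
    if pattern == "all":
        return True
    # an IPv4 client is never "in" an IPv6 network and vice versa
    return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)


def httpd22_allows(client, order, allow, deny):
    """httpd-2.2 mod_authz_host semantics.

    Order allow,deny: at least one Allow must match, then any matching Deny rejects
    (default is deny). Order deny,allow: a matching Deny rejects unless an Allow also
    matches (default is allow). allow/deny are lists of patterns.
    """
    allowed = any(_matches(client, p) for p in allow)
    denied = any(_matches(client, p) for p in deny)
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError("unsupported Order: " + order)


def httpd24_require_all(client, requires):
    """httpd-2.4 <RequireAll>: every directive must succeed and none may fail.

    requires is a list of (negated, pattern): 'Require all granted' is (False, 'all'),
    'Require not ip 192.168.0.0/24' is (True, '192.168.0.0/24').
    """
    for negated, pattern in requires:
        hit = _matches(client, pattern)
        if negated and hit:         # a negated rule that matches fails the whole block
            return False
        if not negated and not hit:  # a positive rule that does not match fails it too
            return False
    return True


def check_www2(client):
    """(2.2 decision, 2.4 decision) for the www2 configuration shown on this page."""
    v22 = httpd22_allows(client, "allow,deny", ["all"], ["192.168.0.0/24"])
    v24 = httpd24_require_all(client, [(False, "all"), (True, "192.168.0.0/24")])
    return v22, v24


if __name__ == "__main__":
    # constructed sample clients: one inside the blocked network, two outside it
    for ip in ("192.168.0.77", "192.168.1.5", "172.16.8.50"):
        print(ip, check_www2(ip))
    # the classic mistake: Order deny,allow makes Deny from 192.168.0.0/24 a no-op
    print("deny,allow + Allow from all:",
          httpd22_allows("192.168.0.77", "deny,allow", ["all"], ["192.168.0.0/24"]))
```

The last line of the script is the check worth keeping: with "Order deny,allow" the blocked network is still admitted, and without any Deny at all (the www2 block as it is often first written) "Allow from all" admits everyone.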
4. Provide https for www2
Install the mod_ssl module
#yum install mod_ssl
Installing mod_ssl automatically generates /etc/httpd/conf.modules.d/00-ssl.conf, which contains the directive that loads the module
LoadModule ssl_module modules/mod_ssl.so
Obtain a digital certificate for the server;
For testing, issue the certificate from a self-built private CA
(a) Create the private CA (on the CA host, 172.16.8.101)
(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)   // 2048 bits; 1024-bit RSA keys are no longer considered safe
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem   // same key file as above; cacert.pem is the CA certificate, not a CRL
echo 01 > /etc/pki/CA/serial
touch /etc/pki/CA/index.txt
(b) Create the certificate signing request on the web server, 172.16.8.102
(umask 077; openssl genrsa -out /etc/pki/tls/private/httpd.key 2048)
openssl req -new -key /etc/pki/tls/private/httpd.key -out /etc/pki/tls/httpd.csr   // Common Name must be www2.marvel.com, the name clients connect to
scp /etc/pki/tls/httpd.csr 172.16.8.101:/tmp
Note: once mod_ssl is installed, this directory (/etc/httpd/conf.d/) contains an ssl.conf with the SSL configuration, including where the private key and the certificate are stored
(c) Sign the request on the CA
openssl ca -in /tmp/httpd.csr -days 365 -out /tmp/httpd.crt
scp /tmp/httpd.crt 172.16.8.102:/etc/pki/tls/certs/httpd.crt
#vim /etc/httpd/conf.d/ssl.conf
<VirtualHost 172.16.8.102:443>
    ...
    ServerName www2.marvel.com
    DocumentRoot "/data/www2"
    <Directory "/data/www2">
        # requirement (3) applies to www2 over https as well
        <RequireAll>
            Require all granted
            Require not ip 192.168.0.0/24
        </RequireAll>
    </Directory>
    SSLCertificateFile /etc/pki/tls/certs/httpd.crt
    SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
    ...
</VirtualHost>
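Before running httpd -t and restarting, it helps to check the vhost fragments above against the three requirements and against two mistakes that are easy to make in them: an AllowOverride inside <Location> (httpd will not start) and an AuthUserFile placed under DocumentRoot (the password file becomes downloadable). The following added example, not part of the original post, does that with a minimal parser of Apache-style container blocks (it is not httpd's own parser, and only understands the directives used on this page). The two sample configurations inside it are constructed for the example: one reproduces the two pitfalls, the other is a www2 that satisfies requirement (3).

```python
"""Pre-deployment check for httpd vhost fragments. Added example, not from
the original post; the parser is a minimal one written for this check."""
import re

_OPEN = re.compile(r"^<(\w+)\s*(.*?)>$")
_CLOSE = re.compile(r"^</\w+>$")


def parse(text):
    """Build a tree of {'name', 'arg', 'directives', 'children'} nodes."""
    root = {"name": "root", "arg": "", "directives": [], "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "...":
            continue
        m = _OPEN.match(line)
        if m:
            node = {"name": m.group(1).lower(), "arg": m.group(2).strip('"'),
                    "directives": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif _CLOSE.match(line):
            stack.pop()
        else:
            parts = line.split(None, 1)
            value = parts[1].strip('"') if len(parts) > 1 else ""
            stack[-1]["directives"].append((parts[0].lower(), value))
    return root


def get(node, key):
    """First value of directive `key` (lower-case name) in this node, else None."""
    return next((v for k, v in node["directives"] if k == key), None)


def walk(node):
    """Yield the node and every container nested inside it."""
    yield node
    for child in node["children"]:
        yield from walk(child)


def denies_network(vhost, net):
    """True if some container denies `net` in 2.2 (Deny from) or 2.4 (Require not ip) syntax."""
    return any((k == "deny" and v == f"from {net}") or (k == "require" and v == f"not ip {net}")
               for node in walk(vhost) for k, v in node["directives"])


def check_vhost(vhost):
    """Return findings for one <VirtualHost>; an empty list means it passes."""
    findings = []
    name = get(vhost, "servername") or vhost["arg"]
    for log in ("errorlog", "customlog"):            # requirement (1): own logs per vhost
        if get(vhost, log) is None:
            findings.append(f"{name}: no per-vhost {log}")
    docroot = get(vhost, "documentroot")
    for node in walk(vhost):
        if node["name"] != "location":
            continue
        if get(node, "allowoverride") is not None:    # httpd rejects this at startup
            findings.append(f"{name}: AllowOverride is not valid inside <Location {node['arg']}>")
        if get(node, "sethandler") == "server-status":  # requirement (2): user-restricted status
            if get(node, "authtype") is None or not (get(node, "require") or "").startswith("user "):
                findings.append(f"{name}: /server-status is not restricted to a user")
            userfile = get(node, "authuserfile") or ""
            if docroot and userfile.startswith(docroot.rstrip("/") + "/"):
                findings.append(f"{name}: AuthUserFile {userfile} is inside DocumentRoot")
    if vhost["arg"].endswith(":443"):                 # the https vhost needs both PEM files
        for d in ("sslcertificatefile", "sslcertificatekeyfile"):
            if get(vhost, d) is None:
                findings.append(f"{name}: missing {d}")
    return findings


def check_config(text):
    """Findings for every <VirtualHost> in a configuration text."""
    return [f for vh in parse(text)["children"] if vh["name"] == "virtualhost"
            for f in check_vhost(vh)]


# constructed sample: the 2.4 www1 fragment with its two pitfalls left in
BAD_WWW1 = """<VirtualHost 172.16.8.102:80>
ServerName www1.marvel.com
DocumentRoot "/data/www1"
ErrorLog logs/www1-error_log
CustomLog logs/www1-access_log combined
<Location /server-status>
SetHandler server-status
AllowOverride None
AuthType Basic
AuthName "status"
AuthUserFile "/data/www1/.www1_passwd"
Require user tom
</Location>
</VirtualHost>"""

# constructed sample: a www2 that meets requirement (3)
GOOD_WWW2 = """<VirtualHost 172.16.8.102:80>
ServerName www2.marvel.com
DocumentRoot "/data/www2"
ErrorLog logs/www2-error_log
CustomLog logs/www2-access_log combined
<Directory "/data/www2">
<RequireAll>
Require all granted
Require not ip 192.168.0.0/24
</RequireAll>
</Directory>
</VirtualHost>"""

if __name__ == "__main__":
    for finding in check_config(BAD_WWW1):
        print("finding:", finding)
    www2 = parse(GOOD_WWW2)["children"][0]
    print("www2 denies 192.168.0.0/24:", denies_network(www2, "192.168.0.0/24"))
```

The check is deliberately syntactic: it reports that a Deny or Require not ip for the network exists, but whether that rule actually takes effect still depends on the Order (2.2) or RequireAll (2.4) context around it.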