Linux Service Management: httpd

Installing with yum

[root@node01-linux ~]# yum -y install httpd		# install httpd with yum
[root@node01-linux ~]# ls /var/www/html/		# default document root; empty right after install
[root@node01-linux ~]# systemctl start httpd		# start the httpd service
[root@node01-linux ~]# ll /var/log/httpd/		# log files
total 4
-rw-r--r--. 1 root root   0 May 10 13:00 access_log		# access log
-rw-r--r--. 1 root root 632 May 10 13:00 error_log		# error log
[root@node01-linux ~]# systemctl disable --now firewalld		# stop and disable the firewall
[root@node01-linux ~]# setenforce 0		# switch SELinux to permissive mode (until reboot)
[root@node01-linux selinux]# pwd
/etc/selinux
[root@node01-linux selinux]# vim config 		# edit the config file so the change persists across reboots
SELINUX=Permissive
[root@node01-linux ~]# getenforce		# show the current SELinux mode
Permissive
[root@node01-linux ~]# vim /etc/httpd/conf/httpd.conf
···
ServerName www.example.com:80		# uncomment this line
···
[root@node01-linux conf.d]# ls
autoindex.conf  README  userdir.conf  welcome.conf
[root@node01-linux conf.d]# find / -name *vhosts.conf
/usr/share/doc/httpd-2.4.6/httpd-vhosts.conf
[root@node01-linux conf.d]# cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf .
[root@node01-linux conf.d]# ls
autoindex.conf  httpd-vhosts.conf  README  userdir.conf  welcome.conf
[root@node01-linux conf.d]# vim httpd-vhosts.conf
···
<VirtualHost *:80>
    DocumentRoot "/data/www.a.com"
    ServerName www.a.com
    ErrorLog "/var/log/httpd/www.a.com-error_log"
    CustomLog "/var/log/httpd/www.a.com-access_log" common
    <Directory "/data/www.a.com">
        <RequireAll>
            Require all granted
        </RequireAll>
    </Directory>
</VirtualHost>
Listen 81
<VirtualHost *:81>
    DocumentRoot "/data/www.b.com"
    ServerName www.b.com
    ErrorLog "/var/log/httpd/www.b.com-error_log"
    CustomLog "/var/log/httpd/www.b.com-access_log" common
    <Directory "/data/www.b.com">
        <RequireAll>
            Require all granted
        </RequireAll>
    </Directory>
</VirtualHost>
···
[root@node01-linux ~]# mkdir -p /data/{www.a.com,www.b.com}
[root@node01-linux data]# echo 'www.a.com' > www.a.com/index.html
[root@node01-linux data]# echo 'www.b.com' > www.b.com/index.html
[root@node02-linux data]# systemctl restart httpd

SSL certificates

Building a private CA with openssl
CA configuration file: /etc/pki/tls/openssl.cnf
1. The CA generates a key pair

[root@node02-linux ~]# cd /etc/pki/CA
[root@node02-linux CA]# ls
certs  crl  newcerts  private
[root@node02-linux CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)		# generate the key; the parentheses are required so the umask applies only to this subshell and the key file is created with mode 0600
[root@node02-linux CA]# ls private/
cakey.pem
[root@node02-linux CA]# openssl rsa -in private/cakey.pem -pubout	# extract the public key

2. The CA generates a self-signed certificate

[root@node02-linux CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.a.com   
Organizational Unit Name (eg, section) []:www.a.com
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:[email protected]
[root@node02-linux CA]# ls
cacert.pem  certs  crl  newcerts  private
[root@node02-linux CA]# touch index.txt && echo 01 > serial
[root@node02-linux CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

3. The client (for example the httpd server) generates a key

[root@node02-linux ~]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................................+++
................................................................................+++
e is 65537 (0x10001)
[root@node02-linux ~]# ls
anaconda-ks.cfg  httpd.key

4. The client generates a certificate signing request

[root@node02-linux ~]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.a.com
Organizational Unit Name (eg, section) []:www.a.com
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node02-linux ~]# ls
anaconda-ks.cfg  httpd.csr  httpd.key

5. The client sends the certificate signing request file to the CA

scp httpd.csr root@<CA-IP>:/root

6. The CA signs the certificate request submitted by the client

[root@node02-linux ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
···
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
···
[root@node02-linux ~]# ls
anaconda-ks.cfg  httpd.crt  httpd.csr  httpd.key

7. The CA sends the signed certificate httpd.crt back to the client

scp httpd.crt root@<client-IP>:/etc/httpd/ssl/

Installing the mod_ssl module with yum

[root@node02-linux ~]# yum list all|grep mod_ssl		# check whether mod_ssl is available or already installed
mod_ssl.x86_64                              1:2.4.6-93.el7.centos      base   
[root@node02-linux ~]# yum -y install mod_ssl

Configuring SSL

[root@node02-linux conf.d]# pwd
/etc/httpd/conf.d
[root@node02-linux conf.d]# ls
autoindex.conf  httpd-vhosts.conf  README  ssl.conf  userdir.conf  welcome.conf
[root@node02-linux conf.d]# vim ssl.conf 
···
<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/data/www.a.com"
ServerName www.a.com:443
<Directory /data/www.a.com>
    <RequireAll>
        Require all granted
    </RequireAll>
</Directory>

···
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

···

Create a directory for the SSL certificate; it is usually placed under the web server's configuration directory

[root@node02-linux httpd]# mkdir ssl
[root@node02-linux httpd]# cd ssl/
[root@node02-linux ssl]# pwd
/etc/httpd/ssl
[root@node02-linux ssl]# cp ~/httpd.* .
[root@node02-linux ssl]# ls
httpd.crt  httpd.csr  httpd.key

Restart the service and verify that the ports are listening

[root@node02-linux ssl]# systemctl restart httpd
[root@node02-linux ssl]# ss -antl
State       Recv-Q Send-Q                     Local Address:Port                                    Peer Address:Port              
LISTEN      0      128                                    *:22                                                 *:*                  
LISTEN      0      100                            127.0.0.1:25                                                 *:*                  
LISTEN      0      128                                   :::80                                                :::*                  
LISTEN      0      128                                   :::22                                                :::*                  
LISTEN      0      100                                  ::1:25                                                :::*                  
LISTEN      0      128                                   :::443                                               :::*          

Access
