yum安裝
[root@node01-linux ~]# yum -y install httpd #yum安裝httpd
[root@node01-linux ~]# ls /var/www/html/ #網站默認放置的位置,默認爲空的
[root@node01-linux ~]# systemctl start httpd #啓用httpd服務
[root@node01-linux ~]# ll /var/log/httpd/ #日誌文件
total 4
-rw-r--r--. 1 root root 0 May 10 13:00 access_log #訪問日誌
-rw-r--r--. 1 root root 632 May 10 13:00 error_log #錯誤日誌
[root@node01-linux ~]# systemctl disable --now firewalld #關閉防火牆
[root@node01-linux ~]# setenforce 0 #切換成寬容模式
[root@node01-linux selinux]# pwd
/etc/selinux
[root@node01-linux selinux]# vim config #修改配置文件
SELINUX=Permissive
[root@node01-linux ~]# getenforce #查看selinux狀態
Permissive
[root@node01-linux ~]# vim /etc/httpd/conf/httpd.conf
···
ServerName www.example.com:80 #取消前面的註釋
···
[root@node01-linux conf.d]# ls
autoindex.conf README userdir.conf welcome.conf
[root@node01-linux conf.d]# find / -name *vhosts.conf
/usr/share/doc/httpd-2.4.6/httpd-vhosts.conf
[root@node01-linux conf.d]# cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf .
[root@node01-linux conf.d]# ls
autoindex.conf httpd-vhosts.conf README userdir.conf welcome.conf
[root@node01-linux conf.d]# vim httpd-vhosts.conf
···
<VirtualHost *:80>
DocumentRoot "/data/www.a.com"
ServerName www.a.com
ErrorLog "/var/log/httpd/www.a.com-error_log"
CustomLog "/var/log/httpd/www.a.com-access_log" common
<Directory "/data/www.a.com">
<RequireAll>
Require all granted
</RequireAll>
</Directory>
</VirtualHost>
Listen 81
<VirtualHost *:81>
DocumentRoot "/data/www.b.com"
ServerName www.b.com
ErrorLog "/var/log/httpd/www.b.com-error_log"
CustomLog "/var/log/httpd/www.b.com-access_log" common
<Directory "/data/www.b.com">
<RequireAll>
Require all granted
</RequireAll>
</Directory>
</VirtualHost>
···
[root@node01-linux ~]# mkdir -p /data/{www.a.com,www.b.com}
[root@node01-linux data]# echo 'www.a.com' > www.a.com/index.html
[root@node01-linux data]# echo 'www.b.com' > www.b.com/index.html
[root@node02-linux data]# systemctl restart httpd
ssl證書
openssl實現私有CA
CA的配置文件:/etc/pki/tls/openssl.cnf
1. CA生成一對密鑰
[root@node02-linux ~]# cd /etc/pki/CA
[root@node02-linux CA]# ls
certs crl newcerts private
[root@node02-linux CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) #生成密鑰,括號必須要:umask 077 只在子shell中生效,私鑰檔案才不會以默認權限建立
[root@node02-linux CA]# ls private/
cakey.pem
[root@node02-linux CA]# openssl rsa -in private/cakey.pem -pubout #提取公鑰
2. CA生成自簽署證書
[root@node02-linux CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.a.com
Organizational Unit Name (eg, section) []:www.a.com
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:[email protected]
[root@node02-linux CA]# ls
cacert.pem certs crl newcerts private
[root@node02-linux CA]# touch index.txt && echo 01 > serial
[root@node02-linux CA]# ls
cacert.pem certs crl index.txt newcerts private serial
3. 客戶端(例如httpd服務器)生成密鑰
[root@node02-linux ~]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................................+++
................................................................................+++
e is 65537 (0x10001)
[root@node02-linux ~]# ls
anaconda-ks.cfg httpd.key
4. 客戶端生成證書簽署請求
[root@node02-linux ~]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.a.com
Organizational Unit Name (eg, section) []:www.a.com
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node02-linux ~]# ls
anaconda-ks.cfg httpd.csr httpd.key
5. 客戶端把證書簽署請求文件發送給CA
scp httpd.csr root@CA端IP:/root
6. CA簽署客戶端提交上來的證書
[root@node02-linux ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
···
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
···
[root@node02-linux ~]# ls
anaconda-ks.cfg httpd.crt httpd.csr httpd.key
7. CA把簽署好的證書httpd.crt發給客戶端
scp httpd.crt root@客戶端IP:/etc/httpd/ssl/
yum安裝mod_ssl模塊服務
[root@node02-linux ~]# yum list all|grep mod_ssl #查看mod_ssl服務是否已經安裝
mod_ssl.x86_64 1:2.4.6-93.el7.centos base
[root@node02-linux ~]# yum -y install mod_ssl
配置ssl
[root@node02-linux conf.d]# pwd
/etc/httpd/conf.d
[root@node02-linux conf.d]# ls
autoindex.conf httpd-vhosts.conf README ssl.conf userdir.conf welcome.conf
[root@node02-linux conf.d]# vim ssl.conf
···
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/data/www.a.com"
ServerName www.a.com:443
<Directory /data/www.a.com>
<RequireAll>
Require all granted
</RequireAll>
</Directory>
···
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
···
生成ssl證書存放目錄,一般寫在web服務的配置文件目錄中
[root@node02-linux httpd]# mkdir ssl
[root@node02-linux httpd]# cd ssl/
[root@node02-linux ssl]# pwd
/etc/httpd/ssl
[root@node02-linux ssl]# cp ~/httpd.* .
[root@node02-linux ssl]# ls
httpd.crt httpd.csr httpd.key
重啓服務並驗證端口號是否監聽
[root@node02-linux ssl]# systemctl restart httpd
[root@node02-linux ssl]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 128 :::443 :::*
訪問