# Exercise: implement the following with httpd-2.2 and httpd-2.4 respectively:
## 1. Set up an httpd service that meets these requirements:
### (1) Provide two name-based virtual hosts:
#### www1.stux.com: document root /web/vhosts/www1; error log /var/log/httpd/www1/error_log, access log /var/log/httpd/www1/access_log;
#### www2.stux.com: document root /web/vhosts/www2; error log /var/log/httpd/www2/error_log, access log /var/log/httpd/www2/access_log;
### (2) Publish the server's status information at www1.stux.com/server-status, accessible only to users who authenticate with an account;
### (3) www1 must deny access from the host with IP 192.168.10.20;
## 2. Provide HTTPS for the second virtual host above, so that users can reach this web site securely over https;
### (1) Use certificate-based authentication; the certificate must use country CN, state Beijing, city Beijing, and organization MagEdu;
### (2) Set the organizational unit to Ops and the host name to www2.stux.com;
## httpd-2.4 configuration

Step 1: provide three machines: 192.168.10.30 is the test client, 192.168.10.20 runs httpd and DNS, and 192.168.10.100 acts as the CA.

Install and start httpd-2.4, and stop the firewall so the ports are not blocked:

```shell
# yum -y install httpd
# systemctl start httpd
# systemctl enable httpd
# systemctl stop firewalld
```

Create the document root directories and the log directories and files:

```shell
# mkdir -p /web/vhosts/www1/
# mkdir -p /web/vhosts/www2/
# cd /var/log/httpd/
# mkdir {www1,www2}
# cd www1
# touch {error_log,access_log}
# cd ../www2
# touch {error_log,access_log}
```
Create a test page for each host, /web/vhosts/www1/index.html and /web/vhosts/www2/index.html:

```shell
# vim /web/vhosts/www1/index.html
<h1>www1.stux.com</h1>
# vim /web/vhosts/www2/index.html
<h1>www2.stux.com</h1>
```
Create the user/password file used for httpd access authentication. Write it to /etc/httpd/conf.d/.htpasswd, the path the vhost configuration below references (httpd runs with a private /tmp under systemd, so a file placed in /tmp would not be visible to it). htpasswd hashes the passwords with the apr1 MD5 scheme by default. The -b option takes the password from the command line, which leaves it in the shell history; outside a lab, omit -b and enter it interactively.

```shell
# htpasswd -bc /etc/httpd/conf.d/.htpasswd text1 text1   # -c creates the file; adds user text1, password text1
# htpasswd -b /etc/httpd/conf.d/.htpasswd text2 text2    # adds user text2, password text2
# htpasswd -b /etc/httpd/conf.d/.htpasswd text3 text3    # adds user text3, password text3
# cat /etc/httpd/conf.d/.htpasswd
text1:$apr1$.n8kyAbr$HhkgNOBOnYSl4lVLsODmn.
text2:$apr1$WYHzv6AL$dTkFbeWaP3XMn6kaUvb0e1
text3:$apr1$NY3FzbAQ$.OsmtKj.4v2fbgGTzC64r.
```
In the main configuration file /etc/httpd/conf/httpd.conf, make sure that line 56, `Include conf.modules.d/*.conf`, and the last line, `IncludeOptional conf.d/*.conf`, are not commented out (no leading #), so that the main file pulls in the module configuration and the per-site files under conf.d/ and the site configuration can stay modular instead of being edited into the main file. Also remove the # in front of line 95, `#ServerName www.example.com:80`, or set it to `ServerName hostname:port`, so that `httpd -t` does not report a problem with the server name.

```shell
# vim /etc/httpd/conf/httpd.conf
```

Note: SELinux must be switched to permissive mode here, otherwise only the default page is reachable, because /web/vhosts does not carry the file context httpd is allowed to read. Permissive mode is a lab shortcut; in production, relabel /web/vhosts with the same context as /var/www/html (httpd_sys_content_t) and keep enforcing mode on.

```shell
# setenforce 0
# getenforce
Permissive
```
Create vhosts.conf under /etc/httpd/conf.d/ as the configuration file for www1, meeting these requirements:

- www1.stux.com: document root /web/vhosts/www1; error log /var/log/httpd/www1/error_log, access log /var/log/httpd/www1/access_log;
- (2) publish the status information at www1.stux.com/server-status, accessible only to users who authenticate with an account;
- (3) www1 must deny access from the host with IP 192.168.10.30.

The server-status Location is placed inside the www1 VirtualHost so that it is served under www1.stux.com only. AuthType, AuthName and AuthUserFile are ordinary per-location directives and go directly in the Location; a single `Require valid-user` needs no RequireAll container. The Directory block does need one, because both conditions (everyone allowed, and the client is not 192.168.10.30) must hold.

```shell
# vim /etc/httpd/conf.d/vhosts.conf
```

```apache
<VirtualHost *:80>
    ServerName www1.stux.com
    DocumentRoot "/web/vhosts/www1/"
    <Directory "/web/vhosts/www1/">
        Options None
        AllowOverride None
        # allow everyone except 192.168.10.30
        <RequireAll>
            Require all granted
            Require not ip 192.168.10.30
        </RequireAll>
    </Directory>
    # status page, only for users listed in the htpasswd file
    <Location /server-status>
        SetHandler server-status
        AuthType Basic
        AuthName "please input passwd"
        AuthUserFile "/etc/httpd/conf.d/.htpasswd"
        Require valid-user
    </Location>
    CustomLog "/var/log/httpd/www1/access_log" combined
    ErrorLog "/var/log/httpd/www1/error_log"
</VirtualHost>
```

Check the syntax with `httpd -t` and reload httpd after each configuration change.
Create vhosts2.conf under /etc/httpd/conf.d/ as the configuration file for www2, meeting this requirement:

- www2.stux.com: document root /web/vhosts/www2; error log /var/log/httpd/www2/error_log, access log /var/log/httpd/www2/access_log.

```shell
# vim /etc/httpd/conf.d/vhosts2.conf
```

```apache
<VirtualHost *:80>
    ServerName www2.stux.com
    DocumentRoot "/web/vhosts/www2/"
    <Directory "/web/vhosts/www2/">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    CustomLog "/var/log/httpd/www2/access_log" combined
    ErrorLog "/var/log/httpd/www2/error_log"
</VirtualHost>
```
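The exercise asks for an httpd-2.2 version as well, but the post only shows 2.4. As an added example (not from the original post), here are both virtual hosts in the 2.2 syntax: 2.2 has no `Require`-based host authorization, so the IP block uses Order/Allow/Deny, and `NameVirtualHost` must be declared explicitly; the htpasswd file is assumed to live at the same /etc/httpd/conf.d/.htpasswd path.

```apache
# /etc/httpd/conf.d/vhosts.conf for httpd-2.2 (both hosts in one file)
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName www1.stux.com
    DocumentRoot "/web/vhosts/www1/"
    <Directory "/web/vhosts/www1/">
        Options None
        AllowOverride None
        # 2.2 host access control: Allow rules are evaluated first, then Deny
        # rules; a request from 192.168.10.30 matches the Deny and gets a 403
        Order allow,deny
        Allow from all
        Deny from 192.168.10.30
    </Directory>
    # status page restricted to users in the htpasswd file, same as in 2.4
    <Location /server-status>
        SetHandler server-status
        AuthType Basic
        AuthName "please input passwd"
        AuthUserFile "/etc/httpd/conf.d/.htpasswd"
        Require valid-user
    </Location>
    CustomLog "/var/log/httpd/www1/access_log" combined
    ErrorLog "/var/log/httpd/www1/error_log"
</VirtualHost>

<VirtualHost *:80>
    ServerName www2.stux.com
    DocumentRoot "/web/vhosts/www2/"
    <Directory "/web/vhosts/www2/">
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    CustomLog "/var/log/httpd/www2/access_log" combined
    ErrorLog "/var/log/httpd/www2/error_log"
</VirtualHost>
```

A request from 192.168.10.30 to www1 is logged in /var/log/httpd/www1/access_log with status 403, which is the quickest way to confirm the rule took effect.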
Install and configure the DNS service (to keep things simple, the same server that runs httpd is used as the DNS server), and point the http client's resolver at that address (192.168.10.20):

```shell
# yum -y install bind
# systemctl start named
# systemctl enable named
# vim /etc/named.rfc1912.zones
```

```
zone "stux.com" IN {
        type master;
        file "stux.com.zone";
};
```
Change the listen-on and allow-query settings in /etc/named.conf (only the annotated lines change; the rest is the stock file). The server is reachable only on the lab LAN; the stock comment reproduced below explains why a recursive resolver that answers anyone must never be exposed on a public address.

```
options {
        listen-on port 53 { any; };    // changed to any
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };      // changed to any

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;              // set to no for the test
        dnssec-validation no;          // set to no for the test

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
};
```
Create and edit the zone data file used for forward resolution of names in the stux.com domain. Records without an owner name inherit the previous owner (@, the zone apex), so the NS and MX lines must be indented:

```shell
# vim /var/named/stux.com.zone
```

```
$TTL 3600
$ORIGIN stux.com.
@       IN SOA  ns1.stux.com. dnsadmin.stux.com. (
                2019122001
                1H
                10M
                3D
                1D )
        IN NS   ns1
        IN MX   10 mx1
ns1     IN A    192.168.10.20
mx1     IN A    192.168.10.20
www1    IN A    192.168.10.20
www2    IN A    192.168.10.20
```

After editing, run the syntax checks:

```shell
# named-checkzone stux.com /var/named/stux.com.zone
# named-checkconf
```

Fix the group ownership and permissions so that named can read the zone file and other users cannot:

```shell
# chgrp named /var/named/stux.com.zone
# chmod o= /var/named/stux.com.zone
```

Make the server reload its configuration and zone data:

```shell
# rndc reload
```
Build a private CA on the CA server 192.168.10.100; first generate the CA's private key (the key size matches the 4096-bit modulus shown in the output):

```shell
# cd /etc/pki/CA/
# (umask 077; openssl genrsa -out private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
...++
.++
e is 65537 (0x10001)
# ll private/cakey.pem
-rw-------. 1 root root 3247 Dec 23 01:03 private/cakey.pem
```
Generate the self-signed CA certificate. The country, state and organization entered here matter: the default `openssl ca` policy (policy_match in openssl.cnf) only signs requests whose C, ST and O fields match the CA certificate, so the server CSR later has to use the same values.

```shell
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
```

Provide the directories and files the CA needs (create them manually if they do not already exist):

```shell
# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
# touch index.txt serial
# echo 01 > /etc/pki/CA/serial
```
A server that needs a certificate for secure communication must ask the CA to sign one. Generate the private key on the host that will use the certificate; here the httpd server itself is used as the example (the key size matches the 2048-bit modulus shown in the output):

```shell
# mkdir /etc/httpd/ssl/
# cd /etc/httpd/ssl/
# (umask 007; openssl genrsa -out httpd_key.pem 2048)
Generating RSA private key, 2048 bit long modulus
........................................+++
..+++
e is 65537 (0x10001)
# ll
total 4
-rw-rw----. 1 root root 1679 Dec 16 18:17 httpd_key.pem
# chmod 600 httpd_key.pem    # make sure the key is mode 400 or 600
```
Generate the certificate signing request. The Common Name must be the host name that will be typed into the browser (www2.stux.com), otherwise the client will reject the certificate:

```shell
# openssl req -new -key httpd_key.pem -out httpd_csr.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.stux.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ll
total 8
-rw-r--r--. 1 root root 1005 Dec 16 18:26 httpd_csr.pem
-rw-------. 1 root root 1679 Dec 16 18:17 httpd_key.pem
```
Send the request to the CA host (only the CSR leaves the server; the private key stays where it was generated):

```shell
# scp httpd_csr.pem root@192.168.10.100:/tmp
The authenticity of host '192.168.10.100 (192.168.10.100)' can't be established.
ECDSA key fingerprint is SHA256:Ss9puEjAq4gLKA1kXy7EC/WoHUwQvSoc+Kvfb9LsMEE.
ECDSA key fingerprint is MD5:24:68:b3:56:47:64:b1:1a:f5:f3:74:5a:7b:8b:0a:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.100' (ECDSA) to the list of known hosts.
root@192.168.10.100's password:
httpd_csr.pem                                 100% 1005     1.0MB/s   00:00
```
Sign the certificate on the CA host:

```shell
# openssl ca -in /tmp/httpd_csr.pem -out /etc/pki/CA/certs/httpd_crt.pem
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 23 06:39:57 2019 GMT
            Not After : Dec 22 06:39:57 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = MageEdu
            organizationalUnitName    = Ops
            commonName                = www2.stux.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                24:61:06:4D:F9:47:F6:BA:06:2B:87:AC:FF:AC:E9:BE:1B:4D:61:4F
            X509v3 Authority Key Identifier:
                keyid:A2:16:B8:0A:86:A9:16:73:7A:20:98:BC:01:35:0E:6A:03:2C:E1:87

Certificate is to be certified until Dec 22 06:39:57 2020 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# ll certs/
total 8
-rw-r--r--. 1 root root 5717 Dec 23 01:40 httpd_crt.pem
```
The CA host sends the signed certificate back to the client:

```shell
# scp certs/httpd_crt.pem root@192.168.10.20:/etc/httpd/ssl
The authenticity of host '192.168.10.20 (192.168.10.20)' can't be established.
ECDSA key fingerprint is e2:d4:22:10:8a:be:88:8f:83:d9:a8:a6:37:4b:2c:82.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.20' (ECDSA) to the list of known hosts.
root@192.168.10.20's password:
httpd_crt.pem                                 100% 5717     5.6KB/s   00:00
```
Configure httpd on the httpd server to serve https. First check whether the mod_ssl module is present (the first grep prints nothing because the module is not installed yet):

```shell
# httpd -M | grep ssl
# yum -y install mod_ssl
# httpd -M | grep ssl
 ssl_module (shared)
```

Edit the configuration file that ships with mod_ssl:

```shell
# vim /etc/httpd/conf.d/ssl.conf
```

Change the certificate and key paths to the CA-signed certificate and the private key now stored on the httpd server (/etc/httpd/ssl/httpd_crt.pem and /etc/httpd/ssl/httpd_key.pem), and set the domain name and document root of the site that is to be reached over https (www2.stux.com and /web/vhosts/www2).
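As an added example (not from the original post), this is what the edited ssl.conf virtual host looks like after the two changes above. The stock ssl.conf already contains `Listen 443 https` and a `<VirtualHost _default_:443>` block pointing at /etc/pki/tls/certs/localhost.crt; replace that block with the following, or change the corresponding lines in place. The protocol and cipher settings are my choice, not something the post specifies.

```apache
# /etc/httpd/conf.d/ssl.conf: https virtual host for www2.stux.com
# (Listen 443 https is already present earlier in the stock file)
<VirtualHost *:443>
    ServerName www2.stux.com
    DocumentRoot "/web/vhosts/www2/"
    <Directory "/web/vhosts/www2/">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    SSLEngine on
    # refuse SSLv3 and TLS 1.0/1.1; only TLS 1.2 is negotiated
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5

    # certificate issued by the private CA on 192.168.10.100, and the
    # private key generated on this server (mode 600, never copied elsewhere)
    SSLCertificateFile /etc/httpd/ssl/httpd_crt.pem
    SSLCertificateKeyFile /etc/httpd/ssl/httpd_key.pem

    CustomLog "/var/log/httpd/www2/access_log" combined
    ErrorLog "/var/log/httpd/www2/error_log"
</VirtualHost>
```

The client only trusts this certificate if it has the CA's cacert.pem, which is why the test machine receives a copy of it in the next step.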
Log in to the test machine 192.168.10.30 and copy the CA certificate to it:

```shell
# scp root@192.168.10.100:/etc/pki/CA/cacert.pem /tmp
```

Test from 192.168.10.30:

```shell
# openssl s_client -connect www2.stux.com:443 -CAfile /tmp/cacert.pem
```

Result: a successful handshake ends with `Verify return code: 0 (ok)` and shows a server certificate with subject CN=www2.stux.com issued by the CA; any other return code means the chain or the host name does not match.