1. Set up an httpd service with the following requirements:
(1) Provide two name-based virtual hosts:
www1.stuX.com, document root /web/vhosts/www1; error log /var/log/httpd/www1/error_log, access log /var/log/httpd/www1/access_log;
www2.stuX.com, document root /web/vhosts/www2; error log /var/log/httpd/www2/error_log, access log /var/log/httpd/www2/access_log;
(2) Publish status information at www1.stuX.com/server-status, and allow only users who have been given an account to access it;
(3) www1 must not be accessible from the host 192.168.0.88;
2. Provide an https service for the second virtual host above, so that users can access the site securely over https;
(1) Use certificate authentication; the certificate must use Country (CN), State (Beijing), City (Beijing) and Organization (MageEdu);
(2) Set the department to Ops and the hostname to www2.stuX.com;
3. Configure a forced redirect to https: visiting http://www2.stuX.com redirects to https://www2.stuX.com.
Implemented on CentOS 7 with httpd-2.4.
Before configuring anything, install httpd and mod_ssl:
[root@localhost ~]# yum install -y mod_ssl httpd
1. Setting up the httpd service
First create the document root directories and the log directories:
[root@localhost ~]# mkdir -pv /web/vhosts/www1 # create the www1 web directory
mkdir: created directory ‘/web’
mkdir: created directory ‘/web/vhosts’
mkdir: created directory ‘/web/vhosts/www1’
[root@localhost ~]# mkdir /var/log/httpd/www1 # create the www1 log directory
[root@localhost ~]# mkdir -pv /web/vhosts/www2 # create the www2 web directory
mkdir: created directory ‘/web/vhosts/www2’
[root@localhost ~]# mkdir /var/log/httpd/www2 # create the www2 log directory
[root@localhost ~]# chcon -R --reference /var/www/ /web/ # copy the SELinux context of /var/www onto /web so httpd is allowed to read it
Then edit the configuration file:
[root@localhost ~]# vim /etc/httpd/conf.d/vhosts.conf
# load the status module (httpd comments must start a line of their own; on CentOS 7 this module is
# already loaded by /etc/httpd/conf.modules.d/00-base.conf, so a duplicate LoadModule only logs a warning)
LoadModule status_module modules/mod_status.so
# name-based virtual host for www1.stuX.com
<VirtualHost *:80>
    ServerName www1.stuX.com
    DocumentRoot /web/vhosts/www1
    # access_log and error_log for www1
    CustomLog "/var/log/httpd/www1/access_log" combined
    ErrorLog "/var/log/httpd/www1/error_log"
    <Directory "/web/vhosts/www1">
        Options none
        AllowOverride none
        <RequireAll>
            Require all granted
            # deny 192.168.0.88 access to the www1 document root
            Require not ip 192.168.0.88
        </RequireAll>
    </Directory>
    # server-status page; SetHandler makes httpd serve its status information here
    <Location /server-status>
        SetHandler server-status
        Options none
        # AllowOverride is only valid inside <Directory>, so it is not repeated here
        # basic authentication: only the listed accounts may access
        AuthType basic
        AuthName "welcome to www1.stuX.com"
        AuthUserFile "/web/vhosts/www1passwd"
        Require user charlie wch
    </Location>
</VirtualHost>
# name-based virtual host for www2.stuX.com
<VirtualHost *:80>
    ServerName www2.stuX.com
    DocumentRoot /web/vhosts/www2
    CustomLog "/var/log/httpd/www2/access_log" combined
    ErrorLog "/var/log/httpd/www2/error_log"
    <Directory "/web/vhosts/www2">
        Options none
        AllowOverride none
        Require all granted
    </Directory>
</VirtualHost>
Then create the user authentication file:
[root@localhost ~]# htpasswd -cb /web/vhosts/www1passwd charlie 123456
Adding password for user charlie
[root@localhost ~]# htpasswd -b /web/vhosts/www1passwd wch magedu
Adding password for user wch
Check the configuration with httpd -t and start the service once no errors are reported:
[root@localhost ~]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
Syntax OK
Testing authenticated access:
I tested from Windows, where the local IP is 192.168.0.38; edit and save C:\Windows\System32\drivers\etc\hosts:
127.0.0.1 localhost
127.0.0.1 steamcommunity.com
192.168.0.109 www1.stuX.com
192.168.0.109 www2.stuX.com
Then test access:
Check the corresponding log files:
[root@localhost ~]# tail -5 /var/log/httpd/www1/access_log
192.168.0.88 - - [01/May/2018:19:18:00 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1" 403 244 "http://www1.stux.com/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
192.168.0.88 - - [01/May/2018:19:18:06 +0800] "GET /server-status HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
192.168.0.88 - - [01/May/2018:19:18:06 +0800] "GET /server-status HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
192.168.0.88 - charlie [01/May/2018:19:18:40 +0800] "GET /server-status HTTP/1.1" 200 4315 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
192.168.0.88 - - [01/May/2018:19:20:06 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
[root@localhost ~]# tail -5 /var/log/httpd/www1/error_log
[Tue May 01 19:22:51.202586 2018] [auth_basic:error] [pid 11446] [client 192.168.0.88:50872] AH01618: user asdasda not found: /server-status
[Tue May 01 19:22:51.445776 2018] [auth_basic:error] [pid 11446] [client 192.168.0.88:50872] AH01618: user not found: /server-status
[Tue May 01 19:22:52.552326 2018] [auth_basic:error] [pid 11446] [client 192.168.0.88:50872] AH01618: user asdasda not found: /server-status
[Tue May 01 19:22:53.682249 2018] [auth_basic:error] [pid 11446] [client 192.168.0.88:50872] AH01618: user adasd not found: /server-status
[Tue May 01 19:22:55.105525 2018] [authz_core:error] [pid 11446] [client 192.168.0.88:50872] AH01630: client denied by server configuration: /web/vhosts/www1/favicon.ico, referer: http://www1.stux.com/server-status
[root@localhost ~]# tail -5 /var/log/httpd/www2/access_log
192.168.0.38 - - [01/May/2018:18:54:40 +0800] "GET / HTTP/1.1" 200 13 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
192.168.0.88 - - [01/May/2018:19:20:13 +0800] "GET / HTTP/1.1" 200 13 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
[root@localhost ~]# tail -5 /var/log/httpd/www2/error_log
(empty)
All the relevant logs record the accesses correctly.
2. Providing an https service for the second virtual host so that users can access the site securely over https
First create the CA that will sign the certificate:
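Once the vhost is live, the access_log is where you confirm that the two www1 controls (the IP deny and basic auth on /server-status) behave as intended. The awk checks below are an added example, not part of the original post; they run over constructed log lines in the same combined format, and the sample reproduces what the log above shows: 192.168.0.88 is refused on / but, with valid credentials, still gets a 200 on /server-status.

```shell
#!/bin/sh
# Constructed sample in the combined log format shown above (not the page's own lines);
# in practice point the functions at /var/log/httpd/www1/access_log.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
192.168.0.88 - - [01/May/2018:19:18:06 +0800] "GET /server-status HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.0.88 - - [01/May/2018:19:18:09 +0800] "GET /server-status HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.0.88 - charlie [01/May/2018:19:18:40 +0800] "GET /server-status HTTP/1.1" 200 4315 "-" "Mozilla/5.0"
192.168.0.88 - - [01/May/2018:19:20:06 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0"
192.168.0.38 - wch [01/May/2018:19:21:00 +0800] "GET /server-status HTTP/1.1" 200 4315 "-" "Mozilla/5.0"
192.168.0.38 - - [01/May/2018:19:21:05 +0800] "GET /index.html HTTP/1.1" 200 13 "-" "Mozilla/5.0"
EOF

# Combined-format fields as awk sees them: $1 client IP, $3 authenticated user ("-" if none),
# $7 request path, $9 HTTP status.

# Every request for which the host blocked by "Require not ip" still received a 2xx:
# prints "<path> <user>" per hit, and nothing when the deny really covers the whole vhost.
leaks_from_denied_ip() {        # $1 = access_log, $2 = IP that should be denied
    awk -v ip="$2" '$1 == ip && $9 ~ /^2/ { print $7, $3 }' "$1"
}

# Failed basic-auth attempts (401) on /server-status per client, one "<ip> <count>" line each;
# a high count from a single client is password guessing against the status page.
auth_failures_per_client() {    # $1 = access_log
    awk '$7 == "/server-status" && $9 == 401 { n[$1]++ }
         END { for (c in n) print c, n[c] }' "$1"
}

leaks_from_denied_ip "$SAMPLE_LOG" 192.168.0.88
auth_failures_per_client "$SAMPLE_LOG"
```

The 200 shows up because the "Require user" inside <Location /server-status> replaces, rather than adds to, the <Directory> authorization. To keep that host out of the status page as well, put "Require not ip 192.168.0.88" next to "Require user charlie wch" inside a <RequireAll> in the Location block too.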
[root@localhost ~]# cd /etc/pki/CA/private/
[root@localhost private]# (umask 077;openssl genrsa -out CA.key 1024) # generate the CA private key (1024 bits as in the original; 2048 bits or more is the minimum accepted today)
Generating RSA private key, 1024 bit long modulus
..............................................++++++
....................++++++
e is 65537 (0x10001)
[root@localhost private]# ll
total 4
-rw-------. 1 root root 887 May 1 19:57 CA.key
[root@localhost private]# cd ../certs/
[root@localhost certs]# openssl req -new -x509 -key /etc/pki/CA/private/CA.key -out CA.crt -days 365 # generate the CA's self-signed certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca
Email Address []:
[root@localhost certs]# cd
[root@localhost ~]# touch /etc/pki/CA/{serial,index.txt} # create the serial and index.txt files that openssl ca needs
[root@localhost ~]# echo 00 > /etc/pki/CA/serial # initial serial number
Then generate and sign the server certificate:
[root@localhost ~]# mkdir /etc/httpd/ssl # create the ssl directory for httpd
[root@localhost ~]# cd /etc/httpd/ssl
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd-ssl.key 1024) # generate the httpd-ssl private key
Generating RSA private key, 1024 bit long modulus
....................++++++
.....++++++
e is 65537 (0x10001)
[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd-ssl.key -out httpd-ssl.csr -days 365 # generate the certificate signing request for httpd-ssl (-days is ignored for a CSR; the CA sets the validity when it signs)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.stuX.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# openssl ca -in httpd-ssl.csr -out httpd-ssl.crt -days 365 -cert /etc/pki/CA/certs/CA.crt -keyfile /etc/pki/CA/private/CA.key # sign the httpd-ssl certificate with the CA
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: May 1 12:33:28 2018 GMT
Not After : May 1 12:33:28 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = MageEdu
organizationalUnitName = Ops
commonName = www2.stuX.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E2:DC:0A:C4:72:EE:DC:9E:57:4A:F8:38:49:DA:B1:DF:24:24:73:3D
X509v3 Authority Key Identifier:
keyid:E7:5E:74:26:B2:A4:C6:C7:67:7A:BB:8B:8B:DF:E8:C4:AF:39:03:B0
Certificate is to be certified until May 1 12:33:28 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
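The same CA and server-certificate procedure, scripted so it runs without the interactive prompts, as an added example that is not part of the original post. It differs from the commands above in four labelled ways: -subj supplies the DN, keys are 2048 bits, the server certificate carries a subjectAltName (browsers match the hostname against the SAN, not the CN), and the CSR is signed with "openssl x509 -req" instead of "openssl ca", so no /etc/pki/CA database layout is needed; it also shows the checks worth running before the files are referenced from ssl.conf.

```shell
#!/bin/sh
# Added example (not the page's commands): non-interactive CA plus server certificate.
WORK=$(mktemp -d)
CA_SUBJ="/C=CN/ST=Beijing/L=Beijing/O=MageEdu/OU=Ops/CN=ca"
SRV_SUBJ="/C=CN/ST=Beijing/L=Beijing/O=MageEdu/OU=Ops/CN=www2.stuX.com"

make_ca() {             # self-signed CA key and certificate; umask 077 keeps the key root-only
    (umask 077; openssl genrsa -out "$WORK/CA.key" 2048 2>/dev/null)
    openssl req -new -x509 -key "$WORK/CA.key" -out "$WORK/CA.crt" -days 365 -subj "$CA_SUBJ"
}

make_server_cert() {    # server key, CSR, and CA-signed certificate carrying the SAN extension
    (umask 077; openssl genrsa -out "$WORK/httpd-ssl.key" 2048 2>/dev/null)
    openssl req -new -key "$WORK/httpd-ssl.key" -out "$WORK/httpd-ssl.csr" -subj "$SRV_SUBJ"
    printf 'subjectAltName=DNS:www2.stuX.com\nbasicConstraints=CA:FALSE\n' > "$WORK/srv.ext"
    openssl x509 -req -in "$WORK/httpd-ssl.csr" -CA "$WORK/CA.crt" -CAkey "$WORK/CA.key" \
        -CAcreateserial -out "$WORK/httpd-ssl.crt" -days 365 -extfile "$WORK/srv.ext" 2>/dev/null
}

# Checks to run before wiring the files into ssl.conf.
cert_cn() {             # CN of the server certificate subject
    openssl x509 -in "$WORK/httpd-ssl.crt" -noout -subject | sed 's/.*CN *= *//'
}
cert_verifies() {       # "ok" when the cert chains to CA.crt and its public key matches the private key
    openssl verify -CAfile "$WORK/CA.crt" "$WORK/httpd-ssl.crt" 2>&1 | grep -q ': OK$' || { echo fail; return; }
    k=$(openssl pkey -in "$WORK/httpd-ssl.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORK/httpd-ssl.crt" -noout -pubkey)
    [ "$k" = "$c" ] && echo ok || echo fail
}

make_ca && make_server_cert
echo "CN=$(cert_cn) chain_and_key=$(cert_verifies)"
```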
Then edit /etc/httpd/conf.d/ssl.conf:
# make sure this line is present
Listen 443 https
# point at the httpd-ssl certificate and private key just generated
SSLCertificateFile /etc/httpd/ssl/httpd-ssl.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd-ssl.key
Edit /etc/httpd/conf.d/vhosts.conf:
# virtual host on port 80
<VirtualHost *:80>
    ServerName www2.stuX.com
    DocumentRoot /web/vhosts/www2
    CustomLog "/var/log/httpd/www2/access_log" combined
    ErrorLog "/var/log/httpd/www2/error_log"
    <Directory "/web/vhosts/www2">
        Options none
        AllowOverride none
        Require all granted
    </Directory>
</VirtualHost>
# new virtual host listening on port 443
<VirtualHost *:443>
    ServerName www2.stuX.com
    DocumentRoot /web/vhosts/www2
    CustomLog "/var/log/httpd/www2/access_log" combined
    ErrorLog "/var/log/httpd/www2/error_log"
    # TLS is enabled per virtual host, so the certificate is named here as well as in ssl.conf
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/httpd-ssl.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd-ssl.key
    <Directory "/web/vhosts/www2">
        Options none
        AllowOverride none
        Require all granted
    </Directory>
</VirtualHost>
Restart httpd and then test access:
At this point visiting http://www2.stuX.com does not redirect to the https page:
3. Configuring the forced https redirect
First confirm that mod_rewrite is loaded; in httpd-2.4 the module configuration lives in /etc/httpd/conf.modules.d/00-base.conf:
[root@localhost ~]# vim /etc/httpd/conf.modules.d/00-base.conf
# if the LoadModule line for the module is missing, add it yourself
LoadModule rewrite_module modules/mod_rewrite.so
Then edit the www2 virtual host configuration:
[root@localhost ~]# vim /etc/httpd/conf.d/vhosts.conf
<VirtualHost *:80>
    ServerName www2.stuX.com
    DocumentRoot /web/vhosts/www2
    CustomLog "/var/log/httpd/www2/access_log" combined
    ErrorLog "/var/log/httpd/www2/error_log"
    # turn on the rewrite engine
    RewriteEngine on
    # rewrite condition: the request arrived on port 80 (always true inside a *:80 virtual host)
    RewriteCond %{SERVER_PORT} 80
    # rewrite rule: a URL path beginning with /test is redirected (R) to the same path over https and
    # rule processing stops (L), e.g. http://www2.stuX.com/test.html -> https://www2.stuX.com/test.html
    RewriteRule ^(/test.*)$ https://%{HTTP_HOST}$1 [R,L]
    <Directory "/web/vhosts/www2">
        Options none
        AllowOverride none
        Require all granted
    </Directory>
</VirtualHost>
Save, restart httpd, and visit the relevant pages to test:
At this point other paths on www2.stuX.com, such as index.html, are not redirected to https.
The rewrite module is fairly complex to use and I have only just started with it; interested readers can study the links below:
Configuring an https service: https://blog.csdn.net/wlzx120/article/details/52597338
Configuring a forced https redirect: https://www.centos.bz/2018/01/apache-%E5%BC%BA%E5%88%B6-http-%E5%85%A8%E9%83%A8%E8%B7%B3%E8%BD%AC%E5%88%B0-https/
The rewrite module: http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html
Chinese manual for the rewrite module: http://man.chinaunix.net/newsoft/Apache2.2_chinese_manual/mod/mod_rewrite.html#rewriterule
Detailed description of the RewriteRule and RewriteCond parameters: https://blog.csdn.net/lijunwyf/article/details/54948463
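For the whole-site redirect that task 3 asks for, the www2 vhost pair below (an added example, not the author's tested configuration) replaces the /test-only rule: every http request is answered with a permanent redirect to the same path on https, the query string is passed through by mod_rewrite unchanged, and the 443 vhost sends an HSTS header so a browser that has seen the site once goes straight to https. It assumes mod_rewrite, mod_headers and mod_ssl are loaded, which is the CentOS 7 default.

```apache
<VirtualHost *:80>
    ServerName www2.stuX.com
    ErrorLog "/var/log/httpd/www2/error_log"
    CustomLog "/var/log/httpd/www2/access_log" combined
    RewriteEngine on
    # redirect anything that is not already TLS; %{HTTPS} is "on" only inside an SSL vhost
    RewriteCond %{HTTPS} off
    # ^ matches every request; %{REQUEST_URI} keeps the path and the query string is carried over.
    # The literal host is used instead of %{HTTP_HOST} so a client-chosen Host header cannot steer
    # the redirect. R=301 is permanent; use R=302 while testing so browsers do not cache a mistake.
    RewriteRule ^ https://www2.stuX.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www2.stuX.com
    DocumentRoot /web/vhosts/www2
    ErrorLog "/var/log/httpd/www2/error_log"
    CustomLog "/var/log/httpd/www2/access_log" combined
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/httpd-ssl.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd-ssl.key
    # tell browsers to use https for this host for one year (31536000 s); add only once https works
    Header always set Strict-Transport-Security "max-age=31536000"
    <Directory "/web/vhosts/www2">
        Options none
        AllowOverride none
        Require all granted
    </Directory>
</VirtualHost>
```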