Just notes for now; I'll tidy them up when I have time.

httpd-2.2 setup

The httpd in the CentOS 6 base repository is already httpd 2.2, so it can be installed straight from yum:

```
[root@test1 ~]# yum install httpd
```

(1) Provide two name-based virtual hosts:

www1.stuX.com, document root /web/vhosts/www1; error log /var/log/httpd/www1/error_log, access log /var/log/httpd/www1/access_log;
www2.stuX.com, document root /web/vhosts/www2; error log /var/log/httpd/www2/error_log, access log /var/log/httpd/www2/access_log;

Steps

1. Create the site directories and the matching log directories
```
[root@test1 ~]# mkdir -pv /web/vhosts/www1
mkdir: 已创建目录 "/web"
mkdir: 已创建目录 "/web/vhosts"
mkdir: 已创建目录 "/web/vhosts/www1"
[root@test1 ~]# mkdir -pv /web/vhosts/www2
mkdir: 已创建目录 "/web/vhosts/www2"
[root@test1 ~]# mkdir -pv /var/log/httpd/www1/
mkdir: 已创建目录 "/var/log/httpd/www1/"
[root@test1 ~]# mkdir -pv /var/log/httpd/www2/
mkdir: 已创建目录 "/var/log/httpd/www2/"
```
2. httpd-2.2 configuration

Create a new virtual host file. httpd does not accept `//` (or trailing `#`) comments after a directive; only whole lines starting with `#` are comments, so the notes below are written that way.

```
[root@test1 ~]# vim /etc/httpd/conf.d/vhost.conf
```

```apache
# Required in httpd 2.2 to enable name-based virtual hosts. Once it is set,
# the main server (the DocumentRoot in httpd.conf) no longer answers on *:80;
# the virtual hosts take over and the first one becomes the default.
NameVirtualHost *:80

<VirtualHost *:80>
    DocumentRoot "/web/vhosts/www1"
    ServerName www1.std.com
    CustomLog /var/log/httpd/www1/access_log combined
    ErrorLog /var/log/httpd/www1/error_log
    <Directory "/web/vhosts/www1">
        # Deny 192.168.1.0/24 and allow everyone else. With "Order allow,deny"
        # the Allow rules are evaluated first, then a matching Deny wins.
        Order allow,deny
        Deny from 192.168.1.0/24
        Allow from all
    </Directory>
    # A URL whose content is produced by this block (mod_status) rather than
    # by a file on disk; protected with basic authentication.
    <Location /status>
        SetHandler server-status
        AuthType basic
        # realm text shown in the browser's login prompt
        AuthName "authentication"
        # password file, created with: htpasswd -c /etc/httpd/htuser admin
        AuthUserFile "/etc/httpd/htuser"
        Require user admin
    </Location>
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/web/vhosts/www2"
    ServerName www2.std.com
    ErrorLog "/var/log/httpd/www2/error_log"
    CustomLog "/var/log/httpd/www2/access_log" combined
    <Directory "/web/vhosts/www2">
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```
3. httpd-2.4 configuration

1. Create the site directories and the matching log directories (same layout as above, this time on the httpd 2.4 host)
```
[root@test1 ~]# mkdir -pv /web/vhosts/www1
mkdir: 已创建目录 "/web"
mkdir: 已创建目录 "/web/vhosts"
mkdir: 已创建目录 "/web/vhosts/www1"
[root@test1 ~]# mkdir -pv /web/vhosts/www2
mkdir: 已创建目录 "/web/vhosts/www2"
[root@test1 ~]# mkdir -pv /var/log/httpd/www1/
mkdir: 已创建目录 "/var/log/httpd/www1/"
[root@test1 ~]# mkdir -pv /var/log/httpd/www2/
mkdir: 已创建目录 "/var/log/httpd/www2/"
```
2. Create the virtual host file

```
[root@test1 ~]# vim /etc/httpd/conf.d/vhost.conf
```

```apache
# httpd 2.4 needs no NameVirtualHost; every <VirtualHost *:80> is name-based.
<VirtualHost *:80>
    DocumentRoot "/web/vhosts/www1"
    ServerName www1.std.com
    ErrorLog "/var/log/httpd/www1/error_log"
    CustomLog "/var/log/httpd/www1/access_log" combined
    <Directory "/web/vhosts/www1">
        Options None
        AllowOverride None
        # 2.4 replaces Order/Allow/Deny with Require. Inside <RequireAll>
        # every directive must pass: "not ip" rejects the subnet and
        # "all granted" admits everyone else.
        <RequireAll>
            Require not ip 192.168.1.0/24
            Require all granted
        </RequireAll>
    </Directory>
    <Location /status>
        # AllowOverride is only valid in <Directory> context; inside
        # <Location> httpd refuses to start ("AllowOverride not allowed here").
        Options None
        SetHandler server-status
        AuthType basic
        AuthUserFile "/etc/httpd/htuser"
        AuthName "authentication"
        Require user admin
    </Location>
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/web/vhosts/www2"
    ServerName www2.std.com
    ErrorLog "/var/log/httpd/www2/error_log"
    CustomLog "/var/log/httpd/www2/access_log" combined
    <Directory "/web/vhosts/www2">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```
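The two configurations above differ in exactly the places that break when a 2.2 file is carried over to 2.4 by hand: `//` notes after a directive, `AllowOverride` inside `<Location>`, and `Order`/`Allow`/`Deny` instead of `Require`. The following lint script is an added example, not part of the original notes; it flags those three patterns with plain `awk` on a constructed sample file, so it runs without httpd (on a real host, `apachectl -t` remains the final check).

```shell
#!/bin/sh
# Added example (not part of the original notes): a small lint pass over an
# httpd vhost file that flags the mistakes easiest to make when moving a
# hand-written 2.2 config to 2.4. POSIX sh + awk only; no httpd needed.

# Print one "LINE: message" per finding.
lint_vhost_conf() {   # $1 = path to the config file
  awk '
    { l = tolower($0) }
    l ~ /^[ \t]*#/ { next }                      # whole-line comments are fine
    l ~ /^[ \t]*<location[ \t]/ { in_loc = 1 }
    l ~ /^[ \t]*<\/location>/   { in_loc = 0 }
    # "//" after a directive is not a comment: httpd treats it as an extra
    # argument and refuses to start ("... takes one argument").
    l ~ /[ \t]\/\// {
      print NR ": \"//\" is not a comment; put the note on its own # line"
    }
    # AllowOverride is only legal in <Directory> context.
    in_loc && l ~ /^[ \t]*allowoverride/ {
      print NR ": AllowOverride is not allowed inside <Location>"
    }
    # Order/Allow/Deny are the 2.2 access-control model; 2.4 uses Require
    # (the old directives only work there with mod_access_compat loaded).
    l ~ /^[ \t]*(order|allow from|deny from)/ {
      print NR ": 2.2-style Order/Allow/Deny; use Require on httpd 2.4"
    }
  ' "$1"
}

# Number of findings, for scripting (0 means clean).
lint_issue_count() {   # $1 = path to the config file
  lint_vhost_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample that reproduces the problems discussed above.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost *:80>
    DocumentRoot "/web/vhosts/www1" //site root
    ServerName www1.std.com
    CustomLog "/var/log/httpd/www1/access_log" combined
    <Location /status>
        AllowOverride None
        SetHandler server-status
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
EOF

lint_vhost_conf "$SAMPLE_CONF"
```

Run it against `/etc/httpd/conf.d/vhost.conf` before reloading httpd; on the sample it reports lines 2, 6, 8 and 9.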
Set up HTTPS for www2.std.com so that users can reach this web site securely over https.

Environment:
CentOS 7 as the httpd server, IP 192.168.30.138
CentOS 6 builds a private CA that signs the CentOS 7 host's certificate (the CA host appears as 192.168.30.128 in the sessions below)

CentOS 6 acts as the CA, so it first has to issue itself a self-signed certificate.
Create the private key:
```
[root@test1 CA]# (umask 077 ; openssl genrsa -out /etc/pki/CA/private/cakey.pri 4096)
```
The umask in the subshell makes the key file readable by root only. Note that the stock /etc/pki/tls/openssl.cnf that `openssl ca` uses below expects the CA key at /etc/pki/CA/private/cakey.pem; with a different name such as cakey.pri, pass it explicitly with `-keyfile`.

Generate the self-signed certificate:
```
[root@test1 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pri -out /etc/pki/CA/cacert.pem -days 365
```
Fill in the certificate's subject fields when prompted.

Create the directories and files the CA needs:
```
[root@test1 CA]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
[root@test1 CA]# touch /etc/pki/CA/{serial,index.txt}
[root@test1 CA]# echo 01 > /etc/pki/CA/serial
```
OK, the CA's self-signed certificate is done. Next, generate a key and a certificate request on the httpd server and have the CA sign it.

httpd server

First generate a private key, then a certificate signing request.

Generate the key
```
[root@test2 ssl]# (umask 077 ; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
```
Generate the certificate request
```
[root@test2 ssl]# openssl req -new -key httpd.key -out httpd.csr
```
**Note that this only creates a request to be signed (a CSR), unlike the CA's self-signed certificate above. The key is the httpd.key just generated, and `-days` has no effect on a CSR; the validity period is set by the CA when it signs.**

Upload it to the CA for signing (the destination is the path the `openssl ca` command below reads)
```
[root@test2 ssl]# scp httpd.csr root@192.168.30.128:/tmp/httpd.csr
The authenticity of host '192.168.30.128 (192.168.30.128)' can't be established.
RSA key fingerprint is 2c:28:b3:8b:c1:06:7c:6f:88:c2:6b:68:68:f3:5d:ea.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.30.128' (RSA) to the list of known hosts.
root@192.168.30.128's password:
httpd.csr
```
Sign the certificate on CentOS 6
```
[root@test1 CA]# openssl ca -in /tmp/httpd.csr -out certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: May 12 04:52:51 2018 GMT
Not After : May 12 04:52:51 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
organizationName = Mageedu
organizationalUnitName = Ops
commonName = www1.std.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
16:ED:BE:9F:6C:EA:6F:20:84:AA:BC:5C:6C:EE:7A:BF:04:91:49:1B
X509v3 Authority Key Identifier:
keyid:03:EC:5C:E8:4F:67:5F:AF:05:49:73:EB:CE:7D:88:3E:C9:82:3B:80
Certificate is to be certified until May 12 04:52:51 2019 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
```
Two things in this output deserve attention. First, "TXT_DB error number 2" means `openssl ca` could not add the new row to index.txt because it clashes with an existing entry on a unique index (the serial number, or the subject name when unique_subject = yes, which is the default); the serial of 2 shows this is a retry after an earlier signing. No certificate is produced when the database update fails (the httpd.crt copied below is 0 bytes), so the signing has to be redone after checking index.txt and either revoking the earlier certificate (`openssl ca -revoke certs/<old>.crt`), setting `unique_subject = no` in the CA section, or making sure the serial file is ahead of every serial already recorded. Second, the request's commonName is www1.std.com while the HTTPS virtual host below serves www2.std.com; a browser reports a name mismatch unless the certificate's CN (or subjectAltName) matches the name the user typed, so the CSR should be generated with CN=www2.std.com.
After signing, scp the certificate back to the httpd server
```
[root@test1 CA]# scp certs/httpd.crt root@192.168.30.138:/etc/httpd/ssl/httpd_crt.pem
root@192.168.30.138's password:
httpd.crt 100% 0 0.0KB/s 00:00
[root@test1 CA]#
```
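The whole private-CA flow above (CA key and self-signed certificate, server key and CSR, signing with `openssl ca`), plus the two checks the notes skip, as an added example that is not part of the original post: it builds a throw-away CA in a temporary directory with its own minimal openssl.cnf instead of the stock /etc/pki/tls/openssl.cnf, issues a certificate for www2.std.com with a matching subjectAltName, verifies chain and hostname the way a browser would, and reproduces the "already have a certificate for this subject" failure and its fix by revocation. All paths, names and the CA subject are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: a throw-away private CA that
# reproduces the signing flow above and the failure mode seen in it.
set -e

CADIR=$(mktemp -d)     # stands in for /etc/pki/CA
SRVDIR=$(mktemp -d)    # stands in for /etc/httpd/ssl
SITE=www2.std.com      # hostname the HTTPS vhost serves

# Minimal openssl config for `openssl ca` and `openssl req` (constructed;
# the notes use the stock /etc/pki/tls/openssl.cnf instead).
cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca      = demo_ca
[ demo_ca ]
dir             = $CADIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
unique_subject  = yes
[ policy_any ]
commonName      = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF

# Same layout the notes create under /etc/pki/CA.
mkdir -p "$CADIR/certs" "$CADIR/crl" "$CADIR/newcerts" "$CADIR/private"
touch "$CADIR/index.txt"
echo 01 > "$CADIR/serial"

# CA side: private key (0600 via the umask) and self-signed CA certificate.
(umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
openssl req -new -x509 -key "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" \
  -days 365 -subj "/CN=Demo Private CA" -config "$CADIR/openssl.cnf"

# httpd side: key plus a CSR whose CN is the name the vhost will serve.
make_csr() {   # $1 = hostname
  (umask 077; openssl genrsa -out "$SRVDIR/httpd.key" 2048 2>/dev/null)
  openssl req -new -key "$SRVDIR/httpd.key" -out "$SRVDIR/httpd.csr" \
    -subj "/CN=$1" -config "$CADIR/openssl.cnf"
}

# CA side: sign the CSR, adding a subjectAltName so clients match the name.
# Returns openssl's exit status: non-zero when the subject is already in
# index.txt as a valid certificate (the clash behind "TXT_DB error number 2").
sign_csr() {   # $1 = hostname, $2 = output certificate
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$CADIR/ext.cnf"
  openssl ca -batch -notext -config "$CADIR/openssl.cnf" \
    -in "$SRVDIR/httpd.csr" -out "$2" -extfile "$CADIR/ext.cnf" >/dev/null 2>&1
}

# Client side: chain to our CA AND hostname match, as a browser checks.
verify_cert() {   # $1 = certificate, $2 = hostname the client connected to
  openssl verify -CAfile "$CADIR/cacert.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Mark a certificate revoked in index.txt so its subject can be reissued.
revoke_cert() {   # $1 = certificate
  openssl ca -config "$CADIR/openssl.cnf" -revoke "$1" >/dev/null 2>&1
}

make_csr "$SITE"
sign_csr "$SITE" "$SRVDIR/httpd_crt.pem"
openssl x509 -in "$SRVDIR/httpd_crt.pem" -noout -subject -ext subjectAltName
```

Signing the same CSR a second time fails until the first certificate is revoked; `verify_cert` passes for www2.std.com and fails for www1.std.com, which is exactly the mismatch a browser would show for the certificate issued in the session above.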
Configure the httpd server: to serve www2.std.com over HTTPS it is enough to describe the virtual host that needs https in the SSL configuration file. mod_ssl's conf.d/ssl.conf already contains the Listen line, a `<VirtualHost _default_:443>` block and `SSLEngine on`; the lines below are the ones to set inside that block.

```
[root@test2 httpd]# vim conf.d/ssl.conf
```

```apache
# listen on port 443 and speak only https on it
Listen 443 https

<VirtualHost _default_:443>
    # serve the same content as the port-80 www2 virtual host, over https
    DocumentRoot "/web/vhosts/www2"
    ServerName www2.std.com:443
    SSLEngine on
    # the certificate issued by the CA; this is what is sent to clients
    SSLCertificateFile /etc/httpd/ssl/httpd_crt.pem
    # the private key matching that certificate's public key. With RSA key
    # exchange the client encrypts the key material for the symmetric
    # session key with the certificate's public key, so the server needs
    # this key to decrypt it.
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
</VirtualHost>
```
5. Testing

I started a SUSE VM to use as the client. First I add the self-signed CA certificate to the browser's trusted authorities, so that certificates signed by this CA are trusted.

Fetch the CA's self-signed certificate
```
www1:~ # scp root@192.168.30.128:/etc/pki/CA/cacert.pem ./
```
Import the certificate into the browser's trust store.

5.4 After the import succeeds, test the https site.