CentOS6.7上搭建httpd-2.2
1.实验需求:
1、建立httpd服务,要求:
(1) 提供两个基于名称的虚拟主机www1,www2;有单独的错误日志和访问日志;
(2) 通过www1的/server-status提供状态信息,且仅允许tom用户访问;
(3) www2不允许192.168.0.0/24网络中任意主机访问;
2、为上面的第2个虚拟主机提供https服务
2.实验环境:
Linux服务器操作系统版本:CentOS release 6.7 (Final) IP:172.16.66.60
WIN7系统客户机:IP:172.16.250.100
3.实验前提:
1)关闭防火墙和SELinux
~]# service iptables stop
~]# setenforce 0
4.实验过程:
1.提供两个基于名称的虚拟主机www1,www2;有单独的错误日志和访问日志
一、安装服务
1.yum安装httpd-2.2
~]# yum install httpd -y
~]# rpm -qa httpd
~]# rpm -ql httpd
~]# rpm -qc httpd
~]# service httpd restart
~]# chkconfig httpd on
~]# ss -lnt
二、配置虚拟主机
~]# cat /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.66.60:80>
ServerName www1.magedu.com
DocumentRoot /data/vhosts/www1
ErrorLog logs/www1-error_log
CustomLog logs/www1-access_log combined
</VirtualHost>
~]# cat /etc/httpd/conf.d/www2.conf
<VirtualHost 172.16.66.60:80>
ServerName www2.magedu.com
DocumentRoot /data/vhosts/www2
ErrorLog logs/www2-error_log
CustomLog logs/www2-access_log combined
</VirtualHost>
三、修改配置参数:
1)备份原有的配置文件
~]# cp -p httpd.conf httpd.conf.bak
2)开启虚拟主机:NameVirtualHost
~]# sed -n '990p' /etc/httpd/httpd.conf
NameVirtualHost 172.16.66.60:80
3)创建站点目录:
~]# mkdir -pv /data/vhosts/www{1,2}
~]# echo "<h1> www1.magedu.com </h1>" > /data/vhosts/www1/index.html
~]# echo "<h1> www2.magedu.com </h1>" > /data/vhosts/www2/index.html
4)添加hosts域名解析
~]# echo " 172.16.66.60 www1.magedu.com www2.magedu.com " >> /etc/hsots
四、PC端上测试内容
1)在wind7上添加域名解析:路径:C:\Windows\System32\drivers\etc\hosts
2)用记事本打开hosts添加并保存:172.16.66.60 www1.magedu.com www2.magedu.com
3)测试都正常访问
2.通过www1的/server-status提供状态信息,且仅允许tom用户访问;
一、修改配置文件:
1)只允许tom用户访问/server-status;
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName "For tom"
AuthUserFile "/etc/httpd/conf/.htpasswd"
Require user tom
</Location>
2)创建虚拟用户tom文件
~]# htpasswd -c -m /etc/httpd/conf/.htpasswd tom
3)检查语法并重载配置文件
~]# httpd -t
~]# service httpd reload
二、在PC机浏览器中测试:
1)输入 http://172.16.66.60/server-status 需要用户tom认证才能访问
3、为上面的第2个虚拟主机提供https服务;
工作目录:/etc/pki/CA/
1)生成私钥
CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
2)生成自签证书
CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.',the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg,city) [Default City]:Beijing
Organization Name (eg,company) [Default Company Ltd]:liyang
Organizational Unit Name (eg,section) []:0ps
Common Name (eg,your name or your server's hostname) []:www2.magedu.com
Email Address []:magedu@com
3)提供辅助文件
CA]# touch index.txt
CA]# echo 01 > serial 序列号
二、节点申请证书
1)生成私钥
~]# mkdir -pv /etc/httpd/ssl
ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
2)生成证书签署请求:
ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg,your name or your server's hostname) []:www2.magedu.com
Email Address []:magedu@com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3)把请求发给CA
ssl]# cp httpd.csr /tmp/
三、CA签发证书 1)签署证书~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crtUsing configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details: Serial Number: 1 (0x1) Validity Not Before: Jul 12 13:01:20 2016 GMT Not After : Jul 12 13:01:20 2017 GMT Subject: countryName = CN stateOrProvinceName = Beijing organizationName = liyang organizationalUnitName = 0ps commonName = www2.magedu.com emailAddress = magedu@com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: F6:C2:E3:DC:3F:D9:50:39:52:43:35:BF:99:BC:FF:5E:26:EB:9E:29 X509v3 Authority Key Identifier: keyid:15:71:78:70:3E:9B:23:64:A0:37:DE:91:1E:6B:73:F6:AD:3C:A7:A7Certificate is to be certified until Jul 12 13:01:20 2017 GMT (365 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified,commit? [y/n]yWrite out database with 1 new entriesData Base Updated 2)把签署好的证书发还给请求者。~]# cp /etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/注意:本次私建CA在一台机器完成。四、配置httpd支持使用ssl,及使用的证书 1)yum安装mod_ssl模块~]# httpd -M | grep ssl ~]# yum install mod_ssl -y~]# rpm -ql mod_ssl/etc/httpd/conf.d/ssl.conf/usr/lib64/httpd/modules/mod_ssl.so 2)修改配置文件~]# cat /etc/httpd/conf.d/ssl.conf <VirtualHost _default_:443> DocumentRoot "/data/vhosts/www2" ServerName www2.magedu.com:443 ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log SSLProtocol all -SSLv2 SSLCertificateFile /etc/httpd/ssl/httpd.crt SSLCertificateKeyFile /etc/httpd/ssl/httpd.key </VirtualHost> 五、测试结果: 1)在PC机浏览器中测试:https://www2.magedu.com 通过443端口访问 2)在PC机浏览器中测试:http://www2.magedu.com 通过80端口访问