1. Set up an httpd server that provides two name-based virtual hosts 2. Provide HTTPS for the second virtual host above, so that users can access this web site securely over HTTPS ...
Assignment:
1. Set up an httpd server with the following requirements:
Provide two name-based virtual hosts:
(a) www1.buybybuy.com, with document root /web/vhosts/www1; error log /var/log/httpd/www1.err, access log /var/log/httpd/www1.access;
(b) www2.buybybuy.com, with document root /web/vhosts/www2; error log /var/log/httpd/www2.err, access log /var/log/httpd/www2.access;
(c) Create a home page file index.html for each virtual host, whose content is the corresponding hostname;
(d) Serve httpd status information at www1.buybybuy.com/server-status, and allow access only with a username and password (status:status);
2. Provide HTTPS for the second virtual host above, so that users can access this web site securely over HTTPS;
(1) Use certificate authentication; the certificate must carry the country (CN), state (Beijing), city (Beijing) and organization (Quintin Ltd);
(2) Set the department to Ops, the hostname to www2.buybybuy.com and the email to [email protected];
===============================================================================
Environment and materials:
Two CentOS 6 machines (one also works)
Apache 2.2
Domain name buybybuy.com
1. Set up the httpd server
Create the required directories:
# mkdir -p /web/vhosts/www{1,2}
(a), (b)
httpd ships with the system, so there is nothing to install.
Edit the httpd configuration file httpd.conf directly:
# vim /etc/httpd/conf/httpd.conf
Comment out:
DocumentRoot
Uncomment:
#NameVirtualHost *:80
Change:
ServerName localhost:80
Add the following virtual host configuration at the bottom:
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot /web/vhosts/www1
ServerName www1.buybybuy.com
ErrorLog logs/www1.err
CustomLog logs/www1.access combined
</VirtualHost>
<Directory /web/vhosts/www1>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot /web/vhosts/www2
ServerName www2.buybybuy.com
ErrorLog logs/www2.err
CustomLog logs/www2.access combined
</VirtualHost>
<Directory /web/vhosts/www2>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
After configuring this I ran into
Apache 403 error, (13)Permission denied: access to / denied
I went through httpd.conf and the directory permissions and found nothing wrong.
It turned out to be caused by SELinux being enabled on the system.
Disable SELinux temporarily:
setenforce 0
Disable it permanently:
vim /etc/selinux/config
Change
SELINUX=enforcing
to
SELINUX=disabled
Note: the same 403 can also be cleared with SELinux left enforcing by labelling the new document root with the httpd content type (chcon -R -t httpd_sys_content_t /web/vhosts), since the default policy restricts httpd to directories carrying an httpd content label and a freshly created /web/vhosts has none.
(c)
Create index.html in www1 and www2, with the content www1.buybybuy.com and www2.buybybuy.com respectively:
# vim /web/vhosts/www1/index.html
# vim /web/vhosts/www2/index.html
(d)
Create an access account and follow the prompts:
# htpasswd -c /etc/httpd/conf.d/.htpasswd webadmin
Edit httpd.conf and add:
<Location /server-status>
AuthType Basic
AuthName "Administrator privateeee"
AuthUserFile "/etc/httpd/conf.d/.htpasswd"
Require user "webadmin"
SetHandler server-status
Order deny,allow
Deny from all
Allow from 192.168.3.3
</Location>
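To check the two vhost blocks and the /server-status block above against the assignment, here is an added Python audit (example code written for this page, not part of the original write-up). It parses the directives the way httpd groups them, resolves the ServerRoot-relative logs/ paths to /var/log/httpd (on CentOS 6 /etc/httpd/logs is a symlink there, which is why logs/www1.err satisfies the /var/log/httpd/www1.err requirement) and confirms that /server-status sits behind Basic auth. The sample config is constructed and deliberately omits www2's CustomLog so that the audit has something to report.

```python
import re
# Constructed sample from the steps above (www2 vhost + /server-status); CustomLog is left out.
SAMPLE_CONF = """
<VirtualHost *:80>
DocumentRoot /web/vhosts/www2
ServerName www2.buybybuy.com
ErrorLog logs/www2.err
</VirtualHost>
<Location /server-status>
AuthType Basic
AuthUserFile "/etc/httpd/conf.d/.htpasswd"
Require user "webadmin"
SetHandler server-status
</Location>
"""
LOG_DIR = "/var/log/httpd"  # CentOS 6: /etc/httpd/logs is a symlink to this directory
SECTION_RE = re.compile(r"^<(\w+)\s+([^>]+)>$")

def parse_sections(text):
    sections, current = [], None  # each section: (kind, argument, {directive: value})
    for line in (raw.strip() for raw in text.splitlines()):
        opened = SECTION_RE.match(line)
        if opened:
            current = (opened.group(1), opened.group(2).strip(), {})
        elif line.startswith("</") and current:
            sections.append(current)
            current = None
        elif current and line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            current[2][name] = value.strip().replace('"', "")
    return sections

def audit(text):
    findings = []  # empty list means every requirement is met
    for kind, arg, d in parse_sections(text):
        if kind == "VirtualHost":
            host = d.get("ServerName", "?").split(".")[0]  # www1 / www2 fix the expected paths
            if d.get("DocumentRoot") != f"/web/vhosts/{host}":
                findings.append(f"{host}: DocumentRoot should be /web/vhosts/{host}")
            for key, ext in (("ErrorLog", "err"), ("CustomLog", "access")):
                path = d.get(key, "").split(" ")[0]  # CustomLog also names its log format
                if path.startswith("logs/"):  # ServerRoot-relative, reached through the symlink
                    path = LOG_DIR + path[4:]
                if path != f"{LOG_DIR}/{host}.{ext}":
                    findings.append(f"{host}: {key} must land at {LOG_DIR}/{host}.{ext}")
        elif kind == "Location" and arg == "/server-status":
            if not (d.get("SetHandler") == "server-status" and d.get("AuthType") == "Basic"
                    and "AuthUserFile" in d and d.get("Require", "").startswith(("user ", "valid-user"))):
                findings.append("/server-status: needs SetHandler, AuthType Basic, AuthUserFile and Require")
    return findings
```

Run audit() over the real /etc/httpd/conf/httpd.conf before httpd -t to catch a vhost whose logs would end up somewhere other than the required /var/log/httpd files.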
2. Set up HTTPS for www2.buybybuy.com
A self-signed certificate has to be generated with OpenSSL, so make sure OpenSSL (and mod_ssl) is installed:
# httpd -M | grep ssl
If it is missing, install it:
# yum install mod_ssl openssl
Set up a CA on server CentOS A, then have it issue the HTTPS certificate for the current server (CentOS B).
CentOS A:
Initialise the CA and create the files it needs (under /etc/pki/CA/):
# touch index.txt    (create the index file)
# echo 01 > serial    (create the serial-number file)
CA self-signed certificate
Generate the private key:
# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generate the self-signed certificate from the private key:
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
CentOS B:
# mkdir /etc/httpd/ssl
# cd /etc/httpd/ssl
Generate the key:
# (umask 007;openssl genrsa -out httpd.key 1024)
Generate the certificate signing request:
# openssl req -new -key httpd.key -out httpd.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Quintin Ltd
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.buybybuy.com
Email Address []:[email protected]
Send the generated request to the CA server, CentOS A:
# scp httpd.csr [email protected]:/tmp/
Back on CentOS A:
Sign it:
# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/www2.buybybuy.com.crt -days 365
Send the resulting crt back to CentOS B:
# scp /etc/pki/CA/certs/www2.buybybuy.com.crt [email protected]:/etc/httpd/ssl/
Back on CentOS B:
Configure httpd's SSL settings (ssl.conf):
# cd /etc/httpd/conf.d/
Back it up:
# cp ssl.conf{,.bak}
Edit ssl.conf
Change
<VirtualHost _default_:443>
to
<VirtualHost *:443>
DocumentRoot "/web/vhosts/www2"
ServerName www2.buybybuy.com
Certificate location
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
=>
SSLCertificateFile /etc/httpd/ssl/www2.buybybuy.com.crt
Private key location
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
=>
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
After configuring, check the configuration files for syntax errors:
# httpd -t
Restart httpd:
# service httpd restart
Check whether port 443 is now listening:
# ss -tnl
Test with s_client from CentOS A:
# openssl s_client -connect 192.168.3.60:443 -CAfile /etc/pki/CA/cacert.pem
GET / HTTP/1.1
Host: www2.buybybuy.com
HTTP/1.1 200 OK
Date: Wed, 05 Oct 2016 11:20:16 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Fri, 30 Sep 2016 13:33:02 GMT
ETag: "bf4e8-21-53db9a230598a"
Accept-Ranges: bytes
Content-Length: 33
Connection: close
Content-Type: text/html; charset=UTF-8
www2.buybybuy.com</br>
welcome!
Test successful!
In a browser, open:
https://www2.buybybuy.com