Quick HTTPS deployment
Apache httpd: setting up name-based VirtualHosts and HTTPS, a hands-on walkthrough.
Practice 1. Set up an httpd service with these requirements:
- Provide two name-based virtual hosts:
  www1.stuX.com, document root /web/vhosts/www1; error log /var/log/httpd/www1/error_log, access log /var/log/httpd/www1/access_log;
  www2.stuX.com, document root /web/vhosts/www2; error log /var/log/httpd/www2/error_log, access log /var/log/httpd/www2/access_log;
- Expose the server's status information at www1.stuX.com/server-status, accessible only to users who have been given an account;
- www1 must refuse hosts in the 192.168.1.0/24 network;
Setup steps:
1. yum install httpd
2. Deal with SELinux. Rather than switching it off, label the new document root so httpd is allowed to read it (semanage fcontext -a -t httpd_sys_content_t '/web/vhosts(/.*)?' followed by restorecon -R /web/vhosts); setenforce 0 is acceptable only while debugging. Then append one line at the end of the main config file /etc/httpd/conf/httpd.conf:
IncludeOptional vhosts.d/*.conf
The path is relative to ServerRoot (/etc/httpd) and must match the directory created in the next step: IncludeOptional silently includes nothing when the directory does not exist, so a typo such as vhost.d only shows up later as the default site answering for every name.
3. mkdir -p /etc/httpd/vhosts.d /web/vhosts/www1 /web/vhosts/www2 /var/log/httpd/www1 /var/log/httpd/www2 (httpd refuses to start when a directory named in ErrorLog is missing)
4. Name-based VirtualHosts only work if clients resolve the names to the web server, so the DNS server needs a zone for stuX.com. Add it to named's auxiliary zone configuration file:
~]# vim /etc/named.rfc1912.zones
zone "stuX.com" IN {
type master;
file "stuX.com.zone";
};
Then create the zone file (owned by root:named, mode 640):
vim /var/named/stuX.com.zone
$TTL 600
@ IN SOA stuX.com. admin.stuX.com. (
01
1H
5M
1W
6H )
IN NS dns1.stuX.com.
dns1.stuX.com. IN A 172.16.252.87
www1.stuX.com. IN A 172.16.252.39
www2.stuX.com. IN A 172.16.252.39
Check the zone with named-checkzone stuX.com /var/named/stuX.com.zone, then reload named (a reload is enough, no restart is needed):
]# service named reload
Confirm resolution from the web host with dig @172.16.252.87 www1.stuX.com before touching httpd.
5. vim /etc/httpd/vhosts.d/www1.conf
<VirtualHost *:80>
    ServerName www1.stuX.com
    DocumentRoot "/web/vhosts/www1"
    DirectoryIndex index.html index.htm
    ErrorLog "/var/log/httpd/www1/error_log"
    TransferLog "/var/log/httpd/www1/access_log"
    <Directory "/web/vhosts/www1">
        Options None
        AllowOverride None
        # requirement: refuse the 192.168.1.0/24 network, allow everyone else
        <RequireAll>
            Require all granted
            Require not ip 192.168.1.0/24
        </RequireAll>
    </Directory>
</VirtualHost>
6. Check the syntax with httpd -t, then restart the service:
systemctl restart httpd
7. Test the site (the client must use the DNS server configured above, or the name will not resolve):
elinks www1.stuX.com
8. Repeat the steps above for www2 (document root /web/vhosts/www2, logs under /var/log/httpd/www2, no network restriction).
9. Configure the status page. It is served by mod_status (status_module); confirm the module is loaded with httpd -M | grep status, then add to the www1 virtual host:
<Location "/server-status">
SetHandler server-status
Require ip 172.16
</Location>
10. Add authentication to the status page by extending the Location block with Basic-auth directives. Create the password file first with htpasswd -c /etc/httpd/vhosts.d/htpasswd apacheuser (omit -c when adding further users) and keep it outside every DocumentRoot. Basic auth sends the password base64-encoded, not encrypted, so on a plain-HTTP host it is only as private as the network path:
<Location "/server-status">
SetHandler server-status
AuthType Basic
AuthName "plz,Enter your access passwd"
AuthUserFile "/etc/httpd/vhosts.d/htpasswd"
Require user apacheuser
</Location>
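The whole of practice one (apart from DNS) as one idempotent script, added here as an example; it is not part of the original post. It writes both vhost files from the requirements above, including the RequireAll deny rule for www1 and the authenticated status page, and creates the document roots and per-vhost log directories. PREFIX is an assumption made so the script can be dry-run in a scratch directory (the default is a mktemp directory; set PREFIX=/ on the real host); the SELinux labelling and the IncludeOptional fix only happen when PREFIX points at the real root.

```shell
#!/bin/sh
# Added example (not from the original post): provision the two name-based
# vhosts of practice one. PREFIX is an assumption: it lets the same script
# dry-run under a scratch directory. PREFIX=/ targets the real host.
set -e

PREFIX=${PREFIX:-$(mktemp -d)}
PREFIX=${PREFIX%/}      # "/" becomes "" so "$PREFIX/etc" is "/etc"
CONF_DIR="$PREFIX/etc/httpd/vhosts.d"

# Emit one <VirtualHost> block on stdout.
# $1 = name (www1/www2), $2 = optional CIDR that must be refused.
render_vhost() {
  name=$1; deny=${2:-}
  cat <<EOF
<VirtualHost *:80>
    ServerName $name.stuX.com
    DocumentRoot "/web/vhosts/$name"
    DirectoryIndex index.html index.htm
    ErrorLog "/var/log/httpd/$name/error_log"
    TransferLog "/var/log/httpd/$name/access_log"
    <Directory "/web/vhosts/$name">
        Options None
        AllowOverride None
EOF
  if [ -n "$deny" ]; then
    # RequireAll: grant everyone, then carve out the refused network.
    cat <<EOF
        <RequireAll>
            Require all granted
            Require not ip $deny
        </RequireAll>
EOF
  else
    echo "        Require all granted"
  fi
  echo "    </Directory>"
  # The authenticated status page is a requirement for www1 only.
  if [ "$name" = www1 ]; then
    cat <<EOF
    <Location "/server-status">
        SetHandler server-status
        AuthType Basic
        AuthName "plz,Enter your access passwd"
        AuthUserFile "/etc/httpd/vhosts.d/htpasswd"
        Require user apacheuser
    </Location>
EOF
  fi
  echo "</VirtualHost>"
}

# Create docroot, per-vhost log dir (httpd will not start without it) and a
# placeholder page, then write the vhost file.
provision_vhost() {
  name=$1; deny=${2:-}
  mkdir -p "$PREFIX/web/vhosts/$name" "$PREFIX/var/log/httpd/$name" "$CONF_DIR"
  [ -e "$PREFIX/web/vhosts/$name/index.html" ] || \
    echo "<h1>$name.stuX.com</h1>" > "$PREFIX/web/vhosts/$name/index.html"
  render_vhost "$name" "$deny" > "$CONF_DIR/$name.conf"
}

provision_all() {
  provision_vhost www1 192.168.1.0/24
  provision_vhost www2
  # Make sure httpd.conf pulls the directory in; the Include path must name
  # vhosts.d, the directory that actually exists.
  main_conf="$PREFIX/etc/httpd/conf/httpd.conf"
  if [ -f "$main_conf" ] && ! grep -q '^IncludeOptional vhosts.d/\*.conf' "$main_conf"; then
    echo 'IncludeOptional vhosts.d/*.conf' >> "$main_conf"
  fi
  # Label the new docroot for SELinux instead of turning SELinux off
  # (real host only: semanage does not take a prefix).
  if [ -z "$PREFIX" ] && command -v semanage >/dev/null 2>&1; then
    semanage fcontext -a -t httpd_sys_content_t '/web/vhosts(/.*)?' 2>/dev/null || true
    restorecon -R /web/vhosts
  fi
}

provision_all
echo "vhost files written under ${PREFIX:-/}"
# On the real host, finish with:
#   htpasswd -c /etc/httpd/vhosts.d/htpasswd apacheuser && httpd -t && systemctl restart httpd
```

After running it on the real host, curl -u apacheuser http://www1.stuX.com/server-status should answer 200, the same URL without credentials 401, and a request from a 192.168.1.0/24 address 403.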
Practice 2. Provide HTTPS for the second virtual host above, so that users can reach the site securely over https;
- Use certificate authentication; the certificate must carry country (CN), state (Beijing), city (Beijing) and organization (ZX);
- Set the organizational unit to Ops and the host name to www2.stuX.com;
Setup steps:
1. Obtain a certificate for the host
On the CA server (172.16.252.87, the CA tree is /etc/pki/CA):
1. Generate the CA's private key
(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
2. Issue the CA its own self-signed certificate. Without -days the validity defaults to 30 days, so give it a long one. The distinguished name matters: the signing policy in the stock openssl.cnf (policy_match) requires the C, ST and O of every request to match the CA certificate, otherwise openssl ca refuses to sign.
openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/cakey.pem -subj "/C=CN/ST=Beijing/L=Beijing/O=ZX/CN=ZX CA" -out /etc/pki/CA/cacert.pem
3. Create the files openssl ca uses to record what it has signed:
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial    # serial number given to the next certificate
On the host requesting the certificate (www2.stuX.com):
1. Generate the server's private key
(umask 077; openssl genrsa -out httpd.key 2048)
2. Generate the certificate signing request with the required DN (-days has no effect on a request; the validity is decided by the CA when it signs):
openssl req -new -key httpd.key -subj "/C=CN/ST=Beijing/L=Beijing/O=ZX/OU=Ops/CN=www2.stuX.com" -out httpd.csr
3. Deliver the request to the CA through a trusted channel. The CSR itself is not secret, but the CA must be sure it is signing the request the site actually generated; the private key never leaves the web host.
scp httpd.csr root@172.16.252.87:/tmp/
The CA server signs the request:
openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
and returns the signed certificate to the web host (e.g. scp /etc/pki/CA/certs/httpd.crt root@172.16.252.39:/tmp/). The CA certificate /etc/pki/CA/cacert.pem, and never cakey.pem, is what clients will later import.
2. On the web host, install the mod_ssl package
~]# yum install mod_ssl
It ships /etc/httpd/conf.d/ssl.conf with a <VirtualHost _default_:443> block. Edit that block as follows, keeping the stock SSLEngine, SSLProtocol and SSLCipherSuite lines in place. Keep _default_:443 (or *:443) in the VirtualHost line rather than a host name: Apache resolves a name there at start-up, which makes httpd's start depend on DNS.
<VirtualHost _default_:443>
    DocumentRoot "/web/vhosts/www2"
    ServerName www2.stuX.com:443
    ErrorLog "/var/log/httpd/www2/error_log"
    TransferLog "/var/log/httpd/www2/access_log"
    <Directory "/web/vhosts/www2">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
</VirtualHost>
3. Create /etc/httpd/ssl and move the site's private key and the signed certificate into it; the key must be readable by root only (chmod 600 /etc/httpd/ssl/httpd.key). Mind the pairing: SSLCertificateFile takes the certificate (httpd.crt) and SSLCertificateKeyFile takes the private key (httpd.key). With the two swapped httpd fails to start and reports that it cannot read the certificate or that key and certificate do not match.
4. Check the configuration and restart httpd
httpd -t && systemctl restart httpd
5. Import the CA's self-signed certificate (cacert.pem) into the client's browser trust store, after which https://www2.stuX.com/ loads without a warning. From the command line, openssl s_client -connect www2.stuX.com:443 -servername www2.stuX.com -CAfile cacert.pem should end with "Verify return code: 0 (ok)". Note that current browsers match the host name against a subjectAltName extension and ignore the CN for that purpose; a certificate that carries the name only in the CN is rejected by Chrome and Firefox even when the CA is trusted, so have the CA add subjectAltName = DNS:www2.stuX.com when signing.
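The CA and request steps above, plus the checks a practitioner runs before copying the files into /etc/httpd/ssl, as one self-contained script. This is an added example and not the original post's commands: it uses the same genrsa / req / ca subcommands, but drives them from a config file it writes itself so it runs anywhere without prompts. Assumptions: the CA lives under the directory passed to build_pki instead of /etc/pki/CA, the CA subject is "/C=CN/ST=Beijing/L=Beijing/O=ZX/CN=ZX Root CA" (C, ST and O must match the CSR because of policy_match), and the CA adds a subjectAltName for www2.stuX.com when it signs.

```shell
#!/bin/sh
# Added example (not from the original post): private CA + server cert for
# www2.stuX.com. $1 of every function is the CA directory (assumption:
# a scratch dir replaces /etc/pki/CA so the script runs unprivileged).
set -e

HOST=www2.stuX.com

# CA layout that `openssl ca` expects (index.txt, serial, newcerts/, private/)
# plus a minimal config covering both `req` and `ca`.
setup_ca() {
  dir=$1
  mkdir -p "$dir/private" "$dir/newcerts" "$dir/certs"
  chmod 700 "$dir/private"
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca

[ local_ca ]
database        = $dir/index.txt
serial          = $dir/serial
new_certs_dir   = $dir/newcerts
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = server_ext

# Same policy as the stock CentOS openssl.cnf: C, ST and O in the request
# must equal the CA certificate's, or signing is refused.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:$HOST
EOF
  (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -sha256 -days 3650 -config "$dir/ca.cnf" \
    -key "$dir/private/cakey.pem" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=ZX/CN=ZX Root CA" -out "$dir/cacert.pem"
}

# Web-host side: private key and CSR carrying the DN from the requirements.
make_server_request() {
  dir=$1
  (umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null)
  openssl req -new -sha256 -config "$dir/ca.cnf" -key "$dir/httpd.key" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=ZX/OU=Ops/CN=$HOST" -out "$dir/httpd.csr"
}

# CA side: sign; -batch answers the y/n prompts, -notext keeps the file PEM-only.
sign_request() {
  dir=$1
  openssl ca -batch -notext -config "$dir/ca.cnf" -days 365 \
    -in "$dir/httpd.csr" -out "$dir/certs/httpd.crt"
}

verify_chain() {      # prints "<path>: OK" when the cert chains to the CA
  openssl verify -CAfile "$1/cacert.pem" "$1/certs/httpd.crt"
}
cert_subject() {      # RFC 2253 form, e.g. subject=CN=www2.stuX.com,OU=Ops,...
  openssl x509 -in "$1/certs/httpd.crt" -noout -subject -nameopt RFC2253
}
cert_has_san() {      # browsers match the host against SAN, not CN
  openssl x509 -in "$1/certs/httpd.crt" -noout -text | grep -q "DNS:$HOST"
}
key_matches_cert() {  # the check that catches swapped key/cert paths in ssl.conf
  [ "$(openssl pkey -in "$1/httpd.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$1/certs/httpd.crt" -pubkey -noout)" ]
}
build_pki() {         # whole flow: build_pki /path/to/ca-dir
  setup_ca "$1" && make_server_request "$1" && sign_request "$1"
}

if command -v openssl >/dev/null 2>&1; then
  demo=$(mktemp -d)
  build_pki "$demo"
  verify_chain "$demo"
  cert_subject "$demo"
fi
```

Copy $dir/httpd.key and $dir/certs/httpd.crt to /etc/httpd/ssl on the web host and hand $dir/cacert.pem to the clients; only cacert.pem ever leaves the CA machine.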