1. 程式人生 > >基於httpd-2.2配置虛擬主機web站點,並提供https服務(一)

基於httpd-2.2配置虛擬主機web站點,並提供https服務(一)

基於主機名的虛擬主機配置 為虛擬主機提供https服務

使用httpd-2.2和httpd-2.4實現

> 1.建立httpd服務,要求:

> 1) 提供兩個基於名稱的虛擬主機www1, www2;要求每個虛擬主機都有單獨的錯誤日誌和訪問日誌;

> 2) 通過www1的/server-status提供狀態信息,且僅允許172.16.0.1主機訪問;

> 3) www2不允許192.168.1.0/24網絡中任意主機訪問;

> 2.為上面的第2)個虛擬主機提供https服務。

>


使用httpd-2.2實現基於主機名的虛擬主機服務,並提供https服務:

1.準備:(1)在VMwareWorkstation平臺下的CentOS6.9一枚;(2)真實機客戶端一個;

2.環境:(1)CentOS6.9系統中安裝httpd應用程序並啟動httpd服務;(2)關閉防火墻;(3)設置SELinux;

(1) [root@chenliang ~]# yum -y install httpd

[root@chenliang ~]# service httpd start

正在啟動 httpd:

(2) [root@chenliang ~]# iptables -F

(3) [root@chenliang ~]# setenforce 0

3.操作步驟:

[root@chenliang ~]# cd /etc/httpd/conf

[root@chenliang conf]# vim httpd.conf

NameVirtualHost 172.16.69.1:80 //在httpd.conf配置文件中添加這一行,IP地址要和下面設置的虛擬機文件保持一致

[root@chenliang conf]# cd ../conf.d //在配置虛擬主機時,我們在/etc/httpd/conf.d片段配置文件中設置

[root@chenliang conf.d]# ls

manual.conf mod_dnssd.conf README ssl.conf welcome.conf

[root@chenliang conf.d]# vim www1.conf //設置虛擬主機www1

>

<VirtualHost 172.16.69.1:80> //這裏的IP地址和端口號要和主配置文件/etc/httpd/conf/httpd.conf中的虛擬機配置設置的IP一致

> DocumentRoot /var/www/www1 //www1站點的資源路徑映射

> ServerName www1.cl.com //這就是基於主機名設置虛擬主機

> ErrorLog logs/www1-error_log //每個虛擬主機都有單獨的錯誤日誌

> CustomLog logs/www1-access_log combined //每個虛擬主機都有單獨訪問日誌

>

> <Location /server-status>

> SetHandler server-status

> Order deny,allow

> Deny from all

> Allow from 172.16.0.1 //通過www1的/server-status提供狀態信息,且僅允許172.16.0.1主機訪問

> </Location>

>

> </VirtualHost>

[root@chenliang conf.d]# vim www2.conf

> <VirtualHost 172.16.69.1:80> // 這裏的IP地址和端口號要和主配置文件/etc/httpd/conf/httpd.conf中的虛擬機配置設置的IP一致

> DocumentRoot /var/www/www2 //www2站點的資源路徑映射

> ServerName www2.cl.com

> ErrorLog logs/www2-error_log //每個虛擬主機都有單獨的錯誤日誌

> CustomLog logs/www2-access_log combined //每個虛擬主機都有單獨訪問日誌

>

> <Directory "/var/www/www2">

> Options None

> AllowOverride None

> Order deny,allow

> Deny from 192.168.1.0/24 //www2不允許192.168.1.0/24網絡中任意主機訪問

> </Directory>

>

> </VirtualHost>

[root@chenliang conf.d]# mkdir -pv /var/www/www{1,2} //為web站點的資源提供路徑映射

mkdir: 已創建目錄 "/var/www/www1"

mkdir: 已創建目錄 "/var/www/www2"

[root@chenliang conf.d]# echo "WWW1's web site~~" >> //var/www/www1/index.html //創建web站點首頁文件並添加內容

[root@chenliang conf.d]# echo "WWW2's web site~~" >> //var/www/www2/index.html

[root@chenliang conf.d]# httpd -t //檢查編寫的虛擬主機語法有沒有錯誤

httpd: apr_sockaddr_info_get() failed for chenliang

httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

Syntax OK //語法OK

[root@chenliang conf.d]# service httpd restart //在每一次配置好httpd服務後要重新啟動服務

停止 httpd: [確定]

正在啟動 httpd:httpd: apr_sockaddr_info_get() failed for chenliang

httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

[確定]

4.測試:

創建的虛擬主機web站點:

打開主機的真實主機進行測試,首先更改一下系統C盤下\Windows\System32\drivers\etc\hosts文件,在最下面添加配置的虛擬主機web站點:172.16.69.1 www1.cl.com www2.cl.com

結果:

技術分享圖片

技術分享圖片

5.提供https服務:

1)建立私有CA:

創建CA的私鑰文件:

[root@chenliang CA]# (umask 077; openssl genrsa -out private/cakey.pem 4096)

Generating RSA private key, 4096 bit long modulus

...............................................................................................................................................................................................................++

......................................................++

e is 65537 (0x10001)

生成自簽證書:

[root@chenliang CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:HeBei

Locality Name (eg, city) [Default City]:Handan

Organization Name (eg, company) [Default Company Ltd]:CL

Organizational Unit Name (eg, section) []:Tech

Common Name (eg, your name or your server's hostname) []:chenliang

Email Address []:

[root@chenliang CA]# ls //查看創建的證書文件

cacert.pem certs crl newcerts private

[root@chenliang CA]# touch /etc/pki/CA/index.txt //完善CA所必需目錄級文件要求和文本文件級文件要求

[root@chenliang CA]# echo 01 > /etc/pki/CA/serial

2)創建https站點:{有個前提要安裝httpd模塊列表中的mod_ssl模塊}

[root@chenliang ~]# mkdir /etc/httpd/ssl

[root@chenliang ~]# cd /etc/httpd/ssl

[root@chenliang ssl]# (umask 077;openssl genrsa -out httpd.key 4096)

Generating RSA private key, 4096 bit long modulus

.....................................................................................++

.......................................................................................................................................................................................................................................................................................................................................................................................................................................................++

e is 65537 (0x10001)

[root@chenliang ssl]# openssl req -new -key httpd.key -out httpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:HeBei

Locality Name (eg, city) [Default City]:Handan

Organization Name (eg, company) [Default Company Ltd]:CL

Organizational Unit Name (eg, section) []:Tech

Common Name (eg, your name or your server's hostname) []:chenliang

Email Address []:


A challenge password []:123456

An optional company name []:chenliang

將證書請求發送到CA:~]# scp httpd.csr CA_SERVER:/tmp //因為這裏是創建的私有CA,所以不使用此命令,跳過

在CA上為此次請求簽發證書:

[root@chenliang ssl]# cd /etc/pki/CA

[root@chenliang CA]# ls

cacert.pem certs crl index.txt newcerts private serial

[root@chenliang CA]# openssl ca -in /etc/httpd/ssl/httpd.csr -out certs/httpd.crt

[root@chenliang CA]# ls certs/

httpd.crt

在httpd服務器上,刪除證書請求文件:

[root@chenliang CA]# cp certs/httpd.crt /etc/httpd/ssl/

[root@chenliang CA]# cd -

/etc/httpd/ssl

[root@chenliang ssl]# ls

httpd.crt httpd.csr httpd.key

[root@chenliang ssl]# rm -f httpd.csr

[root@chenliang ssl]# ls

httpd.crt httpd.key

在httpd服務器上配置ssl支持:

1) 保證mod_ssl模塊被正確裝載;如果沒有,則需要單獨安裝:yum install -y mod_ssl

2) 配置https的虛擬主機:

[root@chenliang conf.d]# vim ssl.conf

<VirtualHost 172.16.69.1:443>

DocumentRoot "/var/www/www2"

ServerName www2.cl.com:443

SSLCertificateFile /etc/httpd/ssl/httpd.crt

SSLCertificateKeyFile /etc/httpd/ssl/httpd.key


測試https建立是否成功:

重啟服務:

[root@chenliang conf.d]# service httpd restart

停止 httpd: [確定]

正在啟動 httpd:httpd: apr_sockaddr_info_get() failed for chenliang

httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

[確定]


在真實主機上(因為我們是私有證書是不受信任的):

技術分享圖片

添加例外後:

技術分享圖片



至此,httpd-2.2基於主機名建立虛擬主機並實現web站點的https服務完成。












基於httpd-2.2配置虛擬主機web站點,並提供https服務(一)