Implement the following with both httpd-2.2 and httpd-2.4
1. Set up an httpd service that meets these requirements:
(1) Provide two name-based virtual hosts, www1 and www2, each with its own error log and access log;
(2) Expose status information at /server-status on www1, accessible only to the user tom;
(3) www2 must not be reachable from any host in the 192.168.0.0/24 network.
Preparation
Prepare three virtual machines: a CentOS 7 box running httpd-2.4, a CentOS 6 box running httpd-2.2, and a third box that acts as the CA and as the test client.
First stop iptables and disable SELinux on all three machines.
Install mod_ssl with yum on all three machines.
CentOS 6 ip 172.16.55.6
CentOS 7 ip 172.16.55.7
CA and test client ip 172.16.55.11
Part 1
=========================
The httpd service on CentOS 6 is version 2.2
Install httpd-2.2
yum install -y httpd
Edit the main configuration file and add the NameVirtualHost directive
vim /etc/httpd/conf/httpd.conf
Below line 990
NameVirtualHost 172.16.55.6:80
Add one configuration file per virtual host, including its log directives
vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.55.6:80>
    ServerName www1.magedu.com
    DocumentRoot /data/vhosts/www1
    ErrorLog logs/www1-error_log
    CustomLog logs/www1-access_log combined
</VirtualHost>
vim /etc/httpd/conf.d/www2.conf
<VirtualHost 172.16.55.6:80>
    ServerName www2.magedu.com
    DocumentRoot /data/vhosts/www2
    ErrorLog logs/www2-error_log
    CustomLog logs/www2-access_log combined
</VirtualHost>
Then create the site content
mkdir -p /data/vhosts/www{1,2}
vim /data/vhosts/www1/index.html
11111
vim /data/vhosts/www2/index.html
22222
Edit the hosts file to add name resolution for the two sites
vim /etc/hosts
add: 172.16.55.6 www1.magedu.com www2.magedu.com
Syntax check
httpd -t
Then check that the port is listening and the service is running
ss -ntl
ps aux
Restart the service, then check in a browser whether 172.16.55.7 can be resolved
The httpd service on CentOS 7 is version 2.4
Install httpd-2.4
yum install -y httpd
Look over the main configuration file; with httpd-2.4 no NameVirtualHost directive is needed
Add one configuration file per virtual host, including its log directives
vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.55.7:80>
    ServerName www1.magedu.com
    DocumentRoot /data/vhosts/www1
    ErrorLog logs/www1-error_log
    CustomLog logs/www1-access_log combined
    <Directory "/data/vhosts/www1">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
vim /etc/httpd/conf.d/www2.conf
<VirtualHost 172.16.55.7:80>
    ServerName www2.magedu.com
    DocumentRoot /data/vhosts/www2
    ErrorLog logs/www2-error_log
    CustomLog logs/www2-access_log combined
    <Directory "/data/vhosts/www2">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
Then create the site content
mkdir -p /data/vhosts/www{1,2}
vim /data/vhosts/www1/index.html
11111
vim /data/vhosts/www2/index.html
22222
Edit the hosts file to add name resolution for the two sites
vim /etc/hosts
add: 172.16.55.7 www1.magedu.com www2.magedu.com
Syntax check
httpd -t
Then check that the port is listening and the service is running
ss -ntl
ps aux
Restart the service, then check in a browser whether 172.16.55.7 can be resolved
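The www2.conf file is normally produced by copying www1.conf, which is exactly how a <VirtualHost> address left at the other machine's ip, or a <Directory> path still pointing at www1, slips in. The script below is an added example and not part of the original post: it takes the conf.d files as arguments and checks that each <Directory> path matches its DocumentRoot and that all name-based hosts bind the same addr:port, so the slip is caught before httpd -t (which accepts both mistakes as valid syntax).

```shell
#!/bin/sh
# Added example (not from the original post): lint the www*.conf files above.
# It flags the two copy/paste slips that break name-based hosting:
#   1. a <Directory> path that differs from the vhost's DocumentRoot, so the
#      access rules apply to the wrong tree;
#   2. <VirtualHost addr:port> values that differ between files, so httpd
#      no longer treats the hosts as name-based on one address.
# Usage: lint_vhosts /etc/httpd/conf.d/www1.conf /etc/httpd/conf.d/www2.conf
# Prints one line per problem and returns 1 if any was found, 0 otherwise.

lint_vhosts() {
    problems=0
    addrs=""
    for f in "$@"; do
        # first <VirtualHost ...>, DocumentRoot and <Directory ...> in the file
        addr=$(awk '/^[ \t]*<VirtualHost[ \t]/ { sub(/.*<VirtualHost[ \t]+/, ""); sub(/>.*/, ""); print; exit }' "$f")
        root=$(awk '$1 == "DocumentRoot" { gsub(/"/, "", $2); print $2; exit }' "$f")
        dirp=$(awk '/^[ \t]*<Directory[ \t]/ { sub(/.*<Directory[ \t]+/, ""); sub(/>.*/, ""); gsub(/"/, ""); print; exit }' "$f")
        if [ -z "$addr" ]; then
            echo "$f: no <VirtualHost> block found"
            problems=$((problems + 1))
            continue
        fi
        if [ -n "$dirp" ] && [ "$dirp" != "$root" ]; then
            echo "$f: <Directory $dirp> does not match DocumentRoot $root"
            problems=$((problems + 1))
        fi
        addrs="$addrs $addr"
    done
    # name-based vhosts must all bind the same addr:port
    distinct=$(printf '%s\n' $addrs | sort -u | wc -l | tr -d ' ')
    if [ "$distinct" -gt 1 ]; then
        echo "vhosts bind different addresses:$addrs"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Demo on constructed files: www2.conf here carries both slips
# (172.16.55.6 instead of .7, and <Directory> still pointing at www1).
demo=$(mktemp -d)
cat > "$demo/www1.conf" <<'EOF'
<VirtualHost 172.16.55.7:80>
    ServerName www1.magedu.com
    DocumentRoot /data/vhosts/www1
    <Directory "/data/vhosts/www1">
        Require all granted
    </Directory>
</VirtualHost>
EOF
cat > "$demo/www2.conf" <<'EOF'
<VirtualHost 172.16.55.6:80>
    ServerName www2.magedu.com
    DocumentRoot /data/vhosts/www2
    <Directory "/data/vhosts/www1">
        Require all granted
    </Directory>
</VirtualHost>
EOF
lint_vhosts "$demo/www1.conf" "$demo/www2.conf" || echo "fix www2.conf before reloading httpd"
rm -rf "$demo"
```

Run it against the real files after editing them and before the reload; it only reads the first <VirtualHost>, DocumentRoot and <Directory> of each file, which matches the one-vhost-per-file layout used here.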
Part 2
============================
On CentOS 6 (ip 172.16.55.6)
First add a virtual user named tom
htpasswd -c -m /etc/httpd/conf/.htpasswd tom
Edit the configuration file of virtual host www1
vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.55.6:80>
    ServerName www1.magedu.com
    DocumentRoot /data/vhosts/www1
    ErrorLog logs/www1-error_log
    CustomLog logs/www1-access_log combined
    <Location /server-status>
        SetHandler server-status
        AuthType Basic
        AuthName "For tom"
        AuthUserFile "/etc/httpd/conf/.htpasswd"
        Require user tom
    </Location>
</VirtualHost>
The <Location> block goes inside the www1 <VirtualHost>; placed outside it, it would apply to www2 as well.
After the syntax check passes, reload the service configuration
httpd -t
service httpd reload
In the browser, open 172.16.55.6/server-status
As the figure below shows, the page can only be accessed after entering tom's account and password
On CentOS 7 (ip 172.16.55.7)
First add a virtual user named tom
htpasswd -c -m /etc/httpd/conf/.htpasswd tom
Edit the configuration file of virtual host www1
Add the following inside the www1 <VirtualHost> block, before the closing </VirtualHost>
<Location /server-status>
    SetHandler server-status
    AuthType Basic
    AuthName "For tom"
    AuthUserFile "/etc/httpd/conf/.htpasswd"
    Require user tom
</Location>
After the syntax check passes, reload the service configuration
httpd -t
service httpd reload
In the browser, open 172.16.55.7/server-status
As the figure shows, the page can only be accessed after entering tom's account and password
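htpasswd -m stores Apache-MD5 ("$apr1$") hashes, and openssl passwd -apr1 produces the same format, so tom's entry can be verified without going through the web server, and the protected page can be probed from the test client with curl. The following script is an added example, not part of the original post; the user file path, user name and password it takes are assumed inputs, and the "secret" password in the demo is a constructed value.

```shell
#!/bin/sh
# Added example, not part of the original post. "htpasswd -m" writes Apache-MD5
# ("$apr1$") hashes, and "openssl passwd -apr1" produces the same format, so an
# entry in .htpasswd can be checked without touching the web server. Assumed
# inputs: path of the user file, user name, password to test.

# htpasswd_hash FILE USER: print the hash stored for USER (nothing if absent)
htpasswd_hash() {
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# htpasswd_check FILE USER PASSWORD -> 0 if PASSWORD matches the stored hash.
# The salt is the field between the second and third '$' of the entry.
htpasswd_check() {
    stored=$(htpasswd_hash "$1" "$2")
    case $stored in
        '$apr1$'*) ;;
        *) return 1 ;;   # unknown user, or an entry not written with -m
    esac
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    computed=$(printf '%s\n' "$3" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$computed" = "$stored" ]
}

# probe_status HOST USER PASSWORD: from the test client, anonymous should
# give 401 and USER should give 200. HOST is 172.16.55.6 or 172.16.55.7 here.
probe_status() {
    host=$1; user=$2; password=$3
    printf 'anonymous -> %s\n' "$(curl -s -o /dev/null -w '%{http_code}' "http://$host/server-status")"
    printf '%s -> %s\n' "$user" "$(curl -s -o /dev/null -w '%{http_code}' -u "$user:$password" "http://$host/server-status")"
}

# Offline demo on a constructed user file (tom's password is "secret").
f=$(mktemp)
printf 'tom:%s\n' "$(printf 'secret\n' | openssl passwd -apr1 -salt Xy9Qk2Lm -stdin)" > "$f"
htpasswd_check "$f" tom secret && echo "tom/secret: accepted"
htpasswd_check "$f" tom wrong  || echo "tom/wrong: rejected"
rm -f "$f"
# probe_status 172.16.55.6 tom secret   # run from 172.16.55.11 once httpd is reloaded
```

Basic authentication only base64-encodes the credentials, so on port 80 tom's password crosses the network in the clear on every request; the TLS setup in Part 3 is what keeps it confidential.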
Part 2, requirement (3)
Do this on CentOS 6 first
www2 must not be reachable from any host in 192.168.0.0/24
Edit the www2 configuration file directly
vim /etc/httpd/conf.d/www2.conf
Add a <Directory> section inside the www2 <VirtualHost> block, so the file becomes
<VirtualHost 172.16.55.6:80>
    ServerName www2.magedu.com
    DocumentRoot /data/vhosts/www2
    ErrorLog logs/www2-error_log
    CustomLog logs/www2-access_log combined
    <Directory /data/vhosts/www2>
        Options None
        AllowOverride None
        Order deny,allow
        Deny from 192.168.0.0/24
    </Directory>
</VirtualHost>
The procedure on CentOS 7 is the same
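Two things are worth checking before trusting the rule above. First, which clients "Deny from" really covers: with "Order deny,allow" the default is allow, so only addresses inside the listed network are refused, and a mistyped network such as 192.16.0.0/24 silently blocks the wrong hosts while 192.168.0.x stays allowed. Second, the httpd-2.4 form of the rule: on CentOS 7 "Order" and "Deny from" are still accepted only because the legacy mod_access_compat module is loaded, and the 2.4 documentation advises against mixing them with "Require all granted" in the same <Directory>. The script below is an added example, not part of the original post; it models the 2.2 decision with plain sh arithmetic and prints the equivalent 2.4 block using <RequireAll> with "Require not ip".

```shell
#!/bin/sh
# Added example, not part of the original post. Two checks on the www2 rule:
#   1. which clients "Deny from NET" really covers: with "Order deny,allow"
#      the default is allow, so only addresses inside NET are refused and a
#      mistyped network (say 192.16.0.0/24) silently blocks the wrong hosts;
#   2. the httpd-2.4 form of the rule, since Order/Deny there come from the
#      legacy mod_access_compat and mixing them with "Require all granted"
#      is discouraged by the 2.4 documentation.
# Only POSIX sh arithmetic is used; no network access is needed.

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NET/PREFIX -> 0 when IP lies inside NET/PREFIX
in_cidr() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# decide_2_2 CLIENT NET: model of "Order deny,allow" + "Deny from NET",
# i.e. default allow, deny only for clients inside NET. Prints allow|deny.
decide_2_2() {
    if in_cidr "$1" "$2"; then echo deny; else echo allow; fi
}

# www2_directory_2_4 NET: equivalent <Directory> block for httpd-2.4. Inside
# <RequireAll> every Require must pass, so "Require not ip" subtracts NET.
www2_directory_2_4() {
    cat <<EOF
<Directory /data/vhosts/www2>
    Options None
    AllowOverride None
    <RequireAll>
        Require all granted
        Require not ip $1
    </RequireAll>
</Directory>
EOF
}

# Demo: the test client plus one address on each side of the boundary
for client in 172.16.55.11 192.168.0.77 192.168.1.77; do
    echo "$client -> $(decide_2_2 "$client" 192.168.0.0/24)"
done
echo "httpd-2.4 equivalent for /etc/httpd/conf.d/www2.conf:"
www2_directory_2_4 192.168.0.0/24
```

On CentOS 7 the printed block can replace the Order/Deny lines in www2.conf; httpd -t then reports any mistake in the Require syntax, which the 2.2-style directives would not.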
Part 3
=====172.16.55.11=====
First create the CA key and issue the CA certificate
yum install -y mod_ssl
cd /etc/pki/CA
(umask 077; openssl genrsa -out private/cakey.pem 2048)
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:magedu@admin.com
Create the supporting files
touch index.txt
echo 01 > serial
Then create the private key and the certificate request on CentOS 6
mkdir -pv /etc/httpd/ssl
cd /etc/httpd/ssl/
(umask 077; openssl genrsa -out httpd.key 1024)
openssl req -new -key httpd.key -out httpd.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www2.magedu.com
Email Address []:www2@admin.com
scp httpd.csr 172.16.55.11:/tmp
Then switch to the CA at 172.16.55.11 and sign the certificate
cd /etc/pki/CA
openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 1 (0x1)
    Validity
        Not Before: Jul 24 04:54:15 2016 GMT
        Not After : Jul 24 04:54:15 2017 GMT
    Subject:
        countryName = CN
        stateOrProvinceName = beijing
        organizationName = magedu
        organizationalUnitName = ops
        commonName = www2.magedu.com
        emailAddress = www2@admin.com
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            2B:D6:FF:8B:84:2D:33:FD:48:8A:EC:A5:80:63:67:46:F5:D5:54:12
        X509v3 Authority Key Identifier:
            keyid:F2:32:D8:C5:E6:D9:04:B8:46:38:8D:D7:32:2B:E6:D5:90:56:3D:A1
Certificate is to be certified until Jul 24 04:54:15 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Send the signed certificate back to the requester.
scp /etc/pki/CA/certs/httpd.crt 172.16.55.6:/etc/httpd/ssl/
Back on CentOS 6 (172.16.55.6), edit the ssl configuration file; change these directives in the existing <VirtualHost _default_:443> block
vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
    DocumentRoot "/data/vhosts/www2"
    ServerName www2.magedu.com:443
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
</VirtualHost>
Then, after the syntax check passes, reload the service
httpd -t
service httpd reload
The steps on CentOS 7 are basically the same as on CentOS 6
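The CA procedure above is interactive and spread over two machines; the script below, an added example that is not part of the original post, runs the same steps non-interactively in a scratch directory and ends with the check that matters before httpd.crt goes into ssl.conf: does it chain to cacert.pem and carry the expected CN? The subject fields are the post's values. Assumptions that differ from the post: a 2048-bit server key (the post used 1024, which is below today's minimum), a CA certificate given 3650 days (openssl req -x509 defaults to 30, shorter than the 365-day server certificate it must outlive), and signing with openssl x509 -req instead of openssl ca, so no index.txt, serial or openssl.cnf directory settings are needed.

```shell
#!/bin/sh
# Added example, not from the original post: the CA procedure above as one
# non-interactive script, run in a scratch directory rather than /etc/pki/CA,
# ending with the check that matters before the cert goes into ssl.conf: does
# httpd.crt chain to cacert.pem and carry the expected CN? Subject fields are
# the post's; assumptions: a 2048-bit server key (the post used 1024), a
# 3650-day CA certificate, and "openssl x509 -req" for signing instead of
# "openssl ca", so no openssl.cnf directory settings are needed.

# make_ca DIR: CA private key and self-signed CA certificate (10 years)
make_ca() {
    mkdir -p "$1/private" "$1/certs"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -days 3650 -key "$1/private/cakey.pem" -out "$1/cacert.pem" \
        -subj "/C=CN/ST=beijing/L=beijing/O=magedu/OU=ops/CN=ca.magedu.com/emailAddress=magedu@admin.com"
}

# make_csr DIR CN: what the web server does in /etc/httpd/ssl
make_csr() {
    mkdir -p "$1"
    (umask 077; openssl genrsa -out "$1/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$1/httpd.key" -out "$1/httpd.csr" \
        -subj "/C=CN/ST=beijing/L=beijing/O=magedu/OU=ops/CN=$2/emailAddress=www2@admin.com"
}

# sign_csr CADIR CSR OUT: what the CA does; 365 days as in the post
sign_csr() {
    openssl x509 -req -days 365 -in "$2" -CA "$1/cacert.pem" -CAkey "$1/private/cakey.pem" \
        -CAcreateserial -out "$3" 2>/dev/null
}

# verify_cert CADIR CRT CN -> 0 only if CRT chains to the CA and its subject CN is CN
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -subject | grep -q "CN *= *$3"
}

# Demo run in a scratch directory
work=$(mktemp -d)
make_ca "$work/CA" >/dev/null 2>&1
make_csr "$work/ssl" www2.magedu.com >/dev/null 2>&1
sign_csr "$work/CA" "$work/ssl/httpd.csr" "$work/ssl/httpd.crt"
if verify_cert "$work/CA" "$work/ssl/httpd.crt" www2.magedu.com; then
    echo "httpd.crt chains to ca.magedu.com and is issued to www2.magedu.com"
else
    echo "verification failed"
fi
rm -rf "$work"
```

The same verify_cert check can be run on the real files after the scp step (openssl verify -CAfile /etc/pki/CA/cacert.pem on the CA, or against a copy of cacert.pem on the web server); a browser on 172.16.55.11 will only trust the site once cacert.pem is imported there, since the CA is private.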