参考拓扑图:

image

1.安装Apach服务

root@gjp99 ~]# mount /dev/cdrom /mnt/cdrom

mount: block device /dev/cdrom is write-protected, mounting read-only

[root@gjp99 ~]# cd /mnt/cdrom/Server

[root@gjp99 Server]# ll http*

-r--r--r-- 86 root root 1266575 Jul 28  2009 httpd-2.2.3-31.el5.i386.rpm

-r--r--r-- 99 root root  150002 Jul 28  2009 httpd-devel-2.2.3-31.el5.i386.rpm

-r--r--r-- 86 root root  830924 Jul 28  2009 httpd-manual-2.2.3-31.el5.i386.rpm

[root@gjp99 Server]# rpm -ivh httpd-2.2.3-31.el5.i386.rpm

warning: httpd-2.2.3-31.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186

Preparing...                ########################################### [100%]

         package httpd-2.2.3-31.el5.i386 is already installed

[root@gjp99 Server]# rpm -ql httpd |less

/etc/httpd

/etc/httpd/conf

/etc/httpd/conf.d

/etc/httpd/conf.d/README

/etc/httpd/conf.d/proxy_ajp.conf

[root@gjp99 Server]# whereis httpd

httpd: /usr/sbin/httpd.event /usr/sbin/httpd /usr/sbin/httpd.worker /etc/httpd /usr/lib/httpd /usr/share/man/man8/httpd.8.gz

进入主要目录查看:

[root@gjp99 Server]# cd /etc/httpd/        

[root@gjp99 httpd]# ls

conf  conf.d  logs  modules  run

[root@gjp99 conf]# vim  /etc/httpd/conf/httpd.conf   //配置文档路径

[root@gjp99 conf]# service httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

首次打开:测试页

clip_image002

由于存在下面这个文件: welcome.conf

clip_image004

2.编写网页!

[root@gjp99 conf]# cd /var/www/html

[root@gjp99 html]# echo "Welcome to gjp's  web \!" >index.html

[root@gjp99 html]# ll

total 4

-rw-r--r-- 1 root root 25 Aug 21 18:30 index.html

clip_image006

3.身份认证(输入账号,密码)才能进入!

[root@gjp99 html]# vim .htaccess   //文件名必须是这个

clip_image008

[root@gjp99 html]# cd ../

[root@gjp99 www]# ll

total 16

drwxr-xr-x 2 root root 4096 Jul 15  2009 cgi-bin

drwxr-xr-x 3 root root 4096 Aug  3 14:06 error

drwxr-xr-x 2 root root 4096 Aug 21 18:35 html

drwxr-xr-x 3 root root 4096 Aug  3 14:06 icons 

[root@gjp99 www]# which htpasswd      //工具

/usr/bin/htpasswd

[root@gjp99 www]# rpm -qf /usr/bin/htpasswd

httpd-2.2.3-31.el5

[root@gjp99 www]# htpasswd -c .htpasswd user1   //生成.htpasswd文件

New password:

Re-type new password:

Adding password for user user1

[root@gjp99 www]# cat .htpasswd

user1:QygWVyBqYHogk

[root@gjp99 www]# htpasswd  .htpasswd gjp  //再次创建账号,不用加-C

New password:

Re-type new password:

Adding password for user gjp

[root@gjp99 www]# cat .htpasswd

user1:QygWVyBqYHogk

gjp:EeZukL.9Q4s5.

clip_image010

[root@gjp99 www]# vim /etc/httpd/conf/httpd.conf

327#  AllowOverride None 改为 AllowOverride all

[root@gjp99 www]# service httpd configtest

Syntax OK

[root@gjp99 www]# service httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

clip_image012

4.拒绝与允许某台主机访问

clip_image014

拒绝192.168.2.10

允许其他

clip_image016

clip_image018

 

除了192.168.2.10 都能访问!

clip_image020

 

clip_image022

5.CA的配置

Linux openca

[root@gjp99 CA]# cd /etc/pki/CA

[root@gjp99 CA]# ls

private

[root@gjp99 CA]# cd ..

[root@gjp99 pki]# ls

CA  nssdb  rpm-gpg  tls

[root@gjp99 tls]# ls

cert.pem  certs  misc  openssl.cnf  private

[root@gjp99 tls]# vim openssl.cnf

clip_image024

进目录,手动创建以下3个目录,2个文件

clip_image026

[root@gjp99 CA]# echo "01" > serial   //赋初始值

5.1创建数字证书:

1.产生私钥:

[root@gjp99 CA]# openssl genrsa 1024 > private/cakey.pem

Generating RSA private key, 1024 bit long modulus

..........................................................++++++

..................................................................++++++

e is 65537 (0x10001)

[root@gjp99 CA]# ll

total 24

drwxr-xr-x 2 root root 4096 Aug 21 19:32 certs

drwxr-xr-x 2 root root 4096 Aug 21 19:32 crl

-rw-r--r-- 1 root root    0 Aug 21 19:32 index.txt

drwxr-xr-x 2 root root 4096 Aug 21 19:32 newcerts

drwx------ 2 root root 4096 Aug 21 19:39 private

-rw-r--r-- 1 root root    3 Aug 21 19:35 serial

[root@gjp99 CA]# ll private/*

-rw-r--r-- 1 root root 887 Aug 21 19:39 private/cakey.pem

[root@gjp99 CA]# chmod 600 private/*

[root@gjp99 CA]# ll private/*

-rw------- 1 root root 887 Aug 21 19:39 private/cakey.pem

2.创建自签名证书

[root@gjp99 CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:

[root@gjp99 tls]# vim openssl.cnf

底行模式:88,90  s/match /optional

match 改为optional

88 countryName             = optional

 89 stateOrProvinceName     = optional

 90 organizationName        = optional

clip_image028

[root@gjp99 CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.           

-----

Country Name (2 letter code) [CN]:

State or Province (full name) [He Nan]:

Locality Name (eg, city) [zhengzhou]:

Organizational(eg, company) [My Company oLtd]:NETWORK

Organizational Unit Name (eg, section) []:TEC

Common Name (eg, your name or your server's hostname) []:GJP.net.net

Email Address []:

设置过默认值后,直接回车即可!

5.2 Apache 主配置:

[root@gjp99 CA]# mkdir -pv /etc/httpd/certs

[root@gjp99 CA]# cd  /etc/httpd/certs

[root@gjp99 certs]# openssl genrsa 1024 >httpd.key

Generating RSA private key, 1024 bit long modulus

......++++++

.........................................++++++

e is 65537 (0x10001)

[root@gjp99 certs]# openssl req -new -key httpd.key -out httpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province (full name) [He Nan]:

Locality Name (eg, city) [zhengzhou]:

Organizational(eg, company) [My Company oLtd]:restore

Organizational Unit Name (eg, section) []:teco

Common Name (eg, your name or your server's hostname) []:restore.net.net

Email Address []:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@gjp99 certs]# pwd

/etc/httpd/certs

[root@gjp99 certs]# ll

total 8

-rw-r--r-- 1 root root 660 Aug 21 21:43 httpd.csr

-rw-r--r-- 1 root root 887 Aug 21 21:41 httpd.key

 

[root@gjp99 certs]# openssl ca -in httpd.csr -out httpd.cert

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Aug 21 15:08:55 2012 GMT

            Not After : Aug 21 15:08:55 2013 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = He Nan

            organizationName          = restore

            organizationalUnitName    = teco

            commonName                = restore.net.net

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                DA:55:76:07:0B:0C:36:EE:FA:7E:61:94:99:13:6B:19:F3:67:06:17

            X509v3 Authority Key Identifier:

                keyid:5A:B6:BD:F1:BF:55:93:52:15:58:72:84:48:09:6B:B1:3E:AC:0F:A9

 

Certificate is to be certified until Aug 21 15:08:55 2013 GMT (365 days)

Sign the certificate? [y/n]:y

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@gjp99 certs]# ll

total 12

-rw-r--r-- 1 root root 3087 Aug 21 23:09 httpd.cert

-rw-r--r-- 1 root root  660 Aug 21 21:43 httpd.csr

-rw-r--r-- 1 root root  887 Aug 21 21:41 httpd.key

[root@gjp99 certs]# chmod 600 *

[root@gjp99 certs]# ll

total 12

-rw------- 1 root root 3087 Aug 21 23:09 httpd.cert

-rw------- 1 root root  660 Aug 21 21:43 httpd.csr

-rw------- 1 root root  887 Aug 21 21:41 httpd.key

6.安装与配置ssl

vim /etc/yum.repos.d/rhel-debuginfo.repo  //编写yum配置文件

6.1安装

[root@gjp99 Server]# yum install mod_ssl  -y

[root@gjp99 httpd]# cd /etc/httpd/conf.d

[root@gjp99 conf.d]# ll

total 24

-rw-r--r-- 1 root root  392 Jul 15  2009 README

-rw-r--r-- 1 root root  566 Jul 15  2009 proxy_ajp.conf

-rw-r--r-- 1 root root 9677 Jul 15  2009 ssl.conf

-rw-r--r-- 1 root root  299 Jul 15  2009 welcome.conf

6.2 配置

[root@gjp99 conf.d]# vim ssl.conf

112 SSLCertificateFile /etc/httpd/certs/httpd.cert

119 SSLCertificateKeyFile /etc/httpd/certs/httpd.key

[root@gjp99 certs]# vim /etc/httpd/conf.d/ssl.conf

[root@gjp99 certs]# service httpd configtest

Syntax OK

[root@gjp99 certs]# service httpd restart  

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

6.3查看日志文件的变化

服务器重启之前:

[root@gjp99 conf.d]# cd /var/log/httpd

[root@gjp99 httpd]# ll

total 28

-rw-r--r-- 1 root root 9716 Aug 21 19:20 access_log

-rw-r--r-- 1 root root 1164 Aug  3 14:47 access_log.1

-rw-r--r-- 1 root root 4981 Aug 21 19:55 error_log

-rw-r--r-- 1 root root 2883 Aug  3 14:47 error_log.1

服务器重启之后:

 [root@gjp99 conf.d]# cd /var/log/httpd

多了

-rw-r--r-- 1 root root    0 Aug 21 23:56 ssl_access_log

-rw-r--r-- 1 root root  444 Aug 21 23:56 ssl_error_log

-rw-r--r-- 1 root root    0 Aug 21 23:56 ssl_request_log

6.4 检测运行端口

[root@gjp99 certs]# netstat -tupln |grep httpd

tcp        0      0 :::80                       :::*                        LISTEN      3884/httpd         

tcp        0      0 :::443                      :::*

 

7.测试与改正:

 7.1 基本测试(安全证书日期有效)

clip_image030

clip_image032

clip_image034

7.2可信的验证机构发行

vim /etc/httpd/conf.d/ssl.conf

127 SSLCertificateChainFile /etc/pki/CA/cacert.pem

[root@gjp99 certs]# service httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

clip_image036

clip_image038

clip_image040

Xp

clip_image042

clip_image044

7.3  名称与站点对应

编写Hos ts 文件

clip_image046

hosts 文件 中添加 如下:

192.168.2.100   restore.net.net

clip_image048

clip_image050

clip_image052

可直接访问!

7.4  明文方式也可访问!(不安全)

clip_image054

关闭80端口

clip_image056

clip_image058禁用掉

[root@gjp99 ~]# netstat -tupln |grep http

tcp        0      0 :::443                      :::*

clip_image060

clip_image062

clip_image064