Httpd-2.2: two virtual hosts, with the following requirements
a.
1. Provide two name-based virtual hosts, www1 and www2, each with its own error log and access log;
2. Expose httpd status information at /server-status on www1, accessible only to the user tom;
3. www2 must refuse access from any host in the 192.168.0.0/24 network;
b.
Provide HTTPS for the second virtual host above.
Implementation steps:
1. Create the configuration files for the two virtual hosts, /etc/httpd/conf.d/vhostwww1.conf and /etc/httpd/conf.d/vhostwww2.conf, the document roots /var/www/html/www1 and /var/www/html/www2, and the index pages indexwww1.html and indexwww2.html
[root@www ~]# mkdir /var/www/html/www{1,2}
[root@www ~]# echo www1 > /var/www/html/www1/indexwww1.html
[root@www ~]# echo www2 > /var/www/html/www2/indexwww2.html
[root@www ~]# cat /etc/httpd/conf.d/vhostwww1.conf
<VirtualHost 172.16.251.237:80>
ServerName www1
DocumentRoot "/var/www/html/www1"
DirectoryIndex indexwww1.html
ErrorLog logs/www1_error_log
CustomLog logs/www1_access_log combined
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName "httpd-2.2 status page"
AuthUserFile /etc/httpd/user/.htpasswd
require user tom
</Location>
</VirtualHost>
[root@www ~]# cat /etc/httpd/conf.d/vhostwww2.conf
<VirtualHost 172.16.251.237:80>
ServerName www2
DocumentRoot "/var/www/html/www2"
DirectoryIndex indexwww2.html
ErrorLog logs/www2_error_log
CustomLog logs/www2_access_log combined
<Directory /var/www/html/www2>
Options None
AllowOverride None
Order deny,allow
deny from 192.168.0.0/24
</Directory>
</VirtualHost>
Edit the main configuration file:
vim /etc/httpd/conf/httpd.conf
NameVirtualHost 172.16.251.237:80
Create the virtual user tom for authentication:
mkdir /etc/httpd/user
htpasswd -m -c /etc/httpd/user/.htpasswd tom ---- enter the password twice.
Provide HTTPS for the virtual host www2
Install mod_ssl, the httpd-2.2 extension module:
yum -y install mod_ssl
Set up a private CA to issue a certificate for the www2 virtual site.
Lab environment: a single CentOS 6.7 host that is both the CA and the www2 site.
CA setup:
[root@www ~]# cd /etc/pki/CA
[root@www CA]# touch index.txt ---- create the CA database file
[root@www CA]# echo 01 > serial
Generate the CA private key:
[root@www CA]# (umask 066;openssl genrsa -out private/cakey.pem 1024)
Generating RSA private key, 1024 bit long modulus
..............................................++++++
......................++++++
e is 65537 (0x10001)
[root@www CA]# ls -l private/cakey.pem
-rw-------. 1 root root 891 Jul 19 00:07 private/cakey.pem
Generate the CA's self-signed certificate. Note that the default /etc/pki/tls/openssl.cnf on CentOS points `openssl ca` at /etc/pki/CA/cacert.pem, so with the cacert.crt name used here the signing step later has to be told where the CA certificate is (`-cert /etc/pki/CA/cacert.crt`):
[root@www CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:www.magedu.com
Organizational Unit Name (eg, section) []:m19
Common Name (eg, your name or your server's hostname) []:www.wudang.com
Email Address []:xx@qq.com
Generate the private key for the www2 site on the httpd host:
[root@www CA]# mkdir /etc/httpd/ssl
[root@www CA]# (umask 066;openssl genrsa -out /etc/httpd/ssl/httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.........................++++++
.++++++
e is 65537 (0x10001)
Generate the certificate request for www2:
[root@www CA]# openssl req -new -key /etc/httpd/ssl/httpd.key -days 356 -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing-------- must match the value in the CA's own certificate request
Locality Name (eg, city) [Default City]:beijing------- must match the value in the CA's own certificate request
Organization Name (eg, company) [Default Company Ltd]:www.magedu.com--- must match the value in the CA's own certificate request
Organizational Unit Name (eg, section) []:m16
Common Name (eg, your name or your server's hostname) []:www.wudang.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:------- for security, a password on the certificate request file
An optional company name []:
Send the generated www2 certificate request to the CA; once the request passes verification, the CA issues the certificate:
[root@www CA]# openssl ca -cert /etc/pki/CA/cacert.crt -in /etc/httpd/ssl/httpd.csr -out /etc/pki/CA/httpd.crt -days 365 ---- -cert is needed because the CA certificate was saved as cacert.crt, not the cacert.pem the default openssl.cnf expects
cp /etc/pki/CA/httpd.crt /etc/httpd/ssl/httpd.crt
The www2 virtual site now has its certificate.
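The CA build from the steps above, together with the chain check that the later `openssl s_client -CAfile` test performs, as an added example that is not part of the original write-up: a POSIX shell script that does the whole thing non-interactively in a scratch directory with its own openssl.cnf. The directory, the subject values (C=CN/ST=beijing/O=lab, CN=lab-ca and www2) and the 2048-bit key size are this example's assumptions, not the lab's; it needs only the openssl command-line tool (1.1.1 or newer).

```shell
# Added example, not from the write-up: build the lab CA and issue the www2 server
# certificate non-interactively, then verify the chain as a browser with the CA
# imported would. Constructed: scratch dir, subject values, 2048-bit keys (lab: 1024).
set -eu

make_ca_and_cert() {
  dir="$1"; mkdir -p "$dir/private" "$dir/newcerts"   # layout `openssl ca` expects
  touch "$dir/index.txt"; echo 01 > "$dir/serial"       # CA database and next serial
  # Self-contained openssl.cnf: policy_match is why C/ST/O in the CSR must equal the
  # CA's values; usr_cert adds the SAN that browsers require for https://www2/.
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www2
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  for k in private/cakey.pem httpd.key; do (umask 077; openssl genrsa -out "$dir/$k" 2048 2>/dev/null); done
  openssl req -new -x509 -days 3650 -config "$dir/ca.cnf" -key "$dir/private/cakey.pem" \
    -subj "/C=CN/ST=beijing/O=lab/CN=lab-ca" -out "$dir/cacert.pem"
  openssl req -new -config "$dir/ca.cnf" -key "$dir/httpd.key" \
    -subj "/C=CN/ST=beijing/O=lab/CN=www2" -out "$dir/httpd.csr"
  openssl ca -batch -notext -md sha256 -days 365 -config "$dir/ca.cnf" \
    -in "$dir/httpd.csr" -out "$dir/httpd.crt" 2>/dev/null
}

# Offline equivalent of `openssl s_client -CAfile ...`: chains to our CA and names www2?
verify_chain() {
  openssl verify -CAfile "$1/cacert.pem" -verify_hostname www2 "$1/httpd.crt" >/dev/null
}
```

Source the file, then run `d=$(mktemp -d); make_ca_and_cert "$d" && verify_chain "$d"`; the resulting httpd.key and httpd.crt drop straight into the SSLCertificateKeyFile and SSLCertificateFile directives below.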
Next, edit the configuration file that mod_ssl provides for httpd-2.2:
vim /etc/httpd/conf.d/ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost 172.16.251.237:443>
DocumentRoot "/var/www/html/www2"
ServerName www2:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
SSLCertificateFile /etc/httpd/ssl/httpd.crt
</VirtualHost>
service httpd reload ---- reload the service
Testing the www2 certificate:
vim /etc/hosts
172.16.251.237 www1 www2
1. openssl s_client -connect www2:443 -CAfile /etc/pki/CA/cacert.crt
2. Import the CA certificate into the browser, then visit
https://www2/indexwww2.html