Httpd Service

I. Objective:

    1. Set up an httpd service that:

        (1) provides two name-based virtual hosts, www1 and www2, each with its own error log and access log;

        (2) exposes status information at www1/server-status, accessible only to the user tom;

        (3) refuses access to www2 from any host in the 192.168.0.0/24 network;

    2. Provide an https service for the second virtual host above.

II. Overview of the process

    A. Obtain an https certificate: this requires running our own certificate server (CA)

    B. Install Httpd

    C. Write the configuration files so that the requirements above are met

III. Let's begin: CentOS 6.7 + Httpd 2.2

A. Certificates

    1. Generate the root (CA) certificate (the paths of the CA certificate and key are defined in /etc/pki/tls/openssl.cnf)

        [localhost:~] yum install openssl
        [localhost:~] cd /etc/pki/CA
        [localhost:CA] (umask 077; openssl genrsa -out private/cakey.pem 1024)
        [localhost:CA] openssl req -x509 -new -key private/cakey.pem -out cacert.pem
        [localhost:CA] touch index.txt
        [localhost:CA] echo "01" > serial

        Note: index.txt and serial must exist before "openssl ca" can issue anything. Without -days, "openssl req -x509" produces a CA certificate valid for only 30 days, and "openssl ca" uses default_days from openssl.cnf. The 1024-bit RSA keys are kept as in the original exercise; they are considered too weak for production use today.

    2. Create the certificate request (the server key and request are generated in root's home directory, and despite the name cakey.pem this is the server key, not the CA key)

        [localhost:~] (umask 077; openssl genrsa -out cakey.pem 1024)
        [localhost:~] openssl req -new -key cakey.pem -out cacertreq.pem

    3. Issue the certificate

        [localhost:~] openssl ca -in cacertreq.pem -out cacert.cer

B. Install the Httpd service

    1. Install httpd

        [localhost:~] yum install httpd
        [localhost:~] ll /etc/httpd

        conf                                        main configuration file conf/httpd.conf
        conf.d                                      auxiliary configuration directory (pulled in by "Include conf.d/*.conf" in conf/httpd.conf)
        logs -> ../../var/log/httpd                 log directory
        modules -> ../../usr/lib64/httpd/modules    module directory
        run -> ../../var/run/httpd                  directory holding the pid file

    2. Install mod_ssl

        [localhost:~] yum install mod_ssl
        [localhost:~] rm -f /etc/httpd/conf.d/ssl.conf

        The packaged ssl.conf is removed because it loads mod_ssl itself and defines its own Listen 443 and a default SSL virtual host, which would conflict with the configuration below.

C. Configuration files

    1. The main configuration file:

        [localhost:~] cat /etc/httpd/conf/httpd.conf

ServerTokens OS
ServerRoot /etc/httpd
KeepAlive On
KeepAliveTimeout 10
Timeout 5
MaxKeepAliveRequests 100
# only files whose names end in .conf are picked up from conf.d/
Include conf.d/*.conf
PidFile run/httpd.pid
DirectoryIndex index.html index.php
TypesConfig /etc/mime.types
UseCanonicalName Off
User apache
Group apache
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
LogLevel warn
ErrorLog logs/error_log
CustomLog logs/access_log combined

<Directory />
    Options None
    AllowOverride None
    Order Allow,Deny
    Allow from all
</Directory>

# SSL is switched on in the global context, so it applies to both virtual hosts on
# 172.16.0.202:443 and they share this one certificate. Name-based virtual hosts over
# TLS rely on SNI, and the certificate's name should match the ServerName clients use.
SSLEngine on
SSLCertificateFile /root/cacert.cer
SSLCertificateKeyFile /root/cakey.pem

 

    2. The modules configuration file (the file name must end in .conf, otherwise "Include conf.d/*.conf" skips it):

        [localhost:~] cat /etc/httpd/conf.d/loadmodules.conf

# For this exercise only mod_ssl, mod_status, mod_log_config, mod_mime, mod_dir and the
# auth_basic / authn_file / authz_host / authz_user modules are actually needed; loading
# unused modules (proxy, dav, ldap, cgi, ...) only widens the attack surface.
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule version_module modules/mod_version.so
LoadModule ssl_module modules/mod_ssl.so

<IfModule prefork.c>
    StartServers 5
    MaxSpareServers 10
    MinSpareServers 5
    MaxRequestsPerChild 200
    MaxClients 256
</IfModule>

<IfModule worker.c>
    StartServers 4
    ThreadsPerChild 25
    MaxSpareThreads 100
    MinSpareThreads 50
    MaxClients 1000
    MaxRequestsPerChild 200
</IfModule>

 

    3. VirtualHost configuration

        [localhost:~] htpasswd -c /etc/httpd/passwd tom

        [localhost:~] cat /etc/httpd/conf.d/vhost1.conf

Listen 443
NameVirtualHost 172.16.0.202:443

<VirtualHost 172.16.0.202:443>
    ServerName www1
    DocumentRoot /data/web/test/www1
    ErrorLog /etc/httpd/logs/error_www1.log
    CustomLog /etc/httpd/logs/access_www1.log combined

    # requirement (2): status page behind HTTP Basic authentication, user tom only
    # (AllowOverride is only valid inside <Directory>, so it is not used in <Location>)
    <Location /server-status>
        SetHandler server-status
        Options None
        AuthType Basic
        AuthName "AdminRequire"
        AuthUserFile /etc/httpd/passwd
        Require user tom
    </Location>
</VirtualHost>

<VirtualHost 172.16.0.202:443>
    ServerName www2
    DocumentRoot /data/web/test/www2
    ErrorLog /etc/httpd/logs/error_www2.log
    CustomLog /etc/httpd/logs/access_www2.log combined

    # requirement (3): refuse the whole site to 192.168.0.0/24. With Order Allow,Deny the
    # Deny list is evaluated last, so hosts matching it are refused and all others allowed.
    <Location />
        Order Allow,Deny
        Allow from all
        Deny from 192.168.0.0/24
    </Location>
</VirtualHost>

 

To meet the same requirements on httpd 2.4, only two things need attention:

    1. NameVirtualHost no longer needs to be defined;

    2. httpd 2.2 does IP-based access control with Order allow,deny followed by Allow from / Deny from lists, and user-based control with Require user/group;
       httpd 2.4 does IP-based control with Require ip ... (grant) and Require not ip ... (deny, inside <RequireAll>), and user-based control is the same.
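To check that an access-control block really does what requirement (3) asks before deploying it, here is an added Python model (not code from the original post) of how mod_authz_host evaluates Order/Allow/Deny in httpd 2.2 and how Require ip / Require not ip behave in httpd 2.4; the client addresses are constructed samples.

```python
"""Model of httpd IP-based access decisions: Order/Allow/Deny (httpd 2.2) and
Require ip / Require not ip (httpd 2.4). Added example, not the post's own code."""
import ipaddress


def _matches(client, pattern):
    """One 'from' / 'ip' argument: 'all', a CIDR block (192.168.0.0/24),
    a full address, or a partial dotted prefix such as '192.168.0'."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    try:
        return ipaddress.ip_address(client) == ipaddress.ip_address(pattern)
    except ValueError:  # partial address: compare the leading octets only
        octets = pattern.split(".")
        return client.split(".")[:len(octets)] == octets


def httpd22_allowed(client, order, allow, deny):
    """Order Allow,Deny: must match an Allow and no Deny (default deny).
    Order Deny,Allow: refused only if it matches a Deny and no Allow (default allow)."""
    allowed = any(_matches(client, p) for p in allow)
    denied = any(_matches(client, p) for p in deny)
    if order.lower() == "allow,deny":
        return allowed and not denied
    if order.lower() == "deny,allow":
        return allowed or not denied
    raise ValueError("unknown Order: " + order)


def httpd24_allowed(client, require_ip=(), require_not_ip=()):
    """<RequireAll>: a matching 'Require not ip' refuses the request; otherwise the
    client must match a 'Require ip' (or 'Require all granted' when none is given)."""
    if any(_matches(client, p) for p in require_not_ip):
        return False
    return not require_ip or any(_matches(client, p) for p in require_ip)


def www2_policy(client):
    """Requirement (3) for www2 in both syntaxes: 192.168.0.0/24 refused, others
    allowed. Returns (httpd 2.2 result, httpd 2.4 result); the two must agree."""
    v22 = httpd22_allowed(client, "Allow,Deny", ["all"], ["192.168.0.0/24"])
    v24 = httpd24_allowed(client, require_not_ip=["192.168.0.0/24"])
    return v22, v24


if __name__ == "__main__":
    for ip in ("192.168.0.25", "172.16.0.202", "10.1.2.3"):  # constructed samples
        print(ip, www2_policy(ip))
```

Note that under Order Allow,Deny the pair "Allow from 192.168.0" plus "Deny from all" refuses every client, because the Deny list is evaluated last; a whitelist needs Order Deny,Allow.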