1. Set up an httpd service that meets the following requirements:
(1) Provide two name-based virtual hosts, www1 and www2, each with its own error log and access log;
(2) Serve status information at /server-status on www1, accessible only to the user tom;
(3) www2 must not allow access from any host in the 192.168.0.0/24 network;
2. Provide an https service for the second virtual host above;
The lab requirements are modest, and since this is only for testing there is no need to register the domain on the Internet or to obtain a certificate from a public root CA; everything can be self-provided. To meet the requirements I prepared four virtual machines: one CentOS 6.8, two CentOS 7.2 and one Windows XP. The three CentOS machines are named CentOS68A, CentOS72A and CentOS72B. CentOS68A and CentOS72A serve as the httpd-2.2 and httpd-2.4 servers respectively, CentOS72B acts as the private DNS server and private CA, and the Windows XP machine is the test client.
The three servers are deployed as follows:
1. IP address plan for the three virtual machines:
[root@Centos68A ~]# ip a l dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:d0:5b:1b brd ff:ff:ff:ff:ff:ff
    inet 172.16.9.61/16 brd 172.16.255.255 scope global eth0
    inet6 fe80::20c:29ff:fed0:5b1b/64 scope link
       valid_lft forever preferred_lft forever
[root@Centos72A ~]# ip a l dev eno16777736
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:e0:46:e1 brd ff:ff:ff:ff:ff:ff
    inet 172.16.9.71/16 brd 172.16.255.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fee0:46e1/64 scope link
       valid_lft forever preferred_lft forever
[root@Centos72B ~]# ip a l dev eno16777736
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:07:0e:a7 brd ff:ff:ff:ff:ff:ff
    inet 172.16.9.72/16 brd 172.16.255.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe07:ea7/64 scope link
       valid_lft forever preferred_lft forever
Note: the Windows XP client has the IP address 172.16.9.9/16 with DNS pointing to 172.16.9.72; since it does not need to reach other subnets, no gateway was configured for it.
2. Install the required packages on the three servers
[root@Centos68A ~]# yum -y install httpd mod_ssl
[root@Centos72A ~]# yum -y install httpd mod_ssl
[root@Centos72B ~]# yum -y install bind
3. First build the private DNS service and the private CA.
1) Build the private DNS service. The planned domain is "test.com"; the DNS must resolve names for the DNS server, the CA server and the four virtual host sites on the two web servers. The main steps and configuration file fragments are as follows:
DNS main configuration file: /etc/named.conf
options {
        directory "/var/named";
        listen-on port 53 { localhost; };
        allow-recursion { 172.16.0.0/16; };
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "test.com" IN {
        type master;
        file "test.com.zone";
};
Zone database file for the test.com domain: /var/named/test.com.zone
$TTL 1D
@       IN SOA  ns1.test.com. root.test.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum (negative-answer TTL)
        NS      ns1
ns1     A       172.16.9.72
ca      A       172.16.9.72
websrv1 A       172.16.9.61
www1    CNAME   websrv1
www2    CNAME   websrv1
websrv2 A       172.16.9.71
www3    CNAME   websrv2
www4    CNAME   websrv2
After checking that the syntax is correct, start the service so it is ready for use.
[root@Centos72B named]# systemctl start named.service
2) Build the private root CA. First edit the openssl configuration file /etc/pki/tls/openssl.cnf and set default values for some key parameters in its req_distinguished_name section, as shown below:
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Beijing
localityName                    = Locality Name (eg, city)
localityName_default            = Beijing
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = TestTech
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Tech
commonName                      = Common Name (eg, your name or your server's hostname)
commonName_default              = ca.test.com
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_default            = caadmin@test.com
emailAddress_max                = 64
Next, create the CA's private key, its self-signed certificate and the other related files:
[root@Centos72B named]# cd /etc/pki/CA
[root@Centos72B CA]# pwd
/etc/pki/CA
[root@Centos72B CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.............................................................+++
............................................................................................+++
e is 65537 (0x10001)
[root@Centos72B CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [TestTech]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) [ca.test.com]:
Email Address [caadmin@test.com]:
[root@Centos72B CA]# touch index.txt
[root@Centos72B CA]# echo 01 > serial
With that, a private CA is in place, and the work on CentOS72B is done for now.
4. Build the required virtual hosts on CentOS68A and CentOS72A
1) Configuration on CentOS68A:
I. The two virtual hosts are named www1.test.com and www2.test.com;
II. Because FQDN-based (name-based) virtual hosts are to be used, and the httpd shipped as an rpm package on CentOS 6 is version 2.2, the NameVirtualHost directive in the main configuration file /etc/httpd/conf/httpd.conf must be configured. Concretely: copy the line containing NameVirtualHost, uncomment it, and replace the trailing "*" with the IP address being listened on, i.e.:
NameVirtualHost 172.16.9.61:80
Note: in httpd 2.2 this directive is essential when configuring FQDN-based virtual hosts.
III. The two virtual host configuration files are placed in the /etc/httpd/conf.d directory and named vhost-www1.conf and vhost-www2.conf; vhost-www2.conf was created by renaming the ssl.conf file;
Main configuration directives and values in vhost-www1.conf
<VirtualHost 172.16.9.61:80>
    ServerName www1.test.com
    DocumentRoot /myweb/test.com/www1
    ErrorLog logs/www1_error.log
    CustomLog logs/www1_access.log combined
    <Location /server-status>
        SetHandler server-status
        AuthType basic
        AuthName "The status of Web site, Only allow tom."
        AuthUserFile "/etc/httpd/conf.d/.www1_htpasswd"
        Require User tom
    </Location>
</VirtualHost>
Create the authentication user file:
[root@Centos68A conf.d]# htpasswd -c -m .www1_htpasswd tom
New password:
Re-type new password:
Main configuration directives and values in vhost-www2.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost 172.16.9.61:443>
    DocumentRoot "/myweb/test.com/www2"
    ServerName www2.test.com:443
    <Directory "/myweb/test.com/www2">
        Options None
        AllowOverride None
        Order allow,deny
        Deny from 192.168.0.0/24
        Allow from all
    </Directory>
    ErrorLog logs/www2_ssl_error_log
    TransferLog logs/www2_ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
    SSLCertificateFile /etc/httpd/secure/httpvh_www2.crt
    SSLCertificateKeyFile /etc/httpd/secure/httpvh_www2.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog logs/www2_ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
IV. The document roots of the two virtual hosts are the directories named www1 and www2 under /myweb/test.com/; provide an accessible test page for each virtual host.
[root@Centos68A conf.d]# mkdir -pv /myweb/test.com/www{1,2}
mkdir: created directory `/myweb'
mkdir: created directory `/myweb/test.com'
mkdir: created directory `/myweb/test.com/www1'
mkdir: created directory `/myweb/test.com/www2'
[root@Centos68A conf.d]# echo "<h1>www1 Home Page</h1>" > /myweb/test.com/www1/index.html
[root@Centos68A conf.d]# echo "<h1>www2 Test Page</h1>" > /myweb/test.com/www2/index.html
V. Create the httpd private key and certificate request for www2:
[root@Centos68A httpd]# mkdir secure
[root@Centos68A httpd]# cd secure/
[root@Centos68A secure]# (umask 077;openssl genrsa -out httpvh_www2.key 2048)
Generating RSA private key, 2048 bit long modulus
..............+++
.....................................................................................................................+++
e is 65537 (0x10001)
[root@Centos68A secure]# openssl req -new -key httpvh_www2.key -out httpvh_www2.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [TestTech]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) [www2.test.com]:
Email Address [admin@test.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@Centos68A secure]#
Send the generated certificate request to the private root CA so that it can sign it and issue the public-key certificate:
[root@Centos68A secure]# scp httpvh_www2.csr 172.16.9.72:/tmp
httpvh_www2.csr                               100% 1054     1.0KB/s   00:00
[root@Centos68A secure]#
[root@Centos72B tmp]# openssl ca -in httpvh_www2.csr -out httpvh_www2.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul  9 07:54:54 2016 GMT
            Not After : Jul  9 07:54:54 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = TestTech
            organizationalUnitName    = Tech
            commonName                = www2.test.com
            emailAddress              = admin@test.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C8:FF:5F:B3:D1:9E:F7:C5:45:15:CC:AD:2A:89:86:FD:DC:A7:B2:B1
            X509v3 Authority Key Identifier:
                keyid:0E:3D:4B:D7:08:F4:B5:4D:EF:59:C9:03:8F:20:C6:0F:B6:1B:67:1B

Certificate is to be certified until Jul  9 07:54:54 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@Centos72B tmp]# scp httpvh_www2.crt 172.16.9.61:/etc/httpd/secure
httpvh_www2.crt                               100% 4613     4.5KB/s   00:00
Now test from the client:
Enter http://www1.test.com in the client browser's address bar to test the first virtual host
Enter https://www2.test.com in the client browser's address bar to test the second virtual host
The certificate is not trusted
But choosing "Proceed anyway" still gives access. To make it easier to use Chrome, I added a download hyperlink to the site page
The details show: the CA's certificate cannot be verified as legitimate, so certificates issued by that CA are not trusted either
The result is indeed the certificate we issued to ourselves; it is only usable in a lab setting and cannot be used on the Internet.
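The private CA build (step 3.2), the CSR and signing for www2 (step V) and the browser's "certificate not trusted" warning above, as one added shell script that is not part of the original post. It assumes the openssl command line is installed, uses a temporary directory in place of /etc/pki/CA and writes its own openssl.cnf so it runs anywhere; it goes one step beyond the post by giving the signed certificate a subjectAltName, which current browsers require in place of the CN.

```shell
# Added example (not from the original post): rebuild the post's private-CA
# workflow in a throwaway directory and check it the way a client does.
LAB="${LAB:-$(mktemp -d)}"; CADIR="$LAB/CA"; CNF="$LAB/openssl.cnf"
# Self-contained CA config replacing /etc/pki/tls/openssl.cnf; SAN is for $1.
write_config() {
    mkdir -p "$CADIR/private" "$CADIR/newcerts"; touch "$CADIR/index.txt"; echo 01 > "$CADIR/serial"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database = $CADIR/index.txt
new_certs_dir = $CADIR/newcerts
serial = $CADIR/serial
certificate = $CADIR/cacert.pem
private_key = $CADIR/private/cakey.pem
default_md = sha256
policy = lab_policy
[ lab_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$1
EOF
}
# Root key + self-signed CA cert, then server key, CSR and CA-signed cert for $1.
build_lab_pki() {
    write_config "$1"; CRT="$LAB/$1.crt"
    (umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CNF" -extensions v3_ca -days 3650 \
        -key "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" -subj "/CN=ca.test.com"
    (umask 077; openssl genrsa -out "$LAB/$1.key" 2048 2>/dev/null)
    openssl req -new -config "$CNF" -key "$LAB/$1.key" -out "$LAB/$1.csr" -subj "/CN=$1"
    # -batch answers the two y/n prompts the post shows; -extensions adds the SAN.
    openssl ca -batch -notext -config "$CNF" -extensions v3_server -days 365 \
        -in "$LAB/$1.csr" -out "$CRT" 2>/dev/null
}
# A client that trusts cacert.pem: 0 only if the chain is valid AND the name matches.
verify_trusting_lab_ca() { openssl verify -CAfile "$CADIR/cacert.pem" -verify_hostname "$1" "$CRT" >/dev/null 2>&1; }
# A browser without the lab root consults only the system store, so this fails.
verify_with_system_store() { openssl verify "$CRT" >/dev/null 2>&1; }
```

verify_with_system_store failing is exactly the warning in the screenshots; importing cacert.pem into the client's trust store (what verify_trusting_lab_ca simulates) is the fix for a lab, and the name check shows why a certificate issued for www2 cannot simply be reused for another host.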
2) Configuration on CentOS72A:
I. The two virtual hosts are named www3.test.com and www4.test.com;
II. The two virtual host configuration files are placed in the /etc/httpd/conf.d directory and named vhost-www3.conf and vhost-www4.conf; vhost-www4.conf was created by renaming the ssl.conf file;
Main configuration directives and values in vhost-www3.conf
<VirtualHost 172.16.9.71:80>
    ServerName www3.test.com
    DocumentRoot /myweb/test.com/www3
    ErrorLog logs/www3_error.log
    CustomLog logs/www3_access.log combined
    <Directory "/myweb/test.com/www3">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    <Location /server-status>
        SetHandler server-status
        AuthType basic
        AuthName "The status of Web site, Only allow tom."
        AuthUserFile "/etc/httpd/conf.d/.www3_htpasswd"
        Require user tom
    </Location>
</VirtualHost>
Create the authentication user file:
[root@Centos72A conf.d]# htpasswd -c -m .www3_htpasswd tom
New password:
Re-type new password:
Main configuration directives and values in vhost-www4.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost 172.16.9.71:443>
    DocumentRoot "/myweb/test.com/www4"
    ServerName www4.test.com:443
    <Directory "/myweb/test.com/www4">
        Options None
        AllowOverride None
        # A negated Require can only veto, never grant, so the httpd 2.4 documentation
        # pairs it with "Require all granted" inside <RequireAll>, not <RequireAny>.
        <RequireAll>
            Require all granted
            Require not ip 192.168.0.0/24
        </RequireAll>
    </Directory>
    ErrorLog logs/www4_ssl_error_log
    TransferLog logs/www4_ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    SSLCertificateFile /etc/httpd/secure/httpvh_www4.crt
    SSLCertificateKeyFile /etc/httpd/secure/httpvh_www4.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
III. The document roots of the two virtual hosts are the directories named www3 and www4 under /myweb/test.com/; provide an accessible test page for each virtual host.
[root@Centos72A conf.d]# mkdir -pv /myweb/test.com/www{3,4}
mkdir: created directory `/myweb'
mkdir: created directory `/myweb/test.com'
mkdir: created directory `/myweb/test.com/www3'
mkdir: created directory `/myweb/test.com/www4'
[root@Centos72A conf.d]# echo "<h1>www3 Home Page</h1>" > /myweb/test.com/www3/index.html
[root@Centos72A conf.d]# echo "<h1>www4 Test Page</h1>" > /myweb/test.com/www4/index.html
IV. Create the httpd private key and certificate request for www4:
[root@Centos72A httpd]# mkdir secure
[root@Centos72A httpd]# cd secure/
[root@Centos72A secure]# (umask 077;openssl genrsa -out http_www4.key 2048)
Generating RSA private key, 2048 bit long modulus
.................................................+++
...........+++
e is 65537 (0x10001)
[root@Centos72A secure]# openssl req -new -key http_www4.key -out http_www4.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [TestTech]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) [www4.test.com]:
Email Address [admin@test.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@Centos72A secure]#
Send the generated certificate request to the private root CA so that it can sign it and issue the public-key certificate:
[root@Centos72A secure]# scp httpvh_www4.csr 172.16.9.72:/tmp
httpvh_www4.csr                               100% 1054     1.0KB/s   00:00
[root@Centos72A secure]#
[root@Centos72B tmp]# openssl ca -in httpvh_www4.csr -out httpvh_www4.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jul  9 11:37:03 2016 GMT
            Not After : Jul  9 11:37:03 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = TestTech
            organizationalUnitName    = Tech
            commonName                = www4.test.com
            emailAddress              = admin@test.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                6E:34:E7:5D:57:A2:05:D6:7C:24:58:F6:77:F2:3C:99:B3:3D:65:F0
            X509v3 Authority Key Identifier:
                keyid:0E:3D:4B:D7:08:F4:B5:4D:EF:59:C9:03:8F:20:C6:0F:B6:1B:67:1B

Certificate is to be certified until Jul  9 07:54:54 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@Centos72B tmp]# scp httpvh_www4.crt 172.16.9.71:/etc/httpd/secure
httpvh_www4.crt                               100% 4613     4.5KB/s   00:00
Now test from the client:
Enter http://www3.test.com in the client browser's address bar to test the first virtual host
Enter https://www4.test.com in the client browser's address bar to test the second virtual host
The same untrusted-certificate prompt appears
Ignoring the prompt and proceeding anyway, access works without problems.
The prompt says the CA's certificate cannot be verified, so certificates issued by that CA are considered untrusted
This certificate was indeed issued to www4 by our own private CA; there is no doubt about that.