Contents
Configuring three kinds of httpd virtual hosts with access control
Virtual hosts:
Same IP, different ports
Different IPs, same port
Same IP, same port, different domain names
Access control rules
Installing the SSL module
Configuring HTTPS
CA generates a private key
CA generates a self-signed certificate
Client generates a private key
Client generates a certificate signing request
CA signs the certificate request submitted by the client
Editing the ssl.conf configuration file
Redirection
Virtual hosts:
There are three kinds of virtual host:
same IP with different ports; different IPs with the same port; same IP and port with different domain names.
Same IP, different ports
// Search the whole filesystem for the vhost template file
[root@zzh ~]# find / -name "*vhosts.conf"
/usr/share/doc/httpd/httpd-vhosts.conf
// Copy the template into the directory from which virtual host configuration files are loaded
[root@zzh ~]# cd /etc/httpd/conf.d/
[root@zzh conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf ./
[root@zzh conf.d]# ls
README autoindex.conf httpd-vhosts.conf userdir.conf welcome.conf
// Edit the copied template: one <VirtualHost> block per site, with the second site listening on port 82
[root@zzh conf.d]# vim httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/var/www/html/fjdz"                          // root directory holding the site content
    ServerName www.fjdz.com                                    // domain name of this site
    ErrorLog "/var/log/httpd/www.fjdz.com-error_log"           // error log location
    CustomLog "/var/log/httpd/www.fjdz.com-access_log" common  // access log location
</VirtualHost>

Listen 82
<VirtualHost *:82>
    DocumentRoot "/var/www/html/ddz"
    ServerName www.ddz.com
    ErrorLog "/var/log/httpd/www.ddz.com-error_log"
    CustomLog "/var/log/httpd/www.ddz.com-access_log" common
</VirtualHost>
// Go to the html directory and fetch the source package for the plane-war game (fjdz)
[root@zzh conf.d]# cd /var/www/html/
[root@zzh html]# mkdir fjdz //create the plane-war directory
[root@zzh html]# ls //the source package has been uploaded here
feijiedazhan.zip fjdz
[root@zzh html]# dnf -y install zip* //install the zip/unzip tools
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:22:56 ago on Sun Jul 24 03:26:55 2022.
Dependencies resolved.
===================================================================================
Package Architecture Version Repository Size
===================================================================================
Installing:
zip x86_64 3.0-23.el8 baseos 270 k
// Unpack the source package
[root@zzh html]# unzip feijiedazhan.zip
Archive: feijiedazhan.zip
// Move the extracted files into the plane-war directory
[root@zzh html]# mv HTML5#U5168#U6c11#U98de#U673a#U5927#U6218#U5c0f#U6e38#U620f fjdz/
[root@zzh html]# cd fjdz/
[root@zzh fjdz]# ls
css img index.html js
// Same steps for the Dou Dizhu (ddz) card game package
[root@zzh html]# mkdir ddz
[root@zzh html]# ls
ddz feijiedazhan.zip fjdz
[root@zzh html]# ls
ddz feijiedazhan.zip fjdz ''$'\346\226\227\345\234\260\344\270\273''.zip'
[root@zzh html]# unzip ''$'\346\226\227\345\234\260\344\270\273''.zip'
Archive: 斗地主.zip
[root@zzh html]# ls
'HTML5 canvas#U79fb#U52a8#U7aef#U6597#U5730#U4e3b#U5c0f#U6e38#U620f' ddz feijiedazhan.zip fjdz ''$'\346\226\227\345\234\260\344\270\273''.zip'
[root@zzh html]# mv 'HTML5 canvas#U79fb#U52a8#U7aef#U6597#U5730#U4e3b#U5c0f#U6e38#U620f' ddz/
[root@zzh html]# cd ddz/
[root@zzh ddz]# ls
DJDDZ.js JControls.js Prototype.js ResourceData.js img index.html
// Check the configuration files for syntax errors
[root@zzh html]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::e2c4:3bc8:ed3a:ecac. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@zzh html]# systemctl restart httpd //restart the service
// View the result in the browser
Different IPs, same port
[root@zzh conf.d]# vim httpd-vhosts.conf //edit the template, binding each block to one of the host's own IP addresses (192.168.78.20 and the secondary 192.168.78.21 added below)
<VirtualHost 192.168.78.20:80>
    DocumentRoot "/var/www/html/fjdz"
    ServerName www.fjdz.com
    ErrorLog "/var/log/httpd/www.fjdz.com-error_log"
    CustomLog "/var/log/httpd/www.fjdz.com-access_log" common
</VirtualHost>

<VirtualHost 192.168.78.21:80>
    DocumentRoot "/var/www/html/ddz"
    ServerName www.ddz.com
    ErrorLog "/var/log/httpd/www.ddz.com-error_log"
    CustomLog "/var/log/httpd/www.ddz.com-access_log" common
</VirtualHost>
[root@zzh conf.d]# ip addr add 192.168.78.21/24 dev ens33 //the host has no .21 address yet, so add a temporary one
[root@zzh conf.d]# ip a
1: lo:
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33:
link/ether 00:0c:29:20:be:e5 brd ff:ff:ff:ff:ff:ff
inet 192.168.78.20/24 brd 192.168.78.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet 192.168.78.21/24 scope global secondary ens33
valid_lft forever preferred_lft forever
inet6 fe80::e2c4:3bc8:ed3a:ecac/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@zzh conf.d]# httpd -t //check the syntax
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::e2c4:3bc8:ed3a:ecac. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@zzh conf.d]# systemctl restart httpd //restart the service
// View the result in the browser
Same IP, same port, different domain names
// Both blocks listen on the same address and port; httpd picks the block whose ServerName matches the Host header
[root@zzh conf.d]# vim httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/var/www/html/fjdz"
    ServerName www.fjdz.com
    ErrorLog "/var/log/httpd/www.fjdz.com-error_log"
    CustomLog "/var/log/httpd/www.fjdz.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/var/www/html/ddz"
    ServerName www.ddz.com
    ErrorLog "/var/log/httpd/www.ddz.com-error_log"
    CustomLog "/var/log/httpd/www.ddz.com-access_log" common
</VirtualHost>
[root@zzh conf.d]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::e2c4:3bc8:ed3a:ecac. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@zzh conf.d]# systemctl restart httpd
Domain name mapping on the client. Linux and macOS: /etc/hosts. Windows: C:\windows\system32\drivers\etc\hosts. On Windows, first move the hosts file to the desktop to edit it, then move it back to its original folder.
// Go to the folder containing hosts and move the file to the desktop for editing;
// right-click, open with Notepad, and add the server's IP followed by the two domain names
// View the result in the browser
Access control rules
Rule                         Function
Require all granted          allow all hosts
Require all denied           deny all hosts
Require ip IPADDR            allow hosts from the given source address(es)
Require not ip IPADDR        deny hosts from the given source address(es)
Require host HOSTNAME        allow hosts with the given source host name
Require not host HOSTNAME    deny hosts with the given source host name

Forms of IPADDR:
IP: 192.168.1.1
Network/mask: 192.168.1.0/255.255.255.0
Network/Length: 192.168.1.0/24
Net: 192.168 (a partial address; the omitted octets match anything)

Forms of HOSTNAME:
FQDN: the full name of a specific host
DOMAIN: all hosts within the given domain

Note: httpd 2.4 denies all hosts by default, so after installation access must be granted explicitly.

// Inside the <Directory> block for the site's document root: deny 192.168.1.20 and allow everyone else.
// A negated rule ("Require not") is only valid inside a <RequireAll> or <RequireNone> container.
[root@zzh ~]# vim /etc/httpd/conf/httpd.conf
<RequireAll>
    Require not ip 192.168.1.20
    Require all granted
</RequireAll>
[root@zzh ~]# httpd -t
Syntax OK
[root@zzh ~]# systemctl restart httpd
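The following POSIX sh script is an added example, not code from the original post or from the httpd project. It evaluates a client address against the four IPADDR forms listed above (full IP, network/mask, network/length, partial address) and then models the <RequireAll> semantics used in the httpd.conf edit: every rule must pass, a "not ip" rule passes only when the client is outside the range, and "all granted" always passes. Only IPv4 is handled (httpd itself also accepts IPv6 and host names), and the arithmetic assumes a 64-bit shell, which every current dash and bash provides.

```shell
#!/bin/sh
# Added example (not from the original post): a tiny evaluator for "Require ip",
# "Require not ip", "Require all granted" and "Require all denied" inside <RequireAll>.
# IPv4 only; shell arithmetic must be 64-bit (1 << 32 must not overflow).

# Dotted quad (or partial such as "192.168") -> 32-bit integer; missing octets are 0.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ${1:-0} * 16777216 + ${2:-0} * 65536 + ${3:-0} * 256 + ${4:-0} ))
}

# Prefix length 0..32 -> netmask as an integer (e.g. 24 -> 4294967040 = 0xFFFFFF00).
prefix_to_mask() {
    echo $(( 4294967296 - (1 << (32 - $1)) ))
}

# One IPADDR spec -> "network-int mask-int". Accepted forms (from the post's table):
#   192.168.1.1   192.168.1.0/255.255.255.0   192.168.1.0/24   192.168
spec_to_net_mask() {
    case $1 in
        */*)
            net=${1%/*}; mask=${1#*/}
            case $mask in
                *.*) maskint=$(ip_to_int "$mask") ;;        # dotted netmask
                *)   maskint=$(prefix_to_mask "$mask") ;;   # prefix length
            esac
            ;;
        *)
            net=$1
            old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs   # count the octets given
            maskint=$(prefix_to_mask $(( $# * 8 )))        # "192.168" -> /16, full IP -> /32
            ;;
    esac
    echo "$(( $(ip_to_int "$net") & maskint ))" "$maskint"
}

# ip_matches CLIENT SPEC -> exit status 0 when CLIENT falls inside SPEC.
ip_matches() {
    cint=$(ip_to_int "$1")
    set -- $(spec_to_net_mask "$2")
    [ $(( cint & $2 )) -eq "$1" ]
}

# require_all CLIENT RULE... -> prints "granted" or "denied", like a <RequireAll> block:
# every rule has to be satisfied; "not ip" is satisfied only when the client does NOT match.
require_all() {
    client=$1; shift
    for rule in "$@"; do
        case $rule in
            "all granted") ;;
            "all denied")  echo denied; return 1 ;;
            "not ip "*)    ip_matches "$client" "${rule#not ip }" && { echo denied; return 1; } ;;
            "ip "*)        ip_matches "$client" "${rule#ip }"     || { echo denied; return 1; } ;;
            *)             echo "unsupported rule: $rule" >&2; return 2 ;;
        esac
    done
    echo granted
}

# Stand-alone run: the post's rule set, checked against the blocked address and a neighbour.
for c in 192.168.1.20 192.168.1.21; do
    echo "$c -> $(require_all "$c" "not ip 192.168.1.20" "all granted")"
done
```

Running the script prints "192.168.1.20 -> denied" and "192.168.1.21 -> granted". Note that a bare <Directory> block with several Require lines behaves as an implicit <RequireAny>, where a negated rule is rejected by httpd -t; that is why the post's two lines need the explicit <RequireAll> wrapper.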
Installing the SSL module
[root@zzh ~]# dnf install -y mod_ssl
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 1:46:07 ago on Sun Jul 24 03:26:55 2022.
Dependencies resolved.
=================================================================================================================================================================================================
Package Architecture Version Repository Size
=================================================================================================================================================================================================
Installing:
mod_ssl x86_64 1:2.4.37-47.module_el8.6.0+1111+ce6f4ceb.1 appstream 137 k
[root@zzh ~]# systemctl restart httpd
[root@zzh ~]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::e2c4:3bc8:ed3a:ecac. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@zzh ~]# ss -antl //port 443 is now listening
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:443 *:*
[root@zzh ~]# httpd -M |grep ssl //confirm the ssl module is loaded
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::e2c4:3bc8:ed3a:ecac. Set the 'ServerName' directive globally to suppress this message
ssl_module (shared)
Configuring HTTPS
HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is HTTP carried over a channel built for security: on top of HTTP it adds transport encryption and identity authentication, protecting the data while it is in transit.
CA generates a private key
[root@zzh ~]# cd /etc/pki/
[root@zzh pki]# mkdir CA
[root@zzh pki]# cd CA/
[root@zzh CA]# mkdir private
[root@zzh CA]# ls
private
[root@zzh CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) //generate the private key; umask 077 keeps the file readable by root only
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
.................+++++
e is 65537 (0x010001)
[root@zzh CA]# openssl rsa -in private/cakey.pem -pubout //extract the public key
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6Lht6POafL+XbCpcE42I
RiQENGXO+VRKIfsCcEs9W2Q+IWuMFjngNb1lagOmQr/7Qcpgy93eV1FxyxwiUmmB
Bf0DSRCei1ydWFfF0ewyidYCPMtuyTqOOf0FwGssRIwbsBnyg5D4HMBJnoSSIFN5
Or94aRXHvnuX022DfVlJGGGNGqSCMlM10aJHWBaEQNKB77S+S3YEKAZJ+ozvsWmY
GwwWQnNQm/sZ7WA+OoV5/hma802BI81tz3UreekYv9la6g5TUUrLaw8PYBUX3pNu
ytZ1FPODKFqkuIcYLiOXaoVjUwG984s1xOgtSB0SBfNXNl+J2QIwsVMzTzi/s0w3
BQIDAQAB
-----END PUBLIC KEY-----
CA generates a self-signed certificate
[root@zzh CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:zzh
Organizational Unit Name (eg, section) []:dfj
Common Name (eg, your name or your server's hostname) []:www.fjdz.com
Email Address []:1@2.com
[root@zzh CA]# openssl x509 -text -in cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
47:83:75:6e:94:5e:71:4a:2e:49:61:9a:43:79:d0:b2:37:64:7e:31
Signature Algorithm: sha256WithRSAEncryption
[root@zzh CA]# mkdir certs newcerts crl //directories required by openssl ca
[root@zzh CA]# touch index.txt && echo 01 > serial //empty certificate database and the first serial number
Client generates a private key
[root@zzh CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@zzh ssl]# pwd
/etc/httpd/ssl
[root@zzh ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..............+++++
.........................+++++
e is 65537 (0x010001)
Client generates a certificate signing request
[root@zzh ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:zzh
Organizational Unit Name (eg, section) []:dfj
Common Name (eg, your name or your server's hostname) []:www.fjdz.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
CA signs the certificate request submitted by the client
[root@zzh ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 24 09:27:59 2022 GMT
Not After : Jul 24 09:27:59 2023 GMT
Subject:
countryName = cn
stateOrProvinceName = hb
organizationName = zzh
organizationalUnitName = dfj
commonName = www.fjdz.com
emailAddress = 1@2.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7A:E1:B3:4B:0C:45:E4:ED:AC:97:62:E9:B9:0C:26:4E:FF:A9:EF:AA
X509v3 Authority Key Identifier:
keyid:92:A9:DB:B3:1F:7F:5B:70:C6:0E:30:0E:78:4B:5A:79:3E:2D:60:7B
Certificate is to be certified until Jul 24 09:27:59 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
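The sequence above (CA key, self-signed CA certificate, server key, CSR, CA-signed server certificate) as a non-interactive script, added here as an example and not taken from the original post or from OpenSSL's own documentation. It adds three checks worth running before pointing ssl.conf at the files: the certificate chains to the CA (openssl verify), it carries a subjectAltName for www.fjdz.com (browsers match the host name against the SAN, not the CN), and httpd.key really is the private key for httpd.crt. Signing uses openssl x509 -req instead of the post's openssl ca, so no index.txt/serial database is needed. The paths under the working directory mirror the post's /etc/pki/CA and /etc/httpd/ssl; the working directory itself and the CA's CN ("zzh-ca") are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the post's PKI steps, scripted, with checks.
# Requires the openssl command-line tool.

# build_pki [WORKDIR]: creates CA and server material under WORKDIR, prints WORKDIR.
build_pki() {
    workdir=${1:-$(mktemp -d)}
    cadir=$workdir/pki/CA
    ssldir=$workdir/httpd/ssl
    mkdir -p "$cadir/private" "$ssldir"

    # 1. CA private key; umask 077 makes the file readable by its owner only (as in the post)
    (umask 077; openssl genrsa -out "$cadir/private/cakey.pem" 2048 2>/dev/null)

    # 2. Self-signed CA certificate; -subj supplies the DN fields the post typed interactively
    openssl req -new -x509 -key "$cadir/private/cakey.pem" -out "$cadir/cacert.pem" \
        -days 365 -subj "/C=cn/ST=hb/L=wh/O=zzh/OU=dfj/CN=zzh-ca"

    # 3. Server private key and CSR (no -days: openssl ignores it for a CSR, as the post's output shows)
    (umask 077; openssl genrsa -out "$ssldir/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$ssldir/httpd.key" -out "$ssldir/httpd.csr" \
        -subj "/C=cn/ST=hb/L=wh/O=zzh/OU=dfj/CN=www.fjdz.com"

    # 4. CA signs the CSR. The extension file adds the SAN and pins the leaf to CA:FALSE,
    #    so the server certificate can never be used to issue further certificates.
    printf 'subjectAltName=DNS:www.fjdz.com\nbasicConstraints=CA:FALSE\n' > "$ssldir/httpd.ext"
    openssl x509 -req -in "$ssldir/httpd.csr" -CA "$cadir/cacert.pem" \
        -CAkey "$cadir/private/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$ssldir/httpd.ext" -out "$ssldir/httpd.crt" 2>/dev/null

    echo "$workdir"
}

# verify_chain WORKDIR: prints "OK" when httpd.crt validates against cacert.pem.
verify_chain() {
    openssl verify -CAfile "$1/pki/CA/cacert.pem" "$1/httpd/ssl/httpd.crt" 2>/dev/null |
        sed 's/^.*: //'
}

# cert_san WORKDIR: prints the DNS name(s) in the server certificate's subjectAltName.
cert_san() {
    openssl x509 -in "$1/httpd/ssl/httpd.crt" -noout -text |
        sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# key_matches_cert WORKDIR: "match" when the public key in httpd.crt is derived from httpd.key.
key_matches_cert() {
    k=$(openssl pkey -in "$1/httpd/ssl/httpd.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1/httpd/ssl/httpd.crt" -noout -pubkey 2>/dev/null)
    [ "$k" = "$c" ] && echo match || echo mismatch
}

# Stand-alone run: build everything in a temporary directory and report the three checks.
dir=$(build_pki)
echo "PKI in $dir: chain $(verify_chain "$dir"), SAN $(cert_san "$dir"), key $(key_matches_cert "$dir")"
```

On a real host you would pass /etc as the working directory argument (or copy the files into /etc/pki/CA and /etc/httpd/ssl) and then reference /etc/httpd/ssl/httpd.crt and /etc/httpd/ssl/httpd.key from ssl.conf; the private keys stay mode 0600 because of the umask.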
Editing the ssl.conf configuration file
[root@zzh conf.d]# vim ssl.conf //find these four lines, uncomment them, and set the document root and the paths of the certificate and key created above
DocumentRoot "/var/www/html/fjdz"
ServerName www.fjdz.com:443
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
[root@zzh conf.d]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::e2c4:3bc8:ed3a:ecac. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@zzh conf.d]# systemctl restart httpd
// View the result in the browser
Redirection
// Force HTTPS: any request arriving over plain HTTP is redirected to the same path on https://
[root@zzh conf.d]# vim httpd-vhosts.conf
<VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://www.yfdz.com$1 [L,R]
    DocumentRoot "/var/www/html/fjdz"
    ServerName www.yfdz.com
    ErrorLog "/var/log/httpd/fjdz_log/error_log"
    CustomLog "/var/log/httpd/fjdz_log/access_log" common
    <Directory "/var/www/html/fjdz">   // Require is only valid inside a directory-level container
        Require all granted
    </Directory>
</VirtualHost>
// View the result in the browser