Requirements

Implement the following with both httpd-2.2 and httpd-2.4:

  • Two virtual hosts, named www.a.com and www.b.org.

  • www.a.com: page files under /opt/a.com/htdocs, access log at /var/log/httpd/a.com/access.log, error log at /var/log/httpd/a.com/error.log. Both logs are rotated daily.

  • www.b.org: page files under /opt/b.org/htdocs, access log at /var/log/httpd/b.org/access.log, error log at /var/log/httpd/b.org/error.log. Both logs are rotated daily.

  • www.a.com/server-status outputs the server's status information and may only be accessed by users who supply an account;

  • www.a.com/server-status may only be accessed from hosts in the 192.168.5.0/24 network.

  • Both virtual hosts also provide HTTPS.

Note: every httpd in this test is installed from yum; httpd-2.2 is demonstrated on CentOS 6 and httpd-2.4 on CentOS 7.

httpd-2.2 configuration

Installation

httpd can be installed from yum or compiled from source, but note that the default yum repository on CentOS 6 ships httpd-2.2.

```bash
# yum install -y httpd httpd-devel mod_ssl
```

Signing the SSL certificates

The following operations are carried out on the CA machine.

Generating the CA certificate

```text
# yum install -y openssl openssl-devel
# cd /etc/pki/CA/
# (umask 077; openssl genrsa 2048 > private/cakey.pem)
# openssl req -new -x509 -key private/cakey.pem -days 3655 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:admin@example.com
# touch index.txt serial
# echo 01 > serial
```

Signing the a.com domain certificate

```text
# mkdir /opt/ssl/a.com -p
# cd /opt/ssl/a.com
# (umask 077 ;openssl genrsa 2048 > a.key)
# openssl req -new -key a.key -out a.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:admin@a.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in a.csr -out a.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 28 08:05:37 2016 GMT
            Not After : Nov 28 08:05:37 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShangHai
            organizationName          = example
            organizationalUnitName    = ops
            commonName                = www.a.com
            emailAddress              = admin@a.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AD:30:DE:CC:1A:BC:2B:91:B0:B0:25:E0:48:92:1A:1B:45:38:5D:90
            X509v3 Authority Key Identifier:
                keyid:63:44:A4:35:9B:BA:F3:D1:85:99:60:6B:56:84:5B:E4:F5:83:25:06
Certificate is to be certified until Nov 28 08:05:37 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

Signing the b.org domain certificate

```text
# mkdir /opt/ssl/b.org/
# cd /opt/ssl/b.org/
# (umask 077 ;openssl genrsa 2048 > b.key)
# openssl req -new -key b.key -out b.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.b.org
Email Address []:admin@b.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in b.csr -out b.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Nov 28 08:12:01 2016 GMT
            Not After : Nov 28 08:12:01 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShangHai
            organizationName          = example
            organizationalUnitName    = ops
            commonName                = www.b.org
            emailAddress              = admin@b.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                93:8A:3D:19:32:67:D3:3A:3D:1B:FE:15:04:C2:A0:42:FC:13:3A:7E
            X509v3 Authority Key Identifier:
                keyid:63:44:A4:35:9B:BA:F3:D1:85:99:60:6B:56:84:5B:E4:F5:83:25:06
Certificate is to be certified until Nov 28 08:12:01 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

Copying the certificates to the httpd host

```bash
# scp -r /opt/ssl/* root@192.168.5.194:/etc/httpd/ssl/
```

Note that the ssl directory has to be created on the httpd server beforehand.

Viewing the signing records

```text
# cat serial
03
# cat index.txt
V	171128080537Z		01	unknown	/C=CN/ST=ShangHai/O=example/OU=ops/CN=www.a.com/emailAddress=admin@a.com
V	171128081201Z		02	unknown	/C=CN/ST=ShangHai/O=example/OU=ops/CN=www.b.org/emailAddress=admin@b.org
```
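As an added example (not part of the original article), a small Python parser for the CA's index.txt database shown above, which reports the signed certificates that are still valid and about to expire. The two sample records are constructed to mirror the entries above; in the real file the six fields are separated by tabs.

```python
"""Parse an OpenSSL CA database (index.txt) and flag expiring certificates."""
from datetime import datetime, timedelta, timezone

# Constructed sample: same content as the page's index.txt, tab-separated.
SAMPLE_INDEX = (
    "V\t171128080537Z\t\t01\tunknown\t"
    "/C=CN/ST=ShangHai/O=example/OU=ops/CN=www.a.com/emailAddress=admin@a.com\n"
    "V\t171128081201Z\t\t02\tunknown\t"
    "/C=CN/ST=ShangHai/O=example/OU=ops/CN=www.b.org/emailAddress=admin@b.org\n"
)


def parse_time(value):
    """index.txt stores UTCTime (YYMMDDHHMMSSZ); GeneralizedTime (four-digit
    year) appears for dates from 2050 on. Both are interpreted as UTC."""
    fmt = "%Y%m%d%H%M%SZ" if len(value) == 15 else "%y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_dn(dn):
    """'/C=CN/CN=www.a.com' -> {'C': 'CN', 'CN': 'www.a.com'}."""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if part)


def parse_index(text):
    """One dict per record: status (V valid, R revoked, E expired), expiry,
    revocation field, serial (hex in the file), and the subject DN."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt record: %r" % line)
        status, expiry, revoked, serial, _filename, dn = fields
        entries.append({
            "status": status,
            "expires": parse_time(expiry),
            "revoked": revoked or None,
            "serial": int(serial, 16),
            "subject": parse_dn(dn),
        })
    return entries


def expiring(entries, now=None, days=30):
    """CNs of still-valid certificates that expire within `days` of `now`."""
    now = now or datetime.now(timezone.utc)
    limit = now + timedelta(days=days)
    return sorted(e["subject"]["CN"] for e in entries
                  if e["status"] == "V" and e["expires"] <= limit)
```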

httpd configuration

The following operations are carried out on the httpd server. Edit /etc/httpd/conf.d/www.conf:

```apache
<VirtualHost *:80>
    ServerName www.a.com
    DocumentRoot "/opt/a.com/htdocs"
    DirectoryIndex index.html index.htm
    #CustomLog logs/a.com/access_log combined
    CustomLog "|rotatelogs /var/log/httpd/a.com/access_%Y%m%d.log 86400 480" combined
    ErrorLog "|rotatelogs /var/log/httpd/a.com/error_%Y%m%d.log 86400 480"
    <Location /server-status>
        SetHandler server-status
        # Order allow,deny denies by default; only clients matching Allow pass,
        # and with the default Satisfy All they must also authenticate
        Order allow,deny
        Allow from 192.168.5
        AuthType Basic
        AuthName "a.com basic"
        AuthUserFile "/etc/httpd/conf/.htpasswd"
        Require user bols
    </Location>
</VirtualHost>
<VirtualHost *:80>
    ServerName www.b.org
    DocumentRoot "/opt/b.org/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog "|rotatelogs /var/log/httpd/b.org/access_%Y%m%d.log 86400 480" combined
    ErrorLog "|rotatelogs /var/log/httpd/b.org/error_%Y%m%d.log 86400 480"
    #CustomLog logs/b.org/access_log combined
    #ErrorLog logs/b.org/error_log
</VirtualHost>
<VirtualHost *:443>
    ServerName www.b.org:443
    DocumentRoot "/opt/b.org/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/b.org/access_ssl.log combined
    ErrorLog /var/log/httpd/b.org/error_ssl.log
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/b.org/b.crt
    SSLCertificateKeyFile /etc/httpd/ssl/b.org/b.key
</VirtualHost>
<VirtualHost *:443>
    ServerName www.a.com:443
    DocumentRoot "/opt/a.com/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/a.com/access_ssl.log combined
    ErrorLog /var/log/httpd/a.com/error_ssl.log
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/a.com/a.crt
    SSLCertificateKeyFile /etc/httpd/ssl/a.com/a.key
</VirtualHost>
```

Testing

  • Create the site test files

```text
[root@db-02 ~]# cat /opt/a.com/htdocs/index.html
<h1>www.a.com</h1>
[root@db-02 ~]# cat /opt/b.org/htdocs/index.html
<h1>www.b.org</h1>
```

  • Import the root certificate

Import the CA's cacert.pem into the browser's trusted root certificate store.

  • Create the other required files

```text
# mkdir /var/log/httpd/a.com/
# mkdir /var/log/httpd/b.org/
# /etc/init.d/httpd start
# htpasswd -cm /etc/httpd/conf/.htpasswd bols
```

  • Test

Before testing, add the domain names and the IP addresses they should resolve to in the hosts file:

```text
# curl http://www.a.com/index.html
<h1>www.a.com</h1>
# curl http://www.b.org/index.html
<h1>www.b.org</h1>
# openssl s_client -connect www.b.org:443 -CAfile /etc/pki/CA/cacert.pem
......
GET /index.html HTTP/1.1
Host:www.b.org

HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 09:58:20 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 23 Nov 2016 09:17:33 GMT
ETag: "2405e-13-541f45be79532"
Accept-Ranges: bytes
Content-Length: 19
Connection: close
Content-Type: text/html; charset=UTF-8

<h1>www.b.org</h1>
closed
# openssl s_client -connect www.a.com:443 -CAfile /etc/pki/CA/cacert.pem
......
GET /index.html HTTP/1.1
Host:www.a.com

HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 09:57:39 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 23 Nov 2016 09:17:04 GMT
ETag: "2405f-13-541f45a2f779e"
Accept-Ranges: bytes
Content-Length: 19
Connection: close
Content-Type: text/html; charset=UTF-8

<h1>www.a.com</h1>
closed
[root@bid-02 ~]# curl -I --user bols:bols http://www.a.com/server-status
HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 11:05:37 GMT
Server: Apache/2.2.15 (CentOS)
Content-Length: 2536
Connection: close
Content-Type: text/html; charset=ISO-8859-1
```

Problems encountered during installation and configuration:

  • Warnings during the syntax check

```text
# httpd -t
httpd: apr_sockaddr_info_get() failed for db-02
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
Syntax OK
```

The first one is because ServerName is not set in the httpd configuration file:

```text
# vim /etc/httpd/conf/httpd.conf +276
ServerName *:80
```

Running the check again still produced warnings:

```text
# httpd -t
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
Syntax OK
```

These are because NameVirtualHost is not set:

```text
vim /etc/httpd/conf/httpd.conf +991
NameVirtualHost *:80
NameVirtualHost *:443
```

  • Log rotation failed after configuring rotated logs

Cause: the cause of the problem is unclear, but the fix was to use absolute paths for the log files rather than relative ones.

httpd-2.4

Installation

```bash
# yum install -y httpd httpd-devel mod_ssl
```

CA certificate configuration

The SSL certificates are still the ones created on the CentOS 6 system; copy the files into the /etc/httpd/ssl directory, which has to be created manually.

Creating the site test files

```text
# cat /opt/a.com/htdocs/index.html
<h1>www.a.com</h1>
# cat /opt/b.org/htdocs/index.html
<h1>www.b.org</h1>
```

Creating the authentication file

For how to use the htpasswd command, look it up yourself.

```bash
# htpasswd -cm /etc/httpd/conf/htpasswd bols
```
Configuration

```apache
<VirtualHost *:80>
    ServerName www.a.com
    DocumentRoot "/opt/a.com/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/a.com/access.log combined
    ErrorLog /var/log/httpd/a.com/error.log
    <Directory "/opt/a.com/htdocs">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    <Location /server-status>
        SetHandler server-status
        Options None
        AuthType Basic
        AuthName "a.com basic"
        AuthUserFile "/etc/httpd/conf/htpasswd"
        # Both conditions must hold: a valid account AND a client in
        # 192.168.5.0/24, as the requirements specify. A bare "Require user"
        # on its own would admit any network that presents the credentials.
        <RequireAll>
            Require ip 192.168.5.0/24
            Require user bols
        </RequireAll>
    </Location>
</VirtualHost>
<VirtualHost *:80>
    ServerName www.b.org
    DocumentRoot "/opt/b.org/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/b.org/access.log combined
    ErrorLog /var/log/httpd/b.org/error.log
    <Directory "/opt/b.org/htdocs">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName www.b.org:443
    DocumentRoot "/opt/b.org/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/b.org/access_ssl.log combined
    ErrorLog /var/log/httpd/b.org/error_ssl.log
    <Directory "/opt/b.org/htdocs">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/b.org/b.crt
    SSLCertificateKeyFile /etc/httpd/ssl/b.org/b.key
</VirtualHost>
<VirtualHost *:443>
    ServerName www.a.com:443
    DocumentRoot "/opt/a.com/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/a.com/access_ssl.log combined
    ErrorLog /var/log/httpd/a.com/error_ssl.log
    <Directory "/opt/a.com/htdocs">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/a.com/a.crt
    SSLCertificateKeyFile /etc/httpd/ssl/a.com/a.key
</VirtualHost>
```

Testing

Testing is the same as on CentOS 6; the results are not reproduced here.

Notes

Configuration and use on CentOS 7 differ from CentOS 6 in the following ways (my own summary):

  • httpd is no longer started with the service command but with systemctl.

  • Pages in any directory can only be accessed if access is explicitly granted.

  • Access control is configured as follows:

    • Allow all hosts: Require all granted

    • Deny all hosts: Require all denied

    • Allow a specific source IP: Require ip IPADDR

    • Deny a specific source IP: Require not ip IPADDR

    • Allow a specific source host: Require host HOSTNAME

    • Deny a specific source host: Require not host HOSTNAME
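As an added example (not from the article or the httpd project), a Python model of the two access-control dialects used for /server-status on this page: httpd-2.2 Order/Allow combined with Satisfy, and httpd-2.4 Require conditions combined with RequireAll/RequireAny. The user list and client addresses are constructed, and the credential check is a stub; the point it shows is that the network restriction and the account check only enforce each other when combined with Satisfy All (2.2) or RequireAll (2.4).

```python
"""Model httpd-2.2 and httpd-2.4 access decisions for /server-status."""
import ipaddress

NETWORK = ipaddress.ip_network("192.168.5.0/24")  # from the requirements
VALID_USERS = {"bols"}                             # constructed stand-in for the htpasswd file


def ip_allowed(client_ip, network=NETWORK):
    """Equivalent of `Allow from 192.168.5` / `Require ip 192.168.5.0/24`."""
    return ipaddress.ip_address(client_ip) in network


def authorized_22(client_ip, user, order="allow,deny", satisfy="all"):
    """httpd-2.2: Order decides the default and evaluation sequence of the
    Allow/Deny lines; Satisfy decides how the host result combines with
    AuthType/Require user. The default is Satisfy All (both must pass).
    The page's config has no Deny lines, so `denied` is always False."""
    allowed = ip_allowed(client_ip)
    denied = False
    if order == "allow,deny":
        host_ok = allowed and not denied   # default deny
    elif order == "deny,allow":
        host_ok = allowed or not denied    # default allow
    else:
        raise ValueError("unknown Order: %s" % order)
    user_ok = user in VALID_USERS
    if satisfy == "all":
        return host_ok and user_ok
    if satisfy == "any":
        return host_ok or user_ok
    raise ValueError("unknown Satisfy: %s" % satisfy)


def authorized_24(client_ip, user, require_ip=True, mode="all"):
    """httpd-2.4: every Require line is a condition. <RequireAll> needs all
    of them, <RequireAny> (the default container) needs one. With
    require_ip=False the block holds only `Require user`, so any client
    that presents valid credentials is authorized regardless of network."""
    conditions = [user in VALID_USERS]
    if require_ip:
        conditions.append(ip_allowed(client_ip))
    if mode == "all":
        return all(conditions)
    if mode == "any":
        return any(conditions)
    raise ValueError("unknown container: %s" % mode)
```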

Notes on log rotation:

  • httpd logs can be rotated with rotatelogs, cronolog, or a script.

  • rotatelogs is the log rotation tool bundled with httpd; my own test of it under httpd-2.4 did not succeed.

  • cronolog is a log rotation tool from the EPEL repository and has to be installed separately.

  • Script-driven rotation is written according to your own business needs.
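As an added example (not part of the article), Python that reproduces the time arithmetic behind the rotatelogs arguments used in the httpd-2.2 configuration, `access_%Y%m%d.log 86400 480`: rotate every 86400 seconds, with the day boundary and the date in the file name shifted by 480 minutes (UTC+8). The timestamps in the checks are taken from the Date headers of the curl tests above; the function names are my own and rotatelogs itself is the httpd tool.

```python
"""Reproduce how rotatelogs picks the file name and rotation time for
`<pattern> <rotationtime> <offset>` (without -l)."""
from datetime import datetime, timezone

ROTATION = 86400   # seconds between rotations, from the CustomLog line
OFFSET_MIN = 480   # minutes east of UTC, from the CustomLog line
PATTERN = "/var/log/httpd/a.com/access_%Y%m%d.log"


def utc_epoch(y, mo, d, h=0, mi=0, s=0):
    """Helper: UTC calendar time -> epoch seconds, for readable checks."""
    return int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp())


def period_start(ts, rotation=ROTATION, offset_min=OFFSET_MIN):
    """rotatelogs adds the UTC offset to 'now' and rounds down to a multiple
    of the rotation interval. The result (still offset-shifted) is both the
    period start and the value fed to the strftime pattern."""
    shifted = int(ts) + offset_min * 60
    return (shifted // rotation) * rotation


def log_name(ts, pattern=PATTERN, rotation=ROTATION, offset_min=OFFSET_MIN):
    """File name rotatelogs writes to for a request at UTC epoch `ts`.
    The shifted start is formatted as if it were UTC, which is how a
    local-date (UTC+8) name is produced without the -l flag."""
    start = period_start(ts, rotation, offset_min)
    return datetime.fromtimestamp(start, tz=timezone.utc).strftime(pattern)


def next_rotation_utc(ts, rotation=ROTATION, offset_min=OFFSET_MIN):
    """UTC epoch at which the file in use at `ts` is closed and rotated
    (midnight UTC+8, i.e. 16:00 UTC, for a daily interval)."""
    return period_start(ts, rotation, offset_min) + rotation - offset_min * 60
```

A request logged at 17:30 UTC therefore already lands in the next day's file, because it is past midnight in UTC+8; with offset 0 it would stay in the current day's file.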
