Requirements

Implement the following with httpd-2.2 and with httpd-2.4:

  • Two virtual hosts, named www.a.com and www.b.org

  • www.a.com: document root /opt/a.com/htdocs, access log /var/log/httpd/a.com/access.log, error log /var/log/httpd/a.com/error.log. Both logs are to be rotated daily.

  • www.b.org: document root /opt/b.org/htdocs, access log /var/log/httpd/b.org/access.log, error log /var/log/httpd/b.org/error.log. Both logs are to be rotated daily.

  • Expose the server's status information at www.a.com/server-status, accessible only to users who have been given an account;

  • www.a.com/server-status may only be reached from hosts on the 192.168.5.0/24 network.

  • Provide HTTPS for both virtual hosts as well.

Note: every httpd in this test is installed from yum; httpd-2.2 is demonstrated on CentOS 6 and httpd-2.4 on CentOS 7.

httpd-2.2 configuration

Installation

You can install either from yum or from source, but note that the default yum repository on CentOS 6 ships httpd-2.2.

#yum install -y httpd httpd-devel mod_ssl

Signing the SSL certificates

The following steps are carried out on the CA machine.

Generate the CA certificate

# yum install -y openssl openssl-devel
# cd /etc/pki/CA/
# (umask 077; openssl genrsa 2048 > private/cakey.pem)
# openssl req -new -x509 -key private/cakey.pem -days 3655 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:admin@example.com
# touch index.txt serial
# echo 01 > serial

Signing the a.com certificate

# mkdir /opt/ssl/a.com -p
# cd /opt/ssl/a.com/
# (umask 077; openssl genrsa 2048 > a.key)
# openssl req -new -key a.key -out a.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:admin@a.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in a.csr -out a.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 28 08:05:37 2016 GMT
            Not After : Nov 28 08:05:37 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShangHai
            organizationName          = example
            organizationalUnitName    = ops
            commonName                = www.a.com
            emailAddress              = admin@a.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AD:30:DE:CC:1A:BC:2B:91:B0:B0:25:E0:48:92:1A:1B:45:38:5D:90
            X509v3 Authority Key Identifier:
                keyid:63:44:A4:35:9B:BA:F3:D1:85:99:60:6B:56:84:5B:E4:F5:83:25:06

Certificate is to be certified until Nov 28 08:05:37 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Signing the b.org certificate

# mkdir /opt/ssl/b.org/
# cd /opt/ssl/b.org/
# (umask 077; openssl genrsa 2048 > b.key)
# openssl req -new -key b.key -out b.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.b.org
Email Address []:admin@b.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in b.csr -out b.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Nov 28 08:12:01 2016 GMT
            Not After : Nov 28 08:12:01 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShangHai
            organizationName          = example
            organizationalUnitName    = ops
            commonName                = www.b.org
            emailAddress              = admin@b.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                93:8A:3D:19:32:67:D3:3A:3D:1B:FE:15:04:C2:A0:42:FC:13:3A:7E
            X509v3 Authority Key Identifier:
                keyid:63:44:A4:35:9B:BA:F3:D1:85:99:60:6B:56:84:5B:E4:F5:83:25:06

Certificate is to be certified until Nov 28 08:12:01 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Copy the certificates to the httpd host

# scp -r  /opt/ssl/* root@192.168.5.194:/etc/httpd/ssl/

Note that the ssl directory has to be created on the httpd server first.

Viewing the signing records

# cat serial
03
# cat index.txt
V 171128080537Z 01 unknown /C=CN/ST=ShangHai/O=example/OU=ops/CN=www.a.com/emailAddress=admin@a.com
V 171128081201Z 02 unknown /C=CN/ST=ShangHai/O=example/OU=ops/CN=www.b.org/emailAddress=admin@b.org
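Both certificates signed above are valid for exactly 365 days, and an expired server certificate breaks every HTTPS client at once, so the CA database is worth checking on a schedule. The following shell function is an added example, not part of the original post: it reads an `openssl ca` index.txt in the layout shown above and lists the still-valid (status V) certificates that expire on or before a cut-off. The cut-off is passed in the database's own YYMMDDHHMMSSZ format so the check does not depend on GNU date; the index content used for the demonstration is constructed to match the two entries above plus one revoked entry.

```shell
#!/bin/sh
# Added example: report certificates in an `openssl ca` index.txt that are
# still valid (status V) but expire on or before a cut-off timestamp.
# index.txt fields are tab-separated: status, expiry (YYMMDDHHMMSSZ),
# revocation date (empty unless revoked), serial, cert filename, subject DN.
# Timestamps are compared as strings, which is valid because the format is
# fixed-width and zero-padded (two-digit years, so good until 2049).
#
# Usage:  ca_expiring_before INDEX_FILE CUTOFF_YYMMDDHHMMSSZ
# Output: one line per matching certificate: "SERIAL CN EXPIRY"
ca_expiring_before() {
    index_file=$1
    cutoff=$2
    awk -F'\t' -v cutoff="$cutoff" '
        $1 == "V" && $2 <= cutoff {
            # Extract the CN from the subject DN (/C=CN/.../CN=www.a.com/...)
            cn = $6
            sub(/.*\/CN=/, "", cn)
            sub(/\/.*/, "", cn)
            print $4, cn, $2
        }' "$index_file"
}

# Constructed sample database: the two entries signed above plus a revoked
# one (status R) that must never be reported. printf supplies the tabs that
# the blog's copy of index.txt lost when it was pasted.
write_sample_index() {
    printf 'V\t171128080537Z\t\t01\tunknown\t/C=CN/ST=ShangHai/O=example/OU=ops/CN=www.a.com/emailAddress=admin@a.com\n' > "$1"
    printf 'V\t171128081201Z\t\t02\tunknown\t/C=CN/ST=ShangHai/O=example/OU=ops/CN=www.b.org/emailAddress=admin@b.org\n' >> "$1"
    printf 'R\t180101000000Z\t170601000000Z\t03\tunknown\t/C=CN/CN=revoked.example\n' >> "$1"
}

# Demonstration: everything that runs out before the end of 2017 (UTC).
sample=$(mktemp)
write_sample_index "$sample"
ca_expiring_before "$sample" 171231235959Z
rm -f "$sample"
```

Run against the real /etc/pki/CA/index.txt with a cut-off of, say, 30 days from today; an empty result means nothing is due.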

httpd configuration

The following steps are carried out on the httpd server.

# vim /etc/httpd/conf.d/www.conf
<VirtualHost *:80>
    ServerName www.a.com
    DocumentRoot "/opt/a.com/htdocs"
    DirectoryIndex index.html index.htm
    #CustomLog logs/a.com/access_log combined
    # Daily rotation: a new file every 86400 s, with a 480-minute (UTC+8) offset
    CustomLog "|rotatelogs /var/log/httpd/a.com/access_%Y%m%d.log 86400 480" combined
    ErrorLog "|rotatelogs /var/log/httpd/a.com/error_%Y%m%d.log 86400 480"
    <Location /server-status>
        SetHandler server-status
        # Network restriction plus Basic auth; with the default Satisfy All,
        # both checks must pass
        Order allow,deny
        Allow from 192.168.5
        AuthType Basic
        AuthName "a.com basic"
        AuthUserFile "/etc/httpd/conf/.htpasswd"
        Require user bols
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.b.org
    DocumentRoot "/opt/b.org/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog "|rotatelogs /var/log/httpd/b.org/access_%Y%m%d.log 86400 480" combined
    ErrorLog "|rotatelogs /var/log/httpd/b.org/error_%Y%m%d.log 86400 480"
    #CustomLog logs/b.org/access_log combined
    #ErrorLog logs/b.org/error_log
</VirtualHost>

<VirtualHost *:443>
    ServerName www.b.org:443
    DocumentRoot "/opt/b.org/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/b.org/access_ssl.log combined
    ErrorLog /var/log/httpd/b.org/error_ssl.log
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/b.org/b.crt
    SSLCertificateKeyFile /etc/httpd/ssl/b.org/b.key
</VirtualHost>

<VirtualHost *:443>
    ServerName www.a.com:443
    DocumentRoot "/opt/a.com/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/a.com/access_ssl.log combined
    ErrorLog /var/log/httpd/a.com/error_ssl.log
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/a.com/a.crt
    SSLCertificateKeyFile /etc/httpd/ssl/a.com/a.key
</VirtualHost>

Testing

  • Create the test pages

[root@db-02 ~]# cat /opt/a.com/htdocs/index.html
<h1>www.a.com</h1>
[root@db-02 ~]# cat /opt/b.org/htdocs/index.html
<h1>www.b.org</h1>
  • Import the root certificate

Import the CA's cacert.pem into your browser's trusted root certificate store.

  • Create the remaining required files

# mkdir /var/log/httpd/a.com/
# mkdir /var/log/httpd/b.org/
# /etc/init.d/httpd start
# htpasswd -cm /etc/httpd/conf/.htpasswd bols
  • Test

Before testing, add the domain names and the IP they should resolve to in the hosts file:

# curl http://www.a.com/index.html
<h1>www.a.com</h1>
# curl http://www.b.org/index.html
<h1>www.b.org</h1>
# openssl s_client -connect www.b.org:443 -CAfile /etc/pki/CA/cacert.pem
......
GET /index.html HTTP/1.1
Host:www.b.org

HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 09:58:20 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 23 Nov 2016 09:17:33 GMT
ETag: "2405e-13-541f45be79532"
Accept-Ranges: bytes
Content-Length: 19
Connection: close
Content-Type: text/html; charset=UTF-8

<h1>www.b.org</h1>
closed
# openssl s_client -connect www.a.com:443 -CAfile /etc/pki/CA/cacert.pem
......
GET /index.html HTTP/1.1
Host:www.a.com

HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 09:57:39 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 23 Nov 2016 09:17:04 GMT
ETag: "2405f-13-541f45a2f779e"
Accept-Ranges: bytes
Content-Length: 19
Connection: close
Content-Type: text/html; charset=UTF-8

<h1>www.a.com</h1>
closed
[root@bid-02 ~]# curl -I --user bols:bols http://www.a.com/server-status
HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 11:05:37 GMT
Server: Apache/2.2.15 (CentOS)
Content-Length: 2536
Connection: close
Content-Type: text/html; charset=ISO-8859-1

Problems encountered during installation and configuration:

  • Warnings during the syntax check

# httpd -t
httpd: apr_sockaddr_info_get() failed for db-02
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
Syntax OK

The first one is that ServerName is not set in the main httpd configuration file:

# vim /etc/httpd/conf/httpd.conf +276
ServerName *:80

After that, the check still reported:

# httpd -t
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
Syntax OK

This is because NameVirtualHost is not specified:

# vim /etc/httpd/conf/httpd.conf +991
NameVirtualHost *:80
NameVirtualHost *:443
  • Log rotation failed when configuring rotating logs

Cause: the root cause is unclear, but the fix is to give the log files absolute paths rather than relative ones.

httpd-2.4 configuration

Installation

# yum install -y httpd httpd-devel mod_ssl

CA certificate setup

The SSL certificates are still the ones created on the CentOS 6 system; copy the files into /etc/httpd/ssl, and note that this directory has to be created manually.

Create the test pages

# cat /opt/a.com/htdocs/index.html
<h1>www.a.com</h1>
# cat /opt/b.org/htdocs/index.html
<h1>www.b.org</h1>

Create the authentication file

For the usage of the htpasswd command, please look it up yourself.

# htpasswd -cm /etc/httpd/conf/htpasswd bols

Configuration

<VirtualHost *:80>
    ServerName www.a.com
    DocumentRoot "/opt/a.com/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/a.com/access.log combined
    ErrorLog /var/log/httpd/a.com/error.log
    <Directory "/opt/a.com/htdocs">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    <Location /server-status>
        SetHandler server-status
        Options None
        AuthType Basic
        AuthName "a.com basic"
        AuthUserFile "/etc/httpd/conf/htpasswd"
        Require user bols
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.b.org
    DocumentRoot "/opt/b.org/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/b.org/access.log combined
    ErrorLog /var/log/httpd/b.org/error.log
    <Directory "/opt/b.org/htdocs">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName www.b.org:443
    DocumentRoot "/opt/b.org/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/b.org/access_ssl.log combined
    ErrorLog /var/log/httpd/b.org/error_ssl.log
    <Directory "/opt/b.org/htdocs">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/b.org/b.crt
    SSLCertificateKeyFile /etc/httpd/ssl/b.org/b.key
</VirtualHost>

<VirtualHost *:443>
    ServerName www.a.com:443
    DocumentRoot "/opt/a.com/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/a.com/access_ssl.log combined
    ErrorLog /var/log/httpd/a.com/error_ssl.log
    <Directory "/opt/a.com/htdocs">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/a.com/a.crt
    SSLCertificateKeyFile /etc/httpd/ssl/a.com/a.key
</VirtualHost>

Testing

Testing is the same as on CentOS 6, so the results are not reproduced here.

Notes

Configuration and usage on CentOS 7 differ from CentOS 6 in the following ways (my own summary):

  • httpd is no longer started with the service command but with systemctl.

  • Pages in any directory can only be accessed when access is explicitly granted.

  • Access control is configured as follows:

    • Allow all hosts: Require all granted

    • Deny all hosts: Require all denied

    • Allow a specific source IP: Require ip IPADDR

    • Deny a specific source IP: Require not ip IPADDR

    • Allow a specific source host: Require host HOSTNAME

    • Deny a specific source host: Require not host HOSTNAME
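The 2.2 configuration restricted /server-status to both the 192.168.5 network and an authenticated user, while the 2.4 configuration above keeps only the user check, because Order/Allow no longer exist in 2.4. The block below is an added example, not the author's configuration: it rebuilds that double condition from the Require directives just listed, reusing the realm, htpasswd path and user name from the 2.4 configuration and the 192.168.5.0/24 network from the requirements; the excluded address 192.168.5.1 is a constructed illustration of the not form.

```apache
# Added example: /server-status on www.a.com under httpd-2.4.
# Bare Require lines are implicitly wrapped in <RequireAny>, so writing
# "Require ip" next to "Require user" would admit EITHER condition.
# <RequireAll> makes both mandatory, as the default Satisfy All did
# with Order/Allow plus AuthType in httpd-2.2.
<Location /server-status>
    SetHandler server-status
    AuthType Basic
    AuthName "a.com basic"
    AuthUserFile "/etc/httpd/conf/htpasswd"
    <RequireAll>
        # Only the management network; requests from elsewhere are
        # refused regardless of credentials.
        Require ip 192.168.5.0/24
        # Negated rules are only accepted inside <RequireAll>. This one
        # carves a single address out of the allowed range (constructed).
        Require not ip 192.168.5.1
        # ...and the caller must still authenticate as this user.
        Require user bols
    </RequireAll>
</Location>
```

Check with `httpd -t` after editing; a misspelled `Require all deny` is rejected at this stage rather than silently opening or closing access.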

Notes on log rotation:

  • httpd logs can be rotated with rotatelogs, cronolog, or a script.

  • rotatelogs is httpd's built-in rotation tool; my own test of it under httpd-2.4 did not succeed.

  • cronolog is a log rotation tool from the EPEL repository and has to be installed separately.

  • Script-based rotation is written according to your own business needs.
