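Requirements

Implement the following with both httpd-2.2 and httpd-2.4:

  • Two virtual hosts, named www.a.com and www.b.org

  • www.a.com serves pages from /opt/a.com/htdocs, with the access log at /var/log/httpd/a.com/access.log and the error log at /var/log/httpd/a.com/error.log. Both logs must be rotated daily.

  • www.b.org serves pages from /opt/b.org/htdocs, with the access log at /var/log/httpd/b.org/access.log and the error log at /var/log/httpd/b.org/error.log. Both logs must be rotated daily.

  • Status information is exposed at www.a.com/server-status, and only users who supply an account may access it;

  • www.a.com/server-status may only be accessed by hosts in the 192.168.5.0/24 network.

  • Both virtual hosts must also be served over https.

Note: in these tests httpd is always installed with yum; httpd-2.2 is demonstrated on CentOS 6 and httpd-2.4 on CentOS 7.

httpd-2.2 configuration

Installation

httpd can be installed with yum or compiled from source; note that the default yum repository on CentOS 6 provides httpd-2.2.

# yum install -y httpd httpd-devel mod_ssl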

SSL certificate signing

The following steps are performed on the CA machine.

Generate the CA certificate

# yum install -y openssl openssl-devel
# cd /etc/pki/CA/
# (umask 077; openssl genrsa 2048 > private/cakey.pem)
# openssl req -new -x509 -key private/cakey.pem -days 3655 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:admin@example.com
# touch index.txt serial
# echo 01 > serial

Sign the certificate for the a.com domain

# mkdir /opt/ssl/a.com -p
# cd /opt/ssl/a.com/
# (umask 077 ;openssl genrsa 2048 > a.key)
# openssl req -new -key a.key -out a.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:admin@a.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in a.csr -out a.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 28 08:05:37 2016 GMT
Not After : Nov 28 08:05:37 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = ShangHai
organizationName = example
organizationalUnitName = ops
commonName = www.a.com
emailAddress = admin@a.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AD:30:DE:CC:1A:BC:2B:91:B0:B0:25:E0:48:92:1A:1B:45:38:5D:90
X509v3 Authority Key Identifier:
keyid:63:44:A4:35:9B:BA:F3:D1:85:99:60:6B:56:84:5B:E4:F5:83:25:06
Certificate is to be certified until Nov 28 08:05:37 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Sign the certificate for the b.org domain

# mkdir /opt/ssl/b.org/
# cd /opt/ssl/b.org/
# (umask 077 ;openssl genrsa 2048 > b.key)
# openssl req -new -key b.key -out b.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.b.org
Email Address []:admin@b.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in b.csr -out b.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Nov 28 08:12:01 2016 GMT
Not After : Nov 28 08:12:01 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = ShangHai
organizationName = example
organizationalUnitName = ops
commonName = www.b.org
emailAddress = admin@b.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
93:8A:3D:19:32:67:D3:3A:3D:1B:FE:15:04:C2:A0:42:FC:13:3A:7E
X509v3 Authority Key Identifier:
keyid:63:44:A4:35:9B:BA:F3:D1:85:99:60:6B:56:84:5B:E4:F5:83:25:06
Certificate is to be certified until Nov 28 08:12:01 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Copy the certificates to the httpd host

# scp -r  /opt/ssl/* root@192.168.5.194:/etc/httpd/ssl/

Make sure the ssl directory has been created on the httpd server.
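
Before pointing httpd at the copied files, it is worth confirming that each certificate was issued by the CA, that it pairs with its private key, and that the key kept its restrictive mode across the copy. The script below is an added example, not part of the original article; the function names are hypothetical, and the `demo` mode builds throwaway sample keys instead of touching /etc/httpd/ssl.

```shell
#!/bin/sh
# Added example: checks to run on the httpd host once the files are copied.
# Function names are hypothetical; "demo" uses constructed throwaway keys.

# True only if certificate $1 and private key $2 hold the same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True only if certificate $2 verifies against CA certificate $1.
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True only if key file $1 grants nothing to group or other (mode 600/400).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run the three checks in order and print the first failure, or OK.
check_site() {  # $1 = CA cert, $2 = site cert, $3 = site key
    cert_signed_by "$1" "$2"   || { echo "FAIL: not signed by this CA"; return 1; }
    cert_matches_key "$2" "$3" || { echo "FAIL: key does not match cert"; return 1; }
    key_is_private "$3"        || { echo "FAIL: key readable by others"; return 1; }
    echo "OK"
}

# Constructed sample: throwaway CA, one signed leaf, one unrelated key in $1.
make_sample() {
    ( cd "$1" && umask 077 &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
          -keyout ca.key -out ca.crt &&
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.a.com" \
          -keyout a.key -out a.csr &&
      openssl x509 -req -in a.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
          -days 1 -out a.crt &&
      openssl genrsa -out other.key 2048 ) >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_sample "$d" &&
        check_site "$d/ca.crt" "$d/a.crt" "$d/a.key"
    rm -rf "$d"
fi
```

On the httpd host from this article the call would be `check_site cacert.pem /etc/httpd/ssl/a.com/a.crt /etc/httpd/ssl/a.com/a.key`, with cacert.pem copied over from the CA machine.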

View the signing records

# cat serial
03
# cat index.txt
V 171128080537Z 01 unknown /C=CN/ST=ShangHai/O=example/OU=ops/CN=www.a.com/emailAddress=admin@a.com
V 171128081201Z 02 unknown /C=CN/ST=ShangHai/O=example/OU=ops/CN=www.b.org/emailAddress=admin@b.org

httpd configuration

The following steps are performed on the httpd server.

# vim /etc/httpd/conf.d/www.conf
<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/opt/a.com/htdocs"
DirectoryIndex index.html index.htm
#CustomLog logs/a.com/access_log combined
CustomLog "|rotatelogs /var/log/httpd/a.com/access_%Y%m%d.log 86400 480" combined
ErrorLog "|rotatelogs /var/log/httpd/a.com/error_%Y%m%d.log 86400 480"
<Location /server-status>
SetHandler server-status
Order allow,Deny
Allow from 192.168.5
AuthType Basic
AuthName "a.com basic"
AuthUserFile "/etc/httpd/conf/.htpasswd"
Require user bols
</Location>
</VirtualHost>
<VirtualHost *:80>
ServerName www.b.org
DocumentRoot "/opt/b.org/htdocs"
DirectoryIndex index.html index.htm
CustomLog "|rotatelogs /var/log/httpd/b.org/access_%Y%m%d.log 86400 480" combined
ErrorLog "|rotatelogs /var/log/httpd/b.org/error_%Y%m%d.log 86400 480"
#CustomLog logs/b.org/access_log combined
#ErrorLog logs/b.org/error_log
</VirtualHost>
<VirtualHost *:443>
ServerName www.b.org:443
DocumentRoot "/opt/b.org/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/b.org/access_ssl.log combined
ErrorLog /var/log/httpd/b.org/error_ssl.log
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/b.org/b.crt
SSLCertificateKeyFile /etc/httpd/ssl/b.org/b.key
</VirtualHost>
<VirtualHost *:443>
ServerName www.a.com:443
DocumentRoot "/opt/a.com/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/a.com/access_ssl.log combined
ErrorLog /var/log/httpd/a.com/error_ssl.log
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/a.com/a.crt
SSLCertificateKeyFile /etc/httpd/ssl/a.com/a.key
</VirtualHost>

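Testing

  • Create the test pages for the sites

[root@db-02 ~]# cat /opt/a.com/htdocs/index.html
<h1>www.a.com</h1>
[root@db-02 ~]# cat /opt/b.org/htdocs/index.html
<h1>www.b.org</h1>

  • Import the root certificate

Import the cacert.pem file from the CA into the browser's trusted root certificates.

  • Create the other required files

# mkdir /var/log/httpd/a.com/
# mkdir /var/log/httpd/b.org/
# /etc/init.d/httpd start
# htpasswd -cm /etc/httpd/conf/.htpasswd bols

  • Test

Before testing, add the domain names and their corresponding IP addresses to the hosts file: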

# curl  http://www.a.com/index.html
<h1>www.a.com</h1>
# curl http://www.b.org/index.html
<h1>www.b.org</h1>
# openssl s_client -connect www.b.org:443 -CAfile /etc/pki/CA/cacert.pem
......
GET /index.html HTTP/1.1
Host:www.b.org

HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 09:58:20 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 23 Nov 2016 09:17:33 GMT
ETag: "2405e-13-541f45be79532"
Accept-Ranges: bytes
Content-Length: 19
Connection: close
Content-Type: text/html; charset=UTF-8

<h1>www.b.org</h1>
closed
# openssl s_client -connect www.a.com:443 -CAfile /etc/pki/CA/cacert.pem
......
GET /index.html HTTP/1.1
Host:www.a.com

HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 09:57:39 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 23 Nov 2016 09:17:04 GMT
ETag: "2405f-13-541f45a2f779e"
Accept-Ranges: bytes
Content-Length: 19
Connection: close
Content-Type: text/html; charset=UTF-8

<h1>www.a.com</h1>
closed
[root@bid-02 ~]# curl -I --user bols:bols http://www.a.com/server-status
HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 11:05:37 GMT
Server: Apache/2.2.15 (CentOS)
Content-Length: 2536
Connection: close
Content-Type: text/html; charset=ISO-8859-1

Problems encountered during installation and configuration:

  • Warnings during the syntax check

# httpd -t
httpd: apr_sockaddr_info_get() failed for db-02
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
Syntax OK

The first problem is that ServerName is not set in the httpd configuration file:

# vim /etc/httpd/conf/httpd.conf +276
ServerName *:80

Running the check again then reports:

# httpd -t
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
Syntax OK

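This is because NameVirtualHost is not set:

# vim /etc/httpd/conf/httpd.conf +991
NameVirtualHost *:80
NameVirtualHost *:443

  • Log rotation failed after log rotation was configured

Cause: the root cause is unclear, but the fix is to use absolute paths for the log files rather than relative paths.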

httpd-2.4

Installation

# yum install -y httpd httpd-devel mod_ssl

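CA certificate configuration

The SSL certificates are the ones created on the CentOS 6 system; copy the files into the /etc/httpd/ssl directory, and note that this directory has to be created manually.

Create the site test files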

# cat /opt/a.com/htdocs/index.html
<h1>www.a.com</h1>
# cat /opt/b.org/htdocs/index.html
<h1>www.b.org</h1>

Create the authentication file

For how to use the htpasswd command, please search online.

# htpasswd -cm /etc/httpd/conf/htpasswd bols

Configuration

<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/opt/a.com/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/a.com/access.log combined
ErrorLog /var/log/httpd/a.com/error.log
<Directory "/opt/a.com/htdocs">
Options None
AllowOverride None
Require all granted
</Directory>
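<Location /server-status>
SetHandler server-status
Options None
AuthType Basic
AuthName "a.com basic"
AuthUserFile "/etc/httpd/conf/htpasswd"
# Both conditions must hold: a client in 192.168.5.0/24 that also logs in as bols
<RequireAll>
Require ip 192.168.5.0/24
Require user bols
</RequireAll>
</Location>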
</VirtualHost>
<VirtualHost *:80>
ServerName www.b.org
DocumentRoot "/opt/b.org/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/b.org/access.log combined
ErrorLog /var/log/httpd/b.org/error.log
<Directory "/opt/b.org/htdocs">
Options None
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName www.b.org:443
DocumentRoot "/opt/b.org/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/b.org/access_ssl.log combined
ErrorLog /var/log/httpd/b.org/error_ssl.log
<Directory "/opt/b.org/htdocs">
Options None
AllowOverride None
Require all granted
</Directory>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/b.org/b.crt
SSLCertificateKeyFile /etc/httpd/ssl/b.org/b.key
</VirtualHost>
<VirtualHost *:443>
ServerName www.a.com:443
DocumentRoot "/opt/a.com/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/a.com/access_ssl.log combined
ErrorLog /var/log/httpd/a.com/error_ssl.log
<Directory "/opt/a.com/htdocs">
Options None
AllowOverride None
Require all granted
</Directory>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/a.com/a.crt
SSLCertificateKeyFile /etc/httpd/ssl/a.com/a.key
</VirtualHost>

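Testing

Testing is the same as on CentOS 6, so the results are not repeated here.

Notes

Configuration and usage on CentOS 7 differ from CentOS 6 in the following ways (my own summary):

  • httpd is started with the systemctl command rather than the service command.

  • Pages under any directory can be accessed only after access is explicitly granted.

  • Access control is configured as follows:

    • Allow all hosts: Require all granted

    • Deny all hosts: Require all denied

    • Allow a specific source IP: Require ip IPADDR

    • Deny a specific source IP: Require not ip IPADDR

    • Allow a specific source host: Require host HOSTNAME

    • Deny a specific source host: Require not host HOSTNAME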
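
In httpd-2.4, several Require lines placed directly in one section are implicitly wrapped in <RequireAny>, so putting Require ip next to Require user grants access when either one matches; requiring both the 192.168.5.0/24 network and the account needs <RequireAll>. The script below is an added example, not part of the original article; status_policy is a hypothetical helper and the two sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how /server-status is guarded in an httpd-2.4 config.
# status_policy is a hypothetical helper; both sample configs are constructed.
status_policy() {  # $1 = config file; prints a one-word verdict
    awk '
    { line = tolower($0); sub(/^[ \t]+/, "", line) }
    line ~ /^<location[ \t]+"?\/server-status/ { inloc = 1; next }
    inloc && line ~ /^<\/location>/           { inloc = 0 }
    !inloc                                    { next }
    line ~ /^<requireall>/                    { depth++ }
    line ~ /^<\/requireall>/                  { depth-- }
    line ~ /^require[ \t]+ip[ \t]/            { ip = 1; if (depth > 0) ip_all = 1 }
    line ~ /^require[ \t]+(user|valid-user)/  { usr = 1; if (depth > 0) usr_all = 1 }
    END {
        if (ip_all && usr_all) print "both-required"    # network AND account
        else if (ip && usr)    print "either-suffices"  # implicit RequireAny
        else if (usr)          print "account-only"
        else if (ip)           print "network-only"
        else                   print "unrestricted"
    }' "$1"
}

write_samples() {  # $1 = directory that receives the constructed samples
    cat > "$1/any.conf" <<'EOF'
<Location /server-status>
AuthType Basic
AuthName "a.com basic"
AuthUserFile "/etc/httpd/conf/htpasswd"
Require ip 192.168.5.0/24
Require user bols
</Location>
EOF
    cat > "$1/all.conf" <<'EOF'
<Location /server-status>
AuthType Basic
AuthName "a.com basic"
AuthUserFile "/etc/httpd/conf/htpasswd"
<RequireAll>
Require ip 192.168.5.0/24
Require user bols
</RequireAll>
</Location>
EOF
}

d=$(mktemp -d) && write_samples "$d" &&
    for f in any all; do echo "$f.conf: $(status_policy "$d/$f.conf")"; done
rm -rf "$d"
```

The helper only looks at Require ip, Require user and Require valid-user inside the /server-status Location block, so it is a quick review aid rather than a full parser of httpd configuration.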

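Notes on log rotation:

  • httpd logs can be rotated with rotatelogs, cronolog, or a script.

  • rotatelogs is the log rotation tool that ships with httpd; in my own testing it did not work with httpd-2.4.

  • cronolog is a log rotation tool available from the EPEL repository and has to be installed.

  • Script-driven rotation is written according to your own business needs.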
