Configuring vhosts, HTTPS and redirects
1. Configuring virtual hosts
In practice the httpd service often has to cover this scenario: we have one server but want to host several websites on it, which the basic configuration described earlier cannot do. Virtual hosts solve this: one server runs several websites, each of them a virtual host. A virtual host is simply a way for httpd to serve different sites from the same server.
There are three kinds of virtual host:
- same IP, different ports
- different IPs, same port
- same IP and port, different domain names
Note: the virtual host configuration can be written in the main configuration file, or in an extension configuration file that you create yourself.
Preparation
[root@192 ~]# dnf -y install httpd   # install the httpd service
[root@192 ~]# systemctl stop firewalld.service   # stop the firewall for now; takes effect immediately
[root@192 ~]# systemctl disable firewalld.service   # and keep it from starting at boot
[root@192 ~]# setenforce 0   # switch SELinux to permissive mode
[root@192 ~]# systemctl restart httpd   # start the httpd service
[root@192 ~]# systemctl enable httpd   # start httpd automatically at boot
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
Access test:

Configuring the same IP with different ports
# find the vhost template file
[root@192 ~]# find / -name "*vhosts.conf"
/usr/share/doc/httpd/httpd-vhosts.conf
# go to the directory where virtual host configuration files can be placed
[root@192 ~]# cd /etc/httpd/conf.d/
# copy the template file into the directory
[root@192 conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf ./
[root@192 conf.d]# vim httpd-vhosts.conf
[root@192 conf.d]# cat httpd-vhosts.conf   # the configuration is as follows
<VirtualHost *:80>   # IP address and port of this site
DocumentRoot "/var/www/html/yzxfj"   # root directory holding the web content
ServerName www.yf.com   # domain name
ErrorLog "/var/log/httpd/yzxfj_log/error_log"   # error log location
CustomLog "/var/log/httpd/yzxfj_log/access_log" common   # access log location
</VirtualHost>
Listen 82   # listen on port 82
<VirtualHost *:82>
DocumentRoot "/var/www/html/tk"
ServerName www.yf.com
ErrorLog "/var/log/httpd/tk_log/error_log"
CustomLog "/var/log/httpd/tk_log/access_log" common
</VirtualHost>
# create the content directories for the two virtual hosts and set owner and group to apache
[root@192 conf.d]# cd /var/www/html/
[root@192 html]# ls
[root@192 html]# mkdir yzxfj tk
drwxr-xr-x. 2 root root 6 Jul 22 14:56 yzxfj
drwxr-xr-x. 2 root root 6 Jul 22 14:56 tk
[root@192 html]# chown -R apache.apache yzxfj
[root@192 html]# chown -R apache.apache tk
[root@192 html]# ll
total 0
drwxr-xr-x. 2 apache apache 6 Jul 22 14:56 yzxfj
drwxr-xr-x. 2 apache apache 6 Jul 22 14:56 tk
# fetch the web content
[root@192 html]# mv /root/feijiedazhan.zip ./   # move the source archive into the web content directory
[root@192 html]# mv /root/坦克.zip ./
[root@192 html]# unzip feijiedazhan.zip ; unzip 坦克.zip   # extract the archives
[root@192 html]# ls   # list the extracted directories and files
Battle_City feijiedazhan.zip yzxfj HTML5全民飞机大战小游戏 tk 坦克.zip
[root@192 html]# mv HTML5全民飞机大战小游戏/* yzxfj   # move the content to where it should live
[root@192 html]# mv Battle_City/* tk/
[root@192 html]# ls yzxfj
css img index.html js
[root@192 html]# ls tk
audio css images index.html js
# create the log directories and set owner and group to apache
[root@192 html]# mkdir /var/log/httpd/{yzxfj_log,tk_log}
[root@192 html]# ll /var/log/httpd/
drwxr-xr-x. 2 root root 6 Jul 22 14:58 yzxfj_log
drwxr-xr-x. 2 root root 6 Jul 22 14:58 tk_log
[root@192 html]# chown apache.apache /var/log/httpd/{yzxfj_log,tk_log}
[root@192 html]# ll /var/log/httpd/
drwxr-xr-x. 2 apache apache 6 Jul 22 14:58 yzxfj_log
drwxr-xr-x. 2 apache apache 6 Jul 22 14:58 tk_log
[root@192 conf.d]# apachectl -t   # check the syntax
Syntax OK
[root@192 conf.d]# systemctl restart httpd   # restart the service to apply the configuration


Different IPs, same port
[root@192 conf.d]# vim httpd-vhosts.conf
<VirtualHost 192.168.133.146:80>
DocumentRoot "/var/www/html/yzxfj"
ServerName www.yzxfj.com
ErrorLog "/var/log/httpd/www.yzxfj.com-error_log"
CustomLog "/var/log/httpd/www.yzxfj.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.133.147:81>
DocumentRoot "/var/www/html/yzxyzxtanke"
ServerName www.yzxyzxtanke.com
ErrorLog "/var/log/httpd/www.yzxyzxtanke.com-error_log"
CustomLog "/var/log/httpd/www.yzxyzxtanke.com-access_log" common
</VirtualHost>
[root@192 conf.d]# ip addr add 192.168.133.147/24 dev ens192   # add a second address to the interface for the second site
[root@192 conf.d]# ip as
Object "as" is unknown, try "ip help".
[root@192 conf.d]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:48:0b:0f brd ff:ff:ff:ff:ff:ff
inet 192.168.133.146/24 brd 192.168.133.255 scope global dynamic noprefixroute ens192
valid_lft 1386sec preferred_lft 1386sec
inet 192.168.133.147/24 scope global secondary ens192
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe48:b0f/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@192 conf.d]# ping 192.168.133.147
PING 192.168.133.147 (192.168.133.147) 56(84) bytes of data.
64 bytes from 192.168.133.147: icmp_seq=1 ttl=64 time=0.025 ms
64 bytes from 192.168.133.147: icmp_seq=2 ttl=64 time=0.038 ms
^C
--- 192.168.133.147 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9201ms
rtt min/avg/max/mdev = 0.025/0.032/0.054/0.010 ms
[root@192 conf.d]# httpd -t
Syntax OK
[root@192 conf.d]# systemctl restart httpd


Same IP, different domain names
# Building on the earlier configuration, only the domain names change this time; everything else stays the same.
[root@192 conf.d]# vim httpd-vhosts.conf
[root@192 conf.d]# cat httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/var/www/html/dz"
ServerName www.yf.com
ErrorLog "/var/log/httpd/dz_log/error_log"
CustomLog "/var/log/httpd/dz_log/access_log" common
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/var/www/html/tk"
ServerName www.fy.com
ErrorLog "/var/log/httpd/tk_log/error_log"
CustomLog "/var/log/httpd/tk_log/access_log" common
</VirtualHost>
# check the syntax and restart httpd to apply the configuration
[root@192 conf.d]# apachectl -t
Syntax OK
[root@192 conf.d]# systemctl restart httpd


Note:
- These domain names only exist inside the lab network, so the host machine's browser cannot resolve them; add them to the host machine's local hosts file.
- File path: C:\Windows\System32\drivers\etc\hosts
- If the file cannot be edited in place, move it to the desktop, edit it there, and move it back.
Setting up access control
Access control rules:
| Rule | Effect |
|---|---|
| Require all granted | allow access from all hosts |
| Require all denied | deny access from all hosts |
| Require ip IPADDR | allow access from the given source address |
| Require not ip IPADDR | deny access from the given source address |
| Require host HOSTNAME | allow access from the given source host name |
| Require not host HOSTNAME | deny access from the given source host name |
Forms of IPADDR:
- IP: 192.168.1.1
- Network/mask: 192.168.1.0/255.255.255.0
- Network/Length: 192.168.1.0/24
- Net: 192.168
Forms of HOSTNAME:
- FQDN: the full name of a specific host
- DOMAIN: all hosts within the given domain
Note: httpd 2.4 denies access from all hosts by default, so after installation you must grant access explicitly.
[root@192 conf.d]# vim httpd-vhosts.conf
# access control is added on lines 9 to 14
[root@192 conf.d]# cat httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/var/www/html/fj"
ServerName www.yf.com
ErrorLog "/var/log/httpd/fj_log/error_log"
CustomLog "/var/log/httpd/fj_log/access_log" common
<Directory /var/www/html/fj>
<RequireAll>
Require all granted
Require not ip 192.168.92.129
</RequireAll>
</Directory>
</VirtualHost>
# check the syntax and restart the service
[root@192 conf.d]# apachectl -t
Syntax OK
[root@192 conf.d]# systemctl restart httpd
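The per-site steps from the virtual host sections above (content directory, log directory, ownership, the <VirtualHost> stanza, a Listen line for a non-default port) and the <RequireAll> access-control block just shown, combined into one script. This is an added example, not code from the original post: the make_vhost function, the CONF_DIR/WWW_ROOT/LOG_ROOT/WEB_USER variables and the one-file-per-site layout are assumptions; the paths they default to are the ones the post uses.

```shell
#!/bin/sh
# Added example, not from the original post: one function that performs the
# per-site steps the post does by hand (content directory, log directory,
# ownership, <VirtualHost> stanza, Listen line for a non-default port) and
# optionally refuses specific source addresses with a <RequireAll> block.
# Defaults are the post's RHEL paths; CONF_DIR, WWW_ROOT, LOG_ROOT and
# WEB_USER are assumed variable names that let the script run in a scratch
# directory as an unprivileged user.
CONF_DIR=${CONF_DIR:-/etc/httpd/conf.d}
WWW_ROOT=${WWW_ROOT:-/var/www/html}
LOG_ROOT=${LOG_ROOT:-/var/log/httpd}
WEB_USER=${WEB_USER:-apache}

# make_vhost NAME PORT SERVERNAME [DENIED_IP ...]
#   NAME        directory name under WWW_ROOT and LOG_ROOT (e.g. tk)
#   PORT        port to serve on; Listen is emitted for ports other than 80/443
#   SERVERNAME  ServerName used for name-based selection (e.g. www.yf.com)
#   DENIED_IP   zero or more addresses or networks to refuse (Require not ip)
# Prints the path of the file it wrote.
make_vhost() {
    name=$1; port=$2; servername=$3; shift 3
    docroot=$WWW_ROOT/$name
    logdir=$LOG_ROOT/${name}_log
    conf=$CONF_DIR/$name.conf

    mkdir -p "$docroot" "$logdir" "$CONF_DIR"
    chown -R "$WEB_USER:$WEB_USER" "$docroot" "$logdir"

    # Exactly one Listen per port may exist across all config files; a second
    # one makes httpd fail to start with "Address already in use". Ports 80
    # and 443 are already opened by httpd.conf and mod_ssl's ssl.conf.
    listen=""
    case $port in
        80|443) ;;
        *) grep -qsE "^[[:space:]]*Listen[[:space:]]+${port}\$" "$CONF_DIR"/*.conf \
               || listen="Listen $port" ;;
    esac

    {
        [ -n "$listen" ] && printf '%s\n' "$listen"
        printf '<VirtualHost *:%s>\n' "$port"
        printf '    DocumentRoot "%s"\n' "$docroot"
        printf '    ServerName %s\n' "$servername"
        printf '    ErrorLog "%s/error_log"\n' "$logdir"
        printf '    CustomLog "%s/access_log" common\n' "$logdir"
        printf '    <Directory "%s">\n' "$docroot"
        # Inside <RequireAll> every rule must pass, so "all granted" plus one
        # or more "not ip" rules means "everyone except these addresses".
        # httpd rejects a negated Require that is not inside an explicit
        # <RequireAll>, because the implicit container is <RequireAny>.
        printf '        <RequireAll>\n'
        printf '            Require all granted\n'
        for ip in "$@"; do
            printf '            Require not ip %s\n' "$ip"
        done
        printf '        </RequireAll>\n'
        printf '    </Directory>\n'
        printf '</VirtualHost>\n'
    } > "$conf"
    echo "$conf"
}

# apply_vhosts: the post's syntax check followed by a restart
apply_vhosts() {
    apachectl -t && systemctl restart httpd
}
```

As root, `make_vhost tk 82 www.yf.com 192.168.92.129` reproduces the post's port-82 site with the one address refused, and `make_vhost fj 80 www.fy.com` gives the name-based variant on port 80; `apply_vhosts` is the apachectl -t plus restart step. Because each site lives in its own file, a duplicated Listen is the usual reason a restart fails, which is why the script checks the existing files before emitting one.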
Configuring HTTPS
Setting up a private CA:
- CA configuration file: /etc/pki/tls/openssl.cnf
# the CA generates its key pair
[root@192 ~]# cd /etc/pki/
[root@192 pki]# mkdir CA
[root@192 pki]# cd CA/
[root@192 CA]# mkdir private
[root@192 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)   # umask 077 makes the key readable by root only
# the CA issues itself a self-signed certificate
[root@192 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn   # country
State or Province Name (full name) []:hb   # state/province
Locality Name (eg, city) [Default City]:wh   # city
Organization Name (eg, company) [Default Company Ltd]:rt   # company
Organizational Unit Name (eg, section) []:xy   # department
Common Name (eg, your name or your server's hostname) []:www.yf.com   # domain name
Email Address []:1@2.com   # e-mail address
# The values entered above are arbitrary; they only have to match what is entered when the certificate is signed later.
[root@192 CA]# mkdir certs newcerts crl
[root@192 CA]# touch index.txt && echo 01 > serial   # the database and serial counter that "openssl ca" expects
# the client (the web server) generates its key
[root@192 CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@192 ssl]# pwd
/etc/httpd/ssl
[root@192 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
# the client generates a certificate signing request
# the fields must match those entered for the CA's self-signed certificate above
[root@192 ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:rt
Organizational Unit Name (eg, section) []:xy
Common Name (eg, your name or your server's hostname) []:www.yf.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   # just press Enter
An optional company name []:   # just press Enter
# the CA signs the certificate request submitted by the client
[root@192 ssl]# openssl ca -in /etc/httpd/ssl/httpd.csr -out httpd.crt -days 365
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
[root@192 ssl]# ls
httpd.crt httpd.csr httpd.key
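The private CA steps above as an added, non-interactive script; this is not code from the original post. It passes the subject with -subj instead of answering prompts, marks the CA certificate as a CA with basicConstraints, and puts a subjectAltName on the server certificate, which is what browsers match the host name against rather than the Common Name. Signing is done with `openssl x509 -req -CA` rather than `openssl ca`, so the script does not depend on the CA section of /etc/pki/tls/openssl.cnf, index.txt or serial. The make_private_ca name, the directory layout and the CA's Common Name are assumptions; the subject values are the post's. If you stay with `openssl ca`, the reason the post's fields have to match is the default policy_match section of openssl.cnf, which requires C, ST and O to equal the CA certificate's.

```shell
#!/bin/sh
# Added example, not from the original post: the post's private-CA flow run
# non-interactively. Subject values come from the post; the directory layout,
# the function name and the CA's Common Name are assumptions.
set -eu

# make_private_ca DIR SERVER_FQDN
#   Writes DIR/ca/private/cakey.pem, DIR/ca/cacert.pem and
#   DIR/ssl/httpd.{key,csr,crt}, then verifies the result. Returns 0 on success.
make_private_ca() {
    dir=$1; fqdn=$2
    ca=$dir/ca; ssl=$dir/ssl
    mkdir -p "$ca/private" "$ssl"

    # 1. CA key. umask 077 makes the file mode 0600, as in the post.
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)

    # 2. CA certificate. Done as CSR + self-sign with an explicit extension file
    #    (instead of "req -x509") so the CA bit is set regardless of what the
    #    system openssl.cnf defaults to; clients refuse an issuer without it.
    openssl req -new -key "$ca/private/cakey.pem" -out "$ca/ca.csr" \
        -subj "/C=cn/ST=hb/L=wh/O=rt/OU=xy/CN=Lab Private CA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$ca/ca.ext"
    openssl x509 -req -in "$ca/ca.csr" -signkey "$ca/private/cakey.pem" \
        -days 365 -extfile "$ca/ca.ext" -out "$ca/cacert.pem" 2>/dev/null

    # 3. Server key and CSR. C, ST and O match the CA: the post requires this,
    #    and "openssl ca" with the default policy_match enforces it.
    (umask 077; openssl genrsa -out "$ssl/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$ssl/httpd.key" -out "$ssl/httpd.csr" \
        -subj "/C=cn/ST=hb/L=wh/O=rt/OU=xy/CN=$fqdn"

    # 4. The CA signs the CSR. Extensions are set by the CA at signing time,
    #    not copied from the request, so the requester cannot ask for CA:TRUE.
    #    subjectAltName is what browsers match the host name against.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$fqdn" > "$ssl/server.ext"
    openssl x509 -req -in "$ssl/httpd.csr" -CA "$ca/cacert.pem" \
        -CAkey "$ca/private/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$ssl/server.ext" -out "$ssl/httpd.crt" 2>/dev/null

    # 5. Prove the chain and the SAN before pointing mod_ssl at the files.
    openssl verify -CAfile "$ca/cacert.pem" "$ssl/httpd.crt" >/dev/null
    openssl x509 -in "$ssl/httpd.crt" -noout -text | grep -q "DNS:$fqdn"
}
```

`make_private_ca /etc/httpd www.yf.com` produces /etc/httpd/ssl/httpd.crt and httpd.key, the two files ssl.conf points at in the next section, with the CA certificate in /etc/httpd/ca/cacert.pem; import that CA certificate into the client's trust store and the browser warning disappears, since the server certificate now chains to a trusted issuer and carries the requested name in its SAN.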
Configuring SSL
The mod_ssl module provides HTTPS encryption and authentication.
# check whether the ssl module is installed for httpd; install it if not
[root@192 ~]# apachectl -M | grep ssl
# install the ssl module
[root@192 ~]# dnf -y install mod_ssl
# restart the service so the module is loaded
[root@192 ~]# systemctl restart httpd
[root@192 conf.d]# pwd
/etc/httpd/conf.d
# find these four lines, uncomment them, and set the web content root and the certificate paths
[root@192 conf.d]# vim ssl.conf
DocumentRoot "/var/www/html/fj"
ServerName www.yf.com:443
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
# check the syntax and restart the service
[root@192 conf.d]# apachectl -t
Syntax OK
[root@192 conf.d]# systemctl restart httpd
Redirecting HTTP to HTTPS
Once the site is configured for HTTPS, a browser that is given the address without the https:// scheme still uses HTTP by default, so requests to the HTTP site must be forwarded to HTTPS.
# the redirect directives are lines 5 to 7
[root@192 conf.d]# vim httpd-vhosts.conf
[root@192 conf.d]# cat httpd-vhosts.conf
<VirtualHost 192.168.92.128:80>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.yf.com$1 [L,R]
DocumentRoot "/var/www/html/fj"
ServerName www.yf.com
ErrorLog "/var/log/httpd/fj_log/error_log"
CustomLog "/var/log/httpd/fj_log/access_log" common
<Directory /var/www/html/fj>
<RequireAll>
Require all granted
</RequireAll>
</Directory>
</VirtualHost>
This article covered how to configure virtual hosts, including the same IP with different ports, different IPs with the same port, and the same IP with different domain names. It then explained access control, stressing that httpd 2.4 requires access to be granted explicitly. Next it described configuring HTTPS in detail, including creating a private CA and using the mod_ssl module. Finally it showed how to redirect HTTP to HTTPS so that all access goes over a secure HTTPS connection.