1、建立httpd服务器,要求提供两个基于名称的虚拟主机:
- www.X.com,页面文件目录为/web/vhosts/x;错误日志为/var/log/httpd/x.err,访问日志为/var/log/httpd/x.access
- www.Y.com,页面文件目录为/web/vhosts/y;错误日志为/var/log/httpd/www2.err,访问日志为/var/log/httpd/y.access
- 为两个虚拟主机建立各自的主页文件index.html,内容分别为其对应的主机名
- 通过www.X.com/server-status输出httpd工作状态相关信息
因实验会被selinux的安全上下文影响,需优先关闭selinux和防火墙
systemctl stop firewalld
setenforce 0
创建对面的页面文件目录,并创建主页文件
[root@centos8 ~]#mkdir -pv /web/vhosts/{x,y}
[root@centos8 ~]#echo www.X.com > /web/vhosts/x/index.html
[root@centos8 ~]#echo www.Y.com > /web/vhosts/y/index.html
[root@centos8 ~]#cat /etc/httpd/conf.d/vhost.conf
<virtualhost *:80 >
documentroot "/web/vhosts/x" ##指定URL的起始位置
servername www.X.com ##指定服务器名
customlog "logs/x.access" combined ##设置x网站的访问日志
errorlog "logs/x.err" ## 设置x网站的错误日志
<directory "/web/vhosts/x"> ##访问需授权,设置的是所有访问都通过
require all granted
</directory>
<ifmodule dir_module> ##设置主页文件
directoryindex index.html
</ifmodule>
<location "/status"> ##设置httpd工作状态输出
sethandler server-status
</location>
</virtualhost>
<virtualhost *:80 >
documentroot "/web/vhosts/y"
servername www.Y.com
customlog "logs/y.access" combined
errorlog "logs/y.err"
<directory "/web/vhosts/y">
require all granted
</directory>
<ifmodule dir_module>
directoryindex index.html
</ifmodule>
</virtualhost>
ExtendedStatus Off ##不显示详细信息
[root@centos8 ~]#httpd -t ##不能配置在虚拟主机下面
AH00526: Syntax error on line 29 of /etc/httpd/conf.d/vhost.conf:
ExtendedStatus cannot occur within <VirtualHost> section
2、为上面的第2个虚拟主机提供https服务,使得用户可以通过https安全的访问此web站点
- 要求使用证书认证,证书中要求使用的国家(CN)、州(Beijing)、城市(Beijing)和组织(MageEdu)
- 设置部门为Ops,主机名为www.Y.com,邮件为admin@Y.com
搭建一个CA服务器:10.0.0.38
CA服务器搭建:
##创建CA所需要的目录和文件
[root@centos8-LD-V587 ~]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
##创建索引数据库和第一个整数序列号
[root@centos8-LD-V587 ~]# touch /etc/pki/CA/index.txt
[root@centos8-LD-V587 ~]# echo 01 > /etc/pki/CA/serial
##CA服务器创建CA的私钥
[root@centos8-LD-V587 CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
##CA服务器给CA颁发自签名证书
[root@centos8-LD-V587 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
httpd服务器创建私钥和创建证书签署请求
[root@centos8 ~]#mkdir /etc/httpd/ssl
[root@centos8 ~]#(umask 066; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
[root@centos8 ~]#openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.y.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
SCP到CA服务器
[root@centos8 ~]#scp /etc/httpd/ssl/httpd.csr 10.0.0.38:/opt/
CA服务器颁发证书
[root@centos8-LD-V587 CA]#openssl ca -in /opt/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
SCP到HTTPD服务器
[root@centos8 ~]#scp /etc/pki/CA/certs/httpd.crt 10.0.0.8:/etc/httpd/ssl/
HTTPD服务器下载mod_ssl模块并修改/etc/httpd/conf.d/ssl.conf配置
[root@centos8 certs]#grep -Ev "^ *#|^$" /etc/httpd/conf.d/ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLCryptoDevice builtin
<VirtualHost _default_:443>
DocumentRoot "/web/vhosts/y" ##增加
ServerName www.Y.com ##增加
<directory "/web/vhosts/y"> ##授权
require all granted
</directory>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile /etc/httpd/ssl/httpd.crt ##修改
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key ##修改
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
[root@centos8 certs]#httpd -t 语法校验
[root@centos8 certs]#systemctl reload httpd重新加载httpd
扫一扫
2250
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
