https:
客户端:申请证书
[root@martin ssl]# pwd /etc/httpd/ssl [root@martin ssl]# (umask 077; openssl genrsa -out martin01.key 2048)
[root@martin ssl]# openssl req -new -key martin01.key -out martin01.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:zhejiang Locality Name (eg, city) [Default City]:ningbo Organization Name (eg, company) [Default Company Ltd]:martin Organizational Unit Name (eg, section) []:martin Common Name (eg, your name or your server‘s hostname) []:martin Email Address []:martin@qq.com Please enter the following ‘extra‘ attributes to be sent with your certificate request A challenge password []: An optional company name []:
[root@martin ssl]# scp -P 6789 martin01.csr marvin:/mydata/ssl/csr
CA服务器:审核证书
[root@marvin CA]# openssl ca -in /mydata/ssl/csr/martin01.csr -out /mydata/ssl/crt/martin01.crt -days 800 [root@marvin CA]# scp -P6789 /mydata/ssl/crt/martin01.crt martin:/etc/httpd/ssl/
客户端:
# Required modules: mod_log_config, mod_setenvif, mod_ssl, # socache_shmcb_module (for default value of SSLSessionCache) [root@martin httpd]# vim /etc/httpd/httpd.conf LoadModule socache_shmcb_module modules/mod_socache_shmcb.so LoadModule ssl_module modules/mod_ssl.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule log_config_module modules/mod_log_config.so Include /etc/httpd/extra/httpd-ssl.conf
[root@martin httpd]# vim extra/httpd-ssl.conf DocumentRoot "/www/web/ssl" ServerName www.ssl.com:443 <Directory "/www/web/ssl"> Options none AllowOverride all Require all granted </Directory> SSLCertificateFile /etc/httpd/ssl/martin01.crt SSLCertificateKeyFile /etc/httpd/ssl/martin01.key [root@martin httpd]# echo ok > /www/web/ssl/index.html [root@martin httpd]# httpd -t Syntax OK [root@martin httpd]# /etc/init.d/httpd restart
证书创建若有疑问,请参考 http://9173436.blog.51cto.com/9163436/1774625(加密解密私有CA构建)
虚拟主机:
[root@martin httpd]# vim /etc/httpd/httpd.conf LoadModule rewrite_module modules/mod_rewrite.so Include /etc/httpd/extra/httpd-vhosts.conf
[root@martin httpd]# vim extra/httpd-vhosts.conf <VirtualHost *:80> DocumentRoot "/www/web/martin" ServerName www.martin.com <Directory "/www/web/martin"> Options none AllowOverride all Require all granted </Directory> </VirtualHost>
[root@martin httpd]# echo martin > /www/web/martin/index.html
基于IP访问控制:2.4新特性
允许所有主机访问:Require all granted
拒绝所有主机访问:Require all deny
控制某主机的访问:
Require ip IPADDR
Require not ip IPADDR
Require host IPADDR
Require not host IPADDR
<Directory "/www/web/martin"> Options none AllowOverride all Require ip 192.168.1 Require all denied </Directory>
status:
[root@martin htdocs]# vim /etc/httpd/httpd.conf LoadModule status_module modules/mod_status.so Include /etc/httpd/extra/httpd-info.conf
[root@martin htdocs]# vim /etc/httpd/extra/httpd-info.conf <Location /server-status> SetHandler server-status #Require host .example.com Require ip 127 Require ip 192.168.1 </Location>
这是一个httpd的内嵌handler,通过status可查看当前服务器的状态。它通过一个HTML页面展示了当前服务器的统计数据。这些数据通常包括但不限于:
(1) 处于工作状态的worker进程数;
(2) 空闲状态的worker进程数;
(3) 每个worker的状态,包括此worker已经响应的请求数,及由此worker发送的内容的字节数;
(4) 当前服务器总共发送的字节数;
(5) 服务器自上次启动或重启以来至当前的时长;
(6) 平均每秒钟响应的请求数、平均每秒钟发送的字节数、平均每个请求所请求内容的字节数;
基于用户的访问控制
<Directory "/www/web/martin"> Options none AuthType Basic AuthName "Admin status" AuthUserFile /etc/httpd/conf/.htpasswd AllowOverride all Require ip 192.168.1 Require all denied </Directory>
[root@martin httpd]# /usr/local/apache/bin/htpasswd -m -c /etc/httpd/.htpasswd admin New password: Re-type new password: Adding password for user admin
原文地址:http://9173436.blog.51cto.com/9163436/1782207
