码迷,mamicode.com
首页 > Web开发 > 详细

https的博客作业

时间:2016-07-15 13:57:36      阅读:361      评论:0      收藏:0      [点我收藏+]

标签:https 用户认证

博客作业:分别使用httpd-2.2和httpd-2.4实现

    1、建立httpd服务,要求:

    (1) 提供两个基于名称的虚拟主机www1, www2;有单独的错误日志和访问日志; 

    (2) 通过www1的/server-status提供状态信息,且仅允许tom用户访问;

    (3) www2不允许192.168.0.0/24网络中任意主机访问;

2、为上面的第2个虚拟主机提供https服务;


前提准备:

  172.16.1.1测试httpd-2.4,这是centos7系统

  172.16.1.2测试httpd-2.2,这是centos6系统

  172.16.1.3作为CA服务器,为其他两个主机派发证书

  暂时关闭selinux和iptables


生成私钥CA服务器自己的私钥,准备给自己做个根证书

[root@haizei ~]# cd /etc/pki/CA

[root@haizei CA]# (umask 077;openssl genrsa 2048 > private/cakey.pem

cakey.pem为CA服务的自己的私钥

##因为这里是建立私有CA,同一个机构,国家,省,组织 ,所以为了后续给自己签证方便,这里需要修改

[root@haizei CA]# vim /etc/pki/tls/openssl.cnf

country Name_default = CN

StateOrprovinceName_default = Beijing

LocatityName_default = Shangdi

0.organizationName_default = M19

organizationUnitName = Jishu  

生成自签证书(根CA)

[root@haizei CA]# openssl req -new -x509 /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem


Common Name (eg, your name or your server‘s hostname) []:haizei.zou.com   这里需要自己定义自己的主机名,最好与主机名或者可以解析的域名一致

准备好做CA服务器的数据库等文件

[root@haizei CA]# mkdir -p /etc/pki/CA/{certs,crl,newcerts}

[root@haizei CA]# touch /etc/pki/CA/{serial,index.txt}

[root@haizei CA]# echo 001 > /etc/pki/CA/serial 


httpd2.2基础上面(Centos6)

生成自己的私钥和证书文件,传送给根服务器验证


[root@zou www2]# mkdir /etc/httpd/conf/.ssh

[root@zou www2]# cd /etc/httpd/conf/.ssh

[root@zou .ssh]# (umask 077;openssl genrsa 4096 > http.key)

[root@zou .ssh]# openssl req -new -key http.key -out httpd.csr

跟服务器签发证书,并把证书发送回来


[root@haizei~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

[root@haizei~]# scp /etc/pki/CA/certs/httpd.crt root@172.16.1.2:/etc/httpd/conf/.ssh

修改主配置文件支持基于FQDN的主机名

[root@zou ~]# vim /etc/httpd/conf/httpd.conf

NameVirtualHost 172.16.1.2:80 

配置httpd支持ssl

~]# yum -y install mod_ssl

为虚部主机2进程配置设置

[root@zou www2]# vim /etc/httpd/conf/ssl.conf

<VirtualHost _default_:443>

 ServerName www2.zou.com

 DocumentRoot /data/vhosts/www2

 ErrorLog logs/ssl_www2-error_log

 LogLevel warn

 TransferLog logs/ssl_www2_access_log

 SSLCertificateFile /etc/httpd/conf/.ssh/httpd.crt

 SSLCertificateKeyFile /etc/httpd/conf/.ssh/http.key

</VirtualHost>

 

 <Directory /data/vhosts/www2>

  Options None

  AllowOverride None

  Order deny,allow

  Deny from 192.168.0.0/24

 </Directory>

技术分享

为虚拟主机1进行配置设置

[root@zou www2]# vim /etc/httpd/conf.d/www1.conf

<VirtualHost 172.16.1.2:80>

 ServerName www1.zou.com

 DocumentRoot /data/vhosts/www1

 ErrorLog logs/www1-error_log

 LogLevel warn

 CustomLog logs/www1-access_log combined


 <Directory /data/vhosts/www1>

  Options None

  AllowOverride None

  Order allow,deny

  Allow from all

 </Directory>

</VirtualHost>

   <Location /server-status>

        SetHandler server-status

        Order deny,allow

        Allow from all

       AuthType Basic

       AuthName "Server-stauts"

       AuthBasicProvider file

       AuthUserFile "/etc/httpd/conf/.htpasswd"

       Require user tom

   </Location>

为tom用户认证做准备

[root@zou www2]# htpasswd -c -m /etc/httpd/conf/.htpasswd tom

重启服务

~]# service httpd restart

技术分享

技术分享


httpd2.4(Centos7版本上)

生成自己的私钥和证书文件,传送给根服务器验证

[root@zzy www2]# mkdir /etc/httpd/conf/.ssh

[root@zzy www2]# cd /etc/httpd/conf/.ssh

[root@zzy .ssh]# (umask 077;openssl genrsa 4096 > http.key)

[root@zzy .ssh]# openssl req -new -key http.key -out httpd.csr

    Common Name (eg, your name or your server‘s hostname) []:www2.zou.com

[root@zzy .ssh]# scp httpd.csr root@172.16.1.3:/mnt

跟服务器签发证书,并把证书发送回来

[root@haizei ~]# openssl ca -in /mnt/httpd.csr -out /etc/pki/CA/certs/httpd002.crt

[root@haizei ~]# scp /etc/pki/CA/certs/httpd002.crt root@172.16.1.1:/etc/httpd/conf/.ssh

回到web服务器上面来

[root@zzy ~]# cd /etc/httpd/conf/.ssh;cp httpd002.crt httpd.crt

安装支持ssl的http模块

[root@zzy ~]# yum install mod_ssl -y

配置虚拟主机1

[root@zzy ~]# vim /etc/httpd/conf.d/ssl.conf

<VirtualHost _default_:443>

 ServerName www2.zou.com

 DocumentRoot /data/vhosts/www2

 ErrorLog logs/ssl_www2-error_log

 LogLevel warn

 TransferLog logs/ssl_www2_access_log

 SSLCertificateFile /etc/httpd/conf/.ssh/httpd.crt

 SSLCertificateKeyFile /etc/httpd/conf/.ssh/http.key

</VirtualHost>

<Directory /data/vhosts/www2>

  <RequireAll>

        Require all granted

        Require not ip 192.168.0.0/24

   </RequireAll>

</Directory>

技术分享


设置www1的虚拟主机


[root@zzy ~]# vim /etc/httpd/conf.d/www1.conf

<VirtualHost 172.16.1.1:80>

 ServerName www1.zou.com

 DocumentRoot /data/vhosts/www1

 ErrorLog logs/www1-error_log

 LogLevel warn

 CustomLog logs/www1-access_log combined


 <Directory /data/vhosts/www1>

   <RequireAll>

Require all granted

   </RequireAll>

 </Directory>

</VirtualHost>

   <Location /server-status>

        SetHandler server-status

      <RequireAll>

  Require all granted

       AuthType Basic

       AuthName "Server-stauts"

       AuthBasicProvider file

       AuthUserFile "/etc/httpd/conf/.htpasswd"

       Require user tom

      </RequireAll>

   </Location>


新建认证登录用户tom


[root@zzy vhosts]# htpasswd -c -m /etc/httpd/conf/.htpasswd tom

重新加载服务

[root@zzy .ssh]# systemctl reload httpd

技术分享

本文出自 “北极的linux” 博客,请务必保留此出处http://941012521.blog.51cto.com/9253690/1826574

https的博客作业

标签:https 用户认证

原文地址:http://941012521.blog.51cto.com/9253690/1826574

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!