Tags: https user authentication
Blog assignment: implement the following on httpd-2.2 and on httpd-2.4
1. Set up an httpd service with these requirements:
(1) Provide two name-based virtual hosts, www1 and www2, each with its own error log and access log;
(2) Serve status information at /server-status on www1, and allow only the user tom to access it;
(3) www2 must not allow access from any host in the 192.168.0.0/24 network;
2. Provide HTTPS for the second virtual host above.
Preparation:
172.16.1.1 tests httpd-2.4; this is a CentOS 7 system
172.16.1.2 tests httpd-2.2; this is a CentOS 6 system
172.16.1.3 acts as the CA server and issues certificates to the other two hosts
SELinux and iptables are temporarily disabled
Generate the CA server's own private key, in preparation for creating its root certificate
[root@haizei ~]# cd /etc/pki/CA
[root@haizei CA]# (umask 077; openssl genrsa 2048 > private/cakey.pem)   # cakey.pem is the CA's own private key; umask 077 keeps it readable by root only
## Because this is a private CA and the country, province and organization are all the same, change the defaults here so that signing our own requests later is easier (the stock policy requires C, ST and O of a request to match the CA's)
[root@haizei CA]# vim /etc/pki/tls/openssl.cnf
countryName_default            = CN
stateOrProvinceName_default    = Beijing
localityName_default           = Shangdi
0.organizationName_default     = M19
organizationalUnitName_default = Jishu
Generate the self-signed certificate (root CA)
[root@haizei CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
Common Name (eg, your name or your server's hostname) []:haizei.zou.com
Choose the Common Name yourself; it should match the host name or a domain name that resolves to it.
Prepare the CA's database files
[root@haizei CA]# mkdir -p /etc/pki/CA/{certs,crl,newcerts}
[root@haizei CA]# touch /etc/pki/CA/{serial,index.txt}
[root@haizei CA]# echo 01 > /etc/pki/CA/serial   # the serial must have an even number of hex digits, or "openssl ca" rejects it
On httpd 2.2 (CentOS 6)
Generate the server's own private key and certificate signing request (CSR), and send the request to the root CA for signing
[root@zou www2]# mkdir /etc/httpd/conf/.ssh
[root@zou www2]# cd /etc/httpd/conf/.ssh
[root@zou .ssh]# (umask 077; openssl genrsa 4096 > http.key)
[root@zou .ssh]# openssl req -new -key http.key -out httpd.csr
[root@zou .ssh]# scp httpd.csr root@172.16.1.3:/tmp   # the CA reads the request from /tmp in the next step
The root CA signs the certificate and sends it back
[root@haizei ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
[root@haizei ~]# scp /etc/pki/CA/certs/httpd.crt root@172.16.1.2:/etc/httpd/conf/.ssh
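The CA preparation above (key, self-signed root, serial and index files) and the signing step are easy to get subtly wrong, and the post never checks the certificate it issued. The following POSIX shell script is an added example, not code from the original post: it rebuilds the same flow in a throwaway directory with its own minimal openssl.cnf (so the system /etc/pki/tls/openssl.cnf stays untouched), signs a request with `openssl ca` under the same policy_match rules that make the author edit the DN defaults, adds a subjectAltName (browsers ignore the CN alone), and then verifies the result with `openssl verify`, including a negative check against a second, unrelated CA. The subjects, paths and function names are assumptions chosen for this example; only the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example (not part of the original post): a throwaway private CA that mirrors the
# steps above, plus the verification the post does not show. Requires only the openssl CLI.
set -eu

# Subjects chosen for this example: C/ST/O must match between CA and request because the
# "policy_match" policy below (the same one the stock CentOS openssl.cnf uses) demands it.
CA_SUBJ="/C=CN/ST=Beijing/L=Shangdi/O=M19/OU=Jishu/CN=haizei.zou.com"
SRV_SUBJ="/C=CN/ST=Beijing/L=Shangdi/O=M19/OU=Jishu/CN=www2.zou.com"

# build_demo_ca DIR : create the CA layout, its private key and a self-signed root cert.
build_demo_ca() {
  ca=$1
  mkdir -p "$ca/private" "$ca/certs" "$ca/crl" "$ca/newcerts"
  : > "$ca/index.txt"
  echo 01 > "$ca/serial"          # even number of hex digits, or "openssl ca" refuses it
  cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database      = $ca/index.txt
new_certs_dir = $ca/newcerts
serial        = $ca/serial
certificate   = $ca/cacert.pem
private_key   = $ca/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_match

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www2.zou.com
EOF
  (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$ca/openssl.cnf" -extensions v3_ca \
    -key "$ca/private/cakey.pem" -days 3650 -subj "$CA_SUBJ" -out "$ca/cacert.pem" 2>/dev/null
}

# make_csr CA_DIR OUT_DIR : the web server's part, a private key and a signing request.
make_csr() {
  mkdir -p "$2"
  (umask 077; openssl genrsa -out "$2/http.key" 2048 2>/dev/null)
  openssl req -new -config "$1/openssl.cnf" -key "$2/http.key" -subj "$SRV_SUBJ" \
    -out "$2/httpd.csr" 2>/dev/null
}

# sign_csr CA_DIR CSR OUT : the CA's part, issue the server certificate non-interactively.
sign_csr() {
  openssl ca -batch -config "$1/openssl.cnf" -extensions server_cert -notext \
    -in "$2" -out "$3" 2>/dev/null
}

# verify_chain CA_DIR CERT : succeed only if CERT chains to this CA's root.
verify_chain() {
  openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

# cert_dns_names CERT : print the subjectAltName DNS entries, e.g. "DNS:www2.zou.com".
cert_dns_names() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*'
}

# demo : run the whole flow in a temp dir and print the checks; exit status 0 on success.
demo() {
  t=$(mktemp -d)
  build_demo_ca "$t/ca"
  make_csr "$t/ca" "$t/srv"
  sign_csr "$t/ca" "$t/srv/httpd.csr" "$t/srv/httpd.crt"
  if verify_chain "$t/ca" "$t/srv/httpd.crt"; then echo "httpd.crt chains to our CA: OK"
  else echo "BUG: issued certificate does not verify"; return 1; fi
  echo "SAN: $(cert_dns_names "$t/srv/httpd.crt")"
  build_demo_ca "$t/other"     # an unrelated CA must NOT validate our certificate
  if verify_chain "$t/other" "$t/srv/httpd.crt"; then echo "BUG: wrong CA accepted"; return 1; fi
  echo "unrelated CA rejected: OK"
  rm -rf "$t"
}

case "${1:-}" in run) demo ;; esac
```

Run it as `sh ca_demo.sh run`. The same `openssl verify -CAfile cacert.pem httpd.crt` check is the one to repeat on the real web server after the scp step above, and the `policy_match` section is why a request whose C, ST or O differs from the CA's is refused by `openssl ca`.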
Edit the main configuration file to enable name-based (FQDN) virtual hosts
[root@zou ~]# vim /etc/httpd/conf/httpd.conf
NameVirtualHost 172.16.1.2:80
Configure httpd to support SSL
~]# yum -y install mod_ssl
Configure the www2 virtual host
[root@zou www2]# vim /etc/httpd/conf/ssl.conf
<VirtualHost _default_:443>
    ServerName www2.zou.com
    DocumentRoot /data/vhosts/www2
    ErrorLog logs/ssl_www2-error_log
    LogLevel warn
    TransferLog logs/ssl_www2_access_log
    SSLCertificateFile /etc/httpd/conf/.ssh/httpd.crt
    SSLCertificateKeyFile /etc/httpd/conf/.ssh/http.key
</VirtualHost>

<Directory /data/vhosts/www2>
    Options None
    AllowOverride None
    # deny,allow: Deny is evaluated first and the default is allow; there is deliberately
    # no "Allow from all" line, because under this Order an Allow match would override the Deny
    Order deny,allow
    Deny from 192.168.0.0/24
</Directory>
Configure the www1 virtual host
[root@zou www2]# vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.1.2:80>
    ServerName www1.zou.com
    DocumentRoot /data/vhosts/www1
    ErrorLog logs/www1-error_log
    LogLevel warn
    CustomLog logs/www1-access_log combined
    <Directory /data/vhosts/www1>
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    # kept inside the <VirtualHost> so that only www1 serves /server-status
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName "Server-status"
        AuthBasicProvider file
        AuthUserFile "/etc/httpd/conf/.htpasswd"
        Require user tom
    </Location>
</VirtualHost>
Prepare the credentials for user tom
[root@zou www2]# htpasswd -c -m /etc/httpd/conf/.htpasswd tom   # -c creates (and overwrites) the file, -m stores an MD5 hash; htpasswd prompts for the password
Restart the service
~]# service httpd restart
On httpd 2.4 (CentOS 7)
Generate the server's own private key and certificate signing request (CSR), and send the request to the root CA for signing
[root@zzy www2]# mkdir /etc/httpd/conf/.ssh
[root@zzy www2]# cd /etc/httpd/conf/.ssh
[root@zzy .ssh]# (umask 077;openssl genrsa 4096 > http.key)
[root@zzy .ssh]# openssl req -new -key http.key -out httpd.csr
Common Name (eg, your name or your server's hostname) []:www2.zou.com
[root@zzy .ssh]# scp httpd.csr root@172.16.1.3:/mnt
The root CA signs the certificate and sends it back
[root@haizei ~]# openssl ca -in /mnt/httpd.csr -out /etc/pki/CA/certs/httpd002.crt
[root@haizei ~]# scp /etc/pki/CA/certs/httpd002.crt root@172.16.1.1:/etc/httpd/conf/.ssh
Back on the web server
[root@zzy ~]# cd /etc/httpd/conf/.ssh; cp httpd002.crt httpd.crt
Install the httpd SSL module
[root@zzy ~]# yum install mod_ssl -y
Configure the HTTPS virtual host for www2
[root@zzy ~]# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
    ServerName www2.zou.com
    DocumentRoot /data/vhosts/www2
    ErrorLog logs/ssl_www2-error_log
    LogLevel warn
    TransferLog logs/ssl_www2_access_log
    SSLCertificateFile /etc/httpd/conf/.ssh/httpd.crt
    SSLCertificateKeyFile /etc/httpd/conf/.ssh/http.key
</VirtualHost>

<Directory /data/vhosts/www2>
    <RequireAll>
        Require all granted
        Require not ip 192.168.0.0/24
    </RequireAll>
</Directory>
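The 2.2 `Order deny,allow` / `Deny from` block in the CentOS 6 section and the 2.4 `<RequireAll>` block above express the same rule, but the 2.2 form is notorious for pitfalls (an `Order allow,deny` with only a Deny line locks everyone out; an `Allow from all` under `deny,allow` cancels the Deny). The following POSIX shell script is an added example, not from the original post: it models both decision procedures so the www2 rule can be checked against sample client addresses without a running httpd. The function names are assumptions chosen for this example; the decision rules are those documented for mod_authz_host (2.2) and mod_authz_core (2.4).

```shell
#!/bin/sh
# Added example (not part of the original post): a small POSIX-sh model of how httpd 2.2's
# Order/Allow/Deny and httpd 2.4's <RequireAll> decide a request for a given client address.
set -eu

# ip_to_int A.B.C.D : dotted quad -> 32-bit integer
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr CLIENT NET/PREFIX : succeed if CLIENT lies inside NET/PREFIX
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# matches_any CLIENT "NET1 NET2 ..." : "all" matches everything, an empty list matches nothing
matches_any() {
  for n in $2; do
    if [ "$n" = all ] || in_cidr "$1" "$n"; then return 0; fi
  done
  return 1
}

# httpd22_decide ORDER "ALLOW NETS" "DENY NETS" CLIENT : prints allowed or denied, following
# the mod_authz_host rules of httpd 2.2:
#   deny,allow  - Deny first; an Allow match overrides it; everything unmatched is allowed
#   allow,deny  - an Allow must match; a Deny match overrides it; everything unmatched is denied
httpd22_decide() {
  order=$1; allow=$2; deny=$3; client=$4
  matches_any "$client" "$allow" && a=1 || a=0
  matches_any "$client" "$deny"  && d=1 || d=0
  case $order in
    deny,allow) if [ $a -eq 1 ]; then echo allowed; elif [ $d -eq 1 ]; then echo denied; else echo allowed; fi ;;
    allow,deny) if [ $d -eq 1 ]; then echo denied; elif [ $a -eq 1 ]; then echo allowed; else echo denied; fi ;;
    *) echo "unknown Order '$order'" >&2; return 2 ;;
  esac
}

# httpd24_decide "DENY NETS" CLIENT : the 2.4 form used in ssl.conf above,
#   <RequireAll> Require all granted / Require not ip NET </RequireAll>
# "Require not ip" is a veto inside RequireAll; "all granted" admits everyone else.
httpd24_decide() {
  if matches_any "$2" "$1"; then echo denied; else echo allowed; fi
}

# Worked checks for the page's rule (Deny from / Require not ip 192.168.0.0/24)
if [ "${1:-}" = run ]; then
  for c in 192.168.0.77 172.16.1.9; do
    printf '%-14s 2.2 deny,allow: %s   2.4: %s\n' "$c" \
      "$(httpd22_decide deny,allow "" "192.168.0.0/24" "$c")" "$(httpd24_decide "192.168.0.0/24" "$c")"
  done
  # the classic 2.2 pitfall: "Order allow,deny" with only a Deny line locks everyone out
  printf '%-14s 2.2 allow,deny with no Allow line: %s\n' 172.16.1.9 \
    "$(httpd22_decide allow,deny "" "192.168.0.0/24" 172.16.1.9)"
  # and under deny,allow an "Allow from all" would cancel the Deny entirely
  printf '%-14s 2.2 deny,allow plus Allow from all: %s\n' 192.168.0.77 \
    "$(httpd22_decide deny,allow all "192.168.0.0/24" 192.168.0.77)"
fi
```

Run it as `sh access_model.sh run`. The last two lines of output are the reason the 2.2 ssl.conf above uses `Order deny,allow` with a bare `Deny from` and no `Allow` line; the 2.4 `RequireAll` form has no such ordering trap, which is one reason to prefer it on CentOS 7.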
Set up the www1 virtual host
[root@zzy ~]# vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.1.1:80>
    ServerName www1.zou.com
    DocumentRoot /data/vhosts/www1
    ErrorLog logs/www1-error_log
    LogLevel warn
    CustomLog logs/www1-access_log combined
    <Directory /data/vhosts/www1>
        <RequireAll>
            Require all granted
        </RequireAll>
    </Directory>
    # kept inside the <VirtualHost> so that only www1 serves /server-status
    <Location /server-status>
        SetHandler server-status
        # AuthType, AuthName, AuthBasicProvider and AuthUserFile are not allowed inside
        # <RequireAll>; only Require lines may go there, so they sit at Location level
        AuthType Basic
        AuthName "Server-status"
        AuthBasicProvider file
        AuthUserFile "/etc/httpd/conf/.htpasswd"
        <RequireAll>
            Require all granted
            Require user tom
        </RequireAll>
    </Location>
</VirtualHost>
Create the login user tom
[root@zzy vhosts]# htpasswd -c -m /etc/httpd/conf/.htpasswd tom
Reload the service
[root@zzy .ssh]# systemctl reload httpd
This article comes from the "北极的linux" blog; please keep this attribution: http://941012521.blog.51cto.com/9253690/1826533