Tags: http directives and https
Implement the following with httpd-2.2 and with httpd-2.4 respectively
1. Set up an httpd service with these requirements:
(1) Provide two name-based virtual hosts, www1 and www2, each with its own error log and access log;
(2) Serve status information at /server-status on www1, accessible only to user tom;
(3) www2 must deny access from every host in the 192.168.0.0/24 network;
2. Provide https for the second virtual host above;
1. httpd-2.2 (environment: CentOS 6.7)
Main configuration file
#vim /etc/httpd/conf/httpd.conf
NameVirtualHost 172.16.8.100:80
LoadModule status_module modules/mod_status.so
www1 configuration file
#vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.8.100:80>
    DocumentRoot /data/www1
    ServerName www1.marvel.com
    ErrorLog logs/www1-error_log
    CustomLog logs/www1-access_log combined
    <Location /server-status>
        SetHandler server-status
        # AllowOverride is only valid in <Directory> and Options is not needed for a handler,
        # so neither belongs in this <Location>
        AuthName "status"
        AuthType basic
        # create the password file with: htpasswd -c /etc/httpd/www1_passwd tom
        AuthUserFile "/etc/httpd/www1_passwd"
        Require user tom
    </Location>
</VirtualHost>
www2 configuration file
#vim /etc/httpd/conf.d/www2.conf
<VirtualHost 172.16.8.100:80>
    DocumentRoot /data/www2
    ServerName www2.marvel.com
    ErrorLog logs/www2-error_log
    CustomLog logs/www2-access_log combined
    <Directory "/data/www2">
        Options None
        AllowOverride None
        # Requirement (3): with "Order allow,deny" a matching Deny wins over Allow,
        # so hosts in 192.168.0.0/24 are refused while everyone else is admitted
        Order allow,deny
        Allow from all
        Deny from 192.168.0.0/24
    </Directory>
</VirtualHost>
Configure https for www2
#yum install mod_ssl
#httpd -M    # check whether the ssl module is loaded; if it is not, add LoadModule ssl_module modules/mod_ssl.so to the main configuration file or to ssl.conf
Obtain a digital certificate for the server;
For testing: issue the certificate from a self-built CA
(a) Create the private CA (the key file name must match between genrsa and req; the CA certificate goes in /etc/pki/CA/cacert.pem, which is where the default openssl.cnf expects it; 2048-bit keys are used because 1024-bit RSA is too weak)
(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
cd /etc/pki/CA
echo 01 > serial
touch index.txt
(b) Create the certificate signing request on the server 172.16.8.100
(umask 077; openssl genrsa -out /etc/pki/tls/private/httpd.key 2048)
openssl req -new -key /etc/pki/tls/private/httpd.key -out /etc/pki/tls/httpd.csr
scp /etc/pki/tls/httpd.csr 172.16.8.101:/tmp
Note: installing mod_ssl provides the ssl configuration file ssl.conf, which specifies where the private key and the certificate are stored
(c) The CA signs the request
openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt
scp /tmp/httpd.crt 172.16.8.100:/etc/pki/tls/certs/httpd.crt
#vim /etc/httpd/conf.d/ssl.conf
<VirtualHost 172.16.8.100:443>
...
    ServerName www2.marvel.com
    DocumentRoot "/data/www2"
    SSLCertificateFile /etc/pki/tls/certs/httpd.crt
    SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
...
</VirtualHost>
2. httpd-2.4 (environment: CentOS 7.1)
1. Load the status module
In /etc/httpd/conf.modules.d/00-base.conf, add or uncomment the following line
LoadModule status_module modules/mod_status.so
2. Edit the configuration file of virtual host www1; httpd-2.4 no longer needs the NameVirtualHost directive
#vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.8.102:80>
    ServerName www1.marvel.com
    DocumentRoot "/data/www1"
    ErrorLog logs/www1-error_log
    CustomLog logs/www1-access_log combined
    <Location /server-status>
        SetHandler server-status
        AuthName "status"
        AuthType basic
        # keep the password file outside DocumentRoot so it can never be served as content;
        # create it with: htpasswd -c /etc/httpd/www1_passwd tom
        AuthUserFile "/etc/httpd/www1_passwd"
        Require user tom
    </Location>
    <Directory "/data/www1">
        Require all granted
    </Directory>
</VirtualHost>
3. Edit the www2 configuration file (requirement (3) applies to www2, so the network restriction belongs here)
#vim /etc/httpd/conf.d/www2.conf
<VirtualHost 172.16.8.102:80>
    ServerName www2.marvel.com
    DocumentRoot "/data/www2"
    ErrorLog logs/www2-error_log
    CustomLog logs/www2-access_log combined
    <Directory "/data/www2">
        # Inside <RequireAll> every line must pass: "Require all granted" admits the
        # client, and "Require not ip" fails for any client in 192.168.0.0/24
        <RequireAll>
            Require all granted
            Require not ip 192.168.0.0/24
        </RequireAll>
    </Directory>
</VirtualHost>
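The two access-control mechanisms above behave differently under the same inputs, so here is a small Python model of their evaluation rules, added as an example and not part of the original post: httpd-2.2 Order/Allow/Deny and the httpd-2.4 <RequireAll> block with "Require not ip". The Require strings and client addresses passed in are constructed sample inputs.

```python
import ipaddress


def _in_any(client, nets):
    """True if client matches any entry; entries are 'all' or an IP/CIDR string."""
    ip = ipaddress.ip_address(client)
    return any(n == "all" or ip in ipaddress.ip_network(n, strict=False) for n in nets)


def httpd22_allowed(client, order, allow_from=(), deny_from=()):
    """httpd-2.2 mod_authz_host: Order allow,deny / deny,allow with Allow and Deny lists."""
    allowed = _in_any(client, allow_from)
    denied = _in_any(client, deny_from)
    if order == "allow,deny":
        # Default deny: the client must match an Allow and must not match any Deny.
        return allowed and not denied
    if order == "deny,allow":
        # Default allow: a matching Allow overrides any Deny, so
        # "Deny from <net>" together with "Allow from all" still lets <net> in.
        return allowed or not denied
    raise ValueError("Order must be 'allow,deny' or 'deny,allow'")


def httpd24_require_all(client, requires):
    """<RequireAll> over Require lines: 'all granted', 'all denied', 'ip <net>...', 'not ip <net>...'.
    Any failing line fails the block; a negated line never grants, it only fails
    when the client matches; if no line grants, the result is denied.
    """
    granted = False
    for req in requires:
        words = req.split()
        negate = words[0] == "not"
        if negate:
            words = words[1:]
        if words == ["all", "granted"]:
            matched = True
        elif words == ["all", "denied"]:
            matched = False
        elif words[0] == "ip":
            matched = _in_any(client, words[1:])
        else:
            raise ValueError("unsupported requirement: " + req)
        if negate:
            if matched:
                return False
            continue
        if not matched:
            return False
        granted = True
    return granted
```

Note that "Order allow,deny" with only "Allow from all" admits 192.168.0.10, and "Order deny,allow" admits it even with "Deny from 192.168.0.0/24" present; only "Order allow,deny" plus the Deny line, or the 2.4 RequireAll form, actually refuses that network.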
4. Provide https for www2
Install the mod_ssl module
#yum install mod_ssl
Installing mod_ssl automatically generates /etc/httpd/conf.modules.d/00-ssl.conf, which contains the module-loading directive
LoadModule ssl_module modules/mod_ssl.so
Obtain a digital certificate for the server;
For testing: issue the certificate from a self-built CA
(a) Create the private CA (the key file name must match between genrsa and req; the CA certificate goes in /etc/pki/CA/cacert.pem, which is where the default openssl.cnf expects it; 2048-bit keys are used because 1024-bit RSA is too weak)
(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
cd /etc/pki/CA
echo 01 > serial
touch index.txt
(b) Create the certificate signing request on the server 172.16.8.102
(umask 077; openssl genrsa -out /etc/pki/tls/private/httpd.key 2048)
openssl req -new -key /etc/pki/tls/private/httpd.key -out /etc/pki/tls/httpd.csr
scp /etc/pki/tls/httpd.csr 172.16.8.101:/tmp
Note: installing mod_ssl provides the ssl configuration file ssl.conf, which specifies where the private key and the certificate are stored
(c) The CA signs the request
openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt
scp /tmp/httpd.crt 172.16.8.102:/etc/pki/tls/certs/httpd.crt
#vim /etc/httpd/conf.d/ssl.conf
<VirtualHost 172.16.8.102:443>
...
    ServerName www2.marvel.com
    DocumentRoot "/data/www2"
    <Directory "/data/www2">
        # requirement (3) applies to www2 over https as well
        <RequireAll>
            Require all granted
            Require not ip 192.168.0.0/24
        </RequireAll>
    </Directory>
    SSLCertificateFile /etc/pki/tls/certs/httpd.crt
    SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
...
</VirtualHost>
Original article: http://bloodhero.blog.51cto.com/4496010/1827588