配置基于主机名的虚拟主机
1、先配置DNS
DNS 安装
yum install bind* -y
开放防火墙端口
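# Allow inbound DNS queries to this server (TCP and UDP port 53).
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# Replies to lookups this host itself sends out (root hints, forwarders) arrive
# with source port 53. Accept them by connection state rather than by source
# port: a bare "--sport 53 -j ACCEPT" lets any remote peer bypass the whole
# INPUT chain just by sending its packets from port 53.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Persist the rule set and reload it.
service iptables save
service iptables restart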
拷贝配置文件
cp -a /etc/named* /var/named/chroot/etc/
cp -a /var/named/d* /var/named/named.* /var/named/slaves/ /var/named/chroot/var/named/
cd /var/named/chroot/etc/
vim named.conf
options {
listen-on port 53 { 127.0.0.1; }; # change 127.0.0.1 to any so named answers on every interface
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
# NOTE(review): "allow-query { any; }" together with "recursion yes;" below turns
# this into an open recursive resolver for anyone who can reach port 53, which is
# routinely abused for amplification. Limit recursion to trusted clients, e.g.
# "allow-recursion { 192.168.1.0/24; };" (example range taken from this setup),
# or set "recursion no;" if the server is only meant to be authoritative.
allow-query { localhost; }; # change localhost to any
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
# Root hints zone.
zone "." IN {
type hint;
file "named.ca";
};
# Three master zones: hhj.cc, baidu.com, google.com. The zone file names are
# relative to the "directory" option above.
zone "hhj.cc" {
type master;
file "aa.zone";
};
zone "baidu.com" {
type master;
file "bb.zone";
};
zone "google.com" {
type master;
file "cc.zone";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
cd /var/named/chroot/var/named
cp -a named.localhost aa.zone
vim aa.zone
$TTL 1D
@ IN SOA node1.hhj.cc. root (
11 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS node1.hhj.cc.
node1 A 192.168.1.104
www A 192.168.1.104
cp -a named.localhost bb.zone
vim bb.zone
$TTL 1D
@ IN SOA node1.baidu.com. root (
11 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS node1.baidu.com.
node1 A 192.168.1.104
www A 192.168.1.104
cp -a named.localhost cc.zone
vim cc.zone
$TTL 1D
@ IN SOA node1.google.com. root (
11 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS node1.google.com.
node1 A 192.168.1.104
www A 192.168.1.104
建立一个rndc.key文件
rndc-confgen -r /dev/urandom -a
重启服务
service named restart
2、配置虚拟主机
vim /etc/httpd/conf/httpd.conf
#NameVirtualHost *:80前的注释去掉
# Name-based virtual hosts: httpd picks the block whose ServerName matches the
# request's Host header.
# NOTE(review): these blocks use *:81 while the NameVirtualHost line being
# uncommented above is *:80. Name-based selection only works when the
# NameVirtualHost address:port and the <VirtualHost> address:port agree, and
# httpd also needs a matching "Listen" for that port — confirm the intended port.
<VirtualHost *:81>
DocumentRoot /baidu
ServerName www.baidu.com
</VirtualHost>
<VirtualHost *:81>
DocumentRoot /google
ServerName www.google.com
</VirtualHost>
重启httpd服务
service httpd restart
修改上下文
chcon -R --reference=/var/www/html /baidu/ /google/
HTTPS加密配置
1、 安装mod_ssl模块
yum install mod_ssl -y
安装完后查看/etc/httpd/conf.d/
[root@hhj1984 ~]#ls /etc/httpd/conf.d/
打开配置文件
[root@hhj1984 ~]# vim /etc/httpd/conf.d/ssl.conf
LoadModule ssl_module modules/mod_ssl.so #加载mod_ssl.so模块
Listen 443 #监听端口默认443
SSLEngine on #是开启SSL引擎
SSLCertificateFile /etc/pki/tls/certs/localhost.crt #证书路径
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key #私钥路径
进入/etc/pki/tls/certs/目录
[root@hhj1984 ~]# cd /etc/pki/tls/certs/
[root@hhj1984 certs]# ls
ca-bundle.crt ca-bundle.trust.crt localhost.crt make-dummy-cert Makefile renew-dummy-cert
使用openssl命令制作密钥和证书文件:
生成ca.key密钥(注意:1024位RSA密钥强度已不足,建议使用2048位或以上):
# openssl genrsa -des3 -out ca.key -rand rand.dat 1024
创建ca.crt证书:
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
[root@hhj1984 certs]# make aa.crt #制作数据签名
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > aa.key
Generating RSA private key, 2048 bit long modulus
................................+++
...............................+++
e is 65537 (0x10001)
Enter pass phrase: #输入密码
Verifying - Enter pass phrase: #输入密码
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key aa.key -x509 -days 365 -out aa.crt -set_serial 0
Enter pass phrase for aa.key: #输入密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SC
Locality Name (eg, city) [Default City]:CD
Organization Name (eg, company) [Default Company Ltd]:HHJ
Organizational Unit Name (eg, section) []:HHJ1984
Common Name (eg, your name or your server's hostname) []:RHCC
Email Address []:
[root@hhj1984 certs]# ls
aa.crt aa.key ca-bundle.crt ca-bundle.trust.crt localhost.crt make-dummy-cert Makefile renew-dummy-cert
aa.crt 为生成证书,aa.key为私钥
将文件考到指定地方
[root@hhj1984 certs]# cp aa.crt aa.key /etc/httpd/conf/
配置/etc/httpd/conf.d/ssl.conf证书与私钥路径
vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf/aa.crt #证书路径
SSLCertificateKeyFile /etc/httpd/conf/aa.key #私钥路径
[root@hhj1984 certs]# service httpd restart #重启后就可以用HTTPS访问了
2、将数字签名只给某一个站点使用
[root@hhj1984 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLEngine off #关闭SSL引擎
直接将配置放入虚拟主机下
<VirtualHost *:443> #改为443
DocumentRoot /baidu
ServerName www.baidu.com
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt #证书路径
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key #私钥路径
</VirtualHost>
再重启httpd
强制用户使用https来访问网站方法
在 httpd.conf 中修改
vim /etc/httpd/conf/httpd.conf
# HTTPS virtual host bound to the server's own address on port 443.
<VirtualHost 192.168.1.104:443>
DocumentRoot /var/www/html
ServerName www.hhj1984.cc
ServerAlias www.hhj1984.cc. *.hhj1984.cc
SSLEngine on
# NOTE(review): these paths name ca.crt/ca.key under /etc/httpd/conf/, but the
# files copied into that directory earlier were aa.crt/aa.key, and ca.* were
# created in /etc/pki/tls/certs/. Make sure the paths match the files actually
# installed, otherwise httpd will not start.
SSLCertificateFile /etc/httpd/conf/ca.crt
SSLCertificateKeyFile /etc/httpd/conf/ca.key
</VirtualHost>
# Directory the site is served from.
<Directory "/var/www/html">
# "Indexes" makes httpd list a directory's contents when it has no index file;
# drop it unless directory listings are really wanted.
Options Indexes FollowSymLinks
# "All" makes httpd honour .htaccess files under this directory (the rewrite
# rules rely on it). Anyone who can write to the docroot can then change
# server behaviour, so keep write access to it tight.
AllowOverride All
Order allow,deny
Allow from all
</Directory>
在/var/www/html下修改 .htaccess，没有则创建 #站点所在目录
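<IfModule mod_rewrite.c>
RewriteEngine on
# Force HTTPS: any request that did not arrive on port 443 is redirected to
# the HTTPS site, keeping the requested path ($1). The port check is what
# stops the redirect from firing again once the client is already on HTTPS;
# a rule keyed on the Host header alone (the earlier %{http_host} pair) would
# also match HTTPS requests served from this docroot and redirect in a loop.
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)?$ https://www.hhj1984.cc/$1 [R=301,L]
</IfModule>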