Tags: apache httpd2.4 user-based access control https virtual-host-based control
Environment note: this post builds on the earlier post about compiling and installing httpd 2.4.
I. Virtual hosts
1.1 Name-based (by host)
[root@burgess apache]# vim /etc/httpd24/httpd.conf
# enable the virtual host include (httpd does not allow comments after a directive, so keep notes on their own lines)
Include /etc/httpd24/extra/httpd-vhosts.conf
# comment out the central (default) host
#DocumentRoot "/www/htdocs"
[root@burgess apache]# cd /etc/httpd24/extra
[root@burgess extra]# vim httpd-vhosts.conf
# comment out all of the existing content
# add the virtual hosts
<VirtualHost *:80>
    # ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/Vhosts/www.rocky.com"
    ServerName www.rocky.com
    ErrorLog "logs/www.rocky.com-error_log"
    CustomLog "logs/www.rocky.com-access_log" common
    # the <Directory> must grant this host's own DocumentRoot
    <Directory "/Vhosts/www.rocky.com">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    # ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/Vhosts/www.rocky.org"
    ServerName www.rocky.org
    ErrorLog "logs/www.rocky.org-error_log"
    CustomLog "logs/www.rocky.org-access_log" common
    <Directory "/Vhosts/www.rocky.org">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
Save and quit, then check the syntax with httpd -t.
[root@burgess ~]# mkdir -pv /Vhosts/www.rocky.{com,org}    # create the DocumentRoot directories
mkdir: created directory `/Vhosts'
mkdir: created directory `/Vhosts/www.rocky.com'
mkdir: created directory `/Vhosts/www.rocky.org'
[root@burgess ~]# vim /Vhosts/www.rocky.org/index.html    # content: <h1>Like A Fish In Water</h1>
[root@burgess ~]# vim /Vhosts/www.rocky.com/index.html    # content: <h1>Beauty lies in the lover's eyes</h1>
Save and quit, check the syntax with httpd -t, then restart with service httpd24 restart.
You can now request each hostname from the command line and get the matching page:
[root@burgess ~]# curl http://www.rocky.com
<h1>Beauty lies in the lover's eyes</h1>
[root@burgess ~]# curl http://www.rocky.org
<h1>Like A Fish In Water</h1>
This demo uses name-based virtual hosts, so to view them in a browser you have to add the hostnames and the VM's IP to the local hosts file; on Windows the path is C:\Windows\System32\drivers\etc\hosts. If the file cannot be edited in place, copy it out, edit it, and copy it back.
1.2 IP-based (environment: eth0 172.16.249.120:80; eth0:0 172.16.249.121)
[root@burgess ~]# vim /etc/httpd24/extra/httpd-vhosts.conf
<VirtualHost 172.16.249.120:80>
    # ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/Vhosts/www.rocky.com"
    ServerName www.rocky.com
    ErrorLog "logs/www.rocky.com-error_log"
    CustomLog "logs/www.rocky.com-access_log" common
    # the <Directory> must grant this host's own DocumentRoot
    <Directory "/Vhosts/www.rocky.com">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost 172.16.249.121:80>
    # ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/Vhosts/www.rocky.org"
    ServerName www.rocky.org
    ErrorLog "logs/www.rocky.org-error_log"
    CustomLog "logs/www.rocky.org-access_log" common
    <Directory "/Vhosts/www.rocky.org">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
[root@burgess ~]# service httpd24 restart
Enter either IP address in the browser to see the corresponding page.
1.3 Port-based
[root@burgess ~]# vim /etc/httpd24/extra/httpd-vhosts.conf
<VirtualHost 172.16.249.120:80>
    # ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/Vhosts/www.rocky.com"
    ServerName www.rocky.com
    ErrorLog "logs/www.rocky.com-error_log"
    CustomLog "logs/www.rocky.com-access_log" common
    # the <Directory> must grant this host's own DocumentRoot
    <Directory "/Vhosts/www.rocky.com">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost 172.16.249.120:8080>
    # ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/Vhosts/www.rocky.org"
    ServerName www.rocky.org
    ErrorLog "logs/www.rocky.org-error_log"
    CustomLog "logs/www.rocky.org-access_log" common
    <Directory "/Vhosts/www.rocky.org">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
[root@burgess ~]# vim /etc/httpd24/httpd.conf
# httpd only binds the ports it is told to listen on, so the second port must be added here
Listen 80
Listen 8080
[root@burgess ~]# service httpd24 restart
Now entering IP:port in the browser returns the corresponding content.
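As an added check (my own code, not from this post or from the httpd project), the following Python linter reads a vhost file like the ones above and flags three slips that are easy to make when one <VirtualHost> block is copied to create the next: a DocumentRoot that no <Directory> block in that vhost grants (httpd 2.4's default <Directory /> denies everything, so that host answers 403), a <Directory> block that instead grants another host's document tree, and a vhost bound to a port with no Listen directive. The configuration embedded at the bottom is constructed to contain all three.

```python
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIR_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.I)

def _values(directive, text):
    # all values of one directive, optional surrounding quotes stripped
    return re.findall(r'^\s*%s\s+"?([^"\s]+)"?' % directive, text, re.M | re.I)

def lint_vhosts(conf: str) -> list:
    """Return one finding string per problem; an empty list means clean."""
    listening = {v.rsplit(":", 1)[-1] for v in _values("Listen", conf)}
    vhosts = [(addr.strip(), [r.rstrip("/") for r in _values("DocumentRoot", body)],
               [d.rstrip("/") for d in DIR_RE.findall(body)])
              for addr, body in VHOST_RE.findall(conf)]
    all_roots = {r for _, roots, _ in vhosts for r in roots}
    findings = []
    for addr, roots, dirs in vhosts:
        port = addr.rsplit(":", 1)[-1]
        if port.isdigit() and port not in listening:
            findings.append("%s: port %s has no Listen directive" % (addr, port))
        for root in roots:
            # a DocumentRoot needs a <Directory> for itself or for a parent directory
            if not any(root == d or root.startswith(d + "/") for d in dirs):
                findings.append("%s: DocumentRoot %s not covered by any <Directory>"
                                % (addr, root))
        for d in dirs:
            if d in all_roots and d not in roots:
                findings.append("%s: <Directory %s> grants another vhost's DocumentRoot"
                                % (addr, d))
    return findings

# constructed sample: the first host's <Directory> points at the second host's
# tree, and the second host is bound to a port that was never opened
SAMPLE_CONF = """Listen 80
<VirtualHost *:80>
    DocumentRoot "/Vhosts/www.rocky.com"
    <Directory "/Vhosts/www.rocky.org">
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost 172.16.249.120:8080>
    DocumentRoot "/Vhosts/www.rocky.org"
    <Directory "/Vhosts/www.rocky.org">
        Require all granted
    </Directory>
</VirtualHost>
"""
```

Run lint_vhosts() on the text of httpd-vhosts.conf after editing and before httpd -t; the syntax check passes configurations like the sample, because nothing in them is syntactically wrong.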
II. User-based access control (the authentication type is Basic; the protected path is /www/htdocs/index.html, whose content was created earlier and is not created again here)
(a) First check /etc/httpd24/httpd.conf for the following important modules and make sure they are enabled:
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
# also check that the virtual host include is commented out again
#Include /etc/httpd24/extra/httpd-vhosts.conf
(b) Define the security realm
[root@burgess ~]# vim /etc/httpd24/httpd.conf
<Directory "/www/htdocs/">
    Options None
    AllowOverride None
    # Require all granted
    # authentication type
    AuthType Basic
    # realm name shown to the client, free-form
    AuthName "Admin Area"
    # credential file holding the user names and password hashes; it has nothing to do
    # with /etc/passwd and is usually a hidden file; the path is up to you, but the
    # directory in front of .htpasswd must exist (create it if needed)
    AuthUserFile /etc/httpd24/users/.htpasswd
    # allow every user that has an entry in the file; to allow only Wade and Bosh use
    # "Require user Wade Bosh" and list any further users after them (note the
    # different syntax for "all users" versus "listed users")
    Require valid-user
</Directory>
(c) Provide the credential file and create the directories it needs
[root@Burgess htdocs]# htpasswd -c -m /etc/httpd24/users/.htpasswd Wade    # use -c only the first time, to create the file
New password:            # password: burgess
Re-type new password:
Adding password for user Wade
[root@Burgess htdocs]# htpasswd -m /etc/httpd24/users/.htpasswd Bosh
New password:            # password: burgess
Re-type new password:
Adding password for user Bosh
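To show what the credential file from step (c) actually holds, and why Basic authentication belongs behind the HTTPS of section III, here is an added Python example (my own code, not from this post or from Apache) that re-implements the $apr1$ MD5-crypt scheme written by htpasswd -m, verifies a user and password against an .htpasswd line, and decodes the Authorization header a client sends back. The .htpasswd line and header at the bottom are constructed here, and the salt Burgess0 is an arbitrary constructed value, not one from the post.

```python
import base64, hashlib, hmac
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v, n):
    # APR's to64(): n base-64 digits, least significant 6 bits first
    return bytes(ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))

def apr1_hash(password: str, salt: str) -> str:
    """Apache MD5-crypt ($apr1$), the scheme that 'htpasswd -m' stores."""
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):          # one alt byte per password byte
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                                  # stir by the bits of len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                     # 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    idx = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))  # APR output order
    out = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in idx)
    return "$apr1$%s$%s" % (sl.decode(), (out + _to64(final[11], 2)).decode())

def verify_htpasswd(line: str, user: str, password: str) -> bool:
    """Check user/password against one .htpasswd line ($apr1$ entries only)."""
    name, _, stored = line.strip().partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    # recompute with the stored salt and compare in constant time
    return hmac.compare_digest(apr1_hash(password, stored.split("$")[2]), stored)

def decode_basic(header_value: str):
    """Recover (user, password) from an Authorization header value, else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, pw = base64.b64decode(token).decode().partition(":")
    return user, pw

# constructed samples: Wade's .htpasswd entry (salt chosen here) and his browser's header
SAMPLE_LINE = "Wade:" + apr1_hash("burgess", "Burgess0")
SAMPLE_HEADER = "Basic " + base64.b64encode(b"Wade:burgess").decode()
```

decode_basic() shows that the credentials cross the wire as plain base64, which is why the realm should only be served over the TLS virtual host configured in section III.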
III. SSL configuration
(1) Set up a private CA (change into /etc/pki/CA)
[root@burgess CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
[root@burgess CA]# openssl req -new -x509 -key private/cakey.pem -days 19890 -out cacert.pem
[root@burgess CA]# echo 01 > serial    # serial numbers start at 1
[root@burgess CA]# touch index.txt
(2) Generate a certificate for the server
[root@burgess CA]# mkdir /etc/httpd/certs    # then change into this directory
[root@burgess certs]# (umask 077; openssl genrsa -out httpd.key 2048)
[root@burgess certs]# openssl req -new -key httpd.key -out httpd.csr -days 19890
[root@burgess certs]# openssl ca -in httpd.csr -out httpd.crt -days 19890
For detailed steps see the post: http://burgess8909.blog.51cto.com/9607271/1588151
(3) Configure httpd to use the certificate
[root@Burgess conf]# yum install mod_ssl -y    # install the module package; it is not installed by default
[root@Burgess ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf    # its configuration file
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
[root@Burgess ~]# ss -tnl
LISTEN 0 128 :::443 :::*    # port 443 is now listening; if it is not, restart the service
Edit /etc/httpd24/extra/httpd-ssl.conf, enable the following and check the related settings:
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost IP:PORT>
    ServerName www.burgess.com:443
    # the DocumentRoot may be changed, e.g. to /www/sslhost
    DocumentRoot "/www/sslhost"
    # ! removes a cipher group and + adds one; this is the stock list of the time and still
    # permits RC4 and LOW/MEDIUM-strength ciphers, which are considered weak today
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    # turn the SSL engine on
    SSLEngine on
    # change to the path of the server certificate issued in step (2)
    SSLCertificateFile /etc/httpd/certs/httpd.crt
    # path of the private key generated in step (2)
    SSLCertificateKeyFile /etc/httpd/certs/httpd.key
</VirtualHost>
Save and quit, check the syntax, reload, then run tail /var/log/httpd/error_log: it reports that /www/sslhost does not exist. Create it and give it an index.html page:
[root@Burgess ~]# mkdir /www/sslhost24 -pv
[root@Burgess ~]# vim /www/sslhost24/index.html
<h1>Lovers don't finally meet somewhere. They're in each other all along</h1>
Change the DocumentRoot in /etc/httpd/conf/httpd.conf to /www/sslhost.
Enter 172.16.249.120 in the browser and it reports that your connection is not private. This happens because the local machine does not trust the CA certificate, so the CA certificate has to be imported locally; secondly, the certificate was issued for the name www.burgess.com, not for the IP address being accessed.
Import the CA certificate (/etc/pki/CA/cacert.pem) locally: copy it to the local machine, rename cacert.pem to cacert.crt, double-click it to import and install it, choosing the certificate store.
Address does not match the certificate holder: add www.burgess.com and its IP to the hosts file; on Windows the path is C:\Windows\System32\drivers\etc\hosts. If the file cannot be edited in place, copy it out, edit it, and copy it back.
Visit www.burgess.com again and the page displays normally.
To access it with curl, write the IP and hostname into /etc/hosts.
This article is from the "西来龙象" blog; please keep this attribution: http://burgess8909.blog.51cto.com/9607271/1592382
Original URL: http://burgess8909.blog.51cto.com/9607271/1592382