Building httpd-2.4 on CentOS 7.2
1. Lab requirements:
1) Set up an httpd service that:
   (1) provides two name-based virtual hosts, www1 and www2, each with its own error log and access log;
   (2) exposes status information at /server-status on www1, accessible only to the user tom;
   (3) denies every host in the 192.168.0.0/24 network access to www2.
2) Provide HTTPS service for the second virtual host above.

2. Lab environment:
Linux server: CentOS release 7.2 (Final), IP 172.16.250.60
Windows 7 client: IP 172.16.250.100

3. Prerequisites:
1) Stop the firewall and put SELinux into permissive mode
~]# systemctl stop iptables
~]# setenforce 0
Note: CentOS 7 ships firewalld rather than the iptables service, so the first command only works if the iptables-services package is installed; otherwise stop firewalld instead. setenforce 0 lasts until the next boot and is acceptable for a lab, but on a real server keep SELinux enforcing and label /data/vhosts with the httpd_sys_content_t context so httpd is allowed to read it.

4. Procedure:
1. Provide two name-based virtual hosts, www1 and www2, each with its own error log and access log

一、Install the service
1) Install httpd-2.4 with yum
~]# yum install httpd -y
~]# rpm -qa httpd
~]# rpm -ql httpd
(abbreviated)
/etc/httpd
/var/log/httpd
/var/www/html
~]# rpm -qc httpd
(abbreviated)
/etc/httpd/conf/httpd.conf
/etc/sysconfig/httpd
/etc/httpd/conf.d/welcome.conf
~]# systemctl restart httpd.service
~]# ss -lnt
LISTEN 0 128 :::80 :::*

二、Create the virtual hosts
~]# cat /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.250.60:80>
    ServerName www1.magedu.com
    DocumentRoot /data/vhosts/www1
    ErrorLog logs/www1-error_log
    CustomLog logs/www1-access_log combined
    <Directory "/data/vhosts/www1">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
~]# cat /etc/httpd/conf.d/www2.conf
<VirtualHost 172.16.250.60:80>
    ServerName www2.magedu.com
    DocumentRoot /data/vhosts/www2
    ErrorLog logs/www2-error_log
    CustomLog logs/www2-access_log combined
    <Directory "/data/vhosts/www2">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
Two things to watch in this file. The original listing had the log format misspelled as "combiend"; httpd -t does not catch that, because an unknown nickname is treated as a literal format string, so every access-log line would read "combiend" instead of a request record. And as written the file does not implement requirement (3) (denying 192.168.0.0/24): in httpd 2.4 that needs a <RequireAll> container in the www2 <Directory> block combining Require all granted with Require not ip 192.168.0.0/24, since a negated Require on its own never grants access and httpd -t rejects it in the default RequireAny context.

三、Adjust the configuration
Note: name-based (FQDN) virtual hosts no longer need the NameVirtualHost directive in httpd 2.4.
1) Back up the original configuration file
~]# cp -p httpd.conf httpd.conf.bak
2) Create the site directories
~]# mkdir -pv /data/vhosts/www{1,2}
3) Create the home pages
~]# echo "<h1> www1.magedu.com </h1>" > /data/vhosts/www1/index.html
~]# echo "<h1> www2.magedu.com </h1>" > /data/vhosts/www2/index.html
4) Add hosts entries for name resolution
~]# echo "172.16.250.60 www1.magedu.com www2.magedu.com" >> /etc/hosts
5) After changing the configuration, check the syntax and reload
~]# httpd -t
~]# systemctl reload httpd.service

四、Test from the PC
1) On the Windows 7 client, add name resolution in C:\Windows\System32\drivers\etc\hosts
2) Open hosts in Notepad, add the line below and save:
172.16.250.60 www1.magedu.com www2.magedu.com
3) Both sites are reachable normally. Because both vhosts share one IP:port, httpd selects the vhost by the Host header; a request by bare IP, or with an unknown Host, is served by the first vhost loaded from conf.d, which is www1.

2. Expose status information at /server-status on www1, allowing only the user tom
一、Modify the configuration
1) Allow only tom to reach /server-status. The original does not say which file this goes in; putting it inside the www1 <VirtualHost> block in www1.conf limits it to www1 as required, whereas in the main context of httpd.conf it would apply to every vhost. mod_status itself is already loaded by the stock 00-base.conf.
<Location /server-status>
    SetHandler server-status
    AuthType Basic
    AuthName "For tom"
    AuthUserFile "/etc/httpd/conf/.htpasswd"
    Require user tom
</Location>
2) Create the password file with the user tom
~]# htpasswd -c -m /etc/httpd/conf/.htpasswd tom
(-c creates the file and overwrites an existing one, so omit it when adding further users; -m selects MD5 hashing, which is already the default. Basic authentication sends the password base64-encoded on every request, and www1 listens only on port 80, so tom's credentials cross the network in clear; in practice restrict the Location further by client address as well, or serve it over TLS.)
3) Check the syntax and reload
~]# httpd -t
~]# systemctl reload httpd.service

二、Test in the PC's browser
1) Visiting http://172.16.250.60/server-status prompts for authentication as tom.
Test: http://www1.magedu.com/server-status

Apache Server Status for www1.magedu.com (via 172.16.250.60)

Server Version: Apache/2.4.6 (CentOS)
Server MPM: prefork
Server Built: Nov 19 2015 21:43:13
Current Time: Thursday, 14-Jul-2016 20:10:17 CST
Restart Time: Thursday, 14-Jul-2016 18:59:52 CST
Parent Server Config. Generation: 5
Parent Server MPM Generation: 4
Server uptime: 1 hour 10 minutes 24 seconds
Server load: 0.01 0.02 0.05
Total accesses: 60 - Total Traffic: 112 kB
CPU Usage: u0 s0 cu0 cs0
.0142 requests/sec - 27 B/second - 1911 B/request
1 requests currently being processed, 4 idle workers

W____...........................................................................................................................................................................................................................................................

Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process

Srv PID  Acc    M CPU  SS  Req Conn Child Slot Client         VHost               Request
0-4 6133 0/0/14 W 0.00 0   0   0.0  0.00  0.02 172.16.250.149 www1.magedu.com:80  GET /server-status HTTP/1.1
1-4 6134 0/0/16 _ 0.00 145 0   0.0  0.00  0.06 ::1            www1.magedu.com:80  OPTIONS * HTTP/1.0
2-4 6135 0/0/6  _ 0.00 145 0   0.0  0.00  0.01 ::1            www1.magedu.com:80  OPTIONS * HTTP/1.0
3-4 6136 0/0/5  _ 0.00 145 0   0.0  0.00  0.00 ::1            www1.magedu.com:80  OPTIONS * HTTP/1.0
4-4 6137 0/0/5  _ 0.00 145 0   0.0  0.00  0.00 ::1            www1.magedu.com:80  OPTIONS * HTTP/1.0
5-3 -    0/0/7  . 0.00 145 0   0.0  0.00  0.01 ::1            www1.magedu.com:80  OPTIONS * HTTP/1.0
6-1 -    0/0/2  . 0.00 862 8   0.0  0.00  0.00 ::1            www.magedu.com:80   OPTIONS * HTTP/1.0
7-1 -    0/0/5  . 0.00 862 0   0.0  0.00  0.01 ::1            www.magedu.com:80   OPTIONS * HTTP/1.0

Srv   Child Server number - generation
PID   OS process ID
Acc   Number of accesses this connection / this child / this slot
M     Mode of operation
CPU   CPU usage, number of seconds
SS    Seconds since beginning of most recent request
Req   Milliseconds required to process most recent request
Conn  Kilobytes transferred this connection
Child Megabytes transferred this child
Slot  Total megabytes transferred this slot

The "OPTIONS * HTTP/1.0" rows from ::1 are not client traffic: they are the dummy loopback connections httpd's parent sends to its own children on each reload, which is also why the generation number rises after every systemctl reload. Only the first row is the real request, from the PC.

3. Provide HTTPS service for the second virtual host above
Working directory: /etc/pki/CA/
一、Set up a private CA
1) Generate the CA private key
CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
2) Generate the self-signed CA certificate
CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:liyang
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.magedu.com
Email Address []:magedu.com@com
Two caveats here. Without -days, openssl req -x509 issues a CA certificate valid for only 30 days, after which every certificate it signed fails chain validation; pass something like -days 3650. And the CA's Common Name should name the CA, not the server: as entered, the only field distinguishing the CA's DN from the server certificate's DN below is the email address.
3) Provide the supporting files
CA]# touch index.txt
CA]# echo 01 > serial    (serial number)
CA]# tree .
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

二、The node requests a certificate
1) Generate the private key
~]# mkdir -pv /etc/httpd/ssl
ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
(1024-bit RSA is below the minimum current browsers and OpenSSL's default security level accept; use 2048 as for the CA key.)
2) Generate the certificate signing request
ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:liyang
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.magedu.com
Email Address []:admin@magedu.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3) Send the request to the CA
ssl]# cp httpd.csr /tmp/

三、The CA signs the certificate
1) Sign the request
~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 1 (0x1)
    Validity
        Not Before: Jul 14 13:24:47 2016 GMT
        Not After : Jul 14 13:24:47 2017 GMT
    Subject:
        countryName            = CN
        stateOrProvinceName    = Beijing
        organizationName       = liyang
        organizationalUnitName = Ops
        commonName             = www2.magedu.com
        emailAddress           = admin@magedu.com
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            88:92:7A:EE:97:0B:51:8C:68:56:4D:E0:51:8E:79:CD:56:D5:DF:05
        X509v3 Authority Key Identifier:
            keyid:0B:2F:43:5B:2D:B7:5D:F5:11:16:C2:78:0D:15:60:8F:39:9E:CA:70
Certificate is to be certified until Jul 14 13:24:47 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
The Locality entered in the CSR is missing from the issued Subject because the default policy_match section of openssl.cnf does not list localityName, so openssl ca drops it. More importantly, the certificate carries no subjectAltName: browsers since 2017 ignore the Common Name and match the hostname only against SAN, so a certificate issued this way now produces a name-mismatch error. Add an extension section with subjectAltName = DNS:www2.magedu.com when signing.
2) Return the signed certificate to the requester
~]# cp /etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/
Note: in this lab the private CA and the requesting node are the same machine.

四、Configure httpd to use SSL and the certificate
1) Install the mod_ssl module
~]# httpd -M | grep ssl
~]# yum install mod_ssl -y
~]# rpm -ql mod_ssl
2) Edit the configuration file. The original listing showed a bare <VirtualHost> line, which httpd -t rejects (the directive takes an address argument), and omitted SSLEngine on; both are restored below from the stock ssl.conf. Only the changed directives are shown; the rest of the stock file, including Listen 443 https and the protocol and cipher settings, stays in place.
~]# cat /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
    DocumentRoot "/data/vhosts/www2"
    ServerName www2.magedu.com:443
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
    <Directory "/data/vhosts/www2">
        SSLOptions +StdEnvVars
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
Requirement (3) applies to this vhost as well: the same <RequireAll> with Require not ip 192.168.0.0/24 belongs in this <Directory> block, otherwise the 192.168.0.0/24 network is denied on port 80 but admitted on port 443.

五、Test results
1) From the PC's browser, https://www2.magedu.com is served over port 443. The browser warns about the certificate unless cacert.pem has been imported into its trusted root store, because the CA is private.
2) From the PC's browser, http://www2.magedu.com is still served over port 80.
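The walkthrough never applies requirement (3) and its listings carry the typos noted above, so the following script is added here as a worked example; it is not part of the original post. It writes www1.conf and www2.conf the way the three requirements ask: separate logs, /server-status confined to www1 and to tom, and www2 denying 192.168.0.0/24 through a <RequireAll> container. ADDR and the deny network are taken from the page; CONFDIR, FORCE and the script name are assumptions. Point CONFDIR at a scratch directory to try it without root; on the server run it as root with CONFDIR=/etc/httpd/conf.d and then reload httpd.

```shell
#!/bin/sh
# Added example (not from the original post): generate www1.conf and
# www2.conf for the lab's three requirements. Nothing is written unless
# CONFDIR is set, so sourcing the file only defines the functions.
set -eu

ADDR="172.16.250.60"            # from the page
DENY_NET="192.168.0.0/24"       # requirement (3)
CONFDIR="${CONFDIR:-}"          # assumption: target directory, e.g. /etc/httpd/conf.d

# www1: own logs plus /server-status restricted to tom. The <Location>
# sits inside this <VirtualHost>, so it is reachable only through www1.
www1_conf() {
    cat <<EOF
<VirtualHost ${ADDR}:80>
    ServerName www1.magedu.com
    DocumentRoot /data/vhosts/www1
    ErrorLog logs/www1-error_log
    CustomLog logs/www1-access_log combined
    <Directory "/data/vhosts/www1">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    <Location /server-status>
        SetHandler server-status
        AuthType Basic
        AuthName "For tom"
        AuthUserFile "/etc/httpd/conf/.htpasswd"
        Require user tom
    </Location>
</VirtualHost>
EOF
}

# www2: "Require not ip" never grants on its own, so it is paired with a
# granting Require inside <RequireAll>: a request passes only if every
# clause passes and no negated clause matches.
www2_conf() {
    cat <<EOF
<VirtualHost ${ADDR}:80>
    ServerName www2.magedu.com
    DocumentRoot /data/vhosts/www2
    ErrorLog logs/www2-error_log
    CustomLog logs/www2-access_log combined
    <Directory "/data/vhosts/www2">
        Options None
        AllowOverride None
        <RequireAll>
            Require all granted
            Require not ip ${DENY_NET}
        </RequireAll>
    </Directory>
</VirtualHost>
EOF
}

# Write both files into $CONFDIR; refuse to clobber existing ones unless FORCE=1.
write_vhosts() {
    for name in www1 www2; do
        f="$CONFDIR/$name.conf"
        if [ -e "$f" ] && [ "${FORCE:-0}" != "1" ]; then
            echo "refusing to overwrite $f (set FORCE=1)" >&2
            return 1
        fi
        "${name}_conf" > "$f"
    done
}

# Syntax check when httpd is installed; the config is only live after a reload.
syntax_check() {
    if command -v httpd >/dev/null 2>&1; then
        httpd -t && echo "ok"
    else
        echo "skipped: httpd not installed"
    fi
}

if [ -n "$CONFDIR" ]; then
    mkdir -p "$CONFDIR"
    write_vhosts && syntax_check
fi
```

After writing the files on the server, keep the usual sequence: httpd -t, then systemctl reload httpd.service. The deny test itself needs a client inside 192.168.0.0/24 (or a second address on the test PC): it should receive 403 from www2 and 200 from www1.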
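The CA section above leaves several checks to the reader: whether httpd.crt really chains to cacert.pem, whether httpd.key is the key the certificate was issued for (a mismatch stops httpd from starting), the key size, and whether the name a browser will look for is in the certificate. The script below is an added example, not from the original post. It rebuilds the lab's CA and www2 certificate in a scratch directory with the fixes discussed (2048-bit keys, a CA CN that names the CA, an explicit CA lifetime, a subjectAltName) and runs those checks with the openssl command-line tool. It signs with openssl x509 -req rather than openssl ca so that no /etc/pki/CA state is needed; WORK, the CA's CN and the extension values are assumptions, the DN fields and hostname are the page's.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the lab's private CA
# and www2 server certificate in a scratch directory, then run the checks
# worth doing before copying the files to /etc/httpd/ssl.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"                 # assumption: scratch directory
HOST="www2.magedu.com"                        # from the page
DN="/C=CN/ST=Beijing/L=Beijing/O=liyang/OU=Ops"   # DN fields from the page

build_pki() {
    # CA: 2048-bit key, a CN naming the CA (assumed name), and an explicit
    # lifetime; "req -x509" would otherwise issue it for only 30 days.
    ( umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null )
    openssl req -new -x509 -days 3650 -key "$WORK/cakey.pem" \
        -subj "$DN/CN=magedu lab CA" -out "$WORK/cacert.pem"

    # Server key and CSR: 2048 bits where the page used 1024.
    ( umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null )
    openssl req -new -key "$WORK/httpd.key" -subj "$DN/CN=$HOST" \
        -out "$WORK/httpd.csr"

    # Extensions the page's "openssl ca" run did not add. The SAN is what
    # browsers match the hostname against; the CN alone is ignored now.
    cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
    openssl x509 -req -days 365 -in "$WORK/httpd.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/httpd.crt" 2>/dev/null
}

# Does the certificate chain to our CA and is it valid for the given name?
# Output is grepped rather than relying on the exit code, which older
# OpenSSL releases did not set on verification failure.
cert_valid_for() {
    openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
        "$WORK/httpd.crt" 2>/dev/null | grep -q ': OK$'
}

# SSLCertificateFile and SSLCertificateKeyFile must be one key pair:
# the RSA modulus in both files has to be identical.
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in "$WORK/httpd.crt")" = \
      "$(openssl rsa -noout -modulus -in "$WORK/httpd.key" 2>/dev/null)" ]
}

# RSA key size in bits, read from the private key.
key_bits() {
    openssl rsa -noout -text -in "$WORK/httpd.key" 2>/dev/null |
        sed -n 's/.*Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Build and report, the way one would before handing the files to mod_ssl.
build_pki
printf 'chain and hostname %s: %s\n' "$HOST" "$(cert_valid_for "$HOST" && echo ok || echo FAIL)"
printf 'hostname www1.magedu.com:   %s (expected)\n' "$(cert_valid_for www1.magedu.com && echo ok || echo FAIL)"
printf 'key matches certificate:    %s\n' "$(key_matches_cert && echo ok || echo FAIL)"
printf 'key size:                   %s bits\n' "$(key_bits)"
```

The second line of the report is deliberately a failure: the certificate is bound to www2.magedu.com only, so serving it from the www1 vhost would produce exactly the name-mismatch warning a browser shows for the page's SAN-less certificate on any name. The same cert_valid_for and key_matches_cert checks can be run against the real /etc/httpd/ssl files by setting WORK to a directory that holds them.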