Building httpd-2.4 on CentOS 7.2

1. Lab requirements:
1) Set up an httpd service that:
    (1) provides two name-based virtual hosts, www1 and www2, each with its own error log and access log;
    (2) exposes status information at /server-status on www1, accessible only to the user tom;
    (3) refuses access to www2 from any host in the 192.168.0.0/24 network;
2) Provide an https service for the second virtual host above.
2. Lab environment:
Linux server OS version: CentOS release 7.2 (Final), IP: 172.16.250.60
Windows 7 client: IP: 172.16.250.100
3. Prerequisites:
    1) Turn off the firewall and SELinux
~]# systemctl stop iptables
~]# setenforce 0
Note: CentOS 7 ships firewalld rather than the iptables service by default, so if the iptables unit does not exist use systemctl stop firewalld instead; setenforce 0 only switches SELinux to permissive mode until the next reboot.
4. Lab procedure:
1. Provide two name-based virtual hosts, www1 and www2, each with its own error log and access log
I. Install the service
    1) Install httpd-2.4 with yum
~]# yum install httpd -y

~]# rpm -qa httpd

~]# rpm -ql httpd

/etc/httpd
/var/log/httpd
/var/www/html

~]# rpm -qc httpd

/etc/httpd/conf/httpd.conf
/etc/sysconfig/httpd
/etc/httpd/conf.d/welcome.conf

~]# systemctl restart httpd.service

~]# ss -lnt
LISTEN      0      128       :::80      :::*
II. Create the virtual hosts

~]# cat /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.250.60:80>
        ServerName www1.magedu.com
        DocumentRoot /data/vhosts/www1
        ErrorLog logs/www1-error_log
        CustomLog logs/www1-access_log combined
    <Directory "/data/vhosts/www1">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

</VirtualHost>

~]# cat /etc/httpd/conf.d/www2.conf
<VirtualHost 172.16.250.60:80>
        ServerName www2.magedu.com
        DocumentRoot /data/vhosts/www2
        ErrorLog logs/www2-error_log
        CustomLog logs/www2-access_log combined
    <Directory "/data/vhosts/www2">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
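Requirement (3) of the brief, that www2 refuse every host in 192.168.0.0/24, is not carried out in the steps that follow; this added fragment (not part of the original lab) shows how the www2 <Directory> block would express it with the httpd 2.4 authorization directives:

```apache
# www2.conf, <Directory> block with the network restriction from requirement (3)
<Directory "/data/vhosts/www2">
    Options None
    AllowOverride None
    # Require not ip is only valid inside a <RequireAll> that also contains
    # a positive rule; every client is allowed except the listed network.
    <RequireAll>
        Require all granted
        Require not ip 192.168.0.0/24
    </RequireAll>
</Directory>
```

Require ip matches the TCP peer address, so behind a reverse proxy or load balancer it would see the proxy's address rather than the client's.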
III. Adjust the configuration:
Note: name-based (FQDN) virtual hosts no longer need the NameVirtualHost directive in httpd 2.4.

    1) Back up the original configuration file
~]# cp -p /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak

    2) Create the site directories:
~]# mkdir -pv /data/vhosts/www{1,2}
    3) Create the home pages
~]# echo "<h1> www1.magedu.com </h1>" > /data/vhosts/www1/index.html
~]# echo "<h1> www2.magedu.com </h1>" > /data/vhosts/www2/index.html
    4) Add hosts entries for name resolution
~]# echo "172.16.250.60 www1.magedu.com www2.magedu.com" >> /etc/hosts
    5) After changing the configuration, check the syntax and reload
~]# httpd -t
~]# systemctl reload httpd.service
IV. Test from the PC
    1) Add name resolution on Windows 7; the file is C:\Windows\System32\drivers\etc\hosts
    2) Open hosts in Notepad, add the following line and save: 172.16.250.60 www1.magedu.com www2.magedu.com
    3) Both sites are reachable normally
2. Expose status information at /server-status on www1, accessible only to the user tom
I. Modify the configuration file:

    1) Allow only the user tom to access /server-status (the Location block belongs inside the www1 virtual host in /etc/httpd/conf.d/www1.conf; the handler is provided by mod_status, which CentOS loads by default):
<Location /server-status>
    SetHandler server-status
    AuthType Basic
    AuthName "For tom"
    AuthUserFile "/etc/httpd/conf/.htpasswd"
    Require user tom
</Location>
Note: Basic authentication over plain http sends the password base64-encoded rather than encrypted, and the status page lists client addresses and request lines, so outside the lab also restrict the location by source address or serve it only over https.
    2) Create the password file with the virtual user tom (-c creates the file and overwrites an existing one; omit it when adding further users)
~]# htpasswd -c -m /etc/httpd/conf/.htpasswd tom
    3) Check the syntax and reload the configuration
~]# httpd -t
~]# systemctl reload httpd.service
II. Test in the PC's browser:
    1) Open http://172.16.250.60/server-status; the page is shown only after authenticating as tom
Test:
http://www1.magedu.com/server-status
Apache Server Status for www1.magedu.com (via 172.16.250.60)
Server Version: Apache/2.4.6 (CentOS)
Server MPM: prefork
Server Built: Nov 19 2015 21:43:13
Current Time: Thursday, 14-Jul-2016 20:10:17 CST
Restart Time: Thursday, 14-Jul-2016 18:59:52 CST
Parent Server Config. Generation: 5
Parent Server MPM Generation: 4
Server uptime: 1 hour 10 minutes 24 seconds
Server load: 0.01 0.02 0.05
Total accesses: 60 - Total Traffic: 112 kB
CPU Usage: u0 s0 cu0 cs0
.0142 requests/sec - 27 B/second - 1911 B/request
1 requests currently being processed, 4 idle workers
W____...........................................................
................................................................
................................................................
................................................................
Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process
Srv    PID    Acc    M    CPU     SS    Req    Conn    Child    Slot    Client    VHost    Request
0-4    6133    0/0/14    W     0.00    0    0    0.0    0.00    0.02     172.16.250.149    www1.magedu.com:80    GET /server-status HTTP/1.1
1-4    6134    0/0/16    _     0.00    145    0    0.0    0.00    0.06     ::1    www1.magedu.com:80    OPTIONS * HTTP/1.0
2-4    6135    0/0/6    _     0.00    145    0    0.0    0.00    0.01     ::1    www1.magedu.com:80    OPTIONS * HTTP/1.0
3-4    6136    0/0/5    _     0.00    145    0    0.0    0.00    0.00     ::1    www1.magedu.com:80    OPTIONS * HTTP/1.0
4-4    6137    0/0/5    _     0.00    145    0    0.0    0.00    0.00     ::1    www1.magedu.com:80    OPTIONS * HTTP/1.0
5-3    -    0/0/7    .     0.00    145    0    0.0    0.00    0.01     ::1    www1.magedu.com:80    OPTIONS * HTTP/1.0
6-1    -    0/0/2    .     0.00    862    8    0.0    0.00    0.00     ::1    www.magedu.com:80    OPTIONS * HTTP/1.0
7-1    -    0/0/5    .     0.00    862    0    0.0    0.00    0.01     ::1    www.magedu.com:80    OPTIONS * HTTP/1.0
Srv    Child Server number - generation
PID    OS process ID
Acc    Number of accesses this connection / this child / this slot
M    Mode of operation
CPU    CPU usage, number of seconds
SS    Seconds since beginning of most recent request
Req    Milliseconds required to process most recent request
Conn    Kilobytes transferred this connection
Child    Megabytes transferred this child
Slot    Total megabytes transferred this slot
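The status page above is also what a monitoring or detection job would scrape. As an added example (not code from the original lab), the following Python parses the headline counts, the scoreboard and the worker table, cross-checks them, and lists which non-loopback clients are reading /server-status; the sample text is constructed from the output shown above, abbreviated to two scoreboard rows and two workers.

```python
import re
from collections import Counter

# Constructed sample, abbreviated from the mod_status page above: 64-slot
# scoreboard rows and a tab-separated worker table as a browser pastes it.
SAMPLE = "\n".join([
    "1 requests currently being processed, 4 idle workers",
    "W____" + "." * 59,
    "." * 64,
    "Srv\tPID\tAcc\tM\tCPU\tSS\tReq\tConn\tChild\tSlot\tClient\tVHost\tRequest",
    "0-4\t6133\t0/0/14\tW\t0.00\t0\t0\t0.0\t0.00\t0.02\t172.16.250.149"
    "\twww1.magedu.com:80\tGET /server-status HTTP/1.1",
    "1-4\t6134\t0/0/16\t_\t0.00\t145\t0\t0.0\t0.00\t0.06\t::1"
    "\twww1.magedu.com:80\tOPTIONS * HTTP/1.0",
])

BUSY_RE = re.compile(r"(\d+) requests? currently being processed, (\d+) idle workers")
SCOREBOARD_RE = re.compile(r"^[_SRWKDCLGI.]+$")  # states listed in the key
ACTIVE_STATES = "SRWKDCLG"                        # everything but idle/open

def parse_status(text):
    """Return busy/idle counts, per-state slot counts and the worker rows."""
    busy, idle, rows, workers, in_table = None, None, [], [], False
    for line in text.splitlines():
        m = BUSY_RE.search(line)
        if m:
            busy, idle = int(m.group(1)), int(m.group(2))
        elif SCOREBOARD_RE.match(line):
            rows.append(line)
        elif line.startswith("Srv\t"):
            in_table = True
        elif in_table and line.count("\t") >= 12:   # skips legend/blank lines
            f = line.split("\t")
            workers.append({"pid": f[1], "mode": f[3], "client": f[10],
                            "vhost": f[11], "request": f[12]})
    return {"busy": busy, "idle": idle,
            "slots": Counter("".join(rows)), "workers": workers}

def status_consistent(status):
    """Headline counts must agree with the scoreboard characters."""
    slots = status["slots"]
    return (sum(slots[c] for c in ACTIVE_STATES) == status["busy"]
            and slots["_"] == status["idle"])

def external_status_readers(status):
    """Non-loopback clients fetching /server-status (it lists client IPs and requests)."""
    hits = {w["client"] for w in status["workers"]
            if w["request"].split()[1:2] == ["/server-status"]
            and w["client"] not in ("::1", "127.0.0.1")}
    return sorted(hits)
```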
3. Provide an https service for the second virtual host above
Working directory: /etc/pki/CA/
I. Build a private CA
    1) Generate the private key
CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
    2) Generate the self-signed certificate (without -days the CA certificate would be valid for only 30 days, shorter than the 365-day server certificate it is about to sign)
CA]# openssl req -new -x509 -days 3650 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:liyang
Organizational Unit Name (eg, section) []:Ops      
Common Name (eg, your name or your server's hostname) []:www2.magedu.com
Email Address []:magedu.com@com
    3) Provide the supporting files
CA]# touch index.txt
CA]# echo 01 > serial    # serial number for the next certificate to be issued
CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial
II. The node requests a certificate

    1) Generate the private key
~]# mkdir -pv /etc/httpd/ssl
ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
Note: 1024-bit RSA is no longer considered adequate; for anything beyond a lab use 2048 bits, as for the CA key.
    2) Generate the certificate signing request:
ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:liyang
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.magedu.com
Email Address []:admin@magedu.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
    3) Send the request to the CA
ssl]# cp httpd.csr /tmp/
III. The CA issues the certificate
    1) Sign the certificate
~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 14 13:24:47 2016 GMT
            Not After : Jul 14 13:24:47 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = liyang
            organizationalUnitName    = Ops
            commonName                = www2.magedu.com
            emailAddress              = admin@magedu.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                88:92:7A:EE:97:0B:51:8C:68:56:4D:E0:51:8E:79:CD:56:D5:DF:05
            X509v3 Authority Key Identifier:
                keyid:0B:2F:43:5B:2D:B7:5D:F5:11:16:C2:78:0D:15:60:8F:39:9E:CA:70
Certificate is to be certified until Jul 14 13:24:47 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
    2) Return the signed certificate to the requester.
~]# cp /etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/
Note: in this lab the private CA and the node requesting the certificate are the same machine, hence the plain cp. Before wiring the certificate into httpd it is worth confirming that it chains to the CA: running openssl verify with -CAfile /etc/pki/CA/cacert.pem against /etc/httpd/ssl/httpd.crt must report OK.
IV. Configure httpd to use ssl and the certificate
    1) Install the mod_ssl module with yum
~]# httpd -M | grep ssl
~]# yum install mod_ssl -y
~]# rpm -ql mod_ssl
    2) Edit the configuration file (only the directives changed in the stock /etc/httpd/conf.d/ssl.conf are shown; the file also carries Listen 443 https and the protocol and cipher settings)
~]# cat /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
    DocumentRoot "/data/vhosts/www2"
    ServerName www2.magedu.com:443
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
    <Directory "/data/vhosts/www2">
        SSLOptions +StdEnvVars
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
Then check the syntax with httpd -t and restart httpd.service so that it starts listening on port 443.
V. Test results:
    1) In the PC's browser, https://www2.magedu.com is served over port 443 (the browser warns that the certificate is untrusted until cacert.pem is imported into the client's trusted root certificate store)
    2) In the PC's browser, http://www2.magedu.com is served over port 80