Test target:
Three virtual hosts, as required
Vhost1: phpMyAdmin, also served over HTTPS;
Vhost2: WordPress
Configuration process:
First, configure Vhost1
1. Build a private CA
Build the private CA on 172.16.20.242:

(1) Create the private key (the public key does not need to be generated separately)

    # cd /etc/pki/CA/
    # (umask 077; openssl genrsa -out private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    .....+++
    .......+++
    e is 65537 (0x10001)

(2) Generate the self-signed certificate and fill in the certificate information

    # openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Hubei
    Locality Name (eg, city) [Default City]:Hubei
    Organization Name (eg, company) [Default Company Ltd]:Gump Ltd
    Organizational Unit Name (eg, section) []:Ops
    Common Name (eg, your name or your server's hostname) []:ca.gump.com
    Email Address []:[email protected]

Note: the certificate must be created in PEM format.

(3) Prepare the files the CA needs in order to sign certificates

    # touch /etc/pki/CA/index.txt
    # touch /etc/pki/CA/serial
    # echo 01 > /etc/pki/CA/serial
2. Generate a certificate request on the web host and send it to the CA host
Generate the certificate request on 172.16.20.244:

(1) Generate the key and save it in the configuration directory of the service that will use the certificate

    # mkdir /etc/httpd/ssl
    # cd /etc/httpd/ssl
    # (umask 077; openssl genrsa -out httpd.key 2048)
    Generating RSA private key, 2048 bit long modulus
    ..........+++
    ....................................................................+++
    e is 65537 (0x10001)
    # ls
    httpd.key

(2) Generate the certificate signing request. When filling in the information, note that everything except the host name and the e-mail address must be consistent with what was entered for the CA.

    # openssl req -new -key httpd.key -out httpd.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Hubei
    Locality Name (eg, city) [Default City]:Hubei
    Organization Name (eg, company) [Default Company Ltd]:Gump Ltd
    Organizational Unit Name (eg, section) []:Ops
    Common Name (eg, your name or your server's hostname) []:web.gump.com
    Email Address []:[email protected]

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    # ls
    httpd.csr  httpd.key
    # scp httpd.csr [email protected]:/tmp/
    [email protected]'s password:
    httpd.csr                                  100% 1050     1.0KB/s   00:00
3. Sign the certificate request on the CA host and send the signed certificate back to the web host
(1) Sign the certificate request

    # openssl ca -in /tmp/httpd.csr -out /tmp/web.gump.com.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Aug 23 10:55:56 2017 GMT
                Not After : Aug 23 10:55:56 2018 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = Hubei
                organizationName          = Gump Ltd
                organizationalUnitName    = Ops
                commonName                = web.gump.com
                emailAddress              = [email protected]
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    7A:D2:B5:60:3D:13:27:33:C4:F5:02:DC:AC:44:BB:0F:F9:32:00:71
                X509v3 Authority Key Identifier:
                    keyid:5A:9A:54:2F:9C:91:3E:D6:BE:CC:22:68:50:C6:83:EB:23:AD:AC:AF

    Certificate is to be certified until Aug 23 10:55:56 2018 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

(2) Pass the certificate back to the requester

    # scp /tmp/web.gump.com.crt [email protected]:/etc/httpd/ssl
    The authenticity of host '172.16.20.244 (172.16.20.244)' can't be established.
    RSA key fingerprint is 5a:10:33:a2:bf:5b:06:82:25:01:fb:c2:74:93:34:95.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '172.16.20.244' (RSA) to the list of known hosts.
    [email protected]'s password:
    web.gump.com.crt                           100% 4595     4.5KB/s   00:00
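
Before httpd is pointed at the new files, it is worth confirming that the signed certificate chains to the private CA, belongs to httpd.key and is not about to expire. The script below is an added example, not part of the original post: it builds a throwaway CA and server certificate in a temporary directory (using `openssl x509 -req` in place of `openssl ca`, so no /etc/pki/CA database is needed) and defines three checks whose function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). All keys and certificates are
# throwaway data generated in a temp directory; file names mirror the tutorial.

# make_demo_pki DIR: private CA, web server key, CSR and signed certificate.
# Assumption: `openssl x509 -req` stands in for `openssl ca`, so the CA
# database files (index.txt, serial) are not required here.
make_demo_pki() {
    d=$1
    ( umask 077
      openssl genrsa -out "$d/cakey.pem" 2048
      openssl genrsa -out "$d/httpd.key" 2048
      openssl genrsa -out "$d/other.key" 2048 ) 2>/dev/null
    openssl req -new -x509 -key "$d/cakey.pem" -out "$d/cacert.pem" -days 30 \
        -subj "/C=CN/ST=Hubei/O=Gump Ltd/OU=Ops/CN=ca.gump.com"
    openssl req -new -key "$d/httpd.key" -out "$d/httpd.csr" \
        -subj "/C=CN/ST=Hubei/O=Gump Ltd/OU=Ops/CN=web.gump.com"
    openssl x509 -req -in "$d/httpd.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial \
        -out "$d/web.gump.com.crt" -days 30 2>/dev/null
}

# cert_chains_to CAFILE CERT: succeeds only if CERT verifies against CAFILE.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# cert_matches_key CERT KEY: succeeds only if both hold the same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for CERT SECONDS: succeeds if CERT is still valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_pki "$demo"
cert_chains_to "$demo/cacert.pem" "$demo/web.gump.com.crt" && echo "chain: OK"
cert_matches_key "$demo/web.gump.com.crt" "$demo/httpd.key" && echo "key: matches"
cert_matches_key "$demo/web.gump.com.crt" "$demo/other.key" || echo "other.key: mismatch detected"
cert_valid_for "$demo/web.gump.com.crt" 86400 && echo "expiry: more than a day left"
```

To check the real deployment, call the three functions on the web host with a copy of the CA's cacert.pem, /etc/httpd/ssl/web.gump.com.crt and /etc/httpd/ssl/httpd.key.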
4. Configure httpd to use SSL
(1) Check whether the mod_ssl module is installed on the web host; if it is not, install mod_ssl first.

(2) Edit the SSL configuration file

    # vim /etc/httpd/conf.d/ssl.conf

Modify the following options:

    # SSL sessions are bound to an IP address: if the host has several
    # addresses, specify the one to use; with a single address there is
    # no need to change this, keep "*".
    <VirtualHost 172.16.20.244:443>
    # Central directory of virtual host vhost1, i.e. where the web page
    # files are stored
    DocumentRoot "/www/htdocs"
    # Current host name
    ServerName web.gump.com:443
    # Error log location
    ErrorLog logs/pma_error_log
    # Access log location
    TransferLog logs/pma_access_log
    # Server certificate location
    SSLCertificateFile /etc/httpd/ssl/web.gump.com.crt
    # Certificate private key location
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

(3) Set up the phpMyAdmin web files

    # mkdir -pv /www/htdocs/vhosts{1,2,3}
    # unzip phpMyAdmin-4.0.10.20-all-languages.zip
    # cp -r phpMyAdmin-4.0.10.20-all-languages /www/htdocs/vhosts1/
    # cd /www/htdocs/vhosts1
    # ln -sv phpMyAdmin-4.0.10.20-all-languages pma

(4) Configure httpd.conf

    # vim /etc/httpd/conf/httpd.conf

    ServerName localhost:80
    DocumentRoot "/www/htdocs"
    # The directory given in <Directory> must be consistent with DocumentRoot
    <Directory "/www/htdocs">

(5) Configure the virtual host configuration file

    # vim /etc/httpd/conf.d/httpd-vhost1.conf

    <VirtualHost 172.16.20.244:80>
        ServerAdmin web.gump.com
        DocumentRoot "/www/htdocs"
        <Directory "/www/htdocs/vhosts1/pma">
            Options None
            AllowOverride None
            Require all granted
        </Directory>
    </VirtualHost>

    # systemctl reload httpd.service
View Configuration Effects
Second, configure the virtual host 2
1. Create the configuration file for virtual host 2

    # vim /etc/httpd/conf.d/httpd-vhost2.conf

    <VirtualHost 172.16.20.245:80>
        ServerAdmin web2.gump.com
        DocumentRoot "/www/htdocs"
        <Directory "/www/htdocs/vhosts2">
            Options None
            AllowOverride None
            Require all granted
        </Directory>
    </VirtualHost>

2. Configure an IP address for virtual host 2

Because this is a virtual machine without multiple network cards, the address is added with the ip command to get the effect of multiple IPs.

    # ip addr add 172.16.20.245/24 dev ens33
    # ip addr show dev ens33
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:0c:29:44:e2:e3 brd ff:ff:ff:ff:ff:ff
        inet 172.16.20.244/24 brd 172.16.20.255 scope global ens33
           valid_lft forever preferred_lft forever
        inet 172.16.20.245/24 scope global secondary ens33
           valid_lft forever preferred_lft forever
        inet6 fe80::d846:2237:6188:97fe/64 scope link tentative dadfailed
           valid_lft forever preferred_lft forever
        inet6 fe80::a0de:8503:69c8:5595/64 scope link tentative dadfailed
           valid_lft forever preferred_lft forever
        inet6 fe80::9a1a:88f0:c9cf:41bd/64 scope link tentative dadfailed
           valid_lft forever preferred_lft forever

3. Set up the web files for virtual host 2

    # unzip wordpress-4.7.4-zh_ch.zip
    # cp -r wordpress /www/htdocs/vhosts2/

4. Configure the WordPress configuration file for virtual host 2

WordPress must be configured with a valid database, user name and password to connect, so the database has to be created beforehand.

    # mysql
    MariaDB [(none)]> create database mydb1;
    MariaDB [(none)]> exit

    # cd /www/htdocs/vhosts2/wordpress
    # cp wp-config-sample.php wp-config.php
    # vim wp-config.php

    define('DB_NAME', 'mydb1');   // the pre-created database mydb1
    define('DB_USER', 'root');    // user name root
    define('DB_PASSWORD', '');    // the root password is empty by default
5. View Configuration Effects
This was written rather hastily; if there are omissions, errors or points of disagreement, criticism and discussion are welcome. Thank you.
httpd.2.4 Virtual Host Configuration test