Configure host name-based virtual host and httpd encrypted SSL configuration and HTTPS forced jump

Configuring host-name-based virtual hosts

1. Configure DNS First

DNS Installation

Yum Install bind*-y

Open firewall

Iptables-a input-p TCP--dport 53-j ACCEPT

Iptables-a input-p UDP--dport 53-j ACCEPT

Iptables-a input-p TCP--sport 53-j ACCEPT

Iptables-a input-p UDP--sport 53-j ACCEPT

Service Iptables Save

Service Iptables Restart

Copy configuration file

Cp-a/etc/named*/var/named/chroot/etc/

Cp-a/var/named/d*/var/named/named.*/var/named/slaves//var/named/chroot/var/named/

cd/var/named/chroot/etc/

Vim named.conf

Options {

Listen-on Port 53 {127.0.0.1;}; #127.0.0.1 change to any

Listen-on-v6 Port 53 {:: 1;};

Directory "/var/named";

Dump-file "/var/named/data/cache_dump.db";

Statistics-file "/var/named/data/named_stats.txt";

Memstatistics-file "/var/named/data/named_mem_stats.txt";

allow-query {localhost;}; # localhost; change to any

recursion Yes;

Dnssec-enable Yes;

Dnssec-validation Yes;

/* Path to ISC DLV key */

Bindkeys-file "/etc/named.iscdlv.key";

Managed-keys-directory "/var/named/dynamic";

};

Logging {

Channel Default_debug {

File "Data/named.run";

Severity dynamic;

};

};

Zone "." in {

Type hint;

File "named.ca";

};

#创建三个站点hhj. CC, baidu.com, google.com

Zone "hhj.cc" {

Type master;

File "Aa.zone";

};

Zone "Baidu.com" {

Type master;

File "Bb.zone";

};

Zone "google.com" {

Type master;

File "Cc.zone";

};

Include "/etc/named.rfc1912.zones";

Include "/etc/named.root.key";

Cd/var/named/chroot/var/named

Cp-a Named.localhost Aa.zone

Vim Aa.zone

$TTL 1D

@ in SOA node1.hhj.cc. Root (

11; Serial

1D; Refresh

1H; Retry

1W; Expire

3H); Minimum

NS node1.hhj.cc.

Node1 A 192.168.1.104

www A 192.168.1.104

Cp-a Named.localhost Bb.zone

Vim Aa.zone

$TTL 1D

@ in SOA node1.baidu.com. Root (

11; Serial

1D; Refresh

1H; Retry

1W; Expire

3H); Minimum

NS node1.baidu.com.

Node1 A 192.168.1.104

www A 192.168.1.104

Cp-a Named.localhost Bb.zone

Vim Cc.zone

$TTL 1D

@ in SOA node1.goole.com. Root (

11; Serial

1D; Refresh

1H; Retry

1W; Expire

3H); Minimum

NS node1.google.com.

Node1 A 192.168.1.104

www A 192.168.1.104

Create a Rndc.key file

Rndc-confgen-r/dev/urandom-a

Restart Service

Service named restart

2. Configure the virtual host

Vim/etc/httpd/conf/httpd.conf

#NameVirtualHost *:80 before the comment is removed

<virtualhost *:81>

Documentroot/baidu

ServerName www.baidu.com

</VirtualHost>

<virtualhost *:81>

Documentroot/google

ServerName www.google.com

</VirtualHost>

Restart HTTPD Service

Service httpd Restart

Modify Context

chcon-r–reference=/var/www/html/baidu//google/

HTTPS Encryption Configuration

1. Installing the Mod_ssl module

Yum Install Mod_ssl-y

View/etc/httpd/conf.d/after installation

[[Email protected] ~] #ls/etc/httpd/conf.d/

Open configuration file

[Email protected] ~]# vim/etc/httpd/conf.d/ssl.conf

LoadModule ssl_module modules/mod_ssl.so #加载mod_ssl. So module

Listen 443 #监听端口默认443

Sslengine on #是开启SSL引擎

SSLCERTIFICATEFILE/ETC/PKI/TLS/CERTS/LOCALHOST.CRT #证书路径

Sslcertificatekeyfile/etc/pki/tls/private/localhost.key #私钥路径

Enter the/etc/pki/tls/certs/directory

[Email protected] ~]# cd/etc/pki/tls/certs/

[[email protected] certs]# ls

CA-BUNDLE.CRT ca-bundle.trust.crt localhost.crt Make-dummy-cert Makefile Renew-dummy-cert

Use OpenSSL command to make keys and certificate files :

Generate the Ca.key key:

# OpenSSL genrsa-des3-out Ca.key-rand rand.dat 1024

To create a CA.CRT certificate:

# OpenSSL req-new-x509-days 365-key ca.key-out ca.crt

[email protected] certs]# make AA.CRT #制作数据签名

Umask 77; \

/usr/bin/openssl genrsa-aes128 2048 > Aa.key

Generating RSA private key, 2048 bit long modulus

................................+++

...............................+++

E is 65537 (0x10001)

Enter Pass phrase: #输入密码

Verifying-enter Pass phrase: #输入密码

Umask 77; \

/usr/bin/openssl req-utf8-new-key aa.key-x509-days 365-out aa.crt-set_serial 0

Enter Pass phrase for Aa.key: #输入密码

You is about-to is asked to-enter information that'll be incorporated

into your certificate request.

What's about-to-enter is called a distinguished Name or a DN.

There is quite a few fields but can leave some blank

For some fields there would be a default value,

If you enter '. ', the field would be a left blank.

-----

Country Name (2 letter code) [XX]:CN

State or province name (full name) []:SC

Locality Name (eg, city) [Default CITY]:CD

Organization Name (eg, company) [Default company LTD]:HHJ

Organizational Unit Name (eg, section) []:hhj1984

Common name (eg, your name or your server ' s hostname) []:RHCC

Email Address []:

[[email protected] certs]# ls

AA.CRT aa.key ca-bundle.crt ca-bundle.trust.crt localhost.crt make-dummy-cert Makefile Renew-dummy-cert

AA.CRT to generate the certificate, Aa.key is the private key

Take a document to a designated place

[email protected] certs]# CP AA.CRT aa.key/etc/httpd/conf/

Configuring the/ETC/HTTPD/CONF.D/SSL.CONF certificate and private key path

Vim/etc/httpd/conf.d/ssl.conf

SSLCERTIFICATEFILE/ETC/HTTPD/CONF/AA.CRT #证书路径

Sslcertificatekeyfile/etc/httpd/conf/aa.key #私钥路径

[Email protected] certs]# service httpd restart #重启后就可以用HTTPS访问了

2. use a digital signature only for one site

[Email protected] ~]# vim/etc/httpd/conf.d/ssl.conf

Sslengine off #关闭SSL引擎

Put the configuration directly under the virtual host

<virtualhost *:443> #改为443

Documentroot/baidu

ServerName www.baidu.com

Sslengine on

SSLCERTIFICATEFILE/ETC/PKI/TLS/CERTS/LOCALHOST.CRT #证书路径

Sslcertificatekeyfile/etc/pki/tls/private/localhost.key #私钥路径

</VirtualHost>

and restart httpd.

forcing users to use HTTPS to access site methods

in the /httpd.conf Modify

Vim/etc/httpd/conf/httpd.conf

<virtualhost 192.168.1.104:443>

Documentroot/var/www/html

ServerName www.hhj1984.cc

Serveralias www.hhj1984.cc. *.hhj1984.cc

Sslengine on

Sslcertificatefile/etc/httpd/conf/ca.crt

Sslcertificatekeyfile/etc/httpd/conf/ca.key

</VirtualHost>

<directory "/var/www/html" > #站点所在目录

Options Indexes FollowSymLinks

AllowOverride all #要求找. htacess configuration file

Order Allow,deny

Allow from all

</Directory>

Modified under/var/www/html. Htacess is not created #站点所在目录

<ifmodule mod_rewrite.c>

Rewriteengine on

Rewritecond%{http_host} ^www.hhj1984.cc$ [NC]

Rewriterule ^ (. *)? $ https://www.hhj1984.cc/$1 [r=301,l]

Rewritecond%{server_port}!^443$

Rewriterule ^ (. *)? $ https://www.hhj1984.cc/$1 [r=301,l]

</IfModule>

~                                                                                                                                                                                                                                                       

~

Configure host name-based virtual host and httpd encrypted SSL configuration and HTTPS forced jump