Configure host-name-based virtual hosts, httpd SSL encryption, and forced HTTPS redirection

Source: Internet
Author: User
Tags openssl dnssec

Configuring host-name-based virtual hosts

1. Configure DNS first

DNS installation

yum install bind* -y

Open the firewall

iptables -A INPUT -p tcp --dport 53 -j ACCEPT

iptables -A INPUT -p udp --dport 53 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

service iptables save

service iptables restart

The original also accepted every inbound packet whose source port is 53 (--sport 53). A DNS server does not need that, and it lets any remote host walk past the filter simply by sending from port 53; the stateful rule above admits the replies to the server's own outbound queries instead.

Copy the configuration files into the chroot

cp -a /etc/named* /var/named/chroot/etc/

cp -a /var/named/d* /var/named/named.* /var/named/slaves/ /var/named/chroot/var/named/

cd /var/named/chroot/etc/

vim named.conf

options {
        listen-on port 53 { 127.0.0.1; };        # change 127.0.0.1 to any
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };          # change localhost to any
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

# create three zones: hhj.cc, baidu.com, google.com
zone "hhj.cc" {
        type master;
        file "aa.zone";
};

zone "baidu.com" {
        type master;
        file "bb.zone";
};

zone "google.com" {
        type master;
        file "cc.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Three points to keep in mind with this file. Once allow-query is any while recursion yes stays in place, the server answers recursive queries for anyone who can reach port 53; that is an open resolver, which is what DNS amplification attacks are built on. For a lab, add an ACL such as allow-recursion { localhost; 192.168.1.0/24; }; (or set recursion no; on a purely authoritative server) and keep port 53 reachable only from the lab network. Serving baidu.com and google.com as master zones deliberately hijacks those names for every client that uses this resolver, which is fine on an isolated lab network and nowhere else. The ISC DLV lookaside registry that named.iscdlv.key belongs to was shut down in 2017, so the bindkeys-file line is harmless here but no longer contributes anything to validation.

cd /var/named/chroot/var/named

cp -a named.localhost aa.zone

vim aa.zone

$TTL 1D
@       IN SOA  node1.hhj.cc. root.hhj.cc. (
                                        11      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      node1.hhj.cc.
node1   A       192.168.1.104
www     A       192.168.1.104

cp -a named.localhost bb.zone

vim bb.zone

$TTL 1D
@       IN SOA  node1.baidu.com. root.baidu.com. (
                                        11      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      node1.baidu.com.
node1   A       192.168.1.104
www     A       192.168.1.104

cp -a named.localhost cc.zone

vim cc.zone

$TTL 1D
@       IN SOA  node1.google.com. root.google.com. (
                                        11      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      node1.google.com.
node1   A       192.168.1.104
www     A       192.168.1.104

(The original opened aa.zone a second time for the baidu.com data, copied named.localhost to bb.zone a second time for google.com, and spelled the google.com SOA as "goole.com"; all three are corrected above. Bump the serial every time a zone file changes, otherwise slaves never pick up the edit.)

Create the rndc.key file

rndc-confgen -r /dev/urandom -a

Restart the service (named-checkconf and named-checkzone catch syntax errors before the restart; the daemon itself only logs them and refuses to load the zone)

service named restart
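As an added check that is not part of the original tutorial: a small POSIX sh script that lints the named.conf above for the open-resolver combination (allow-query any, recursion yes, and no allow-recursion ACL) and lists the zones the file serves. The two sample files it writes are constructed here to mirror the tutorial's options and zone blocks after the two "change to any" edits; the 192.168.1.0/24 ACL in the fixed copy is an assumed lab network.

```shell
#!/bin/sh
# Added example (not from the original page): lint a BIND named.conf for the
# open-resolver setting the tutorial ends up with, and list its zones.
# Requires only POSIX sh, sed, grep and tr.

# normalize_conf FILE: strip //, # and /* */ comments, join all lines and
# squeeze whitespace so the checks below can use single-line regexes.
# (The /* */ stripping assumes no '*' inside a comment, as in named.conf.)
normalize_conf() {
  sed -e 's://.*$::' -e 's:#.*$::' "$1" \
    | tr '\n' ' ' \
    | sed -e 's:/\*[^*]*\*/::g' -e 's/[[:space:]][[:space:]]*/ /g'
}

# audit_resolver FILE: "open-resolver" when queries are accepted from any
# address AND recursion is on AND no allow-recursion ACL limits it;
# "ok" otherwise.
audit_resolver() {
  conf=$(normalize_conf "$1")
  q_any=0; rec=0; rec_acl=0
  echo "$conf" | grep -Eq 'allow-query *\{ *any; *\}' && q_any=1
  echo "$conf" | grep -Eq 'recursion +yes;' && rec=1
  echo "$conf" | grep -Eq 'allow-recursion *\{' && rec_acl=1
  if [ "$q_any" -eq 1 ] && [ "$rec" -eq 1 ] && [ "$rec_acl" -eq 0 ]; then
    echo open-resolver
  else
    echo ok
  fi
}

# list_zones FILE: one zone name per line, in definition order.
list_zones() {
  normalize_conf "$1" \
    | grep -Eo 'zone +"[^"]+"' \
    | sed -e 's/^zone *"//' -e 's/"$//'
}

# write_sample FILE: constructed copy of the tutorial's options/zone blocks
# after "listen-on" and "allow-query" have been changed to any.
write_sample() {
  cat >"$1" <<'EOF'
options {
        listen-on port 53 { any; };
        directory "/var/named";
        allow-query     { any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};
zone "." IN { type hint; file "named.ca"; };
# three lab zones
zone "hhj.cc" { type master; file "aa.zone"; };
zone "baidu.com" { type master; file "bb.zone"; };
zone "google.com" { type master; file "cc.zone"; };
include "/etc/named.rfc1912.zones";
EOF
}

# write_fixed FILE: same file with recursion limited to the lab network
# (192.168.1.0/24 is an assumed value).
write_fixed() {
  write_sample "$1"
  sed -e 's#recursion yes;#recursion yes; allow-recursion { localhost; 192.168.1.0/24; };#' \
    "$1" >"$1.tmp" && mv "$1.tmp" "$1"
}

# stand-alone demo
d=$(mktemp -d)
write_sample "$d/named.conf"
write_fixed "$d/named.fixed.conf"
echo "as in the tutorial:      $(audit_resolver "$d/named.conf")"
echo "with allow-recursion:    $(audit_resolver "$d/named.fixed.conf")"
echo "zones served:            $(list_zones "$d/named.conf" | tr '\n' ' ')"
rm -rf "$d"
```

Run it against the real file with audit_resolver /var/named/chroot/etc/named.conf after sourcing the script; "open-resolver" means the server will answer recursive queries for the whole internet once it is reachable there.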

2. Configure the virtual hosts

vim /etc/httpd/conf/httpd.conf

Remove the leading # from the line "#NameVirtualHost *:80", then add one block per site. The address:port given to NameVirtualHost must be exactly the one used in each <VirtualHost> and must be covered by a Listen directive; otherwise httpd logs "NameVirtualHost *:80 has no VirtualHosts" and serves every name from the first block it finds.

<VirtualHost *:80>
    DocumentRoot /baidu
    ServerName www.baidu.com
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot /google
    ServerName www.google.com
</VirtualHost>

Restart the httpd service

service httpd restart

Fix the SELinux context (the directories /baidu and /google must already exist; they receive the same httpd_sys_content_t label as /var/www/html)

chcon -R --reference=/var/www/html /baidu/ /google/

chcon only relabels the files present now, and a later restorecon resets them to the policy default; outside a lab, record the label with semanage fcontext so it survives.

HTTPS encryption configuration

1. Install the mod_ssl module

yum install mod_ssl -y

After installation, look at /etc/httpd/conf.d/

# ls /etc/httpd/conf.d/

Open the configuration file

# vim /etc/httpd/conf.d/ssl.conf

LoadModule ssl_module modules/mod_ssl.so                   # load the mod_ssl.so module
Listen 443                                                 # listening port, 443 by default
SSLEngine on                                               # enable the SSL engine
SSLCertificateFile /etc/pki/tls/certs/localhost.crt        # certificate path
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key   # private key path

localhost.crt and localhost.key are a throwaway self-signed pair that the mod_ssl package generates at install time; they let httpd start, but every browser will warn about them.

Go to the /etc/pki/tls/certs/ directory

# cd /etc/pki/tls/certs/
# ls
ca-bundle.crt  ca-bundle.trust.crt  localhost.crt  make-dummy-cert  Makefile  renew-dummy-cert

Use the openssl command to create the key and certificate files:

Generate the ca.key private key (the original used 1024 bits; 1024-bit RSA has been considered too weak since 2013 and is rejected by current browsers, so use at least 2048):

# openssl genrsa -des3 -out ca.key 2048

Create the ca.crt certificate (self-signed, valid for 365 days):

# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# make aa.crt        # create the server key and certificate; the Makefile runs the two commands shown
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > aa.key
Generating RSA private key, 2048 bit long modulus
................................+++
...............................+++
e is 65537 (0x10001)
Enter pass phrase:                  # enter a passphrase
Verifying - Enter pass phrase:      # enter it again
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key aa.key -x509 -days 365 -out aa.crt -set_serial 0
Enter pass phrase for aa.key:       # enter the passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SC
Locality Name (eg, city) [Default City]:CD
Organization Name (eg, company) [Default Company Ltd]:HHJ
Organizational Unit Name (eg, section) []:hhj1984
Common Name (eg, your name or your server's hostname) []:RHCC
Email Address []:

# ls
aa.crt  aa.key  ca-bundle.crt  ca-bundle.trust.crt  localhost.crt  make-dummy-cert  Makefile  renew-dummy-cert

aa.crt is the generated certificate and aa.key the private key. Three things to be aware of about what the Makefile actually did: the certificate is self-signed (-x509, -set_serial 0), so ca.crt from the previous step never signs it and plays no part; the Common Name was set to RHCC rather than the site name, and current browsers in any case only match the host against a subjectAltName, so no browser will accept it for www.baidu.com; and the key was encrypted with -aes128, so every httpd start will stop and ask for the passphrase (SSLPassPhraseDialog in ssl.conf) unless it is removed from the key first.

Copy the files to the location the configuration will point at

# cp aa.crt aa.key /etc/httpd/conf/

Set the certificate and private-key paths in /etc/httpd/conf.d/ssl.conf

vim /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/httpd/conf/aa.crt          # certificate path
SSLCertificateKeyFile /etc/httpd/conf/aa.key       # private key path

# service httpd restart          # after the restart the site can be reached over HTTPS

The key was written under umask 77, so it is readable by root only; keep it that way after copying (httpd reads it while still running as root, before dropping privileges).
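The Makefile route above leaves a self-signed certificate that ca.crt never signed. The following script, added here as an example and not part of the original page, does what the "make a signature" step was presumably aiming for: it builds a private CA, issues a CA-signed server certificate with a subjectAltName for the site, and then checks the result the way a browser would (chain to the CA plus host-name match). It assumes OpenSSL 1.1.1 or newer (for verify -verify_hostname); the host name www.hhj.cc, the subject fields, the key sizes and the temporary directory are illustrative choices, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original page): private CA + CA-signed server
# certificate + browser-style verification, all with the openssl CLI.
# Assumes OpenSSL >= 1.1.1; www.hhj.cc and the DN fields are illustrative.
set -e

# make_ca DIR: 2048-bit RSA CA key (mode 0600) and a self-signed CA
# certificate explicitly marked CA:TRUE, which is what "openssl verify"
# requires of a trust anchor.
make_ca() {
  mkdir -p "$1"
  (umask 077; openssl genrsa -out "$1/ca.key" 2048 2>/dev/null)
  cat >"$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C  = CN
O  = hhj
CN = hhj lab CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -sha256 -days 3650 -key "$1/ca.key" \
    -config "$1/ca.cnf" -out "$1/ca.crt"
}

# make_server_cert DIR HOST: server key, CSR, and a leaf certificate signed
# by ca.key. The leaf carries subjectAltName=DNS:HOST; browsers match the
# host against the SAN only, so a CN of "RHCC" as in the tutorial would be
# rejected even if the chain were trusted.
make_server_cert() {
  (umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
  openssl req -new -sha256 -key "$1/$2.key" -config "$1/ca.cnf" \
    -subj "/C=CN/O=hhj/CN=$2" -out "$1/$2.csr"
  # extensions for "x509 -req"; with no -extensions option the unnamed
  # default section of the -extfile is used
  cat >"$1/$2.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
  openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# verify_leaf DIR HOST NAME: "ok" if DIR/HOST.crt chains to DIR/ca.crt and
# is valid for the name NAME, "fail" otherwise.
verify_leaf() {
  if openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" \
       "$1/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# key_is_encrypted DIR HOST: "yes" if httpd would stop and ask for a
# passphrase at startup (the tutorial's "genrsa -aes128" key does), "no"
# if the key is stored in the clear and protected only by file permissions.
key_is_encrypted() {
  if grep -q ENCRYPTED "$1/$2.key"; then echo yes; else echo no; fi
}

# stand-alone demo in a temporary directory
d=$(mktemp -d)
make_ca "$d"
make_server_cert "$d" www.hhj.cc
echo "chain + name check for www.hhj.cc:    $(verify_leaf "$d" www.hhj.cc www.hhj.cc)"
echo "chain + name check for www.baidu.com: $(verify_leaf "$d" www.hhj.cc www.baidu.com)"
echo "key encrypted:                        $(key_is_encrypted "$d" www.hhj.cc)"
rm -rf "$d"
```

Deploy www.hhj.cc.crt and www.hhj.cc.key where the page puts aa.crt and aa.key, import ca.crt into the lab browsers' trust store, and keep ca.key off the web server: whoever reads it can issue a certificate for any name the lab trusts. If you do keep a passphrase on the server key (the Makefile's -aes128), httpd 2.2 prompts for it on every start; openssl rsa -in aa.key -out aa.key strips it, after which the 0600 file mode is the only protection.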

2. Use a certificate for only one site

# vim /etc/httpd/conf.d/ssl.conf

SSLEngine off            # turn the SSL engine off in the default :443 host

Put the SSL directives directly inside the virtual host instead

<VirtualHost *:443>            # change the port to 443
    DocumentRoot /baidu
    ServerName www.baidu.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt        # certificate path
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key   # private key path
</VirtualHost>

and restart httpd.

Two caveats. mod_ssl decides whether a connection is TLS at all from the first virtual host defined for that address and port, before it has read any request. In the stock CentOS layout conf.d is included before the virtual host section of httpd.conf, so the _default_:443 host from ssl.conf comes first; with SSLEngine off there, port 443 stops speaking TLS altogether and the per-site SSLEngine on never gets a chance. The simpler way to give one site its own certificate is to leave SSLEngine on in ssl.conf and only override SSLCertificateFile and SSLCertificateKeyFile inside that site's <VirtualHost *:443>. Second, name-based virtual hosts on 443 only work with SNI (httpd 2.2.12 or later built against an OpenSSL with TLS extension support, plus NameVirtualHost *:443); without it the client cannot say which name it wants before the handshake, and every :443 host hands out the certificate of the first one.

Forcing users to access the site over HTTPS

Edit httpd.conf

vim /etc/httpd/conf/httpd.conf

<VirtualHost 192.168.1.104:443>
    DocumentRoot /var/www/html
    ServerName www.hhj1984.cc
    ServerAlias *.hhj1984.cc
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ca.crt
    SSLCertificateKeyFile /etc/httpd/conf/ca.key
</VirtualHost>

<Directory "/var/www/html">            # directory the site lives in
    Options Indexes FollowSymLinks
    AllowOverride All                  # required so that .htaccess files are read
    Order allow,deny
    Allow from all
</Directory>

ca.crt and ca.key here stand for whatever certificate and key the site should present. If ca.key really is the key of the signing CA created earlier, do not put it on the web server: anyone who reads it can issue certificates for every name that CA is trusted for. Issue the site its own leaf certificate and keep the CA key elsewhere. Options Indexes lists the directory whenever there is no index file, so drop it outside a lab. The Order/Allow lines are httpd 2.2 syntax; on 2.4 they become Require all granted.

Create /var/www/html/.htaccess (it does not exist by default) in the site directory:

<IfModule mod_rewrite.c>
RewriteEngine on
# redirect only requests that arrived over plain HTTP. A rule that matches on
# the Host header alone (the first rule pair in the original version) also
# fires on the HTTPS virtual host, which shares this DocumentRoot, and sends
# the browser round in a redirect loop.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^(www\.)?hhj1984\.cc$ [NC]
RewriteRule ^(.*)$ https://www.hhj1984.cc/$1 [R=301,L]
</IfModule>

%{HTTPS} is "on" for any TLS connection whatever the port; the original's %{SERVER_PORT} !^443$ test is equivalent as long as TLS is only ever served on 443. In per-directory (.htaccess) context the path captured in $1 has no leading slash, hence the slash in the substitution. Test with a plain-HTTP request for http://www.hhj1984.cc/some/path and confirm a single 301 to https://www.hhj1984.cc/some/path and no further redirect on the HTTPS side; browsers cache a 301, so use R=302 while experimenting and switch to 301 once it works.
