httpd-2.4 implementation of virtual host, access control and HTTPS functions

Source: Internet
Author: User

Preparation: Install httpd on CentOS 7, either with yum or by building it yourself. Installing with yum is recommended because it is fast and convenient.

Shut down the firewall and SELinux.


1. Provide two name-based virtual hosts, www1 and www2, each with its own error log and access log

First, set up the virtual host www1.

A. Create a configuration file for the virtual host in httpd's secondary configuration directory /etc/httpd/conf.d/

~]# vim /etc/httpd/conf.d/vhosts-www1.conf
<VirtualHost 192.168.127.128:80>
    DocumentRoot "/myweb/vhosts/www1"
    ServerName www.link1.com
    ErrorLog "/myweb/vhosts/www1/logs/error_log"
    CustomLog "/myweb/vhosts/www1/logs/access_log" combined
</VirtualHost>
<Directory "/myweb/vhosts/www1">
    AllowOverride None
    Options None
    Require all granted
</Directory>

B. After creating the configuration file, create the document root directory and log directory.

~]# mkdir -pv /myweb/vhosts/www1/logs

C. Create index.html in the document root and write some content to it, then add the line "192.168.127.128 www.link1.com" to the hosts file in the C:\Windows\System32\drivers\etc directory of the local machine.

Reload the configuration file:

~]# systemctl reload httpd.service

Then open it in a local browser with the following results:

[Screenshot]

View the access log /myweb/vhosts/www1/logs/access_log; its contents are as follows:

192.168.127.1 - - [29/Aug/2017:15:40:00 +0800] "GET /sky/ HTTP/1.1" 200 1319 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0"

The status code is 200 and the request succeeds.


The process for virtual host www2 is no different from www1; just change the relevant names. Finally, test it in the browser. The results are as follows:

[Screenshot]



2. Access control

A. Provide status information through www1's /server-status, and allow only the user link to access it.

A-1. Modify the www1 configuration file as follows:

<VirtualHost 192.168.127.128:80>
    DocumentRoot "/myweb/vhosts/www1"
    ServerName www.link1.com
    ErrorLog "/myweb/vhosts/www1/logs/error_log"
    CustomLog "/myweb/vhosts/www1/logs/access_log" combined
</VirtualHost>
<Directory "/myweb/vhosts/www1">
    AllowOverride None
    Options None
    AuthType Basic
    AuthName "Please input user and password to login, only link has permission to access!!"
    AuthUserFile /etc/httpd/users/.htpasswd
    Require user link
</Directory>

A-2. Create the virtual users with the htpasswd command

~]# mkdir /etc/httpd/users
~]# htpasswd -c -m /etc/httpd/users/.htpasswd link
~]# htpasswd -m /etc/httpd/users/.htpasswd link1

A-3. Reload the configuration file and open the site in the browser; the following appears:

[Screenshot]

When you enter the link user and password:


[Screenshots]

When you enter the link1 user and password:

[Screenshots]

Because only the link user is allowed to log in:

[Screenshot]

At this point, the requirement is fulfilled.


B. www2 denies access to every host in the 192.168.127.0/24 network.

From the access log viewed earlier, you can see that the IP address of this host is 192.168.127.1.

Then modify the www2 configuration file as follows:

<VirtualHost 192.168.127.128:80>
    DocumentRoot "/myweb/vhosts/www2"
    ServerName www.link2.com
    ErrorLog "/myweb/vhosts/www2/logs/error_log"
    CustomLog "/myweb/vhosts/www2/logs/access_log" combined
    <Directory "/myweb/vhosts/www2">
        AllowOverride None
        Options None
        <RequireAll>
            Require all granted
            Require not ip 192.168.127.0/24
        </RequireAll>
    </Directory>
</VirtualHost>

Before the change, access looks like this:

[Screenshot]

After the change, access looks like this:

[Screenshot]

At this point, the required functionality is implemented.
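A way to confirm the deny rule from the www2 access log, as an added example that is not part of the original article: it lists requests from inside a denied network that did not receive a 403. It generalizes the page's /24 to any IPv4 CIDR; the function names and the sample log lines are constructed for the illustration.

```shell
#!/bin/sh
# Added example: confirm from the access log that the deny rule is enforced.

# denied_net_leaks LOGFILE CIDR
# Prints each combined-format line whose client address lies inside CIDR but
# whose status is not 403, i.e. a request the rule should have refused.
denied_net_leaks() {
    awk -v cidr="$2" '
    function ip2int(ip,    p) {              # dotted quad -> number, -1 if not IPv4
        if (split(ip, p, ".") != 4) return -1
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    BEGIN {
        split(cidr, c, "/")
        size = 2 ^ (32 - c[2])               # addresses in the block
        base = ip2int(c[1])
        base -= base % size                  # round down to the network address
    }
    {
        addr = ip2int($1)                    # field 1: client, field 9: status
        if (addr >= base && addr < base + size && $9 != 403) print
    }' "$1"
}

# Constructed sample lines (not taken from the page's server).
sample_log() {
    cat <<'EOF'
192.168.127.1 - - [31/Aug/2017:18:43:59 +0800] "GET / HTTP/1.1" 403 209 "-" "Mozilla/5.0"
192.168.127.77 - - [31/Aug/2017:18:44:10 +0800] "GET /index.html HTTP/1.1" 200 27 "-" "curl/7.29.0"
192.168.128.5 - - [31/Aug/2017:18:45:02 +0800] "GET / HTTP/1.1" 200 27 "-" "Mozilla/5.0"
10.0.0.8 - - [31/Aug/2017:18:46:30 +0800] "GET / HTTP/1.1" 200 27 "-" "Mozilla/5.0"
EOF
}

log=$(mktemp)
sample_log > "$log"
denied_net_leaks "$log" 192.168.127.0/24    # prints only the 192.168.127.77 line
rm -f "$log"
```

Lines logged before the rule was loaded will also show up, so run it on the portion of the log written after the reload.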


3. Provide HTTPS service for the above WWW2 virtual host

Create a private CA, and then use it to issue a certificate for this server.

A. Creating a private CA

A-1. Creating a private CA private key file

~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)

A-2. Generating self-signed certificates

~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3653

A-3. Create the directory layout and text files that the CA requires

~]# touch /etc/pki/CA/index.txt
~]# echo 01 > /etc/pki/CA/serial

B. Providing a certificate for the server

B-1. Creating a private key file for a server

~]# mkdir /etc/httpd/conf/ssl
~]# cd /etc/httpd/conf/ssl
ssl]# (umask 077; openssl genrsa -out httpd.key 4096)

B-2. Generating a certificate Request file

ssl]# openssl req -new -key httpd.key -out httpd.csr -days 3653

B-3. Certificate issued by CA: Completed on the same server as the CA

ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365

The certificate issuance is complete.
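The CA and server-certificate steps above, run end to end in a scratch directory and then checked, as an added example that is not part of the original article. It signs with `openssl x509 -req` instead of `openssl ca` so that it does not depend on the /etc/pki/CA layout, and it adds a subjectAltName; the function names, subject fields and file layout are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: private CA -> server certificate -> verification, in a scratch
# directory. Subject names and file layout are constructed for the demo.

# issue_cert DIR NAME: build a CA and a server certificate for NAME inside DIR.
issue_cert() {
    dir=$1 name=$2
    mkdir -p "$dir" || return 1
    # CA key and self-signed CA certificate (2048 bits keeps the demo fast;
    # the page uses 4096).
    ( umask 077; openssl genrsa -out "$dir/cakey.pem" 2048 ) 2>/dev/null || return 1
    openssl req -new -x509 -key "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -days 3653 -subj "/CN=Demo Private CA" 2>/dev/null || return 1
    # Server key and certificate request.
    ( umask 077; openssl genrsa -out "$dir/httpd.key" 2048 ) 2>/dev/null || return 1
    openssl req -new -key "$dir/httpd.key" -out "$dir/httpd.csr" \
        -subj "/CN=$name" 2>/dev/null || return 1
    # Browsers match the host name against subjectAltName, so add one when signing.
    printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/san.ext"
    openssl x509 -req -in "$dir/httpd.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -sha256 -days 365 \
        -extfile "$dir/san.ext" -out "$dir/httpd.crt" 2>/dev/null
}

# chain_ok CAFILE CERT: true if CERT verifies against CAFILE.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches KEY CERT: true if the private key belongs to the certificate.
key_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# has_san CERT NAME: true if CERT lists NAME as a DNS subjectAltName.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|[[:space:]]|\$)"
}

d=$(mktemp -d)
issue_cert "$d" www.link2.com && chain_ok "$d/cacert.pem" "$d/httpd.crt" \
    && key_matches "$d/httpd.key" "$d/httpd.crt" \
    && has_san "$d/httpd.crt" www.link2.com \
    && echo "certificate for www.link2.com verifies against the demo CA"
rm -rf "$d"
```

The same three checks can be pointed at /etc/pki/CA/cacert.pem and the httpd.key and httpd.crt files in /etc/httpd/conf/ssl before restarting httpd.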


C. Installing the mod_ssl module

~]# yum -y install mod_ssl

Modify the following parts of the SSL configuration file:

DocumentRoot "/myweb/vhosts/ssl"
ServerName www.link2.com
<Directory "/myweb/vhosts/ssl">
    AllowOverride None
    Options None
    Require all granted
</Directory>
SSLCertificateFile /etc/httpd/conf/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl/httpd.key

Then create the /myweb/vhosts/ssl directory:

~]# mkdir /myweb/vhosts/ssl
~]# echo "Welcome to https://www.link2.com" >> /myweb/vhosts/ssl/index.html

Then restart the service.

Unencrypted access is as follows:

[Screenshot]

HTTPS access is as follows:

[Screenshot]

Because we issued the certificate ourselves, the browser reports on the first visit that the certificate is untrusted or risky; add an exception to continue.
