Implementing httpd user authentication and HTTPS on CentOS
This post configures httpd with user authentication and with HTTPS encrypted transport. The requirements of the experiment are as follows:
Lab environment:
  CentOS release 6.6 (Final), 1 host
  Windows XP, 1 host
IP addresses:
  172.16.31.31   www.stu31.com   web server
  172.16.31.188  Windows XP      test client
Windows XP has the Chrome browser installed as well as the IE browser that comes with the system.
Software version:
  httpd-2.2.15-39.el6.centos.x86_64
Lab requirements:
1. Build an httpd server that provides two name-based virtual hosts:
  (A) www1.stu31.com: the page files are in /web/vhosts/www1, the error log is /var/log/httpd/www1.err and the access log is /var/log/httpd/www1.access;
  (B) www2.stu31.com: the page files are in /web/vhosts/www2, the error log is /var/log/httpd/www2.err and the access log is /var/log/httpd/www2.access;
  (C) create a main page file index.html for each virtual host, containing the corresponding host name;
  (D) publish httpd's working status at www1.stu31.com/server-status, and only allow access with an account and password (user status, password status).
2. Provide an https service for the second virtual host so that users can access the site securely over https:
  (1) certificate authentication is required; the country (CN), state (Henan), city (Zhengzhou) and organization (stu31) must be used in the certificate;
  (2) set the department to tech, the host name to www2.stu31.com and the mailbox to admin@stu31.com.
Experiment process:
httpd is installed from the rpm package. The installation itself is simple; the important part is the configuration:
  [root@www ~]# rpm -qa httpd
  httpd-2.2.15-39.el6.centos.x86_64
Part 1. Build the httpd server with the two name-based virtual hosts (A) to (D) required above.
I. Configure the DNS server to provide name resolution for the client.
Main configuration file:
  [root@www ~]# cat /etc/named.conf
  //
  // named.conf
  //
  // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
  // server as a caching only nameserver (as a localhost DNS resolver only).
  //
  // See /usr/share/doc/bind*/sample/ for example named configuration files.
  //
  options {
      // listen-on port 53 { 127.0.0.1; };
      // listen-on-v6 port 53 { ::1; };
      directory          "/var/named";
      dump-file          "/var/named/data/cache_dump.db";
      statistics-file    "/var/named/data/named_stats.txt";
      memstatistics-file "/var/named/data/named_mem_stats.txt";
      // allow-query     { localhost; };
      recursion yes;
      // dnssec-enable yes;
      // dnssec-validation yes;
      // dnssec-lookaside auto;
      /* Path to ISC DLV key */
      /* bindkeys-file "/etc/named.iscdlv.key";
      managed-keys-directory "/var/named/dynamic";
      */
  };
  logging {
      channel default_debug {
          file "data/named.run";
          severity dynamic;
      };
  };
  zone "." IN {
      type hint;
      file "named.ca";
  };
  include "/etc/named.rfc1912.zones";
  include "/etc/named.root.key";
Add the zone definition for stu31.com:
  [root@www conf.d]# cat /etc/named.rfc1912.zones
  zone "stu31.com" IN {
      type master;
      file "stu31.com.zone";
  };
Zone data file configuration:
  [root@www named]# cat stu31.com.zone
  $TTL 600
  $ORIGIN stu31.com.
  @       IN  SOA  ns1.stu31.com. root.stu31.com. (
                   2014121301
                   1H
                   5M
                   3D
                   6H )
          IN  NS   ns1.stu31.com.
          IN  MX 5 mail
  ns1     IN  A    172.16.31.31
  www     IN  A    172.16.31.31
  www1    IN  A    172.16.31.31
  www2    IN  A    172.16.31.31
  mail    IN  A    172.16.31.31
  pop3    IN  CNAME mail
  imap4   IN  CNAME mail
Test DNS server availability:
II. httpd server configuration
Create the website directories and add a test page to each:
  [root@www named]# mkdir -pv /web/vhosts/www1
  [root@www named]# vim /web/vhosts/www1/index.html
  www1.stu31.com
  [root@www named]# mkdir -pv /web/vhosts/www2
  [root@www named]# vim /web/vhosts/www2/index.html
  www2.stu31.com
Configure the httpd main configuration file /etc/httpd/conf/httpd.conf. The relevant settings are listed here:
  [root@www named]# vim /etc/httpd/conf/httpd.conf
  # DocumentRoot "/var/www/html"
  NameVirtualHost 172.16.31.31:80
  <VirtualHost 172.16.31.31:80>
      DocumentRoot /web/vhosts/www1
      ServerName www1.stu31.com
      ErrorLog "/var/log/httpd/www1.err"
      # the log format nickname is "combined"; a misspelled nickname is logged literally
      CustomLog "/var/log/httpd/www1.access" combined
      <Location /server-status>
          SetHandler server-status
          AuthType Basic
          AuthName "status area"
          AuthUserFile /etc/httpd/users/.htpasswd
          Require valid-user
      </Location>
  </VirtualHost>
  <VirtualHost 172.16.31.31:80>
      DocumentRoot /web/vhosts/www2
      ServerName www2.stu31.com
      ErrorLog "/var/log/httpd/www2.err"
      CustomLog "/var/log/httpd/www2.access" combined
  </VirtualHost>
The <Location /server-status> block above is the user authentication configuration. Check the syntax:
  [root@www named]# httpd -t
  Syntax OK
For the user authentication configuration we also need to create the password file that holds the users allowed to access the status page:
  [root@www named]# mkdir /etc/httpd/users
  [root@www named]# htpasswd -c -m /etc/httpd/users/.htpasswd status
  New password:
  Re-type new password:
  Adding password for user status
After that, start the httpd service and test user authentication:
  [root@www named]# service httpd restart
  Stopping httpd:                 [FAILED]
  Starting httpd:                 [  OK  ]
III. User authentication test
Enter the user name and password when the browser prompts for authentication:
You can then view the Apache server status information:
Part 2. Provide an https service for the second virtual host so that users can access the site securely over https:
  (1) certificate authentication is required; the country (CN), state (Henan), city (Zhengzhou) and organization (stu31) must be used in the certificate;
  (2) set the department to tech, the host name to www2.stu31.com and the mailbox to admin@stu31.com.
HTTPS encrypted transport configuration process
(A) Set up a private CA
  [root@www named]# cd /etc/pki/CA/
  # create the CA private key
  [root@www CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
  Generating RSA private key, 2048 bit long modulus
  ...............+++
  ...........+++
  e is 65537 (0x10001)
  # generate the self-signed CA certificate
  [root@www CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3560
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [XX]:CN
  State or Province Name (full name) []:HA
  Locality Name (eg, city) [Default City]:ZZ
  Organization Name (eg, company) [Default Company Ltd]:stu31
  Organizational Unit Name (eg, section) []:tech
  Common Name (eg, your name or your server's hostname) []:www2.stu31.com
  Email Address []:admin@stu31.com
  # create the index database file
  [root@www CA]# touch index.txt
  # create the serial number file
  [root@www CA]# touch serial
  [root@www CA]# echo 01 > serial
  [root@www CA]# ls
  cacert.pem  certs  crl  index.txt  newcerts  private  serial
The CA has been created.
(B) Generate a certificate for the httpd server
  # generate the httpd server private key
  [root@www CA]# mkdir /etc/httpd/certs
  [root@www CA]# cd /etc/httpd/certs
  [root@www certs]# (umask 077; openssl genrsa -out httpd.key 2048)
  Generating RSA private key, 2048 bit long modulus
  .........................+++
  .............+++
  e is 65537 (0x10001)
  # generate the certificate signing request
  [root@www certs]# openssl req -new -key httpd.key -out httpd.csr -days 3650
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [XX]:CN
  State or Province Name (full name) []:HA
  Locality Name (eg, city) [Default City]:ZZ
  Organization Name (eg, company) [Default Company Ltd]:stu31
  Organizational Unit Name (eg, section) []:tech
  Common Name (eg, your name or your server's hostname) []:www2.stu31.com
  Email Address []:admin@stu31.com

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:
(C) Configure the httpd service to use a digital certificate
  # the CA signs the certificate request
  [root@www certs]# ls
  httpd.csr  httpd.key
  [root@www certs]# openssl ca -in httpd.csr -out httpd.crt -days 3650
  Using configuration from /etc/pki/tls/openssl.cnf
  Check that the request matches the signature
  Signature ok
  Certificate Details:
          Serial Number: 1 (0x1)
          Validity
              Not Before: Dec 13 05:30:19 2014 GMT
              Not After : Dec 10 05:30:19 2024 GMT
          Subject:
              countryName               = CN
              stateOrProvinceName       = HA
              organizationName          = stu31
              organizationalUnitName    = tech
              commonName                = www2.stu31.com
              emailAddress              = admin@stu31.com
          X509v3 extensions:
              X509v3 Basic Constraints:
                  CA:FALSE
              Netscape Comment:
                  OpenSSL Generated Certificate
              X509v3 Subject Key Identifier:
                  9A:84:73:63:C0:82:7F:45:21:9C:BA:2B:4C:FB:C3:87:7C:BA:63:58
              X509v3 Authority Key Identifier:
                  keyid:1C:57:C2:12:E4:D3:A6:4F:9A:7A:C6:53:7F:5B:7B:86:1E:75:0D:57
  Certificate is to be certified until Dec 10 05:30:19 2024 GMT (3650 days)
  Sign the certificate? [y/n]:y
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated
(D) Configure the https server for encrypted transport
Apache httpd does not load the SSL module in its default configuration, so the corresponding module package has to be installed:
  [root@www certs]# yum install mod_ssl -y
  [root@www ~]# rpm -qa mod_ssl
  mod_ssl-2.2.15-39.el6.centos.x86_64
After installation the ssl.conf configuration file is generated in the /etc/httpd/conf.d/ directory; https is configured in this file:
  [root@www conf.d]# ls
  mod_dnssd.conf  README  ssl.conf  welcome.conf
Configure the ssl.conf file. The important settings are:
  [root@www conf.d]# vim /etc/httpd/conf.d/ssl.conf
  LoadModule ssl_module modules/mod_ssl.so
  Listen 443
  <VirtualHost 172.16.31.31:443>
      DocumentRoot "/web/vhosts/www2"
      ServerName www2.stu31.com:443
      SSLEngine on
      SSLCertificateFile /etc/httpd/certs/httpd.crt
      SSLCertificateKeyFile /etc/httpd/certs/httpd.key
  </VirtualHost>
Test the file syntax:
  [root@www conf.d]# httpd -t
  Syntax OK
Restart the httpd service:
  [root@www conf.d]# service httpd restart
  Stopping httpd:                 [  OK  ]
  Starting httpd:                 [  OK  ]
View the listening port:
  [root@www conf.d]# ss -tunl | grep 443
  tcp    LISTEN     0      128                   :::443                  :::*
Test on Windows:
First install the CA certificate on Windows: copy cacert.pem to the Windows host, rename it to cacert.crt, and install the certificate:
Test with the Chrome browser:
The experiment is complete! (*^__^*)