Implementation of httpd user authentication control and HTTPS on CentOS
In this experiment we configure httpd with user authentication and then add HTTPS for encrypted transmission. The requirements of the experiment are as follows:
Lab environment:
CentOS release 6.6 (Final) x1
Windows XP x1
IP addresses:
172.16.31.31   www.stu31.com   web server
172.16.31.188  Windows XP test client
Windows XP has the Chrome browser installed as well as the IE browser that ships with the system.
Software version:
httpd-2.2.15-39.el6.centos.x86_64
Lab requirements:
1. Create an httpd server. Requirements:
Two name-based virtual hosts are provided:
(A) www1.stu31.com. The page file directory is /web/vhosts/www1, the error log is /var/log/httpd/www1.err and the access log is /var/log/httpd/www1.access;
(B) www2.stu31.com. The page file directory is /web/vhosts/www2, the error log is /var/log/httpd/www2.err and the access log is /var/log/httpd/www2.access;
(C) Create a main page file index.html for each virtual host, containing the corresponding host name;
(D) Output httpd working status information through www1.stu31.com/server-status, and allow access only with an account and password (account: status, password: status);
2. Provide HTTPS service for the 2nd virtual host above, so that users can access the web site securely through https;
(1) Certificate authentication is required. The certificate must use country (CN), state (Henan), city (Zhengzhou) and organization (stu31);
(2) Set the department to tech, the host name to www2.stu31.com and the mailbox to admin@stu31.com;
Experiment process:
We install httpd from the rpm package. Installation is very simple; the important part is the configuration:
[root@www ~]# rpm -qa httpd
httpd-2.2.15-39.el6.centos.x86_64
1. Create the httpd server according to requirements (A) to (D) above.
I. Configure the DNS server to provide domain name resolution for the client.
Configuration of the main configuration file:
[root@www ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
//      listen-on port 53 { 127.0.0.1; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { localhost; };
        recursion yes;

//      dnssec-enable yes;
//      dnssec-validation yes;
//      dnssec-lookaside auto;

        /* Path to ISC DLV key */
/*      bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
*/
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
With listen-on and allow-query commented out, named listens on every interface and answers any client, which is what lets the Windows test client use it. Add the zone configuration for stu31.com:
[root@bind conf.d]# cat /etc/named.rfc1912.zones
zone "stu31.com" IN {
        type master;
        file "stu31.com.zone";
};
Zone file configuration:
[root@www named]# cat stu31.com.zone
$TTL 600
$ORIGIN stu31.com.
@       IN  SOA   ns1.stu31.com. root.stu31.com. (
                2014121301
                1H
                5M
                3D
                6H )
        IN  NS    ns1.stu31.com.
        IN  MX 5  mail
ns1     IN  A     172.16.31.31
www     IN  A     172.16.31.31
www1    IN  A     172.16.31.31
www2    IN  A     172.16.31.31
mail    IN  A     172.16.31.31
pop3    IN  CNAME mail
imap4   IN  CNAME mail
Test DNS server availability:
II. httpd server configuration
Create the website directories and add the test pages:
[root@www named]# mkdir -pv /web/vhosts/www1
[root@www named]# vim /web/vhosts/www1/index.html
www1.stu31.com
[root@www named]# mkdir -pv /web/vhosts/www2
[root@www named]# vim /web/vhosts/www2/index.html
www2.stu31.com
Configure the httpd main configuration file /etc/httpd/conf/httpd.conf. The main settings are listed here (the log format nickname is "combined"; a misspelled nickname would be written to the log literally instead of expanding):
[root@www named]# vim /etc/httpd/conf/httpd.conf
#DocumentRoot "/var/www/html"
NameVirtualHost 172.16.31.31:80
<VirtualHost 172.16.31.31:80>
    DocumentRoot /web/vhosts/www1
    ServerName www1.stu31.com
    ErrorLog "/var/log/httpd/www1.err"
    CustomLog "/var/log/httpd/www1.access" combined
    <Location /server-status>
        SetHandler server-status
        AuthType Basic
        AuthName "status area"
        AuthUserFile /etc/httpd/users/.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
<VirtualHost 172.16.31.31:80>
    DocumentRoot /web/vhosts/www2
    ServerName www2.stu31.com
    ErrorLog "/var/log/httpd/www2.err"
    CustomLog "/var/log/httpd/www2.access" combined
</VirtualHost>
The <Location /server-status> block above is the user authentication configuration. Next we check the syntax:
[root@www named]# httpd -t
Syntax OK
For the user authentication configuration we need to create the password file holding the users allowed to access the page:
[root@www named]# mkdir /etc/httpd/users
[root@www named]# htpasswd -c -m /etc/httpd/users/.htpasswd status
New password:
Re-type new password:
Adding password for user status
After that we can restart the httpd service and test user authentication:
[root@www named]# service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]
III. User authentication test:
Enter the user name and password for authentication:
You can then view the Apache server status information:
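As an added example (not part of the original post), the following shell function checks a user/password pair against a password file in the format `htpasswd -m` writes: it recomputes the MD5-based apr1 hash with the stored salt via `openssl passwd -apr1` and compares. It assumes the openssl CLI is installed; the sample file and its password are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: verify a credential against an
# htpasswd file whose entries were created with "htpasswd -m" ($apr1$ hashes,
# the same format "openssl passwd -apr1" produces). Assumes the openssl CLI.
set -u

# Exit status: 0 = USER exists and PASSWORD matches its apr1 hash,
# 1 = wrong password, 2 = user absent or hash is not an apr1 hash
# (e.g. a crypt(3) or bcrypt entry, which this check does not handle).
htpasswd_check() {
    file=$1; user=$2; password=$3
    # entry format: user:$apr1$salt$hash
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")
    [ -n "$stored" ] || return 2
    case "$stored" in
        '$apr1$'*) ;;
        *) return 2 ;;
    esac
    # field 3 of the hash, split on '$', is the salt (at most 8 characters)
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    # recompute with the same salt; equal strings mean the password matches
    computed=$(openssl passwd -apr1 -salt "$salt" "$password")
    [ "$computed" = "$stored" ] && return 0
    return 1
}

# Constructed sample file: the "status" account from the tutorial with a
# throwaway password ("Secret123"), written to a temporary file.
HTPASSWD_SAMPLE=$(mktemp)
printf 'status:%s\n' "$(openssl passwd -apr1 -salt d3m0salt 'Secret123')" \
    > "$HTPASSWD_SAMPLE"

# Example use: the exit status reports the result
htpasswd_check "$HTPASSWD_SAMPLE" status Secret123 && echo "status: password OK"
htpasswd_check "$HTPASSWD_SAMPLE" status wrong || echo "status: password rejected"
```

Pointing it at /etc/httpd/users/.htpasswd lets an administrator confirm a credential offline before debugging a 401 on /server-status.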
2. Provide HTTPS service for the 2nd virtual host above, so that users can access the web site securely through https;
(1) Certificate authentication is required. The certificate must use country (CN), state (Henan), city (Zhengzhou) and organization (stu31);
(2) Set the department to tech, the host name to www2.stu31.com and the mailbox to admin@stu31.com;
HTTPS encrypted transmission configuration process
(A) Build a private CA
[root@www named]# cd /etc/pki/CA/
# Generate the CA private key
[root@www CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...............+++
...........+++
e is 65537 (0x10001)
# Generate the self-signed CA certificate
[root@www CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3560
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:stu31
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:www2.stu31.com
Email Address []:admin@stu31.com
# Create the index database file
[root@www CA]# touch index.txt
# Create the serial number file
[root@www CA]# touch serial
[root@www CA]# echo 01 > serial
[root@www CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
The CA server has been created.
(B) Generate a certificate for the httpd server
# Generate the httpd server private key
[root@www CA]# mkdir /etc/httpd/certs
[root@www CA]# cd /etc/httpd/certs
[root@www certs]# (umask 077; openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...........................................+++
.............................+++
e is 65537 (0x10001)
# Generate the certificate signing request file
[root@www certs]# openssl req -new -key httpd.key -out httpd.csr -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:stu31
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:www2.stu31.com
Email Address []:admin@stu31.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(C) Have the CA sign the httpd server certificate
# The CA server signs the certificate signing request
[root@www certs]# ls
httpd.csr  httpd.key
[root@www certs]# openssl ca -in httpd.csr -out httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 13 05:30:19 2014 GMT
            Not After : Dec 10 05:30:19 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HA
            organizationName          = stu31
            organizationalUnitName    = tech
            commonName                = www2.stu31.com
            emailAddress              = admin@stu31.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                9A:84:73:63:C0:82:7F:45:21:9C:BA:2B:4C:FB:C3:87:7C:BA:63:58
            X509v3 Authority Key Identifier:
                keyid:1C:57:C2:12:E4:D3:A6:4F:9A:7A:C6:53:7F:5B:7B:86:1E:75:0D:57
Certificate is to be certified until Dec 10 05:30:19 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
The locality (ZZ) entered in the request does not appear in the signed subject because the default policy_match section of openssl.cnf does not list localityName; the CA:FALSE constraint and the key identifiers come from its usr_cert extensions.
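As an added example (not part of the original post), this script runs steps (A) to (C) non-interactively in a scratch directory and then performs the checks a browser makes before trusting the site: chain validation, hostname match and key/certificate consistency. It assumes the openssl CLI; it uses `openssl x509 -req -CA` in place of `openssl ca` so that no /etc/pki/CA database is needed, and an extfile reproduces the extensions shown in the signed certificate above.

```shell
#!/bin/sh
# Added example, not from the original post: steps (A) to (C) above driven
# non-interactively, then the checks a browser performs before trusting the
# site. Assumes the openssl CLI. "openssl x509 -req -CA" stands in for
# "openssl ca" so no /etc/pki/CA database is needed.
set -u
WORK=$(mktemp -d)
SUBJ='/C=CN/ST=HA/L=ZZ/O=stu31/OU=tech/CN=www2.stu31.com/emailAddress=admin@stu31.com'

build_pki() {
    # (A) private CA: key created under umask 077, self-signed root, 3560 days
    (umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
        -days 3560 -subj "$SUBJ"
    # (B) httpd private key and certificate signing request with the same DN
    (umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$WORK/httpd.key" -out "$WORK/httpd.csr" -subj "$SUBJ"
    # (C) the CA signs for 3650 days. CA:FALSE stops the server certificate
    # from acting as a CA; the key identifiers let verifiers tell it apart
    # from the CA certificate, which carries the same DN.
    printf '%s\n' 'basicConstraints=CA:FALSE' 'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid,issuer' > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/httpd.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 3650 \
        -extfile "$WORK/leaf.ext" -out "$WORK/httpd.crt" 2>/dev/null
}

# 0 when httpd.crt chains to cacert.pem and its name matches $1
verify_site_cert() {
    openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
        "$WORK/httpd.crt" >/dev/null 2>&1
}

# 0 when httpd.key is the key behind httpd.crt (mod_ssl refuses to start
# otherwise); compared through the public keys each one yields
key_matches_cert() {
    [ "$(openssl x509 -in "$WORK/httpd.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/httpd.key" -pubout)" ]
}

build_pki
verify_site_cert www2.stu31.com && echo "www2.stu31.com: chain and hostname OK"
verify_site_cert www1.stu31.com || echo "www1.stu31.com: name mismatch, browser would warn"
key_matches_cert && echo "httpd.key matches httpd.crt"
```

The same `openssl verify -CAfile cacert.pem -verify_hostname www2.stu31.com httpd.crt` check can be run against the real /etc/httpd/certs/httpd.crt before restarting httpd.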
(D) Configure the HTTPS server for encrypted transmission
By default httpd does not load the ssl module, so the corresponding module package has to be installed:
[root@www certs]# yum install mod_ssl -y
[root@www ~]# rpm -qa mod_ssl
mod_ssl-2.2.15-39.el6.centos.x86_64
After installation, the ssl.conf configuration file is generated in the /etc/httpd/conf.d/ directory. We configure https in this file:
[root@www conf.d]# ls
mod_dnssd.conf  README  ssl.conf  welcome.conf
Configure the ssl.conf file. The important settings are:
[root@www conf.d]# vim /etc/httpd/conf.d/ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost 172.16.31.31:443>
    DocumentRoot "/web/vhosts/www2"
    ServerName www2.stu31.com:443
    SSLEngine on
    SSLCertificateFile /etc/httpd/certs/httpd.crt
    SSLCertificateKeyFile /etc/httpd/certs/httpd.key
</VirtualHost>
Test the file syntax:
[root@www conf.d]# httpd -t
Syntax OK
Restart the httpd service:
[root@www conf.d]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
View the service listening port:
[root@www conf.d]# ss -tunl | grep 443
tcp    LISTEN     0      128                    :::443                  :::*
Test on Windows:
First install the CA certificate on Windows: copy cacert.pem to the Windows machine, rename it to cacert.crt, and install the certificate so the browser trusts certificates issued by our private CA:
Test using the Chrome browser:
The experiment is complete! (* ^__ ^ *)