Tags: building https
CentOS 6 mainly ships httpd 2.2, while CentOS 7 ships httpd 2.4, and the two versions differ in a few respects: in 2.2 the event MPM is still in its testing stage, whereas in 2.4 the event MPM is ready for production use; and 2.2 does not support dynamically loading and unloading modules, while 2.4 does.
Building the httpd service on CentOS 6.7; the main features to implement are:
① create two virtual hosts, www1 and www2, each with its own error log and access log;
② make www1's server-status page show status information, but allow only the user link to access it;
③ restrict access to www2: other hosts are allowed, but the 192.168.1.0/24 address range is denied;
④ provide an https service for www2.
First create the two virtual hosts: under /etc/httpd/conf.d/ create two vhost fragment files, vhosts-www1.conf and vhosts-www2.conf.
Write the main configuration of the fragment file vhosts-www1.conf, namely DocumentRoot, ServerName, ErrorLog and CustomLog, and set the access control for its server-status so that only the user link is allowed; its document root is created under /myweb/vhosts/www1.
Fragment file vhosts-www1.conf (screenshot in the original).
Create the www1 document root and the corresponding error-log and access-log directories; use the htpasswd command to create the virtual user's password.
The -c option is needed only the first time the user file is created; -m means the password is hashed with the MD5 one-way algorithm (screenshot in the original).
www1 result: home page and server-status page (screenshots in the original).
Write the main configuration of the fragment file vhosts-www2.conf (screenshot in the original).
With the Order access control in place, test it with telnet, for example (screenshots in the original):
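The two CentOS 6 fragments described above, as an added example that is not the original post's files (the post shows its configs only in screenshots): www.wujunqi2.com, 192.168.1.0/24, the user link and the htpasswd options come from the page; the www1 ServerName, the per-host log directories under /var/log/httpd and the htpasswd file path are assumptions.

```shell
# Added example (not the original post's files): the two httpd 2.2 fragments for CentOS 6.
# Assumed: www1 ServerName, /var/log/httpd/<host> log dirs, AUTH_FILE path.
set -eu
CONF_DIR="${CONF_DIR:-/etc/httpd/conf.d}"
AUTH_FILE="${AUTH_FILE:-/etc/httpd/conf.d/.htpasswd}"
write_www1_conf() {
    cat > "$CONF_DIR/vhosts-www1.conf" <<EOF
# 2.2 needs this once for name-based hosts sharing a socket
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.wujunqi1.com
    DocumentRoot "/myweb/vhosts/www1"
    ErrorLog "/var/log/httpd/www1/error_log"
    CustomLog "/var/log/httpd/www1/access_log" combined
    <Directory "/myweb/vhosts/www1">
        Order allow,deny
        Allow from all
    </Directory>
    # server-status lists client IPs and requested URLs, so it stays behind auth
    <Location /server-status>
        SetHandler server-status
        AuthType Basic
        AuthName "www1 status"
        AuthUserFile "$AUTH_FILE"
        Require user link
    </Location>
</VirtualHost>
EOF
}
write_www2_conf() {
    cat > "$CONF_DIR/vhosts-www2.conf" <<EOF
<VirtualHost *:80>
    ServerName www.wujunqi2.com
    DocumentRoot "/myweb/vhosts/www2"
    ErrorLog "/var/log/httpd/www2/error_log"
    CustomLog "/var/log/httpd/www2/access_log" combined
    <Directory "/myweb/vhosts/www2">
        # allow,deny: Allow lines are evaluated first, then Deny overrides them
        Order allow,deny
        Allow from all
        Deny from 192.168.1.0/24
    </Directory>
</VirtualHost>
EOF
}
# -c only on the first run (it creates the file); -m hashes with MD5 as on the page.
create_status_user() { htpasswd -c -m "$AUTH_FILE" link; }
# Document roots and per-host log directories must exist before httpd is reloaded.
make_dirs() { for h in www1 www2; do mkdir -p "/myweb/vhosts/$h" "/var/log/httpd/$h"; done; }
```

On the server, run make_dirs, write_www1_conf, write_www2_conf and create_status_user in that order, then reload httpd.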
www2 result (screenshot in the original).
To reach the site by domain name, add a record for that name to the Windows hosts file, e.g.:
172.16.72.4 www.wujunqi2.com
Configure the https service for the www2 virtual host:
First generate the private key and the certificate signing request on the client side (here the web server host, which is the client of the CA; screenshots in the original).
Use scp to send the client's certificate request to the private CA (screenshot in the original).
Install mod_ssl with yum install mod_ssl; mod_ssl is a prerequisite for https.
Build the private CA:
Place the private key and the public key (the CA certificate) at the expected paths:
Private key: /etc/pki/CA/private/cakey.pem
Public key: /etc/pki/CA/cacert.pem
Create the two files the private CA needs under /etc/pki/CA:
echo 01 > serial
touch index.txt
Use scp to send the issued client certificate back to the client.
Client side (screenshot in the original).
Export the server-side private CA's public key (cacert.pem) to the local Windows machine and import it into the browser's certificate store, e.g. in Google's browser (screenshot in the original).
On the client, in /etc/httpd/conf.d/ssl.conf (screenshot in the original):
Set the path of the client's private key and the path of the certificate issued after signing with the directives SSLCertificateKeyFile and SSLCertificateFile respectively.
https configuration result (screenshot in the original).
Building the httpd service on CentOS 7.0; the main features to implement are:
① create two virtual hosts, www1 and www2, each with its own error log and access log;
② make www1's server-status page show status information, but allow only the user link to access it;
③ restrict access to www2: other hosts are allowed, but the 192.168.1.0/24 address range is denied;
④ provide an https service for www2.
Under /etc/httpd/conf.d on CentOS 7 create the fragment files vhosts-www1.conf and vhosts-www2.conf.
vhosts-www1.conf (screenshot in the original):
The httpd on CentOS 7 is version 2.4, and its fragment files are written much the same way. The difference is that on CentOS 6.7, if no access control is specified, the default is to allow everyone, whereas on CentOS 7 the default when nothing is specified is to allow nothing, so no IP can reach the page:
Require all granted: every IP may access;
Require all denied: no IP may access.
Setting the access control for server-status is the same as on CentOS 6.
Create the document root and put the page files in it (screenshot in the original).
Create the error-log and access-log directories (screenshot in the original).
Reload the httpd configuration:
systemctl reload httpd.service
www1 result: home page and server-status page (screenshots in the original).
vhosts-www2.conf (screenshot in the original):
When allowing and denying hosts at the same time, the Require lines have to be placed inside a <RequireAll></RequireAll> block.
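The httpd 2.4 forms of the same two fragments for CentOS 7, as an added example and not the original post's files; it also parses httpd -v output so the Require-style config is not installed on a 2.2 host. The www1 ServerName and the log and htpasswd paths are assumptions; www.wujunqi2.com, 192.168.1.0/24 and the RequireAll rule are from the page.

```shell
# Added example (not the original post's files): the same hosts for httpd 2.4 on CentOS 7.
# Assumed: www1 ServerName, /var/log/httpd/<host> log dirs, AUTH_FILE path.
set -eu
CONF_DIR="${CONF_DIR:-/etc/httpd/conf.d}"
AUTH_FILE="${AUTH_FILE:-/etc/httpd/conf.d/.htpasswd}"
# Turns "httpd -v" output such as "Server version: Apache/2.4.6 (CentOS)" into "2.4",
# so Require-style fragments are never installed on a 2.2 host that does not understand them.
httpd_minor_version() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9]*\.[0-9]*\).*#\1#p'
}
write_www1_conf_24() {
    cat > "$CONF_DIR/vhosts-www1.conf" <<EOF
<VirtualHost *:80>
    ServerName www.wujunqi1.com
    DocumentRoot "/myweb/vhosts/www1"
    ErrorLog "/var/log/httpd/www1/error_log"
    CustomLog "/var/log/httpd/www1/access_log" combined
    <Directory "/myweb/vhosts/www1">
        # 2.4 default is deny; without this line nobody reaches the site
        Require all granted
    </Directory>
    # the Basic-auth <Location /server-status> block is unchanged from the 2.2 fragment
</VirtualHost>
EOF
}
write_www2_conf_24() {
    cat > "$CONF_DIR/vhosts-www2.conf" <<EOF
<VirtualHost *:80>
    ServerName www.wujunqi2.com
    DocumentRoot "/myweb/vhosts/www2"
    ErrorLog "/var/log/httpd/www2/error_log"
    CustomLog "/var/log/httpd/www2/access_log" combined
    <Directory "/myweb/vhosts/www2">
        # Both lines must hold. Outside <RequireAll> Require lines are OR-ed
        # (implicit RequireAny), and a negated Require there is a config error.
        <RequireAll>
            Require all granted
            Require not ip 192.168.1.0/24
        </RequireAll>
    </Directory>
</VirtualHost>
EOF
}
# Version gate, then httpd -t before reload: a bad fragment would otherwise stop httpd.
install_24() {
    v=$(httpd_minor_version "$(httpd -v)")
    [ "$v" = "2.4" ] || { echo "need httpd 2.4, found ${v:-unknown}" >&2; return 1; }
    write_www1_conf_24 && write_www2_conf_24 && httpd -t && systemctl reload httpd.service
}
```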
Create the document root and the log directories (screenshot in the original).
Verify the syntax with httpd -t (screenshot in the original).
Reload the httpd configuration:
systemctl reload httpd.service
www2 result (screenshot in the original).
Configuring https for www2:
Build the private CA (screenshots in the original).
Client configuration:
yum install httpd
yum install mod_ssl
vim /etc/httpd/conf.d/ssl.conf
mkdir -p /myweb/vhosts/www2
Create an index.html file in that directory.
Create the client's private key and generate the certificate signing request file (screenshots in the original).
Send the httpd.csr file to the server side (the CA) and issue the certificate (screenshot in the original).
Send that certificate back to the client, copy the server-side CA's public key to Windows, and import it into the certificate store of the browser that will visit the site.
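The private-CA procedure used in both the CentOS 6 and the CentOS 7 sections above, written out as an added shell example rather than the post's own commands. The CA paths, serial, index.txt and httpd.csr follow the page; SRV_DIR, the certificate subjects and the small ca.cnf that pins openssl ca to that directory are assumptions, and the signing step adds a subjectAltName, which the post does not mention.

```shell
# Added example (not the post's own commands): private CA, server key/CSR, signing, verify.
# Assumed: SRV_DIR, the certificate subjects and ca.cnf; CA paths, serial, index.txt and
# httpd.csr follow the page. Override the variables to run the flow in a scratch directory.
set -eu
CA_DIR="${CA_DIR:-/etc/pki/CA}"
SRV_DIR="${SRV_DIR:-/etc/httpd/ssl}"
SRV_NAME="${SRV_NAME:-www.wujunqi2.com}"
# CA side: key (0600), self-signed cert, serial and index.txt as on the page, plus a
# minimal config so "openssl ca" uses this directory whatever the distro default is.
init_ca() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 3650 -key "$CA_DIR/private/cakey.pem" \
        -subj "/CN=Private Root CA" -out "$CA_DIR/cacert.pem"
    echo 01 > "$CA_DIR/serial"
    : > "$CA_DIR/index.txt"
    cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = myca
[ myca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
}
# Web server side: the private key never leaves the host; only httpd.csr goes to the CA.
make_server_csr() {
    mkdir -p "$SRV_DIR"
    (umask 077; openssl genrsa -out "$SRV_DIR/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$SRV_DIR/httpd.key" -subj "/CN=$SRV_NAME" -out "$SRV_DIR/httpd.csr"
}
# CA side: sign httpd.csr. A SAN is added because browsers match the hostname against
# subjectAltName, not the CN, so a CN-only certificate is rejected by current browsers.
sign_csr() {
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$SRV_NAME" > "$SRV_DIR/ext.cnf"
    openssl ca -batch -notext -config "$CA_DIR/ca.cnf" -extfile "$SRV_DIR/ext.cnf" \
        -in "$SRV_DIR/httpd.csr" -out "$SRV_DIR/httpd.crt"
}
# Check the chain before pointing SSLCertificateFile/SSLCertificateKeyFile at the files.
verify_cert() { openssl verify -CAfile "$CA_DIR/cacert.pem" "$SRV_DIR/httpd.crt" >/dev/null; }
```

httpd.key and httpd.crt are the files ssl.conf's SSLCertificateKeyFile and SSLCertificateFile point at; cacert.pem is what gets imported into the browser.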
Client and browser results (screenshots in the original).