Tags: httpd-2.4, secure access, https, virtual hosts
Preparation: install httpd on CentOS 7, either with yum or by compiling it yourself; yum is recommended because it is quick and convenient.
Stop the firewall and disable SELinux.
1. Provide two name-based virtual hosts, www1 and www2, each with its own error log and access log;
Create virtual host www1 first.
a. In httpd's auxiliary configuration directory /etc/httpd/conf.d/, create a configuration file belonging to the virtual host:
~]# vim /etc/httpd/conf.d/vhosts-www1.conf
<VirtualHost 192.168.127.128:80>
    DocumentRoot "/myweb/vhosts/www1"
    ServerName www.link1.com
    ErrorLog "/myweb/vhosts/www1/logs/error_log"
    CustomLog "/myweb/vhosts/www1/logs/access_log" combined
</VirtualHost>
<Directory "/myweb/vhosts/www1">
    AllowOverride None
    Options None
    Require all granted
</Directory>
b. With the configuration file in place, create the document root and the log directory:
~]# mkdir /myweb/vhosts/www1/logs -pv
c. Create index.html under the document root and write something into it, and add 192.168.127.128 www.link1.com to the hosts file under C:\Windows\System32\drivers\etc on the local (Windows) machine.
Reload the configuration:
systemctl reload httpd.service
Then open the site in a browser on the local machine.
Look at the access log /myweb/vhosts/www1/logs/access_log; it contains:
192.168.127.1 - - [29/Aug/2017:15:40:00 +0800] "GET /sky/ HTTP/1.1" 200 1319 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0"
The status code is 200: the request succeeded.
Creating virtual host www2 is no different from www1; only the relevant names change. Test it with the browser at the end.
2. Access control
a. Provide status information through www1's /server-status, and allow only the user link to access it;
a-1. Modify www1's configuration file as follows:
<VirtualHost 192.168.127.128:80>
    DocumentRoot "/myweb/vhosts/www1"
    ServerName www.link1.com
    ErrorLog "/myweb/vhosts/www1/logs/error_log"
    CustomLog "/myweb/vhosts/www1/logs/access_log" combined
</VirtualHost>
<Directory "/myweb/vhosts/www1">
    AllowOverride None
    Options None
    AuthType basic
    AuthName "Please input user and password to login,only link has permission to access!!"
    AuthUserFile /etc/httpd/users/.htpasswd
    Require user link
</Directory>
a-2. Create the virtual users with the htpasswd command:
~]# mkdir /etc/httpd/users
~]# htpasswd -c -m /etc/httpd/users/.htpasswd link
~]# htpasswd -m /etc/httpd/users/.htpasswd link1
a-3. Reload the configuration. Opening the address in the browser now prompts for a username and password. Enter the user link and its password, then try the user link1 and its password: only the user link is allowed to log in.
With that, the requirement is met.
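The htpasswd entries created in a-2 can also be written and audited without the interactive prompt. The script below is an added example, not part of the post: it relies on the fact that `htpasswd -m` stores APR1 hashes (`user:$apr1$<salt>$<hash>`) and that `openssl passwd -apr1` produces the same format. It assumes the openssl binary is installed; user names follow the post, the passwords are constructed.

```sh
#!/bin/sh
# Added example (not from the post): maintain and audit an .htpasswd file
# of the kind created with "htpasswd -m" using only openssl.
set -e

# add_user FILE USER PASSWORD: append USER with a fresh random salt,
# replacing any existing line for that user.
add_user() {
    file=$1; user=$2; pass=$3
    hash=$(openssl passwd -apr1 "$pass")      # same APR1 format as htpasswd -m
    touch "$file"
    grep -v "^$user:" "$file" > "$file.tmp" || true   # grep returns 1 on no match
    printf '%s:%s\n' "$user" "$hash" >> "$file.tmp"
    mv "$file.tmp" "$file"
    chmod 640 "$file"    # the post keeps the file outside DocumentRoot; keep it private too
}

# check_password FILE USER PASSWORD: exit 0 only if USER exists and PASSWORD matches.
# Re-hashes the candidate with the stored salt and compares, as mod_auth_basic does.
check_password() {
    file=$1; user=$2; pass=$3
    stored=$(grep "^$user:" "$file" | head -n1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    [ "$(openssl passwd -apr1 -salt "$salt" "$pass")" = "$stored" ]
}

# Stand-alone demo with constructed passwords (only "link" is granted by the post's config).
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    add_user "$f" link  'link-pass'
    add_user "$f" link1 'link1-pass'
    check_password "$f" link 'link-pass' && echo "link: password ok"
    check_password "$f" link 'wrong'     || echo "link: password rejected"
fi
```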
b. www2 must not be accessible from any host on the 192.168.127.0/24 network;
From the access log examined earlier, this host's IP address is 192.168.127.1.
So modify www2's configuration file as follows:
<VirtualHost 192.168.127.128:80>
    DocumentRoot "/myweb/vhosts/www2"
    ServerName www.link2.com
    ErrorLog "/myweb/vhosts/www2/logs/error_log"
    CustomLog "/myweb/vhosts/www2/logs/access_log" combined
    <Directory "/myweb/vhosts/www2">
        AllowOverride None
        Options None
        <RequireAll>
            Require all granted
            Require not ip 192.168.127.0/24
        </RequireAll>
    </Directory>
</VirtualHost>
Compare access from the browser before and after the change.
With that, the required function is implemented.
3. Provide an https service for the www2 virtual host above
Create a private CA, then use it to issue a certificate for this server.
a. Create the private CA
a-1. Create the CA's private key file:
~]# (umask 077 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
a-2. Generate the self-signed CA certificate:
~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3653
a-3. Create the directory layout and text files the CA requires:
~]# touch /etc/pki/CA/index.txt
~]# echo 01 > /etc/pki/CA/serial
b. Issue a certificate for the server
b-1. Create the server's private key file:
~]# mkdir /etc/httpd/conf/ssl
~]# cd /etc/httpd/conf/ssl
ssl]# (umask 077 ; openssl genrsa -out httpd.key 4096)
b-2. Generate the certificate signing request:
ssl]# openssl req -new -key httpd.key -out httpd.csr -days 3653
b-3. Have the CA sign the certificate (done on the host where the CA lives):
ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
With that, the certificate is issued.
c. Install the mod_ssl module:
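The CA and server-certificate steps in a and b, as an added example that is not from the post: a non-interactive version that also puts the host name into a subjectAltName, which current browsers require even when the CA is trusted (a CN-only certificate like the one above is rejected). It signs with `openssl x509 -req` instead of `openssl ca`, so no /etc/pki/CA layout is needed, uses 2048-bit keys for speed, and assumes the openssl binary is installed; www.link2.com and the file names follow the post, the directory is whatever you pass.

```sh
#!/bin/sh
# Added example (not from the post): private CA plus CA-signed server
# certificate with a SAN, then the chain check a browser performs.
set -e

# build_pki DIR HOSTNAME: creates ca.key/ca.crt and httpd.key/httpd.csr/httpd.crt under DIR.
build_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # 1. CA private key, readable only by its owner (same umask trick as the post)
    (umask 077; openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null)
    # 2. self-signed CA certificate; "req -x509" marks it CA:TRUE with the default config
    openssl req -new -x509 -key "$dir/ca.key" -subj "/CN=Example private CA" \
        -days 3653 -out "$dir/ca.crt"
    # 3. server key and certificate signing request
    (umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/httpd.key" -subj "/CN=$host" -out "$dir/httpd.csr"
    # 4. CA signs the request; the SAN extension is supplied through -extfile
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/httpd.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/san.cnf" -out "$dir/httpd.crt" 2>/dev/null
}

# verify_chain CAFILE CERT: succeeds only if CERT chains to CAFILE. A browser that
# does not have ca.crt in its trust store fails this check, which is the
# "untrusted certificate" warning the post describes.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_has_san CERT HOSTNAME: succeeds if the certificate carries DNS:HOSTNAME.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Stand-alone run: build the PKI in a temporary directory and report.
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    build_pki "$d" www.link2.com
    verify_chain "$d/ca.crt" "$d/httpd.crt" && echo "httpd.crt chains to ca.crt"
    cert_has_san "$d/httpd.crt" www.link2.com && echo "SAN DNS:www.link2.com present"
fi
```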
yum -y install mod_ssl
Modify part of the ssl configuration file as follows:
DocumentRoot "/myweb/vhosts/ssl"
ServerName www.link2.com
SSLCertificateFile /etc/httpd/conf/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl/httpd.key
<Directory "/myweb/vhosts/ssl">
    AllowOverride None
    Options None
    Require all granted
</Directory>
Then create the /myweb/vhosts/ssl directory:
~]# mkdir /myweb/vhosts/ssl
~]# echo "welcome to https://www.link2.com" >> /myweb/vhosts/ssl/index.html
Then restart the service.
Plain http access and https access are then compared in the browser.
Because the certificate was issued by our own CA, the browser reports on the first visit that the certificate is untrusted or risky; adding an exception is enough.
Implementing virtual hosts, access control and https with httpd 2.4