Tags: https user authentication
Blog assignment: implement the following with httpd-2.2 and with httpd-2.4
1. Set up an httpd service that meets these requirements:
(1) Provide two name-based virtual hosts, www1 and www2, each with its own error log and access log;
(2) Serve status information at /server-status on www1, and allow only the user tom to access it;
(3) www2 must not allow access from any host in the 192.168.0.0/24 network;
2. Provide HTTPS for the second virtual host above.
Preparation:
172.16.1.1 tests httpd-2.4 (CentOS 7)
172.16.1.2 tests httpd-2.2 (CentOS 6)
172.16.1.3 acts as the CA server and issues certificates to the other two hosts
SELinux and iptables are temporarily turned off
Generate the CA server's own private key, in preparation for making its own root certificate
[[email protected] ~]# cd /etc/pki/CA
[[email protected] CA]# (umask 077; openssl genrsa 2048 > private/cakey.pem)
cakey.pem is the CA's own private key.
## Because this is a private CA and every certificate will share the same country, province and organization, pre-fill these defaults now so that signing later is convenient (the default signing policy requires C, ST and O to match the CA certificate)
[[email protected] CA]# vim /etc/pki/tls/openssl.cnf
countryName_default = CN
stateOrProvinceName_default = Beijing
localityName_default = Shangdi
0.organizationName_default = M19
organizationalUnitName_default = Jishu
Generate the self-signed certificate (root CA)
[[email protected] CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
Common Name (eg, your name or your server's hostname) []:haizei.zou.com
Define your own host name here; it is best to use the host name or a resolvable domain name.
Prepare the CA's database and related files
[[email protected] CA]# mkdir -p /etc/pki/CA/{certs,crl,newcerts}
[[email protected] CA]# touch /etc/pki/CA/{serial,index.txt}
[[email protected] CA]# echo 01 > /etc/pki/CA/serial
On httpd 2.2 (CentOS 6)
Generate the server's own private key and certificate request, and send the request to the root CA for signing
[[email protected] www2]# mkdir /etc/httpd/conf/.ssh
[[email protected] www2]# cd /etc/httpd/conf/.ssh
[[email protected] .ssh]# (umask 077; openssl genrsa 4096 > http.key)
[[email protected] .ssh]# openssl req -new -key http.key -out httpd.csr
The root CA signs the certificate and sends it back
[[email protected] ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
[[email protected] ~]# scp /etc/pki/CA/certs/httpd.crt [email protected]:/etc/httpd/conf/.ssh
Edit the main configuration file to enable name-based (FQDN) virtual hosts
[[email protected] ~]# vim /etc/httpd/conf/httpd.conf
NameVirtualHost 172.16.1.2:80
Configure httpd to support SSL
~]# yum -y install mod_ssl
Configure virtual host 2
[[email protected] www2]# vim /etc/httpd/conf/ssl.conf
<VirtualHost _default_:443>
    # SSLEngine on is already present in the stock ssl.conf shipped by mod_ssl
    ServerName www2.zou.com
    DocumentRoot /data/vhosts/www2
    ErrorLog logs/ssl_www2-error_log
    LogLevel warn
    TransferLog logs/ssl_www2_access_log
    SSLCertificateFile /etc/httpd/conf/.ssh/httpd.crt
    SSLCertificateKeyFile /etc/httpd/conf/.ssh/http.key
</VirtualHost>
<Directory /data/vhosts/www2>
    Options None
    AllowOverride None
    Order deny,allow
    Deny from 192.168.0.0/24
</Directory>
Configure virtual host 1
[[email protected] www2]# vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.1.2:80>
    ServerName www1.zou.com
    DocumentRoot /data/vhosts/www1
    ErrorLog logs/www1-error_log
    LogLevel warn
    CustomLog logs/www1-access_log combined
    <Directory /data/vhosts/www1>
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName "Server-status"
    AuthBasicProvider file
    AuthUserFile "/etc/httpd/conf/.htpasswd"
    Require user tom
</Location>
Prepare the authentication for user tom
[[email protected] www2]# htpasswd -c -m /etc/httpd/conf/.htpasswd tom
Restart the service
~]# service httpd restart
On httpd 2.4 (CentOS 7)
Generate the server's own private key and certificate request, and send the request to the root CA for signing
[[email protected] www2]# mkdir /etc/httpd/conf/.ssh
[[email protected] www2]# cd /etc/httpd/conf/.ssh
[[email protected] .ssh]# (umask 077;openssl genrsa 4096 > http.key)
[[email protected] .ssh]# openssl req -new -key http.key -out httpd.csr
Common Name (eg, your name or your server's hostname) []:www2.zou.com
[[email protected] .ssh]# scp httpd.csr [email protected]:/mnt
The root CA signs the certificate and sends it back
[[email protected] ~]# openssl ca -in /mnt/httpd.csr -out /etc/pki/CA/certs/httpd002.crt
[[email protected] ~]# scp /etc/pki/CA/certs/httpd002.crt [email protected]:/etc/httpd/conf/.ssh
Back on the web server
[[email protected] ~]# cd /etc/httpd/conf/.ssh;cp httpd002.crt httpd.crt
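As an added example (not from the original post), the following sh script replays the CA flow used in both the 2.2 and 2.4 sections non-interactively in a scratch directory, then runs the checks worth doing before the returned httpd.crt is installed: the chain verifies against cacert.pem, the subject CN equals the vhost ServerName, and the certificate's public key belongs to http.key. The host names and DN values are the post's; the minimal openssl.cnf, the 2048-bit keys and the added subjectAltName are assumptions made for this example.

```shell
build_and_verify() {
    ca="$1"   # scratch directory standing in for /etc/pki/CA (assumed)
    mkdir -p "$ca/private" "$ca/certs" "$ca/crl" "$ca/newcerts"
    touch "$ca/index.txt"; echo 01 > "$ca/serial"
    # Minimal openssl.cnf (assumed). policy_match is why the post pre-fills the *_default
    # fields: CA and server DNs must share C and O. SAN added because browsers ignore a bare CN.
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
x509_extensions = v3_srv
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ v3_srv ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www2.zou.com
EOF
    # CA side: root key and self-signed root cert (2048-bit keys keep the run short)
    (umask 077; openssl genrsa 2048 > "$ca/private/cakey.pem" 2>/dev/null)
    openssl req -new -x509 -key "$ca/private/cakey.pem" -days 3650 \
        -config "$ca/openssl.cnf" -subj "/C=CN/O=M19/CN=haizei.zou.com" -out "$ca/cacert.pem"
    # web server side: key and CSR for www2; then the CA signs it as the post does
    (umask 077; openssl genrsa 2048 > "$ca/http.key" 2>/dev/null)
    openssl req -new -key "$ca/http.key" -config "$ca/openssl.cnf" \
        -subj "/C=CN/O=M19/CN=www2.zou.com" -out "$ca/httpd.csr"
    openssl ca -batch -config "$ca/openssl.cnf" -days 365 -in "$ca/httpd.csr" \
        -out "$ca/certs/httpd.crt" >/dev/null 2>&1
    # Checks: chain verifies, CN matches the vhost ServerName, cert public key == http.key
    openssl verify -CAfile "$ca/cacert.pem" "$ca/certs/httpd.crt" >/dev/null || return 1
    openssl x509 -noout -subject -in "$ca/certs/httpd.crt" | grep -q 'CN *= *www2.zou.com' || return 1
    k=$(openssl pkey -in "$ca/http.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -noout -pubkey -in "$ca/certs/httpd.crt" | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Run it with `build_and_verify "$(mktemp -d)" && echo verified`; the same three checks apply unchanged to the real /etc/pki/CA and /etc/httpd/conf/.ssh paths.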
Install the httpd SSL module
[[email protected] ~]# yum install mod_ssl -y
Configure the HTTPS virtual host (www2)
[[email protected] ~]# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
    # SSLEngine on is already present in the stock ssl.conf shipped by mod_ssl
    ServerName www2.zou.com
    DocumentRoot /data/vhosts/www2
    ErrorLog logs/ssl_www2-error_log
    LogLevel warn
    TransferLog logs/ssl_www2_access_log
    SSLCertificateFile /etc/httpd/conf/.ssh/httpd.crt
    SSLCertificateKeyFile /etc/httpd/conf/.ssh/http.key
</VirtualHost>
<Directory /data/vhosts/www2>
    <RequireAll>
        Require all granted
        Require not ip 192.168.0.0/24
    </RequireAll>
</Directory>
Configure the www1 virtual host
[[email protected] ~]# vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.1.1:80>
    ServerName www1.zou.com
    DocumentRoot /data/vhosts/www1
    ErrorLog logs/www1-error_log
    LogLevel warn
    CustomLog logs/www1-access_log combined
    <Directory /data/vhosts/www1>
        Require all granted
    </Directory>
</VirtualHost>
<Location /server-status>
    SetHandler server-status
    # Only Require directives may appear inside <RequireAll>; the Auth* directives
    # belong to the enclosing section, and "Require user tom" alone already restricts access
    AuthType Basic
    AuthName "Server-status"
    AuthBasicProvider file
    AuthUserFile "/etc/httpd/conf/.htpasswd"
    Require user tom
</Location>
Create the login user tom for authentication
[[email protected] vhosts]# htpasswd -c -m /etc/httpd/conf/.htpasswd tom
Reload the service
[[email protected] .ssh]# systemctl reload httpd
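Added example, not from the original post: a small awk lint for the 2.2-to-2.4 access-control move shown above. It reports leftover Order/Allow/Deny directives (which need mod_access_compat and mix badly with Require), a user or group Require whose section has no AuthType, and non-Require directives placed inside <RequireAll>. The two sample configs are constructed to resemble the post's www1.conf and are not from the post.

```shell
lint_httpd24() {   # reads an httpd 2.4 config on stdin, prints one finding per line
    awk '
    NF == 0 || $1 ~ /^#/ { next }
    tolower($1) ~ /^(order|allow|deny|satisfy|namevirtualhost)$/ {
        print "line " NR ": 2.2-style " $1 " (needs mod_access_compat); use Require instead" }
    tolower($0) ~ /^[ \t]*<(location|directory|files)[ >]/ { auth = 0; ru = 0 }
    tolower($1) == "authtype" { auth = 1 }
    tolower($1) == "require" && tolower($2) ~ /^(user|valid-user|group)$/ { ru = NR }
    tolower($0) ~ /^[ \t]*<\/(location|directory|files)>/ && ru && !auth {
        print "line " ru ": user/group Require but no AuthType in its section (500 at request time)" }
    tolower($0) ~ /^[ \t]*<require(all|any|none)>/ { depth++; next }
    tolower($0) ~ /^[ \t]*<\/require(all|any|none)>/ { depth--; next }
    depth > 0 && tolower($1) != "require" {
        print "line " NR ": " $1 " not allowed inside <RequireAll>/<RequireAny> (httpd will not start)" }
    '
}
# Constructed sample: the post-style Location carried over with 2.2 directives and
# Auth* lines inside <RequireAll>, plus a Directory that authorizes a user without AuthType.
BAD_CONF='<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Allow from all
    <RequireAll>
        Require all granted
        AuthType Basic
        Require user tom
    </RequireAll>
</Location>
<Directory /data/vhosts/www2>
    Require valid-user
</Directory>'
# Constructed sample: the corrected form, which should produce no findings.
GOOD_CONF='<Location /server-status>
    SetHandler server-status
    AuthType Basic
    AuthName "Server-status"
    AuthBasicProvider file
    AuthUserFile /etc/httpd/conf/.htpasswd
    Require user tom
</Location>'
count_findings() { printf "%s\n" "$1" | lint_httpd24 | grep -c .; }
```

Pipe a real file in with `lint_httpd24 < /etc/httpd/conf.d/www1.conf`; `httpd -t` still gives the authoritative verdict, this lint only names the cause.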
This article comes from the “北極的linux” blog; please keep this source reference: http://941012521.blog.51cto.com/9253690/1826533