Apache 2.4: virtual hosts, SSL, and user-based access control

Date: 2022-06-28 12:57:34

Environment note: this post builds on the earlier post about compiling and installing httpd 2.4.

1. Virtual hosts

1.1 Name-based (by hostname)

[root@burgess apache]# vim /etc/httpd24/httpd.conf

Include /etc/httpd24/extra/httpd-vhosts.conf   # enable virtual hosts
#DocumentRoot "/www/htdocs"                    # comment out the central (main) host

[root@burgess apache]# cd /etc/httpd24/extra
[root@burgess extra]# vim httpd-vhosts.conf

# comment out everything already in the file, then add the virtual hosts

<VirtualHost *:80>
#   ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/Vhosts/www.rocky.com"
    ServerName www.rocky.com
    ErrorLog "logs/www.rocky.com-error_log"
    CustomLog "logs/www.rocky.com-access_log" common
    # the <Directory> path must be this host's own DocumentRoot: httpd 2.4
    # denies access to any directory that is not explicitly granted
    <Directory "/Vhosts/www.rocky.com">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
#   ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/Vhosts/www.rocky.org"
    ServerName www.rocky.org
    ErrorLog "logs/www.rocky.org-error_log"
    CustomLog "logs/www.rocky.org-access_log" common
    <Directory "/Vhosts/www.rocky.org">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

Save and quit, then check the syntax with httpd -t.

[root@burgess ~]# mkdir -pv /Vhosts/www.rocky.{com,org}     # create the DocumentRoot directories
mkdir: created directory `/Vhosts'
mkdir: created directory `/Vhosts/www.rocky.com'
mkdir: created directory `/Vhosts/www.rocky.org'

[root@burgess ~]# vim /Vhosts/www.rocky.org/index.html      # content: <h1>Like A Fish In Water</h1>
[root@burgess ~]# vim /Vhosts/www.rocky.com/index.html      # content: <h1>Beauty lies in the lover's eyes</h1>

Save and quit, check the syntax with httpd -t, then restart: service httpd24 restart

Requesting each hostname from the command line returns the matching page:

[root@burgess ~]# curl http://www.rocky.com
<h1>Beauty lies in the lover's eyes</h1>

[root@burgess ~]# curl http://www.rocky.org
<h1>Like A Fish In Water</h1>

These are name-based virtual hosts on a test machine, so to view them in a browser, add the hostnames and the VM's IP address to the local hosts file. On Windows the path is /c/windows/system32/drivers/etc/hosts; if the file cannot be edited in place, copy it out, edit it, and copy it back.

 

1.2 IP-based (environment: eth0 172.16.249.120:80; eth0:0 172.16.249.121)

[root@burgess ~]# vim /etc/httpd24/extra/httpd-vhosts.conf

<VirtualHost 172.16.249.120:80>
#   ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/Vhosts/www.rocky.com"
    ServerName www.rocky.com
    ErrorLog "logs/www.rocky.com-error_log"
    CustomLog "logs/www.rocky.com-access_log" common
    # <Directory> must match this host's DocumentRoot, otherwise httpd 2.4 answers 403
    <Directory "/Vhosts/www.rocky.com">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost 172.16.249.121:80>
#   ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/Vhosts/www.rocky.org"
    ServerName www.rocky.org
    ErrorLog "logs/www.rocky.org-error_log"
    CustomLog "logs/www.rocky.org-access_log" common
    <Directory "/Vhosts/www.rocky.org">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

[root@burgess ~]# service httpd24 restart

Entering each IP address in the browser shows the corresponding page.

 

1.3 Port-based

[root@burgess ~]# vim /etc/httpd24/extra/httpd-vhosts.conf

<VirtualHost 172.16.249.120:80>
#   ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/Vhosts/www.rocky.com"
    ServerName www.rocky.com
    ErrorLog "logs/www.rocky.com-error_log"
    CustomLog "logs/www.rocky.com-access_log" common
    # <Directory> must match this host's DocumentRoot, otherwise httpd 2.4 answers 403
    <Directory "/Vhosts/www.rocky.com">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost 172.16.249.120:8080>
#   ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/Vhosts/www.rocky.org"
    ServerName www.rocky.org
    ErrorLog "logs/www.rocky.org-error_log"
    CustomLog "logs/www.rocky.org-access_log" common
    <Directory "/Vhosts/www.rocky.org">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

[root@burgess ~]# vim /etc/httpd24/httpd.conf

Listen 80
Listen 8080      # every port used by a <VirtualHost> needs its own Listen

[root@burgess ~]# service httpd24 restart

Now entering IP:port in the browser returns the corresponding content.
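A pre-restart check for the three vhost layouts above, written as an added example for this post (it is not part of the original post or of httpd): it parses an httpd-vhosts.conf fragment and reports a <VirtualHost> that listens on a port with no Listen directive, and a host whose DocumentRoot is granted by no <Directory> block, the mistake that makes httpd 2.4 answer 403. The embedded configuration is a constructed copy of this post's hosts with that mismatch left in.

```python
import re

# Constructed sample: this post's two hosts, with the www.rocky.com host's
# <Directory> path left pointing at www.rocky.org so the check has a finding,
# and the second host on :8080 (section 1.3) to exercise the Listen check.
SAMPLE_VHOSTS = """
<VirtualHost *:80>
    DocumentRoot "/Vhosts/www.rocky.com"
    ServerName www.rocky.com
    <Directory "/Vhosts/www.rocky.org">
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost 172.16.249.120:8080>
    DocumentRoot "/Vhosts/www.rocky.org"
    ServerName www.rocky.org
    <Directory "/Vhosts/www.rocky.org">
        Require all granted
    </Directory>
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIR_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>', re.I)


def directive(body, name):
    """First uncommented value of `name` inside a vhost body, or None."""
    m = re.search(rf'^\s*{name}\s+"?([^"\s]+)', body, re.M | re.I)
    return m.group(1) if m else None


def parse_vhosts(text):
    """One dict per <VirtualHost>: address, ServerName, DocumentRoot, <Directory> paths."""
    return [{
        "addr": addr.strip(),
        "server_name": directive(body, "ServerName"),
        "document_root": directive(body, "DocumentRoot"),
        "directories": DIR_RE.findall(body),
    } for addr, body in VHOST_RE.findall(text)]


def lint_vhosts(text, listen_ports):
    """Return human-readable findings; an empty list means the fragment is consistent."""
    findings = []
    for h in parse_vhosts(text):
        addr = h["addr"]
        port = int(addr.rsplit(":", 1)[1]) if ":" in addr else 80
        if port not in listen_ports:
            findings.append(f"{h['server_name']}: port {port} has no matching Listen directive")
        if h["document_root"] not in h["directories"]:
            # httpd 2.4's default <Directory /> is "Require all denied": 403 for an ungranted root
            findings.append(f"{h['server_name']}: no <Directory> block grants access to DocumentRoot {h['document_root']}")
    return findings
```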

 

 

2. User-based access control (the authentication method is Basic; the protected content is /www/htdocs/index.html, which was created earlier and is not created again here)

(a) First check that /etc/httpd24/httpd.conf contains the following important modules and that they are enabled:

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so

#Include /etc/httpd24/extra/httpd-vhosts.conf   # make sure the virtual host include is commented out

(b) Define the security realm

[root@burgess ~]# vim /etc/httpd24/httpd.conf

<Directory "/www/htdocs/">
    Options None
    AllowOverride None
#   Require all granted
    AuthType Basic                             # authentication type
    AuthName "AdminArea"                       # realm name, free-form
    AuthUserFile /etc/httpd24/users/.htpasswd  # credential file holding the usernames and password hashes; unrelated to /etc/passwd; usually a hidden file. The path is arbitrary, but the directory in front of .htpasswd must exist (create it if it does not)
    Require valid-user                         # allow every user that has a password in the file. To allow only specific users, write "Require user Wade Bosh" (further users are listed after them). Note the difference in syntax between allowing all valid users and listing users
</Directory>

(c) Create the credential file and the directory it needs

[root@Burgess htdocs]# mkdir -p /etc/httpd24/users      # the directory must exist before htpasswd can create the file
[root@Burgess htdocs]# htpasswd -c -m /etc/httpd24/users/.htpasswd Wade   # use -c only when creating the file for the first user
New password:          # the password is burgess
Re-type new password:
Adding password for user Wade

[root@Burgess htdocs]# htpasswd -m /etc/httpd24/users/.htpasswd Bosh
New password:          # the password is burgess
Re-type new password:
Adding password for user Bosh
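The realm above decides access in two steps: authentication (the credentials against AuthUserFile) and authorization (the Require line). The following is an added example, not code from this post or from httpd, that models that decision: it builds the Authorization header a client sends for Wade or Bosh, checks it against a constructed .htpasswd, and applies Require valid-user versus Require user. The sample file uses the {SHA} scheme (htpasswd -s) because the standard library can verify it; the post's -m entries use apr1 MD5, which this example deliberately does not verify.

```python
import base64
import hashlib
import hmac


def sha_entry(user, password):
    """One .htpasswd line in the {SHA} scheme, as written by `htpasswd -s`."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


# Constructed credential file: the two users from this post, password "burgess".
HTPASSWD = "\n".join([sha_entry("Wade", "burgess"), sha_entry("Bosh", "burgess")])


def load_htpasswd(text):
    """user -> stored hash, skipping blank and comment lines."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users


def verify_password(stored, password):
    if stored.startswith("{SHA}"):
        digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        return hmac.compare_digest(stored[5:], digest)
    return False  # apr1 ($apr1$), bcrypt ($2y$) and crypt entries are not handled here


def basic_header(user, password):
    """What the client sends: base64 of user:password, an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorize(auth_header, users, require, forbidden_on_failure=False):
    """Status httpd answers for the protected <Directory>: 401 when credentials are
    missing or wrong, then `Require valid-user` or `Require user A B`. An authenticated
    but unlisted user also gets 401 unless AuthzSendForbiddenOnFailure is On."""
    if not auth_header or not auth_header.startswith("Basic "):
        return 401
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401
    if user not in users or not verify_password(users[user], password):
        return 401
    words = require.split()
    if words == ["valid-user"] or (words[0] == "user" and user in words[1:]):
        return 200
    return 403 if forbidden_on_failure else 401
```

Because the header is only base64, anyone on the path sees the password; that is why section 3 moves the site to TLS.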

 

3. SSL configuration

(1) Create a private CA (work in the /etc/pki/CA directory)

[root@burgess CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
[root@burgess CA]# openssl req -new -x509 -key private/cakey.pem -days 19890 -out cacert.pem
[root@burgess CA]# echo 01 > serial    # serial numbers start at 1
[root@burgess CA]# touch index.txt

(2) Generate a certificate for the server

[root@burgess CA]# mkdir /etc/httpd/certs
[root@burgess CA]# cd /etc/httpd/certs
[root@burgess certs]# (umask 077; openssl genrsa -out httpd.key 2048)
[root@burgess certs]# openssl req -new -key httpd.key -out httpd.csr -days 19890
[root@burgess certs]# openssl ca -in httpd.csr -out httpd.crt -days 19890

For the detailed steps see http://burgess8909.blog.51cto.com/9607271/1588151

(3) Configure httpd to use the certificate

[root@Burgess conf]# yum install mod_ssl -y    # install the module package; it is not installed by default
[root@Burgess ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf     # its configuration file
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem

[root@Burgess ~]# ss -tnl
LISTEN    0      128        :::443        :::*       # port 443 is now listening; if it is not, restart httpd

Edit /etc/httpd24/extra/httpd-ssl.conf and enable or check the following:

LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost IP:PORT>
    ServerName www.burgess.com:443
    DocumentRoot "/www/sslhost"      # the DocumentRoot may be changed, e.g. to /www/sslhost
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW    # "!" removes a group, "+" moves it into the list
    SSLEngine on                     # enables SSL for this host
    SSLCertificateFile /etc/httpd/certs/httpd.crt        # path to the certificate issued by the CA above
    SSLCertificateKeyFile /etc/httpd/certs/httpd.key     # path to the private key generated above
</VirtualHost>
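The SSLCipherSuite value above dates from an old default and still admits RC4 and the LOW group, which current guidance treats as broken. As an added example (not from this post or from httpd), the code below resolves a cipher string with the same OpenSSL rules mod_ssl applies and lists the suites a reviewer would reject, so a candidate value can be checked before it goes into httpd-ssl.conf. It assumes a Python built against OpenSSL; which suites appear depends on that OpenSSL build.

```python
import ssl

# Constructed copies: the value from this post and a hardened replacement.
PAGE_CIPHERS = "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW"
HARDENED_CIPHERS = "HIGH:!aNULL:!MD5:!RC4:!3DES"


def expand_cipher_string(spec):
    """Resolve an OpenSSL cipher string as mod_ssl would and return the enabled
    TLS 1.2-and-below suites as (name, strength_bits); None if OpenSSL rejects it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return None
    return [(c["name"], c["strength_bits"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_ciphers(spec, min_bits=128):
    """Suites a reviewer rejects: RC4, (3)DES, NULL, or below min_bits of strength."""
    suites = expand_cipher_string(spec)
    if suites is None:
        return None
    return [name for name, bits in suites
            if bits < min_bits or any(tag in name for tag in ("RC4", "DES", "NULL"))]


def is_acceptable(spec):
    """True only when the string parses and enables no weak suite."""
    return weak_ciphers(spec) == []


if __name__ == "__main__":
    for label, spec in (("page", PAGE_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        print(label, "weak suites:", weak_ciphers(spec))
```

On a modern OpenSSL the page string may resolve with no RC4 or LOW suite at all simply because the library no longer ships them; the point is that the hardened string never relies on that.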

Save and quit, check the syntax, reload, and look at tail /var/log/httpd/error_log: it reports that the path /www/sslhost does not exist. Create it and give it an index.html page:

[root@Burgess ~]# mkdir /www/sslhost24 -pv
[root@Burgess ~]# vim /www/sslhost24/index.html
<h1>Lovers don't finally meet somewhere. They're in each other all along</h1>

Change the DocumentRoot in /etc/httpd/conf/httpd.conf to /www/sslhost.

Enter 172.16.249.120 in the browser: it reports that your connection is not private. This happens for two reasons: the local machine does not trust the CA, so the CA certificate must be imported locally; and the certificate was issued for the name www.burgess.com, not for the IP address being requested.

Import the CA certificate (/etc/pki/CA/cacert.pem) locally: copy it to the local machine, rename cacert.pem to cacert.crt, double-click it, choose Install, and select the certificate store.

Address does not match the certificate holder: add www.burgess.com and its IP address to the hosts file. On Windows the path is /c/windows/system32/drivers/etc/hosts; if the file cannot be edited in place, copy it out, edit it, and copy it back.

Visit www.burgess.com again and the page is served normally.

For curl, add the IP address and hostname to /etc/hosts.

This article is from the “西来龙象” blog; please keep this attribution: http://burgess8909.blog.51cto.com/9607271/1592382