Apache httpd: HTTPS, access control, server-status and other features
HTTPS, client side: generate a private key and a certificate request
# pwd
/etc/httpd/ssl
# (umask 077; openssl genrsa -out martin01.key 2048)
# openssl req -new -key martin01.key -out martin01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :cn
State or Province Name (full name) []:zhejiang
Locality Name (eg, city) :ningbo
Organization Name (eg, company) :martin
Organizational Unit Name (eg, section) []:martin
Common Name (eg, your name or your server's hostname) []:martin
Email Address []:martin@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# scp -P 6789 martin01.csr marvin:/mydata/ssl/csr
CA server: sign the certificate request
# openssl ca -in /mydata/ssl/csr/martin01.csr -out /mydata/ssl/crt/martin01.crt -days 800
# scp -P 6789 /mydata/ssl/crt/martin01.crt martin:/etc/httpd/ssl/
Client side: load the SSL modules and include the SSL configuration
# Required modules: mod_log_config, mod_setenvif, mod_ssl,
# socache_shmcb_module (for default value of SSLSessionCache)
# vim /etc/httpd/httpd.conf
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule log_config_module modules/mod_log_config.so
Include /etc/httpd/extra/httpd-ssl.conf
# vim extra/httpd-ssl.conf
DocumentRoot "/www/web/ssl"
ServerName www.ssl.com:443
<Directory "/www/web/ssl">
Options None
AllowOverride all
Require all granted
</Directory>
SSLCertificateFile /etc/httpd/ssl/martin01.crt
SSLCertificateKeyFile /etc/httpd/ssl/martin01.key
# echo ok > /www/web/ssl/index.html
# httpd -t
Syntax OK
# /etc/init.d/httpd restart
If in doubt about certificate creation:
Virtual hosts: load mod_rewrite and include the vhost configuration
# vim /etc/httpd/httpd.conf
LoadModule rewrite_module modules/mod_rewrite.so
Include /etc/httpd/extra/httpd-vhosts.conf
# vim extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/www/web/martin"
ServerName www.martin.com
<Directory "/www/web/martin">
Options None
AllowOverride all
Require all granted
</Directory>
</VirtualHost>
# echo martin > /www/web/martin/index.html
IP-based access control (new in 2.4):
Allow all hosts: Require all granted
Deny all hosts: Require all denied
Control access from a specific host or network:
Require ip IPADDR
Require not ip IPADDR
Require host HOSTNAME
Require not host HOSTNAME
<Directory "/www/web/martin">
Options None
AllowOverride all
Require ip 192.168.1
Require all denied
</Directory>
Note that bare Require lines in a Directory are combined as an implicit RequireAny (OR): "Require all denied" can never grant, so here the "Require ip 192.168.1" line alone decides who gets in.
server-status: load mod_status and include the info configuration
# vim /etc/httpd/httpd.conf
LoadModule status_module modules/mod_status.so
Include /etc/httpd/extra/httpd-info.conf
# vim /etc/httpd/extra/httpd-info.conf
<Location /server-status>
SetHandler server-status
#Require host .example.com
Require ip 127
Require ip 192.168.1
</Location>
This is a handler built into httpd; through server-status you can view the current state of the server. It presents the server's statistics on an HTML page. These usually include, but are not limited to: (1) the number of worker processes that are busy; (2) the number of idle worker processes; (3) the state of each worker, including the number of requests it has served and the number of bytes it has sent; (4) the total number of bytes the server has sent; (5) the time elapsed since the server was last started or restarted; (6) the average requests per second, the average bytes sent per second, and the average bytes per request.
User-based access control:
Basic authentication only takes effect when a Require line consults it ("Require valid-user"); wrapping it in RequireAll with the ip rule makes both the source network and a valid login mandatory, and AuthUserFile must point at the file htpasswd writes.
<Directory "/www/web/martin">
Options None
AuthType Basic
AuthName "Admin status"
AuthUserFile /etc/httpd/.htpasswd
AllowOverride all
<RequireAll>
Require ip 192.168.1
Require valid-user
</RequireAll>
</Directory>
# /usr/local/apache/bin/htpasswd -m -c /etc/httpd/.htpasswd admin
New password:
Re-type new password:
Adding password for user admin
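As an added example (not from the original post or from httpd), the following Python model of how Apache 2.4 combines Require lines shows why the IP-based block above and the Basic-auth block behave as they do: bare lines form an implicit RequireAny (OR), while a RequireAll container ANDs them. The directive lists and client addresses are constructed for illustration, and the evaluator covers only "all", "ip" and "valid-user".

```python
import ipaddress
from typing import List, Optional

# Constructed model of Apache 2.4 authorization; not httpd's own code.
# Supports "Require all granted|denied", "Require ip ..." and "Require valid-user".

def _ip_matches(spec: str, client: str) -> bool:
    """Match a client address against one 'Require ip' argument.
    Accepts CIDR (192.168.1.0/24) or Apache's partial dotted form
    (192.168.1 -> 192.168.1.0/24, 127 -> 127.0.0.0/8)."""
    if "/" not in spec:
        octets = spec.split(".")
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)

def require(line: str, client_ip: str, user: Optional[str]) -> bool:
    """Evaluate one Require line. `user` is the authenticated login, or None."""
    words = line.split()
    if not words or words[0] != "Require":
        raise ValueError(f"not a Require line: {line}")
    kind, args = words[1], words[2:]
    if kind == "all":
        return args == ["granted"]          # "all denied" can never grant
    if kind == "ip":
        return any(_ip_matches(a, client_ip) for a in args)
    if kind == "valid-user":
        return user is not None             # only this line consults Basic auth
    raise ValueError(f"unsupported Require type: {kind}")

def authorize(lines: List[str], client_ip: str, user: Optional[str],
              require_all: bool = False) -> bool:
    """Bare Require lines in a <Directory> form an implicit <RequireAny>:
    access is granted if ANY line grants. Inside <RequireAll> every line
    must grant."""
    results = [require(ln, client_ip, user) for ln in lines]
    return all(results) if require_all else any(results)

# The IP-only block from the post: "Require all denied" is a no-op under OR.
IP_BLOCK = ["Require ip 192.168.1", "Require all denied"]
# A Basic-auth block with no "Require valid-user": the password file is never consulted.
AUTH_BLOCK_NO_VALID_USER = ["Require ip 192.168.1", "Require all denied"]
# Hardened form: inside <RequireAll>, both the network and a login are needed.
AUTH_BLOCK_HARDENED = ["Require ip 192.168.1", "Require valid-user"]

if __name__ == "__main__":
    print(authorize(IP_BLOCK, "192.168.1.50", None))                  # True
    print(authorize(AUTH_BLOCK_NO_VALID_USER, "192.168.1.50", None))   # True: auth skipped
    print(authorize(AUTH_BLOCK_HARDENED, "192.168.1.50", None, True))  # False
```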