web服务之Apache实现的https访问
本文旨在实践httpd-2.4基于域名的虚拟主机配置,让指定用户访问站点状态信息,并为站点提供https服务。知识储备
HTTPS协议
HTTPS协议就是“HTTP协议”和“SSL/TLS”协议的结合,HTTP over SSL”或“HTTP over TLS”,对http协议的文本数据进行加密处理后,成为二进制形式传输.
SSL会话简化过程
(1) 客户端发送可供选择的加密方式,并向服务器请求证书;
(2) 服务器端发送证书以及选定的加密方式给客户端;
(3) 客户端取得证书并进行证书验正:
如果信任给其发证书的CA机构:则
(a) 验正证书来源的合法性;用CA的公钥解密证书上数字签名;
(b) 验正证书的内容的合法性:完整性验正
(c) 检查证书的有效期限;
(d) 检查证书是否被吊销;
(e) 证书中拥有者的名字,与访问的目标主机要一致;
(4) 客户端生成临时会话密钥(对称密钥),并使用服务器端的公钥加密此数据发送给服务器,
完成密钥交换;
(5) 服务用此密钥加密用户请求的资源,响应给客户端;
注意:SSL会话是基于IP地址创建;所以单IP的主机上,仅可以使用一个https虚拟主机;
SSL/TLS协议模型
环境准备
1.操作系统及软件
2台 Centos 7.2 x86_64
httpd:httpd-2.4.6-40.el7.centos.x86_64
2.IP地址
172.16.52.51/16 web服务
172.16.52.1/6CA证书颁发机构
2.提供2个基于域名的虚拟主机
域名 www1.linux.com、www2.linux.com
站点目录:/web/vhosts/www{1,2}
访问日志:/var/log/httpd/www{1,2}/www{1,2}.access_log
错误日志:/var/log/httpd/www{1,2}/www{1,2}.error_log
3.输出www1.linux.com的状态信息,且要求只允许提供账号的用户访问
4.www1不允许10.0.0.0/24网络中的主机访问
5.为www2提供https服务。
注意:关闭防火墙和selinux
安装httpd并配置虚拟主机
1.安装httpd
1
# yum -y install httpd
2.注释主配置文件的DocumentRoot
1
2
# grep "#DocumentRoot" /etc/httpd/conf/httpd.conf
#DocumentRoot "/var/www/html"
3.配置虚拟主机
1
2
3
4
5
6
7
8
9
10
11
12
# cat www1.conf
<VirtualHost *:80>
ServerName www1.linux.com
DocumentRoot "/web/vhosts/www1"
CustomLog "/var/log/httpd/www1/www1.access_log" combined
ErrorLog "/var/log/httpd/www1/www1.error_log"
<Directory "/web/vhosts/www1">
Options None
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
www2的配置与此并无差别,不在不再赘述
配置站点主页
1
2
3
# cat /web/vhosts/www{1,2}/index.html
www1 websit http://www1.linux.com
www2 websit http://www2.linux.com
4.检查并启动服务
1
2
3
# httpd -t
Syntax OK
# systemctl start httpd.service
5.测试
1
2
# curl www1.linux.com
www1 websit http://www1.linux.com
1
2
# curl www2.linux.com
www2 websit http://www2.linux.com
6.输出www1.linux.com的状态信息,且要求只允许提供账号的用户访问
6.1 编辑www1的虚拟主机文件:添加一个<Location></Location>标签
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# cat www1.conf
<VirtualHost *:80>
ServerName www1.linux.com
DocumentRoot "/web/vhosts/www1"
CustomLog "/var/log/httpd/www1/www1.access_log" combined
ErrorLog "/var/log/httpd/www1/www1.error_log"
<Directory "/web/vhosts/www1">
Options None
AllowOverride None
Require all granted
</Directory>
<Location "/server-status">
SetHandler server-status
AuthType basic
AuthName "For Adminstrator"
AuthUserFile "/etc/httpd/conf/.htpasswd"
Require user tom
</Location>
</VirtualHost>
6.2 提供账号和密码存储文件
1
2
3
4
# htpasswd -c -m /etc/httpd/conf/.htpasswd tom
New password:
Re-type new password:
Adding password for user tom
6.3 测试:
浏览器输入http://www1.linux.com/server-status
7. www1不允许10.0.0.0/24网络中的主机访问
配置www1虚拟主机,在<Directory></Directory>标签段内添加<RequireAll>段
1
2
3
4
5
6
7
8
<Directory "/web/vhosts/www1">
Options None
AllowOverride None
<RequireAll>
Require all granted
Require not ip 10.0.0.0/24
</RequireAll>
</Directory>
实现虚拟主机 www2 https访问
在172.16.52.1 CA服务器上:
1. 配置CA证书颁发机构
1.1 查看openssl相关文件
1
2
3
4
5
6
7
# cd /etc/pki/CA
# ll
total 16
drwxr-xr-x. 2 root root 4096 Jul 24 03:09 certs
drwxr-xr-x. 2 root root 4096 Jul 24 03:09 crl
drwxr-xr-x. 2 root root 4096 Jul 24 03:09 newcerts
drwx------. 2 root root 4096 Jul 24 03:09 private
1.2 使用openssl生成CA私钥
1
2
3
4
5
# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
....................................................................................................................................................+++
.....................................................................................+++
e is 65537 (0x10001)
1.3 使用openssl给CA服务器生成自签名证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) :Beijing
Organization Name (eg, company) :magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.test.com
Email Address []:ca@test.com
1.4 创建CA相关目录和文件,指定序列号起始数字
1
2
3
# touch index.txt#新建索引文件
# touch serial #建立序列号文件
# echo 01 > serial #写入起始序列号
web服务器创建申请证书
2. 创建申请证书
2.1 在web服务器配置目录创建ssl目录
1
# mkdir /etc/httpd/ssl
2.2 生成httpd 服务私钥
1
2
3
4
5
# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
..................++++++
..............................++++++
e is 65537 (0x10001)
1
2
3
# ll /etc/httpd/ssl/httpd.key
-rw------- 1 root root 887 Jul 14 15:29 /etc/httpd/ssl/httpd.key
2.3 生成证书签署请求文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) :Beijing
Organization Name (eg, company) :magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www1.linux.com
Email Address []:ops@admin.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
2.4 把httpd申请证书发送到CA颁发机构上
1
2
3
# scp httpd.csr 172.16.52.1:/tmp
root@172.16.52.1's password:
httpd.csr 100%696 0.7KB/s 00:00
2.5 在CA端为给客户端签名并颁发正式
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# openssl ca -in httpd.csr -out httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 15 18:13:23 2015 GMT
Not After : Dec 12 18:13:23 2025 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = magedu
organizationalUnitName = ops
commonName = www1.linux.com
emailAddress = ops@admin.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D0:C4:3B:E1:C4:59:25:D4:0E:DF:AF:83:9C:48:D6:A8:D9:CC:27:27
X509v3 Authority Key Identifier:
keyid:67:CC:F6:A8:E6:0B:73:CE:6C:A1:6D:B8:A6:99:1F:CA:7A:A3:D3:AB
Certificate is to be certified until Dec 12 18:13:23 2025 GMT (3650 days)
Sign the certificate? :y
1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated
1
2
3
# ll httpd*
-rw-r--r-- 1 root root 3830 Dec 16 02:15 httpd.crt
-rw-r--r-- 1 root root696 Dec 16 02:12 httpd.csr
2.6 将生成的证书复制到web服务器上
1
# scp httpd.crt root@172.16.52.51:/etc/httpd/ssl
2.7 web服务器查看收到的证书
1
2
3
4
5
# ll
total 12
-rw-r--r-- 1 root root 3830 Dec 162015 httpd.crt
-rw-r--r-- 1 root root696 Jul 14 16:01 httpd.csr
-rw------- 1 root root887 Jul 14 16:00 httpd.key
3. web服务器配置ssl模块
3.1装载mod_ssl
1
# yum -y install mod_ssl
3.2 修改ssl配置文件
配置/etc/httpd/conf.d/ssl.conf
DocumentRoot
1
2
# sed -n "/^DocumentRoot/p" /etc/httpd/conf.d/ssl.conf
DocumentRoot "/web/vhosts/www2"
ServerName
1
2
# sed -n "/^ServerName/p" /etc/httpd/conf.d/ssl.conf
ServerName www2.linux.com:443
<Directory "">
1
2
3
4
5
6
# sed -n "186,190p" /etc/httpd/conf.d/ssl.conf
<Directory "/web/vhosts/www2">
Options None
AllowOverride None
Require all granted
</Directory>
SSLCertificateFile
SSLCertificateKeyFile
1
2
3
# sed -n '101p;109p' /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
3.3 重启httpd服务
1
2
3
# systemctl restart httpd.service
# ss -tnlp|grep 443
LISTEN 0 128 :::443 :::* users:(("httpd",pid=2475,fd=6),("httpd",pid=2474,fd=6),("httpd",pid=2473,fd=6),("httpd",pid=2472,fd=6),("httpd",pid=2471,fd=6),("httpd",pid=2469,fd=6))
3.5 浏览器访问
这是证书未收信任,把httpd.crt证书导入浏览器就好了.
页:
[1]