源码安装httpd2.4及实现用户访问控制及https的实现
实验环境:CentOS release 6.6(Final) 1台
Windows XP 1台
IP地址:
172.16.31.8 http1.stu31.com web服务器端
172.16.31.188 Windows XP 测试客户端
WindowsXP 安装了chrom浏览器和系统自带的IE浏览器
软件版本:
httpd-2.4.9.tar.bz2
一.实验准备阶段:
程序开发包组安装
1
2
# yum groupinstallDevelopment Tools
# yum groupinstall ServerPlatform Development
支持正则表达式包安装:
1
# yum install -y pcre-devel
安装openssl的开发包:
1
# yum install –yopenssl-devel
二.DNS搭建
安装bind
1
# yum install bind
配置主配置文件:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package toconfigure the ISC BIND named(8) DNS
// server as a caching only nameserver (asa localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ forexample named configuration files.
//
options {
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query { localhost; };
recursion yes;
// dnssec-enable yes;
// dnssec-validation yes;
// dnssec-lookaside auto;
/* Path to ISC DLV key */
/*bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
*/
};
logging {
channel default_debug {
file"data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include"/etc/named.rfc1912.zones";
include "/etc/named.root.key";
配置主区域文件:
1
2
3
4
5
# vim/etc/named.rfc1912.zones
zone "stu31.com" IN {
type master;
file "stu31.com.zone";
};
创建区域解析库文件:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# cd /var/named
# vim stu31.com.zone
$TTL 600
$ORIGIN stu31.com.
@ IN SOA ns1.stu31.com.admin.stu31.com. (
2014121501
1H
5M
3D
6H)
IN NS ns1.stu31.com.
IN MX 5 mail
ns1 IN A 172.16.31.8
www IN A 172.16.31.8
www1 IN A 172.16.31.8
mail IN A 172.16.31.8
pop3 IN CNAME mail
iamp4IN CNAME mail
区域文件语法检查:
1
2
3
# named-checkzonestu31.com stu31.com.zone
zone stu31.com/IN: loaded serial 2014121501
OK
启动DNS服务:
1
2
3
# service named start
Generating /etc/rndc.key:
Starting named:
测试DNS服务器:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# dig -t SOA stu31.com@172.16.31.8
; <<>> DiG9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t SOA stu31.com@172.16.31.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY,status: NOERROR, id: 5919
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1,AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;stu31.com. IN SOA
;; ANSWER SECTION:
stu31.com. 600 IN SOA ns1.stu31.com.admin.stu31.com. 2014121501 3600 300 259200 21600
;; AUTHORITY SECTION:
stu31.com. 600 IN NS ns1.stu31.com.
;; ADDITIONAL SECTION:
ns1.stu31.com. 600 IN A 172.16.31.8
;; Query time: 0 msec
;; SERVER: 172.16.31.8#53(172.16.31.8)
;; WHEN: Mon Dec 15 12:07:37 2014
;; MSG SIZE rcvd: 103
三.源码安装httpd-2.4.9
1.获取源码程序包及依赖程序源码apr及apr-util
1
2
3
4
# ls
anaconda-ks.cfg apr-util-1.5.3.tar.bz2install.log
apr-1.5.0.tar.bz2httpd-2.4.9.tar.bz2 install.log.syslog
# tar xf apr-1.5.0.tar.bz2
2.编译安装apr:
1
2
3
4
# ./configure--prefix=/usr/local/apr
# make &&make install
# ls /usr/local/apr/
bin build-1includelib
3.编译安装apr-util:
# tar xfapr-util-1.5.3.tar.bz2
# cd apr-util-1.5.3
需要告诉apr在哪里:
1
2
# ./configure --prefix=/usr/local/apr-util--with-apr=/usr/local/apr
#make && make install
4.编译安装httpd-2.4.9:
httpd2.2已经安装了,需要卸载,不卸载就需要将httpd-2.4安装在独立目录:
解压源码包:
# tar xf httpd-2.4.9.tar.bz2
# cd httpd-2.4.9
查看帮助:
# ./configure--help |less
重要常用选项介绍:
支持DSO装载:--enable-so
支持ssl加密:--enable-ssl
支持通用网关接口:--enable-cgi
支持URL重写:--enable-rewrite
使用特定压缩库:--with-zlib
支持扩展正则表达式:--with-pcre
程序依赖包apr:--with-apr
程序依赖包arp-util:--with-apr-util
模块启用,启用大多数:--enable-modules=most
编译安装:
1
2
# ./configure--prefix=/usr/local/apache --sysconfdir=/etc/httpd24 --enable-so--enable-ssl --enable-cgi--enable-rewrite --with-zlib --with-pcre --with-apr=/usr/local/apr--with-apr-util=/usr/local/apr-util --enable-modules=most--enable-mpms-shared=all --with-mpm=prefork
#make &&make install
1
2
3
4
5
6
7
# vim/etc/profile.d/httpd24.sh
export PATH=/usr/local/apache/bin:$PATH
# source/etc/profile.d/httpd24.sh
# echo $PATH
/usr/local/apache/bin:/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
# which apachectl
/usr/local/apache/bin/apachectl
测试安装模块:
核心模块:
1
2
3
4
5
# httpd -l
Compiled in modules:
core.c
mod_so.c
http_core.c
全部模块:可以知道MPM模式已经动态模块化了。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# httpd -M
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
authn_file_module (shared)
authn_core_module (shared)
authz_host_module (shared)
authz_groupfile_module (shared)
authz_user_module (shared)
authz_core_module (shared)
access_compat_module (shared)
auth_basic_module (shared)
reqtimeout_module (shared)
filter_module (shared)
mime_module (shared)
log_config_module (shared)
env_module (shared)
headers_module (shared)
setenvif_module (shared)
version_module (shared)
mpm_prefork_module (shared)
unixd_module (shared)
status_module (shared)
autoindex_module (shared)
dir_module (shared)
alias_module (shared)
启动httpd服务:
1
# apachectl start
查看服务监听端口:
1
2
# ss -tnl |grep 80
LISTEN 0 128 :::80 :::*
5.配置一个简单的web网页测试:
1
2
3
4
5
6
7
8
9
10
# vim /etc/httpd24/httpd.conf
ServerRoot "/www/htdocs/"
Pidfile"/var/run/httpd/httpd.pid"
ServerName www.stu31.com:80
DocumentRoot "/www/htdocs"
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
6.服务脚本创建:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
# cat/etc/rc.d/init.d/httpd24
#!/bin/bash
#
# httpd24 Startup script for the Apache HTTPServer
#
# chkconfig: - 85 15
# description: The Apache HTTP Server is anefficient and extensible
# server implementing the currentHTTP standards.
# processname: httpd
# config: /etc/httpd/conf/httpd.conf
# config: /etc/sysconfig/httpd
# pidfile: /var/run/httpd/httpd.pid
#
### BEGIN INIT INFO
# Provides: httpd
# Required-Start: $local_fs $remote_fs$network $named
# Required-Stop: $local_fs $remote_fs$network
# Should-Start: distcache
# Short-Description: start and stop ApacheHTTP Server
# Description: The Apache HTTP Server is anextensible server
# implementing the current HTTP standards.
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
#if [ -f /etc/sysconfig/httpd ]; then
# . /etc/sysconfig/httpd
#fi
# Start httpd in the C locale by default.
HTTPD_LANG=${HTTPD_LANG-"C"}
# This will prevent initlog from swallowingup a pass-phrase prompt if
# mod_ssl needs a pass-phrase from theuser.
INITLOG_ARGS=""
# Set HTTPD=/usr/sbin/httpd.worker in/etc/sysconfig/httpd to use a server
# with the thread-based "worker"MPM; BE WARNED that some modules may not
# work correctly with a thread-based MPM;notably PHP will refuse to start.
# Path to the apachectl script, serverbinary, and short-form for messages.
apachectl=/usr/local/apache/bin/apachectl
httpd=${HTTPD-/usr/local/apache/bin/httpd}
prog=httpd
pidfile=${PIDFILE-/var/run/httpd/httpd.pid}
lockfile=${LOCKFILE-/var/lock/subsys/httpd}
RETVAL=0
STOP_TIMEOUT=${STOP_TIMEOUT-10}
# The semantics of these two functions differfrom the way apachectl does
# things -- attempting to start whilerunning is a failure, and shutdown
# when not running is also a failure.So we just do it the way init scripts
# are expected to behave here.
start() {
echo -n $"Starting $prog: "
LANG=$HTTPD_LANG daemon --pidfile=${pidfile} $httpd $OPTIONS
RETVAL=$?
echo
[ $RETVAL = 0 ] && touch ${lockfile}
return $RETVAL
}
# When stopping httpd, a delay (of default10 second) is required
# before SIGKILLing the httpd parent; thisgives enough time for the
# httpd parent to SIGKILL any errantchildren.
stop() {
echo -n $"Stopping $prog: "
killproc -p ${pidfile} -d ${STOP_TIMEOUT} $httpd
RETVAL=$?
echo
[ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}
reload() {
echo -n $"Reloading $prog: "
if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t >&/dev/null; then
RETVAL=6
echo $"not reloading due to configuration syntax error"
failure $"not reloading $httpd due to configuration syntaxerror"
else
# Force LSB behaviour from killproc
LSB=1 killproc -p ${pidfile} $httpd -HUP
RETVAL=$?
if [ $RETVAL -eq 7 ]; then
failure $"httpd shutdown"
fi
fi
echo
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status -p ${pidfile} $httpd
RETVAL=$?
;;
restart)
stop
start
;;
condrestart|try-restart)
if status -p ${pidfile} $httpd >&/dev/null; then
stop
start
fi
;;
force-reload|reload)
reload
;;
graceful|help|configtest|fullstatus)
$apachectl $@
RETVAL=$?
;;
*)
echo $"Usage: $prog{start|stop|restart|condrestart|try-restart|force-reload|reload|status|fullstatus|graceful|help|configtest}"
RETVAL=2
esac
exit $RETVAL
7.添加到启动项并启动服务
1
2
3
4
# chkconfig --add httpd24
# chkconfig httpd24 on
# service httpd24 start
Starting httpd:
成功启动
四:基于IP的虚拟主机配置;
1.创建web网页存放目录:
1
2
3
4
# mkdir /web/vhosts/www1 -pv
mkdir: created directory `/web'
mkdir: created directory `/web/vhosts'
mkdir: created directory `/web/vhosts/www1'
2.加入测试网页:
1
2
3
4
# vim/web/vhosts/www1/index.html
/web/vhosts/www1172.16.31.8:80
# mkdir /web/vhosts/www2
# echo "access from192" > /web/vhosts/www2/index.html
3.修改httpd主配置文件
注释掉主服务器部分,开启虚拟主机
1
2
3
4
5
6
7
8
# vim /etc/httpd24/httpd.conf
ServerRoot "/usr/local/apache/"
Pidfile"/var/run/httpd/httpd.pid"
Listen 80
#ServerName www.stu31.com:80
#DocumentRoot "/www/htdocs"
# Virtual hosts
Include/etc/httpd24/extra/httpd-vhosts.conf
4.编辑基于IP的虚拟主机
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# vim/etc/httpd24/extra/httpd-vhosts.conf
DocumentRoot "/web/vhosts/www1"
ServerName www.stu31.com
ErrorLog "/web/vhosts/www1/www1-error_log"
CustomLog "/web/vhosts/www1/www1-access_log" common
Require all granted
DocumentRoot "/web/vhosts/www2"
ServerName www.stu31.com
ErrorLog "/web/vhosts/www2/www1-error_log"
CustomLog "/web/vhosts/www2/www1-access_log" common
Require all granted
5.添加一个ip地址,用于测试不同ip的返回结果:
1
2
3
4
5
6
7
8
# ip addr add 192.168.31.8/24dev eth0
# ip addr show eth0
2: eth0:
mtu 1500 qdisc pfifo_fast state UP qlen1000
link/ether 08:00:27:7c:87:48 brd ff:ff:ff:ff:ff:ff
inet 172.16.31.8/16 brd 172.16.255.255 scope global eth0
inet 192.168.31.8/24 scope global eth0
inet6 fe80::a00:27ff:fe7c:8748/64 scope link
valid_lft forever preferred_lft forever
6.启动服务进行测试:
1
2
3
4
5
6
7
# service httpd24restart
Stopping httpd:
Starting httpd:
# curl 192.168.31.8
access from 192
# curl 172.16.31.8
/web/vhosts/www1172.16.31.8:80
五.基于端口的虚拟主机搭建
1.编辑虚拟主机配置文件,添加端口,小小的修改一下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# vim/etc/httpd24/extra/httpd-vhosts.conf
Listen 8080
DocumentRoot "/web/vhosts/www1"
ServerName www.stu31.com
ErrorLog "/web/vhosts/www1/www1-error_log"
CustomLog "/web/vhosts/www1/www1-access_log" common
Require all granted
DocumentRoot "/web/vhosts/www2"
ServerName www.stu31.com
ErrorLog "/web/vhosts/www2/www1-error_log"
CustomLog "/web/vhosts/www2/www1-access_log" common
Require all granted
2.重启服务测试
1
2
3
4
5
6
7
8
# service httpd24restart
Stopping httpd:
Starting httpd:
# curl 172.16.31.8:80
/web/vhosts/www1172.16.31.8:80
# curl 172.16.31.8:8080
access from 192
#
六.基于域名的虚拟主机
1.修改一下测试网页,以便分辨
1
2
3
4
5
# cat/web/vhosts/www1/index.html
/web/vhosts/www1172.16.31.8:80
# cat/web/vhosts/www2/index.html
/web/vhost/www2 www1.stu31.com
2.在虚拟主机配置文件中定义
在httpd2.2版本定义基于域名的虚拟主机时,需要加入如下现象,在2.4则不再需要,直接定义即可
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# vim/etc/httpd24/extra/httpd-vhosts.conf
DocumentRoot "/web/vhosts/www1"
ServerName www.stu31.com
ErrorLog "/web/vhosts/www1/www1-error_log"
CustomLog "/web/vhosts/www1/www1-access_log" common
Require all granted
DocumentRoot "/web/vhosts/www2"
ServerName www1.stu31.com
ErrorLog "/web/vhosts/www2/www2-error_log"
CustomLog "/web/vhosts/www2/www2-access_log" common
Require all granted
3.重启服务测试
1
2
3
4
5
6
7
8
9
# service httpd24restart
Stopping httpd:
Starting httpd:
# curl www.stu31.com
/web/vhosts/www1172.16.31.8:80
# curl www1.stu31.com
/web/vhost/www2 www1.stu31.com
六.用户访问控制实现
1.我们需要对www.stu31.com的状态信息网页进行用户访问控制:
查看编译有没有状态信息模块:
1
2
# ls/usr/local/apache/modules/ |grep mod_status
mod_status.so
2.我们需要在网页查看apache的状态信息,apache状态信息模块是默认开启的
1
2
# vim /etc/httpd24/httpd.conf
LoadModule status_modulemodules/mod_status.so
1
2
3.
编辑虚拟主机配置文件,修改第一个虚拟主机
1
2
3
4
5
6
7
8
9
10
11
12
13
14
# vim/etc/httpd24/extra/httpd-vhosts.conf
DocumentRoot "/web/vhosts/www1"
ServerName www.stu31.com
ErrorLog "/web/vhosts/www1/www1-error_log"
CustomLog "/web/vhosts/www1/www1-access_log" common
SetHandler server-status
Authtype Basic
Authname "status area"
AuthUserFile /etc/httpd24/users/.htpasswd
Require valid-user
4.创建配置文件中需要的用户控制认证文件
1
2
3
4
5
# mkdir /etc/httpd24/users
# htpasswd -c -m/etc/httpd24/users/.htpasswd status
New password:
Re-type new password:
Adding password for user status
5.重启服务进行测试
1
2
3
# service httpd24 restart
Stopping httpd:
Starting httpd:
七.实现网站https加密传输
要求:我们针对www1.stu31.com实现https加密认证传输
1.mod_ssl模块的检查存在和装载
1
2
# ls/usr/local/apache/modules/ |grep mod_ssl
mod_ssl.so
2.构建私有CA服务器
# cd /etc/pki/CA/
私钥文件建立:
1
2
3
4
5
# (umask 077 ; opensslgenrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit longmodulus
...............+++
.............................+++
e is 65537 (0x10001)
自签署证书构建:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# openssl req -new -x509-key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter informationthat will be incorporated
into your certificate request.
What you are about to enter is what iscalled a Distinguished Name or a DN.
There are quite a few fields but you canleave some blank
For some fields there will be a defaultvalue,
If you enter '.', the field will be leftblank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:HA
Locality Name (eg, city) :ZZ
Organization Name (eg, company) :stu31
Organizational Unit Name (eg, section)[]:ops
Common Name (eg, your name or your server'shostname) []:www1.stu31.com
Email Address []:mail@stu31.com
CA服务器索引库构建:
1
# touch index.txt
CA服务器序列号文件:
1
2
3
4
# touch serial
# echo 01 >serial
# ls
cacert.pem certscrlindex.txt newcertsprivateserial
3.web服务器证书申请
1
2
# mkdir /etc/httpd24/certs
# cd /etc/httpd24/certs
web服务器私钥生成:
1
2
3
4
5
# (umask 077; opensslgenrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit longmodulus
...............+++
............................................................+++
e is 65537 (0x10001)
web服务器证书请求生成:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# openssl req -new -keyhttpd.key -out httpd.csr -days 3650
You are about to be asked to enterinformation that will be incorporated
into your certificate request.
What you are about to enter is what iscalled a Distinguished Name or a DN.
There are quite a few fields but you canleave some blank
For some fields there will be a defaultvalue,
If you enter '.', the field will be leftblank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:HA
Locality Name (eg, city) :ZZ
Organization Name (eg, company) :stu31
Organizational Unit Name (eg, section)[]:ops
Common Name (eg, your name or your server'shostname) []:www1.stu31.com
Email Address []:mail@stu31.com
Please enter the following 'extra'attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4.CA服务器签署web服务器的证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# openssl ca -inhttpd.csr -out httpd.crt -days 3650
Using configuration from/etc/pki/tls/openssl.cnf
Check that the request matches thesignature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 15 05:48:01 2014 GMT
Not After : Dec 12 05:48:01 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = HA
organizationName = stu31
organizationalUnitName = ops
commonName =www1.stu31.com
emailAddress =mail@stu31.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C4:87:AD:7C:62:92:A1:DA:6D:40:BE:F8:4C:EC:2F:2E:71:9B:D7:35
X509v3 Authority Key Identifier:
keyid:D9:4A:F1:A1:16:F2:5F:89:49:C5:0B:93:B5:B3:11:57:0A:DA:2F:54
Certificate is to be certified until Dec 1205:48:01 2024 GMT (3650 days)
Sign the certificate? :y
1 out of 1 certificate requests certified, commit?y
Write out database with 1 new entries
Data Base Updated
5.httpd服务器开启https加密传输
修改主配置文件加载如下模块及开启httpd的ssl:
1
2
3
4
5
# vim/etc/httpd24/httpd.conf
LoadModule socache_shmcb_modulemodules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
# Secure (SSL/TLS) connections
Include /etc/httpd24/extra/httpd-ssl.conf
配置ssl配置文件,开启https传输:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# vim/etc/httpd24/extra/httpd-ssl.conf
DocumentRoot "/web/vhosts/www2"
ServerName www1.stu31.com:443
ServerAdmin mail@stu31.com
ErrorLog"/usr/local/apache/logs/error_log"
TransferLog"/usr/local/apache/logs/access_log"
SSLEngine on
SSLCertificateFile"/etc/httpd24/certs/httpd.crt"
SSLCertificateKeyFile"/etc/httpd24/certs/httpd.key"
6.检查语法,重新启动httpd服务测试:
1
2
3
4
5
# httpd -t
Syntax OK
# service httpd restart
Stopping httpd:
Starting httpd:
将CA服务器的证书发送给客户端
客户端安装证书进行测试:
实验成功,整个源码编译安装apache httpd-2.4.9完成了!!!
页:
[1]