web服务搭建(apache)以及https的实现
内容:1、httpd版本以及安装
2、httpd的配置文件详解
3、httpd的用户身份验证实现
4、httpd的虚拟主机的实现
5、https的通信过程以及实现演示
1、httpd版本以及安装
centos默认的httpd版本是2.2,而centos默认的httpd版本是2.4,这里演示的是centos6的httpd-2.2版本
安装的方式有两种,一个是rpm包安装,一个是编译安装,编译安装相关的配置文件需要手动设置,这里演示的是rpm包安装
httpd2.2和2.4的区别:
2.2的MPM是非DSO机制,不支持LoadModule进行切换;
2.2和2.4的基于IP的访问控制机制命令格式有所不同
虚拟主机配置格式有点不同:
基于ServerName的虚拟主机,要使用专用指令NameVirtualHost;
2、httpd的配置文件详解
# rpm -ql httpd
/etc/httpd
/etc/httpd/conf
/etc/httpd/conf.d
/etc/httpd/conf.d/README
/etc/httpd/conf.d/welcome.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/conf/magic
/etc/httpd/logs
/etc/httpd/modules
/etc/httpd/run
/usr/lib64/httpd
/usr/sbin/httpd
/usr/sbin/httpd.event
/usr/sbin/httpd.worker
/var/log/httpd
/var/run/httpd
/var/www/html httpd的主要配置文件有几类:
应用程序的文件:/usr/sbin/httpd
配置文件:/etc/httpd/conf.d/*.conf和/etc/httpd/conf/httpd.conf
日志文件:/var/log/httpd
web资源主目录:/var/www/html
这里对/etc/httpd/conf/httpd.conf文件进行详细的说明,因为绝大部分的web服务设置都是在该配置文件进行完成的。
注意:配置文件里的对本地文件系统文件的引用一般要加上""双引号进行引用。
主配置文件位置: /etc/httpd/conf/httpd.conf
httpd -t 可测试配置文件的语法是否有误
配置文件大概分为3个部分,可以通过grep命令来大致查看:
# grep "Section" httpd.conf
### Section 1: Global Environment
### Section 2: 'Main' server configuration
### Section 3: Virtual Hosts 另外,Main server和Virtual Hosts配置同时只能有一个生效
可以在/etc/httpd/conf.d/目录下定义以.conf结尾的文件来定义属性,也可以直接修改httpd.conf文件
httpd.conf配置文件的内容格式基本都是
directive-name directive-value 比如
MaxKeepAliveRequests 100
下面基于httpd2.2的配置做了个思维导图说明:
3、httpd的用户身份验证实现
有时访问默写资源时,需要验证用户的身份信息,这就需要进行身份的质询认证,这里的身份验证是利用http协议自身提供的功能,并不是利用其他表单等工具实现
身份信息存储位置(帐号密码),可以另定义:
文件:/etc/httpd/conf/.htpasswd
认证类型(auth):
basic: 基本认证,帐号和密码明文发送;
digest:摘要认证,hash编程之后发送;
这里实验采用basic认证方式
实现步骤概述:
(1)编辑httpd.conf配置文件,对需要认证的URL资源进行设定身份认证
(2)使用htpasswd命令生成相应的帐号密码
htpasswd FILE_PATH USERNAME
-c:首次创建文件时才需要此选项,否则会重置覆盖原文件
-m:密码进行md5加密
-D:删除用户
(3)访问资源进行验证
就是这么简单,下面来验证:用户访问/admin/index.html时需要进行身份验证
# tree /var/www/html/
/var/www/html/
├── admin
│ └── index.html
├── index.html
└── test.html
1 directory, 3 files 编辑httpd.conf配置文件(在空白处添加以下内容),对需要认证的URL资源进行设定身份认证:
options none #options指令
allowoverride authconfig #
authname "please input your ID/PASSWD" #登录提示语
authtype basic #认证方式
authuserfile "/etc/httpd/conf/.htpasswd" #指定用户密码的存放路径
authgroupfile "/etc/httpd/conf/.htgroup" #指定组用户的存放路径
require valid-user #指定哪里用户客户登录,valid-user表示文件路径存放的都可以访问,后面也可以逐个添加用户,只需要写上用户名即可
require group admins #指定那个组的用户可以登录
修改配置后,使用httpd -t进行配置文件的语法检测(强烈推荐,这是一个基本的良好习惯):
# httpd -t
Syntax OK
使用htpasswd添加相关的用户以及组:
# htpasswd -c -m /etc/httpd/conf/.htpasswd hill
New password:
Re-type new password:
Adding password for user hill
#htpasswd-m /etc/httpd/conf/.htpasswd jason
New password:
Re-type new password:
Adding password for user jason
#htpasswd -m /etc/httpd/conf/.htpasswd nancy
New password:
Re-type new password:
Adding password for user nancy
#cat /etc/httpd/conf/.htgroup
admin: hill nancy
# cat /etc/httpd/conf/.htpasswd
hill:$apr1$Y66c0zU3$oK9237JoHPrbcc9JIYPjD0
jason:$apr1$lfmcM6jh$b2n50Np7dgST8qIBT/RL00
nancy:$apr1$ye576Up7$LvHzYot8mVl/EkO85HJI4.
重载服务进行访问验证:
略
4、httpd的虚拟主机的实现
传统的是一个物理主机提供一个web服务站点,使用了虚拟主机设置后,可以实现在一个物理主机进行多个web站点的设置
注意,一般中心主机和虚拟主机不同时使用,所以使用虚拟主机时,需要把中心主机注释掉,注释DocumentRoot即可
虚拟主机的分类:
基于不同的IP实现不同的虚拟主机:
变化IP
基于不同的port实现不同的虚拟主机:
变化port
基于不同的FQDN实现不同的虚拟主机:
变化ServerName的值
基于不同的IP实现不同的虚拟主机:
创建不同的站点:
# mkdir/var/www/html/{www1,www2}
#touch/var/www/html/{www1,www2}/index.html
#echo "www1" > /var/www/html/www1/index.html
# echo "www2" > /var/www/html/www1/index.html
# tree
.
├── admin
│ └── index.html
├── index.html
├── test.html
├── www1
│ └── index.html
└── www2
└── index.html
3 directories, 5 files 编辑配置文件,添加虚拟主机:
#不同IP的同一端口
documentroot "/var/www/html/www1" #设置根目录路径
servername "www1.nihao.com" #设置站点FQDN
#不同IP的同一端口
documentroot "/var/www/html/www2" #设置根目录路径
servername "www2.nihao.com" #设置站点FQDN
临时设置本机IP进行实验:
# ifconfig eth0:1 172.18.16.140/24
# ifconfig eth0:2 172.18.16.141/24
# ip addr show
1: lo:mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0:mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:f4:30:a5 brd ff:ff:ff:ff:ff:ff
inet 172.18.16.139/24 brd 172.18.16.255 scope global eth0
inet 172.18.16.140/24 brd 172.18.16.255 scope global secondary eth0:1
inet 172.18.16.141/24 brd 172.18.16.255 scope global secondary eth0:2
inet6 fe80::20c:29ff:fef4:30a5/64 scope link
valid_lft forever preferred_lft forever
重置httpd服务后,验证成功:
# curl 172.18.16.140
www1
# curl 172.18.16.141
www2 基于不同的port实现不同的虚拟主机:
编辑配置文件,添加虚拟主机:
listen 8080
documentroot "/var/www/html/www1"
servername "www1.nihao.com"
documentroot "/var/www/html/www2"
servername "www2.nihao.com"
重置httpd服务后,验证成功:
# curl 172.18.16.140
www1
# curl 172.18.16.140:8080
www2
基于不同的FQDN实现不同的虚拟主机:
编辑配置文件,添加虚拟主机(与前面不同的是,要在首行加入:namevirtualhost IP:prot):
namevirtualhost 172.18.16.140:80 #在httpd-2.2的版本中,如果是基于FQDN的虚拟主机,要加上此行
documentroot "/var/www/html/www1"
servername "www1.nihao.com"
documentroot "/var/www/html/www2"
servername "www2.nihao.com"
修改测试机器的hosts文件,能解析FQDN
# cat !$
cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 centos6.8
172.18.16.140 www1.nihao.com
172.18.16.140 www2.nihao.com 重置httpd服务后,验证成功:
# curl www1.nihao.com
www1
# curl www2.nihao.com
www2
5、https的实现
在前面安全章已经学习,https是基于ssl的安全加密通信,https的默认端口是443
https的通信过程:
https的实现步骤:
(1)CA服务器签发证书
(2)把签发的证书发回到web服务器
(3)web服务端配置httpd支持使用lls,安装mod_ssl模块支持ssl协议
(4)设置mod_ssl的相关配置文件,如指定web根目录、https的端口指定等等
(4)客户端安装CA证书进行访问测试
下面来按步骤进行演示:
(1)
搭建私有根CA服务器:
# tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial
4 directories, 2 files
# (umask 066;openssl genrsa -out private/cakey.pem)
Generating RSA private key, 1024 bit long modulus
......................................++++++
.......++++++
e is 65537 (0x10001)
#openssl req -new -x509 -key private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) :BEIJING
Organization Name (eg, company) :nihao
Organizational Unit Name (eg, section) []:nihao.com
Common Name (eg, your name or your server's hostname) []:ca.nihao.com
Email Address []:admin@nihao.com
# tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│?? └── cakey.pem
└── serial
4 directories, 4 files web服务器生成证书的申请文件:
# mkdir -p /etc/httpd/ssl/private
#(umask 066;openssl genrsa -out /etc/httpd/ssl/private/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..........................................................................+++
........................................................+++
e is 65537 (0x10001)
#openssl req -new -key /etc/httpd/ssl/private/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) :BEIJING
Organization Name (eg, company) :nihao
Organizational Unit Name (eg, section) []:www.nihao.com
Common Name (eg, your name or your server's hostname) []:www.nihao.com
Email Address []:aadmin@nihao.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# scp /etc/httpd/ssl/httpd.csr 192.168.31.29:/etc/pki/CA/certs/
ssh: connect to host 192.168.31.29 port 22: No route to host
lost connection 把申请证书文件上传到根CA服务器以便签署:
# scp /etc/httpd/ssl/httpd.csr 192.168.31.49:/etc/pki/CA/certs/
The authenticity of host '192.168.31.49 (192.168.31.49)' can't be established.
RSA key fingerprint is d1:42:7c:63:7d:e2:7f:70:b5:b3:ea:4d:6e:bc:97:af.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.31.49' (RSA) to the list of known hosts.
root@192.168.31.49's password:
httpd.csr 100% 1062 1.0KB/s 00:00 (2)对申请证书进行签署,并把签署的证书发送回web服务器:
# openssl ca -in certs/httpd.csr -out httpd.key
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 29 08:44:15 2016 GMT
Not After : Sep 29 08:44:15 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = BEIJING
organizationName = nihao
organizationalUnitName = www.nihao.com
commonName = www.nihao.com
emailAddress = aadmin@nihao.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A8:83:56:22:E3:F1:EE:B6:6D:59:A1:E1:59:87:E0:01:DA:06:11:33
X509v3 Authority Key Identifier:
keyid:CD:0B:CD:B6:10:FE:3D:8E:A9:CB:DF:B4:DC:AD:6F:C6:F2:4E:EE:13
Certificate is to be certified until Sep 29 08:44:15 2017 GMT (365 days)
Sign the certificate? :y
1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated
# ll certs/
total 4
-rw-r--r--. 1 root root 1062 Sep 29 16:41 httpd.csr
-rw-r--r--. 1 root root 0 Sep 29 16:43 httpd.key
# scp certs/httpd.key 192.168.31.212:/etc/httpd/ssl/
The authenticity of host '192.168.31.212 (192.168.31.212)' can't be established.
RSA key fingerprint is 37:57:be:b6:cb:a7:e4:2a:77:a1:98:ed:63:5e:30:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.31.212' (RSA) to the list of known hosts.
root@192.168.31.212's password:
httpd.key 100% 0 0.0KB/s 00:00
(3)web服务端配置httpd支持使用lls,安装mod_ssl模块支持ssl协议
# rpm -q mod_ssl
package mod_ssl is not installed
# yum install -y mod_ssl
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirrors.sina.cn
* extras: mirrors.yun-idc.com
* updates: mirrors.yun-idc.com
base | 3.7 kB 00:00
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
updates/primary_db | 2.1 MB 00:01
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.2.15-54.el6.centos will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=========================================================================================================================
Package Arch Version Repository Size
=========================================================================================================================
Installing:
mod_ssl x86_64 1:2.2.15-54.el6.centos updates 97 k
Transaction Summary
=========================================================================================================================
Install 1 Package(s)
Total download size: 97 k
Installed size: 187 k
Downloading Packages:
mod_ssl-2.2.15-54.el6.centos.x86_64.rpm |97 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 1:mod_ssl-2.2.15-54.el6.centos.x86_64 1/1
Verifying: 1:mod_ssl-2.2.15-54.el6.centos.x86_64 1/1
Installed:
mod_ssl.x86_64 1:2.2.15-54.el6.centos
Complete!
#rpm -qy mod_ssl
mod_ssl-2.2.15-54.el6.centos.x86_64 (4)设置mod_ssl的相关配置文件:/etc/httpd/conf.d/ssl.conf
# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem 需要修改的配置文件的地方,其他的默认就可以:
ServerName:改成自己的web站点名称
SSLCertificateFile:指定web的签署证书路径
SSLCertificateKeyFile:指定web的证书私钥路径
# grep "^[^#]" /etc/httpd/conf.d/ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialogbuiltin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
ServerName www.nihao.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/http/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/private/httpd.key
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
修改后httpd -t检查语法没有问题,重载服务后,发现已经开始监听443端口,也就是https已经开始工作
# httpd -t
Syntax OK
# service httpd reload
Reloading httpd:
# netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.31.212:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 192.168.31.212:48896 192.168.31.49:22 TIME_WAIT
tcp 0 0 192.168.31.212:22 192.168.31.19:63115 ESTABLISHED
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 ::1:53 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::1:631 :::* LISTEN
tcp 0 0 ::1:25 :::* LISTEN
tcp 0 0 ::1:953 :::* LISTEN
tcp 0 0 :::443 :::* LISTEN (4)客户端浏览器到处证书,测试正常!
OK,更多文章请关注我的博客。
页:
[1]