web服务之Apache实现的https访问

64yuty

本文旨在实践httpd-2.4基于域名的虚拟主机配置，让指定用户访问站点状态信息，并为站点提供https服务。

知识储备

---

HTTPS协议
    HTTPS协议就是“HTTP协议”和“SSL/TLS”协议的结合，HTTP over SSL”或“HTTP over TLS”,对http协议的文本数据进行加密处理后，成为二进制形式传输.

SSL会话简化过程  
    (1) 客户端发送可供选择的加密方式，并向服务器请求证书；
    (2) 服务器端发送证书以及选定的加密方式给客户端；
    (3) 客户端取得证书并进行证书验正：
        如果信任给其发证书的CA机构：则
        (a) 验正证书来源的合法性；用CA的公钥解密证书上数字签名；
        (b) 验正证书的内容的合法性：完整性验正
        (c) 检查证书的有效期限；
        (d) 检查证书是否被吊销；
        (e) 证书中拥有者的名字，与访问的目标主机要一致；
    (4) 客户端生成临时会话密钥（对称密钥），并使用服务器端的公钥加密此数据发送给服务器，
        完成密钥交换；
    (5) 服务用此密钥加密用户请求的资源，响应给客户端；
    注意：SSL会话是基于IP地址创建；所以单IP的主机上，仅可以使用一个https虚拟主机；


SSL/TLS协议模型
   

环境准备

---

1.操作系统及软件
   2台 Centos 7.2 x86_64
   httpd：httpd-2.4.6-40.el7.centos.x86_64
2.IP地址
    172.16.52.51/16 web服务

    172.16.52.1/6  CA证书颁发机构

2.提供2个基于域名的虚拟主机
    域名 www1.linux.com、www2.linux.com
    站点目录:/web/vhosts/www{1,2}

    访问日志:/var/log/httpd/www{1,2}/www{1,2}.access_log
    错误日志:/var/log/httpd/www{1,2}/www{1,2}.error_log
3.输出www1.linux.com的状态信息，且要求只允许提供账号的用户访问
4.www1不允许10.0.0.0/24网络中的主机访问
5.为www2提供https服务。
注意：关闭防火墙和selinux

安装httpd并配置虚拟主机

---

1.安装httpd

1	[iyunv@study ~]# yum -y install httpd

2.注释主配置文件的DocumentRoot

1 2	[iyunv@study ~]# grep "#DocumentRoot" /etc/httpd/conf/httpd.conf #DocumentRoot "/var/www/html"

3.配置虚拟主机

1 2 3 4 5 6 7 8 9 10 11 12

[iyunv@study conf.d]# cat www1.conf <VirtualHost *:80>     ServerName www1.linux.com     DocumentRoot "/web/vhosts/www1"     CustomLog "/var/log/httpd/www1/www1.access_log" combined     ErrorLog "/var/log/httpd/www1/www1.error_log"     <Directory "/web/vhosts/www1">         Options None         AllowOverride None         Require all granted     </Directory> </VirtualHost>

www2的配置与此并无差别，不在不再赘述

    配置站点主页  

1 2 3

[iyunv@study ~]# cat /web/vhosts/www{1,2}/index.html www1 websit http://www1.linux.com www2 websit http://www2.linux.com

4.检查并启动服务  

1 2 3

[iyunv@study conf.d]# httpd -t Syntax OK [iyunv@study conf.d]# systemctl start httpd.service

5.测试

1 2	[iyunv@study conf.d]# curl www1.linux.com www1 websit http://www1.linux.com

1 2	[iyunv@study conf.d]# curl www2.linux.com www2 websit http://www2.linux.com

6.输出www1.linux.com的状态信息，且要求只允许提供账号的用户访问
    6.1 编辑www1的虚拟主机文件：添加一个<Location></Location>标签

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

[iyunv@study conf.d]# cat www1.conf <VirtualHost *:80> ServerName www1.linux.com DocumentRoot "/web/vhosts/www1" CustomLog "/var/log/httpd/www1/www1.access_log" combined ErrorLog "/var/log/httpd/www1/www1.error_log"     <Directory "/web/vhosts/www1">         Options None         AllowOverride None         Require all granted     </Directory>     <Location "/server-status">         SetHandler server-status         AuthType basic         AuthName "For Adminstrator"         AuthUserFile "/etc/httpd/conf/.htpasswd"         Require user tom     </Location> </VirtualHost>

    6.2 提供账号和密码存储文件

1 2 3 4

[iyunv@study conf]# htpasswd -c -m /etc/httpd/conf/.htpasswd tom     New password:     Re-type new password:     Adding password for user tom

    6.3 测试：

    浏览器输入http://www1.linux.com/server-status
   
   

7. www1不允许10.0.0.0/24网络中的主机访问
    配置www1虚拟主机，在<Directory></Directory>标签段内添加<RequireAll>段

1 2 3 4 5 6 7 8

<Directory "/web/vhosts/www1">         Options None         AllowOverride None         <RequireAll>             Require all granted             Require not ip 10.0.0.0/24         </RequireAll>     </Directory>

实现虚拟主机 www2 https访问

---

在172.16.52.1 CA服务器上：
1. 配置CA证书颁发机构
    1.1 查看openssl相关文件

1 2 3 4 5 6 7

[iyunv@CA ~]# cd /etc/pki/CA [iyunv@CA CA]# ll total 16 drwxr-xr-x. 2 root root 4096 Jul 24 03:09 certs drwxr-xr-x. 2 root root 4096 Jul 24 03:09 crl drwxr-xr-x. 2 root root 4096 Jul 24 03:09 newcerts drwx------. 2 root root 4096 Jul 24 03:09 private

    1.2 使用openssl生成CA私钥

1 2 3 4 5

[iyunv@CA CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus ....................................................................................................................................................+++ .....................................................................................+++ e is 65537 (0x10001)

    1.3 使用openssl给CA服务器生成自签名证书   

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

[iyunv@CA CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Beijing   Locality Name (eg, city) [Default City]:Beijing Organization Name (eg, company) [Default Company Ltd]:magedu Organizational Unit Name (eg, section) []:ops Common Name (eg, your name or your server's hostname) []:ca.test.com Email Address []:ca@test.com

    1.4 创建CA相关目录和文件，指定序列号起始数字

1 2 3

[iyunv@CA CA]# touch index.txt  #新建索引文件 [iyunv@CA CA]# touch serial     #建立序列号文件 [iyunv@CA CA]# echo 01 > serial #写入起始序列号

web服务器创建申请证书
2. 创建申请证书
    2.1 在web服务器配置目录创建ssl目录

1	[iyunv@study ~]# mkdir /etc/httpd/ssl

    2.2 生成httpd 服务私钥

1 2 3 4 5

[iyunv@study ~]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 1024) Generating RSA private key, 1024 bit long modulus ..................++++++ ..............................++++++ e is 65537 (0x10001)

1 2 3

[iyunv@study ~]# ll /etc/httpd/ssl/httpd.key -rw------- 1 root root 887 Jul 14 15:29 /etc/httpd/ssl/httpd.key

    2.3 生成证书签署请求文件

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

[iyunv@study ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Beijing Locality Name (eg, city) [Default City]:Beijing Organization Name (eg, company) [Default Company Ltd]:magedu Organizational Unit Name (eg, section) []:ops Common Name (eg, your name or your server's hostname) []:www1.linux.com Email Address []:ops@admin.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

    2.4 把httpd申请证书发送到CA颁发机构上

1 2 3

[iyunv@study ssl]# scp httpd.csr 172.16.52.1:/tmp root@172.16.52.1's password: httpd.csr                                  100%  696     0.7KB/s   00:00

    2.5 在CA端为给客户端签名并颁发正式  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

[iyunv@CA tmp]# openssl ca -in httpd.csr -out httpd.crt -days 3650 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details:         Serial Number: 1 (0x1)         Validity             Not Before: Dec 15 18:13:23 2015 GMT             Not After : Dec 12 18:13:23 2025 GMT         Subject:             countryName               = CN             stateOrProvinceName       = Beijing             organizationName          = magedu             organizationalUnitName    = ops             commonName                = www1.linux.com             emailAddress              = ops@admin.com         X509v3 extensions:             X509v3 Basic Constraints:                 CA:FALSE             Netscape Comment:                 OpenSSL Generated Certificate             X509v3 Subject Key Identifier:                 D0:C4:3B:E1:C4:59:25:D4:0E:DF:AF:83:9C:48:D6:A8:D9:CC:27:27             X509v3 Authority Key Identifier:                 keyid:67:CC:F6:A8:E6:0B:73:CE:6C:A1:6D:B8:A6:99:1F:CA:7A:A3:D3:AB Certificate is to be certified until Dec 12 18:13:23 2025 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated

1 2 3

[iyunv@CA tmp]# ll httpd*     -rw-r--r-- 1 root root 3830 Dec 16 02:15 httpd.crt     -rw-r--r-- 1 root root  696 Dec 16 02:12 httpd.csr

    2.6 将生成的证书复制到web服务器上

1	[iyunv@ca tmp]# scp httpd.crt root@172.16.52.51:/etc/httpd/ssl

    2.7 web服务器查看收到的证书

1 2 3 4 5

[iyunv@study ssl]# ll total 12 -rw-r--r-- 1 root root 3830 Dec 16  2015 httpd.crt -rw-r--r-- 1 root root  696 Jul 14 16:01 httpd.csr -rw------- 1 root root  887 Jul 14 16:00 httpd.key

3. web服务器配置ssl模块
    3.1装载mod_ssl

1	[iyunv@study ssl]# yum -y install mod_ssl

    3.2 修改ssl配置文件
        配置/etc/httpd/conf.d/ssl.conf
        DocumentRoot

1 2	[iyunv@study ssl]# sed -n "/^DocumentRoot/p" /etc/httpd/conf.d/ssl.conf     DocumentRoot "/web/vhosts/www2"

        ServerName

1 2	[iyunv@study ssl]# sed -n "/^ServerName/p" /etc/httpd/conf.d/ssl.conf ServerName www2.linux.com:443

        <Directory "">

1 2 3 4 5 6

[iyunv@study ssl]# sed -n "186,190p" /etc/httpd/conf.d/ssl.conf <Directory "/web/vhosts/www2"> Options None AllowOverride None Require all granted </Directory>

        SSLCertificateFile
        SSLCertificateKeyFile

1 2 3

[iyunv@study conf.d]# sed -n '101p;109p' /etc/httpd/conf.d/ssl.conf SSLCertificateFile /etc/httpd/ssl/httpd.crt SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

    3.3 重启httpd服务

1 2 3

[iyunv@study conf.d]# systemctl restart httpd.service [iyunv@study conf.d]# ss -tnlp|grep 443 LISTEN     0      128         :::443                     :::*                   users:(("httpd",pid=2475,fd=6),("httpd",pid=2474,fd=6),("httpd",pid=2473,fd=6),("httpd",pid=2472,fd=6),("httpd",pid=2471,fd=6),("httpd",pid=2469,fd=6))

    3.5 浏览器访问

   
    这是证书未收信任，把httpd.crt证书导入浏览器就好了.