CentOS6.7上搭建httpd

fswdnr

　　
CentOS6.7上搭建httpd-2.2

1.实验需求：

1、建立httpd服务，要求：
    (1) 提供两个基于名称的虚拟主机www1, www2；有单独的错误日志和访问日志；
    (2) 通过www1的/server-status提供状态信息，且仅允许tom用户访问；
    (3) www2不允许192.168.0.0/24网络中任意主机访问；
2、为上面的第2个虚拟主机提供https服务

2.实验环境：

Linux服务器操作系统版本：CentOS release 6.7 (Final) IP：172.16.66.60
WIN7系统客户机：IP：172.16.250.100

3.实验前提：
    1）关闭防火墙和SELinux
   
    ~]# service iptables stop
    ~]# setenforce 0
   
4.实验过程：

1.提供两个基于名称的虚拟主机www1, www2；有单独的错误日志和访问日志
　　

　　一、安装服务

1.yum安装httpd-2.2

~]# yum install httpd -y
~]# rpm -qa httpd
~]# rpm -ql httpd
~]# rpm -qc httpd
~]# service httpd restart
~]# chkconfig httpd on
~]# ss -lnt

二、配置虚拟主机

~]# cat /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.66.60:80>
    ServerName www1.magedu.com
    DocumentRoot /data/vhosts/www1
    ErrorLog logs/www1-error_log
    CustomLog logs/www1-access_log combined
</VirtualHost>

~]# cat /etc/httpd/conf.d/www2.conf
<VirtualHost 172.16.66.60:80>
    ServerName www2.magedu.com
    DocumentRoot /data/vhosts/www2
    ErrorLog logs/www2-error_log
    CustomLog logs/www2-access_log combined
</VirtualHost>

三、修改配置参数:

    1)备份原有的配置文件
~]# cp -p httpd.conf httpd.conf.bak

    2)开启虚拟主机：NameVirtualHost                    
~]# sed -n '990p' /etc/httpd/httpd.conf
NameVirtualHost 172.16.66.60:80

    3)创建站点目录：
~]# mkdir -pv /data/vhosts/www{1,2}
~]# echo "<h1> www1.magedu.com </h1>" > /data/vhosts/www1/index.html
~]# echo "<h1> www2.magedu.com </h1>" > /data/vhosts/www2/index.html
   
    4)添加hosts域名解析
~]# echo " 172.16.66.60 www1.magedu.com www2.magedu.com " >> /etc/hsots

四、PC端上测试内容

    1)在wind7上添加域名解析：路径：C:\Windows\System32\drivers\etc\hosts
    2)用记事本打开hosts添加并保存：172.16.66.60 www1.magedu.com www2.magedu.com
    3)测试都正常访问

   
   
2.通过www1的/server-status提供状态信息，且仅允许tom用户访问；


一、修改配置文件：
   
    1)只允许tom用户访问/server-status;
<Location /server-status>
    SetHandler server-status
    AuthType basic
    AuthName "For tom"
    AuthUserFile "/etc/httpd/conf/.htpasswd"
    Require user tom
</Location>   

    2)创建虚拟用户tom文件
~]# htpasswd -c -m /etc/httpd/conf/.htpasswd tom

    3)检查语法并重载配置文件
~]# httpd -t                                
~]# service httpd reload        

二、在PC机浏览器中测试：

    1)输入 http://172.16.66.60/server-status 需要用户tom认证才能访问

3、为上面的第2个虚拟主机提供https服务；

工作目录:/etc/pki/CA/
　　

　　1)生成私钥
CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)

    2)生成自签证书
CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:liyang
Organizational Unit Name (eg, section) []:0ps
Common Name (eg, your name or your server's hostname) []:www2.magedu.com
Email Address []:magedu@com
　　

　　3)提供辅助文件
CA]# touch index.txt
CA]# echo 01 > serial 序列号


二、节点申请证书
   
    1)生成私钥
　　~]# mkdir -pv /etc/httpd/ssl
ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
　　

　　2)生成证书签署请求：
ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:liyang
Organizational Unit Name (eg, section) []:0ps
Common Name (eg, your name or your server's hostname) []:www2.magedu.com
Email Address []:magedu@com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

    3)把请求发给CA
ssl]# cp httpd.csr /tmp/

　　

　　三、CA签发证书

    1)签署证书
~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 12 13:01:20 2016 GMT
            Not After : Jul 12 13:01:20 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = liyang
            organizationalUnitName    = 0ps
            commonName                = www2.magedu.com
            emailAddress              = magedu@com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F6:C2:E3:DC:3F:D9:50:39:52:43:35:BF:99:BC:FF:5E:26:EB:9E:29
            X509v3 Authority Key Identifier:
                keyid:15:71:78:70:3E:9B:23:64:A0:37:DE:91:1E:6B:73:F6:AD:3C:A7:A7

Certificate is to be certified until Jul 12 13:01:20 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


    2)把签署好的证书发还给请求者。
~]# cp /etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/


注意：本次私建CA在一台机器完成。


四、配置httpd支持使用ssl，及使用的证书

    1)yum安装mod_ssl模块
~]# httpd -M | grep ssl        
~]# yum install mod_ssl -y
~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
   
    2）修改配置文件
~]# cat /etc/httpd/conf.d/ssl.conf
    <VirtualHost _default_:443>
    DocumentRoot "/data/vhosts/www2"
    ServerName www2.magedu.com:443
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log   
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
    </VirtualHost>
   
五、测试结果：
    1)在PC机浏览器中测试：https://www2.magedu.com  通过443端口访问
    2)在PC机浏览器中测试：http://www2.magedu.com   通过80端口访问