apache服务之https、访问控制、status等功能

1312

https:
客户端：申请证书

1 2 3

[iyunv@martin ssl]# pwd /etc/httpd/ssl [iyunv@martin ssl]# (umask 077; openssl genrsa  -out martin01.key 2048)

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

[iyunv@martin ssl]# openssl req -new -key martin01.key -out martin01.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:zhejiang Locality Name (eg, city) [Default City]:ningbo Organization Name (eg, company) [Default Company Ltd]:martin Organizational Unit Name (eg, section) []:martin Common Name (eg, your name or your server's hostname) []:martin Email Address []:martin@qq.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

1	[iyunv@martin ssl]# scp -P 6789 martin01.csr marvin:/mydata/ssl/csr

CA服务器:审核证书

1 2	[iyunv@marvin CA]# openssl ca -in /mydata/ssl/csr/martin01.csr  -out /mydata/ssl/crt/martin01.crt -days 800 [iyunv@marvin CA]# scp -P6789 /mydata/ssl/crt/martin01.crt martin:/etc/httpd/ssl/

客户端:

1 2 3 4 5 6 7 8 9

# Required modules: mod_log_config, mod_setenvif, mod_ssl, #          socache_shmcb_module (for default value of SSLSessionCache) [iyunv@martin httpd]# vim /etc/httpd/httpd.conf LoadModule socache_shmcb_module modules/mod_socache_shmcb.so LoadModule ssl_module modules/mod_ssl.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule log_config_module modules/mod_log_config.so Include /etc/httpd/extra/httpd-ssl.conf

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

[iyunv@martin httpd]# vim extra/httpd-ssl.conf DocumentRoot "/www/web/ssl" ServerName www.ssl.com:443 <Directory "/www/web/ssl">         Options  none         AllowOverride all         Require all granted </Directory> SSLCertificateFile /etc/httpd/ssl/martin01.crt SSLCertificateKeyFile /etc/httpd/ssl/martin01.key [iyunv@martin httpd]# echo ok > /www/web/ssl/index.html [iyunv@martin httpd]# httpd -t Syntax OK [iyunv@martin httpd]# /etc/init.d/httpd restart

证书创建若有疑问



虚拟主机:

1 2 3

[iyunv@martin httpd]# vim /etc/httpd/httpd.conf LoadModule rewrite_module modules/mod_rewrite.so Include /etc/httpd/extra/httpd-vhosts.conf

1 2 3 4 5 6 7 8 9 10

[iyunv@martin httpd]# vim extra/httpd-vhosts.conf <VirtualHost *:80>     DocumentRoot  "/www/web/martin"     ServerName www.martin.com     <Directory "/www/web/martin">         Options  none         AllowOverride all         Require all granted     </Directory> </VirtualHost>

1	[iyunv@martin httpd]# echo martin > /www/web/martin/index.html

基于IP访问控制：2.4新特性

    允许所有主机访问：Require all granted
    拒绝所有主机访问：Require all deny
控制某主机的访问：

    Require ip IPADDR
    Require not ip IPADDR

    Require host IPADDR
   Require not host IPADDR

1 2 3 4 5 6

<Directory "/www/web/martin">         Options  none         AllowOverride all         Require ip 192.168.1         Require all denied </Directory>

status:

1 2 3

[iyunv@martin htdocs]# vim  /etc/httpd/httpd.conf LoadModule status_module modules/mod_status.so Include /etc/httpd/extra/httpd-info.conf

1 2 3 4 5 6 7

[iyunv@martin htdocs]# vim /etc/httpd/extra/httpd-info.conf <Location /server-status>     SetHandler server-status     #Require host .example.com     Require ip 127     Require ip 192.168.1 </Location>

这是一个httpd的内嵌handler，通过status可查看当前服务器的状态。它通过一个HTML页面展示了当前服务器的统计数据。这些数据通常包括但不限于：

(1) 处于工作状态的worker进程数；

(2) 空闲状态的worker进程数；

(3) 每个worker的状态，包括此worker已经响应的请求数，及由此worker发送的内容的字节数；

(4) 当前服务器总共发送的字节数；

(5) 服务器自上次启动或重启以来至当前的时长；

(6) 平均每秒钟响应的请求数、平均每秒钟发送的字节数、平均每个请求所请求内容的字节数；

基于用户的访问控制

1 2 3 4 5 6 7 8 9

<Directory "/www/web/martin">         Options  none         AuthType Basic         AuthName "Admin status"         AuthUserFile /etc/httpd/conf/.htpasswd         AllowOverride all         Require ip 192.168.1         Require all denied     </Directory>

1 2 3 4

[iyunv@martin httpd]# /usr/local/apache/bin/htpasswd -m -c /etc/httpd/.htpasswd admin New password: Re-type new password: Adding password for user admin