https:
客户端:申请证书
1
2
3
| [iyunv@martin ssl]# pwd
/etc/httpd/ssl
[iyunv@martin ssl]# (umask 077; openssl genrsa -out martin01.key 2048)
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| [iyunv@martin ssl]# openssl req -new -key martin01.key -out martin01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:zhejiang
Locality Name (eg, city) [Default City]:ningbo
Organization Name (eg, company) [Default Company Ltd]:martin
Organizational Unit Name (eg, section) []:martin
Common Name (eg, your name or your server's hostname) []:martin
Email Address []:martin@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
|
1
| [iyunv@martin ssl]# scp -P 6789 martin01.csr marvin:/mydata/ssl/csr
|
CA服务器:审核证书
1
2
| [iyunv@marvin CA]# openssl ca -in /mydata/ssl/csr/martin01.csr -out /mydata/ssl/crt/martin01.crt -days 800
[iyunv@marvin CA]# scp -P6789 /mydata/ssl/crt/martin01.crt martin:/etc/httpd/ssl/
|
客户端:
1
2
3
4
5
6
7
8
9
| # Required modules: mod_log_config, mod_setenvif, mod_ssl,
# socache_shmcb_module (for default value of SSLSessionCache)
[iyunv@martin httpd]# vim /etc/httpd/httpd.conf
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule log_config_module modules/mod_log_config.so
Include /etc/httpd/extra/httpd-ssl.conf
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| [iyunv@martin httpd]# vim extra/httpd-ssl.conf
DocumentRoot "/www/web/ssl"
ServerName www.ssl.com:443
<Directory "/www/web/ssl">
Options none
AllowOverride all
Require all granted
</Directory>
SSLCertificateFile /etc/httpd/ssl/martin01.crt
SSLCertificateKeyFile /etc/httpd/ssl/martin01.key
[iyunv@martin httpd]# echo ok > /www/web/ssl/index.html
[iyunv@martin httpd]# httpd -t
Syntax OK
[iyunv@martin httpd]# /etc/init.d/httpd restart
|
证书创建若有疑问
虚拟主机:
1
2
3
| [iyunv@martin httpd]# vim /etc/httpd/httpd.conf
LoadModule rewrite_module modules/mod_rewrite.so
Include /etc/httpd/extra/httpd-vhosts.conf
|
1
2
3
4
5
6
7
8
9
10
| [iyunv@martin httpd]# vim extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/www/web/martin"
ServerName www.martin.com
<Directory "/www/web/martin">
Options none
AllowOverride all
Require all granted
</Directory>
</VirtualHost>
|
1
| [iyunv@martin httpd]# echo martin > /www/web/martin/index.html
|
基于IP访问控制:2.4新特性
允许所有主机访问:Require all granted
拒绝所有主机访问:Require all deny
控制某主机的访问:
Require ip IPADDR
Require not ip IPADDR
Require host IPADDR
Require not host IPADDR
1
2
3
4
5
6
| <Directory "/www/web/martin">
Options none
AllowOverride all
Require ip 192.168.1
Require all denied
</Directory>
|
status:
1
2
3
| [iyunv@martin htdocs]# vim /etc/httpd/httpd.conf
LoadModule status_module modules/mod_status.so
Include /etc/httpd/extra/httpd-info.conf
|
1
2
3
4
5
6
7
| [iyunv@martin htdocs]# vim /etc/httpd/extra/httpd-info.conf
<Location /server-status>
SetHandler server-status
#Require host .example.com
Require ip 127
Require ip 192.168.1
</Location>
|
这是一个httpd的内嵌handler,通过status可查看当前服务器的状态。它通过一个HTML页面展示了当前服务器的统计数据。这些数据通常包括但不限于: (1) 处于工作状态的worker进程数; (2) 空闲状态的worker进程数; (3) 每个worker的状态,包括此worker已经响应的请求数,及由此worker发送的内容的字节数; (4) 当前服务器总共发送的字节数; (5) 服务器自上次启动或重启以来至当前的时长; (6) 平均每秒钟响应的请求数、平均每秒钟发送的字节数、平均每个请求所请求内容的字节数; 基于用户的访问控制
1
2
3
4
5
6
7
8
9
| <Directory "/www/web/martin">
Options none
AuthType Basic
AuthName "Admin status"
AuthUserFile /etc/httpd/conf/.htpasswd
AllowOverride all
Require ip 192.168.1
Require all denied
</Directory>
|
1
2
3
4
| [iyunv@martin httpd]# /usr/local/apache/bin/htpasswd -m -c /etc/httpd/.htpasswd admin
New password:
Re-type new password:
Adding password for user admin
|
|