Web site services -- httpd

  • httpd
  • nginx
  • tomcat

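Access control rules:

| Rule | Function |
| --- | --- |
| Require all granted | Allow access from all hosts |
| Require all denied | Deny access from all hosts |
| Require ip IPADDR | Allow access from hosts with the given source address |
| Require not ip IPADDR | Deny access from hosts with the given source address |
| Require host HOSTNAME | Allow access from hosts with the given source host name |
| Require not host HOSTNAME | Deny access from hosts with the given source host name |

| IPADDR forms | HOSTNAME forms |
| --- | --- |
| IP: 192.168.1.1 | FQDN: the full name of a specific host |
| Network/mask: 192.168.1.0/255.255.255.0 | DOMAIN: all hosts in the given domain |
| Network/Length: 192.168.1.0/24 | |
| Net: 192.168 | |

Note: httpd 2.4 denies access from all hosts by default, so after installation access must be granted explicitly.

Example: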

<Directory /var/www/html/www>
    <RequireAll>
        Require not ip 192.168.1.20
        Require all granted
    </RequireAll>
</Directory>
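
The example above wraps the negated rule in <RequireAll> because httpd rejects a negated Require anywhere else. The following check is an added example, not part of the original page: the function names lint_require and sample_require and the second Directory block are constructed for illustration.

```shell
# Added example, not from the original page. lint_require reads an httpd
# config on stdin and prints "LINE: message" for each problem it finds.
# Directive names are matched case-sensitively.
lint_require() {
    awk '
    # Remember which authorization container each line sits in.
    /^[ \t]*<Require(All|Any|None)>/ {
        name = $1; gsub(/[<>]/, "", name); stack[++depth] = name; next
    }
    /^[ \t]*<\/Require(All|Any|None)>/ { if (depth > 0) depth--; next }
    $1 == "Require" {
        # Outside any container, httpd treats the rules as one <RequireAny>.
        ctx = (depth > 0) ? stack[depth] : "implicit RequireAny"
        if ($2 == "not" && ctx != "RequireAll")
            printf "%d: negated Require in %s, move it into <RequireAll>\n", NR, ctx
        if ($2 == "all" && $3 != "granted" && $3 != "denied")
            printf "%d: Require all %s is invalid, use granted or denied\n", NR, $3
    }'
}

# Constructed sample: the block from this page, then two common mistakes.
sample_require() {
cat <<'EOF'
<Directory /var/www/html/www>
    <RequireAll>
        Require not ip 192.168.1.20
        Require all granted
    </RequireAll>
</Directory>
<Directory /var/www/html/blog>
    Require not ip 192.168.1.20
    Require all deny
</Directory>
EOF
}

sample_require | lint_require
```
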

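Virtual hosts:
There are three kinds of virtual host:

Same IP, different ports
Different IPs, same port
Same IP, same port, different domain names

Install the service

Install the httpd service with yum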

[root@zyq ~]# yum install httpd
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Last metadata expiration check: 2:19:59 ago on Mon 10 Jul 2023 08:54:40 PM PDT.
Dependencies resolved.
=======================
......
Installed:
  apr-1.6.3-12.el8.x86_64                                                               apr-util-1.6.1-6.el8.x86_64                                                     
  apr-util-bdb-1.6.1-6.el8.x86_64                                                       apr-util-openssl-1.6.1-6.el8.x86_64                                             
  centos-logos-httpd-85.8-2.el8.noarch                                                  httpd-2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64                             
  httpd-filesystem-2.4.37-43.module_el8.5.0+1022+b541f3b1.noarch                        httpd-tools-2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64                       
  mod_http2-1.15.7-3.module_el8.4.0+778+c970deab.x86_64                                

Complete!
[root@zyq ~]#
[root@zyq ~]# rpm -qa | grep httpd
httpd-2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64
httpd-filesystem-2.4.37-43.module_el8.5.0+1022+b541f3b1.noarch
centos-logos-httpd-85.8-2.el8.noarch
httpd-tools-2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64

Enable start at boot

[root@zyq ~]# systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
[root@zyq ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2023-07-10 23:18:35 PDT; 4s ago
     Docs: man:httpd.service(8)
 Main PID: 36054 (httpd)
   Status: "Started, listening on: port 80"
   ......

Check the service port

[root@zyq ~]# ss -antl | grep '*:80'
LISTEN    0         128                      *:80                     *:*       

Turn off the firewall

[root@zyq ~]# systemctl disable --now firewalld 
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

Test in a browser

[root@zyq ~]# ls /var/www/html/
[root@zyq ~]# vi /var/www/html/index.html
[root@zyq ~]# cat /var/www/html/index.html
<html>
<head>
<title>快乐学习</title>
</head>
<body>
<h1>这是测试页面</h1>
</body>
</html>

After saving the file, test it in the browser

View the configuration files

[root@zyq ~]# cd /etc/httpd/
[root@zyq httpd]# ls
conf  conf.d  conf.modules.d  logs  modules  run  state
[root@zyq httpd]# ls conf
httpd.conf  magic
[root@zyq httpd]# grep -i 'include' /etc/httpd/conf/httpd.conf 
Include conf.modules.d/*.conf
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
# Possible values include: debug, info, notice, warn, error, crit,
    # If you include a trailing / on /webpath then the server will
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    AddOutputFilter INCLUDES .shtml
IncludeOptional conf.d/*.conf



[root@zyq httpd]# cd conf.d/
[root@zyq conf.d]# ls
autoindex.conf  README  userdir.conf  welcome.conf
[root@zyq conf.d]# find / -name '*vhosts.conf'
/usr/share/doc/httpd/httpd-vhosts.conf
[root@zyq conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf vhosts.conf
[root@zyq conf.d]# ls
autoindex.conf  README  userdir.conf  vhosts.conf  welcome.conf

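Ways to reach the virtual hosts

Same port, different IPs

Same IP, different ports (the extra listening port must be added)

Same IP and port, different domain names

Edit the configuration file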
[root@zyq conf.d]# vi vhosts.conf 
[root@zyq conf.d]# cat vhosts.conf | grep -v '#' 
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/html/www.zyq.com"
    ServerName www.zyq.com
    ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/www.zyq.com-error_log"
    CustomLog "/var/log/httpd/www.zyq.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/var/www/dummy-host2.example.com"
    ServerName dummy-host2.example.com
    ErrorLog "/var/log/httpd/dummy-host2.example.com-error_log"
    CustomLog "/var/log/httpd/dummy-host2.example.com-access_log" common
</VirtualHost>



[root@zyq conf.d]# mkdir -p /var/www/html/www.zyq.com
[root@zyq conf.d]# echo "peace and love" > /var/www/html/www.zyq.com/index.html
[root@zyq conf.d]# cat /var/www/html/www.zyq.com/index.html
peace and love
[root@zyq conf.d]# systemctl restart httpd

Refresh the page to test

Configure different IPs, same port

[root@zyq conf.d]# ls /var/www/html/
index.html  www.zyq.com
[root@zyq conf.d]# mkdir -p /var/www/html/blog.zyq.com    
[root@zyq conf.d]# ls /var/www/html/
blog.zyq.com  index.html  www.zyq.com 
[root@zyq conf.d]# echo 'blog test page' > /var/www/html/blog.zyq.com/index.html
[root@zyq conf.d]# cat /var/www/html/blog.zyq.com/index.html
blog test page

Add an IP address

[root@zyq conf.d]# ip addr 192.168.227.151/24 dev ens160
Command "192.168.227.151/24" is unknown, try "ip address help".
[root@zyq conf.d]# ip addr add 192.168.227.151/24 dev ens160
[root@zyq conf.d]# ip a | grep 192.168.227.151
    inet 192.168.227.151/24 scope global secondary ens160

Edit the configuration file

[root@zyq conf.d]# vi vhosts.conf
[root@zyq conf.d]# cat vhosts.conf | grep -v '#'


<VirtualHost 192.168.227.150:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/html/www.zyq.com"
    ServerName www.zyq.com
    ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/www.zyq.com-error_log"
    CustomLog "/var/log/httpd/www.zyq.com-access_log" common
</VirtualHost>

<VirtualHost 192.168.227.151:80>
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/var/www/html/blog.zyq.com"
    ServerName blog.zyq.com
    ErrorLog "/var/log/httpd/blog.zyq.com-error_log"
    CustomLog "/var/log/httpd/blog.zyq.com-access_log" common
</VirtualHost>



[root@zyq conf.d]# systemctl restart httpd

Test the result

Same IP, different ports

Edit the configuration file

[root@zyq conf.d]# vi vhosts.conf
[root@zyq conf.d]# cat vhosts.conf | grep -v '#'


<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/html/www.zyq.com"
    ServerName www.zyq.com
    ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/www.zyq.com-error_log"
    CustomLog "/var/log/httpd/www.zyq.com-access_log" common
</VirtualHost>
Listen 81
<VirtualHost *:81>
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/var/www/html/blog.zyq.com"
    ServerName blog.zyq.com
    ErrorLog "/var/log/httpd/blog.zyq.com-error_log"
    CustomLog "/var/log/httpd/blog.zyq.com-access_log" common
</VirtualHost>
[root@zyq conf.d]# systemctl restart httpd

Test

Same IP, same port, different domain names

Edit the configuration file

[root@zyq conf.d]# vim vhosts.conf 
[root@zyq conf.d]# cat vhosts.conf | grep -v '#'


<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/html/www.zyq.com"
    ServerName www.zyq.com
    ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/www.zyq.com-error_log"
    CustomLog "/var/log/httpd/www.zyq.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/var/www/html/blog.zyq.com"
    ServerName blog.zyq.com
    ErrorLog "/var/log/httpd/blog.zyq.com-error_log"
    CustomLog "/var/log/httpd/blog.zyq.com-access_log" common
</VirtualHost>
[root@zyq conf.d]# systemctl restart httpd
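
The three configurations above differ only in how httpd matches a request to a <VirtualHost> block: first by local address and port, then by the Host header, with the first listed block as the fallback for an unknown name. The following is an added example, not part of the original page, that models this selection in simplified form; pick_vhost, sample_vhosts and the /var/www/html/ip-151 directory are constructed names.

```shell
# Added example (not from the original page): simplified model of how httpd
# picks a <VirtualHost>. IPv4 only; wildcard ServerAlias patterns are ignored.
pick_vhost() {   # usage: pick_vhost LOCAL_IP PORT HOST_HEADER < vhosts.conf
    awk -v ip="$1" -v port="$2" -v host="$3" '
    /^[ \t]*<VirtualHost[ \t]/ {
        n++; spec = $2; sub(/>.*/, "", spec)
        p = spec; sub(/.*:/, "", p); a = spec; sub(/:[^:]*$/, "", a)
        # 2 = exact IP match, 1 = wildcard address, 0 = vhost not eligible
        if (p != port && p != "*") score[n] = 0
        else if (a == ip) score[n] = 2
        else if (a == "*" || a == "_default_") score[n] = 1
        else score[n] = 0
        next
    }
    n && $1 == "DocumentRoot" { r = $2; gsub(/"/, "", r); root[n] = r }
    n && ($1 == "ServerName" || $1 == "ServerAlias") {
        for (i = 2; i <= NF; i++) if (tolower($i) == tolower(host)) named[n] = 1
    }
    END {
        for (i = 1; i <= n; i++) if (score[i] > best) best = score[i]
        if (!best) { print "main server"; exit }
        # Among the best address matches: first name match, else first listed.
        for (i = 1; i <= n; i++) if (score[i] == best) {
            if (!first) first = i
            if (named[i]) { print root[i]; exit }
        }
        print root[first]
    }'
}

# Constructed sample built from the names used on this page.
sample_vhosts() {
cat <<'EOF'
<VirtualHost *:80>
    DocumentRoot "/var/www/html/www.zyq.com"
    ServerName www.zyq.com
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/var/www/html/blog.zyq.com"
    ServerName blog.zyq.com
</VirtualHost>
<VirtualHost 192.168.227.151:80>
    DocumentRoot "/var/www/html/ip-151"
    ServerName www.zyq.com
</VirtualHost>
EOF
}

sample_vhosts | pick_vhost 192.168.227.150 80 no-such-name.example
```

The last line shows that a request with an unrecognized Host header is served by the first matching block, so the order of the blocks decides which site answers unknown names.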

Edit the hosts file on Windows

Test

Location of the virtual host sites: /var/www/html/

Deploying multiple virtual hosts:

Create them under the directory above

Encryption

Generate the certificate
[root@zyq ~]# mkdir /etc/pki/CA
[root@zyq ~]# cd /etc/pki/CA
[root@zyq CA]# mkdir private
[root@zyq CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................................................................................................+++++
.....+++++
e is 65537 (0x010001)

The client generates a certificate signing request

[root@zyq CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.zyq.com
Organizational Unit Name (eg, section) []:www.zyq.com
Common Name (eg, your name or your server's hostname) []:www.zyq.com
Email Address []:

The client (for example, the httpd server) generates a key

[root@zyq CA]# mkdir certs newcerts crl
[root@zyq CA]# touch index.txt && echo 01 > serial
[root@zyq CA]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................................................................+++++
...+++++
e is 65537 (0x010001)

The client sends the certificate signing request file to the CA

[root@zyq CA]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.zyq.com
Organizational Unit Name (eg, section) []:www.zyq.com
Common Name (eg, your name or your server's hostname) []:www.zyq.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    
An optional company name []:
[root@zyq CA]# ls
cacert.pem  certs  crl  httpd.csr  httpd.key  index.txt  newcerts  private  serial

The CA signs the certificate submitted by the client

[root@zyq CA]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 11 13:32:57 2023 GMT
            Not After : Jul 10 13:32:57 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = www.zyq.com
            organizationalUnitName    = www.zyq.com
            commonName                = www.zyq.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2F:59:31:D0:28:6A:D5:24:68:B8:1D:6F:01:BF:24:57:A9:A5:7A:F1
            X509v3 Authority Key Identifier: 
                keyid:75:F4:7A:96:5F:E4:B0:4B:A3:68:78:71:B1:A1:3E:39:FB:76:51:C5

Certificate is to be certified until Jul 10 13:32:57 2024 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@zyq CA]# ls
cacert.pem  certs  crl  httpd.crt  httpd.csr  httpd.key  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old

Install the service

[root@zyq CA]# rm -rf httpd.csr
[root@zyq CA]# yum -y install mod_ssl
.....

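File for configuring https: /etc/httpd/co

Change the domain name in ServerName

Set SSLCer to the path of the generated crt file (the location of the certificate httpd.crt/httpd.key)

Change the default document root (DocumentRoot)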

[root@zyq CA]# ls /etc/httpd/conf.modules.d/
00-base.conf  00-dav.conf  00-lua.conf  00-mpm.conf  00-optional.conf  00-proxy.conf  00-ssl.conf  00-systemd.conf  01-cgi.conf  10-h2.conf  10-proxy_h2.conf  README
[root@zyq CA]# vi /etc/httpd/conf.modules.d/00-ssl.conf

Restart the service

[root@zyq ~]# vi /etc/httpd/conf.d/ssl.conf
[root@zyq ~]# grep -Ev '^$|^#' /etc/httpd/conf.d/ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLCryptoDevice builtin
<VirtualHost _default_:443>
DocumentRoot "/var/www/html/www.zyq.com"
ServerName www.zyq.com:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile /etc/pki/CA/httpd.crt
SSLCertificateKeyFile /etc/pki/CA/httpd.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
[root@zyq ~]# systemctl restart httpd
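
Before restarting httpd it is worth checking that the files named in SSLCertificateFile and SSLCertificateKeyFile exist, belong together and chain to the CA. The following is an added example, not part of the original page: it builds a throwaway PKI in a temporary directory and signs with openssl x509 -req instead of the page's openssl ca so that it runs without /etc/pki/CA. The names make_lab_pki, check_pair, other.key, missing.key and san.ext are constructed, and the subjectAltName entry is an addition, since the certificate issued above carries only a Common Name while current browsers match the host name against subjectAltName.

```shell
# Added example, not from the original page. Throwaway lab PKI in a temp dir.
# Assumption: signing uses "openssl x509 -req" in place of "openssl ca", and
# a subjectAltName extension file (san.ext) is added.
make_lab_pki() {   # usage: make_lab_pki DIR
    d=$1
    ( umask 077
      openssl genrsa -out "$d/cakey.pem" 2048
      openssl genrsa -out "$d/httpd.key" 2048
      openssl genrsa -out "$d/other.key" 2048 ) 2>/dev/null
    openssl req -new -x509 -key "$d/cakey.pem" -out "$d/cacert.pem" -days 365 \
        -subj "/C=CN/ST=HB/O=lab/CN=lab-ca" 2>/dev/null
    openssl req -new -key "$d/httpd.key" -out "$d/httpd.csr" \
        -subj "/C=CN/ST=HB/O=lab/CN=www.zyq.com" 2>/dev/null
    printf 'subjectAltName=DNS:www.zyq.com\n' > "$d/san.ext"
    openssl x509 -req -in "$d/httpd.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$d/san.ext" -out "$d/httpd.crt" 2>/dev/null
}

# check_pair CA CERT KEY: prints one finding per line, or "ok" if none.
check_pair() {
    ca=$1; crt=$2; key=$3; bad=0
    [ -r "$crt" ] && [ -r "$key" ] || { echo "missing cert or key file"; return 1; }
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "cert does not chain to CA"; bad=1; }
    # The public key inside the certificate must equal the private key's.
    a=$(openssl x509 -in "$crt" -noout -pubkey)
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ "$a" = "$b" ] || { echo "key does not match cert"; bad=1; }
    openssl x509 -in "$crt" -noout -text | grep -q 'DNS:' ||
        { echo "no subjectAltName DNS entry"; bad=1; }
    [ "$bad" -eq 0 ] && echo ok
    return "$bad"
}

d=$(mktemp -d)
make_lab_pki "$d"
check_pair "$d/cacert.pem" "$d/httpd.crt" "$d/httpd.key"             # matching pair
check_pair "$d/cacert.pem" "$d/httpd.crt" "$d/other.key" || true     # wrong key
check_pair "$d/cacert.pem" "$d/httpd.crt" "$d/missing.key" || true   # bad path
rm -rf "$d"
```
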

Check the port numbers

[root@zyq ~]# ss -antl
State                 Recv-Q                 Send-Q                                 Local Address:Port                                 Peer Address:Port                
LISTEN                0                      128                                          0.0.0.0:22                                        0.0.0.0:*                   
LISTEN                0                      128                                                *:443                                             *:*                   
LISTEN                0                      128                                                *:80                                              *:*                   
LISTEN                0                      128                                             [::]:22                                           [::]:*   

Test access
