Configuring Apache on UOS

  • Webserver (apache2)
  • Serves www.skills.cn
  • The portal site of the company skills;
  • Uses the apache service;
  • Web files are placed in /htdocs/skills;
  • The service runs as user webuser;
  • The front page content is "This is the front page of skills's website.";
  • /htdocs/skills/staff.html contains "Staff Information";
  • That page requires authentication with a staff account before it can be viewed;
  • Staff accounts are stored in LDAP; the accounts are zsuser and lsus
  • The site uses the HTTPS protocol;
  • SSL uses a certificate issued by RServer, issued to:
  • C = CN
  • ST = China
  • L = ShangDong
  • O = skills
  • OU = Operations Departments
  • CN =  *.skills.cn
  • RServer's CA certificate path: /CA/cacert.pem
  • The signed certificate's issuer:
  • C = CN;
  • O =  Inc
  • OU = www.shills.cn
  • CN = shill Global Root CA
  • Clients accessing over HTTPS must get no security warning in the browser (or on the terminal);
  • Access over HTTP is automatically redirected to the HTTPS connection;
  • Access via skills.cn or any.skills.cn (any standing for any host-name prefix) is automatically redirected to www.skills.cn.

 

1. Install the Apache service

[root@server04 /]# apt install apache2  -y

 

2. Add the web user

#system account without a login shell; on Debian-family systems useradd also creates the group webuser
[root@server04 /]# useradd -r -s /usr/sbin/nologin webuser
[root@server04 /]# vim /etc/apache2/apache2.conf
User webuser
Group webuser

On Debian-derived apache2 packaging (which is what UOS ships, as the /etc/apache2 layout and a2enmod show) apache2.conf normally contains User ${APACHE_RUN_USER} and Group ${APACHE_RUN_GROUP}, with the values coming from /etc/apache2/envvars. Either replace those two lines as above or set APACHE_RUN_USER=webuser and APACHE_RUN_GROUP=webuser in envvars, but not both places with different values. After the restart in step 7, ps -o user,cmd -C apache2 should list the worker processes as webuser; only the parent runs as root.

 

3. Create the server certificate and have the CA sign it

#point the [ CA_default ] dir at /CA. This, index.txt and serial are only read by "openssl ca"; the signing below uses "openssl x509", which ignores them
[root@server04 /]# nano /etc/ssl/openssl.cnf
dir             =  /CA
[root@server04 /]# mkdir /CA
[root@server04 /]# cp -rf /etc/ssl/* /CA
#change into /CA first, otherwise the database files land in /
[root@server04 /]# cd /CA
[root@server04 /CA]# touch index.txt
[root@server04 /CA]# echo 01 > serial
#CA private key; /CA/private inherited mode 0700 from /etc/ssl/private, keep it that way
[root@server04 /CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...............+++++
.................................+++++
e is 65537 (0x010001)
#self-signed CA certificate; without -days it would expire after 30 days
[root@server04 /CA]# openssl req -new -x509 -days 3650 -key ./private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Inc
Organizational Unit Name (eg, section) []:www.skills.com
Common Name (e.g. server FQDN or YOUR name) []:skill Global Root CA
Email Address []:

The OU and CN typed here (www.skills.com, skill Global Root CA) differ from the issuer DN the task lists (OU = www.shills.cn, CN = shill Global Root CA). Type the values the task prescribes, because they end up verbatim in the issuer field of every certificate this CA signs.

[root@server04 /CA]# openssl genrsa -out apache.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
........................................................+++++
e is 65537 (0x010001)

[root@server04 /CA]# openssl req -new -key apache.key -out apache.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:China
Locality Name (eg, city) []:ShangDong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (e.g. server FQDN or YOUR name) []:*.skills.cn  
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

#sign the request; "openssl x509 -req" copies no extensions from the CSR and adds none of its own
[root@server04 /CA]# openssl x509 -req -days 825 -in apache.csr -CA /CA/cacert.pem -CAkey /CA/private/cakey.pem -CAcreateserial -out apache.crt
Signature ok
subject=C = CN, ST = China, L = ShangDong, O = skills, OU = Operations Departments, CN = *.skills.cn
Getting CA Private Key

Two properties of this certificate decide whether the "no browser warning" requirement is met. First, it carries no subjectAltName. Chrome (since version 58) and current Firefox releases ignore the CN entirely, so even after /CA/cacert.pem has been imported into the client's trust store they still report a name mismatch; pass an -extfile containing subjectAltName=DNS:www.skills.cn,DNS:*.skills.cn,DNS:skills.cn when signing. Second, a wildcard *.skills.cn matches www.skills.cn and any.skills.cn but not the bare skills.cn, so the redirect from https://skills.cn/ is only warning-free if the apex name is listed in the SAN as well. On the client, import cacert.pem into the browser; for curl on the terminal pass --cacert /CA/cacert.pem or add the file to the system CA store.
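The following script is an added example and not part of the original page: it repeats this step's CA and server-certificate build non-interactively, with the extensions the interactive commands lack (a root marked CA:TRUE, a leaf with subjectAltName), and then runs openssl verify -verify_hostname, the same chain-plus-name check a browser performs, to show which host names each certificate is good for. Subject values are taken from the requirement list; the output directory, the 825-day leaf lifetime and the two SAN variants are choices made for the demo. It needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original page). Builds the RServer CA and a
# server certificate for the skills site with explicit X.509v3 extensions,
# then checks the result against concrete host names.
# Assumes: OpenSSL >= 1.1.1 on PATH, a writable output directory.

# make_ca_and_server_cert DIR SAN
#   DIR  output directory (cacert.pem, private/cakey.pem, apache.key, apache.crt)
#   SAN  subjectAltName list, e.g. "DNS:www.skills.cn,DNS:*.skills.cn,DNS:skills.cn"
make_ca_and_server_cert() {
    dir=$1
    san=$2
    mkdir -p "$dir/private" && chmod 700 "$dir/private" || return 1

    # Self-contained req config for the CA (issuer DN from the task statement),
    # so the result does not depend on whatever /etc/ssl/openssl.cnf contains.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = CN
O = Inc
OU = www.shills.cn
CN = shill Global Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/private/cakey.pem" \
        -out "$dir/cacert.pem" >/dev/null 2>&1 || return 1

    # Server key and CSR with the subject the task prescribes.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = CN
ST = China
L = ShangDong
O = skills
OU = Operations Departments
CN = *.skills.cn
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
        -keyout "$dir/apache.key" -out "$dir/apache.csr" >/dev/null 2>&1 || return 1

    # Leaf extensions. "openssl x509 -req" adds none by itself, and browsers
    # ignore the CN, so the SAN decides which names the cert is valid for.
    cat > "$dir/apache.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
    openssl x509 -req -sha256 -days 825 -in "$dir/apache.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -extfile "$dir/apache.ext" -out "$dir/apache.crt" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/private/cakey.pem" "$dir/apache.key"
}

# cert_matches_host CERT CAFILE HOST -> 0 if CERT chains to CAFILE and is
# valid for HOST (chain plus host-name check, as a browser does it).
cert_matches_host() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Demo: one cert whose SAN includes the apex name, one with only the wildcard.
demo() {
    work=$(mktemp -d)
    make_ca_and_server_cert "$work/full" "DNS:www.skills.cn,DNS:*.skills.cn,DNS:skills.cn"
    make_ca_and_server_cert "$work/wild" "DNS:*.skills.cn"
    for variant in full wild; do
        for host in www.skills.cn any.skills.cn skills.cn a.b.skills.cn; do
            if cert_matches_host "$work/$variant/apache.crt" "$work/$variant/cacert.pem" "$host"; then
                echo "$variant: $host OK"
            else
                echo "$variant: $host MISMATCH"
            fi
        done
    done
    rm -rf "$work"
}
demo
```

The demo prints OK for www.skills.cn and any.skills.cn with both variants, OK for skills.cn only with the full SAN, and MISMATCH for a.b.skills.cn in both cases: a wildcard covers exactly one label. To use the result for the task, copy cacert.pem, private/cakey.pem, apache.key and apache.crt into /CA as the page's file names expect.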

 

4. Create the web root directory

[root@server04 ]# mkdir /htdocs/skills -p
[root@server04 ]# echo "This is the front page of skills's website." >> /htdocs/skills/index.html
[root@server04 ]#  echo "Staff Information" >> /htdocs/skills/staff.html

 

5. Edit the Apache configuration file

[root@server04 /]# nano /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
    ServerName www.skills.cn
    ServerAlias skills.cn *.skills.cn
    Redirect permanent / https://www.skills.cn/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.skills.cn
    DocumentRoot /htdocs/skills
    SSLEngine on
    SSLCertificateFile /CA/apache.crt
    SSLCertificateKeyFile /CA/apache.key
    <Directory /htdocs/skills>
        Require all granted
        <Files "staff.html">
            AuthType Basic
            AuthName "login"
            AuthUserFile "/var/passwd"
            Require valid-user
        </Files>
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName skills.cn
    ServerAlias *.skills.cn
    SSLEngine on
    SSLCertificateFile /CA/apache.crt
    SSLCertificateKeyFile /CA/apache.key
    Redirect permanent / https://www.skills.cn/
</VirtualHost>

Points worth checking in this file:

The authentication block must sit in a <Files> (or <Location /staff.html>) container. <Directory> only ever matches directories, so a block written as <Directory /htdocs/skills/staff.html> never applies and staff.html is served without a password. With the default AuthMerging Off, the Require valid-user inside <Files> replaces the Require all granted of the enclosing directory.

The www.skills.cn vhost is listed first on port 443, which also makes it the default for requests whose Host header matches nothing. The second :443 vhost catches skills.cn and any.skills.cn and redirects them; without it those names would be answered by whichever :443 vhost comes first, with no redirect. Name-based matching on 443 relies on the client sending SNI, which every current browser and curl do. The served certificate must still be valid for the name the client asked for, so the redirect from https://skills.cn/ is only warning-free if skills.cn is in the certificate's SAN.

Redirect permanent answers 301. The port-80 vhost catches every name, so plain http to any of the three forms lands on https://www.skills.cn/. 000-default.conf in sites-enabled is a symlink to the copy in sites-available; editing either path changes the same file. Listen 443 comes from ports.conf and only takes effect once mod_ssl is enabled (step 7).

 

6. Create the authentication users

[root@server04 /]# htpasswd -c /var/passwd zsuser
[root@server04 /]# htpasswd /var/passwd lsusr

Use -c only for the first user; it truncates an existing file. htpasswd creates the file world-readable, so tighten it to root:webuser with mode 0640 (mod_authn_file opens it from the worker process, which runs as webuser). Note that this satisfies the "password-protected page" part of the task but not the "accounts stored in LDAP" part: a local file is a second credential store that has to be kept in sync by hand. The LDAP variant uses mod_authnz_ldap with AuthBasicProvider ldap and an AuthLDAPURL pointing at the directory, and /var/passwd is then not needed at all.
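The task states that the staff accounts live in LDAP, while the page authenticates against /var/passwd. As an added example (not from the original page), this is what the staff.html block looks like with mod_authnz_ldap instead of a local file. The server name ldap.skills.cn, the base DN ou=People,dc=skills,dc=cn and the posixAccount filter are assumptions about the competition's directory and must be replaced with the real values.

```apacheconf
# Added example: enable the modules first ("a2enmod ldap authnz_ldap") and
# restart apache2. Server, base DN and filter below are placeholders.
<Directory /htdocs/skills>
    Require all granted
    <Files "staff.html">
        AuthType Basic
        AuthName "Staff Information"
        AuthBasicProvider ldap
        # ldap://host/base-dn?attribute?scope?filter
        AuthLDAPURL "ldap://ldap.skills.cn/ou=People,dc=skills,dc=cn?uid?sub?(objectClass=posixAccount)"
        # Restrict to the two staff accounts rather than anyone who can bind
        Require ldap-user zsuser lsusr
    </Files>
</Directory>
```

If the directory does not allow anonymous searches, add AuthLDAPBindDN and AuthLDAPBindPassword for a read-only service account. Use ldaps:// or LDAPTrustedMode TLS so that the staff passwords Apache forwards to the directory do not cross the network in the clear.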

 

7. Enable mod_ssl and restart the service

[root@server04 /]# a2enmod ssl
[root@server04 /]# systemctl restart apache2

a2enmod ssl also activates the Listen 443 stanza in ports.conf, so it must run before the restart. Run apachectl configtest before restarting: a typo in the vhost file otherwise takes the site down, and systemctl status apache2 or journalctl -u apache2 shows the reason.

 

8. Client test

(screenshot of the browser test; not reproduced here)
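As an added example that is not part of the original page, the client test written as a script rather than a screenshot. It assumes the layout from this page (CA at /CA/cacert.pem, htpasswd user zsuser), that www.skills.cn, skills.cn and any.skills.cn resolve to the server from the client (for example via /etc/hosts), and that curl is installed; STAFF_PW must hold zsuser's password and RUN_SMOKE=1 makes the script actually send requests. Each check states the HTTP status and Location the task requires; redirects are not followed, so every hop is examined individually.

```shell
#!/bin/sh
# Added example (not from the original page): the client test as a script
# instead of a screenshot. Assumes the page's layout (CA at /CA/cacert.pem,
# htpasswd user zsuser), that the three host names resolve to the server,
# and that curl is installed. STAFF_PW = zsuser's password, RUN_SMOKE=1 to run.

CA_FILE=${CA_FILE:-/CA/cacert.pem}

# probe URL [user:pass] -> prints "<status> <Location>" for a single request.
# Redirects are deliberately not followed, so each hop is checked on its own.
probe() {
    if [ -n "${2-}" ]; then
        out=$(curl -sS -o /dev/null --max-time 10 --cacert "$CA_FILE" \
                  -u "$2" -w '%{http_code} %{redirect_url}' "$1")
    else
        out=$(curl -sS -o /dev/null --max-time 10 --cacert "$CA_FILE" \
                  -w '%{http_code} %{redirect_url}' "$1")
    fi
    echo "${out% }"   # drop the trailing space left when there is no Location
}

# check URL EXPECTED [user:pass] -> prints PASS/FAIL, returns 0 on PASS.
check() {
    got=$(probe "$1" "${3-}")
    if [ "$got" = "$2" ]; then
        echo "PASS $1 -> $got"
    else
        echo "FAIL $1 -> got '$got', want '$2'"
        return 1
    fi
}

# run_smoke_test -> 0 only if every requirement from the task holds.
run_smoke_test() {
    rc=0
    # http on any of the three name forms -> 301 to the canonical https URL
    check "http://www.skills.cn/"  "301 https://www.skills.cn/" || rc=1
    check "http://skills.cn/"      "301 https://www.skills.cn/" || rc=1
    check "http://any.skills.cn/"  "301 https://www.skills.cn/" || rc=1
    # https on the non-canonical names -> 301 as well. curl reports status 000
    # here (certificate error) if those names are missing from the SAN.
    check "https://skills.cn/"     "301 https://www.skills.cn/" || rc=1
    check "https://any.skills.cn/" "301 https://www.skills.cn/" || rc=1
    # front page open, staff page closed without credentials, open with them
    check "https://www.skills.cn/"           "200" || rc=1
    check "https://www.skills.cn/staff.html" "401" || rc=1
    check "https://www.skills.cn/staff.html" "200" "zsuser:${STAFF_PW:?set STAFF_PW}" || rc=1
    return $rc
}

# Only touch the network when asked, so the file can be sourced for its functions.
if [ "${RUN_SMOKE:-0}" = 1 ]; then
    run_smoke_test
fi
```

A 000 status on the https lines means curl refused the certificate (name mismatch or untrusted issuer), which is exactly the condition the "no security warning" requirement forbids; the same check without --cacert shows what a client without the imported CA sees.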

 
