- Web server (apache2)
- Serves www.skills.cn
- The portal site of the company skills;
- Uses the Apache service;
- Web files are placed in /htdocs/skills;
- The service runs as the user webuser;
- The front page content is "This is the front page of skills's website.";
- The content of /htdocs/sdskills/staff.html is "Staff Information";
- This page requires staff account authentication before it can be accessed;
- Staff accounts are stored in LDAP; the accounts are zsuser and lsus
- The site uses the HTTPS protocol;
- SSL uses a certificate issued by RServer, issued to:
  - C = CN
  - ST = China
  - L = ShangDong
  - O = skills
  - OU = Operations Departments
  - CN = *.skills.cn
- Path of RServer's CA certificate: /CA/cacert.pem
- Issue the digital certificate; issuer:
  - C = CN;
  - O = Inc
  - OU = www.shills.cn
  - CN = shill Global Root CA
- Clients accessing over HTTPS must see no browser (or terminal) security warning;
- When a user accesses over HTTP, redirect automatically to the secure HTTPS connection;
- When a user accesses via skills.cn or any.skills.cn (any stands for an arbitrary host-name prefix), redirect automatically to www.skills.com.
1. Install the Apache service
[root@server04 /]# apt install apache2 -y
2. Add the web user
[root@server04 /]# useradd -r webuser
[root@server04 /]# vim /etc/apache2/apache2.conf
User webuser
Group webuser
3. Create the server certificate and have the CA sign it
# Point the CA layout at /CA instead of the default directory (the dir setting in the [ CA_default ] section)
[root@server04 /]# nano /etc/ssl/openssl.cnf
dir = /CA
[root@server04 /]# mkdir /CA
[root@server04 /]# cp -rf /etc/ssl/* /CA
# index.txt and serial belong under /CA, so change directory before creating them
[root@server04 /]# cd /CA
[root@server04 /CA]# touch index.txt
[root@server04 /CA]# echo 01 > serial
[root@server04 /CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...............+++++
.................................+++++
e is 65537 (0x010001)
[root@server04 /CA]# openssl req -new -x509 -days 3650 -key ./private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Inc
Organizational Unit Name (eg, section) []:www.skills.com
Common Name (e.g. server FQDN or YOUR name) []:skill Global Root CA
Email Address []:
[root@server04 /CA]# openssl genrsa -out apache.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
........................................................+++++
e is 65537 (0x010001)
[root@server04 /CA]# openssl req -new -key apache.key -out apache.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:China
Locality Name (eg, city) []:ShangDong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (e.g. server FQDN or YOUR name) []:*.skills.cn
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@server04 /CA]# openssl x509 -req -days 365 -in apache.csr -CA /CA/cacert.pem -CAkey /CA/private/cakey.pem -CAcreateserial -out apache.crt
Signature ok
subject=C = CN, ST = China, L = ShangDong, O = skills, OU = Operations Departments, CN = *.skills.cn
Getting CA Private Key
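The same CA and server-certificate steps, as an added example that is not part of this write-up: the DN fields are passed with -subj so nothing is typed interactively, both certificates get an explicit validity period instead of the 30-day default, the server certificate carries a subjectAltName (browsers match the host name against the SAN, not the CN, so a wildcard present only in the CN still produces a warning, and *.skills.cn by itself does not cover the bare skills.cn), and a final openssl verify confirms the chain. The working directory is the function argument (the write-up uses /CA); the issuer and subject values are the ones listed in the requirements.

```shell
#!/bin/sh
# Added example, not part of the original write-up: the CA and server
# certificate steps run non-interactively, with the DN fields from the
# requirement list, explicit -days values, a SAN on the server certificate
# and a chain check. The directory to work in is the function's argument.
set -eu

make_ca_and_server_cert() {
    dir="$1"
    mkdir -p "$dir/private"

    # Root CA key and self-signed certificate; issuer DN from the requirement list.
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 \
        -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/C=CN/O=Inc/OU=www.shills.cn/CN=shill Global Root CA"

    # Server key and CSR; subject DN from the requirement list.
    openssl genrsa -out "$dir/apache.key" 2048 2>/dev/null
    openssl req -new -key "$dir/apache.key" -out "$dir/apache.csr" \
        -subj "/C=CN/ST=China/L=ShangDong/O=skills/OU=Operations Departments/CN=*.skills.cn"

    # Leaf extensions: the SAN covers www, any other prefix, and the bare domain,
    # which the wildcard alone would not match.
    printf '%s\n' \
        'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:*.skills.cn,DNS:skills.cn' > "$dir/server_ext.cnf"

    # Sign the CSR with the CA (the write-up's x509 -req step, plus the extensions).
    openssl x509 -req -days 365 -in "$dir/apache.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -extfile "$dir/server_ext.cnf" -out "$dir/apache.crt" 2>/dev/null
}

# Returns 0 when apache.crt chains to cacert.pem and carries the wildcard SAN:
# the condition a client that trusts cacert.pem needs for a warning-free connection.
verify_server_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/apache.crt" >/dev/null &&
        openssl x509 -in "$dir/apache.crt" -noout -text | grep -q 'DNS:\*\.skills\.cn'
}

# Stand-alone use: sh thisfile.sh run   (builds everything in a scratch directory)
if [ "${1:-}" = "run" ]; then
    scratch="$(mktemp -d)"
    make_ca_and_server_cert "$scratch"
    if verify_server_cert "$scratch"; then
        echo "apache.crt verifies against cacert.pem in $scratch"
    else
        echo "verification failed" >&2
        exit 1
    fi
fi
```

To reproduce the write-up's layout, call `make_ca_and_server_cert /CA` and point SSLCertificateFile and SSLCertificateKeyFile at /CA/apache.crt and /CA/apache.key; `openssl verify -CAfile /CA/cacert.pem /CA/apache.crt` is the same check a client performs once /CA/cacert.pem is imported into its trust store.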
4. Create the web root directory
[root@server04 /]# mkdir /htdocs/skills -p
[root@server04 /]# echo "This is the front page of skills's website." >> /htdocs/skills/index.html
[root@server04 /]# echo "Staff Information" >> /htdocs/skills/staff.html
5. Edit the Apache configuration file
[root@server04 /]# nano /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
    # Every plain-http request is sent to the https site
    Redirect permanent / https://www.skills.cn/
</VirtualHost>
<VirtualHost *:443>
    # Listed first, so it is also the default for clients that send no SNI name
    ServerName www.skills.cn
    DocumentRoot /htdocs/skills
    SSLEngine ON
    SSLCertificateFile /CA/apache.crt
    SSLCertificateKeyFile /CA/apache.key
    <Directory /htdocs/skills>
        Require all granted
        # staff.html is a file, so it needs a <Files> section; <Directory> only matches directories
        <Files staff.html>
            AuthType Basic
            AuthName "login"
            AuthUserFile "/var/passwd"
            Require valid-user
        </Files>
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    # skills.cn and any other prefix are redirected to the www host
    ServerName skills.cn
    ServerAlias *.skills.cn
    SSLEngine ON
    SSLCertificateFile /CA/apache.crt
    SSLCertificateKeyFile /CA/apache.key
    Redirect permanent / https://www.skills.cn/
</VirtualHost>
6. Create the authentication users
[root@server04 /]# htpasswd -c /var/passwd zsuser
[root@server04 /]# htpasswd /var/passwd lsusr
7. Enable SSL and restart the service
[root@server04 /]# a2enmod ssl
[root@server04 /]# systemctl restart apache2
8. Client testing
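A client-side check script for this step, as an added example that is not part of the write-up. The header-parsing functions are plain shell so they can be exercised on captured responses; live_checks needs curl, the host names resolving to the server, and the CA file path used above, and it assumes an environment variable STAFF_PASSWORD holding the password set with htpasswd for zsuser. The redirect target checked is https://www.skills.cn/, the one the port-80 vhost above uses. Passing --cacert instead of -k is the point: a response obtained without disabling verification is what "no browser warning" means on the command line.

```shell
#!/bin/sh
# Added example, not part of the original write-up: client checks for the
# redirect, certificate trust and staff.html protection. Host names and the
# CA path follow the write-up; STAFF_PASSWORD is an assumed environment variable.

# Status code from the first line of a raw response header block.
http_status() {
    printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# Value of the Location header (case-insensitive, CR stripped), or empty.
http_location() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ll]ocation: *//p' | head -n 1
}

# 0 when the response is a redirect whose Location starts with the expected URL.
check_redirect() {
    status="$(http_status "$1")"
    location="$(http_location "$1")"
    case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
    case "$location" in "$2"*) return 0 ;; *) return 1 ;; esac
}

# 0 when the response demands HTTP Basic credentials.
check_requires_basic_auth() {
    [ "$(http_status "$1")" = "401" ] &&
        printf '%s\n' "$1" | grep -qi '^WWW-Authenticate: *Basic'
}

# Live checks against the configured server; curl -I fetches headers only and
# --cacert makes curl verify the chain against the CA from the write-up.
live_checks() {
    ca=/CA/cacert.pem
    www=https://www.skills.cn/
    # plain http must be redirected to the https site
    check_redirect "$(curl -sI http://www.skills.cn/)" "$www" || { echo "http redirect missing"; return 1; }
    # the bare domain and any other prefix must land on www; note that a certificate
    # whose only name is *.skills.cn does not cover skills.cn, so this also tests the SAN
    check_redirect "$(curl -sI --cacert "$ca" https://skills.cn/)" "$www" || { echo "skills.cn redirect missing"; return 1; }
    check_redirect "$(curl -sI --cacert "$ca" https://any.skills.cn/)" "$www" || { echo "any.skills.cn redirect missing"; return 1; }
    # the front page must validate against the CA without -k
    [ "$(http_status "$(curl -sI --cacert "$ca" "$www")")" = "200" ] || { echo "https front page failed"; return 1; }
    # staff.html must be protected, and open with a valid account
    check_requires_basic_auth "$(curl -sI --cacert "$ca" "${www}staff.html")" || { echo "staff.html is not protected"; return 1; }
    [ "$(http_status "$(curl -sI --cacert "$ca" -u "zsuser:${STAFF_PASSWORD:-}" "${www}staff.html")")" = "200" ] || { echo "staff login failed"; return 1; }
    echo "all client checks passed"
}

# Stand-alone use: STAFF_PASSWORD=... sh thisfile.sh live
if [ "${1:-}" = "live" ]; then
    live_checks
fi
```

Each failed check names the requirement it maps to, so the script doubles as a checklist for the items in the requirement list: redirect from HTTP, redirect from skills.cn and any prefix, a trusted chain, and authentication on staff.html.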