httpd
Common httpd configuration
1. Compiling and installing httpd
Introduction to httpd and building it from source
Compiling and installing httpd-2.4
Install the compiler and the tools the build needs
[root@czh ~]# dnf -y install gcc gcc-c++ pcre-devel zlib-devel openssl openssl-devel make expat-devel libtool
Then download httpd and its two dependencies (APR and APR-util):
https://mirrors.bfsu.edu.cn/apache/httpd/httpd-2.4.46.tar.bz2
https://mirrors.bfsu.edu.cn/apache/apr/apr-1.7.0.tar.bz2
https://mirrors.bfsu.edu.cn/apache/apr/apr-util-1.6.1.tar.bz2
(The link above is httpd-2.4.46, the transcript below unpacks httpd-2.4.43, and httpd -v later reports 2.4.46; the steps are identical, but make sure the tarball you build is the one you checked. A mirror is fine for the download itself, but compare the SHA-256 and the PGP signature with the files published by the Apache project before compiling anything.)
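Before building, check that what the mirror served is what the project released. The following is an added example, not part of the original page: it verifies a tarball against the `FILE.sha256` sidecar the Apache download site publishes and shows the `gpg --verify` call for the detached `FILE.asc` signature. The sidecar format (`<hex> *FILE` or `<hex>  FILE`), the keyring path and the sample file contents are assumptions made for the example.

```python
"""Added example (not from the page): verify an Apache release tarball against
its published SHA-256 sidecar (and optionally its PGP signature) before
compiling it. File names, the keyring path and the constructed sample data
are assumptions for this example."""
import hashlib
import hmac
import os
import subprocess
import tempfile


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large tarball never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def expected_digest(sidecar_text: str, filename: str) -> str:
    """Pull the digest for FILE out of a '<hex> *FILE' or '<hex>  FILE' sidecar."""
    for line in sidecar_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-1].lstrip("*") == filename:
            return parts[0].lower()
    raise ValueError(f"no digest for {filename} in sidecar")


def verify_tarball(tarball: str, sidecar_text: str) -> bool:
    """True only when the file's digest equals the published one."""
    want = expected_digest(sidecar_text, os.path.basename(tarball))
    return hmac.compare_digest(sha256_of(tarball), want)


def verify_signature(tarball: str, keyring: str) -> bool:
    """Check the detached signature FILE.asc against a keyring built from the
    project's KEYS file. Needs gpg on PATH and the KEYS import done beforehand,
    so it is not exercised offline here."""
    res = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring,
         "--verify", tarball + ".asc", tarball],
        capture_output=True, text=True,
    )
    return res.returncode == 0


def demo() -> dict:
    """Constructed input: a fake tarball whose bytes are b'hello\\n' and a sidecar
    carrying that content's real SHA-256; a tampered copy must fail the check."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "httpd-2.4.46.tar.bz2")
    with open(good, "wb") as f:
        f.write(b"hello\n")
    sidecar = ("5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
               " *httpd-2.4.46.tar.bz2\n")
    bad = os.path.join(d, "tampered", "httpd-2.4.46.tar.bz2")
    os.makedirs(os.path.dirname(bad))
    with open(bad, "wb") as f:
        f.write(b"hello!\n")  # one extra byte: a modified download
    return {"intact": verify_tarball(good, sidecar),
            "tampered": verify_tarball(bad, sidecar)}


if __name__ == "__main__":
    print(demo())
```

Run the digest check on each of the three tarballs, and the signature check on at least httpd itself, before the `tar xf` steps that follow; a mismatch means stop and fetch from another mirror, not "try make anyway".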
Compile and install
[root@czh ~]# tar xf apr-1.7.0.tar.bz2
[root@czh ~]# ls
anaconda-ks.cfg apr-1.7.0 apr-1.7.0.tar.bz2 apr-util-1.6.1.tar.bz2 httpd-2.4.43.tar.bz2
[root@czh ~]# tar xf apr-util-1.6.1.tar.bz2
[root@czh ~]# cd apr-1.7.0/
[root@czh apr-1.7.0]# vim configure (open the configure script inside the package and comment out the line that reads $RM "$cfgfile"; as shipped, apr-1.7.0 deletes its own libtool template there and the build later fails with "rm: cannot remove 'libtoolT'")
setopt NO_GLOB_SUBST
fi
cfgfile=${ofile}T
trap "$RM \"$cfgfile\"; exit 1" 1 2 15
# $RM "$cfgfile"
Now build the first package
[root@czh apr-1.7.0]# ./configure --prefix=/usr/local/apr
checking build system type… x86_64-pc-linux-gnu
checking host system type… x86_64-pc-linux-gnu
checking target system type… x86_64-pc-linux-gnu
Configuring APR library
Platform: x86_64-pc-linux-gnu
checking for working mkdir -p… yes
APR Version: 1.7.0
checking for chosen layout… apr
checking for gcc… gcc
checking whether the C compiler works… yes
checking for C compiler default output file name… a.out
checking for suffix of executables…
checking whether we are cross compiling… no
checking for suffix of object files… o
checking whether we are using the GNU C compiler… yes
checking whether gcc accepts -g… yes
checking for gcc option to accept ISO C89… none needed
checking for a sed that does not truncate output… /usr/bin/sed
Applying APR hints file rules for x86_64-pc-linux-gnu
setting CPPFLAGS to “-DLINUX -D_REENTRANT -D_GNU_SOURCE”
(Default will be unix)
checking whether make sets $(MAKE)… yes
checking how to run the C preprocessor… gcc -E
…
#then make and make install
[root@czh apr-1.7.0]# make & make install
[1] 345325
(Note: a single & puts make in the background and starts make install at once; that is why the job number "[1] 345325" appears and why the two outputs interleave below. It only works by luck. Type make && make install so the install step runs only after a successful build.)
/bin/sh /root/apr-1.7.0/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -I./include -I/root/apr-1.7.0/include/arch/unix -I./include/arch/unix -I/root/apr-1.7.0/include/arch/unix -I/root/apr-1.7.0/include -I/root/apr-1.7.0/include/private -I/root/apr-1.7.0/include/private -o encoding/apr_encode.lo -c encoding/apr_encode.c && touch encoding/apr_encode.lo
make[1]: Entering directory '/root/apr-1.7.0'
/bin/sh /root/apr-1.7.0/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -I./include -I/root/apr-1.7.0/include/arch/unix -I./include/arch/unix -I/root/apr-1.7.0/include/arch/unix -I/root/apr-1.7.0/include -I/root/apr-1.7.0/include/private -I/root/apr-1.7.0/include/private -o encoding/apr_encode.lo -c encoding/apr_encode.c && touch encoding/apr_encode.lo
/root/apr-1.7.0/build/mkdir.sh tools
/bin/sh /root/apr-1.7.0/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -I./include -I/root/apr-1.7.0/include/arch/unix -I./include/arch/unix -I/root/apr-1.7.0/include/arch/unix -I/root/apr-1.7.0/include -I/root/apr-1.7.0/include/private -I/root/apr-1.7.0/include/private -o tools/gen_test_char.lo -c tools/gen_test_char.c && touch tools/gen_test_char.lo
/root/apr-1.7.0/build/mkdir.sh tools
/bin/sh /root/apr-1.7.0/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -I./include -I/root/apr-1.7.0/include/arch/unix -I./include/arch/unix -I/root…
…
#install the second package
[root@czh ~]# ls
anaconda-ks.cfg apr-1.7.0.tar.bz2 apr-util-1.6.1.tar.bz2
apr-1.7.0 apr-util-1.6.1 httpd-2.4.43.tar.bz2
[root@czh ~]# cd apr-util-1.6.1/
[root@czh apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
checking build system type… x86_64-pc-linux-gnu
checking host system type… x86_64-pc-linux-gnu
checking target system type… x86_64-pc-linux-gnu
checking for a BSD-compatible install… /usr/bin/install -c
checking for working mkdir -p… yes
APR-util Version: 1.6.1
checking for chosen layout… apr-util
checking for gcc… gcc
checking whether the C compiler works… yes
checking for C compiler default output file name… a.out
checking for suffix of executables…
checking whether we are cross compiling… no
checking for suffix of object files… o
checking whether we are using the GNU C compiler… yes
checking whether gcc accepts -g… yes
checking for gcc option to accept ISO C89… none needed
Applying apr-util hints file rules for x86_64-pc-linux-gnu
checking for APR… configure: error: the --with-apr parameter is incorrect. It must specify an install prefix, a build directory, or an apr-config file.
(This error means configure found no usable APR under /usr/local/apr: it looks for bin/apr-1-config there. It happens when the previous "make & make install" had not finished yet, or when that install failed. Let the APR install complete, or re-run it, then run this configure again. The build output below comes from a later, successful run done from /usr/src.)
make & make install to build and install (the same caveat as above: prefer make && make install)
[root@czh apr-util-1.6.1]# make & make install
[1] 64382
/bin/sh /usr/local/apr/build-1/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -I/usr/src/apr-util-1.6.1/include -I/usr/src/apr-util-1.6.1/include/private -I/usr/local/apr/include/apr-1 -o buckets/apr_brigade.lo -c buckets/apr_brigade.c && touch buckets/apr_brigade.lo
make[1]: Entering directory '/usr/src/apr-util-1.6.1'
/bin/sh /usr/local/apr/build-1/libtool --silent --mode=compile gcc -g -O2
…
Unpack the third package and change into it
[root@czh src]# tar xf httpd-2.4.43.tar.bz2
[root@czh src]# cd httpd-2.4.43/
[root@czh httpd-2.4.43]# ./configure --prefix=/usr/local/apache \
    --sysconfdir=/etc/httpd24 \
    --enable-so \
    --enable-ssl \
    --enable-cgi \
    --enable-rewrite \
    --with-zlib \
    --with-pcre \
    --with-apr=/usr/local/apr \
    --with-apr-util=/usr/local/apr-util/ \
    --enable-modules=most \
    --enable-mpms-shared=all \
    --with-mpm=prefork
(--enable-so makes modules loadable at run time, --enable-ssl builds mod_ssl against the openssl-devel headers installed earlier, and --enable-mpms-shared=all builds every MPM as a module so the default chosen by --with-mpm can be changed later in httpd.conf. Leave --enable-cgi out unless you actually serve CGI scripts; it is attack surface you otherwise never use.)
checking for chosen layout… Apache
checking for working mkdir -p… yes
checking for grep that handles long lines and -e… /usr/bin/grep
checking for egrep… /usr/bin/grep -E
#then make and make install (same & caveat; the interleaved "Making all"/"Making install" lines below are the two jobs racing each other)
[root@czh httpd-2.4.43]# make & make install
[1] 80620
Making all in srclib
Making install in srclib
make[1]: Entering directory '/usr/src/httpd-2.4.43/srclib'
make[1]: Entering directory '/usr/src/httpd-2.4.43/srclib'
make[1]: Leaving directory '/usr/src/httpd-2.4.43/srclib'
Making all in os
make[2]: Entering directory '/usr/src/httpd-2.4.43/srclib'
make[1]: Entering directory '/usr/src/httpd-2.4.43/os'
make[2]: Leaving directory '/usr/src/httpd-2.4.43/srclib'
make[1]: Leaving directory '/usr/src/httpd-2.4.43/srclib'
Making install in os
Making all in unix
make[1]: Entering directory '/usr/src/httpd-2.4.43/os'
…
#start the service
[root@czh ~]# /usr/local/apache/bin/apachectl start
#switch off the firewall and SELinux (lab shortcut only: on a real host keep firewalld running and open just the http and https services with firewall-cmd, permanently, then reload. setenforce 0 drops SELinux to permissive for the whole host until reboot and is not needed for httpd to start; leave enforcing on and consult the audit log if something is actually denied.)
[root@czh ~]# systemctl stop firewalld
[root@czh ~]# setenforce 0
#check the listening ports
[root@czh ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 32 192.168.122.1:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*
- MPM configuration file /etc/httpd24/extra/httpd-mpm.conf
[root@czh extra]# vim httpd-mpm.conf
# the MPM (mod_mpm_NAME.so) comes in three types:
prefork
event
worker
(prefork was selected with --with-mpm above, so the block below is the one in effect; because the MPMs were built shared, switching to event or worker is a matter of changing which LoadModule mpm_*_module line is active in httpd.conf.)
<IfModule mpm_prefork_module>
StartServers 5 # child processes started at launch
MinSpareServers 5 # minimum number of idle children kept ready
MaxSpareServers 10 # maximum number of idle children before extras are killed
MaxRequestWorkers 250 # upper bound on simultaneous requests (one per child process under prefork)
MaxConnectionsPerChild 0 # connections a child serves before it is recycled (0 means unlimited)
- Main configuration file /etc/httpd24/httpd.conf
[root@czh ~]# vim /etc/httpd24/httpd.conf
Starting apache
Using the absolute path
[root@czh ~]# /usr/local/apache/bin/apachectl start
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::ee55:280d:7a94:887c%ens33. Set the 'ServerName' directive globally to suppress this message
(AH00558 is a warning, not a failure: set the ServerName directive globally in httpd.conf, as the message says, and it goes away.)
Put the binaries on PATH by creating a profile script, then start with the bare command
[root@czh ~]# cat /etc/profile.d/httpd.sh
export PATH=/usr/local/apache/bin:$PATH
[root@czh ~]# source /etc/profile.d/httpd.sh
[root@czh ~]# httpd -v
Server version: Apache/2.4.46 (Unix)
Server built: Apr 26 2021 04:48:21
[root@czh ~]# apachectl start
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::ee55:280d:7a94:887c%ens33. Set the 'ServerName' directive globally to suppress this message
httpd (pid 86742) already running
[root@czh ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 32 192.168.122.1:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 *:80 *:*
Count the processes
[root@czh ~]# ps -ef |grep httpd
root 86742 1 0 02:27 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 87266 86742 0 02:27 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 87267 86742 0 02:27 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 87268 86742 0 02:27 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 87269 86742 0 02:27 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 87270 86742 0 02:27 ? 00:00:00 /usr/local/apache/bin/httpd -k start
root 131213 2154 0 02:47 pts/0 00:00:00 grep --color=auto httpd
You can see one master process owned by root (pid 86742) and five children running as the daemon user; the five match StartServers 5 in httpd-mpm.conf. The children, not the root master, handle requests, so a bug triggered by a request only has the rights of daemon.
By default httpd-2.4 denies access to the whole filesystem (the <Directory /> block carries Require all denied), so after installing you must grant access explicitly for every directory you want served
[root@czh ~]# cd /etc/httpd24/
[root@czh httpd24]# ls
extra httpd.conf magic mime.types original
[root@czh httpd24]# vim httpd.conf (this is the main configuration file)
<Directory /var/www/html/www> // the directory the rules apply to
<RequireAll>
Require not ip 192.168.1.20 // deny the address 192.168.1.20
Require all granted // allow every other host
</RequireAll>
</Directory>
<Directory />
AllowOverride none
Require all denied // deny everyone: the filesystem root stays closed
</Directory>
<Directory "/usr/local/apache/htdocs"> // the site's document root
Options Indexes FollowSymLinks
Require all granted // allow every host
</Directory>
(Options Indexes produces a directory listing whenever no index file exists, which exposes every stray file in the tree; remove it on anything that is not a lab box. The // remarks are annotations only: httpd does not accept comments after a directive on the same line.)
Rule | Effect |
---|---|
Require all granted | allow every host |
Require all denied | deny every host |
Require ip IPADDR | allow the given source address(es) |
Require not ip IPADDR | deny the given source address(es) |
Require host HOSTNAME | allow the given source host name(s) |
Require not host HOSTNAME | deny the given source host name(s) |
IPADDR forms | HOSTNAME forms |
---|---|
IP: 192.168.1.1 | FQDN: the full name of one host |
Network/mask: 192.168.1.0/255.255.255.0 | DOMAIN: every host in the given domain |
Network/Length: 192.168.1.0/24 | |
Net: 192.168 (leading octets only) | |
(A Require line that is not inside a container behaves as if it were inside <RequireAny>. Require not ... can only deny, never grant, so on its own it leaves everyone locked out; it belongs inside <RequireAll> next to a rule that grants, as in the block above. Require host costs a double-reverse DNS lookup on every request and trusts whoever controls the client's PTR record, so prefer ip rules wherever the address is known.)
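The three outcomes a Require line can produce (granted, denied, neutral) and the way the containers combine them are what make the block above work. The following added example is not httpd's code: it is a small Python model of that combination logic for the ip and all providers, using the address forms from the table, so a rule set can be reasoned about before it is deployed. The host provider is left out because it depends on reverse DNS.

```python
"""Added example (not httpd's code): a model of how mod_authz_core combines
Require directives. Covers the 'ip' and 'all' providers and the IPADDR forms
from the table (full address, Network/mask, Network/Length, leading octets)."""
import ipaddress

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"


def ip_matches(client: str, pattern: str) -> bool:
    """Address forms: full IP, Network/mask, Network/Length, or a partial
    dotted prefix such as 192.168 (first 1-3 octets, IPv4 only)."""
    addr = ipaddress.ip_address(client)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    if addr.version == 4 and pattern.count(".") < 3:
        octets = pattern.split(".")
        return client.split(".")[: len(octets)] == octets
    return addr == ipaddress.ip_address(pattern)


def evaluate(directive: str, client: str) -> str:
    """One 'Require [not] provider args...' line -> granted / denied / neutral.
    A negated directive can only deny or stay neutral; it never grants."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "require":
        raise ValueError(f"not a Require directive: {directive!r}")
    negate = len(tokens) > 1 and tokens[1].lower() == "not"
    args = tokens[2:] if negate else tokens[1:]
    provider, values = args[0].lower(), args[1:]
    if provider == "all":
        if negate:
            raise ValueError("'Require not all' is not valid in httpd")
        return GRANTED if values == ["granted"] else DENIED
    if provider != "ip":
        raise ValueError(f"provider {provider!r} is not modelled here")
    hit = any(ip_matches(client, v) for v in values)
    if negate:
        return DENIED if hit else NEUTRAL
    return GRANTED if hit else NEUTRAL


def combine(container: str, directives, client: str) -> str:
    """RequireAll: any denial -> denied; else granted if any grant; else neutral.
    RequireAny (the implicit default): any grant -> granted; else denied if any
    denial; else neutral.  RequireNone: any grant -> denied; else neutral."""
    results = [evaluate(d, client) for d in directives]
    if container == "RequireAll":
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    if container == "RequireAny":
        if GRANTED in results:
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL
    if container == "RequireNone":
        return DENIED if GRANTED in results else NEUTRAL
    raise ValueError(f"unknown container {container!r}")


def allowed(container: str, directives, client: str) -> bool:
    """httpd treats a neutral overall result as a denial: only GRANTED passes."""
    return combine(container, directives, client) == GRANTED


# The block from the page: everyone except 192.168.1.20.
PAGE_RULES = ["Require not ip 192.168.1.20", "Require all granted"]

if __name__ == "__main__":
    for ip in ("192.168.1.20", "192.168.1.21"):
        print(ip, allowed("RequireAll", PAGE_RULES, ip))
```

The model makes the two common mistakes visible: a lone `Require not ip` inside the default RequireAny container can never reach "granted" and therefore denies everybody, and `Require ip 192.168` is a two-octet prefix that covers the whole 192.168.0.0/16, not a single host.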
Virtual hosts:
There are three kinds of virtual host:
same IP, different ports
different IPs, same port
same IP and port, different domain names
Setting the host name
Open the main configuration file
[root@czh ~]# vim /etc/httpd24/httpd.conf
Uncomment the Include line
# Virtual hosts
Include /etc/httpd24/extra/httpd-vhosts.conf (once uncommented, the vhost file is read)
Edit the file
[root@czh ~]# cd /etc/httpd24/extra/
[root@czh extra]# ls
httpd-autoindex.conf httpd-languages.conf httpd-ssl.conf
httpd-dav.conf httpd-manual.conf httpd-userdir.conf
httpd-default.conf httpd-mpm.conf httpd-vhosts.conf
httpd-info.conf httpd-multilang-errordoc.conf proxy-html.conf
[root@czh extra]# vim httpd-vhosts.conf
What each directive means
<VirtualHost *:80> # *:80 means port 80 on every IP address of this host
ServerAdmin webmaster@dummy-host.example.com # the administrator's mailbox (rarely used; can be removed)
DocumentRoot "/usr/local/apache/htdocs/text1" # where the site's files live
ServerName text1.example.com # the domain name
ServerAlias www.dummy-host.example.com # additional names for the same site (optional)
ErrorLog "logs/text1.example.com-error_log" # error log, relative to ServerRoot (/usr/local/apache)
CustomLog "logs/text1.example.com-access_log" common # access log in the common format
</VirtualHost>
(Keep the logs under logs/, never under DocumentRoot: a log written inside the web root is served to anyone who requests it and leaks client addresses, request paths and user agents.)
Then change the configuration to
<VirtualHost *:80>
DocumentRoot "/usr/local/apache/htdocs/text1"
ServerName text1.example.com
ErrorLog "logs/text1.example.com-error_log"
CustomLog "logs/text1.example.com-access_log" common
</VirtualHost>
Listen 81 (added here because httpd.conf only has Listen 80)
<VirtualHost *:81>
DocumentRoot "/usr/local/apache/htdocs/text2"
ServerName text2.example.com
ErrorLog "logs/text2.example.com-error_log"
CustomLog "logs/text2.example.com-access_log" common
</VirtualHost>
[root@czh extra]# vim httpd-vhosts.conf
[root@czh extra]# apachectl restart
[root@czh ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 32 192.168.122.1:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:81 *:*
Different IPs, same port:
First add a second address to ens33
[root@czh ~]# ip addr add 192.168.31.139/24 dev ens33
[root@czh ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:28:4f:0e brd ff:ff:ff:ff:ff:ff
inet 192.168.31.128/24 brd 192.168.31.255 scope global dynamic noprefixroute ens33
valid_lft 1115sec preferred_lft 1115sec
inet 192.168.31.139/24 scope global secondary ens33
valid_lft forever preferred_lft forever
inet6 fe80::ee55:280d:7a94:887c/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:f4:06:4e brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:f4:06:4e brd ff:ff:ff:ff:ff:ff
Edit the configuration file
[root@czh extra]# vim httpd-vhosts.conf
<VirtualHost 192.168.31.128:80>
DocumentRoot "/usr/local/apache/htdocs/text1"
ServerName text1.example.com
ErrorLog "logs/text1.example.com-error_log"
CustomLog "logs/text1.example.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.31.139:80>
DocumentRoot "/usr/local/apache/htdocs/text2"
ServerName text2.example.com
ErrorLog "logs/text2.example.com-error_log"
CustomLog "logs/text2.example.com-access_log" common
</VirtualHost>
[root@czh extra]# apachectl restart
(The address added with ip addr add is not persistent: after a reboot 192.168.31.139 is gone and text2 silently stops answering. Make it part of the interface configuration, for example with nmcli, once the test works.)
Same IP and port, different domain names (name-based):
Change the configuration. All three vhosts share 192.168.31.128:80 and are told apart only by the Host header the browser sends. A request whose Host matches none of them (for example one made by IP address) is served by the first vhost listed for that address and port, here text1, so list the site you want as the default first.
<VirtualHost 192.168.31.128:80>
DocumentRoot "/usr/local/apache/htdocs/text1"
ServerName text1.example.com
ErrorLog "logs/text1.example.com-error_log"
CustomLog "logs/text1.example.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.31.128:80>
DocumentRoot "/usr/local/apache/htdocs/text2"
ServerName text2.example.com
ErrorLog "logs/text2.example.com-error_log"
CustomLog "logs/text2.example.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.31.128:80>
DocumentRoot "/usr/local/apache/htdocs/text3"
ServerName text3.example.com
ErrorLog "logs/text3.example.com-error_log"
CustomLog "logs/text3.example.com-access_log" common
</VirtualHost>
On the Windows client, find C:\Windows\System32\drivers\etc\hosts
drag it to the desktop
right-click it, open it as administrator with WordPad and add the following line
192.168.31.128 text1.example.com text2.example.com text3.example.com
drag hosts back into the C:\Windows\System32\drivers\etc directory
Then open the sites by domain name
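The three layouts above differ only in which part of the connection httpd looks at to pick a vhost. The following added example is not httpd's code: it is a Python model of the selection order (socket address and port first, then the Host header against ServerName and ServerAlias, then the first vhost listed as the fallback), fed with the addresses and names from this page's configurations.

```python
"""Added example (not httpd's code): a model of how httpd chooses the virtual
host for a request. Addresses and names are the ones from the page's configs."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional


@dataclass
class VHost:
    address: str          # the <VirtualHost ADDR:PORT> address; "*" means any IP
    port: int
    server_name: str
    document_root: str
    aliases: List[str] = field(default_factory=list)  # ServerAlias entries, wildcards allowed


def select_vhost(vhosts: List[VHost], local_ip: str, local_port: int,
                 host_header: Optional[str]) -> Optional[VHost]:
    """1. keep the vhosts whose address:port matches the socket the request
          arrived on; vhosts bound to the exact IP beat '*' vhosts for that port.
       2. among those, match the Host header (port stripped, case-insensitive)
          against ServerName and ServerAlias.
       3. no name match, or no Host header at all: the first vhost listed for
          that address:port is the default and answers."""
    exact = [v for v in vhosts if v.port == local_port and v.address == local_ip]
    wild = [v for v in vhosts if v.port == local_port and v.address == "*"]
    candidates = exact or wild
    if not candidates:
        return None  # nothing matched: the main server handles it
    host = (host_header or "").split(":")[0].lower()
    for v in candidates:
        if host == v.server_name.lower() or any(fnmatch(host, a.lower()) for a in v.aliases):
            return v
    return candidates[0]


def docroot_for(vhosts: List[VHost], local_ip: str, local_port: int,
                host_header: Optional[str]) -> str:
    v = select_vhost(vhosts, local_ip, local_port, host_header)
    return v.document_root if v else "main server"


# Layout 1: same IP, different ports (needs Listen 81 as well as Listen 80).
PORT_BASED = [
    VHost("*", 80, "text1.example.com", "/usr/local/apache/htdocs/text1"),
    VHost("*", 81, "text2.example.com", "/usr/local/apache/htdocs/text2"),
]
# Layout 2: different IPs, same port.
IP_BASED = [
    VHost("192.168.31.128", 80, "text1.example.com", "/usr/local/apache/htdocs/text1"),
    VHost("192.168.31.139", 80, "text2.example.com", "/usr/local/apache/htdocs/text2"),
]
# Layout 3: same IP and port, chosen by name; text1 is listed first, so it is the default.
NAME_BASED = [
    VHost("192.168.31.128", 80, f"text{i}.example.com", f"/usr/local/apache/htdocs/text{i}")
    for i in (1, 2, 3)
]

if __name__ == "__main__":
    print(docroot_for(NAME_BASED, "192.168.31.128", 80, "text3.example.com"))
    print(docroot_for(NAME_BASED, "192.168.31.128", 80, "192.168.31.128"))  # falls to text1
```

The last call is the case worth remembering: a scanner that connects by IP address, or a client with no Host header, is served by whichever name-based vhost comes first in the file, which is why a deliberately empty default vhost is often placed at the top on shared hosts.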
CA certificate configuration (https)
Enable the ssl module:
Edit /etc/httpd24/httpd.conf, find these two lines and uncomment them
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule ssl_module modules/mod_ssl.so (uncomment this line)
#LoadModule lbmethod_byrequests_module modules/
(mod_ssl's session cache also needs the socache_shmcb module, so uncomment the LoadModule line for mod_socache_shmcb.so as well; the syntax check further down shows what happens when it is left out.)
# Secure (SSL/TLS) connections
Include /etc/httpd24/extra/httpd-ssl.conf (uncomment this line to enable the file)
What the parameters in httpd-ssl.conf mean
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs" # document root of the https site
ServerName www.example.com:443 # domain name
ServerAdmin you@example.com # administrator's mailbox
ErrorLog "/usr/local/apache/logs/error_log" # where the error log goes
TransferLog "/usr/local/apache/logs/access_log" # where the access log goes
Then change them
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs/text1"
ServerName text1.example.com:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/text1_error_log"
TransferLog "/usr/local/apache/logs/text1_access_log"
SSLCertificateFile "/etc/httpd24/httpd.crt" # where the server certificate is
SSLCertificateKeyFile "/etc/httpd24/httpd.key" # where the private key is; keep it root-owned with mode 0600 (httpd reads it as root before forking the daemon children, so they never need it)
Check for problems
[root@czh httpd24]# apachectl -t
AH00526: Syntax error on line 92 of /etc/httpd24/extra/httpd-ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
Line 92 is the SSLSessionCache directive; the message says the shmcb cache provider it asks for is not loaded (the list of known names is empty). The proper fix is to uncomment the LoadModule line for mod_socache_shmcb in httpd.conf, which keeps TLS session resumption working. Commenting the directive out, as done here, also silences the error but leaves httpd with no session cache, so every reconnecting client pays for a full handshake.
[root@czh httpd24]# vim +92 /etc/httpd24/extra/httpd-ssl.conf
#SSLSessionCache "dbm:/usr/local/apache/logs/ssl_scache"
#SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
[root@czh httpd24]# apachectl -t
AH00526: Syntax error on line 144 of /etc/httpd24/extra/httpd-ssl.conf:
SSLCertificateFile: file '/etc/httpd24/httpd.crt' does not exist or is empty
This one is expected: the certificate has not been created yet
Generating the CA's self-signed certificate
(This runs in the CA directory, /etc/pki/CA, and assumes the CA private key private/cakey.pem already exists; the page does not show creating it. Generate it first with umask 077 so that only root can read it, the same way the server key is generated below.)
[root@czh CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country
State or Province Name (full name) []:HB # province
Locality Name (eg, city) [Default City]:WH # city
Organization Name (eg, company) [Default Company Ltd]:jxrt
Organizational Unit Name (eg, section) []:jxrt
Common Name (eg, your name or your server's hostname) []:text1.example.com # the CA's own name; reusing the site's domain name works, but a CA is easier to tell apart from the certificates it signs when it carries a name of its own
Email Address []:123@1.com # mailbox
[root@czh CA]# ls # list the files
cacert.pem private
[root@czh CA]# openssl x509 -text -in cacert.pem # inspect the certificate (optional)
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0e:58:a5:64:e9:a1:3e:a8:1c:2b:ed:ed:b3:5a:2f:33:ee:ae:3c:d6
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = HB, L = WH, O = jxrt, OU = jxrt, CN = text1.example.com, emailAddress = 123@1.com
Validity
Not Before: Apr 27 11:06:58 2021 GMT
Not After : Apr 27 11:06:58 2022 GMT
Subject: C = CN, ST = HB, L = WH, O = jxrt, OU = jxrt, CN = text1.example.com, emailAddress = 123@1.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c5:e4:5b:4f:93:48:11:d6:4d:6f:3c:19:ab:54:
55:9e:b9:26:bb:39:89:4a:c3:b1:18:7b:a2:32:1d:
cb:1c:92:7a:b8:56:f2:19:31:77:21:14:aa:1c:12:
94:18:42:34:33:00:9b:9b:01:6c:d1:c3:dc:fe:a8:
44:82:e7:e0:04:22:8b:f8:12:fe:f9:2d:91:1c:da:
41:aa:46:49:76:41:f1:56:32:19:ff:8b:6d:9d:7b:
97:c6:e8:65:6f:91:75:2a:53:c5:3d:af:72:d6:74:
e6:04:75:91:a0:33:a8:8d:62:3e:7e:40:0c:d0:f6:
e3:60:6a:bb:98:40:6e:0b:d5:9f:d4:19:fc:9f:9a:
55:53:dc:d4:0a:76:35:b5:5d:48:2d:d2:ad:7c:1c:
ad:7d:a7:65:3e:76:5e:e0:1e:c3:ef:6f:e4:28:38:
85:11:e1:71:ce:14:79:4c:dd:3f:c9:61:5d:b9:06:
e1:c1:bf:16:53:d9:5a:d9:67:60:79:57:96:60:52:
6f:46:6b:bd:be:5f:9d:6c:84:73:c7:51:31:ab:24:
c6:a9:f0:8a:e4:5a:7b:2e:f8:c4:4f:11:54:e8:9c:
ce:2a:2f:66:8a:b2:88:3c:3e:da:c0:fa:20:28:49:
cf:46:79:f5:e7:08:cd:06:f4:9c:4b:53:76:49:99:
f1:eb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
DE:94:E2:1A:0D:66:7A:61:AD:40:0D:EF:32:E3:29:E1:4C:34:89:D7
X509v3 Authority Key Identifier:
keyid:DE:94:E2:1A:0D:66:7A:61:AD:40:0D:EF:32:E3:29:E1:4C:34:89:D7
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
32:0f:78:b4:82:12:59:32:ec:b1:fc:fb:0c:3c:52:46:23:01:
4f:f2:07:1d:62:40:de:3f:5d:58:ab:63:6c:98:2c:3a:fd:d9:
37:0f:7b:13:10:76:24:5b:55:da:b5:72:4c:1c:f8:91:85:5e:
05:46:a1:be:02:cd:e3:2c:e2:e6:29:10:f4:33:f2:2b:19:1a:
28:e0:07:8d:59:a2:f8:ad:ef:c8:fa:04:0d:8d:a5:4b:df:46:
c7:ce:92:20:43:7a:b9:66:0a:42:ec:02:71:82:a8:65:d9:fa:
f3:b2:7f:13:6d:b3:d6:7b:12:0b:49:b7:6a:91:f6:77:fe:4d:
cf:51:20:48:40:c8:19:e2:66:57:b6:87:01:81:80:0a:a0:61:
3d:73:ca:dd:2d:0a:6c:af:05:21:95:4e:fb:23:07:0c:46:bd:
07:0e:f9:ab:46:27:48:fe:be:38:54:b1:e8:4e:46:35:ae:60:
fa:3a:fd:64:60:6e:de:22:f7:24:50:43:1f:c2:ee:5b:33:f5:
bd:f8:04:ef:ba:76:91:94:b7:68:88:f0:be:39:d1:d1:2a:73:
e6:5f:76:a9:aa:f0:17:b9:a4:c2:11:ea:df:7e:54:55:5d:30:
4f:22:74:02:f0:29:f3:e8:95:f7:22:de:f7:78:8b:79:67:08:
6e:7b:bb:47
-----BEGIN CERTIFICATE-----
… (PEM body omitted)
-----END CERTIFICATE-----
[root@czh CA]# mkdir certs newcerts crl
[root@czh CA]# touch index.txt && echo 01 > serial
(openssl ca expects this layout: index.txt is the database of issued certificates and serial holds the next serial number to use.)
[root@czh CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@czh ~]# cd /opt/
[root@czh opt]# ls
[root@czh opt]# (umask 077;openssl genrsa -out httpd.key 2048) # the client (here the httpd server) generates its private key; the umask makes the file mode 0600 from the start
Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
...+++++
e is 65537 (0x010001)
[root@czh opt]# ls
httpd.key
[root@czh opt]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate # a request has no validity period, so -days is ignored here. The default signing policy in openssl.cnf (policy_match) requires Country, State and Organization to match the CA's; the Common Name must be the site's domain name.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:jxrt
Organizational Unit Name (eg, section) []:jxrt
Common Name (eg, your name or your server's hostname) []:text1.examplo.com # note the typo (examplo): the certificate issued below carries this name, so a browser visiting text1.example.com reports a name mismatch. Recreate the request with the correct name before signing it.
Email Address []:123@1.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@czh opt]# ls
httpd.csr httpd.key
[root@czh opt]# ll
total 8
-rw-r--r--. 1 root root 1029 Apr 27 07:13 httpd.csr
-rw-------. 1 root root 1679 Apr 27 07:11 httpd.key
[root@czh opt]# openssl ca -in /opt/httpd.csr -out httpd.crt -days 365 # then sign the request with the CA, using the /etc/pki/CA layout prepared above. The default extension set (usr_cert, shown below) adds no subjectAltName; current browsers ignore the Common Name and require a SAN, so supply one with -extfile or an extensions section when signing.
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 27 11:14:10 2021 GMT
Not After : Apr 27 11:14:10 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = jxrt
organizationalUnitName = jxrt
commonName = text1.examplo.com
emailAddress = 123@1.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E8:F1:50:37:39:F3:FA:59:D2:7F:E6:80:C6:C3:19:60:3A:DF:F0:71
X509v3 Authority Key Identifier:
keyid:DE:94:E2:1A:0D:66:7A:61:AD:40:0D:EF:32:E3:29:E1:4C:34:89:D7
Certificate is to be certified until Apr 27 11:14:10 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@czh opt]# ls
httpd.crt httpd.csr httpd.key
[root@czh opt]# mv httpd.crt httpd.key /etc/httpd24/ # moving them under httpd24 is all that is needed (mv keeps the 0600 mode on httpd.key)
[root@czh opt]# cd /etc/httpd24/
[root@czh httpd24]# ls
extra httpd.conf httpd.crt httpd.key magic mime.types original
[root@czh httpd24]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 32 192.168.122.1:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*
[root@czh httpd24]# systemctl restart httpd # restart and check whether the port came up (for this compiled build, apachectl restart does the same job unless you have written a systemd unit for it)
[root@czh httpd24]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 32 192.168.122.1:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*
LISTEN 0 128 *:443 *:*
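The CA walk-through above leaves two things to the reader: the server certificate has no subjectAltName, and nothing ever verifies the result the way a browser will. The following added example is not part of the original page: it drives the openssl command line from Python to build a lab CA, issue the server certificate with a SAN and the proper end-entity extensions, and then check chain and hostname with `openssl verify`. It uses `openssl x509 -req -CA` instead of `openssl ca` so it needs no /etc/pki/CA layout and runs in a scratch directory; the openssl binary (1.1.1 or newer) on PATH, the subject fields copied from the page, and the scratch paths are its assumptions.

```python
"""Added example (not from the page): a lab CA issuing the httpd server
certificate with a subjectAltName, then verifying chain and hostname by
driving the openssl CLI. Assumes openssl 1.1.1+ on PATH."""
import os
import shutil
import subprocess
import tempfile

SERVER_NAME = "text1.example.com"
SUBJECT_BASE = "/C=CN/ST=HB/L=WH/O=jxrt/OU=jxrt"
KEY_MODE = 0o600  # private keys are root-only, like (umask 077; openssl genrsa ...)

# One self-contained config so the result does not depend on the system openssl.cnf.
REQ_CNF = """\
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:{server_name}
"""


def _openssl(*args: str, cwd=None) -> str:
    res = subprocess.run(["openssl", *args], cwd=cwd, capture_output=True, text=True)
    if res.returncode != 0:
        raise RuntimeError(f"openssl {args[0]} failed: {res.stderr.strip()}")
    return res.stdout


def _genkey(workdir: str, name: str) -> None:
    _openssl("genrsa", "-out", name, "2048", cwd=workdir)
    os.chmod(os.path.join(workdir, name), KEY_MODE)


def build_lab_pki(workdir: str, server_name: str = SERVER_NAME, days: int = 365) -> dict:
    """Create ca.key/ca.crt and httpd.key/httpd.csr/httpd.crt inside workdir."""
    with open(os.path.join(workdir, "req.cnf"), "w") as f:
        f.write(REQ_CNF.format(server_name=server_name))
    _genkey(workdir, "ca.key")
    _openssl("req", "-x509", "-new", "-key", "ca.key", "-sha256", "-days", str(days),
             "-config", "req.cnf", "-subj", SUBJECT_BASE + "/CN=jxrt lab CA",
             "-out", "ca.crt", cwd=workdir)
    _genkey(workdir, "httpd.key")
    _openssl("req", "-new", "-key", "httpd.key", "-config", "req.cnf",
             "-subj", f"{SUBJECT_BASE}/CN={server_name}", "-out", "httpd.csr", cwd=workdir)
    # The signer decides the extensions: SAN, CA:FALSE and serverAuth come from v3_server.
    _openssl("x509", "-req", "-in", "httpd.csr", "-CA", "ca.crt", "-CAkey", "ca.key",
             "-CAcreateserial", "-sha256", "-days", str(days),
             "-extfile", "req.cnf", "-extensions", "v3_server", "-out", "httpd.crt",
             cwd=workdir)
    return {n: os.path.join(workdir, n) for n in ("ca.crt", "httpd.key", "httpd.crt")}


def verify_server_cert(ca_crt: str, server_crt: str, hostname: str) -> bool:
    """What a client does: chain to the CA and match the name against the SAN."""
    res = subprocess.run(["openssl", "verify", "-CAfile", ca_crt,
                          "-verify_hostname", hostname, server_crt],
                         capture_output=True, text=True)
    return res.returncode == 0


def san_names(server_crt: str) -> list:
    out = _openssl("x509", "-in", server_crt, "-noout", "-ext", "subjectAltName")
    return [t[4:] for t in out.replace(",", " ").split() if t.startswith("DNS:")]


def demo() -> dict:
    """Issue into a scratch directory and report the checks. Without openssl on
    PATH the dict only says so; 'ok' is then vacuously true."""
    if shutil.which("openssl") is None:
        return {"openssl_available": False, "ok": True}
    files = build_lab_pki(tempfile.mkdtemp())
    r = {
        "openssl_available": True,
        "chain_and_name_ok": verify_server_cert(files["ca.crt"], files["httpd.crt"], SERVER_NAME),
        # the page's CSR said text1.examplo.com; a client checking that name fails here
        "typo_name_ok": verify_server_cert(files["ca.crt"], files["httpd.crt"], "text1.examplo.com"),
        "san": san_names(files["httpd.crt"]),
        "key_mode": oct(os.stat(files["httpd.key"]).st_mode & 0o777),
    }
    r["ok"] = (r["chain_and_name_ok"] and not r["typo_name_ok"]
               and r["san"] == [SERVER_NAME] and r["key_mode"] == "0o600")
    return r


if __name__ == "__main__":
    print(demo())
```

Copy httpd.crt and httpd.key into /etc/httpd24 as the page does, and import ca.crt into the browser's or OS trust store on the client; a self-signed CA that is not installed on the client still produces a warning even when the server certificate itself is perfect.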