Task description: build a corporate website with Apache
- Configure linux1 as an Apache2 server. Requests for test.com or any.test.com (where "any" stands for an arbitrary hostname prefix) must redirect automatically to www.test.com. Access by IP address is forbidden, and the default home page /var/www/html/index.html contains "Apache".
- Configure linux1 as a CA server that issues certificates to the Linux hosts. The certificate authority is valid for 10 years with common name linux1.test.com. Request and issue one certificate for use by the Linux server with: validity = 5 years, common name = test.com, country = CN, state = Beijing, city = Beijing, organization = Gou, organizational unit = Fugui, subject alternative names = *.test.com and test.com. Copy the certificate test.crt and the private key test.key into the /etc/ssl directory of every Linux server that needs the certificate.
- Clients accessing the Apache service must present an SSL certificate.
Configuration plan
1 Install the required software
[root@linux1 ~]# dnf install -y openssl* bind httpd mod_ssl
2 Configure bind
[root@linux1 ~]# cat /var/named/zx
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
linux1  A       10.10.120.101
linux2  A       10.10.120.102
*       A       10.10.120.101
[root@linux1 ~]# cat /var/named/fx
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
        PTR     localhost.
101     PTR     linux1.test.com.
102     PTR     linux2.test.com.
[root@linux1 ~]#
3 Configure certificates
3.1 Create the root certificate
[root@linux1 ~]# cd /etc/pki/CA/
[root@linux1 CA]# touch index.txt
[root@linux1 CA]# echo 01 > serial
[root@linux1 CA]# openssl genrsa -out private/cakey.pem # create the CA private key
Generating RSA private key, 2048 bit long modulus (2 primes)
........+++++
.............................+++++
e is 65537 (0x010001)
[root@linux1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 # create the self-signed root certificate (10 years)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Gou
Organizational Unit Name (eg, section) []:Fugui
Common Name (eg, your name or your server's hostname) []:linux1.test.com
Email Address []:
[root@linux1 CA]#
3.2 Issue a certificate for the Linux host
[root@linux1 CA]# cd /etc/ssl/
[root@linux1 ssl]# openssl genrsa -out test.key # create the server private key
Generating RSA private key, 2048 bit long modulus (2 primes)
..................+++++
................................................................................................................................................................+++++
e is 65537 (0x010001)
[root@linux1 ssl]# openssl req -new -key test.key -out test.csr # generate the certificate signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Gou
Organizational Unit Name (eg, section) []:Fugui
Common Name (eg, your name or your server's hostname) []:*.test.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@linux1 ssl]# echo "subjectAltName=DNS:*.test.com,DNS:test.com" >> /etc/pki/CA/sign.cnf
[root@linux1 ssl]# openssl ca -in test.csr -out test.crt -days 1825 -extfile /etc/pki/CA/sign.cnf # issue the Linux server certificate (5 years)
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 9 03:31:28 2024 GMT
Not After : Mar 8 03:31:28 2029 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = Gou
organizationalUnitName = Fugui
commonName = *.test.com
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.test.com, DNS:test.com
Certificate is to be certified until Mar 8 03:31:28 2029 GMT (1825 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@linux1 ssl]# cat /etc/pki/CA/sign.cnf
subjectAltName=DNS:*.test.com,DNS:test.com
[root@linux1 ssl]#
3.3 Copy the certificates to the other hosts
[root@linux1 ssl]# scp test.* 10.10.120.102:/etc/ssl
test.crt 100% 4037 2.6MB/s 00:00
test.csr 100% 1001 986.1KB/s 00:00
test.key 100% 1675 1.9MB/s 00:00
[root@linux1 ssl]# scp /etc/pki/CA/cacert.pem 10.10.120.101:/etc/ssl
cacert.pem 100% 1342 678.0KB/s 00:00
[root@linux1 ssl]# scp /etc/pki/CA/cacert.pem 10.10.120.102:/etc/ssl
cacert.pem 100% 1342 732.4KB/s 00:00
[root@linux1 ssl]# cat /etc/ssl/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt # add the new CA certificate to the trust list
[root@linux2 ~]# cat /etc/ssl/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
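As an added example (not part of the original write-up), the following POSIX shell script reproduces steps 3.1 and 3.2 non-interactively and then checks what a client would actually accept from the result: it builds the root CA, signs a server certificate with the same subject and SAN, verifies the chain, and runs `openssl verify -verify_hostname` for several names. It assumes only that `openssl` 1.1.1 or newer is on PATH; the scratch directory WORK and the config files ca.cnf, leaf.cnf and sign.cnf are constructed here rather than taken from /etc/pki.

```shell
#!/bin/sh
# Added example, not from the original page: build the same kind of private CA
# and wildcard server certificate non-interactively, then verify the result.
# Assumes: openssl (1.1.1 or newer) is in PATH. Subject fields are the task's;
# WORK is a scratch directory (constructed here with mktemp).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal OpenSSL configs so the run does not depend on /etc/pki/tls/openssl.cnf.
write_configs() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = CN
ST = Beijing
L = Beijing
O = Gou
OU = Fugui
CN = linux1.test.com
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$WORK/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = CN
ST = Beijing
L = Beijing
O = Gou
OU = Fugui
CN = test.com
EOF
    # Extensions applied at signing time (same idea as the page's sign.cnf).
    printf 'subjectAltName=DNS:*.test.com,DNS:test.com\n' > "$WORK/sign.cnf"
}

# Root CA: key plus self-signed certificate valid for 10 years (3650 days).
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem"
}

# Server certificate: CSR, then sign it for 5 years (1825 days) with the SAN.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
        -keyout "$WORK/test.key" -out "$WORK/test.csr"
    openssl x509 -req -in "$WORK/test.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -sha256 -days 1825 \
        -extfile "$WORK/sign.cnf" -out "$WORK/test.crt"
}

# Chain check: does test.crt chain to cacert.pem?
chain_ok() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/test.crt" >/dev/null 2>&1
}

# Hostname check: would a client connecting to "$1" accept this certificate?
name_ok() {
    openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
        "$WORK/test.crt" >/dev/null 2>&1
}

# SAN as printed by openssl with whitespace removed, e.g. "DNS:*.test.com,DNS:test.com".
san_of() {
    openssl x509 -in "$WORK/test.crt" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Is the root actually marked as a CA (basicConstraints CA:TRUE)?
root_is_ca() {
    openssl x509 -in "$WORK/cacert.pem" -noout -text | grep -q 'CA:TRUE'
}

write_configs
make_ca 2>/dev/null
issue_cert 2>/dev/null
echo "SAN: $(san_of)"
for h in www.test.com test.com any.test.com a.b.test.com; do
    if name_ok "$h"; then echo "$h: accepted"; else echo "$h: rejected"; fi
done
```

The loop at the end shows the scope of the wildcard: `*.test.com` matches exactly one label, so www.test.com and any.test.com are covered but a.b.test.com is not, and the bare test.com is accepted only because the SAN lists it explicitly. That is why the task asks for both entries, and why the server vhost for www.test.com and the redirect targets all stay within a single label below test.com.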
4 Configure Apache
4.1 Configure the main httpd configuration file
[root@linux1 ssl]# tail -n15 /etc/httpd/conf/httpd.conf
IncludeOptional conf.d/*.conf
<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName linux1.test.com
RewriteEngine on
RewriteRule ^/(.*)$ https://www.test.com/$1 [R=301]
<Directory "/">
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName 10.10.120.101
Redirect 403 /
</VirtualHost>
[root@linux1 ssl]#
4.2 Configure the ssl.conf file
[root@linux1 ssl]# vim /etc/httpd/conf.d/ssl.conf
......
<VirtualHost *:443>

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName www.test.com:443
......
SSLCertificateFile /etc/ssl/test.crt
......
SSLCertificateKeyFile /etc/ssl/test.key
......
SSLCACertificateFile /etc/ssl/cacert.pem
......
SSLVerifyClient require
SSLVerifyDepth 10
......
<VirtualHost *:443>
ServerName 10.10.120.101
SSLEngine on
SSLCertificateFile /etc/ssl/test.crt
SSLCertificateKeyFile /etc/ssl/test.key
Redirect 403 /
</VirtualHost>
4.3 Set the home page document
[root@linux1 ssl]# echo "Apache" > /var/www/html/index.html
4.4 Generate a certificate bundle for use on Windows
[root@linux1 ssl]# openssl pkcs12 -export --password pass:Gou-1234 -in test.crt -inkey test.key -out test.pfx
4.5 Restart Apache and open the firewall for the services
Removed /etc/systemd/system/multi-user.target.wants/httpd.service.
[root@linux1 ssl]# systemctl enable httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
[root@linux1 ssl]# systemctl restart httpd
[root@linux1 ssl]# firewall-cmd --add-port=80/tcp --add-port=443/tcp
success
[root@linux1 ssl]# firewall-cmd --add-port=80/tcp --add-port=443/tcp --permanent
success
[root@linux1 ssl]# firewall-cmd --reload
success
[root@linux1 ssl]#
5 Testing
[root@linux2 ~]# curl 10.10.120.101
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<p>Additionally, a 403 Forbidden
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
[root@linux2 ~]# curl https://linux1.test.com
curl: (56) OpenSSL SSL_read: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required, errno 0
[root@linux2 ~]# curl --cacert /etc/ssl/cacert.pem --cert /etc/ssl/test.crt --key /etc/ssl/test.key https://dasfasdd.test.com
Apache
[root@linux2 ~]#