Lab: Implementing Multiple Virtual Hosts and HTTPS
Implementing multiple virtual hosts
There are three ways to implement multiple virtual hosts:
- IP-based: at least one IP address per virtual host
- Port-based: at least one dedicated port per virtual host
- FQDN-based: at least one FQDN per virtual host; the request carries the header Host: www.testxx.com
Notes:
- In httpd 2.4, FQDN-based virtual hosts no longer need the NameVirtualHost directive
- Virtual hosts are generally not mixed with the main server; to use virtual hosts, disable the main server first
- To disable it, comment out the main server's DocumentRoot directive
Configuration format for a virtual host:
<VirtualHost IP:PORT>
ServerName FQDN
DocumentRoot "/path"
</VirtualHost>
/ Recommendation: put the configuration above in its own configuration file
- Other available directives:
  ServerAlias: alias of the virtual host; may be used multiple times
  ErrorLog: error log
  CustomLog: access log
Implementing IP-based virtual hosts
/ Create the directories and generate the page files
[root@Centos7 ~]# mkdir /data/website{1..3}
[root@Centos7 ~]# echo /data/website1/index.html > /data/website1/index.html
[root@Centos7 ~]# echo /data/website2/index.html > /data/website2/index.html
[root@Centos7 ~]# echo /data/website3/index.html > /data/website3/index.html
/ Write the configuration file
[root@Centos7 ~]# vim /etc/httpd/conf.d/test.conf
<virtualhost 10.0.0.8:80>
documentroot /data/website1/
customlog logs/website1_access.log combined
<directory /data/website1>
require all granted
</directory>
</virtualhost>
<virtualhost 10.0.0.18:80>
documentroot /data/website2/
customlog logs/website2_access.log combined
<directory /data/website2>
require all granted
</directory>
</virtualhost>
<virtualhost 10.0.0.28:80>
documentroot /data/website3/
customlog logs/website3_access.log combined
<directory /data/website3>
require all granted
</directory>
</virtualhost>
/ Configure the IP addresses
[root@Centos7 ~]# ip a a 10.0.0.8/24 dev eth0 label eth0:1
[root@Centos7 ~]# ip a a 10.0.0.18/24 dev eth0 label eth0:2
[root@Centos7 ~]# ip a a 10.0.0.28/24 dev eth0 label eth0:3
[root@Centos7 ~]# ip a
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:05:c8:bd brd ff:ff:ff:ff:ff:ff
inet 172.20.54.1/16 brd 172.20.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet 10.0.0.8/24 scope global eth0:1
valid_lft forever preferred_lft forever
inet 10.0.0.18/24 scope global secondary eth0:2
valid_lft forever preferred_lft forever
inet 10.0.0.28/24 scope global secondary eth0:3
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe05:c8bd/64 scope link
valid_lft forever preferred_lft forever
/ Syntax check
[root@Centos7 ~]# httpd -t
Syntax OK
[root@Centos7 ~]# systemctl reload httpd
/ Test the result
[root@Centos7 ~]# curl 10.0.0.8
/data/website1/index.html
[root@Centos7 ~]# curl 10.0.0.18
/data/website2/index.html
[root@Centos7 ~]# curl 10.0.0.28
/data/website3/index.html
/ Log files
[root@Centos7 ~]# ll /var/log/httpd/
total 24
-rw-r--r-- 1 root root 757 Dec 11 16:45 access_log
-rw-r--r-- 1 root root 4467 Dec 11 20:29 error_log
-rw-r--r-- 1 root root 171 Dec 11 20:29 website1_access.log
-rw-r--r-- 1 root root 171 Dec 11 20:30 website2_access.log
-rw-r--r-- 1 root root 171 Dec 11 20:30 website3_access.log
Implementing port-based virtual hosts
/ Create the directories and generate the page files
[root@Centos7 ~]# mkdir /data/website{1..3}
[root@Centos7 ~]# echo /data/website1/index.html > /data/website1/index.html
[root@Centos7 ~]# echo /data/website2/index.html > /data/website2/index.html
[root@Centos7 ~]# echo /data/website3/index.html > /data/website3/index.html
/ Write the configuration file
[root@Centos7 ~]# vim /etc/httpd/conf.d/test.conf
listen 8001
listen 8002
listen 8003
<virtualhost *:8001>
documentroot /data/website1/
customlog logs/website1_access.log combined
<directory /data/website1>
require all granted
</directory>
</virtualhost>
<virtualhost *:8002>
documentroot /data/website2/
customlog logs/website2_access.log combined
<directory /data/website2>
require all granted
</directory>
</virtualhost>
<virtualhost *:8003>
documentroot /data/website3/
customlog logs/website3_access.log combined
<directory /data/website3>
require all granted
</directory>
</virtualhost>
/ Syntax check
[root@Centos7 ~]# httpd -t
Syntax OK
[root@Centos7 ~]# systemctl restart httpd
/ Test the result
[root@Centos7 ~]# curl 172.20.54.1:8001
/data/website1/index.html
[root@Centos7 ~]# curl 172.20.54.1:8002
/data/website2/index.html
[root@Centos7 ~]# curl 172.20.54.1:8003
Implementing FQDN-based virtual hosts
/ Create the directories and generate the page files
[root@Centos7 ~]# mkdir -p /www/{a.com,b.com,c.org}/htdocs
[root@Centos7 ~]# tree /www
/www
├── a.com
│ └── htdocs
├── b.com
│ └── htdocs
└── c.org
└── htdocs
[root@Centos7 ~]# echo /www/a.com/htdocs/index.html > /www/a.com/htdocs/index.html
[root@Centos7 ~]# echo /www/b.com/htdocs/index.html > /www/b.com/htdocs/index.html
[root@Centos7 ~]# echo /www/c.org/htdocs/index.html > /www/c.org/htdocs/index.html
/ Write the configuration file
[root@Centos7 ~]# vim /etc/httpd/conf.d/test.conf
<virtualhost *:80>
servername www.a.com
documentroot "/www/a.com/htdocs"
errorlog "logs/a_error_log"
customlog "logs/a_access_log" combined
<directory "/www/a.com/htdocs">
options none
allowoverride none
require all granted
</directory>
</virtualhost>
<virtualhost *:80>
servername www.b.com
documentroot "/www/b.com/htdocs"
errorlog "logs/b_error_log"
customlog "logs/b_access_log" combined
<directory "/www/b.com/htdocs">
options none
allowoverride none
require all granted
</directory>
</virtualhost>
<virtualhost *:80>
servername www.c.org
documentroot "/www/c.org/htdocs"
errorlog "logs/c_error_log"
customlog "logs/c_access_log" combined
<directory "/www/c.org/htdocs">
options none
allowoverride none
require all granted
</directory>
</virtualhost>
/ Syntax check
[root@Centos7 ~]# httpd -t
Syntax OK
[root@Centos7 ~]# systemctl restart httpd
/ Configure the hosts file
172.20.54.1 www.a.com
172.20.54.1 www.b.com
172.20.54.1 www.c.org
/ Test the result
[root@Centos7 ~]# curl www.a.com
/www/a.com/htdocs/index.html
[root@Centos7 ~]# curl www.b.com
/www/b.com/htdocs/index.html
[root@Centos7 ~]# curl www.c.org
/www/c.org/htdocs/index.html
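A small linter for the vhost files written in the three sections above (IP-, port- and FQDN-based). This is an added example, not part of the original lab: it parses the same lowercase directive style the page uses and reports what `httpd -t` (syntax only) does not catch: a VirtualHost port with no Listen, a DocumentRoot not opened by a `require all granted` Directory block, and, for name-based vhosts sharing an address, which block Apache serves for a Host header that matches no ServerName (the first one listed). It assumes the stock httpd.conf already contains `Listen 80`; the sample config is constructed.

```python
# Constructed sample in the page's lowercase style; assumption: stock httpd.conf has "Listen 80".
SAMPLE = """listen 8001
<virtualhost *:8002>
servername www.a.com
documentroot "/www/a.com/htdocs"
<directory "/www/a.com/htdocs">
require all granted
</directory>
</virtualhost>
<virtualhost *:8002>
servername www.b.com
documentroot "/www/b.com/htdocs"
</virtualhost>"""
def parse(text):
    # Returns (Listen ports, dirs carrying 'require all granted', vhost dicts).
    listen, granted, vhosts, cur, cur_dir = set(), set(), [], None, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(" ")          # directive names are case-insensitive
        key, val = key.lower(), val.strip().strip('">').rstrip("/")
        if key == "listen":
            listen.add(int(val.split()[0].rsplit(":", 1)[-1]))
        elif key == "<virtualhost":
            cur = {"addr": val}
        elif key == "</virtualhost>":
            vhosts.append(cur); cur = None
        elif key == "<directory":
            cur_dir = val
        elif key == "require" and cur_dir and val.lower() == "all granted":
            granted.add(cur_dir)
        elif cur is not None and key and not key.startswith("<"):
            cur.setdefault(key, []).append(val)            # servername, serveralias, documentroot, ...
    return listen, granted, vhosts

def check(text, already_listening=frozenset({80})):
    # Findings that 'httpd -t' (syntax only) will not report.
    listen, granted, vhosts = parse(text)
    findings, by_addr = [], {}
    for v in vhosts:
        by_addr.setdefault(v["addr"], []).append(v)
        root = v.get("documentroot", [None])[0]
        port = int(v["addr"].rsplit(":", 1)[-1])
        if port not in listen | already_listening:
            findings.append(f"{v['addr']}: port {port} has no Listen directive")
        if not root or not any(root.startswith(d) for d in granted):
            findings.append(f"{v['addr']}: DocumentRoot {root} has no 'require all granted' "
                            "<directory> block (stock httpd.conf denies / by default)")
    for addr, vs in by_addr.items():   # name-based: the first block answers unmatched Host headers
        if len(vs) > 1:
            first = vs[0].get("servername", vs[0].get("documentroot", ["?"]))[0]
            findings.append(f"{addr}: default vhost for an unknown Host header is {first}")
    return findings
```

Run it over /etc/httpd/conf.d/test.conf after editing: `check(open("/etc/httpd/conf.d/test.conf").read())`.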
Implementing HTTPS
1️⃣ Request a digital certificate for the httpd server
- Issue the certificate from a private CA created for the purpose
[root@Centos7 ~]# mkdir /data/ssl
[root@Centos7 ~]# cd /data/ssl/
[root@Centos7 ssl]# (umask 066; opensll genrsa 2048 > cakey.pem)
-bash: opensll: command not found
[root@Centos7 ssl]# (umask 066; openssl genrsa 2048 > cakey.pem)
Generating RSA private key, 2048 bit long modulus
.........................................................................................+++
...+++
e is 65537 (0x10001)
[root@Centos7 ssl]# openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijng
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:devopls
Common Name (eg, your name or your server's hostname) []:ca.test.com
Email Address []:
[root@Centos7 ssl]# openssl req -newkey rsa:1024 -nodes -keyout httpd.key > httpd.csr
Generating a 1024 bit RSA private key
........++++++
.....++++++
writing new private key to 'httpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:devopls
Common Name (eg, your name or your server's hostname) []:www.web01.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@Centos7 ssl]# openssl x509 -req -in httpd.csr -CA cacert.pem -CAkey cakey.pem -set_serial 01 > httpd.crt
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=test/OU=devlps/CN=www.web01.com
Getting CA Private Key
[root@Centos7 ssl]# ll
total 16
-rw-r--r-- 1 root root 1318 Dec 11 21:17 cacert.pem
-rw------- 1 root root 1679 Dec 11 21:16 cakey.pem
-rw-r--r-- 1 root root 1013 Dec 11 21:38 httpd.crt
-rw-r--r-- 1 root root 655 Dec 11 21:18 httpd.csr
-rw-r--r-- 1 root root 916 Dec 11 21:18 httpd.key
2️⃣ Configure httpd to support SSL
[root@Centos7 conf.d]# httpd -M | grep mod_ssl
[root@Centos7 conf.d]# yum -y install mod_ssl
/ Configure the certificates
[root@Centos7 conf.d]# vim ssl.conf
# Server Certificate:
SSLCertificateFile /data/ssl/httpd.crt
# Server Private Key:
SSLCertificateKeyFile /data/ssl/httpd.key
# Certificate Authority (CA):
SSLCACertificateFile /data/ssl/cacert.pem
[root@Centos7 ~]# echo "<h1> my https by my CA </h1>" > /var/www/html/index.html
/ Syntax check
[root@Centos7 ~]# httpd -t
[root@Centos7 ~]# systemctl restart httpd
/ Test the result
[root@Centos7 ssl]# curl http://127.0.0.1
<h1> my https by my CA </h1>
[root@Centos7 ssl]# curl https://127.0.0.1:443 -k
<h1> my https by my CA </h1>
/ Verbose view of the handshake and how the CA-issued certificate is used
[root@Centos7 ssl]# curl https://127.0.0.1:443 -kv
* About to connect() to 127.0.0.1 port 443 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=www.web01.com,OU=devlps,O=test,L=beijing,ST=beijing,C=CN
* start date: Dec 11 13:38:36 2019 GMT
* expire date: Jan 10 13:38:36 2020 GMT
* common name: www.web01.com
* issuer: CN=ca.test.com,OU=devopls,O=test,L=beijing,ST=beijng,C=CN
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 11 Dec 2019 13:40:38 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
< Last-Modified: Wed, 11 Dec 2019 13:35:14 GMT
< ETag: "1d-5996db2d546c0"
< Accept-Ranges: bytes
< Content-Length: 29
< Content-Type: text/html; charset=UTF-8
<
<h1> my https by my CA </h1>
* Connection #0 to host 127.0.0.1 left intact
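`curl -k` above skips certificate verification, so the test only proves that TLS is switched on, not that the certificate is usable. This is an added example, not part of the lab: it audits a getpeercert()-style dictionary built from the page's own curl -kv output (no subjectAltName, and a 30-day validity because `openssl x509 -req` was run without -days) and, for a live server, verifies the chain against /data/ssl/cacert.pem instead of skipping it. Hostnames and the CA path come from the page; the live check assumes www.web01.com resolves to the server, and the subject/issuer tuples are abridged.

```python
import socket
import ssl
import time

def days_left(cert, now):
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400

def audit(cert, hostname, now):
    # Findings for a getpeercert()-style dict, judged the way a verifying client would.
    findings, sans = [], [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not sans:
        findings.append("no subjectAltName: modern browsers match only SAN, not CN")
    elif hostname not in sans:
        findings.append(f"{hostname} not in SAN {sans}")
    days = days_left(cert, now)
    if days < 0:
        findings.append("certificate expired")
    elif days <= 30:
        findings.append(f"expires in {days:.0f} days (openssl x509 -req defaults to -days 30)")
    return findings

# Constructed peer cert mirroring the page's "curl -kv" output: no SAN, 30-day validity.
PAGE_CERT = {
    "subject": ((("countryName", "CN"),), (("organizationName", "test"),),
                (("commonName", "www.web01.com"),)),
    "issuer": ((("countryName", "CN"),), (("commonName", "ca.test.com"),)),
    "notBefore": "Dec 11 13:38:36 2019 GMT",
    "notAfter": "Jan 10 13:38:36 2020 GMT",
}
PAGE_NOW = ssl.cert_time_to_seconds("Dec 11 13:40:38 2019 GMT")   # the page's Date: header

def fetch_and_audit(hostname, cafile, port=443):
    # Verify against the private CA instead of skipping verification with -k.
    ctx = ssl.create_default_context(cafile=cafile)      # chain + hostname verification on
    try:
        with socket.create_connection((hostname, port)) as sock, \
             ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return audit(tls.getpeercert(), hostname, time.time())
    except ssl.SSLCertVerificationError as e:
        return [f"handshake rejected: {e.reason}"]

if __name__ == "__main__":
    print(audit(PAGE_CERT, "www.web01.com", PAGE_NOW))
    # Live check, assumes /etc/hosts maps www.web01.com to the server:
    # print(fetch_and_audit("www.web01.com", "/data/ssl/cacert.pem"))
```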
3️⃣ Configure redirection from http to https
[root@Centos7 ~]# vim /etc/httpd/conf.d/test.conf
Header always set Strict-Transport-Security "max-age=31536000"
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302]
[root@Centos7 conf.d]# systemctl restart httpd
/ Test the result
[root@Centos7 conf.d]# curl 127.0.0.1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title> / 302 means the request was redirected (temporary redirect code)
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://127.0.0.1/">here</a>.</p>
</body></html> / Redirected to https