Configuring virtual hosts and HTTPS
I. Configuring virtual hosts
A common situation with the httpd service is that you have one server but want to host several websites on it, which the configuration described earlier cannot do. Virtual hosts solve this: one server runs several websites, and each website is a virtual host. A virtual host is simply a way of reaching different sites on the same server through the httpd service.
There are three kinds of virtual host:
- same IP, different ports
- different IPs, same port
- same IP and port, different domain names
Note: the virtual-host configuration can be written in the main configuration file or in a separate configuration file, which you have to create yourself.
1. Preparation
[root@nfs-server ~]# dnf -y install httpd // install the httpd service
[root@nfs-server ~]# systemctl stop firewalld.service // stop the firewall for now; takes effect immediately
[root@nfs-server ~]# systemctl disable firewalld.service
[root@nfs-server ~]# setenforce 0
[root@nfs-server ~]# systemctl restart httpd // start the httpd service
[root@nfs-server ~]# systemctl enable httpd // enable httpd at boot
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
Access test:
2. Same IP, different ports
// Look for the vhost template file
[root@nfs-server ~]# find / -name "*vhosts.conf"
/usr/share/doc/httpd/httpd-vhosts.conf
// Change to the directory where virtual-host configuration files can be placed
[root@nfs-server ~]# cd /etc/httpd/conf.d/
// Copy the template file into this directory
[root@nfs-server conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf ./
[root@nfs-server conf.d]# vim httpd-vhosts.conf
[root@nfs-server conf.d]# cat httpd-vhosts.conf // the configuration is as follows
<VirtualHost *:80> // the IP address and port of this site
DocumentRoot "/var/www/html/fj" // root directory holding the site's pages
ServerName www.yf.com // the domain name
ErrorLog "/var/log/httpd/fj_log/error_log" // location of the error log
CustomLog "/var/log/httpd/fj_log/access_log" common // location of the access log
</VirtualHost>
Listen 82 // listen on port 82
<VirtualHost *:82>
DocumentRoot "/var/www/html/tk"
ServerName www.yf.com
ErrorLog "/var/log/httpd/tk_log/error_log"
CustomLog "/var/log/httpd/tk_log/access_log" common
</VirtualHost>
// Create the directories holding the two virtual hosts' pages and change their owner and group to apache
[root@nfs-server conf.d]# cd /var/www/html/
[root@nfs-server html]# ls
[root@nfs-server html]# mkdir fj tk
drwxr-xr-x. 2 root root 6 Jul 22 14:56 fj
drwxr-xr-x. 2 root root 6 Jul 22 14:56 tk
[root@nfs-server html]# chown -R apache.apache fj
[root@nfs-server html]# chown -R apache.apache tk
[root@nfs-server html]# ll
total 0
drwxr-xr-x. 2 apache apache 6 Jul 22 14:56 fj
drwxr-xr-x. 2 apache apache 6 Jul 22 14:56 tk
// Fetch the web content
[root@nfs-server html]# mv /root/feijiedazhan.zip ./ // move the source archive into the web directory
[root@nfs-server html]# mv /root/坦克.zip ./
[root@nfs-server html]# unzip feijiedazhan.zip ; unzip 坦克.zip // unpack the archives
[root@nfs-server html]# ls // list the unpacked directories and files
Battle_City feijiedazhan.zip fj HTML5全民飞机大战小游戏 tk 坦克.zip
[root@nfs-server html]# mv HTML5全民飞机大战小游戏/* fj // move the content to where it should live
[root@nfs-server html]# mv Battle_City/* tk/
[root@nfs-server html]# ls fj
css img index.html js
[root@nfs-server html]# ls tk
audio css images index.html js
// Create the log directories and set their owner and group to apache
[root@nfs-server html]# mkdir /var/log/httpd/{fj_log,tk_log}
[root@nfs-server html]# ll /var/log/httpd/
drwxr-xr-x. 2 root root 6 Jul 22 14:58 fj_log
drwxr-xr-x. 2 root root 6 Jul 22 14:58 tk_log
[root@nfs-server html]# chown apache.apache /var/log/httpd/{fj_log,tk_log}
[root@nfs-server html]# ll /var/log/httpd/
drwxr-xr-x. 2 apache apache 6 Jul 22 14:58 fj_log
drwxr-xr-x. 2 apache apache 6 Jul 22 14:58 tk_log
[root@nfs-server conf.d]# apachectl -t // check the syntax
Syntax OK
[root@nfs-server conf.d]# systemctl restart httpd // restart the service so the configuration takes effect
192.168.133.157:80
192.168.133.157:82
3. Different IPs, same port
// Add an IP address for the virtual host to use
[root@nfs-server conf.d]# ip addr add 192.168.133.158 dev eth0
[root@nfs-server conf.d]# ip a s eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:7c:f5:bf brd ff:ff:ff:ff:ff:ff
inet 192.168.133.157/24 brd 192.168.133.255 scope global dynamic noprefixroute eth0
valid_lft 1407sec preferred_lft 1407sec
inet 192.168.133.158/32 scope global eth0
valid_lft forever preferred_lft forever
// Edit the virtual-host configuration file
[root@nfs-server conf.d]# vim httpd-vhosts.conf
[root@nfs-server conf.d]# cat httpd-vhosts.conf
<VirtualHost 192.168.133.157:80>
DocumentRoot "/var/www/html/dz"
ServerName www.yf.com
ErrorLog "/var/log/httpd/dz_log/error_log"
CustomLog "/var/log/httpd/dz_log/access_log" common
</VirtualHost>
<VirtualHost 192.168.133.158:80>
DocumentRoot "/var/www/html/tk"
ServerName www.yf.com
ErrorLog "/var/log/httpd/tk_log/error_log"
CustomLog "/var/log/httpd/tk_log/access_log" common
</VirtualHost>
// Create the web directory and set its owner and group to apache; create the log directory and set its owner and group to apache.
// The second virtual host's web and log directories are unchanged, so they do not need to be created again
[root@nfs-server conf.d]# mkdir /var/www/html/dz
[root@nfs-server conf.d]# chown -R apache.apache /var/www/html/dz
[root@nfs-server conf.d]# mkdir /var/log/httpd/dz_log
[root@nfs-server conf.d]# chown -R apache.apache /var/log/httpd/dz_log/
[root@nfs-server conf.d]# ll -d /var/www/html/dz ; ll -d /var/log/httpd/dz_log/
drwxr-xr-x. 2 apache apache 6 Jul 22 15:29 /var/www/html/dz
drwxr-xr-x. 2 apache apache 6 Jul 22 15:29 /var/log/httpd/dz_log/
// Check the syntax and restart httpd so the configuration takes effect
[root@nfs-server conf.d]# apachectl -t
Syntax OK
[root@nfs-server conf.d]# systemctl restart httpd
192.168.133.157
192.168.133.158
4. Different domain names
// Building on the previous configuration, only the domain names change this time; everything else stays the same.
[root@nfs-server conf.d]# vim httpd-vhosts.conf
[root@nfs-server conf.d]# cat httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/var/www/html/dz"
ServerName www.yf.com
ErrorLog "/var/log/httpd/dz_log/error_log"
CustomLog "/var/log/httpd/dz_log/access_log" common
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/var/www/html/tk"
ServerName www.fy.com
ErrorLog "/var/log/httpd/tk_log/error_log"
CustomLog "/var/log/httpd/tk_log/access_log" common
</VirtualHost>
// Check the syntax and restart httpd so the configuration file takes effect
[root@nfs-server conf.d]# apachectl -t
Syntax OK
[root@nfs-server conf.d]# systemctl restart httpd
Note:
- This domain name only works inside the LAN; the host machine's browser cannot resolve it, so add the domain to the host's local DNS resolution file (hosts).
- File path: C:\Windows\System32\drivers\etc\hosts
- If the file cannot be edited in place, move it to the desktop, edit it there, and put it back.
www.yf.com
www.fy.com
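The three layouts above share a few silent failure modes: a `<VirtualHost *:82>` without a matching `Listen 82` never binds, two name-based hosts on the same address:port with the same ServerName leave the second one unreachable, and a vhost whose DocumentRoot sits outside what httpd.conf already grants needs its own `Require`. The linter below is an added example, not part of the original post: it parses a file in the shape of httpd-vhosts.conf and reports these problems. It assumes httpd's stock `Listen 80` (httpd.conf) and `Listen 443` (conf.d/ssl.conf) are present; the two sample configurations are constructed from the ones shown above, with deliberate mistakes in the second.

```python
"""Lint an httpd virtual-host file for the mistakes the layouts above invite.
Added example, not part of the original post."""
import re
from collections import Counter

# Assumption: ports httpd already listens on through its stock configuration
# (Listen 80 in httpd.conf, Listen 443 in conf.d/ssl.conf once mod_ssl is installed).
DEFAULT_LISTEN = {"80", "443"}

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.I)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.I)
LISTEN = re.compile(r"^Listen\s+(\S+)", re.I)
DIRECTIVE = re.compile(r"^(\w+)\s+(.*)$")


def parse_vhosts(text):
    """Return (listen_ports, vhosts). Each vhost is a dict of lower-cased
    directive -> value, plus 'addr' (the <VirtualHost> argument) and
    'requires' (every Require line found inside the block, nested or not)."""
    listen, vhosts, current = set(DEFAULT_LISTEN), [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if m := LISTEN.match(line):
            listen.add(m.group(1).rsplit(":", 1)[-1])  # "Listen 82" or "Listen 1.2.3.4:82"
        elif m := VHOST_OPEN.match(line):
            current = {"addr": m.group(1).strip(), "requires": []}
        elif VHOST_CLOSE.match(line):
            vhosts.append(current)
            current = None
        elif current is not None and (m := DIRECTIVE.match(line)):
            name, value = m.group(1).lower(), m.group(2).strip()
            if name == "require":
                current["requires"].append(value)
            else:
                current[name] = value.strip('"')
    return listen, vhosts


def lint(text):
    """Return a list of human-readable problems; an empty list means the file looks sane."""
    listen, vhosts = parse_vhosts(text)
    problems, seen = [], Counter()
    for v in vhosts:
        addr = v["addr"]
        port = addr.rsplit(":", 1)[-1]
        name = v.get("servername", "").lower()
        if port not in listen:
            problems.append(f"{addr}: no 'Listen {port}' anywhere, so httpd will never bind this port")
        if not name:
            problems.append(f"{addr}: missing ServerName; name-based selection cannot work")
        if not v["requires"]:
            root = v.get("documentroot", "its DocumentRoot")
            problems.append(f"{addr}: no Require directive; add one unless httpd.conf already grants access to {root}")
        for rule in v["requires"]:
            if rule.lower().split() == ["all", "deny"]:
                problems.append(f"{addr}: 'Require all deny' is not a valid directive; use 'Require all denied'")
        seen[(addr.lower(), name)] += 1
    for (addr, name), n in seen.items():
        if n > 1:
            problems.append(f"{addr}: {n} vhosts share ServerName '{name}'; only the first one ever answers")
    return problems


# Constructed sample: the "same IP, different ports" layout from above, with access control.
SAMPLE_OK = """\
<VirtualHost *:80>
    DocumentRoot "/var/www/html/fj"
    ServerName www.yf.com
    <Directory /var/www/html/fj>
        <RequireAll>
            Require all granted
            Require not ip 192.168.92.129
        </RequireAll>
    </Directory>
</VirtualHost>
Listen 82
<VirtualHost *:82>
    DocumentRoot "/var/www/html/tk"
    ServerName www.yf.com
    Require all granted
</VirtualHost>
"""

# Constructed sample with four mistakes: missing Listen 82, 'deny' for 'denied',
# a vhost with no Require, and two *:80 vhosts claiming the same name.
SAMPLE_BAD = """\
<VirtualHost *:82>
    DocumentRoot "/var/www/html/tk"
    ServerName www.yf.com
    Require all deny
</VirtualHost>
<VirtualHost *:80>
    ServerName www.yf.com
</VirtualHost>
<VirtualHost *:80>
    ServerName WWW.YF.COM
    Require all granted
</VirtualHost>
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, lint(sample) or "no problems")
```

Run it against a real file with `lint(open("/etc/httpd/conf.d/httpd-vhosts.conf").read())`; `apachectl -t` still has the final say on syntax, but it does not report an unlistened port or a duplicated ServerName.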
5. Access control
Access-control rules:
| Rule | Function |
|---|---|
| Require all granted | allow all hosts |
| Require all denied | deny all hosts |
| Require ip IPADDR | allow hosts from the given source address |
| Require not ip IPADDR | deny hosts from the given source address |
| Require host HOSTNAME | allow hosts with the given source hostname |
| Require not host HOSTNAME | deny hosts with the given source hostname |
IPADDR forms:
- IP: 192.168.1.1
- Network/mask: 192.168.1.0/255.255.255.0
- Network/length: 192.168.1.0/24
- Net: 192.168
HOSTNAME forms:
- FQDN: the full name of one specific host
- DOMAIN: every host in the given domain
Note: httpd 2.4 denies all hosts by default, so after installation access must be granted explicitly.
[root@nfs-server conf.d]# vim httpd-vhosts.conf
// Add the access-control block, lines 9 to 14
[root@nfs-server conf.d]# cat httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/var/www/html/fj"
ServerName www.yf.com
ErrorLog "/var/log/httpd/fj_log/error_log"
CustomLog "/var/log/httpd/fj_log/access_log" common
<Directory /var/www/html/fj>
<RequireAll>
Require all granted
Require not ip 192.168.92.129
</RequireAll>
</Directory>
</VirtualHost>
// Check the syntax and restart the service
[root@nfs-server conf.d]# apachectl -t
Syntax OK
[root@nfs-server conf.d]# systemctl restart httpd
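The `<RequireAll>` block above only does what is intended because of how httpd combines outcomes: `Require all granted` succeeds, `Require not ip` is neutral unless the client matches, in which case it fails, and a single failure sinks the whole `<RequireAll>`. The following evaluator is an added example, not part of the original post: it models the `all` and `ip` providers for the four IPADDR forms in the table, plus the `<RequireAll>` and `<RequireAny>` combination rules, so a rule set can be checked against a client address before it is deployed. It goes one step beyond the page by also showing that a positive `Require ip` inside `<RequireAll>` restricts on its own. Host-name providers are not modelled.

```python
"""Evaluate 'Require' rules from the table above against a client address,
with httpd's RequireAll / RequireAny combination semantics.
Added example, not part of the original post."""
import ipaddress


def ip_spec_to_network(spec):
    """Map one IPADDR form to an ip_network: a single address (192.168.1.1),
    network/mask (192.168.1.0/255.255.255.0), network/length (192.168.1.0/24)
    or a partial network such as 192.168 (first one to three octets)."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)   # both mask styles
    octets = spec.split(".")
    if len(octets) < 4:                                   # partial: 192.168 -> 192.168.0.0/16
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    return ipaddress.ip_network(spec)                     # single host, /32


def evaluate_rule(rule, client):
    """Outcome of one 'Require ...' line: True (granted), False (denied) or
    None (neutral). httpd inverts a negated rule as granted->denied and
    denied->neutral, which is why 'Require not ip' can only ever deny."""
    parts = rule.split()
    negated = parts[0].lower() == "not"
    if negated:
        parts = parts[1:]
    provider, args = parts[0].lower(), parts[1:]
    if provider == "all":
        granted = {"granted": True, "denied": False}[args[0].lower()]
    elif provider == "ip":
        granted = any(client in ip_spec_to_network(a) for a in args)
    else:
        raise ValueError(f"provider {provider!r} is not modelled here")
    if not negated:
        return granted
    return False if granted else None


def combine(container, outcomes):
    """<RequireAll>: any denial fails, else any grant succeeds, else neutral.
    <RequireAny> (the default when Require lines stand alone): any grant
    succeeds, else any denial fails, else neutral."""
    if container == "all":
        if False in outcomes:
            return False
        return True if True in outcomes else None
    if True in outcomes:
        return True
    return False if False in outcomes else None


def client_allowed(container, rules, client_ip):
    """True only if the combined outcome is granted; a neutral result at the
    top level is treated as denied, as httpd does."""
    client = ipaddress.ip_address(client_ip)
    return combine(container, [evaluate_rule(r, client) for r in rules]) is True


# The rule set from the configuration above.
PAGE_RULES = ["all granted", "not ip 192.168.92.129"]

if __name__ == "__main__":
    for ip in ("192.168.92.129", "192.168.92.130"):
        print(ip, "allowed" if client_allowed("all", PAGE_RULES, ip) else "denied")
```

The last pair of assertions in the checks is the one worth remembering: `Require all granted` followed by a positive `Require ip 10.0.0.0/8` inside `<RequireAll>` does not "grant everyone plus the 10/8 network", it denies everyone outside 10/8, because a non-matching positive `ip` rule fails rather than staying neutral.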
II. Configuring HTTPS
HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is an HTTP channel built for security: on top of HTTP it protects the transport with encryption and identity authentication.
1. Generating the certificates
Setting up a private CA:
- the CA's configuration file: /etc/pki/tls/openssl.cnf
// The CA generates a key pair
[root@nfs-server ~]# cd /etc/pki/
[root@nfs-server pki]# mkdir CA
[root@nfs-server pki]# cd CA/
[root@nfs-server CA]# mkdir private
[root@nfs-server CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
// The CA generates a self-signed certificate
[root@nfs-server CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn // country
State or Province Name (full name) []:hb // state or province
Locality Name (eg, city) [Default City]:wh // city
Organization Name (eg, company) [Default Company Ltd]:rt // company
Organizational Unit Name (eg, section) []:xy // department
Common Name (eg, your name or your server's hostname) []:www.yf.com // domain name
Email Address []:1@2.com // e-mail address
// The values above can be anything, as long as the same values are entered again when the certificate is signed later
[root@nfs-server CA]# mkdir certs newcerts crl
[root@nfs-server CA]# touch index.txt && echo 01 > serial
// The client generates a key
[root@nfs-server CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@nfs-server ssl]# pwd
/etc/httpd/ssl
[root@nfs-server ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
// The client generates a certificate signing request
// The fields must match those entered for the CA's self-signed certificate above
[root@nfs-server ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:rt
Organizational Unit Name (eg, section) []:xy
Common Name (eg, your name or your server's hostname) []:www.yf.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: // just press Enter
An optional company name []: // just press Enter
// The CA signs the certificate request submitted by the client
[root@nfs-server ssl]# openssl ca -in /etc/httpd/ssl/httpd.csr -out httpd.crt -days 365
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
[root@nfs-server ssl]# ls
httpd.crt httpd.csr httpd.key
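Before pointing mod_ssl at httpd.crt it is worth checking three things: that the certificate actually chains to cacert.pem, that it is currently valid, and that it carries a subjectAltName for the ServerName, because current browsers match the host name against the SAN extension and not against the CN that the interactive `openssl req` prompts above fill in. The script below is an added example, not part of the original post; it drives the `openssl` command line from Python. Its `build_lab_pki` helper is a constructed stand-in for the procedure above: same subject fields, but non-interactive (`-subj`) and signed with `openssl x509 -req` instead of `openssl ca`, so it needs no index.txt or serial file. All file names are assumptions for the demo.

```python
"""Check a server certificate before handing it to mod_ssl: chain to the private
CA, validity window, and a subjectAltName for the ServerName.
Added example, not part of the original post; requires the openssl CLI."""
import os
import re
import subprocess
import tempfile


def openssl(*args):
    """Run one openssl subcommand and return the CompletedProcess (output captured)."""
    return subprocess.run(["openssl", *args], capture_output=True, text=True)


def chains_to(cert, ca):
    """True if 'openssl verify' accepts cert against the CA certificate."""
    return openssl("verify", "-CAfile", ca, cert).returncode == 0


def valid_now(cert):
    """-checkend 0 exits non-zero once the certificate has expired."""
    return openssl("x509", "-in", cert, "-noout", "-checkend", "0").returncode == 0


def has_san(cert, name):
    """True if the certificate text lists DNS:<name> in its subjectAltName."""
    text = openssl("x509", "-in", cert, "-noout", "-text").stdout
    return re.search(rf"DNS:{re.escape(name)}(?=[,\s]|$)", text) is not None


def check_cert(cert, ca, server_name):
    """The three checks a pre-deployment hook would report."""
    return {"chain": chains_to(cert, ca),
            "valid_now": valid_now(cert),
            "san": has_san(cert, server_name)}


def build_lab_pki(workdir, server_name, with_san):
    """Constructed lab PKI mirroring the commands above (assumed file names).
    Returns (server_cert_path, ca_cert_path)."""
    subj = "/C=cn/ST=hb/L=wh/O=rt/OU=xy"

    def p(name):
        return os.path.join(workdir, name)

    old = os.umask(0o077)                      # private keys must not be world-readable
    try:
        openssl("genrsa", "-out", p("cakey.pem"), "2048")
        openssl("genrsa", "-out", p("httpd.key"), "2048")
    finally:
        os.umask(old)
    openssl("req", "-new", "-x509", "-key", p("cakey.pem"), "-out", p("cacert.pem"),
            "-days", "365", "-subj", subj + "/CN=lab-ca")
    openssl("req", "-new", "-key", p("httpd.key"), "-out", p("httpd.csr"),
            "-subj", subj + f"/CN={server_name}")
    sign = ["x509", "-req", "-in", p("httpd.csr"), "-CA", p("cacert.pem"),
            "-CAkey", p("cakey.pem"), "-CAcreateserial", "-days", "365", "-out", p("httpd.crt")]
    if with_san:                               # the extension browsers actually match on
        with open(p("san.cnf"), "w") as f:
            f.write(f"subjectAltName=DNS:{server_name}\n")
        sign += ["-extfile", p("san.cnf")]
    openssl(*sign)
    return p("httpd.crt"), p("cacert.pem")


def demo(with_san=True, server_name="www.yf.com"):
    """Build a lab PKI in a temporary directory and return check_cert's report."""
    cert, ca = build_lab_pki(tempfile.mkdtemp(), server_name, with_san)
    return check_cert(cert, ca, server_name)


if __name__ == "__main__":
    print("with SAN:", demo(True))
    print("CN only :", demo(False))
```

Against the real files from the procedure above the call is `check_cert("/etc/httpd/ssl/httpd.crt", "/etc/pki/CA/cacert.pem", "www.yf.com")`; a CN-only certificate like the one produced by the interactive prompts reports `san: False`, and the fix is to add `subjectAltName=DNS:www.yf.com` through an extension file when signing.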
2. Configuring SSL
The mod_ssl module provides HTTPS encryption and authentication.
// Check whether the ssl module is installed for httpd; if not, install it
[root@nfs-server ~]# apachectl -M | grep ssl
// Install the ssl module
[root@nfs-server ~]# dnf -y install mod_ssl
// Restart the service so the module is loaded
[root@nfs-server ~]# systemctl restart httpd
[root@nfs-server conf.d]# pwd
/etc/httpd/conf.d
// Find these four lines, uncomment them, and change the web root and the certificate paths
[root@nfs-server conf.d]# vim ssl.conf
DocumentRoot "/var/www/html/fj"
ServerName www.yf.com:443
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
// Check the syntax and restart the service
[root@nfs-server conf.d]# apachectl -t
Syntax OK
[root@nfs-server conf.d]# systemctl restart httpd
Access test:
3. Redirecting HTTP to HTTPS
Once the site is configured for HTTPS, a browser that is given the address without the https:// scheme still uses plain HTTP by default, so requests to the HTTP site have to be forwarded to HTTPS.
// The redirect is configured by lines 5 to 7
[root@nfs-server conf.d]# vim httpd-vhosts.conf
[root@nfs-server conf.d]# cat httpd-vhosts.conf
<VirtualHost 192.168.92.128:80>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.yf.com$1 [L,R]
DocumentRoot "/var/www/html/fj"
ServerName www.yf.com
ErrorLog "/var/log/httpd/fj_log/error_log"
CustomLog "/var/log/httpd/fj_log/access_log" common
<Directory /var/www/html/fj>
<RequireAll>
Require all granted
</RequireAll>
</Directory>
</VirtualHost>