Three kinds of virtual hosts, and HTTPS

Common httpd configuration

Switching the MPM (edit the file /etc/httpd/conf.modules.d/00-mpm.conf):

// LoadModule mpm_NAME_module modules/mod_mpm_NAME.so
// NAME is one of three values:

- prefork
- event
- worker
```shell
[root@zwl ~]# cd /etc/httpd/conf.modules.d/
[root@zwl conf.modules.d]# ls
00-base.conf 00-optional.conf 01-cgi.conf
00-dav.conf 00-proxy.conf 10-h2.conf
00-lua.conf 00-ssl.conf 10-proxy_h2.conf
00-mpm.conf 00-systemd.conf README
[root@zwl conf.modules.d]# vim 00-mpm.conf
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
#
# NOTE: If enabling prefork, the httpd_graceful_shutdown SELinux
# boolean should be enabled, to allow graceful stop/shutdown.
#
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
```
Access control rules:

| Rule | Effect |
|---|---|
| Require all granted | allow every host |
| Require all denied | deny every host |
| Require ip IPADDR | allow hosts coming from the given source address |
| Require not ip IPADDR | deny hosts coming from the given source address |
| Require host HOSTNAME | allow hosts with the given source host name |
| Require not host HOSTNAME | deny hosts with the given source host name |

Forms that IPADDR can take:

- IP: 192.168.1.1
- Network/mask: 192.168.1.0/255.255.255.0
- Network/Length: 192.168.1.0/24
- Net: 192.168

Forms that HOSTNAME can take:

- FQDN: the full name of one specific host
- DOMAIN: every host within the given domain

Note: httpd 2.4 denies access from all hosts by default, so after installation you must grant access explicitly.
Example:

```apache
<Directory /var/www/html/www>
    <RequireAll>
        Require not ip 192.168.159.168
        Require all granted
    </RequireAll>
</Directory>
```
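The rule table above can be checked offline before a configuration is loaded. The following is an added example, not code from the original post or from httpd: it implements the four IPADDR forms from the table and the three-valued logic httpd applies inside a RequireAll block (a positive line must match or the block fails; a "Require not" line can only veto, never grant). The names parse_ipaddr and require_all are this example's own; only the ip and all providers are modelled (the host provider would need DNS), and the client addresses are constructed for the demonstration.

```python
"""Offline evaluation of httpd-2.4 ``Require`` rules against a client address.

Added example (not from the original post or from httpd). Models the IPADDR
forms of the table above and the RequireAll semantics of mod_authz_core.
"""
import ipaddress


def parse_ipaddr(spec):
    """Map one IPADDR argument to an IPv4Network.

    Forms, as listed in the table above:
      192.168.1.1                single host
      192.168.1.0/255.255.255.0  Network/mask
      192.168.1.0/24             Network/Length
      192.168                    Net: leading octets only
    """
    if "/" in spec:
        # ipaddress understands both the /24 and the /255.255.255.0 spelling
        return ipaddress.IPv4Network(spec, strict=False)
    octets = spec.split(".")
    if len(octets) < 4:
        # Net form: each octet that was given contributes 8 bits of prefix
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.IPv4Network(f"{padded}/{8 * len(octets)}")
    return ipaddress.IPv4Network(f"{spec}/32")


def _provider_matches(kind, args, client):
    """Would the (non-negated) provider grant this client?"""
    if kind == "all":
        if args == ["granted"]:
            return True
        if args == ["denied"]:
            return False
        # httpd refuses to start on anything else (e.g. "Require all deny")
        raise ValueError(f"Require all takes 'granted' or 'denied', not {args}")
    if kind == "ip":
        return any(client in parse_ipaddr(a) for a in args)
    raise ValueError(f"provider {kind!r} is not modelled here (ip/all only)")


def require_all(rules, client_ip):
    """Evaluate a <RequireAll> block; True means access is granted.

    httpd semantics: any failing line denies the whole block; otherwise at
    least one line must have granted, else the block is neutral, which at
    the top level is treated as denied.
    """
    client = ipaddress.IPv4Address(client_ip)
    granted = False
    for rule in rules:
        parts = rule.split()
        if parts[0] != "Require":
            raise ValueError(f"not a Require line: {rule!r}")
        negated = parts[1] == "not"
        kind, args = (parts[2], parts[3:]) if negated else (parts[1], parts[2:])
        matched = _provider_matches(kind, args, client)
        if negated and matched:
            return False        # "Require not ..." matched: veto
        if not negated:
            if not matched:
                return False    # a positive line failed
            granted = True
    return granted


# The <Directory /var/www/html/www> example from the post above
DIRECTORY_RULES = [
    "Require not ip 192.168.159.168",
    "Require all granted",
]

if __name__ == "__main__":
    # Constructed client addresses
    for ip in ("192.168.159.168", "192.168.159.169", "10.0.0.7"):
        verdict = "allowed" if require_all(DIRECTORY_RULES, ip) else "denied"
        print(f"{ip:16} -> {verdict}")
```

Running it shows 192.168.159.168 denied and every other address allowed, which is exactly what the Directory block above expresses; feeding it a misspelled argument raises instead of silently granting, mirroring the syntax check httpd -t performs.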
Virtual hosts:

There are three kinds of virtual host:

- same IP, different ports
- different IPs, same port
- same IP and port, different domain names

// Same IP, different ports
// Set the server name

```shell
[root@zwl ~]# vim /etc/httpd/conf/httpd.conf
ServerName www.example.com:80    // uncomment this line (remove the leading #)
[root@zwl ~]# find / -name *vhosts.conf
/etc/httpd24/extra/httpd-vhosts.conf
/etc/httpd24/original/extra/httpd-vhosts.conf
/usr/share/doc/httpd/httpd-vhosts.conf
/usr/local/src/httpd-2.4.54/docs/conf/extra/httpd-vhosts.conf
[root@zwl ~]# cp /usr/share/doc/httpd/httpd-vhosts.conf /etc/httpd/conf.d/
[root@zwl ~]# ls /etc/httpd/conf.d/
README httpd-vhosts.conf userdir.conf
autoindex.conf ssl.conf welcome.conf
[root@zwl ~]#
```
```shell
[root@zwl html]# ls
zhuawawaji.zip 坦克.zip
[root@zwl html]# unzip zhuawawaji.zip    // extract
[root@zwl html]# unzip 坦克.zip    // extract
[root@zwl html]# mv Battle_City tanke
[root@zwl html]# mv jQuery抓娃娃机游戏代码 zhuawawa
[root@zwl html]# ls
tanke zhuawawa zhuawawaji.zip 坦克.zip
[root@zwl html]# rm -rf zhuawawaji.zip
[root@zwl html]# rm -rf 坦克.zip
[root@zwl html]# ls
tanke zhuawawa
[root@zwl html]# vim /etc/httpd/conf.d/httpd-vhosts.conf    // append the following at the end of the file
[root@zwl html]# cat /etc/httpd/conf.d/httpd-vhosts.conf
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost *:80>
DocumentRoot "/var/www/html/zhuawawa"
ServerName www.zhuawawa.com
ErrorLog "/var/log/httpd/www.zhuawawa.com-error_log"
CustomLog "/var/log/httpd/www.zhuawawa.com-access_log" common
</VirtualHost>
Listen 81
<VirtualHost *:81>
DocumentRoot "/var/www/html/tanke"
ServerName www.tanke.com
ErrorLog "/var/log/httpd/www.tankecom-error_log"
CustomLog "/var/log/httpd/www.tanke.com-access_log" common
</VirtualHost>
[root@zwl html]#
[root@zwl html]# httpd -t
Syntax OK
[root@zwl html]# systemctl start httpd
[root@zwl html]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:81 *:*
```

(Screenshot: the site served on port 80)

(Screenshot: the site served on port 81)
// Different IPs, same port
// Add a temporary second address to the NIC (ip addr add does not survive a reboot)

```shell
[root@zwl ~]# ip addr add 192.168.159.169/24 dev ens33
[root@zwl ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:7f:6e:ed brd ff:ff:ff:ff:ff:ff
inet 192.168.159.168/24 brd 192.168.159.255 scope global dynamic noprefixroute ens33
valid_lft 1048sec preferred_lft 1048sec
inet 192.168.159.169/24 scope global secondary ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe7f:6eed/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@zwl ~]#
```

// Append the following at the end of the configuration file

```shell
[root@zwl ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
[root@zwl ~]# httpd -t
Syntax OK
[root@zwl ~]# systemctl restart httpd
[root@zwl ~]# cat /etc/httpd/conf.d/httpd-vhosts.conf
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost 192.168.159.168:80>
DocumentRoot "/var/www/html/zhuawawa"
ServerName www.zhuawawa.com
ErrorLog "/var/log/httpd/www.zhuawawa.com-error_log"
CustomLog "/var/log/httpd/www.zhuawawa.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.159.169:80>
DocumentRoot "/var/www/html/tanke"
ServerName www.tanke.com
ErrorLog "/var/log/httpd/www.tankecom-error_log"
CustomLog "/var/log/httpd/www.tanke.com-access_log" common
</VirtualHost>
[root@zwl ~]#
```
// Same IP and port, different domain names

```shell
[root@zwl html]# vim /etc/httpd/conf.d/httpd-vhosts.conf
[root@zwl html]# httpd -t
Syntax OK
[root@zwl html]# systemctl restart httpd
[root@zwl html]# cat /etc/httpd/conf.d/httpd-vhosts.conf
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost 192.168.159.168:80>
DocumentRoot "/var/www/html/zhuawawa"
ServerName www.zhuawawa.com
ErrorLog "/var/log/httpd/www.zhuawawa.com-error_log"
CustomLog "/var/log/httpd/zhuawawa.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.159.168:80>
DocumentRoot "/var/www/html/tanke"
ServerName www.tanke.com
ErrorLog "/var/log/httpd/www.tanke.com-error_log"
CustomLog "/var/log/httpd/tanke.com-access_log" common
</VirtualHost>
[root@zwl html]#
```

// On a Windows client, local name resolution uses the hosts file in C:\Windows\System32\drivers\etc; add the custom domain names there so that both names resolve to 192.168.159.168
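Which block actually serves a request is decided by httpd, not by the order in which the three layouts above were typed. The following is an added example, not code from the original post or from httpd itself: it models the selection rules httpd 2.4 documents (a block naming the request's exact IP:port beats a *:port block; among the blocks for that address the Host header is compared with ServerName and ServerAlias, where aliases may use * and ? wildcards; if no name matches, the first block listed for that address serves the request). The class VirtualHost and the functions select_vhost and docroot are this example's own names; the three tables transcribe the three httpd-vhosts.conf versions shown above, and the requests are constructed.

```python
"""Which <VirtualHost> serves a request, for the three layouts in this post.

Added example, not from the original post or from httpd. Implements the
documented httpd 2.4 vhost selection rules for address:port and Host header.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class VirtualHost:
    address: str          # "*" or the IP written in <VirtualHost address:port>
    port: int
    server_name: str
    document_root: str
    aliases: tuple = ()   # ServerAlias entries, e.g. ("tanke.com", "*.tanke.com")


def select_vhost(vhosts, dest_ip, dest_port, host_header=""):
    """Return the VirtualHost httpd would pick, or None for the main server.

    host_header is the raw Host: value; a trailing :port is ignored, as it
    is when httpd compares the header with ServerName.
    """
    # Step 1, address-based: exact IP:port blocks win over wildcard blocks
    same_port = [v for v in vhosts if v.port == dest_port]
    exact = [v for v in same_port if v.address == dest_ip]
    candidates = exact or [v for v in same_port if v.address == "*"]
    if not candidates:
        return None
    # Step 2, name-based: compare Host with ServerName / ServerAlias
    host = host_header.split(":")[0].lower()
    for v in candidates:
        names = (v.server_name, *v.aliases)
        if any(fnmatchcase(host, name.lower()) for name in names):
            return v
    # Step 3, fallback: the first block listed for this address is the default
    return candidates[0]


# Layout 1 from the post: same IP, different ports (*:80 and *:81)
PORT_BASED = (
    VirtualHost("*", 80, "www.zhuawawa.com", "/var/www/html/zhuawawa"),
    VirtualHost("*", 81, "www.tanke.com", "/var/www/html/tanke"),
)
# Layout 2: different IPs, same port
IP_BASED = (
    VirtualHost("192.168.159.168", 80, "www.zhuawawa.com", "/var/www/html/zhuawawa"),
    VirtualHost("192.168.159.169", 80, "www.tanke.com", "/var/www/html/tanke"),
)
# Layout 3: same IP and port, different names
NAME_BASED = (
    VirtualHost("192.168.159.168", 80, "www.zhuawawa.com", "/var/www/html/zhuawawa"),
    VirtualHost("192.168.159.168", 80, "www.tanke.com", "/var/www/html/tanke"),
)


def docroot(vhosts, dest_ip, dest_port, host_header=""):
    """DocumentRoot that would serve the request ("main server" if none)."""
    v = select_vhost(vhosts, dest_ip, dest_port, host_header)
    return v.document_root if v else "main server"


if __name__ == "__main__":
    # Constructed requests. In the name-based layout an unknown or empty
    # Host header lands on the first block, which is why a neutral
    # catch-all default vhost is worth declaring first.
    print(docroot(PORT_BASED, "192.168.159.168", 81, "www.zhuawawa.com"))
    print(docroot(IP_BASED, "192.168.159.169", 80, "www.zhuawawa.com"))
    print(docroot(NAME_BASED, "192.168.159.168", 80, "www.tanke.com:80"))
    print(docroot(NAME_BASED, "192.168.159.168", 80, "other.example"))
```

The first two calls show that in the port-based and IP-based layouts the Host header is irrelevant: the port or the destination address alone picks the block. The last two show the name-based case, where only the Host header distinguishes the two blocks and anything that matches neither ServerName falls through to the first one.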
Configuring HTTPS

HTTPS (Hyper Text Transfer Protocol over SecureSocket Layer) is an HTTP channel designed with security as its goal: on top of HTTP it adds transport encryption and identity authentication, which protect the data while it is in transit.

1. Generate the certificates
Set up a private CA:

- the CA's configuration file: /etc/pki/tls/openssl.cnf

// The CA generates a key pair

```shell
[root@zwl ~]# cd /etc/pki/
[root@zwl pki]# mkdir CA
[root@zwl pki]# cd CA/
[root@zwl CA]# mkdir private
[root@zwl CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................................+
....+++++
e is 65537 (0x010001)
```

// The CA generates a self-signed certificate

```shell
[root@zwl CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:rt
Organizational Unit Name (eg, section) []:xy
Common Name (eg, your name or your server's hostname) []:www.tanke.com
Email Address []:1@2.com
[root@zwl CA]# mkdir certs newcerts crl
[root@zwl CA]# touch index.txt && echo 01 > serial
```

// The web server (the CA's "client") generates its private key

```shell
[root@zwl CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@zwl ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................+++++
.........................................................+++++
e is 65537 (0x010001)
```

// The client generates a certificate signing request
// The fields entered must agree with those of the CA's self-signed certificate above: the default policy_match in openssl.cnf requires countryName, stateOrProvinceName and organizationName to match, otherwise openssl ca refuses to sign

```shell
[root@zwl ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:rt
Organizational Unit Name (eg, section) []:xy
Common Name (eg, your name or your server's hostname) []:www.tanke.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

// The CA signs the request submitted by the client

```shell
[root@zwl ssl]# openssl ca -in /etc/httpd/ssl/httpd.csr -out httpd.crt -days 365
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
[root@zwl ssl]# ls
httpd.crt httpd.csr httpd.key
```
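The interactive session above is hard to repeat identically, and it leaves it to the operator to verify that the signed certificate actually chains to the CA. The following is an added example, not code from the original post, from httpd or from OpenSSL: it drives the openssl binary (assumed to be installed) through the same steps, CA key, self-signed CA certificate, server key, CSR, signing with openssl ca, and then runs the check a client would run, openssl verify against cacert.pem. It works in a directory of the caller's choosing with a minimal openssl.cnf written by the script instead of /etc/pki/tls/openssl.cnf and /etc/pki/CA. The subject fields are the post's answers; the subjectAltName extension on the server certificate is not part of the post's procedure but is what browsers compare the host name against, so it is included. The functions build_private_ca, verify_chain, demo and checks_pass are this example's own names.

```python
"""Non-interactive replay of the private-CA procedure above, plus a chain check.

Added example (not from the original post, httpd or OpenSSL). Requires the
``openssl`` command; writes only inside the directory it is given.
"""
import os
import shutil
import subprocess
import tempfile

# Assumed subject: the answers given in the interactive session above.
SUBJECT = "/C=cn/ST=hb/L=wh/O=rt/OU=xy/CN={cn}/emailAddress=1@2.com"

# Minimal stand-in for the stock openssl.cnf; {dir} and {cn} are filled in.
OPENSSL_CNF = """\
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = {dir}
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert

# As in the stock file: C, ST and O of the CSR must equal the CA's, which is
# why the post says the CSR answers must match the CA certificate.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
authorityKeyIdentifier = keyid
subjectAltName         = DNS:{cn}
"""


def openssl_available():
    """True when an openssl binary is on PATH."""
    return shutil.which("openssl") is not None


def _openssl(*args):
    """Run one openssl subcommand; raise on a non-zero exit."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def build_private_ca(workdir, cn="www.tanke.com"):
    """Create the CA and a signed server certificate for cn under workdir."""
    ca = os.path.join(workdir, "CA")
    for sub in ("private", "newcerts"):
        os.makedirs(os.path.join(ca, sub))
    open(os.path.join(ca, "index.txt"), "w").close()       # touch index.txt
    with open(os.path.join(ca, "serial"), "w") as f:       # echo 01 > serial
        f.write("01\n")
    cnf = os.path.join(ca, "openssl.cnf")
    with open(cnf, "w") as f:
        f.write(OPENSSL_CNF.format(dir=ca, cn=cn))
    cakey = os.path.join(ca, "private", "cakey.pem")
    cacert = os.path.join(ca, "cacert.pem")
    key, csr, crt = (os.path.join(workdir, "httpd." + e) for e in ("key", "csr", "crt"))
    subj = SUBJECT.format(cn=cn)

    old_umask = os.umask(0o077)                  # (umask 077; openssl genrsa ...)
    try:
        _openssl("genrsa", "-out", cakey, "2048")
        _openssl("genrsa", "-out", key, "2048")
    finally:
        os.umask(old_umask)
    # CA self-signed certificate, then the server's CSR with the same DN
    _openssl("req", "-new", "-x509", "-config", cnf, "-key", cakey,
             "-out", cacert, "-days", "365", "-subj", subj)
    _openssl("req", "-new", "-config", cnf, "-key", key, "-out", csr, "-subj", subj)
    # -batch answers the two y/n prompts shown in the post
    _openssl("ca", "-batch", "-config", cnf, "-in", csr, "-out", crt, "-days", "365")
    return {"cacert": cacert, "key": key, "crt": crt}


def verify_chain(cacert, crt):
    """The check a client performs once cacert.pem is imported as trusted."""
    r = subprocess.run(["openssl", "verify", "-CAfile", cacert, crt],
                       capture_output=True, text=True)
    return r.returncode == 0


def demo():
    """Run the whole procedure in a scratch directory and report the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = build_private_ca(tmp)
        text = _openssl("x509", "-in", paths["crt"], "-noout", "-text")
        return {"verified": verify_chain(paths["cacert"], paths["crt"]),
                "has_san": "DNS:www.tanke.com" in text,
                "is_leaf": "CA:FALSE" in text}


def checks_pass():
    """True when every check reported by demo() holds."""
    return all(demo().values())


if __name__ == "__main__":
    print(demo())
```

To reproduce the post's layout exactly, call build_private_ca with a persistent directory and copy httpd.key and httpd.crt to /etc/httpd/ssl; the verify_chain step is the one worth keeping in any deployment script, since a certificate that does not chain to the CA the clients trust fails only at connection time.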
2. Configure SSL

// Install the SSL module

```shell
[root@zwl ~]# dnf -y install mod_ssl
[root@zwl ~]# systemctl restart httpd
[root@zwl ~]# vim /etc/httpd/conf.d/ssl.conf
```

Set the following directives inside the <VirtualHost _default_:443> block of ssl.conf, pointing them at the key and certificate produced above:

```apache
DocumentRoot "/var/www/html/fj"
ServerName www.yf.com:443
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
```

// Check the syntax and restart the service

```shell
[root@zwl ~]# apachectl -t
Syntax OK
[root@zwl ~]# systemctl restart httpd
```

A browser compares the host name in the URL with the name in the certificate (the Common Name entered above, www.tanke.com) and trusts the certificate only once cacert.pem has been imported as a trusted root; a ServerName that does not match the certificate, or a CA that was not imported, shows up as a certificate warning in the client rather than as an error on the server.