httpd配置三种虚拟主机带访问控制
文章目录
虚拟主机:
虚拟主机有三类:
- 相同IP不同端口
- 不同IP相同端口
- 相同IP相同端口不同域名
配置模板文件
[root@jiang ~]# find / -name '*vhosts.conf' //查找模板文件(通配符要加引号,否则会先被 shell 按当前目录展开)
/usr/share/doc/httpd/httpd-vhosts.conf
[root@jiang ~]# cd /etc/httpd/
[root@jiang httpd]# ls
conf conf.modules.d modules state
conf.d logs run
[root@jiang httpd]# cd conf.d/
[root@jiang conf.d]# ls
README userdir.conf
autoindex.conf welcome.conf
[root@jiang conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf .
[root@jiang conf.d]# ls
README userdir.conf
autoindex.conf welcome.conf
httpd-vhosts.conf
[root@jiang conf.d]# vi httpd-vhosts.conf
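<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/dummy-host.example.com"
    ServerName dummy-host.example.com
    ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/dummy-host.example.com-error_log"
    CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
</VirtualHost>
# Edit this sample down to the directives the exercise needs.
# Apache comments start with '#' and must be on a line of their own. Trailing
# "// ..." text is NOT a comment: httpd hands it to the directive as an extra
# argument and "httpd -t" fails.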
//编辑好的
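# Edited copy: only the four directives the exercise needs. Apache does not
# allow a comment on the same line as a directive (neither "//" nor a
# trailing "#"), so every note sits on its own line.
<VirtualHost *:80>
    # site document root
    DocumentRoot "/var/www/dummy-host.example.com"
    # host name this vhost answers for
    ServerName dummy-host.example.com
    # error log
    ErrorLog "/var/log/httpd/dummy-host.example.com-error_log"
    # access log
    CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
</VirtualHost>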
第一种虚拟主机
相同IP不同端口
[root@jiang conf.d]# vi httpd-vhosts.conf
# Virtual host type 1: same address, different TCP port.
# Site 1 answers on the default port 80.
<VirtualHost *:80>
    ServerName www.zhuawawa.com
    DocumentRoot "/var/www/html/zhuawawa"
    # Per-site logs keep one site's traffic out of the other's records.
    ErrorLog "/var/log/httpd/www.zhuawawa.com-error_log"
    CustomLog "/var/log/httpd/www.zhuawawa.com-access_log" common
</VirtualHost>

# Site 2 needs its own listening socket (without this line httpd only
# listens on 80). If firewalld is active, 81/tcp must also be opened there,
# or remote clients will not reach it even though ss(8) shows it listening.
Listen 81
<VirtualHost *:81>
    ServerName www.feijidazhan.com
    DocumentRoot "/var/www/html/feijidazhan"
    ErrorLog "/var/log/httpd/www.feijidazhan.com-error_log"
    CustomLog "/var/log/httpd/www.feijidazhan.com-access_log" common
</VirtualHost>
[root@jiang conf.d]# cd /var/www/html
[root@jiang html]# ls
[root@jiang html]# mkdir zhuawawa feijidazhan
[root@localhost html]# ls
feijidazhan zhuawawa
[root@jiang html]# cd zhuawawa/
[root@jiang zhuawawa]# ls
[root@jiang zhuawawa]# ls
feijiedazhan.zip zhuawawaji.zip
[root@jiang zhuawawa]# dnf -y install 'zip*'
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:11:31 ago on Sat Jul 23 14:02:03 2022.
Dependencies resolved.
===============================================================
Package Architecture Version Repository Size
===============================================================
Installing:
zip x86_64 3.0-23.el8 baseos 270 k
Installing dependencies:
unzip x86_64 6.0-46.el8 baseos 196 k
Transaction Summary
===============================================================
Install 2 Packages
Total download size: 466 k
Installed size: 1.2 M
Downloading Packages:
(1/2): unzip-6.0-46.el8.x86_64 587 kB/s | 196 kB 00:00
(2/2): zip-3.0-23.el8.x86_64.r 577 kB/s | 270 kB 00:00
---------------------------------------------------------------
Total 231 kB/s | 466 kB 00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : unzip-6.0-46.el8.x86_64 1/2
Installing : zip-3.0-23.el8.x86_64 2/2
Running scriptlet: zip-3.0-23.el8.x86_64 2/2
Verifying : unzip-6.0-46.el8.x86_64 1/2
Verifying : zip-3.0-23.el8.x86_64 2/2
Installed products updated.
Installed:
unzip-6.0-46.el8.x86_64 zip-3.0-23.el8.x86_64
Complete!
///解压源码包
[root@jiang zhuawawa]# unzip zhuawawaji.zip
Archive: zhuawawaji.zip
.....................................................
creating: jQuery#U6293#U5a03#U5a03#U673a#U6e38#U620f#U4ee3#U7801/js/
inflating: jQuery#U6293#U5a03#U5a03#U673a#U6e38#U620f#U4ee3#U7801/js/jquery.min.js
[root@jiang zhuawawa]# ls
jQuery#U6293#U5a03#U5a03#U673a#U6e38#U620f#U4ee3#U7801
zhuawawaji.zip
[root@jiang zhuawawa]# rm -rf zhuawawaji.zip
[root@jiang zhuawawa]# ls
images img index.html js
[root@jiang feijidazhan]# unzip feijiedazhan.zip
Archive: feijiedazhan.zip
....................................
inflating: HTML5#U5168#U6c11#U98de#U673a#U5927#U6218#U5c0f#U6e38#U620f/js/._.DS_Store
inflating: HTML5#U5168#U6c11#U98de#U673a#U5927#U6218#U5c0f#U6e38#U620f/js/._index.js
inflating: HTML5#U5168#U6c11#U98de#U673a#U5927#U6218#U5c0f#U6e38#U620f/js/index.js
[root@jiang feijidazhan]# ls
HTML5#U5168#U6c11#U98de#U673a#U5927#U6218#U5c0f#U6e38#U620f
feijiedazhan.zip
[root@jiang feijidazhan]# rm -rf feijiedazhan.zip
[root@jiang feijidazhan]# ls
css img index.html index.js js
//先清理解压出来的 macOS 元数据文件(上面可以看到 ._.DS_Store、._index.js 这类文件),它们放在网站根目录下会被当成静态文件对外提供:find /var/www/html \( -name '._*' -o -name '.DS_Store' \) -delete ;第三方源码包里自带的 js 库(如 jquery.min.js)版本也要核对一下。然后检查一下配置文件是否存在语法错误
[root@jiang html]# ls
feijidazhan zhuawawa
[root@jiang html]# httpd -t
AH00112: Warning: DocumentRoot [/var/www/zhuawawa.com] does not exist
AH00112: Warning: DocumentRoot [/var/www/feijidazhan.com] does not exist
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::9e26:e42:e48e:6000. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@jiang html]# systemctl restart httpd
[root@jiang html]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:81 *:*
LISTEN 0 128 [::]:22 [::]:*
查看效果
用80端口查看
用81端口查看
第二种虚拟主机
不同IP相同端口
[root@jiang ~]# cd /etc/httpd/
[root@jiang httpd]# ls
conf conf.d conf.modules.d logs modules run state
[root@jiang httpd]# cd conf.d
[root@jiang conf.d]# vim httpd-vhosts.conf
# Virtual host type 2: different addresses, same port.
# httpd picks the vhost by the local address the connection arrived on, so
# both addresses must actually be configured on the host (192.168.205.145
# is added with "ip addr add" further down; that assignment is lost on
# reboot and must be made persistent for anything beyond a lab).
<VirtualHost 192.168.205.144:80>
    ServerName www.zhuawawa.com
    DocumentRoot "/var/www/html/zhuawawa"
    ErrorLog "/var/log/httpd/www.zhuawawa.com-error_log"
    CustomLog "/var/log/httpd/www.zhuawawa.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.205.145:80>
    ServerName www.feijidazhan.com
    DocumentRoot "/var/www/html/feijidazhan"
    ErrorLog "/var/log/httpd/www.feijidazhan.com-error_log"
    CustomLog "/var/log/httpd/www.feijidazhan.com-access_log" common
</VirtualHost>
//添加一个临时ip(ip addr add 加的地址重启后就没了,要持久化请用 nmcli 修改连接配置)
[root@jiang conf.d]# ip addr add 192.168.205.145/24 dev ens33
[root@jiang conf.d]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:63:98:e5 brd ff:ff:ff:ff:ff:ff
inet 192.168.205.144/24 brd 192.168.205.255 scope global dynamic noprefixroute ens33
valid_lft 1413sec preferred_lft 1413sec
inet 192.168.205.145/24 scope global secondary ens33
valid_lft forever preferred_lft forever
inet6 fe80::9e26:e42:e48e:6000/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@jiang conf.d]# ping 192.168.205.145
PING 192.168.205.145 (192.168.205.145) 56(84) bytes of data.
64 bytes from 192.168.205.145: icmp_seq=1 ttl=64 time=0.016 ms
64 bytes from 192.168.205.145: icmp_seq=2 ttl=64 time=0.021 ms
64 bytes from 192.168.205.145: icmp_seq=3 ttl=64 time=0.025 ms
^C
--- 192.168.205.145 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2074ms
rtt min/avg/max/mdev = 0.016/0.020/0.025/0.006 ms
[root@jiang conf.d]# systemctl restart httpd
[root@jiang conf.d]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
查看效果
访问192.168.205.144
访问192.168.205.145
第三种虚拟主机
相同IP相同端口不同域名
[root@jiang conf.d]# vim httpd-vhosts.conf
# Virtual host type 3: same address and port, selected by the Host header.
# The FIRST <VirtualHost *:80> is also the default: a request whose Host
# header matches neither ServerName (plain http://192.168.205.144/, or an
# arbitrary Host value) is served by www.zhuawawa.com. Put a dedicated
# catch-all vhost first if that site should not be reachable that way.
<VirtualHost *:80>
    ServerName www.zhuawawa.com
    DocumentRoot "/var/www/html/zhuawawa"
    ErrorLog "/var/log/httpd/www.zhuawawa.com-error_log"
    CustomLog "/var/log/httpd/www.zhuawawa.com-access_log" common
</VirtualHost>
<VirtualHost *:80>
    ServerName www.feijidazhan.com
    DocumentRoot "/var/www/html/feijidazhan"
    ErrorLog "/var/log/httpd/www.feijidazhan.com-error_log"
    CustomLog "/var/log/httpd/www.feijidazhan.com-access_log" common
</VirtualHost>
[root@jiang conf.d]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@jiang conf.d]#
[root@jiang conf.d]# systemctl restart httpd
[root@jiang conf.d]#
域名映射
Linux系统和mac系统:/etc/hosts
Windows:C:\windows\system32\drivers\etc\hosts 先把hosts文件移动到桌面上进行修改(该目录需要管理员权限),修改完成后移动回原文件夹中
拖到桌面
用记事本打开
写入域名
查看效果
访问控制
添加访问控制权限
[root@jiang conf.d]# vim httpd-vhosts.conf
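# Restrict access to ONE site's document root. <Directory> must name the
# directory httpd actually serves, i.e. the DocumentRoot of the vhost you
# want to protect (see the <VirtualHost> blocks above). "/var/www/html/www"
# is not the DocumentRoot of any vhost here, so a rule on it never applies
# and both sites stay wide open.
<Directory "/var/www/html/zhuawawa">
    <RequireAll>
        # "Require not" is only valid inside <RequireAll>: the exclusion is
        # evaluated together with the grant, so everyone except this address
        # gets through.
        Require not ip 192.168.205.1
        Require all granted
    </RequireAll>
</Directory>
# Caveat: this matches the TCP source address of the connection. Behind a
# reverse proxy, NAT or load balancer every client appears as the proxy's
# address, so enforce the rule at the proxy or configure mod_remoteip first.
# An IP deny-list is not authentication; do not rely on it to protect
# anything sensitive.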
[root@jiang conf.d]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain
name, using 0.0.0.131. Set the 'ServerName' directive globally to suppress this
message
Syntax OK
[root@jiang conf.d]# systemctl restart httpd
安装ssl安全模块
[root@jiang ~]# dnf -y install mod_ssl
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:26:12 ago on Sat Jul 23 15:50:14 2022.
Dependencies resolved.
===============================================================
Package Arch Version Repo Size
===============================================================
Installing:
mod_ssl x86_64 1:2.4.37-47.module_el8.6.0+1111+ce6f4ceb.1
appstream 137 k
Installing dependencies:
sscg x86_64 2.3.3-15.el8 appstream 49 k
Transaction Summary
===============================================================
Install 2 Packages
Total download size: 187 k
Installed size: 364 k
Downloading Packages:
(1/2): sscg-2.3.3-15.el8.x86_6 398 kB/s | 49 kB 00:00
(2/2): mod_ssl-2.4.37-47.modul 787 kB/s | 137 kB 00:00
---------------------------------------------------------------
Total 255 kB/s | 187 kB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : sscg-2.3.3-15.el8.x86_64 1/2
Installing : mod_ssl-1:2.4.37-47.module_el8.6.0+ 2/2
Running scriptlet: mod_ssl-1:2.4.37-47.module_el8.6.0+ 2/2
Verifying : mod_ssl-1:2.4.37-47.module_el8.6.0+ 1/2
Verifying : sscg-2.3.3-15.el8.x86_64 2/2
Installed products updated.
Installed:
mod_ssl-1:2.4.37-47.module_el8.6.0+1111+ce6f4ceb.1.x86_64
sscg-2.3.3-15.el8.x86_64
Complete!
[root@jiang ~]# systemctl restart httpd
[root@jiang ~]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@jiang ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
[root@jiang ~]# httpd -M | grep ssl
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
ssl_module (shared)
配置https
openssl实现私有CA:
CA生成一对密钥(注意:下面的 genrsa 没有加 -aes256,CA 私钥是明文存放的,只靠 umask 077 的文件权限保护;实验环境可以这样,正式环境应加密 CA 私钥并离线保管)
[root@jiang ~]# cd /etc/pki/
[root@jiang pki]# ls
ca-trust entitlement product rpm-gpg tls
consumer java product-default rsyslog
[root@jiang pki]# mkdir CA
[root@jiang pki]# cd CA/
[root@jiang CA]# pwd
/etc/pki/CA
[root@jiang CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
genrsa: Can't open "private/cakey.pem" for writing, No such file or directory
[root@jiang CA]# mkdir private
[root@jiang CA]# ls
private
[root@jiang CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....................................................................................+++++
.................+++++
e is 65537 (0x010001)
[root@jiang CA]# cd private/
[root@jiang private]# ls
cakey.pem
[root@jiang CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoJuaXUswTPLys4D+dV0/
CiE8jCco94xcVTzRFTthd+8SN0mqT4U+Rf0ir3B9ydgcMjymvLR7NaDBeZGVhUnu
ogG2NPA/X/qbN389C/GXPuhB4ZdDEh9E6csMJ0LqUJ6OqcAKEe9YHNF2dceZYyaz
4ZSdvLg4FNZcTIgIa5X0vOHtI9Ukpsyaf0Utdoah52YEUrHs8nyf4utknu+vUjdl
mrGT9EKFqgdKu3RGRObNIWtymmT9WwZfzXESxwmPxLVZRfZ3y8S8udKkSPdFTn4c
79DQ7WbQLsr1Js6XRQnvkSX5wWgxfkboNQeRN74fRZrEIjfln9GVZq1ip3yOxs1E
AQIDAQAB
-----END PUBLIC KEY-----
CA生成自签署证书(建议 CA 证书的 Common Name 用一个独立的名字,例如 runtie Root CA,不要和下面服务器证书一样写 www.zhuawawa.com,否则签出来的服务器证书 Issuer 和 Subject 完全相同,排查证书链时容易混淆;CA 证书的有效期也通常要比服务器证书长)
[root@jiang CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:runtie
Organizational Unit Name (eg, section) []:peixun
Common Name (eg, your name or your server's hostname) []:www.zhuawawa.com
Email Address []:1@2.com
[root@jiang CA]# openssl x509 -text -in cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4d:0f:ac:92:6b:27:61:a4:9e:d5:0d:66:fa:1a:b3:d4:83:e2:36:88
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = cn, ST = hb, L = wh, O = runtie, OU = peixun, CN = www.zhuawawa.com, emailAddress = 1@2.com
Validity
Not Before: Jul 23 08:32:53 2022 GMT
Not After : Jul 23 08:32:53 2023 GMT
Subject: C = cn, ST = hb, L = wh, O = runtie, OU = peixun, CN = www.zhuawawa.com, emailAddress = 1@2.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
.........................................
root@jiang CA]# mkdir certs newcerts crl
[root@jiang CA]# touch index.txt && echo 01 > serial
[root@jiang CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@jiang CA]# cat serial
01
客户端生成密钥
[root@jiang CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@jiang ssl]# pwd
/etc/httpd/ssl
[root@jiang ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................................................................................................+++++
.........................+++++
e is 65537 (0x010001)
[root@jiang ssl]# ls
httpd.key
客户端生成证书签署请求
[root@jiang ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:runtie
Organizational Unit Name (eg, section) []:peixun
Common Name (eg, your name or your server's hostname) []:www.zhuawawa.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@jiang ssl]# ls
httpd.csr httpd.key
CA签署客户端提交上来的证书(注意:下面签出来的证书只有 CN、没有 subjectAltName,看后面的 X509v3 extensions 就能确认;现代浏览器只认 SAN 不认 CN,会报证书名称不匹配。可以先写一个扩展文件再签:printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\nsubjectAltName=DNS:www.zhuawawa.com\n' > httpd.ext ,然后 openssl ca -in httpd.csr -out httpd.crt -days 365 -extfile httpd.ext)
[root@jiang ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 23 08:39:50 2022 GMT
Not After : Jul 23 08:39:50 2023 GMT
Subject:
countryName = cn
stateOrProvinceName = hb
organizationName = runtie
organizationalUnitName = peixun
commonName = www.zhuawawa.com
emailAddress = 1@2.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BA:2B:23:0F:1E:D8:29:8C:CB:52:51:C8:F4:DD:44:4A:4C:2E:84:FB
X509v3 Authority Key Identifier:
keyid:9A:46:E7:8A:D6:FE:13:8D:CB:7F:61:4B:23:52:02:74:D9:A3:C3:9F
Certificate is to be certified until Jul 23 08:39:50 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@jiang ssl]# ls
httpd.crt httpd.csr httpd.key
修改ssl.conf配置文件(客户端需要先把私有 CA 的 /etc/pki/CA/cacert.pem 导入浏览器或系统的受信任根证书,否则 https 访问仍会提示不受信任;只分发 CA 证书,不要把服务器证书私钥 httpd.key 发给任何人)
[root@jiang ssl]# cd /etc/httpd/conf.d
[root@jiang conf.d]# ls
README httpd-vhosts.conf userdir.conf
autoindex.conf ssl.conf welcome.conf
[root@jiang conf.d]# vim ssl.conf
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
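# Uncommented from the stock ssl.conf so the TLS vhost serves its own site.
# Apache does not allow a comment on a directive line ("//注释" would be
# parsed as an extra argument and break "httpd -t"), so notes go on their
# own lines.
DocumentRoot "/var/www/html/feijidazhan"
ServerName www.feijidazhan.com:443
# NOTE(review): /etc/httpd/ssl/httpd.crt was issued with CN=www.zhuawawa.com
# and no subjectAltName (see the "openssl ca" output above), so browsers
# will reject it for www.feijidazhan.com. Either issue a certificate whose
# SAN lists www.feijidazhan.com, or point this vhost at www.zhuawawa.com.
# Clients must also trust /etc/pki/CA/cacert.pem, since the signer is a
# private CA.
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
# Server certificate, signed by the private CA in /etc/pki/CA:
SSLCertificateFile /etc/httpd/ssl/httpd.crt
# Server private key. It was generated under umask 077 (root-only 0600);
# keep it that way and never make it readable by the apache user or world.
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key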
[root@jiang conf.d]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@jiang conf.d]# systemctl restart httpd
[root@jiang conf.d]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*