httpd配置三种类型虚拟主机及https配置

httpd配置三种虚拟主机

1. 虚拟主机

虚拟主机有三类

相同IP不同端口
不同IP相同端口
相同IP相同端口不同域名

2. 配置方法

2.1 配置模板文件

//全局查找一下httpd的模板文件
[root@131 ~]# find / -name *vhosts.conf
/usr/share/doc/httpd/httpd-vhosts.conf
[root@131 ~]# 
//将查找的文件复制到conf.d/下
[root@131 ~]# cd /etc/httpd/
[root@131 httpd]# ls
conf  conf.d  conf.modules.d  logs  modules  run  state
[root@131 httpd]# cd conf.d/
[root@131 conf.d]# ls
README  autoindex.conf  userdir.conf  welcome.conf
[root@131 conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf  . 
[root@131 conf.d]# ls
README  autoindex.conf  httpd-vhosts.conf  userdir.conf  welcome.conf
[root@131 conf.d]# 
//进行编辑复制的模板文件
[root@131 conf.d]# vim httpd-vhosts.conf
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/dummy-host.example.com"
    ServerName dummy-host.example.com
    ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/dummy-host.example.com-error_log"
    CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
</VirtualHost>		//进行编辑,只留下实验需要的就行


//编辑好的
<VirtualHost *:80>
    DocumentRoot "/var/www/dummy-host.example.com"	//网站根目录
    ServerName dummy-host.example.com	//域名
    ErrorLog "/var/log/httpd/dummy-host.example.com-error_log"	//错误日志
    CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common	//访问日志
</VirtualHost>

2.2 第一种虚拟主机

  • 相同IP不同端口
//在模板文件中留下需要的字段
[root@131 conf.d]# vim httpd-vhosts.conf
 23 <VirtualHost *:80>
 24     DocumentRoot "/var/www/dummy-host.example.com"
 25     ServerName dummy-host.example.com
 26     ErrorLog "/var/log/httpd/dummy-host.example.com-error_log"
 27     CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
 28 </VirtualHost>
 29 
 30 <VirtualHost *:80>
 31     DocumentRoot "/var/www/dummy-host.example.com"
 32     ServerName dummy-host.example.com
 33     ErrorLog "/var/log/httpd/dummy-host.example.com-error_log"
 34     CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
 35 </VirtualHost>

//定义自己所需的端口、根目录、域名、错误日志及访问日志
23 <VirtualHost *:80>
 24     DocumentRoot "/var/www/html/feijidazhan"
 25     ServerName www.feijidazhan.com
 26     ErrorLog "/var/log/httpd/www.feijidazhan.com-error_log"
 27     CustomLog "/var/log/httpd/www.feijidazhan.com-access_log" common
 28 </VirtualHost>
 29 
 30 Listen 81	//添加81端口
 31 <VirtualHost *:81>
 32     DocumentRoot "/var/www/html/tankedazhan"
 33     ServerName www.tankedazhan.com
 34     ErrorLog "/var/log/httpd/www.tankedazhan.com-error_log"
 35     CustomLog "/var/log/httpd/www.tankedazhan.com-access_log" common
 36 </VirtualHost>
 37 



//进入html目录下,下载飞机大战所需源码包
[root@131 conf.d]# cd /var/www/html/
//创建飞机大战目录
[root@131 html]# mkdir feijidazhan
[root@131 html]# ls
feijidazhan
//上传源码包
[root@131 html]# ls
feijidazhan  feijiedazhan.zip
//安装所需解压工具
[root@131 html]# dnf install -y zip*
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:01:47 ago on Fri Jul 22 16:39:49 2022.
······
Installed:
  unzip-6.0-46.el8.x86_64                 zip-3.0-23.el8.x86_64                

Complete!
//解压源码包
[root@131 html]# unzip feijiedazhan.zip 
Archive:  feijiedazhan.zip
······
 inflating: HTML5#U5168#U6c11#U98de#U673a#U5927#U6218#U5c0f#U6e38#U620f/js/index.js  
[root@131 html]# ls
HTML5#U5168#U6c11#U98de#U673a#U5927#U6218#U5c0f#U6e38#U620f  feijiedazhan.zip
feijidazhan
//将解压文件移动到飞机大战目录下
[root@131 html]# mv HTML5#U5168#U6c11#U98de#U673a#U5927#U6218#U5c0f#U6e38#U620f/* feijidazhan/
[root@131 html]# cd feijidazhan/
//查看到所需文件
[root@131 feijidazhan]# ls
css  img  index.html  js
//回到html目录下删除不需要的解压目录
[root@131 feijidazhan]# cd /var/www/html/
[root@131 html]# ls
HTML5#U5168#U6c11#U98de#U673a#U5927#U6218#U5c0f#U6e38#U620f  feijiedazhan.zip
feijidazhan
[root@131 html]# rm -rf HTML5#U5168#U6c11#U98de#U673a#U5927#U6218#U5c0f#U6e38#U620f/
[root@131 html]# ls
feijidazhan  feijiedazhan.zip
[root@131 html]# 



//相同操作,下载坦克大战源码包
[root@131 html]# ls
 feijidazhan   feijiedazhan.zip  ''$'\345\235\246\345\205\213''.zip'
[root@131 html]# unzip ''$'\345\235\246\345\205\213''.zip'
Archive:  坦克.zip
······
 inflating: Battle_City/js/stage.js  
  inflating: Battle_City/js/tank.js  
[root@131 html]# 
[root@131 html]# ls
 Battle_City   feijiedazhan.zip
 feijidazhan  ''$'\345\235\246\345\205\213''.zip'
[root@131 html]# mv Battle_City/ tankedazhan
[root@131 html]# ls tankedazhan/
audio  css  images  index.html  js
[root@131 html]# rm -rf ''$'\345\235\246\345\205\213''.zip'
[root@131 html]# ls
feijidazhan  feijiedazhan.zip  tankedazhan
[root@131 html]# rm -f feijiedazhan.zip 


//所需的两个源码包文件下载完成
[root@131 html]# ls
feijidazhan  tankedazhan
[root@131 html]# 

//检查一下配置文件是否存在语法错误
[root@131 html]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 0.0.0.131. Set the 'ServerName' directive globally to suppress this message
Syntax OK
//重启服务
[root@131 html]# systemctl restart httpd
//查看端口
[root@131 html]# ss -anlt
State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port  Process  
LISTEN   0        128              0.0.0.0:22            0.0.0.0:*              
LISTEN   0        128                    *:80                  *:*              
LISTEN   0        128                    *:81                  *:*              
LISTEN   0        128                 [::]:22               [::]:*              
[root@131 html]# 
//关闭防火墙(只是为了实验方便;正式环境应保留防火墙,只放行 80 和 81 端口)
[root@131 html]# systemctl stop firewalld
  • 查看效果

网页访问IP查看默认的80端口

在这里插入图片描述

网页访问IP查看81端口

在这里插入图片描述

2.3 第二种虚拟主机

  • 不同IP相同端口
//进入模板文件定义成自己的主机IP
[root@131 html]# cd /etc/httpd/conf.d
[root@131 conf.d]# vim httpd-vhosts.conf 

# IP-based virtual hosts: the two sites share port 80 but are bound to
# different addresses, so httpd picks the site by the address the request
# arrived on. 192.168.183.132 is the secondary address added to ens33 with
# "ip addr add" below; as the text notes, that address does not survive a
# reboot unless it is also written to the interface configuration.
<VirtualHost 192.168.183.131:80>
    DocumentRoot "/var/www/html/feijidazhan"
    ServerName www.feijidazhan.com
    # Per-site log files keep the two sites' error and access records apart.
    ErrorLog "/var/log/httpd/www.feijidazhan.com-error_log"
    CustomLog "/var/log/httpd/www.feijidazhan.com-access_log" common
</VirtualHost>

# Second site, bound to the temporary secondary address on the same port.
<VirtualHost 192.168.183.132:80>
    DocumentRoot "/var/www/html/tankedazhan"
    ServerName www.tankedazhan.com
    ErrorLog "/var/log/httpd/www.tankedazhan.com-error_log"
    CustomLog "/var/log/httpd/www.tankedazhan.com-access_log" common
</VirtualHost>


//本机没有 132 这个 IP,需要临时加一个;ip addr add 添加的地址重启后会丢失,如果想要永久生效就需要写网卡配置文件
[root@131 conf.d]# ip addr add 192.168.183.132/24 dev ens33
[root@131 conf.d]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:ee:f3:86 brd ff:ff:ff:ff:ff:ff
    inet 192.168.183.131/24 brd 192.168.183.255 scope global dynamic noprefixroute ens33
       valid_lft 968sec preferred_lft 968sec
    inet 192.168.183.132/24 scope global secondary ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feee:f386/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
[root@131 conf.d]# 


//可以ping通IP
[root@131 conf.d]# ping 192.168.183.132
PING 192.168.183.132 (192.168.183.132) 56(84) bytes of data.
64 bytes from 192.168.183.132: icmp_seq=1 ttl=64 time=0.059 ms
64 bytes from 192.168.183.132: icmp_seq=2 ttl=64 time=0.040 ms
64 bytes from 192.168.183.132: icmp_seq=3 ttl=64 time=0.023 ms
^C
--- 192.168.183.132 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2067ms
rtt min/avg/max/mdev = 0.023/0.040/0.059/0.016 ms
[root@131 conf.d]# 


//检查语法,重启服务
[root@131 conf.d]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 0.0.0.131. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@131 conf.d]# systemctl restart httpd

  • 查看效果

网页访问131主机IP,默认80端口号

在这里插入图片描述

网页访问132主机IP,默认80端口号

在这里插入图片描述

2.4 第三种虚拟主机

  • 相同IP相同端口不同域名
//修改模板文件为相同IP相同端口
[root@131 conf.d]# vim httpd-vhosts.conf 
# Name-based virtual hosts: both blocks listen on the same address and port
# (*:80), so httpd selects the site by matching the request's Host header
# against ServerName. Clients therefore need a DNS or hosts-file entry that
# maps each name to the server's IP (the hosts-file steps follow below).
# NOTE(review): under Apache's usual rules the first block listed here is the
# default for requests whose Host matches neither ServerName — confirm that
# this is the intended fallback site.
<VirtualHost *:80>
    DocumentRoot "/var/www/html/feijidazhan"
    ServerName www.feijidazhan.com
    # Per-site log files keep the two sites' error and access records apart.
    ErrorLog "/var/log/httpd/www.feijidazhan.com-error_log"
    CustomLog "/var/log/httpd/www.feijidazhan.com-access_log" common
</VirtualHost>

# Second site on the same address and port, distinguished only by ServerName.
<VirtualHost *:80>
    DocumentRoot "/var/www/html/tankedazhan"
    ServerName www.tankedazhan.com
    ErrorLog "/var/log/httpd/www.tankedazhan.com-error_log"
    CustomLog "/var/log/httpd/www.tankedazhan.com-access_log" common
</VirtualHost>


//修改配置文件后检查语法并重启服务
[root@131 conf.d]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 0.0.0.131. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@131 conf.d]# systemctl restart httpd


  • 域名映射
    • Linux系统和mac系统:/etc/hosts
    • Windows:C:\windows\system32\drivers\etc\hosts 先把hosts文件移动到桌面上进行修改,修改完成后移动回原文件夹中

1.进入hosts所在文件夹,将其移动到桌面进行修改;

在这里插入图片描述

2.右击打开方式选择记事本
在这里插入图片描述

3.写入相同IP不同域名
在这里插入图片描述

4.进行保存,移动回原文件夹中,本机域名完成

在这里插入图片描述

  • 查看效果

网页访问域名:www.feijidazhan.com

在这里插入图片描述

网页访问域名:www.tankedazhan.com
在这里插入图片描述

3. 访问控制

3.1 添加访问控制权限

  • 添加访问控制配置
//添加访问控制规则:拒绝 192.168.183.1 访问,其余客户端放行
[root@131 conf.d]# vim httpd-vhosts.conf 
    
# Access-control rule for the site content.
# NOTE(review): /var/www/html/www is not one of the DocumentRoots configured
# above (/var/www/html/feijidazhan and /var/www/html/tankedazhan), so as
# written this <Directory> block matches no served directory and the rule has
# no effect — confirm the intended path.
<Directory /var/www/html/www>
    # RequireAll: every Require inside must succeed. "not ip" rejects the
    # client 192.168.183.1; "all granted" admits every other client.
    <RequireAll>
        Require not ip 192.168.183.1
        Require all granted
    </RequireAll>
</Directory>

[root@131 conf.d]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 0.0.0.131. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@131 conf.d]# systemctl restart httpd

4. 安装ssl安全模块

[root@131 ~]# dnf install -y mod_ssl
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:05:15 ago on Fri Jul 22 19:40:03 2022.
Dependencies resolved.
······
Installed:
  mod_ssl-1:2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64                       
  sscg-2.3.3-14.el8.x86_64                                                      

Complete!
//重启服务
[root@131 ~]# systemctl restart httpd
[root@131 ~]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 0.0.0.131. Set the 'ServerName' directive globally to suppress this message
Syntax OK
//查看到443端口
[root@131 ~]# ss -antl
State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port  Process  
LISTEN   0        128              0.0.0.0:22            0.0.0.0:*              
LISTEN   0        128                    *:80                  *:*              
LISTEN   0        128                 [::]:22               [::]:*              
LISTEN   0        128                    *:443                 *:*              
//过滤已加载模块列表,确认 ssl 模块已经加载
[root@131 ~]# httpd -M |grep ssl
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 0.0.0.131. Set the 'ServerName' directive globally to suppress this message
 ssl_module (shared)
[root@131 ~]# 

5. 配置https

  • openssl实现私有CA

5.1 CA生成一对密钥

[root@131 ~]# cd /etc/pki/
[root@131 pki]# ls
ca-trust  java  rpm-gpg  rsyslog  tls
[root@131 pki]# mkdir CA
[root@131 pki]# cd CA/
[root@131 CA]# pwd
/etc/pki/CA
[root@131 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
genrsa: Can't open "private/cakey.pem" for writing, No such file or directory
[root@131 CA]# mkdir private
[root@131 CA]# ls
private
//生成密钥
[root@131 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
..............+++++
e is 65537 (0x010001)
[root@131 CA]# ls
private
[root@131 CA]# cd private/
cakey.pem
[root@131 private]# 
//提取公钥
[root@131 CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoAzcrLg9nEyTOrBWDFTw
wuverIAqzRck1FlrlgqfOFux9zcJ7tCvzg/ZBbu9btEK1YtiGV09TaHWWajKEppR
YFNJo5V9QrP1v5lCXS9MCt3sabuPNANcjTtM9bm3L2XprPf2U0Nk/s348BVc9vLq
BQ3DSAIWrkCCWGCR7RE9iTttM69AIbsBqHKi9bR425/wugR6cXFm89/Gd9C5sGCD
eb0SudjT9iCnUQnfxxjAYfiHkrJdiu+MbuTbA+3LyUDpntCR71fFdqi/h2FMI3oV
xI5pm20+RBX/MHNHH90L4F6bBpQsRtbHP5Ol8weKg0T2Ft3tXXmzp10g8KlyzcLA
+wIDAQAB
-----END PUBLIC KEY-----
[root@131 CA]# 

5.2 CA生成自签署证书

//生成 CA 自签署证书(注意:这里 Common Name 填的是网站域名 www.feijidazhan.com,和 5.4 中服务器证书的 CN 相同;CA 证书的 CN 一般应与服务器证书区分开)
[root@131 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:peixun
Common Name (eg, your name or your server's hostname) []:www.feijidazhan.com
Email Address []:1@2.com
//读出cacert.pem证书
[root@131 CA]# openssl x509 -text -in cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            47:04:37:70:a8:c8:18:87:25:0d:27:7c:18:25:55:70:92:b4:6f:43
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = cn, ST = hb, L = wh, O = runtime, OU = peixun, CN = www.feijidazhan.com, emailAddress = 1@2.com
        Validity
            Not Before: Jul 22 12:07:55 2022 GMT
            Not After : Jul 22 12:07:55 2023 GMT
        Subject: C = cn, ST = hb, L = wh, O = runtime, OU = peixun, CN = www.feijidazhan.com, emailAddress = 1@2.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a0:0c:dc:ac:b8:3d:9c:4c:93:3a:b0:56:0c:54:
                    f0:c2:eb:de:ac:80:2a:cd:17:24:d4:59:6b:96:0a:
······
-----END CERTIFICATE-----
[root@131 CA]# 
[root@131 CA]# mkdir certs newcerts crl
[root@131 CA]# touch index.txt && echo 01 > serial
[root@131 CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@131 CA]# cat serial 
01
[root@131 CA]# 

5.3 客户端生成密钥

[root@131 CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@131 ssl]# pwd
/etc/httpd/ssl
[root@131 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
........+++++
.................................................................................................................................................................+++++
e is 65537 (0x010001)
[root@131 ssl]# ls
httpd.key
[root@131 ssl]# 

5.4 客户端生成证书签署请求

[root@131 ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:peixun
Common Name (eg, your name or your server's hostname) []:www.feijidazhan.com
Email Address []:1@2.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@131 ssl]# ls
httpd.csr  httpd.key
[root@131 ssl]# 

5.5 CA签署客户端提交上来的证书

[root@131 ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 22 12:20:15 2022 GMT
            Not After : Jul 22 12:20:15 2023 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = hb
            organizationName          = runtime
            organizationalUnitName    = peixun
            commonName                = www.feijidazhan.com
            emailAddress              = 1@2.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                49:43:83:CF:B5:41:22:86:9E:AB:1B:CA:A4:AC:01:07:7B:83:C9:0A
            X509v3 Authority Key Identifier: 
                keyid:3E:25:EF:2F:73:9F:0D:F4:DA:1E:5C:A9:97:78:B5:13:41:33:4D:58

Certificate is to be certified until Jul 22 12:20:15 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@131 ssl]# ls
httpd.crt  httpd.csr  httpd.key
[root@131 ssl]# 

5.6 修改ssl.conf配置文件

[root@131 ssl]# cd /etc/httpd/conf.
conf.d/         conf.modules.d/ 
[root@131 ssl]# cd /etc/httpd/conf.d/
[root@131 conf.d]# ls
README  autoindex.conf  httpd-vhosts.conf  ssl.conf  userdir.conf  welcome.conf
[root@131 conf.d]# vim ssl.conf 

 43 DocumentRoot "/var/www/html/feijidazhan"		//去掉注释
 44 ServerName www.feijidazhan.com:443		//去掉注释

 
 85 SSLCertificateFile /etc/httpd/ssl/httpd.crt
 86 
 87 #   Server Private Key:
 88 #   If the key is not combined with the certificate, use this
 89 #   directive to point at the key file.  Keep in mind that if
 90 #   you've both a RSA and a DSA private key you can configure
 91 #   both in parallel (to also allow the use of DSA ciphers, etc.)
 92 #   ECC keys, when in use, can also be configured in parallel
 93 SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

[root@131 conf.d]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 0.0.0.131. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@131 conf.d]# systemctl restart httpd
[root@131 conf.d]# ss -anlt | grep 443
LISTEN 0      128                *:443             *:*          

5.7 查看效果

在这里插入图片描述
在这里插入图片描述

在这里插入图片描述
