httpd service configuration
1. httpd 2.4 denies access from all hosts by default, so after installation you must explicitly grant access
1.1 Deny one host (192.168.159.1) access to parttime
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
...
<Directory "/var/www/html/parttime">
<RequireAll>
Require not ip 192.168.159.1
Require all granted
</RequireAll>
</Directory>
- Check the configuration syntax for errors
[root@localhost ~]# httpd -t
Syntax OK
- Restart the service
[root@localhost ~]# systemctl restart httpd
- The server itself can still access the page
[root@localhost ~]# curl http://192.168.159.134/parttime/index.html
hello zhongguo
- From the denied host, parttime can no longer be reached
- showtime can still be reached
2. Virtual hosts
2.1 Same host, different ports
- Use find to locate vhosts.conf
[root@localhost ~]# find / -name *vhosts.conf
/usr/share/doc/httpd-2.4.6/httpd-vhosts.conf
- Change to /etc/httpd/conf.d and copy vhosts.conf there
[root@localhost conf.d]# cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf .
[root@localhost conf.d]# ls
autoindex.conf httpd-vhosts.conf README userdir.conf welcome.conf
- Open httpd-vhosts.conf in vim and edit it
[root@localhost conf.d]# vim httpd-vhosts.conf
...
<VirtualHost *:80>
DocumentRoot "/var/www/html/parttime"
ServerName parttime.example.com
ErrorLog "/var/log/httpd/parttime.example.com-error_log"
CustomLog "/var/log/httpd/parttime.example.com-access_log" common
</VirtualHost>
Listen 81
<VirtualHost *:81>
DocumentRoot "/var/www/html/showtime"
ServerName showtime.example.com
ErrorLog "/var/log/httpd/showtime.example.com-error_log"
CustomLog "/var/log/httpd/showtime.example.com-access_log" common
</VirtualHost>
- Restart, check the listening ports, and rename the showtime page
[root@localhost conf.d]# systemctl restart httpd
[root@localhost conf.d]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 [::1]:25 [::]:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 [::]:81 [::]:*
LISTEN 0 128 [::]:22 [::]:*
[root@localhost conf.d]# cd /var/www/html
[root@localhost html]# ls
parttime showtime
[root@localhost html]# cd showtime
[root@localhost showtime]# ls
a.html
[root@localhost showtime]# mv a.html index.html
[root@localhost showtime]# ls
index.html
- Browsing to port 80 serves parttime
- Browsing to port 81 serves showtime
2.2 Same port, different IP addresses
- Edit httpd-vhosts.conf so both virtual hosts use the same port but bind to different addresses
<VirtualHost 192.168.159.134:80>
DocumentRoot "/var/www/html/parttime"
ServerName parttime.example.com
ErrorLog "/var/log/httpd/parttime.example.com-error_log"
CustomLog "/var/log/httpd/parttime.example.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.159.135:80>
DocumentRoot "/var/www/html/showtime"
ServerName showtime.example.com
ErrorLog "/var/log/httpd/showtime.example.com-error_log"
CustomLog "/var/log/httpd/showtime.example.com-access_log" common
</VirtualHost>
- Restart the service
[root@localhost ~]# systemctl restart httpd
- Browse to 192.168.159.134
- Browse to 192.168.159.135
2.3 Same IP, same port, different domain names
- Edit httpd-vhosts.conf so both virtual hosts share the same port and differ only in ServerName
<VirtualHost *:80>
DocumentRoot "/var/www/html/parttime"
ServerName parttime.example.com
ErrorLog "/var/log/httpd/parttime.example.com-error_log"
CustomLog "/var/log/httpd/parttime.example.com-access_log" common
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/var/www/html/showtime"
ServerName showtime.example.com
ErrorLog "/var/log/httpd/showtime.example.com-error_log"
CustomLog "/var/log/httpd/showtime.example.com-access_log" common
</VirtualHost>
- Restart the service
[root@localhost ~]# systemctl restart httpd
- Browse to http://parttime.example.com
- Browse to http://showtime.example.com
Configuring HTTPS (an SSL certificate normally has to be purchased from a CA)
1. Install mod_ssl
[root@localhost ~]# yum -y install mod_ssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
base | 3.6 kB 00:00
extras | 2.9 kB 00:00
updates | 2.9 kB 00:00
Resolving Dependencies
--> Running transaction check
...
2. Create the CA directory under /etc/pki
[root@localhost pki]# mkdir CA
[root@localhost pki]# ls
CA ca-trust java nssdb nss-legacy rpm-gpg rsyslog tls
[root@localhost pki]# cd CA
[root@localhost CA]# pwd
/etc/pki/CA
3. Generate the CA private key
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.....................+++
......................................+++
e is 65537 (0x10001)
3.1 Check the generated files
[root@localhost CA]# ls
certs crl newcerts private
[root@localhost CA]# ls private/
cakey.pem
3.2 Extract the public key
[root@localhost CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
4. Generate the self-signed CA certificate
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:parttime.example.com
Organizational Unit Name (eg, section) []:parttime.example.com
Common Name (eg, your name or your server's hostname) []:parttime.example.com
Email Address []:1@2.com
4.1 Read the contents of cacert.pem
[root@localhost CA]# openssl x509 -text -in cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c6:e9:fe:0f:17:60:80:83
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=HB, L=WH, O=parttime.example.com, OU=parttime.example.com, CN=parttime.example.com/emailAddress=1@2.com
Validity
Not Before: Aug 25 11:54:56 2020 GMT
Not After : Aug 25 11:54:56 2021 GMT
...
4.2 Check the CA directories
[root@localhost CA]# ls
cacert.pem certs crl newcerts private
4.3 Create the index and serial files
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@localhost CA]# cat index.txt
[root@localhost CA]# cat serial
01
5. Client: generate the server private key
[root@localhost CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@localhost ssl]# pwd
/etc/httpd/ssl
[root@localhost ssl]# ls
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.................+++
..................................+++
e is 65537 (0x10001)
6. Client: generate the certificate signing request
[root@localhost ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:parttime.example.com
Organizational Unit Name (eg, section) []:parttime.example.com
Common Name (eg, your name or your server's hostname) []:parttime.example.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
6.1 Check the generated files
[root@localhost ssl]# ls
httpd.csr httpd.key
7. The CA signs the request submitted by the client
[root@localhost ssl]# openssl ca -in ./httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 25 12:17:13 2020 GMT
Not After : Aug 25 12:17:13 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = parttime.example.com
organizationalUnitName = parttime.example.com
commonName = parttime.example.com
emailAddress = 1@2.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2E:C5:11:27:2D:B3:C4:1C:70:44:74:81:0E:0B:09:BC:7A:69:47:5E
X509v3 Authority Key Identifier:
keyid:C0:58:71:5D:8F:61:49:D9:57:76:EB:EE:75:3D:1C:71:17:41:A5:60
Certificate is to be certified until Aug 25 12:17:13 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
7.1 Check
[root@localhost ssl]# ls
httpd.crt httpd.csr httpd.key
7.2 Delete the CSR
[root@localhost ssl]# ls
httpd.crt httpd.csr httpd.key
[root@localhost ssl]# rm -f httpd.csr
[root@localhost ssl]# ls
httpd.crt httpd.key
8. Enable the module
[root@localhost httpd]# cd /etc/httpd
[root@localhost httpd]# ls
conf conf.d conf.modules.d logs modules run ssl
[root@localhost httpd]# ls conf.modules.d/
00-base.conf 00-lua.conf 00-proxy.conf 00-systemd.conf
00-dav.conf 00-mpm.conf 00-ssl.conf 01-cgi.conf
[root@localhost httpd]# vim conf.modules.d/00-ssl.conf
LoadModule ssl_module modules/mod_ssl.so
9. Configure HTTPS
[root@localhost httpd]# cat conf.modules.d/00-ssl.conf
LoadModule ssl_module modules/mod_ssl.so
[root@localhost httpd]# cd
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
[root@localhost ~]# ls /etc/httpd/conf.d
autoindex.conf httpd-vhosts.conf README ssl.conf userdir.conf welcome.conf
9.1 Configure the certificate paths in httpd-ssl.conf (installed by mod_ssl as /etc/httpd/conf.d/ssl.conf)
...
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html/parttime"
ServerName parttime.example.com:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
...
SSLCertificateFile /etc/httpd/ssl/httpd.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
...
9.2 Restart the service
[root@localhost conf.d]# systemctl restart httpd
- Check the listening ports
[root@localhost conf.d]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 [::1]:25 [::]:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 [::]:22 [::]:*
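Steps 2 to 7 above, plus the checks worth running before step 9.1 points httpd at the files, as one non-interactive POSIX shell script. This is an added example, not from the original notes: it works in a scratch directory instead of /etc/pki/CA and /etc/httpd/ssl, passes the subjects with -subj instead of typing them at the prompts, signs the request with "openssl x509 -req" instead of "openssl ca" (so no index.txt/serial database is needed), and adds a subjectAltName, which browsers require in addition to the CN the notes set.

```shell
#!/bin/sh
# Added example (not from the original notes): steps 2-7 above as one
# non-interactive script in a scratch directory instead of /etc/pki/CA and
# /etc/httpd/ssl. Assumes openssl is on PATH; uses "openssl x509 -req"
# instead of "openssl ca" so no index.txt/serial database is needed.
set -eu

build_demo_ca() {
    dir=$1                           # scratch directory, e.g. from mktemp -d
    host=${2:-parttime.example.com}  # name the server certificate must carry
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; return 0; }
    mkdir -p "$dir/CA/private" "$dir/ssl"

    # Step 3: CA private key; umask 077 keeps it readable by the owner only
    (umask 077; openssl genrsa -out "$dir/CA/private/cakey.pem" 2048 2>/dev/null)
    # Step 4: self-signed CA certificate (the default v3_ca section marks it CA:TRUE)
    openssl req -new -x509 -key "$dir/CA/private/cakey.pem" -out "$dir/CA/cacert.pem" \
        -days 365 -subj "/C=CN/ST=HB/L=WH/O=$host/CN=Demo CA for $host"

    # Steps 5-6: server key and CSR with the site name as CN, as in the notes
    (umask 077; openssl genrsa -out "$dir/ssl/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/ssl/httpd.key" -out "$dir/ssl/httpd.csr" \
        -subj "/C=CN/ST=HB/L=WH/O=$host/CN=$host"

    # Step 7: CA signs the request. The extension file adds a subjectAltName:
    # browsers ignore CN and reject a certificate whose SAN does not match.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/ssl/server.ext"
    openssl x509 -req -in "$dir/ssl/httpd.csr" -CA "$dir/CA/cacert.pem" \
        -CAkey "$dir/CA/private/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$dir/ssl/server.ext" -out "$dir/ssl/httpd.crt" 2>/dev/null
    rm -f "$dir/ssl/httpd.csr"       # step 7.2

    # Checks before SSLCertificateFile/SSLCertificateKeyFile point at the files:
    # the chain verifies against our CA, the hostname matches, key and cert pair up
    openssl verify -CAfile "$dir/CA/cacert.pem" -verify_hostname "$host" "$dir/ssl/httpd.crt"
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/ssl/httpd.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/ssl/httpd.key" 2>/dev/null)
    [ "$crt_mod" = "$key_mod" ]
}

# Example run: build_demo_ca "$(mktemp -d)" parttime.example.com
```

The function returns non-zero if any step or check fails, so it can gate copying httpd.crt and httpd.key into /etc/httpd/ssl.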