httpd configuration

httpd service configuration

1. httpd 2.4 denies access by default: the stock httpd.conf carries <Directory /> with Require all denied and grants only /var/www, so any other directory you want to serve (or any narrower rule for one you already serve) has to be authorized explicitly after installation.

1.1 Block one client (192.168.159.1) from parttime
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
...
<Directory "/var/www/html/parttime">
    <RequireAll>
        Require not ip 192.168.159.1
        Require all granted
    </RequireAll>
</Directory>
  • Inside <RequireAll> every Require must succeed, so this grants everyone except 192.168.159.1. The container is not optional: a negated "Require not" on its own (or inside <RequireAny>) is rejected by httpd as a configuration error.
  • Check the configuration for syntax errors
[root@localhost ~]# httpd -t
Syntax OK
  • Restart the service
[root@localhost ~]# systemctl restart httpd
  • The server itself (source address 192.168.159.134, not the blocked one) can still fetch the page
[root@localhost ~]# curl http://192.168.159.134/parttime/index.html
hello zhongguo

  • From the blocked client's browser, parttime is refused (screenshot)
  • showtime, which has no such rule, is still reachable (screenshot)

2. Virtual hosts

2.1 Same host, different ports
  • Use find to locate the sample vhosts.conf (quote the pattern so the shell does not expand it before find sees it)
[root@localhost ~]#  find / -name "*vhosts.conf"
/usr/share/doc/httpd-2.4.6/httpd-vhosts.conf
  • Go to /etc/httpd/conf.d and copy the sample there (httpd.conf includes every *.conf in that directory)
[root@localhost conf.d]# cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf .
[root@localhost conf.d]# ls
autoindex.conf  httpd-vhosts.conf  README  userdir.conf  welcome.conf

  • Edit httpd-vhosts.conf: one VirtualHost per port, plus a Listen directive for the extra port
[root@localhost conf.d]# vim httpd-vhosts.conf
...
<VirtualHost *:80>
    DocumentRoot "/var/www/html/parttime"
    ServerName parttime.example.com
    ErrorLog "/var/log/httpd/parttime.example.com-error_log"
    CustomLog "/var/log/httpd/parttime.example.com-access_log" common
</VirtualHost>

Listen 81
<VirtualHost *:81>
    DocumentRoot "/var/www/html/showtime"
    ServerName showtime.example.com
    ErrorLog "/var/log/httpd/showtime.example.com-error_log"
    CustomLog "/var/log/httpd/showtime.example.com-access_log" common
</VirtualHost>
  • Restart, confirm that both 80 and 81 are listening, and give showtime an index.html
[root@localhost conf.d]# systemctl restart httpd
[root@localhost conf.d]# ss -antl
State       Recv-Q Send-Q Local Address:Port               Peer Address:Port              
LISTEN      0      100    127.0.0.1:25                      *:*                  
LISTEN      0      128         *:22                      *:*                  
LISTEN      0      100     [::1]:25                   [::]:*                  
LISTEN      0      128      [::]:80                   [::]:*                  
LISTEN      0      128      [::]:81                   [::]:*                  
LISTEN      0      128      [::]:22                   [::]:*       
[root@localhost conf.d]#  cd /var/www/html
[root@localhost html]# ls
parttime  showtime
[root@localhost html]# cd showtime
[root@localhost showtime]# ls
a.html
[root@localhost showtime]# mv a.html index.html
[root@localhost showtime]# ls
index.html
  • Browsing to the server on the default port 80 shows parttime (screenshot)
  • Browsing to port 81 shows showtime (screenshot)
2.2 Same port, different IPs
  • Edit httpd-vhosts.conf so both hosts use port 80 and are told apart by the destination address (192.168.159.135 must be assigned to this host as well; that step is not shown here)
<VirtualHost 192.168.159.134:80>
    DocumentRoot "/var/www/html/parttime"
    ServerName parttime.example.com
    ErrorLog "/var/log/httpd/parttime.example.com-error_log"
    CustomLog "/var/log/httpd/parttime.example.com-access_log" common
</VirtualHost>

<VirtualHost 192.168.159.135:80>
    DocumentRoot "/var/www/html/showtime"
    ServerName showtime.example.com
    ErrorLog "/var/log/httpd/showtime.example.com-error_log"
    CustomLog "/var/log/httpd/showtime.example.com-access_log" common
</VirtualHost>
  • Restart the service
[root@localhost ~]# systemctl restart httpd

  • Visiting 192.168.159.134 shows parttime (screenshot)
  • Visiting 192.168.159.135 shows showtime (screenshot)
2.3 Same IP, same port, different domain names
  • Edit httpd-vhosts.conf so both hosts use *:80 and differ only in ServerName. httpd selects the VirtualHost whose ServerName matches the request's Host header; the first *:80 block (parttime here) is also the default for any request whose Host matches nothing, including requests sent to the bare IP. Clients must resolve both names to 192.168.159.134 (DNS or their hosts file).
<VirtualHost *:80>
    DocumentRoot "/var/www/html/parttime"
    ServerName parttime.example.com
    ErrorLog "/var/log/httpd/parttime.example.com-error_log"
    CustomLog "/var/log/httpd/parttime.example.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/var/www/html/showtime"
    ServerName showtime.example.com
    ErrorLog "/var/log/httpd/showtime.example.com-error_log"
    CustomLog "/var/log/httpd/showtime.example.com-access_log" common
</VirtualHost>

  • Restart the service
[root@localhost ~]# systemctl restart httpd
  • Visiting http://parttime.example.com shows parttime (screenshot)

  • Visiting http://showtime.example.com shows showtime (screenshot)
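The following script is an added example and not part of the original post. It writes a corrected version of the name-based httpd-vhosts.conf from section 2.3: an explicit catch-all VirtualHost comes first, so a request whose Host header matches no ServerName (for example one sent to the bare IP) gets 403 instead of silently landing on the first site, and the parttime block carries the section 1 RequireAll rule. It then runs a small awk check for a ServerName that appears twice on one listener, the copy-paste slip from section 2.1, which is not a syntax error and so is not something httpd -t reports. Site names, paths and addresses are the page's own; the destination path argument and the "bad" sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Writes a hardened name-based
# vhost file for the section 2.3 setup and checks it for duplicate
# ServerName entries. Destination path and the bad sample are assumptions.
set -eu

write_vhosts_conf() {
    cat > "$1" <<'EOF'
# First vhost on *:80 is the default for any Host header that matches no
# ServerName below. Deny it outright; its hits go to the global logs.
<VirtualHost *:80>
    ServerName 192.168.159.134
    DocumentRoot "/var/www/html"
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName parttime.example.com
    DocumentRoot "/var/www/html/parttime"
    <Directory "/var/www/html/parttime">
        # everyone except 192.168.159.1; a negated Require is only legal
        # inside <RequireAll>/<RequireNone>
        <RequireAll>
            Require all granted
            Require not ip 192.168.159.1
        </RequireAll>
    </Directory>
    ErrorLog "/var/log/httpd/parttime.example.com-error_log"
    CustomLog "/var/log/httpd/parttime.example.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    ServerName showtime.example.com
    DocumentRoot "/var/www/html/showtime"
    ErrorLog "/var/log/httpd/showtime.example.com-error_log"
    CustomLog "/var/log/httpd/showtime.example.com-access_log" common
</VirtualHost>
EOF
}

# Print "addr:port ServerName" for every ServerName that repeats on the same
# <VirtualHost addr:port>; the second copy can never be selected by name.
duplicate_server_names() {
    awk '
        /^[[:space:]]*<VirtualHost[[:space:]]/ { vh = $2; sub(/>.*/, "", vh) }
        /^[[:space:]]*ServerName[[:space:]]/   { if (seen[vh " " $2]++) print vh " " $2 }
    ' "$1"
}

# Constructed sample: the ServerName copy-paste slip from section 2.1, but on
# a single listener, where it silently hides the second site.
write_bad_sample() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName parttime.example.com
    DocumentRoot "/var/www/html/parttime"
</VirtualHost>
<VirtualHost *:80>
    ServerName parttime.example.com
    DocumentRoot "/var/www/html/showtime"
</VirtualHost>
EOF
}

# Usage: sh vhosts.sh /etc/httpd/conf.d/httpd-vhosts.conf && httpd -t
if [ $# -eq 1 ]; then
    write_vhosts_conf "$1"
    dups=$(duplicate_server_names "$1")
    if [ -n "$dups" ]; then
        echo "duplicate ServerName: $dups"
    else
        echo "no duplicate ServerName entries in $1"
    fi
fi
```

After writing the file into /etc/httpd/conf.d, run httpd -t and restart as in the sections above; curl -H "Host: nosuchname" http://192.168.159.134/ should now return 403 from the catch-all rather than the parttime page.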

Configuring https (for a public site the certificate is bought from, or otherwise issued by, a CA that browsers already trust; below we act as our own CA instead, so browsers will warn until cacert.pem is imported as a trusted root)

1. Install mod_ssl
[root@localhost ~]# yum -y install mod_ssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
base                                                    | 3.6 kB     00:00     
extras                                                  | 2.9 kB     00:00     
updates                                                 | 2.9 kB     00:00     
Resolving Dependencies
--> Running transaction check
...
2. Create the CA directory under /etc/pki (on CentOS 7 the openssl package already ships /etc/pki/CA with certs, crl, newcerts and private, so mkdir may report that it exists; /etc/pki/tls/openssl.cnf points the ca command at this directory, which is what lets step 7 run with no extra options)
[root@localhost pki]# mkdir CA
[root@localhost pki]# ls
CA  ca-trust  java  nssdb  nss-legacy  rpm-gpg  rsyslog  tls
[root@localhost pki]# cd CA
[root@localhost CA]# pwd
/etc/pki/CA
3. Generate the CA private key (the umask 077 subshell makes the key file mode 0600 from the moment it is created)
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) 
Generating RSA private key, 2048 bit long modulus
.....................+++
......................................+++
e is 65537 (0x10001)
3.1 Check the generated files
[root@localhost CA]# ls
certs  crl  newcerts  private
[root@localhost CA]# ls private/
cakey.pem

3.2 Extract the public key (display only; nothing below uses this output)
[root@localhost CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8Pkiy8hP+4nCcj425xMU
7ADiG2zfDz69sXb/7P9d2oLky7w9rL3jvvAfHrvvTxZNCdlQMrZWJEk+8Ks+pFx4
AdxXHV/7FwQEGDZ7c37DmnPSHTE5ihJRC6v2qtUDWoQyYpvbnDq2bwa2vYeVjoDl
r5oS3Pi3nGsQOUl12RMj2U3sNZkhzPH5OwSQCee/iuCSEmRM4SiJw20YbIj0Jznp
C2HgZjfMcG4kn2bEz2Cc3611HjiHVKWS9HHX55SkPaXh4IuaJy8miBX9ZqTzrMtl
fzHrA+SGZlbxxwPlWD2hKZ01TN5vMIuH5MMDxYv8L+MvqcTciFzRwPdtYL6fzyI8
KwIDAQAB
-----END PUBLIC KEY-----

4. Generate the self-signed CA certificate (valid 365 days). Note the C, ST and O values entered here: the default signing policy in openssl.cnf (policy_match) requires the server's request in step 6 to carry the same ones.
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:parttime.example.com
Organizational Unit Name (eg, section) []:parttime.example.com
Common Name (eg, your name or your server's hostname) []:parttime.example.com
Email Address []:1@2.com

4.1 Read back the contents of cacert.pem
[root@localhost CA]# openssl x509 -text -in cacert.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c6:e9:fe:0f:17:60:80:83
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=HB, L=WH, O=parttime.example.com, OU=parttime.example.com, CN=parttime.example.com/emailAddress=1@2.com
        Validity
            Not Before: Aug 25 11:54:56 2020 GMT
            Not After : Aug 25 11:54:56 2021 GMT
...
4.2 Confirm the CA directory layout (certs, crl, newcerts and private now sit next to cacert.pem)
[root@localhost CA]#  ls
cacert.pem  certs  crl  newcerts  private

4.3 Create the certificate database and the starting serial number (index.txt and serial are what openssl ca reads and updates on every signing)
[root@localhost CA]#   touch index.txt && echo 01 > serial
[root@localhost CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@localhost CA]# cat index.txt
[root@localhost CA]# cat serial
01

5. Generate the web server's private key (the server is the CA's "client" in this flow)
[root@localhost CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@localhost ssl]# pwd
/etc/httpd/ssl
[root@localhost ssl]# ls
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.................+++
..................................+++
e is 65537 (0x10001)

6. Generate the server's certificate signing request (-days is ignored here: a CSR has no validity period, the signer sets it in step 7; the challenge password is left blank)
[root@localhost ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:parttime.example.com
Organizational Unit Name (eg, section) []:parttime.example.com
Common Name (eg, your name or your server's hostname) []:parttime.example.com
Email Address []:1@2.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

6.1 Check the generated files
[root@localhost ssl]# ls
httpd.csr  httpd.key

7. The CA signs the submitted request. openssl ca takes its key, certificate, database and serial from /etc/pki/tls/openssl.cnf. The printed Subject has no L= field because policy_match lists no localityName, so it is dropped, while C, ST and O must equal the CA's or signing is refused.
[root@localhost ssl]# openssl ca -in ./httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 25 12:17:13 2020 GMT
            Not After : Aug 25 12:17:13 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = parttime.example.com
            organizationalUnitName    = parttime.example.com
            commonName                = parttime.example.com
            emailAddress              = 1@2.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2E:C5:11:27:2D:B3:C4:1C:70:44:74:81:0E:0B:09:BC:7A:69:47:5E
            X509v3 Authority Key Identifier: 
                keyid:C0:58:71:5D:8F:61:49:D9:57:76:EB:EE:75:3D:1C:71:17:41:A5:60

Certificate is to be certified until Aug 25 12:17:13 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

7.1 Check the result
[root@localhost ssl]# ls
httpd.crt  httpd.csr  httpd.key

7.2 Remove the CSR (it is no longer needed once the certificate exists)
[root@localhost ssl]# rm -f httpd.csr
[root@localhost ssl]# ls
httpd.crt  httpd.key
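Steps 3 to 7 done without prompts, as an added example that is not part of the original post: it builds the private CA key and certificate, the server key and CSR, and the CA-signed server certificate, and adds a subjectAltName, which current browsers require (a CN alone no longer counts). Signing uses "openssl x509 -req -CA ..." rather than "openssl ca", so no index.txt/serial database or /etc/pki/CA layout is needed. The output directory, the DN values and the CA name are assumptions made for this example; the server name is the page's parttime.example.com.

```shell
#!/bin/sh
# Added example, not from the original post. Repeats steps 3-7 (CA key and
# cert, server key, CSR, signed server cert) non-interactively and adds a
# subjectAltName. Output directory, DN values and CA name are assumptions.
set -eu

make_lab_pki() (
    dir="$1"    # output directory, created if missing (e.g. /root/lab-ca)
    host="$2"   # server name for CN and subjectAltName (e.g. parttime.example.com)
    mkdir -p "$dir/private"
    cd "$dir"

    # CA request config: no prompting, subject from the file, CA extensions
    cat > ca.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = v3_ca
[ ca_dn ]
C  = CN
ST = HB
O  = Lab Private CA
CN = Lab Private Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # Server request config: C/ST/O kept identical to the CA's, as the
    # openssl.cnf policy_match used by "openssl ca" would demand; SAN in CSR
    cat > server.cnf <<EOF
[ req ]
prompt             = no
distinguished_name = server_dn
req_extensions     = v3_req
[ server_dn ]
C  = CN
ST = HB
O  = Lab Private CA
CN = $host
[ v3_req ]
subjectAltName = DNS:$host
EOF

    # Extensions applied at signing time. "openssl x509 -req" ignores CSR
    # extensions unless told to copy them, so the SAN is stated again here.
    cat > server.ext <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF

    # steps 3/4: CA key (umask 077 -> mode 0600) and self-signed CA certificate
    (umask 077; openssl genrsa -out private/cakey.pem 2048 2>/dev/null)
    openssl req -new -x509 -config ca.cnf -key private/cakey.pem \
        -sha256 -days 3650 -out cacert.pem
    # steps 5/6: server key and CSR
    (umask 077; openssl genrsa -out httpd.key 2048 2>/dev/null)
    openssl req -new -config server.cnf -key httpd.key -out httpd.csr
    # step 7: CA signs the CSR; cacert.srl takes the place of the serial file
    openssl x509 -req -in httpd.csr -CA cacert.pem -CAkey private/cakey.pem \
        -CAcreateserial -sha256 -days 365 -extfile server.ext \
        -out httpd.crt 2>/dev/null
    rm -f httpd.csr
)

# Check that httpd.crt chains to cacert.pem and names the host in its SAN.
# Prints OK (status 0) or FAIL (status 1).
verify_server_cert() {
    if openssl verify -CAfile "$1/cacert.pem" "$1/httpd.crt" >/dev/null 2>&1 \
       && openssl x509 -in "$1/httpd.crt" -noout -text \
          | grep -qE "DNS:$2(,|\$| )"; then
        echo OK
    else
        echo FAIL
        return 1
    fi
}

# Usage: sh mkpki.sh /root/lab-ca parttime.example.com
# Copy httpd.crt and httpd.key to /etc/httpd/ssl for ssl.conf, import
# cacert.pem on the client as a trusted root, keep private/cakey.pem off
# the web server.
if [ $# -eq 2 ]; then
    make_lab_pki "$1" "$2"
    verify_server_cert "$1" "$2"
fi
```

The verify function is the check worth keeping: it fails for any name not in the SAN, which is exactly what a browser will do with the CN-only certificate produced by the interactive steps above.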

8. Confirm the SSL module is loaded (installing mod_ssl already created conf.modules.d/00-ssl.conf and conf.d/ssl.conf)
[root@localhost httpd]# cd /etc/httpd
[root@localhost httpd]# ls
conf  conf.d  conf.modules.d  logs  modules  run  ssl
[root@localhost httpd]# ls conf.modules.d/
00-base.conf  00-lua.conf  00-proxy.conf  00-systemd.conf
00-dav.conf   00-mpm.conf  00-ssl.conf    01-cgi.conf
[root@localhost httpd]# vim conf.modules.d/00-ssl.conf 

LoadModule ssl_module modules/mod_ssl.so

9. Configure https
[root@localhost httpd]# cat conf.modules.d/00-ssl.conf 
LoadModule ssl_module modules/mod_ssl.so
[root@localhost httpd]# cd
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
[root@localhost ~]# ls /etc/httpd/conf.d
!              httpd-vhosts.conf  ssl.conf      welcome.conf
autoindex.conf  README             userdir.conf

9.1 Point the SSL virtual host in /etc/httpd/conf.d/ssl.conf at the certificate and key (DocumentRoot and ServerName are commented out in the stock file and are uncommented here)
...
<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html/parttime"
ServerName parttime.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
...
SSLCertificateFile /etc/httpd/ssl/httpd.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
...
9.2 Restart the service
[root@localhost conf.d]# systemctl restart httpd

  • Check that 443 is now listening
[root@localhost conf.d]# ss -antl
State       Recv-Q Send-Q Local Address:Port               Peer Address:Port              
LISTEN      0      100    127.0.0.1:25                      *:*                  
LISTEN      0      128         *:22                      *:*                  
LISTEN      0      100     [::1]:25                   [::]:*                  
LISTEN      0      128      [::]:443                  [::]:*                  
LISTEN      0      128      [::]:80                   [::]:*                  
LISTEN      0      128      [::]:22                   [::]:*  
10 Visit the https site and inspect the certificate (screenshot)

  • Two things to expect: the browser warns because the issuer is a private CA, and that only goes away once cacert.pem is imported as a trusted root on the client; current browsers also require a subjectAltName matching the host name, which the interactive CSR in step 6 did not include, so a warning can persist even with the CA trusted.
