Because the project requires Apache to be hardened, access has to be protected by user authentication; by default the site is served on port 80.
1. Set the port the virtual host listens on
root@10.1.1.200:apache2# cat ports.conf
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
2. Configure the virtual host
root@10.1.1.200:sites-enabled# cat ossec
<VirtualHost *:80>
ServerAdmin root@localhost
ServerName 10.1.1.200
DocumentRoot /var/www/ossec
<Directory /var/www/ossec>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from 10.1.1.200
# Basic authentication
AuthType Basic
# Realm text shown in the browser's login dialog
AuthName "ossec system"
AuthBasicProvider file
# Best kept somewhere clients cannot fetch it (outside DocumentRoot)
AuthUserFile /etc/apache2/password/passwords
# Any valid user from the passwords file above; individual users can be named instead
Require valid-user
</Directory>
ErrorLog /var/log/apache2/ossec_error.log
LogLevel warn
CustomLog /var/log/apache2/ossec_access.log combined
</VirtualHost>
Alternatively, change AllowOverride None to AllowOverride AuthConfig; the AuthType and related directives can then be moved out of the site config into /var/www/ossec/.htaccess (the file must have exactly this name). In theory no restart is needed for the password protection to take effect, because it lives outside the main config; every location where the .htaccess file is placed then requires authentication.
3. Generate the user database
root@10.1.1.200:sites-enabled# cd /etc/apache2/password/
root@10.1.1.200:password# ls
passwords
root@10.1.1.200:password# htpasswd -c /etc/apache2/password/passwords ossecadmin
root@10.18.21.201:password# cat passwords
ossecadmin:faarAgVTPHuXc
4. Restart Apache
root@10.1.1.200:~# /etc/init.d/apache2 restart
5. Test access
If we also want SSL-encrypted access on port 443 while port 80 remains the default, and do not want users to have to type https themselves, there are many ways to do it; here we add a redirect in the config file.
1. Load the ssl and rewrite modules
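The ossecadmin entry shown above, faarAgVTPHuXc, is a 13-character traditional crypt(3) hash, the htpasswd default on Apache 2.2, which only uses the first 8 characters of the password. As an added example (not code from the post), this Python script classifies each entry of an htpasswd file by hash format and flags the weak ones; the sample file is constructed, with the post's ossecadmin line plus made-up entries.

```python
import re

# Constructed sample htpasswd file: the ossecadmin line is the one the post
# shows, the other entries are made up to cover the remaining formats.
SAMPLE_HTPASSWD = """\
ossecadmin:faarAgVTPHuXc
alice:$apr1$ZjQ0YTk1$o5eMYWxoJQDMS7JOm8AOi0
bob:$2y$05$abcdefghijklmnopqrstuuBZh3YxKoHDtPa4jgcPJ0pPe2b8BFa4C
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:plaintextpassword
"""

# Formats a hardening review should flag: crypt truncates to 8 characters and
# is trivially brute-forced, unsalted SHA-1 and plain text are worse.
WEAK = {"crypt", "plain", "sha1"}

def hash_format(h: str) -> str:
    """Classify an htpasswd hash by its prefix or shape."""
    if h.startswith("$apr1$"):
        return "apr-md5"
    if h.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if h.startswith("{SHA}"):
        return "sha1"
    # Traditional crypt(3): 2-character salt + 11 characters, 13 in total
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "crypt"
    return "plain"

def audit_htpasswd(text: str):
    """Return (user, format, is_weak) per entry; blank, comment and malformed lines are skipped."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, h = line.partition(":")
        if not sep:
            continue
        fmt = hash_format(h)
        results.append((user, fmt, fmt in WEAK))
    return results

if __name__ == "__main__":
    for user, fmt, weak in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{user:12} {fmt:8} {'WEAK' if weak else 'ok'}")
```

On Apache 2.2, htpasswd -m stores an MD5-based (apr1) hash instead of crypt.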
root@10.1.1.200:mods-available# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
root@10.1.1.200:mods-available# a2enmod rewrite
Enabling module rewrite.
Run '/etc/init.d/apache2 restart' to activate new configuration!
2. Generate the key and certificate
A. Create a 2048-bit key file (you will be prompted for a pass phrase and its confirmation):
#openssl genrsa -des3 -out server.key 2048
Afterwards there should be a server.key file in the current directory.
B. Inspect the key file you created (optional):
#openssl rsa -noout -text -in server.key
C. Create a PEM copy of the key with the pass phrase removed (optional):
#openssl rsa -in server.key -out server.key.unsecure
D. Create the CSR file (you will be asked for some information; "your name" is the site's domain name, e.g. www.dave.com, and the other fields should match that domain's registration details):
#openssl req -new -key server.key -out server.csr
Afterwards there should be a server.csr file in the current directory.
E. Create the crt file:
#openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Afterwards there should be a server.crt file in the current directory.
Put the generated files into /etc/apache2/ssl
3. Set the ports the virtual hosts listen on
root@10.1.1.200:apache2# cat ports.conf
NameVirtualHost *:80
NameVirtualHost *:443
Listen 80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
4. Configure the virtual hosts
root@10.1.1.200:sites-enabled# vim ossec
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/ossec
<Directory /var/www/ossec/>
Options -Indexes FollowSymLinks
AllowOverride None
Order allow,deny
allow from 10.1.1.200
AuthType Basic
AuthName "ossec system"
AuthBasicProvider file
AuthUserFile /etc/apache2/password/passwords
Require valid-user
</Directory>
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/ssl_access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
# If apache2 reports an error on restart, comment out the SSLCACertificateFile line below
SSLCACertificateFile /etc/apache2/ssl/server.crt
</VirtualHost>
<VirtualHost *:80>
ServerName 10.1.1.200
RewriteEngine On
RewriteCond %{HTTP_HOST} ^10.1.1.200 [NC]
RewriteRule ^/(.*)?$ https://10.1.1.200/$1 [L,R]
</VirtualHost>
5. Restart apache2
root@10.1.1.200:sites-enabled# /etc/init.d/apache2 restart
Restarting web server: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 10.1.1.200 for ServerName
... waiting apache2: Could not reliably determine the server's fully qualified domain name, using 10.1.1.200 for ServerName
Apache/2.2.16 mod_ssl/2.2.16 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server 10.1.1.200:443 (RSA)
Enter pass phrase:
The restart only succeeds once you enter the pass phrase chosen when the SSL key was generated.
root@10.1.1.200:sites-enabled# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::443 :::* LISTEN 562/apache2
tcp6 0 0 :::80 :::* LISTEN 562/apache2
This creates a problem: if the machine reboots, Apache's SSL vhost waits for someone to type the pass phrase before it can start, and otherwise the machine sits at the prompt indefinitely.
The following method solves the pass-phrase-on-restart problem; in short, Apache runs a script that supplies the pass phrase automatically when the service (re)starts.
root@10.1.1.200:mods-enabled# vim ssl.conf
#SSLPassPhraseDialog builtin
SSLPassPhraseDialog exec:/etc/apache2/ssl/key.sh
root@10.1.1.200:ssl# vim key.sh
#!/bin/bash
echo 'password'
root@10.1.1.200:ssl# pwd
/etc/apache2/ssl
root@10.1.1.200:ssl# ls -l  # note the permissions: 755
-rwxr-xr-x 1 root root 26 2012-05-30 13:48 key.sh
Restart Apache once more and it no longer needs anyone to type the pass phrase.
6. Test access
Click to continue to the site and accept the certificate.
Enter the correct password and you are automatically taken to https.
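As an added example (not the post's own code), here is a small Python audit of an Apache site file for the points the two setups above touch: Basic auth served in a vhost that has no SSLEngine on (the first, port-80-only setup sends the password base64-encoded in clear), an AuthUserFile placed under DocumentRoot, directory listings left enabled, and an SSLPassPhraseDialog exec: script, which holds the key pass phrase in clear text and so must be readable by root only. SAMPLE_CONFIG is constructed from the post's two setups, with the Directory wrappers omitted.

```python
import re

# Constructed config modelled on the post's ossec site file: the first, plain-HTTP
# setup with Basic auth next to the later HTTPS vhost (Directory wrappers omitted).
SAMPLE_CONFIG = """\
SSLPassPhraseDialog exec:/etc/apache2/ssl/key.sh
<VirtualHost *:80>
    DocumentRoot /var/www/ossec
    Options Indexes FollowSymLinks
    AuthType Basic
    AuthUserFile /var/www/ossec/.htpasswd
    Require valid-user
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot /var/www/ossec
    Options -Indexes FollowSymLinks
    AuthType Basic
    AuthUserFile /etc/apache2/password/passwords
    Require valid-user
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body: str, name: str):
    """Value of the first `name` directive in body, or None if absent."""
    m = re.search(rf"^\s*{name}\s+(.+?)\s*$", body, re.M | re.I)
    return m.group(1) if m else None

def audit_vhosts(text: str):
    """Return (scope, finding) pairs for the hardening points the post touches."""
    findings = []
    m = re.search(r"^\s*SSLPassPhraseDialog\s+exec:(\S+)", text, re.M | re.I)
    if m:  # the helper script holds the key pass phrase in clear text
        findings.append(("global", f"pass phrase script {m.group(1)} must be readable by root only"))
    for addr, body in VHOST_RE.findall(text):
        addr = addr.strip()
        ssl_on = (directive(body, "SSLEngine") or "").lower() == "on"
        if directive(body, "AuthType") and not ssl_on:
            findings.append((addr, "Basic auth without SSLEngine on: credentials sent base64-encoded in clear"))
        docroot, userfile = directive(body, "DocumentRoot"), directive(body, "AuthUserFile")
        if docroot and userfile and userfile.startswith(docroot.rstrip("/") + "/"):
            findings.append((addr, "AuthUserFile lives under DocumentRoot"))
        # 'Indexes' or '+Indexes' enables listings; '-Indexes' (as in the post) disables them
        if re.search(r"(?<!-)\bIndexes\b", directive(body, "Options") or "", re.I):
            findings.append((addr, "directory listing enabled (Options Indexes)"))
    return findings
```

Run it on a real site file with audit_vhosts(open("/etc/apache2/sites-enabled/ossec").read()); on SAMPLE_CONFIG only the *:80 vhost and the global pass phrase script produce findings.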