HTTPD (Apache) web server: HTTP basic configuration (3)


Continued from: HTTP basic configuration (2)
Directive quick index (official site)

Experiment environment

Install the httpd package with yum, set up a default index.html page, start the service and test it. The system used here is a minimal CentOS 8 install; the firewall and SELinux are turned off. The host is centos8, IP 192.168.32.8.

[root@centos8 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:a5:39:58 brd ff:ff:ff:ff:ff:ff
    inet 192.168.32.8/24 brd 192.168.32.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
       
[root@centos8 ~]#cat /etc/redhat-release 
CentOS Linux release 8.0.1905 (Core) 
[root@centos8 ~]#
[root@centos8 ~]#firewall-cmd --state
not running
[root@centos8 ~]#
[root@centos8 ~]#getenforce 
Disabled
[root@centos8 ~]#yum list httpd*
Last metadata expiration check: 3 days, 9:43:01 ago on Sun 08 Dec 2019 05:11:56 AM CST.
Available Packages
httpd.x86_64                                   2.4.37-12.module_el8.0.0+185+5908b0db                        centos8
httpd-devel.x86_64                             2.4.37-12.module_el8.0.0+185+5908b0db                        centos8
httpd-filesystem.noarch                        2.4.37-12.module_el8.0.0+185+5908b0db                        centos8
httpd-manual.noarch                            2.4.37-12.module_el8.0.0+185+5908b0db                        centos8
httpd-tools.x86_64                             2.4.37-12.module_el8.0.0+185+5908b0db                        centos8
[root@centos8 ~]#dnf install httpd -y

[root@centos8 ~]#rpm -qi httpd
Name        : httpd
Version     : 2.4.37
Release     : 12.module_el8.0.0+185+5908b0db
Architecture: x86_64
Install Date: Wed 11 Dec 2019 02:55:14 PM CST
Group       : System Environment/Daemons
Size        : 5148135
License     : ASL 2.0
Signature   : RSA/SHA256, Thu 10 Oct 2019 05:33:32 AM CST, Key ID 05b555b38483c65d
Source RPM  : httpd-2.4.37-12.module_el8.0.0+185+5908b0db.src.rpm
Build Date  : Tue 08 Oct 2019 05:42:59 AM CST
Build Host  : x86-01.mbox.centos.org
Relocations : (not relocatable)
Packager    : CentOS Buildsys <bugs@centos.org>
Vendor      : CentOS
URL         : https://httpd.apache.org/
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
[root@centos8 ~]#ss -ntl
State         Recv-Q         Send-Q                  Local Address:Port                  Peer Address:Port         
LISTEN        0              128                           0.0.0.0:22                         0.0.0.0:*            
LISTEN        0              128                              [::]:22                            [::]:*            
[root@centos8 ~]#systemctl start httpd
[root@centos8 ~]#ss -ntl
State         Recv-Q         Send-Q                  Local Address:Port                  Peer Address:Port         
LISTEN        0              128                           0.0.0.0:22                         0.0.0.0:*            
LISTEN        0              128                           0.0.0.0:80                         0.0.0.0:*            
LISTEN        0              128                              [::]:22                            [::]:*      
[root@centos8 ~]#echo "This is a HTTPD(apache) test for kaivi" > /var/www/html/index.html

[root@centos8 ~]#curl 192.168.32.8
This is a HTTPD(apache) test for kaivi


Disabling the TRACE method

TraceEnable [on|off|extended]

Whether the TRACE method is supported; the default is on. Because of the security risk, disabling it is recommended.
Example: disable the TRACE method

[root@centos8 ~]#vim /etc/httpd/conf.d/test.conf
[root@centos8 ~]#cat /etc/httpd/conf.d/test.conf
TraceEnable off
[root@centos8 ~]#

[root@centos8 ~]#curl -IX OPTIONS http://127.0.0.1
HTTP/1.1 200 OK
Date: Thu, 12 Dec 2019 13:07:47 GMT
Server: Apache/2.4.37 (centos)
Allow: GET,POST,OPTIONS,HEAD,TRACE     # TRACE is enabled by default
Content-Length: 0
Content-Type: text/html; charset=UTF-8

[root@centos8 ~]#systemctl reload httpd
[root@centos8 ~]#curl -IX OPTIONS http://127.0.0.1
HTTP/1.1 200 OK
Date: Thu, 12 Dec 2019 13:08:26 GMT
Server: Apache/2.4.37 (centos)
Allow: GET,POST,OPTIONS,HEAD        # TRACE is now disabled
Content-Length: 0
Content-Type: text/html; charset=UTF-8

[root@centos8 ~]#

Multiple virtual hosts

httpd can serve several websites from one physical host, i.e. multiple virtual hosts.
What uniquely identifies a site:
same IP, different ports
different IPs, all on the default port

different FQDNs:
There are three ways to implement multiple virtual hosts:
IP-based: at least one IP address per virtual host
port-based: at least one dedicated port per virtual host
FQDN-based: at least one FQDN per virtual host; the request carries a Host: likai.tech header
Note: in httpd 2.4, FQDN-based virtual hosts no longer need the NameVirtualHost directive
Basic virtual host configuration:

<VirtualHost IP:PORT>
ServerName FQDN
DocumentRoot "/path"
</VirtualHost>

Recommendation: keep the configuration above in a separate configuration file

Other commonly used directives:

ServerAlias: alias for the virtual host; may be used several times
ErrorLog: error log
CustomLog: access log
<Directory "/path"> </Directory>

Example: port-based virtual hosts

[root@centos8 ~]#mkdir /data/website{1,2,3}

[root@centos8 ~]#echo "This is NO.1 website!" > /data/website1/index.html
[root@centos8 ~]#echo "This is NO.2 website!" > /data/website2/index.html
[root@centos8 ~]#echo "This is NO.3 website!" > /data/website3/index.html
[root@centos8 ~]#tree /data/
/data/
├── website1
│   └── index.html
├── website2
│   └── index.html
└── website3
    └── index.html

3 directories, 3 files
[root@centos8 ~]#vim /etc/httpd/conf.d/test.conf 

[root@centos8 ~]#cat /etc/httpd/conf.d/test.conf
listen 8001                     
listen 8002
listen 8003
<virtualhost *:8001>      # the port for this host
documentroot /data/website1/              # the document root
CustomLog logs/website1_access.log combined    # a separate access log
<directory /data/website1>              # grant access to the directory
require all granted
</directory>

</virtualhost>
<virtualhost *:8002>
documentroot /data/website2/
CustomLog logs/website2_access.log combined
<directory /data/website2>
require all granted
</directory>
</virtualhost>

<virtualhost *:8003>
documentroot /data/website3/
CustomLog logs/website3_access.log combined
<directory /data/website3>
require all granted
</directory>
</virtualhost>

[root@centos8 ~]#systemctl restart httpd

[root@centos8 ~]#ll /var/log/httpd/   # each site has its own access log
total 24
-rw-r--r-- 1 root root 2084 Dec 12 21:41 access_log
-rw-r--r-- 1 root root 4441 Dec 12 21:40 error_log
-rw-r--r-- 1 root root  506 Dec 12 21:42 website1_access.log
-rw-r--r-- 1 root root  506 Dec 12 21:43 website2_access.log
-rw-r--r-- 1 root root  570 Dec 12 21:44 website3_access.log
[root@centos8 ~]#

[root@centos8 ~]#curl 192.168.32.8:8001
This is NO.1 website!
[root@centos8 ~]#curl 192.168.32.8:8002
This is NO.2 website!
[root@centos8 ~]#curl 192.168.32.8:8003
This is NO.3 website!
[root@centos8 ~]#

Users cannot be expected to type a port number every time, so port-based virtual hosts are better suited to internal staff.

Example: IP-based virtual hosts

[root@centos8 ~]#ip a a 192.168.32.18/24 dev eth0 
[root@centos8 ~]#ip a a 192.168.32.28/24 dev eth0 
[root@centos8 ~]#ip a a 192.168.32.38/24 dev eth0 
[root@centos8 ~]#ip a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:a5:39:58 brd ff:ff:ff:ff:ff:ff
    inet 192.168.32.8/24 brd 192.168.32.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet 192.168.32.18/24 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet 192.168.32.28/24 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet 192.168.32.38/24 scope global secondary eth0
       valid_lft forever preferred_lft forever
[root@centos8 ~]#

[root@centos8 ~]#vim /etc/httpd/conf.d/test.conf 

[root@centos8 ~]#cat /etc/httpd/conf.d/test.conf
<virtualhost 192.168.32.18:80>      # bind each virtual host to its own address
ServerName www.aaa.com
documentroot /data/website1/
CustomLog logs/website1_access.log combined
<directory /data/website1>
require all granted
</directory>

</virtualhost>
<virtualhost 192.168.32.28:80>
ServerName www.bbb.com
documentroot /data/website2/
CustomLog logs/website2_access.log combined
<directory /data/website2>
require all granted
</directory>
</virtualhost>

<virtualhost 192.168.32.38:80>
ServerName www.ccc.com
documentroot /data/website3/
CustomLog logs/website3_access.log combined
<directory /data/website3>
require all granted
</directory>
</virtualhost>


[root@centos8 ~]#systemctl reload httpd

[root@centos8 ~]#curl 192.168.32.18
This is NO.1 website!
[root@centos8 ~]#curl 192.168.32.28
This is NO.2 website!
[root@centos8 ~]#curl 192.168.32.38
This is NO.3 website!


Example: FQDN-based virtual hosts

Here a host in the same subnet, 192.168.32.7, is used to access host centos8.
Configure the corresponding /etc/hosts entries on host 192.168.32.7

[root@centos7 ~]#vim /etc/hosts
[root@centos7 ~]#cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.32.18 www.aaa.com
192.168.32.28 www.bbb.com
192.168.32.38 www.ccc.com

[root@centos7 ~]#curl 192.168.32.8
This is a HTTPD(apache) test for kaivi

[root@centos7 ~]#curl www.aaa.com
This is NO.1 website!
[root@centos7 ~]#curl www.bbb.com
This is NO.2 website!
[root@centos7 ~]#curl www.ccc.com
This is NO.3 website!
[root@centos7 ~]#


As you can see, access works, but it is unrealistic for every site to have its own dedicated IP. Instead, use the same IP and distinguish the sites by DNS name, using the host header in the request: each domain typed into a browser produces a Host key/value pair, the host header differs per site, and the host header is what tells them apart.

[root@centos8 ~]#vim /etc/httpd/conf.d/test.conf 

[root@centos8 ~]#cat /etc/httpd/conf.d/test.conf
<virtualhost *:80>
ServerName www.aaa.com            # the host header to match
documentroot /data/website1/
CustomLog logs/website1_access.log combined
<directory /data/website1>
require all granted
</directory>

</virtualhost>
<virtualhost *:80>
ServerName www.bbb.com
documentroot /data/website2/
CustomLog logs/website2_access.log combined
<directory /data/website2>
require all granted
</directory>
</virtualhost>

<virtualhost *:80>
ServerName www.ccc.com
documentroot /data/website3/
CustomLog logs/website3_access.log combined
<directory /data/website3>
require all granted
</directory>
</virtualhost>

[root@centos8 ~]#systemctl reload httpd

Verify on centos7 (192.168.32.7)
[root@centos7 ~]#curl www.aaa.com
This is NO.1 website!
[root@centos7 ~]#curl www.bbb.com
This is NO.2 website!
[root@centos7 ~]#curl www.ccc.com
This is NO.3 website!
[root@centos7 ~]#
# verify with the telnet command
[root@centos7 ~]#telnet 192.168.32.8 80
Trying 192.168.32.8...
Connected to 192.168.32.8.
Escape character is '^]'.
GET / HTTP/1.1
HOST: www.aaa.com    

HTTP/1.1 200 OK
Date: Fri, 13 Dec 2019 01:39:38 GMT
Server: Apache/2.4.37 (centos)
Last-Modified: Fri, 13 Dec 2019 01:25:50 GMT
ETag: "16-5998bbdffe7d0"
Accept-Ranges: bytes
Content-Length: 22
Content-Type: text/html; charset=UTF-8

This is NO.1 website!  # content of the matching site

Connection closed by foreign host.

[root@centos7 ~]#telnet 192.168.32.8 80
Trying 192.168.32.8...
Connected to 192.168.32.8.
Escape character is '^]'.
GET / HTTP/1.1
HOST: www.bbb.com

HTTP/1.1 200 OK
Date: Fri, 13 Dec 2019 01:40:21 GMT
Server: Apache/2.4.37 (centos)
Last-Modified: Fri, 13 Dec 2019 01:25:59 GMT
ETag: "16-5998bbe80f2f7"
Accept-Ranges: bytes
Content-Length: 22
Content-Type: text/html; charset=UTF-8

This is NO.2 website!         # content of the matching site
Connection closed by foreign host.

[root@centos7 ~]#telnet 192.168.32.8 80
Trying 192.168.32.8...
Connected to 192.168.32.8.
Escape character is '^]'.
GET / HTTP/1.1
HOST: www.ccc.com

HTTP/1.1 200 OK
Date: Fri, 13 Dec 2019 01:40:39 GMT
Server: Apache/2.4.37 (centos)
Last-Modified: Fri, 13 Dec 2019 01:26:07 GMT
ETag: "16-5998bbf030ba7"
Accept-Ranges: bytes
Content-Length: 22
Content-Type: text/html; charset=UTF-8

This is NO.3 website!           # content of the matching site
Connection closed by foreign host.
[root@centos7 ~]#

Note:
Pages under any directory can be accessed only when explicitly authorized
The three kinds of virtual host can be mixed

Compression

Compression overview

Use the mod_deflate module to compress pages and speed up transfer

LoadModule deflate_module modules/mod_deflate.so SetOutputFilter

Applicable scenarios:
(1) saves bandwidth at the cost of extra CPU; some older browsers may not support it
(2) compress only resources that compress well, e.g. text files

Confirm that the compression module is loaded:

[root@centos8 ~]#httpd -M |grep deflate
 deflate_module (shared)
[root@centos8 ~]#
A build compiled from source may lack it, so check; if the module is listed, compression is supported.

Compression directives

# optional
SetOutputFilter DEFLATE

# Which MIME types to compress; this must be specified
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css

# Compression level (highest 9, lowest 1); gzip by default; the default level is decided by the zlib library
DeflateCompressionLevel 9
# Exclude specific old browser versions that do not support compression
# Netscape 4.x: compress only text/html
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08: no compression
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# Internet Explorer identifies itself as "Mozilla/4" but can actually handle compressed responses.
# If the User-Agent header matches the string "MSIE" ("\b" is a word boundary), lift the restrictions defined above
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

Compression comparison experiment

[root@centos8 ~]#vim /etc/httpd/conf.d/test.conf

[root@centos8 ~]#cat /etc/httpd/conf.d/test.conf 
<virtualhost *:80>
        documentroot /data/website1/
        servername www.aaa.com
        <directory /data/website1/>
                require all granted
        </directory>
                CustomLog "logs/a_access_log" combined
                AddOutputFilterByType DEFLATE text/plain     # enable compression
                AddOutputFilterByType DEFLATE text/html      # enable compression
                DeflateCompressionLevel 9                    # compression level
</virtualhost>

<virtualhost *:80>
        documentroot /data/website2/
        servername www.bbb.com
        <directory /data/website2/>
                require all granted
        </directory>
                CustomLog "logs/a_access_log" combined
                #AddOutputFilterByType DEFLATE text/plain    # commented out for comparison
                #AddOutputFilterByType DEFLATE text/html     # commented out for comparison
                #DeflateCompressionLevel 9                   # commented out for comparison
</virtualhost>

[root@centos8 ~]#vim /etc/hosts

[root@centos8 ~]#cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6


192.168.32.8 www.aaa.com  www.bbb.com      # added name resolution

[root@centos8 ~]#
[root@centos8 ~]#cp blog.txt /data/website1/blog_test1.html  # copy a test file into the site
[root@centos8 ~]#cp blog.txt /data/website2/blog_test2.html
[root@centos8 ~]#cd /data/website1
[root@centos8 website1]#ll
total 20
-rw-r--r-- 1 root root 15422 Dec 13 10:14 blog_test1.html   # note the size: 15422
-rw-r--r-- 1 root root    22 Dec 13 09:25 index.html
[root@centos8 website1]#cd /data/website2
[root@centos8 website2]#ll
total 20
-rw-r--r-- 1 root root 15422 Dec 13 10:14 blog_test2.html   # note the size: 15422
-rw-r--r-- 1 root root    22 Dec 13 09:25 index.html

If the file mode is not 644, grant the corresponding permission:
chmod 644 blog_testX.html
[root@centos8 website2]#cd
[root@centos8 ~]#systemctl restart httpd

[root@centos8 ~]#curl www.aaa.com
This is NO.1 website!
[root@centos8 ~]#curl www.bbb.com
This is NO.2 website!

[root@centos8 ~]#curl -I --compressed www.aaa.com/blog_test1.html  # curl does not request compression by default; add --compressed
HTTP/1.1 200 OK
Date: Fri, 13 Dec 2019 02:22:29 GMT
Server: Apache/2.4.37 (centos)
Last-Modified: Fri, 13 Dec 2019 02:14:32 GMT
ETag: "3c3e-5998c6c2c195b-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip     # compressed with gzip
Content-Length: 2155       # size after compression
Content-Type: text/html; charset=UTF-8

[root@centos8 ~]#curl -I --compressed www.bbb.com/blog_test2.html
HTTP/1.1 200 OK
Date: Fri, 13 Dec 2019 02:22:45 GMT
Server: Apache/2.4.37 (centos)
Last-Modified: Fri, 13 Dec 2019 02:14:45 GMT
ETag: "3c3e-5998c6ce8741a"
Accept-Ranges: bytes         
Content-Length: 15422       # uncompressed size; compression for website2 is commented out in the config
Content-Type: text/html; charset=UTF-8

The comparison shows that only website1 is compressed.

Implementing HTTPS (port 443)

(1) The client sends the cipher suites it supports and requests the server's certificate
(2) The server sends its certificate and the chosen cipher suite to the client
(3) The client receives the certificate and validates it; if it trusts the CA that issued the certificate, it:

    (a) verifies the legitimacy of the certificate's origin: decrypts the digital signature on the certificate with the CA's public key
    (b) verifies the legitimacy of the certificate's content: integrity check
    (c) checks the certificate's validity period
    (d) checks whether the certificate has been revoked
    (e) checks that the owner name in the certificate matches the host being accessed

(4) The client generates a temporary session key (a symmetric key), encrypts it with the server's public key and sends it to the server, completing the key exchange
(5) The server encrypts the requested resource with this key and returns it to the client

Note: SSL is implemented on the basis of the IP address; an httpd host with a single IP can run only one https virtual host

Install the mod_ssl package

[root@centos8 ~]#yum install mod_ssl
Last metadata expiration check: 1:14:34 ago on Fri 13 Dec 2019 09:38:41 AM CST.
Dependencies resolved.
===================================================================================================================
 Package            Arch              Version                                             Repository          Size
===================================================================================================================
Installing:
 mod_ssl            x86_64            1:2.4.37-12.module_el8.0.0+185+5908b0db             centos8            130 k
Installing dependencies:
 sscg               x86_64            2.3.3-6.el8                                         centos8             43 k

Transaction Summary
===================================================================================================================
Install  2 Packages

Total download size: 173 k
Installed size: 351 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): sscg-2.3.3-6.el8.x86_64.rpm                                                  36 kB/s |  43 kB     00:01    
(2/2): mod_ssl-2.4.37-12.module_el8.0.0+185+5908b0db.x86_64.rpm                    105 kB/s | 130 kB     00:01    
-------------------------------------------------------------------------------------------------------------------
Total                                                                              139 kB/s | 173 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                           1/1 
  Installing       : sscg-2.3.3-6.el8.x86_64                                                                   1/2 
  Installing       : mod_ssl-1:2.4.37-12.module_el8.0.0+185+5908b0db.x86_64                                    2/2 
  Running scriptlet: mod_ssl-1:2.4.37-12.module_el8.0.0+185+5908b0db.x86_64                                    2/2 
  Verifying        : mod_ssl-1:2.4.37-12.module_el8.0.0+185+5908b0db.x86_64                                    1/2 
  Verifying        : sscg-2.3.3-6.el8.x86_64                                                                   2/2 

Installed:
  mod_ssl-1:2.4.37-12.module_el8.0.0+185+5908b0db.x86_64                  sscg-2.3.3-6.el8.x86_64                 

Complete!
[root@centos8 ~]#cd /etc/httpd/conf.d/
[root@centos8 conf.d]#ll
total 32
-rw-r--r-- 1 root root 2926 Oct  8 05:42 autoindex.conf
-rw-r--r-- 1 root root  400 Oct  8 05:44 README
-rw-r--r-- 1 root root 8720 Oct  8 05:40 ssl.conf
-rw-r--r-- 1 root root  621 Dec 13 10:26 test.conf
-rw-r--r-- 1 root root 1252 Oct  8 05:40 userdir.conf
-rw-r--r-- 1 root root  516 Oct  8 05:40 welcome.conf
[root@centos8 conf.d]#
[root@centos8 conf.d]#cd
[root@centos8 ~]#
[root@centos8 ~]#systemctl restart httpd
[root@centos8 ~]#
[root@centos8 ~]#ss -ntl          # check whether https port 443 is open
State         Recv-Q         Send-Q                  Local Address:Port                  Peer Address:Port         
LISTEN        0              128                           0.0.0.0:22                         0.0.0.0:*            
LISTEN        0              128                           0.0.0.0:443                        0.0.0.0:*            
LISTEN        0              128                           0.0.0.0:80                         0.0.0.0:*            
LISTEN        0              128                              [::]:22                            [::]:*            
[root@centos8 ~]#curl -kv https://192.168.32.8
* Rebuilt URL to: https://192.168.32.8/
*   Trying 192.168.32.8...
* TCP_NODELAY set
* Connected to 192.168.32.8 (192.168.32.8) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:

...... (part omitted)
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; O=Unspecified; CN=centos8; emailAddress=root@centos8
*  start date: Dec 13 02:54:19 2019 GMT
os8
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/1.1
> Host: 192.168.32.8
> User-Agent: curl/7.61.1
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 200 OK
< Date: Fri, 13 Dec 2019 02:55:07 GMT
< Server: Apache/2.4.37 (centos) OpenSSL/1.1.1
< Last-Modified: Fri, 13 Dec 2019 01:26:34 GMT
< ETag: "27-5998bc0a040e5"
< Accept-Ranges: bytes
< Content-Length: 39
< Content-Type: text/html; charset=UTF-8
< 
This is a HTTPD(apache) test for kaivi
* Connection #0 to host 192.168.32.8 left intact
[root@centos8 ~]#

The https service is installed; verify it in a browser at https://192.168.32.8
It is reachable, but there is no certificate from a trusted CA, so the browser shows the warning described above.

Creating your own certificate and configuring https
Below, building on the previous experiment, we use a CA file we create ourselves.
On CentOS 8, /etc/pki/tls/certs/Makefile is no longer present; that Makefile lets us generate our own CA directly, so we copy it from centos7 (192.168.32.7) to centos8 (192.168.32.8).

[root@centos7 ~]#cd /etc/pki/tls/certs/
[root@centos7 certs]#ll
total 12
lrwxrwxrwx. 1 root root   49 Dec  5 21:43 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55 Dec  5 21:43 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root  610 Oct 31  2018 make-dummy-cert
-rw-r--r--. 1 root root 2516 Oct 31  2018 Makefile              # Makefile for creating your own CA
-rwxr-xr-x. 1 root root  829 Oct 31  2018 renew-dummy-cert
[root@centos7 certs]#scp Makefile 192.168.32.8:/etc/pki/tls/certs/
The authenticity of host 192.168.32.8 (192.168.32.8)' can't be established.
ECDSA key fingerprint is SHA256:ofG5ch7HSw0hxj2Ef76oh4WuOnpubsABj0/YiNrGqYw.
ECDSA key fingerprint is MD5:cc:68:4d:5c:63:31:d1:62:2b:f9:d4:b5:fc:5e:1d:7c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.32.8' (ECDSA) to the list of known hosts.
root@192.168.32.8's password: 
Makefile                                                                         100% 2516     1.2MB/s   00:00    

Then create the CA on centos8 (192.168.32.8)

[root@centos8 ~]#cd /etc/pki/tls/certs/
[root@centos8 certs]#ll
total 4
lrwxrwxrwx. 1 root root   49 May 11  2019 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55 May 11  2019 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r--  1 root root 3737 Dec 13 11:32 localhost.crt  # certificate generated automatically when httpd restarted after installing mod_ssl
-rw-r--r--  1 root root 2516 Dec 13 11:30 Makefile

Using the Makefile as-is prompts for a passphrase to encrypt the key; for this experiment we remove that first:

[root@centos8 certs]#vim Makefile 

%.key:
        umask 77 ; \
     #  /usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@  # just drop the -aes128 encryption option
        /usr/bin/openssl genrsa  $(KEYLEN) > $@

Create the CA

[root@centos8 certs]#make magedu.org.crt
umask 77 ; \
/usr/bin/openssl genrsa  2048 > magedu.org.key         # the generated key
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
..................+++++
e is 65537 (0x010001)
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key magedu.org.key -x509 -days 365 -out magedu.org.crt 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                   # CN
State or Province Name (full name) []:beijing           # beijing
Locality Name (eg, city) [Default City]:beijing            # beijing
Organization Name (eg, company) [Default Company Ltd]:magedu      # organization name magedu
Organizational Unit Name (eg, section) []:M39           # department name; M39 is the class name
Common Name (eg, your name or your server's hostname) []:likai.tech       # CA domain name
Email Address []:
[root@centos8 certs]#ll
total 16
lrwxrwxrwx. 1 root root   49 May 11  2019 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55 May 11  2019 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-------  1 root root 1334 Dec 13 11:33 magedu.org.crt         # generated CA
-rw-------  1 root root 1679 Dec 13 11:33 magedu.org.key         # generated key
-rw-r--r--  1 root root 2509 Dec 13 11:32 Makefile

View the self-created CA

[root@centos8 certs]#openssl x509 -in magedu.org.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5a:e1:f3:b4:97:69:8b:02:dd:9b:32:5d:4e:ea:ee:61:16:15:12:6f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = beijing, L = beijing, O = magedu, OU = M39, CN = likai.tech
        Validity
            Not Before: Dec 13 03:33:52 2019 GMT
            Not After : Dec 12 03:33:52 2020 GMT
        Subject: C = CN, ST = beijing, L = beijing, O = magedu, OU = M39, CN = likai.tech
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
...... (part omitted)
     25:ba:24:ce:84:91:e7:c0:bb:24:55:7f:2b:e1:67:84:e2:e2:
         1e:1a:f9:14:4f:35:d7:e8:f3:77:34:08:9e:94:a4:f5:2b:ee:
         cb:92:72:6e:6f:4d:93:a1:93:52:73:fa:1f:0e:bd:17:42:e6:
         81:da:5d:6c:80:a9:51:62:03:dc:7f:07:7e:9e:00:65:3e:b7:
         ab:4f:81:8d:79:aa:df:b3:38:05:17:e6:a6:7b:13:c3:fa:7b:
         6f:88:30:ea

Move the generated CA to the configuration directory

[root@centos8 certs]#pwd
/etc/pki/tls/certs
[root@centos8 ~]#mkdir /etc/httpd/conf.d/ssl

[root@centos8 certs]#mv magedu.org.* /etc/httpd/conf.d/ssl

[root@centos8 certs]#ls /etc/httpd/conf.d/ssl/
magedu.org.crt  magedu.org.key

Edit the corresponding CA configuration file

[root@centos8 certs]#rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.modules.d/00-ssl.conf
/usr/lib/.build-id
/usr/lib/.build-id/70/221b67fd81b65321f5220d22dcb99c36d3841c
/usr/lib/systemd/system/httpd-init.service
/usr/lib/systemd/system/httpd.socket.d/10-listen443.conf
/usr/lib64/httpd/modules/mod_ssl.so
/usr/libexec/httpd-ssl-gencerts
/usr/libexec/httpd-ssl-pass-dialog
/usr/share/man/man8/httpd-init.service.8.gz
/var/cache/httpd/ssl

[root@centos8 certs]#cd
[root@centos8 ~]#vim /etc/httpd/conf.d/ssl.conf

[root@centos8 ~]#cat /etc/httpd/conf.d/ssl.conf |grep -Ev "^#|^$"
Listen 443 https          # port
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLCryptoDevice builtin
<VirtualHost _default_:443>      # built-in virtual host
ErrorLog logs/ssl_error_log       # built-in error log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile /etc/httpd/conf.d/ssl/magedu.org.crt      # default cert was /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/magedu.org.key   # default key was /etc/pki/tls/private/localhost.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
[root@centos8 ~]#
[root@centos8 ~]#systemctl restart httpd
[root@centos8 ~]#ss -ntl        # check whether port 443 is open; if it is, the https service is up
State         Recv-Q         Send-Q                  Local Address:Port                  Peer Address:Port         
LISTEN        0              128                           0.0.0.0:22                         0.0.0.0:*            
LISTEN        0              128                           0.0.0.0:443                        0.0.0.0:*            
LISTEN        0              128                           0.0.0.0:80                         0.0.0.0:*            
LISTEN        0              128                              [::]:22                            [::]:*    

[root@centos8 ~]#curl -k https://127.0.0.1
This is a HTTPD(apache) test for kaivi

[root@centos8 ~]#curl -kv https://127.0.0.1 443
* Rebuilt URL to: https://127.0.0.1/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=CN; ST=beijing; L=beijing; O=magedu; OU=M39; CN=likai.tech   # self-signed certificate details
*  start date: Dec 13 03:33:52 2019 GMT
*  expire date: Dec 12 03:33:52 2020 GMT
*  issuer: C=CN; ST=beijing; L=beijing; O=magedu; OU=M39; CN=likai.tech    
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.61.1
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 200 OK
< Date: Fri, 13 Dec 2019 04:21:40 GMT
< Server: Apache/2.4.37 (centos) OpenSSL/1.1.1
< Last-Modified: Wed, 11 Dec 2019 06:59:00 GMT
< ETag: "27-5996829d3b0b9"
< Accept-Ranges: bytes
< Content-Length: 39
< Content-Type: text/html; charset=UTF-8
< 
This is a HTTPD(apache) test for kaivi          # the content is reachable
* Connection #0 to host 127.0.0.1 left intact

Open the page in a browser
Because the certificate is self-signed, the browser does not trust the site, but the CA certificate setup has succeeded.
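Two of the client-side checks listed in the handshake description above (validity period, and owner name matching the host being accessed) explain the browser warning: the Makefile-generated certificate names likai.tech, not 192.168.32.8. The script below is an added example, not part of the original post; it applies those two checks to the text form printed by `openssl x509 -noout -text`, using a sample trimmed from the dump above and a constructed variant with a Subject Alternative Name.

```shell
#!/bin/sh
# Hypothetical certificate checks (added example, not from the original post).
# Both samples are constructed: POST_CERT is cut down from the magedu.org.crt
# dump in the post (Subject CN only, no SAN); SAN_CERT adds a Subject
# Alternative Name that also covers the lab server's IP address.

# Turn openssl's "Mon DD HH:MM:SS YYYY GMT" into YYYYMMDDHHMMSS for comparison.
to_sortable() {
    printf '%s\n' "$1" | awk '{
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        split($3, t, ":")
        printf "%04d%02d%02d%02d%02d%02d\n", $4, m, $2, t[1], t[2], t[3]
    }'
}

# Value of the "Not Before" / "Not After" line (note the space before the colon).
validity_field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2 *: *//p"
}

# 0 when date $2 (openssl format) lies inside the validity window of cert $1.
cert_valid_at() {
    now=$(to_sortable "$2")
    nb=$(to_sortable "$(validity_field "$1" 'Not Before')")
    na=$(to_sortable "$(validity_field "$1" 'Not After')")
    awk -v a="$now" -v b="$nb" -v c="$na" 'BEGIN { exit !(a >= b && a <= c) }'
}

# Names the certificate claims: SAN DNS/IP entries, or the Subject CN when
# there is no SAN at all (as with the Makefile-generated cert in the post).
cert_names() {
    names=$(printf '%s\n' "$1" \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' \
        | sed -n -e 's/^ *DNS://p' -e 's/^ *IP Address://p')
    [ -n "$names" ] || names=$(printf '%s\n' "$1" \
        | sed -n 's/^ *Subject:.*CN = \([^,]*\).*/\1/p')
    printf '%s\n' "$names"
}

# 0 when host $2 matches one of cert $1's names; "*." matches exactly one label.
cert_matches_host() {
    cert_names "$1" | awk -v h="$2" '
        $0 == h { found = 1 }
        substr($0, 1, 2) == "*." && index(h, ".") > 0 &&
            substr(h, index(h, ".") + 1) == substr($0, 3) { found = 1 }
        END { exit !found }'
}

# Constructed sample 1: the post's self-signed cert, trimmed to the lines used.
POST_CERT='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C = CN, ST = beijing, L = beijing, O = magedu, OU = M39, CN = likai.tech
        Validity
            Not Before: Dec 13 03:33:52 2019 GMT
            Not After : Dec 12 03:33:52 2020 GMT
        Subject: C = CN, ST = beijing, L = beijing, O = magedu, OU = M39, CN = likai.tech'

# Constructed sample 2: the same cert with a SAN covering the lab IP as well.
SAN_CERT="$POST_CERT
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:likai.tech, DNS:*.magedu.org, IP Address:192.168.32.8"

cert_matches_host "$POST_CERT" 192.168.32.8 || echo "CN-only cert does not cover 192.168.32.8"
cert_matches_host "$SAN_CERT" 192.168.32.8 && echo "SAN cert covers 192.168.32.8"
cert_valid_at "$POST_CERT" "Jun  1 00:00:00 2020 GMT" && echo "valid on 2020-06-01"
```

Run it against a live certificate with `cert_matches_host "$(openssl x509 -in magedu.org.crt -noout -text)" 192.168.32.8`.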

Multiple https virtual host sites: Apache cannot support this; nginx can.

URL redirection

URL redirection, i.e. forwarding the URL requested from httpd to another URL
Redirect directive

Redirect [status] URL-path URL

status values:
permanent: returns the permanent redirect status code 301

temp: returns the temporary redirect status code 302; this is the default
范例:

Redirect temp / https://www.magedu.com/   # / means the root

Experiment:
Change the default page content; this is what is served over plain, unencrypted HTTP

[root@centos8 ~]#echo "HTTP 这是一个不加密的网址" > /var/www/html/index.html 

Create a new directory /data/html to hold the content served over the encrypted site

[root@centos8 ~]#mkdir /data/html

[root@centos8 ~]#echo "HTTPS 这是一个加密的网址" > /data/html/index.html

[root@centos8 ~]#vim /etc/httpd/conf.d/ssl.conf  # change the document root of the encrypted site and authorize it
#DocumentRoot "/var/www/html"   # default path, commented out
DocumentRoot "/data/html"       # new path
<directory /data/html>          # grant access to the directory
require all granted
</directory>

#ServerName www.example.com:443

[root@centos8 ~]#ss -ntl
State         Recv-Q         Send-Q                  Local Address:Port                  Peer Address:Port         
LISTEN        0              128                           0.0.0.0:22                         0.0.0.0:*            
LISTEN        0              128                           0.0.0.0:443                        0.0.0.0:*            
LISTEN        0              128                           0.0.0.0:80                         0.0.0.0:*            
LISTEN        0              128                              [::]:22                            [::]:*            

[root@centos8 ~]#systemctl restart httpd

Compare the two pages:
Two different sites. In practice these two virtual hosts should serve the same page, so a redirect is needed
to send one URL to the other

[root@centos8 ~]#vim /etc/httpd/conf.d/test.conf

[root@centos8 ~]#cat /etc/httpd/conf.d/test.conf 

Redirect temp / https://192.168.32.8/    # redirect target: / (the root) is sent to https://192.168.32.8/

[root@centos8 ~]#systemctl restart httpd

Access from centos7 (192.168.32.7):

[root@centos7 ~]#curl -I -k https://192.168.32.8   # access https directly
HTTP/1.1 302 Found
Date: Fri, 13 Dec 2019 05:41:48 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1
Location: https://192.168.32.8/
Content-Type: text/html; charset=iso-8859-1

[root@centos7 ~]#curl -I -k http://192.168.32.8   # redirected access
HTTP/1.1 302 Found         # status 302 means a temporary redirect; with permanent in the config this would be 301
Date: Fri, 13 Dec 2019 05:39:22 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1
Location: https://192.168.32.8/         # the redirect target
Content-Type: text/html; charset=iso-8859-1

[root@centos7 ~]#

If you open it in a browser, since no condition restricts the redirect, it keeps redirecting and the browser reports that there were too many redirects. This can be solved with the HSTS technique below.

Implementing HSTS

HSTS: HTTP Strict Transport Security. Once the server is configured to support HSTS, it carries an HSTS field in the HTTP headers it returns to the browser. After the browser has obtained this information, it internally turns every HTTP request into a 307 redirect to HTTPS, without any network round trip, which gives better security.
HSTS preload list: the HSTS preload list built into the Chrome browser; sites on the list are switched to HTTPS automatically when visited with Chrome. Firefox, Safari and Edge also use this list.
Example:

vim /etc/httpd/conf/httpd.conf
Header always set Strict-Transport-Security "max-age=31536000"
# removes the risk of the initial redirect hop: the browser performs the switch itself; the value is in seconds, here one year
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302]
[root@centos8 ~]#vim /etc/httpd/conf.d/test.conf

[root@centos8 ~]#cat /etc/httpd/conf.d/test.conf

#Redirect temp / https://192.168.32.8/    # comment out the earlier Redirect
Header always set Strict-Transport-Security "max-age=31536000"
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302] # $1 is a back-reference to the captured path

[root@centos8 ~]#
[root@centos8 ~]#systemctl restart httpd
[root@centos8 ~]#

Access from centos7 (192.168.32.7):

[root@centos7 ~]#curl -I -k http://192.168.32.8
HTTP/1.1 302 Found
Date: Fri, 13 Dec 2019 05:52:34 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1
Location: https://192.168.32.8/
Content-Type: text/html; charset=iso-8859-1

[root@centos7 ~]#

Viewed in a browser:
Accessing 192.168.32.8 directly is redirected to https://192.168.32.8
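A small checker, added here as an example in Python (not the page's own code), for the two behaviours above: it follows Location headers over constructed responses modelled on the curl -I output and flags the redirect loop the browser ran into, and it reports why a Strict-Transport-Security header would not protect users (for instance when it is sent only over plain HTTP, where browsers ignore it). The response tables are constructed, not captured from the host.

```python
import re
from urllib.parse import urlsplit

# Constructed responses modelled on the curl -I output above (not captured
# from 192.168.32.8). Each URL maps to (status, headers).
LOOPING = {  # test.conf with an unconditional "Redirect temp / https://192.168.32.8/"
    "http://192.168.32.8/":  (302, {"Location": "https://192.168.32.8/"}),
    "https://192.168.32.8/": (302, {"Location": "https://192.168.32.8/"}),
}
FIXED = {    # redirect only on the plain-HTTP side, HSTS sent by the HTTPS side
    "http://192.168.32.8/":  (302, {"Location": "https://192.168.32.8/"}),
    "https://192.168.32.8/": (200, {"Strict-Transport-Security": "max-age=31536000"}),
}

def follow(responses, url, max_hops=5):
    """Follow Location headers the way a browser does; return (hops, looped)."""
    hops = [url]
    while True:
        status, headers = responses[url]
        if status not in (301, 302, 307, 308):
            return hops, False
        url = headers["Location"]
        if url in hops or len(hops) >= max_hops:   # same URL again = redirect loop
            return hops + [url], True
        hops.append(url)

def hsts_issues(url, headers, min_age=31536000):
    """List the reasons a Strict-Transport-Security header would not protect users."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return ["header missing"]
    issues = []
    if urlsplit(url).scheme != "https":
        issues.append("sent over plain HTTP, browsers ignore it (RFC 6797)")
    m = re.search(r"max-age=(\d+)", value)
    if m is None:
        issues.append("max-age missing")
    elif int(m.group(1)) < min_age:
        issues.append("max-age below one year")
    if "includesubdomains" not in value.lower():
        issues.append("includeSubDomains not set")
    return issues
```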

Forward proxy and reverse proxy

Enabling a reverse proxy

ProxyPass "/" "http://www.example.com/"
ProxyPassReverse "/" "http://www.example.com/"

Reverse proxy for a specific URL

ProxyPass "/images" "http://www.example.com/"
ProxyPassReverse "/images" "http://www.example.com/"

Although apache has a reverse proxy feature, almost nobody uses it for that; the feature does exist and dispatches requests to another server.

Sendfile mechanism

Traditional network transfer without sendfile: read(file, tmp_buf, len) then write(socket, tmp_buf, len); disk >>
kernel buffer >> user buffer >> kernel socket buffer >> protocol stack
A typical network application completes a transfer by reading data from disk and writing it to a socket. Underneath, this runs as:
1 The read() system call causes a context switch from user mode to kernel mode, then DMA copies the file data from disk into a kernel buffer.
2 The data is copied from the kernel buffer to the user buffer, then read() returns, causing another context switch from kernel mode to user mode.
3 The write() system call causes a context switch from user mode to kernel mode, then the data read into the user buffer in step 2 is copied into a kernel buffer (the second copy into a kernel buffer); this time it is a different kernel buffer, one associated with the socket.
4 write() returns, causing a context switch from kernel mode to user mode (the fourth switch), then DMA copies the data from the kernel buffer to the protocol stack (the fourth copy).
The four steps above involve four context switches and four copies; reducing the number of switches and copies improves performance noticeably.

Sendfile mechanism
In kernel 2.0+ the sendfile() system call simplifies the steps above to improve performance. sendfile() reduces both the number of switches and the number of copies. The transfer process with sendfile(): sendfile(socket, file, len); disk >> kernel buffer (fast copy to the kernel socket buffer) >> protocol stack
1 The sendfile() system call uses DMA to copy the disk data into a kernel buffer, then the kernel copies the data directly into another kernel buffer associated with the socket. There is no switch between user mode and kernel mode; the copy from one buffer to the other is completed inside the kernel.
2 DMA copies the data from the kernel buffer straight to the protocol stack; there is no switch and no copy from user mode to kernel mode, because the data is already in the kernel.

Check the sendfile setting on centos8

[root@centos8 ~]#cat /etc/httpd/conf/httpd.conf |grep "EnableSendfile"
# EnableMMAP and EnableSendfile: On systems that support it, 
# Defaults if commented: EnableMMAP On, EnableSendfile Off
EnableSendfile on           # enabled by default
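To make the difference concrete, an added Python example (not from the page): it copies a constructed file once with a read()/write() loop and once with os.sendfile(), counting the system calls each path needs. It assumes Linux, where sendfile accepts a regular file as the output descriptor.

```python
import os
import tempfile

def copy_read_write(in_fd, out_fd, bufsize=4096):
    """Traditional path: every chunk crosses into user space and back (read + write)."""
    total, syscalls = 0, 0
    while True:
        chunk = os.read(in_fd, bufsize)      # kernel buffer -> user buffer
        syscalls += 1
        if not chunk:
            return total, syscalls
        os.write(out_fd, chunk)              # user buffer -> kernel (socket/file) buffer
        syscalls += 1
        total += len(chunk)

def copy_sendfile(in_fd, out_fd, bufsize=65536):
    """sendfile(2) path: data moves kernel buffer -> kernel buffer, no user-space copy.
    Assumes Linux, where out_fd may be a socket or a regular file."""
    total, syscalls, offset = 0, 0, 0
    while True:
        sent = os.sendfile(out_fd, in_fd, offset, bufsize)
        syscalls += 1
        if sent == 0:                        # EOF reached
            return total, syscalls
        offset += sent
        total += sent

def demo(payload=b"HTTPS page body\n" * 2000):
    """Copy a constructed 32000-byte file both ways.
    Returns ([(bytes, syscalls) per path], True if both outputs equal the input)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "index.html")
        with open(src, "wb") as f:
            f.write(payload)
        results, outputs = [], []
        for copier in (copy_read_write, copy_sendfile):
            in_fd = os.open(src, os.O_RDONLY)
            out_path = os.path.join(d, copier.__name__)
            out_fd = os.open(out_path, os.O_WRONLY | os.O_CREAT, 0o600)
            try:
                results.append(copier(in_fd, out_fd))
            finally:
                os.close(in_fd)
                os.close(out_fd)
            with open(out_path, "rb") as f:
                outputs.append(f.read())
        return results, outputs[0] == outputs[1] == payload
```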

httpd: configuring basic authentication

Method one:

[root@centos8 ~]#vim /etc/httpd/conf.d/test.conf

[root@centos8 ~]#cat /etc/httpd/conf.d/test.conf
<directory /var/www/html/admin/>
	authtype basic
	AuthName "admin test for kaivi"
	AuthUserFile "/etc/httpd/conf.d/.httpuser"    # file holding the permitted accounts
	Require user kaivi duanxin                    # the permitted accounts
</directory>

[root@centos8 ~]#mkdir -pv /var/www/html/admin      # create a new directory
mkdir: created directory '/var/www/html/admin'
[root@centos8 ~]#
[root@centos8 ~]#echo '<h1> admin tset for kaivi !</h1>' > /var/www/html/admin/index.html
[root@centos8 ~]#
[root@centos8 ~]#htpasswd -c /etc/httpd/conf.d/.httpuser kaivi     # create the first user; -c creates the file
New password: 
Re-type new password: 
Adding password for user kaivi

[root@centos8 ~]#htpasswd  /etc/httpd/conf.d/.httpuser duanxin     # add another user; -c is omitted so the file is kept
New password: 
Re-type new password: 
Adding password for user duanxin

[root@centos8 ~]#cat /etc/httpd/conf.d/.httpuser   # view the user file
kaivi:$apr1$FS/FeT6f$6q46m2TLyCOl8k0Um0J12/
duanxin:$apr1$56bpeN9g$5H22EP5sbnj1CcHcZ4MeT1
[root@centos8 ~]#
[root@centos8 ~]#chmod 600 /etc/httpd/conf.d/.httpuser     # restrict permissions
[root@centos8 ~]#
[root@centos8 ~]#setfacl -m u:apache:r /etc/httpd/conf.d/.httpuser    # grant the apache user read access
[root@centos8 ~]#
[root@centos8 ~]#systemctl restart httpd

[root@centos8 ~]#ss -ntl
State         Recv-Q         Send-Q                  Local Address:Port                  Peer Address:Port         
LISTEN        0              128                           0.0.0.0:22                         0.0.0.0:*            
LISTEN        0              128                           0.0.0.0:80                         0.0.0.0:*            
LISTEN        0              128                              [::]:22                            [::]:*            

[root@centos8 ~]#curl  192.168.32.8/admin/index.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>

[root@centos8 ~]#curl -u kaivi 192.168.32.8/admin/index.html
Enter host password for user 'kaivi':               # type the password
<h1> admin tset for kaivi !</h1>


Method two

In the experiment above we configured basic authentication; below, building on it, we use another configuration style to achieve the same function.

[root@centos8 ~]#systemctl stop httpd

[root@centos8 ~]#ss -ntl
State         Recv-Q         Send-Q                  Local Address:Port                  Peer Address:Port         
LISTEN        0              128                           0.0.0.0:22                         0.0.0.0:*            
LISTEN        0              128                              [::]:22                            [::]:*            
[root@centos8 ~]#vim /etc/httpd/conf.d/test.conf

[root@centos8 ~]#cat /etc/httpd/conf.d/test.conf
<directory /var/www/html/admin/>
#	authtype basic
#	AuthName "admin test for kaivi"
#	AuthUserFile "/etc/httpd/conf.d/.httpuser"
#	Require user kaivi duanxin
	allowoverride authconfig              # allow a .htaccess file to override the authentication configuration
</directory>
[root@centos8 ~]#vim /var/www/html/admin/.htaccess

[root@centos8 ~]#cat /var/www/html/admin/.htaccess
authtype basic
AuthName "admin test for kaivi"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
Require user kaivi duanxin              # the permitted users

[root@centos8 ~]#systemctl start httpd

[root@centos8 ~]#ss -ntl
State         Recv-Q         Send-Q                  Local Address:Port                  Peer Address:Port         
LISTEN        0              128                           0.0.0.0:22                         0.0.0.0:*            
LISTEN        0              128                           0.0.0.0:80                         0.0.0.0:*            
LISTEN        0              128                              [::]:22                            [::]:*

[root@centos8 ~]#curl  192.168.32.8/admin/index.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>

[root@centos8 ~]#curl -u duanxin 192.168.32.8/admin/index.html
Enter host password for user 'duanxin':        # type the account's password
<h1> admin tset for kaivi !</h1>
[root@centos8 ~]#

Group-based access

The authentication in the previous experiment was per user; now, building on the earlier demonstration, we continue the configuration and use basic authentication with user groups.

[root@centos8 ~]#vim /etc/httpd/conf.d/.httpgroup
[root@centos8 ~]#cat /etc/httpd/conf.d/.httpgroup
group1: kaivi           # assigned to group 1
group2: duanxin

[root@centos8 ~]#chown apache. /etc/httpd/conf.d/.httpgroup
[root@centos8 ~]#
[root@centos8 ~]#ll /etc/httpd/conf.d/
total 20
-rw-r--r-- 1 root root 2926 Oct  8 05:42 autoindex.conf
-rw-r--r-- 1 root root  400 Oct  8 05:44 README
-rw-r--r-- 1 root root  197 Dec 13 14:38 test.conf
-rw-r--r-- 1 root root 1252 Oct  8 05:40 userdir.conf
-rw-r--r-- 1 root root  516 Oct  8 05:40 welcome.conf
[root@centos8 ~]#ls -al /etc/httpd/conf.d/
total 28
drwxr-xr-x  2 root   root    134 Dec 13 14:45 .
drwxr-xr-x  5 root   root    105 Dec 11 14:55 ..
-rw-r--r--  1 root   root   2926 Oct  8 05:42 autoindex.conf
-rw-r--r--  1 apache apache   30 Dec 13 14:45 .httpgroup
-rw-r-----+ 1 root   root     90 Dec 13 14:26 .httpuser
-rw-r--r--  1 root   root    400 Oct  8 05:44 README
-rw-r--r--  1 root   root    197 Dec 13 14:38 test.conf
-rw-r--r--  1 root   root   1252 Oct  8 05:40 userdir.conf
-rw-r--r--  1 root   root    516 Oct  8 05:40 welcome.conf
[root@centos8 ~]#
[root@centos8 ~]#vim /var/www/html/admin/.htaccess 

[root@centos8 ~]#cat /var/www/html/admin/.htaccess 
authtype basic
AuthName "admin test for kaivi"
AuthUserFile "/etc/httpd/conf.d/.httpuser"       # the user file
#Require user kaivi duanxin
AuthGroupFile "/etc/httpd/conf.d/.httpgroup"     # the group file; the user must be in the group and have a valid password
Require group group1      # users in group1 can access: kaivi

[root@centos8 ~]#systemctl restart httpd

[root@centos8 ~]#curl -u kaivi 192.168.32.8/admin/index.html     # access succeeds
Enter host password for user 'kaivi':
<h1> admin tset for kaivi !</h1>
[root@centos8 ~]#curl -u duanxin 192.168.32.8/admin/index.html    # access fails
Enter host password for user 'duanxin':
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
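The check httpd performs behind the 401/200 exchanges of methods one and two and of the group setup above, as an added Python example (not the page's or Apache's own code): it parses the .httpuser and .httpgroup formats shown, verifies the $apr1$ MD5-crypt digest that htpasswd writes by default, and applies the Require group rule. The salts are the page's; the passwords and Authorization headers are constructed.

```python
import base64, hashlib, secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_md5(pw: bytes, salt: str) -> str:
    """htpasswd's default $apr1$ scheme: MD5-crypt with the apr1 magic, 1000 rounds."""
    s = salt[:8].encode()
    final = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    for n in range(len(pw), 0, -16):
        ctx.update(final[:min(n, 16)])
    n = len(pw)
    while n:                                  # bit-by-bit mixing of the password length
        ctx.update(b"\0" if n & 1 else pw[:1]); n >>= 1
    final = ctx.digest()
    for i in range(1000):                     # stretching rounds
        h = hashlib.md5(pw if i & 1 else final)
        if i % 3: h.update(s)
        if i % 7: h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    out, words = "", [(final[a] << 16) | (final[b] << 8) | final[c]
                      for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))]
    for v, width in zip(words + [final[11]], (4, 4, 4, 4, 4, 2)):  # crypt-style base64, 22 chars
        for _ in range(width):
            out += ITOA64[v & 0x3F]; v >>= 6
    return f"$apr1${s.decode()}${out}"

def load_htpasswd(text):   # "user:$apr1$salt$hash" lines, as htpasswd writes .httpuser
    return dict(l.split(":", 1) for l in text.splitlines() if ":" in l)
def load_groups(text):     # "group: user1 user2" lines, the .httpgroup format
    return {g.strip(): set(m.split()) for g, m in (l.split(":", 1) for l in text.splitlines() if ":" in l)}
def basic_header(user, pw):  # the Authorization header that curl -u sends
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def authorize(auth_header, users, groups, required_group):
    """User name if the Basic credentials verify and the user is in required_group, else None."""
    scheme, _, token = auth_header.partition(" ")
    try:
        user, _, pw = base64.b64decode(token).decode().partition(":")
    except ValueError:                        # not valid base64 / UTF-8
        return None
    stored = users.get(user, "")
    if scheme.lower() != "basic" or not stored.startswith("$apr1$"):
        return None
    ok = secrets.compare_digest(apr1_md5(pw.encode(), stored.split("$")[2]), stored)
    return user if ok and user in groups.get(required_group, ()) else None
# Constructed sample files: the page's salts, but made-up passwords (the real ones are unknown)
USERS = load_htpasswd("kaivi:" + apr1_md5(b"kaivi-pass", "FS/FeT6f") + "\nduanxin:" + apr1_md5(b"duanxin-pass", "56bpeN9g"))
GROUPS = load_groups("group1: kaivi\ngroup2: duanxin")
```

$apr1$ is a 1000-round MD5 construction; for new deployments, htpasswd -B (bcrypt) is the stronger choice.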
