I. Configuring three kinds of httpd virtual hosts with access control
1. There are three kinds of virtual hosts:
- same IP, different ports
- different IPs, same port
- same IP and port, different domain names (name-based)
2. The experiment is as follows:
Type one: same IP, different ports
Step one
Prepare the html packages //(from 源码之家)
[root@yxt ~]# cd /var/www/html/
[root@yxt html]# ll
total 536
-rw-r--r--. 1 root root 19 Jul 21 19:51 index.html
-rw-r--r--. 1 root root 167427 Jul 22 12:48 坦克.zip
-rw-r--r--. 1 root root 376297 Jul 22 12:48 斗地主.zip
[root@yxt html]# yum -y install unzip zip //install the unzip tool to extract the archives
[root@yxt html]# unzip 斗地主.zip
[root@yxt html]# unzip 坦克.zip
[root@yxt html]# ll
total 536
drwxr-xr-x. 6 root root 72 Sep 24 2015 Battle_City
drwxr-xr-x. 3 root root 114 Sep 11 2017 'HTML5 canvas移动端斗地主小游戏'
-rw-r--r--. 1 root root 19 Jul 21 19:51 index.html
-rw-r--r--. 1 root root 167427 Jul 22 12:48 坦克.zip
-rw-r--r--. 1 root root 376297 Jul 22 12:48 斗地主.zip
[root@yxt html]# rm -rf 坦克.zip 斗地主.zip
[root@yxt html]# mv Battle_City/ tanke
[root@yxt html]# mv 'HTML5 canvas移动端斗地主小游戏'/ doudizhu //rename both directories to short ASCII names
[root@yxt html]# ll
total 4
drwxr-xr-x. 3 root root 114 Sep 11 2017 doudizhu
-rw-r--r--. 1 root root 19 Jul 21 19:51 index.html
drwxr-xr-x. 6 root root 72 Sep 24 2015 tanke
Step two
//locate the virtual host configuration file
[root@yxt ~]# find / -name "*hosts.conf"
/etc/httpd/conf.d/httpd-vhosts.conf
/root/httpd-2.4.51/docs/conf/extra/httpd-vhosts.conf
/usr/share/doc/httpd/httpd-vhosts.conf
/usr/local/apache/conf/extra/httpd-vhosts.conf
/usr/local/apache/conf/original/extra/httpd-vhosts.conf
//copy the virtual host configuration file that was found into /etc/httpd/conf.d/
[root@yxt ~]# cd /usr/share/doc/httpd
[root@yxt httpd]# cp httpd-vhosts.conf /etc/httpd/conf.d/
[root@yxt httpd]# cd /etc/httpd/conf.d/
[root@yxt conf.d]# ls
autoindex.conf httpd-vhosts.conf README userdir.conf welcome.conf
[root@yxt conf.d]# vim httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/var/www/html/doudizhu"
ServerName www.doudizhu.com
ErrorLog "/var/log/httpd/www.doudizhu.com-error_log"
CustomLog "/var/log/httpd/www.doudizhu.com-access_log" common
</VirtualHost>
Listen 81  # add port 81; a <VirtualHost *:81> is unreachable unless httpd also listens on 81
<VirtualHost *:81>
DocumentRoot "/var/www/html/tanke"
ServerName www.tanke.com
ErrorLog "/var/log/httpd/www.tanke.com-error_log"
CustomLog "/var/log/httpd/www.tanke.com-access_log" common
</VirtualHost>
[root@yxt html]# httpd -t
[root@yxt html]# systemctl restart httpd
[root@yxt tanke]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:81 *:*
LISTEN 0 128 [::]:22 [::]:*
Result screenshot:
Type two: different IPs, same port
[root@yxt ~]# ip addr add 192.168.160.133/24 dev ens33 //temporarily add a second IP (not persisted across a reboot)
[root@yxt ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
<VirtualHost 192.168.160.132:80>
DocumentRoot "/var/www/html/doudizhu"
ServerName www.doudizhu.com
ErrorLog "/var/log/httpd/www.doudizhu.com-error_log"
CustomLog "/var/log/httpd/www.doudizhu.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.160.133:80>
DocumentRoot "/var/www/html/tanke"
ServerName www.tanke.com
ErrorLog "/var/log/httpd/www.tanke.com-error_log"
CustomLog "/var/log/httpd/www.tanke.com-access_log" common
</VirtualHost>
[root@yxt ~]# httpd -t
[root@yxt ~]# systemctl restart httpd
Result screenshot:
Type three: same IP and port, different domain names
[root@yxt ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
<VirtualHost 192.168.160.132:80>
DocumentRoot "/var/www/html/doudizhu"
ServerName www.doudizhu.com
ErrorLog "/var/log/httpd/www.doudizhu.com-error_log"
CustomLog "/var/log/httpd/www.doudizhu.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.160.132:80>
DocumentRoot "/var/www/html/tanke"
ServerName www.tanke.com
ErrorLog "/var/log/httpd/www.tanke.com-error_log"
CustomLog "/var/log/httpd/www.tanke.com-access_log" common
</VirtualHost>
[root@yxt ~]# httpd -t
[root@yxt ~]# systemctl restart httpd
//edit the hosts file on the local (Windows) machine's C: drive
//C:\Windows\System32\drivers\etc\hosts
add the line: 192.168.160.132 www.doudizhu.com www.tanke.com
Result screenshot:
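A check worth running before restarting httpd, added here as an example and not part of the original article: the lint below reads a virtual host file and reports (1) any VirtualHost port that no Listen directive opens, the mistake type one avoids with its extra Listen 81, and (2) for each address:port the first VirtualHost, which Apache uses as the default for every request whose Host header matches no ServerName. That second point matters for type three, where both sites share 192.168.160.132:80: a request to the bare IP, or with any unknown Host name, is served by www.doudizhu.com simply because it is listed first, so the first block should be the site you are willing to expose to unknown names. The function names and the sample config text are constructed for this demo.

```shell
#!/usr/bin/env sh
# Added example, not part of the article: a small lint for an httpd virtual
# host file covering two mistakes the three set-ups above invite.
# 1. A <VirtualHost *:PORT> with no matching "Listen PORT" is never reached.
# 2. For each address:port the FIRST VirtualHost is the default and answers
#    every request whose Host header matches no ServerName.
# SAMPLE_CONF is constructed for this demo (Listen 80 normally lives in httpd.conf).

SAMPLE_CONF='
Listen 80
<VirtualHost 192.168.160.132:80>
    DocumentRoot "/var/www/html/doudizhu"
    ServerName www.doudizhu.com
</VirtualHost>
<VirtualHost 192.168.160.132:80>
    DocumentRoot "/var/www/html/tanke"
    ServerName www.tanke.com
</VirtualHost>
<VirtualHost *:81>
    DocumentRoot "/var/www/html/tanke"
    ServerName www.tanke.com
</VirtualHost>
'

# listen_ports CONF: one line per port named in a Listen directive
# ("Listen 81", "Listen 192.168.160.132:80", "Listen 443 https").
listen_ports() {
    printf '%s\n' "$1" | awk 'tolower($1) == "listen" { p = $2; sub(/.*:/, "", p); print p }'
}

# vhost_ports CONF: the PORT of every <VirtualHost ADDR:PORT> opening tag
# (last colon-separated field, so "[::1]:80" also works).
vhost_ports() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*<VirtualHost/ {
        a = $2; sub(/>.*/, "", a); n = split(a, p, ":"); print p[n] }'
}

# missing_listen CONF: ports used by a VirtualHost that no Listen opens.
missing_listen() {
    listened=$(listen_ports "$1")
    vhost_ports "$1" | sort -u | while read -r port; do
        [ "$port" = "*" ] && continue   # <VirtualHost *> means every Listen port
        printf '%s\n' "$listened" | grep -qx "$port" || printf '%s\n' "$port"
    done
}

# default_vhosts CONF: "ADDR:PORT SERVERNAME" for the first VirtualHost of each
# address:port, i.e. the block that serves requests for unknown Host names.
default_vhosts() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*<VirtualHost/ { addr = $2; sub(/>.*/, "", addr); in_vhost = 1; next }
        in_vhost && tolower($1) == "servername" && !(addr in seen) { seen[addr] = $2; order[++n] = addr }
        /^[[:space:]]*<\/VirtualHost>/ { in_vhost = 0 }
        END { for (i = 1; i <= n; i++) print order[i], seen[order[i]] }'
}

# lint_vhosts CONF: human-readable report of both findings.
lint_vhosts() {
    missing=$(missing_listen "$1")
    if [ -n "$missing" ]; then
        echo "VirtualHost ports with no Listen directive:"; printf '  %s\n' $missing
    else
        echo "every VirtualHost port has a Listen directive"
    fi
    echo "default VirtualHost per address:port (serves unknown Host names):"
    default_vhosts "$1" | sed 's/^/  /'
}

lint_vhosts "$SAMPLE_CONF"
```

Run it against your own file with lint_vhosts "$(cat /etc/httpd/conf.d/httpd-vhosts.conf /etc/httpd/conf/httpd.conf)" so the Listen lines from the main config are seen too; for the sample it reports port 81 as unopened and www.doudizhu.com as the default for 192.168.160.132:80.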
II. Configuring the HTTPS secure encryption module
1. Introduction to HTTPS
HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is HTTP carried over a channel designed for security: on top of HTTP it protects the transfer with transport encryption and identity authentication. HTTPS inserts an SSL layer beneath HTTP; SSL (today its successor, TLS) is the security foundation of HTTPS, so the details of the encryption belong to SSL. HTTPS differs from HTTP in its default port and in the encryption/authentication layer that sits between HTTP and TCP. This system provides authentication and encrypted communication and is widely used for security-sensitive communication on the World Wide Web. The service port is 443.
The mod_ssl module:
This module provides strong encryption using the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It was contributed by Ralf S. Engelschall, the author of the mod_ssl project, and mod_ssl was originally based on Ben Laurie's work.
2. Implementing a private CA with openssl:
[root@yxt ~]# yum -y install mod_ssl openssl //install the mod_ssl module and the openssl toolkit (ciphers, keys and certificates)
[root@yxt conf.modules.d]# systemctl restart httpd
[root@yxt conf.modules.d]# httpd -t
Implementing a private CA with openssl:
a) The CA generates a key pair
[root@yxt yxt]# mkdir /etc/pki/CA
[root@yxt ~]# cd /etc/pki/CA/
[root@yxt CA]# mkdir private
[root@yxt CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) //generate the private key; the parentheses are required so the umask applies only to the subshell and the key file is created with mode 0600
[root@yxt CA]# openssl rsa -in private/cakey.pem -pubout //extract the public key
b) The CA generates a self-signed certificate
[root@yxt CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 //generate the self-signed certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn //country
State or Province Name (full name) []:hb //province
Locality Name (eg, city) [Default City]:wh //city
Organization Name (eg, company) [Default Company Ltd]:yxt //company
Organizational Unit Name (eg, section) []:xs //department
Common Name (eg, your name or your server's hostname) []:www.tanke.com //domain name
Email Address []:2237966451@qq.com //e-mail
[root@yxt CA]# openssl x509 -text -in cacert.pem //print the contents of the cacert.pem certificate
[root@yxt CA]# mkdir certs newcerts crl
[root@yxt CA]# touch index.txt && echo 01 > serial
c) The client (for example the httpd server) generates a key
[root@yxt CA]# cd /etc/httpd/ && mkdir ssl &&cd ssl
[root@yxt ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
d) The client generates a certificate signing request
[root@yxt ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:yxt
Organizational Unit Name (eg, section) []:xs
Common Name (eg, your name or your server's hostname) []:www.tanke.com
Email Address []:2237966451@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
e) The CA signs the certificate request submitted by the client
[root@yxt ssl]# openssl ca -in ./httpd.csr -out httpd.crt -days 365
[root@yxt ssl]# ls
httpd.crt httpd.csr httpd.key
[root@yxt ssl]# pwd
/etc/httpd/ssl
3. Configuring httpd-ssl.conf
[root@yxt ssl]# cd /etc/httpd/conf.d/
[root@yxt conf.d]# vim ssl.conf
//uncomment these lines and set the document root and the domain name
DocumentRoot "/var/www/html/tanke"
ServerName www.tanke.com:443
//point the certificate settings in httpd-ssl.conf at the files created above
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
[root@yxt conf.d]# httpd -t
[root@yxt conf.d]# systemctl restart httpd
Result screenshot:
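Added example (not the article's commands): the script below replays steps a) to e) of section 2 non-interactively in a scratch directory with its own minimal openssl.cnf, then runs the two checks a practitioner wants before the ssl.conf of section 3 goes live: that httpd.crt chains to cacert.pem and is valid for www.tanke.com, and that SSLCertificateFile and SSLCertificateKeyFile carry the same public key (a mismatch is the classic reason httpd refuses to start after this step). It departs from the article in two deliberate ways, both explained in the comments: the CA's Common Name is not the server's hostname, and the issued certificate carries a subjectAltName. Function names, paths and DN values are constructed for the demo; it assumes openssl 1.1 or 3.x is installed.

```shell
#!/usr/bin/env sh
# Added example, not the article's own commands: replay private-CA steps a) to e)
# non-interactively in a scratch directory, then check the result the way you
# would before pointing ssl.conf at the files.
# Assumptions: openssl 1.1 or 3.x is installed; every path and DN value below
# is constructed for this demo (the article uses /etc/pki/CA and /etc/httpd/ssl).
set -eu

# build_ca [DIR] [HOST]: build a CA in DIR (default: temp dir) and issue a
# server certificate for HOST (default www.tanke.com). Prints DIR.
build_ca() {
    dir=${1:-$(mktemp -d)}
    host=${2:-www.tanke.com}
    # same layout the article creates under /etc/pki/CA with mkdir/touch/echo
    mkdir -p "$dir/private" "$dir/certs" "$dir/newcerts" "$dir/crl"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    # minimal openssl.cnf so "openssl ca" does not depend on the system file
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $dir
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/cacert.pem
private_key   = $dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_cert
[ req_dn ]
# empty on purpose: the subject is passed with -subj
[ ca_cert ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    # a) CA key pair; the subshell keeps umask 077 local, so only this file is 0600
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    # b) self-signed CA cert. Its CN is deliberately not the server hostname: the
    #    article reuses www.tanke.com for both, which gives the leaf an issuer DN
    #    equal to its own subject, makes it look self-signed and breaks verification.
    openssl req -new -x509 -config "$dir/openssl.cnf" -key "$dir/private/cakey.pem" \
        -out "$dir/cacert.pem" -days 365 -subj "/C=cn/ST=hb/L=wh/O=yxt/OU=xs/CN=yxt demo CA"
    # c) + d) server key and CSR (C, ST and O must match the CA under policy_match)
    (umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/httpd.key" \
        -out "$dir/httpd.csr" -subj "/C=cn/ST=hb/L=wh/O=yxt/OU=xs/CN=$host"
    # e) the CA signs the CSR; -extensions adds the subjectAltName browsers require
    openssl ca -batch -notext -config "$dir/openssl.cnf" -extensions server_cert \
        -in "$dir/httpd.csr" -out "$dir/httpd.crt" >/dev/null 2>&1
    printf '%s\n' "$dir"
}

# verify_server_cert DIR HOST: "ok" if httpd.crt chains to cacert.pem and is valid
# for HOST, else "fail".
verify_server_cert() {
    if openssl verify -CAfile "$1/cacert.pem" "$1/httpd.crt" >/dev/null 2>&1 &&
       openssl x509 -in "$1/httpd.crt" -noout -checkhost "$2" | grep -q 'does match'; then
        echo ok
    else
        echo fail
    fi
}

# key_matches_cert CERT KEY: "ok" if SSLCertificateFile and SSLCertificateKeyFile
# carry the same public key, else "fail".
key_matches_cert() {
    if [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]; then
        echo ok
    else
        echo fail
    fi
}

work=$(build_ca)
echo "CA and server certificate written to $work"
echo "chain + hostname check:  $(verify_server_cert "$work" www.tanke.com)"
echo "certificate/key pairing: $(key_matches_cert "$work/httpd.crt" "$work/httpd.key")"
```

The same two checks apply to the real files once ssl.conf is edited: openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/httpd/ssl/httpd.crt must print OK, and a browser warning about an unknown issuer is then expected (the CA is private) rather than a sign of a broken chain.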