httpd: configuring the three kinds of virtual host (with access control) and the HTTPS secure encryption module

I. Configuring the three kinds of httpd virtual host with access control

1. Virtual hosts come in three kinds:

  • same IP, different ports
  • different IPs, same port
  • same IP and port, different domain names

2. The experiments:

Kind 1: same IP, different ports

Step 1

Prepare the HTML packages     // (from 源码之家)
[root@yxt ~]# cd /var/www/html/
[root@yxt html]# ll
total 536
-rw-r--r--. 1 root root     19 Jul 21 19:51 index.html
-rw-r--r--. 1 root root 167427 Jul 22 12:48 坦克.zip
-rw-r--r--. 1 root root 376297 Jul 22 12:48 斗地主.zip
[root@yxt html]# yum -y install unzip zip   // install the zip/unzip tools needed to extract the archives
[root@yxt html]# unzip 斗地主.zip 
[root@yxt html]# unzip 坦克.zip 
[root@yxt html]# ll
total 536
drwxr-xr-x. 6 root root     72 Sep 24  2015  Battle_City
drwxr-xr-x. 3 root root    114 Sep 11  2017 'HTML5 canvas移动端斗地主小游戏'
-rw-r--r--. 1 root root     19 Jul 21 19:51  index.html
-rw-r--r--. 1 root root 167427 Jul 22 12:48  坦克.zip
-rw-r--r--. 1 root root 376297 Jul 22 12:48  斗地主.zip
[root@yxt html]# rm -rf 坦克.zip  斗地主.zip 
[root@yxt html]# mv Battle_City/ tanke
[root@yxt html]# mv 'HTML5 canvas移动端斗地主小游戏' doudizhu   // give both directories short ASCII names to use as document roots
[root@yxt html]# ll
total 4
drwxr-xr-x. 3 root root 114 Sep 11  2017 doudizhu
-rw-r--r--. 1 root root  19 Jul 21 19:51 index.html
drwxr-xr-x. 6 root root  72 Sep 24  2015 tanke

Step 2
// locate the sample virtual host configuration file (quote the pattern so the shell does not expand it first)
[root@yxt ~]# find / -name '*hosts.conf'
/etc/httpd/conf.d/httpd-vhosts.conf
/root/httpd-2.4.51/docs/conf/extra/httpd-vhosts.conf
/usr/share/doc/httpd/httpd-vhosts.conf
/usr/local/apache/conf/extra/httpd-vhosts.conf
/usr/local/apache/conf/original/extra/httpd-vhosts.conf
// copy the sample virtual host file into /etc/httpd/conf.d/
[root@yxt ~]# cd /usr/share/doc/httpd
[root@yxt httpd]# cp httpd-vhosts.conf  /etc/httpd/conf.d/
[root@yxt ~]# cd /etc/httpd/conf.d/
[root@yxt conf.d]# ls
autoindex.conf  httpd-vhosts.conf  README  userdir.conf  welcome.conf
[root@yxt conf.d]# vim httpd-vhosts.conf 
<VirtualHost *:80>
    DocumentRoot "/var/www/html/doudizhu"
    ServerName www.doudizhu.com
    ErrorLog "/var/log/httpd/www.doudizhu.com-error_log"
    CustomLog "/var/log/httpd/www.doudizhu.com-access_log" common
</VirtualHost>

Listen 81    // add port 81 (port 80 is already opened by the Listen in httpd.conf)
<VirtualHost *:81>
    DocumentRoot "/var/www/html/tanke"
    ServerName www.tanke.com
    ErrorLog "/var/log/httpd/www.tanke.com-error_log"
    CustomLog "/var/log/httpd/www.tanke.com-access_log" common
</VirtualHost>
[root@yxt html]# httpd -t
[root@yxt html]# systemctl  restart httpd
[root@yxt tanke]# ss -anlt
State            Recv-Q           Send-Q                     Local Address:Port                       Peer Address:Port           Process           
LISTEN           0                128                              0.0.0.0:22                              0.0.0.0:*                                
LISTEN           0                128                                    *:80                                    *:*                                
LISTEN           0                128                                    *:81                                    *:*                                
LISTEN           0                128                                 [::]:22                                 [::]:*   

Result screenshots: [images omitted]

Kind 2: different IPs, same port

[root@yxt ~]# ip addr add 192.168.160.133/24 dev ens33   // add a second IP temporarily (it is lost on reboot)
[root@yxt ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf 
<VirtualHost 192.168.160.132:80>
    DocumentRoot "/var/www/html/doudizhu"
    ServerName www.doudizhu.com
    ErrorLog "/var/log/httpd/www.doudizhu.com-error_log"
    CustomLog "/var/log/httpd/www.doudizhu.com-access_log" common
</VirtualHost>

<VirtualHost 192.168.160.133:80>
    DocumentRoot "/var/www/html/tanke"
    ServerName www.tanke.com
    ErrorLog "/var/log/httpd/www.tanke.com-error_log"
    CustomLog "/var/log/httpd/www.tanke.com-access_log" common
</VirtualHost>
[root@yxt ~]# httpd -t
[root@yxt ~]# systemctl  restart httpd

Result screenshots: [images omitted]

Kind 3: same IP and port, different domain names

[root@yxt ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf 
<VirtualHost 192.168.160.132:80>
    DocumentRoot "/var/www/html/doudizhu"
    ServerName www.doudizhu.com
    ErrorLog "/var/log/httpd/www.doudizhu.com-error_log"
    CustomLog "/var/log/httpd/www.doudizhu.com-access_log" common
</VirtualHost>

<VirtualHost 192.168.160.132:80>
    DocumentRoot "/var/www/html/tanke"
    ServerName www.tanke.com
    ErrorLog "/var/log/httpd/www.tanke.com-error_log"
    CustomLog "/var/log/httpd/www.tanke.com-access_log" common
</VirtualHost>
[root@yxt ~]# httpd -t
[root@yxt ~]# systemctl  restart httpd

// On the client PC, edit the hosts file C:\Windows\System32\drivers\etc\hosts
// so that both names resolve to the server (httpd picks the virtual host by the Host header):
add 192.168.160.132 www.doudizhu.com www.tanke.com

Result screenshots: [images omitted]
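All three layouts above share two failure modes that `httpd -t` does not report: a `<VirtualHost addr:port>` whose port no `Listen` directive opens (the `Listen 81` line is the step most often forgotten), and two virtual hosts on the same `addr:port` that declare the same `ServerName`, in which case httpd silently serves the first one listed. The following lint is an added example, not part of the original post; it only parses configuration files, needs no running httpd, and the sample it builds is constructed from the host names used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): a lint for httpd virtual-host
# configuration. It only parses files, so it needs no running httpd.
#
# check_vhosts FILE...
#   Reads every file given (pass the main httpd.conf as well, because the
#   "Listen 80" that the port-80 vhosts rely on lives there, not in
#   conf.d/httpd-vhosts.conf) and prints one line per problem:
#     - a <VirtualHost addr:port> whose port has no Listen directive
#     - two vhosts on the same addr:port that declare the same ServerName
#       (httpd hands every request for that name to the first one listed)
#   Returns 1 when any problem was printed, 0 otherwise.
check_vhosts() {
    awk '
        # "Listen 81" or "Listen 192.168.160.132:81": remember the port only
        /^[ \t]*Listen[ \t]/ {
            p = $2; sub(/^.*:/, "", p); listen[p] = 1; next
        }
        # "<VirtualHost *:80>": remember addr:port and its port part
        /^[ \t]*<VirtualHost[ \t]/ {
            addr = $2; sub(/>.*$/, "", addr)
            port = addr; sub(/^.*:/, "", port)
            vport[addr] = port; cur = addr; next
        }
        /^[ \t]*ServerName[ \t]/ && cur != "" {
            if ((cur, $2) in seen) {
                printf "duplicate ServerName %s on <VirtualHost %s>\n", $2, cur
                bad++
            }
            seen[cur, $2] = 1; next
        }
        /^[ \t]*<\/VirtualHost>/ { cur = ""; next }
        END {
            for (a in vport)
                if (!(vport[a] in listen)) {
                    printf "no Listen for port %s used by <VirtualHost %s>\n", vport[a], a
                    bad++
                }
            exit (bad > 0)
        }
    ' "$@"
}

# Constructed sample (not the post's real files): the name-based layout of
# kind 3 with ServerName www.tanke.com declared twice on the same addr:port,
# plus a *:81 vhost whose "Listen 81" was forgotten.
# Run as:  sh vhost_lint.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Listen 80
<VirtualHost 192.168.160.132:80>
    DocumentRoot "/var/www/html/doudizhu"
    ServerName www.doudizhu.com
</VirtualHost>
<VirtualHost 192.168.160.132:80>
    DocumentRoot "/var/www/html/tanke"
    ServerName www.tanke.com
</VirtualHost>
<VirtualHost 192.168.160.132:80>
    DocumentRoot "/var/www/html/tanke-old"
    ServerName www.tanke.com
</VirtualHost>
<VirtualHost *:81>
    DocumentRoot "/var/www/html/tanke"
    ServerName www.tanke.com
</VirtualHost>
EOF
    check_vhosts "$tmp" || echo "fix these before running httpd -t"
    rm -f "$tmp"
fi
```

On the real server the call is `check_vhosts /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/httpd-vhosts.conf`; running it before `httpd -t` catches the two mistakes that a syntactically valid file can still contain.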

II. Configuring the HTTPS secure encryption module

1. Introduction to HTTPS

HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is HTTP carried over a channel built for security: on top of HTTP it adds transport encryption and identity authentication to protect the data in transit. HTTPS inserts an SSL layer beneath HTTP, so the security of HTTPS rests on SSL and the details of the encryption are handled by SSL. HTTPS differs from HTTP in its default port and in the extra encryption/authentication layer that sits between HTTP and TCP; this system provides authentication and encrypted communication and is widely used for security-sensitive traffic on the web. The service port is 443.

The mod_ssl module:
This module provides strong encryption for transport using the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It was contributed by Ralf S. Engelschall, the author of the mod_ssl project, and mod_ssl was originally based on work by Ben Laurie.

2. Implementing a private CA with openssl:

[root@yxt ~]# yum -y install mod_ssl openssl   // install the httpd SSL module and the openssl toolkit used for the key and certificate work
[root@yxt conf.modules.d]# systemctl  restart httpd
[root@yxt conf.modules.d]# httpd -t

Implementing a private CA with openssl:
 a) The CA generates a key pair
 [root@yxt yxt]# mkdir /etc/pki/CA
 [root@yxt ~]# cd /etc/pki/CA/
 [root@yxt CA]# mkdir private
 [root@yxt CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)   // generate the key; the parentheses are required so that the umask applies only to this subshell and the key file is created readable by root alone
 [root@yxt CA]# openssl rsa -in private/cakey.pem -pubout  // extract the public key

 b) The CA generates a self-signed certificate
[root@yxt CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365         // generate the self-signed certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn    // country
State or Province Name (full name) []:hb   // province
Locality Name (eg, city) [Default City]:wh // city
Organization Name (eg, company) [Default Company Ltd]:yxt    // company
Organizational Unit Name (eg, section) []:xs     // department
Common Name (eg, your name or your server's hostname) []:www.tanke.com   // domain name
Email Address []:2237966451@qq.com  // e-mail address
[root@yxt CA]# openssl x509 -text -in cacert.pem    // print the contents of the cacert.pem certificate
[root@yxt CA]# mkdir certs newcerts crl
[root@yxt CA]# touch index.txt && echo 01 > serial   // the certificate database and serial counter that "openssl ca" expects under /etc/pki/CA

c) The client (for example the httpd server) generates a key
[root@yxt CA]# cd /etc/httpd/ && mkdir ssl && cd ssl
[root@yxt ssl]# (umask 077;openssl genrsa -out httpd.key 2048)

d) The client generates a certificate signing request (a request has no validity period, which is why openssl ignores -days here)
[root@yxt ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:yxt
Organizational Unit Name (eg, section) []:xs
Common Name (eg, your name or your server's hostname) []:www.tanke.com
Email Address []:2237966451@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

e) The CA signs the request submitted by the client
[root@yxt ssl]# openssl ca -in ./httpd.csr -out httpd.crt -days 365
[root@yxt ssl]# ls
httpd.crt  httpd.csr  httpd.key
[root@yxt ssl]# pwd
/etc/httpd/ssl

3. Configuring httpd-ssl.conf

[root@yxt ssl]# cd /etc/httpd/conf.d/
[root@yxt conf.d]# vim ssl.conf 
// uncomment these lines and set the document root and the domain name
DocumentRoot "/var/www/html/tanke"  
ServerName www.tanke.com:443

// point the certificate directives in httpd-ssl.conf at the files signed above
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
[root@yxt conf.d]# httpd -t
[root@yxt conf.d]# systemctl  restart httpd

Result screenshot: [image omitted]
