httpd configuration!

This article describes in detail how to start the Apache service on Linux, configure ServerName to silence the startup warning, and set up IP-based and port-based virtual hosts by editing the configuration files. It covers access control rules, changing page content, and resolving domain-name access through the hosts file. It also explains how to create and apply an SSL certificate to improve the server's security.

1. Start the Apache service!

[root@lzz ~]# /usr/local/apache/bin/apachectl start
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::9e5f:68a1:e08a:9f1b%ens33. Set the 'ServerName' directive globally to suppress this message
[root@lzz ~]# ss -antl
State        Recv-Q       Send-Q             Local Address:Port               Peer Address:Port       Process       
LISTEN       0            128                      0.0.0.0:111                     0.0.0.0:*                        
LISTEN       0            32                 192.168.122.1:53                      0.0.0.0:*                        
LISTEN       0            128                      0.0.0.0:22                      0.0.0.0:*                        
LISTEN       0            5                      127.0.0.1:631                     0.0.0.0:*                        
LISTEN       0            128                         [::]:111                        [::]:*                        
LISTEN       0            128                            *:80                            *:*                        
LISTEN       0            128                         [::]:22                         [::]:*                        
LISTEN       0            5                          [::1]:631                        [::]:*  

2. Back on the virtual machine, open the httpd configuration file!

[root@lzz ~]# vim /etc/httpd24/httpd.conf               

Find the ServerName entry (shown below) and remove the comment marker in front of it!

Before:

# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80

#
# Deny access to the entirety of your server's filesystem. You must

After:

# If your host doesn't have a registered DNS name, enter its IP address here.
#
ServerName www.example.com:80

#
# Deny access to the entirety of your server's filesystem. You must

3. Now the page can be opened in a browser by IP address!

   This assumes the firewall has been turned off (opening only port 80 in the firewall works just as well); the page then loads normally!

4. Access control rules!

Rule                          Function
Require all granted           allow all hosts
Require all denied            deny all hosts
Require ip IPADDR             allow hosts from the given source address
Require not ip IPADDR         deny hosts from the given source address
Require host HOSTNAME         allow hosts with the given source host name
Require not host HOSTNAME     deny hosts with the given source host name

IPADDR forms                                   HOSTNAME forms
IP: 192.168.1.1                                FQDN: the full name of a specific host
Network/mask: 192.168.1.0/255.255.255.0        DOMAIN: all hosts in the given domain
Network/Length: 192.168.1.0/24
Net: 192.168

Note: httpd-2.4 denies all hosts by default, so after installation access must be granted explicitly
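As an added example (not from the original post): the rule table above modelled in Python with the standard ipaddress module, so that the different IPADDR forms and the deny-by-default behaviour can be checked offline. The reverse-DNS table and the client addresses are constructed; real httpd resolves host names through DNS, and a Require not rule is only legal inside a RequireAll block, so the evaluation here is a simplified model of that combination.

```python
"""Evaluate httpd-2.4 style Require rules against a client address.

Added example, not Apache code. The reverse-DNS table below is constructed
so that 'Require host' can be demonstrated offline.
"""
import ipaddress

# Constructed stand-in for the PTR lookups httpd performs for host rules.
REVERSE_DNS = {
    "192.168.1.1": "laolin.example.com",
    "10.0.0.5": "evil.example.org",
}


def ip_matches(client, spec):
    """Match one IPADDR form: full IP, network/mask, network/length or a leading 'net' prefix."""
    addr = ipaddress.ip_address(client)
    if "/" in spec:
        # Covers both 192.168.1.0/24 and 192.168.1.0/255.255.255.0
        return addr in ipaddress.ip_network(spec, strict=False)
    if spec.count(".") == 3:
        return addr == ipaddress.ip_address(spec)
    # Partial form such as 192.168: matches any address starting with those octets
    return client.startswith(spec + ".")


def host_matches(client, spec):
    """FQDN matches the resolved name exactly; a DOMAIN matches every host inside it."""
    name = REVERSE_DNS.get(client)
    if name is None:
        return False
    return name == spec or name.endswith("." + spec)


def evaluate(rules, client):
    """Return 'granted' or 'denied' for a client IP under a list of Require directives.

    Simplified model: a matching 'not' rule (or 'all denied') denies immediately,
    any matching positive rule grants, and with no match at all the answer is the
    httpd-2.4 default, denied.
    """
    granted = False
    for rule in rules:
        words = rule.split()
        if not words or words[0] != "Require":
            raise ValueError(f"not a Require directive: {rule!r}")
        negate = len(words) > 1 and words[1] == "not"
        kind, args = (words[2], words[3:]) if negate else (words[1], words[2:])
        if kind == "all":
            matched, allow = True, args == ["granted"]
        elif kind == "ip":
            matched, allow = any(ip_matches(client, a) for a in args), True
        elif kind == "host":
            matched, allow = any(host_matches(client, a) for a in args), True
        else:
            raise ValueError(f"unsupported Require type: {kind}")
        if not matched:
            continue
        if negate or not allow:
            return "denied"
        granted = True
    return "granted" if granted else "denied"
```

Calling evaluate(["Require ip 192.168.1.0/24", "Require not ip 192.168.1.1"], "192.168.1.1") returns "denied", while the neighbouring address 192.168.1.2 is granted; an empty rule list is denied, which is the situation the note above warns about.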

5. Why could the page be reached even though access is denied by default? What we reached above is actually the site stored in the location below!

     If we change its content, what we see in the browser changes too!

[root@lzz ~]# cd /usr/local/apache/
[root@lzz apache]# ls
bin  build  cgi-bin  error  htdocs  icons  include  logs  man  manual  modules
[root@lzz apache]# cd htdocs/
[root@lzz htdocs]# ls
index.html
[root@lzz htdocs]# cat index.html 
<html><body><h1>It works!</h1></body></html>
[root@lzz htdocs]# echo 'ljj' > index.html     (# overwrite the original content!)

     (the content shown in the browser now changes as well!)

6. Back in the configuration file, comment out  Require all granted  and put  Require all denied  in its place; now the page can no longer be reached!

7. Virtual hosts

There are three kinds of virtual host:  same IP, different ports;  different IPs, same port;  same IP, same port, different domain names!

      Kind 1: same IP, different ports!

     1.  Set up the different ports by editing the configuration file!

[root@lzz ~]# vim /etc/httpd24/extra/httpd-vhosts.conf  (this is the file where the virtual hosts are edited!)
<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/apache/htdocs/HTML5热气球飞行游戏代码"
    ServerName dummy-host.example.com
#    ServerAlias www.dummy-host.example.com
    ErrorLog "logs/dummy-host.example.com-error_log"
    CustomLog "logs/dummy-host.example.com-access_log" common
</VirtualHost>

listen 81
<VirtualHost *:81>
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/usr/local/apache/htdocs/HTML5圣诞老人过悬崖小游戏"
    ServerName dummy-host2.example.com
    ErrorLog "logs/dummy-host2.example.com-error_log"
    CustomLog "logs/dummy-host2.example.com-access_log" common
</VirtualHost>



Now port 80 serves the hot-air balloon page, and port 81 serves the cliff-crossing page!


[root@lzz htdocs]# /usr/local/apache/bin/apachectl stop
[root@lzz htdocs]# /usr/local/apache/bin/apachectl start
[root@lzz htdocs]# ss -antl
State              Recv-Q             Send-Q                         Local Address:Port                          Peer Address:Port             Process             
LISTEN             0                  128                                  0.0.0.0:111                                0.0.0.0:*                                    
LISTEN             0                  32                             192.168.122.1:53                                 0.0.0.0:*                                    
LISTEN             0                  128                                  0.0.0.0:22                                 0.0.0.0:*                                    
LISTEN             0                  5                                  127.0.0.1:631                                0.0.0.0:*                                    
LISTEN             0                  128                                     [::]:111                                   [::]:*                                    
LISTEN             0                  128                                        *:80                                       *:*                                    
LISTEN             0                  128                                        *:81                                       *:*                                    
LISTEN             0                  128                                     [::]:22                                    [::]:*                                    
LISTEN             0                  5                                      [::1]:631                                   [::]:*                                    

     2. Once configured, browse to each of them!

Kind 2: different IPs, same port!

   1. Add an IP address for the experiment, then edit the configuration file again!

[root@lzz htdocs]# ip addr add 192.168.180.200/24 dev ens33   (add a second IP address for the experiment!)
[root@lzz htdocs]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:8c:0f:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.180.100/24 brd 192.168.180.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet 192.168.180.200/24 scope global secondary ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::9e5f:68a1:e08a:9f1b/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:49:72:81 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:49:72:81 brd ff:ff:ff:ff:ff:ff





[root@lzz ~]# vim /etc/httpd24/extra/httpd-vhosts.conf (open the configuration file again)
<VirtualHost 192.168.180.100:80>               (specify the IP address)
#    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/apache/htdocs/HTML5热气球飞行游戏代码"
    ServerName dummy-host.example.com
#    ServerAlias www.dummy-host.example.com
    ErrorLog "logs/dummy-host.example.com-error_log"
    CustomLog "logs/dummy-host.example.com-access_log" common
</VirtualHost>

#listen 81                                    (comment out the extra Listen port)
<VirtualHost 192.168.180.200:80>              (change the port back to 80 and specify the second IP address)
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/usr/local/apache/htdocs/HTML5圣诞老人过悬崖小游戏"
    ServerName dummy-host2.example.com
    ErrorLog "logs/dummy-host2.example.com-error_log"
    CustomLog "logs/dummy-host2.example.com-access_log" common
</VirtualHost>



[root@lzz htdocs]# /usr/local/apache/bin/apachectl stop     (restart the service!!!)
[root@lzz htdocs]# /usr/local/apache/bin/apachectl start
[root@lzz htdocs]# ss -antl
State              Recv-Q             Send-Q                         Local Address:Port                          Peer Address:Port             Process             
LISTEN             0                  128                                  0.0.0.0:111                                0.0.0.0:*                                    
LISTEN             0                  32                             192.168.122.1:53                                 0.0.0.0:*                                    
LISTEN             0                  128                                  0.0.0.0:22                                 0.0.0.0:*                                    
LISTEN             0                  5                                  127.0.0.1:631                                0.0.0.0:*                                    
LISTEN             0                  128                                     [::]:111                                   [::]:*                                    
LISTEN             0                  128                                        *:80                                       *:*                                    
LISTEN             0                  128                                     [::]:22                                    [::]:*                                    
LISTEN             0                  5                                      [::1]:631                                   [::]:*    

   2. Browse to each IP address again; each one shows its own page!

Kind 3: same IP, same port, different domain names!

 1. Open the configuration file again, remove the previous changes and replace them with the following!

[root@lzz ~]# vim /etc/httpd24/extra/httpd-vhosts.conf
<VirtualHost *:80>                  (remove the IP address again and put back "*")
#    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/apache/htdocs/HTML5热气球飞行游戏代码"  
    ServerName laolin.example.com            (change the domain name so the experiment is easy to follow; here it becomes "laolin")
#    ServerAlias www.dummy-host.example.com
    ErrorLog "logs/dummy-host.example.com-error_log"
    CustomLog "logs/dummy-host.example.com-access_log" common
</VirtualHost>

#listen 81
<VirtualHost *:80>                   (likewise remove the IP address and put back "*")
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/usr/local/apache/htdocs/HTML5圣诞老人过悬崖小游戏"
    ServerName zzh.example.com                (change the domain name; here it becomes "zzh")
    ErrorLog "logs/dummy-host2.example.com-error_log"
    CustomLog "logs/dummy-host2.example.com-access_log" common
</VirtualHost>


[root@lzz htdocs]# /usr/local/apache/bin/apachectl stop   (restart the service!!!)
[root@lzz htdocs]# /usr/local/apache/bin/apachectl start
[root@lzz htdocs]# ss -antl
State              Recv-Q             Send-Q                         Local Address:Port                          Peer Address:Port             Process             
LISTEN             0                  128                                  0.0.0.0:111                                0.0.0.0:*                                    
LISTEN             0                  32                             192.168.122.1:53                                 0.0.0.0:*                                    
LISTEN             0                  128                                  0.0.0.0:22                                 0.0.0.0:*                                    
LISTEN             0                  5                                  127.0.0.1:631                                0.0.0.0:*                                    
LISTEN             0                  128                                     [::]:111                                   [::]:*                                    
LISTEN             0                  128                                        *:80                                       *:*                                    
LISTEN             0                  128                                     [::]:22                                    [::]:*                                    
LISTEN             0                  5                                      [::1]:631                                   [::]:*                                    
[root@lzz htdocs]# 

  2. Back in the browser, open the pages using the newly configured domain names!  This time the result is an error saying the name cannot be found!!

  3. Fix the name lookup failure!

   Step 1: on your own (Windows) computer, find the hosts file under Windows\System32\drivers\etc!

 Step 2: copy the file to the desktop, right-click it, open it with WordPad and add the line 192.168.180.100 laolin.example.com zzh.example.com (the last line in the screenshot)!

 Step 3: go back to the browser and open the pages by domain name again!  This time they load!!!
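As an added example that is not part of the original post: a small Python model of how httpd picks a virtual host for a request, covering all three kinds described above (port-based, IP-based and name-based). The configuration text, IP addresses and DocumentRoot paths are constructed for the example. It shows why the name-based setup only works once the hosts file resolves laolin.example.com and zzh.example.com to the server: a request whose Host header matches no ServerName or ServerAlias silently gets the first VirtualHost for that address and port, which is also what a plain request by IP address gets.

```python
"""Model of httpd virtual-host selection, added as an example (not Apache code).

Covers the three kinds in the walkthrough: same IP/different ports,
different IPs/same port, and same IP and port/different names.
All addresses, names and paths below are constructed for the example.
"""
import re

MAIN_SERVER_ROOT = "/usr/local/apache/htdocs"  # served when no VirtualHost matches

# Constructed httpd-vhosts.conf fragment mixing the three kinds
VHOSTS_CONF = """
Listen 80
Listen 81
<VirtualHost *:80>
    DocumentRoot "/usr/local/apache/htdocs/balloon-game"
    ServerName laolin.example.com
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/usr/local/apache/htdocs/santa-game"
    ServerName zzh.example.com
    ServerAlias www.zzh.example.com
</VirtualHost>
<VirtualHost 192.168.180.200:80>
    DocumentRoot "/usr/local/apache/htdocs/second-ip"
    ServerName dummy-host2.example.com
</VirtualHost>
<VirtualHost *:81>
    DocumentRoot "/usr/local/apache/htdocs/port81"
    ServerName dummy-host.example.com
</VirtualHost>
"""


def parse_vhosts(text):
    """Return (set of listening ports, list of vhost dicts in configuration order)."""
    listens, vhosts, current = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^:>\s]+):(\d+)>", line, re.IGNORECASE)
        if opened:
            current = {"addr": opened.group(1), "port": int(opened.group(2)),
                       "names": [], "root": MAIN_SERVER_ROOT}
            continue
        if line.lower() == "</virtualhost>":
            vhosts.append(current)
            current = None
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip().strip('"')
        if key == "listen":
            listens.add(int(value.rsplit(":", 1)[-1]))  # "81" or "192.168.180.200:81"
        elif current is not None and key in ("servername", "serveralias"):
            current["names"].extend(value.lower().split())
        elif current is not None and key == "documentroot":
            current["root"] = value
    return listens, vhosts


def select_vhost(listens, vhosts, local_ip, port, host_header=""):
    """Return the DocumentRoot httpd would serve, or None when nothing listens on the port."""
    if port not in listens:
        return None  # connection refused; the port would be missing from ss -antl
    # An exact IP:port match takes precedence; only otherwise do *:port vhosts apply
    exact = [v for v in vhosts if v["port"] == port and v["addr"] == local_ip]
    candidates = exact or [v for v in vhosts
                           if v["port"] == port and v["addr"] in ("*", "_default_")]
    if not candidates:
        return MAIN_SERVER_ROOT
    name = host_header.split(":")[0].lower()
    for v in candidates:
        if name in v["names"]:
            return v["root"]
    # No ServerName/ServerAlias matched (e.g. Host is a bare IP): the first vhost wins
    return candidates[0]["root"]
```

With this configuration a request to 192.168.180.100:80 whose Host header is the bare IP address lands in balloon-game, the first *:80 block, exactly as happened in step 5 before the hosts file was edited; the same request with Host: zzh.example.com reaches santa-game, and a request to port 82 gets nothing because no Listen covers it.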


Certificate authentication!

Step 1: edit the relevant configuration file and uncomment the needed lines!

[root@lzz extra]# vim ../httpd.conf     (.. means the httpd.conf in the parent directory)
#LoadModule session_dbd_module modules/mod_session_dbd.so
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule ssl_module modules/mod_ssl.so    (uncomment this line!)
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so




Include /etc/httpd24/extra/proxy-html.conf
</IfModule>

# Secure (SSL/TLS) connections
Include /etc/httpd24/extra/httpd-ssl.conf   (uncomment this line too!)
#
# Note: The following must must be present to support
  

 With the file open, search for  ssl  to jump to these locations!

Step 2: create the environment needed for the certificate!

[root@lzz extra]# mkdir /etc/pki/CA     (create a CA directory)
[root@lzz extra]# cd /etc/pki/CA        (enter the directory)
[root@lzz CA]# mkdir private            (create the private directory, because the next command writes into it)
[root@lzz CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
...................................+++++
e is 65537 (0x010001)
[root@lzz CA]# ls private                (list the directory!)
cakey.pem
[root@lzz CA]# 



[root@lzz CA]# openssl rsa -in private/cakey.pem -pubout (extract the public key; viewing it is optional!)
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyPHqMkfAHxjOG9Gq3vvN
IJzibNjjJL8HyUM0/UBv1ewecF7AvaN9jx5gDOZ+YyblRR2dOGfxAPb8KlZiGzG/
5+r0PrxYPASbMaZmh246U2FuBY1GDfx/2qoheBgKZt5ZHypjSliviE/JbzHhQukm
rt0wGd622ij2lqvPTrFHHAzwl25nUUySOXe10Zysg/Jf2lMy88Qotltg56RhJIi7
z8cF6jGxPgqEui1djICp/qekSkauC3P+4RjkncoLtV4oLTqBC7T0WbsNFIeGu5O2
/ZS/EiTz313UEut2c/qxVyrZbe5eD8yacb+i+6QLTPQtoaaHgzdVuHRzGh6AVrhs
2QIDAQAB
-----END PUBLIC KEY-----
[root@lzz CA]# 

Step 3: generate the new certificate!

[root@lzz CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
Note: this generates a self-signed X.509 certificate from the key private/cakey.pem, written to cacert.pem and valid for 365 days
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN           (country)
State or Province Name (full name) []:HB      (province)
Locality Name (eg, city) [Default City]:WH    (city)
Organization Name (eg, company) [Default Company Ltd]:JXRT    (company name)
Organizational Unit Name (eg, section) []:JXRT                (organizational unit)
Common Name (eg, your name or your server's hostname) []:zzh.example.com (the domain name; use the real one)
Email Address []:3@4.com                                      (email address)
[root@lzz CA]# ls
cacert.pem  private                            (what was generated is the CA certificate, not the client certificate!)

[root@lzz CA]# openssl x509 -text -in cacert.pem    (show the certificate contents; optional!)


Step 4: the client generates its certificate!

[root@lzz CA]# mkdir certs newcerts crl                    (create the directories!)
[root@lzz CA]# touch index.txt && echo 01 > serial
[root@lzz CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@lzz CA]# cat serial 
01
[root@lzz CA]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
............................+++++
................+++++
e is 65537 (0x010001)




[root@lzz CA]# openssl req -new -key httpd.key -days 365 -out httpd.csr  
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN            (the following must be the same as last time! with the default openssl ca policy, country, state and organization have to match the CA's)
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:JXRT
Organizational Unit Name (eg, section) []:JXRT
Common Name (eg, your name or your server's hostname) []:zzh.example.com
Email Address []:3@4.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@lzz CA]# ls                                (list what was just generated!)
cacert.pem  certs  crl  httpd.csr  httpd.key  index.txt  newcerts  private  serial



The CA signs the certificate request submitted by the client!
[root@lzz CA]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 27 11:16:09 2021 GMT
            Not After : Apr 27 11:16:09 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = JXRT
            organizationalUnitName    = JXRT
            commonName                = zzh.example.com
            emailAddress              = 3@4.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                73:8D:EF:94:B6:02:47:10:5C:53:C9:6F:AC:5D:38:98:7E:1F:4F:01
            X509v3 Authority Key Identifier: 
                keyid:19:3E:75:4C:60:0E:CB:7B:B2:18:49:6A:F1:45:2F:76:34:C3:2D:A9

Certificate is to be certified until Apr 27 11:16:09 2022 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
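The same CA workflow as steps 2 to 4, written as an added Python example (not code from the post) using the third-party cryptography package, which is assumed to be installed. It builds the CA key and self-signed CA certificate, a server key and CSR, checks the CSR signature the way openssl ca does, issues the server certificate with serial 1 and CA:FALSE, and verifies the result against the CA. Two things differ from the walkthrough on purpose: the CA gets its own Common Name instead of reusing zzh.example.com, and the CSR carries a subjectAltName, which browsers require before they accept a certificate for a host name. Note also that httpd-ssl.conf points SSLCertificateFile and SSLCertificateKeyFile at server.crt and server.key by default, so those directives must be changed to httpd.crt and httpd.key after step 5.

```python
"""Mini certificate authority in Python, added as an example (not code from the post).

Same steps as the openssl walkthrough: CA key -> self-signed CA certificate ->
server key -> CSR -> CA-signed server certificate, then verification.
Assumes the third-party 'cryptography' package is installed.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def make_name(common_name):
    """The DN fields the walkthrough typed in (values copied from it)."""
    return x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "CN"),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "HB"),
        x509.NameAttribute(NameOID.LOCALITY_NAME, "WH"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "JXRT"),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])


def validity(days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return now, now + datetime.timedelta(days=days)


def build_ca(days=365):
    """openssl genrsa + openssl req -new -x509: CA key and self-signed CA certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = make_name("JXRT Lab CA")  # CA name distinct from the server's, unlike the walkthrough
    start, end = validity(days)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(end)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def build_csr(hostnames):
    """openssl genrsa + openssl req -new: server key and request, with subjectAltName."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(make_name(hostnames[0]))
           .add_extension(x509.SubjectAlternativeName([x509.DNSName(h) for h in hostnames]),
                          critical=False)
           .sign(key, hashes.SHA256()))
    return key, csr


def sign_csr(ca_key, ca_cert, csr, serial, days=365):
    """openssl ca: check the request signature, then issue a CA:FALSE server certificate."""
    if not csr.is_signature_valid:
        raise ValueError("request does not match its signature")
    start, end = validity(days)
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key())
            .serial_number(serial)  # the walkthrough's 'echo 01 > serial'
            .not_valid_before(start).not_valid_after(end)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
            .add_extension(san, critical=False)
            .sign(ca_key, hashes.SHA256()))


def issued_by(ca_cert, cert):
    """True when cert's signature verifies under the CA key and the issuer name matches."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.issuer == ca_cert.subject


def demo(hostnames=("zzh.example.com", "laolin.example.com")):
    """Run the whole flow and report what a practitioner would check on the result."""
    ca_key, ca_cert = build_ca()
    server_key, csr = build_csr(list(hostnames))
    server_cert = sign_csr(ca_key, ca_cert, csr, serial=1)
    exts = server_cert.extensions
    return {
        "valid": issued_by(ca_cert, server_cert),
        "self_issued_ca": issued_by(ca_cert, ca_cert),
        "serial": server_cert.serial_number,
        "is_ca": exts.get_extension_for_class(x509.BasicConstraints).value.ca,
        "san": exts.get_extension_for_class(x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName),
        "pem": server_cert.public_bytes(serialization.Encoding.PEM),  # contents of httpd.crt
        "key_pem": server_key.private_bytes(serialization.Encoding.PEM,  # contents of httpd.key
                                            serialization.PrivateFormat.TraditionalOpenSSL,
                                            serialization.NoEncryption()),
    }
```

The "pem" and "key_pem" values are what the walkthrough moves to /etc/httpd24/ as httpd.crt and httpd.key; the CA certificate would additionally be imported into the browser's trust store, since nothing else vouches for a lab CA.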

Step 5: move the certificate and key to their location!

[root@lzz CA]# mv httpd.key httpd.crt /etc/httpd24/
[root@lzz CA]# systemctl restart httpd

Step 6: test the page!
