CentOS6.7上搭建httpd-2.2

1.实验需求：

1、建立httpd服务，要求：
(1) 提供两个基于名称的虚拟主机www1,www2；有单独的错误日志和访问日志；
(2) 通过www1的/server-status提供状态信息，且仅允许tom用户访问；
(3) www2不允许192.168.0.0/24网络中任意主机访问；
2、为上面的第2个虚拟主机提供https服务

2.实验环境：

Linux服务器操作系统版本：CentOS release 6.7 (Final) IP：172.16.66.60
WIN7系统客户机：IP：172.16.250.100

3.实验前提：
1）关闭防火墙和SELinux

~]# service iptables stop
~]# setenforce 0

4.实验过程：

1.提供两个基于名称的虚拟主机www1,www2；有单独的错误日志和访问日志

一、安装服务

1.yum安装httpd-2.2

~]# yum install httpd -y
~]# rpm -qa httpd
~]# rpm -ql httpd
~]# rpm -qc httpd
~]# service httpd restart
~]# chkconfig httpd on
~]# ss -lnt

二、配置虚拟主机

~]# cat /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.66.60:80>
ServerName www1.magedu.com
DocumentRoot /data/vhosts/www1
ErrorLog logs/www1-error_log
CustomLog logs/www1-access_log combined
</VirtualHost>

~]# cat /etc/httpd/conf.d/www2.conf
<VirtualHost 172.16.66.60:80>
ServerName www2.magedu.com
DocumentRoot /data/vhosts/www2
ErrorLog logs/www2-error_log
CustomLog logs/www2-access_log combined
</VirtualHost>

三、修改配置参数:

1)备份原有的配置文件
~]# cp -p httpd.conf httpd.conf.bak

2)开启虚拟主机：NameVirtualHost
~]# sed -n '990p' /etc/httpd/httpd.conf
NameVirtualHost 172.16.66.60:80

3)创建站点目录：
~]# mkdir -pv /data/vhosts/www{1,2}
~]# echo "<h1> www1.magedu.com </h1>" > /data/vhosts/www1/index.html
~]# echo "<h1> www2.magedu.com </h1>" > /data/vhosts/www2/index.html

4)添加hosts域名解析
~]# echo " 172.16.66.60 www1.magedu.com www2.magedu.com " >> /etc/hsots

四、PC端上测试内容

1)在wind7上添加域名解析：路径：C:\Windows\System32\drivers\etc\hosts
2)用记事本打开hosts添加并保存：172.16.66.60 www1.magedu.com www2.magedu.com
3)测试都正常访问



2.通过www1的/server-status提供状态信息，且仅允许tom用户访问；


一、修改配置文件：

1)只允许tom用户访问/server-status;
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName "For tom"
AuthUserFile "/etc/httpd/conf/.htpasswd"
Require user tom
</Location>

2)创建虚拟用户tom文件
~]# htpasswd -c -m /etc/httpd/conf/.htpasswd tom

3)检查语法并重载配置文件
~]# httpd -t
~]# service httpd reload

二、在PC机浏览器中测试：

1)输入 http://172.16.66.60/server-status 需要用户tom认证才能访问

3、为上面的第2个虚拟主机提供https服务；

工作目录:/etc/pki/CA/

1)生成私钥
CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)

2)生成自签证书
CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.',the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg,city) [Default City]:Beijing
Organization Name (eg,company) [Default Company Ltd]:liyang
Organizational Unit Name (eg,section) []:0ps
Common Name (eg,your name or your server's hostname) []:www2.magedu.com
Email Address []:magedu@com

3)提供辅助文件
CA]# touch index.txt
CA]# echo 01 > serial 序列号


二、节点申请证书

1)生成私钥

~]# mkdir -pv /etc/httpd/ssl
ssl]# (umask 077; openssl genrsa -out httpd.key 1024)

2)生成证书签署请求：
ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg,your name or your server's hostname) []:www2.magedu.com
Email Address []:magedu@com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3)把请求发给CA
ssl]# cp httpd.csr /tmp/

三、CA签发证书 1)签署证书~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crtUsing configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details: Serial Number: 1 (0x1) Validity Not Before: Jul 12 13:01:20 2016 GMT Not After : Jul 12 13:01:20 2017 GMT Subject: countryName = CN stateOrProvinceName = Beijing organizationName = liyang organizationalUnitName = 0ps commonName = www2.magedu.com emailAddress = magedu@com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: F6:C2:E3:DC:3F:D9:50:39:52:43:35:BF:99:BC:FF:5E:26:EB:9E:29 X509v3 Authority Key Identifier: keyid:15:71:78:70:3E:9B:23:64:A0:37:DE:91:1E:6B:73:F6:AD:3C:A7:A7Certificate is to be certified until Jul 12 13:01:20 2017 GMT (365 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified,commit? [y/n]yWrite out database with 1 new entriesData Base Updated 2)把签署好的证书发还给请求者。~]# cp /etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/注意：本次私建CA在一台机器完成。四、配置httpd支持使用ssl，及使用的证书 1)yum安装mod_ssl模块~]# httpd -M | grep ssl ~]# yum install mod_ssl -y~]# rpm -ql mod_ssl/etc/httpd/conf.d/ssl.conf/usr/lib64/httpd/modules/mod_ssl.so 2）修改配置文件~]# cat /etc/httpd/conf.d/ssl.conf <VirtualHost _default_:443> DocumentRoot "/data/vhosts/www2" ServerName www2.magedu.com:443 ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log SSLProtocol all -SSLv2 SSLCertificateFile /etc/httpd/ssl/httpd.crt SSLCertificateKeyFile /etc/httpd/ssl/httpd.key </VirtualHost> 五、测试结果： 1)在PC机浏览器中测试：https://www2.magedu.com 通过443端口访问 2)在PC机浏览器中测试：http://www2.magedu.com 通过80端口访问