
How to delete stubborn files

2010-08-04 17:16 302 views

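I. Assignment requirements

Main site: http://www.zz.com 192.168.145.100, document root /var/www/html

Technical department site: https://tec.zz.com 192.168.145.101, document root /var/www/tec

Marketing department site: https://mkt.zz.com 192.168.145.102, document root /var/www/mkt

II. Topology diagram

III. Configuration

Site configuration: first make sure the DNS server, the web server and the CA have already been set up. The previous posts cover how to build and secure them.

Configure multiple IP addresses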

[root@localhost ~]# ifconfig eth0:0 192.168.145.101

[root@localhost ~]# ifconfig eth0:1 192.168.145.102

[root@localhost ~]# ifconfig

eth0 Link encap:Ethernet HWaddr 00:0C:29:1B:E2:73

inet addr:192.168.145.100 Bcast:192.168.145.255 Mask:255.255.255.0

inet6 addr: fe80::20c:29ff:fe1b:e273/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:7181 errors:0 dropped:0 overruns:0 frame:0

TX packets:4888 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:620809 (606.2 KiB) TX bytes:705252 (688.7 KiB)

Interrupt:67 Base address:0x2000

eth0:0 Link encap:Ethernet HWaddr 00:0C:29:1B:E2:73

inet addr:192.168.145.101 Bcast:192.168.145.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

Interrupt:67 Base address:0x2000

eth0:1 Link encap:Ethernet HWaddr 00:0C:29:1B:E2:73

inet addr:192.168.145.102 Bcast:192.168.145.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

Interrupt:67 Base address:0x2000

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING MTU:16436 Metric:1

RX packets:1803 errors:0 dropped:0 overruns:0 frame:0

TX packets:1803 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:2949156 (2.8 MiB) TX bytes:2949156 (2.8 MiB)

[root@localhost named]# cd /var/named/chroot/etc/

[root@localhost etc]# vim named.rfc1912.zones



Create the site document roots (the main site already has one) and a home page for each, for testing.

[root@localhost etc]# mkdir /var/www/tec

[root@localhost etc]# mkdir /var/www/mkt

[root@localhost etc]# cd /var/www/tec

[root@localhost tec]# echo "welcome to tec" >index.html

[root@localhost tec]# cd /var/www/mkt

[root@localhost mkt]# echo "welcome to mkt" >index.html

[root@localhost mkt]# vim /etc/httpd/conf/httpd.conf

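Next, issue the site certificates. The CA was set up last time, so we can request the certificates directly. The mod_ssl package is also required; it was already installed in the earlier environment. Because these are separate sites, each one needs its own private key.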

[root@localhost html]# cd /etc/httpd/certs/

[root@localhost certs]# openssl genrsa 1024 >tec_httpd.key

Generating RSA private key, 1024 bit long modulus

..............................................++++++

.............................++++++

e is 65537 (0x10001)

[root@localhost certs]# openssl req -new -key tec_httpd.key -out tec_httpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BEIJING]:

Locality Name (eg, city) [BEIJING]:

Organization Name (eg, company) [My Company Ltd]:zz.com

Organizational Unit Name (eg, section) []:tec

Common Name (eg, your name or your server's hostname) []:tec.zz.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@localhost certs]# openssl ca -in tec_httpd.csr -out tec_httpd.cert

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 2 (0x2)

Validity

Not Before: Aug 11 11:15:01 2012 GMT

Not After : Aug 11 11:15:01 2013 GMT

Subject:

countryName = CN

stateOrProvinceName = BEIJING

organizationName = zz.com

organizationalUnitName = tec

commonName = tec.zz.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier: AA:38:0C:7F:6A:6D:88:6E:EE:5A:F5:BF:D7:C7:C5:8D:4E:92:AE:85

X509v3 Authority Key Identifier: keyid:3D:60:9D:7A:34:73:89:5C:50:7A:DC:FF:82:98:D3:F8:1F:A1:A8:D8

Certificate is to be certified until Aug 11 11:15:01 2013 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@localhost certs]#

[root@localhost certs]# openssl genrsa 1024 >mkt_httpd.key

Generating RSA private key, 1024 bit long modulus

...............++++++

................++++++

e is 65537 (0x10001)

[root@localhost certs]# openssl req -new -key mkt_httpd.key -out mkt_httpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BEIJING]:SHANGHAI

Locality Name (eg, city) [BEIJING]:shanghai

Organization Name (eg, company) [My Company Ltd]:zz.com

Organizational Unit Name (eg, section) []:mkt

Common Name (eg, your name or your server's hostname) []:mkt.zz.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@localhost certs]# openssl ca -in mkt_httpd.csr -out mkt_httpd.cert

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 3 (0x3)

Validity

Not Before: Aug 11 11:17:32 2012 GMT

Not After : Aug 11 11:17:32 2013 GMT

Subject:

countryName = CN

stateOrProvinceName = SHANGHAI

organizationName = zz.com

organizationalUnitName = mkt

commonName = mkt.zz.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier: 0C:0B:21:28:85:86:58:FB:52:5D:A0:29:BB:38:B9:60:09:32:C7:38

X509v3 Authority Key Identifier: keyid:3D:60:9D:7A:34:73:89:5C:50:7A:DC:FF:82:98:D3:F8:1F:A1:A8:D8

Certificate is to be certified until Aug 11 11:17:32 2013 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

For security, tighten the file permissions.

[root@localhost certs]# chmod 600 *

[root@localhost certs]# ll

总计 36

-rw------- 1 root root 3053 08-11 16:54 httpd.cert

-rw------- 1 root root 643 08-11 16:53 httpd.csr

-rw------- 1 root root 887 08-11 16:51 httpd.key

-rw------- 1 root root 3066 08-11 22:58 mkt_httpd.cert

-rw------- 1 root root 651 08-11 22:58 mkt_httpd.csr

-rw------- 1 root root 887 08-11 22:57 mkt_httpd.key

-rw------- 1 root root 3061 08-11 22:56 tec_httpd.cert

-rw------- 1 root root 647 08-11 22:55 tec_httpd.csr

-rw------- 1 root root 891 08-11 22:53 tec_httpd.key

The location of the certificate files needs to be specified:

[root@localhost conf.d]# vim ssl.conf



IV. Testing







Change the listening ports so that users cannot reach the HTTPS sites over HTTP.
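The ssl.conf contents and the listening-port change are not reproduced in the text above, so here is one way to write them, as an added example that is not the original post's configuration. It assumes Apache 2.2 with mod_ssl and that the stock Listen lines are replaced; the addresses, document roots and certificate file names are the ones used in this article.

```apache
# Added example, not the original post's configuration.
# Assumption: Apache 2.2 with mod_ssl; whether these lines live in
# httpd.conf or conf.d/ssl.conf is a layout choice.

# Weak: a bare port makes httpd answer on every address, so the tec
# and mkt addresses would also serve plain HTTP on port 80.
#Listen 80
#Listen 443

# Corrected: bind each address only to the port its site should use.
# Remove the bare "Listen 80" and "Listen 443" lines, otherwise httpd
# fails to start because the address is already in use.
Listen 192.168.145.100:80
Listen 192.168.145.101:443
Listen 192.168.145.102:443

# Main site, plain HTTP
<VirtualHost 192.168.145.100:80>
    ServerName www.zz.com
    DocumentRoot /var/www/html
</VirtualHost>

# Technical department site, HTTPS only
<VirtualHost 192.168.145.101:443>
    ServerName tec.zz.com
    DocumentRoot /var/www/tec
    SSLEngine on
    SSLCertificateFile /etc/httpd/certs/tec_httpd.cert
    SSLCertificateKeyFile /etc/httpd/certs/tec_httpd.key
</VirtualHost>

# Marketing department site, HTTPS only
<VirtualHost 192.168.145.102:443>
    ServerName mkt.zz.com
    DocumentRoot /var/www/mkt
    SSLEngine on
    SSLCertificateFile /etc/httpd/certs/mkt_httpd.cert
    SSLCertificateKeyFile /etc/httpd/certs/mkt_httpd.key
</VirtualHost>
```

Run apachectl configtest before restarting httpd. With this layout nothing listens on port 80 of 192.168.145.101 or 192.168.145.102, so a request to http://tec.zz.com is refused instead of being served without TLS.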



This article is from the "Fighting!!!" blog; please retain this attribution: http://zhangzhenzz.blog.51cto.com/5117763/970091