RHEL6.3实现基于加密的用户认证验证访问
2013-02-01 16:54
781 查看
一、业务需求
Apache需要实现加密的基于用户身份认证的验证访问,来保证特定站点页面的安全。这里是需求的实现过程,请看如下分解。
二、具体实现步骤:
1、建立主目录及网页
[root@test1 www]# mkdir virt1
[root@test1 www]# ls
cgi-bin error html icons manual virt1
[root@test1 www]# cd virt1
[root@test1 virt1]# echo "welcomt to apache website">index.html
[root@test1 virt1]# ls
index.html
[root@test1 virt1]# cat index.html
welcomt to apache website
2、使用apache自带的htpasswd工具生成密码文件来作为用户访问认证的来源
格式:htpasswd options FilePath user
-c :第一次创建时使用该选项
-m :将密码使用MD5加密存放
-D :从密码文件中删除用户
[root@test1 conf]# htpasswd -cm .htpasswd aaa
New password:
Re-type new password:
Adding password for user aaa
[root@test1 conf]# cat .htpasswd
aaa:$apr1$hhFTA/vU$GwUfNDRNGFGIyHWftqc2M1
[root@test1 conf]# htpasswd -m .htpasswd bbb
New password:
Re-type new password:
Adding password for user bbb
[root@test1 conf]# cat .htpasswd
aaa:$apr1$hhFTA/vU$GwUfNDRNGFGIyHWftqc2M1
bbb:$apr1$QHr2Dpff$wMtQI74PcbNOMrY0mPgpa0
[root@test1 conf]#
如果是要删除用户
#htpasswd -D .htpasswd aaa
3、对指定的网页目录使用基本身份认证验证
比如对test1.demo.com网站的访问需要基于用户认证验证
配置apache的主配置文件:/etc/httpd/conf/httpd.conf
NameVirtualHost 192.168.1.123:80
<VirtualHost 192.168.1.123:80>
DocumentRoot /var/www/virt1
ServerName test1.demo.com
ErrorLog logs/test1.demo.com-error.log
<Directory /var/www/virt1>
authName "realm"
AuthType basic
AuthUserFile /etc/httpd/conf/.htpasswd
Require User aaa bbb
</Directory>
</VirtualHost>
[root@test1 virt1]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
4、加密配置
[root@test1 conf]# (umask 077;openssl genrsa -des3 -out server.key)
Generating RSA private key, 512 bit long modulus
....++++++++++++
....++++++++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@test1 conf]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Beijing]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Tianli
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:test1.demo.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@test1 conf]# openssl ca -in server.csr -out server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Jan 31 05:37:44 2013 GMT
Not After : Jan 31 05:37:44 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = Hebei
organizationName = Default Company Ltd
commonName = test1.demo.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
CB:3D:6E:BD:48:ED:BD:FE:39:BD:27:C5:B5:57:19:96:79:11:23:14
X509v3 Authority Key Identifier:
keyid:4C:45:25:5F:60:7F:F8:6E:6F:B4:53:C4:FB:BD:A3:C6:82:AE:2A:62
Certificate is to be certified until Jan 31 05:37:44 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
将httpd.conf中的这一段复制放到ssl.conf中并修改和添加SSL认证语句
NameVirtualHost 192.168.1.123:443
<VirtualHost 192.168.1.123:443>
DocumentRoot /var/www/virt1
SSLEngine on
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key
ServerName test1.demo.com
ErrorLog logs/test1.demo.com-error.log
<Directory /var/www/virt1>
authName "realm"
AuthType basic
AuthUserFile /etc/httpd/conf/.htpasswd
Require User aaa bbb
</Directory>
</VirtualHost>
注:需要将原httpd.conf文件中的这一段进行注释或屏蔽。
[root@test1 conf]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [Thu Jan 31 01:29:41 2013] [warn] NameVirtualHost 192.168.1.123:80 has no VirtualHosts
Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server test1.demo.com:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
[ OK ]
[root@test1 conf]#
三、测试
在FIREFOX中输入https://test1.demo.com进行浏览
点击I Understand the Risks
点击Add Exception
点击Confirm Security Exception
输入用户名和密码
最后看到受保护页面内容
本文出自 “滴水穿石孙杰” 博客,谢绝转载!
Apache需要实现加密的基于用户身份认证的验证访问,来保证特定站点页面的安全。这里是需求的实现过程,请看如下分解。
二、具体实现步骤:
1、建立主目录及网页
[root@test1 www]# mkdir virt1
[root@test1 www]# ls
cgi-bin error html icons manual virt1
[root@test1 www]# cd virt1
[root@test1 virt1]# echo "welcomt to apache website">index.html
[root@test1 virt1]# ls
index.html
[root@test1 virt1]# cat index.html
welcomt to apache website
2、使用apache自带的htpasswd工具生成密码文件来作为用户访问认证的来源
格式:htpasswd options FilePath user
-c :第一次创建时使用该选项
-m :将密码使用MD5加密存放
-D :从密码文件中删除用户
[root@test1 conf]# htpasswd -cm .htpasswd aaa
New password:
Re-type new password:
Adding password for user aaa
[root@test1 conf]# cat .htpasswd
aaa:$apr1$hhFTA/vU$GwUfNDRNGFGIyHWftqc2M1
[root@test1 conf]# htpasswd -m .htpasswd bbb
New password:
Re-type new password:
Adding password for user bbb
[root@test1 conf]# cat .htpasswd
aaa:$apr1$hhFTA/vU$GwUfNDRNGFGIyHWftqc2M1
bbb:$apr1$QHr2Dpff$wMtQI74PcbNOMrY0mPgpa0
[root@test1 conf]#
如果是要删除用户
#htpasswd -D .htpasswd aaa
3、对指定的网页目录使用基本身份认证验证
比如对test1.demo.com网站的访问需要基于用户认证验证
配置apache的主配置文件:/etc/httpd/conf/httpd.conf
NameVirtualHost 192.168.1.123:80
<VirtualHost 192.168.1.123:80>
DocumentRoot /var/www/virt1
ServerName test1.demo.com
ErrorLog logs/test1.demo.com-error.log
<Directory /var/www/virt1>
authName "realm"
AuthType basic
AuthUserFile /etc/httpd/conf/.htpasswd
Require User aaa bbb
</Directory>
</VirtualHost>
[root@test1 virt1]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
4、加密配置
[root@test1 conf]# (umask 077;openssl genrsa -des3 -out server.key)
Generating RSA private key, 512 bit long modulus
....++++++++++++
....++++++++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@test1 conf]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Beijing]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Tianli
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:test1.demo.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@test1 conf]# openssl ca -in server.csr -out server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Jan 31 05:37:44 2013 GMT
Not After : Jan 31 05:37:44 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = Hebei
organizationName = Default Company Ltd
commonName = test1.demo.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
CB:3D:6E:BD:48:ED:BD:FE:39:BD:27:C5:B5:57:19:96:79:11:23:14
X509v3 Authority Key Identifier:
keyid:4C:45:25:5F:60:7F:F8:6E:6F:B4:53:C4:FB:BD:A3:C6:82:AE:2A:62
Certificate is to be certified until Jan 31 05:37:44 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
将httpd.conf中的这一段复制放到ssl.conf中并修改和添加SSL认证语句
NameVirtualHost 192.168.1.123:443
<VirtualHost 192.168.1.123:443>
DocumentRoot /var/www/virt1
SSLEngine on
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key
ServerName test1.demo.com
ErrorLog logs/test1.demo.com-error.log
<Directory /var/www/virt1>
authName "realm"
AuthType basic
AuthUserFile /etc/httpd/conf/.htpasswd
Require User aaa bbb
</Directory>
</VirtualHost>
注:需要将原httpd.conf文件中的这一段进行注释或屏蔽。
[root@test1 conf]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [Thu Jan 31 01:29:41 2013] [warn] NameVirtualHost 192.168.1.123:80 has no VirtualHosts
Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server test1.demo.com:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
[ OK ]
[root@test1 conf]#
三、测试
在FIREFOX中输入https://test1.demo.com进行浏览
点击I Understand the Risks
点击Add Exception
点击Confirm Security Exception
输入用户名和密码
最后看到受保护页面内容
本文出自 “滴水穿石孙杰” 博客,谢绝转载!
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- AngularJS中实现用户访问的身份认证和表单验证功能
- RHEL6.3配置Apache服务器(4) 基于用户的访问控制
- AngularJS中实现用户访问的身份认证和表单验证功能
- 利用servlet 实现JAVAWeb访问微信OAuth2.0认证,获取用户信息的实例
- 用SHA1或MD5 算法加密数据(示例:对用户身份验证的简单实现)
- 用户登录图片验证的实现---基于servlet
- 用SHA1或MD5 算法加密数据(示例:对用户身份验证的简单实现)
- 基于JSP的AJAX的实现(用户注册验证)
- 【总结】基于Spring LDAP和Spring Security的用户认证和权限控制Web实现
- 19、vftpd基于PAM_MYSQL进行虚拟用户的认证且每个用户有自己的独立目录及不同的访问权限
- ASP.NET基于表单的验证实现网上安全访问,管理
- 基于ubuntu中使用mysql实现opensips用户认证的解决方法
- ftp奥妙之怎么实现基于mysql的数据库和对应的表中的字段来完成对用户认证的? 推荐
- FTP(六)实现基于MYSQL验证的FTP虚拟用户
- 构建Postfix+Mysql+Dovecot邮件系统,实现以Web页面访问的功能、添加SASL认证以及TLS加密传输 推荐
- 用SHA1或MD5 算法加密数据(示例:对用户身份验证的简单实现)
- 基于basic认证机制配置httpd服务器拥有用户访问控制功能
- 《Apache服务用户身份验证管理》RHEL6.3
- 多功能复合机基于用户认证功能的实现过程详解 推荐
- 基于用户认证来实现不同域的邮件转发