Exercises on httpd directives and HTTPS
2016-07-19 02:01
Implemented separately with httpd-2.2 and httpd-2.4.
1. Set up an httpd service with these requirements:
(1) Provide two name-based virtual hosts, www1 and www2, each with its own error log and access log;
(2) Expose status information at /server-status on www1, accessible only to the user tom;
(3) www2 must reject every host in the 192.168.0.0/24 network;
2. Provide HTTPS for the second virtual host above.
1. httpd-2.2 (environment: CentOS 6.7)
Main configuration file
# vim /etc/httpd/conf/httpd.conf
NameVirtualHost 172.16.8.100:80
LoadModule status_module modules/mod_status.so
www1 configuration file
# vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.8.100:80>
    DocumentRoot /data/www1
    ServerName www1.marvel.com
    ErrorLog logs/www1-error_log
    CustomLog logs/www1-access_log combined
    <Location /server-status>
        SetHandler server-status
        Options None
        # AllowOverride is only valid inside <Directory>; httpd refuses to start with it in a <Location> block
        AuthName "status"
        AuthType Basic
        AuthUserFile "/etc/httpd/www1_passwd"
        Require user tom
    </Location>
</VirtualHost>
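The `Require user tom` line above only takes effect once /etc/httpd/www1_passwd exists (normally created with `htpasswd -c /etc/httpd/www1_passwd tom`). The Python script below is an added example, not part of the original post: it writes and checks entries in the {SHA} format that `htpasswd -s` produces, so you can see exactly what the file contains, why its permissions matter, and why it must stay outside DocumentRoot. The user name is the page's; the password and the output path are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import stat

# Constructed example values (not from the page): the user name matches the
# page's "Require user tom"; the password is made up for this demonstration.
EXAMPLE_USER = "tom"
EXAMPLE_PASSWORD = "correct horse battery staple"


def sha1_htpasswd_entry(user: str, password: str) -> str:
    """Return one line in htpasswd's {SHA} format (what `htpasswd -s` writes).

    The format is "user:{SHA}" + base64(SHA-1(password)). It is unsalted, so a
    leaked file is cheap to crack offline; on httpd 2.4 prefer `htpasswd -B`
    (bcrypt). It is shown here because it is the simplest format to inspect.
    """
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def verify_htpasswd(lines, user: str, password: str) -> bool:
    """Check a password against a list of htpasswd lines.

    Only {SHA} entries are understood; other formats (apr1, bcrypt) are
    skipped. The first matching user line decides, as mod_authn_file does.
    """
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        if name != user or not stored.startswith("{SHA}"):
            continue
        expected = base64.b64decode(stored[len("{SHA}"):])
        actual = hashlib.sha1(password.encode("utf-8")).digest()
        return hmac.compare_digest(expected, actual)
    return False


def write_authuserfile(path: str, entries) -> None:
    """Write the AuthUserFile with mode 0640 (root writes, httpd's group reads).

    Keep the file outside DocumentRoot: a file such as /data/www1/.www1_passwd
    sits in the served tree and is not covered by the default <Files ".ht*">
    deny rule, so clients could download it.
    """
    mode = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as f:
        for entry in entries:
            f.write(entry + "\n")


if __name__ == "__main__":
    entry = sha1_htpasswd_entry(EXAMPLE_USER, EXAMPLE_PASSWORD)
    print(entry)
    print(verify_htpasswd([entry], "tom", EXAMPLE_PASSWORD))  # True
    print(verify_htpasswd([entry], "tom", "wrong password"))  # False
    # write_authuserfile("/etc/httpd/www1_passwd", [entry])  # run as root on the server
```

The comparison uses `hmac.compare_digest` so that checking a wrong password takes the same time as checking a right one; httpd does the same internally, and it is the detail to keep when writing any password-check code of your own.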
www2 configuration file
# vim /etc/httpd/conf.d/www2.conf
<VirtualHost 172.16.8.100:80>
    DocumentRoot /data/www2
    ServerName www2.marvel.com
    ErrorLog logs/www2-error_log
    CustomLog logs/www2-access_log combined
    <Directory "/data/www2">
        Options None
        AllowOverride None
        # requirement (3): with Order allow,deny a matching Deny wins over Allow from all
        Order allow,deny
        Allow from all
        Deny from 192.168.0.0/24
    </Directory>
</VirtualHost>
Configure HTTPS for www2
# yum install mod_ssl
# httpd -M    // check whether the ssl module is loaded; if it is not, add LoadModule ssl_module modules/mod_ssl.so to the main configuration file or to ssl.conf
Obtain a digital certificate for the server;
For testing, issue it from a private CA (here on 172.16.8.101):
(a) Create the private CA
The paths below are the defaults from /etc/pki/tls/openssl.cnf (dir = /etc/pki/CA, private_key = private/cakey.pem, certificate = cacert.pem, plus the serial and index.txt files), so `openssl ca` finds everything without extra options.
# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 1024)    # 1024-bit RSA is below today's minimum; use 2048 or more outside a lab
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
# echo 01 > /etc/pki/CA/serial
# touch /etc/pki/CA/index.txt
(b) Create the certificate signing request on the server, 172.16.8.100
# (umask 077; openssl genrsa -out /etc/pki/tls/private/httpd.key 1024)
# openssl req -new -key /etc/pki/tls/private/httpd.key -out /etc/pki/tls/httpd.csr
# scp /etc/pki/tls/httpd.csr 172.16.8.101:/tmp
Note: installing mod_ssl also installs the configuration file ssl.conf, which states where the private key and the certificate are expected to be stored.
(c) Sign the request on the CA
# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt
# scp /tmp/httpd.crt 172.16.8.100:/etc/pki/tls/certs/httpd.crt
Only the signed certificate leaves the CA; the server's private key never leaves /etc/pki/tls/private on the server, and clients must import cacert.pem before they will trust the issued certificate.
# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost 172.16.8.100:443>
...
    ServerName www2.marvel.com
    DocumentRoot "/data/www2"
    SSLCertificateFile /etc/pki/tls/certs/httpd.crt
    SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
...
</VirtualHost>
The <Directory "/data/www2"> rules in www2.conf are scoped to the :80 virtual host; repeat the same Order/Allow/Deny block inside this :443 virtual host so that requirement (3) also holds over HTTPS.
2. httpd-2.4 (environment: CentOS 7.1)
1. Load the status module
In /etc/httpd/conf.modules.d/00-base.conf, add or uncomment the following line
LoadModule status_module modules/mod_status.so
2. Edit the configuration file of virtual host www1; httpd-2.4 no longer needs the NameVirtualHost directive
# vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.8.102:80>
    ServerName www1.marvel.com
    DocumentRoot "/data/www1"
    ErrorLog logs/www1-error_log
    CustomLog logs/www1-access_log combined
    <Location /server-status>
        SetHandler server-status
        Options None
        # AllowOverride is not permitted inside <Location>
        AuthName "status"
        AuthType Basic
        # keep the password file outside DocumentRoot so it can never be served to clients
        AuthUserFile "/etc/httpd/www1_passwd"
        Require user tom
    </Location>
    <Directory "/data/www1">
        # the 2.4 default for the filesystem root is "Require all denied", so grant access explicitly
        Require all granted
    </Directory>
</VirtualHost>
3. Edit the www2 configuration file
# vim /etc/httpd/conf.d/www2.conf
<VirtualHost 172.16.8.102:80>
    ServerName www2.marvel.com
    DocumentRoot "/data/www2"
    ErrorLog logs/www2-error_log
    CustomLog logs/www2-access_log combined
    <Directory "/data/www2">
        # requirement (3): inside <RequireAll> every directive must pass,
        # and "Require not ip" fails for clients inside 192.168.0.0/24
        <RequireAll>
            Require all granted
            Require not ip 192.168.0.0/24
        </RequireAll>
    </Directory>
</VirtualHost>
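Requirement (3) is expressed in two different directive styles on this page: the 2.2 www2 block uses Order/Allow/Deny from mod_authz_host, while the 2.4 block uses RequireAll with Require not ip. The Python script below is an added example (not from the original post) that simulates how each version evaluates a client address, so the two styles can be compared side by side and the effect of forgetting the Deny line in 2.2 becomes visible. The client addresses are constructed for the example.

```python
import ipaddress

# Constructed sample clients (not from the page): one inside the network the
# exercise must block, one elsewhere on the page's lab subnet.
SAMPLE_CLIENTS = ["192.168.0.25", "172.16.8.50"]


def allowed_httpd22(client_ip, allow_from, deny_from, order="allow,deny"):
    """Simulate mod_authz_host in httpd 2.2: Order + Allow from + Deny from.

    allow_from / deny_from are lists of "all" or CIDR strings.
    Order allow,deny: default is deny; a matching Deny overrides Allow.
    Order deny,allow: default is allow; a matching Allow overrides Deny.
    """
    ip = ipaddress.ip_address(client_ip)

    def matches(rules):
        return any(
            r == "all" or ip in ipaddress.ip_network(r, strict=False)
            for r in rules
        )

    allow, deny = matches(allow_from), matches(deny_from)
    if order == "allow,deny":
        return allow and not deny
    if order == "deny,allow":
        return allow or not deny
    raise ValueError(f"unknown Order value: {order}")


def allowed_httpd24(client_ip, not_ip_networks):
    """Simulate the httpd 2.4 block
        <RequireAll>
            Require all granted
            Require not ip <network> ...
        </RequireAll>
    Inside <RequireAll> every directive must succeed; "Require not ip" fails
    whenever the client address lies in one of the listed networks.
    """
    ip = ipaddress.ip_address(client_ip)
    granted = True  # "Require all granted" always succeeds
    blocked = any(
        ip in ipaddress.ip_network(n, strict=False) for n in not_ip_networks
    )
    return granted and not blocked


def check_www2(client_ip):
    """Evaluate requirement (3) for one client under three configurations:
    the 2.2 block with only "Allow from all" (no Deny line), the 2.2 block
    with "Deny from 192.168.0.0/24" added, and the 2.4 RequireAll block."""
    return {
        "2.2 allow-all only": allowed_httpd22(client_ip, ["all"], []),
        "2.2 with deny": allowed_httpd22(client_ip, ["all"], ["192.168.0.0/24"]),
        "2.4 RequireAll": allowed_httpd24(client_ip, ["192.168.0.0/24"]),
    }


if __name__ == "__main__":
    for client in SAMPLE_CLIENTS:
        print(client, check_www2(client))
```

Running it shows that 192.168.0.25 is admitted by the allow-all-only configuration and rejected by the other two, while 172.16.8.50 is admitted by all three; a quick check like this, run against the addresses you care about before reloading httpd, catches the most common Order/Allow/Deny mistakes.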
4. Provide HTTPS for www2
Install the mod_ssl module
# yum install mod_ssl
Installing mod_ssl automatically creates /etc/httpd/conf.modules.d/00-ssl.conf, which contains the directive that loads the module
LoadModule ssl_module modules/mod_ssl.so
Obtain a digital certificate for the server;
For testing, issue it from a private CA (here on 172.16.8.101):
(a) Create the private CA
The paths below are the defaults from /etc/pki/tls/openssl.cnf (dir = /etc/pki/CA, private_key = private/cakey.pem, certificate = cacert.pem, plus the serial and index.txt files), so `openssl ca` finds everything without extra options.
# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 1024)    # 1024-bit RSA is below today's minimum; use 2048 or more outside a lab
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
# echo 01 > /etc/pki/CA/serial
# touch /etc/pki/CA/index.txt
(b) Create the certificate signing request on the server, 172.16.8.102
# (umask 077; openssl genrsa -out /etc/pki/tls/private/httpd.key 1024)
# openssl req -new -key /etc/pki/tls/private/httpd.key -out /etc/pki/tls/httpd.csr
# scp /etc/pki/tls/httpd.csr 172.16.8.101:/tmp
Note: installing mod_ssl also installs the configuration file ssl.conf, which states where the private key and the certificate are expected to be stored.
(c) Sign the request on the CA
# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt
# scp /tmp/httpd.crt 172.16.8.102:/etc/pki/tls/certs/httpd.crt
# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost 172.16.8.102:443>
...
    ServerName www2.marvel.com
    DocumentRoot "/data/www2"
    <Directory "/data/www2">
        # the :80 rules do not carry over to this virtual host, so requirement (3) is repeated here
        <RequireAll>
            Require all granted
            Require not ip 192.168.0.0/24
        </RequireAll>
    </Directory>
    SSLCertificateFile /etc/pki/tls/certs/httpd.crt
    SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
...
</VirtualHost>