1. Set up an httpd service with the following requirements:
(1) Provide two name-based virtual hosts:
www1.stuX.com: document root /web/vhosts/www1; error log /var/log/httpd/www1/error_log, access log /var/log/httpd/www1/access_log;
www2.stuX.com: document root /web/vhosts/www2; error log /var/log/httpd/www2/error_log, access log /var/log/httpd/www2/access_log;
(2) Expose the server's status information at www1.stuX.com/server-status, and allow only users holding a provided account to access it;
(3) www1 must not allow access from host 192.168.0.88;
2. Provide an https service for the second virtual host above, so that users can access the site securely over https;
(1) Certificate-based authentication is required; the certificate must use country CN, state Beijing, city Beijing and organization MageEdu;
(2) Set the organizational unit to Ops and the hostname to www2.stuX.com;
3. Configure a forced redirect to https: visiting http://www2.stuX.com must redirect to https://www2.stuX.com.
Implemented on CentOS 7 with httpd-2.4
Before configuring anything, install httpd and mod_ssl:
[root@localhost ~]# yum install -y mod_ssl httpd
1. Set up the httpd service
First create the document root directories and the log directories:
[root@localhost ~]# mkdir -pv /web/vhosts/www1 # create the www1 web directory
mkdir: created directory ‘/web’
mkdir: created directory ‘/web/vhosts’
mkdir: created directory ‘/web/vhosts/www1’
[root@localhost ~]# mkdir /var/log/httpd/www1 # create the www1 log directory
[root@localhost ~]# mkdir -pv /web/vhosts/www2 # create the www2 web directory
mkdir: created directory ‘/web/vhosts/www2’
[root@localhost ~]# mkdir /var/log/httpd/www2 # create the www2 log directory
[root@localhost ~]# chcon -R --reference /var/www/ /web/ # give /web the same SELinux context as /var/www
Then edit the configuration file:
[root@localhost ~]# vim /etc/httpd/conf.d/vhosts.conf
# httpd does not accept a comment at the end of a directive line, so every comment sits on its own line.
# load the status module
LoadModule status_module modules/mod_status.so
# name-based virtual host for www1.stuX.com
<VirtualHost *:80>
    ServerName www1.stuX.com
    DocumentRoot /web/vhosts/www1
    # access log and error log for www1
    CustomLog "/var/log/httpd/www1/access_log" combined
    ErrorLog "/var/log/httpd/www1/error_log"
    <Directory "/web/vhosts/www1">
        Options None
        AllowOverride None
        <RequireAll>
            Require all granted
            # deny 192.168.0.88 access to the www1 directory
            Require not ip 192.168.0.88
        </RequireAll>
    </Directory>
    # the server-status page
    <Location /server-status>
        # hand the request to the server status handler
        SetHandler server-status
        Options None
        # AllowOverride is only valid inside <Directory>, so it is not used here
        AuthType Basic
        AuthName "welcome to www1.stuX.com"
        AuthUserFile "/web/vhosts/www1passwd"
        # only the listed accounts may access the page after authenticating
        Require user charlie wch
    </Location>
</VirtualHost>
# name-based virtual host for www2.stuX.com
<VirtualHost *:80>
    ServerName www2.stuX.com
    DocumentRoot /web/vhosts/www2
    CustomLog "/var/log/httpd/www2/access_log" combined
    ErrorLog "/var/log/httpd/www2/error_log"
    <Directory "/web/vhosts/www2">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
Next create the user authentication file:
[root@localhost ~]# htpasswd -cb /web/vhosts/www1passwd charlie 123456
Adding password for user charlie
[root@localhost ~]# htpasswd -b /web/vhosts/www1passwd wch magedu
Adding password for user wch
Check the configuration with httpd -t and, if it reports no errors, start the service:
[root@localhost ~]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
Syntax OK
Test authenticated access:
I tested from Windows; my local IP is 192.168.0.38. Edit and save the C:\Windows\System32\drivers\etc\hosts file:
127.0.0.1 localhost
127.0.0.1 steamcommunity.com
192.168.0.109 www1.stuX.com
192.168.0.109 www2.stuX.com
Then test access:
Check the corresponding log files:
[root@localhost ~]# tail -5 /var/log/httpd/www1/access_log
192.168.0.88 - - [01/May/2018:19:18:00 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1" 403 244 "http://www1.stux.com/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
192.168.0.88 - - [01/May/2018:19:18:06 +0800] "GET /server-status HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
192.168.0.88 - - [01/May/2018:19:18:06 +0800] "GET /server-status HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
192.168.0.88 - charlie [01/May/2018:19:18:40 +0800] "GET /server-status HTTP/1.1" 200 4315 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
192.168.0.88 - - [01/May/2018:19:20:06 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
[root@localhost ~]# tail -5 /var/log/httpd/www1/error_log
[Tue May 01 19:22:51.202586 2018] [auth_basic:error] [pid 11446] [client 192.168.0.88:50872] AH01618: user asdasda not found: /server-status
[Tue May 01 19:22:51.445776 2018] [auth_basic:error] [pid 11446] [client 192.168.0.88:50872] AH01618: user not found: /server-status
[Tue May 01 19:22:52.552326 2018] [auth_basic:error] [pid 11446] [client 192.168.0.88:50872] AH01618: user asdasda not found: /server-status
[Tue May 01 19:22:53.682249 2018] [auth_basic:error] [pid 11446] [client 192.168.0.88:50872] AH01618: user adasd not found: /server-status
[Tue May 01 19:22:55.105525 2018] [authz_core:error] [pid 11446] [client 192.168.0.88:50872] AH01630: client denied by server configuration: /web/vhosts/www1/favicon.ico, referer: http://www1.stux.com/server-status
[root@localhost ~]# tail -5 /var/log/httpd/www2/access_log
192.168.0.38 - - [01/May/2018:18:54:40 +0800] "GET / HTTP/1.1" 200 13 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
192.168.0.88 - - [01/May/2018:19:20:13 +0800] "GET / HTTP/1.1" 200 13 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
[root@localhost ~]# tail -5 /var/log/httpd/www2/error_log
(empty)
All the relevant logs record the accesses normally.
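The access log above shows that 192.168.0.88 got 403 for / but 200 for /server-status once it authenticated as charlie: the Require directives inside the <Location> replace the ones merged in from the <Directory> section, so the IP deny never reaches the status page. The block below is an added example for this edit, not the article's own configuration; it reuses the article's paths and account names and combines both requirements with <RequireAll>.

```apache
# Hardened /server-status for www1.stuX.com (added example, not the article's config).
# Both conditions must hold: the client is not 192.168.0.88 AND it has
# authenticated as one of the listed users. Without <RequireAll>, the Require
# in this <Location> silently replaces the IP deny set in <Directory>.
<Location "/server-status">
    SetHandler server-status
    AuthType Basic
    AuthName "welcome to www1.stuX.com"
    AuthUserFile "/web/vhosts/www1passwd"
    <RequireAll>
        Require not ip 192.168.0.88
        Require user charlie wch
    </RequireAll>
</Location>
```

After httpd -t and a restart, a request from 192.168.0.88 to /server-status should appear in access_log with 403 even when valid credentials are supplied.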
2. Provide an https service for the second virtual host so that users can access the site securely over https
First create the CA that will sign the certificate:
[root@localhost ~]# cd /etc/pki/CA/private/
[root@localhost private]# (umask 077;openssl genrsa -out CA.key 1024) # generate the CA private key
Generating RSA private key, 1024 bit long modulus
..............................................++++++
....................++++++
e is 65537 (0x10001)
[root@localhost private]# ll
total 4
-rw-------. 1 root root 887 May 1 19:57 CA.key
[root@localhost private]# cd ../certs/
[root@localhost certs]# openssl req -new -x509 -key /etc/pki/CA/private/CA.key -out CA.crt -days 365 # generate the CA's self-signed certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca
Email Address []:
[root@localhost certs]# cd
[root@localhost ~]# touch /etc/pki/CA/{serial,index.txt} # create the serial and index.txt files
[root@localhost ~]# echo 00 > /etc/pki/CA/serial # set the starting serial number
Next generate and sign the server certificate:
[root@localhost ~]# mkdir /etc/httpd/ssl # create httpd's ssl directory
[root@localhost ~]# cd /etc/httpd/ssl
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd-ssl.key 1024) # generate the httpd-ssl private key
Generating RSA private key, 1024 bit long modulus
....................++++++
.....++++++
e is 65537 (0x10001)
[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd-ssl.key -out httpd-ssl.csr -days 365 # generate the httpd-ssl certificate signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.stuX.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# openssl ca -in httpd-ssl.csr -out httpd-ssl.crt -days 365 -cert /etc/pki/CA/certs/CA.crt -keyfile /etc/pki/CA/private/CA.key # sign the httpd-ssl certificate with the CA
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: May 1 12:33:28 2018 GMT
Not After : May 1 12:33:28 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = MageEdu
organizationalUnitName = Ops
commonName = www2.stuX.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E2:DC:0A:C4:72:EE:DC:9E:57:4A:F8:38:49:DA:B1:DF:24:24:73:3D
X509v3 Authority Key Identifier:
keyid:E7:5E:74:26:B2:A4:C6:C7:67:7A:BB:8B:8B:DF:E8:C4:AF:39:03:B0
Certificate is to be certified until May 1 12:33:28 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Then edit the /etc/httpd/conf.d/ssl.conf file (comments on their own lines, since httpd rejects trailing comments):
# make sure this line is present
Listen 443 https
# point these at the certificate and private key just generated
SSLCertificateFile /etc/httpd/ssl/httpd-ssl.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd-ssl.key
Edit the /etc/httpd/conf.d/vhosts.conf file:
# virtual host on port 80
<VirtualHost *:80>
    ServerName www2.stuX.com
    DocumentRoot /web/vhosts/www2
    CustomLog "/var/log/httpd/www2/access_log" combined
    ErrorLog "/var/log/httpd/www2/error_log"
    <Directory "/web/vhosts/www2">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
# newly added virtual host listening on port 443
<VirtualHost *:443>
    ServerName www2.stuX.com
    DocumentRoot /web/vhosts/www2
    CustomLog "/var/log/httpd/www2/access_log" combined
    ErrorLog "/var/log/httpd/www2/error_log"
    <Directory "/web/vhosts/www2">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
Restart the httpd service, then test access:
At this point visiting http://www2.stuX.com does not redirect to the https page:
3. Configure the forced https redirect
First confirm that mod_rewrite is loaded; in httpd-2.4 the module configuration lives in /etc/httpd/conf.modules.d/00-base.conf:
[root@localhost ~]# vim /etc/httpd/conf.modules.d/00-base.conf
# if this LoadModule line is missing, add it yourself
LoadModule rewrite_module modules/mod_rewrite.so
Then edit the www2 virtual host configuration:
[root@localhost ~]# vim /etc/httpd/conf.d/vhosts.conf
<VirtualHost *:80>
    ServerName www2.stuX.com
    DocumentRoot /web/vhosts/www2
    CustomLog "/var/log/httpd/www2/access_log" combined
    ErrorLog "/var/log/httpd/www2/error_log"
    # turn on the rewrite engine
    RewriteEngine on
    # condition for the rule below: the request arrived on port 80
    RewriteCond %{SERVER_PORT} 80
    # rule: a path beginning with /test is redirected to the same path over https, e.g. https://www2.stuX.com/test.html
    RewriteRule ^(/test.*)$ https://%{HTTP_HOST}$1 [R,L]
    <Directory "/web/vhosts/www2">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
After saving, restart the httpd service and test by visiting the corresponding page:
At this point other paths on www2.stuX.com, such as index.html, are not redirected to https.
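A www2 configuration whose redirect covers the whole site, as task 3 asks, written as an added example for this edit rather than taken from the article; it reuses the article's document root, log and certificate paths, and places SSLEngine on together with the certificate directives directly in the :443 host.

```apache
# www2.stuX.com with a site-wide http -> https redirect (added example, not the
# article's own vhosts.conf). All paths are the ones created in the article.
<VirtualHost *:80>
    ServerName www2.stuX.com
    DocumentRoot /web/vhosts/www2
    CustomLog "/var/log/httpd/www2/access_log" combined
    ErrorLog "/var/log/httpd/www2/error_log"
    RewriteEngine on
    # only requests that did not arrive over TLS ...
    RewriteCond %{HTTPS} off
    # ... and every path, not just /test*, goes to the same path on https.
    # R=301 makes the redirect permanent; L stops further rule processing.
    RewriteRule ^/?(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    # mod_alias's   Redirect permanent "/" "https://www2.stuX.com/"   achieves
    # the same without mod_rewrite.
</VirtualHost>
<VirtualHost *:443>
    ServerName www2.stuX.com
    DocumentRoot /web/vhosts/www2
    CustomLog "/var/log/httpd/www2/access_log" combined
    ErrorLog "/var/log/httpd/www2/error_log"
    # TLS for this host, using the certificate signed by the article's CA
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/httpd-ssl.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd-ssl.key
    <Directory "/web/vhosts/www2">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

With this in place, a request for http://www2.stuX.com/index.html is logged with status 301 and the browser follows the Location header to https://www2.stuX.com/index.html.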
The Rewrite module is rather complex to use, and I have only just started with it; interested readers can study it through the links below:
Configuring the https service: https://blog.csdn.net/wlzx120/article/details/52597338
Configuring the forced https redirect: https://www.centos.bz/2018/01/apache-%E5%BC%BA%E5%88%B6-http-%E5%85%A8%E9%83%A8%E8%B7%B3%E8%BD%AC%E5%88%B0-https/
The Rewrite module: http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html
Rewrite module Chinese manual: http://man.chinaunix.net/newsoft/Apache2.2_chinese_manual/mod/mod_rewrite.html#rewriterule
Detailed introduction to the RewriteRule and RewriteCond parameters: https://blog.csdn.net/lijunwyf/article/details/54948463