• httpd练习.md


    需求说明

    分别用httpd-2.2和httpd-2.4 实现以下功能:

    • 两个虚拟主机,名字为www.a.comwww.b.org

    • www.a.com 页面文件为/opt/a.com/htdocs,访问日志文件路径/var/log/httpd/a.com/access.log,错误日志文件路径/var/log/httpd/a.com/error.log。两种日志做好按天切割日志。

    • www.b.org 页面文件为/opt/b.org/htdocs,访问日志文件路径/var/log/httpd/b.org/access.log,错误日志文件路径/var/log/httpd/b.org/error.log。两种日志做好按天切割日志。

    • 通过www.a.com/server-status输出其状态信息,且要求只允许提供账号的用户访问;

    • wwww.a.com/server-status只允许192.168.5.0/24 网络中的主机访问。

    • 同时为这两个虚拟主机提供https服务。

    说明:测试中的httpd全部为yum安装,httpd-2.2会在CentOS 6中演示,httpd-2.4会在CentOS 7中演示。

    httpd-2.2 配置

    安装

    安装可以使用yum安装也可以使用编译安装,但是CentOS 6中系统yum源默认的是httpd-2.2版本,这个需要注意。

    #yum install -y httpd httpd-devel mod_ssl
    

    ssl证书签署

    以下操作是在CA机器上进行的操作。

    生成CA证书

    # yum install -y openssl openssl-devel
    # cd /etc/pki/CA/
    #  (umask 077; openssl genrsa 2048 > private/cakey.pem)
    # openssl req -new -x509 -key private/cakey.pem -days 3655 -out cacert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:ShangHai
    Locality Name (eg, city) [Default City]:ShangHai
    Organization Name (eg, company) [Default Company Ltd]:example
    Organizational Unit Name (eg, section) []:ops
    Common Name (eg, your name or your server's hostname) []:www.example.com      
    Email Address []:admin@example.com
    #  touch index.txt serial
    # echo 01 > serial
    

    a.com域名证书签署

    # mkdir /opt/ssl/a.com -p
    # (umask 077 ;openssl genrsa 2048 > a.key)
    #  openssl req -new -key a.key -out a.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:ShangHai
    Locality Name (eg, city) [Default City]:ShangHai
    Organization Name (eg, company) [Default Company Ltd]:example    
    Organizational Unit Name (eg, section) []:ops
    Common Name (eg, your name or your server's hostname) []:www.a.com
    Email Address []:admin@a.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    # openssl ca -in a.csr -out a.crt
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Nov 28 08:05:37 2016 GMT
                Not After : Nov 28 08:05:37 2017 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = ShangHai
                organizationName          = example
                organizationalUnitName    = ops
                commonName                = www.a.com
                emailAddress              = admin@a.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    AD:30:DE:CC:1A:BC:2B:91:B0:B0:25:E0:48:92:1A:1B:45:38:5D:90
                X509v3 Authority Key Identifier: 
                    keyid:63:44:A4:35:9B:BA:F3:D1:85:99:60:6B:56:84:5B:E4:F5:83:25:06
    
    Certificate is to be certified until Nov 28 08:05:37 2017 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    

    签署b.org域名的证书

    # mkdir /opt/ssl/b.org/
    # cd /opt/ssl/b.org/
    # (umask 077 ;openssl genrsa 2048 > b.key)
    # openssl req -new -key b.key -out b.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:ShangHai
    Locality Name (eg, city) [Default City]:ShangHai
    Organization Name (eg, company) [Default Company Ltd]:example
    Organizational Unit Name (eg, section) []:ops
    Common Name (eg, your name or your server's hostname) []:www.b.org
    Email Address []:admin@b.org
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    #  openssl ca -in b.csr -out b.crt
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 2 (0x2)
            Validity
                Not Before: Nov 28 08:12:01 2016 GMT
                Not After : Nov 28 08:12:01 2017 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = ShangHai
                organizationName          = example
                organizationalUnitName    = ops
                commonName                = www.b.org
                emailAddress              = admin@b.org
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    93:8A:3D:19:32:67:D3:3A:3D:1B:FE:15:04:C2:A0:42:FC:13:3A:7E
                X509v3 Authority Key Identifier: 
                    keyid:63:44:A4:35:9B:BA:F3:D1:85:99:60:6B:56:84:5B:E4:F5:83:25:06
    
    Certificate is to be certified until Nov 28 08:12:01 2017 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    

    复制证书到httpd主机

    # scp -r  /opt/ssl/* root@192.168.5.194:/etc/httpd/ssl/
    

    注意httpd服务器上ssl目录的创建。

    查看签署信息

    # cat serial
    03
    # cat index.txt
    V   171128080537Z       01  unknown /C=CN/ST=ShangHai/O=example/OU=ops/CN=www.a.com/emailAddress=admin@a.com
    V   171128081201Z       02  unknown /C=CN/ST=ShangHai/O=example/OU=ops/CN=www.b.org/emailAddress=admin@b.org
    

    httpd配置

    以下操作是在httpd服务器上进行的操作。

    # vim /etc/httpd/conf.d/www.conf
    <VirtualHost *:80>
    ServerName www.a.com
    DocumentRoot "/opt/a.com/htdocs"
    DirectoryIndex index.html index.htm
    #CustomLog logs/a.com/access_log combined
    CustomLog "|rotatelogs /var/log/httpd/a.com/access_%Y%m%d.log 86400 480" combined
    ErrorLog "|rotatelogs /var/log/httpd/a.com/error_%Y%m%d.log 86400 480"
    <Location /server-status>
    SetHandler server-status
    Order allow,Deny
    Allow from 192.168.5
    AuthType Basic 
    AuthName "a.com basic"
    AuthUserFile "/etc/httpd/conf/.htpasswd"
    Require user bols
    </Location>
    </VirtualHost>
    
    <VirtualHost *:80>
    ServerName www.b.org
    DocumentRoot "/opt/b.org/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog "|rotatelogs /var/log/httpd/b.org/access_%Y%m%d.log 86400 480" combined
    ErrorLog "|rotatelogs /var/log/httpd/b.org/error_%Y%m%d.log 86400 480"
    #CustomLog logs/b.org/access_log combined
    #ErrorLog logs/b.org/error_log
    </VirtualHost>
    
    <VirtualHost *:443>
    ServerName www.b.org:443
    DocumentRoot "/opt/b.org/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/b.org/access_ssl.log combined
    ErrorLog /var/log/httpd/b.org/error_ssl.log
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/b.org/b.crt
    SSLCertificateKeyFile /etc/httpd/ssl/b.org/b.key
    </VirtualHost>
    
    <VirtualHost *:443>
    ServerName www.a.com:443
    DocumentRoot "/opt/a.com/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/a.com/access_ssl.log combined
    ErrorLog /var/log/httpd/a.com/error_ssl.log
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/a.com/a.crt
    SSLCertificateKeyFile /etc/httpd/ssl/a.com/a.key
    </VirtualHost>
    

    测试

    • 创建网站测试的文件

    [root@db-02 ~]# cat /opt/a.com/htdocs/index.html 
    <h1>www.a.com</h1>
    [root@db-02 ~]# cat /opt/b.org/htdocs/index.html 
    <h1>www.b.org</h1>
    
    • 导入根证书

    请将CA 证书中的cacert.pem 文件导入到浏览器中的受信任的根证书中。

    • 相关所需文件的创建

    # mkdir /var/log/httpd/a.com/
    # mkdir /var/log/httpd/b.org/
    # /etc/init.d/httpd start
    # htpasswd -cm /etc/httpd/conf/.htpasswd bols
    
    • 测试

    测试前请在hosts文件写入域名和想对应的解析IP:

    # curl  http://www.a.com/index.html
    <h1>www.a.com</h1>
    # curl  http://www.b.org/index.html
    <h1>www.b.org</h1>
    
    # openssl s_client -connect www.b.org:443 -CAfile /etc/pki/CA/cacert.pem
    ......
    GET /index.html HTTP/1.1
    Host:www.b.org
    
    HTTP/1.1 200 OK
    Date: Mon, 28 Nov 2016 09:58:20 GMT
    Server: Apache/2.2.15 (CentOS)
    Last-Modified: Wed, 23 Nov 2016 09:17:33 GMT
    ETag: "2405e-13-541f45be79532"
    Accept-Ranges: bytes
    Content-Length: 19
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    <h1>www.b.org</h1>
    closed
    
    # openssl s_client -connect www.a.com:443 -CAfile /etc/pki/CA/cacert.pem
    ......
    GET /index.html HTTP/1.1
    Host:www.a.com
    
    HTTP/1.1 200 OK
    Date: Mon, 28 Nov 2016 09:57:39 GMT
    Server: Apache/2.2.15 (CentOS)
    Last-Modified: Wed, 23 Nov 2016 09:17:04 GMT
    ETag: "2405f-13-541f45a2f779e"
    Accept-Ranges: bytes
    Content-Length: 19
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    <h1>www.a.com</h1>
    closed
    
    [root@bid-02 ~]# curl -I --user bols:bols http://www.a.com/server-status
    HTTP/1.1 200 OK
    Date: Mon, 28 Nov 2016 11:05:37 GMT
    Server: Apache/2.2.15 (CentOS)
    Content-Length: 2536
    Connection: close
    Content-Type: text/html; charset=ISO-8859-1
    

    安装配置出现问题:

    • 语法检测时出现警告

    # httpd -t
    httpd: apr_sockaddr_info_get() failed for db-02
    httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
    [Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
    [Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    Syntax OK
    

    首先第一个是httpd的配置文件中ServerName 没有指定:

    # vim /etc/httpd/conf/httpd.conf +276
    ServerName *:80
    

    之后在检测开始报错:

    # httpd -t
    [Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
    [Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    Syntax OK
    

    这个是由于NameVirtualHost 没有指定:

    vim /etc/httpd/conf/httpd.conf +991
    NameVirtualHost *:80
    NameVirtualHost *:443
    
    • 配置日志滚动时出现滚动日志失败

    原因:问题原因不清楚,但是解决方法是将日志文件使用绝对路径,不要使用相对路径。

    httpd-2.4

    安装

    # yum install -y httpd httpd-devel mod_ssl
    

    CA证书配置

    ssl证书还是用于在CentOS 6系统中创建的,并把文件拷贝至/etc/httpd/ssl目录中,注意这个目录需要手动创建。

    网站测试文件创建

    # cat /opt/a.com/htdocs/index.html 
    <h1>www.a.com</h1>
    # cat /opt/b.org/htdocs/index.html 
    <h1>www.b.org</h1>
    

    认证文件创建

    htpasswd 命令的使用请自行谷歌。

    # htpasswd -cm /etc/httpd/conf/htpasswd bols
    

    配置

    <VirtualHost *:80>
    ServerName www.a.com
    DocumentRoot "/opt/a.com/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/a.com/access.log  combined
    ErrorLog  /var/log/httpd/a.com/error.log
    <Directory "/opt/a.com/htdocs">
    Options None
    AllowOverride None
    Require all granted 
    </Directory>
    <Location /server-status>
    SetHandler server-status
    Options None
    AuthType Basic 
    AuthName "a.com basic"
    AuthUserFile "/etc/httpd/conf/htpasswd"
    Require user bols
    </Location>
    </VirtualHost>
    
    <VirtualHost *:80>
    ServerName www.b.org
    DocumentRoot "/opt/b.org/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/b.org/access.log combined
    ErrorLog /var/log/httpd/b.org/error.log 
    <Directory "/opt/b.org/htdocs">
    Options None
    AllowOverride None
    Require all granted 
    </Directory>
    </VirtualHost>
    
    <VirtualHost *:443>
    ServerName www.b.org:443
    DocumentRoot "/opt/b.org/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/b.org/access_ssl.log combined
    ErrorLog /var/log/httpd/b.org/error_ssl.log
    <Directory "/opt/b.org/htdocs">
    Options None
    AllowOverride None
    Require all granted 
    </Directory>
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/b.org/b.crt
    SSLCertificateKeyFile /etc/httpd/ssl/b.org/b.key
    </VirtualHost>
    
    <VirtualHost *:443>
    ServerName www.a.com:443
    DocumentRoot "/opt/a.com/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/a.com/access_ssl.log combined
    ErrorLog /var/log/httpd/a.com/error_ssl.log
    <Directory "/opt/a.com/htdocs">
    Options None
    AllowOverride None
    Require all granted 
    </Directory>
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/a.com/a.crt
    SSLCertificateKeyFile /etc/httpd/ssl/a.com/a.key
    </VirtualHost>
    

    测试

    测试和CentOS 6中一样,测试的结果就不在贴出。

    说明

    在CentOS 7 中的配置和使用和CentOS 6有以下几个区别(个人总结):

    • 启动httpd不在是用service命令而是使用systemctl命令。

    • 任意目录下的页面只有显式授权才能被访问。

    • 访问控制配置如下:

      • 允许所有主机访问:Require all granted

      • 拒绝所有主机访问:Require all deny

      • 授权指定来源的IP访问:Require ip IPADDR

      • 拒绝指定来源的IP访问:Require not ip IPADDR

      • 授权指定来源的主机访问:Require host HOSTNAME

      • 拒绝指定来源的主机访问:Require not host HOSTNAME

    关于日志滚动的说明:

    • httpd 日志滚动可以用rotatelogs、cronolog或者脚本滚动。

    • 日志滚动可以用rotatelogs 是httpd自带的日志滚动工具,自己测试在httpd-2.4中没有成功。

    • cronolog 是在epel源中的一个日志滚动工具,需要安装。

    • 脚本控制滚动这个看自己业务需求进行写了。

  • 相关阅读:
    初见QT---信号和槽(二)
    初见QT---信号和槽
    Python的那些事---数据分析(一)---NumPy基础
    初见QT---创建QPushButton按钮
    初见QT---QT creator常见快捷键使用
    PHP 反射 Reflection
    python 代码求阶乘
    Python中的计时器对象
    python websocket 再线聊天室的 Demo
    Tornado创建一个web服务
  • 原文地址:https://www.cnblogs.com/cuchadanfan/p/6114877.html
Copyright © 2020-2023  润新知