Two virtual hosts with httpd-2.2

Two virtual hosts with httpd-2.2; the requirements are as follows:

a.

1. Provide two name-based virtual hosts, www1 and www2, each with its own error log and access log;

2. Expose httpd status information at www1/server-status, accessible only to the user tom;

3. www2 must not be reachable from any host on the 192.168.0.0/24 network;

b.

Provide HTTPS service for the second virtual host (www2) above.

 

Implementation steps:

1. Create the configuration files for the two virtual hosts www1 and www2, /etc/httpd/conf.d/vhostwww1.conf and /etc/httpd/conf.d/vhostwww2.conf, their document roots /var/www/html/www1 and /var/www/html/www2, and the index pages indexwww1.html and indexwww2.html.

[root@www ~]# mkdir /var/www/html/www{1,2}
[root@www ~]# echo www1 > /var/www/html/www1/indexwww1.html
[root@www ~]# echo www2 > /var/www/html/www2/indexwww2.html

[root@www ~]# cat /etc/httpd/conf.d/vhostwww1.conf
<VirtualHost 172.16.251.237:80>
    ServerName www1
    DocumentRoot "/var/www/html/www1"
    DirectoryIndex indexwww1.html
    ErrorLog logs/www1_error_log
    CustomLog logs/www1_access_log combined
    <Location /server-status>
        SetHandler server-status
        AuthType Basic
        AuthName "httpd-2.2 status page"
        AuthUserFile /etc/httpd/user/.htpasswd
        Require user tom
    </Location>
</VirtualHost>

 

[root@www ~]# cat /etc/httpd/conf.d/vhostwww2.conf
<VirtualHost 172.16.251.237:80>
    ServerName www2
    DocumentRoot "/var/www/html/www2"
    DirectoryIndex indexwww2.html
    ErrorLog logs/www2_error_log
    CustomLog logs/www2_access_log combined
    <Directory /var/www/html/www2>
        Options None
        AllowOverride None
        Order deny,allow
        Deny from 192.168.0.0/24
    </Directory>
</VirtualHost>

Edit the main configuration file:

vim /etc/httpd/conf/httpd.conf
NameVirtualHost  172.16.251.237:80

Create the authentication user tom:

mkdir /etc/httpd/user
htpasswd -m -c /etc/httpd/user/.htpasswd tom   ---- enter the password twice.


Provide HTTPS service for virtual host www2

Install mod_ssl, the httpd-2.2 extension module:

yum -y install mod_ssl

Build a private CA to issue a certificate for the www2 virtual site.

Lab environment: a single CentOS 6.7 host that is both the CA and the www2 site.

CA setup:

[root@www ~]# cd /etc/pki/CA
[root@www CA]# touch index.txt   ---- create the CA database file
[root@www CA]# echo 01 > serial

Generate the CA private key:

[root@www CA]# (umask 066;openssl genrsa -out private/cakey.pem 1024)
Generating RSA private key, 1024 bit long modulus
..............................................++++++
......................++++++
e is 65537 (0x10001)
[root@www CA]# ls -l private/cakey.pem
-rw-------. 1 root root 891 Jul 19 00:07 private/cakey.pem

Generate the CA's self-signed certificate:

[root@www CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.crt

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:beijing

Locality Name (eg, city) [Default City]:beijing

Organization Name (eg, company) [Default Company Ltd]:www.magedu.com        

Organizational Unit Name (eg, section) []:m19

Common Name (eg, your name or your server's hostname) []:www.wudang.com

Email Address []:[email protected]

Generate the private key for www2's httpd:

[root@www CA]# mkdir /etc/httpd/ssl
[root@www CA]# (umask 066;openssl genrsa -out /etc/httpd/ssl/httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.........................++++++
.++++++
e is 65537 (0x10001)

Generate the certificate request for www2:

[root@www CA]# openssl req -new -key /etc/httpd/ssl/httpd.key -days 356 -out /etc/httpd/ssl/httpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:beijing   -------- must match what was entered for the CA's certificate

Locality Name (eg, city) [Default City]:beijing   ------- must match what was entered for the CA's certificate

Organization Name (eg, company) [Default Company Ltd]:www.magedu.com   --- must match what was entered for the CA's certificate

Organizational Unit Name (eg, section) []:m16

Common Name (eg, your name or your server's hostname) []:www.wudang.com   

Email Address []:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:   ------- for security, a password on the certificate request file

An optional company name []:

Hand the generated www2 certificate request to the CA; once it passes verification, the CA issues the certificate:

[root@www CA]# openssl ca -cert /etc/pki/CA/cacert.crt -in /etc/httpd/ssl/httpd.csr -out /etc/pki/CA/httpd.crt -days 365   ---- -cert names the CA certificate created above; the default openssl.cnf otherwise looks for cacert.pem
cp /etc/pki/CA/httpd.crt /etc/httpd/ssl/httpd.crt

The www2 virtual site now has its certificate.

 

Next, edit the configuration file that the mod_ssl module provides for httpd-2.2:

vim /etc/httpd/conf.d/ssl.conf

LoadModule ssl_module modules/mod_ssl.so
Listen 443

<VirtualHost 172.16.251.237:443>
    DocumentRoot "/var/www/html/www2"
    ServerName www2:443
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
</VirtualHost>

service httpd reload   ---- reload the service

Test the www2 certificate:

vim /etc/hosts
172.16.251.237   www1  www2

1. openssl s_client -connect www2:443 -CAfile /etc/pki/CA/cacert.crt

2. Import the CA certificate into the browser, then visit
   https://www2/indexwww2.html
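As an added check covering the signing step and the s_client test above (example script, not part of the original post): it builds a throwaway CA and server certificate in a temporary directory, using openssl x509 -req instead of the openssl ca database and 2048-bit keys, then runs the three checks worth doing before pointing SSLCertificateFile and SSLCertificateKeyFile at real files: the chain verifies against the CA, the key matches the certificate, and the certificate CN equals the vhost ServerName. Note that the request above used CN www.wudang.com while the vhost's ServerName is www2; browsers compare the certificate name against the hostname they connect to, so these should agree. WORK and the demo subject fields are constructed; only the openssl CLI is assumed.

```shell
#!/bin/bash
# Added example, not from the original post. Assumes the openssl CLI is installed.
# WORK is a constructed scratch directory standing in for /etc/pki/CA and /etc/httpd/ssl.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA and a server certificate for the given Common Name,
# mirroring the post's genrsa/req steps; signing uses openssl x509 -req so no
# openssl.cnf CA database (index.txt, serial) is required.
make_demo_pki() {
    local cn="$1" subj="/C=CN/ST=beijing/O=demo"
    (umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$WORK/cakey.pem" -days 3650 \
        -subj "$subj/CN=demo CA" -out "$WORK/cacert.crt" 2>/dev/null
    (umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$WORK/httpd.key" -subj "$subj/CN=$cn" \
        -out "$WORK/httpd.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/httpd.csr" -CA "$WORK/cacert.crt" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
        -out "$WORK/httpd.crt" 2>/dev/null
}

# Check 1: the server certificate chains to our CA (what s_client -CAfile verifies).
chain_ok() {
    openssl verify -CAfile "$WORK/cacert.crt" "$WORK/httpd.crt" >/dev/null 2>&1
}

# Check 2: SSLCertificateKeyFile and SSLCertificateFile belong together;
# httpd refuses to start with "key values mismatch" if the RSA modulus differs.
key_matches_cert() {
    local k c
    k=$(openssl rsa  -in "$WORK/httpd.key" -noout -modulus 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$WORK/httpd.crt" -noout -modulus 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 3: the certificate's CN equals the name clients use (the vhost ServerName);
# a valid chain does not help when the browser sees a different hostname.
cert_cn() {
    openssl x509 -in "$WORK/httpd.crt" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
cn_matches() { [ "$(cert_cn)" = "$1" ]; }
```

For the real files, substitute /etc/pki/CA/cacert.crt and /etc/httpd/ssl/httpd.key and httpd.crt for the paths under WORK.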
