练习题:分别使用httpd-2.2和httpd-2.4实现;
1、建立httpd服务,要求:
(1) 提供两个基于名称的虚拟主机:
www1.stuX.com,页面文件目录为/web/vhosts/www1;错误日志为/var/log/httpd/www1/error_log,访问日志为/var/log/httpd/www1/access_log;
www2.stuX.com,页面文件目录为/web/vhosts/www2;错误日志为/var/log/httpd/www2/error_log,访问日志为/var/log/httpd/www2/access_log;
(2) 通过www1.stuX.com/server-status输出其状态信息,且要求只允许提供账号的用户访问;
(3) www1不允许192.168.1.0/24网络中的主机访问;
2、为上面的第2个虚拟主机提供https服务,使得用户可以通过https安全的访问此web站点;
(1) 要求使用证书认证,证书中要求使用国家(CN),州(Beijing),城市(Beijing),组织为(MageEdu);
(2) 设置部门为Ops, 主机名为www2.stuX.com;
实验环境:httpd-2.2
[root@server-status localhost6]#vi /etc/httpd/conf/httpd.conf #DocumentRoot "/var/www/html" KeepAlive On
#在/etc/httpd/conf.d/下配置此文件
[root@conf.d localhost6]#cat virtuhost.conf <VirtualHost 172.16.252.242:80> #定义虚拟主机,同一个ip和port ServerName www1.stuX.com #虚拟主机名,必须相同 DocumentRoot "/web/vhosts/www1" #虚拟主机1的HTML存放处 <Directory "/web/vhosts/www1"> #定义控制访问 Options None AllowOverride None order allow,deny deny from 192.168.1.0/24 #拒绝此网段访问主机 allow from all </Directory> ErrorLog /var/log/httpd/www1/error_log #错误日志 CustomLog /var/log/httpd/www2/access_log combined #访问日志
<Location /server-status> #status页面 Options None AllowOverride None SetHandler server-status AuthType Basic AuthName "input id and passwd" AuthuserFile "/etc/httpd/conf/.htpasswd" Require user magedu </Location>
</VirtualHost> <VirtualHost 172.16.252.242:80> ServerName www2.stuX.com DocumentRoot "/web/vhosts/www2" <Directory "/web/vhosts/www2"> Options None AllowOverride None order allow,deny allow from all </Directory> ErrorLog /var/log/httpd/www2/error_log CustomLog /var/log/httpd/www2/access_log combined </VirtualHost>
#用户认证的创建
htpasswd -c -m /etc/httpd/conf/.htpasswd magedu
2、将服务器172.16.252.225配成CA机构:
]#(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096 > > ) Generating RSA private key, 4096 bit long modulus ............................................................................................................................................................................................++ ..............++ e is 65537 (0x10001)
#自签证书
[root@www ~17:34:39]#openssl req -new -x509 -key /etc/pki/CA/private/\ > cakey.pem -out /etc/pki/CA/cacert.pem -days 36600 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Beijing Locality Name (eg, city) [Default City]:Beijing Organization Name (eg, company) [Default Company Ltd]:MageEdu Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:magedu.com Email Address []:
]#touch serial index.txt
]#echo 01 > serial
3、给虚拟主机2认证:
[root@~ localhost6]#mkdir -v /ca/ mkdir: created directory `/ca/' [root@~ localhost6]#(umask 077;openssl genrsa -out /ca/httpd.key 2048) Generating RSA private key, 2048 bit long modulus ..........................................+++ ..........................+++ e is 65537 (0x10001) [root@~ localhost6]#openssl req -new -key /ca/httpd.key -out /ca/httpd.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Beijing Locality Name (eg, city) [Default City]:Beijing Organization Name (eg, company) [Default Company Ltd]:MageEdu Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:www2.stuX.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:123 string is too short, it needs to be at least 4 bytes long A challenge password []:123456 An optional company name []:
#将公钥传给CA
[root@ca localhost6]#scp /ca/httpd.csr root@172.16.252.225:/etc/pki/CA/ The authenticity of host '172.16.252.225 (172.16.252.225)' can't be established. RSA key fingerprint is 0b:0e:e9:a5:c7:74:dc:22:e0:22:80:e9:a2:9c:4f:20. Are you sure you want to continue connecting (yes/no)? y Please type 'yes' or 'no': yes Warning: Permanently added '172.16.252.225' (RSA) to the list of known hosts. root@172.16.252.225's password: httpd.csr 100% 1017 1.0KB/s 00:00
#在CA主机进行签证
[root@www CA17:52:01]#openssl ca -in httpd.csr -out /etc/pki/CA/certs/httpd.crt Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Apr 24 09:53:16 2017 GMT Not After : Apr 24 09:53:16 2018 GMT Subject: countryName = CN stateOrProvinceName = Beijing organizationName = MageEdu commonName = www2.stuX.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 95:A1:28:9B:96:F7:30:40:B1:E4:DE:F3:9F:BD:37:6E:4C:B3:99:9C X509v3 Authority Key Identifier: keyid:0A:6C:39:63:F0:52:18:86:1B:F8:0B:DA:33:6E:35:79:8B:6A:7D:AD Certificate is to be certified until Apr 24 09:53:16 2018 GMT (365 days) Sign the certificate? [y/n]:yes 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
#返回已签证书
[root@www certs18:01:36]#scp httpd.crt root@172.16.252.242:/ca/ root@172.16.252.242's password: httpd.crt 100% 5649 5.5KB/s 00:00
将CA的公钥发送到Windows,改成.crt,并安转。
