httpd练习.md
需求说明
分别用httpd-2.2和httpd-2.4 实现以下功能:
两个虚拟主机,名字为
www.a.com
、www.b.org
。www.a.com
页面文件为/opt/a.com/htdocs,访问日志文件路径/var/log/httpd/a.com/access.log,错误日志文件路径/var/log/httpd/a.com/error.log。两种日志做好按天切割日志。www.b.org
页面文件为/opt/b.org/htdocs,访问日志文件路径/var/log/httpd/b.org/access.log,错误日志文件路径/var/log/httpd/b.org/error.log。两种日志做好按天切割日志。通过
www.a.com/server-status
输出其状态信息,且要求只允许提供账号的用户访问;wwww.a.com/server-status
只允许192.168.5.0/24 网络中的主机访问。同时为这两个虚拟主机提供https服务。
说明:测试中的httpd全部为yum安装,httpd-2.2会在CentOS 6中演示,httpd-2.4会在CentOS 7中演示。
httpd-2.2 配置
安装
安装可以使用yum安装也可以使用编译安装,但是CentOS 6中系统yum源默认的是httpd-2.2版本,这个需要注意。
#yum install -y httpd httpd-devel mod_ssl
ssl证书签署
以下操作是在CA机器上进行的操作。
生成CA证书
# yum install -y openssl openssl-devel
# cd /etc/pki/CA/
# (umask 077; openssl genrsa 2048 > private/cakey.pem)
# openssl req -new -x509 -key private/cakey.pem -days 3655 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:admin@example.com
# touch index.txt serial
# echo 01 > serial
a.com域名证书签署
# mkdir /opt/ssl/a.com -p
# (umask 077 ;openssl genrsa 2048 > a.key)
# openssl req -new -key a.key -out a.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:admin@a.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in a.csr -out a.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 28 08:05:37 2016 GMT
Not After : Nov 28 08:05:37 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = ShangHai
organizationName = example
organizationalUnitName = ops
commonName = www.a.com
emailAddress = admin@a.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AD:30:DE:CC:1A:BC:2B:91:B0:B0:25:E0:48:92:1A:1B:45:38:5D:90
X509v3 Authority Key Identifier:
keyid:63:44:A4:35:9B:BA:F3:D1:85:99:60:6B:56:84:5B:E4:F5:83:25:06
Certificate is to be certified until Nov 28 08:05:37 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
签署b.org域名的证书
# mkdir /opt/ssl/b.org/
# cd /opt/ssl/b.org/
# (umask 077 ;openssl genrsa 2048 > b.key)
# openssl req -new -key b.key -out b.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.b.org
Email Address []:admin@b.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in b.csr -out b.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Nov 28 08:12:01 2016 GMT
Not After : Nov 28 08:12:01 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = ShangHai
organizationName = example
organizationalUnitName = ops
commonName = www.b.org
emailAddress = admin@b.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
93:8A:3D:19:32:67:D3:3A:3D:1B:FE:15:04:C2:A0:42:FC:13:3A:7E
X509v3 Authority Key Identifier:
keyid:63:44:A4:35:9B:BA:F3:D1:85:99:60:6B:56:84:5B:E4:F5:83:25:06
Certificate is to be certified until Nov 28 08:12:01 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
复制证书到httpd主机
# scp -r /opt/ssl/* root@192.168.5.194:/etc/httpd/ssl/
注意httpd服务器上ssl目录的创建。
查看签署信息
# cat serial
03
# cat index.txt
V 171128080537Z 01 unknown /C=CN/ST=ShangHai/O=example/OU=ops/CN=www.a.com/emailAddress=admin@a.com
V 171128081201Z 02 unknown /C=CN/ST=ShangHai/O=example/OU=ops/CN=www.b.org/emailAddress=admin@b.org
httpd配置
以下操作是在httpd服务器上进行的操作。
# vim /etc/httpd/conf.d/www.conf
<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/opt/a.com/htdocs"
DirectoryIndex index.html index.htm
#CustomLog logs/a.com/access_log combined
CustomLog "|rotatelogs /var/log/httpd/a.com/access_%Y%m%d.log 86400 480" combined
ErrorLog "|rotatelogs /var/log/httpd/a.com/error_%Y%m%d.log 86400 480"
<Location /server-status>
SetHandler server-status
Order allow,Deny
Allow from 192.168.5
AuthType Basic
AuthName "a.com basic"
AuthUserFile "/etc/httpd/conf/.htpasswd"
Require user bols
</Location>
</VirtualHost>
<VirtualHost *:80>
ServerName www.b.org
DocumentRoot "/opt/b.org/htdocs"
DirectoryIndex index.html index.htm
CustomLog "|rotatelogs /var/log/httpd/b.org/access_%Y%m%d.log 86400 480" combined
ErrorLog "|rotatelogs /var/log/httpd/b.org/error_%Y%m%d.log 86400 480"
#CustomLog logs/b.org/access_log combined
#ErrorLog logs/b.org/error_log
</VirtualHost>
<VirtualHost *:443>
ServerName www.b.org:443
DocumentRoot "/opt/b.org/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/b.org/access_ssl.log combined
ErrorLog /var/log/httpd/b.org/error_ssl.log
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/b.org/b.crt
SSLCertificateKeyFile /etc/httpd/ssl/b.org/b.key
</VirtualHost>
<VirtualHost *:443>
ServerName www.a.com:443
DocumentRoot "/opt/a.com/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/a.com/access_ssl.log combined
ErrorLog /var/log/httpd/a.com/error_ssl.log
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/a.com/a.crt
SSLCertificateKeyFile /etc/httpd/ssl/a.com/a.key
</VirtualHost>
测试
创建网站测试的文件
[root@db-02 ~]# cat /opt/a.com/htdocs/index.html
<h1>www.a.com</h1>
[root@db-02 ~]# cat /opt/b.org/htdocs/index.html
<h1>www.b.org</h1>
导入根证书
请将CA 证书中的cacert.pem 文件导入到浏览器中的受信任的根证书中。
相关所需文件的创建
# mkdir /var/log/httpd/a.com/
# mkdir /var/log/httpd/b.org/
# /etc/init.d/httpd start
# htpasswd -cm /etc/httpd/conf/.htpasswd bols
测试
测试前请在hosts文件写入域名和想对应的解析IP:
# curl http://www.a.com/index.html
<h1>www.a.com</h1>
# curl http://www.b.org/index.html
<h1>www.b.org</h1>
# openssl s_client -connect www.b.org:443 -CAfile /etc/pki/CA/cacert.pem
......
GET /index.html HTTP/1.1
Host:www.b.org
HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 09:58:20 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 23 Nov 2016 09:17:33 GMT
ETag: "2405e-13-541f45be79532"
Accept-Ranges: bytes
Content-Length: 19
Connection: close
Content-Type: text/html; charset=UTF-8
<h1>www.b.org</h1>
closed
# openssl s_client -connect www.a.com:443 -CAfile /etc/pki/CA/cacert.pem
......
GET /index.html HTTP/1.1
Host:www.a.com
HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 09:57:39 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 23 Nov 2016 09:17:04 GMT
ETag: "2405f-13-541f45a2f779e"
Accept-Ranges: bytes
Content-Length: 19
Connection: close
Content-Type: text/html; charset=UTF-8
<h1>www.a.com</h1>
closed
[root@bid-02 ~]# curl -I --user bols:bols http://www.a.com/server-status
HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 11:05:37 GMT
Server: Apache/2.2.15 (CentOS)
Content-Length: 2536
Connection: close
Content-Type: text/html; charset=ISO-8859-1
安装配置出现问题:
语法检测时出现警告
# httpd -t
httpd: apr_sockaddr_info_get() failed for db-02
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
Syntax OK
首先第一个是httpd的配置文件中ServerName 没有指定:
# vim /etc/httpd/conf/httpd.conf +276
ServerName *:80
之后在检测开始报错:
# httpd -t
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
Syntax OK
这个是由于NameVirtualHost 没有指定:
vim /etc/httpd/conf/httpd.conf +991
NameVirtualHost *:80
NameVirtualHost *:443
配置日志滚动时出现滚动日志失败
原因:问题原因不清楚,但是解决方法是将日志文件使用绝对路径,不要使用相对路径。
httpd-2.4
安装
# yum install -y httpd httpd-devel mod_ssl
CA证书配置
ssl证书还是用于在CentOS 6系统中创建的,并把文件拷贝至/etc/httpd/ssl目录中,注意这个目录需要手动创建。
网站测试文件创建
# cat /opt/a.com/htdocs/index.html
<h1>www.a.com</h1>
# cat /opt/b.org/htdocs/index.html
<h1>www.b.org</h1>
认证文件创建
htpasswd 命令的使用请自行谷歌。
# htpasswd -cm /etc/httpd/conf/htpasswd bols
配置
<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/opt/a.com/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/a.com/access.log combined
ErrorLog /var/log/httpd/a.com/error.log
<Directory "/opt/a.com/htdocs">
Options None
AllowOverride None
Require all granted
</Directory>
<Location /server-status>
SetHandler server-status
Options None
AuthType Basic
AuthName "a.com basic"
AuthUserFile "/etc/httpd/conf/htpasswd"
Require user bols
</Location>
</VirtualHost>
<VirtualHost *:80>
ServerName www.b.org
DocumentRoot "/opt/b.org/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/b.org/access.log combined
ErrorLog /var/log/httpd/b.org/error.log
<Directory "/opt/b.org/htdocs">
Options None
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName www.b.org:443
DocumentRoot "/opt/b.org/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/b.org/access_ssl.log combined
ErrorLog /var/log/httpd/b.org/error_ssl.log
<Directory "/opt/b.org/htdocs">
Options None
AllowOverride None
Require all granted
</Directory>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/b.org/b.crt
SSLCertificateKeyFile /etc/httpd/ssl/b.org/b.key
</VirtualHost>
<VirtualHost *:443>
ServerName www.a.com:443
DocumentRoot "/opt/a.com/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/a.com/access_ssl.log combined
ErrorLog /var/log/httpd/a.com/error_ssl.log
<Directory "/opt/a.com/htdocs">
Options None
AllowOverride None
Require all granted
</Directory>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/a.com/a.crt
SSLCertificateKeyFile /etc/httpd/ssl/a.com/a.key
</VirtualHost>
测试
测试和CentOS 6中一样,测试的结果就不在贴出。
说明
在CentOS 7 中的配置和使用和CentOS 6有以下几个区别(个人总结):
启动httpd不在是用service命令而是使用systemctl命令。
任意目录下的页面只有显式授权才能被访问。
访问控制配置如下:
允许所有主机访问:Require all granted
拒绝所有主机访问:Require all deny
授权指定来源的IP访问:Require ip IPADDR
拒绝指定来源的IP访问:Require not ip IPADDR
授权指定来源的主机访问:Require host HOSTNAME
拒绝指定来源的主机访问:Require not host HOSTNAME
关于日志滚动的说明:
httpd 日志滚动可以用rotatelogs、cronolog或者脚本滚动。
日志滚动可以用rotatelogs 是httpd自带的日志滚动工具,自己测试在httpd-2.4中没有成功。
cronolog 是在epel源中的一个日志滚动工具,需要安装。
脚本控制滚动这个看自己业务需求进行写了。
httpd练习.md的更多相关文章
- httpd配置.md
httpd-2.2 配置 监听端口和IP 配置文件: Listen [IP:]PORT 省略IP表示为0.0.0.0 Listen指令可重复出现多次 修改监听socket,重启服务进程方可生效 可以监 ...
- httpd安装.md
httpd 简介 httpd是由apache软件基金会开发的一款著名的web服务器软件.由于其开放源代码,并且拥有跨平台.功能强大.安全稳定等特性,而被广泛使用.早期httpd是在修修补补的基础上成长 ...
- [svc]linux常用手头命令-md版-2017年11月12日 12:31:56
相关代码 curl命令-网站如果3次不是200或301则报警 curl -o /dev/null -s -w "%{http_code}" baidu.com -k/--insec ...
- 好用的Markdown编辑器一览 readme.md 编辑查看
https://github.com/pandao/editor.md https://pandao.github.io/editor.md/examples/index.html Editor.md ...
- 解决apache启动错误"httpd:Could not reliably determine..."
启动apache遇到错误:httpd: Could not reliably determine the server's fully qualified domain name [root@serv ...
- Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details
thinkphp 在Apache上配置启用伪静态,重启Apache1 restart 竟然失败了,报错 Job for httpd.service failed because the control ...
- Apache主配置文件httpd.conf 详解
Apache的主配置文件:/etc/httpd/conf/httpd.conf 默认站点主目录:/var/www/html/ Apache服务器的配置信息全部存储在主配置文件/etc/httpd/co ...
- Linux httpd源码编译安装
# wget http://apache.fayea.com/httpd/httpd-2.2.31.tar.bz2 去官网下载源码包 # mv httpd-.tar.bz2 /usr/local/sr ...
- centos7 apache httpd安装和配置django项目
一.安装httpd服务 apache在centos7中是Apache HTTP server.如下对httpd的解释就是Apache HTTP Server.所以想安装apache其实是要安装http ...
随机推荐
- tet
施大峰[[昂司法部]]... [[分公司电饭煲]]
- php实现设计模式之 抽象工厂模式
<?php /*抽象工厂模式:提供一个创建一系统相关或相互依赖对象的接口,而无需指定它们具体的类 * 创建型模式 */ //抽象小米工厂,能制造小米一,小米二 abstract class mi ...
- ElasticSearch+NLog+Elmah实现Asp.Net分布式日志管理
本文将介绍使用NLOG.Elmah结合ElasticSearch实现分布式日志管理. 一.ElasticSearch简介 ElasticSearch是一个基于Lucene的搜索服务器.它提供了一个分布 ...
- 2、ASP.NET MVC入门到精通——Entity Framework入门
实体框架(Entity Framework)简介 简称EF 与ADO.NET关系 ADO.NET Entity Framework 是微软以 ADO.NET 为基础所发展出来的对象关系对应 (O/R ...
- JSTL标签功能集锦
1.<fmt:parseNumber integerOnly="true" value="2/3" /> 结果为0 功能:fmt:parseNumb ...
- Xdebug文档(七) 远程调试
Xdebug提示调试客户端接口与PHP运行相联系.该章节解释如何设置PHP与xdebug,并推荐一些客户端. 介绍 Xdebug的远程调试器允许你检查数据结构,交互式地穿过和调试你的代码.该协议已经开 ...
- 低调奢华 CSS3 transform-style 3D旋转
点击这里查看效果:http://keleyi.com/a/bjad/s89uo4t1.htm 效果图: CSS3 transform-style 属性 以下是代码: <!DOCTYPE html ...
- jQuery静态方法isPlainObject,isEmptyObject方法使用和源码分析
isPlainObject方法 测试对象是否是纯粹的对象(通过 "{}" 或者 "new Object" 创建的) 示例: //测试是否为纯粹的对象 jQuer ...
- jqueryAPI使用之选择器
好一段时间没有更新博文了.刚学习完JS基础知识后,也进入到了JQ的学习.为了能熟练掌握JQ的使用,最好的方法就是反复多练,讲JQ中的API的每个知识点都练习一遍.如果能做到这个,那么对JQ就没那么陌生 ...
- SE16N使用方案总结
SAP中直接修改表.视图的Tcode有SE16N和SM30. 另外,在EHP5版本及其更高的版本中,激活编辑功能是不被允许的,不过程序中是通过一个判断语句来限制的,可以通过将相关的判断值判断前加断点, ...