Exercise: implement the following once with httpd-2.2 and once with httpd-2.4.

1. Set up an httpd service that meets these requirements:
(1) Provide two name-based virtual hosts:
www1.stuX.com, document root /web/vhosts/www1; error log /var/log/httpd/www1/error_log, access log /var/log/httpd/www1/access_log;
www2.stuX.com, document root /web/vhosts/www2; error log /var/log/httpd/www2/error_log, access log /var/log/httpd/www2/access_log;
(2) Publish the server status at www1.stuX.com/server-status, accessible only to users who authenticate with an account;
(3) www1 must deny access from hosts on the 192.168.1.0/24 network;

2. Provide https for the second virtual host above, so that users can reach the site securely over https;
(1) Certificate authentication is required; the certificate must carry Country (CN), State (Beijing), City (Beijing) and Organization (MageEdu);
(2) Set the department (OU) to Ops and the host name to www2.stuX.com;

Lab environment: httpd-2.2

[root@server-status localhost6]#vi /etc/httpd/conf/httpd.conf
#DocumentRoot "/var/www/html"  
KeepAlive On
#Create this file under /etc/httpd/conf.d/
[root@conf.d localhost6]#cat virtuhost.conf
# httpd-2.2 needs this before name-based virtual hosts can share the address:port
NameVirtualHost 172.16.252.242:80
# define the virtual host; both hosts use the same IP and port
<VirtualHost 172.16.252.242:80>
    # virtual host name; must match the Host header the client sends
    ServerName www1.stuX.com
    # HTML directory of virtual host 1
    DocumentRoot "/web/vhosts/www1"
    # access control for the document root
    <Directory "/web/vhosts/www1">
        Options None
        AllowOverride None
        order allow,deny
        # deny this network access to the host
        deny from 192.168.1.0/24
        allow from all
    </Directory>
    # error log
    ErrorLog /var/log/httpd/www1/error_log
    # access log (www1's own file, as the exercise requires)
    CustomLog /var/log/httpd/www1/access_log combined
    # status page (AllowOverride is not permitted inside <Location> in 2.2)
    <Location /server-status>
        Options None
        SetHandler server-status
        AuthType Basic
        AuthName "input id and passwd"
        AuthUserFile "/etc/httpd/conf/.htpasswd"
        Require user magedu
    </Location>
</VirtualHost>
<VirtualHost 172.16.252.242:80>
    ServerName www2.stuX.com
    DocumentRoot "/web/vhosts/www2"
  <Directory "/web/vhosts/www2">
        Options None
        AllowOverride None
        order allow,deny
        allow from all
  </Directory>
  ErrorLog /var/log/httpd/www2/error_log
  CustomLog /var/log/httpd/www2/access_log combined
</VirtualHost>
#Create the account used for authentication
htpasswd -c -m /etc/httpd/conf/.htpasswd magedu
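Before `httpd -t`, it is worth linting a file like virtuhost.conf for the mistakes this kind of copy-pasted config tends to collect: a CustomLog copied from the other vhost (so www1's requests land in www2's log), an AllowOverride inside <Location> (rejected by httpd-2.2 with "not allowed here"), and a missing NameVirtualHost (without it, 2.2 serves the first vhost for every name). The script below is an added example, not part of the original write-up; SAMPLE_CONF is a constructed config modelled on the exercise's paths and deliberately contains the first two errors, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: a small awk lint for an httpd-2.2 name-based vhost file.
# SAMPLE_CONF is a constructed sample containing two deliberate mistakes:
# www1 logs to www2's access_log, and AllowOverride sits inside <Location>.
SAMPLE_CONF='NameVirtualHost 172.16.252.242:80
<VirtualHost 172.16.252.242:80>
    ServerName www1.stuX.com
    DocumentRoot "/web/vhosts/www1"
    <Directory "/web/vhosts/www1">
        Options None
        AllowOverride None
        order allow,deny
        deny from 192.168.1.0/24
        allow from all
    </Directory>
    ErrorLog /var/log/httpd/www1/error_log
    CustomLog /var/log/httpd/www2/access_log combined
    <Location /server-status>
        Options None
        AllowOverride None
        SetHandler server-status
        AuthType Basic
        AuthName "input id and passwd"
        AuthUserFile "/etc/httpd/conf/.htpasswd"
        Require user magedu
    </Location>
</VirtualHost>
<VirtualHost 172.16.252.242:80>
    ServerName www2.stuX.com
    DocumentRoot "/web/vhosts/www2"
    ErrorLog /var/log/httpd/www2/error_log
    CustomLog /var/log/httpd/www2/access_log combined
</VirtualHost>'

# lint_vhosts: read a config on stdin, print one finding per line
lint_vhosts() {
  awk '
    /^[ \t]*NameVirtualHost/ { nvh = 1 }
    /^[ \t]*<VirtualHost/    { in_vh = 1; sn = ""; el = ""; cl = "" }
    in_vh && /^[ \t]*ServerName/ { sn = $2 }
    in_vh && /^[ \t]*ErrorLog/   { el = $2 }
    in_vh && /^[ \t]*CustomLog/  { cl = $2 }
    /^[ \t]*<Location/           { in_loc = 1 }
    /^[ \t]*<\/Location/         { in_loc = 0 }
    in_loc && /^[ \t]*AllowOverride/ {
      print "AllowOverride inside <Location> in " sn ": httpd 2.2 rejects it (\"not allowed here\")"
    }
    /^[ \t]*<\/VirtualHost/ {
      in_vh = 0
      # www1.stuX.com -> "www1": each vhost should log under its own directory
      split(sn, p, "."); host = p[1]
      if (el != "" && index(el, "/" host "/") == 0) print "ErrorLog of " sn " points at " el
      if (cl != "" && index(cl, "/" host "/") == 0) print "CustomLog of " sn " points at " cl
    }
    END { if (!nvh) print "NameVirtualHost missing: httpd 2.2 needs it for name-based vhosts" }
  '
}

# lint_file: the same checks on a real file, e.g. lint_file /etc/httpd/conf.d/virtuhost.conf
lint_file() { lint_vhosts < "$1"; }

# count_findings: number of findings for the constructed sample (2 expected)
count_findings() {
  printf '%s\n' "$SAMPLE_CONF" | lint_vhosts | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_CONF" | lint_vhosts
```

Two caveats the lint does not cover: httpd does not create log directories, so /var/log/httpd/www1 and /var/log/httpd/www2 must exist before the service starts; and the `deny from 192.168.1.0/24` inside `<Directory "/web/vhosts/www1">` governs files under that directory only, so /server-status, which is served by a handler in a `<Location>`, is protected by the Basic auth alone unless the same deny rule is repeated there.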

2. Configure the server 172.16.252.225 as the CA:

]#(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................................................++
..............++
e is 65537 (0x10001)
#Self-signed CA certificate
[root@www ~17:34:39]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 36600
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:magedu.com
Email Address []:
]#touch serial index.txt
]#echo 01 > serial

3. Issue a certificate for virtual host 2:


[root@~ localhost6]#mkdir -v /ca/
mkdir: created directory `/ca/'
[root@~ localhost6]#(umask 077;openssl genrsa -out /ca/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..........................................+++
..........................+++
e is 65537 (0x10001)
[root@~ localhost6]#openssl req -new -key /ca/httpd.key -out /ca/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www2.stuX.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123
string is too short, it needs to be at least 4 bytes long
A challenge password []:123456
An optional company name []:
#Send the signing request (it carries only the public key) to the CA
[root@ca localhost6]#scp /ca/httpd.csr root@172.16.252.225:/etc/pki/CA/
The authenticity of host '172.16.252.225 (172.16.252.225)' can't be established.
RSA key fingerprint is 0b:0e:e9:a5:c7:74:dc:22:e0:22:80:e9:a2:9c:4f:20.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '172.16.252.225' (RSA) to the list of known hosts.
root@172.16.252.225's password:
httpd.csr                                     100% 1017     1.0KB/s   00:00
#Sign the request on the CA host
[root@www CA17:52:01]#openssl ca -in httpd.csr -out /etc/pki/CA/certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 24 09:53:16 2017 GMT
            Not After : Apr 24 09:53:16 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = MageEdu
            commonName                = www2.stuX.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                95:A1:28:9B:96:F7:30:40:B1:E4:DE:F3:9F:BD:37:6E:4C:B3:99:9C
            X509v3 Authority Key Identifier:
                keyid:0A:6C:39:63:F0:52:18:86:1B:F8:0B:DA:33:6E:35:79:8B:6A:7D:AD

Certificate is to be certified until Apr 24 09:53:16 2018 GMT (365 days)
Sign the certificate? [y/n]:yes


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#Return the signed certificate to the web server
[root@www certs18:01:36]#scp httpd.crt root@172.16.252.242:/ca/
root@172.16.252.242's password:
httpd.crt                                     100% 5649     5.5KB/s   00:00
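The same CA -> CSR -> signed certificate flow as steps 2 and 3, run non-interactively in a scratch directory and then checked the way a deployer should check httpd.crt before pointing mod_ssl at it: does it chain to cacert.pem, does its CN equal the https vhost's ServerName, does httpd.key really belong to it. This is an added example, not the write-up's own commands: the subject fields are the exercise's (with OU=Ops, which the recorded CSR left blank), while the scratch paths, the 2048-bit CA key, the function names and the use of `openssl x509 -req` in place of `openssl ca` (no serial/index.txt bookkeeping) are this example's choices.

```shell
#!/bin/sh
# Added example: CA -> CSR -> signed certificate, then the checks a deployer runs.
# Scratch paths, key sizes and `openssl x509 -req` are this example's choices;
# the subject fields follow the exercise.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

build_chain() {
  # CA private key; the umask keeps it 0600 from the moment it is written
  (umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
  # self-signed CA certificate (the file the Windows client later trusts)
  openssl req -new -x509 -key "$WORK/cakey.pem" -out "$WORK/cacert.pem" -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=MageEdu/CN=magedu.com" 2>/dev/null
  # server key and CSR; only the CSR leaves the web server, the key never does
  (umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
  openssl req -new -key "$WORK/httpd.key" -out "$WORK/httpd.csr" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=MageEdu/OU=Ops/CN=www2.stuX.com" 2>/dev/null
  # the CA signs the request; -CAcreateserial keeps the serial for us
  openssl x509 -req -in "$WORK/httpd.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -CAcreateserial -days 365 -out "$WORK/httpd.crt" 2>/dev/null
}

# verify_chain CAFILE: OK when httpd.crt chains to CAFILE, FAIL otherwise
verify_chain() {
  if openssl verify -CAfile "$1" "$WORK/httpd.crt" 2>/dev/null | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

# cert_cn: the CN of the issued certificate; must equal the https vhost's ServerName
cert_cn() {
  openssl x509 -in "$WORK/httpd.crt" -noout -subject | sed 's/.*CN *= *//'
}

# cert_ou: the organizational unit the exercise asks for (Ops)
cert_ou() {
  openssl x509 -in "$WORK/httpd.crt" -noout -subject | sed 's/.*OU *= *//; s/[,/].*//'
}

# key_matches_cert: yes when httpd.key is the private half of httpd.crt
key_matches_cert() {
  k=$(openssl rsa -in "$WORK/httpd.key" -noout -modulus)
  c=$(openssl x509 -in "$WORK/httpd.crt" -noout -modulus)
  if [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

build_chain
echo "chains to CA:        $(verify_chain "$WORK/cacert.pem")"
echo "self-issued check:   $(verify_chain "$WORK/httpd.crt")"
echo "CN:                  $(cert_cn)"
echo "OU:                  $(cert_ou)"
echo "key matches cert:    $(key_matches_cert)"
```

The negative check (verifying httpd.crt against itself) is there to show that `openssl verify` really is consulting the CA file: a leaf certificate is not its own issuer, so it must report a failure. On the real hosts the same three checks apply to /ca/httpd.crt, /ca/httpd.key and /etc/pki/CA/cacert.pem from the write-up.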

Copy the CA's certificate (its public key) to the Windows client, rename it to .crt, and install it.