Lab environment:

| Host IP | Description |
|---|---|
| 192.168.5.181 | CentOS 7, httpd 2.4 installed |
| 192.168.5.121 | CentOS 6, httpd 2.2 installed, plus the MySQL database |
| 192.168.5.180 | Linux test client with the curl tool |
| 192.168.5.190 | Linux test client with the curl tool |
| 192.168.5.182 | CA (certificate authority) |
On both web hosts, first flush the firewall rules, disable SELinux, and then install httpd with yum. On CentOS 6 the default Base repository ships httpd 2.2; on CentOS 7 it ships httpd 2.4.

```
$ iptables -t filter -F
$ setenforce 0
$ yum install httpd
```

Check the httpd version on CentOS 7:

```
$ yum info httpd | grep -i version
Version     : 2.4.6
```

Check the httpd version on CentOS 6:

```
$ yum info httpd | grep -i version
Version     : 2.2.15
```
CentOS 6, httpd 2.2 environment

Under /etc/httpd/conf.d/ add a new configuration file, virtualhost.conf, with the content shown below. The NameVirtualHost directive declares 192.168.5.121:80 as the address used for name-based (FQDN) virtual hosts, followed by two VirtualHost sections with www1.stuX.com and www2.stuX.com as their host names.

Give each virtual host its own custom log files:

www1.stuX.com access log: /web/vhosts/www1/access_log
www1.stuX.com error log: /web/vhosts/www1/error_log
www2.stuX.com access log: /web/vhosts/www2/access_log
www2.stuX.com error log: /web/vhosts/www2/error_log

Then restart the httpd service:

```
$ cat /etc/httpd/conf.d/virtualhost.conf
NameVirtualHost 192.168.5.121:80
<VirtualHost 192.168.5.121:80>
    ServerName www1.stuX.com
    DocumentRoot "/web/vhosts/www1"
    LogFormat "%h %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\"" custom1
    CustomLog /web/vhosts/www1/access_log custom1
    ErrorLog /web/vhosts/www1/error_log
    <Directory "/web/vhosts/www1">
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
<VirtualHost 192.168.5.121:80>
    ServerName www2.stuX.com
    DocumentRoot "/web/vhosts/www2"
    LogFormat "%h %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\"" custom2
    CustomLog /web/vhosts/www2/access_log custom2
    ErrorLog /web/vhosts/www2/error_log
    <Directory "/web/vhosts/www2">
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
$ service httpd start
```

Create the /web/vhosts/www1 and /web/vhosts/www2 directories and put a simple test page in each:

```
$ mkdir -p /web/vhosts/www{1,2}
$ echo "This is www1.stuX.com" > /web/vhosts/www1/index.html
$ echo "This is www2.stuX.com" > /web/vhosts/www2/index.html
```
CentOS 7, httpd 2.4 environment

Likewise add a new virtualhost.conf under /etc/httpd/conf.d. Unlike CentOS 6, the NameVirtualHost directive is omitted, and the access-control (ACL) syntax has changed. Use www3.stuX.com and www4.stuX.com as host names.

Define the log files:

www3.stuX.com access log: /web/vhosts/www3/access_log
www3.stuX.com error log: /web/vhosts/www3/error_log
www4.stuX.com access log: /web/vhosts/www4/access_log
www4.stuX.com error log: /web/vhosts/www4/error_log

Then restart httpd.service.

```
<VirtualHost 192.168.5.181:80>
    ServerName www3.stuX.com
    DocumentRoot "/web/vhosts/www3"
    LogFormat "%h %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\"" custom3
    CustomLog /web/vhosts/www3/access_log custom3
    ErrorLog /web/vhosts/www3/error_log
    <Directory "/web/vhosts/www3">
        Options None
        AllowOverride None
        <RequireAll>
            Require all granted
            Require not ip 192.168.5.190
        </RequireAll>
    </Directory>
</VirtualHost>
<VirtualHost 192.168.5.181:80>
    ServerName www4.stuX.com
    DocumentRoot "/web/vhosts/www4"
    LogFormat "%h %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\"" custom4
    # the nickname must be the one defined in this vhost (custom4), not custom3
    CustomLog /web/vhosts/www4/access_log custom4
    ErrorLog /web/vhosts/www4/error_log
    <Directory "/web/vhosts/www4">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

Create the /web/vhosts/www3 and /web/vhosts/www4 directories and put a simple test page in each:

```
$ mkdir -p /web/vhosts/www{3,4}
$ echo "This is www3.stuX.com" > /web/vhosts/www3/index.html
$ echo "This is www4.stuX.com" > /web/vhosts/www4/index.html
```
Client test

Configure /etc/hosts on the client so the host names resolve:

```
root@alternative:~# cat /etc/hosts | grep -i www
192.168.5.121 www1.stuX.com www2.stuX.com
192.168.5.181 www3.stuX.com www4.stuX.com
```
The client tests below show that name-based virtual hosting is working:

```
root@alternative:~# curl http://www1.stuX.com
This is www1.stuX.com
root@alternative:~# curl http://www2.stuX.com
This is www2.stuX.com
root@alternative:~# curl http://www3.stuX.com
This is www3.stuX.com
root@alternative:~# curl http://www4.stuX.com
This is www4.stuX.com
```

Spoof the client User-Agent and the Referer address:

```
root@alternative:~# curl -A "curl test" -e "http://www.baidu.com" http://www1.stuX.com
This is www1.stuX.com
root@alternative:~# curl -A "curl test2" -e "http://www.sina.com" http://www2.stuX.com
This is www2.stuX.com
root@alternative:~# curl -A "curl test3" -e "http://www.sohu.com" http://www3.stuX.com
This is www3.stuX.com
root@alternative:~# curl -A "curl test4" -e "http://www.163.com" http://www4.stuX.com
This is www4.stuX.com
```

Send some bad requests to check that error_log is working:

```
root@alternative:~# curl http://www1.stuX.com/123
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h2>Not Found</h2>
<p>The requested URL /123 was not found on this server.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at www1.stux.com Port 80</address>
</body></html>
root@alternative:~# curl http://www2.stuX.com/456
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h2>Not Found</h2>
<p>The requested URL /456 was not found on this server.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at www2.stux.com Port 80</address>
</body></html>
root@alternative:~# curl http://www3.stuX.com/789
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h2>Not Found</h2>
<p>The requested URL /789 was not found on this server.</p>
</body></html>
root@alternative:~# curl http://www4.stuX.com/000
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h2>Not Found</h2>
<p>The requested URL /000 was not found on this server.</p>
</body></html>
```
Look at the access logs and error logs:

```
$ tail -f /web/vhosts/www{1,2}/{access,error}_log
==> /web/vhosts/www1/access_log <==
192.168.5.180 - [02/Jun/2017:14:46:24 +0800] "GET / HTTP/1.1" 200 "-" "curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"
192.168.5.180 - [02/Jun/2017:14:46:40 +0800] "GET /123 HTTP/1.1" 404 "-" "curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"
192.168.5.180 - [02/Jun/2017:14:49:01 +0800] "GET / HTTP/1.1" 200 "http://www.baidu.com" "curl test"

==> /web/vhosts/www1/error_log <==
[Fri Jun 02 14:46:40 2017] [error] [client 192.168.5.180] File does not exist: /web/vhosts/www1/123

==> /web/vhosts/www2/access_log <==
192.168.5.180 - [02/Jun/2017:14:46:28 +0800] "GET / HTTP/1.1" 200 "-" "curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"
192.168.5.180 - [02/Jun/2017:14:46:52 +0800] "GET /456 HTTP/1.1" 404 "-" "curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"
192.168.5.180 - [02/Jun/2017:14:49:16 +0800] "GET / HTTP/1.1" 200 "http://www.sina.com" "curl test2"

==> /web/vhosts/www2/error_log <==
[Fri Jun 02 14:46:52 2017] [error] [client 192.168.5.180] File does not exist: /web/vhosts/www2/456
```
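The custom LogFormat used above omits %l and %b, so a stock "combined"-format parser will not match these lines. The Python script below is an added example (not part of the original post): it parses exactly this format and summarizes, per client IP, the request count, 4xx/5xx errors, and the User-Agent and Referer values seen (the spoofed values from the curl tests stand out here). The sample lines are constructed to match the log output above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the vhost LogFormat:  %h %u %t "%r" %>s "%{Referer}i" "%{User-Agent}i"
# Quoted fields may contain backslash-escaped quotes, which httpd writes as \".
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample lines in the same format as the access_log output above.
SAMPLE_LOG = """\
192.168.5.180 - [02/Jun/2017:14:46:24 +0800] "GET / HTTP/1.1" 200 "-" "curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0"
192.168.5.180 - [02/Jun/2017:14:46:40 +0800] "GET /123 HTTP/1.1" 404 "-" "curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0"
192.168.5.180 - [02/Jun/2017:14:49:01 +0800] "GET / HTTP/1.1" 200 "http://www.baidu.com" "curl test"
192.168.5.190 admin [04/Jun/2017:19:20:03 +0800] "GET /status HTTP/1.1" 200 "-" "Mozilla/5.0"
this line is garbage
""".splitlines()


def parse_line(line):
    """Return a dict for one access_log line, or None if it does not match the format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # %t is [day/Mon/year:hh:mm:ss +zzzz]; %z parses the numeric offset
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["request"].split(" ")          # "%r" is "METHOD path HTTP/x.y"
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def summarize(lines):
    """Per-client summary: requests, 4xx/5xx count, distinct agents and referers.
    Returns (summary_dict, number_of_unparsed_lines)."""
    per_client = defaultdict(
        lambda: {"requests": 0, "errors": 0, "agents": set(), "referers": set()}
    )
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # count rather than silently drop unexpected lines
            continue
        c = per_client[rec["host"]]
        c["requests"] += 1
        if rec["status"] >= 400:
            c["errors"] += 1
        c["agents"].add(rec["agent"])
        if rec["referer"] != "-":  # "-" means the client sent no Referer header
            c["referers"].add(rec["referer"])
    return dict(per_client), unparsed


if __name__ == "__main__":
    summary, bad = summarize(SAMPLE_LOG)
    for ip, stats in summary.items():
        print(ip, stats)
    print("unparsed lines:", bad)
```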
For the www1.stuX.com virtual host on httpd 2.2 and the www3.stuX.com virtual host on httpd 2.4, add a server-status monitoring page and use the third-party module mod_auth_mysql.so to authenticate and authorize user accounts. The accounts are stored on the MySQL server on node 192.168.5.121, and passwords are stored AES-encrypted. For the detailed configuration, refer to other posts.

In MySQL, create a database named http_auth containing a table named mysql_auth, and add two users, admin and root, whose passwords are encrypted with the aes_encrypt function using the salts 'hello' and 'root' respectively, as shown below:

```
mysql> use http_auth;
Database changed
mysql> show tables;
+---------------------+
| Tables_in_http_auth |
+---------------------+
| mysql_auth          |
+---------------------+
1 row in set (0.00 sec)
mysql> desc mysql_auth;
+-------------+----------+------+-----+---------+-------+
| Field       | Type     | Null | Key | Default | Extra |
+-------------+----------+------+-----+---------+-------+
| user_name   | char(30) | NO   | PRI | NULL    |       |
| user_passwd | tinyblob | YES  |     | NULL    |       |
| user_group  | char(25) | YES  |     | NULL    |       |
| salt        | tinyblob | YES  |     | NULL    |       |
+-------------+----------+------+-----+---------+-------+
4 rows in set (0.01 sec)
mysql> select * from mysql_auth;
+-----------+------------------+------------+-------+
| user_name | user_passwd      | user_group | salt  |
+-----------+------------------+------------+-------+
| admin     | ?G°??P-S         | admin      | hello |
| root      | ???¥V′l?Gχ       | admin      | root  |
+-----------+------------------+------------+-------+
2 rows in set (0.00 sec)
```

Note: make sure MySQL permits remote access for the account used. Here the root@'%' user is used and granted access to the database with: grant all privileges on *.* to root@'%' identified by 'root' with grant option
CentOS 6, httpd 2.2 environment

Load the mod_auth_mysql.so module. Make sure the module exists on the system and that a copy is present in /etc/httpd/modules, so it can be referenced by a path relative to ServerRoot. Add one line to the main configuration file /etc/httpd/conf/httpd.conf:

```
LoadModule mysql_auth_module modules/mod_auth_mysql.so
```

Starting from the virtualhost.conf of experiment 1, add a <Location> section that enables the status page, protect that page with user authentication, and add the access-control options, as shown below:

Note: for the mod_auth_mysql.so configuration directives, refer to the module's documentation.

Note: the AuthBasicAuthoritative directive is essential here. Because a third-party authentication module is used, if it is not set to Off, httpd will treat the module as invalid and it cannot be used.

```
......
......
<Location /status>
    SetHandler server-status
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthBasicAuthoritative Off
    AuthName "auth login"
    AuthMySQLHost 192.168.5.121
    AuthMySQLPort 3306
    AuthMySQLUser root
    AuthMySQLPassword shroot
    AuthMySQLDB http_auth
    AuthMySQLUserTable mysql_auth
    AuthMySQLNameField user_name
    AuthMySQLPasswordField user_passwd
    AuthMySQLEnable on
    AuthMySQLPwEncryption aes
    AuthMySQLSaltField salt
    require valid-user
</Location>
......
......
```

After configuring, restart httpd with the service httpd restart command.
CentOS 7, httpd 2.4 environment

mod_auth_mysql.so has to be loaded here as well. Make sure the module exists on the system and that a copy is present in /etc/httpd/modules, so it can be referenced by a path relative to ServerRoot.

httpd 2.4 loads modules from a different place than httpd 2.2 above: a separate module configuration file must be created under /etc/httpd/conf.modules.d. Here a file named 10-mysql.conf is created with one line:

```
LoadModule mysql_auth_module modules/mod_auth_mysql.so
```

Starting from the virtualhost.conf of experiment 1, add a <Location> section that enables the status page, protect that page with user authentication, and add the access-control options, as shown below:

Note: for the mod_auth_mysql.so configuration directives, refer to the module's documentation.

Note: the AuthBasicAuthoritative directive is essential here. Because a third-party authentication module is used, if it is not set to Off, httpd will treat the module as invalid and it cannot be used.

Note: in httpd 2.4, authentication may fail if AuthUserFile is not defined explicitly. Since the credentials come from MySQL, it is enough to point the file-based credential file at /dev/null.

```
<Location /status>
    SetHandler server-status
    AuthType Basic
    AuthBasicAuthoritative Off
    AuthName "auth login"
    AuthUserFile /dev/null
    AuthMySQLHost 192.168.5.121
    AuthMySQLPort 3306
    AuthMySQLUser root
    AuthMySQLPassword root
    AuthMySQLDB http_auth
    AuthMySQLUserTable mysql_auth
    AuthMySQLNameField user_name
    AuthMySQLPasswordField user_passwd
    AuthMySQLEnable on
    AuthMySQLPwEncryption aes
    AuthMySQLSaltField salt
    Require valid-user
</Location>
```
Client test

Since the page under test is the server-status monitoring page, the Firefox GUI is used for verification:

Enter http://www1.stuX.com/status in the browser. An authentication dialog pops up; enter the admin user name and password, as shown in the figure below:

Login succeeds, and the status page observed is shown below:

Testing http://www3.stuX.com/status also logs in successfully, with the result shown below:
Next, use the curl command-line tool to test the cases of a stopped database and of failed authentication.

Simulate some authentication failures by deliberately entering a wrong user name and password:

```
root@alternative:~# curl -u admin:123 http://www1.stuX.com/status
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h2>Authorization Required</h2>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at www1.stux.com Port 80</address>
</body></html>
root@alternative:~# curl -u 123:123 http://www3.stuX.com/status
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h2>Unauthorized</h2>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
```

Stop the MySQL database on 192.168.5.121 and test authentication again; it now fails:

```
$ service mysqld stop
root@alternative:~# curl -u admin:admin http://www3.stuX.com/status
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h2>Unauthorized</h2>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
```

The corresponding error log output:

```
[Sun Jun 04 19:23:22 2017] [error] [pid 16685] mod_auth_mysql.c(521): [client 192.168.5.180:55679] MySQL ERROR: Can't connect to MySQL server on '192.168.5.121' (111)
```
Configure simple IP-based access rules so that:

client 192.168.5.180 cannot access www1.stuX.com
client 192.168.5.190 cannot access www3.stuX.com
CentOS 6, httpd 2.2 environment

Starting from the virtualhost.conf of experiment 2, add a Deny from line inside <Directory "/web/vhosts/www1">, as shown below:

```
<Directory "/web/vhosts/www1">
    Order allow,deny
    Allow from all
    Deny from 192.168.5.180/32
</Directory>
```

Restart httpd with service httpd restart.
CentOS 7, httpd 2.4 environment

Starting from the virtualhost.conf of experiment 2, add a <RequireAll> block inside <Directory "/web/vhosts/www3"> and configure the IP access rule in it, as shown below:

```
<Directory "/web/vhosts/www3">
    Options None
    AllowOverride None
    <RequireAll>
        Require all granted
        Require not ip 192.168.5.190
    </RequireAll>
</Directory>
```
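Added example (not from the original post): a small Python model of the two rule sets above, so the httpd 2.2 "Order allow,deny" logic and the httpd 2.4 <RequireAll> logic can be checked for any client IP before the config is deployed. It also shows the common pitfall of writing "Order deny,allow" with the same Allow/Deny lines, which lets the denied client through. The tuple/list representations of the rules are my own; httpd's partial-address form such as "192.168.5" is not modelled.

```python
import ipaddress


def _matches(client, value):
    """True if the client IP is covered by a rule value: 'all', a CIDR, or a single IP."""
    if value == "all":
        return True
    return ipaddress.ip_address(client) in ipaddress.ip_network(value, strict=False)


def allowed_httpd22(client, order, allow, deny):
    """Model of mod_access (httpd 2.2) 'Order' semantics.
    'allow,deny': default deny; Allow is evaluated first, then Deny; Deny wins on conflict.
    'deny,allow':  default allow; Deny is evaluated first, then Allow; Allow wins on conflict.
    """
    a = any(_matches(client, v) for v in allow)
    d = any(_matches(client, v) for v in deny)
    if order == "allow,deny":
        return a and not d
    if order == "deny,allow":
        return a or not d
    raise ValueError("unknown Order: " + order)


def allowed_httpd24(client, requires):
    """Model of a <RequireAll> container (httpd 2.4, mod_authz_core + mod_authz_host).
    requires: list of (negated, value) for 'Require [not] ip <value>' or 'Require all granted'.
    RequireAll denies if any directive fails and grants only if none fail and at least
    one succeeds. A 'Require not ...' never succeeds: it fails on a match, else is neutral.
    """
    succeeded = False
    for negated, value in requires:
        matched = _matches(client, value)
        if negated:
            if matched:
                return False       # 'Require not' matched: the container fails
        elif matched:
            succeeded = True       # a positive Require succeeded
        else:
            return False           # a positive Require that does not match fails
    return succeeded               # only neutral results: not granted


# The two rule sets from the configs above.
WWW1_22 = ("allow,deny", ["all"], ["192.168.5.180/32"])
WWW3_24 = [(False, "all"), (True, "192.168.5.190")]


def decision_table(clients):
    """For each client IP, whether it gets through to www1 (2.2) and www3 (2.4)."""
    return {
        c: {"www1": allowed_httpd22(c, *WWW1_22), "www3": allowed_httpd24(c, WWW3_24)}
        for c in clients
    }


if __name__ == "__main__":
    for ip, result in decision_table(["192.168.5.180", "192.168.5.190", "10.0.0.7"]).items():
        print(ip, result)
```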
Client test

Accessing from 192.168.5.180 with curl, www1.stuX.com fails with a 403 Forbidden error, which shows the access control is in effect, while www3.stuX.com is reachable as normal.

```
root@alternative:~# curl http://www1.stuX.com/index.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h2>Forbidden</h2>
<p>You don't have permission to access /index.html
on this server.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at www1.stux.com Port 80</address>
</body></html>
root@alternative:~#
root@alternative:~# curl http://www3.stuX.com/index.html
This is www3.stuX.com
```

Accessing from 192.168.5.190 with curl, www3.stuX.com fails with a 403 Forbidden error, which shows the access control is in effect, while www1.stuX.com is reachable as normal.

```
root@ubuntu-node1:~# curl http://www3.stuX.com/index.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h2>Forbidden</h2>
<p>You don't have permission to access /index.html
on this server.</p>
</body></html>
root@ubuntu-node1:~# curl http://www1.stuX.com/index.html
This is www1.stuX.com
```
Set up HTTPS services for www2.stuX.com and www4.stuX.com, using the 192.168.5.182 machine as the CA.

First, synchronize the clocks of the httpd 2.2 server, the httpd 2.4 server, the CA server and the client. If they are not synchronized, the httpd server's or the client's clock may be earlier than the start of the CA root certificate's validity period, which causes errors. Use the ntpdate command or the ntpd service to synchronize; for the detailed steps, refer to the Linux NTP service and its configuration.
The CA generates its root certificate

First generate the private key:

```
$ cd /etc/pki/CA
$ (umask 077; openssl genrsa -out private/cakey.pem 2048)
$ ls -al private/
total 4
drwx------. 2 root root   22 Jun  4 20:16 .
drwxr-xr-x. 6 root root   57 Mar 20 06:43 ..
-rw-------  1 root root 1675 Jun  4 20:16 cakey.pem
```

Then generate a self-signed certificate from the private key:

```
$ openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:caexec
Common Name (eg, your name or your server's hostname) []:ca.caexec.com
Email Address []:
$ touch index.txt serial
$ echo 01 > serial
$ ls /etc/pki/CA
cacert.pem  certs  crl  index.txt  newcerts  private  serial
```
The httpd 2.2 server generates a certificate request and has the CA sign it

First generate the private key:

```
$ mkdir /web/vhosts/www2/ssl
$ cd /web/vhosts/www2/ssl/
$ (umask 077; openssl genrsa -out www2.key 2048)
```

Generate the certificate signing request from the private key:

```
$ openssl req -new -key www2.key -out www2.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www2.stuX.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

Send the certificate request to the CA server, where the CA signs it; the signed certificate is then returned to the httpd 2.2 server:

```
$ openssl ca -in www2.csr -out www2.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  4 14:23:12 2017 GMT
            Not After : Jun  4 14:23:12 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = CA
            organizationalUnitName    = ops
            commonName                = www2.stuX.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                99:13:92:93:B4:64:FF:15:70:6A:FF:6A:E0:C1:AA:E9:C1:28:13:47
            X509v3 Authority Key Identifier:
                keyid:D0:3B:30:3D:AF:76:F3:47:7D:83:FA:F1:19:F9:1D:29:11:9C:42:E1

Certificate is to be certified until Jun  4 14:23:12 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

Make sure the mod_ssl module is installed on the httpd 2.2 server; if not, install it with yum install mod_ssl or build it from source.

```
$ httpd -M | grep ssl
 ssl_module (shared)
Syntax OK
```

Create a test page, ssl.html:

```
echo "This is ssl page for www2.stuX.com." > /web/vhosts/www2/ssl.html
```

In the existing virtualhost.conf, configure a new <VirtualHost> that serves HTTPS, with the server's private key and the CA-signed certificate. After configuring, restart httpd with service httpd restart:

```
<VirtualHost 192.168.5.121:443>
    ServerName www2.stuX.com
    DocumentRoot "/web/vhosts/www2"
    DirectoryIndex ssl.html
    ErrorLog /web/vhosts/www2/ssl_error_log
    LogLevel info
    TransferLog /web/vhosts/www2/ssl_access_log
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
    SSLCertificateFile /web/vhosts/www2/ssl/www2.crt
    SSLCertificateKeyFile /web/vhosts/www2/ssl/www2.key
    <Directory "/web/vhosts/www2">
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```
The httpd 2.4 server generates a certificate request and has the CA sign it

Generate the private key:

```
$ mkdir /web/vhosts/www4/ssl
$ cd /web/vhosts/www4/ssl/
$ (umask 077; openssl genrsa -out www4.key 2048)
```

Generate the certificate signing request from the private key:

```
$ openssl req -new -key www4.key -out www4.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www4.stuX.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

Send the certificate request to the CA server, where the CA signs it; the signed certificate is then returned to the httpd 2.4 server:

```
$ openssl ca -in www4.csr -out www4.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jun  4 16:14:45 2017 GMT
            Not After : Jun  4 16:14:45 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = CA
            organizationalUnitName    = ops
            commonName                = www4.stuX.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                DE:84:D5:8C:11:7F:F8:C4:F4:26:49:A3:C2:0E:1A:07:62:00:06:8F
            X509v3 Authority Key Identifier:
                keyid:D0:3B:30:3D:AF:76:F3:47:7D:83:FA:F1:19:F9:1D:29:11:9C:42:E1

Certificate is to be certified until Jun  4 16:14:45 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

Make sure the mod_ssl module is installed on the httpd 2.4 server; if not, install it with yum install mod_ssl or build it from source.

```
$ httpd -M | grep ssl
 ssl_module (shared)
```

Create a test page, ssl.html:

```
echo "This is ssl page for www4.stuX.com." > /web/vhosts/www4/ssl.html
```

In the existing virtualhost.conf, configure a new <VirtualHost> that serves HTTPS, with the server's private key and the CA-signed certificate. After configuring, restart httpd with systemctl restart httpd.service:

```
<VirtualHost 192.168.5.181:443>
    ServerName www4.stuX.com
    DocumentRoot "/web/vhosts/www4"
    DirectoryIndex ssl.html
    ErrorLog /web/vhosts/www4/ssl_error_log
    LogLevel info
    TransferLog /web/vhosts/www4/ssl_access_log
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
    SSLCertificateFile /web/vhosts/www4/ssl/www4.crt
    SSLCertificateKeyFile /web/vhosts/www4/ssl/www4.key
    <Directory "/web/vhosts/www4">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```
Client test

Copy the CA server's self-signed certificate to the client and test with curl, requesting the HTTPS pages of the httpd 2.2 server and the httpd 2.4 server in turn:

```
root@alternative:~# curl --cacert cacert.pem https://www2.stuX.com
This is ssl page for www2.stuX.com.
root@alternative:~# curl --cacert cacert.pem https://www4.stuX.com
This is ssl page for www4.stuX.com.
```