# Exercise: implement the following with both httpd-2.2 and httpd-2.4:
## 1. Set up an httpd service that meets these requirements:
### (1) Provide two name-based virtual hosts:
- www1.stux.com: document root /web/vhosts/www1; error log /var/log/httpd/www1/error_log, access log /var/log/httpd/www1/access_log;
- www2.stux.com: document root /web/vhosts/www2; error log /var/log/httpd/www2/error_log, access log /var/log/httpd/www2/access_log;
### (2) Publish the server's status information at www1.stux.com/server-status, accessible only to users who have been given an account;
### (3) www1 must deny access from the host with IP 192.168.10.20;
## 2. Provide an https service for the second virtual host above, so that users can reach this web site securely over https;
### (1) Use a certificate for authentication; the certificate must use Country (CN), State (Beijing), City (Beijing) and Organization (MagEdu);
### (2) Set the department to Ops and the host name to www2.stux.com;
## httpd-2.4 configuration
Step 1: prepare three servers: 192.168.10.30 is the test machine, 192.168.10.20 is the httpd and DNS server, and 192.168.10.100 is the CA.
Install and start httpd-2.4, and stop the firewall so that the ports are not blocked (on a production host you would open 80 and 443 in firewalld instead):
```
# yum -y install httpd
# systemctl start httpd
# systemctl enable httpd
# systemctl stop firewalld
```
Create the directories and log files:
```
# mkdir -p /web/vhosts/www1/
# mkdir -p /web/vhosts/www2/
# cd /var/log/httpd/
# mkdir {www1,www2}
# cd www1
# touch {error_log,access_log}
# cd ../www2
# touch {error_log,access_log}
```
Create a test page for each host, /web/vhosts/www1/index.html and /web/vhosts/www2/index.html:
```
# vim /web/vhosts/www1/index.html
<h1>www1.stux.com</h1>
# vim /web/vhosts/www2/index.html
<h1>www2.stux.com</h1>
```
Create the user/password file used for httpd access authentication. The path must be the one later named by AuthUserFile in the www1 virtual host (/etc/httpd/conf.d/.htpasswd); a file under /tmp would not work, because the httpd service unit runs with PrivateTmp=true and sees its own empty /tmp. Note that -b takes the password on the command line, where it ends up in the shell history; omit it to be prompted interactively.
```
# htpasswd -bc /etc/httpd/conf.d/.htpasswd text1 text1   # -c creates the file; adds user text1 with password text1 (apr1 MD5 hash by default)
# htpasswd -b /etc/httpd/conf.d/.htpasswd text2 text2    # add user text2, password text2
# htpasswd -b /etc/httpd/conf.d/.htpasswd text3 text3    # add user text3, password text3
# cat /etc/httpd/conf.d/.htpasswd
text1:$apr1$.n8kyAbr$HhkgNOBOnYSl4lVLsODmn.
text2:$apr1$WYHzv6AL$dTkFbeWaP3XMn6kaUvb0e1
text3:$apr1$NY3FzbAQ$.OsmtKj.4v2fbgGTzC64r.
```
In the main configuration file /etc/httpd/conf/httpd.conf make sure that line 56, "Include conf.modules.d/*.conf", and the last line, "IncludeOptional conf.d/*.conf", are not commented out (remove the leading #), so that the main file pulls in both directories and the configuration can be kept modular instead of editing the main file. Then uncomment line 95, "#ServerName www.example.com:80", or change it to "ServerName <hostname>:<port>", so that the httpd -t configuration check does not complain.
```
# vim /etc/httpd/conf/httpd.conf
```
Note: SELinux has to be set to permissive, otherwise only the default page is served, because the new document roots under /web are not labelled for httpd. (Labelling them instead, with semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" followed by restorecon -Rv /web, keeps SELinux enforcing.)
```
# setenforce 0
# getenforce
Permissive
```
Create vhosts.conf under /etc/httpd/conf.d/ as the configuration file for www1; it has to meet these requirements:
- www1.stux.com: document root /web/vhosts/www1; error log /var/log/httpd/www1/error_log, access log /var/log/httpd/www1/access_log;
- (2) publish status information at www1.stux.com/server-status, accessible only to users with an account;
- (3) www1 denies access from the host with IP 192.168.10.30;
```
# vim /etc/httpd/conf.d/vhosts.conf
<VirtualHost *:80>
    ServerName www1.stux.com
    DocumentRoot "/web/vhosts/www1/"
    <Directory "/web/vhosts/www1/">
        Options None
        AllowOverride None
        # requirement (3): everyone may read the site except the test host 192.168.10.30
        <RequireAll>
            Require all granted
            Require not ip 192.168.10.30
        </RequireAll>
    </Directory>
    # requirement (2): the status page belongs to this virtual host only, and needs an
    # account from the htpasswd file created above
    <Location /server-status>
        SetHandler server-status
        AuthType Basic
        AuthName "please input passwd"
        AuthUserFile "/etc/httpd/conf.d/.htpasswd"
        Require valid-user
    </Location>
    CustomLog "/var/log/httpd/www1/access_log" combined
    ErrorLog "/var/log/httpd/www1/error_log"
</VirtualHost>
```
Create vhosts2.conf under /etc/httpd/conf.d/ as the configuration file for www2; it has to meet this requirement:
- www2.stux.com: document root /web/vhosts/www2; error log /var/log/httpd/www2/error_log, access log /var/log/httpd/www2/access_log;
```
# vim /etc/httpd/conf.d/vhosts2.conf
<VirtualHost *:80>
    ServerName www2.stux.com
    DocumentRoot "/web/vhosts/www2/"
    <Directory "/web/vhosts/www2/">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    CustomLog "/var/log/httpd/www2/access_log" combined
    ErrorLog "/var/log/httpd/www2/error_log"
</VirtualHost>
```
After both files are in place, check the syntax with httpd -t and restart httpd for the changes to take effect.
安裝并配置DNS服務(wù)(這里為了省事直接用httpd服務(wù)所在的服務(wù)器做DNS服務(wù)),并將http客戶端的DNS指向?qū)?yīng)地址
# yum -y install bind
# systemctl start named
# systemctl enable named
# vim /etc/named.rfc1912.zones
zone "stux.com" IN {
? ? ? ? type master;
? ? ? ? file "stux.com.zone";
};
Change the listen address and the query ACL in the options block of /etc/named.conf (excerpt; the lines with a trailing comment are the ones changed):
```
options {
        listen-on port 53 { any; };    // changed to any
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };      // changed to any
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;                 // with allow-query { any; } this is an open resolver: lab network only
        dnssec-enable no;              // recommended to set to no while testing
        dnssec-validation no;          // recommended to set to no while testing
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
```
建立并編輯區(qū)域數(shù)據(jù)文件,用于正向解析stux.com域中的域名
# vim /var/named/stux.com.zone
$TTL 3600
$ORIGIN stux.com.
@? ? ? IN? ? ? SOA? ? ns1.stux.com.? dnsadmin.stux.com.????(
? ? ? ? ? ? ? ? 2019122001
? ? ? ? ? ? ? ? 1H
? ? ? ? ? ? ? ? 10M
? ? ? ? ? ? ? ? 3D
? ? ? ? ? ? ? ? 1D????)
? ? ? ? IN? ? ? NS? ? ? ns1
? ? ? ? IN? ? ? MX 10? mx1
ns1? ? IN? ? ? A? ? ? 192.168.10.20
mx1? ? IN? ? ? A? ? ? 192.168.10.20
www1? ? IN? ? ? A? ? ? 192.168.10.20
www2? ? IN? ? ? A? ? ? 192.168.10.20
配置完后做語法檢查
named-checkzone stux.com /var/named/stux.com.zone
named-checkconf
權(quán)限及屬組修改
chgrp named /var/named/stux.com.zone
chmod o= /var/named/stux.com.zone
讓服務(wù)器重載配置文件和區(qū)域數(shù)據(jù)文件
? ?rndc reload
?在CA服務(wù)器192.168.10.100上私建CA服務(wù)器,生成私鑰
# cd /etc/pki/CA/
# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 4096 bit long modulus
...++
.++
e is 65537 (0x10001)
# ll private/cakey.pem
-rw-------. 1 root root 3247 Dec 23 01:03 private/cakey.pem? ?
Generate the self-signed CA certificate:
```
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
```
Provide the directories and files the CA needs (create them by hand only if they do not exist yet):
```
# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
# touch /etc/pki/CA/index.txt /etc/pki/CA/serial
# echo 01 > /etc/pki/CA/serial
```
A server that needs a certificate for secure communication has to ask the CA to sign one. Generate a private key on the host that will use the certificate; here that is the httpd server itself (2048 bits, matching the output shown):
```
# mkdir /etc/httpd/ssl/
# cd /etc/httpd/ssl/
# (umask 007; openssl genrsa -out httpd_key.pem 2048)
Generating RSA private key, 2048 bit long modulus
........................................+++
..+++
e is 65537 (0x10001)
# ll
total 4
-rw-rw----. 1 root root 1679 Dec 16 18:17 httpd_key.pem
# chmod 600 httpd_key.pem     # make sure the key is mode 400 or 600, readable by root only
```
Generate the certificate signing request:
```
# openssl req -new -key httpd_key.pem -out httpd_csr.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.stux.com    # must match the host name that will be typed into the browser
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ll
total 8
-rw-r--r--. 1 root root 1005 Dec 16 18:26 httpd_csr.pem
-rw-------. 1 root root 1679 Dec 16 18:17 httpd_key.pem
```
Send the request to the CA host:
```
# scp httpd_csr.pem root@192.168.10.100:/tmp
The authenticity of host '192.168.10.100 (192.168.10.100)' can't be established.
ECDSA key fingerprint is SHA256:Ss9puEjAq4gLKA1kXy7EC/WoHUwQvSoc+Kvfb9LsMEE.
ECDSA key fingerprint is MD5:24:68:b3:56:47:64:b1:1a:f5:f3:74:5a:7b:8b:0a:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.100' (ECDSA) to the list of known hosts.
root@192.168.10.100's password:
httpd_csr.pem                                 100% 1005     1.0MB/s   00:00
```
在CA主機(jī)上簽署證書
# openssl ca -in /tmp/httpd_csr.pem -out /etc/pki/CA/certs/httpd_crt.pem
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
? ? ? ? Serial Number: 1 (0x1)
? ? ? ? Validity
? ? ? ? ? ? Not Before: Dec 23 06:39:57 2019 GMT
? ? ? ? ? ? Not After : Dec 22 06:39:57 2020 GMT
? ? ? ? Subject:
? ? ? ? ? ? countryName? ? ? ? ? ? ? = CN
? ? ? ? ? ? stateOrProvinceName? ? ? = Beijing
? ? ? ? ? ? organizationName? ? ? ? ? = MageEdu
? ? ? ? ? ? organizationalUnitName? ? = Ops
? ? ? ? ? ? commonName? ? ? ? ? ? ? ? = www2.stux.com
? ? ? ? X509v3 extensions:
? ? ? ? ? ? X509v3 Basic Constraints:
? ? ? ? ? ? ? ? CA:FALSE
? ? ? ? ? ? Netscape Comment:
? ? ? ? ? ? ? ? OpenSSL Generated Certificate
? ? ? ? ? ? X509v3 Subject Key Identifier:
? ? ? ? ? ? ? ? 24:61:06:4D:F9:47:F6:BA:06:2B:87:AC:FF:AC:E9:BE:1B:4D:61:4F
? ? ? ? ? ? X509v3 Authority Key Identifier:
? ? ? ? ? ? ? ? keyid:A2:16:B8:0A:86:A9:16:73:7A:20:98:BC:01:35:0E:6A:03:2C:E1:87
Certificate is to be certified until Dec 22 06:39:57 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# ll certs/
total 8
-rw-r--r--. 1 root root 5717 Dec 23 01:40 httpd_crt.pem
CA主機(jī)將簽好的證書發(fā)送給客戶端:
# scp certs/httpd_crt.pem root@192.168.10.20:/etc/httpd/ssl
The authenticity of host '192.168.10.20 (192.168.10.20)' can't be established.
ECDSA key fingerprint is e2:d4:22:10:8a:be:88:8f:83:d9:a8:a6:37:4b:2c:82.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.20' (ECDSA) to the list of known hosts.
root@192.168.10.20's password:
httpd_crt.pem? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 100% 5717? ? 5.6KB/s? 00:00
On the httpd server, configure httpd to serve https. First check whether the mod_ssl module is present, and install it if it is not:
```
# httpd -M | grep ssl
# yum -y install mod_ssl
# httpd -M | grep ssl
 ssl_module (shared)
```
Edit the configuration file that mod_ssl installs:
```
# vim /etc/httpd/conf.d/ssl.conf
```
Point the certificate directives at the CA-signed certificate and the private key on the httpd server, and set the host name and document root of the site that is to be served over https.
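As an added example (not the page's own file), this is what the edited part of /etc/httpd/conf.d/ssl.conf looks like with the paths used in this walkthrough; sending the https logs to the www2 log files from requirement 1 is an assumption, the stock file uses logs/ssl_error_log and logs/ssl_access_log.

```apache
# /etc/httpd/conf.d/ssl.conf, edited section only; the Listen 443 line and the
# SSLProtocol/SSLCipherSuite settings shipped with mod_ssl stay as they are
<VirtualHost _default_:443>
    # the https site serves the same content as the www2 plain-http virtual host
    ServerName www2.stux.com:443
    DocumentRoot "/web/vhosts/www2/"
    # assumption: reuse the www2 logs required in exercise 1 (replace the stock
    # ErrorLog and TransferLog lines)
    ErrorLog "/var/log/httpd/www2/error_log"
    CustomLog "/var/log/httpd/www2/access_log" combined

    SSLEngine on
    # certificate signed by the private CA on 192.168.10.100 and the key generated
    # above; the key file must stay mode 600 and owned by root
    SSLCertificateFile /etc/httpd/ssl/httpd_crt.pem
    SSLCertificateKeyFile /etc/httpd/ssl/httpd_key.pem

    <Directory "/web/vhosts/www2/">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

Run httpd -t and restart httpd afterwards; httpd -M | grep ssl must already list ssl_module, otherwise the SSL* directives are rejected.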

Log in to the test machine 192.168.10.30 and copy the CA certificate to it:
```
# scp root@192.168.10.100:/etc/pki/CA/cacert.pem /tmp
```
Test from 192.168.10.30:
```
# openssl s_client -connect www2.stux.com:443 -CAfile /tmp/cacert.pem
```
Result: when the server certificate chains to cacert.pem, the s_client output ends with "Verify return code: 0 (ok)".
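The single s_client call above only checks the https part. The following script is an added example, not part of the original page, that checks every requirement of the exercise from the test machine: DNS, the IP deny on www1, the authenticated status page, and the https certificate chain and subject. It assumes the test machine 192.168.10.30 resolves *.stux.com through 192.168.10.20, that /tmp/cacert.pem exists as copied above, and that curl, dig and openssl are installed; the account text1:text1 is one of those created with htpasswd earlier.

```shell
# Added end-to-end check for this lab, not part of the original page. Run it with
# RUN_CHECKS=1 on the test machine 192.168.10.30, once its resolver points at
# 192.168.10.20 and the CA certificate is in /tmp/cacert.pem. Needs curl, dig, openssl.
CA_FILE=${CA_FILE:-/tmp/cacert.pem}
DNS_SERVER=${DNS_SERVER:-192.168.10.20}
STATUS_USER=${STATUS_USER:-text1:text1}   # one of the accounts created with htpasswd above

# Print the HTTP status code for a URL; any further arguments are passed to curl.
http_code() {
    local url=$1; shift
    curl -s -o /dev/null -w '%{http_code}' "$@" "$url"
}

# Extract one attribute (C, ST, O, OU or CN) from a subject line as printed by
# "openssl x509 -noout -subject -nameopt RFC2253", which looks like
#   subject= CN=www2.stux.com,OU=Ops,O=MageEdu,ST=Beijing,C=CN
dn_field() {
    printf '%s\n' "${1#subject=}" | tr ',' '\n' | sed -n "s/^ *$2=//p"
}

# Compare the certificate subject with what exercise 2 asks for (O=MageEdu as typed in
# the CSR). L is not checked: the signing output above shows the CA dropped it, because
# the default policy_match in openssl.cnf has no localityName entry. Returns 0 on match.
check_dn() {
    local subj=$1 rc=0 pair
    for pair in C=CN ST=Beijing O=MageEdu OU=Ops CN=www2.stux.com; do
        [ "$(dn_field "$subj" "${pair%%=*}")" = "${pair#*=}" ] \
            || { echo "DN mismatch, expected $pair"; rc=1; }
    done
    return $rc
}

run_checks() {
    # the lab DNS resolves the name-based vhosts to the httpd server
    [ "$(dig +short @"$DNS_SERVER" www1.stux.com)" = 192.168.10.20 ] || echo "FAIL: DNS for www1"
    # 1(3): www1 refuses this client's IP, so the front page must come back as 403
    [ "$(http_code http://www1.stux.com/)" = 403 ] || echo "FAIL: www1 did not deny 192.168.10.30"
    # 1(2): server-status is 401 without credentials and 200 with a valid account
    [ "$(http_code http://www1.stux.com/server-status)" = 401 ] || echo "FAIL: status page without auth"
    [ "$(http_code http://www1.stux.com/server-status -u "$STATUS_USER")" = 200 ] || echo "FAIL: status page with auth"
    # 2: the https vhost validates against the private CA and carries the required subject
    [ "$(http_code https://www2.stux.com/ --cacert "$CA_FILE")" = 200 ] || echo "FAIL: https with private CA"
    local subj
    subj=$(openssl s_client -connect www2.stux.com:443 -servername www2.stux.com -CAfile "$CA_FILE" \
               </dev/null 2>/dev/null | openssl x509 -noout -subject -nameopt RFC2253)
    check_dn "$subj" && echo "OK: www2 certificate subject matches the exercise"
}
# Only contact the servers when explicitly asked, so the helpers can be sourced or tested offline.
if [ "${RUN_CHECKS:-0}" = 1 ]; then run_checks; fi
```

Because httpd identifies the client by its source address, the 403 check is only meaningful when the script runs on the host that vhosts.conf denies.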
