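CentOS 6 Service Management, WEB: httpd User Authentication and Implementing HTTPS on httpd
Through the two previous blog posts
CentOS 6 Service Management, WEB: Apache httpd Configuration File Explained
we learned the basics of Apache httpd. Now we can configure httpd in a lab that sets up user authentication and HTTPS encrypted transport. The requirements of this lab are as follows: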
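Lab environment:
CentOS release 6.6 (Final), 1 machine
Windows XP, 1 machine
IP addresses:
172.16.31.31 www.stu31.com web server
172.16.31.188 Windows XP test client
Windows XP has the Chrome browser installed, plus the IE browser that ships with the system
Software version:
httpd-2.2.15-39.el6.centos.x86_64
Lab requirements: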
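1. Set up an httpd server with the following requirements:
Provide two name-based virtual hosts:
(a) www1.stu31.com, document directory /web/vhosts/www1; error log /var/log/httpd/www1.err, access log /var/log/httpd/www1.access;
(b) www2.stu31.com, document directory /web/vhosts/www2; error log /var/log/httpd/www2.err, access log /var/log/httpd/www2.access;
(c) Create a home page file index.html for each virtual host, whose content is the corresponding host name;
(d) Expose httpd status information at www1.stu31.com/server-status, accessible only with an account and password (status:status);
2. Provide HTTPS service for the second virtual host above, so that users can access this web site securely over https;
(1) Certificate authentication is required; the certificate must use the country (CN), state (Henan), city (Zhengzhou) and organization (stu31);
(2) Set the department to tech, the host name to www2.stu31.com, and the e-mail address to [email protected];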
Lab procedure:
We install httpd from the rpm package; the installation is simple, and the configuration is what matters:
[root@www ~]# rpm -qa httpd
httpd-2.2.15-39.el6.centos.x86_64
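1. Set up an httpd server (built from source), with the following requirements:
Provide two name-based virtual hosts:
(a) www1.stu31.com, document directory /web/vhosts/www1; error log /var/log/httpd/www1.err, access log /var/log/httpd/www1.access;
(b) www2.stu31.com, document directory /web/vhosts/www2; error log /var/log/httpd/www2.err, access log /var/log/httpd/www2.access;
(c) Create a home page file index.html for each virtual host, whose content is the corresponding host name;
(d) Expose httpd status information at www1.stu31.com/server-status, accessible only with an account and password (status:status);
I. Configure the DNS server to provide name resolution for the clients.
Main configuration file:
[root@www ~]# cat /etc/named.conf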
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
    // listen-on port 53 { 127.0.0.1; };
    // listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    // allow-query { localhost; };
    recursion yes;
    // dnssec-enable yes;
    // dnssec-validation yes;
    // dnssec-lookaside auto;
    /* Path to ISC DLV key */
    /* bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    */
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Zone configuration file; add the stu31.com zone:
[[email protected]]# cat /etc/named.rfc1912.zones
zone "stu31.com" IN {
    type master;
    file "stu31.com.zone";
};
Zone database file:
[root@www named]# cat stu31.com.zone
$TTL 600
$ORIGIN stu31.com.
@       IN  SOA    ns1.stu31.com. root.stu31.com. (
                   2014121301
                   1H
                   5M
                   3D
                   6H )
        IN  NS     ns1.stu31.com.
        IN  MX 5   mail
ns1     IN  A      172.16.31.31
www     IN  A      172.16.31.31
www1    IN  A      172.16.31.31
www2    IN  A      172.16.31.31
mail    IN  A      172.16.31.31
pop3    IN  CNAME  mail
iamp4   IN  CNAME  mail
Test that the DNS server works:
II. httpd server configuration
Create the site directories and add the test pages:
[root@www named]# mkdir -pv /web/vhosts/www1
[root@www named]# vim /web/vhosts/www1/index.html
www1.stu31.com
[root@www named]# mkdir -pv /web/vhosts/www2
[root@www named]# vim /web/vhosts/www2/index.html
www2.stu31.com
Edit the main httpd configuration file /etc/httpd/conf/httpd.conf; only the relevant settings are listed here:
[root@www named]# vim /etc/httpd/conf/httpd.conf
#DocumentRoot "/var/www/html"
NameVirtualHost 172.16.31.31:80
<VirtualHost 172.16.31.31:80>
    DocumentRoot /web/vhosts/www1
    ServerName www1.stu31.com
    ErrorLog "/var/log/httpd/www1.err"
    CustomLog "/var/log/httpd/www1.access" combined
    # Require a valid account from the password file to view server-status
    <Location /server-status>
        SetHandler server-status
        AuthType Basic
        AuthName "status area"
        AuthUserFile /etc/httpd/users/.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
<VirtualHost 172.16.31.31:80>
    DocumentRoot /web/vhosts/www2
    ServerName www2.stu31.com
    ErrorLog "/var/log/httpd/www2.err"
    CustomLog "/var/log/httpd/www2.access" combined
</VirtualHost>
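The <Location /server-status> block above (shown in blue in the original) is the user authentication configuration. Next we check the syntax:
[root@www named]# httpd -t
Syntax OK
For the user authentication configuration, we need to create the password file that holds the authorized users:
[root@www named]# mkdir /etc/httpd/users
[root@www named]# htpasswd -c -m /etc/httpd/users/.htpasswd status
New password:
Re-type new password:
Adding password for user status
Once this is done we can start the httpd service and test user authentication:
[root@www named]# service httpd restart
Stopping httpd: [FAILED]
Starting httpd: [ OK ]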
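III. User authentication test:
Enter the user name and password to authenticate:
The Apache server status information can now be viewed:
2. Provide HTTPS service for the second virtual host above, so that users can access this web site securely over https;
(1) Certificate authentication is required; the certificate must use the country (CN), state (Henan), city (Zhengzhou) and organization (stu31);
(2) Set the department to tech, the host name to www2.stu31.com, and the e-mail address to [email protected];
HTTPS encrypted transport configuration
(a) Set up a private CA server
[root@www named]# cd /etc/pki/CA/
# Generate the CA's own private key file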
[root@www CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...............+++
...........+++
e is 65537 (0x10001)
# Generate the self-signed certificate
[root@www CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3560
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:stu31
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:www2.stu31.com
Email Address []:[email protected]
# Create the index database file
[root@www CA]# touch index.txt
# Create the serial number file
[root@www CA]# touch serial
[root@www CA]# echo 01 > serial
[root@www CA]# ls
cacert.pem certs crl index.txt newcerts private serial
The CA server is now set up.
(b) Generate a certificate for the httpd server
# Generate the private key for the httpd server
[root@www CA]# mkdir /etc/httpd/certs
[root@www CA]# cd /etc/httpd/certs
[root@www certs]# (umask 077; openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...........................................................................................................................................................................................+++
.............................................................................................+++
e is 65537 (0x10001)
# Generate the certificate signing request file
[root@www certs]# openssl req -new -key httpd.key -out httpd.csr -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:stu31
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:www2.stu31.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(c) Configure the httpd service to use the digital certificate
# The CA server signs the certificate request
[root@www certs]# ls
httpd.csr httpd.key
[root@www certs]# openssl ca -in httpd.csr -out httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 13 05:30:19 2014 GMT
            Not After : Dec 10 05:30:19 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HA
            organizationName          = stu31
            organizationalUnitName    = tech
            commonName                = www2.stu31.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                9A:84:73:63:C0:82:7F:45:21:9C:BA:2B:4C:FB:C3:87:7C:BA:63:58
            X509v3 Authority Key Identifier:
                keyid:1C:57:C2:12:E4:D3:A6:4F:9A:7A:C6:53:7F:5B:7B:86:1E:75:0D:57
Certificate is to be certified until Dec 10 05:30:19 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(d) Configure the HTTPS server for encrypted transport
In the default Apache httpd installation:
httpd does not load the SSL module by default, so the corresponding module package must be installed:
[root@www certs]# yum install mod_ssl -y
[root@www ~]# rpm -qa mod_ssl
mod_ssl-2.2.15-39.el6.centos.x86_64
After installation, an ssl.conf configuration file is created under /etc/httpd/conf.d/; HTTPS is configured in this file:
[root@www conf.d]# ls
mod_dnssd.conf README ssl.conf welcome.conf
Edit ssl.conf; the important settings are all shown below:
[root@www conf.d]# vim /etc/httpd/conf.d/ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost 172.16.31.31:443>
    DocumentRoot "/web/vhosts/www2"
    ServerName www2.stu31.com:443
    SSLEngine on
    SSLCertificateFile /etc/httpd/certs/httpd.crt
    SSLCertificateKeyFile /etc/httpd/certs/httpd.key
</VirtualHost>
Check the configuration syntax:
[root@www conf.d]# httpd -t
Syntax OK
Restart the httpd service:
[root@www conf.d]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Check the listening port:
[root@www conf.d]# ss -tunl | grep 443
tcp LISTEN 0 128 :::443 :::*
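Steps (a) through (c) above, rebuilt non-interactively in a scratch directory as an added example (not the original author's commands), followed by the checks worth running before ssl.conf is pointed at the files: the key matches the certificate, the certificate chains to the CA, and the key is not readable by group or others. It swaps `openssl ca` for `openssl x509 -req -CA` so that /etc/pki/CA is left untouched; the file lab.cnf, the CA common name "stu31 lab CA" (the page uses www2.stu31.com for both CA and server), the subjectAltName entry, the 365-day validity and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: lab.cnf, the CA
# common name "stu31 lab CA", the SAN entry, and the function names.

build_lab_pki() {   # $1 = empty scratch directory
  ( cd "$1" && umask 077 &&
    printf '%s\n' '[req]' 'distinguished_name = req' \
      '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
      '[v3_srv]' 'basicConstraints = CA:FALSE' \
      'subjectAltName = DNS:www2.stu31.com' > lab.cnf &&
    openssl genrsa -out cakey.pem 2048 2>/dev/null &&
    openssl req -new -x509 -sha256 -config lab.cnf -extensions v3_ca \
      -key cakey.pem -days 3650 -out cacert.pem \
      -subj '/C=CN/ST=HA/L=ZZ/O=stu31/OU=tech/CN=stu31 lab CA' 2>/dev/null &&
    openssl genrsa -out httpd.key 2048 2>/dev/null &&
    openssl req -new -sha256 -config lab.cnf -key httpd.key -out httpd.csr \
      -subj '/C=CN/ST=HA/L=ZZ/O=stu31/OU=tech/CN=www2.stu31.com' 2>/dev/null &&
    openssl x509 -req -sha256 -in httpd.csr -CA cacert.pem -CAkey cakey.pem \
      -CAcreateserial -extfile lab.cnf -extensions v3_srv \
      -days 365 -out httpd.crt 2>/dev/null )
}

# True only if the certificate carries the public half of this private key.
key_matches_cert() {   # $1 = private key, $2 = certificate
  k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# True only if the certificate verifies against the given CA certificate.
chains_to_ca() {       # $1 = CA certificate, $2 = server certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True only if group and others have no permission bits on the key file.
key_is_private() {     # $1 = private key
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Demo run in a throwaway directory; nothing under /etc is touched.
d=$(mktemp -d) && build_lab_pki "$d" &&
  key_matches_cert "$d/httpd.key" "$d/httpd.crt" &&
  chains_to_ca "$d/cacert.pem" "$d/httpd.crt" &&
  key_is_private "$d/httpd.key" && echo "all checks passed"
rm -rf "$d"
```

The three check functions take file paths, so they can be run unchanged against /etc/httpd/certs/httpd.key, /etc/httpd/certs/httpd.crt and /etc/pki/CA/cacert.pem from the steps above.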
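Test from the Windows client:
First install the CA server's certificate on Windows: send cacert.pem to the Windows machine, rename it to cacert.crt, and install the certificate:
Test with the Chrome browser
Lab complete! (*^__^*)
This article comes from the “龙之守护” blog; please be sure to keep this source: http://sohudrgon.blog.51cto.com/3088108/1589956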