項目實踐==虛擬主機及SSL通信（Blog 14）

 

1、建立httpd服務，要求：
(1) 提供兩個基于名稱的虛擬主機：
www1.stuX.com，頁面文件目錄為/web/vhosts/www1；錯誤日志為/var/log/httpd/www1/error_log，訪問日志為/var/log/httpd/www1/access_log；
www2.stuX.com，頁面文件目錄為/web/vhosts/www2；錯誤日志為/var/log/httpd/www2/error_log，訪問日志為/var/log/httpd/www2/access_log；
(2) 通過www1.stuX.com/server-status輸出其狀態信息，且要求只允許提供賬號的用戶訪問；
(3) www1不允許192.168.1.0/24網絡中的主機訪問；

2、為上面的第2個虛擬主機提供https服務，使得用戶可以通過https安全的訪問此web站點；
(1) 要求使用證書認證，證書中要求使用國家（CN），州（Beijing），城市（Beijing），組織為(MageEdu)；
(2) 設置部門為Ops, 主機名為www2.stuX.com；

1、（1）CentOS 6主機

# vim /etc/conf.d/virtualhost.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
</VirtualHost>

<VirtualHost *:80>
ServerName www2.stuX.com
DocumentRoot “/web/vhosts/www2”
CustomLog logs/www2/access_log combined
ErrorLog logs/www2/error_log
</VirtualHost>

# mkdir -pv /web/vhosts/www{1,2}
# mkdir /var/log/httpd/www{1,2}
# httpd -t
# service httpd restart

給出測試頁面：
# echo “www1.stuX.com” > /web/vhosts/www1/index.html
# echo “www2.stuX.com” > /web/vhosts/www2/index.html

在hosts文件中添加解析條目：
# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.0.16 www1.stuX.com www1
172.16.0.16 www2.stuX.com www2

測試訪問：
# curl http://www1
www1.stuX.com
# curl http://www2
www1.stuX.com

（2）輸出狀態頁面

# vim /etc/conf.d/virtualhost.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName “VIP”
AuthUserFile “conf.d/.htpasswd”
Require valid-user
</Location>
</VirtualHost>

<VirtualHost *:80>
ServerName www2.stuX.com
DocumentRoot “/web/vhosts/www2”
CustomLog logs/www2/access_log combined
ErrorLog logs/www2/error_log
</VirtualHost>

提供賬號
# htpasswd -c -b -s /etc/conf.d/.htpasswd tom magedu
# htpasswd -b -s /etc/conf.d/.htpasswd jack magedu
# htpasswd -b -s /etc/conf.d/.htpasswd obama magedu
# cat /etc/conf.d/.htpasswd
tom:{SHA}AAXfhrY/nwrcGaafjs69saZnPt4=
jack:{SHA}AAXfhrY/nwrcGaafjs69saZnPt4=
obama:{SHA}AAXfhrY/nwrcGaafjs69saZnPt4=

# httpd -t
# service httpd restart
測試訪問
# curl –basic -u tom:magedu http://www1/server-status
# curl –basic -u jack:magedu http://www1/server-status

（3）www1不允許192.168.1.0/24網絡訪問

# vim /etc/conf.d/virtualhost.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName “VIP”
AuthUserFile “conf.d/.htpasswd”
Require valid-user
</Location>
<Directory “/web/vhosts/www1”>
Options None
AllowOverride None
Order allow,deny
Deny from 192.168.1.0/24
Allow from all
</Directory>
</VirtualHost>

<VirtualHost *:80>
ServerName www2.stuX.com
DocumentRoot “/web/vhosts/www2”
CustomLog logs/www2/access_log combined
ErrorLog logs/www2/error_log
</VirtualHost>

# httpd -t
# service httpd restart

2、（1）CentOS 6主機

# httpd -t -D DUMP_VHOSTS
*:80 is a NameVirtualHost
default server www1.stuX.com (/etc/httpd/conf.d/virtualhost.conf:2)
port 80 namevhost www1.stuX.com (/etc/httpd/conf.d/virtualhost.conf:2)
port 80 namevhost www2.stuX.com (/etc/httpd/conf.d/virtualhost.conf:23)

為第二個提供ssl，即是SSL的主機名同www2.stuX.com，且相同的DocumentRoot；

（2）在CA主機生成私鑰，自簽證書

# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 7300

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server’s hostname) []:ca.stuX.com
Email Address []:

# touch /etc/pki/CA/index.txt
# echo 01 > /etc/pki/CA/serial

（3）在用到證書的主機生成私鑰，生成證書簽署請求

# mkdir /etc/httpd/ssl
# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server’s hostname) []:www2.stuX.com
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

（4）將請求可靠的發送到CA

# scp /etc/httpd/ssl/httpd.csr root@172.16.0.8:/tmp

（5）CA簽署請求

# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

（6）下載證書

# scp root@172.16.0.8:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl

（7）安裝mod_ssl模塊

# yum install mod_ssl

（8）配置ssl

# /etc/httpd/conf.d/ssl.conf
DocumentRoot “/web/vhosts/www2”
ServerName www2.stuX.com:443
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
# httpd -t
# service httpd restart
# ss -tnl

（9）CA主機上測試連接

# openssl s_client -connect 172.16.0.16:443 -CAfile cacert.pem

Verify return code: 0 (ok)
—
GET /index.html HTTP/1.1
Host: 172.16.0.16

HTTP/1.1 200 OK
Date: Tue, 28 Nov 2017 15:35:40 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 28 Nov 2017 14:56:55 GMT
ETag: “e0006-e-55f0c3ae502c7”
Accept-Ranges: bytes
Content-Length: 14
Connection: close
Content-Type: text/html; charset=UTF-8

www2.stuX.com
closed

2、（1）CentOS 7主機

# yum -y install httpd httpd-tools
# vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.0.7:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
<Directory “/web/vhosts/www1”>
Options None
AllowOverride None
Require all granted
</Directory>
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
</VirtualHost>

# cp /etc/httpd/conf.d/www1.conf /etc/httpd/conf.d/www2.conf
# sed -i ‘s,www1,www2,g’ www2.conf
# mkdir -pv /web/vhosts/www{1,2}
# mkdir -v /var/log/httpd/www{1,2}
# httpd -t
# systemctl start httpd.service

# echo “<h1>www1.stuX.com</h1>” > /web/vhosts/www1/index.html
# echo “<h1>www2.stuX.com</h1>” > /web/vhosts/www2/index.html

# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.0.7 www1.stuX.com www1
172.16.0.7 www2.stuX.com www2

# curl http://www1.stuX.com
<h1>www1.stuX.com</h1>
# curl http://www2.stuX.com
<h1>www2.stuX.com</h1>

（2）為www1提供狀態頁面
# vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.0.7:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
<Directory “/web/vhosts/www1”>
Options None
AllowOverride None
Require all granted
</Directory>
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName “VIP”
AuthUserFile “conf.d/.htpasswd”
Require valid-user
</Location>
</VirtualHost>

# htpasswd -c -b -m /etc/httpd/conf.d/.htpasswd tom magedu
# htpasswd -b -s /etc/httpd/conf.d/.htpasswd jack magedu
# htpasswd -b -s /etc/httpd/conf.d/.htpasswd obama magedu

# cat /etc/httpd/conf.d/.htpasswd
tom:$apr1$uehD6ESz$6HCTYDjx60M.SNLEHNQZO0
jack:{SHA}AAXfhrY/nwrcGaafjs69saZnPt4=
obama:{SHA}AAXfhrY/nwrcGaafjs69saZnPt4=

# httpd -t
# systemctl restart httpd.service
#
# curl –basic -u tom:magedu http://www1.stuX.com/index.html

（3）不允許192.168.0.1/24網絡內的主機訪問www1

# vim /etc/httpd/conf.d/www1.conf
<VirtualHost 172.16.0.7:80>
ServerName www1.stuX.com
DocumentRoot “/web/vhosts/www1”
<Directory “/web/vhosts/www1”>
Options None
AllowOverride None
<RequireAll>
Require not ip 192.168.0.1/24
Require all granted
</RequireAll>
</Directory>
CustomLog logs/www1/access_log combined
ErrorLog logs/www1/error_log
<Location /server-status>
SetHandler server-status
AuthType basic
AuthName “VIP”
AuthUserFile “conf.d/.htpasswd”
Require valid-user
</Location>
</VirtualHost>
# httpd -t
# systemctl restart httpd.service

 

CentOS 7

2、
在已建CA上，申請證書；
（1）生成私鑰及請求

# mkdir -v /etc/httpd/ssl/
# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server’s hostname) []:www2.stuX.com
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# scp /etc/httpd/ssl/httpd.csr root@172.16.0.8:/tmp/

（2）CA簽署請求

吊銷上一個主機的證書
# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
# echo 01 > crlnumber
# openssl ca -gencrl -out /etc/pki/CA/crl/httpd.crl
# openssl crl -in /etc/pki/CA/crl/httpd.crl -noout -text

# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

# scp root@172.16.0.8:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl

（3）安裝配置SSL

# yum -y install mod_ssl

# httpd -t -D DUMP_VHOSTS
172.16.0.7:80 is a NameVirtualHost
default server www1.stuX.com (/etc/httpd/conf.d/www1.conf:1)
port 80 namevhost www1.stuX.com (/etc/httpd/conf.d/www1.conf:1)
port 80 namevhost www2.stuX.com (/etc/httpd/conf.d/www2.conf:1)
*:443 is a NameVirtualHost
default server localhost.localdomain (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost localhost.localdomain (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost localhost.localdomain (/etc/httpd/conf.d/ssl.conf:56)

# vim /etc/httpd/conf.d/ssl.conf
DocumentRoot “/web/vhosts/www2”
ServerName www2.stuX.com:443
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

# httpd -t
# systemctl restart httpd.service

（4）在CA主機訪問

# openssl s_client -connect 172.16.0.7:443 -CAfile /etc/pki/CA/cacert.pem

Start Time: 1512215742
Timeout : 300 (sec)
Verify return code: 0 (ok)
—
GET /index.html HTTP/1.1
Host: 172.16.0.7

HTTP/1.1 403 Forbidden
Date: Sat, 02 Dec 2017 11:50:46 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
Content-Length: 212
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don’t have permission to access /index.html
on this server.</p>
</body></html>

（5）配置SSL授權目錄

# vim /etc/httpd/conf.d/ssl.conf
<Directory “/web/vhosts/www2”>
Options None
AllowOverride None
Require all granted
</Directory>

（6）在CA主機訪問

# openssl s_client -connect 172.16.0.7:443 -CAfile /etc/pki/CA/cacert.pem

# httpd -t
# systemctl restart httpd.service

Start Time: 1512215937
Timeout : 300 (sec)
Verify return code: 0 (ok)
—
GET /index.html HTTP/1.1
Host: 172.16.0.7

HTTP/1.1 200 OK
Date: Sat, 02 Dec 2017 11:53:47 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
Last-Modified: Sat, 02 Dec 2017 11:23:09 GMT
ETag: “17-55f59b5bd19a3”
Accept-Ranges: bytes
Content-Length: 23
Content-Type: text/html; charset=UTF-8

<h1>www2.stuX.com</h1>