Httpd Service
I. Goal:
1. Set up an httpd service that:
(1) provides two name-based virtual hosts, www1 and www2, each with its own error log and access log;
(2) exposes status information at /server-status on www1, readable only by user tom;
(3) denies every host in 192.168.0.0/24 access to www2;
2. Serve the second virtual host above over HTTPS.
II. Outline of the procedure
A. Obtain a certificate for HTTPS: this needs a private CA, which is built by hand below
B. Install httpd
C. Write the configuration files that meet the requirements above
III. Let's begin: CentOS 6.7 + httpd 2.2
A. Certificates
1. Generate the root certificate (the CA certificate and key paths are the ones defined in /etc/pki/tls/openssl.cnf: /etc/pki/CA/cacert.pem and /etc/pki/CA/private/cakey.pem)
[localhost:~] yum install openssl
[localhost:~] cd /etc/pki/CA
[localhost:CA] (umask 077; openssl genrsa -out private/cakey.pem 1024)
[localhost:CA] openssl req -x509 -new -key private/cakey.pem -out cacert.pem
[localhost:CA] touch index.txt
[localhost:CA] echo "01" > serial
The umask in the subshell makes the key file readable by root only. Two things worth changing outside a lab: 1024-bit RSA is too weak for a real CA, so use 2048 bits or more, and openssl req -x509 issues a certificate valid for only 30 days unless -days is given. index.txt and serial are the database and next serial number that openssl ca (step 3) requires.
2. Generate the server key and certificate request
Despite the name reused from step 1, this cakey.pem is the web server's key, not the CA's; it is created in /root, so it does not collide with /etc/pki/CA/private/cakey.pem. When openssl req prompts for the Distinguished Name, enter the virtual host's name (www2) as the Common Name and give the same Country, State and Organization as the CA certificate: the default policy_match section in openssl.cnf makes openssl ca reject a request where they differ.
[localhost:~] (umask 077; openssl genrsa -out cakey.pem 1024)
[localhost:~] openssl req -new -key cakey.pem -out cacertreq.pem
3. Issue the certificate
openssl ca signs the request with the CA key from step 1; it asks for confirmation once before signing and once before committing the entry to index.txt.
[localhost:~] openssl ca -in cacertreq.pem -out cacert.cer
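The three certificate steps above as one runnable script, added here as an example and not taken from the original page. It builds the CA in a scratch directory from mktemp with its own minimal openssl.cnf (so neither /etc/pki/CA nor the policy_match rules of /etc/pki/tls/openssl.cnf are involved and it runs without root), uses 2048-bit keys and SHA-256, places the virtual host name in the Subject Alternative Name, and finally checks the issued certificate against the CA with openssl verify. The CA name, the function names and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): build a private CA and issue a
# server certificate for a virtual host, in a scratch directory so it runs
# without root. Paths, the CA name and the 2048-bit/SHA-256 choices are assumptions.
set -eu

# Write a minimal openssl.cnf for "openssl ca" into $1 so that the system
# openssl.cnf and its policy_match (C/ST/O must match the CA) are not used.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca      = demo_ca
[ demo_ca ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = demo_policy
x509_extensions = server_ext
copy_extensions = copy
[ demo_policy ]
commonName      = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Steps 1 of the page: CA key, self-signed CA certificate, index.txt and serial.
build_ca() {                     # $1 = CA directory (created here)
    mkdir -p "$1/private" "$1/newcerts"
    touch "$1/index.txt"
    echo 01 > "$1/serial"
    write_ca_config "$1"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -x509 -new -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
        -sha256 -days 3650 -subj "/CN=Demo Root CA" -out "$1/cacert.pem"
}

# Steps 2 and 3 of the page: server key, request with the host name in the SAN,
# and signing by the CA (copy_extensions carries the SAN into the certificate).
issue_server_cert() {            # $1 = CA directory, $2 = ServerName, $3 = output dir
    mkdir -p "$3"
    (umask 077; openssl genrsa -out "$3/$2.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$3/$2.key" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" -out "$3/$2.csr"
    openssl ca -batch -notext -config "$1/openssl.cnf" \
        -in "$3/$2.csr" -out "$3/$2.crt" 2>/dev/null
}

# Returns 0 when the certificate chains to the CA and names the host in its SAN.
check_cert() {                   # $1 = CA directory, $2 = certificate file, $3 = expected name
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1 &&
    openssl x509 -in "$2" -noout -text | grep -q "DNS:$3"
}

# Demo run (constructed paths): CA in a scratch directory, certificate for www2.
WORK=$(mktemp -d)
build_ca "$WORK/ca"
issue_server_cert "$WORK/ca" www2 "$WORK/certs"
if check_cert "$WORK/ca" "$WORK/certs/www2.crt" www2; then
    echo "www2.crt verifies against cacert.pem and names www2"
fi
rm -rf "$WORK"
```

On the real host, the files that matter to httpd are www2.key and www2.crt (the SSLCertificateKeyFile and SSLCertificateFile of section C) plus cacert.pem, which every client has to import as a trusted root; until it does, browsers will still warn, exactly as they do for the page's self-signed setup.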
B. Install the httpd service
1. Install httpd
[localhost:~] yum install httpd
[localhost:~] ll /etc/httpd
conf                                        main configuration file conf/httpd.conf
conf.d                                      auxiliary configuration directory (httpd.conf contains "Include conf.d/*.conf", so only files named *.conf in it are read)
logs -> ../../var/log/httpd                 log directory
modules -> ../../usr/lib64/httpd/modules    module directory
run -> ../../var/run/httpd                  directory for the pid file
2. Install mod_ssl
[localhost:~] yum install mod_ssl
[localhost:~] rm -f /etc/httpd/conf.d/ssl.conf
The packaged ssl.conf carries "Listen 443" and a default SSL virtual host. It is removed here because the SSL settings are written by hand in section C, which therefore has to supply its own Listen 443.
C. Configuration files
1. Main configuration file:
[localhost:~] cat /etc/httpd/conf/httpd.conf
ServerTokens OS
ServerRoot /etc/httpd
KeepAlive On
KeepAliveTimeout 10
Timeout 5
MaxKeepAliveRequests 100
Include conf.d/*.conf
PidFile run/httpd.pid
DirectoryIndex index.html index.php
TypesConfig /etc/mime.types
UseCanonicalName Off
User apache
Group apache
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
LogLevel warn
ErrorLog logs/error_log
CustomLog logs/access_log combined
<Directory />
    Options None
    AllowOverride None
    Order Allow,Deny
    Allow from All
</Directory>
SSLEngine On
SSLCertificateFile /root/cacert.cer
SSLCertificateKeyFile /root/cakey.pem
Notes on this file: there is no Listen here, so the only listening socket is the "Listen 443" in the virtual host file, and "SSLEngine On" at server level is inherited by every virtual host. The certificate and key are read while httpd still runs as root, so /root works, but the conventional place is /etc/pki/tls/certs and /etc/pki/tls/private with the key at mode 0600. "Allow from All" on <Directory /> opens the whole filesystem to any Alias or DocumentRoot added later; a tighter baseline is "Deny from All" here and an explicit "Allow from All" inside each DocumentRoot's <Directory> block. "ServerTokens OS" reveals the operating system in the Server header; "ServerTokens Prod" is the usual hardening choice.
2. Modules configuration file:
The file must end in .conf to be picked up by "Include conf.d/*.conf", and because conf.d is read in alphabetical order loadmodules.conf is processed before vhost1.conf, so every module is loaded before the directives that need it. The configuration in this page actually uses only auth_basic, authn_file, authz_host, authz_user, authz_default, log_config, mime, dir, status and ssl; the remaining modules below (proxy, dav, cgi, userdir, info, autoindex and others) add attack surface that nothing here uses and are better left out of a production build.
[localhost:~] cat /etc/httpd/conf.d/loadmodules.conf
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule version_module modules/mod_version.so
LoadModule ssl_module modules/mod_ssl.so
<IfModule prefork.c>
    StartServers 5
    MinSpareServers 5
    MaxSpareServers 10
    MaxRequestsPerChild 200
    MaxClients 256
</IfModule>
<IfModule worker.c>
    StartServers 4
    ThreadsPerChild 25
    MinSpareThreads 50
    MaxSpareThreads 100
    # ServerLimit defaults to 16, which would silently cap MaxClients at 16 * 25 = 400;
    # 40 processes * 25 threads = 1000, and it must precede MaxClients
    ServerLimit 40
    MaxClients 1000
    MaxRequestsPerChild 200
</IfModule>
3. VirtualHost configuration
[localhost:~] htpasswd -c /etc/httpd/passwd tom
[localhost:~] cat /etc/httpd/conf.d/vhost1.conf
Listen 443
NameVirtualHost 172.16.0.202:443
<VirtualHost 172.16.0.202:443>
    ServerName www1
    DocumentRoot /data/web/test/www1
    ErrorLog /etc/httpd/logs/error_www1.log
    CustomLog /etc/httpd/logs/access_www1.log combined
    <Location /server-status>
        SetHandler server-status
        Options None
        AuthType Basic
        AuthName "AdminRequire"
        AuthUserFile /etc/httpd/passwd
        Require user tom
    </Location>
</VirtualHost>
<VirtualHost 172.16.0.202:443>
    ServerName www2
    DocumentRoot /data/web/test/www2
    ErrorLog /etc/httpd/logs/error_www2.log
    CustomLog /etc/httpd/logs/access_www2.log combined
    <Directory /data/web/test/www2>
        Order Deny,Allow
        Deny from 192.168.0.0/24
    </Directory>
</VirtualHost>
Points to watch in this file. htpasswd -c creates the password file and overwrites it if it already exists, so drop -c when adding further users. AllowOverride is valid only in <Directory> (httpd refuses to start with it inside <Location>), which is why the /server-status block carries none. The mod_authz_host directives Order, Allow and Deny are likewise valid only in <Directory>, <Location>, <Files> or .htaccess, never directly in <VirtualHost>, so the www2 rule sits in a <Directory> block. Mind the Order semantics: with "Order Allow,Deny" a request is admitted only if an Allow matches and no Deny does, so "Allow from 192.168.0" followed by "Deny from All" would lock everybody out; "Order Deny,Allow" admits by default and a single "Deny from 192.168.0.0/24" blocks exactly that network. Both hosts sit on port 443 and share the certificate from section A, whose Common Name can match only one ServerName, so clients that check the name (every browser) will warn on the other; clients also have to resolve www1 and www2 to 172.16.0.202, for example through /etc/hosts. Create the two DocumentRoot directories, then check the whole configuration with "httpd -t" before "service httpd start".
On httpd 2.4 the same requirements need only these changes:
- NameVirtualHost is no longer needed: any address that carries more than one <VirtualHost> is name-based automatically (the directive only produces a warning).
- In httpd 2.2, IP-based access control is written with mod_authz_host's "Order Allow,Deny" / "Allow from ..." / "Deny from ..."; in 2.4 these are replaced by mod_authz_core's "Require all granted", "Require ip ..." and "Require not ip ..." (the old spelling still works only if mod_access_compat is loaded, and the 2.4 stock httpd.conf puts "Require all denied" on <Directory />, so each DocumentRoot needs "Require all granted").
- User-based control is still "Require user ..." / "Require group ..." in both versions.
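The two virtual hosts rewritten for httpd 2.4, added here as an example that is not part of the original page. It keeps the address, DocumentRoots, log names, certificate paths and password file used above, and assumes that mod_ssl, mod_authz_core, mod_authz_host, mod_authz_user, mod_auth_basic, mod_authn_file and mod_status are loaded (the 2.4 package on CentOS 7 loads them from conf.modules.d):

```apache
# Added example, not from the original page: httpd 2.4 version of vhost1.conf.
# Same address, DocumentRoots, logs, certificate and password file as above.
Listen 443

<VirtualHost 172.16.0.202:443>
    ServerName www1
    DocumentRoot /data/web/test/www1
    ErrorLog /etc/httpd/logs/error_www1.log
    CustomLog /etc/httpd/logs/access_www1.log combined
    SSLEngine on
    SSLCertificateFile /root/cacert.cer
    SSLCertificateKeyFile /root/cakey.pem

    # 2.4's stock httpd.conf puts "Require all denied" on <Directory />,
    # so each DocumentRoot has to be opened explicitly.
    <Directory /data/web/test/www1>
        Require all granted
    </Directory>

    # Same Basic-auth gate as in 2.2; "Require user" is unchanged in 2.4.
    <Location /server-status>
        SetHandler server-status
        AuthType Basic
        AuthName "AdminRequire"
        AuthUserFile /etc/httpd/passwd
        Require user tom
    </Location>
</VirtualHost>

<VirtualHost 172.16.0.202:443>
    ServerName www2
    DocumentRoot /data/web/test/www2
    ErrorLog /etc/httpd/logs/error_www2.log
    CustomLog /etc/httpd/logs/access_www2.log combined
    SSLEngine on
    SSLCertificateFile /root/cacert.cer
    SSLCertificateKeyFile /root/cakey.pem

    # Replaces "Order Deny,Allow" + "Deny from 192.168.0.0/24". A negated
    # Require only takes effect inside <RequireAll>: every client is granted
    # except those whose address is in 192.168.0.0/24.
    <Directory /data/web/test/www2>
        <RequireAll>
            Require all granted
            Require not ip 192.168.0.0/24
        </RequireAll>
    </Directory>
</VirtualHost>
```

A bare "Require not ip ..." outside <RequireAll> is not an error but has no effect (the implicit container is <RequireAny>, where a negative rule can never grant anything), so the network would stay reachable; "httpd -t" only warns about it, which is easy to miss.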