
Enabling HTTPS on httpd 2.2 (CentOS 6.9)

Environment:

  • DNS server: 192.168.1.43 (CentOS 7)
  • CA server: 192.168.1.44 (CentOS 6)
  • Web server: 192.168.1.19 (CentOS 6)
  • Client host: 192.168.1.20 (CentOS 7)

Installing the web server (httpd)

  • Create a name-based (FQDN) virtual host
[root@webHost ~]# yum -y install httpd
[root@webHost ~]# chkconfig httpd on  # start at boot ("chkconfig --add httpd" only registers the service; httpd's init script defaults to off)
[root@webHost ~]# service httpd start
[root@webHost ~]# cd /etc/httpd/conf.d/
[root@webHost conf.d]# vim ../conf/httpd.conf  # edit the main configuration file
    #DocumentRoot "/var/www/html"  # when virtual hosts are used, disable the main-server site; commenting this line out is enough
[root@webHost conf.d]# mkdir /web  # document root of the site (with SELinux enforcing it also needs the httpd_sys_content_t context, or httpd answers 403)
[root@webHost conf.d]# echo "Hi, xiaomu." >> /web/index.html  # home page
[root@webHost conf.d]# vim zhimajihua.conf  # virtual host definition; annotations are on their own lines because httpd does not allow a comment after a directive
    # Required on httpd 2.2 for name-based virtual hosts: without it every <VirtualHost *:80>
    # is treated as IP-based, httpd logs a "VirtualHost overlap" warning and the first one answers for all names.
    NameVirtualHost *:80
    <VirtualHost *:80>
        # hostname this virtual host answers for
        ServerName www.zhimajihua.cn
        # document root of the site
        DocumentRoot "/web"
        # error log
        ErrorLog /var/log/httpd/error_log
        # access log; "common" is the LogFormat nickname defined in httpd.conf, not a log level
        CustomLog /var/log/httpd/access_log common
    </VirtualHost>
[root@webHost conf.d]# service httpd reload  # reload the configuration

Configuring the DNS server

  • To reach the site by its FQDN we need a resolver for the zone. See here for the detailed configuration (link in the original).
[root@dnshost ~]# yum -y install bind
[root@dnshost ~]# systemctl enable named
[root@dnshost ~]# systemctl start named
[root@dnshost ~]# vim /etc/named.conf 
    options {
        //listen-on port 53 { 127.0.0.1; };  // commented out: listen on every interface instead of loopback only
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // restrict queries to the lab network; simply commenting the line out (the usual shortcut)
        // answers recursive queries from any address that can reach the server, i.e. an open resolver
        allow-query     { 192.168.1.0/24; };
        }
[root@dnshost ~]# vim /etc/named.rfc1912.zones 
    zone "zhimajihua.cn" IN {
            type master;
            file "zhimajihua.cn.zone";
            allow-update { none; };
    };
[root@dnshost ~]# named-checkconf 
[root@dnshost ~]# cp -p /var/named/named.localhost /var/named/zhimajihua.cn.zone  # -p keeps the root:named ownership so named can read the zone file
[root@dnshost ~]# vim /var/named/zhimajihua.cn.zone 
    $TTL 1D
    @    IN SOA    dns admin.zhimajihua.cn. (  ; RNAME is the admin mailbox, written as a fully qualified name with a trailing dot
                        0    ; serial
                        1D   ; refresh
                        1H   ; retry
                        1W   ; expire
                        3H ) ; minimum
         NS    dns
    dns  A     192.168.1.43
    www  A     192.168.1.19
[root@dnshost ~]# named-checkzone 'zhimajihua.cn' /var/named/zhimajihua.cn.zone 
zone zhimajihua.cn/IN: loaded serial 0
OK
[root@dnshost ~]# rndc reload
server reload successful

Configuring the client

  • Point the client's resolver at our DNS server (on CentOS 7 NetworkManager rewrites /etc/resolv.conf; to make the change persistent, set the DNS in the connection profile instead)
[root@client ~]# vim /etc/resolv.conf 
[root@client ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
search zhimajihua.cn
nameserver 192.168.1.43

As the screenshot in the original post shows, the browser returns the site correctly.

Configuring HTTPS

Enabling HTTPS takes two steps: request and sign a server certificate, then configure SSL on the web server. Note: for CA background see this article (link in the original).

  • Build a private CA
[root@caHost ~]# (umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)  # umask 066 gives the CA key mode 0600; it never leaves this host
[root@caHost ~]# cd /etc/pki/CA/
[root@caHost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650  # interactive; the C/ST/O entered here must be repeated in the server CSR, because the stock openssl.cnf policy (policy_match) requires them to match
[root@caHost CA]# touch index.txt  # certificate database used by 'openssl ca'
[root@caHost CA]# echo "01" > serial  # next serial number
  • Request a certificate on the web server
[root@webHost conf.d]# mkdir ssl
[root@webHost conf.d]# (umask 066;openssl genrsa -out ssl/httpd.key 4096)
[root@webHost conf.d]# openssl req -new -key ssl/httpd.key -out ssl/httpd.csr  # interactive; Common Name must be www.zhimajihua.cn, C/ST/O the same as the CA's
[root@webHost conf.d]# scp ssl/httpd.csr root@192.168.1.44:/etc/pki/CA  # only the CSR travels to the CA; the private key stays on the web server
  • CA issues the certificate
[root@caHost CA]# openssl ca -in httpd.csr -out httpd.crt -days 365  # the hostname ends up in the CN only: the stock openssl.cnf adds no subjectAltName, and Chrome 58+ and other current clients ignore the CN, so they will still report a name mismatch
[root@caHost CA]# scp httpd.crt cacert.pem root@192.168.1.19:/etc/httpd/conf.d/ssl  # cakey.pem is deliberately not copied
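The three bullets above (private CA, CSR, issuance) done end to end as one script, as an added example that is not code from the original post. It runs the same OpenSSL flow non-interactively in a throw-away directory so it never touches the real /etc/pki/CA, adds the subjectAltName the interactive flow leaves out, and ends with the checks worth running before httpd.crt and cacert.pem are copied to the web server: the chain verifies, the key matches the certificate, the SAN carries the FQDN. Assumptions: the openssl CLI is installed; the DN values (C=CN, ST=Beijing, O=zhimajihua) and the CA name are placeholders; signing uses `openssl x509 -req -CA` instead of `openssl ca`, so it needs no index.txt/serial database.

```shell
#!/bin/sh
# Added example (not from the original post): CA -> CSR -> signed cert -> checks.
# Assumes the openssl CLI; DN values and the CA name below are placeholders.

CA_SUBJ="/C=CN/ST=Beijing/O=zhimajihua/CN=zhimajihua Lab CA"   # assumed CA identity

# make_ca DIR: CA private key (0600 via umask) and a 10-year self-signed CA certificate.
# A private config is written so the CA extensions do not depend on the distro's openssl.cnf.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    (umask 077; openssl genrsa -out "$dir/cakey.pem" 4096 2>/dev/null)
    cat >"$dir/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -sha256 -days 3650 -key "$dir/cakey.pem" \
        -config "$dir/ca.cnf" -subj "$CA_SUBJ" -out "$dir/cacert.pem"
}

# make_server_csr DIR FQDN: web-server key and CSR. C/ST/O mirror the CA's because the stock
# openssl.cnf 'policy_match' refuses a request whose values differ; the FQDN goes into CN and SAN.
make_server_csr() {
    dir=$1; fqdn=$2
    (umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null)   # 2048 is plenty for a 1-year leaf
    cat >"$dir/httpd.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
C = CN
ST = Beijing
O = zhimajihua
CN = $fqdn
[ v3_req ]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -sha256 -key "$dir/httpd.key" -config "$dir/httpd.cnf" -out "$dir/httpd.csr"
}

# sign_server_cert DIR FQDN: the CA side. 'openssl x509 -req' ignores the CSR's own extensions,
# so the leaf extensions (including the SAN) are supplied again via -extfile.
sign_server_cert() {
    dir=$1; fqdn=$2
    cat >"$dir/httpd_ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
    openssl x509 -req -sha256 -days 365 -in "$dir/httpd.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/httpd_ext.cnf" -out "$dir/httpd.crt" 2>/dev/null
}

# verify_issued DIR FQDN: run before anything is scp'd to the web server. Returns 0 only if
# the chain verifies, the key matches the certificate and the SAN carries the FQDN.
verify_issued() {
    dir=$1; fqdn=$2
    # 1. chain; old (1.0.x) 'openssl verify' exits 0 even on failure, so test the text
    openssl verify -CAfile "$dir/cacert.pem" "$dir/httpd.crt" 2>&1 | grep -q ': OK$' || {
        echo "FAIL: httpd.crt does not verify against cacert.pem"; return 1; }
    # 2. same public key in the key file and in the certificate
    key_pub=$(openssl pkey -in "$dir/httpd.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$dir/httpd.crt" -noout -pubkey)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] || {
        echo "FAIL: httpd.key does not match httpd.crt"; return 1; }
    # 3. current clients ignore the CN; the name must be in subjectAltName
    openssl x509 -in "$dir/httpd.crt" -noout -text | grep -q "DNS:$fqdn" || {
        echo "FAIL: no subjectAltName for $fqdn"; return 1; }
    echo "OK: $dir/httpd.crt is valid for $fqdn and chains to $dir/cacert.pem"
}

main() {
    dir=${1:-$(mktemp -d)}; fqdn=${2:-www.zhimajihua.cn}
    make_ca "$dir"
    make_server_csr "$dir" "$fqdn"
    sign_server_cert "$dir" "$fqdn"
    verify_issued "$dir" "$fqdn"
    # On the real hosts only httpd.csr goes to the CA and only httpd.crt + cacert.pem come back.
}

main "$@"
```

Run it as `sh issue_cert.sh /tmp/pki www.zhimajihua.cn`; the resulting httpd.key, httpd.crt and cacert.pem are the three files the ssl/ directory below needs, and the verify step is the one to repeat on the web server after the scp.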
  • Configure SSL on the web server
[root@webHost conf.d]# tree ssl/  # if the steps above went well the web server now has these four files
ssl/
├── cacert.pem  # the CA's certificate
├── httpd.crt   # the site's certificate
├── httpd.csr   # the certificate request (no longer needed)
└── httpd.key   # the server's private key (mode 0600)

0 directories, 4 files
[root@webHost conf.d]# yum -y install mod_ssl  # httpd's SSL module; it drops a default ssl.conf into conf.d
[root@webHost conf.d]# ll
total 28
-rw-r--r-- 1 root root  392 Mar 22  2017 README
drwxr-xr-x 2 root root 4096 Sep 29 14:38 ssl
-rw-r--r-- 1 root root 9465 Dec  9  2016 ssl.conf
-rw-r--r-- 1 root root  299 Dec  9  2016 welcome.conf
-rw-r--r-- 1 root root  199 Sep 29 14:07 zhimajihua.conf
[root@webHost conf.d]# vim ssl.conf  # SSL virtual host; only the directives that were changed are shown, annotations on their own lines because httpd does not allow a comment after a directive
<VirtualHost *:443>

# General setup for the virtual host, inherited from global configuration
# document root of the site
DocumentRoot "/web"
# hostname this virtual host answers for
ServerName www.zhimajihua.cn:443
# Stock CentOS 6 value: "DEFAULT" still includes RC4 and "+3DES" keeps 3DES enabled, and the
# stock SSLProtocol in this file still allows SSLv3. Acceptable for a lab; for anything else pin
# SSLProtocol to TLS only and use an explicit HIGH cipher list with RC4 and 3DES excluded,
# together with SSLHonorCipherOrder on.
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
# path of the server certificate issued by our CA
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
# path of the server private key (must stay mode 0600, root-only)
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
# our CA's certificate. This directive only matters for client-certificate authentication
# (SSLVerifyClient); browsers trust the site because cacert.pem is imported on the client,
# not because of this line, so it is harmless but not what makes HTTPS work.
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem

# (the rest of the stock ssl.conf, SSLEngine on included, is left unchanged)
</VirtualHost>

[root@webHost conf.d]# httpd -t  # syntax check of the httpd configuration
Syntax OK
[root@webHost conf.d]# service httpd reload  # reload the configuration
Reloading httpd: 
[root@webHost conf.d]# ss -ntl  # check that port 443 is now listening
State       Recv-Q Send-Q              Local Address:Port                Peer Address:Port 
LISTEN      0      128                            :::80                            :::*     
LISTEN      0      128                            :::22                            :::*     
LISTEN      0      128                             *:22                             *:*     
LISTEN      0      100                           ::1:25                            :::*     
LISTEN      0      100                     127.0.0.1:25                             *:*     
LISTEN      0      128                            :::443                           :::*   
  • Client test (the CA certificate cacert.pem must be imported into the client's trust store first; otherwise the browser warns that the issuer is unknown)
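What the client test should actually check, as an added example that is not code from the original post: once cacert.pem is trusted on the client, run `openssl s_client` against the site and read three things from its output: the chain verified, the protocol is TLS 1.2 or newer, and the negotiated cipher is not from the RC4, 3DES, NULL, export or MD5 families that the stock cipher list above still permits. The two s_client excerpts in the script are constructed, not captured from a real host, so the checks run offline; the host, port and cacert.pem path in the usage line are the lab values assumed above.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run from the client after cacert.pem
# is trusted. audit_tls_output reads 'openssl s_client' output on stdin and prints one line per
# check; it returns 0 only if all three pass. SAMPLE_* are constructed excerpts, not captures.

audit_tls_output() {
    out=$(cat)
    rc=0
    # 1. did the chain verify against the CA we passed with -CAfile?
    verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *//p' | head -n 1)
    case "$verify" in
        "0 (ok)") echo "chain    : OK" ;;
        *)        echo "chain    : FAIL (${verify:-no verify line})"; rc=1 ;;
    esac
    # 2. protocol: SSLv3, TLS 1.0 and TLS 1.1 are all rejected
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    case "$proto" in
        TLSv1.2|TLSv1.3) echo "protocol : OK ($proto)" ;;
        *)               echo "protocol : FAIL (${proto:-none})"; rc=1 ;;
    esac
    # 3. cipher: the stock "DEFAULT:...:+3DES" list still offers RC4 and 3DES (DES-CBC3);
    #    "0000" is what s_client prints when no cipher was negotiated at all
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
        ""|0000|*RC4*|*DES*|*NULL*|*EXP*|*MD5*) echo "cipher   : FAIL (${cipher:-none})"; rc=1 ;;
        *)                                       echo "cipher   : OK ($cipher)" ;;
    esac
    return $rc
}

# audit_endpoint HOST [PORT] [CAFILE]: live check. -servername sends SNI, -CAfile trusts the
# private CA for this connection only, stdin from /dev/null ends the session after the handshake.
audit_endpoint() {
    host=$1; port=${2:-443}; cafile=${3:-/etc/httpd/conf.d/ssl/cacert.pem}
    openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$cafile" \
        </dev/null 2>/dev/null | audit_tls_output
}

# Constructed s_client excerpts (not captured from a real host): one healthy session and one
# that failed verification and negotiated TLS 1.0 with RC4.
SAMPLE_GOOD='CONNECTED(00000003)
depth=1 C = CN, ST = Beijing, O = zhimajihua, CN = zhimajihua Lab CA
verify return:1
depth=0 C = CN, ST = Beijing, O = zhimajihua, CN = www.zhimajihua.cn
verify return:1
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---'
SAMPLE_WEAK='CONNECTED(00000003)
depth=0 C = CN, ST = Beijing, O = zhimajihua, CN = www.zhimajihua.cn
verify error:num=21:unable to verify the first certificate
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Verify return code: 21 (unable to verify the first certificate)
---'

# Offline demo; against the lab server use: audit_endpoint www.zhimajihua.cn 443 /path/to/cacert.pem
echo "== constructed good session =="
printf '%s\n' "$SAMPLE_GOOD" | audit_tls_output && echo "=> PASS"
echo "== constructed weak session =="
printf '%s\n' "$SAMPLE_WEAK" | audit_tls_output || echo "=> FAIL (as expected)"
```

On the CentOS 7 client, trusting the CA system-wide is `cp cacert.pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust extract`; after that `curl https://www.zhimajihua.cn/` works without `-k`, and `audit_endpoint` can be pointed at the system bundle instead of a separate cacert.pem. A "chain : FAIL" with return code 21 is exactly what an un-imported CA looks like from the client side.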

But to get the encrypted version the user still has to type the https:// prefix by hand, so we should redirect plain http requests to https automatically.

  • Redirect HTTP to HTTPS
[root@webHost conf.d]# vim zhimajihua.conf 
[root@webHost conf.d]# cat zhimajihua.conf 
NameVirtualHost *:80
<VirtualHost *:80>
    # "temp" sends a 302; once the HTTPS site is confirmed working, change it to "permanent" (301) so browsers cache the redirect
    Redirect temp / https://www.zhimajihua.cn/
    ServerName www.zhimajihua.cn
    DocumentRoot "/web"
    ErrorLog /var/log/httpd/error_log
    CustomLog /var/log/httpd/access_log common
</VirtualHost>
[root@webHost conf.d]# service httpd reload
Reloading httpd: 

Now even a client that connects to port 80 is sent to HTTPS with a 302, which gives users a safer browsing session. Note what the redirect does not do: the first request still travels in clear text, and an attacker on the path can answer it before the redirect does, so a site that leaves the lab should also send a Strict-Transport-Security (HSTS) header from the HTTPS virtual host, so that returning browsers go straight to https://.

