
Enabling HTTPS access with Httpd-2.2 (CentOS 6.9)

Author: 用户1456517
Published 2019-03-05 16:12:03
Column: 芝麻实验室

Environment:

  • DNS Server: 192.168.1.43 (CentOS 7)
  • CA Server: 192.168.1.44 (CentOS 6)
  • Web Server: 192.168.1.19 (CentOS 6)
  • Client Host: 192.168.1.20 (CentOS 7)

Install the web server (httpd)

  • Create an FQDN-based virtual host
[root@webHost ~]# yum -y install httpd
[root@webHost ~]# chkconfig httpd on  #start at boot ("chkconfig --add httpd" only registers the service, it does not switch it on)
[root@webHost ~]# service httpd start
[root@webHost ~]# cd /etc/httpd/conf.d/
[root@webHost conf.d]# vim ../conf/httpd.conf  #edit the main configuration file
    # When using virtual hosts it is better to disable the main host; commenting out this line, as here, turns the default host off
    #DocumentRoot "/var/www/html"
[root@webHost conf.d]# mkdir /web  #create the site document root
[root@webHost conf.d]# echo "Hi, xiaomu." >> /web/index.html  #create the index page
[root@webHost conf.d]# vim zhimajihua.conf  #configure the virtual host
    # httpd only accepts comments on their own line; a trailing "#..." after a directive is a syntax error, so the notes sit above the directives
    # On httpd-2.2 this directive is required for FQDN-based virtual hosts, otherwise httpd reports an error
    NameVirtualHost *:80
    <VirtualHost *:80>
        # host name
        ServerName www.zhimajihua.cn
        # document root
        DocumentRoot "/web"
        # error log
        ErrorLog /var/log/httpd/error_log
        # access log and its log format nickname; the "common" format is defined by LogFormat in httpd.conf
        CustomLog /var/log/httpd/access_log common
    </VirtualHost>
[root@webHost conf.d]# service httpd reload  #reload the configuration

Configure the DNS server

  • To reach the site by its FQDN we need a DNS server; its detailed configuration is covered in a separate post
[root@dnshost ~]# yum -y install bind
[root@dnshost ~]# systemctl enable named
[root@dnshost ~]# systemctl start named
[root@dnshost ~]# vim /etc/named.conf 
    options {
        //listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        //allow-query     { localhost; };
        }
[root@dnshost ~]# vim /etc/named.rfc1912.zones 
    zone "zhimajihua.cn" IN {
            type master;
            file "zhimajihua.cn.zone";
            allow-update { none;};
    };
[root@dnshost ~]# named-checkconf 
[root@dnshost ~]# cp -p /var/named/named.localhost /var/named/zhimajihua.cn.zone
[root@dnshost ~]# vim /var/named/zhimajihua.cn.zone 
    $TTL 1D
    @    IN SOA    dns admin.zhimajihua. (
                        0    ; serial
                        1D    ; refresh
                        1H    ; retry
                        1W    ; expire
                        3H )    ; minimum
    NS    dns
    dns   A     192.168.1.43
    www   A     192.168.1.19
[root@dnshost ~]# named-checkzone 'zhimajihua.cn' /var/named/zhimajihua.cn.zone 
zone zhimajihua.cn/IN: loaded serial 0
OK
[root@dnshost ~]# rndc reload
server reload successful

Configure the client

  • Point the client's DNS at our DNS server
[root@client ~]# vim /etc/resolv.conf 
[root@client ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
search zhimajihua.cn
nameserver 192.168.1.43

As the screenshot shows, the browser returns the site content correctly.

[screenshot: http]

Configure HTTPS

Enabling HTTPS access has two main steps: request and sign the SSL certificate -> configure SSL on the web server. Note: CA basics are covered in a separate post.

  • Build your own CA
[root@caHost ~]# (umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)  #CA private key, created with mode 0600
[root@caHost ~]# cd /etc/pki/CA/
[root@caHost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650  #self-signed CA certificate, valid for 10 years
[root@caHost CA]# touch index.txt  #certificate database required by openssl ca
[root@caHost CA]# echo "01" > serial  #serial number of the next certificate to be issued
  • Request a certificate from the web server
[root@webHost conf.d]# mkdir ssl
[root@webHost conf.d]# (umask 066;openssl genrsa -out ssl/httpd.key 4096)  #web server private key
[root@webHost conf.d]# openssl req -new -key ssl/httpd.key -out ssl/httpd.csr  #Common Name should be the site host name www.zhimajihua.cn; with the stock policy_match, Country/State/Organization must match the CA certificate
[root@webHost conf.d]# scp ssl/httpd.csr root@192.168.1.44:/etc/pki/CA
  • The CA issues the certificate
[root@caHost CA]# openssl ca -in httpd.csr -out httpd.crt -days 365  #uses /etc/pki/tls/openssl.cnf, whose dir is /etc/pki/CA
[root@caHost CA]# scp httpd.crt cacert.pem root@192.168.1.19:/etc/httpd/conf.d/ssl
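The CA, CSR and signing steps above, reproduced in a scratch directory as an added example (not code from the original post), followed by the checks worth running before the files are copied into conf.d/ssl. It goes one step beyond the post by adding a subjectAltName to the issued certificate, which browsers require; the stand-in openssl.cnf, the CA subject, the 2048-bit keys and the scratch directory are assumptions, while the host and file names are the page's.

```shell
# Added example: mini-CA flow in an assumed scratch directory; site/file names are the page's
set -e
CA_CN="Zhimajihua Test CA"   # constructed CA subject (assumption)
SITE_CN="www.zhimajihua.cn"  # must equal the vhost ServerName
make_ca_and_sign() {         # $1 = absolute scratch directory standing in for /etc/pki/CA
  cd "$1" && mkdir -p CA/private CA/newcerts && touch CA/index.txt && echo 01 > CA/serial
  # minimal stand-in for /etc/pki/tls/openssl.cnf; policy_anything avoids the stock
  # policy_match rule that C/ST/O in the CSR must match the CA certificate
  cat > ca.cnf <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $1/CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_anything
x509_extensions = server_ext
[ policy_anything ]
commonName = supplied
[ server_ext ]
subjectAltName = DNS:$SITE_CN
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  # CA host: private key (0600 via umask) and self-signed CA certificate
  (umask 066; openssl genrsa -out CA/private/cakey.pem 2048 2>/dev/null)
  openssl req -new -x509 -config ca.cnf -key CA/private/cakey.pem -out CA/cacert.pem -days 3650 -subj "/CN=$CA_CN"
  # web host: server key and CSR; the CN is the name browsers will check
  (umask 066; openssl genrsa -out httpd.key 2048 2>/dev/null)
  openssl req -new -config ca.cnf -key httpd.key -out httpd.csr -subj "/CN=$SITE_CN"
  # CA host: sign the CSR; -batch answers the y/n prompts, -notext keeps pure PEM
  openssl ca -batch -notext -config ca.cnf -in httpd.csr -out httpd.crt -days 365 2>/dev/null
  # checks before copying to conf.d/ssl: chains to the CA, names the site, matches the key
  openssl verify -CAfile CA/cacert.pem httpd.crt >/dev/null
  openssl x509 -noout -text -in httpd.crt | grep -q "DNS:$SITE_CN"
  [ "$(openssl rsa -noout -modulus -in httpd.key)" = "$(openssl x509 -noout -modulus -in httpd.crt)" ]
}
```

Run it as `make_ca_and_sign "$(mktemp -d)"`; a non-zero exit means one of the three checks failed.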
  • Configure SSL access on the web server
[root@webHost conf.d]# tree ssl/  #if the steps above went well, the web server now holds these 4 files
ssl/
├── cacert.pem  #the CA's certificate
├── httpd.crt   #the web site's certificate
├── httpd.csr   #the web server's certificate signing request
└── httpd.key   #the web server's private key

0 directories, 4 files
[root@webHost conf.d]# yum -y install mod_ssl #install httpd's ssl module
[root@webHost conf.d]# ll
total 28
-rw-r--r-- 1 root root  392 Mar 22  2017 README
drwxr-xr-x 2 root root 4096 Sep 29 14:38 ssl
-rw-r--r-- 1 root root 9465 Dec  9  2016 ssl.conf
-rw-r--r-- 1 root root  299 Dec  9  2016 welcome.conf
-rw-r--r-- 1 root root  199 Sep 29 14:07 zhimajihua.conf
[root@webHost conf.d]# vim ssl.conf  #configure SSL; only the lines changed in the stock ssl.conf are shown, the rest of the file stays as installed
<VirtualHost *:443>

# General setup for the virtual host, inherited from global configuration
# document root (httpd only accepts comments on their own line, so the notes sit above the directives)
DocumentRoot "/web"
# host name
ServerName www.zhimajihua.cn:443
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES

# SSLEngine on is already present in the stock ssl.conf and must stay enabled
SSLEngine on

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
# path to the server certificate
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
# path to the private key file
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
# path to the CA certificate file
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem

</VirtualHost>

[root@webHost conf.d]# httpd -t  #syntax check of the httpd configuration
Syntax OK
[root@webHost conf.d]# service httpd reload  #reload the configuration
Reloading httpd: 
[root@webHost conf.d]# ss -ntl  #check that port 443 is now listening
State       Recv-Q Send-Q              Local Address:Port                Peer Address:Port 
LISTEN      0      128                            :::80                            :::*     
LISTEN      0      128                            :::22                            :::*     
LISTEN      0      128                             *:22                             *:*     
LISTEN      0      100                           ::1:25                            :::*     
LISTEN      0      100                     127.0.0.1:25                             *:*     
LISTEN      0      128                            :::443                           :::*   
  • Client test (the CA certificate must be imported into the client beforehand)

[screenshot: https]

However, to get an encrypted connection the user still has to type the https prefix by hand, so we should set up a redirect that automatically sends the client's http request to https.

  • Configure the automatic redirect to https
[root@webHost conf.d]# vim zhimajihua.conf 
[root@webHost conf.d]# cat zhimajihua.conf 
NameVirtualHost *:80
<VirtualHost *:80>
    Redirect temp / https://www.zhimajihua.cn/    
    ServerName www.zhimajihua.cn
    DocumentRoot "/web"
    Errorlog /var/log/httpd/error_log  
    CustomLog /var/log/httpd/access_log common
</VirtualHost>
[root@webHost conf.d]# service httpd reload
Reloading httpd: 

Now, even when the client connects to port 80, the 302 redirect takes it to https automatically, giving users a more secure browsing experience.


Originally published 2017/09/29 on the author's personal site/blog and shared through the Tencent Cloud self-media sharing program.
