环境说明:
安装web服务器-httpd
[root@webHost ~]# yum -y install httpd
[root@webHost ~]# chkconfig --add httpd #设置开机自启
[root@webHost ~]# service httpd start
[root@webHost ~]# cd /etc/httpd/conf.d/
[root@webHost conf.d]# vim ../conf/httpd.conf #编辑主配置文件
#DocumentRoot "/var/www/html" #使用虚拟主机时,建议关闭Main Host配置。如实例,注释该行即可关闭默认主机配置
[root@webHost conf.d]# mkdir /web #创建站点根目录
[root@webHost conf.d]# echo "Hi, xiaomu." >> /web/index.html #创建首页文件
[root@webHost conf.d]# vim zhimajihua.conf #配置虚拟主机
# httpd does not accept a comment on the same line as a directive (the extra
# tokens become arguments and fail syntax checking), so every annotation in
# this file sits on its own line above the directive it describes.
#
# Name-based virtual hosting on httpd 2.2: the Host header is matched against
# each <VirtualHost>'s ServerName. Required on 2.2; deprecated (a no-op) on 2.4.
NameVirtualHost *:80
<VirtualHost *:80>
# Host name this virtual host answers for (must match the DNS record for www).
ServerName www.zhimajihua.cn
# Site document root: the /web directory created earlier.
DocumentRoot "/web"
# Error log for this host.
Errorlog /var/log/httpd/error_log
# Access log. "common" is a LogFormat nickname defined in httpd.conf,
# not a log level; the format itself is configured there.
CustomLog /var/log/httpd/access_log common
</VirtualHost>
[root@webHost conf.d]# service httpd reload #重载配置
配置DNS解析服务器
[root@dnshost ~]# yum -y install bind
[root@dnshost ~]# systemctl enable named
[root@dnshost ~]# systemctl start named
[root@dnshost ~]# vim /etc/named.conf
options {
// listen-on is commented out, so named binds port 53 on every IPv4 address of
// the host (needed so 192.168.1.43 answers the client's resolver). If the host
// has other interfaces, prefer listing only the LAN-facing address here.
//listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query is commented out, so queries are accepted from any source.
// The stock named.conf also leaves recursion enabled (not shown in this
// excerpt); together that makes this an open resolver reachable by anyone who
// can route to port 53. Prefer restricting allow-query to the local subnet
// (example: { 192.168.1.0/24; }) and/or "recursion no;" since this server is
// only authoritative for zhimajihua.cn.
//allow-query { localhost; };
// NOTE(review): the block must end with "};" -- the ";" seems to have been
// lost in this listing (named-checkconf below passes, so the real file has it).
}
[root@dnshost ~]# vim /etc/named.rfc1912.zones
zone "zhimajihua.cn" IN {
type master;
file "zhimajihua.cn.zone";
allow-update { none;};
};
[root@dnshost ~]# named-checkconf
[root@dnshost ~]# cp -p /var/named/named.localhost /var/named/zhimajihua.cn.zone
[root@dnshost ~]# vim /var/named/zhimajihua.cn.zone
; Zone data for zhimajihua.cn (copied from named.localhost and edited).
; Default TTL for records that do not carry their own.
$TTL 1D
; SOA: mname "dns" is relative to the origin, i.e. dns.zhimajihua.cn.
; NOTE(review): rname "admin.zhimajihua." ends with a dot, so it is absolute
; and denotes admin@zhimajihua (no .cn); "admin.zhimajihua.cn." was probably
; intended -- verify before relying on the contact address.
@ IN SOA dns admin.zhimajihua. (
0 ; serial -- increment on every edit or secondaries will not pick up changes
1D ; refresh -- how often secondaries check the serial
1H ; retry -- retry interval after a failed refresh
1W ; expire -- secondaries stop answering after this long without contact
3H ) ; minimum -- negative-caching TTL (RFC 2308)
; The NS record below has no owner name of its own, so it must begin with
; whitespace to inherit the owner "@"; leading whitespace appears to have been
; stripped in this listing (named-checkzone below reports OK on the real file).
NS dns
; Address of this name server host.
dns A 192.168.1.43
; Address of the web server (webHost) that the vhost configuration serves.
www A 192.168.1.19
[root@dnshost ~]# named-checkzone 'zhimajihua.cn' /var/named/zhimajihua.cn.zone
zone zhimajihua.cn/IN: loaded serial 0
OK
[root@dnshost ~]# rndc reload
server reload successful
配置客户端
[root@client ~]# vim /etc/resolv.conf
[root@client ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search zhimajihua.cn
nameserver 192.168.1.43
如下图所示,浏览器正确返回站点信息。
配置https
实现https的访问主要分为2步:SSL证书的申请及签署 -> web服务器端SSL的相关配置。
注:CA相关请参考这篇文章。
[root@caHost ~]# (umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
[root@caHost ~]# cd /etc/pki/CA/
[root@caHost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
[root@caHost CA]# touch index.txt
[root@caHost CA]# echo "01" > serial
[root@webHost conf.d]# mkdir ssl
[root@webHost conf.d]# (umask 066;openssl genrsa -out ssl/httpd.key 4096)
[root@webHost conf.d]# openssl req -new -key ssl/httpd.key -out ssl/httpd.csr
[root@webHost conf.d]# scp ssl/httpd.csr root@192.168.1.44:/etc/pki/CA
[root@caHost CA]# openssl ca -in httpd.csr -out httpd.crt -days 365
[root@caHost CA]# scp httpd.crt cacert.pem root@192.168.1.19:/etc/httpd/conf.d/ssl
[root@webHost conf.d]# tree ssl/ #如果上面操作无误,Web服务器端应有下面的4个文件
ssl/
├── cacert.pem #CA机构的证书
├── httpd.crt #Web站点的证书
├── httpd.csr #Web服务器端的证书请求文件
└── httpd.key #Web服务器的私钥文件
0 directories, 4 files
[root@webHost conf.d]# yum -y install mod_ssl #安装httpd的ssl模块
[root@webHost conf.d]# ll
total 28
-rw-r--r-- 1 root root 392 Mar 22 2017 README
drwxr-xr-x 2 root root 4096 Sep 29 14:38 ssl
-rw-r--r-- 1 root root 9465 Dec 9 2016 ssl.conf
-rw-r--r-- 1 root root 299 Dec 9 2016 welcome.conf
-rw-r--r-- 1 root root 199 Sep 29 14:07 zhimajihua.conf
[root@webHost conf.d]# vim ssl.conf #配置SSL
# Excerpt of /etc/httpd/conf.d/ssl.conf showing only the directives that were
# changed. The rest of the stock file (SSLEngine on, SSLProtocol, the closing
# </VirtualHost>, ...) is omitted here; httpd rejects comments that share a
# line with a directive, so the annotations are kept on their own lines.
<VirtualHost *:443>
# General setup for the virtual host, inherited from global configuration
# Site document root, same as the plain-HTTP vhost.
DocumentRoot "/web"
# Host name this TLS vhost answers for; must match the CN/SAN in httpd.crt.
ServerName www.zhimajihua.cn:443
# NOTE(review): "+3DES" only moves the 3DES suites to the end of the list, it
# does not remove them; 3DES (64-bit block) is considered weak. Prefer a
# modern list that excludes it (!3DES) and enable SSLHonorCipherOrder so the
# server, not the client, picks the suite. Also confirm that SSLProtocol (not
# shown in this excerpt) disables SSLv3 and early TLS versions.
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
# Web site certificate signed by the private CA (httpd.crt copied from caHost).
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# Private key generated under umask 066 on this host; it never left webHost.
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# NOTE(review): SSLCACertificateFile is used to verify *client* certificates
# (only relevant if SSLVerifyClient is enabled, which this excerpt does not
# show). It does not make browsers trust the site; clients still need
# cacert.pem imported as a trusted root, and any intermediate CA would go in
# SSLCertificateChainFile above.
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
[root@webHost conf.d]# httpd -t #httpd配置文件的语法检查
Syntax OK
[root@webHost conf.d]# service httpd reload #重载配置
Reloading httpd:
[root@webHost conf.d]# ss -ntl #查看443端口是否打开
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::443 :::*
但是,如果我们想要加密访问,需要手动输入https前缀,因此,我们应该让其重定向,实现客户端的http访问自动跳转到https。
[root@webHost conf.d]# vim zhimajihua.conf
[root@webHost conf.d]# cat zhimajihua.conf
# Plain-HTTP vhost rewritten so every request on port 80 is sent to HTTPS.
NameVirtualHost *:80
<VirtualHost *:80>
# "temp" answers with 302 for every path under /. Once HTTPS is known-good,
# "permanent" (301) lets clients cache the redirect. NOTE(review): the very
# first http:// request is still sent in clear text before the redirect; an
# HSTS header on the HTTPS vhost (mod_headers, Strict-Transport-Security)
# stops browsers from repeating that after the first visit.
Redirect temp / https://www.zhimajihua.cn/
ServerName www.zhimajihua.cn
# DocumentRoot is never served from this vhost any more (everything is
# redirected) but the directive is still required by httpd.
DocumentRoot "/web"
Errorlog /var/log/httpd/error_log
# Access log with the "common" LogFormat from httpd.conf; useful to see who
# still arrives over plain HTTP.
CustomLog /var/log/httpd/access_log common
</VirtualHost>
[root@webHost conf.d]# service httpd reload
Reloading httpd:
现在,即使客户端访问的是80端口,我们也可以通过302自动跳转,为用户提供更加安全的浏览。