httpd exercise
Published: 2019-06-09


Requirements

Implement the following with httpd-2.2 and again with httpd-2.4:

  • Two virtual hosts, named www.a.com and www.b.org.

  • www.a.com: page files under /opt/a.com/htdocs, access log at /var/log/httpd/a.com/access.log, error log at /var/log/httpd/a.com/error.log. Both logs must be rotated daily.

  • www.b.org: page files under /opt/b.org/htdocs, access log at /var/log/httpd/b.org/access.log, error log at /var/log/httpd/b.org/error.log. Both logs must be rotated daily.

  • Expose the server's status information at www.a.com/server-status, and allow access only to users who authenticate with an account.

  • www.a.com/server-status may only be accessed from hosts in the 192.168.5.0/24 network.

  • Serve both virtual hosts over HTTPS as well.

Note: every httpd instance in these tests was installed with yum. httpd-2.2 is demonstrated on CentOS 6 and httpd-2.4 on CentOS 7.

httpd-2.2 configuration

Installation

httpd can be installed with yum or compiled from source; note that the default yum repository on CentOS 6 ships httpd-2.2.

# yum install -y httpd httpd-devel mod_ssl

Signing the SSL certificates

The following steps are performed on the CA machine.

Generate the CA certificate

# yum install -y openssl openssl-devel
# cd /etc/pki/CA/
# (umask 077; openssl genrsa 2048 > private/cakey.pem)
# openssl req -new -x509 -key private/cakey.pem -days 3655 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:admin@example.com
# touch index.txt serial
# echo 01 > serial

Signing the a.com certificate

Change into /opt/ssl/a.com first so that a.key and a.crt are created there, where the later scp of /opt/ssl/* expects them:

# mkdir /opt/ssl/a.com -p
# cd /opt/ssl/a.com/
# (umask 077; openssl genrsa 2048 > a.key)
# openssl req -new -key a.key -out a.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:admin@a.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in a.csr -out a.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 28 08:05:37 2016 GMT
            Not After : Nov 28 08:05:37 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShangHai
            organizationName          = example
            organizationalUnitName    = ops
            commonName                = www.a.com
            emailAddress              = admin@a.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AD:30:DE:CC:1A:BC:2B:91:B0:B0:25:E0:48:92:1A:1B:45:38:5D:90
            X509v3 Authority Key Identifier:
                keyid:63:44:A4:35:9B:BA:F3:D1:85:99:60:6B:56:84:5B:E4:F5:83:25:06
Certificate is to be certified until Nov 28 08:05:37 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Signing the b.org certificate

# mkdir /opt/ssl/b.org/
# cd /opt/ssl/b.org/
# (umask 077; openssl genrsa 2048 > b.key)
# openssl req -new -key b.key -out b.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.b.org
Email Address []:admin@b.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in b.csr -out b.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Nov 28 08:12:01 2016 GMT
            Not After : Nov 28 08:12:01 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShangHai
            organizationName          = example
            organizationalUnitName    = ops
            commonName                = www.b.org
            emailAddress              = admin@b.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                93:8A:3D:19:32:67:D3:3A:3D:1B:FE:15:04:C2:A0:42:FC:13:3A:7E
            X509v3 Authority Key Identifier:
                keyid:63:44:A4:35:9B:BA:F3:D1:85:99:60:6B:56:84:5B:E4:F5:83:25:06
Certificate is to be certified until Nov 28 08:12:01 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Copy the certificates to the httpd host

# scp -r  /opt/ssl/* root@192.168.5.194:/etc/httpd/ssl/

Make sure the ssl directory has been created on the httpd server first.

Checking the signing records

# cat serial
03
# cat index.txt
V	171128080537Z		01	unknown	/C=CN/ST=ShangHai/O=example/OU=ops/CN=www.a.com/emailAddress=admin@a.com
V	171128081201Z		02	unknown	/C=CN/ST=ShangHai/O=example/OU=ops/CN=www.b.org/emailAddress=admin@b.org

httpd configuration

The following steps are performed on the httpd server.

# vim /etc/httpd/conf.d/www.conf

# The enclosing <VirtualHost> / <Location> container tags were lost when the
# post was extracted; they are reconstructed here from the directives inside.
<VirtualHost *:80>
    ServerName www.a.com
    DocumentRoot "/opt/a.com/htdocs"
    DirectoryIndex index.html index.htm
    #CustomLog logs/a.com/access_log combined
    # Piped to rotatelogs: a new file every 86400 s, with the day boundary
    # shifted by 480 minutes (UTC+8) so files roll at local midnight.
    CustomLog "|rotatelogs /var/log/httpd/a.com/access_%Y%m%d.log 86400 480" combined
    ErrorLog "|rotatelogs /var/log/httpd/a.com/error_%Y%m%d.log 86400 480"

    <Location /server-status>
        SetHandler server-status
        # httpd-2.2: the network restriction and basic auth both apply,
        # because Satisfy defaults to All.
        Order allow,deny
        Allow from 192.168.5
        AuthType Basic
        AuthName "a.com basic"
        AuthUserFile "/etc/httpd/conf/.htpasswd"
        Require user bols
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.b.org
    DocumentRoot "/opt/b.org/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog "|rotatelogs /var/log/httpd/b.org/access_%Y%m%d.log 86400 480" combined
    ErrorLog "|rotatelogs /var/log/httpd/b.org/error_%Y%m%d.log 86400 480"
    #CustomLog logs/b.org/access_log combined
    #ErrorLog logs/b.org/error_log
</VirtualHost>

<VirtualHost *:443>
    ServerName www.b.org:443
    DocumentRoot "/opt/b.org/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/b.org/access_ssl.log combined
    ErrorLog /var/log/httpd/b.org/error_ssl.log
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/b.org/b.crt
    SSLCertificateKeyFile /etc/httpd/ssl/b.org/b.key
</VirtualHost>

<VirtualHost *:443>
    ServerName www.a.com:443
    DocumentRoot "/opt/a.com/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/a.com/access_ssl.log combined
    ErrorLog /var/log/httpd/a.com/error_ssl.log
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/a.com/a.crt
    SSLCertificateKeyFile /etc/httpd/ssl/a.com/a.key
</VirtualHost>

Testing

  • Create the site test files

[root@db-02 ~]# cat /opt/a.com/htdocs/index.html 

www.a.com

[root@db-02 ~]# cat /opt/b.org/htdocs/index.html

www.b.org

  • Import the root certificate

Import the CA's cacert.pem into the browser's trusted root certificate store.

  • Create the other required files

# mkdir /var/log/httpd/a.com/
# mkdir /var/log/httpd/b.org/
# /etc/init.d/httpd start
# htpasswd -cm /etc/httpd/conf/.htpasswd bols

  • Test

Before testing, add the domain names and the IP address they should resolve to in the hosts file:

# curl  http://www.a.com/index.html

www.a.com

# curl http://www.b.org/index.html

www.b.org

# openssl s_client -connect www.b.org:443 -CAfile /etc/pki/CA/cacert.pem
......
GET /index.html HTTP/1.1
Host:www.b.org

HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 09:58:20 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 23 Nov 2016 09:17:33 GMT
ETag: "2405e-13-541f45be79532"
Accept-Ranges: bytes
Content-Length: 19
Connection: close
Content-Type: text/html; charset=UTF-8

www.b.org

closed
# openssl s_client -connect www.a.com:443 -CAfile /etc/pki/CA/cacert.pem
......
GET /index.html HTTP/1.1
Host:www.a.com

HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 09:57:39 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 23 Nov 2016 09:17:04 GMT
ETag: "2405f-13-541f45a2f779e"
Accept-Ranges: bytes
Content-Length: 19
Connection: close
Content-Type: text/html; charset=UTF-8

www.a.com

closed
[root@bid-02 ~]# curl -I --user bols:bols http://www.a.com/server-status
HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 11:05:37 GMT
Server: Apache/2.2.15 (CentOS)
Content-Length: 2536
Connection: close
Content-Type: text/html; charset=ISO-8859-1

Problems encountered during installation and configuration:

  • Warnings during the syntax check

# httpd -t
httpd: apr_sockaddr_info_get() failed for db-02
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
Syntax OK

The first message is because ServerName is not set in the main httpd configuration file:

# vim /etc/httpd/conf/httpd.conf +276
ServerName *:80

After that, the check still reports warnings:

# httpd -t
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
Syntax OK

These are because NameVirtualHost is not set:

# vim /etc/httpd/conf/httpd.conf +991
NameVirtualHost *:80
NameVirtualHost *:443

  • Log rotation failed after configuring rotated logs

Cause: the exact cause is unclear, but the fix is to give the log files absolute paths rather than relative ones.

httpd-2.4 configuration

Installation

# yum install -y httpd httpd-devel mod_ssl

CA certificate setup

The SSL certificates are the ones created on the CentOS 6 system; copy the files into /etc/httpd/ssl. Note that this directory has to be created by hand.

Create the site test files

# cat /opt/a.com/htdocs/index.html 

www.a.com

# cat /opt/b.org/htdocs/index.html

www.b.org

Create the authentication file

Please look up the usage of the htpasswd command yourself.

# htpasswd -cm /etc/httpd/conf/htpasswd bols

Configuration

# The enclosing <VirtualHost> / <Directory> / <Location> container tags were
# lost when the post was extracted; they are reconstructed here from the
# directives inside.
<VirtualHost *:80>
    ServerName www.a.com
    DocumentRoot "/opt/a.com/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/a.com/access.log combined
    ErrorLog /var/log/httpd/a.com/error.log

    # httpd-2.4 denies everything by default; the document root must be
    # explicitly granted.
    <Directory "/opt/a.com/htdocs">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    <Location /server-status>
        SetHandler server-status
        Options None
        AuthType Basic
        AuthName "a.com basic"
        AuthUserFile "/etc/httpd/conf/htpasswd"
        # Both conditions from the requirements must hold: the client must
        # come from 192.168.5.0/24 AND authenticate as bols. The original
        # configuration listed only "Require user bols"; the ip rule is added
        # here to meet the stated requirement.
        <RequireAll>
            Require ip 192.168.5.0/24
            Require user bols
        </RequireAll>
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.b.org
    DocumentRoot "/opt/b.org/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/b.org/access.log combined
    ErrorLog /var/log/httpd/b.org/error.log

    <Directory "/opt/b.org/htdocs">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName www.b.org:443
    DocumentRoot "/opt/b.org/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/b.org/access_ssl.log combined
    ErrorLog /var/log/httpd/b.org/error_ssl.log

    <Directory "/opt/b.org/htdocs">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/b.org/b.crt
    SSLCertificateKeyFile /etc/httpd/ssl/b.org/b.key
</VirtualHost>

<VirtualHost *:443>
    ServerName www.a.com:443
    DocumentRoot "/opt/a.com/htdocs"
    DirectoryIndex index.html index.htm
    CustomLog /var/log/httpd/a.com/access_ssl.log combined
    ErrorLog /var/log/httpd/a.com/error_ssl.log

    <Directory "/opt/a.com/htdocs">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/a.com/a.crt
    SSLCertificateKeyFile /etc/httpd/ssl/a.com/a.key
</VirtualHost>

Testing

Testing is the same as on CentOS 6, so the results are not reproduced here.

Notes

Configuration and usage on CentOS 7 differ from CentOS 6 in the following ways (my own summary):

  • httpd is no longer started with the service command but with systemctl.

  • Pages under any directory can only be accessed once that directory has been explicitly authorized.

  • Access control is configured as follows:

    • Allow all hosts: Require all granted

    • Deny all hosts: Require all denied

    • Allow a given source IP or network: Require ip IPADDR

    • Deny a given source IP or network: Require not ip IPADDR

    • Allow a given source host: Require host HOSTNAME

    • Deny a given source host: Require not host HOSTNAME

Notes on log rotation:

  • httpd logs can be rotated with rotatelogs, with cronolog, or with a script.

  • rotatelogs is the rotation tool bundled with httpd; my own attempt to use it on httpd-2.4 did not succeed.

  • cronolog is a rotation tool from the EPEL repository and has to be installed separately.

  • Script-driven rotation is written to suit your own business needs.
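To make the two rotation styles on this page concrete, here is an added example that is not part of the original post. period_name reproduces the file name rotatelogs opens for a request arriving at a given time under the httpd-2.2 CustomLog line above ("rotatelogs FORMAT 86400 480": rotatelogs adds the minute offset to the clock, aligns the period start down to a multiple of the interval, and formats that start time in UTC), and rotate_plain_log is the minimal script alternative for the fixed-path logs of the httpd-2.4 configuration. The timestamps and paths are constructed for illustration; reloading httpd after the rename is left to the caller.

```shell
# Added example, not from the original post: rotatelogs-style naming and a
# script-driven alternative for httpd logs. Requires GNU date (-d "@epoch").

# period_name FORMAT EPOCH INTERVAL OFFSET_MIN
# File name rotatelogs would open at EPOCH (seconds, UTC) when started as
# "rotatelogs FORMAT INTERVAL OFFSET_MIN". The offset is what makes a file
# roll at local midnight instead of UTC midnight.
period_name() {
    local fmt=$1 epoch=$2 interval=$3 offset_min=$4
    local shifted start
    shifted=$(( epoch + offset_min * 60 ))        # clock as rotatelogs sees it
    start=$(( shifted - shifted % interval ))     # start of the current period
    date -u -d "@${start}" "+${fmt}"              # strftime of the period start
}

# rotate_plain_log LOGFILE EPOCH OFFSET_MIN
# Script rotation for a log written to a fixed path such as
# /var/log/httpd/a.com/access.log: rename it with the local date and print the
# new name. httpd keeps writing to the renamed inode until it is told to
# reopen its logs (apachectl graceful / systemctl reload httpd), so the
# caller must follow the rename with a reload, e.g. from a daily cron job.
rotate_plain_log() {
    local logfile=$1 epoch=$2 offset_min=$3
    local stamp target
    stamp=$(date -u -d "@$(( epoch + offset_min * 60 ))" +%Y%m%d)
    target="${logfile%.log}_${stamp}.log"
    mv -- "$logfile" "$target"
    printf '%s\n' "$target"
}

# Constructed timestamps: 1480320000 is 2016-11-28 08:00 UTC and 1480366800 is
# 2016-11-28 21:00 UTC, which is already 2016-11-29 05:00 in UTC+8.
#   period_name /var/log/httpd/a.com/access_%Y%m%d.log 1480366800 86400 480
#   -> /var/log/httpd/a.com/access_20161129.log
#   period_name /var/log/httpd/a.com/access_%Y%m%d.log 1480366800 86400 0
#   -> /var/log/httpd/a.com/access_20161128.log
```

The second pair of calls shows the failure mode the 480-minute argument exists for: without the offset, a server in UTC+8 would start a new file at 08:00 local time and split each local day across two files.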

Reposted from: https://www.cnblogs.com/cuchadanfan/p/6114877.html
