Linux: Setting Up the Apache (httpd) Service


1. What is httpd?

httpd is the main program of the Apache Hypertext Transfer Protocol server. It runs as a standalone daemon and manages the child processes and threads that handle requests.
The two commonly used versions of httpd are httpd-2.2 and httpd-2.4:

  • The CentOS 6 series ships httpd-2.2 as its default httpd rpm package
  • The CentOS 7 series ships httpd-2.4 as its default httpd rpm package
2. Features of the httpd service

  Name              Feature
  Highly modular    core + modules: a core plus modules, so you add a module for whatever function you need
  DSO               Dynamic Shared Object, modules as dynamically loaded shared libraries
  MPM               Multi-Processing Modules

3. httpd working models


  • prefork: a two-level process model. The parent process manages the child processes, and each child process serves one request.

      # Working model
      One main process:
          spawns child processes and reaps them when they exit
          creates the listening socket, accepts requests, and dispatches each one to a child process
      n child processes:
          each child process handles one request
      # Note:
      A few idle child processes are spawned in advance, ready to serve user requests; their number will not exceed 1024

  • worker: a three-level process model. The parent process manages the child processes, the child processes serve user requests through threads, and each thread handles one user request.

      # Working model
      One main process:
          spawns child processes, creates the listening socket, accepts requests, and dispatches each one to a child process
      Several child processes:
          each child process spawns several threads
      Each thread:
          serves one user request

  • event: a two-level model. The parent process manages the child processes, and each child process serves n requests directly through an event-driven mechanism.

      # Working model:
      One main process:
          spawns child processes, creates the listening socket, accepts requests, and dispatches each one to a child process
      Child processes:
          serve many requests directly through the event-driven mechanism
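As an added example that is not part of the original post: on CentOS-family systems the model is chosen by leaving exactly one LoadModule line uncommented in a file under /etc/httpd/conf.modules.d/ (00-mpm.conf is assumed here); this shell function reads such a file and reports which MPM is active, and fails when none or more than one is enabled, which is the state httpd refuses to start in.

```shell
#!/bin/sh
# Constructed stand-in for /etc/httpd/conf.modules.d/00-mpm.conf (not copied from the page):
# prefork is enabled, worker and event are commented out.
MPM_CONF='# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
#LoadModule mpm_event_module modules/mod_mpm_event.so'

# The same file with a second MPM mistakenly uncommented (constructed).
MPM_CONF_BROKEN='LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule mpm_event_module modules/mod_mpm_event.so'

# active_mpm: config text on stdin -> prints the enabled MPM name(s), one per line.
# Exit status is 0 only when exactly one MPM is loaded. A commented line starts with
# "#LoadModule", so the plain $1 == "LoadModule" test skips it.
active_mpm() {
    awk '$1 == "LoadModule" && $2 ~ /^mpm_[a-z]+_module$/ {
             name = $2; sub(/^mpm_/, "", name); sub(/_module$/, "", name)
             print name; n++
         }
         END { exit ((n == 1) ? 0 : 1) }'
}

# Usage on the two samples: the first reports "prefork", the second lists both and fails.
printf '%s\n' "$MPM_CONF" | active_mpm
printf '%s\n' "$MPM_CONF_BROKEN" | active_mpm || echo "more than one MPM enabled"
```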
4. httpd configuration files

  File/directory                         Function
  /var/log/httpd/access_log              access log
  /var/log/httpd/error_log               error log
  /var/www/html/                         site document root
  /usr/lib64/httpd/modules/              module file path
  /etc/httpd/conf/httpd.conf             main configuration file
  /etc/httpd/conf.modules.d/*.conf       module configuration files
  /etc/httpd/conf.d/*.conf               auxiliary configuration files

5. Tools shipped with httpd

  Tool          Function
  htpasswd      generates the account/password entries used when basic authentication is backed by a file
  apachectl     httpd's own service control script; supports start, stop and restart
  apxs          provided by the httpd-devel package; tool for extending httpd with third-party modules
  rotatelogs    log rotation tool
  suexec        tool that temporarily switches to a specified user when accessing resources that have special permission configuration
  ab            apache benchmark, httpd's load-testing tool

6. Common httpd configuration

6.1 Installing the httpd service
    [root@localhost ~]# dnf install -y httpd                        // install httpd with dnf
    [root@localhost ~]# systemctl status httpd                      // the service is not started by default
    ● httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor pres>
       Active: inactive (dead)
         Docs: man:httpd.service(8)
    [root@localhost ~]# systemctl stop firewalld                    // stop the firewall before starting the service
    [root@localhost ~]# systemctl start httpd                       // start the httpd service
    [root@localhost ~]# systemctl status httpd                      // check whether the service started
    ● httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor pres>
       Active: active (running) since Thu 2022-07-21 21:16:35 CST; 14s ago
         Docs: man:httpd.service(8)
     Main PID: 15207 (httpd)
       Status: "Running, listening on: port 80"
        Tasks: 213 (limit: 11202)
       Memory: 24.8M
       CGroup: /system.slice/httpd.service
               ├─15207 /usr/sbin/httpd -DFOREGROUND
               ├─15208 /usr/sbin/httpd -DFOREGROUND
               ├─15209 /usr/sbin/httpd -DFOREGROUND
               ├─15210 /usr/sbin/httpd -DFOREGROUND
               └─15211 /usr/sbin/httpd -DFOREGROUND
Open the httpd test page by entering the server's IP address in a browser.

6.2 Access control rules

  Rule                          Function
  Require all granted           allow all hosts
  Require all denied            deny all hosts
  Require ip IPADDR             allow hosts from the given source address
  Require not ip IPADDR         deny hosts from the given source address
  Require host HOSTNAME         allow hosts with the given source hostname
  Require not host HOSTNAME     deny hosts with the given source hostname

  Forms of IPADDR                                   Forms of HOSTNAME
  IP: 192.168.1.1                                   FQDN: the full name of a specific host
  Network/mask: 192.168.1.0/255.255.255.0           DOMAIN: all hosts in the given domain
  Network/Length: 192.168.1.0/24
  Net: 192.168

Note: in httpd-2.4, once Require directives are used in the configuration file the default is to deny all hosts, so access must be granted explicitly after installation.
Configuration example: allow every host except IP 192.168.111.1
    [root@localhost ~]# vim /etc/httpd/conf/httpd.conf
    ......
    #
        # Controls who can get stuff from this server.
        #
        Require all granted
    </Directory>
    <Directory "/var/www/html/Tanke">
        <RequireAll>
            Require not ip 192.168.111.1
            Require all granted
        </RequireAll>
    </Directory>
    #
    # DirectoryIndex: sets the file that Apache will serve if a directory
    # is requested.
    #
    ......
    [root@localhost ~]# httpd -t
    AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
    Syntax OK
    [root@localhost ~]# vim /etc/httpd/conf/httpd.conf                 // remove the # in front of #ServerName www.example.com:80
    #
    # ServerName gives the name and port that the server uses to identify itself.
    # This can often be determined automatically, but we recommend you specify
    # it explicitly to prevent problems during startup.
    #
    # If your host doesn't have a registered DNS name, enter its IP address here.
    #
    ServerName www.example.com:80
    [root@localhost ~]# httpd -t
    Syntax OK
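As an added example (not from the original post), the following shell functions check in the access log whether the rule above took effect: a request from the excluded address to /Tanke/ must be logged with status 403, while its requests elsewhere and other clients' requests stay 200. The log lines are constructed samples in httpd's "common" format.

```shell
#!/bin/sh
# Constructed sample lines in httpd "common" log format (client ident user [time] "request" status bytes).
# They are not taken from the page; 192.168.111.1 is the address excluded by the RequireAll block.
SAMPLE_LOG='192.168.111.1 - - [21/Jul/2022:21:20:01 +0800] "GET /Tanke/ HTTP/1.1" 403 199
192.168.111.20 - - [21/Jul/2022:21:20:02 +0800] "GET /Tanke/ HTTP/1.1" 200 512
192.168.111.1 - - [21/Jul/2022:21:20:03 +0800] "GET /Tanke/index.html HTTP/1.1" 403 199
192.168.111.20 - - [21/Jul/2022:21:20:04 +0800] "GET / HTTP/1.1" 200 4057
192.168.111.1 - - [21/Jul/2022:21:20:05 +0800] "GET / HTTP/1.1" 200 4057'

# In the common format the request line is quoted as three tokens, so with default awk
# field splitting the client is $1, the request path is $7 and the status code is $9.

# forbidden_by_client: log lines on stdin -> "count client" for every client that received a 403,
# most frequent first. A client listed here that is not on the deny list means the rule is
# broader than intended (or the protected path is being probed).
forbidden_by_client() {
    LC_ALL=C awk '$9 == 403 { n[$1]++ } END { for (c in n) printf "%d %s\n", n[c], c }' | sort -rn
}

# status_for_path PREFIX: log lines on stdin -> unique "client status" pairs for requests whose
# path starts with PREFIX, showing who is allowed and who is denied under that directory.
status_for_path() {
    LC_ALL=C awk -v p="$1" 'index($7, p) == 1 { print $1, $9 }' | LC_ALL=C sort -u
}

# Usage on the sample: only the excluded address is denied, and only under /Tanke/.
printf '%s\n' "$SAMPLE_LOG" | forbidden_by_client
printf '%s\n' "$SAMPLE_LOG" | status_for_path /Tanke/
```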
6.3 Virtual hosts

There are three kinds of virtual host:

  • same IP, different ports
  • different IPs, same port
  • same IP, same port, different domain names

How is this configured in httpd?

  • First search the whole system for the sample *vhosts.conf file
  • Copy the *vhosts.conf file into the current directory (the steps below edit /etc/httpd/conf.d/httpd-vhosts.conf)
Same IP, different ports
    [root@localhost ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
    ......
    <VirtualHost *:80>
        DocumentRoot "/var/www/html/Tanke"
        ServerName www.Tanke.com
        ErrorLog "/var/log/httpd/www.Tanke1.com-error_log"
        CustomLog "/var/log/httpd/www.Tanke1.com-access_log" common
    </VirtualHost>
    Listen 81
    <VirtualHost *:81>
        DocumentRoot "/var/www/html/Feiji"
        ServerName www.Feiji.com
        ErrorLog "/var/log/httpd/www.Feiji1.com-error_log"
        CustomLog "/var/log/httpd/www.Feiji1.com-access_log" common
    </VirtualHost>
    ......
    [root@localhost ~]# httpd -t
    Syntax OK
    [root@localhost ~]# systemctl restart httpd
    [root@localhost ~]# ss -anlt
    State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port  Process
    LISTEN   0        128              0.0.0.0:22            0.0.0.0:*
    LISTEN   0        128                    *:80                  *:*
    LISTEN   0        128                    *:81                  *:*
    LISTEN   0        128                 [::]:22               [::]:*
Different IPs, same port
    [root@localhost ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
    ......
    <VirtualHost 192.168.111.135:80>
        DocumentRoot "/var/www/html/Tanke"
        ServerName www.Tanke.com
        ErrorLog "/var/log/httpd/www.Tanke1.com-error_log"
        CustomLog "/var/log/httpd/www.Tanke1.com-access_log" common
    </VirtualHost>
    <VirtualHost 192.168.111.136:80>
        DocumentRoot "/var/www/html/Feiji"
        ServerName www.Feiji.com
        ErrorLog "/var/log/httpd/www.Feiji1.com-error_log"
        CustomLog "/var/log/httpd/www.Feiji1.com-access_log" common
    </VirtualHost>
    ......
    [root@localhost ~]# httpd -t
    Syntax OK
    [root@localhost ~]# ip a                // check whether the address 192.168.111.136 exists
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:bb:22:82 brd ff:ff:ff:ff:ff:ff
        inet 192.168.111.135/24 brd 192.168.111.255 scope global dynamic noprefixroute ens160
           valid_lft 1537sec preferred_lft 1537sec
        inet6 fe80::3d5c:b9d6:55f:48e9/64 scope link noprefixroute
           valid_lft forever preferred_lft forever
    [root@localhost ~]# ip addr add 192.168.111.136/24 dev ens160                // add the address
    [root@localhost ~]# ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:bb:22:82 brd ff:ff:ff:ff:ff:ff
        inet 192.168.111.135/24 brd 192.168.111.255 scope global dynamic noprefixroute ens160
           valid_lft 1463sec preferred_lft 1463sec
        inet 192.168.111.136/24 scope global secondary ens160
           valid_lft forever preferred_lft forever
        inet6 fe80::3d5c:b9d6:55f:48e9/64 scope link noprefixroute
           valid_lft forever preferred_lft forever
    [root@localhost ~]# systemctl restart httpd                // restart the httpd service
Same IP, same port, different domain names
    [root@localhost ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
    ......
    <VirtualHost *:80>
        DocumentRoot "/var/www/html/Tanke"
        ServerName www.Tanke.com
        ErrorLog "/var/log/httpd/www.Tanke1.com-error_log"
        CustomLog "/var/log/httpd/www.Tanke1.com-access_log" common
    </VirtualHost>
    <VirtualHost *:80>
        DocumentRoot "/var/www/html/Feiji"
        ServerName www.Feiji.com
        ErrorLog "/var/log/httpd/www.Feiji1.com-error_log"
        CustomLog "/var/log/httpd/www.Feiji1.com-access_log" common
    </VirtualHost>
    ......
    [root@localhost ~]# httpd -t
    Syntax OK
    [root@localhost ~]# systemctl restart httpd
Hostname resolution
On Linux and macOS, edit /etc/hosts.
On Windows the hosts file is C:\windows\system32\drivers\etc\hosts; it cannot be edited in place, so drag it to the desktop, add the entries, and move it back.
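As an added example that is not part of the original post, the shell functions below read a vhost configuration such as the ones above and catch two mistakes that `httpd -t` reports as "Syntax OK": a `<VirtualHost *:PORT>` with no matching `Listen PORT` (the reason the `Listen 81` line had to be added), and a ServerName declared twice on the same address:port, which leaves the second name-based vhost unreachable. The configuration text is a constructed sample, not the page's file.

```shell
#!/bin/sh
# Constructed config text standing in for httpd.conf plus conf.d/httpd-vhosts.conf (not the page's
# files). Two mistakes are planted: the *:81 vhost has no "Listen 81", and www.Tanke.com is
# declared twice on *:80, so the second block is shadowed by the first.
SAMPLE_CONF='Listen 80
<VirtualHost *:80>
    DocumentRoot "/var/www/html/Tanke"
    ServerName www.Tanke.com
</VirtualHost>
<VirtualHost *:81>
    DocumentRoot "/var/www/html/Feiji"
    ServerName www.Feiji.com
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/var/www/html/Tanke2"
    ServerName www.Tanke.com
</VirtualHost>'

# unlistened_ports: config on stdin -> ports used by some <VirtualHost> but named in no Listen
# directive. httpd starts without complaint, yet nothing ever accepts connections on such a port.
unlistened_ports() {
    LC_ALL=C awk '
        # "Listen 81" or "Listen 192.168.111.135:81": the port is the last colon-separated part
        tolower($1) == "listen"       { n = split($2, a, ":"); listen[a[n]] = 1 }
        tolower($1) == "<virtualhost" { s = $2; sub(/>$/, "", s); n = split(s, a, ":"); vh[a[n]] = 1 }
        END { for (p in vh) if (!(p in listen)) print p }
    ' | sort -n
}

# duplicate_names: config on stdin -> "addr:port name" for every ServerName that repeats on the
# same socket; name-based vhosts (same IP, same port) are only selectable by a distinct ServerName.
duplicate_names() {
    LC_ALL=C awk '
        tolower($1) == "<virtualhost" { s = $2; sub(/>$/, "", s) }
        tolower($1) == "servername"   { k = s " " $2; if (seen[k]++) dup[k] = 1 }
        END { for (k in dup) print k }
    ' | LC_ALL=C sort
}

# Usage on the sample: reports port 81 and the duplicated www.Tanke.com on *:80.
printf '%s\n' "$SAMPLE_CONF" | unlistened_ports
printf '%s\n' "$SAMPLE_CONF" | duplicate_names
```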
7. Steps to configure HTTPS

https (Hyper Text Transfer Protocol over Secure Socket Layer) is an HTTP channel built with security as its goal: on top of HTTP, it protects the exchange through transport encryption and identity authentication.
1. The mod_ssl module

The mod_ssl module provides HTTPS encryption and authentication.
    // install the mod_ssl module
    [root@localhost ~]# dnf install -y mod_ssl
a) The CA generates a key pair
    [root@localhost ~]# mkdir /etc/pki/CA
    [root@localhost ~]# cd /etc/pki/CA
    [root@localhost CA]# mkdir private
    [root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)                # generate the private key
    Generating RSA private key, 2048 bit long modulus (2 primes)
    ....+++++
    ....................................................+++++
    e is 65537 (0x010001)
    [root@localhost CA]# openssl rsa -in private/cakey.pem -pubout                # extract the public key
    writing RSA key
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2vmOLM61l3syZOvzhO3O
    9YzRUTF8IuGVv3F2ASWfUuvYTwq9Q7C5xxqaCOSR73iieQU9mkrtv98a8AoY/Oyd
    9fehZbrMxgDUFL7skcRxhYpacYeLfhnDlMLCU73ilVa4K2ZSm4MNLJ6DKDzgOozu
    wzOTNvvy7wrkHXyMDt4M0DOFc051sPwT4ncBQQKcHjDpi9A8iCAgWTbInNXvLjHg
    FV2E4HxPlhgzNwf99D01JJVK8qZSeL+aj0gYlmpBvh60czHfi28nqp8qqZocmUXf
    BDUHK27usf8s3Pmdi/9I1mwGYPOQoH/SzTC3ce9RTd2inzSaQCMdbZe7pmp4rPW2
    rwIDAQAB
    -----END PUBLIC KEY-----
b) The CA generates a self-signed certificate
    [root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365                # generate the self-signed certificate
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:hb
    Locality Name (eg, city) [Default City]:wh
    Organization Name (eg, company) [Default Company Ltd]:zsl
    Organizational Unit Name (eg, section) []:mxx
    Common Name (eg, your name or your server's hostname) []:www.Tanke1.com
    Email Address []:123@qq.com
    [root@localhost CA]# openssl x509 -text -in cacert.pem                # print the contents of the cacert.pem certificate
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                76:a0:c6:d4:e7:7a:4d:dc:21:1b:71:ba:25:8e:74:f3:1b:41:5b:2a
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = cn, ST = hb, L = wh, O = zsl, OU = mxx, CN = www.Tanke1.com, emailAddress = 123@qq.com
            Validity
                Not Before: Jul 21 15:31:42 2022 GMT
                Not After : Jul 21 15:31:42 2023 GMT
            Subject: C = cn, ST = hb, L = wh, O = zsl, OU = mxx, CN = www.Tanke1.com, emailAddress = 123@qq.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    8F:33:2D:51:A9:40:12:AC:BA:56:09:42:A1:CC:38:E3:4C:2B:79:DF
                X509v3 Authority Key Identifier:
                    keyid:8F:33:2D:51:A9:40:12:AC:BA:56:09:42:A1:CC:38:E3:4C:2B:79:DF
                X509v3 Basic Constraints: critical
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
    [root@localhost CA]# mkdir certs newcerts crl
    [root@localhost CA]# touch index.txt && echo 01 > serial
c) The client (for example the httpd server) generates a key
    [root@localhost CA]# cd /etc/httpd && mkdir ssl && cd ssl
    [root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
    Generating RSA private key, 2048 bit long modulus (2 primes)
    ...+++++
    ...........................................................................+++++
    e is 65537 (0x010001)
d) The client generates a certificate signing request
    [root@localhost ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
    Ignoring -days; not generating a certificate
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:hb
    Locality Name (eg, city) [Default City]:wh
    Organization Name (eg, company) [Default Company Ltd]:zsl
    Organizational Unit Name (eg, section) []:mxx
    Common Name (eg, your name or your server's hostname) []:www.Tanke1.com
    Email Address []:123@qq.com
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
e) The CA signs the certificate request submitted by the client
    [root@localhost ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Jul 21 15:35:07 2022 GMT
                Not After : Jul 21 15:35:07 2023 GMT
            Subject:
                countryName               = cn
                stateOrProvinceName       = hb
                organizationName          = zsl
                organizationalUnitName    = mxx
                commonName                = www.Tanke1.com
                emailAddress              = 123@qq.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    EA:D9:52:5A:E7:84:C2:09:1A:15:5B:4D:F2:77:23:F0:1D:C1:F9:D0
                X509v3 Authority Key Identifier:
                    keyid:8F:33:2D:51:A9:40:12:AC:BA:56:09:42:A1:CC:38:E3:4C:2B:79:DF
    Certificate is to be certified until Jul 21 15:35:07 2023 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
2. Configure the certificate locations in ssl.conf
    [root@localhost ~]# cd /etc/httpd/conf.d/
    [root@localhost conf.d]# vim ssl.conf
    ......
    # Remove the leading # from "#DocumentRoot" and "#ServerName" and set the
    # document root and server name this virtual host should use
    <VirtualHost _default_:443>
    # General setup for the virtual host, inherited from global configuration
    DocumentRoot "/var/www/html/Feiji"
    ServerName www.Feiji1.com:443
    # Paths of the certificate and the private key
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    #   Server Private Key:
    #   If the key is not combined with the certificate, use this
    #   directive to point at the key file.  Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    #   ECC keys, when in use, can also be configured in parallel
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
    ......
3. Check the configuration file for syntax errors
    [root@localhost conf.d]# httpd -t
    Syntax OK
4. Restart the service
    [root@localhost conf.d]# systemctl restart httpd
    [root@localhost conf.d]# ss -anlt
    State      Recv-Q     Send-Q           Local Address:Port           Peer Address:Port     Process
    LISTEN     0          128                    0.0.0.0:22                  0.0.0.0:*
    LISTEN     0          128                          *:443                       *:*
    LISTEN     0          128                          *:80                        *:*
    LISTEN     0          128                       [::]:22                     [::]:*
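As an added example that is not part of the original post, the script below runs the CA, key, CSR and signing steps of section 7 non-interactively under a temporary directory and then performs the checks worth doing before pointing ssl.conf at the files: the chain verifies against the CA, the key belongs to the certificate, the file is owner-readable only, and the certificate covers the vhost's ServerName. That last check is why the ServerName in ssl.conf must be the name the certificate was issued for: a certificate issued for www.Tanke1.com does not cover www.Feiji1.com. Signing uses `openssl x509 -req -CA` instead of `openssl ca` so no index.txt/serial database is needed; WORK, SERVER_NAME and the CA subject are assumptions of this script.

```shell
#!/bin/sh
# Added example, not the page's own commands. Files are written under $WORK (a temp dir);
# SERVER_NAME is the hostname the server certificate is issued for (both are assumptions).
set -eu
WORK="${WORK:-$(mktemp -d)}"
SERVER_NAME="${SERVER_NAME:-www.Tanke1.com}"

# Steps a) and b): CA key pair and self-signed CA certificate, subject given via -subj (no prompts)
make_ca() {
    (umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$WORK/cakey.pem" -out "$WORK/cacert.pem" -days 365 \
        -subj "/C=cn/ST=hb/L=wh/O=zsl/OU=mxx/CN=Lab Root CA" 2>/dev/null
}

# Steps c) to e): server key, CSR and the CA-signed certificate for hostname $1. The name also
# goes into a subjectAltName, because modern clients ignore the CN when matching hostnames.
make_server_cert() {
    (umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$WORK/httpd.key" -out "$WORK/httpd.csr" \
        -subj "/C=cn/ST=hb/L=wh/O=zsl/OU=mxx/CN=$1" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$1" > "$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/httpd.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" -out "$WORK/httpd.crt" 2>/dev/null
}

# chain_ok: the server certificate must verify against the CA certificate clients will trust
chain_ok() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/httpd.crt" >/dev/null 2>&1
}

# key_matches_cert: SSLCertificateFile and SSLCertificateKeyFile must belong together; compare
# the public key embedded in the certificate with the one derived from the private key
key_matches_cert() {
    c=$(openssl x509 -in "$WORK/httpd.crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$WORK/httpd.key" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# name_matches NAME: the :443 vhost's ServerName must be covered by the certificate,
# otherwise every client sees a hostname-mismatch warning
name_matches() {
    openssl x509 -in "$WORK/httpd.crt" -noout -checkhost "$1" | grep -q "does match"
}

# key_is_private: the private key must be readable by its owner only (what umask 077 ensures)
key_is_private() {
    case "$(ls -l "$WORK/httpd.key")" in -rw-------*) return 0 ;; *) return 1 ;; esac
}

# run_all: the whole procedure followed by the four checks; the exit status is the verdict
run_all() {
    make_ca && make_server_cert "$SERVER_NAME" &&
    chain_ok && key_matches_cert && name_matches "$SERVER_NAME" && key_is_private
}
```

Run it with `run_all && echo ok`; the files it leaves in $WORK are laid out like /etc/pki/CA and /etc/httpd/ssl above.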

