
Configuring vhosts, HTTPS, and redirects

Date: 2020-01-04 11:53:42


Configuring virtual hosts and HTTPS

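Contents

I. Configuring virtual hosts
  1. Preparation
  2. Same IP, different ports
  3. Different IPs, same port
  4. Different domain names
  5. Access control
II. Configuring HTTPS
  1. Generating certificates
  2. Configuring SSL
  3. Redirecting HTTP to HTTPS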

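I. Configuring virtual hosts

In practice, httpd is often used like this: we have a single server but want to host several websites on it, which the configuration described above cannot do. Virtual hosts solve this: one server runs several websites, and each website is a virtual host. A virtual host is simply a way of reaching different sites on the same server through the httpd service.

There are three kinds of virtual host:

- Same IP, different ports
- Different IPs, same port
- Same IP, same port, different domain names

Note: virtual host configuration can be written in the main configuration file, or in an extra configuration file that you create yourself.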

1. Preparation

```
# install the httpd service
[root@nfs-server ~]# dnf -y install httpd
# stop the firewall temporarily; takes effect immediately
[root@nfs-server ~]# systemctl stop firewalld.service
[root@nfs-server ~]# systemctl disable firewalld.service
[root@nfs-server ~]# setenforce 0
# start the httpd service
[root@nfs-server ~]# systemctl restart httpd
# start httpd automatically at boot
[root@nfs-server ~]# systemctl enable httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
```

Access test:

2. Same IP, different ports

```
# find the vhost template file
[root@nfs-server ~]# find / -name "*vhosts.conf"
/usr/share/doc/httpd/httpd-vhosts.conf
# change to the directory that holds virtual host configuration files
[root@nfs-server ~]# cd /etc/httpd/conf.d/
# copy the template file into this directory
[root@nfs-server conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf ./
[root@nfs-server conf.d]# vim httpd-vhosts.conf
[root@nfs-server conf.d]# cat httpd-vhosts.conf
# the configuration is as follows
# IP address and port of this site
<VirtualHost *:80>
    # root directory holding the site's pages
    DocumentRoot "/var/www/html/fj"
    # domain name
    ServerName
    # location of the error log
    ErrorLog "/var/log/httpd/fj_log/error_log"
    # location of the access log
    CustomLog "/var/log/httpd/fj_log/access_log" common
</VirtualHost>
# listen on port 82
Listen 82
<VirtualHost *:82>
    DocumentRoot "/var/www/html/tk"
    ServerName
    ErrorLog "/var/log/httpd/tk_log/error_log"
    CustomLog "/var/log/httpd/tk_log/access_log" common
</VirtualHost>
# create the document directories for the two virtual hosts and change their owner and group to apache
[root@nfs-server conf.d]# cd /var/www/html/
[root@nfs-server html]# ls
[root@nfs-server html]# mkdir fj tk
drwxr-xr-x. 2 root root 6 Jul 22 14:56 fj
drwxr-xr-x. 2 root root 6 Jul 22 14:56 tk
[root@nfs-server html]# chown -R apache.apache fj
[root@nfs-server html]# chown -R apache.apache tk
[root@nfs-server html]# ll
total 0
drwxr-xr-x. 2 apache apache 6 Jul 22 14:56 fj
drwxr-xr-x. 2 apache apache 6 Jul 22 14:56 tk
# fetch the site content
# move the source archives into the web directory
[root@nfs-server html]# mv /root/feijiedazhan.zip ./
[root@nfs-server html]# mv /root/坦克.zip ./
# unpack the source archives
[root@nfs-server html]# unzip feijiedazhan.zip ; unzip 坦克.zip
# list the unpacked directories and files
[root@nfs-server html]# ls
Battle_City feijiedazhan.zip fj HTML5全民飞机大战小游戏 tk 坦克.zip
# move the content to where it should be served from
[root@nfs-server html]# mv HTML5全民飞机大战小游戏/* fj
[root@nfs-server html]# mv Battle_City/* tk/
[root@nfs-server html]# ls fj
css img index.html js
[root@nfs-server html]# ls tk
audio css images index.html js
# create the log directories and set their owner and group to apache
[root@nfs-server html]# mkdir /var/log/httpd/{fj_log,tk_log}
[root@nfs-server html]# ll /var/log/httpd/
drwxr-xr-x. 2 root root 6 Jul 22 14:58 fj_log
drwxr-xr-x. 2 root root 6 Jul 22 14:58 tk_log
[root@nfs-server html]# chown apache.apache /var/log/httpd/{fj_log,tk_log}
[root@nfs-server html]# ll /var/log/httpd/
drwxr-xr-x. 2 apache apache 6 Jul 22 14:58 fj_log
drwxr-xr-x. 2 apache apache 6 Jul 22 14:58 tk_log
# check the syntax
[root@nfs-server conf.d]# apachectl -t
Syntax OK
# restart the service to apply the configuration file
[root@nfs-server conf.d]# systemctl restart httpd
```

192.168.133.157:80

192.168.133.157:82

3. Different IPs, same port

```
# add an IP address for the virtual host to use
[root@nfs-server conf.d]# ip addr add 192.168.133.158 dev eth0
[root@nfs-server conf.d]# ip a s eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:7c:f5:bf brd ff:ff:ff:ff:ff:ff
    inet 192.168.133.157/24 brd 192.168.133.255 scope global dynamic noprefixroute eth0
       valid_lft 1407sec preferred_lft 1407sec
    inet 192.168.133.158/32 scope global eth0
       valid_lft forever preferred_lft forever
# edit the virtual host configuration file
[root@nfs-server conf.d]# vim httpd-vhosts.conf
[root@nfs-server conf.d]# cat httpd-vhosts.conf
<VirtualHost 192.168.133.157:80>
    DocumentRoot "/var/www/html/dz"
    ServerName
    ErrorLog "/var/log/httpd/dz_log/error_log"
    CustomLog "/var/log/httpd/dz_log/access_log" common
</VirtualHost>
<VirtualHost 192.168.133.158:80>
    DocumentRoot "/var/www/html/tk"
    ServerName
    ErrorLog "/var/log/httpd/tk_log/error_log"
    CustomLog "/var/log/httpd/tk_log/access_log" common
</VirtualHost>
# create the document directory and the log directory, and set the owner and group of both to apache
# the second virtual host's document and log directories are unchanged, so they do not need to be created here
[root@nfs-server conf.d]# mkdir /var/www/html/dz
[root@nfs-server conf.d]# chown -R apache.apache /var/www/html/dz
[root@nfs-server conf.d]# mkdir /var/log/httpd/dz_log
[root@nfs-server conf.d]# chown -R apache.apache /var/log/httpd/dz_log/
[root@nfs-server conf.d]# ll -d /var/www/html/dz ; ll -d /var/log/httpd/dz_log/
drwxr-xr-x. 2 apache apache 6 Jul 22 15:29 /var/www/html/dz
drwxr-xr-x. 2 apache apache 6 Jul 22 15:29 /var/log/httpd/dz_log/
# check the syntax, then restart httpd to apply the configuration
[root@nfs-server conf.d]# apachectl -t
Syntax OK
[root@nfs-server conf.d]# systemctl restart httpd
```

192.168.133.157

192.168.133.158

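4. Different domain names

```
# building on the previous configuration, only the domain names change this time; everything else stays the same
[root@nfs-server conf.d]# vim httpd-vhosts.conf
[root@nfs-server conf.d]# cat httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/var/www/html/dz"
    ServerName
    ErrorLog "/var/log/httpd/dz_log/error_log"
    CustomLog "/var/log/httpd/dz_log/access_log" common
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/var/www/html/tk"
    ServerName
    ErrorLog "/var/log/httpd/tk_log/error_log"
    CustomLog "/var/log/httpd/tk_log/access_log" common
</VirtualHost>
# check the syntax, then restart httpd to apply the configuration file
[root@nfs-server conf.d]# apachectl -t
Syntax OK
[root@nfs-server conf.d]# systemctl restart httpd
```

Note:

Because this domain name only works inside the LAN, the browser on the host machine cannot resolve it. Add the domain name to the host machine's local DNS resolution file.

File path: C:\Windows\System32\drivers\etc\hosts

If the file cannot be edited in place, move it to the desktop, edit it there, and put it back in its original location.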

5. Access control

Access control rules:

Types of IPADDR:

- IP: 192.168.1.1
- Network/mask: 192.168.1.0/255.255.255.0
- Network/Length: 192.168.1.0/24
- Net: 192.168

Types of HOSTNAME:

- FQDN: the full name of a specific host
- DOMAIN: all hosts in the specified domain

Note: httpd 2.4 denies access from all hosts by default, so after installation access must be granted explicitly.

```
# add access control, lines 9-14
[root@nfs-server conf.d]# vim httpd-vhosts.conf
[root@nfs-server conf.d]# cat httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/var/www/html/fj"
    ServerName
    ErrorLog "/var/log/httpd/fj_log/error_log"
    CustomLog "/var/log/httpd/fj_log/access_log" common
    <Directory /var/www/html/fj>
        <RequireAll>
            Require all granted
            Require not ip 192.168.92.129
        </RequireAll>
    </Directory>
</VirtualHost>
# check the syntax and restart the service
[root@nfs-server conf.d]# apachectl -t
Syntax OK
[root@nfs-server conf.d]# systemctl restart httpd
```

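II. Configuring HTTPS

HTTPS (full name: Hyper Text Transfer Protocol over Secure Socket Layer) is an HTTP channel built with security as its goal. On top of HTTP it adds transport encryption and identity authentication to protect data in transit.

1. Generating certificates

Setting up a private CA:

CA configuration file: /etc/pki/tls/f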

```
# the CA generates a key pair
[root@nfs-server ~]# cd /etc/pki/
[root@nfs-server pki]# mkdir CA
[root@nfs-server pki]# cd CA/
[root@nfs-server CA]# mkdir private
[root@nfs-server CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
# the CA generates a self-signed certificate
[root@nfs-server CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn                        # country
State or Province Name (full name) []:hb                    # state/province
Locality Name (eg, city) [Default City]:wh                  # city
Organization Name (eg, company) [Default Company Ltd]:rt    # company
Organizational Unit Name (eg, section) []:xy                # organizational unit
Common Name (eg, your name or your server's hostname) []:   # domain name
Email Address []:1@                                         # e-mail address
# the values above can be anything, as long as the certificate signing request made later uses the same ones
[root@nfs-server CA]# mkdir certs newcerts crl
[root@nfs-server CA]# touch index.txt && echo 01 > serial
# the client generates a key
[root@nfs-server CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@nfs-server ssl]# pwd
/etc/httpd/ssl
[root@nfs-server ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
# the client generates a certificate signing request
# the values entered must match those given for the CA's self-signed certificate above
[root@nfs-server ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:rt
Organizational Unit Name (eg, section) []:xy
Common Name (eg, your name or your server's hostname) []:
Email Address []:1@
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:      # just press Enter
An optional company name []:  # just press Enter
# the CA signs the request submitted by the client
[root@nfs-server ssl]# openssl ca -in /etc/httpd/ssl/httpd.csr -out httpd.crt -days 365
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
[root@nfs-server ssl]# ls
httpd.crt httpd.csr httpd.key
```
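The same CA-then-server-certificate procedure as a non-interactive script, added here as an example and not taken from the original article. It signs with `openssl x509 -req` in place of `openssl ca`, adds a subjectAltName (current browsers match the host name against it, not the Common Name), and then checks that the certificate chains to the CA, names the host, and belongs to the key. The names ca.example.test and www.example.test and the files ca.cnf and server.ext are assumptions.

```shell
#!/bin/sh
# Added example. ca.example.test / www.example.test are placeholder names.

# make_chain DIR HOST: create a CA and a server certificate for HOST in DIR.
make_chain() {
    mkdir -p "$1" || return 1
    (
        cd "$1" || exit 1
        umask 077    # keys readable by their owner only, as on the page
        # Minimal config so the result does not depend on the system openssl.cnf.
        printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
            '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > ca.cnf
        printf '%s\n' "subjectAltName=DNS:$2" 'basicConstraints=CA:FALSE' \
            'extendedKeyUsage=serverAuth' > server.ext
        openssl genrsa -out cakey.pem 2048 2>/dev/null &&
        openssl req -new -x509 -config ca.cnf -extensions v3_ca -days 365 \
            -key cakey.pem -out cacert.pem \
            -subj "/C=cn/ST=hb/L=wh/O=rt/OU=xy/CN=ca.example.test" &&
        openssl genrsa -out httpd.key 2048 2>/dev/null &&
        openssl req -new -config ca.cnf -key httpd.key -out httpd.csr \
            -subj "/C=cn/ST=hb/L=wh/O=rt/OU=xy/CN=$2" &&
        # Swapped-in signing step: x509 -req instead of the page's "openssl ca".
        openssl x509 -req -in httpd.csr -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -days 365 -sha256 -extfile server.ext \
            -out httpd.crt 2>/dev/null
    )
}

# verify_chain DIR HOST: succeed only if the certificate chains to the CA,
# names HOST, and carries the public key of httpd.key.
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$1/httpd.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/httpd.crt" -noout -checkhost "$2" |
        grep -q 'does match' || return 1
    cert_pub=$(openssl x509 -in "$1/httpd.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1/httpd.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Demo run in a scratch directory.
demo_dir=$(mktemp -d) && make_chain "$demo_dir" www.example.test &&
    verify_chain "$demo_dir" www.example.test && echo "chain verified in $demo_dir"
```

Running `verify_chain` against the files named in `SSLCertificateFile` and `SSLCertificateKeyFile` before restarting httpd catches a mismatched key or host name early.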

2. Configuring SSL

The mod_ssl module provides HTTPS encryption and authentication.

```
# check whether httpd has the ssl module loaded; install it if not
[root@nfs-server ~]# apachectl -M | grep ssl
# install the ssl module
[root@nfs-server ~]# dnf -y install mod_ssl
# restart the service to load the module
[root@nfs-server ~]# systemctl restart httpd
[root@nfs-server conf.d]# pwd
/etc/httpd/conf.d
# find these four lines, uncomment them, and set the document root and the certificate paths
[root@nfs-server conf.d]# vim ssl.conf
DocumentRoot "/var/www/html/fj"
ServerName :443
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
# check the syntax and restart the service
[root@nfs-server conf.d]# apachectl -t
Syntax OK
[root@nfs-server conf.d]# systemctl restart httpd
```

Access test:

3. Redirecting HTTP to HTTPS

Once the site is configured for HTTPS, a browser that visits it without specifying the https scheme still defaults to http, so requests to the http site need to be forwarded to https.

```
# the redirect directives are on lines 5 to 7
[root@nfs-server conf.d]# vim httpd-vhosts.conf
[root@nfs-server conf.d]# cat httpd-vhosts.conf
<VirtualHost 192.168.92.128:80>
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ $1 [L,R]
    DocumentRoot "/var/www/html/fj"
    ServerName
    ErrorLog "/var/log/httpd/fj_log/error_log"
    CustomLog "/var/log/httpd/fj_log/access_log" common
    <Directory /var/www/html/fj>
        <RequireAll>
            Require all granted
        </RequireAll>
    </Directory>
</VirtualHost>
```
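A check for the redirect step, added here as an example and not part of the original article: a `RewriteRule` whose substitution is only `$1` keeps the client on http, because mod_rewrite builds a relative redirect from the current scheme and host. The function below reads httpd configuration and reports every port-80 virtual host that has no redirect to an absolute https:// URL. The sample configuration and the example.test host names are constructed.

```shell
#!/bin/sh
# Added example. Constructed sample: the first vhost uses a rule with no
# https:// target, the second shows the corrected form.
sample_conf() {
cat <<'EOF'
<VirtualHost *:80>
    ServerName a.example.test
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ $1 [L,R]
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example.test
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://b.example.test$1 [L,R=301]
</VirtualHost>
EOF
}

# audit_redirects: read httpd configuration on stdin and print, for each
# port-80 vhost, "<ServerName> ok" or "<ServerName> no-https-redirect".
audit_redirects() {
    awk '
    tolower($0) ~ /^[ \t]*<virtualhost[ \t].*:80>/ {
        in80 = 1; name = "(unnamed)"; ok = 0; next
    }
    in80 && tolower($1) == "servername" && NF > 1 { name = $2 }
    # mod_rewrite: absolute https target plus an R flag in the last field
    in80 && tolower($1) == "rewriterule" &&
        $3 ~ /^https:\/\// && $NF ~ /^\[.*R.*\]$/ { ok = 1 }
    # mod_alias: Redirect [status] / https://host/
    in80 && tolower($1) == "redirect" && $NF ~ /^https:\/\// { ok = 1 }
    in80 && tolower($0) ~ /^[ \t]*<\/virtualhost>/ {
        print name, (ok ? "ok" : "no-https-redirect"); in80 = 0
    }
    '
}

# Demo on the constructed sample.
sample_conf | audit_redirects
```

On a server, feed it the real file, for example `audit_redirects < /etc/httpd/conf.d/httpd-vhosts.conf`.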
