Configuring HTTPS virtual hosts on Apache
Posted Linux无限探索
# cd /usr/local/src/tarbag
# wget http://labs.renren.com/apache-mirror//httpd/httpd-2.2.21.tar.gz
# tar xzvf httpd-2.2.21.tar.gz -C ../software
# cd ../software/httpd-2.2.21
# ./configure --prefix=/usr/local/apache --enable-so --enable-ssl --enable-rewrite --enable-headers --with-mpm=worker --enable-expires --enable-suexec --with-suexec-docroot=/data/www --enable-mods-shared=all
# make && make install
# rm -rf /etc/init.d/httpd
# cp /usr/local/apache/bin/apachectl /etc/init.d/httpd
# sed -i '2c#chkconfig: 35 85 15' /etc/init.d/httpd
# sed -i '3c#description: apache' /etc/init.d/httpd
# chmod +x /etc/init.d/httpd
# chkconfig --add httpd
# chkconfig httpd on
# rm -rf /sbin/apachectl
# ln -s /usr/local/apache/bin/apachectl /sbin
Once Apache is installed, generate the certificate right away. Before generating it, create a directory to hold the certificate files.
# cd /usr/local/apache/conf
# mkdir ssl.key
# cd ssl.key/
step.1
First, generate the server's private key (the key file).
# openssl genrsa -des3 -out server.key 1024
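When it runs, the command prompts for a passphrase, which is used to encrypt the key file. The command to remove the passphrase from the key file:
.......................
.................................................
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key: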
step.2
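Generate the Certificate Signing Request (CSR). The resulting CSR file is handed to a CA, whose signature turns it into the server's own certificate. The screen shows a series of prompts; follow them and enter the requested information step by step.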
# openssl req -new -key server.key -out server.csr
You will see the prompts below; enter the requested information to generate the CSR.
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:FJ
Locality Name (eg, city) [Newbury]:FZ
Organization Name (eg, company) [My Company Ltd]:company
Organizational Unit Name (eg, section) []:company
Common Name (eg, your name or your server's hostname) []:ty
Email Address []:ty@company.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:company
An optional company name []:company
To generate a client certificate, run the same commands for the client to produce its key and CSR files:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf
This is not demonstrated here; interested readers can try it themselves.
step.3
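The CSR file must be signed by a CA before it becomes a certificate. You can send the file to VeriSign or a similar authority for validation, or sign it yourself:
# openssl x509 -req -in server.csr -signkey server.key -out server.cert
When you see the output below, enter the passphrase to finish.
Signature ok
subject=/C=CN/ST=FJ/L=FZ/O=poppace/OU=poppace/CN=ty/emailAddress=ty@poppace.com
Getting Private key
Enter pass phrase for server.key:
For security, reduce the access permissions on the certificate-related files to the minimum.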
# chmod 400 *
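A key and certificate that do not belong together, or an undersized key, is easier to catch at this point than at Apache start-up. The check below is an added example, not part of the original post: it builds throwaway unencrypted pairs in a temporary directory (the example.test subjects and the 2048-bit minimum are assumptions) and compares the RSA moduli; with that minimum, the 1024-bit key generated above would be reported as WEAK.

```sh
#!/bin/sh
# Added example, not from the original post. Subjects, the temporary directory
# and the 2048-bit minimum are assumptions made for illustration.

# Create an unencrypted throwaway key, a CSR and a self-signed certificate.
make_pair() {  # $1 = directory, $2 = base name, $3 = RSA bits
    openssl genrsa -out "$1/$2.key" "$3" 2>/dev/null &&
    openssl req -new -key "$1/$2.key" -subj "/CN=$2.example.test" \
        -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 30 \
        -out "$1/$2.cert" 2>/dev/null &&
    chmod 400 "$1/$2.key"
}

# Succeed only if the certificate's public modulus equals the key's modulus.
pair_matches() {  # $1 = key file, $2 = certificate file
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 2
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the RSA modulus size in bits, parsed from "Private-Key: (N bit ...)".
key_bits() {  # $1 = key file
    openssl rsa -noout -text -in "$1" 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Print one verdict line; a non-zero status means "do not deploy this pair".
audit_pair() {  # $1 = key, $2 = certificate, $3 = minimum acceptable bits
    pair_matches "$1" "$2" || { echo "MISMATCH: $2 was not issued for $1"; return 1; }
    bits=$(key_bits "$1")
    [ "${bits:-0}" -ge "$3" ] || { echo "WEAK: $bits-bit key, want >= $3"; return 1; }
    echo "OK: $bits-bit key matches $2"
}

dir=$(mktemp -d)
make_pair "$dir" server 2048 && make_pair "$dir" other 2048
audit_pair "$dir/server.key" "$dir/server.cert" 2048   # matching pair
audit_pair "$dir/server.key" "$dir/other.cert" 2048    # certificate for another key
rm -rf "$dir"
```

Against the passphrase-protected server.key from this post, openssl asks for the passphrase each time the key is read.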
The certificate is now generated; next, configure Apache.
# vi /usr/local/apache/conf/httpd.conf
Enable the vhosts configuration: go to lines 447 and 459 and uncomment Include conf/extra/httpd-vhosts.conf and Include conf/extra/httpd-ssl.conf.
# vi /usr/local/apache/conf/extra/httpd-vhosts.conf
Pay particular attention to the configuration of the 443 block; the relevant explanations can be found in httpd-ssl.conf.
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    DocumentRoot "/data/www/"
    ServerName 192.168.1.201
    <Directory /data/www/>
        Order allow,deny
        Allow from all
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/data/www/"
    ServerName 192.168.1.201:443
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "/usr/local/apache/conf/ssl.key/server.cert"
    SSLCertificateKeyFile "/usr/local/apache/conf/ssl.key/server.key"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /data/www/>
        Order allow,deny
        Allow from all
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>
    BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
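The cipher list in the 443 block deserves a check before the site goes live. The linter below is an added example, not part of the original post or of Apache: it reads a configuration on stdin and reports SSLCipherSuite tokens taken from a list of weak selectors (ALL, LOW, EXP, eNULL, RC4 and similar), explicit SSLv2/SSLv3 in SSLProtocol, and a missing SSLProtocol line. The weak-token list and the stricter sample policy are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. The weak-token list and the
# "strict" policy are assumptions; both sample configurations are constructed.
# Read Apache configuration on stdin, print findings, return 1 if any.
lint_ssl_conf() {
    awk '
    BEGIN { weak = "^(ALL|LOW|EXP|EXPORT|EXPORT40|EXPORT56|eNULL|NULL|aNULL|ADH|SSLv2|RC4|DES|MD5)$" }
    tolower($1) == "sslprotocol" {
        proto = 1
        for (i = 2; i <= NF; i++)
            if ($i ~ /^[+]?SSLv[23]$/) { print "line " NR ": protocol " $i " enabled"; bad = 1 }
    }
    tolower($1) == "sslciphersuite" {
        gsub(/"/, "", $2)
        n = split($2, tok, ":")
        for (i = 1; i <= n; i++) {
            if (tok[i] ~ /^[-+!]/) continue    # these only remove or reorder suites
            m = split(tok[i], part, "[+]")     # "A+B" = suites that are both A and B
            for (j = 1; j <= m; j++)
                if (part[j] ~ weak) { print "line " NR ": " tok[i] " adds weak suites"; bad = 1; break }
        }
    }
    END {
        if (!proto) { print "no SSLProtocol directive: the build default applies"; bad = 1 }
        exit bad + 0
    }'
}

post_conf() {   # cipher list of the 443 vhost in this post, "+" signs in place
cat <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
EOF
}
strict_conf() { # stricter variant; adjust to the clients you must support
cat <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
</VirtualHost>
EOF
}

post_conf | lint_ssl_conf
strict_conf | lint_ssl_conf && echo "strict_conf: no findings"
```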
# vi /usr/local/apache/conf/extra/httpd-ssl.conf
Search for SSLCertificateFile
and change (line 99): SSLCertificateFile "/usr/local/apache/conf/server.crt"
to: SSLCertificateFile "/usr/local/apache/conf/ssl.key/server.cert"
Search for SSLCertificateKeyFile
and change (line 107): SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
to: SSLCertificateKeyFile "/usr/local/apache/conf/ssl.key/server.key"
# service httpd start
Apache/2.2.21 mod_ssl/2.2.21 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.example.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
Now open https://192.168.1.201 in a browser, and you are done.
This article comes from 博客园 (cnblogs), author: linux_pro. When reposting, please cite the original link: https://www.cnblogs.com/linuxpro/p/17374169.html
Three ways to configure virtual hosts on Apache
Copied from https://www.cnblogs.com/xiaoqian1993/p/6063375.html
I. IP-based
1. Suppose the server has the IP address 192.168.1.10. Use ifconfig to bind three more IPs to the same network interface, eth0:
# ifconfig eth0:1 192.168.1.11
# ifconfig eth0:2 192.168.1.12
# ifconfig eth0:3 192.168.1.13
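2. Edit the hosts file and add three domain names, one for each IP:
192.168.1.11 www.test1.com
192.168.1.12 www.test2.com
192.168.1.13 www.test3.com
3. Create the document root directories for the virtual hosts, for example test1, test2 and test3 under /www, containing 1.html, 2.html and 3.html respectively:
/www/test1/1.html
/www/test2/2.html
/www/test3/3.html
4. Include the extra configuration file httpd-vhosts.conf from httpd.conf, then put the following configuration in httpd-vhosts.conf: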
<VirtualHost 192.168.1.11:80>
    ServerName www.test1.com
    DocumentRoot /www/test1/
    <Directory "/www/test1">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow From All
    </Directory>
</VirtualHost>

<VirtualHost 192.168.1.12:80>
    ServerName www.test2.com
    DocumentRoot /www/test2/
    <Directory "/www/test2">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow From All
    </Directory>
</VirtualHost>

<VirtualHost 192.168.1.13:80>
    ServerName www.test3.com
    DocumentRoot /www/test3/
    <Directory "/www/test3">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow From All
    </Directory>
</VirtualHost>
5. Done. Test each virtual host by visiting www.test1.com, www.test2.com and www.test3.com.
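II. Name-based
1. Map the domain names to the same IP by editing hosts:
192.168.1.10 www.test1.com
192.168.1.10 www.test2.com
192.168.1.10 www.test3.com
2. As above, create the document root directories for the virtual hosts:
/www/test1/1.html
/www/test2/2.html
/www/test3/3.html
The next step is to create a <VirtualHost> block for each virtual host you are setting up. The argument to <VirtualHost> is the same as the argument to the NameVirtualHost directive. Each <VirtualHost> block contains at least a ServerName directive, which specifies which host is served, and a DocumentRoot directive, which says where that host's content lives in the file system.
If you are adding virtual hosts to an existing web server, you must also create a <VirtualHost> block for the existing host. Its ServerName and DocumentRoot should match the global settings, and the block must come first in the configuration file so that it acts as the default host.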
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName *
    DocumentRoot /www/
</VirtualHost>

<VirtualHost *:80>
    ServerName www.test1.com
    DocumentRoot /www/test1/
    <Directory "/www/test1">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.test2.com
    DocumentRoot /www/test2/
    <Directory "/www/test2">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.test3.com
    DocumentRoot /www/test3/
    <Directory "/www/test3">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
4. Done. Test each virtual host by visiting www.test1.com, www.test2.com and www.test3.com.
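How the name-based lookup in this section picks a site, as an added example that is not part of the copied article: Apache compares the Host header with each ServerName literally, so the `ServerName *` block acts as the default only because it is listed first, and every unrecognised Host lands there. The resolver is a simplified model (one shared *:80 address, no ServerAlias), and unknown.example.test is a constructed name.

```sh
#!/bin/sh
# Added example, not from the copied article. Simplified model: all blocks share
# one address:port and ServerAlias is ignored (assumptions).

# Constructed sample: the name-based configuration from this section, trimmed.
sample_vhosts() {
cat <<'EOF'
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName *
    DocumentRoot /www/
</VirtualHost>
<VirtualHost *:80>
    ServerName www.test1.com
    DocumentRoot /www/test1/
</VirtualHost>
<VirtualHost *:80>
    ServerName www.test2.com
    DocumentRoot /www/test2/
</VirtualHost>
EOF
}

# Read a configuration on stdin; print the DocumentRoot chosen for Host header $1.
resolve_vhost() {
    awk -v host="$1" '
    BEGIN { host = tolower(host); sub(/:[0-9]+$/, "", host) }   # drop ":port"
    $1 ~ /^<VirtualHost/                   { n++; next }
    n && tolower($1) == "servername"   { name[n] = tolower($2) }
    n && tolower($1) == "documentroot" { gsub(/"/, "", $2); root[n] = $2 }
    END {
        for (v = 1; v <= n; v++)
            if (name[v] == host) { print root[v]; exit }
        print root[1]          # no ServerName matched: the first vhost answers
    }'
}

sample_vhosts | resolve_vhost www.test2.com          # /www/test2/
sample_vhosts | resolve_vhost WWW.TEST1.COM:80       # /www/test1/
sample_vhosts | resolve_vhost unknown.example.test   # /www/
```

Because the first block answers for every unmatched name, its DocumentRoot should hold only content that is safe to serve to any Host header.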
III. Port-based
Change the original
Listen 80
to
Listen 80
Listen 8080
2. Change the virtual host settings:
<VirtualHost 192.168.1.10:80>
DocumentRoot /var/www/test1/
ServerName www.test1.com
</VirtualHost>
<VirtualHost 192.168.1.10:8080>
DocumentRoot /var/www/test2
ServerName www.test2.com
</VirtualHost>