Configuring name-based virtual hosts, HTTPD SSL encryption, and forced HTTPS redirection

Posted by hhjwqh


Configuring name-based virtual hosts

1. Configure DNS first

Install DNS

yum install bind* -y

Open the firewall for DNS

iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
service iptables save
service iptables restart

Note that the two --sport 53 rules accept any inbound packet whose source port happens to be 53, which lets such packets bypass the rest of the INPUT chain; a stateful rule (iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT) is the usual replacement for letting replies back in.

Copy the configuration files into the chroot

cp -a /etc/named* /var/named/chroot/etc/
cp -a /var/named/d* /var/named/named.* /var/named/slaves/ /var/named/chroot/var/named/

 

cd /var/named/chroot/etc/
vim named.conf

options {
        listen-on port 53 { 127.0.0.1; }; # change 127.0.0.1 to any
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; }; # change localhost to any
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
# create three zones: hhj.cc, baidu.com, google.com
zone "hhj.cc" {
        type master;
        file "aa.zone";
};
zone "baidu.com" {
        type master;
        file "bb.zone";
};
zone "google.com" {
        type master;
        file "cc.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

With allow-query { any; } and recursion yes this server is an open recursive resolver; that is fine for a lab, but on anything reachable from the internet restrict recursion to the local network with allow-recursion.

 

 

cd /var/named/chroot/var/named

cp -a named.localhost aa.zone
vim aa.zone

$TTL 1D
@       IN SOA  node1.hhj.cc.   root (
                                        11      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      node1.hhj.cc.
node1   A       192.168.1.104
www     A       192.168.1.104

cp -a named.localhost bb.zone
vim bb.zone

$TTL 1D
@       IN SOA  node1.baidu.com.   root (
                                        11      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      node1.baidu.com.
node1   A       192.168.1.104
www     A       192.168.1.104

cp -a named.localhost cc.zone
vim cc.zone

$TTL 1D
@       IN SOA  node1.google.com.   root (
                                        11      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      node1.google.com.
node1   A       192.168.1.104
www     A       192.168.1.104

Create the rndc.key file

rndc-confgen -r /dev/urandom -a

Restart the service

service named restart

 

2. Configure the virtual hosts

vim /etc/httpd/conf/httpd.conf

# remove the comment in front of NameVirtualHost *:80
<VirtualHost *:81>
    DocumentRoot /baidu
    ServerName www.baidu.com
</VirtualHost>
<VirtualHost *:81>
    DocumentRoot /google
    ServerName www.google.com
</VirtualHost>

The port in each <VirtualHost> must match a Listen directive, and for name-based matching a NameVirtualHost entry for that same port: NameVirtualHost *:80 covers port 80 only, so vhosts on *:81 also need Listen 81 and NameVirtualHost *:81, otherwise httpd never hands them a request.

Restart the httpd service

service httpd restart

Fix the SELinux context of the new document roots (httpd cannot serve them otherwise)

chcon -R --reference=/var/www/html /baidu/ /google/

 

HTTPS encryption configuration

1. Install the mod_ssl module

yum install mod_ssl -y

After installation, look at /etc/httpd/conf.d/

# ls /etc/httpd/conf.d/

Open the configuration file

# vim /etc/httpd/conf.d/ssl.conf

# load the mod_ssl.so module
LoadModule ssl_module modules/mod_ssl.so
# listening port, 443 by default
Listen 443
# enable the SSL engine
SSLEngine on
# certificate path
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# private key path
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

 

Enter the /etc/pki/tls/certs/ directory

# cd /etc/pki/tls/certs/
# ls
ca-bundle.crt  ca-bundle.trust.crt  localhost.crt  make-dummy-cert  Makefile  renew-dummy-cert

Use the openssl command to create the key and certificate files:

Generate the ca.key private key:

# openssl genrsa -des3 -out ca.key -rand rand.dat 1024

Create the ca.crt certificate:

# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

A 1024-bit RSA key is below today's accepted minimum; the Makefile used in the next step generates 2048-bit keys, which is the floor to use for anything beyond a lab.

 

# make aa.crt    # build the key and self-signed certificate with the Makefile in this directory
umask 77 ; \
       /usr/bin/openssl genrsa -aes128 2048 > aa.key
Generating RSA private key, 2048 bit long modulus
................................+++
...............................+++
e is 65537 (0x10001)
Enter pass phrase:        # enter a pass phrase
Verifying - Enter pass phrase:     # enter it again
umask 77 ; \
       /usr/bin/openssl req -utf8 -new -key aa.key -x509 -days 365 -out aa.crt -set_serial 0
Enter pass phrase for aa.key:      # enter the pass phrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SC
Locality Name (eg, city) [Default City]:CD
Organization Name (eg, company) [Default Company Ltd]:HHJ
Organizational Unit Name (eg, section) []:HHJ1984
Common Name (eg, your name or your server's hostname) []:RHCC
Email Address []:
# ls
aa.crt  aa.key  ca-bundle.crt  ca-bundle.trust.crt  localhost.crt  make-dummy-cert  Makefile  renew-dummy-cert

aa.crt is the generated certificate, aa.key the private key.

Copy the files to where httpd will read them

# cp aa.crt aa.key /etc/httpd/conf/

Point the certificate and key paths in /etc/httpd/conf.d/ssl.conf at them

vim /etc/httpd/conf.d/ssl.conf

# certificate path
SSLCertificateFile /etc/httpd/conf/aa.crt
# private key path
SSLCertificateKeyFile /etc/httpd/conf/aa.key

# service httpd restart    # after the restart the site can be reached over HTTPS

Because the Makefile encrypted aa.key with -aes128, httpd prompts for the pass phrase on every start; if unattended restarts are needed, strip it with openssl rsa -in aa.key -out aa.key and keep the file mode 600.

 

 

2. Use the certificate for one site only

# vim /etc/httpd/conf.d/ssl.conf

# disable the SSL engine in the global ssl.conf
SSLEngine off

Put the SSL directives directly inside the virtual host instead

# port changed to 443
<VirtualHost *:443>
    DocumentRoot /baidu
    ServerName www.baidu.com
    SSLEngine on
    # certificate path
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    # private key path
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>

Then restart httpd again.

 

How to force users to access the site over HTTPS

Edit httpd.conf

vim /etc/httpd/conf/httpd.conf

<VirtualHost 192.168.1.104:443>
    DocumentRoot /var/www/html
    ServerName www.hhj1984.cc
    ServerAlias www.hhj1984.cc. *.hhj1984.cc
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ca.crt
    SSLCertificateKeyFile /etc/httpd/conf/ca.key
</VirtualHost>
# the directory the site lives in
<Directory "/var/www/html">
    # Indexes enables directory listings; drop it unless they are wanted
    Options Indexes FollowSymLinks
    # required so that the .htaccess file is read
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

In /var/www/html (the site directory) edit .htaccess, creating it if it does not exist

<IfModule mod_rewrite.c>
    RewriteEngine on
    # only redirect plain-HTTP requests: this .htaccess is also read by the :443 vhost
    # that serves the same DocumentRoot, so without this condition the rule redirects to itself forever
    RewriteCond %{HTTPS} !=on
    RewriteCond %{HTTP_HOST} ^www\.hhj1984\.cc$ [NC]
    RewriteRule ^(.*)?$ https://www.hhj1984.cc/$1 [R=301,L]
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)?$ https://www.hhj1984.cc/$1 [R=301,L]
</IfModule>
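Two of the pitfalls in the steps above (a VirtualHost bound to a port with no matching Listen/NameVirtualHost, and an https:// RewriteRule with no condition on HTTPS or SERVER_PORT, which loops once the same .htaccess is read by the :443 vhost) can be caught by a static check before restarting httpd. This is an added example, not code from the original post; the two config strings are constructed to mirror the page's values and the directive parsing is deliberately minimal (one directive per line, `#` comments stripped).

```python
import re  # the two sample configs below are constructed for this example, not captured from a real host
HTTPD_CONF = """NameVirtualHost *:80
Listen 443
<VirtualHost *:81>
    ServerName www.baidu.com
</VirtualHost>
<VirtualHost *:443>
    ServerName www.baidu.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/aa.crt
</VirtualHost>"""
HTACCESS = """RewriteEngine on
RewriteCond %{HTTP_HOST} ^www.hhj1984.cc$ [NC]
RewriteRule ^(.*)?$ https://www.hhj1984.cc/$1 [R=301,L]"""

def parse_vhosts(conf):
    """Yield one dict per <VirtualHost>: its port plus every directive in the block (comments dropped)."""
    for m in re.finditer(r"<VirtualHost\s+[^:>]*:(\d+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        vh = {"port": int(m.group(1))}
        for line in m.group(2).splitlines():
            key, _, val = line.split("#", 1)[0].strip().partition(" ")
            if key:
                vh[key] = val.strip()
        yield vh

def check_vhosts(conf):
    """Flag vhosts bound to a port nothing listens on, and SSL vhosts lacking certificate or key."""
    ports = {int(p) for p in re.findall(r"^\s*(?:Listen|NameVirtualHost)\s+(?:\S*:)?(\d+)", conf, re.M | re.I)}
    problems = []
    for vh in parse_vhosts(conf):
        name = vh.get("ServerName", "?")
        if vh["port"] not in ports:
            problems.append(f"{name}: port {vh['port']} has no Listen/NameVirtualHost")
        if vh.get("SSLEngine", "").lower() == "on":
            problems += [f"{name}: SSLEngine on but {d} missing"
                         for d in ("SSLCertificateFile", "SSLCertificateKeyFile") if d not in vh]
    return problems

def check_htaccess(rules):
    """Flag https:// redirects with no RewriteCond on HTTPS or SERVER_PORT: the :443 vhost
    shares the DocumentRoot, reads the same .htaccess, and would redirect to itself forever."""
    problems, conds = [], []
    for line in rules.splitlines():
        low = line.strip().lower()
        if low.startswith("rewritecond"):
            conds.append(low)
        elif low.startswith("rewriterule"):
            if "https://" in low and not any(re.search(r"%\{(https|server_port)\}", c) for c in conds):
                problems.append("redirect loop risk: " + line.strip())
            conds = []
    return problems
```

Run check_vhosts on the real httpd.conf and ssl.conf concatenated, since on CentOS the Listen 443 line lives in ssl.conf.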


 
