Bo's Oracle Station

Httpd

Posted on 2019-10-20 09:25:34
This post was last edited by secoug on 2019-10-20 11:35

On the instructor name server, add one more alias to /var/named/chroot/var/named/example.com.zone:

```
alt                       IN CNAME   server3.example.com.
```
Copy /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf to /etc/httpd/conf.d/ under the name vhosts.conf:

```apache
<VirtualHost *:80>
    #ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/html"
    ServerName server3.example.com
    #ServerAlias www.dummy-host.example.com
    #ErrorLog "/var/log/httpd/server3.example.com-error.log"
    #CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    #ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/virtual"
    ServerName www3.example.com
    #ServerAlias www.dummy-host.example.com
    #ErrorLog "/var/log/httpd/server3.example.com-error.log"
    #CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
</VirtualHost>

Listen 8909

<VirtualHost *:8909>
    #ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/alt"
    ServerName alt.example.com
    #ServerAlias www.dummy-host.example.com
    #ErrorLog "/var/log/httpd/server3.example.com-error.log"
    #CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
</VirtualHost>
```
```
[root@server3 ~]# semanage  port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      82, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
[root@server3 ~]# semanage port -l -C
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      82
[root@server3 ~]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@server3 ~]# semanage port -a -t http_port_t -p tcp 8909
[root@server3 ~]# semanage port -l -C
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      82, 8909
```
```
[root@server3 ~]# firewall-cmd  --permanent --add-port=8909/tcp
success
[root@server3 ~]# firewall-cmd  --reload
success
```
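Added here as an example (not from the original post): a POSIX shell check that parses a vhosts.conf and the semanage listing above to report the ports SELinux would not let httpd bind, which is why the restart above failed before port 8909 was labeled. Both inputs are constructed samples embedded in the script, and the function names are my own.

```shell
# Constructed sample input, not live output: the vhosts.conf from the post
# and the "semanage port -l | grep http" listing shown above.
VHOSTS_CONF='Listen 8909
<VirtualHost *:80>
    ServerName server3.example.com
</VirtualHost>
<VirtualHost *:8909>
    ServerName alt.example.com
</VirtualHost>'
SEMANAGE_HTTP='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      82, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989'

# vhost_ports CONFIG: every port httpd would bind, taken from Listen directives
# and <VirtualHost *:PORT> openers, numerically sorted and deduplicated.
vhost_ports() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "listen" { sub(/.*:/, "", $2); print $2 }
        /^ *<VirtualHost/ { p = $2; sub(/>.*/, "", p); sub(/.*:/, "", p); print p }' |
    sort -un
}

# port_has_label PORT TYPE: succeed when the listing labels tcp PORT with TYPE;
# entries carry trailing commas and may be ranges such as 10001-10010.
port_has_label() {
    printf '%s\n' "$SEMANAGE_HTTP" | awk -v port="$1" -v type="$2" '
        $1 == type && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)
                if (v ~ /-/) {
                    split(v, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
                } else if (v + 0 == port + 0) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# unlabeled_ports: configured ports that SELinux would stop httpd from binding
# (the reason the restart in the post failed); fix each one with
#   semanage port -a -t http_port_t -p tcp PORT
unlabeled_ports() {
    for p in $(vhost_ports "$VHOSTS_CONF"); do
        port_has_label "$p" http_port_t || echo "$p"
    done
}

unlabeled_ports   # prints 8909
```

On a live host, replace the two sample strings with `cat /etc/httpd/conf.d/vhosts.conf` and `semanage port -l | grep http` to check the real configuration.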

To keep a separate log per virtual host:

```apache
<VirtualHost *:80>
    #ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/html"
    ServerName server3.example.com
    #ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/server3.example.com-error.log"
    CustomLog "/var/log/httpd/server3.example.com-access.log" common
</VirtualHost>

<VirtualHost *:80>
    #ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/virtual"
    ServerName www3.example.com
    #ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/www3.example.com-error.log"
    CustomLog "/var/log/httpd/www3.example.com-access.log" common
</VirtualHost>

Listen 8909

<VirtualHost *:8909>
    #ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/alt"
    ServerName alt.example.com
    #ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/alt.example.com-error.log"
    CustomLog "/var/log/httpd/alt.example.com-access.log" common
</VirtualHost>
```
If every virtual host alike must refuse a particular address or subnet, reject it in the firewall (one rule for the http service, one for port 8909; the service name is double-quoted inside the single-quoted rule):

```
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.0.42/32 service name="http" reject'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.0.42/32 port port=8909 protocol=tcp reject'
```

```
[root@server3 conf.d]# firewall-cmd  --reload
success
```
If only one particular virtual host must be unreachable for that client:

```apache
<VirtualHost *:80>
    #ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/virtual"

    <Directory "/var/www/virtual">
        Options Indexes FollowSymLinks
        AllowOverride None
        <RequireAll>
            Require all granted
            Require not host desktop42.example.com
        </RequireAll>
    </Directory>
    ServerName www3.example.com
    #ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/www3.example.com-error.log"
    CustomLog "/var/log/httpd/www3.example.com-access.log" common
</VirtualHost>
```
The Require not host above must be given a host name; it is matched against the name the client address reverse-resolves to, so check the PTR record first:

```
[root@server3 conf.d]# dig -x 192.168.0.42

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -x 192.168.0.42
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5225
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;42.0.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
42.0.168.192.in-addr.arpa. 86400 IN     PTR     desktop42.example.com.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400   IN      NS      instructor.example.com.

;; ADDITIONAL SECTION:
instructor.example.com. 86400   IN      A       192.168.0.254

;; Query time: 103 msec
;; SERVER: 192.168.0.254#53(192.168.0.254)
;; WHEN: Sun Oct 20 10:15:46 CST 2019
;; MSG SIZE  rcvd: 130
```

Rename /etc/httpd/conf.d/welcome.conf.

Or cover a whole range of hosts at once, here by domain suffix:
```apache
<VirtualHost *:80>
    #ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/virtual"

    <Directory "/var/www/virtual">
        Options Indexes FollowSymLinks
        AllowOverride None
        <RequireAll>
            Require all granted
            Require not host .example.com
        </RequireAll>
    </Directory>
    ServerName www3.example.com
    #ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/www3.example.com-error.log"
    CustomLog "/var/log/httpd/www3.example.com-access.log" common
</VirtualHost>
```

To allow access from the server itself while denying every other host:

```apache
<VirtualHost *:80>
    #ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/html"

    <Directory "/var/www/html/private">
        Require all denied
        Require local
    </Directory>
    ServerName server3.example.com
    #ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/server3.example.com-error.log"
    CustomLog "/var/log/httpd/server3.example.com-access.log" common
</VirtualHost>

<VirtualHost *:80>
    #ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/virtual"

    <Directory "/var/www/virtual">
        Options Indexes FollowSymLinks
        AllowOverride None
        <RequireAll>
            Require all granted
            # Require not host .example.com
        </RequireAll>
    </Directory>

    <Directory "/var/www/virtual/private">
        Require all denied
        Require local
    </Directory>
    ServerName www3.example.com
    #ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/www3.example.com-error.log"
    CustomLog "/var/log/httpd/www3.example.com-access.log" common
</VirtualHost>
```

------
With no CA, use a self-signed certificate, but rather than the ready-made pair (SomeOrganization), generate a new self-signed certificate of our own:

```
genkey --test server3.example.com
```

On instructor, the script /root/bin/gls-setup-gen-sslcerts:

```bash
#
# certs archived in  /etc/pki/tls/certs/serverX.crt
# certs published at /var/ftp/pub/materials/tls/certs/serverX.crt
#
# keys archived in   /etc/pki/tls/private/serverX.key
# keys published at  /var/ftp/pub/materials/tls/private/serverX.key
#
#######################################################################

SUBJ_PREFIX="/C=US/ST=North Carolina/L=Raleigh/O=Example, Inc."
DOMAIN="example.com"

PUBTLS=/var/ftp/pub/materials/tls

if [ -d $PUBTLS ]; then
        echo WARNING: the directory $PUBTLS already exists, which is
        echo probably not a good thing.  To completely regenerate
        echo student certs and keys, first remove the directory
        echo $PUBTLS, then run this script.
        echo
        echo Bravely venturing on...
fi

mkdir -p $PUBTLS/{certs,private}

umask 077
pushd /etc/pki/tls/certs

for i in $(seq 20); do
        SERVER=server$i
        SUBJECT="$SUBJ_PREFIX/CN=$SERVER.$DOMAIN"
        KEY=../private/$SERVER.key
        if [ -e $KEY ]; then
                echo "key for $SERVER already exists.  skipping."
                continue
        fi
        openssl req -new -nodes -out $SERVER.csr -keyout $KEY -subj "$SUBJECT"
        openssl ca -batch -in $SERVER.csr -out $SERVER.crt
        ( cat $KEY; echo; cat $SERVER.crt ) > $SERVER.pem
        install -m 644 $SERVER.crt $SERVER.pem $PUBTLS/certs
        install -m 644 $KEY $PUBTLS/private
        rm -f $SERVER.csr
done
popd
```