开启辅助访问

Bo's Oracle Station

Bo's Oracle Station»社区 培训进行时(结课后图标变灰,但是欢迎继续发帖!) 4083-RHCE认证班第十八期 Httpd
返回列表 发新帖
查看: 2092|回复: 0

Httpd

[复制链接]
secoug

27

主题

27

帖子

183

积分

超级版主

Rank: 8Rank: 8

积分
183
发表于 2019-10-20 09:25:34 | 显示全部楼层 |阅读模式
本帖最后由 secoug 于 2019-10-20 11:35 编辑

在instructor名字服务器上,再加一个别名:
/var/named/chroot/var/named/example.com.zone
  1. alt                       IN CNAME   server3.example.com.
复制代码
把/usr/share/doc/httpd-2.4.6/httpd-vhosts.conf拷到/etc/httpd/conf.d/,名字叫做vhosts.conf

  1. <VirtualHost *:80>
  2.     #ServerAdmin webmaster@dummy-host.example.com
  3.     DocumentRoot "/var/www/html"
  4.     ServerName server3.example.com
  5.     #ServerAlias www.dummy-host.example.com
  6.     #ErrorLog "/var/log/httpd/server3.example.com-error.log"
  7.     #CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
  8. </VirtualHost>


  11. <VirtualHost *:80>
  12.     #ServerAdmin webmaster@dummy-host.example.com
  13.     DocumentRoot "/var/www/virtual"
  14.     ServerName www3.example.com
  15.     #ServerAlias www.dummy-host.example.com
  16.     #ErrorLog "/var/log/httpd/server3.example.com-error.log"
  17.     #CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
  18. </VirtualHost>


  21. listen 8909

  23. <VirtualHost *:8909>
  24.     #ServerAdmin webmaster@dummy-host.example.com
  25.     DocumentRoot "/var/www/alt"
  26.     ServerName alt.example.com
  27.     #ServerAlias www.dummy-host.example.com
  28.     #ErrorLog "/var/log/httpd/server3.example.com-error.log"
  29.     #CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
  30. </VirtualHost>
复制代码
  1. [root@server3 ~]# semanage  port -l | grep http
  2. http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
  3. http_cache_port_t              udp      3130
  4. http_port_t                    tcp      82, 80, 81, 443, 488, 8008, 8009, 8443, 9000
  5. pegasus_http_port_t            tcp      5988
  6. pegasus_https_port_t           tcp      5989
  7. [root@server3 ~]# semanage port -l -C
  8. SELinux Port Type              Proto    Port Number

  10. http_port_t                    tcp      82
  11. [root@server3 ~]# systemctl restart httpd
  12. Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
  13. [root@server3 ~]# semanage port -a -t http_port_t -p tcp 8909
  14. [root@server3 ~]# semanage port -l -C                        
  15. SELinux Port Type              Proto    Port Number

  17. http_port_t                    tcp      82, 8909
复制代码
  1. [root@server3 ~]# firewall-cmd  --permanent --add-port=8909/tcp
  2. success
  3. [root@server3 ~]# firewall-cmd  --reload
  4. success
复制代码

如果要区分日志:
  1. <VirtualHost *:80>
  2.     #ServerAdmin webmaster@dummy-host.example.com
  3.     DocumentRoot "/var/www/html"
  4.     ServerName server3.example.com
  5.     #ServerAlias www.dummy-host.example.com
  6.     ErrorLog "/var/log/httpd/server3.example.com-error.log"
  7.     CustomLog "/var/log/httpd/server3.example.com-access.log" common
  8. </VirtualHost>


  11. <VirtualHost *:80>
  12.     #ServerAdmin webmaster@dummy-host.example.com
  13.     DocumentRoot "/var/www/virtual"
  14.     ServerName www3.example.com
  15.     #ServerAlias www.dummy-host.example.com
  16.     ErrorLog "/var/log/httpd/www3.example.com-error.log"
  17.     CustomLog "/var/log/httpd/www3.example.com-access.log" common
  18. </VirtualHost>


  21. listen 8909

  23. <VirtualHost *:8909>
  24.     #ServerAdmin webmaster@dummy-host.example.com
  25.     DocumentRoot "/var/www/alt"
  26.     ServerName alt.example.com
  27.     #ServerAlias www.dummy-host.example.com
  28.     ErrorLog "/var/log/httpd/alt.example.com-error.log"
  29.     CustomLog "/var/log/httpd/alt.example.com-access.log" common
  30. </VirtualHost>
复制代码
如果所有的虚拟主机都一样要求对某一个地址或者某一个网段不能访问:

  1. firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.0.42/32 service name='http' reject'
复制代码
  1. firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.0.42/32 port port=8909  protocol=tcp   reject'
复制代码
  1. [root@server3 conf.d]# firewall-cmd  --reload
  2. success
复制代码
如果只要某个虚拟主机不能访问:
  1. <VirtualHost *:80>
  2.     #ServerAdmin webmaster@dummy-host.example.com
  3.     DocumentRoot "/var/www/virtual"

  5.         <Directory "/var/www/virtual">
  6.                 Options Indexes FollowSymLinks
  7.                 AllowOverride None
  8.                 <RequireAll>
  9.                  Require all granted
  10.                  Require not host desktop42.example.com
  11.                 </RequireAll>
  12.         </Directory>
  13.     ServerName www3.example.com
  14.     #ServerAlias www.dummy-host.example.com
  15.     ErrorLog "/var/log/httpd/www3.example.com-error.log"
  16.     CustomLog "/var/log/httpd/www3.example.com-access.log" common
  17. </VirtualHost>
复制代码
上面的Require not host 这一定要写主机名:

  1. [root@server3 conf.d]# dig -x 192.168.0.42

  3. ; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -x 192.168.0.42
  4. ;; global options: +cmd
  5. ;; Got answer:
  6. ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5225
  7. ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

  9. ;; OPT PSEUDOSECTION:
  10. ; EDNS: version: 0, flags:; udp: 4096
  11. ;; QUESTION SECTION:
  12. ;42.0.168.192.in-addr.arpa.     IN      PTR

  14. ;; ANSWER SECTION:
  15. 42.0.168.192.in-addr.arpa. 86400 IN     PTR     desktop42.example.com.

  17. ;; AUTHORITY SECTION:
  18. 0.168.192.in-addr.arpa. 86400   IN      NS      instructor.example.com.

  20. ;; ADDITIONAL SECTION:
  21. instructor.example.com. 86400   IN      A       192.168.0.254

  23. ;; Query time: 103 msec
  24. ;; SERVER: 192.168.0.254#53(192.168.0.254)
  25. ;; WHEN: Sun Oct 20 10:15:46 CST 2019
  26. ;; MSG SIZE  rcvd: 130
复制代码






把/etc/httpd/conf.d/welcome.conf改个名字:


AAA.png
或者写成网段:
  1. <VirtualHost *:80>
  2.     #ServerAdmin webmaster@dummy-host.example.com
  3.     DocumentRoot "/var/www/virtual"

  5.         <Directory "/var/www/virtual">
  6.                 Options Indexes FollowSymLinks
  7.                 AllowOverride None
  8.                 <RequireAll>
  9.                  Require all granted
  10.                  Require not host .example.com
  11.                 </RequireAll>
  12.         </Directory>
  13.     ServerName www3.example.com
  14.     #ServerAlias www.dummy-host.example.com
  15.     ErrorLog "/var/log/httpd/www3.example.com-error.log"
  16.     CustomLog "/var/log/httpd/www3.example.com-access.log" common
  17. </VirtualHost>
复制代码

对服务器本机能够访问,而对外其他主机都不能访问的写法:

  1. <VirtualHost *:80>
  2.     #ServerAdmin webmaster@dummy-host.example.com
  3.     DocumentRoot "/var/www/html"

  5.     <Directory "/var/www/html/private">
  6.                Require all denied
  7.                Require local
  8.     </Directory>
  9.     ServerName server3.example.com
  10.     #ServerAlias www.dummy-host.example.com
  11.     ErrorLog "/var/log/httpd/server3.example.com-error.log"
  12.     CustomLog "/var/log/httpd/server3.example.com-access.log" common
  13. </VirtualHost>


  16. <VirtualHost *:80>
  17.     #ServerAdmin webmaster@dummy-host.example.com
  18.     DocumentRoot "/var/www/virtual"

  20.         <Directory "/var/www/virtual">
  21.                 Options Indexes FollowSymLinks
  22.                 AllowOverride None
  23.                 <RequireAll>
  24.                  Require all granted
  25.                 # Require not host .example.com
  26.                 </RequireAll>
  27.         </Directory>

  29.         <Directory "/var/www/virtual/private">
  30.                Require all denied
  31.                Require local
  32.         </Directory>
  33.     ServerName www3.example.com
  34.     #ServerAlias www.dummy-host.example.com
  35.     ErrorLog "/var/log/httpd/www3.example.com-error.log"
复制代码

------
没有CA, 自签证书,但是不是用现成的那一对(SomeOrganization),而是自己生成新的自签证书:
  1. genkey   --test server3.example.com
复制代码



AAA.png


在instructor的/root/bin/gls-setup-gen-sslcerts
:
  1. #
  2. # certs archived in  /etc/pki/tls/certs/serverX.crt
  3. # certs published at /var/ftp/pub/materials/tls/certs/serverX.crt
  4. #
  5. # keys archive in    /etc/pki/tls/private/serverX.key
  6. # keys published at  /var/ftp/pub/materials/tls/private/serverX.key
  7. #
  8. #######################################################################

  10. SUBJ_PREFIX="/C=US/ST=North Carolina/L=Raleigh/O=Example, Inc."
  11. DOMAIN="example.com"

  13. PUBTLS=/var/ftp/pub/materials/tls

  15. if [ -d $PUBTLS ]; then
  16.         echo WARNING: the directory $PUBTLS already exists, which is
  17.         echo probably not a good thing.  To completely regenerate
  18.         echo student certs and keys, first remove the directory
  19.         echo $PUBTLS, then run this script.
  20.         echo
  21.         echo Bravely venturing on...
  22. fi

  24. mkdir -p $PUBTLS/{certs,private}

  26. umask 077
  27. <div>pushd /etc/pki/tls/certs</div><div>
  28. </div><div>for i in $(seq 20); do</div><div>        SERVER=server$i
  29.         SUBJECT="$SUBJ_PREFIX/CN=$SERVER.$DOMAIN"
  30.         KEY=../private/$SERVER.key</div><div>        if [ -e $KEY ]; then
  31.                 echo "key for $SERVER already exists.  skipping."
  32.                 continue
  33.         fi</div><div>        openssl req -new -nodes -out $SERVER.csr -keyout $KEY -subj "$SUBJECT"</div><div>        openssl ca -batch -in $SERVER.csr -out $SERVER.crt</div><div>        ( cat $KEY; echo; cat $SERVER.crt ) > $SERVER.pem</div><div>        install -m 644 $SERVER.crt $SERVER.pem $PUBTLS/certs
  34.         install -m 644 $KEY $PUBTLS/private</div><div>        rm -f $SERVER.csr</div><div>done</div><div>popd
  35. </div><div>
  36. </div>
复制代码









回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

QQ|手机版|Bo's Oracle Station   

GMT+8, 2024-11-21 16:57 , Processed in 0.055079 second(s), 27 queries .

快速回复 返回顶部 返回列表