三个虚拟主机,要求如下
vhost1: phpMyAdmin, 同时提供https服务;
vhost2: wordpress
配置过程:
一、配置vhost1
1、首先配置vhost1,先搭建私有CA
在172.16.20.242上搭建私有CA:(1) 创建私钥,公钥无需处理[root@ca ~]# cd /etc/pki/CA/[root@ca CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus.....+++.......+++e is 65537 (0x10001)(2) 生成自签证书,填写相关证书信息[root@ca CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)Generating RSA private key, 2048 bit long modulus.....+++.......+++e is 65537 (0x10001)[root@ca CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:HubeiLocality Name (eg, city) [Default City]:HubeiOrganization Name (eg, company) [Default Company Ltd]:Gump LtdOrganizational Unit Name (eg, section) []:Ops Common Name (eg, your name or your server's hostname) []:ca.gump.comEmail Address []:caadmin@gump.com[root@ca CA]# // 需要注意的是,证书格式必须为pem格式(3)创建签署证书环境[root@ca CA]# touch /etc/pki/CA/index.txt[root@ca CA]# touch /etc/pki/CA/serial[root@ca CA]# echo 01 > /etc/pki/CA/serial
2、在web主机上生成证书请求,并发送证书请求到CA主机
在172.16.20.244生成证书请求:(1)生成密钥,并保存到应用此证书的服务的配置文件目录下[root@web ~]# mkdir /etc/httpd/ssl[root@web ~]# cd /etc/httpd/ssl[root@web ssl]# (umask 077;openssl genrsa -out httpd.key 2048)Generating RSA private key, 2048 bit long modulus..........+++....................................................................+++e is 65537 (0x10001)[root@web ssl]# lshttpd.key(2) 生成证书签署请求,填写相关信息需要注意的是,除了主机地址和邮箱地址,其它需要保持一致[root@web ssl]# openssl req -new -key httpd.key -out httpd.csrYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:HubeiLocality Name (eg, city) [Default City]:HubeiOrganization Name (eg, company) [Default Company Ltd]:Gump LtdOrganizational Unit Name (eg, section) []:OpsCommon Name (eg, your name or your server's hostname) []:web.gump.comEmail Address []:webadmin@gump.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:[root@web ssl]# lshttpd.csr httpd.key[root@web ssl]# scp httpd.csr root@172.16.20.242:/tmp/root@172.16.20.242's password: httpd.csr 100% 1050 1.0KB/s 00:00 [root@web ssl]#
3、签署证书请求,将证书请求发送回web主机
(1)签署证书请求[root@ca CA]# openssl ca -in /tmp/httpd.csr -out /tmp/web.gump.com.crt -days 365Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details: Serial Number: 1 (0x1) Validity Not Before: Aug 23 10:55:56 2017 GMT Not After : Aug 23 10:55:56 2018 GMT Subject: countryName = CN stateOrProvinceName = Hubei organizationName = Gump Ltd organizationalUnitName = Ops commonName = web.gump.com emailAddress = webadmin@gump.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 7A:D2:B5:60:3D:13:27:33:C4:F5:02:DC:AC:44:BB:0F:F9:32:00:71 X509v3 Authority Key Identifier: keyid:5A:9A:54:2F:9C:91:3E:D6:BE:CC:22:68:50:C6:83:EB:23:AD:AC:AFCertificate is to be certified until Aug 23 10:55:56 2018 GMT (365 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated[root@ca CA]# (2)将证书传回请求者[root@ca CA]# scp /tmp/web.gump.com.crt root@172.16.20.244:/etc/httpd/sslThe authenticity of host '172.16.20.244 (172.16.20.244)' can't be established.RSA key fingerprint is 5a:10:33:a2:bf:5b:06:82:25:01:fb:c2:74:93:34:95.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '172.16.20.244' (RSA) to the list of known hosts.root@172.16.20.244's password: web.gump.com.crt 100% 4595 4.5KB/s 00:00 [root@ca CA]#
4、配置httpd支持使用ssl
(1)查看当前web主机是否已安装mod_ssl模块,如果没有安装,则必须先安装mod_ssl模块(2)配置ssl配置文件[root@web ssl]# vim /etc/httpd/conf.d/ssl.conf修改如下选项:<VirtuaHost 172.16.20.244:443>// 因为ssl会话是基于IP地址建立的,若有多个IP地址,则需指定地址,若只有一个地址,则无需修改,保持"*"即可;DocumentRoot "/www/htdocs"// 此目录为虚拟主机vhost1的中心目录,即网页文件存放位置ServerName web.gump.com:443// 当前主机名ErrorLog /logs/pma_error_log// 错误日志存放位置Transferlog logs/pma_access_log// 访问日志存放目录SSLCertificateFile /etc/httpd/ssl/web.gump.com.crt// 服务器证书存放目录SSlCertificateKeyFile /etc/httpd/ssl/httpd.key// 证书私钥存放目录(3)配置phpMyadmin网页文件[root@localhost ~]# mkdir -pv /www/htdocs/vhosts{1,2,3}[root@localhost ~]# unzip phpMyAdmin-4.0.10.20-all-languages.zip[root@localhost ~]# cp phpMyAdmin-4.0.10.20-all-languages /www/htdocs/vhosts1/[root@localhost ~]# ln -sv phpMyAdmin-4.0.10.20-all-languages pma(4)配置httpd.conf[root@localhost conf]# vim httpd.confServerName Localhost:80DocumentRoot "/www/htdocs"<Directory "/www/htdocs"> // Directory 指定的目录要和DocumentRoot一致(5)配置虚拟主机配置文件[root@localhost ~]# vim /etc/httpd/conf.d/httpd-vhost1.conf<VirtualHost 172.16.20.244:80> ServerAdmin web.gump.com DocumentRoot "/www/htdocs" <Directory "/www/htdocs/vhosts1/pma"> Options None AllowOverride None Require all granted </Directory></VirtualHost>[root@localhost ~]# systemctl reload httpd.service查看配置效果
二、配置虚拟主机2
1、配置虚拟主机2的配置文件[root@localhost ~]# vim /etc/httpd/conf.d/httpd-vhost2.conf<VirtualHost 172.16.20.245:80> ServerAdmin web2.gump.com DocumentRoot "/www/htdocs" <Directory "/www/htdocs/vhosts2"> Options None AllowOverride None Require all granted </Directory></VirtualHost>2、为虚拟主机2配置IP地址由于是虚拟机,没有多张网卡使用ip命令添加地址达到多IP效果[root@localhost ~]# ip addr add 172.16.20.245/24 dev ens33[root@localhost ~]# ip addr show dev ens33[root@localhost ~]# ip add show dev ens332: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:44:e2:e3 brd ff:ff:ff:ff:ff:ff inet 172.16.20.244/24 brd 172.16.20.255 scope global ens33 valid_lft forever preferred_lft forever inet 172.16.20.245/24 scope global secondary ens33 valid_lft forever preferred_lft forever inet6 fe80::d846:2237:6188:97fe/64 scope link tentative dadfailed valid_lft forever preferred_lft forever inet6 fe80::a0de:8503:69c8:5595/64 scope link tentative dadfailed valid_lft forever preferred_lft forever inet6 fe80::9a1a:88f0:c9cf:41bd/64 scope link tentative dadfailed valid_lft forever preferred_lft forever3、配置虚拟主机2的网页文件[root@localhost ~]# unzip wordpress-4.7.4-zh_CH.zip[root@localhost ~]# cp wordpress /www/htdocs/vhosts2/4、配置虚拟主机2的wordpress的配置文件[root@localhost ~]# mysqlMariaDB [(none)]> CREATE DATABASE mydb1;MariaDB [(none)]> exit// 连接wordpress必须要配置正确的数据库及用户名密码,所以需要实现创建好数据库[root@localhost ~]# cd /www/htdocs/vhost2/wordpress[root@localhost ~]# cp wp-config-sample.php wp-config.php[root@localhost ~]# vim wp-config.phpdefine('DB_NAME','mydb1'); // 数据库为事先创建好的mydb1define('DB_USER','root'); // 用户名为rootdefine('DB_PASSWORD',''); // root密码默认为空5、查看配置效果
写的比较潦草,如有遗漏错误和争议之处,欢迎大家的批评指正和讨论,谢谢。
httpd.2.4虚拟主机配置测试
原文地址:http://blog.51cto.com/11367661/2047992