[Linux] Exercise: comprehensive web server lab

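Lab requirements:

     Build a website for openlab:

           1. The site is reachable at the domain name www.openlab.com and shows the content welcome to openlab!!!

           2. Create three virtual site directories for the company, showing student information, teaching materials, and the payment site respectively.

        (Student information is accessed at www.openlab.com/student, teaching materials at www.openlab.com/data, and the payment site at www.openlab.com/money.)

           3. Only the two users song and tian may access the student information site; all users may access the other sites.

                Access to the payment site must be encrypted, using https.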

 

Procedure:

1. Install the httpd package (the HTTP service) and the mod_ssl package (adds SSL/TLS encryption support to the Apache server)

[root@localhost conf.d]# yum install -y httpd
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
上次元数据过期检查:0:23:32 前,执行于 2020年11月03日 星期二 16时30分44秒。
Package httpd-2.4.37-10.module+el8+2764+7127e69e.x86_64 is already installed.
依赖关系解决。
无需任何处理。
完毕!
[root@localhost conf.d]# yum install -y mod_ssl
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
上次元数据过期检查:0:02:33 前,执行于 2020年11月03日 星期二 16时30分44秒。
Package mod_ssl-1:2.4.37-10.module+el8+2764+7127e69e.x86_64 is already installed.
依赖关系解决。
无需任何处理。
完毕!

2. Write the virtual host configuration file

[root@localhost ~]# cd /etc/httpd/conf.d/
[root@localhost conf.d]# vim vhost-openlab.conf 

# Virtual host section (HTTP access)
<VirtualHost 192.168.74.130:80>
        # Document root for the site's pages
        DocumentRoot /www/http
        # Host name (here, the domain name)
        ServerName www.openlab.com
        # URL-path aliases
        alias /student  /openlab/student
        alias /data  /openlab/data
</VirtualHost>

# Virtual host section (HTTPS access)
<VirtualHost 192.168.74.130:443>
        DocumentRoot /www/http
        ServerName www.openlab.com
        alias /money  /openlab/money
        # Turn SSL on
        SSLEngine on
        # Location of the certificate file
        SSLCertificateFile /etc/pki/tls/certs/zhengshu.crt
        # Location of the private key file
        SSLCertificateKeyFile /etc/pki/tls/certs/zhengshu.key
</VirtualHost>

# Directory section (access restrictions)
<Directory /www/http>
        # Do not allow overrides
        AllowOverride none
        # Allow everyone to access this directory
        Require all granted
</Directory>

<Directory /openlab/student>
        AllowOverride none
        # Basic authentication (user account)
        Authtype basic
        # Prompt text (inside the double quotes)
        Authname "Please login:"
        # User authentication file (user names and passwords)
        Authuserfile /etc/httpd/users
        # Users allowed to access this directory
        Require user song tian
</Directory>

<Directory /openlab/data>
        AllowOverride none
        # Allow everyone to access this directory
        Require all granted
</Directory>

<Directory /openlab/money>
        AllowOverride none
        # Allow everyone to access this directory
        Require all granted
</Directory>
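
The /student alias above is served by the port-80 virtual host, so the Basic-auth credentials for song and tian cross the network only base64-encoded. The audit below is an added example, not part of the original post: it flags every alias whose virtual host lacks SSLEngine on while its target directory uses Basic authentication, run on a trimmed, constructed copy of the config above and on a variant with the alias moved to the :443 host. The function names and the variant are assumptions, and only unquoted paths as written on this page are handled.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Reports "url-path directory vhost"
# for each alias served without SSLEngine on whose directory uses AuthType basic.

audit_basic_over_http() {    # reads an httpd config on stdin (unquoted paths only)
    awk '
    BEGIN { c = 0 }
    { key = tolower($1) }
    key ~ /^<virtualhost/ { vhost = $2; sub(/>$/, "", vhost); ssl = 0; n = 0; next }
    key == "alias" && vhost != "" { path[n] = $2; dir[n] = $3; n++; next }
    key == "sslengine" && tolower($2) == "on" { ssl = 1; next }
    key == "</virtualhost>" {
        # SSLEngine may follow the aliases, so decide when the block closes
        for (i = 0; i < n && !ssl; i++) { cp[c] = path[i]; cd[c] = dir[i]; cv[c] = vhost; c++ }
        vhost = ""; next
    }
    key ~ /^<directory/ { cur = $2; sub(/>$/, "", cur); next }
    key == "authtype" && tolower($2) == "basic" { basic[cur] = 1 }
    END { for (i = 0; i < c; i++) if (cd[i] in basic) print cp[i], cd[i], cv[i] }
    '
}

page_conf() {    # constructed, trimmed copy of the page's vhost-openlab.conf
cat <<'EOF'
<VirtualHost 192.168.74.130:80>
    ServerName www.openlab.com
    alias /student /openlab/student
    alias /data /openlab/data
</VirtualHost>
<VirtualHost 192.168.74.130:443>
    ServerName www.openlab.com
    alias /money /openlab/money
    SSLEngine on
</VirtualHost>
<Directory /openlab/student>
    Authtype basic
    Require user song tian
</Directory>
EOF
}

fixed_conf() {    # variant: /student alias moved into the :443 virtual host
    page_conf | awk '/alias \/student/ { next } { print }
        /alias \/money/ { print "    alias /student /openlab/student" }'
}

echo "page config:";    page_conf  | audit_basic_over_http
echo "variant config:"; fixed_conf | audit_basic_over_http
```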

3. Create the certificate

# A self-signed certificate can be built with the Makefile in /etc/pki/tls/certs/
# RHEL 8 does not ship this file; if needed, copy it from RHEL 7

[root@localhost conf.d]# cd /etc/pki/tls/certs/
[root@localhost certs]# ll
总用量 20
lrwxrwxrwx. 1 root root   49 8月  13 2018 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55 8月  13 2018 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r--. 1 root root 3952 10月 29 20:49 localhost.crt
-rw-r--r--. 1 root root 2388 10月 29 20:20 Makefile
-rw-r--r--. 1 root root 2236 11月  2 14:02 postfix.pem
[root@localhost certs]# make zhengshu.crt                    # build a certificate named zhengshu
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > zhengshu.key
Generating RSA private key, 2048 bit long modulus (2 primes)
................................................+++++
.......................+++++
e is 65537 (0x010001)
Enter pass phrase:                                                 # enter the passphrase
Verifying - Enter pass phrase:                                     # confirm the passphrase
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key zhengshu.key -x509 -days 365 -out zhengshu.crt -set_serial 0
Enter pass phrase for zhengshu.key:                               # same passphrase as above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ZG                                # country code
State or Province Name (full name) []:SX                            # province
Locality Name (eg, city) [Default City]:Xi'an                       # city
Organization Name (eg, company) [Default Company Ltd]:openlab       # company name
Organizational Unit Name (eg, section) []:RHCE                      # department or organizational unit
Common Name (eg, your name or your server's hostname) []:www.test.com  # host name
Email Address []:[email protected]                    # e-mail address

4. Create the users

[root@localhost ~]# htpasswd -c /etc/httpd/users song    # add the user and store the password entry in the users file
New password: 
Re-type new password: 
Adding password for user song
[root@localhost ~]# htpasswd /etc/httpd/users tian      # add the user and store the password entry in the users file
New password: 
Re-type new password: 
Adding password for user tian
[root@localhost ~]# htpasswd /etc/httpd/users li        # add the user and store the password entry in the users file
New password: 
Re-type new password: 
Adding password for user li
[root@localhost ~]# htpasswd /etc/httpd/users zhao      # add the user and store the password entry in the users file
New password: 
Re-type new password: 
Adding password for user zhao

5. Create the web content directories

[root@localhost ~]# mkdir -p /www/http
[root@localhost http]# mkdir -p  /openlab/{student,data,money}

6. Create the page content

[root@localhost conf.d]# echo welcome to openlab! > /www/http/index.html   # main page of the site
[root@localhost http]# echo 学生信息 > /openlab/student/index.html  # virtual subdirectory: student information page
[root@localhost http]# echo 教学资料 > /openlab/data/index.html     # virtual subdirectory: teaching materials page
[root@localhost http]# echo 缴费通道 > /openlab/money/index.html    # virtual subdirectory: payment page

7. Add a name-resolution entry for this domain to the virtual machine's hosts file (/etc/hosts)

[root@localhost http]# vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.74.130 www.openlab.com           # add this entry

 8. Add the same name-resolution entry to the local host machine's hosts file (C:\Windows\System32\drivers\etc\hosts)

9. Stop the firewall and put SELinux into permissive mode

[root@localhost conf.d]# systemctl stop firewalld         # stop the firewall
[root@localhost conf.d]# setenforce 0                     # switch SELinux to permissive mode
[root@localhost conf.d]# systemctl status firewalld       # check the firewall status
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
[root@localhost conf.d]# getenforce                       # check the SELinux mode
Permissive
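
Stopping firewalld and switching SELinux to permissive makes the lab work by removing both controls. As an added example (not from the original post), the script below keeps both on and opens only what this lab needs: the http and https services, and a readable SELinux label on /www and /openlab. It assumes semanage is installed (policycoreutils-python-utils on RHEL 8); the function names and the APPLY variable are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Dry run by default: prints the
# commands (arguments shown unquoted). Run as root with APPLY=1 to execute them.
APPLY="${APPLY:-0}"

run() {
    if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

open_web_ports() {
    run systemctl enable --now firewalld
    # Open only the two services this lab serves (80/tcp and 443/tcp)
    run firewall-cmd --permanent --add-service=http
    run firewall-cmd --permanent --add-service=https
    run firewall-cmd --reload
}

label_web_content() {
    # /www and /openlab are the page's content trees; httpd_sys_content_t
    # is the type the confined httpd process is allowed to read
    for dir in /www /openlab; do
        run semanage fcontext -a -t httpd_sys_content_t "${dir}(/.*)?"
    done
    run restorecon -R /www /openlab
    run setenforce 1
}

harden() {
    open_web_ports
    label_web_content
}

harden
```

If a semanage rule for a path already exists, `semanage fcontext -a` reports an error for it; `restorecon` still applies the existing rule.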

10. Restart the httpd service

[root@localhost conf.d]# systemctl restart httpd
Enter TLS private key passphrase for www.openlab.com:443 (RSA) : ******

 11. Test

    ① Main page

[root@localhost conf.d]# curl http://www.openlab.com
welcome to openlab!

        

    ② Student information page

[root@localhost conf.d]# curl http://www.openlab.com/student/ -u song    # user song is allowed
Enter host password for user 'song':
学生信息
[root@localhost conf.d]# curl http://www.openlab.com/student/ -u tian   # user tian is allowed
Enter host password for user 'tian':
学生信息
[root@localhost conf.d]# curl http://www.openlab.com/student/ -u li    # user li is denied
Enter host password for user 'li':
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
[root@localhost conf.d]# curl http://www.openlab.com/student/ -u zhao    # user zhao is denied
Enter host password for user 'zhao':
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>

      

    ③ Teaching materials page

[root@localhost conf.d]# curl http://www.openlab.com/data/
教学资料

     

    ④ Payment page

[root@localhost conf.d]# curl -k https://www.openlab.com/money/    # -k skips certificate verification (the certificate is self-signed)
缴费通道

   

Lab complete!!!


Reposted from blog.csdn.net/trichloromethane/article/details/109472836