(8) Check whether httpd is now listening on port 80. Note that "grep 80" matches any line containing 80 (port 8080, for instance); anchoring the pattern on ':80 ' is more precise.
[root@web ~]# ss -tnl | grep 80
LISTEN 0 128 :::80 :::*
(9) Testing.
9.1 Test the status page.
Test from the host 192.168.10.140, as follows.
[root@test1 ~]# elinks www1.itab.com/server-status
The page opens as shown below.
9.2 Test the pages of the two virtual hosts.
Again use the host 192.168.10.140 for the test, as follows.
[root@test1 ~]# elinks www1.itab.com
When www1.itab.com is accessed, the page opens as shown below.
[root@test1 ~]# elinks www2.itab.com
When www2.itab.com is accessed, the page opens as shown below.
Hosts in the 192.168.1.0/24 network, however, cannot access www1.itab.com; the page they get is shown below.
(10) Now provide HTTPS for the second virtual host above, so that users can access the site securely over HTTPS.
For convenience, the server certificate is issued by a private CA built here. The CA host and the web server host are:
CA host: 192.168.10.140
Web server host: 192.168.10.128
10.1 Set up the private CA on the CA host (192.168.10.140)
① The CA generates its private key. The umask 077 in the subshell gives the key file mode 0600 without changing the shell's own umask.
[root@test1 ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
② Generate the self-signed CA certificate. The DN entered here becomes both subject and issuer, and this certificate (not the key) is what clients will later have to import as trusted.
[root@test1 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:iTab
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.itab.com
Email Address []:caadmin@itab.com
③ Create the directories and files the CA needs. On CentOS/RHEL the three directories usually already exist from the openssl package, but index.txt (the issuance database) and serial (the next serial number to issue) do not, and openssl ca refuses to run without them.
[root@test1 ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
[root@test1 ~]# touch /etc/pki/CA/{serial,index.txt}
[root@test1 ~]# echo 01 > /etc/pki/CA/serial
10.2 Create the certificate signing request on the web server host (192.168.10.128).
① The web server host generates its private key (create /etc/httpd/ssl first if it does not exist).
[root@web ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
② The web server generates the certificate signing request. Two things to note: -days has no effect on a CSR, the validity period is decided by the CA at signing time; and identifying the server only through the Common Name is no longer enough, since modern browsers match the hostname against the subjectAltName extension, which this request does not carry and which the CA therefore has to add when it signs.
[root@web ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:iTab
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.itab.com
Email Address []:admin@itab.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
③ Send the certificate signing request to the CA host through a reliable channel. For demonstration convenience it is simply copied with scp here. The CSR contains only the public key and the subject, so its confidentiality is not the concern; what matters is that the CA confirms the request really comes from the operator of www2.itab.com before signing it. The private key httpd.key stays on the web server and is never transferred.
[root@web ~]# scp /etc/httpd/ssl/httpd.csr root@192.168.10.140:/tmp/
10.3 Sign the certificate request on the CA host (192.168.10.140).
① The CA host signs the web server's certificate. openssl ca takes its settings from /etc/pki/tls/openssl.cnf. Two details of the output below are worth noticing: the Locality field entered in the request is missing from the Subject, because the default policy_match section does not list localityName and openssl ca silently drops fields the policy does not mention; and the extensions come from the usr_cert section, which adds no subjectAltName, so this certificate is tied to www2.itab.com only through its CN.
[root@test1 ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 21 13:50:38 2017 GMT
Not After : May 21 13:50:38 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = HA
organizationName = iTab
organizationalUnitName = Ops
commonName = www2.itab.com
emailAddress = admin@itab.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C9:0A:4A:B8:2C:67:8A:1C:68:D5:1E:F6:40:57:21:BD:48:75:D5:75
X509v3 Authority Key Identifier:
keyid:81:F9:59:3E:F7:7C:8C:A4:1A:6B:7F:6F:9E:4F:8B:A6:18:A5:20:30
Certificate is to be certified until May 21 13:50:38 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
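The whole of steps 10.1 to 10.3 replayed as one script, added here as an example and not the post's own commands: it builds a throwaway CA in a temporary directory with its own minimal openssl.cnf (so the stock policy_match and usr_cert sections are not involved), issues the www2.itab.com certificate with a subjectAltName, and then runs the checks worth doing before the certificate is deployed: chain verification against the CA certificate, the SAN list, the retained Locality field, and the serial counter. The directory layout ($WORK/CA and $WORK/httpd instead of /etc/pki/CA and /etc/httpd/ssl), the config contents and the policy_loose/server_cert section names are assumptions made for this demo; the hostnames and DN values are the post's.

```shell
#!/bin/sh
# Added example, not the original post's code: steps 10.1-10.3 in a temp dir
# with a self-contained config, followed by the checks a practitioner runs.
# Paths, section names and the config itself are assumptions for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/CA"        # stands in for /etc/pki/CA
SRV="$WORK/httpd"    # stands in for /etc/httpd/ssl
CONF="$WORK/openssl.cnf"

# 10.1: CA database files, a minimal config, CA key and self-signed CA cert.
setup_ca() {
    mkdir -p "$CA/private" "$CA/certs" "$CA/crl" "$CA/newcerts" "$SRV"
    touch "$CA/index.txt"
    echo 01 > "$CA/serial"
    cat > "$CONF" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
new_certs_dir   = $CA/newcerts
database        = $CA/index.txt
serial          = $CA/serial
certificate     = $CA/cacert.pem
private_key     = $CA/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_loose
x509_extensions = server_cert

# Unlike the stock policy_match, this policy lists localityName, so L= survives.
[ policy_loose ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Server extensions; the SAN is what browsers match the hostname against.
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:www2.itab.com
EOF
    (umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CONF" -extensions v3_ca \
        -key "$CA/private/cakey.pem" -out "$CA/cacert.pem" -days 3650 \
        -subj "/C=CN/ST=HA/L=ZZ/O=iTab/OU=Ops/CN=ca.itab.com/emailAddress=caadmin@itab.com"
}

# 10.2: server key and CSR (no -days: a CSR carries no validity period).
make_csr() {
    (umask 077; openssl genrsa -out "$SRV/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$CONF" -key "$SRV/httpd.key" -out "$SRV/httpd.csr" \
        -subj "/C=CN/ST=HA/L=ZZ/O=iTab/OU=Ops/CN=www2.itab.com/emailAddress=admin@itab.com"
}

# 10.3: sign with openssl ca. -batch answers the two y/n prompts; the
# extensions come from the server_cert section named in the config.
sign_csr() {
    openssl ca -config "$CONF" -batch -notext -days 365 \
        -in "$SRV/httpd.csr" -out "$CA/certs/httpd.crt" >/dev/null 2>&1
}

# Checks to run before deploying the certificate.
verify_chain() {    # prints "<path>: OK" when httpd.crt chains to cacert.pem
    openssl verify -CAfile "$CA/cacert.pem" "$CA/certs/httpd.crt"
}
cert_sans() {       # DNS names a browser will accept for this certificate
    openssl x509 -in "$CA/certs/httpd.crt" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}
cert_subject() { openssl x509 -in "$CA/certs/httpd.crt" -noout -subject; }
next_serial() { cat "$CA/serial"; }   # openssl ca bumps it after each issuance

setup_ca
make_csr
sign_csr
cert_subject
openssl x509 -in "$CA/certs/httpd.crt" -noout -issuer -dates
verify_chain
cert_sans
```

To use the same flow for real, point the demo_ca paths at /etc/pki/CA and /etc/httpd/ssl, keep private/cakey.pem on the CA host only, and hand the resulting cacert.pem to clients as the trust anchor; the serial and index.txt files are the CA's record of what it has issued and must be kept alongside the key.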