HTTPS and server-status configuration walkthrough
Author: 尹正杰 (Yin Zhengjie)
Copyright notice: original work, reproduction not permitted; violations will be pursued legally.
Set the DN defaults in /etc/pki/tls/openssl.cnf once so they are offered at every prompt, then build the private CA in /etc/pki/CA: a self-signed CA certificate from the CA key already sitting in private/cakey.pem (its generation is not shown), plus the database files that openssl ca needs.

[root@yinzhengjie ~]# more /etc/pki/tls/openssl.cnf | grep countryName_default
#countryName_default = XX
countryName_default = CN ------> country set to CN (China)
[root@yinzhengjie ~]# more /etc/pki/tls/openssl.cnf | grep stateOrProvinceName_default
#stateOrProvinceName_default = Default Province
stateOrProvinceName_default = BeiJing -------> province set to BeiJing
[root@yinzhengjie ~]# more /etc/pki/tls/openssl.cnf | grep localityName_default
#localityName_default = Default City
localityName_default = Yizhuang Economic Development Zone -----> locality (city or district)
[root@yinzhengjie ~]# more /etc/pki/tls/openssl.cnf | grep 0.organizationName_default
#0.organizationName_default = Default Company Ltd
0.organizationName_default = Chinese Academy of Medical Sciences ----> your organisation
[root@yinzhengjie ~]# more /etc/pki/tls/openssl.cnf | grep organizationalUnitName_default
#organizationalUnitName_default = World Wide Web Pty Ltd
organizationalUnitName_default = LinuxOperation ------> your department or team (the OU is an organisational unit, not a job title)
[root@yinzhengjie ~]#
[root@yinzhengjie CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [Yizhuang Economic Development Zone]:
Organization Name (eg, company) [Chinese Academy of Medical Sciences]:
Organizational Unit Name (eg, section) [LinuxOperation]:
Common Name (eg, your name or your server's hostname) []:ca.yinzhengjie.org.cn
Email Address []:caadmin@yinzhengjie.org.cn
[root@yinzhengjie CA]# ls
cacert.pem certs crl newcerts private
[root@yinzhengjie CA]# touch index.txt serial crlnumber ------> index.txt is the CA's database of issued certificates
[root@yinzhengjie CA]# echo 01 > serial ------> serial number of the next certificate; openssl ca refuses to run with an empty serial file
[root@yinzhengjie CA]# ls
cacert.pem certs crl crlnumber index.txt newcerts private serial
[root@yinzhengjie CA]#

crlnumber is created empty here; give it a starting value the same way (echo 01 > crlnumber) before generating a CRL with openssl ca -gencrl. Keep private/cakey.pem readable by root only: whoever holds it can issue certificates that every client trusting cacert.pem will accept.
Generate the web server's private key under /etc/httpd/conf/ssl. The umask 077 inside the subshell makes the key file 0600 from the moment it is written, without changing the umask of the interactive shell.

[root@yinzhengjie ~]# cd /etc/httpd/conf
[root@yinzhengjie conf]# mkdir ssl
[root@yinzhengjie conf]# cd ssl/
[root@yinzhengjie ssl]# (umask 077;openssl genrsa 1024 > http.key) ---- generate the server's private key
Generating RSA private key, 1024 bit long modulus
..........++++++
...++++++
e is 65537 (0x10001)
[root@yinzhengjie ssl]# ll
total 4
-rw-------. 1 root root 887 Oct 22 08:22 http.key
[root@yinzhengjie ssl]#

A 1024-bit RSA key is below today's minimum: browsers and public CAs reject it and NIST has disallowed it since 2013. Use openssl genrsa 2048 (or larger) for anything beyond a lab exercise.
Create the certificate signing request from that key. The Common Name is the host name clients will connect to, so it must match the ServerName of the SSL virtual host.

[root@yinzhengjie ssl]# openssl req -new -key http.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [Yizhuang Economic Development Zone]:
Organization Name (eg, company) [Chinese Academy of Medical Sciences]:
Organizational Unit Name (eg, section) [LinuxOperation]:
Common Name (eg, your name or your server's hostname) []:www.yinzhengjie.org.cn
Email Address []:webadmin@yinzhengjie.org.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ------> can be left empty; just press Enter
An optional company name []:
[root@yinzhengjie ssl]# ll
total 8
-rw-r--r--. 1 root root 814 Oct 22 08:27 httpd.csr
-rw-------. 1 root root 887 Oct 22 08:22 http.key
[root@yinzhengjie ssl]#

openssl req puts the host name only into the CN. Chrome (since version 58) and current Firefox ignore the CN and require the name in a subjectAltName extension, so a certificate issued from this CSR as-is passes openssl s_client but is rejected by those browsers unless the CA adds the SAN when signing.
Sign the request with the CA. openssl ca reads the CA section of /etc/pki/tls/openssl.cnf (dir = /etc/pki/CA), verifies the CSR's self-signature, shows what it is about to issue, and records the certificate in index.txt.

[root@yinzhengjie ssl]# openssl ca -in httpd.csr -out httpd.crt -----> have the CA sign the request and produce the certificate
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Oct 22 15:38:27 2017 GMT
Not After : Oct 22 15:38:27 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
organizationName = Chinese Academy of Medical Sciences
organizationalUnitName = LinuxOperation
commonName = www.yinzhengjie.org.cn
emailAddress = webadmin@yinzhengjie.org.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
34:91:A0:33:0C:2C:FB:16:64:9D:E8:D7:1D:B5:10:84:F7:E5:40:6A
X509v3 Authority Key Identifier:
keyid:3E:ED:2C:12:AF:F5:98:40:31:01:E7:8F:51:39:0B:24:4C:ED:41:4B

Certificate is to be certified until Oct 22 15:38:27 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@yinzhengjie ssl]# ll
total 16
-rw-r--r--. 1 root root 4203 Oct 22 08:38 httpd.crt
-rw-r--r--. 1 root root 822 Oct 22 08:37 httpd.csr
-rw-------. 1 root root 887 Oct 22 08:37 http.key
[root@yinzhengjie ssl]#

Things worth reading off this output: the localityName from the CSR is missing from the issued subject because the default policy_match section of openssl.cnf does not list it, and fields absent from the policy are silently dropped (that policy also requires C, ST and O to match the CA's own values). The serial is 2 although the serial file was seeded with 01, so this CA had already issued one certificate before this run; the key and CSR timestamps (08:37) are likewise later than in the previous listing, so they were regenerated first. The 365-day lifetime comes from default_days. httpd.crt is 4203 bytes because openssl ca prepends a human-readable dump to the PEM block; mod_ssl tolerates that, but -notext gives a clean PEM file.
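The whole CA, key, CSR and signing procedure above, as an added example that is not part of the original post: it reproduces the steps non-interactively in a throwaway directory with its own openssl.cnf instead of editing /etc/pki/tls/openssl.cnf, uses 2048-bit keys, and has the CA add the subjectAltName that modern clients demand. The host names are the post's; the SAN value, the 365-day lifetime and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: CA -> server key -> CSR -> signed
# certificate, non-interactively, with a private openssl.cnf in a temp dir.
set -e

make_test_pki() {
    root=$1                                  # working directory (created)
    ca="$root/CA"; out="$root/ssl"; cnf="$root/openssl.cnf"
    mkdir -p "$ca/private" "$ca/newcerts" "$out"
    : > "$ca/index.txt"                      # CA database, like `touch index.txt`
    echo 01 > "$ca/serial"                   # next serial, like `echo 01 > serial`

    # Minimal config: [req] so openssl req ignores the system config,
    # [ca] pointing at the directory above, explicit extension sections.
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = CA_default
[ CA_default ]
database = $ca/index.txt
new_certs_dir = $ca/newcerts
serial = $ca/serial
certificate = $ca/cacert.pem
private_key = $ca/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = server_cert
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.yinzhengjie.org.cn
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

    # 1. CA key (umask 077 -> 0600) and self-signed CA certificate with CA:TRUE
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048)
    openssl req -new -x509 -config "$cnf" -extensions v3_ca -days 3650 \
        -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
        -subj "/C=CN/ST=BeiJing/O=Chinese Academy of Medical Sciences/OU=LinuxOperation/CN=ca.yinzhengjie.org.cn"

    # 2. Server key and CSR; the CN is the name clients connect to
    (umask 077; openssl genrsa -out "$out/http.key" 2048)
    openssl req -new -config "$cnf" -key "$out/http.key" -out "$out/httpd.csr" \
        -subj "/C=CN/ST=BeiJing/O=Chinese Academy of Medical Sciences/OU=LinuxOperation/CN=www.yinzhengjie.org.cn"

    # 3. Sign through the CA database: -batch answers the two y/n prompts,
    #    -notext keeps the text dump out of httpd.crt. serial becomes 02 and
    #    index.txt gains one "V" (valid) line.
    openssl ca -batch -config "$cnf" -notext -in "$out/httpd.csr" -out "$out/httpd.crt"

    # 4. Verify the chain the way a client would (prints "<file>: OK")
    openssl verify -CAfile "$ca/cacert.pem" "$out/httpd.crt"
}

# Run as: sh this.sh /tmp/pki-test
if [ $# -gt 0 ]; then
    make_test_pki "$1"
    openssl x509 -in "$1/ssl/httpd.crt" -noout -subject -issuer -dates
fi
```

The resulting ssl/httpd.crt and ssl/http.key drop straight into SSLCertificateFile and SSLCertificateKeyFile; clients trust it after importing CA/cacert.pem as a root.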
httpd speaks TLS only through mod_ssl, which is a separate package on CentOS. Check whether it is present, install it, and see what it drops in place:

[root@yinzhengjie ssl]# grep mod_ssl /etc/httpd/conf/httpd.conf ----> check whether mod_ssl is already configured
# (e.g. :80) if mod_ssl is being used, due to the nature of the
[root@yinzhengjie ssl]# grep mod_ssl /etc/httpd/conf.d/*.conf -----> check the drop-in directory as well
[root@yinzhengjie ssl]# yum -y install mod_ssl -----> install mod_ssl
[root@yinzhengjie ssl]# rpm -ql mod_ssl ------> files installed by mod_ssl
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
[root@yinzhengjie ssl]#
The package ships /etc/httpd/conf.d/ssl.conf with a ready-made <VirtualHost _default_:443>; only a few directives need to be pointed at the files just created.

[root@yinzhengjie ssl]# more /etc/httpd/conf.d/ssl.conf | grep DocumentRoot
DocumentRoot "/var/www/html" ----> document root of the site
[root@yinzhengjie ssl]# more /etc/httpd/conf.d/ssl.conf | grep ServerName
ServerName www.yinzhengjie.org.cn:443 ------> host name; must match the certificate's CN (and SAN)
[root@yinzhengjie ssl]# more /etc/httpd/conf.d/ssl.conf | grep ErrorLog
ErrorLog logs/ssl_error_log -------> error log path
[root@yinzhengjie ssl]# more /etc/httpd/conf.d/ssl.conf | grep TransferLog
TransferLog logs/ssl_access_log -------> access log path. TransferLog takes only a file name and uses the most recently defined LogFormat, which is why it looks different from the CustomLog line in httpd.conf; it has nothing to do with HTTPS being a "binary" protocol
[root@yinzhengjie ssl]# more /etc/httpd/conf.d/ssl.conf | grep LogLevel | grep -v ^#
LogLevel warn ---------> log level
[root@yinzhengjie ssl]# more /etc/httpd/conf.d/ssl.conf | grep SSLEngine
SSLEngine on ---------> enable TLS for this virtual host
[root@yinzhengjie ssl]# more /etc/httpd/conf.d/ssl.conf | grep SSLProtocol
SSLProtocol all -SSLv2 ----------> every version the linked OpenSSL supports except SSLv2, so SSLv3 and TLSv1.0/1.1/1.2 remain enabled. SSLv3 is broken (POODLE); use at least "all -SSLv2 -SSLv3"
[root@yinzhengjie ssl]# more /etc/httpd/conf.d/ssl.conf | grep SSLCipherSuite
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES ------> OpenSSL cipher list. "!" removes the matching suites permanently; "+" adds nothing, it moves the matching suites to the end of the list (lowest preference), so +3DES only demotes 3DES
[root@yinzhengjie ssl]# more /etc/httpd/conf.d/ssl.conf | grep SSLCertificateFile | grep -v ^#
SSLCertificateFile /etc/httpd/conf/ssl/httpd.crt ------> the server certificate signed above
[root@yinzhengjie ssl]# more /etc/httpd/conf.d/ssl.conf | grep SSLCertificateKeyFile
SSLCertificateKeyFile /etc/httpd/conf/ssl/http.key -------> the server's private key
[root@yinzhengjie ssl]# httpd -t ----------> syntax check
httpd: apr_sockaddr_info_get() failed for yinzhengjie
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
Syntax OK --------> the configuration parses. The two lines above are a warning, not an error: the global ServerName in httpd.conf is unset and the host name "yinzhengjie" does not resolve; set ServerName there (or add the host to /etc/hosts) to silence it
[root@yinzhengjie ssl]# service httpd restart -------> restart the web service
Stopping httpd: [ OK ]
Starting httpd: httpd: apr_sockaddr_info_get() failed for yinzhengjie
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
[root@yinzhengjie ssl]# ss -tnl | grep 443 -------> confirm port 443 is listening
LISTEN 0 128 :::443 :::*
[root@yinzhengjie ssl]#
[root@yinzhengjie ~]# openssl s_client -connect www.yinzhengjie.org.cn:443 -CAfile /etc/pki/CA/cacert.pem -------> test from the command line; the name must resolve to this host, and the handshake only counts as a pass when the output ends with "Verify return code: 0 (ok)". A browser works too once cacert.pem has been imported as a trusted root
[root@yinzhengjie ~]#
CentOS also ships a Makefile in /etc/pki/tls/certs for quick key and certificate generation. make <name>.key produces an AES-128-encrypted 2048-bit key and insists on a passphrase:

[root@yinzhengjie certs]# pwd
/etc/pki/tls/certs
[root@yinzhengjie certs]# make yinzhengjie.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > yinzhengjie.key
Generating RSA private key, 2048 bit long modulus
........................+++
.......................................................................................+++
e is 65537 (0x10001)
Enter pass phrase: ------> a passphrase is mandatory here; it cannot be empty
Verifying - Enter pass phrase: ------> repeat it
[root@yinzhengjie certs]# ll
total 1772
-rw-r--r--. 1 root root 786601 Jul 14 2014 ca-bundle.crt
-rw-r--r--. 1 root root 1005005 Jul 14 2014 ca-bundle.trust.crt
-rwxr-xr-x. 1 root root 610 Oct 15 2014 make-dummy-cert
-rw-r--r--. 1 root root 2242 Oct 15 2014 Makefile
-rwxr-xr-x. 1 root root 829 Oct 15 2014 renew-dummy-cert
-rw-------. 1 root root 1766 Oct 22 07:02 yinzhengjie.key
[root@yinzhengjie certs]#

An encrypted key is safer at rest, but mod_ssl then has to ask for the passphrase on every start (SSLPassPhraseDialog builtin in ssl.conf), which breaks unattended reboots. Either accept the prompt, point SSLPassPhraseDialog at a program that supplies the passphrase, or strip it with openssl rsa -in yinzhengjie.key -out yinzhengjie.key and rely on the 0600 file mode.
make <name>.pem goes one step further: a fresh unencrypted 2048-bit key (-nodes) and a self-signed certificate (-x509, 365 days, serial 0) concatenated into one file:

[root@yinzhengjie certs]# make yinzhengjie.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > yinzhengjie.pem ; \
echo "" >> yinzhengjie.pem ; \
cat $PEM2 >> yinzhengjie.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
..+++
......................................................................+++
writing new private key to '/tmp/openssl.Ra7W2f'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: -------> just press Enter through every prompt; this is only a test
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@yinzhengjie certs]#

Because key and certificate share the file, SSLCertificateFile can point at yinzhengjie.pem on its own (SSLCertificateKeyFile is only needed when the key lives elsewhere). It is self-signed, so no client trusts it until an exception is added; use it for lab setups, not as a replacement for the CA-signed httpd.crt above.
Finally the server-status page provided by mod_status. Reference configuration:

<Location /server-status>
SetHandler server-status
AuthType Basic
AuthName "Server Status"
AuthUserFile /etc/httpd/conf/.ApachePassword
Require valid-user
Order deny,allow
Allow from all
</Location>

Create the password file with htpasswd -c /etc/httpd/conf/.ApachePassword <user>. As written, Order deny,allow with Allow from all lets every address reach the page and only the Basic password stands in the way; if this Location sits in the plain-HTTP host, that password crosses the network in clear text, and the page itself discloses client IPs, requested URLs and worker state. Put it in the HTTPS virtual host and add a Deny from all / Allow from <management network> pair so the password is a second gate rather than the only one.
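The ssl.conf directives reviewed above and the status-page Location, side by side with a hardened form, as an added example that is not part of the original post. It uses the httpd 2.2 syntax of this walkthrough; the certificate paths and host name are the post's, while the 10.0.0.0/8 management range and ExtendedStatus are assumptions.

```apache
# Added example (not from the original post): shipped settings vs. hardened form.

# --- as shipped in ssl.conf (weak) ---
#SSLProtocol all -SSLv2
#SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES

# --- hardened ---
# ExtendedStatus is server-config only, so it lives outside the VirtualHost
<IfModule mod_status.c>
    ExtendedStatus On
</IfModule>

<VirtualHost _default_:443>
    ServerName www.yinzhengjie.org.cn:443
    DocumentRoot "/var/www/html"
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log

    SSLEngine on
    # TLS only: SSLv3 goes the way of SSLv2 (POODLE). On httpd 2.4 with a
    # current OpenSSL you can whitelist instead: SSLProtocol -all +TLSv1.2
    SSLProtocol all -SSLv2 -SSLv3
    # Forward-secret AEAD suites first; "!" removes, "+" would only demote
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK
    # Let the server's preference order win over the client's
    SSLHonorCipherOrder on
    SSLCertificateFile    /etc/httpd/conf/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl/http.key

    # Status page inside the TLS host so Basic credentials never travel in clear
    <IfModule mod_status.c>
        <Location /server-status>
            SetHandler server-status
            # First gate: source address (assumed management range)
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1 10.0.0.0/8
            # Second gate: a user from the htpasswd file; Satisfy All means both
            AuthType Basic
            AuthName "Server Status"
            AuthUserFile /etc/httpd/conf/.ApachePassword
            Require valid-user
            Satisfy All
        </Location>
    </IfModule>
</VirtualHost>
```

Run httpd -t after editing, then openssl s_client -connect www.yinzhengjie.org.cn:443 -ssl3 should fail to handshake while a plain connection still reports "Verify return code: 0 (ok)" with the CA file. On httpd 2.4 replace the Order/Deny/Allow/Satisfy lines with a <RequireAll> block containing Require ip 127.0.0.1 10.0.0.0/8 and Require valid-user.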