2025-01-15 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >
Shulou(Shulou.com)06/03 Report--
Environmental preparation
Experimental environment:

  Host IP         Description
  192.168.5.181   CentOS7, httpd 2.4 installed
  192.168.5.121   CentOS6, httpd 2.2 installed, MySQL database installed
  192.168.5.180   Linux test client, curl installed
  192.168.5.190   Linux test client, curl installed
  192.168.5.182   CA (certification authority)
First clear the firewall rules on the two httpd hosts, disable SELinux, and then install httpd with yum. In the default Base repository, CentOS6 ships httpd 2.2 and CentOS7 ships httpd 2.4.
$ iptables -t filter -F
$ setenforce 0
$ yum install httpd

View the httpd version on CentOS7:
$ yum info httpd | grep -i version
Version: 2.4.6

View the httpd version on CentOS6:
$ yum info httpd | grep -i version
Version: 2.2.15

Experiment 1: virtual host based on host name
CentOS6, httpd2.2 environment
Add a new configuration file virtualhost.conf under the /etc/httpd/conf.d/ directory with the contents shown below. Add the NameVirtualHost directive (NameVirtualHost 192.168.5.121:80) to declare that this address and port serve FQDN-based virtual hosts, then add two VirtualHost sections using www1.stuX.com and www2.stuX.com as ServerName respectively.
Customize the logging function for the two virtual hosts respectively:
The access log of www1.stuX.com is /web/vhosts/www1/access_log
The error log of www1.stuX.com is /web/vhosts/www1/error_log
The access log of www2.stuX.com is /web/vhosts/www2/access_log
The error log of www2.stuX.com is /web/vhosts/www2/error_log
Then restart the httpd service:
$ cat /etc/httpd/conf.d/virtualhost.conf
NameVirtualHost 192.168.5.121:80

<VirtualHost 192.168.5.121:80>
    ServerName www1.stuX.com
    DocumentRoot "/web/vhosts/www1"
    LogFormat "%h %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\"" custom1
    CustomLog /web/vhosts/www1/access_log custom1
    ErrorLog /web/vhosts/www1/error_log
    <Directory "/web/vhosts/www1">
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost 192.168.5.121:80>
    ServerName www2.stuX.com
    DocumentRoot "/web/vhosts/www2"
    LogFormat "%h %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\"" custom2
    CustomLog /web/vhosts/www2/access_log custom2
    ErrorLog /web/vhosts/www2/error_log
    <Directory "/web/vhosts/www2">
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

$ service httpd start
Create the / web/vhosts/www1 and / web/vhosts/www2 directories and add a simple test page to the directory:
$ mkdir -p /web/vhosts/www{1,2}
$ echo "This is www1.stuX.com" > /web/vhosts/www1/index.html
$ echo "This is www2.stuX.com" > /web/vhosts/www2/index.html
CentOS7, httpd2.4 environment
Also add a new configuration file, virtualhost.conf, under the /etc/httpd/conf.d directory. Unlike CentOS6, the NameVirtualHost directive is omitted (httpd 2.4 no longer needs it), and the access-control syntax has changed. Use www3.stuX.com and www4.stuX.com as the host names.
Define the logging function:
The access log of www3.stuX.com is /web/vhosts/www3/access_log
The error log of www3.stuX.com is /web/vhosts/www3/error_log
The access log of www4.stuX.com is /web/vhosts/www4/access_log
The error log of www4.stuX.com is /web/vhosts/www4/error_log
Restart httpd.service after that
<VirtualHost 192.168.5.181:80>
    ServerName www3.stuX.com
    DocumentRoot "/web/vhosts/www3"
    LogFormat "%h %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\"" custom3
    CustomLog /web/vhosts/www3/access_log custom3
    ErrorLog /web/vhosts/www3/error_log
    <Directory "/web/vhosts/www3">
        Options None
        AllowOverride None
        <RequireAll>
            Require all granted
            Require not ip 192.168.5.190
        </RequireAll>
    </Directory>
</VirtualHost>

<VirtualHost 192.168.5.181:80>
    ServerName www4.stuX.com
    DocumentRoot "/web/vhosts/www4"
    LogFormat "%h %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\"" custom4
    CustomLog /web/vhosts/www4/access_log custom4
    ErrorLog /web/vhosts/www4/error_log
    <Directory "/web/vhosts/www4">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
Create the / web/vhosts/www3 and / web/vhosts/www4 directories and add a simple test page to the directory:
$ mkdir -p /web/vhosts/www{3,4}
$ echo "This is www3.stuX.com" > /web/vhosts/www3/index.html
$ echo "This is www4.stuX.com" > /web/vhosts/www4/index.html
Client test
On the client, configure the /etc/hosts file so that the host names resolve:
root@alternative:~# cat /etc/hosts | grep -i www
192.168.5.121 www1.stuX.com www2.stuX.com
192.168.5.181 www3.stuX.com www4.stuX.com
Through the client test, you can see that the results are as follows, and the virtual host configuration based on the hostname is completed:
root@alternative:~# curl http://www1.stuX.com
This is www1.stuX.com
root@alternative:~# curl http://www2.stuX.com
This is www2.stuX.com
root@alternative:~# curl http://www3.stuX.com
This is www3.stuX.com
root@alternative:~# curl http://www4.stuX.com
This is www4.stuX.com

Disguise the client User-Agent and the Referer (jump) address:
root@alternative:~# curl -A "curl test" -e "http://www.baidu.com" http://www1.stuX.com
This is www1.stuX.com
root@alternative:~# curl -A "curl test2" -e "http://www.sina.com" http://www2.stuX.com
This is www2.stuX.com
root@alternative:~# curl -A "curl test3" -e "http://www.sohu.com" http://www3.stuX.com
This is www3.stuX.com
root@alternative:~# curl -A "curl test4" -e "http://www.163.com" http://www4.stuX.com
This is www4.stuX.com

Make some incorrect requests to check whether error_log works:
root@alternative:~# curl http://www1.stuX.com/123
404 Not Found
Not Found
The requested URL /123 was not found on this server.
Apache/2.2.15 (CentOS) Server at www1.stux.com Port 80
root@alternative:~# curl http://www2.stuX.com/456
404 Not Found
Not Found
The requested URL /456 was not found on this server.
Apache/2.2.15 (CentOS) Server at www2.stux.com Port 80
root@alternative:~# curl http://www3.stuX.com/789
404 Not Found
Not Found
The requested URL /789 was not found on this server.
root@alternative:~# curl http://www4.stuX.com/000
404 Not Found
Not Found
The requested URL /000 was not found on this server.
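The custom LogFormat used by the four virtual hosts above ("%h %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\"") has no identd field and no byte count, so the stock "combined" log parsers do not match it. The following Python parser is an added example, not part of the original article: it parses lines in exactly that format, tolerates malformed lines, and summarises which clients received 401/403 responses, which is the first thing to look at when checking whether the access control of the later experiments is working. The sample log lines are constructed for this example (client addresses and paths mirror the lab, the timestamps and curl version strings are invented).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Regex for the vhost LogFormat used in this lab:
#   "%h %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\""
# Unlike the stock "combined" format there is no %l (identd) and no %b (bytes).
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not copied from the page) in the format above.
SAMPLE_LOG = """\
192.168.5.180 - [04/Jun/2017:19:10:01 +0800] "GET / HTTP/1.1" 200 "http://www.baidu.com" "curl test"
192.168.5.180 - [04/Jun/2017:19:10:05 +0800] "GET /123 HTTP/1.1" 404 "-" "curl/7.47.0"
192.168.5.180 - [04/Jun/2017:19:12:07 +0800] "GET /index.html HTTP/1.1" 403 "-" "curl/7.47.0"
192.168.5.180 - [04/Jun/2017:19:12:09 +0800] "GET /status HTTP/1.1" 401 "-" "curl/7.47.0"
192.168.5.190 admin [04/Jun/2017:19:13:30 +0800] "GET /status HTTP/1.1" 200 "-" "Mozilla/5.0"
this line is not in the expected format
"""


def parse_line(line):
    """Parse one access_log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # %t looks like 04/Jun/2017:19:10:01 +0800
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def summarize(text):
    """Count responses per status and list every 401/403 per client address."""
    lines = [l for l in text.splitlines() if l]
    records = [r for r in (parse_line(l) for l in lines) if r]
    by_status = Counter(r["status"] for r in records)
    denied = defaultdict(list)
    for r in records:
        if r["status"] in (401, 403):
            denied[r["host"]].append((r["status"], r["path"]))
    return {
        "records": len(records),
        "unparsed": len(lines) - len(records),
        "by_status": dict(by_status),
        "denied": dict(denied),
    }


if __name__ == "__main__":
    for host, hits in summarize(SAMPLE_LOG)["denied"].items():
        print(host, hits)
```

Run it against a real access_log with `summarize(open("/web/vhosts/www1/access_log").read())`; a client that keeps collecting 401s on /status is either the authentication backend being down (experiment 2) or a password-guessing attempt, and both deserve a look at error_log.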
Check the access log and error log:
$ tail -f /web/vhosts/www{1,2}/{access,error}_log
==> /web/vhosts/www1/access_log <==
==> /web/vhosts/www1/error_log <==
==> /web/vhosts/www2/access_log <==
==> /web/vhosts/www2/error_log <==

Experiment 2: user authentication against a MySQL database

The account data used for authentication is kept in the http_auth database on 192.168.5.121:

mysql> use http_auth;
Database changed
mysql> show tables;
+---------------------+
| Tables_in_http_auth |
+---------------------+
| mysql_auth          |
+---------------------+
1 row in set (0.00 sec)

mysql> desc mysql_auth;
+-------------+----------+------+-----+---------+-------+
| Field       | Type     | Null | Key | Default | Extra |
+-------------+----------+------+-----+---------+-------+
| user_name   | char(30) | NO   | PRI | NULL    |       |
| user_passwd | tinyblob | YES  |     | NULL    |       |
| user_group  | char(25) | YES  |     | NULL    |       |
| salt        | tinyblob | YES  |     | NULL    |       |
+-------------+----------+------+-----+---------+-------+
4 rows in set (0.01 sec)

mysql> select * from mysql_auth;
+-----------+-------------+------------+-------+
| user_name | user_passwd | user_group | salt  |
+-----------+-------------+------------+-------+
| admin     | <binary>    | admin      | hello |
| root      | <binary>    | admin      | root  |
+-----------+-------------+------------+-------+
2 rows in set (0.00 sec)

(user_passwd holds AES ciphertext, which the terminal cannot display.)
Note: make sure that MySQL allows remote access for the account httpd will use. Here the root@'%' account is granted access to the database:
grant all privileges on *.* to root@'%' identified by 'root' with grant option;
CentOS6, httpd2.2 environment
Load the mod_auth_mysql.so module. Make sure the module exists on the operating system and that a copy is present in /etc/httpd/modules, so that it can be referenced by a path relative to ServerRoot. Add the following line to the main configuration file /etc/httpd/conf/httpd.conf:
LoadModule mysql_auth_module modules/mod_auth_mysql.so
Based on the virtualhost.conf file of experiment 1, add a Location section that enables the status page, protects it with user-based Basic authentication, and adds access control, as shown below:
Note: for the configuration instructions of mod_auth_mysql.so, please refer to the documentation of this module for details.
Note: the AuthBasicAuthoritative directive is particularly important here because a third-party authentication module is used. If it is not set to Off, the built-in Basic provider stays authoritative, the request is never passed on to mod_auth_mysql, and authentication fails.
<Location /status>
    SetHandler server-status
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthBasicAuthoritative Off
    AuthName "auth login"
    AuthMySQLHost 192.168.5.121
    AuthMySQLPort 3306
    AuthMySQLUser root
    AuthMySQLPassword shroot
    AuthMySQLDB http_auth
    AuthMySQLUserTable mysql_auth
    AuthMySQLNameField user_name
    AuthMySQLPasswordField user_passwd
    AuthMySQLEnable on
    AuthMySQLPwEncryption aes
    AuthMySQLSaltField salt
    Require valid-user
</Location>
Once configured, restart the httpd service with the service httpd restart command.
CentOS7, httpd2.4 environment
You also need to load mod_auth_mysql.so here. Make sure the module exists on the operating system and that a copy is present in /etc/httpd/modules, so that it can be referenced by a path relative to ServerRoot.
Module loading in httpd 2.4 is configured differently from httpd 2.2 above: modules are loaded from separate files under the /etc/httpd/conf.modules.d directory. Create a configuration file there named 10-mysql.conf and add this line to it:
LoadModule mysql_auth_module modules/mod_auth_mysql.so
Based on the virtualhost.conf file of experiment 1, add a Location section that enables the status page, protects it with user-based Basic authentication, and adds access control, as shown below:
Note: for the configuration instructions of mod_auth_mysql.so, please refer to the documentation of this module for details.
Note: the AuthBasicAuthoritative directive is particularly important here because a third-party authentication module is used. If it is not set to Off, the built-in Basic provider stays authoritative, the request is never passed on to mod_auth_mysql, and authentication fails.
Note: in httpd 2.4, authentication may fail if AuthUserFile is not defined explicitly. Because the credentials come from MySQL, it is enough to point the file-based provider at /dev/null.
<Location /status>
    SetHandler server-status
    AuthType Basic
    AuthBasicAuthoritative Off
    AuthName "auth login"
    AuthUserFile /dev/null
    AuthMySQLHost 192.168.5.121
    AuthMySQLPort 3306
    AuthMySQLUser root
    AuthMySQLPassword root
    AuthMySQLDB http_auth
    AuthMySQLUserTable mysql_auth
    AuthMySQLNameField user_name
    AuthMySQLPasswordField user_passwd
    AuthMySQLEnable on
    AuthMySQLPwEncryption aes
    AuthMySQLSaltField salt
    Require valid-user
</Location>
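What the two Location sections above set up is an HTTP Basic authentication exchange whose password check is delegated to a database, and the client tests further down show the property that matters most for such a setup: when the MySQL backend is unreachable the server answers 401, it does not let the request through. The following Python model is an added example written for this article, not code from httpd or mod_auth_mysql. It decodes the Authorization header, looks the user up in a constructed stand-in for the mysql_auth table (a salted SHA-256 replaces the AES-with-salt scheme the lab uses; the user names and the lab's admin/admin and root/root passwords are kept only so the results line up with the tests on this page), compares in constant time, and fails closed when the backend is down.

```python
import base64
import hashlib
import hmac


class BackendUnavailable(Exception):
    """Stands in for mod_auth_mysql's 'Can't connect to MySQL server' condition."""


def _hash(password, salt):
    """Salted hash standing in for the AES ciphertext stored in user_passwd."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# Constructed stand-in for the mysql_auth table: user_name -> (user_passwd, salt).
USER_TABLE = {
    "admin": (_hash("admin", b"hello"), b"hello"),
    "root": (_hash("root", b"root"), b"root"),
}


def lookup_user(name, backend_up=True, table=USER_TABLE):
    """Return (stored_hash, salt) or None; raise if the 'database' is down."""
    if not backend_up:
        raise BackendUnavailable("Can't connect to MySQL server")
    return table.get(name)


def basic_header(user, password):
    """Build the header curl -u user:password sends."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def check_basic_auth(headers, backend_up=True, realm="auth login"):
    """Decide a request to the protected /status location.

    Returns (status, response_headers): 200 on success, otherwise 401 with
    the WWW-Authenticate challenge that makes a browser pop up the login box.
    """
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % realm}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return 401, challenge
    try:
        creds = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return 401, challenge
    user, sep, password = creds.partition(":")
    if not sep:  # "curl -u 123" style: no password at all
        return 401, challenge
    try:
        row = lookup_user(user, backend_up=backend_up)
    except BackendUnavailable:
        # Fail closed: a backend outage yields 401, never an accidental bypass.
        return 401, challenge
    if row is None:
        return 401, challenge
    stored, salt = row
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return 401, challenge
    return 200, {}


if __name__ == "__main__":
    print(check_basic_auth(basic_header("admin", "admin")))
    print(check_basic_auth(basic_header("admin", "admin"), backend_up=False))
```

The unknown-user and wrong-password paths both return the same 401 and both cost one hash computation, so the response does not reveal which user names exist; the AuthMySQLPassword values in the Location sections above are also a reminder that the database credentials end up in plain text in httpd.conf, which should therefore be readable only by root.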
Client test
Since the page under test is the server-status monitoring page, the Firefox GUI is used for verification:
Type http://www1.stuX.com/status on the browser interface, pop up the authentication dialog box, and enter the admin user name and password, as shown in the following figure:
You can find that the login was successful, and the status page observed is as follows:
http://www3.stuX.com/status is tested in the same way and the login succeeds; the result is as follows:
Let's test the database shutdown and authentication errors with the curl command line tool.
Simulate some authentication errors and deliberately enter the wrong user name and password. The test results are as follows:
root@alternative:~# curl -u admin:123 http://www1.stuX.com/status
401 Authorization Required
Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
Apache/2.2.15 (CentOS) Server at www1.stux.com Port 80
root@alternative:~# curl -u 123 http://www3.stuX.com/status
401 Unauthorized
Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
Stop the MySQL database on 192.168.5.121 and test authentication again; it now fails:
$ service mysqld stop
root@alternative:~# curl -u admin:admin http://www3.stuX.com/status
401 Unauthorized
Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
Related error log file output:
[Sun Jun 04 19:23:22 2017] [error] [pid 16685] mod_auth_mysql.c: [client 192.168.5.180:55679] MySQL ERROR: Can't connect to MySQL server on '192.168.5.121'

Experiment 3: simple ACL control based on IP
Configure simple authentication rules based on IP to:
192.168.5.180 this client cannot access www1.stuX.com
192.168.5.190 this client cannot access www3.stuX.com
CentOS6, httpd2.2 environment
Based on the virtualhost.conf configuration file of experiment 2, add a Deny from line to the Directory section of www1.stuX.com, as follows:
<Directory "/web/vhosts/www1">
    Order allow,deny
    Allow from all
    Deny from 192.168.5.180/32
</Directory>
Restart the httpd service: service httpd restart
Under the CentOS7 httpd2.4 environment
Based on the virtualhost.conf configuration file of experiment 2, add RequireAll tags to the Directory section of www3.stuX.com and configure the IP access rule inside them, as shown below:
<Directory "/web/vhosts/www3">
    Options None
    AllowOverride None
    <RequireAll>
        Require all granted
        Require not ip 192.168.5.190
    </RequireAll>
</Directory>
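The two rule sets above look similar but follow different evaluation models: httpd 2.2 evaluates Allow and Deny in the sequence given by Order, with the default verdict depending on that sequence, while httpd 2.4 treats a RequireAll block as a conjunction in which a negated Require fails the whole block when it matches. The Python evaluator below is an added example for this article (not code from httpd) that models both so the effect of a rule can be checked before restarting the server; it handles "all", single addresses and CIDR networks, and deliberately does not model Apache's partial-prefix forms such as "192.168.5".

```python
import ipaddress


def _matches(client, pattern):
    """Does the client address match an Allow/Deny/Require ip argument?"""
    if pattern == "all":
        return True
    ip = ipaddress.ip_address(client)
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)


def allowed_22(order, allow_from, deny_from, client):
    """httpd 2.2 mod_authz_host semantics for Order allow,deny / deny,allow."""
    allowed = any(_matches(client, p) for p in allow_from)
    denied = any(_matches(client, p) for p in deny_from)
    if order == "allow,deny":
        # Allow is evaluated first, then Deny overrides; the default is deny.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is evaluated first, then Allow overrides; the default is allow.
        return allowed or not denied
    raise ValueError("unknown Order: %s" % order)


def allowed_24_require_all(requires, client):
    """httpd 2.4 <RequireAll>: every Require must succeed.

    'Require not ip X' fails the block when the client matches X and is
    neutral otherwise; 'Require all granted' always succeeds.
    """
    for req in requires:
        words = req.split()
        negate = words[0] == "not"
        if negate:
            words = words[1:]
        kind, args = words[0], words[1:]
        if kind == "all":
            result = args == ["granted"]
        elif kind == "ip":
            result = any(_matches(client, a) for a in args)
        else:
            raise ValueError("unsupported Require: %s" % req)
        if negate:
            result = not result
        if not result:
            return False
    return True


# The two rule sets from this experiment.
WWW1_RULES = ("allow,deny", ["all"], ["192.168.5.180/32"])
WWW3_RULES = ["all granted", "not ip 192.168.5.190"]

if __name__ == "__main__":
    for client in ("192.168.5.180", "192.168.5.190"):
        print(client, "www1:", allowed_22(*WWW1_RULES, client),
              "www3:", allowed_24_require_all(WWW3_RULES, client))
```

The deny,allow case in the tests is the classic 2.2 pitfall: with Order deny,allow, a trailing Allow from all overrides every Deny and the blocked client gets in, which is why the lab's Order allow,deny is the correct choice for "allow everyone except".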
Client test
Using curl from the 192.168.5.180 machine, access to www1.stuX.com fails with a 403 Forbidden error, which shows that the access control is in effect, while www3.stuX.com can be accessed normally:
root@alternative:~# curl http://www1.stuX.com/index.html
403 Forbidden
Forbidden
You don't have permission to access /index.html on this server.
Apache/2.2.15 (CentOS) Server at www1.stux.com Port 80
root@alternative:~# curl http://www3.stuX.com/index.html
This is www3.stuX.com
Using curl from the 192.168.5.190 machine, access to www3.stuX.com fails with a 403 Forbidden error, which shows that the access control is in effect, while www1.stuX.com can be accessed normally:
root@ubuntu-node1:~# curl http://www3.stuX.com/index.html
403 Forbidden
Forbidden
You don't have permission to access /index.html on this server.
root@ubuntu-node1:~# curl http://www1.stuX.com/index.html
This is www1.stuX.com

Experiment 4: HTTPS service based on virtual host
Set up https services for www2.stuX.com and www4.stuX.com, respectively, and choose 192.168.5.182 as the CA.
First of all, the clocks of the httpd2.2 server, the httpd2.4 server, the CA server and the client need to be synchronized. If they are not, the time on the httpd server or the client may lie before the "Not Before" date of the CA root certificate, and certificate verification fails. Use the ntpdate command or the ntpd service for time synchronization; for details see the Linux ntp service and its configuration.
CA generates root certificate
First, generate the private key:
$ cd /etc/pki/CA
$ (umask 077; openssl genrsa -out private/cakey.pem 2048)
$ ls -al private/
total 4
drwx------. 2 root root   22 Jun  4 20:16 .
drwxr-xr-x. 6 root root   57 Mar 20 06:43 ..
-rw-------  1 root root 1675 Jun  4 20:16 cakey.pem
Then generate a self-signed certificate from the private key:
$ openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:caexec
Common Name (eg, your name or your server's hostname) []:ca.caexec.com
Email Address []:
$ touch index.txt serial
$ echo 01 > serial
$ ls /etc/pki/CA
cacert.pem  certs  crl  index.txt  newcerts  private  serial
The httpd2.2 server generates a certificate request and signs it to CA
First generate the private key
$ mkdir /web/vhosts/www2/ssl
$ cd /web/vhosts/www2/ssl/
$ (umask 077; openssl genrsa -out www2.key 2048)
Generate a certificate request based on the private key
$ openssl req -new -key www2.key -out www2.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www2.stuX.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Send the certificate request to the CA server, sign it by CA, and return it to the httpd2.2 server after signing it.
$ openssl ca -in www2.csr -out www2.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  4 14:23:12 2017 GMT
            Not After : Jun  4 14:23:12 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = CA
            organizationalUnitName    = ops
            commonName                = www2.stuX.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                99:13:92:93:B4:64:FF:15:70:6A:FF:6A:E0:C1:AA:E9:C1:28:13:47
            X509v3 Authority Key Identifier:
                keyid:D0:3B:30:3D:AF:76:F3:47:7D:83:FA:F1:19:F9:1D:29:11:9C:42:E1

Certificate is to be certified until Jun  4 14:23:12 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Make sure the mod_ssl module is installed on the httpd2.2 server, and if not, install it with yum install mod_ssl, or compile it.
$ httpd -M | grep ssl
 ssl_module (shared)
Syntax OK
Create a test page ssl.html
$ echo "This is ssl page for www2.stuX.com." > /web/vhosts/www2/ssl.html
Add a new VirtualHost on port 443 to the existing virtualhost.conf file to provide the https service, pointing it at the server's private key and the certificate issued by the CA. After configuration, restart the httpd service with service httpd restart:
<VirtualHost 192.168.5.121:443>
    ServerName www2.stuX.com
    DocumentRoot "/web/vhosts/www2"
    DirectoryIndex ssl.html
    ErrorLog /web/vhosts/www2/ssl_error_log
    LogLevel info
    TransferLog /web/vhosts/www2/ssl_access_log
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite default
    SSLCertificateFile /web/vhosts/www2/ssl/www2.crt
    SSLCertificateKeyFile /web/vhosts/www2/ssl/www2.key
    <Directory "/web/vhosts/www2">
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
The httpd2.4 server generates a certificate request and signs it to CA
Generate a private key
$ mkdir /web/vhosts/www4/ssl
$ cd /web/vhosts/www4/ssl/
$ (umask 077; openssl genrsa -out www4.key 2048)
Generate a certificate request based on the private key
$ openssl req -new -key www4.key -out www4.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www4.stuX.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Send the certificate request to the CA server, have the CA sign it, and return the signed certificate to the httpd2.4 server.
$ openssl ca -in www4.csr -out www4.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jun  4 16:14:45 2017 GMT
            Not After : Jun  4 16:14:45 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = CA
            organizationalUnitName    = ops
            commonName                = www4.stuX.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                DE:84:D5:8C:11:7F:F8:C4:F4:26:49:A3:C2:0E:1A:07:62:00:06:8F
            X509v3 Authority Key Identifier:
                keyid:D0:3B:30:3D:AF:76:F3:47:7D:83:FA:F1:19:F9:1D:29:11:9C:42:E1

Certificate is to be certified until Jun  4 16:14:45 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Make sure the mod_ssl module is installed on the httpd2.4 server, and if not, install it with yum install mod_ssl, or compile it.
$ httpd -M | grep ssl
 ssl_module (shared)
Create a test page ssl.html
$ echo "This is ssl page for www4.stuX.com." > /web/vhosts/www4/ssl.html
Add a new VirtualHost on port 443 to the existing virtualhost.conf file to provide the https service, pointing it at the server's private key and the certificate issued by the CA. After configuration, restart the httpd service with systemctl restart httpd.service:
<VirtualHost 192.168.5.181:443>
    ServerName www4.stuX.com
    DocumentRoot "/web/vhosts/www4"
    DirectoryIndex ssl.html
    ErrorLog /web/vhosts/www4/ssl_error_log
    LogLevel info
    TransferLog /web/vhosts/www4/ssl_access_log
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite default
    SSLCertificateFile /web/vhosts/www4/ssl/www4.crt
    SSLCertificateKeyFile /web/vhosts/www4/ssl/www4.key
    <Directory "/web/vhosts/www4">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
Client test
Copy the self-signed certificate of the CA server to the client, test it with the curl tool, and access the https service pages of the httpd2.2 server and the httpd2.4 server respectively:
root@alternative:~# curl --cacert cacert.pem https://www2.stuX.com
This is ssl page for www2.stuX.com.
root@alternative:~# curl --cacert cacert.pem https://www4.stuX.com
This is ssl page for www4.stuX.com.
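Beyond checking the CA signature, curl --cacert also rejects a certificate whose validity window does not contain the client's current time (the clock-synchronisation caveat at the start of this experiment) or whose name does not match the host being contacted. The Python snippet below is an added example for this article, not code from OpenSSL or curl: it parses the "Certificate Details" block that openssl ca prints, in the layout shown above, and applies those two checks for a given hostname and client clock, so the consequences of a skewed clock or a certificate issued for the wrong CN can be seen without a server. The sample block is constructed to mirror the www2.stuX.com certificate; real clients check the subjectAltName extension before falling back to the CN, which these lab certificates do not carry.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of the "Certificate Details" block printed by
# `openssl ca`, mirroring the www2.stuX.com certificate of this lab.
SAMPLE_CA_OUTPUT = """\
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  4 14:23:12 2017 GMT
            Not After : Jun  4 14:23:12 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = CA
            organizationalUnitName    = ops
            commonName                = www2.stuX.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""


def _parse_openssl_time(text):
    """openssl prints e.g. 'Jun  4 14:23:12 2017 GMT' (day padded with spaces)."""
    text = " ".join(text.split())
    if not text.endswith(" GMT"):
        raise ValueError("unexpected time format: %r" % text)
    return datetime.strptime(text[:-4], "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_certificate_details(text):
    """Extract validity window, subject CN and the CA flag from openssl ca output."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        if not m:
            raise ValueError("missing field: %s" % pattern)
        return m.group(1).strip()

    return {
        "not_before": _parse_openssl_time(grab(r"^\s*Not Before\s*:\s*(.+)$")),
        "not_after": _parse_openssl_time(grab(r"^\s*Not After\s*:\s*(.+)$")),
        "common_name": grab(r"^\s*commonName\s*=\s*(.+)$"),
        "is_ca": grab(r"^\s*CA:(TRUE|FALSE)\s*$") == "TRUE",
    }


def verify_for_host(details, hostname, now):
    """Return the list of reasons a client would reject this certificate for hostname at time now."""
    problems = []
    if now < details["not_before"]:
        problems.append("not yet valid")  # client or server clock behind the CA's
    if now > details["not_after"]:
        problems.append("expired")
    if details["common_name"].lower() != hostname.lower():
        problems.append("hostname mismatch")
    if details["is_ca"]:
        problems.append("CA certificate presented as server certificate")
    return problems


if __name__ == "__main__":
    details = parse_certificate_details(SAMPLE_CA_OUTPUT)
    for when in (datetime(2017, 6, 4, 10, 0, tzinfo=timezone.utc),
                 datetime(2017, 12, 1, tzinfo=timezone.utc)):
        print(when.isoformat(), verify_for_host(details, "www2.stuX.com", when))
```

The first check is exactly what a client whose clock is a few hours behind the CA would hit on the day the certificate was issued. Unrelated to clocks but worth noting about the VirtualHost sections above: SSLProtocol all -SSLv2 still leaves SSLv3 and TLS 1.0 enabled on these httpd versions; a current deployment would disable those as well.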