2025-03-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
In the experiment, the web server address is 192.168.80.10 and the client address is 192.168.80.200.
The purpose of the experiment is to control which users and hosts may access the web server.
[root@localhost] # yum --disablerepo=* --enablerepo=c6-media install httpd
Install the httpd service (here from the local c6-media repository, with all other repositories disabled).
To enable authentication, change line 336 of /etc/httpd/conf/httpd.conf to "AllowOverride All" so that Apache honours per-directory .htaccess files.
Create a file named .htaccess in /var/www/html/ (it must be in the site's document root) with the following content:
AuthUserFile /var/www/.htpasswd
AuthName "please input your name and password"
AuthType Basic
Require valid-user
This file only tells Apache how to authenticate; you still need to generate the account file it refers to.
Use the htpasswd tool, which is in the /usr/bin/ directory.
Run it directly:
[root@localhost www] # htpasswd -c .htpasswd abc
It then prompts for the password (123 here) twice.
This creates a file named .htpasswd in the current directory and writes a user with the account abc and password 123.
To add another user, omit -c, which means "create a new file".
[root@localhost html] # echo 'hello' > index.html
Create a static page named index.html in the current directory containing the word "hello".
Restart the httpd service:
[root@localhost html] # service httpd restart
Then open http://192.168.80.10 in a browser on a PC in the same network segment.
It asks for an account and password:
Enter account: abc, password: 123
After entering them, you see the following page:
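As an added check (example code, not from the article), the following script audits an .htaccess/.htpasswd pair like the one built above: it confirms the directives that enforce Basic authentication are present, that AuthUserFile points outside the document root (the stock httpd.conf refuses to serve .ht* files, but keeping the password file outside /var/www/html removes the dependency on that rule), and reports which hash scheme an entry in .htpasswd uses. The sample files it writes to a temporary directory are constructed for the demo; the htpasswd entry is not a real credential.

```shell
#!/bin/sh
# Added example (not from the article): audit an .htaccess/.htpasswd pair.
set -eu

# Print the value of Apache directive $2 (case-insensitive) found in file $1.
directive_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 if .htaccess $1 enforces Basic auth with its password file outside
# document root $2; otherwise print each problem and return 1.
audit_htaccess() {
    ht="$1"; docroot="${2%/}"; rc=0
    auth_type=$(directive_value "$ht" AuthType | tr 'A-Z' 'a-z')
    if [ "$auth_type" != "basic" ]; then
        echo "AuthType is '$auth_type', expected Basic"; rc=1
    fi
    userfile=$(directive_value "$ht" AuthUserFile)
    if [ -z "$userfile" ]; then
        echo "AuthUserFile is missing"; rc=1
    else
        case "$userfile" in
            "$docroot"/*) echo "password file $userfile sits inside document root $docroot"; rc=1 ;;
        esac
    fi
    req=$(directive_value "$ht" Require)
    case "$req" in
        valid-user|user\ *) ;;
        *) echo "Require '$req' does not limit access to authenticated users"; rc=1 ;;
    esac
    return $rc
}

# Print the hash scheme used for user $2 in .htpasswd $1; return 1 if absent.
# Schemes htpasswd can write: $apr1$ (its default), {SHA}, bcrypt (-B, Apache
# 2.4), traditional crypt; anything else is treated as a plaintext entry.
htpasswd_scheme() {
    hash=$(awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1")
    [ -n "$hash" ] || return 1
    case "$hash" in
        '$apr1$'*)        echo apr1 ;;
        '$2y$'*|'$2a$'*)  echo bcrypt ;;
        '{SHA}'*)         echo sha1 ;;
        *) if [ "${#hash}" -eq 13 ]; then echo crypt; else echo plain; fi ;;
    esac
}

# Demo on constructed files in a temporary directory.
demo() {
    d=$(mktemp -d)
    printf 'AuthUserFile /var/www/.htpasswd\nAuthName "please input your name and password"\nAuthType Basic\nRequire valid-user\n' > "$d/.htaccess"
    # Constructed entry in the format htpasswd writes (not a real credential).
    printf 'abc:$apr1$saltsalt$hashhashhashhashhashhas\n' > "$d/.htpasswd"
    if audit_htaccess "$d/.htaccess" /var/www/html; then echo ".htaccess: OK"; fi
    echo "user abc hash scheme: $(htpasswd_scheme "$d/.htpasswd" abc)"
    rm -rf "$d"
}
demo
```

Run it against a real site with `audit_htaccess /var/www/html/.htaccess /var/www/html`; a non-zero exit status lists what is wrong.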
You can also restrict access by source address:
On lines 341 to 343 of /etc/httpd/conf/httpd.conf, modify as follows:
Only the host with the address 192.168.80.200 is allowed in; all other addresses are refused.
Order allow,deny
Allow from 192.168.80.200
Deny from all
Note: the Order line decides how the Allow and Deny lines are evaluated; with Order allow,deny, any client that no Allow line matches is denied.
I changed the address of the host to 192.168.80.201 and found that this site was no longer accessible:
And after changing the address back, you can continue to visit.
Next, I will use openssl on the Linux system to set up a CA and issue certificates:
[root@localhost html] # rpm -qa | grep openssl
First, check whether openssl is installed on the system. If not, install it yourself; I won't go into details here.
Go to /etc/pki/ (PKI: Public Key Infrastructure).
Look at openssl.cnf under /etc/pki/tls/, which is the configuration file for openssl:
[root@localhost tls] # vim openssl.cnf
View lines 40 to 53:
If some of the files or directories listed there don't exist, create them yourself:
On my system the /etc/pki/CA directory contains these:
So take the following steps:
[root@localhost CA] # openssl genrsa 1024 > private/cakey.pem
Use openssl to generate a 1024-bit RSA private key in the private/ subdirectory of the current directory, named cakey.pem (this file name must match the one given in openssl.cnf).
[root@localhost CA] # chmod 600 private/cakey.pem
Because the private key is confidential and only the administrator may read it, change its permissions.
Now you can modify lines 128 to 139 of the file. This sets default values so that you don't have to type the same certificate fields every time a request is made; of course, you can also type them yourself at request time:
There are some other fields to fill in here (I fill them in arbitrarily):
[root@localhost CA] # openssl req -new -key private/cakey.pem -x509 -out cacert.pem
Request a certificate whose public key is taken from the private key; -x509 makes it a self-signed X.509 certificate, and the output is named cacert.pem (this file name must match the one given in openssl.cnf).
The certificate has now been produced:
The next step is to generate the private key for the web server:
[root@localhost CA] # mkdir -pv /etc/httpd/certs
mkdir: created directory `/etc/httpd/certs'
[root@localhost CA] # cd /etc/httpd/certs/
[root@localhost certs] # openssl genrsa 1024 > httpd.key
Generate the private key file httpd.key.
[root@localhost certs] # chmod 600 httpd.key
Restrict its permissions.
Edit the openssl.cnf file: modify lines 85 to 87 as follows:
Change match to optional
This allows requesters from any country and organisation to obtain certificates.
[root@localhost certs] # openssl req -new -key httpd.key -out httpd.crq
Generate a request file named httpd.crq. This is a certificate signing request, not a self-signed certificate, so -x509 is not used.
Once you have the request file, you can have the CA issue a certificate from it; the resulting certificate is named httpd.cert:
[root@localhost certs] # openssl ca -in httpd.crq -out httpd.cert
Now look at /etc/pki/CA/index.txt and you will find one more record:
[root@localhost CA] # cat index.txt
Next, bind the web server to the certificate:
This requires the mod_ssl module.
If it is not present, install mod_ssl yourself; after installation you will have a mod_ssl.so file.
In this directory:
[root@localhost CA] # vim /etc/httpd/conf.d/ssl.conf
Edit this file:
Change line 105 to SSLCertificateFile /etc/httpd/certs/httpd.cert, the path of the certificate
Change line 112 to SSLCertificateKeyFile /etc/httpd/certs/httpd.key, the path of the key
After restarting the httpd service, check the ports and find that both the plaintext port and the encrypted port are open:
[root@localhost CA] # netstat -tupln | grep http
Then add a line to the hosts file in the C:\WINDOWS\system32\drivers\etc directory on the host with IP address 192.168.80.200:
192.168.80.10 www.abc.com
This tells the host that the name of 192.168.80.10 is www.abc.com. Then open http://www.abc.com and find that the certificate is not trusted:
Go to /etc/httpd/conf.d/ssl.conf and edit the file:
[root@localhost CA] # vim /etc/httpd/conf.d/ssl.conf
Change line 120 to SSLCertificateChainFile /etc/pki/CA/cacert.pem
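The CA steps above (genrsa, req -x509, req -new, ca) and the ssl.conf binding that follows them, gathered into one added example script that is not from the article: it builds the CA in a throwaway directory instead of /etc/pki/CA, with its own minimal openssl.cnf that sets the same things the article edits by hand (file names, defaults, and the match -> optional policy), signs a server request, then runs the two checks a practitioner wants before pointing SSLCertificateFile and SSLCertificateKeyFile at the files: that the certificate chains to cacert.pem, and that the key and certificate actually belong together. "Example Test CA" is a constructed name, www.abc.com is the article's, and the keys are 2048-bit rather than the article's 1024, which is below today's minimum.

```shell
#!/bin/sh
# Added example (not from the article): the CA and server-certificate steps
# above as one script that works in a throwaway directory instead of
# /etc/pki/CA. "Example Test CA" is a constructed name.
set -eu

# Minimal openssl.cnf for the CA in $1, covering the settings the article
# edits by hand: file names, defaults, and the "optional" policy fields.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
database      = $1/index.txt
serial        = $1/serial
new_certs_dir = $1/newcerts
private_key   = $1/private/cakey.pem
certificate   = $1/cacert.pem
default_md    = sha256
default_days  = 365
policy        = policy_relaxed
email_in_dn   = no
[ policy_relaxed ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# CA directory layout, private key (mode 600) and self-signed CA certificate.
# 2048-bit keys instead of the article's 1024, which is below current minimums.
setup_ca() {
    mkdir -p "$1/private" "$1/newcerts"
    : > "$1/index.txt"     # empty issued-certificate database
    echo 01 > "$1/serial"  # next serial number
    write_ca_config "$1"
    openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$1/private/cakey.pem"
    openssl req -new -x509 -key "$1/private/cakey.pem" -config "$1/openssl.cnf" \
        -subj "/CN=Example Test CA" -days 365 -out "$1/cacert.pem"
}

# Server key and CSR in $2 (CN $3), signed by the CA in $1 with openssl ca.
issue_server_cert() {
    mkdir -p "$2"
    openssl genrsa -out "$2/httpd.key" 2048 2>/dev/null
    chmod 600 "$2/httpd.key"
    # A signing request, so no -x509 here.
    openssl req -new -key "$2/httpd.key" -config "$1/openssl.cnf" \
        -subj "/CN=$3" -out "$2/httpd.crq"
    openssl ca -config "$1/openssl.cnf" -batch -notext -extensions v3_server \
        -in "$2/httpd.crq" -out "$2/httpd.cert" 2>/dev/null
}

# Count of valid (V) records in the CA database: the entry the article sees
# appear in index.txt after signing.
issued_count() { grep -c '^V' "$1/index.txt" || true; }

# Subject CN of certificate $1.
cert_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

# 0 if certificate $2 chains to the CA in $1 (what the browser checks once
# cacert.pem is imported as a trusted root).
verify_chain() { openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1; }

# 0 if RSA private key $2 belongs to certificate $1, the pairing that the
# SSLCertificateFile / SSLCertificateKeyFile lines in ssl.conf must describe.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

demo() {
    w=$(mktemp -d)
    setup_ca "$w/CA"
    issue_server_cert "$w/CA" "$w/certs" www.abc.com
    echo "issued $(issued_count "$w/CA") cert(s); CN=$(cert_cn "$w/certs/httpd.cert")"
    if verify_chain "$w/CA" "$w/certs/httpd.cert"; then echo "chain: OK"; fi
    if key_matches_cert "$w/certs/httpd.cert" "$w/certs/httpd.key"; then echo "key/cert: match"; fi
    rm -rf "$w"
}
if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not installed" >&2; fi
```

The same two checks apply to the real files: `verify_chain /etc/pki/CA /etc/httpd/certs/httpd.cert` and `key_matches_cert /etc/httpd/certs/httpd.cert /etc/httpd/certs/httpd.key` must both succeed before the restart, otherwise mod_ssl will refuse to start or clients will see a broken chain.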
On the client host, click Install Certificate:
You can then see a certificate issued by abc.org.cn under Internet Properties, Content, Certificates, Trusted Root Certification Authorities:
Re-visit http://www.abc.com at this time
There is no prompt message, and the access is successful!