Httpd
Last edited by secoug on 2019-10-20 11:35.
On the name server on instructor, add one more alias:
/var/named/chroot/var/named/example.com.zone
alt IN CNAME server3.example.com.
All three names (server3, www3, alt) now resolve to the same address; httpd tells the first two apart by the Host header on port 80, while alt.example.com gets its own port 8909. Copy /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf to /etc/httpd/conf.d/ under the name vhosts.conf:
<VirtualHost *:80>
#ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/var/www/html"
ServerName server3.example.com
#ServerAlias www.dummy-host.example.com
#ErrorLog "/var/log/httpd/server3.example.com-error.log"
#CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
</VirtualHost>
<VirtualHost *:80>
#ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/var/www/virtual"
ServerName www3.example.com
#ServerAlias www.dummy-host.example.com
#ErrorLog "/var/log/httpd/server3.example.com-error.log"
#CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
</VirtualHost>
listen 8909
<VirtualHost *:8909>
#ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/var/www/alt"
ServerName alt.example.com
#ServerAlias www.dummy-host.example.com
#ErrorLog "/var/log/httpd/server3.example.com-error.log"
#CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
</VirtualHost>
# semanage port -l | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 82, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
# semanage port -l -C
SELinux Port Type Proto Port Number
http_port_t tcp 82
# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
The restart fails because SELinux (enforcing) refuses to let httpd bind to tcp/8909: the port is not labeled http_port_t, and the -C listing above shows the only local addition so far is 82. Label the port, then open it in firewalld:
# semanage port -a -t http_port_t -p tcp 8909
# semanage port -l -C
SELinux Port Type Proto Port Number
http_port_t tcp 82, 8909
# firewall-cmd --permanent --add-port=8909/tcp
success
# firewall-cmd --reload
success
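The same two steps as an idempotent helper, added here as an example and not part of the original post: it checks the `semanage port -l` listing before adding the label (falling back to `-m` when the port already belongs to another type), then opens the port in firewalld. The `SEMANAGE_SAMPLE` text is the listing from the post, embedded as constructed input so the parser can be exercised offline; `ensure_http_port` itself needs root, `semanage` and `firewall-cmd`.

```sh
#!/bin/sh
# Added example, not from the original post: label a TCP port for httpd in
# SELinux and open it in firewalld idempotently, instead of restarting httpd
# and reading journalctl after it fails to bind. SEMANAGE_SAMPLE is the
# `semanage port -l` listing from the post, constructed here for offline use.

SEMANAGE_SAMPLE='SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      82, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988'

# selinux_port_allowed TYPE PORT: reads `semanage port -l` output on stdin and
# succeeds when TCP PORT is covered by TYPE, expanding ranges like 10001-10010.
selinux_port_allowed() {
    want="$1"; port="$2"
    while read -r ptype proto list; do
        [ "$ptype" = "$want" ] && [ "$proto" = "tcp" ] || continue
        # the port column is comma separated: "82, 80, 81, 443, 10001-10010"
        for item in $(printf '%s' "$list" | tr ',' ' '); do
            case "$item" in
                *-*) lo="${item%-*}"; hi="${item#*-}" ;;
                *)   lo="$item";       hi="$item" ;;
            esac
            [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
        done
    done
    return 1
}

# ensure_http_port PORT: add the http_port_t label if missing (semanage -a
# refuses a port that already has another type, so fall back to -m, which
# moves it), open the port in firewalld, then restart httpd.
ensure_http_port() {
    port="$1"
    if semanage port -l | selinux_port_allowed http_port_t "$port"; then
        echo "tcp/$port is already labeled http_port_t"
    else
        semanage port -a -t http_port_t -p tcp "$port" \
            || semanage port -m -t http_port_t -p tcp "$port" || return 1
    fi
    firewall-cmd --permanent --add-port="$port/tcp" && firewall-cmd --reload \
        && systemctl restart httpd
}

# Usage (as root, after adding the Listen 8909 vhost): sh ensure_port.sh --apply 8909
if [ "${1:-}" = "--apply" ]; then
    ensure_http_port "$2"
fi
```

Moving a port with `-m` changes which domains may bind it, so check what the previous type was (for 8080 that is http_cache_port_t, used by squid) before applying it on a shared host.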
To keep a separate log per virtual host:
<VirtualHost *:80>
#ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/var/www/html"
ServerName server3.example.com
#ServerAlias www.dummy-host.example.com
ErrorLog "/var/log/httpd/server3.example.com-error.log"
CustomLog "/var/log/httpd/server3.example.com-access.log" common
</VirtualHost>
<VirtualHost *:80>
#ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/var/www/virtual"
ServerName www3.example.com
#ServerAlias www.dummy-host.example.com
ErrorLog "/var/log/httpd/www3.example.com-error.log"
CustomLog "/var/log/httpd/www3.example.com-access.log" common
</VirtualHost>
listen 8909
<VirtualHost *:8909>
#ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/var/www/alt"
ServerName alt.example.com
#ServerAlias www.dummy-host.example.com
ErrorLog "/var/log/httpd/alt.example.com-error.log"
CustomLog "/var/log/httpd/alt.example.com-access.log" common
</VirtualHost>
If every virtual host should deny the same address or network, do it once in the firewall (one rule for the http service on port 80, one for the extra port 8909):
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.42/32" service name="http" reject'
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.42/32" port port="8909" protocol="tcp" reject'
# firewall-cmd --reload
success
If only one virtual host should deny the client:
<VirtualHost *:80>
#ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/var/www/virtual"
<Directory "/var/www/virtual">
Options Indexes FollowSymLinks
AllowOverride None
<RequireAll>
Require all granted
Require not host desktop42.example.com
</RequireAll>
</Directory>
ServerName www3.example.com
#ServerAlias www.dummy-host.example.com
ErrorLog "/var/log/httpd/www3.example.com-error.log"
CustomLog "/var/log/httpd/www3.example.com-access.log" common
</VirtualHost>
`Require not host` must be given a host name: httpd resolves the client address back to a name (and forward again to confirm it) and compares that, so the reverse zone has to answer for 192.168.0.42. Because this trusts whoever controls the reverse zone and costs a lookup on every request, `Require not ip 192.168.0.42` is the safer choice when the address is what you actually mean to block. Check the reverse record with dig:
# dig -x 192.168.0.42
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -x 192.168.0.42
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5225
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;42.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
42.0.168.192.in-addr.arpa. 86400 IN PTR desktop42.example.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400 IN NS instructor.example.com.
;; ADDITIONAL SECTION:
instructor.example.com. 86400 IN A 192.168.0.254
;; Query time: 103 msec
;; SERVER: 192.168.0.254#53(192.168.0.254)
;; WHEN: Sun Oct 20 10:15:46 CST 2019
;; MSG SIZE  rcvd: 130
Rename /etc/httpd/conf.d/welcome.conf (the RHEL test-page configuration) so it stops answering requests for /:
Or for a whole domain (the leading dot makes `.example.com` match every client whose reverse name ends in it; this is still a name match rather than a network range, for which `Require not ip 192.168.0.0/24` is the direct form):
<VirtualHost *:80>
#ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/var/www/virtual"
<Directory "/var/www/virtual">
Options Indexes FollowSymLinks
AllowOverride None
<RequireAll>
Require all granted
Require not host .example.com
</RequireAll>
</Directory>
ServerName www3.example.com
#ServerAlias www.dummy-host.example.com
ErrorLog "/var/log/httpd/www3.example.com-error.log"
CustomLog "/var/log/httpd/www3.example.com-access.log" common
</VirtualHost>
To allow a directory only from the server itself and deny every other host. The two Require lines below sit in an implicit RequireAny, so `Require all denied` never grants anything and `Require local` alone decides; the first line is redundant but harmless:
<VirtualHost *:80>
#ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/var/www/html"
<Directory "/var/www/html/private">
Require all denied
Require local
</Directory>
ServerName server3.example.com
#ServerAlias www.dummy-host.example.com
ErrorLog "/var/log/httpd/server3.example.com-error.log"
CustomLog "/var/log/httpd/server3.example.com-access.log" common
</VirtualHost>
<VirtualHost *:80>
#ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/var/www/virtual"
<Directory "/var/www/virtual">
Options Indexes FollowSymLinks
AllowOverride None
<RequireAll>
Require all granted
# Require not host .example.com
</RequireAll>
</Directory>
<Directory "/var/www/virtual/private">
Require all denied
Require local
</Directory>
ServerName www3.example.com
#ServerAlias www.dummy-host.example.com
ErrorLog "/var/log/httpd/www3.example.com-error.log"
CustomLog "/var/log/httpd/www3.example.com-access.log" common
</VirtualHost>
------
Without a CA, use a self-signed certificate, but instead of the stock pair that mod_ssl installs (subject O=SomeOrganization), generate a new one for the host:
genkey --test server3.example.com
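The same thing with plain openssl, added here as an example and not part of the original post or of the genkey tool: it writes a key and a self-signed certificate in the /etc/pki/tls layout that ssl.conf on RHEL 7 expects, and then checks the subject, the subjectAltName and the key permissions. The subject fields mirror the instructor script; the SAN entry is added because clients match the host name against the SAN rather than the CN. The helper names and the `--make` flag are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post: create a fresh self-signed
# certificate and key for one virtual host with plain openssl (the
# alternative to `genkey --test`), then verify what was produced.
#
# make_selfsigned_cert NAME OUTDIR [DAYS]
#   writes OUTDIR/private/NAME.key (mode 0600) and OUTDIR/certs/NAME.crt (0644);
#   with OUTDIR=/etc/pki/tls the layout matches ssl.conf on RHEL 7:
#     SSLCertificateFile    /etc/pki/tls/certs/NAME.crt
#     SSLCertificateKeyFile /etc/pki/tls/private/NAME.key
make_selfsigned_cert() {
    name="$1"; outdir="$2"; days="${3:-365}"
    key="$outdir/private/$name.key"
    crt="$outdir/certs/$name.crt"
    mkdir -p "$outdir/private" "$outdir/certs" || return 1
    cfg=$(mktemp) || return 1
    # A config file instead of -addext keeps this working on RHEL 7's OpenSSL 1.0.2.
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
C = US
ST = North Carolina
L = Raleigh
O = Example, Inc.
CN = $name
[v3_server]
subjectAltName = DNS:$name
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
    # -x509: emit a self-signed certificate instead of a CSR.
    # -nodes: unencrypted key, so httpd can start without a passphrase prompt.
    # umask 077 in a subshell: the key is created 0600, the caller's umask is untouched.
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
          -config "$cfg" -keyout "$key" -out "$crt" )
    status=$?
    rm -f "$cfg"
    [ "$status" -eq 0 ] && chmod 644 "$crt"
    return "$status"
}

# cert_cn FILE: the CN from the subject (handles both the 1.0.2 "/CN=" and
# the 1.1.1+ "CN = " output formats).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_has_san FILE NAME: succeeds when NAME is listed as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_is_private FILE: succeeds when the key is readable by its owner only.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage (as root): sh selfsigned.sh --make server3.example.com /etc/pki/tls 365
if [ "${1:-}" = "--make" ]; then
    make_selfsigned_cert "$2" "${3:-/etc/pki/tls}" "${4:-365}"
fi
```

After generating, point SSLCertificateFile and SSLCertificateKeyFile in /etc/httpd/conf.d/ssl.conf at the new files and restart httpd; browsers will still warn, since nothing they trust signed the certificate, but the name and SAN now match the host.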
On instructor, /root/bin/gls-setup-gen-sslcerts. Note that this script signs each CSR with the instructor's CA via `openssl ca`, so its certificates are CA-signed rather than self-signed, and that it publishes the private keys world-readable under /var/ftp/pub, which is acceptable only in a throwaway classroom network:
#
# certs archived in /etc/pki/tls/certs/serverX.crt
# certs published at /var/ftp/pub/materials/tls/certs/serverX.crt
#
# keys archive in /etc/pki/tls/private/serverX.key
# keys published at /var/ftp/pub/materials/tls/private/serverX.key
#
#######################################################################
SUBJ_PREFIX="/C=US/ST=North Carolina/L=Raleigh/O=Example, Inc."
DOMAIN="example.com"
PUBTLS=/var/ftp/pub/materials/tls
if [ -d $PUBTLS ]; then
  echo WARNING: the directory $PUBTLS already exists, which is
  echo probably not a good thing.  To completely regenerate
  echo student certs and keys, first remove the directory
  echo $PUBTLS, then run this script.
  echo
  echo Bravely venturing on...
fi
mkdir -p $PUBTLS/{certs,private}
umask 077
pushd /etc/pki/tls/certs

for i in $(seq 20); do
  SERVER=server$i
  SUBJECT="$SUBJ_PREFIX/CN=$SERVER.$DOMAIN"
  KEY=../private/$SERVER.key
  if [ -e $KEY ]; then
    echo "key for $SERVER already exists. skipping."
    continue
  fi
  openssl req -new -nodes -out $SERVER.csr -keyout $KEY -subj "$SUBJECT"
  openssl ca -batch -in $SERVER.csr -out $SERVER.crt
  ( cat $KEY; echo; cat $SERVER.crt ) > $SERVER.pem
  install -m 644 $SERVER.crt $SERVER.pem $PUBTLS/certs
  install -m 644 $KEY $PUBTLS/private
  rm -f $SERVER.csr
done
popd