1. Set up an httpd service that meets these requirements:
(1) two name-based virtual hosts, www1 and www2, each with its own error log and access log;
(2) www1 exposes status information at /server-status, and only the user tom may access it;
(3) www2 refuses access from every host in the 192.168.0.0/24 network;
2. Provide HTTPS for the second virtual host above (www2).
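Added example, not part of the original lab notes: a shell helper that writes an httpd 2.4 configuration satisfying the four requirements above, plus a helper that creates the Basic-auth entry for tom in the format `htpasswd -m` produces. The domain ppp.com and the certificate paths under /etc/pki/tls come from the rest of the page; the document roots /var/www/www1 and /var/www/www2, the password file /etc/httpd/conf.d/.htpasswd and the log file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the page). Assumed: document roots under /var/www, password file
# /etc/httpd/conf.d/.htpasswd, log names under logs/. ppp.com and the cert paths are from the page.
set -eu

# write_vhost_conf OUTFILE: www1 and www2 on :80, www2 again on :443 (drop it into /etc/httpd/conf.d/)
write_vhost_conf() {
    cat > "$1" <<'EOF'
# (1) two name-based virtual hosts, each with its own error and access log
<VirtualHost *:80>
    ServerName www1.ppp.com
    DocumentRoot /var/www/www1
    ErrorLog  logs/www1_error_log
    CustomLog logs/www1_access_log combined

    # (2) status page on www1 only, Basic auth, only user tom
    <Location "/server-status">
        SetHandler server-status
        AuthType Basic
        AuthName "server status"
        AuthUserFile /etc/httpd/conf.d/.htpasswd
        Require user tom
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName www2.ppp.com
    DocumentRoot /var/www/www2
    ErrorLog  logs/www2_error_log
    CustomLog logs/www2_access_log combined
    # (3) everyone except 192.168.0.0/24; a negated Require only takes effect inside RequireAll
    <Directory "/var/www/www2">
        <RequireAll>
            Require all granted
            Require not ip 192.168.0.0/24
        </RequireAll>
    </Directory>
</VirtualHost>

# 2. HTTPS for the second vhost, using the key and certificate issued in the CA section
<VirtualHost *:443>
    ServerName www2.ppp.com
    DocumentRoot /var/www/www2
    ErrorLog  logs/www2_ssl_error_log
    CustomLog logs/www2_ssl_access_log combined
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/httpd.crt
    SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
    <Directory "/var/www/www2">
        <RequireAll>
            Require all granted
            Require not ip 192.168.0.0/24
        </RequireAll>
    </Directory>
</VirtualHost>
EOF
}

# write_status_user FILE USER PASSWORD: append an entry in the format `htpasswd -m` produces
# (apr1 MD5-crypt). The password is fed through stdin so it never appears in `ps` output.
write_status_user() {
    hash=$(printf '%s\n' "$3" | openssl passwd -apr1 -stdin)
    printf '%s:%s\n' "$2" "$hash" >> "$1"
    chmod 640 "$1"
}

# Stand-alone run: sh this_script.sh demo   (writes into a scratch directory, not /etc/httpd)
if [ "${1:-}" = "demo" ]; then
    W=$(mktemp -d)
    write_vhost_conf "$W/vhosts.conf"
    write_status_user "$W/.htpasswd" tom 'change-me'
    echo "wrote $W/vhosts.conf and $W/.htpasswd"
fi
```

Two things to check after installing the file: `Listen 443` comes from the ssl.conf that mod_ssl drops into /etc/httpd/conf.d/, so the default `_default_:443` vhost there keeps serving localhost.crt for clients that send no SNI, while www2.ppp.com (with the ServerName above) gets the CA-issued certificate; and `httpd -t` followed by `systemctl restart httpd` is the cheapest way to catch a typo before it takes the site down. Clients only trust the HTTPS vhost after importing the private CA's cacert.pem, since httpd.crt is issued directly by that root.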
Install the packages on the three hosts (two web servers, one DNS server):
[root@zyx ~]# yum -y install httpd mod_ssl
[root@zyx1 ~]# yum -y install httpd mod_ssl
[root@zyx2 ~]# yum -y install bind
Set up the private DNS service and the private CA:
Private DNS domain: "ppp.com"
DNS main configuration file: /etc/named.conf
options {
        directory "/var/named";
        /* ns1's address from the zone file; "localhost" alone would leave the other hosts unable to query */
        listen-on port 53 { 127.0.0.1; 172.16.9.72; };
        allow-recursion { 172.16.0.0/16; };
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "ppp.com" IN {
        type master;
        file "ppp.com.zone";
};
Zone database file for ppp.com: /var/named/ppp.com.zone
$TTL 1D
@       IN SOA  ns1.ppp.com. root.ppp.com. (
                1       ; serial (missing in the original; required, and must increase on every change)
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; negative-cache TTL
        NS      ns1
ns1     A       172.16.9.72
ca      A       172.16.9.72
websrv1 A       172.16.9.61
www1    CNAME   websrv1
www2    CNAME   websrv1
websrv2 A       172.16.9.71
www3    CNAME   websrv2
www4    CNAME   websrv2
Start the service (on the bind host): [root@zyx2 ~]# systemctl start named.service
Build the CA:
Adjust the CA defaults (directory, validity, signing policy) in:
vim /etc/pki/tls/openssl.cnf
(1) cd /etc/pki/CA; touch index.txt (the issued-certificate database); echo 01 > serial
Generate the CA private key (2048 bits; the original used 1025, which is not a sensible RSA key size):
(umask 066; openssl genrsa -out private/cakey.pem 2048)
Create the self-signed CA certificate:
openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
(the interactive subject prompts are omitted here.....)
View the CA certificate:
(1) openssl x509 -in cacert.pem -noout -text
On the web server, generate the httpd private key and a certificate signing request:
(2) cd /etc/pki/tls/private
(3) (umask 066; openssl genrsa -out httpd.key 2048)
(4) cd /etc/pki/tls/
(5) openssl req -new -key private/httpd.key -out certs/httpd.csr
Request the certificate
..fill in the subject fields consistently with the CA (the default policy_match in openssl.cnf requires country, state and organization to equal the CA certificate's):
(1) scp certs/httpd.csr 0.0.0.0:/etc/pki/CA/newcerts    (0.0.0.0 stands in for the CA host's address)
(2) on the CA host, in /etc/pki/CA/newcerts: openssl ca -in httpd.csr -out httpd.crt -days 365
(3) cp 01.pem ../certs/    (openssl ca also stores a copy as newcerts/<serial>.pem)
(4) scp httpd.crt 0.0.0.0:/etc/pki/tls/certs    (the signed certificate, back to the web server; 0.0.0.0 again stands in for the real address)
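Added example, not from the page: the CA, CSR and signing steps above as one script that runs in a scratch directory with its own minimal openssl.cnf instead of /etc/pki/tls/openssl.cnf, so it can be tried without touching /etc/pki. It adds the two things the notes leave out: the verification step (`openssl verify` against the CA certificate) before the certificate is copied to the web server, and what happens when the request's subject does not satisfy the CA's policy_match. The subject fields C=CN, ST=Beijing, O=ppp and the CA common name ca.ppp.com are assumptions; www2.ppp.com comes from the zone file.

```shell
#!/bin/sh
# Added example (not from the page): private CA + server certificate workflow in a scratch dir.
# Assumed subject fields: C=CN, ST=Beijing, O=ppp; CA CN ca.ppp.com. www2.ppp.com is from the zone file.
set -eu

# write_ca_config CADIR: minimal openssl.cnf so nothing here depends on /etc/pki/tls/openssl.cnf.
# policy_match is the rule the RHEL default config also uses: C, ST and O must equal the CA's.
write_ca_config() {
    cadir=$1
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
new_certs_dir  = $cadir/newcerts
database       = $cadir/index.txt
serial         = $cadir/serial
private_key    = $cadir/private/cakey.pem
certificate    = $cadir/cacert.pem
default_md     = sha256
default_days   = 365
policy         = policy_match
unique_subject = no

[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# build_ca CADIR: the page's steps (database, serial, key, self-signed cert) in one place
build_ca() {
    cadir=$1
    mkdir -p "$cadir/private" "$cadir/newcerts" "$cadir/certs"
    : > "$cadir/index.txt"        # empty issued-certificate database
    echo 01 > "$cadir/serial"     # first serial number
    write_ca_config "$cadir"
    (umask 077; openssl genrsa -out "$cadir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$cadir/openssl.cnf" -key "$cadir/private/cakey.pem" \
        -days 3650 -subj "/C=CN/ST=Beijing/O=ppp/CN=ca.ppp.com" -out "$cadir/cacert.pem"
}

# make_csr DIR HOST [COUNTRY]: the web server side. COUNTRY defaults to the CA's value so the
# request passes policy_match; pass anything else to watch the CA reject it.
make_csr() {
    dir=$1; host=$2; country=${3:-CN}
    mkdir -p "$dir"
    (umask 077; openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null)
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    openssl req -new -config "$dir/req.cnf" -key "$dir/$host.key" \
        -subj "/C=$country/ST=Beijing/O=ppp/CN=$host" -out "$dir/$host.csr"
}

# sign_csr CADIR CSR OUT HOST: the CA operator side. The extension file marks the result as an
# end-entity server cert and adds the SAN browsers require; a copy also lands in
# CADIR/newcerts/<serial>.pem, which is the 01.pem the page copies into certs/.
sign_csr() {
    cadir=$1; csr=$2; out=$3; host=$4
    cat > "$cadir/ext-$host.cnf" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$host
EOF
    openssl ca -batch -config "$cadir/openssl.cnf" -extfile "$cadir/ext-$host.cnf" \
        -in "$csr" -out "$out" -days 365 -notext
}

# verify_cert CADIR CRT: the check to run before scp'ing the certificate to the web server
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null
}

# cert_subject CRT: subject in RFC 2253 form (same output across OpenSSL versions)
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# Stand-alone run: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    W=$(mktemp -d)
    build_ca "$W/CA"
    make_csr "$W/web" www2.ppp.com
    sign_csr "$W/CA" "$W/web/www2.ppp.com.csr" "$W/web/www2.ppp.com.crt" www2.ppp.com
    verify_cert "$W/CA" "$W/web/www2.ppp.com.crt" && echo "chain OK: $(cert_subject "$W/web/www2.ppp.com.crt")"
    make_csr "$W/bad" www3.ppp.com US
    sign_csr "$W/CA" "$W/bad/www3.ppp.com.csr" "$W/bad/www3.ppp.com.crt" www3.ppp.com 2>/dev/null \
        || echo "rejected: C=US does not match the CA certificate (policy_match)"
    rm -rf "$W"
fi
```

In the lab the only difference is transport: the CSR goes to ca.ppp.com with scp and the signed httpd.crt comes back the same way, while cakey.pem never leaves /etc/pki/CA/private. The rejected request illustrates the "fill in the fields consistently with the CA" instruction above: `openssl ca` compares C, ST and O with the CA certificate and refuses to sign when they differ, which is what you see when the CSR was answered with different prompts than the CA was.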