1. Assignment requirements
Main site http://www.zz.com 192.168.145.100, document root /var/www/html
Technical department site https://tec.zz.com 192.168.145.101, document root /var/www/tec
Marketing department site https://mkt.zz.com 192.168.145.102, document root /var/www/mkt
2. Topology diagram
3. Configuration
Site configuration
First, confirm that the DNS server, the web server and the CA are already in place; the previous posts cover building and hardening them.
Add the extra IP addresses as interface aliases. Aliases created with ifconfig do not survive a reboot, so add them to the interface configuration if they need to be persistent.
[root@localhost ~]# ifconfig eth0:0 192.168.145.101
[root@localhost ~]# ifconfig eth0:1 192.168.145.102
[root@localhost ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:1B:E2:73
inet addr:192.168.145.100 Bcast:192.168.145.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe1b:e273/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7181 errors:0 dropped:0 overruns:0 frame:0
TX packets:4888 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:620809 (606.2 KiB) TX bytes:705252 (688.7 KiB)
Interrupt:67 Base address:0x2000
eth0:0 Link encap:Ethernet HWaddr 00:0C:29:1B:E2:73
inet addr:192.168.145.101 Bcast:192.168.145.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:67 Base address:0x2000
eth0:1 Link encap:Ethernet HWaddr 00:0C:29:1B:E2:73
inet addr:192.168.145.102 Bcast:192.168.145.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:67 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1803 errors:0 dropped:0 overruns:0 frame:0
TX packets:1803 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2949156 (2.8 MiB) TX bytes:2949156 (2.8 MiB)
[root@localhost named]# cd /var/named/chroot/etc/
[root@localhost etc]# vim named.rfc1912.zones
Edit the zone configuration so that tec.zz.com and mkt.zz.com resolve to their addresses. Then create the document roots for the new sites (the main site's already exists) and put a home page in each for testing.
[root@localhost etc]# mkdir /var/www/tec
[root@localhost etc]# mkdir /var/www/mkt
[root@localhost etc]# cd /var/www/tec
[root@localhost tec]# echo "welcome to tec" >index.html
[root@localhost tec]# cd /var/www/mkt
[root@localhost mkt]# echo "welcome to mkt" >index.html
[root@localhost mkt]# vim /etc/httpd/conf/httpd.conf
Next, issue the site certificates. The CA was built in the previous post, so we can request certificates from it directly. The mod_ssl package is also required; it was installed in the earlier setup. Because these are separate sites, each one gets its own private key.
[root@localhost html]# cd /etc/httpd/certs/
[root@localhost certs]# openssl genrsa 1024 >tec_httpd.key
Generating RSA private key, 1024 bit long modulus
..............................................++++++
.............................++++++
e is 65537 (0x10001)
[root@localhost certs]# openssl req -new -key tec_httpd.key -out tec_httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:zz.com
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:tec.zz.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost certs]# openssl ca -in tec_httpd.csr -out tec_httpd.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Aug 11 11:15:01 2012 GMT
Not After : Aug 11 11:15:01 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = BEIJING
organizationName = zz.com
organizationalUnitName = tec
commonName = tec.zz.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier: AA:38:0C:7F:6A:6D:88:6E:EE:5A:F5:BF:D7:C7:C5:8D:4E:92:AE:85
X509v3 Authority Key Identifier: keyid:3D:60:9D:7A:34:73:89:5C:50:7A:DC:FF:82:98:D3:F8:1F:A1:A8:D8
Certificate is to be certified until Aug 11 11:15:01 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost certs]#
[root@localhost certs]# openssl genrsa 1024 >mkt_httpd.key
Generating RSA private key, 1024 bit long modulus
...............++++++
................++++++
e is 65537 (0x10001)
[root@localhost certs]# openssl req -new -key mkt_httpd.key -out mkt_httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:SHANGHAI
Locality Name (eg, city) [BEIJING]:shanghai
Organization Name (eg, company) [My Company Ltd]:zz.com
Organizational Unit Name (eg, section) []:mkt
Common Name (eg, your name or your server's hostname) []:mkt.zz.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost certs]# openssl ca -in mkt_httpd.csr -out mkt_httpd.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Aug 11 11:17:32 2012 GMT
Not After : Aug 11 11:17:32 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = SHANGHAI
organizationName = zz.com
organizationalUnitName = mkt
commonName = mkt.zz.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier: 0C:0B:21:28:85:86:58:FB:52:5D:A0:29:BB:38:B9:60:09:32:C7:38
X509v3 Authority Key Identifier: keyid:3D:60:9D:7A:34:73:89:5C:50:7A:DC:FF:82:98:D3:F8:1F:A1:A8:D8
Certificate is to be certified until Aug 11 11:17:32 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
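The key, CSR and signing steps above are repeated by hand for each site, and nothing in the session checks the result before Apache is pointed at the files. The script below is an added example, not code from the original post: it builds a throwaway CA in a temporary directory (so it runs offline and does not need the database layout that `openssl ca` relies on), issues a per-site key and certificate with the post's file naming, tightens permissions the same way, and then verifies three things worth confirming on every issued certificate: it chains to the CA, its public key matches the private key, and it is valid for the site's hostname. Unlike the post it uses 2048-bit keys and a subjectAltName entry, which browsers now require; the CA name, directory and the `demo` argument are constructed for this example.

```bash
#!/bin/sh
# Added example, not from the original post. Builds a throwaway CA in a temp
# directory, issues a per-site key and certificate, and verifies the result.
# All names and paths here are constructed for the demonstration.
set -eu

# make_demo_ca DIR: self-signed CA, only so the example runs offline
make_demo_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=CN/ST=BEIJING/O=zz.com/CN=zz.com demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
}

# issue_site_cert DIR SITE FQDN OU: key + CSR + CA-signed certificate,
# named like the post's files (SITE_httpd.key / .csr / .cert)
issue_site_cert() {
    dir="$1"; site="$2"; fqdn="$3"; ou="$4"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=CN/ST=BEIJING/L=BEIJING/O=zz.com/OU=$ou/CN=$fqdn" \
        -keyout "$dir/${site}_httpd.key" -out "$dir/${site}_httpd.csr" 2>/dev/null
    # Browsers match the hostname against subjectAltName, not the CN
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$fqdn" \
        > "$dir/${site}.ext"
    # openssl x509 -req signs without the index/serial layout openssl ca needs
    openssl x509 -req -in "$dir/${site}_httpd.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
        -extfile "$dir/${site}.ext" -out "$dir/${site}_httpd.cert" 2>/dev/null
    # Same permission tightening as the post: root-only on key, CSR and cert
    chmod 600 "$dir/${site}_httpd.key" "$dir/${site}_httpd.csr" "$dir/${site}_httpd.cert"
}

# verify_site_cert DIR SITE FQDN: 0 only if the cert chains to the CA, matches
# its private key, and is valid for FQDN (SAN/CN rules applied by -checkhost)
verify_site_cert() {
    dir="$1"; site="$2"; fqdn="$3"
    crt="$dir/${site}_httpd.cert"; key="$dir/${site}_httpd.key"
    openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$crt" -noout -checkhost "$fqdn" \
        | grep -q '^Hostname .* does match' || return 1
}

# Run the whole procedure for both department sites: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_ca "$d"
    for s in tec mkt; do
        issue_site_cert "$d" "$s" "$s.zz.com" "$s"
        verify_site_cert "$d" "$s" "$s.zz.com" && echo "$s.zz.com: certificate OK"
    done
    ls -l "$d"
fi
```

To use the post's real CA instead of the throwaway one, point `-CA`/`-CAkey` at its certificate and key (or keep `openssl ca` for signing) and run only `verify_site_cert` against the resulting files; the verification step is the part that catches a CSR signed for the wrong hostname or a certificate copied next to the wrong key.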
For security, restrict the permissions on the key, CSR and certificate files so that only root can read them.
[root@localhost certs]# chmod 600 *
[root@localhost certs]# ll
总计 36
-rw------- 1 root root 3053 08-11 16:54 httpd.cert
-rw------- 1 root root 643 08-11 16:53 httpd.csr
-rw------- 1 root root 887 08-11 16:51 httpd.key
-rw------- 1 root root 3066 08-11 22:58 mkt_httpd.cert
-rw------- 1 root root 651 08-11 22:58 mkt_httpd.csr
-rw------- 1 root root 887 08-11 22:57 mkt_httpd.key
-rw------- 1 root root 3061 08-11 22:56 tec_httpd.cert
-rw------- 1 root root 647 08-11 22:55 tec_httpd.csr
-rw------- 1 root root 891 08-11 22:53 tec_httpd.key
The SSL virtual host configuration must point at the certificate and key files for each site.
[root@localhost conf.d]# vim ssl.conf
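What ssl.conf needs for this layout is one `<VirtualHost>` per site IP, each naming that site's own certificate and key under /etc/httpd/certs. The script below is an added example, not the post's configuration: it renders those blocks from the post's addresses, document roots and file names, and before a reload checks that every referenced file exists and that each key is still mode 600 (httpd reads the key as root at startup, so nothing wider is needed). The `check_vhost_files` function and the `demo` argument are this example's own.

```bash
#!/bin/sh
# Added example, not from the original post. Renders the per-IP SSL virtual
# host blocks that ssl.conf needs and checks the referenced files before a
# reload. Paths mirror the post's layout; the check is this example's own.
set -eu

# render_ssl_vhost IP FQDN DOCROOT CERTDIR SITE: print one <VirtualHost> block
render_ssl_vhost() {
    ip="$1"; fqdn="$2"; docroot="$3"; certdir="$4"; site="$5"
    cat <<EOF
<VirtualHost ${ip}:443>
    ServerName ${fqdn}
    DocumentRoot ${docroot}
    SSLEngine on
    SSLCertificateFile    ${certdir}/${site}_httpd.cert
    SSLCertificateKeyFile ${certdir}/${site}_httpd.key
    ErrorLog    logs/${site}_ssl_error_log
    TransferLog logs/${site}_ssl_access_log
</VirtualHost>

EOF
}

# check_vhost_files CONF: 0 only if every certificate and key the config names
# exists as a regular file and every key is mode 0600
check_vhost_files() {
    conf="$1"; status=0
    for f in $(awk '$1 ~ /^SSLCertificate(Key)?File$/ {print $2}' "$conf"); do
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2; status=1
        fi
    done
    for k in $(awk '$1 == "SSLCertificateKeyFile" {print $2}' "$conf"); do
        [ -f "$k" ] || continue
        mode=$(ls -l "$k" | cut -c1-10)
        if [ "$mode" != "-rw-------" ]; then
            echo "$k is $mode, expected -rw------- (chmod 600)" >&2; status=1
        fi
    done
    return $status
}

# Generate the blocks for both department sites: sh script.sh demo >> ssl.conf
if [ "${1:-}" = "demo" ]; then
    render_ssl_vhost 192.168.145.101 tec.zz.com /var/www/tec /etc/httpd/certs tec
    render_ssl_vhost 192.168.145.102 mkt.zz.com /var/www/mkt /etc/httpd/certs mkt
fi
```

The stock ssl.conf shipped with mod_ssl already contains `Listen 443` and a `<VirtualHost _default_:443>` that uses the package's self-signed localhost certificate; with IP-based hosts like these, each department IP gets its own block and the default block only answers for addresses no block claims. Run `apachectl configtest` after editing and only then reload, since a missing or unreadable key file makes httpd fail to start rather than fall back.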
4. Testing