Published: 2019-Mar-21
I. Business requirement

Apache has to serve one particular site over an encrypted connection and only to users who log in, so that the pages of that site are protected. Below is how the requirement was implemented, broken down step by step.

II. Implementation steps

1. Create the document root and a test page

    [root@test1 www]# mkdir virt1
    [root@test1 www]# ls
    cgi-bin  error  html  icons  manual  virt1
    [root@test1 www]# cd virt1
    [root@test1 virt1]# echo "welcome to apache website" > index.html
    [root@test1 virt1]# ls
    index.html
    [root@test1 virt1]# cat index.html
    welcome to apache website

2. Generate the password file with Apache's own htpasswd tool; this file is what the server checks logins against

Syntax: htpasswd options FilePath user

    -c  create the file; use it only the first time, because it overwrites an existing file
    -m  store the password as a salted, iterated MD5 hash (Apache's $apr1$ scheme); this is a one-way hash, not encryption
    -D  delete the user from the password file

    [root@test1 conf]# htpasswd -cm .htpasswd aaa
    New password:
    Re-type new password:
    Adding password for user aaa
    [root@test1 conf]# cat .htpasswd
    aaa:$apr1$hhFTA/vU$GwUfNDRNGFGIyHWftqc2M1
    [root@test1 conf]# htpasswd -m .htpasswd bbb
    New password:
    Re-type new password:
    Adding password for user bbb
    [root@test1 conf]# cat .htpasswd
    aaa:$apr1$hhFTA/vU$GwUfNDRNGFGIyHWftqc2M1
    bbb:$apr1$QHr2Dpff$wMtQI74PcbNOMrY0mPgpa0
    [root@test1 conf]#

To delete a user:

    # htpasswd -D .htpasswd aaa

Each entry is user:hash. The second $-delimited field of the hash is a random salt, so two users with the same password get different hashes. Keep the file outside the DocumentRoot, as done here (/etc/httpd/conf), so it can never be served to a client, and make it readable by root and the httpd user only. The $apr1$ scheme is salted and iterated but still MD5-based; newer httpd 2.4 releases offer htpasswd -B, which stores bcrypt hashes and is far more expensive to brute-force.

3. Require basic authentication for the web directory

For example, to require a login for the site test1.demo.com, edit Apache's main configuration file /etc/httpd/conf/httpd.conf:

    NameVirtualHost
    <VirtualHost>
        DocumentRoot /var/www/virt1
        ServerName test1.demo.com
        ErrorLog logs/test1.demo.com-error.log
        <Directory /var/www/virt1>
            AuthName "realm"
            AuthType Basic
            AuthUserFile /etc/httpd/conf/.htpasswd
            Require user aaa bbb
        </Directory>
    </VirtualHost>

The address and port argument of NameVirtualHost and <VirtualHost> (for an HTTP host, something like *:80) did not survive in the listing as published; both directives need it. AuthType Basic makes the browser send the username and password in an Authorization header that is only base64-encoded, so anyone who can see the HTTP traffic recovers the password; that is why step 4 moves the site to HTTPS. Require user aaa bbb admits only those two accounts; Require valid-user would admit every account in the file.

    [root@test1 virt1]# service httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd:                                            [  OK  ]

4. Encryption (TLS)

Generate the server's private key. The umask 077 in the subshell ensures the key file is created readable by root only; -des3 encrypts the key under a pass phrase.

    [root@test1 conf]# (umask 077;openssl genrsa -des3 -out server.key)
    Generating RSA private key, 512 bit long modulus
    ....++++++++++++
    ....++++++++++++
    e is 65537 (0x10001)
    Enter pass phrase for server.key:
    Verifying - Enter pass phrase for server.key:

Caveat: no key size was given, so this openssl version fell back to its default of 512 bits, which is far too small; 512-bit RSA moduli have been factored with modest rented computing resources. Always pass the size explicitly, e.g. openssl genrsa -des3 -out server.key 2048, or larger.

Create the certificate signing request. The Common Name must be the hostname clients will use:

    [root@test1 conf]# openssl req -new -key server.key -out server.csr
    Enter pass phrase for server.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:CN
    State or Province Name (full name) []:
    Locality Name (eg, city) [Beijing]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:Tianli
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:test1.demo.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Sign the request with the local CA. The CA key and directory layout come from /etc/pki/tls/openssl.cnf; the CA itself was set up beforehand:

    [root@test1 conf]# openssl ca -in server.csr -out server.crt
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/pki/CA/private/my-ca.key:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 3 (0x3)
            Validity
                Not Before: Jan 31 05:37:44 2013 GMT
                Not After : Jan 31 05:37:44 2014 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = Hebei
                organizationName          = Default Company Ltd
                commonName                = test1.demo.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    CB:3D:6E:BD:48:ED:BD:FE:39:BD:27:C5:B5:57:19:96:79:11:23:14
                X509v3 Authority Key Identifier:
                    keyid:4C:45:25:5F:60:7F:F8:6E:6F:B4:53:C4:FB:BD:A3:C6:82:AE:2A:62

    Certificate is to be certified until Jan 31 05:37:44 2014 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

Two things to note in this output. First, the default policy of openssl ca (policy_match) requires country, state and organization in the request to match the CA certificate; the CSR typed above (state blank, organization Tianli) and the subject printed here (Hebei, Default Company Ltd) evidently come from different runs, and a request whose organization differs from the CA's is rejected under that policy. Second, the certificate carries only a Common Name and no subjectAltName; current browsers ignore the CN when matching the hostname, so a certificate issued like this today is rejected even after the CA is trusted. Add a subjectAltName with the hostname when signing.

Copy the virtual-host block from httpd.conf into ssl.conf and add the SSL directives:

    NameVirtualHost
    <VirtualHost>
        DocumentRoot /var/www/virt1
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/server.key
        ServerName test1.demo.com
        ErrorLog logs/test1.demo.com-error.log
        <Directory /var/www/virt1>
            AuthName "realm"
            AuthType Basic
            AuthUserFile /etc/httpd/conf/.htpasswd
            Require user aaa bbb
        </Directory>
    </VirtualHost>

The address argument is missing from this listing as well; here it is the HTTPS address, port 443, which the restart output below ("Server test1.demo.com:443") confirms and for which ssl.conf already carries a Listen directive.

Note: the original block in httpd.conf must be commented out or otherwise disabled. Otherwise the same directory stays reachable over plain HTTP on port 80 with the Basic credentials exposed in cleartext, and the encryption protects nothing. Disable the NameVirtualHost line together with it, or the warning in the restart output below appears; a cleaner alternative is to keep a port-80 host whose only job is to redirect to https://.

    [root@test1 conf]# service httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd: [Thu Jan 31 01:29:41 2013] [warn] NameVirtualHost has no VirtualHosts
    Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide the pass phrases.

    Server test1.demo.com:443 (RSA)
    Enter pass phrase:

    OK: Pass Phrase Dialog successful.
                                                               [  OK  ]
    [root@test1 conf]#

The warning is the NameVirtualHost directive left in httpd.conf after its VirtualHost block was commented out. The pass phrase prompt comes from the -des3 key: httpd needs the phrase at every start, so an unattended reboot leaves the site down unless SSLPassPhraseDialog is configured to supply it; the usual trade-off is an unencrypted key protected by root-only 0600 permissions.

III. Test

In Firefox open https://test1.demo.com. Firefox does not trust the private CA that signed server.crt, so it shows a warning page: click "I Understand the Risks", then "Add Exception", then "Confirm Security Exception". Enter the username and password, and the protected page content appears.

Clicking through the exception is acceptable in a lab, but it is exactly the dialog a man-in-the-middle attack produces, so users must not be trained to do it. Import the CA certificate (the one whose key is /etc/pki/CA/private/my-ca.key) into the browser's trust store instead, or use a certificate from a publicly trusted CA; the site then opens without a warning and only the login prompt remains.
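The following script is an added example for steps 2 and 3 above; it is not part of the original article. It reproduces what Apache does with a Basic-auth login: decode the Authorization header (which shows that base64 is not encryption), look the user up in an htpasswd file whose entries were made with htpasswd -m, recompute the $apr1$ hash with the stored salt, and apply a Require user list. It assumes the openssl binary is on PATH (openssl passwd -apr1 implements the same scheme as htpasswd -m); the accounts and passwords are constructed for the demo, not the article's.

```shell
#!/bin/sh
# Added example, not the article's code. Assumes `openssl` on PATH.
set -u

# Constructed sample .htpasswd (written here so the script is self-contained).
# The salts are the ones visible in the article's hashes; the passwords are made up.
HTPASSWD_FILE="$(mktemp)"
trap 'rm -f "$HTPASSWD_FILE"' EXIT
{
  printf 'aaa:%s\n' "$(openssl passwd -apr1 -salt hhFTA/vU 'aaa-secret')"
  printf 'bbb:%s\n' "$(openssl passwd -apr1 -salt QHr2Dpff 'bbb-secret')"
  printf 'ccc:%s\n' "$(openssl passwd -apr1 -salt zzzzzzzz 'ccc-secret')"
} > "$HTPASSWD_FILE"

# basic_header USER PASSWORD: the header a browser sends (base64 of user:password).
basic_header() { printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | openssl base64)"; }

# decode_basic_header HEADER: prints "user:password". Anyone who sees an
# http:// request can do this; base64 hides nothing.
decode_basic_header() {
  case $1 in "Basic "*) ;; *) return 1 ;; esac
  printf '%s\n' "$1" | sed 's/^Basic //' | openssl base64 -d
}

# apr1_verify FILE USER PASSWORD: exit 0 when PASSWORD matches the stored hash.
# The stored hash is $apr1$<salt>$<digest>; recomputing with the same salt must
# reproduce it byte for byte.
apr1_verify() {
  file=$1; user=$2; password=$3
  stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")
  [ -n "$stored" ] || return 1
  [ "$(printf '%s' "$stored" | cut -d'$' -f2)" = "apr1" ] || return 1
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  computed=$(openssl passwd -apr1 -salt "$salt" "$password")
  [ "$computed" = "$stored" ]
}

# authorize FILE HEADER ALLOWED_USER...: exit 0 only when the credentials are
# valid AND the user is named, mirroring `Require user aaa bbb`.
authorize() {
  file=$1; header=$2; shift 2
  creds=$(decode_basic_header "$header") || return 1
  user=${creds%%:*}; pass=${creds#*:}
  apr1_verify "$file" "$user" "$pass" || return 1
  for allowed in "$@"; do
    [ "$allowed" = "$user" ] && return 0
  done
  return 1   # correct password, but not listed in Require user
}

if [ "${1:-}" = "demo" ]; then
  hdr=$(basic_header aaa aaa-secret)
  echo "header on the wire:      $hdr"
  echo "what a sniffer recovers: $(decode_basic_header "$hdr")"
  authorize "$HTPASSWD_FILE" "$hdr" aaa bbb && echo "aaa: allowed"
  authorize "$HTPASSWD_FILE" "$(basic_header ccc ccc-secret)" aaa bbb \
    || echo "ccc: valid account but not in Require user"
fi
```

Run it with the argument demo to see the header and the decoded credentials side by side; the functions can also be sourced and called individually.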
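The next script is an added example for step 4 and is not from the article. It performs the same key, CSR and CA-signing sequence with the parameters a practitioner would use now, and it includes checks that catch the two weaknesses visible in the article's transcript: a 512-bit key and a certificate without a subjectAltName. It assumes openssl is on PATH; the throwaway CA, the hostname test1.demo.com and the subject fields stand in for the article's /etc/pki/CA setup, and signing is done with openssl x509 -req instead of openssl ca so that no CA database is needed.

```shell
#!/bin/sh
# Added example, not the article's code. Assumes `openssl` on PATH.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca DIR: a private CA like the article's /etc/pki/CA, with a 2048-bit key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$1/openssl.cnf" -extensions v3_ca \
    -subj "/C=CN/O=Tianli/CN=Demo Lab CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# make_server_cert DIR HOST BITS: key, CSR and CA-signed certificate for HOST.
# umask 077 makes the key 0600 from the moment it is written (the article's
# subshell trick). No -des3, so httpd restarts without a pass-phrase prompt;
# that is acceptable only because the file is readable by its owner alone.
make_server_cert() {
  dir=$1; host=$2; bits=$3
  (umask 077; openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null)
  openssl req -new -sha256 -key "$dir/server.key" -out "$dir/server.csr" \
    -config "$dir/openssl.cnf" -subj "/C=CN/O=Tianli/CN=$host"
  # Leaf extensions: browsers match the hostname against SAN, not CN.
  cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# key_bits KEYFILE: modulus size in bits. genrsa always sets the top bit of
# the modulus, so four times the hex length is exact.
key_bits() {
  mod=$(openssl rsa -in "$1" -noout -modulus)
  hex=${mod#Modulus=}
  echo $(( ${#hex} * 4 ))
}

# key_is_strong KEYFILE: reject anything under 2048 bits (the article's
# transcript shows the old default of 512, which is factorable).
key_is_strong() { [ "$(key_bits "$1")" -ge 2048 ]; }

# cert_has_san CERTFILE HOST: the name a browser will actually check.
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

# chain_verifies CAFILE CERTFILE: what Firefox does once the CA is imported,
# instead of the user clicking "Add Exception".
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

if [ "${1:-}" = "demo" ]; then
  make_ca "$WORK"
  make_server_cert "$WORK" test1.demo.com 2048
  echo "server key: $(key_bits "$WORK/server.key") bits"
  ls -l "$WORK/server.key"
  cert_has_san "$WORK/server.crt" test1.demo.com && echo "SAN present"
  chain_verifies "$WORK/ca.crt" "$WORK/server.crt" && echo "chain verifies against the private CA"
fi
```

Run it with the argument demo. For a real deployment copy the resulting server.key and server.crt to the paths the article uses and import ca.crt into the browser's trust store; the checks at the bottom are the ones worth keeping in a provisioning script.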
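The corrected pair of virtual hosts, as an added example that is not taken from the article: the port-80 host only redirects, so Basic credentials are never sent in the clear, and the port-443 host carries the authentication block. It uses the httpd 2.2 syntax and the hostname and file paths from the steps above; the SSLProtocol and SSLCipherSuite values are the editor's choices, not the article's.

```apache
# Added example (httpd 2.2 syntax); hostname and paths follow the article.

# httpd.conf: plain-HTTP host that only redirects. No Auth* directives here,
# so no password can ever travel over http://.
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName test1.demo.com
    Redirect permanent / https://test1.demo.com/
</VirtualHost>

# ssl.conf: the protected site (ssl.conf already contains "Listen 443").
<VirtualHost *:443>
    ServerName test1.demo.com
    DocumentRoot /var/www/virt1
    ErrorLog logs/test1.demo.com-error.log

    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/server.key
    # Drop the protocols and cipher families that are broken; editor's choice.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    <Directory /var/www/virt1>
        # Belt and braces: refuse the directory over plain HTTP even if a
        # future config change exposes it on another host.
        SSLRequireSSL
        AuthName "realm"
        AuthType Basic
        AuthUserFile /etc/httpd/conf/.htpasswd
        Require user aaa bbb
    </Directory>
</VirtualHost>
```

With this layout the NameVirtualHost line in httpd.conf still has a host to match, so the "NameVirtualHost has no VirtualHosts" warning from the restart does not appear.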

