用户认证的配置 (1)in the httpd.conf: AccessFileName .htaccess ......... Alias /download/ "/var/www/download/" <Directory "/var/www/download"> Options Indexes AllowOverride AuthConfig </Directory> (2) create a password file: /usr/local/apache2/bin/htpasswd -c /var/httpuser/passwords bearzhang (3)onfigure the server to request a password and tell the server which users are allowed access. vi /var/www/download/.htaccess: AuthType Basic AuthName "Restricted Files" AuthUserFile /var/httpuser/passwords Require user bearzhang #Require valid-user #all valid user 虚拟主机的配置 (1)基于IP地址的虚拟主机配置 Listen 80 <VirtualHost 172.20.30.40> DocumentRoot /www/example1 ServerName www.example1.com </VirtualHost> <VirtualHost 172.20.30.50> DocumentRoot /www/example2 ServerName www.example2.org </VirtualHost> (2) 基于IP和多端口的虚拟主机配置 Listen 172.20.30.40:80 Listen 172.20.30.40:8080 Listen 172.20.30.50:80 Listen 172.20.30.50:8080 <VirtualHost 172.20.30.40:80> DocumentRoot /www/example1-80 ServerName www.example1.com </VirtualHost> <VirtualHost 172.20.30.40:8080> DocumentRoot /www/example1-8080 ServerName www.example1.com </VirtualHost> <VirtualHost 172.20.30.50:80> DocumentRoot /www/example2-80 ServerName www.example1.org </VirtualHost> <VirtualHost 172.20.30.50:8080> DocumentRoot /www/example2-8080 ServerName www.example2.org </VirtualHost> (3)单个IP地址的服务器上基于域名的虚拟主机配置: # Ensure that Apache listens on port 80 Listen 80 # Listen for virtual host requests on all IP addresses NameVirtualHost *:80 <VirtualHost *:80> DocumentRoot /www/example1 ServerName www.example1.com ServerAlias example1.com. *.example1.com # Other directives here </VirtualHost> <VirtualHost *:80> DocumentRoot /www/example2 ServerName www.example2.org # Other directives here </VirtualHost> (4)在多个IP地址的服务器上配置基于域名的虚拟主机: Listen 80 # This is the "main" server running on 172.20.30.40 ServerName server.domain.com DocumentRoot /www/mainserver # This is the other address NameVirtualHost 172.20.30.50 <VirtualHost 172.20.30.50> DocumentRoot /www/example1 ServerName www.example1.com # Other directives here ... </VirtualHost> <VirtualHost 172.20.30.50> DocumentRoot /www/example2 ServerName www.example2.org # Other directives here ... </VirtualHost> (5)在不同的端口上运行不同的站点(基于多端口的服务器上配置基于域名的虚拟主机): Listen 80 Listen 8080 NameVirtualHost 172.20.30.40:80 NameVirtualHost 172.20.30.40:8080 <VirtualHost 172.20.30.40:80> ServerName www.example1.com DocumentRoot /www/domain-80 </VirtualHost> <VirtualHost 172.20.30.40:8080> ServerName www.example1.com DocumentRoot /www/domain-8080 </VirtualHost> <VirtualHost 172.20.30.40:80> ServerName www.example2.org DocumentRoot /www/otherdomain-80 </VirtualHost> <VirtualHost 172.20.30.40:8080> ServerName www.example2.org DocumentRoot /www/otherdomain-8080 </VirtualHost> (6)基于域名和基于IP的混合虚拟主机的配置: Listen 80 NameVirtualHost 172.20.30.40 <VirtualHost 172.20.30.40> DocumentRoot /www/example1 ServerName www.example1.com </VirtualHost> <VirtualHost 172.20.30.40> DocumentRoot /www/example2 ServerName www.example2.org </VirtualHost> <VirtualHost 172.20.30.40> DocumentRoot /www/example3 ServerName www.example3.net </VirtualHost> SSL加密的配置 首先在配置之前先来了解一些基本概念: 证书的概念:首先要有一个根证书,然后用根证书来签发服务器证书和客户证书,一般理解:服务器证书和客户证书是平级关系。SSL必须安装服务器证书来认证。 因此:在此环境中,至少必须有三个证书:根证书,服务器证书,客户端证书。 在生成证书之前,一般会有一个私钥,同时用私钥生成证书请求,再利用证书服务器的根证来签发证书。 SSL所使用的证书可以自己生成,也可以通过一个商业性CA(如Verisign 或 Thawte)签署证书。 签发证书的问题:如果使用的是商业证书,具体的签署方法请查看相关销售商的说明;如果是知己签发的证书,可以使用openssl自带的CA.sh脚本工具。 如果不为单独的客户端签发证书,客户端证书可以不用生成,客户端与服务器端使用相同的证书。 (1) conf/ssl.conf 配置文件中的主要参数配置如下: Listen 443 SSLPassPhraseDialog buildin #SSLPassPhraseDialog exec:/path/to/program SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache SSLSessionCacheTimeout 300 SSLMutex file:/usr/local/apache2/logs/ssl_mutex <VirtualHost _default_:443> # General setup for the virtual host DocumentRoot "/usr/local/apache2/htdocs" ServerName www.example.com:443 ServerAdmin you@example.com ErrorLog /usr/local/apache2/logs/error_log TransferLog /usr/local/apache2/logs/access_log SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key CustomLog /usr/local/apache2/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b" </VirtualHost> (2) 创建和使用自签署的证书: a.Create a RSA private key for your Apache server /usr/local/openssl/bin/openssl genrsa -des3 -out /usr/local/apache2/conf/ssl.key/server.key 1024 b. Create a Certificate Signing Request (CSR) /usr/local/openssl/bin/openssl req -new -key /usr/local/apache2/conf/ssl.key/server.key -out /usr/local/apache2/conf/ssl.key/server.csr c. Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA /usr/local/openssl/bin/openssl req -x509 -days 365 -key /usr/local/apache2/conf/ssl.key/server.key -in /usr/local/apache2/conf/ssl.key/server.csr -out /usr/local/apache2/conf/ssl.crt/server.crt /usr/local/openssl/bin/openssl genrsa 1024 -out server.key /usr/local/openssl/bin/openssl req -new -key server.key -out server.csr /usr/local/openssl/bin/openssl req -x509 -days 365 -key server.key -in server.csr -out server.crt (3) 创建自己的CA(认证证书),并使用该CA来签署服务器的证书。 mkdir /CA cd /CA cp openssl-0.9.7g/apps/CA.sh /CA ./CA.sh -newca openssl genrsa -des3 -out server.key 1024 openssl req -new -key server.key -out server.csr cp server.csr newreq.pem ./CA.sh -sign cp newcert.pem /usr/local/apache2/conf/ssl.crt/server.crt cp server.key /usr/local/apache2/conf/ssl.key/ |
