【RHCE】基于用户认证和TLS加密的HTTP服务（HTTPS）

一、创建用户账号

二、TLS加密

三、配置http服务子配置文件

四、创建访问http服务的文件夹以及输入重定向到文件

五、配置Linux本地仓库以及Windows下的本地仓库

六、基础操作

七、测试

一、创建用户账号

用户认证

# 创建两个账户
[root@localhost ~]# htpasswd -c /etc/httpd/zhanghao tom
New password: 
Re-type new password: 
Adding password for user tom
[root@localhost ~]# htpasswd /etc/httpd/zhanghao jerry
New password: 
Re-type new password: 
Adding password for user jerry
# 查看是否创建成功
[root@localhost ~]# tail /etc/httpd/zhanghao
tom:$apr1$2s/wloz6$G0SlGTKB62a4.2gJmy.AL.
jerry:$apr1$lOxB9Dtq$tOTaJ35Jtt8dWouHbjgWi1

二、TLS加密

1.下载mod_ssl

[root@localhost ~]# yum install mod_ssl -y

注意：下载软件，需要配置仓库和挂载，如有需要可以查看本人前面所写的文章

2.tls加密：

# 创建密钥
[root@localhost certs]# openssl genrsa -aes128 2048 > jiami.key
# 输入密码
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
# 创建证书
[root@localhost certs]# openssl req -utf8 -new -key jiami.key -x509 -days 100 -out jiami.crt
Enter pass phrase for jiami.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:86              # 国家
State or Province Name (full name) []:shaanxi     # 省份
Locality Name (eg, city) [Default City]:xi'an     # 城市
Organization Name (eg, company) [Default Company Ltd]:rhce  # 组织
Organizational Unit Name (eg, section) []:peihua  # 组织单元
Common Name (eg, your name or your server's hostname) []:www.hehe.com # 主机名！！！
Email Address []:admin@hehe.com    # 邮箱

3.移动密钥位置

# 移动密钥位置
[root@localhost certs]# cd /etc/pki/tls/certs
# 密钥位置为/etc/pki/tls/private/jiami.key
[root@localhost certs]# mv jiami.key ../private/

4.修改/etc/httpd/conf.d/ssl.conf文件

SSLCertificateFile /etc/pki/tls/certs/jiami.crt
SSLCertificateKeyFile /etc/pki/tls/private/jiami.key

修改为自己创建的密钥和证书

三、配置http服务子配置文件

[root@localhost certs]# vim /etc/httpd/conf.d/vhost.conf 
# 重启服务时需要输入创建tls时的密码
[root@localhost certs]# systemctl restart httpd
🔐 Enter TLS private key passphrase for www.hehe.com:443 (RSA) : ******

文件内容：

<directory /www>
allowoverride none
require all granted
</directory>
# 用户认证
<directory /usr/local/secret>
authtype basic
authname "Please input your passwd: "
authuserfile /etc/httpd/zhanghao
require user tom jerry
</directory>
# tls加密，地址为自己的主机地址，端口为443代表https服务
<virtualhost 192.168.198.151:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/jiami.crt
SSLCertificateKeyFile /etc/pki/tls/private/jiami.key
documentroot /www/hehe
servername www.hehe.com
alias /hehe /usr/local/secret
</virtualhost>

重启http服务

systemctl restart httpd

四、创建访问http服务的文件夹以及输入重定向到文件

[root@localhost certs]# mkdir /www
[root@localhost certs]# mkdir /www/hehe
[root@localhost certs]# mkdir /usr/local/secret
[root@localhost certs]# echo hehe > /www/hehe/index.html
[root@localhost certs]# echo secret > /usr/local/secret/index.html

五、配置Linux本地仓库以及Windows下的本地仓库

1.Linux本地仓库（/etc/hosts）

[root@localhost certs]# vim /etc/hosts
192.168.198.151   www.hehe.com

2.配置Windows中的本地仓库

如果需要在浏览器中测试需要配置Windows本地仓库（C:\Windows\System32\drivers\etc\hosts）

2.1 win+r打开运行窗口

2.2ctrl+shift+enter，以管理员方式运行

2.3 输入"notepad"，会跳出记事本

2.4 打开文件

2.5 选择/windows/system32/drivers/etc/hosts

2.6 将代码加入到hosts文件中

192.168.198.151  www.hehe.com

六、基础操作

[root@localhost certs]# systemctl stop firewalld
[root@localhost certs]# setenforce 0
# 修改过子配置文件，都需要重启http服务，生效
[root@localhost certs]# systemctl restart httpd