環(huán)境準(zhǔn)備實(shí)驗(yàn)環(huán)境：?
主機(jī)IP描述192.168.5.181操作系統(tǒng)為CentOS7，安裝httpd2.4版本192.168.5.121操作系統(tǒng)為CentOS6，安裝httpd2.2版本，安裝MySQL數(shù)據(jù)庫(kù)192.168.5.180測(cè)試用Linux系統(tǒng)，安裝有curl工具192.168.5.190測(cè)試用Linux系統(tǒng)，安裝有curl工具192.168.5.182CA證書頒發(fā)機(jī)構(gòu)在兩臺(tái)主機(jī)上面先清空防火墻規(guī)則，關(guān)閉Selinux，然后用yum安裝httpd，在CentOS6上面，默認(rèn)的Base源里面是httpd2.2版本；在CentOS7上面，默認(rèn)的Base源里面是httpd2.4版本。?
$iptables-tfilter-F$setenforce0$yuminstallhttpd在CentOS7上面查看httpd版本：$yuminfohttpd|grep-iversionVersion:2.4.6在CentOS6上面查看httpd版本：$yuminfohttpd|grep-iversionVersion:2.2.15實(shí)驗(yàn)一：基于主機(jī)名稱的虛擬主機(jī)CentOS6, httpd2.2環(huán)境?
在/etc/httpd/conf.d/目錄下面添加一個(gè)新的配置項(xiàng)virtualhost.conf，編輯里面的內(nèi)容如下所示，添加NameVirtualHost指令，指明用192.168.5.121:80作為基于FQDN的虛擬主機(jī)，添加兩個(gè)VirtualHost配置段，分別使用www1.stuX.com和www2.stuX.com作為主機(jī)名?
分別給兩臺(tái)虛擬主機(jī)自定義日志功能：?
www1.stuX.com的訪問日志是/web/vhosts/www1/access_log?
www1.stuX.com的錯(cuò)誤日志是/web/vhosts/www1/error_log?
www2.stuX.com的訪問日志是/web/vhosts/www2/access_log?
www2.stuX.com的錯(cuò)誤日志是/web/vhosts/www2/error_log?
之后重啟httpd服務(wù)：?
$cat/etc/httpd/conf.d/virtualhost.confNameVirtualHost192.168.5.121:80<VirtualHost192.168.5.121:80>ServerNamewww1.stuX.comDocumentRoot"/web/vhosts/www1"LogFormat"%h%u%t\"%r\"%>s\"%{Referer}i\"\"%{User-Agent}i\""custom1CustomLog/web/vhosts/www1/access_logcustom1ErrorLog/web/vhosts/www1/error_log<Directory"/web/vhosts/www1">Orderallow,denyAllowfromall</Directory></VirtualHost><VirtualHost192.168.5.121:80>ServerNamewww2.stuX.comDocumentRoot"/web/vhosts/www2"LogFormat"%h%u%t\"%r\"%>s\"%{Referer}i\"\"%{User-Agent}i\""custom2CustomLog/web/vhosts/www2/access_logcustom2ErrorLog/web/vhosts/www2/error_log<Directory"/web/vhosts/www2">Orderallow,denyAllowfromall</Directory></VirtualHost>$servicehttpdstart創(chuàng)建/web/vhosts/www1和/web/vhosts/www2目錄，分別在目錄里面添加一個(gè)簡(jiǎn)單的測(cè)試頁(yè)面：?
$mkdir-p/web/vhosts/www{1,2}$echo"Thisiswww1.stuX.com">/web/vhosts/www1/index.html$echo"Thisiswww2.stuX.com">/web/vhosts/www2/index.htmlCentOS7, httpd2.4環(huán)境?
同樣在/etc/httpd/conf.d目錄下面添加一個(gè)新的配置項(xiàng)virtualhost.conf。與CentOS6不同的是，省略掉了NameVirtualHost指令，并且ACL權(quán)限的配置也發(fā)生了變化。使用www3.stuX.com和www4.stuX.com作為主機(jī)名。?
定義日志功能：?
www3.stuX.com的訪問日志是/web/vhosts/www3/access_log?
www3.stuX.com的錯(cuò)誤日志是/web/vhosts/www3/error_log?
www4.stuX.com的訪問日志是/web/vhosts/www4/access_log?
www4.stuX.com的錯(cuò)誤日志是/web/vhosts/www4/error_log?
之后重啟httpd.service?
<VirtualHost192.168.5.181:80>ServerNamewww3.stuX.comDocumentRoot"/web/vhosts/www3"LogFormat"%h%u%t\"%r\"%>s\"%{Referer}i\"\"%{User-Agent}i\""custom3CustomLog/web/vhosts/www3/access_logcustom3ErrorLog/web/vhosts/www3/error_log<Directory"/web/vhosts/www3">OptionsNoneAllowOverrideNone<RequireAll>RequireallgrantedRequirenotip192.168.5.190</RequireAll></Directory></VirtualHost><VirtualHost192.168.5.181:80>ServerNamewww4.stuX.comDocumentRoot"/web/vhosts/www4"LogFormat"%h%u%t\"%r\"%>s\"%{Referer}i\"\"%{User-Agent}i\""custom4CustomLog/web/vhosts/www4/access_logcustom3ErrorLog/web/vhosts/www4/error_log<Directory"/web/vhosts/www4">OptionsNoneAllowOverrideNoneRequireallgranted</Directory></VirtualHost>創(chuàng)建/web/vhosts/www3和/web/vhosts/www4目錄，分別在目錄里面添加一個(gè)簡(jiǎn)單的測(cè)試頁(yè)面：?
$mkdir-p/web/vhosts/www{3,4}$echo"Thisiswww3.stuX.com">/web/vhosts/www3/index.html$echo"Thisiswww4.stuX.com">/web/vhosts/www4/index.html客戶端測(cè)試?
在客戶端配置/etc/hosts文件，用來(lái)解析主機(jī)名?
root@alternative:~#cat/etc/hosts|grep-iwww192.168.5.121www1.stuX.comwww2.stuX.com192.168.5.181www3.stuX.comwww4.stuX.com通過客戶端的測(cè)試，可以看到結(jié)果如下所示，完成了基于主機(jī)名的虛擬主機(jī)配置：?
root@alternative:~#curlhttp://www1.stuX.comThisiswww1.stuX.comroot@alternative:~#curlhttp://www2.stuX.comThisiswww2.stuX.comroot@alternative:~#curlhttp://www3.stuX.comThisiswww3.stuX.comroot@alternative:~#curlhttp://www4.stuX.comThisiswww4.stuX.com偽裝客戶端和跳轉(zhuǎn)地址root@alternative:~#curl-A"curltest"-e"http://www.baidu.com"http://www1.stuX.comThisiswww1.stuX.comroot@alternative:~#curl-A"curltest2"-e"http://www.sina.com"http://www2.stuX.comThisiswww2.stuX.comroot@alternative:~#curl-A"curltest3"-e"http://www.sohu.com"http://www3.stuX.comThisiswww3.stuX.comroot@alternative:~#curl-A"curltest4"-e"http://www.163.com"http://www4.stuX.comThisiswww4.stuX.com發(fā)起一些錯(cuò)誤的請(qǐng)求，用來(lái)檢測(cè)error_log是否生效root@alternative:~#curlhttp://www1.stuX.com/123<!DOCTYPEHTMLPUBLIC"-//IETF//DTDHTML2.0//EN"><html><head><title>404NotFound</title></head><body><h2>NotFound</h2><p>TherequestedURL/123wasnotfoundonthisserver.</p><hr><address>Apache/2.2.15(CentOS)Serveratwww1.stux.comPort80</address></body></html>root@alternative:~#curlhttp://www2.stuX.com/456<!DOCTYPEHTMLPUBLIC"-//IETF//DTDHTML2.0//EN"><html><head><title>404NotFound</title></head><body><h2>NotFound</h2><p>TherequestedURL/456wasnotfoundonthisserver.</p><hr><address>Apache/2.2.15(CentOS)Serveratwww2.stux.comPort80</address></body></html>root@alternative:~#curlhttp://www3.stuX.com/789<!DOCTYPEHTMLPUBLIC"-//IETF//DTDHTML2.0//EN"><html><head><title>404NotFound</title></head><body><h2>NotFound</h2><p>TherequestedURL/789wasnotfoundonthisserver.</p></body></html>root@alternative:~#curlhttp://www4.stuX.com/000<!DOCTYPEHTMLPUBLIC"-//IETF//DTDHTML2.0//EN"><html><head><title>404NotFound</title></head><body><h2>NotFound</h2><p>TherequestedURL/000wasnotfoundonthisserver.</p></body></html>查看一下訪問日志以及錯(cuò)誤日志：?
$tail-f/web/vhosts/www{1,2}/{access,error}_log==>/web/vhosts/www1/access_log<==192.168.5.180-[02/Jun/2017:14:46:24+0800]"GET/HTTP/1.1"200"-""curl/7.22.0(x86_64-pc-linux-gnu)libcurl/7.22.0OpenSSL/1.0.1zlib/1.2.3.4libidn/1.23librtmp/2.3"192.168.5.180-[02/Jun/2017:14:46:40+0800]"GET/123HTTP/1.1"404"-""curl/7.22.0(x86_64-pc-linux-gnu)libcurl/7.22.0OpenSSL/1.0.1zlib/1.2.3.4libidn/1.23librtmp/2.3"192.168.5.180-[02/Jun/2017:14:49:01+0800]"GET/HTTP/1.1"200"http://www.baidu.com""curltest"==>/web/vhosts/www1/error_log<==[FriJun0214:46:402017][error][client192.168.5.180]Filedoesnotexist:/web/vhosts/www1/123==>/web/vhosts/www2/access_log<==192.168.5.180-[02/Jun/2017:14:46:28+0800]"GET/HTTP/1.1"200"-""curl/7.22.0(x86_64-pc-linux-gnu)libcurl/7.22.0OpenSSL/1.0.1zlib/1.2.3.4libidn/1.23librtmp/2.3"192.168.5.180-[02/Jun/2017:14:46:52+0800]"GET/456HTTP/1.1"404"-""curl/7.22.0(x86_64-pc-linux-gnu)libcurl/7.22.0OpenSSL/1.0.1zlib/1.2.3.4libidn/1.23librtmp/2.3"192.168.5.180-[02/Jun/2017:14:49:16+0800]"GET/HTTP/1.1"200"http://www.sina.com""curltest2"==>/web/vhosts/www2/error_log<==[FriJun0214:46:522017][error][client192.168.5.180]Filedoesnotexist:/web/vhosts/www2/456實(shí)驗(yàn)二：協(xié)議登錄認(rèn)證對(duì)于httpd2.2版本的www1.stuX.com虛擬主機(jī)，以及httpd2.4版本的www3.stuX.com虛擬主機(jī)，分別添加狀態(tài)監(jiān)控頁(yè)面，并且利用第三方模塊mod_auth_mysql.so對(duì)用戶賬戶進(jìn)行認(rèn)證與授權(quán)。用戶賬戶存放在192.168.5.121這個(gè)節(jié)點(diǎn)的mysql服務(wù)器上面。認(rèn)證采用aes加密認(rèn)證。詳細(xì)配置方案，請(qǐng)參照其他博文。?
在mysql里面建立一個(gè)名為http_auth的數(shù)據(jù)庫(kù)，在該數(shù)據(jù)庫(kù)下建立一個(gè)名為mysql_auth的數(shù)據(jù)表，在表中添加兩個(gè)用戶，分別為admin和root，采用aes_encrypt函數(shù)對(duì)密碼進(jìn)行加密，加密用的salt分別為’hello’和’root’。如下所示：?
mysql>usehttp_auth;Databasechangedmysql>showtables;+---------------------+|Tables_in_http_auth|+---------------------+|mysql_auth|+---------------------+1rowinset(0.00sec)mysql>descmysql_auth;+-------------+----------+------+-----+---------+-------+|Field|Type|Null|Key|Default|Extra|+-------------+----------+------+-----+---------+-------+|user_name|char(30)|NO|PRI|NULL|||user_passwd|tinyblob|YES||NULL|||user_group|char(25)|YES||NULL|||salt|tinyblob|YES||NULL||+-------------+----------+------+-----+---------+-------+4rowsinset(0.01sec)mysql>select*frommysql_auth;+-----------+------------------+------------+-------+|user_name|user_passwd|user_group|salt|+-----------+------------------+------------+-------+|admin|?G°??P-S|admin|hello||root|???￥V′l?Gχ|admin|root|+-----------+------------------+------------+-------+2rowsinset(0.00sec)注：確保mysql開啟了用戶遠(yuǎn)程訪問的權(quán)限，在這里使用mysql的root@’%’用戶，開啟訪問數(shù)據(jù)庫(kù)的權(quán)限：grant all pribileges on *.* to root@'%' identified by 'root' with grant option?
CentOS6, httpd2.2環(huán)境?
將mod_auth_mysql.so模塊加載進(jìn)來(lái)，確保mod_auth_mysql.so模塊在操作系統(tǒng)中存在，并且在/etc/httpd/modules里面有副本，這樣便可以使用相對(duì)于ServerRoot的相對(duì)路徑來(lái)引用，在主配置文件/etc/httpd/conf/httpd.conf里面添加一行：?
LoadModulemysql_auth_modulemodules/mod_auth_mysql.so以實(shí)驗(yàn)一的virtualhost.conf文件為基礎(chǔ)，添加<Location>指令段開啟狀態(tài)頁(yè)面，并針對(duì)狀態(tài)頁(yè)面做基于用戶的協(xié)議認(rèn)證，添加權(quán)限控制的選項(xiàng)，如下所示：?
注：?針對(duì)mod_auth_mysql.so的配置指令，詳細(xì)請(qǐng)參照該模塊的文檔。?
注：這里的AuthBasicAuthoritative指令尤為重要，因?yàn)槭褂玫氖堑谌秸J(rèn)證模塊，如果不設(shè)定為Off的話，httpd將認(rèn)為該模塊為非法模塊從而無(wú)法使用。?
............<Location/status>SetHandlerserver-statusOrderdeny,allowAllowfromallAuthTypeBasicAuthBasicAuthoritativeOffAuthName"authlogin"AuthMySQLHost192.168.5.121AuthMySQLPort3306AuthMySQLUserrootAuthMySQLPasswordshrootAuthMySQLDBhttp_authAuthMySQLUserTablemysql_authAuthMySQLNameFielduser_nameAuthMySQLPasswordFielduser_passwdAuthMySQLEnableonAuthMySQLPwEncryptionaesAuthMySQLSaltFieldsaltrequirevalid-user</Location>............配置完畢之后，用service httpd restart命令重啟httpd服務(wù)。?
CentOS7, httpd2.4環(huán)境?
同樣需要將mod_auth_mysql.so添加進(jìn)來(lái)，確保mod_auth_mysql.so模塊在操作系統(tǒng)中存在，并且在/etc/httpd/modules里面有副本，這樣便可以使用相對(duì)于ServerRoot的相對(duì)路徑來(lái)引用。?
httpd2.4的模塊加載配置文件和上面的httpd2.2的模塊配置加載文件不同，需要在/etc/httpd/conf.modules.d目錄下面創(chuàng)建一個(gè)單獨(dú)的模塊加載配置文件，這里創(chuàng)建一個(gè)名字為10-mysql.conf的配置文件，在里面添加一行：?
LoadModulemysql_auth_modulemodules/mod_auth_mysql.so以實(shí)驗(yàn)一的virtualhost.conf文件為基礎(chǔ)，添加<Location>指令段開啟狀態(tài)頁(yè)面，并針對(duì)狀態(tài)頁(yè)面做基于用戶的協(xié)議認(rèn)證，添加權(quán)限控制的選項(xiàng)，如下所示：?
注：?針對(duì)mod_auth_mysql.so的配置指令，詳細(xì)請(qǐng)參照該模塊的文檔。?
注：這里的AuthBasicAuthoritative指令尤為重要，因?yàn)槭褂玫氖堑谌秸J(rèn)證模塊，如果不設(shè)定為Off的話，httpd將認(rèn)為該模塊為非法模塊從而無(wú)法使用。?
注：在httpd2.4里面，如果不顯式定義AuthUserFile，有可能會(huì)遇到認(rèn)證失敗的情況。因?yàn)槭褂胢ysql里面的數(shù)據(jù)進(jìn)行認(rèn)證，因此這里只需要指定文件系統(tǒng)的認(rèn)證文件為/dev/null即可。

了解更多網(wǎng)絡(luò)知識(shí)關(guān)注：http://www.vecloud.com/