Note: this is done on top of an existing Apache 2.2 + MySQL 5.6 + PHP 5.6 + phpMyAdmin + GLPI installation.
Domain redirect:
Visiting ww.zhuohua.store or zhuohua.store should redirect automatically to
http://www.zhuohua.store
Edit Apache's main configuration file:
[root@localhost ~]# vi /etc/httpd/conf/httpd.conf
Append the following at the end of the file (the NameVirtualHost directive must appear only once in the configuration; do not add a second copy if it is already there):
NameVirtualHost *:80
# Add a name-based virtual host for www.zhuohua.store:
<VirtualHost *:80>
DocumentRoot /var/www/html/www.zhuohua.store
ServerName www.zhuohua.store
ServerAlias ww.zhuohua.store zhuohua.store
### Domain redirect rules (begin):
<IfModule mod_rewrite.c>
RewriteEngine on
# Redirect any request whose Host header is not exactly www.zhuohua.store
# (dots escaped so they match literally; [NC] makes the comparison case-insensitive)
RewriteCond %{HTTP_HOST} !^www\.zhuohua\.store$ [NC]
RewriteRule ^/(.*)$ http://www.zhuohua.store/$1 [R=301,L]
</IfModule>
### Domain redirect rules (end)
DirectoryIndex index.html index.htm index.php
ErrorLog logs/www.zhuohua.store-error_log
CustomLog logs/www.zhuohua.store-access_log combined
<Directory /var/www/html/www.zhuohua.store>
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
[Screenshot in the original post: the appended virtual host in httpd.conf]
Create the site's document root and an index page:
cd /var/www/html/
mkdir -p www.zhuohua.store
echo 'www.zhuohua.store' > ./www.zhuohua.store/index.html
Restart Apache:
[root@localhost ~]# service httpd restart
停止 httpd:[确定]
正在启动 httpd:[确定]
Test from a Windows client in a browser. Without a DNS server to resolve the domain names, bind them in the hosts file:
C:\WINDOWS\system32\drivers\etc\hosts
with one line mapping the server's IP to all three names, e.g. <server IP> www.zhuohua.store ww.zhuohua.store zhuohua.store
Remember to set the permissions on the hosts file so it can be edited and saved (screenshot in the original post).
Entering any of the following three URLs gives the same result:
http://www.zhuohua.store
http://ww.zhuohua.store
http://zhuohua.store
############
Apache hotlink protection:
Edit Apache's main configuration file:
[root@localhost ~]# vi /etc/httpd/conf/httpd.conf
Add the hotlink protection configuration:
# Mark requests whose Referer comes from a whitelisted origin. The patterns are
# anchored so that only these hosts match; an unanchored "http://www.zhuohua.store"
# would also accept a Referer such as http://www.zhuohua.store.example.test/
SetEnvIfNoCase Referer "^https?://www\.zhuohua\.store(/|$)" local_ref
SetEnvIfNoCase Referer "^https?://www\.baidu\.com(/|$)" local_ref
SetEnvIfNoCase Referer "^https?://baidu\.com(/|$)" local_ref
SetEnvIfNoCase Referer "^$" local_ref
<FilesMatch "\.(gif|jpg|png|jpeg|flv|swf|rar|zip)$">
Order allow,deny
Allow from env=local_ref
</FilesMatch>
[Screenshot in the original post: the hotlink protection block in httpd.conf]
Notes:
http://www.zhuohua.store, http://baidu.com and http://www.baidu.com form the whitelist of sites allowed to link to the files;
gif|jpg|png|jpeg|flv|swf|rar|zip are the protected file types and can be customised.
The "^$" line also allows requests that carry no Referer at all (direct visits, and any client that simply omits the header), so this stops casual embedding by other sites, not a client that deliberately strips or forges the Referer.
Restart Apache:
[root@localhost ~]# service httpd restart
停止 httpd:[确定]
正在启动 httpd:[确定]
Remember to create test files:
[root@localhost ~]# echo '111' > /var/www/html/www.zhuohua.store/1.gif
[root@localhost ~]# echo '222' > /var/www/html/www.zhuohua.store/2.doc
Hotlink protection tests:
A whitelisted domain referencing a protected file type is served normally:
[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.zhuohua.store/1.gif" www.zhuohua.store/1.gif
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 21:41:53 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 04 Jul 2018 21:40:37 GMT
ETag: "1c0644-4-5703347ff4042"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: image/gif
[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.baidu.com/1.gif" www.zhuohua.store/1.gif
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 21:42:55 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 04 Jul 2018 21:40:37 GMT
ETag: "1c0644-4-5703347ff4042"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: image/gif
[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://baidu.com/1.gif" www.zhuohua.store/1.gif
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 21:43:18 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 04 Jul 2018 21:40:37 GMT
ETag: "1c0644-4-5703347ff4042"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: image/gif
A domain that is not whitelisted referencing a protected file type is refused:
[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.aaa.com/1.gif" www.zhuohua.store/1.gif
HTTP/1.1 403 Forbidden
Date: Wed, 04 Jul 2018 21:44:08 GMT
Server: Apache/2.2.15 (CentOS)
Connection: close
Content-Type: text/html; charset=iso-8859-1
Since the .doc type is not restricted, .doc files have no hotlink protection:
[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.baidu.com/2.doc" www.zhuohua.store/2.doc
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 21:45:01 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 04 Jul 2018 21:40:43 GMT
ETag: "1c0645-4-57033485de2d3"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: application/msword
[root@localhost ~]# curl -x127.0.0.1:80 -I -e "http://www.aaa.com/2.doc" www.zhuohua.store/2.doc
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 21:45:29 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 04 Jul 2018 21:40:43 GMT
ETag: "1c0645-4-57033485de2d3"
Accept-Ranges: bytes
Content-Length: 4
Connection: close
Content-Type: application/msword
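The Host redirect and the Referer whitelist from the two sections above, simulated offline in Python so the decisions can be checked without a running httpd. This is an added example, not code from the original post; the function names and the sample requests are constructed here, and the Referer patterns are anchored so that a Referer which merely contains a whitelisted name does not pass.

```python
import re

# Added example (not from the original post): offline simulation of the two
# Apache rule sets in this tutorial, the Host-based redirect and the Referer
# whitelist used for hotlink protection.

CANONICAL_HOST = "www.zhuohua.store"

# Whitelisted Referer origins. The patterns are anchored (^ ... (/|$)) so that
# http://www.zhuohua.store.example.test/ is NOT accepted; an unanchored
# "http://www.zhuohua.store" would match it as a substring.
ALLOWED_REFERERS = [
    re.compile(r"^https?://www\.zhuohua\.store(/|$)", re.I),
    re.compile(r"^https?://(www\.)?baidu\.com(/|$)", re.I),
    re.compile(r"^$"),  # no Referer at all is allowed, as in the tutorial
]
# File types covered by the <FilesMatch> block
PROTECTED = re.compile(r"\.(gif|jpg|png|jpeg|flv|swf|rar|zip)$", re.I)


def redirect_target(host, path):
    """Mimic RewriteCond %{HTTP_HOST} !^www\\.zhuohua\\.store$ + RewriteRule.

    Returns the 301 Location for a non-canonical Host, or None when the
    request is served directly."""
    if re.fullmatch(r"www\.zhuohua\.store", host, re.I):
        return None
    return "http://%s%s" % (CANONICAL_HOST, path)


def hotlink_status(path, referer):
    """Mimic SetEnvIfNoCase Referer ... local_ref + Allow from env=local_ref.

    Returns the HTTP status Apache would answer for a GET of `path`."""
    if not PROTECTED.search(path):
        return 200  # e.g. .doc is not in the FilesMatch list, never blocked
    if any(p.search(referer or "") for p in ALLOWED_REFERERS):
        return 200
    return 403


if __name__ == "__main__":
    # Constructed requests mirroring the curl tests in the tutorial
    print(redirect_target("zhuohua.store", "/1.gif"))  # http://www.zhuohua.store/1.gif
    print(hotlink_status("/1.gif", "http://www.baidu.com/1.gif"))  # 200
    print(hotlink_status("/1.gif", "http://www.aaa.com/1.gif"))    # 403
    print(hotlink_status("/2.doc", "http://www.aaa.com/2.doc"))    # 200
```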
############
Configuring SSL in Apache:
Note:
The following generates a self-signed SSL certificate; both the procedure and the resulting certificate work for Apache and for Nginx. The session below produces the 1024-bit key that this OpenSSL version generates by default; for anything beyond a test, give an explicit key size of at least 2048 bits (openssl genrsa -des3 -out tmp.key 2048).
[root@localhost ~]# cd /etc/httpd/conf/
[root@localhost conf]# openssl genrsa -des3 -out tmp.key
Generating RSA private key, 1024 bit long modulus
........++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for tmp.key: # enter a passphrase of your choice
Verifying - Enter pass phrase for tmp.key: # enter the same passphrase again
Strip the passphrase from tmp.key and write the result as zhuohua.key (Apache needs an unencrypted key to start unattended):
[root@localhost conf]# openssl rsa -in tmp.key -out zhuohua.key
Enter pass phrase for tmp.key: # enter the passphrase chosen above
writing RSA key
[root@localhost conf]# rm -rf tmp.key
Generate the CSR (certificate signing request):
[root@localhost conf]# openssl req -new -key zhuohua.key -out zhuohua.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:zhuohua
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
[root@localhost conf]#
Generate the CRT certificate file (self-signed with zhuohua.key, valid for 365 days):
[root@localhost conf]# openssl x509 -req -days 365 -in zhuohua.csr -signkey zhuohua.key -out zhuohua.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=zhuohua
Getting Private key
The generated SSL certificate files (screenshot in the original post: zhuohua.key, zhuohua.csr and zhuohua.crt under /etc/httpd/conf/).
Firewall configuration (open TCP 443):
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables-save > /etc/sysconfig/iptables
TCP 80 no longer needs to be open on the firewall, so delete that rule. Match the exact port: a bare pattern such as /80/ would also remove any other line containing those digits, for example a port 8080 rule:
sed -i '/--dport 80 /d' /etc/sysconfig/iptables
service iptables restart
[root@localhost ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Jul 5 05:52:07 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:232]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jul 5 05:52:07 2018
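The rule-pruning step above, done in Python as an added example that is not from the original post: it removes only the rule whose --dport is exactly 80 and shows, side by side, what a bare substring match would delete. The sample dump is constructed from the iptables-save output shown above, with a port-80 rule to delete and a port-8080 rule that must survive.

```python
import re

# Added example (not from the original post): remove the TCP/80 rule from an
# iptables-save dump by matching the exact --dport value, and compare that with
# a bare substring match, which deletes every line containing the digits "80".

# Constructed sample in iptables-save format: the dump shown in the tutorial,
# plus a port-80 rule to delete and a port-8080 rule that must survive.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.7 on Thu Jul 5 05:52:07 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:232]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jul 5 05:52:07 2018
"""


def drop_dport_rules(dump, port):
    """Return the dump with every -A rule whose --dport is exactly `port` removed."""
    rule = re.compile(r"^-A\s.*--dport\s+%d(?=\s|$)" % int(port))
    kept = [line for line in dump.splitlines() if not rule.search(line)]
    return "\n".join(kept) + "\n"


def naive_substring_delete(dump, text):
    """Equivalent of `sed '/text/d'`: drops every line that contains `text`."""
    kept = [line for line in dump.splitlines() if text not in line]
    return "\n".join(kept) + "\n"


def open_tcp_ports(dump):
    """List the --dport values of the ACCEPT rules left in the dump."""
    found = re.findall(r"--dport\s+(\d+)\s.*-j ACCEPT$", dump, re.M)
    return sorted(int(p) for p in found)


if __name__ == "__main__":
    print(open_tcp_ports(drop_dport_rules(SAMPLE_DUMP, 80)))           # [22, 443, 8080]
    print(open_tcp_ports(naive_substring_delete(SAMPLE_DUMP, "80")))  # [22, 443]
```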
Install openssl and the Apache SSL module:
[root@localhost ~]# yum -y install openssl mod_ssl
Check:
[root@localhost ~]# which openssl
/usr/bin/openssl
[root@localhost ~]# find / -name "*ssl.conf"
/etc/httpd/conf.d/ssl.conf
Edit Apache's main configuration file:
[root@localhost ~]# vi /etc/httpd/conf/httpd.conf
Change the port from 80 to 443 in both directives (NameVirtualHost must still appear only once; Apache does not accept a comment after a directive on the same line, so keep these lines exactly as shown):
NameVirtualHost *:443
<VirtualHost *:443>
Add the following lines inside the virtual host:
SSLEngine on
SSLCertificateFile /etc/httpd/conf/zhuohua.crt
SSLCertificateKeyFile /etc/httpd/conf/zhuohua.key
[Screenshot in the original post: the virtual host after the SSL changes]
Note: the domain redirect rules also need changing, since the site now lives on port 443: the RewriteRule target becomes https://www.zhuohua.store/$1 so that the redirect lands on the SSL virtual host.
Restart Apache:
[root@localhost ~]# service httpd restart
停止 httpd:[确定]
正在启动 httpd:[确定]
Test remotely from a client with the QQ browser:
https://www.zhuohua.store/
Remark: the browser warns because the certificate is self-signed, so no trusted CA vouches for it, and because the Common Name entered above (zhuohua) does not match the hostname www.zhuohua.store; this does not prevent access or encryption, but a production site needs a certificate issued for its real hostname.
Just continue to the site (screenshot in the original post).
Note: with SSL configured, the domain redirect still works:
https://ww.zhuohua.store/
https://zhuohua.store/