htaccess authentication and SSL encryption

  • Source:
  • Updated: 2018-05-09


Because the project calls for Apache security hardening, access has to be authenticated; by default the site is reached on port 80.

1. Set the virtual host listening port


root@10.1.1.200:apache2# cat ports.conf
NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

2. Configure the virtual host

root@10.1.1.200:sites-enabled# cat ossec
<VirtualHost *:80>
    ServerAdmin root@localhost
    ServerName 10.1.1.200
    DocumentRoot /var/www/ossec
    <Directory /var/www/ossec>
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from 10.1.1.200
        # Basic authentication (Apache does not allow comments on the same line as a directive,
        # so the notes sit on their own lines)
        AuthType Basic
        # the realm shown in the login prompt
        AuthName "ossec system"
        AuthBasicProvider file
        # best kept somewhere clients cannot reach
        AuthUserFile /etc/apache2/password/passwords
        # any user listed in the passwords file above; a single user can also be named explicitly
        Require valid-user
    </Directory>
    ErrorLog /var/log/apache2/ossec_error.log
    LogLevel warn
    CustomLog /var/log/apache2/ossec_access.log combined
</VirtualHost>

You can also change AllowOverride None to AllowOverride AuthConfig. That lets the AuthType and related directives move out of the server configuration into /var/www/ossec/.htaccess (it must be that file name). Because the settings then live outside the configuration file, in theory the password requirement takes effect without a restart, and every location where the .htaccess file is placed requires authentication.

3. Generate the user database

root@10.1.1.200:sites-enabled# cd /etc/apache2/password/
root@10.1.1.200:password# ls
passwords
root@10.1.1.200:password# htpasswd -c /etc/apache2/password/passwords ossecadmin
root@10.18.21.201:password# cat passwords
ossecadmin:faarAgVTPHuXc

4. Restart Apache

root@10.1.1.200:~# /etc/init.d/apache2 restart

5. Test access
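As an added example (this script is not from the original post), the following shell helpers look at steps 3 and 5 from a tester's side: they build and decode the Authorization header a client sends for Basic authentication, and they audit the passwords file for hash formats that should be re-created. It assumes GNU or busybox coreutils (base64, mktemp); the passwords file it writes is constructed, and the bcrypt value in it is a placeholder rather than a real hash.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers around the Basic auth
# set-up above: build/decode the Authorization header a test client sends,
# and audit the AuthUserFile for weak hash formats.
# Assumptions: GNU/busybox coreutils (base64, mktemp); the sample
# passwords file written by demo() is constructed for this example.

# Build the Authorization header value for user $1 and password $2.
basic_auth_header() {
    printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Decode a "Basic <b64>" header back to user:password. Base64 is an
# encoding, not encryption: over plain HTTP on port 80 anyone on the path
# can read the credentials, which is why the post goes on to add SSL.
decode_basic_header() {
    printf '%s' "${1#Basic }" | base64 -d
}

# Classify one htpasswd hash by its prefix or shape.
#   crypt     13-char traditional DES crypt (old htpasswd default on Unix);
#             two-character salt, only the first 8 password characters count
#   apr1-md5  $apr1$..., written by htpasswd -m
#   sha1      {SHA}..., written by htpasswd -s, unsalted
#   bcrypt    $2y$..., written by htpasswd -B (Apache 2.4 and later)
hash_kind() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '{SHA}'*)                echo sha1 ;;
        *'$'*)                   echo unknown ;;
        ?????????????)           echo crypt ;;
        *)                       echo unknown ;;
    esac
}

# Print "user kind verdict" for every entry in passwords file $1 and
# return 1 if any entry uses a format that should be re-hashed.
audit_htpasswd() {
    rc=0
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        kind=$(hash_kind "$hash")
        case "$kind" in
            bcrypt)   verdict=ok ;;
            apr1-md5) verdict=legacy ;;
            *)        verdict=weak; rc=1 ;;
        esac
        printf '%s %s %s\n' "$user" "$kind" "$verdict"
    done < "$1"
    return $rc
}

# Stand-alone demo on a constructed passwords file. The first entry is the
# one shown in the post; the second has the shape of an "htpasswd -B"
# entry, but its hash value is a constructed placeholder.
demo() {
    f=$(mktemp)
    printf 'ossecadmin:faarAgVTPHuXc\n' > "$f"
    printf 'auditor:$2y$05$constructedplaceholderhashvalue0000000000000000000\n' >> "$f"
    hdr=$(basic_auth_header ossecadmin 'secret')
    echo "Header a test client sends: $hdr"
    echo "...which decodes to: $(decode_basic_header "$hdr")"
    audit_htpasswd "$f" || echo "weak hash formats present; re-create those entries with: htpasswd -B FILE USER"
    rm -f "$f"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh audit.sh demo`. The entry from the post, faarAgVTPHuXc, is a 13-character traditional crypt hash, the format htpasswd produced by default on older Unix systems: it has a two-character salt and uses no more than the first eight characters of the password, so a long passphrase buys nothing. With Apache 2.4 or later, htpasswd -B writes bcrypt entries instead. The header decode shows why the rest of the post adds SSL: Basic credentials are only base64-encoded, so on port 80 they are readable on the wire.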


If we also want SSL-encrypted access on port 443, and, since port 80 is the default, we do not want users to have to type https themselves, there are many ways to do it; here we add a redirect in the configuration file.

1. Load the ssl and rewrite modules

root@10.1.1.200:mods-available# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
root@10.1.1.200:mods-available# a2enmod rewrite
Enabling module rewrite.
Run '/etc/init.d/apache2 restart' to activate new configuration!

2. Generate the key


A. Create a 2048-bit key file (you will be prompted for a passphrase and its confirmation):

#openssl genrsa -des3 -out server.key 2048

After it runs there should be a server.key file in the current directory.

B. View the created key file (optional):

#openssl rsa -noout -text -in server.key

C. Create the unencrypted pem copy of the key (optional):

#openssl rsa -in server.key -out server.key.unsecure

D. Create the csr file (the tool asks for some information; the Common Name ("YOUR name") is the site's domain name, e.g. www.dave.com, and the other fields should match that domain's registration details):

#openssl req -new -key server.key -out server.csr

After it runs there should be a server.csr file in the current directory.

E. Create the crt file:

#openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

After it runs there should be a server.crt file in the current directory.

Put the generated files in /etc/apache2/ssl
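As an added example (not a script from the original post), here are steps A to E as one non-interactive shell script, followed by the checks worth running before the files are copied into /etc/apache2/ssl: that the key really is encrypted, that the certificate was issued for that key, and that it is self-signed. It assumes a reasonably current openssl, that the passphrase is supplied through the KEY_PASS environment variable instead of a prompt, and it wraps the key with AES-256 rather than the 3DES of the post's genrsa -des3; the site names and passphrase in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: steps A to E above as one
# non-interactive script plus sanity checks on the result.
# Assumptions: openssl on PATH; the key passphrase is read from the
# KEY_PASS environment variable (never from argv, which other local users
# could see in ps); AES-256 key wrapping instead of the post's 3DES.

# make_selfsigned DIR CN SAN DAYS
#   DIR   output directory; server.key, server.csr and server.crt are written there
#   CN    Common Name, the site name the post's step D asks for
#   SAN   subjectAltName entry, e.g. "DNS:www.dave.com" or "IP:10.1.1.200";
#         browsers match the certificate on this, not on CN
#   DAYS  validity in days; the post uses 3650
make_selfsigned() {
    dir=$1 cn=$2 san=$3 days=$4
    [ -n "${KEY_PASS:-}" ] || { echo "KEY_PASS is not set" >&2; return 1; }
    mkdir -p "$dir"
    # A. encrypted 2048-bit RSA key
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$dir/server.key" 2048 || return 1
    chmod 600 "$dir/server.key"
    # D. certificate request; -subj replaces the interactive questions
    openssl req -new -key "$dir/server.key" -passin env:KEY_PASS \
        -subj "/CN=$cn" -out "$dir/server.csr" || return 1
    # E. self-signed certificate; the SAN is supplied through an extension file
    printf 'subjectAltName=%s\n' "$san" > "$dir/san.ext"
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -passin env:KEY_PASS \
        -extfile "$dir/san.ext" -out "$dir/server.crt" || return 1
}

# The private key is encrypted on disk (this is why Apache later asks for
# the passphrase at start-up).
key_is_encrypted() {
    grep -q ENCRYPTED "$1/server.key"
}

# The certificate belongs to this key: the RSA modulus of both must match.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1/server.key" -passin env:KEY_PASS | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$1/server.crt" | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Self-signed: issuer and subject carry the same name. This is what makes
# the browser warning in the post's step 6 appear; a certificate issued by
# a CA the browser trusts would not trigger it.
cert_is_self_signed() {
    [ "$(openssl x509 -noout -issuer -in "$1/server.crt" | sed 's/^issuer=//')" = \
      "$(openssl x509 -noout -subject -in "$1/server.crt" | sed 's/^subject=//')" ]
}

if [ "${1:-}" = demo ]; then
    KEY_PASS=${KEY_PASS:-constructed-demo-passphrase}; export KEY_PASS
    d=$(mktemp -d)
    make_selfsigned "$d" www.dave.com DNS:www.dave.com 3650
    key_is_encrypted "$d" && key_matches_cert "$d" && cert_is_self_signed "$d" \
        && echo "ok: $d/server.crt is a self-signed certificate for the encrypted key $d/server.key"
    openssl x509 -noout -subject -dates -in "$d/server.crt"
fi
```

Run it as `KEY_PASS='...' sh mkcert.sh demo`; the passphrase you pick here is the one the later ssl.conf passphrase dialog has to supply. A 3650-day self-signed certificate, as in the post, is long-lived and never revocable through a CA, so keep the key file at mode 600 and owned by root.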


3. Set the virtual host listening ports

root@10.1.1.200:apache2# cat ports.conf
NameVirtualHost *:80
NameVirtualHost *:443
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

4. Configure the virtual host

root@10.1.1.200:sites-enabled# vim ossec
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/ossec
    <Directory /var/www/ossec/>
        Options -Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        allow from 10.1.1.200
        AuthType Basic
        AuthName "ossec system"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/password/passwords
        Require valid-user
    </Directory>
    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    CustomLog /var/log/apache2/ssl_access.log combined
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    # if Apache reports an error on restart, comment out the next line
    # (Apache does not accept a comment on the same line as a directive)
    SSLCACertificateFile /etc/apache2/ssl/server.crt
</VirtualHost>

<VirtualHost *:80>
    ServerName 10.1.1.200
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^10.1.1.200 [NC]
    RewriteRule ^/(.*)?$ https://10.1.1.200/$1 [L,R]
</VirtualHost>


5. Restart apache2

root@10.1.1.200:sites-enabled# /etc/init.d/apache2 restart
Restarting web server: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 10.1.1.200 for ServerName
 ... waiting apache2: Could not reliably determine the server's fully qualified domain name, using 10.1.1.200 for ServerName
Apache/2.2.16 mod_ssl/2.2.16 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 10.1.1.200:443 (RSA)
Enter pass phrase:

The restart only succeeds after you enter the passphrase chosen when the SSL key was generated.

root@10.1.1.200:sites-enabled# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::443                  :::*                    LISTEN      562/apache2
tcp6       0      0 :::80                   :::*                    LISTEN      562/apache2

This creates a problem: if the machine reboots, the Apache SSL service waits for someone to enter the passphrase before it can start; otherwise it sits at the prompt indefinitely.

The following method removes the passphrase prompt on Apache restart; in short, when the service restarts, Apache runs a script that supplies the password.

root@10.1.1.200:mods-enabled# vim ssl.conf
#SSLPassPhraseDialog builtin
SSLPassPhraseDialog exec:/etc/apache2/ssl/key.sh

root@10.1.1.200:ssl# vim key.sh
#!/bin/bash
echo 'password'

root@10.1.1.200:ssl# pwd
/etc/apache2/ssl
root@10.1.1.200:ssl# ls -l        # note the permissions: 755
-rwxr-xr-x 1 root root 26 2012-05-30 13:48 key.sh

Restart Apache once more and no user intervention is needed to enter the passphrase.
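The key.sh above keeps the passphrase inside a script that is readable by every local user (mode 755), so anyone with a shell on the box can recover it and, with the key file, the private key. As an added example (not from the original post), the following replacement keeps the passphrase in a separate file and refuses to run unless that file is readable by its owner only. It assumes that Apache's SSLPassPhraseDialog exec: calls the program with two arguments, "servername:port" and the key type, and the passphrase file path /etc/apache2/ssl/passphrase is a hypothetical location chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a replacement for key.sh that
# does not hard-code the passphrase in a world-readable script.
# Assumptions: Apache invokes the exec: dialog as "key.sh servername:port
# KEYTYPE"; the passphrase file below is a hypothetical path, meant to be
# owned by root with mode 600.

PASSFILE=${PASSFILE:-/etc/apache2/ssl/passphrase}   # hypothetical; chmod 600, owner root

# Return 0 only if file $1 has no group or other permission bits set
# (columns 5-10 of "ls -l" are the group and other rwx fields).
owner_only() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Print the passphrase for Apache: the first line of $PASSFILE. $1 and $2
# are the server:port and key type Apache passes; they go to stderr so a
# start-up problem can be diagnosed without the secret ending up in a log.
passphrase_for() {
    site=${1:-unknown} kind=${2:-unknown}
    if [ ! -f "$PASSFILE" ]; then
        echo "key.sh: $PASSFILE missing (requested for $site $kind)" >&2
        return 1
    fi
    if ! owner_only "$PASSFILE"; then
        echo "key.sh: refusing to use $PASSFILE: group/other can read it (chmod 600)" >&2
        return 1
    fi
    head -n 1 "$PASSFILE"
}

# Apache passes two arguments; with none (sourced for testing) do nothing.
if [ $# -ge 2 ]; then
    passphrase_for "$@"
fi
```

Install it as /etc/apache2/ssl/key.sh with the same SSLPassPhraseDialog exec: line as above. Apache reads the key files and runs the dialog at start-up, before it drops privileges, so both key.sh and the passphrase file can be root-only (mode 700 and 600); nothing in the 755 of the post is needed. If the file is ever left too open, the script fails closed and the reason is in the error log instead of the server silently starting with a passphrase anyone could read.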


6. Test access

Click "Continue to this website" and accept the certificate.

Enter the correct password and you are taken to https automatically.