Lab diagram: (figure not reproduced in this copy)
1. Configure the IP addresses (two extra aliases are added, one per HTTPS site, because each SSL virtual host is bound to its own IP)
[[email protected] ~]# ifconfig eth0:0 192.168.2.101
[[email protected] ~]# ifconfig eth0:1 192.168.2.102
[[email protected] ~]# ifconfig |less
eth0      Link encap:Ethernet  HWaddr 00:0C:29:10:D7:4F
          inet addr:192.168.2.100  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe10:d74f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1130 errors:0 dropped:0 overruns:0 frame:0
          TX packets:632 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:115940 (113.2 KiB)  TX bytes:94183 (91.9 KiB)
          Interrupt:19 Base address:0x2000

eth0:0    Link encap:Ethernet  HWaddr 00:0C:29:10:D7:4F
          inet addr:192.168.2.101  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:19 Base address:0x2000

eth0:1    Link encap:Ethernet  HWaddr 00:0C:29:10:D7:4F
          inet addr:192.168.2.102  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:19 Base address:0x2000
2. Write the zone declaration file
[[email protected] ~]# vim /var/named/chroot/etc/named.rfc1912.zones
zone "com" IN {
        type master;
        file "com.zone";
        allow-update { none; };
};
3. Configure the zone file
[[email protected] ~]# cd /var/named/chroot/var/named/
[[email protected] named]# cp -a gjp.com.zone com.zone
[[email protected] named]# vim lzw.com.zone
[[email protected] named]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
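The zone file itself survives only as a screenshot in the original post, so here is an added example of what the "com" master zone declared in step 2 looks like; it is not the author's file. Assumed values: ns.com as the zone's name server on the server's primary address 192.168.2.100, the hostmaster mailbox, the SOA serial and timers, and the mapping of www.xcu.com to the eth0:0 alias and www.engineer.com to the eth0:1 alias (the page gives the hostnames only in the certificate CNs). zone_lookup is a small helper added to sanity-check the records.

```shell
#!/bin/sh
# Added example, not the original post's zone file: a BIND master zone for "com"
# that maps each HTTPS site to its own IP alias, plus a lookup helper.
# Assumed: ns.com / 192.168.2.100 as the name server, the serial and timers,
# and the hostname-to-alias mapping.
set -eu
ZONEDIR="${ZONEDIR:-$(mktemp -d)}"

# write_zone: writes com.zone in the layout BIND expects (SOA, NS, then A records).
write_zone() {
  cat > "$ZONEDIR/com.zone" <<'EOF'
$TTL 86400
@       IN SOA  ns.com. hostmaster.com. (
                2012082201 ; serial (YYYYMMDDnn)
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400 )    ; negative-cache TTL
@       IN NS   ns.com.
ns      IN A    192.168.2.100
; one A record per SSL site: each name must resolve to the alias whose
; certificate was issued for that name, or the browser reports a name mismatch
www.xcu         IN A    192.168.2.101
www.engineer    IN A    192.168.2.102
EOF
}

# zone_lookup <fqdn>: prints the A record for a name in the com zone, or nothing
# if the name is absent (owner names in the file are relative to the "com" origin).
zone_lookup() {
  rel=${1%.com}
  awk -v n="$rel" '$1==n && $2=="IN" && $3=="A" {print $4}' "$ZONEDIR/com.zone"
}

write_zone
# named-checkzone ships with bind-utils; run it when present to catch syntax errors.
if command -v named-checkzone >/dev/null 2>&1; then
  named-checkzone com "$ZONEDIR/com.zone"
fi
zone_lookup www.xcu.com
```

To deploy, write the file as /var/named/chroot/var/named/com.zone (the path used in step 3) and restart named; `named-checkzone com com.zone` is the proper syntax check before the restart.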
4. Manually create the corresponding directories and web page files
[[email protected] named]# mkdir /var/www/tec
[[email protected] named]# echo "tecnology" > /var/www/tec/index.html
[[email protected] named]# mkdir /var/www/mkt
[[email protected] named]# echo "market" > /var/www/mkt/index.html
5. Apache configuration
[[email protected] ~]# vim /etc/httpd/conf/httpd.conf    // main HTTP configuration file
[[email protected] ~]# cd /etc/httpd/conf.d/    // assumes mod_ssl is already installed
[[email protected] conf.d]# vim ssl.conf    // edit from line 81 onward
6. Generate the private keys, server certificates and CA certificate
[[email protected] httpd]# cd /etc/httpd/certs    // create this directory first
[[email protected] certs]# openssl genrsa 1024 >tec.key
[[email protected] certs]# openssl req -new -key tec.key -out tec.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province (full name) [He Nan]:
Locality Name (eg, city) [zhengzhou]:
Organizational(eg, company) [My Company oLtd]:xcu
Organizational Unit Name (eg, section) []:xc.js
Common Name (eg, your name or your server's hostname) []:www.xcu.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] certs]# openssl ca -in tec.csr -out tec.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Aug 22 07:59:00 2012 GMT
Not After : Aug 22 07:59:00 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = He Nan
organizationName = xcu
organizationalUnitName = xc.js
commonName = www.xcu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier: 28:77:6A:48:96:1C:F1:39:78:36:3A:B7:E4:17:4B:DF:14:BA:9B:F4
X509v3 Authority Key Identifier: keyid:5A:B6:BD:F1:BF:55:93:52:15:58:72:84:48:09:6B:B1:3E:AC:0F:A9
Certificate is to be certified until Aug 22 07:59:00 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] certs]# openssl genrsa 1024 > mkt.key
Generating RSA private key, 1024 bit long modulus
............................++++++
..................................................................++++++
e is 65537 (0x10001)
[[email protected] certs]# openssl req -new -key mkt.key -out mkt.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province (full name) [He Nan]:
Locality Name (eg, city) [zhengzhou]:
Organizational(eg, company) [My Company oLtd]:hngcxy
Organizational Unit Name (eg, section) []:dc
Common Name (eg, your name or your server's hostname) []:www.engineer.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] certs]# openssl ca -in mkt.csr -out mkt.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4 (0x4)
Validity
Not Before: Aug 22 08:04:18 2012 GMT
Not After : Aug 22 08:04:18 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = He Nan
organizationName = hngcxy
organizationalUnitName = dc
commonName = www.engineer.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A7:A2:BA:66:88:CA:8B:F4:DB:46:28:27:06:81:D5:F1:1A:1D:3B:02
X509v3 Authority Key Identifier:
keyid:5A:B6:BD:F1:BF:55:93:52:15:58:72:84:48:09:6B:B1:3E:AC:0F:A9
Certificate is to be certified until Aug 22 08:04:18 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
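The certificate steps above and the Apache configuration from step 5, redone as an added example that is not the original post's commands or files: the key, CSR and signing commands are run non-interactively, the two per-IP SSL virtual hosts are written out, and a check confirms that each vhost's certificate actually names its ServerName and chains to the CA. Assumptions: a throwaway "Lab CA" stands in for the CA behind /etc/pki/tls/openssl.cnf, files go under $WORK instead of /etc/httpd/certs, keys are 2048-bit rather than the page's 1024-bit, and a DNS subjectAltName is added, which the page's certificates lack.

```shell
#!/bin/sh
# Added example, not the original post's commands: the page's key/CSR/signing
# steps done non-interactively, the per-IP Apache SSL vhosts from step 5, and a
# check that each vhost's certificate really names its ServerName.
# Assumptions: a throwaway "Lab CA" replaces the CA behind /etc/pki/tls/openssl.cnf,
# and everything is written under $WORK instead of /etc/httpd/certs.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA standing in for the page's existing CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/C=CN/ST=He Nan/O=Lab CA/CN=Lab CA" 2>/dev/null
}

# issue_cert <name> <hostname> <org>: key, CSR and CA-signed certificate, like
# genrsa / req -new / ca on the page. Differences: 2048-bit keys (1024-bit RSA
# is no longer considered safe) and a DNS subjectAltName, because modern
# clients match the hostname against the SAN and ignore the CN.
issue_cert() {
  name=$1; host=$2; org=$3
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -out "$WORK/$name.csr" \
    -subj "/C=CN/ST=He Nan/L=zhengzhou/O=$org/CN=$host" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > "$WORK/$name.ext"
  openssl x509 -req -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.cert" 2>/dev/null
}

# write_vhosts: one <VirtualHost> per IP alias. Without SNI a TLS client tells
# the server nothing but the IP it connected to, so each HTTPS site needs its
# own address and exactly one certificate (why step 1 added eth0:0 and eth0:1).
# In a real deployment the cert paths would be /etc/httpd/certs/<name>.cert.
write_vhosts() {
  cat > "$WORK/ssl-vhosts.conf" <<EOF
<VirtualHost 192.168.2.101:443>
    ServerName www.xcu.com
    DocumentRoot /var/www/tec
    SSLEngine on
    SSLCertificateFile $WORK/tec.cert
    SSLCertificateKeyFile $WORK/tec.key
</VirtualHost>
<VirtualHost 192.168.2.102:443>
    ServerName www.engineer.com
    DocumentRoot /var/www/mkt
    SSLEngine on
    SSLCertificateFile $WORK/mkt.cert
    SSLCertificateKeyFile $WORK/mkt.key
</VirtualHost>
EOF
}

# cert_cn <cert>: the commonName of a certificate's subject.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_vhosts <conf>: for every SSL vhost, verify that its certificate chains
# to the lab CA and carries the ServerName as both CN and DNS SAN. A mismatch
# here is exactly what makes a browser warn during the "encrypted access" test.
check_vhosts() {
  conf=$1; pairs="$WORK/pairs.txt"; bad=0
  awk '/^[[:space:]]*ServerName/{n=$2} /^[[:space:]]*SSLCertificateFile/{print n, $2}' \
    "$conf" > "$pairs"
  while read -r host cert; do
    cn=$(cert_cn "$cert")
    if openssl verify -CAfile "$WORK/ca.crt" "$cert" >/dev/null 2>&1 \
       && [ "$cn" = "$host" ] \
       && openssl x509 -noout -text -in "$cert" | grep -q "DNS:$host"; then
      echo "$host OK"
    else
      echo "$host MISMATCH (certificate CN=$cn)"; bad=1
    fi
  done < "$pairs"
  return $bad
}

make_ca
issue_cert tec www.xcu.com xcu
issue_cert mkt www.engineer.com hngcxy
write_vhosts
check_vhosts "$WORK/ssl-vhosts.conf"
```

check_vhosts reads the same two directives Apache does (ServerName and SSLCertificateFile), so pointing a vhost at the wrong .cert file, or issuing a certificate whose CN differs from the name users type, is reported before the first browser ever connects; the same check can be run against /etc/httpd/conf.d/ssl.conf once the files are installed.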
Test:
Test machine IP: 192.168.2.10
[[email protected] tec]# vim /etc/httpd/conf/httpd.conf
[[email protected] tec]# vim /etc/httpd/conf.d/ssl.conf
Change Listen 80 as follows:
Plaintext (HTTP) access works normally,
but encrypted (HTTPS) access fails.
Encrypted (HTTPS) access succeeds for both sites.
Start another virtual machine and test DNS.
Note: the client caches lookups, so clear the cache with ipconfig /flushdns (ipconfig /displaydns shows the cached entries).
Zone configuration file used by DNS:
Reposted from: https://blog.51cto.com/guojiping/972255