tpd/ssl
[root@RS1 ~]# cd /etc/httpd/ssl
[root@RS1 ssl]# openssl genrsa -out httpd.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........+++++
................................................+++++
e is 65537 (0x010001)
[root@RS1 ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:rt
Organizational Unit Name (eg, section) []:alg
Common Name (eg, your name or your server's hostname) []:www.123.com
Email Address []:111@11.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@RS1 ssl]# openssl x509 -req -days 365 -in httpd.csr -signkey httpd.key -out httpd.crt
Signature ok
subject=C = cn, ST = hb, L = wh, O = rt, OU = alg, CN = www.wxh.com, emailAddress = 111@11.com
Getting Private key
[root@RS1 ssl]# ls
httpd.crt httpd.csr httpd.key
[root@RS1 ssl]# vi /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
[root@RS1 ~]# echo "RS1" > /var/www/html/index.html
[root@RS1 ~]# systemctl enable --now httpd
#检查https是否可用(证书为自签名,所以curl要加 -k 跳过证书校验;-k 只适合测试环境,生产环境应使用受信任CA签发的证书并去掉 -k)
[root@RS1 ssl]# curl -k https://192.168.111.142
RS1
[root@RS1 ssl]# scp /etc/httpd/ssl/* root@192.168.111.143:/root/
root@192.168.111.143's password:
httpd.crt 100% 1249 1.5MB/s 00:00
httpd.csr 100% 1021 1.4MB/s 00:00
httpd.key 100% 1679 2.0MB/s 00:00
RS2配置
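#关闭防火墙和selinux(仅为简化实验环境;生产环境建议保持firewalld和SELinux开启,只放行所需端口,如443/tcp;若SELinux保持enforcing,从/root移动到/etc/httpd/ssl的证书文件需执行 restorecon -Rv /etc/httpd/ssl 恢复安全上下文)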
[root@RS2 ~]# sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config
[root@RS2 ~]# setenforce 0
[root@RS2 ~]# systemctl disable --now firewalld
#RS2上配置内核参数
[root@RS2 ~]# vim /etc/sysctl.conf
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@RS2 ~]# sysctl -p
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
#配置VIP
[root@RS2 ~]# dnf -y install net-tools
[root@RS2 ~]# ifconfig lo 192.168.111.200/32 broadcast 192.168.111.200 netmask 255.255.255.255 up
#永久生效lo网卡配置
[root@RS2 ~]# echo "ifconfig lo 192.168.111.200/32 broadcast 192.168.111.200 netmask 255.255.255.255 up" >> /etc/rc.d/rc.local
[root@RS2 ~]# chmod +x /etc/rc.d/rc.local
#添加路由
[root@RS2 ~]# route add -host 192.168.111.200/32 dev lo
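#安装httpd服务,部署从RS1复制来的证书和私钥,然后配置好网站首页(私钥httpd.key应仅root可读,例如 chmod 600 /etc/httpd/ssl/httpd.key;httpd.csr只用于签发证书,无需部署到服务器)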
[root@RS2 ~]# dnf -y install httpd mod_ssl
[root@RS2 ~]# vim /etc/httpd/conf.modules.d/00-base.conf
LoadModule ssl_module modules/mod_ssl.so
[root@RS2 ~]# mkdir /etc/httpd/ssl
[root@RS2 ~]# ls
anaconda-ks.cfg httpd.crt httpd.csr httpd.key
[root@RS2 ~]# mv httpd.* /etc/httpd/ssl/
[root@RS2 ~]# ls /etc/httpd/ssl/
httpd.crt httpd.csr httpd.key
[root@RS2 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
[root@RS2 ~]# ech
|