#author("2018-08-26T20:44:40+09:00","","") #author("2018-08-26T20:46:19+09:00","","") [[CentOS7]] *バーチャルホスト設定(Apache) [#v4a060f6] 現在運用中の''Web''サーバーで、もうひとつ''Web''サイトを運用する。 ここでは、''Web''サーバー''Apache''のバーチャルホスト機能を使用して、以下に示す条件で2つの''Web''サイトを運用できるようにする。 -メイン''Web''サイトはhttp://hoge.com/ -追加する''Web''サイトはhttp://usage.com/ -メイン''Web''サイトのドキュメントルートは/var/www/html/hoge.com -追加する''Web''サイトのドキュメントルートは/var/www/html/usage.com -メイン''Web''サイトへのアクセスログは/var/log/httpd/access_log、/var/log/httpd/error_logに記録する -追加する''Web''サイトへのアクセスログは/var/log/httpd/usage.com-access_log、/var/log/httpd/usage.com-error_logに記録する *ドメイン名取得 [#z8ab895d] 追加する''Web''サイトのドメイン名を取得する。 *バーチャルホスト設定 [#k06a0b48] |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# mkdir /var/www/html/usage.com &color(lime){← バーチャルホスト用ドキュメントルートディレクトリ作成};| |[root@localhost ~]# vi /etc/httpd/conf.d/virtualhost-00.conf &color(lime){← 未定義ホスト用バーチャルホスト設定ファイル作成};| |&color(lime){※バーチャルホスト未定義ホスト名でアクセス時にアクセスを拒否する}; &br; <VirtualHost _default_:80> &br; ServerName any &br; <Location /> &br; Require all denied &br; </Location> &br; </VirtualHost>| |[root@localhost ~]# vi /etc/httpd/conf.d/virtualhost-hoge.com.conf &color(lime){← メインホスト用バーチャルホスト設定ファイル作成};| |<VirtualHost *:80> &br; ServerName hoge.com &br; DocumentRoot /var/www/html/hoge.com &br; </VirtualHost>| |[root@localhost ~]# vi /etc/httpd/conf.d/virtualhost-usage.com.conf &color(lime){← 追加ホスト用バーチャルホスト設定ファイル作成};| |<VirtualHost *:80> &br; ServerName usage.com &br; DocumentRoot /var/www/html/usage.com &br; ErrorLog logs/usage.com-error_log &br; CustomLog logs/usage.com-access_log combined env=!no_log &br; </VirtualHost>| *Webサーバー再起動 [#j02d5aa6] |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# systemctl restart httpd &color(lime){← Webサーバー再起動};| *バーチャルホスト確認 [#had8d0e2] 外部からバーチャルホストにアクセスできるか確認する。 |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# echo test >> /var/www/html/usage.com/index.html &color(lime){← テストページ作成};| ''[[Free Monitoring Test 
Tools>http://www.websitepulse.com/help/tools.php?tab=http]]''の「''Select Test Type''」欄で「''Website Test''」を選択、「''Enter Test Target''」欄にサーバー名(例:http://usage.com)を入力して「''Perform Test''」ボタンを押下する。 以下のような結果が表示されればOK ----- Website test results &br; &br; URL tested: http://usage.com &br; Test performed from: New York, NY &br; Test performed at: 2017-04-28 15:28:14 (GMT +00:00) &br; Resolved As: XXX.XXX.XXX.XXX &br; Status: OK &color(blue){← OKを確認}; &br; Response Time: 0.786 sec &br; DNS: 0.393 sec &br; Connect: 0.185 sec &br; Redirect: 0.000 sec &br; First byte: 0.208 sec &br; Last byte: 0.000 sec &br; Size: 5 bytes &br; ----- |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# rm -f /var/www/html/usage.com/index.html &color(lime){← テストページ削除};| *暗号化通信用バーチャルホスト設定 &color(red){※[[Webサーバー間通信内容暗号化>Webサーバー間通信内容暗号化(Apache+mod_SSL+Certbot)]]を導入している場合のみ}; [#e73573f7] **サーバー証明書取得 [#xabf6bc1] 追加ホストについて、[[''Web''サーバー間通信内容暗号化(Apache+mod_SSL+Certbot)>Webサーバー間通信内容暗号化(Apache+mod_SSL+Certbot)]]の「■サーバー証明書取得」を実施。 **バーチャルホスト設定 [#jb3e1e6e] |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# vi /etc/httpd/conf.d/virtualhost-hoge.com.conf &color(lime){← メインホスト用バーチャルホスト設定ファイル編集};| |<VirtualHost *:80> &br; ServerName hoge.com &br; DocumentRoot /var/www/html/hoge.com &br; </VirtualHost> &br; &color(lime){/etc/httpd/conf.d/ssl.confの<VirtualHost _default_:443>~</VirtualHost>をコピーしてここに貼り付ける}; &br; <VirtualHost &color(lime){*};:443> &color(lime){← *に変更}; &br; &br; DocumentRoot "/var/www/html/hoge.com" &color(lime){← メインホスト用ドキュメントルートを指定}; &br; ServerName hoge.com:443 &color(lime){← メインホストサーバー名を指定}; &br; &br; # Use separate log files for the SSL virtual host; note that LogLevel &br; # is not inherited from httpd.conf. &br; ErrorLog logs/error_log &br; CustomLog logs/access_log combined env=!no_log &br; LogLevel warn &br; &br; # SSL Engine Switch: &br; # Enable/Disable SSL for this virtual host. 
&br; SSLEngine on &br; &br; # SSL Protocol support: &br; # List the enable protocol levels with which clients will be able to &br; # connect. Disable SSLv2 access by default: &br; SSLProtocol all -SSLv2 -SSLv3 &br; &br; # SSL Cipher Suite: &br; # List the ciphers that the client is permitted to negotiate. &br; # See the mod_ssl documentation for a complete list. &br; SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4 &br; &br; # Speed-optimized SSL Cipher configuration: &br; # If speed is your main concern (on busy HTTPS servers e.g.), &br; # you might want to force clients to specific, performance &br; # optimized ciphers. In this case, prepend those ciphers &br; # to the SSLCipherSuite list, and enable SSLHonorCipherOrder. &br; # Caveat: by giving precedence to RC4-SHA and AES128-SHA &br; # (as in the example below), most connections will no longer &br; # have perfect forward secrecy - if the server's key is &br; # compromised, captures of past or future traffic must be &br; # considered compromised, too. &br; SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+ \ &br; AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS &br; SSLHonorCipherOrder on &br; &br; # Server Certificate: &br; # Point SSLCertificateFile at a PEM encoded certificate. If &br; # the certificate is encrypted, then you will be prompted for a &br; # pass phrase. Note that a kill -HUP will prompt again. A new &br; # certificate can be generated using the genkey(1) command. &br; SSLCertificateFile /etc/letsencrypt/live/hoge.com/cert.pem &br; &br; # Server Private Key: &br; # If the key is not combined with the certificate, use this &br; # directive to point at the key file. Keep in mind that if &br; # you've both a RSA and a DSA private key you can configure &br; # both in parallel (to also allow the use of DSA ciphers, etc.) 
&br; SSLCertificateKeyFile /etc/letsencrypt/live/hoge.com/privkey.pem &br; &br; # Server Certificate Chain: &br; # Point SSLCertificateChainFile at a file containing the &br; # concatenation of PEM encoded CA certificates which form the &br; # certificate chain for the server certificate. Alternatively &br; # the referenced file can be the same as SSLCertificateFile &br; # when the CA certificates are directly appended to the server &br; # certificate for convinience. &br; SSLCertificateChainFile /etc/letsencrypt/live/hoge.com/chain.pem &br; &br; # Certificate Authority (CA): &br; # Set the CA certificate verification path where to find CA &br; # certificates for client authentication or alternatively one &br; # huge file containing all of them (file must be PEM encoded) &br; #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt &br; #SSLCACertificateFile /etc/pki/tls/certs/ca.pem &br; &br; # Client Authentication (Type): &br; # Client certificate verification type and depth. Types are &br; # none, optional, require and optional_no_ca. Depth is a &br; # number which specifies how deeply to verify the certificate &br; # issuer chain before deciding the certificate is not valid. &br; #SSLVerifyClient require &br; #SSLVerifyDepth 10 &br; &br; # Access Control: &br; # With SSLRequire you can do per-directory access control based &br; # on arbitrary complex boolean expressions containing server &br; # variable checks and other lookup directives. The syntax is a &br; # mixture between C and Perl. See the mod_ssl documentation &br; # for more details. &br; #<Location /> &br; #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP | NULL)/ \ &br; # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." 
\ &br; # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ &br; # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ &br; # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ &br; # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ &br; #</Location> &br; &br; # SSL Engine Options: &br; # Set various options for the SSL engine. &br; # o FakeBasicAuth: &br; # Translate the client X.509 into a Basic Authorisation. This means that &br; # the standard Auth/DBMAuth methods can be used for access control. The &br; # user name is the `one line' version of the client's X.509 certificate. &br; # Note that no password is obtained from the user. Every entry in the user &br; # file needs this password: `xxj31ZMTZzkVA'. &br; # o ExportCertData: &br; # This exports two additional environment variables: SSL_CLIENT_CERT and &br; # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the &br; # server (always existing) and the client (only existing when client &br; # authentication is used). This can be used to import the certificates &br; # into CGI scripts. &br; # o StdEnvVars: &br; # This exports the standard SSL/TLS related `SSL_*' environment variables. &br; # Per default this exportation is switched off for performance reasons, &br; # because the extraction step is an expensive operation and is usually &br; # useless for serving static content. So one usually enables the &br; # exportation for CGI and SSI requests only. &br; # o StrictRequire: &br; # This denies access when "SSLRequireSSL" or "SSLRequire" applied even &br; # under a "Satisfy any" situation, i.e. when it applies access is denied &br; # and no other module can change it. &br; # o OptRenegotiate: &br; # This enables optimized SSL connection renegotiation handling when SSL &br; # directives are used in per-directory context. 
&br; #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire &br; <Files ~ "\.(cgi | shtml | phtml | php3?)$"> &br; SSLOptions +StdEnvVars &br; </Files> &br; <Directory "/var/www/cgi-bin"> &br; SSLOptions +StdEnvVars &br; </Directory> &br; &br; # SSL Protocol Adjustments: &br; # The safe and default but still SSL/TLS standard compliant shutdown &br; # approach is that mod_ssl sends the close notify alert but doesn't wait for &br; # the close notify alert from client. When you need a different shutdown &br; # approach you can use one of the following variables: &br; # o ssl-unclean-shutdown: &br; # This forces an unclean shutdown when the connection is closed, i.e. no &br; # SSL close notify alert is send or allowed to received. This violates &br; # the SSL/TLS standard but is needed for some brain-dead browsers. Use &br; # this when you receive I/O errors because of the standard approach where &br; # mod_ssl sends the close notify alert. &br; # o ssl-accurate-shutdown: &br; # This forces an accurate shutdown when the connection is closed, i.e. a &br; # SSL close notify alert is send and mod_ssl waits for the close notify &br; # alert of the client. This is 100% SSL/TLS standard compliant, but in &br; # practice often causes hanging connections with brain-dead browsers. Use &br; # this only for browsers where you know that their SSL implementation &br; # works correctly. &br; # Notice: Most problems of broken clients are also related to the HTTP &br; # keep-alive facility, so you usually additionally want to disable &br; # keep-alive for those clients, too. Use variable "nokeepalive" for this. &br; # Similarly, one has to force some clients to use HTTP/1.0 to workaround &br; # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and &br; # "force-response-1.0" for this. 
&br; BrowserMatch "MSIE [2-5]" \ &br; nokeepalive ssl-unclean-shutdown \ &br; downgrade-1.0 force-response-1.0 &br; &br; # Per-Server Logging: &br; # The home of a custom SSL log file. Use this when you want a &br; # compact non-error SSL logfile on a virtual host basis. &br; CustomLog logs/ssl_request_log \ &br; "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" &br; Header always set Strict-Transport-Security "max-age=15768000" &br; </VirtualHost>| |[root@localhost ~]# vi /etc/httpd/conf.d/virtualhost-usage.com.conf &color(lime){← 追加ホスト用バーチャルホスト設定ファイル編集};| |<VirtualHost *:80> &br; ServerName usage.com &br; DocumentRoot /var/www/html/usage.com &br; ErrorLog logs/usage.com-error_log &br; CustomLog logs/usage.com-access_log combined env=!no_log &br; </VirtualHost> &br; &color(lime){/etc/httpd/conf.d/ssl.confの<VirtualHost _default_:443>~</VirtualHost>をコピーしてここに貼り付けて下記のみ修正}; &br; <VirtualHost &color(lime){*};:443> &color(lime){← *に変更}; &br; DocumentRoot "/var/www/html/usage.com" &color(lime){← 追加ホスト用ドキュメントルートを指定}; &br; ServerName usage.com:443 &color(lime){← 追加ホストサーバー名を指定}; &br; ErrorLog logs/usage.com-error_log &color(lime){← 追加ホスト用エラーログファイル名を指定}; &br; CustomLog logs/usage.com-access_log combined env=!no_log &color(lime){← 追加ホスト用アクセスログファイル名を指定}; &br; SSLCertificateFile /etc/letsencrypt/live/usage.com/cert.pem &color(lime){← 追加ホスト用サーバー証明書を指定}; &br; SSLCertificateKeyFile /etc/letsencrypt/live/usage.com/privkey.pem &color(lime){← 追加ホスト用秘密鍵を指定}; &br; SSLCertificateChainFile /etc/letsencrypt/live/usage.com/chain.pem &color(lime){← 追加ホスト用中間証明書を指定};| |[root@localhost ~]# vi /etc/httpd/conf.d/ssl.conf &color(lime){← ''ssl.conf''編集};| |&color(lime){--削除(ここから)--}; &br; <VirtualHost _default_:443> &br; ・ &br; ・ &br; ・ &br; </VirtualHost> &br; &color(lime){--削除(ここまで)--};| ※ssl.confの<VirtualHost _default_:443>を削除した後は、ポート443でバーチャルホスト未定義のホスト名でアクセスされた場合、ポート80のように拒否されず、conf.d内で最初に読み込まれる*:443のバーチャルホスト(この例ではhoge.com)が応答する点に注意。 *Webサーバー再起動 [#we7ef74e] |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# systemctl restart httpd &color(lime){← Webサーバー再起動};| *暗号化通信用バーチャルホスト確認 
&color(red){※[[Webサーバー間通信内容暗号化>Webサーバー間通信内容暗号化(Apache+mod_SSL+Certbot)]]を導入している場合のみ}; [#he2db485] 外部からバーチャルホストに''HTTPS''でアクセスできるか確認する。 |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# echo test >> /var/www/html/usage.com/index.html &color(lime){← テストページ作成};| [[Free Monitoring Test Tools>http://www.websitepulse.com/help/tools.php?tab=http]]の「''Select Test Type''」欄で「''Website Test''」を選択、「''Enter Test Target''」欄にサーバー名(例:https://usage.com)を入力して「''Perform Test''」ボタンを押下する。 以下のような結果が表示されればOK ----- Website test results &br; &br; URL tested: https://usage.com &br; Test performed from: New York, NY &br; Test performed at: 2017-04-28 15:28:14 (GMT +00:00) &br; Resolved As: XXX.XXX.XXX.XXX &br; Status: OK &color(blue){← OKを確認}; &br; Response Time: 0.786 sec &br; DNS: 0.393 sec &br; Connect: 0.185 sec &br; Redirect: 0.000 sec &br; First byte: 0.208 sec &br; Last byte: 0.000 sec &br; Size: 5 bytes &br; ----- |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# rm -f /var/www/html/usage.com/index.html &color(lime){← テストページ削除};| *内部向けDNSサーバーへドメイン名反映 [#p0619e35] [[''DNS''サーバー構築(''BIND'')>DNSサーバー構築(BIND)]]を参考に、追加した''Web''サイトのドメイン名(usage.com)の正引きゾーンデータベースを作成、''named.conf''へ作成した正引きゾーンデータベース情報を追加して、''DNS''サーバーへ反映する。 これで、内部からも、追加した''Web''サイトへドメイン名(usage.com)でアクセスできるようになる。