This lab was done on a Red Hat Enterprise Linux 7.0 system; all of the exercises come from the book 《Linux就該這麼學》.

Apache is one of the web server programs with the highest market share today. Its cross-platform support and security are widely recognised, and it offers a fast, reliable and simple API for extensions. The name comes from a Native American tribe and is meant to evoke superior battle tactics and endless patience.
```bash
[root@localhost ~]# yum install httpd -y
```

Location of the configuration files:
| Item | Path |
|---|---|
| Service directory | /etc/httpd |
| Main configuration file | /etc/httpd/conf/httpd.conf |
| Website data directory | /var/www/html |
| Access log | /var/log/httpd/access_log |
| Error log | /var/log/httpd/error_log |
The most important directives in the main configuration file:

| Directive | Meaning |
|---|---|
| ServerRoot | Service directory |
| ServerAdmin | Administrator's e-mail address |
| User | User the service runs as |
| Group | Group the service runs as |
| ServerName | Domain name of the web server |
| DocumentRoot | Website data directory |
| Listen | IP address and port number to listen on |
| DirectoryIndex | Default index page |
| ErrorLog | Error log file |
| CustomLog | Access log file |
| Timeout | Page timeout, 300 seconds by default |
Create a new website directory with a test page:

```bash
[root@localhost ~]# mkdir /home/wwwroot
[root@localhost ~]# echo " This is my web" >/home/wwwroot/index.html
```
Set the SELinux security context:

```bash
# Check the context of httpd's default website directory
[root@localhost ~]# ls -ldZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# Give the newly created website directory the same security context
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/*
# Apply the new labels so that they take effect
[root@localhost ~]# restorecon -Rv /home/wwwroot/
restorecon reset /home/wwwroot context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
```
The semanage command manages SELinux policy; the syntax is `semanage [options] [file]`:

- -l query
- -a add
- -m modify
- -d delete
Edit /etc/httpd/conf/httpd.conf, pointing DocumentRoot and the matching Directory block at the new website directory:

```apache
DocumentRoot "/home/wwwroot"

#
# Relax access to content within /var/www.
#
<Directory "/home/wwwroot">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>
```
```bash
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
# Configure the firewall
[root@localhost ~]# firewall-cmd --permanent --add-service=http
success
[root@localhost ~]# firewall-cmd --permanent --add-service=https
success
[root@localhost ~]# firewall-cmd --reload
success
```

Test access. If the site cannot be reached, check the firewall, SELinux, and whether the website directory actually contains a page.
The personal home page feature of the httpd service lets every user on the system manage a personal website from within their own home directory.

Comment out line 17 (this enables user home pages) and uncomment line 24 (the location inside the user's home directory where the site data is kept):
```bash
[root@localhost ~]# vim /etc/httpd/conf.d/userdir.conf
15 # permissions).
16 #
17 #UserDir disabled
18
19 #
20 # To enable requests to /~user/ to serve the user's public_html
21 # directory, remove the "UserDir disabled" line above, and uncomment
22 # the following line instead:
23 #
24 UserDir public_html
25 </IfModule>
26
```
Create a user and set permissions so that other users also have permission to read the directory contents:

```bash
[root@localhost ~]# useradd developer
[root@localhost ~]# su - developer
[developer@localhost ~]$ mkdir public_html
[developer@localhost ~]$ echo "this is developer's home" >public_html/index.html
[developer@localhost ~]$ chmod -fR 755 /home/developer
```
Because the user's website directory is already inside the home directory, the home directory's SELinux context does not need to be changed. Use the getsebool command to view the SELinux boolean policies related to httpd:
```bash
[root@localhost ~]# getsebool -a |grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
# Turn on httpd_enable_homedirs
[root@localhost ~]# setsebool -P httpd_enable_homedirs=on
```
```bash
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
# Configure the firewall
[root@localhost ~]# firewall-cmd --permanent --add-service=http
success
[root@localhost ~]# firewall-cmd --permanent --add-service=https
success
[root@localhost ~]# firewall-cmd --reload
success
```

Test access.
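Both procedures above end with "test access; if it fails, check the firewall, SELinux and the page". The script below is an added example, not code from the book: each check parses the output of `ls -dZ`, `getsebool -a` and `firewall-cmd --list-services` handed to it as text, so it can be exercised offline against captured output, and `run_live` (a name chosen here) feeds it the real commands on the server.

```bash
# Added example (not from the book): pre-flight checks for a relocated
# DocumentRoot and for per-user public_html directories.

# SELinux type of a path from an `ls -dZ` line: field 4 is
# user:role:type:level, and the type is its third colon-separated part.
selinux_type_of() {
  printf '%s\n' "$1" | awk '{ split($4, c, ":"); print c[3] }'
}

# 0 if the directory carries a type httpd is allowed to read.
docroot_label_ok() {
  case "$(selinux_type_of "$1")" in
    httpd_sys_content_t|httpd_sys_rw_content_t) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 if boolean $2 is "on" in `getsebool -a` output ($1), whose lines look
# like "httpd_enable_homedirs --> on".
sebool_on() {
  printf '%s\n' "$1" | grep -qx "$2 --> on"
}

# 0 if service $2 appears in the single line that
# `firewall-cmd --list-services` prints ($1), e.g. "dhcpv6-client http ssh".
firewall_allows() {
  local svc
  for svc in $1; do
    [ "$svc" = "$2" ] && return 0
  done
  return 1
}

# 0 if the site directory holds a non-empty index.html (DirectoryIndex default).
has_index_page() {
  [ -s "$1/index.html" ]
}

# Run every check against the live system; firewall-cmd needs root.
run_live() {
  local root="${1:-/home/wwwroot}" rc=0
  docroot_label_ok "$(ls -dZ "$root")" || { echo "BAD: $root is not httpd_sys_content_t"; rc=1; }
  sebool_on "$(getsebool -a)" httpd_enable_homedirs || { echo "NOTE: httpd_enable_homedirs is off"; rc=1; }
  firewall_allows "$(firewall-cmd --list-services)" http || { echo "BAD: firewall does not allow http"; rc=1; }
  has_index_page "$root" || { echo "BAD: no index.html in $root"; rc=1; }
  return $rc
}

if [ "${1:-}" = "--live" ]; then run_live "${2:-}"; fi
```

Run it as `bash check.sh --live /home/wwwroot` on the server; without `--live` it only defines the functions.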
Only users who pass authentication should be able to access the site's content.

Use the htpasswd command to generate the password database. The -c option is required the first time the file is created; it is not needed when adding further users. The syntax is `htpasswd -c <password file> <username>`; the user does not need to be a local system user.

```bash
[root@localhost ~]# htpasswd -c /etc/httpd/passwd user007
New password:
Re-type new password:
Adding password for user user007
```
Modify the configuration file; the parameters are on lines 31-37:

```bash
[root@localhost ~]# vim /etc/httpd/conf.d/userdir.conf
31 <Directory "/home/*/public_html">
32     AllowOverride all
33     AuthUserFile "/etc/httpd/passwd"
34     AuthName "please auth"
35     AuthType Basic
36     Require user user007
37 </Directory>
```
Restart httpd:

```bash
[root@localhost ~]# systemctl restart httpd
```

Test access: enter the user name user007 and the password redhat.
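Two things decide how much the basic-auth setup above is worth: the hash scheme stored in /etc/httpd/passwd (htpasswd on RHEL 7 writes `$apr1$` MD5-based hashes by default, but older files may hold crypt(3) or plaintext entries) and the file's permissions. The audit below is an added example, not code from the book; `hash_scheme` and `audit_htpasswd` are names chosen here.

```bash
# Added example (not from the book): audit an htpasswd database.

# Print the hash scheme used by one "user:hash" line.
hash_scheme() {
  local hash="${1#*:}"
  case "$hash" in
    '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
    '$apr1$'*)              echo apr1-md5 ;;
    '{SHA}'*)               echo sha1 ;;
    *)
      # crypt(3) hashes are exactly 13 characters; anything else is plaintext.
      if [ "${#hash}" -eq 13 ]; then echo crypt; else echo plaintext; fi ;;
  esac
}

# 0 if the scheme is acceptable for a new deployment, 1 if it should be rehashed.
scheme_ok() {
  case "$1" in bcrypt|apr1-md5) return 0 ;; *) return 1 ;; esac
}

# Audit a whole file: report users on weak schemes and check the file mode.
# Returns 0 only when every entry is acceptable and "other" has no access.
audit_htpasswd() {
  local file="$1" rc=0 line user scheme mode
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    user="${line%%:*}"
    scheme=$(hash_scheme "$line")
    scheme_ok "$scheme" || { echo "WEAK: $user uses $scheme"; rc=1; }
  done < "$file"
  mode=$(stat -c %a "$file")
  # The last octal digit is the "other" class; anything but 0 is world-accessible.
  case "$mode" in
    *0) ;;
    *) echo "MODE: $file is $mode (world-accessible)"; rc=1 ;;
  esac
  return $rc
}
```

Run `audit_htpasswd /etc/httpd/passwd` after sourcing the file; a non-zero exit means at least one entry or the mode needs attention.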
With virtual hosts, one server can be split into several "virtual servers" that host different websites. There are three ways to do this: by IP address, by host name, and by port. Start with IP-based virtual hosts by giving the server two IP addresses:

```bash
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-eno16777736
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
DEVICE=eno16777736
USERCTL=no
IPADDR1=192.168.137.10
PREFIX1=24
IPADDR2=192.168.137.20
PREFIX2=24
GATEWAY=192.168.137.2
DNS1=114.114.114.114
[root@localhost ~]# systemctl restart network
```
Create two different website directories so that visiting 192.168.137.10 shows "192.168.137.10" and visiting 192.168.137.20 shows "192.168.137.20":

```bash
[root@localhost ~]# mkdir /home/wwwroot/10 -p
[root@localhost ~]# mkdir /home/wwwroot/20 -p
[root@localhost ~]# echo "192.168.137.10" >/home/wwwroot/10/index.html
[root@localhost ~]# echo "192.168.137.20" >/home/wwwroot/20/index.html
```
Set the SELinux security contexts:

```bash
# Check the context of the default website directory
[root@localhost ~]# ls -ldZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# Set the SELinux security context of the new websites
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/10
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/10/*
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/20
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/20/*
# Apply the new labels so that they take effect
[root@localhost ~]# restorecon -Rv /home/wwwroot/
restorecon reset /home/wwwroot context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_dir_t:s0
restorecon reset /home/wwwroot/10 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/wwwroot/10/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/wwwroot/20 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/wwwroot/20/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
```
Add the following on the second-to-last line of the configuration file:

```bash
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
<VirtualHost 192.168.137.10>
    DocumentRoot "/home/wwwroot/10"
    ServerName www.a.com
    <Directory "/home/wwwroot/10">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost 192.168.137.20>
    DocumentRoot "/home/wwwroot/20"
    ServerName www.b.com
    <Directory "/home/wwwroot/20">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```
```bash
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
# Configure the firewall
[root@localhost ~]# firewall-cmd --permanent --add-service=http
success
[root@localhost ~]# firewall-cmd --permanent --add-service=https
success
[root@localhost ~]# firewall-cmd --reload
success
```

Test access.
Name-based virtual hosts: define two domain names, www.a.com and www.b.com, and create a directory for each site's data:

```bash
[root@localhost Desktop]# mkdir -p /home/wwwroot/a
[root@localhost Desktop]# mkdir -p /home/wwwroot/b
[root@localhost Desktop]# echo "a web" >/home/wwwroot/a/index.html
[root@localhost Desktop]# echo "b web" >/home/wwwroot/b/index.html
```

Set the SELinux security contexts:

```bash
# Check the context of the default website directory
[root@localhost Desktop]# ls -ldZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# Set the SELinux security context of the new websites
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/a
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/a/*
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/b
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/b/*
# Apply the new labels so that they take effect
[root@localhost Desktop]# restorecon -Rv /home/wwwroot/
restorecon reset /home/wwwroot context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/a context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/a/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/b context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/b/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
```
Add the following on the second-to-last line of the configuration file:

```bash
[root@localhost Desktop]# vim /etc/httpd/conf/httpd.conf
<VirtualHost 192.168.137.10>
    DocumentRoot "/home/wwwroot/a"
    ServerName www.a.com
    <Directory "/home/wwwroot/a">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost 192.168.137.10>
    DocumentRoot "/home/wwwroot/b"
    ServerName www.b.com
    <Directory "/home/wwwroot/b">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```
```bash
[root@localhost Desktop]# systemctl restart httpd
[root@localhost Desktop]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
# Configure the firewall
[root@localhost Desktop]# firewall-cmd --permanent --add-service=http
success
[root@localhost Desktop]# firewall-cmd --permanent --add-service=https
success
[root@localhost Desktop]# firewall-cmd --reload
success
```

On the test client, add entries to /etc/hosts that resolve both host names:

```bash
[root@localhost Desktop]# vim /etc/hosts
192.168.137.10 www.a.com www.b.com
```
Port-based virtual hosts: define two ports, 333 and 222, and create a directory for each site's data:

```bash
[root@localhost Desktop]# mkdir -p /home/wwwroot/333
[root@localhost Desktop]# mkdir -p /home/wwwroot/222
[root@localhost Desktop]# echo "333 web" >/home/wwwroot/333/index.html
[root@localhost Desktop]# echo "222 web" >/home/wwwroot/222/index.html
```
Set the SELinux security context of the website directories:

```bash
# Check the context of the default website directory
[root@localhost Desktop]# ls -ldZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# Set the context of the new websites
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/333
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/333/*
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/222
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/222/*
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
# Apply the new labels so that they take effect
[root@localhost Desktop]# restorecon -Rv /home/wwwroot/
restorecon reset /home/wwwroot context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/333 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/333/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/222 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/222/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
```
Add ports 333 and 222 to the SELinux port policy so that httpd is allowed to listen on them:

```bash
[root@localhost Desktop]# semanage port -l|grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
[root@localhost Desktop]# semanage port -a -t http_port_t -p tcp 222
[root@localhost Desktop]# semanage port -a -t http_port_t -p tcp 333
```
```bash
[root@localhost wwwroot]# vim /etc/httpd/conf/httpd.conf
Listen 222
Listen 333
<VirtualHost 192.168.137.10:222>
    DocumentRoot "/home/wwwroot/222"
    ServerName www.a.com
    <Directory "/home/wwwroot/222">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost 192.168.137.10:333>
    DocumentRoot "/home/wwwroot/333"
    ServerName www.a.com
    <Directory "/home/wwwroot/333">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```
```bash
[root@localhost wwwroot]# systemctl restart httpd
[root@localhost wwwroot]# systemctl enable htpd
Failed to issue method call: No such file or directory
[root@localhost wwwroot]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
# Configure the firewall
[root@localhost wwwroot]# firewall-cmd --permanent --add-service=http
success
[root@localhost wwwroot]# firewall-cmd --permanent --add-service=https
success
[root@localhost wwwroot]# firewall-cmd --permanent --add-port=222/tcp
success
[root@localhost wwwroot]# firewall-cmd --permanent --add-port=333/tcp
success
[root@localhost wwwroot]# firewall-cmd --reload
success
```

Test access.
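If httpd fails to start after adding `Listen 333`, the usual cause is that the port is not labelled `http_port_t`, which is why the `semanage port` step above is needed. The functions below are an added example, not code from the book: they parse `semanage port -l` output (the sample is the listing shown on this page) so the check can run offline, handle ranges such as `10001-10010`, and print the exact `semanage port -a` command when a port is missing. `ports_for_type`, `port_in_list` and `httpd_port_allowed` are names chosen here.

```bash
# Added example (not from the book): check whether SELinux lets httpd bind a
# port, using `semanage port -l` output handed in as text.

# Print the port list for one type/protocol, e.g. "80, 81, 443, 8443".
ports_for_type() {   # $1: listing text, $2: SELinux port type, $3: tcp|udp
  printf '%s\n' "$1" | awk -v t="$2" -v p="$3" \
    '$1 == t && $2 == p { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# 0 if port $2 falls inside the comma-separated list $1 (ranges allowed).
port_in_list() {
  local item lo hi
  for item in $(printf '%s\n' "$1" | tr ',' ' '); do
    case "$item" in
      *-*) lo="${item%-*}"; hi="${item#*-}" ;;
      *)   lo="$item"; hi="$item" ;;
    esac
    [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ] && return 0
  done
  return 1
}

# 0 if httpd may already listen on tcp port $2 according to listing $1;
# otherwise print the semanage command that would allow it and return 1.
httpd_port_allowed() {
  local list
  list=$(ports_for_type "$1" http_port_t tcp)
  port_in_list "$list" "$2" && return 0
  echo "semanage port -a -t http_port_t -p tcp $2"
  return 1
}

# Sample listing copied from the `semanage port -l | grep http` output above.
SAMPLE_LISTING='http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989'
```

On a live server, run `httpd_port_allowed "$(semanage port -l)" 333` instead of passing the sample.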