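Apache is the most widely used web server software in the world. It runs on almost every commonly used computer platform, and its cross-platform support and security have made it one of the most popular web server packages. It is fast, reliable, and extensible through a simple API, so interpreters such as Perl and Python can be compiled into the server. The name Apache also refers to a Native American tribe in the southwestern United States, a foundation, an attack helicopter, and more.

These notes cover: installation with Yum and, with SELinux enabled, common configurations such as authentication, personal home pages, and virtual hosts.
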
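Apache can control access to a site's resources based on the source hostname, the source IP address, or browser characteristics of the source host. The Allow directive permits a host to access the site's resources, the Deny directive forbids access, and password authentication can be added to specific pages.

Purpose: when we open the specified page, we are prompted for a password before we can access it. This is password authentication.
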
1. Install the Apache service from the Yum repository.

```
[root@localhost ~]# yum install -y apr apr-util httpd
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager.
Package apr-1.4.8-3.el7_4.1.x86_64 already installed and latest version
Package apr-util-1.5.2-6.el7.x86_64 already installed and latest version
Package httpd-2.4.6-80.el7.x86_64 already installed and latest version
Nothing to do
```

2. Edit the main Apache configuration file and add the statement marked with ★ below in the corresponding section.

```
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#
# ★ changed to AllowOverride all
AllowOverride all

#
# Controls who can get stuff from this server.
#
```

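3. In the directory that holds the page to protect, create a .htaccess file and overwrite it with the following content.

```
[root@localhost ~]# echo "hello admin" > /var/www/html/index.html
[root@localhost ~]# vim /var/www/html/.htaccess

# Welcome prompt shown in the login dialog
authname "welcome to admin"
# Authentication type
authtype basic
# Location of the password file
authuserfile /var/www/html/login.psd
# Nobody except authenticated users may log in
require valid-user
```
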
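4. Use the tool shipped with Apache to generate the password file. The username and password set here are the credentials used when visiting the page.

```
[root@localhost ~]# htpasswd -c /var/www/html/login.psd lyshark    # create the authenticated user (overwrites the file)
[root@localhost ~]# htpasswd -m /var/www/html/login.psd lyshark    # write an authenticated user (appends to the file)
```
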
5. Restart the Apache service and visit the page to test.

```
[root@localhost ~]# systemctl restart httpd
```

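Purpose: when we open the specified page, the server checks whether your IP address is allowed or denied access. This is IP-based authentication.

```
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf

#
# Relax access to content within /var/www.
#
<Directory "/var/www/html">

    Order allow,deny
    # Under "Order allow,deny" a request must match an Allow line to get through
    allow from all
    # To allow or deny a host, only the word before "from" needs to change
    deny from 192.168.1.8
    require all granted
</Directory>

# Further relax access to the default document root:
```
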
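An added example, not from the original notes: a shell/awk model of how mod_access_compat decides `Order` / `Allow from` / `Deny from`, run over two constructed directive sets. It matches hosts only as `all` or an exact IP (an assumption of this sketch; the real module also accepts ranges and hostnames).

```sh
#!/bin/sh
# Added example: models mod_access_compat Order/Allow/Deny evaluation.
# Simplification (assumption): hosts are matched only as "all" or an exact IP.

# access_decision CLIENT_IP < directives  -> prints "allow" or "deny"
access_decision() {
    awk -v ip="$1" '
        # True if any host listed after "from" on this line matches the client
        function hit(   i) {
            for (i = 3; i <= NF; i++)
                if (tolower($i) == "all" || $i == ip) return 1
            return 0
        }
        { sub(/#.*/, ""); key = tolower($1); from = (tolower($2) == "from") }
        key == "order"                  { order = tolower($2) }
        key == "allow" && from && hit() { allowed = 1 }
        key == "deny"  && from && hit() { denied = 1 }
        END {
            if (order == "allow,deny")
                ok = allowed && !denied   # must match Allow, must not match Deny
            else
                ok = allowed || !denied   # deny,allow (the default): open unless denied
            print (ok ? "allow" : "deny")
        }'
}

# Constructed sample: a Deny line but no Allow line
no_allow_block() {
    printf '%s\n' 'Order allow,deny' 'Deny from 192.168.1.8'
}

# Constructed sample: the same rule with an explicit Allow
with_allow_block() {
    printf '%s\n' 'Order allow,deny' 'Allow from all' 'Deny from 192.168.1.8'
}

# The 2.4-native form of with_allow_block (mod_authz_core), for comparison:
#   <RequireAll>
#       Require all granted
#       Require not ip 192.168.1.8
#   </RequireAll>

for client in 192.168.1.8 192.168.1.9; do
    echo "no Allow,   $client: $(no_allow_block   | access_decision "$client")"
    echo "with Allow, $client: $(with_allow_block | access_decision "$client")"
done
```
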
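If you want to set up a website for each individual system user, the usual approach is to deploy multiple sites with virtual hosts, but that is far too much work. Fortunately, Apache provides a personal home page feature. The following experiment gives each user a separate web space of their own, similar to QQ Zone.
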
1. First edit the configuration file: comment out the UserDir disabled line and enable UserDir public_html, then save and exit.

```
[root@localhost ~]# vim /etc/httpd/conf.d/userdir.conf

    # of a username on the system (depending on home directory
    # permissions).
    #
    # Comment out this line
    # UserDir disabled
......
    # To enable requests to /~user/ to serve the user's public_html
    # directory, remove the "UserDir disabled" line above, and uncomment
    # the following line instead:
    #
    # Uncomment this line
    UserDir public_html
</IfModule>
```

2. Create a test user, create a public_html directory in its home directory, and set the appropriate permissions.

```
[root@localhost ~]# useradd lyshark
[root@localhost ~]# echo "123123" |passwd --stdin lyshark
Changing password for user lyshark.
passwd: all authentication tokens updated successfully.

[root@localhost ~]# mkdir -p /home/lyshark/public_html
[root@localhost ~]# echo "hello admin" > /home/lyshark/public_html/index.html
[root@localhost ~]# chmod 755 -R /home/lyshark/
```

3. Next, configure the SELinux security context.

```
[root@localhost home]# ls -lZ
drwxr-xr-x. lyshark lyshark unconfined_u:object_r:user_home_dir_t:s0 lyshark
[root@localhost home]# ls -lZ /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html

[root@localhost home]# yum provides semanage
[root@localhost home]# yum install -y policycoreutils-python-2.5-22.el7.x86_64
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager.
Package policycoreutils-python-2.5-22.el7.x86_64 already installed and latest version
Nothing to do

[root@localhost home]# semanage fcontext -a -t httpd_sys_content_t /home/lyshark/
[root@localhost home]# restorecon -Rv /home/lyshark/
[root@localhost home]# restorecon -Rv /home/lyshark/*

[root@localhost home]# getsebool -a |grep httpd_enable
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
[root@localhost home]# setsebool -P httpd_enable_homedirs=1
[root@localhost home]# setsebool httpd_enable_homedirs=1
```

4. Restart the Apache service and test the result.

```
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# elinks http://192.168.1.10/~lyshark/
```

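If a server has multiple IP addresses and each one corresponds to a website deployed on it, then requests to different IPs reach the pages of different sites, and every site has its own IP address. The following experiment configures multiple IPs on one server and builds multiple websites, each using one IP address.
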
1. Install the Apache service from the Yum repository.

```
[root@localhost ~]# yum install -y apr apr-util httpd
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager.
Package apr-1.4.8-3.el7_4.1.x86_64 already installed and latest version
Package apr-util-1.5.2-6.el7.x86_64 already installed and latest version
Package httpd-2.4.6-80.el7.x86_64 already installed and latest version
Nothing to do
```

2. First configure a sub-interface on the primary IP address.

```
[root@localhost ~]# ifconfig ens32:0 192.168.1.20 netmask 255.255.255.0
[root@localhost ~]# ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.10  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe8::89c:d2d:cd5:b9ec  prefixlen 64  scopeid 0x20<link>
        ether 01:0c:89:b1:b7:be  txqueuelen 1000  (Ethernet)
        RX packets 1237  bytes 82607 (80.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 184  bytes 24411 (23.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens32:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.20  netmask 255.255.255.0  broadcast 192.168.1.255
        ether 00:0c:29:b1:b1:be  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 196  bytes 16656 (16.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 196  bytes 16656 (16.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

3. Create two subdirectories under /var/www/html, one for each IP address.

```
[root@localhost ~]# mkdir -p /var/www/html/vhost1
[root@localhost ~]# mkdir -p /var/www/html/vhost2
[root@localhost ~]# echo "vhost 1" > /var/www/html/vhost1/index.html
[root@localhost ~]# echo "vhost 2" > /var/www/html/vhost2/index.html
```

4. Edit the main Apache configuration file and add two virtual host sections.

```
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf

# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

<VirtualHost 192.168.1.10:80>
    DocumentRoot /var/www/html/vhost1
    ServerName localhost
    <Directory /var/www/html/vhost1>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost 192.168.1.20:80>
    DocumentRoot /var/www/html/vhost2
    ServerName localhost
    <Directory /var/www/html/vhost2>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

5. Restart the Apache service and test access.

```
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# curl 192.168.1.10
vhost 1
[root@localhost ~]# curl 192.168.1.20
vhost 2
```

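Port-based virtual hosts let users reach resources on the server by port number. Of the ways to configure virtual sites in Apache, the port-based one is the most complex. The following experiment configures multiple ports on one server and builds multiple websites, each using one port.
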
1. Edit the main Apache configuration file in two places.

```
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf

# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
Listen 8080
.....
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

<VirtualHost 192.168.1.10:80>
    DocumentRoot /var/www/html/vhost1
    ServerName localhost
    <Directory /var/www/html/vhost1>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost 192.168.1.10:8080>
    DocumentRoot /var/www/html/vhost2
    ServerName localhost
    <Directory /var/www/html/vhost2>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

2. Create two subdirectories under /var/www/html, one for each port.

```
[root@localhost ~]# mkdir -p /var/www/html/vhost1
[root@localhost ~]# mkdir -p /var/www/html/vhost2
[root@localhost ~]# echo "vhost 1" > /var/www/html/vhost1/index.html
[root@localhost ~]# echo "vhost 2" > /var/www/html/vhost2/index.html
```

3. Restart the Apache service and test access.

```
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# curl 192.168.1.10:80
vhost 1
[root@localhost ~]# curl 192.168.1.10:8080
vhost 2
```

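When the server cannot assign a separate IP to every website, you can have Apache identify the domain name the user requested and serve different content for different domain names. To verify the experiment we set up DNS resolution by hand. The following experiment hosts multiple domain names on one server and builds multiple websites, each using one domain name.
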
1. First set up DNS resolution to simulate the two site domains vhost1.com and vhost2.com.

```
[root@localhost ~]# yum install -y bind bind-chroot
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager.
Package 32:bind-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-chroot-9.9.4-61.el7.x86_64 already installed and latest version
Nothing to do
```

2. Configure DNS resolution. A simple configuration is enough here; for detailed DNS examples, see other related articles.

```
[root@localhost ~]# vim /etc/named.conf

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

[root@localhost ~]# vim /etc/named.rfc1912.zones

zone "vhost1.com" IN {
        type master;
        file "vhost1.com.zone";
        allow-update { none; };
};
zone "vhost2.com" IN {
        type master;
        file "vhost2.com.zone";
        allow-update { none; };
};
```

3. Copy the template zone file, edit the copies to look like the following, and restart Bind.

```
[root@localhost ~]# cp -a /var/named/named.localhost /var/named/vhost1.com.zone
[root@localhost ~]# cp -a /var/named/named.localhost /var/named/vhost2.com.zone

[root@localhost ~]# vim /var/named/vhost1.com.zone

$TTL 1D
@       IN SOA  dns.vhost1.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.vhost1.com.
dns     A       127.0.0.1
www     A       192.168.1.10

[root@localhost ~]# vim /var/named/vhost2.com.zone

$TTL 1D
@       IN SOA  dns.vhost2.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.vhost2.com.
dns     A       127.0.0.1
www     A       192.168.1.10

[root@localhost ~]# systemctl restart named
```

4. Edit the main Apache configuration file in two places.

```
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf

# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

<VirtualHost *:80>
    DocumentRoot /var/www/html/vhost1
    ServerName www.vhost1.com
    <Directory /var/www/html/vhost1>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /var/www/html/vhost2
    ServerName www.vhost2.com
    <Directory /var/www/html/vhost2>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

5. Create two subdirectories under /var/www/html, one for each domain name.

```
[root@localhost ~]# mkdir -p /var/www/html/vhost1
[root@localhost ~]# mkdir -p /var/www/html/vhost2
[root@localhost ~]# echo "vhost 1" > /var/www/html/vhost1/index.html
[root@localhost ~]# echo "vhost 2" > /var/www/html/vhost2/index.html
```

6. Restart the Apache service and test access.

```
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# curl www.vhost1.com
vhost 1
[root@localhost ~]# curl www.vhost2.com
vhost 2
```

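An added example, not from the original notes: a shell/awk model of name-based selection among `<VirtualHost *:80>` blocks, showing that a request whose Host header matches no ServerName is answered by the first block listed. The config is a constructed copy of the two hosts above, `unknown.example` is a made-up name, and ServerAlias wildcards are not modelled.

```sh
#!/bin/sh
# Added example: which DocumentRoot answers a given Host header under
# name-based virtual hosting. Simplified model (assumption): one address:port
# set, exact case-insensitive ServerName/ServerAlias matches, no wildcards.

# vhost_for HOST < config  -> prints the DocumentRoot that serves HOST
vhost_for() {
    awk -v host="$1" '
        BEGIN { host = tolower(host); sub(/:[0-9]+$/, "", host) }  # drop :port
        { sub(/#.*/, ""); key = tolower($1) }
        key ~ /^<virtualhost/ { n++; next }          # a new block starts
        key == "documentroot" { root[n] = $2 }
        key == "servername" || key == "serveralias" {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == host && !hit) hit = n   # first match wins
        }
        END {
            if (n == 0) exit 1
            print root[hit ? hit : 1]    # no match: first listed block answers
        }'
}

# Constructed copy of the two name-based hosts configured above
sample_conf() {
    cat <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html/vhost1
    ServerName www.vhost1.com
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /var/www/html/vhost2
    ServerName www.vhost2.com
</VirtualHost>
EOF
}

# unknown.example is a made-up name that matches no ServerName
for h in www.vhost1.com WWW.VHOST2.COM:80 unknown.example 192.168.1.10; do
    echo "Host: $h -> $(sample_conf | vhost_for "$h")"
done
```

Listing a deliberately empty or deny-all virtual host first keeps requests with unexpected Host headers away from real site content.
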
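In production we need to make our website more secure, and in most cases we enable HTTPS encryption to protect data in transit. The following experiment enables an SSL certificate, that is, HTTPS, on port 443.
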
1. Create the server private key; you will be asked to enter a passphrase during the process.

```
[root@localhost ~]# openssl genrsa -des3 -out server.key 1024
----------------------------------------------------------------------------
Notes:
genrsa -des3       # encryption type
-out server.key    # output file
1024               # key length
----------------------------------------------------------------------------
```

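2. Create the certificate request; the generated CSR file becomes the server's own certificate once a CA has signed it.

```
[root@localhost ~]# openssl req -new -key server.key -out server.csr
----------------------------------------------------------------------------
Notes:
req -new           # new certificate
-key server.key    # private key file
-out server.csr    # output file
Note: enter in order: country, province, city, organization, unit, full name, EMAIL, whether to change the password, whether to change the name
----------------------------------------------------------------------------
```
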
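3. Convert the request into a certificate. This step is done by the certificate authority (CA); here it is only an experiment.

```
[root@localhost ~]# openssl x509 -req -days 365 -sha256 -in server.csr -signkey server.key -out servernew.crt
```
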
4. Copy the generated certificate files to the /etc/httpd/conf directory and set the permissions.

```
[root@localhost ~]# cp -a servernew.crt /etc/httpd/conf
[root@localhost ~]# cp -a server.key /etc/httpd/conf
```

5. Create a configuration file with the following content to enable SSL support.

```
[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf

Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

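An added example, not part of the original notes: a shell/awk model of how the tokens on an `SSLProtocol` line combine, showing which protocol versions `all -SSLv2` leaves enabled. It assumes `all` expands to SSLv3, TLSv1, TLSv1.1 and TLSv1.2, as in httpd 2.4.6-era builds like the one installed above; newer builds differ.

```sh
#!/bin/sh
# Added example: resolve an SSLProtocol token list to the versions it enables.
# Assumption: "all" means SSLv3 TLSv1 TLSv1.1 TLSv1.2, as in httpd 2.4.6-era
# builds; SSLv2 does not exist in httpd 2.4, so "-SSLv2" changes nothing.
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# enabled_protocols TOKEN...  -> enabled versions, oldest first
enabled_protocols() {
    printf '%s\n' "$*" | awk -v all="$ALL_PROTOCOLS" '
        function set_all(v,   i) { for (i = 1; i <= n; i++) on[tolower(p[i])] = v }
        BEGIN { n = split(all, p, " ") }
        {
            for (f = 1; f <= NF; f++) {
                t = tolower($f); sign = substr(t, 1, 1)
                if (sign == "+" || sign == "-") t = substr(t, 2)
                else { sign = "="; set_all(0) }   # bare token replaces the set
                if (t == "all") set_all(sign != "-")
                else on[t] = (sign != "-")
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (on[tolower(p[i])]) out = out (out ? " " : "") p[i]
            print out
        }'
}

# legacy_protocols TOKEN...  -> enabled versions older than TLSv1.2
legacy_protocols() {
    enabled_protocols "$@" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i != "TLSv1.2") out = out (out ? " " : "") $i
        print out
    }'
}

# Constructed inputs: the value used on this page, then a stricter one
for line in "all -SSLv2" "all -SSLv3 -TLSv1 -TLSv1.1"; do
    # $line is left unquoted on purpose so it splits into tokens
    echo "SSLProtocol $line"
    echo "  enabled: $(enabled_protocols $line)"
    echo "  legacy:  $(legacy_protocols $line)"
done
```
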