Red Hat System Administration III
########################### Unit 9: Apache web service
1. Basic Apache configuration
Install the Apache packages:
# yum install -y httpd httpd-manual
[root@httpclient ~]# firewall-cmd --permanent --add-service=http
success
[root@httpclient ~]# firewall-cmd --permanent --add-service=https
success
[root@httpclient ~]# firewall-cmd --reload
success
Start the Apache service:
# systemctl start httpd ; systemctl enable httpd
Check the listening port:
# ss -antlp |grep httpd
LISTEN 0 128 :::80 :::*
users:(("httpd",4347,4),("httpd",4346,4),("httpd",4345,4),("httpd",4344,4),("httpd",4343,4),("httpd",4342,4))
2. Main Apache configuration file: /etc/httpd/conf/httpd.conf
ServerRoot "/etc/httpd"            directory Apache runs from (base for relative paths)
Listen 80                          listening port
User apache                        user and group the httpd processes run as
Group apache
ServerAdmin root@localhost         administrator's e-mail address
DocumentRoot "/var/www/html"       directory holding the web pages
<Directory "/var/www/html">        a <Directory> block defines the access rules for a directory
Require all granted
</Directory>
ErrorLog "logs/error_log"          location of the error log
AddDefaultCharset UTF-8            default character set sent to clients
IncludeOptional conf.d/*.conf      load the additional configuration files
DirectoryIndex index.html          name of the default index page
eg:
[root@httpserver httpd]# vim /etc/httpd/conf/httpd.conf
DocumentRoot "/www/html"
<Directory "/www/html">
# Order Deny,Allow
#Allow from 172.25.254.41
#Deny from All
AllowOverride all ## allow overrides; used here to turn on authentication
Authuserfile /etc/httpd/passfile ## configure user-based authentication with this password file
Authname "Please input your name and password" ## prompt shown when credentials are requested
Authtype basic ## authentication method: basic
require valid-user ## any valid user in the file may log in
#Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex test.html index.html
</IfModule>
[root@httpserver ~]# mkdir -p /www/html
[root@httpserver ~]# vim /www/html/test.html
[root@httpserver ~]# ll -Zd /www/html/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /www/html/
[root@httpserver ~]# ll -Zd /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/
[root@httpserver ~]# semanage fcontext -a -t httpd_sys_content_t '/www(/.*)?' ## SELinux is enforcing and the content directory is no longer the default one, so give the new directory the httpd content security context
[root@httpserver ~]# restorecon -RvvF /www/ ## reset the labels on the existing files to match
restorecon reset /www context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /www/html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /www/html/test.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
[root@httpserver ~]# systemctl restart httpd
[kiosk@foundation41 Desktop]$ vim /etc/hosts ## set on the host running the browser
172.25.254.241 www.westos.com news.westos.com login.westos.com
3. Virtual hosts
Virtual hosting lets a single httpd server serve several web sites at the same time. In this section we look at name-based virtual hosting, where several host names point to the same IP address but the web server serves a different site with different content depending on the host name used to reach it.
Example:
<virtualhost *:80>
servername wwwX.example.com
serveralias wwwX
documentroot /srv/wwwX.example.com/www
customlog "logs/wwwX.example.com.log" combined
</virtualhost>
<directory /srv/wwwX.example.com/www>
require all granted
</directory>
1. <VirtualHost *:80>
...
</VirtualHost>
This is the block that defines a virtual host.
2. ServerName wwwX.example.com
Specifies the server name. With name-based virtual hosting, the name here must exactly match the host name the client requests.
3. ServerAlias serverX wwwX wwwX.example.com
A space-separated list of additional names to match, in the same way as ServerName above.
4. DocumentRoot /var/www/html
Inside the <VirtualHost> block, specifies the directory that content is served from.
5. SELinux labels
semanage fcontext -l
semanage fcontext -a -t httpd_sys_content_t "/directory(/.*)?"
restorecon -vvFR /directory
Demo:
Create the web publishing directories and set their SELinux labels:
# mkdir -p /srv/{default,www0.example.com}/www
# echo "coming soon" > /srv/default/www/index.html
# echo "www0" > /srv/www0.example.com/www/index.html
# restorecon -Rv /srv/
Create the virtual host configuration files:
# cat /etc/httpd/conf.d/00-default-vhost.conf
<virtualhost _default_:80>
documentroot /srv/default/www
customlog "logs/default-vhost.log" combined
</virtualhost>
<directory /srv/default/www>
require all granted
</directory>
# cat 01-www0.example.com-vhost.conf
<virtualhost *:80>
servername www0.example.com
serveralias www0
documentroot /srv/www0.example.com/www
customlog "logs/www0.example.com.log" combined
</virtualhost>
<directory /srv/www0.example.com/www>
require all granted
</directory>
Start the Apache service:
# systemctl start httpd ; systemctl enable httpd
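How httpd chooses between the two vhost files in the Demo above, as an added example that is not course code: a small model of name-based selection that parses a constructed copy of both files and applies the rules from this section (directive names are case-insensitive, the Host header minus any :port is matched case-insensitively against ServerName and every ServerAlias, and when nothing matches the first vhost defined for that address:port serves the request). All function names are this example's own.

```python
"""Model of httpd's name-based virtual host selection (added example)."""
import re
import shlex
from fnmatch import fnmatchcase

# Constructed sample: the Demo's 00-default-vhost.conf followed by
# 01-www0.example.com-vhost.conf, in the order httpd loads conf.d/*.conf.
SAMPLE_CONFIG = """
<virtualhost _default_:80>
documentroot /srv/default/www
customlog "logs/default-vhost.log" combined
</virtualhost>
<directory /srv/default/www>
require all granted
</directory>
<virtualhost *:80>
servername www0.example.com
serveralias www0
documentroot /srv/www0.example.com/www
customlog "logs/www0.example.com.log" combined
</virtualhost>
"""

_OPEN = re.compile(r"^<virtualhost\s+([^>]+)>$", re.IGNORECASE)
_CLOSE = re.compile(r"^</virtualhost>$", re.IGNORECASE)

def parse_vhosts(text):
    """Return one dict per <VirtualHost> block, in configuration order."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _OPEN.match(line)
        if opened:
            current = {"port": int(opened.group(1).rsplit(":", 1)[-1]),
                       "servername": None, "aliases": [], "documentroot": None}
            continue
        if _CLOSE.match(line):
            vhosts.append(current)
            current = None
            continue
        if current is None:
            continue                      # <Directory> blocks are not needed here
        name, *args = shlex.split(line)   # shlex drops the quotes around paths
        name = name.lower()               # httpd directive names are case-insensitive
        if name == "servername":
            current["servername"] = args[0].lower()
        elif name == "serveralias":       # aliases may use * and ? wildcards
            current["aliases"].extend(a.lower() for a in args)
        elif name == "documentroot":
            current["documentroot"] = args[0]
    return vhosts

def select_vhost(vhosts, host_header, port=80):
    """Return the vhost that serves a request with this Host header on this port."""
    host = host_header.strip().lower().rsplit(":", 1)[0]   # drop a trailing :port
    candidates = [v for v in vhosts if v["port"] == port]
    for v in candidates:
        if host == v["servername"] or any(fnmatchcase(host, a) for a in v["aliases"]):
            return v
    # Nothing matched: httpd uses the first vhost listed for this address:port,
    # so every unknown (or deliberately wrong) Host header lands on the default site.
    return candidates[0] if candidates else None

def document_root_for(host_header, config=SAMPLE_CONFIG):
    """DocumentRoot that a request carrying host_header would be served from."""
    chosen = select_vhost(parse_vhosts(config), host_header)
    return chosen["documentroot"] if chosen else None

if __name__ == "__main__":
    for h in ("www0.example.com", "WWW0:80", "news.westos.com", "172.25.254.241"):
        print(f"{h:20} -> {document_root_for(h)}")
```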
eg:
[root@httpserver conf.d]# vim /etc/httpd/conf/httpd.conf
DocumentRoot "/www/html"
<Directory "/www/html">
require all granted
</Directory>
[root@httpserver conf.d]# vim /etc/httpd/conf.d/default.conf
<Virtualhost _default_:80>
DocumentRoot "/www/html"
customlog "logs/default.log" combined
</Virtualhost>
<Directory "/www/html">
Require all granted
</Directory>
[root@httpserver conf.d]# vim /etc/httpd/conf.d/news.conf
<Virtualhost *:80>
ServerName news.westos.com
DocumentRoot "/www/virtual/news/html"
Customlog "logs/news.log" combined
</Virtualhost>
<Directory "/www/virtual/news/html">
Require all granted
</Directory>
[root@httpserver conf.d]# mkdir -p /www/virtual/news/html
[root@httpserver conf.d]# vim /www/virtual/news/html/test.html
news' page
[root@httpserver conf.d]# systemctl restart httpd
On the host running the browser:
[root@foundation41 Desktop]# vim /etc/hosts
172.25.254.241 www.westos.com news.westos.com
Configuring user-based authentication
Apache flat-file user authentication
In this configuration, user accounts and passwords are stored in a local .htpasswd file. For security reasons this file must not be kept under the site's DocumentRoot; put it in a directory the web server does not serve. The dedicated htpasswd command manages the users in the .htpasswd file. Example procedure:
Create an Apache password file with two accounts:
[root@serverX ~]# htpasswd -cm /etc/httpd/.htpasswd bob
[root@serverX ~]# htpasswd -m /etc/httpd/.htpasswd alice ## -c is omitted this time, so the password file just created is not overwritten
eg:
[root@httpserver html]# mkdir admin
[root@httpserver html]# vim test.html
[root@httpserver html]# cd /etc/httpd/
[root@httpserver httpd]# ls
conf conf.d conf.modules.d logs modules run
[root@httpserver httpd]# htpasswd -cm passfile admin
New password:
Re-type new password:
Adding password for user admin
Assuming a VirtualHost block was defined earlier, add something like the following to it:
<Directory /var/www/html>
AuthName "Secret Stuff"
AuthType basic
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Directory>
Restart the Apache service and test access with a web browser, entering one of the user names and passwords above in the dialog that pops up.
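What the server side of this login actually checks, as an added example that is not course code: a reimplementation of the salted, 1000-round $apr1$ MD5 scheme that `htpasswd -m` writes, used to verify the `Authorization: Basic` header a browser sends after the dialog above. The function names and the sample password file are this example's own; the sample entries are constructed with a fixed salt, not copied from the course.

```python
"""Verify an 'Authorization: Basic' header against an htpasswd file (added example)."""
import base64
import hashlib
import hmac

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    out = ""
    for _ in range(count):
        out += _ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_md5(password, salt):
    """Apache's apr_md5_encode(): returns $apr1$<salt>$<22 chars>; salt is 1-8 chars."""
    pw, sl = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    n = len(pw)
    while n > 0:                    # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                        # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):           # stretching loop: what makes guessing slow
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in order) + _to64(final[11], 2)
    return f"$apr1${sl.decode()}${enc}"

def check_password(password, stored):
    """True if password matches an $apr1$ entry; other schemes are rejected here."""
    if not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_md5(password, salt), stored)

def load_htpasswd(text):
    """Parse 'user:hash' lines into a dict; blank and comment lines are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, _, digest = line.partition(":")
            users[user] = digest
    return users

def verify_basic_auth(header, htpasswd_text):
    """Decode 'Basic <base64(user:password)>'; return the user name or None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:    # base64 is encoding, not encryption: anyone on the path can read it
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    stored = load_htpasswd(htpasswd_text).get(user)
    return user if stored and check_password(password, stored) else None

# Constructed sample file, equivalent to running `htpasswd -cm` for bob, then alice.
SAMPLE_HTPASSWD = "\n".join(f"{u}:{apr1_md5(p, 'Kp7Lq2Xz')}"
                            for u, p in (("bob", "s3cret"), ("alice", "hunter2")))
```

Because the credentials travel base64-encoded and nothing more, this kind of authentication belongs on the HTTPS virtual host configured later in this unit.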
eg: adding the site news.westos.com
[root@httpserver ~]# cd /etc/httpd/conf.d
[root@httpserver conf.d]# vim news.conf ## new news site
<Virtualhost *:80> ## port 80
ServerName news.westos.com
DocumentRoot "/www/virtual/news/html"
Customlog "logs/news.log" combined
</Virtualhost>
<Directory "/www/virtual/news/html">
Require all granted
</Directory>
[root@httpserver conf.d]# vim default.conf ## default site
<Virtualhost _default_:80>
DocumentRoot "/www/html"
customlog "logs/default.log" combined
</Virtualhost>
<Directory "/www/html">
Require all granted
</Directory>
<Directory "/www/html/cgi">
Options +ExecCGI
AddHandler cgi-script .cgi
</Directory>
Configuring HTTPS
Custom self-signed certificates
If encrypted communication is important but a verified identity is not, an administrator can avoid the complexity of dealing with a certificate authority by generating a self-signed certificate.
The genkey utility (distributed in the crypto-utils package) generates a self-signed certificate together with its private key. For simplicity, genkey creates the certificate and key in the "correct" locations (under /etc/pki/tls). Accordingly, the utility must be run as a privileged user (root).
Generating a self-signed certificate
1. Make sure the crypto-utils package is installed.
[root@server0 ~]# yum install crypto-utils mod_ssl
2. Invoke genkey, giving the generated files a unique name (for example, the server's fully qualified host name).
--days sets the certificate's validity period
[root@server0 ~]# genkey server0.example.com
genkey www.westos.com
3. Note the location of the generated certificate (server0.example.com.crt) and its private key (server0.example.com.key).
4. Continue through the dialogs and choose a suitable key size (the default of 2048 bits is recommended).
5. Generating the random data is slow; typing on the keyboard and moving the mouse speeds it up.
6. Decline to send a certificate signing request (CSR) to a certificate authority (CA), and decline to encrypt the private key.
Choose "no"
7. Provide a suitable identity for the server. The Common Name must exactly match the server's fully qualified host name.
(Note that any commas must be escaped with a leading backslash [\].)
Installing the certificate and its private key
1. Make sure the mod_ssl package is installed.
[root@server0 ~]# yum install mod_ssl
2. Since the private key is sensitive, make sure it is readable only by root.
[root@server0 ~]# ls -l /etc/pki/tls/private/server0.example.com.key
-r--------. 1 root root 1737 Dec 22 15:06 /etc/pki/tls/private/server0.example.com.key
3. Edit /etc/httpd/conf.d/ssl.conf and set the SSLCertificateFile and SSLCertificateKeyFile directives to point to the X.509 certificate and the key file respectively.
SSLCertificateFile /etc/pki/tls/certs/server0.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/server0.example.com.key
4. Restart the web server.
[root@server0 ~]# systemctl restart httpd
5. To confirm, access the web server over https (https://serverX.example.com) with a web client such as Firefox.
The web client may warn that it does not recognise the certificate issuer. That is expected with a self-signed certificate. Tell the web client to bypass certificate verification (in Firefox, choose "I Understand the Risks", "Add Exception" and "Confirm Security Exception").
eg:
[root@httpserver conf.d]# vim /etc/httpd/conf.d/login.conf
<Virtualhost *:443> ## TLS port 443
ServerName login.westos.com
DocumentRoot /www/virtual/login/html
CustomLog "logs/login.log" combined ## log format: combined (one of the predefined log formats)
SSLEngine on
SSLCertificateKeyFile /etc/pki/tls/private/www.westos.com.key
SSLCertificateFile /etc/pki/tls/certs/www.westos.com.crt
</Virtualhost>
<Directory "/www/virtual/login/html">
Require all granted
</Directory>
<Virtualhost *:80> ## plain HTTP on port 80
ServerName login.westos.com
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</Virtualhost>
Page rewriting
Redirect every request arriving on port 80 so that it is handled over https:
<Virtualhost *:80>
ServerName www0.example.com
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</Virtualhost>
Example: /etc/httpd/conf.d/www0.conf
<VirtualHost *:443>
servername www0.example.com
documentroot /srv/www0/www
SSLEngine on
SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
SSLCertificateFile /etc/pki/tls/certs/www0.crt
SSLCertificateKeyFile /etc/pki/tls/private/www0.key
<Directory "/srv/www0/www">
require all granted
</Directory>
</VirtualHost>
<VirtualHost *:80>
servername www0.example.com
rewriteengine on
rewriterule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>
CGI
The Common Gateway Interface (CGI) is the simplest way to put dynamic content on a web site. CGI scripts can serve many purposes, but it is important to control carefully which CGI scripts are used and who is allowed to add and run them. A poorly written CGI script can give an external attacker a way to compromise the security of the site and its content. For that reason, settings exist at both the web server level and the SELinux policy level to restrict the use of CGI scripts.
Example:
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
# ll -dZ /var/www/cgi-bin/
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/
eg:
cd /www/html/
mkdir cgi
cd cgi/
vim index.cgi ## contents of index.cgi:
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print `date`;
chmod +x index.cgi
./index.cgi ## run it once by hand to check that the script itself works
setenforce 0
ls -Zd /www/html/cgi/
semanage fcontext -a -t "httpd_sys_content_t" '/www/html/cgi(/.*)?' ## works here only because SELinux was just set to permissive; the /var/www/cgi-bin example above carries httpd_sys_script_exec_t, which is the type to use for a CGI directory once enforcing mode is restored
restorecon -FvvR /www/html/cgi/
PHP language support:
Install the php package, which contains the mod_php module:
# yum install -y php
Module configuration file: /etc/httpd/conf.d/php.conf
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
DirectoryIndex index.php
eg:
[root@httpserver html]# vim /www/html/index.php
<?php
phpinfo();
?>
Build the PHP practice environment on server0; this script configures mariadb automatically and generates the dynamic page /var/www/html/index.php:
# lab phpdb setup
Install PHP's database support:
# yum install -y php-mysql
After restarting the httpd service, test that the page is served correctly.
Note that when the database the web server connects to is on a remote host, SELinux must be adjusted:
# setsebool -P httpd_can_network_connect_db=1
# setsebool -P httpd_can_network_connect=1
(this second boolean is needed when the database port is not 3306)
eg:
[root@httpserver conf.d]# yum install php -y
file:///usr/share/doc/HTML/en-US/index.html
yum install httpd-manual -y
WSGI provides Python language support:
Install the mod_wsgi package:
# yum install -y mod_wsgi
Run the lab script, which generates the Python test file /home/student/webapp.wsgi:
# lab webapp setup
Add the following parameters to the virtual host:
<VirtualHost *:443>
servername webapp0.example.com
...
WSGIScriptAlias / /srv/webapp0/www/webapp.wsgi
...
</VirtualHost>
Restart the httpd service and test from desktop0:
# curl -k https://webapp0.example.com
LAMP = Linux + Apache + MySQL + PHP