Quickly Deploying a Static Website with the Apache Service


    This series of articles is only my own study notes. The descriptive text is extracted from the key content of books such as 《Linux鸟哥私房菜》 and 《Linux运维之道》, and part of the content is notes I summarized while doing Linux operations training; boiling things down makes it possible to review and master the key points quickly at work. It does not represent a personal position, but please credit the source and cite the references when reprinting.

    Apache is the most widely used web server software in the world. It runs on almost every widely used computer platform, and because it is cross-platform and secure it is one of the most popular web server programs. It is fast, reliable, and can be extended through a simple API, so that interpreters such as Perl/Python can be compiled into the server. "Apache" (transliterated as 阿帕奇) is also the name of a Native American tribe from the southwestern United States, of a software foundation, of an attack helicopter, and so on.

    These notes cover: installing with yum, and, with SELinux enabled, setting up authentication, personal home pages, virtual hosts and other common configuration.

    Configuring Apache access control

    Apache can control access to the resources on a site based on the source host name, the source IP address, or the browser characteristics of the source host. The Allow directive permits a given host to access resources on the server, the Deny directive blocks access, and password authentication can be added to specific pages.

    ◆ Username and password authentication ◆

    Purpose: when the specified page is opened, the browser prompts for credentials before granting access; this is password authentication.

    1. Install the Apache service quickly from the yum repository.

    [root@localhost ~]# yum install -y apr apr-util httpd
    Loaded plugins: product-id, search-disabled-repos, subscription-manager
    This system is not registered with an entitlement server. You can use subscription-manager.
    Package apr-1.4.8-3.el7_4.1.x86_64 already installed and latest version
    Package apr-util-1.5.2-6.el7.x86_64 already installed and latest version
    Package httpd-2.4.6-80.el7.x86_64 already installed and latest version
    Nothing to do
    

    2. Edit the main Apache configuration file and, in the corresponding section, add the line marked ★ below.

    [root@localhost ~]# vim /etc/httpd/conf/httpd.conf
    
    146     #
    147     # AllowOverride controls what directives may be placed in .htaccess files.
    148     # It can be "All", "None", or any combination of the keywords:
    149     #   Options FileInfo AuthConfig Limit
    150     #
    ★         # change this line to: AllowOverride all (Apache does not allow a comment after a directive on the same line)
    ★         AllowOverride all
    152 
    153     #
    154     # Controls who can get stuff from this server.
    155     #
    

    3. In the directory of the page to be protected, create a .htaccess file and write the following content into it (overwriting any existing content).

    [root@localhost ~]# echo "hello admin" > /var/www/html/index.html
    [root@localhost ~]# vim /var/www/html/.htaccess
    
    # prompt shown in the browser's login dialog (the realm)
    AuthName "welcome to admin"
    # authentication type
    AuthType Basic
    # location of the password file
    AuthUserFile /var/www/html/login.psd
    # only authenticated users may access; everyone else is refused
    Require valid-user
    

    4. Use Apache's htpasswd tool to generate the password file; the username and password entered here are the credentials used when accessing the page.

    [root@localhost ~]# htpasswd -c /var/www/html/login.psd lyshark        # create the password file and add the user (-c overwrites an existing file)
    [root@localhost ~]# htpasswd -m /var/www/html/login.psd lyshark        # add or update a user with an MD5 hash (appends to the file)
    

    5. Restart the Apache service and open the page to test.

    [root@localhost ~]# systemctl restart httpd
    

    ◆ IP address based authentication ◆

    Purpose: when the specified page is opened, the server decides from your IP address whether access is allowed or denied; this is IP-based authentication.

    [root@localhost ~]# vim /etc/httpd/conf/httpd.conf
    
    121 #
    122 # Relax access to content within /var/www.
    123 #
    124 <Directory "/var/www/html">
    125 
    126         Order allow,deny
                # to allow instead of deny, change only the keyword before "from"
    127         deny from 192.168.1.8
    128         require all granted
    129 </Directory>
    130 
    131 # Further relax access to the default document root:
    

    Enabling Apache personal home pages

    If you want to set up a website for each user on the system, the usual approach is to deploy multiple sites with virtual hosts, but that is a lot of work. Fortunately Apache provides a personal home page (UserDir) feature; the following experiment gives each user a separate web space of their own, similar to QQ空间 (Qzone).

    1. First edit the configuration file: comment out the UserDir disabled line, enable UserDir public_html, then save and exit.

    [root@localhost ~]# vim /etc/httpd/conf.d/userdir.conf
    
     14     # of a username on the system (depending on home directory
     15     # permissions).
     16     #
     17     # UserDir disabled           # comment out this line
     18 
    ......
     20     # To enable requests to /~user/ to serve the user's public_html
     21     # directory, remove the "UserDir disabled" line above, and uncomment
     22     # the following line instead:
     23     # 
            # uncomment this line
     24     UserDir public_html
     25 </IfModule>
    

    2. Create a test user, create a public_html directory in the user's home directory, and set the appropriate permissions.

    [root@localhost ~]# useradd lyshark
    [root@localhost ~]# echo "123123" |passwd --stdin lyshark
    Changing password for user lyshark.
    passwd: all authentication tokens updated successfully.
    
    [root@localhost ~]# mkdir -p /home/lyshark/public_html
    [root@localhost ~]# echo "hello admin" > /home/lyshark/public_html/index.html
    [root@localhost ~]# chmod 755 -R /home/lyshark/
    

    3. Next, configure the SELinux security context.

    [root@localhost home]# ls -lZ
    drwxr-xr-x. lyshark lyshark unconfined_u:object_r:user_home_dir_t:s0 lyshark
    
    [root@localhost home]# ls -lZ /var/www/
    drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
    
    [root@localhost home]# yum provides semanage
    [root@localhost home]# yum install -y policycoreutils-python-2.5-22.el7.x86_64
    Loaded plugins: product-id, search-disabled-repos, subscription-manager
    This system is not registered with an entitlement server. You can use subscription-manager.
    Package policycoreutils-python-2.5-22.el7.x86_64 already installed and latest version
    Nothing to do
    
    [root@localhost home]# semanage fcontext -a -t httpd_sys_content_t /home/lyshark/
    [root@localhost home]# restorecon -Rv /home/lyshark/
    [root@localhost home]# restorecon -Rv /home/lyshark/*
    
    [root@localhost home]# getsebool -a |grep httpd_enable
    httpd_enable_cgi --> on
    httpd_enable_ftp_server --> off
    httpd_enable_homedirs --> off
    [root@localhost home]# setsebool -P httpd_enable_homedirs=1
    [root@localhost home]# setsebool httpd_enable_homedirs=1
    

    4. Restart the Apache service and test the result.

    [root@localhost ~]# systemctl restart httpd
    [root@localhost ~]# elinks http://192.168.1.10/~lyshark/
    

    Configuring Apache virtual hosts

    ◆ IP-based virtual hosts ◆

    If a server has several IP addresses and each address corresponds to one of the sites deployed on it, users reach different sites' pages by requesting different IPs, and every site has its own IP address. The following experiment configures multiple IPs on one server and builds multiple sites, one IP address per site.

    1. Install the Apache service quickly from the yum repository.

    [root@localhost ~]# yum install -y apr apr-util httpd
    Loaded plugins: product-id, search-disabled-repos, subscription-manager
    This system is not registered with an entitlement server. You can use subscription-manager.
    Package apr-1.4.8-3.el7_4.1.x86_64 already installed and latest version
    Package apr-util-1.5.2-6.el7.x86_64 already installed and latest version
    Package httpd-2.4.6-80.el7.x86_64 already installed and latest version
    Nothing to do
    

    2. Then configure a sub-interface (IP alias) on the primary interface.

    [root@localhost ~]# ifconfig ens32:0 192.168.1.20 netmask 255.255.255.0
    
    [root@localhost ~]# ifconfig
    ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.1.10  netmask 255.255.255.0  broadcast 192.168.1.255
            inet6 fe8::89c:d2d:cd5:b9ec  prefixlen 64  scopeid 0x20<link>
            ether 01:0c:89:b1:b7:be  txqueuelen 1000  (Ethernet)
            RX packets 1237  bytes 82607 (80.6 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 184  bytes 24411 (23.8 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    ens32:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.1.20  netmask 255.255.255.0  broadcast 192.168.1.255
            ether 00:0c:29:b1:b1:be  txqueuelen 1000  (Ethernet)
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 196  bytes 16656 (16.2 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 196  bytes 16656 (16.2 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    

    3. Create two subdirectories under /var/www/html, one for each IP address.

    [root@localhost ~]# mkdir -p /var/www/html/vhost1
    [root@localhost ~]# mkdir -p /var/www/html/vhost2
    
    [root@localhost ~]# echo  "vhost 1" > /var/www/html/vhost1/index.html
    [root@localhost ~]# echo  "vhost 2" > /var/www/html/vhost2/index.html
    

    4. Edit the main Apache configuration file and add the two virtual host sections.

    [root@localhost ~]# vim /etc/httpd/conf/httpd.conf
    
     76 # All of these directives may appear inside <VirtualHost> containers,
     77 # in which case these default settings will be overridden for the
     78 # virtual host being defined.
     79 #
     80 
     81 <VirtualHost 192.168.1.10:80>
     82         DocumentRoot /var/www/html/vhost1
     83         ServerName localhost
     84         <Directory /var/www/html/vhost1>
     85         AllowOverride None
     86         Require all granted
     87         </Directory>
     88 </VirtualHost>
     89 <VirtualHost 192.168.1.20:80>
     90         DocumentRoot /var/www/html/vhost2
     91         ServerName localhost
     92         <Directory /var/www/html/vhost2>
     93         AllowOverride None
     94         Require all granted
     95         </Directory>
     96 </VirtualHost>
     97
    

    5. Restart the Apache service and test access.

    [root@localhost ~]# systemctl restart httpd
    
    [root@localhost ~]# curl 192.168.1.10
    vhost 1
    [root@localhost ~]# curl 192.168.1.20
    vhost 2
    

    ◆ Port-based virtual hosts ◆

    Port-based virtual hosts let users reach resources on the server by port number. Of the ways to configure virtual sites in Apache, the port-based one is the most involved. The following experiment configures multiple ports on one server and builds multiple sites, one port per site.

    1. Edit the main Apache configuration file, changing two places.

    [root@localhost ~]# vim /etc/httpd/conf/httpd.conf
    
     38 # Change this to Listen on specific IP addresses as shown below to 
     39 # prevent Apache from glomming onto all bound IP addresses.
     40 #
     41 #Listen 12.34.56.78:80
     42 Listen 80
     43 Listen 8080
    .....
     76 # All of these directives may appear inside <VirtualHost> containers,
     77 # in which case these default settings will be overridden for the
     78 # virtual host being defined.
     79 #
     80 
     81 <VirtualHost 192.168.1.10:80>
     82         DocumentRoot /var/www/html/vhost1
     83         ServerName localhost
     84         <Directory /var/www/html/vhost1>
     85         AllowOverride None
     86         Require all granted
     87         </Directory>
     88 </VirtualHost>
     89 <VirtualHost 192.168.1.10:8080>
     90         DocumentRoot /var/www/html/vhost2
     91         ServerName localhost
     92         <Directory /var/www/html/vhost2>
     93         AllowOverride None
     94         Require all granted
     95         </Directory>
     96 </VirtualHost>
    

    2. Create two subdirectories under /var/www/html, one for each port.

    [root@localhost ~]# mkdir -p /var/www/html/vhost1
    [root@localhost ~]# mkdir -p /var/www/html/vhost2
    
    [root@localhost ~]# echo  "vhost 1" > /var/www/html/vhost1/index.html
    [root@localhost ~]# echo  "vhost 2" > /var/www/html/vhost2/index.html
    

    3. Restart the Apache service and test access.

    [root@localhost ~]# systemctl restart httpd
    
    [root@localhost ~]# curl 192.168.1.10:80
    vhost 1
    [root@localhost ~]# curl 192.168.1.10:8080
    vhost 2
    

    ◆ Name-based virtual hosts ◆

    When the server cannot give every site its own IP address, Apache can be made to recognise the domain name the user requested and serve different content for each domain. To verify this experiment we set up DNS resolution by hand. The following experiment hosts multiple domains on one server and builds multiple sites, one domain per site.

    1. First set up DNS resolution, simulating the two site domains vhost1.com and vhost2.com.

    [root@localhost ~]# yum install -y bind bind-chroot
    Loaded plugins: product-id, search-disabled-repos, subscription-manager
    This system is not registered with an entitlement server. You can use subscription-manager.
    Package 32:bind-9.9.4-61.el7.x86_64 already installed and latest version
    Package 32:bind-chroot-9.9.4-61.el7.x86_64 already installed and latest version
    Nothing to do
    

    2. Configure DNS resolution; a simple configuration is enough here. For detailed DNS examples see the other related articles.

    [root@localhost ~]# vim /etc/named.conf
    
     12 options {
     13         listen-on port 53 { any; };
     14         listen-on-v6 port 53 { ::1; };
     15         directory       "/var/named";
     16         dump-file       "/var/named/data/cache_dump.db";
     17         statistics-file "/var/named/data/named_stats.txt";
     18         memstatistics-file "/var/named/data/named_mem_stats.txt";
     19         allow-query     { any; };
    
    [root@localhost ~]# vim /etc/named.rfc1912.zones
    
     43 zone "vhost1.com" IN {
     44         type master;
     45         file "vhost1.com.zone";
     46         allow-update { none; };
     47 };
     48 zone "vhost2.com" IN {
     49         type master;
     50         file "vhost2.com.zone";
     51         allow-update { none; };
     52 };
    

    3. Copy the zone template, edit the copies as shown below, and restart BIND.

    [root@localhost ~]# cp -a /var/named/named.localhost /var/named/vhost1.com.zone
    [root@localhost ~]# cp -a /var/named/named.localhost /var/named/vhost2.com.zone
    
    [root@localhost ~]# vim /var/named/vhost1.com.zone
    $TTL 1D
    @       IN SOA  dns.vhost1.com. rname.invalid. (
                                            0       ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
            NS      dns.vhost1.com.
    dns     A       127.0.0.1
    www     A       192.168.1.10
    
    [root@localhost ~]# vim /var/named/vhost2.com.zone
    $TTL 1D
    @       IN SOA  dns.vhost2.com. rname.invalid. (
                                            0       ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
            NS      dns.vhost2.com.
    dns     A       127.0.0.1
    www     A       192.168.1.10
    
    [root@localhost ~]# systemctl restart named
    

    4. Edit the main Apache configuration file, changing the two virtual host sections.

    [root@localhost ~]# vim /etc/httpd/conf/httpd.conf
    
     76 # All of these directives may appear inside <VirtualHost> containers,
     77 # in which case these default settings will be overridden for the
     78 # virtual host being defined.
     79 #
     80 
     81 <VirtualHost *:80>
     82         DocumentRoot /var/www/html/vhost1
     83         ServerName www.vhost1.com
     84         <Directory /var/www/html/vhost1>
     85         AllowOverride None
     86         Require all granted
     87         </Directory>
     88 </VirtualHost>
     89 <VirtualHost *:80>
     90         DocumentRoot /var/www/html/vhost2
     91         ServerName www.vhost2.com
     92         <Directory /var/www/html/vhost2>
     93         AllowOverride None
     94         Require all granted
     95         </Directory>
     96 </VirtualHost>
    

    5. Create two subdirectories under /var/www/html, one for each domain.

    [root@localhost ~]# mkdir -p /var/www/html/vhost1
    [root@localhost ~]# mkdir -p /var/www/html/vhost2
    
    [root@localhost ~]# echo  "vhost 1" > /var/www/html/vhost1/index.html
    [root@localhost ~]# echo  "vhost 2" > /var/www/html/vhost2/index.html
    

    6. Restart the Apache service and test access.

    [root@localhost ~]# systemctl restart httpd
    
    [root@localhost ~]# curl www.vhost1.com
    vhost 1
    [root@localhost ~]# curl www.vhost2.com
    vhost 2
    

    Configuring Apache SSL encryption

    In production we want the website to be more secure, so in most cases we enable HTTPS encryption to protect data in transit. The following experiment enables an SSL certificate, i.e. HTTPS, on port 443.

    1. Create the server private key; you will be asked for a passphrase during the process.

    [root@localhost ~]# openssl genrsa -des3 -out server.key 1024
    
    ----------------------------------------------------------------------------
    Notes:
            genrsa -des3                # encrypt the private key with Triple DES (passphrase protected)
            -out server.key             # output file
            1024                        # key length in bits
    ----------------------------------------------------------------------------
    

    2. Create the certificate signing request; the generated CSR is handed to a CA for signing, which yields the server's own certificate.

    [root@localhost ~]# openssl req -new -key server.key -out server.csr
    
    ----------------------------------------------------------------------------
    Notes:
            req -new                    # create a new certificate request
            -key server.key             # private key file
            -out server.csr             # output file
    
    Note: you are prompted in turn for: country, province, city, organization, organizational unit, common name, email, an optional challenge password, and an optional company name.
    ----------------------------------------------------------------------------
    

    3. Turn it into a certificate. This step is normally done by the CA; here we self-sign it for the experiment.

    [root@localhost ~]# openssl x509 -req -days 365 -sha256 -in server.csr -signkey server.key -out server.crt
    

    4. Copy the generated certificate and key files to /etc/httpd/conf and set the appropriate permissions.

    [root@localhost ~]# cp -a server.crt /etc/httpd/conf
    [root@localhost ~]# cp -a server.key /etc/httpd/conf
    

    5. Create a configuration file with the following content to enable SSL support.

    [root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf
    
    Listen 443 https
    SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
    SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
    SSLSessionCacheTimeout  300
    SSLRandomSeed startup file:/dev/urandom  256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin
    <VirtualHost _default_:443>
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    # the certificate and private key copied to /etc/httpd/conf in step 4
    SSLCertificateFile /etc/httpd/conf/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/server.key
    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
    
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    
    # the trailing backslashes are line continuations and must be kept
    BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    
    </VirtualHost>
    
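    As an added check (example code written for this note, not part of the original post or of the httpd project), the script below reads an httpd.conf fragment and a .htaccess like the ones above and flags the settings a reviewer would question: the password file stored under DocumentRoot (step 3 of the password section, where it is reachable by URL), AllowOverride All, the Order/Deny lines mixed with Require in the IP section, and an SSLProtocol line that still admits SSLv3, TLS 1.0 and TLS 1.1. The sample configurations inside it are constructed for the demo; the hardened counterpart uses the 2.4-native Require syntax and a password file outside the web tree.

```python
import re

# Constructed samples (not a real server): weak settings from this walkthrough vs. a hardened 2.4 form.
WEAK_CONF = """DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    AllowOverride All
    Order allow,deny
    Deny from 192.168.1.8
    Require all granted
</Directory>
SSLProtocol all -SSLv2
"""
WEAK_HTACCESS = "AuthUserFile /var/www/html/login.psd\nRequire valid-user\n"
HARDENED_CONF = """DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    AllowOverride AuthConfig
    <RequireAll>
        Require all granted
        Require not ip 192.168.1.8
    </RequireAll>
</Directory>
SSLProtocol -all +TLSv1.2 +TLSv1.3
"""
HARDENED_HTACCESS = "AuthUserFile /etc/httpd/login.psd\nRequire valid-user\n"

def parse_directives(text):
    # Yield (name, args) per non-comment line; <Section ...> tags yield the tag name.
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<(/?\w+)(?:\s+(.*?))?>$", line)
        parts = [m.group(1), m.group(2) or ""] if m else line.split(None, 1) + [""]
        yield parts[0].lower(), parts[1]

def audit(conf_text, htaccess_text=""):
    # Return findings for the main config plus the .htaccess it lets take effect.
    findings, docroot, acl = [], None, set()
    for name, args in parse_directives(conf_text):
        if name == "documentroot":
            docroot = args.strip('"').rstrip("/")
        elif name == "allowoverride" and args.lower() == "all":
            findings.append("AllowOverride All: AuthConfig is enough for .htaccess auth")
        elif name in ("order", "allow", "deny", "require"):
            acl.add(name)  # old mod_access_compat vs. 2.4 mod_authz_core directives
        elif name == "sslprotocol":
            toks = [t.lower() for t in args.split()]
            left = [p for p in ("sslv3", "tlsv1", "tlsv1.1") if "-" + p not in toks]
            if toks[:1] == ["all"] and left:
                findings.append("SSLProtocol still allows " + ", ".join(left))
    if acl & {"order", "allow", "deny"} and "require" in acl:
        findings.append("Order/Allow/Deny mixed with Require: use Require not ip")
    for name, args in parse_directives(htaccess_text):
        if name == "authuserfile" and docroot and args.startswith(docroot + "/"):
            findings.append("AuthUserFile under DocumentRoot: move it outside the web tree")
    return findings
```

    Run audit() on the text of your own httpd.conf and .htaccess; an empty list means none of the four conditions was found.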

    Original article: https://www.cnblogs.com/LyShark/p/10229669.html