第九单元 Apache web服务
一、Apache基本配置
1.安装apache软件包:# yum install -y httpd httpd-manual
2.启动apache服务:# systemctl start httpd ; systemctl enable httpd
3.查看监听端口:
# ss -antlp |grep httpd
LISTEN 0 128 :::80 :::*
users:(("httpd",4347,4),("httpd",4346,4),("httpd",4345,4),("httpd",4344,4),("httpd",4343,4),("httpd",4342,4))
4.Apache主配置文件: /etc/httpd/conf/httpd.conf
ServerRoot "/etc/httpd" 用于指定Apache的运行目录
Listen 80 监听端口
User apache 运行apache程序的用户和组
Group apache
ServerAdmin root@localhost 管理员邮箱
DocumentRoot "/var/www/html" 网页文件的存放目录
<Directory "/var/www/html"> <Directory>语句块自定义目录权限
Require all granted
</Directory>
ErrorLog "logs/error_log" 错误日志存放位置
AddDefaultCharset UTF-8 默认支持的语言
IncludeOptional conf.d/*.conf 加载其它配置文件
DirectoryIndex index.html 默认主页名称
5.示例
1)httpd基本配置
[root@httpdesktop ~]# yum install httpd -y
[root@httpdesktop ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@httpdesktop ~]# firewall-cmd --permanent --add-service=http
success
[root@httpdesktop ~]# firewall-cmd --permanent --add-service=https
success
[root@httpdesktop ~]# firewall-cmd --reload
success
[root@httpdesktop ~]# systemctl start httpd
[root@httpdesktop ~]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
[root@httpdesktop ~]# vim /var/www/html/index.html
[root@httpdesktop ~]# cat /var/www/html/index.html
hello linux!
[root@httpdesktop ~]#
2)httpd默认打开位置为/var/www/html/index.html修改为/www/html/test.html
[root@httpdesktop ~]# mkdir /www/html -p
[root@httpdesktop ~]# vim /www/html/test.html
[root@httpdesktop ~]# cat /www/html/test.html
hello testsuccess
[root@httpdesktop ~]# vim /etc/httpd/conf/httpd.conf
#120 DocumentRoot "/www/html"
#122 <Directory "/www/html">
#123 Require all granted
#124 </Directory>
#167 <IfModule dir_module>
#168 DirectoryIndex test.html
#169 </IfModule>
[root@httpdesktop ~]# systemctl restart httpd.service
[root@httpdesktop ~]# ls -Zd /www/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /www/
[root@httpdesktop ~]# ls -Zd /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/
[root@httpdesktop ~]# semanage fcontext -a -t httpd_sys_content_t '/www(/.*)?'
[root@httpdesktop ~]# ls -Zd /www/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /www/
[root@httpdesktop ~]# restorecon -RvvF /www/
restorecon reset /www context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /www/html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /www/html/test.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
[root@httpdesktop ~]# ls -Zd /www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /www/
[root@httpdesktop ~]#
#查看httpd日志
[root@httpdesktop ~]# cd /etc/httpd/logs/
[root@httpdesktop logs]# ls
access_log error_log
[root@httpdesktop logs]# vim error_log
[root@httpdesktop logs]# vim access_log
3)创建所有用户查看权限
[root@httpdesktop logs]# vim /etc/httpd/conf/httpd.conf
#122 <Directory "/www/html">
#123 Order Allow,Deny
#124 Allow from all
#125 Deny from 172.25.254.42
#126 Require all granted
#127 </Directory>
[root@httpdesktop logs]# systemctl restart httpd.service
[root@httpdesktop logs]# vim /etc/httpd/conf/httpd.conf
#122 <Directory "/www/html">
#123 Order Deny,Allow
#124 Allow from 172.25.254.42
#125 Deny from all
#126 Require all granted
#127 </Directory>
[root@httpdesktop logs]# systemctl restart httpd.service
二、虚拟主机
1.虚拟主机允许您从一个httpd服务器同时为多个网站提供服务。在本节中,我们将了解基于名称的虚拟主机其中多个主机名都指向同一个IP地址,但是Web服务器根据用于到达站点的主机名提供具有不同内容的不同网站。
Example:
<virtualhost *:80>
servername wwwX.example.com
serveralias wwwX
documentroot /srv/wwwX.example.com/www
customlog "logs/wwwX.example.com.log" combined
</virtualhost>
<directory /srv/wwwX.example.com/www>
require all granted
</directory>
1)<VirtualHost *:80>
...
</VirtualHost>
这是定义虚拟主机的块
2)ServerName wwwX.example.com--->指定服务器名称。在使用基于名称的虚拟主机的情况下,此处的名称必须与客户端请求完全的匹配。
3)ServerAlias serverX wwwX wwwX.example.com--->用于匹配的空格分隔的名称列表,如上面的ServerName
4)DocumentRoot /var/www/html--->在<VirtualHost>块内部,指定从中提供内容的目录。
5)selinux标签
semanage fcontext -l
semanage fcontext -a -t httpd_sys_content_t “/directory(/.*)?”
restorecon -vvFR /directory
2.Demo:
1)建立网页发布目录,并设置selinux标签:
# mkdir -p /srv/{default,www0.example.com}/www
# echo "coming soon" > /srv/default/www/index.html
# echo "www0" > /srv/www0.example.com/www/index.html
# restorecon -Rv /srv/
2)创建虚拟主机配置文件:
# cat /etc/httpd/conf.d/00-default-vhost.conf
<virtualhost _default_:80>
documentroot /srv/default/www
customlog "logs/default-vhost.log" combined
</virtualhost>
<directory /srv/default/www>
require all granted
</directory>
# cat 01-www0.example.com-vhost.conf
<virtualhost *:80>
servername www0.example.com
serveralias www0
documentroot /srv/www0.example.com/www
customlog "logs/www0.example.com.log" combined
</virtualhost>
<directory /srv/www0.example.com/www>
require all granted
</directory>
3)启动apache服务
# systemctl start httpd ; systemctl enable httpd
3.示例
[root@httpdesktop httpd]# exit
logout
Connection to 172.25.254.142 closed.
[kiosk@foundation42 Desktop]$ su -
Password:
Last login: Mon Apr 17 08:49:33 CST 2017 on pts/0
[root@foundation42 ~]# vim /etc/hosts
[root@foundation42 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.254.250 content.example.com
172.25.254.142 www.westos.com new.westos.com
[root@foundation42 ~]# exit
logout
[kiosk@foundation42 Desktop]$ ssh root@172.25.254.142 -X
root@172.25.254.142's password:
Last login: Sun Apr 16 21:35:29 2017 from 172.25.254.42
[root@httpdesktop ~]# cd /etc/httpd/conf.d/
[root@httpdesktop conf.d]# ls
autoindex.conf README userdir.conf welcome.conf
[root@httpdesktop conf.d]# vim default.conf
[root@httpdesktop conf.d]# cat default.conf
<virtualhost _default_:80>
documentroot "/www/html"
customlog "logs/default.log" combined
</virtualhost>
<directory "/www/html">
require all granted
</directory>
[root@httpdesktop conf.d]# cp default.conf news.conf -p
[root@httpdesktop conf.d]# ls
autoindex.conf default.conf news.conf README userdir.conf welcome.conf
[root@httpdesktop conf.d]# vim news.conf
[root@httpdesktop conf.d]# cat news.conf
<virtualhost *:80>
servername new.westos.com
documentroot "/www/virtual/news/html"
customlog "logs/news.log" combined
</virtualhost>
<directory "/www/virtual/news/html">
require all granted
</directory>
[root@httpdesktop httpd]# mkdir -p /www/virtual/news/html
[root@httpdesktop httpd]# vim /www/virtual/news/html/test.html
[root@httpdesktop httpd]# cat /www/virtual/news/html/test.html
news' page
[root@httpdesktop httpd]# systemctl restart httpd.service
[root@httpdesktop httpd]# vim /etc/httpd/conf/httpd.conf
#121 <Directory "/www/html">
#122 Require all granted
#123 </Directory>
[root@httpdesktop httpd]# systemctl restart httpd.service
[root@httpdesktop httpd]#
三、配置基于用户的身份验证
1.Apache无格式文件用户身份验证,在此配置中,用户账户和密码存储在本地.htpasswd文件中。处于安全原因,该文件不能保存在网站的DocumentRoot中,而应保存在Web服务器不提供服务的一些目录中。特殊的htpasswd命令用于在.htpasswd文件中管理用户
2.配置程序示例:
1)用两个账户创建Apache密码文件:
[root@serverX ~]# htpasswd -cm /etc/httpd/.htpasswd bob
[root@serverX ~]# htpasswd -m /etc/httpd/.htpasswd alice
2)假设之前定义VirtualHost块,请将诸如以下内容添加至VirtualHost块:
<Directory /var/www/html>
AuthName “Secret Stuff”
AuthType basic
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Directory>
3.重启apache服务,并使用Web浏览器测试访问,在弹出的对话框中输入上述用户名和密码
4.示例:
[root@httpdesktop logs]# cd /www/html/
[root@httpdesktop html]# ls
test.html
[root@httpdesktop html]# mkdir admin
[root@httpdesktop html]# ls
admin test.html
[root@httpdesktop html]# cd admin/
[root@httpdesktop admin]# vim test.html
[root@httpdesktop admin]# cat test.html
hello myworld
[root@httpdesktop admin]# cd /etc/httpd/
[root@httpdesktop httpd]# ls
conf conf.d conf.modules.d logs modules run
[root@httpdesktop httpd]# htpasswd -cm passfile admin
New password:
Re-type new password:
Adding password for user admin
[root@httpdesktop httpd]# htpasswd -m passfile linux
New password:
Re-type new password:
Adding password for user linux
[root@httpdesktop httpd]# cat passfile
admin:$apr1$eY5WS3UC$8MQHgoiKmNBlwPZpmI3DL/
linux:$apr1$cDZbrIlY$Y5R.X6SeTWcvJDhr.ac.k.
[root@httpdesktop httpd]# vim /etc/httpd/conf/httpd.conf
#122 <Directory "/www/html">
#123 #Order Deny,Allow
#124 #Allow from 172.25.254.42
#125 #Deny from all
#126 #Require all granted
#127 AllowOverride all
#128 Authuserfile /etc/httpd/passfile
#129 Authname "Please input name and passwd"
#130 Authtype basic
#131 require valid-user
#132 </Directory>
[root@httpdesktop httpd]# systemctl restart httpd.service
[root@httpdesktop httpd]# vim /etc/httpd/conf/httpd.conf
#122 <Directory "/www/html">
#123 #Order Deny,Allow
#124 #Allow from 172.25.254.42
#125 #Deny from all
#126 #Require all granted
#127 AllowOverride all
#128 Authuserfile /etc/httpd/passfile
#129 Authname "Please input name and passwd"
#130 Authtype basic
#131 require user admin
#132 </Directory>
[root@httpdesktop httpd]# systemctl restart httpd.service
四、自定义自签名证书
1.如果加密的通信非常重要,而经过验证的身份不重要,管理员可以通过生成self-signed certificate来避免与认证机构进行交互所带来的复杂性。使用genkey实用程序(通过crypto-utils软件包分发),生成自签名证书及其关联的私钥。为了简化起见,genkey将在“正确”的位置(/etc/pki/tls目录)创建证书及其关联的密钥。相应地,必须以授权用户(root)身份运行该实用程序。
2.生成自签名证书
1)确保已安装crypto-utils软件包。
[root@server0 ~]# yum install crypto-utils mod_ssl
2)调用genkey,同时为生成的文件指定唯一名称(例如,服务器的主机全名)。 --days可以指定证书有效期
[root@server0 ~]# genkey server0.example.com
3.安装证书及其私钥
1)确定已安装mod_ssl软件包。
[root@server0 ~]# yum install mod_ssl
2)由于私钥是敏感信息,请确保其只被root用户读取。
[root@server0 ~]# ls -l /etc/pki/tls/private/server0.example.com.key
-r--------. 1 root root 1737 Dec 22 15:06 /etc/pki/tls/private/server0.example.com.key
3)编辑/etc/httpd/conf.d/ssl.conf, 将SSLCertificateFile和SSLCertificateKeyFile指令设置为分别指向X.509证书和密钥文件。
SSLCertificateFile /etc/pki/tls/certs/server0.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/server0.example.com.key
4)重启Web服务器。
[root@server0 ~]# systemctl restart httpd
5)如要进行确认,请使用https协议(https://serverX.example.com)通过Web客户端(如Firefox)访问Web服务器。Web客户端可能会发出它不认可证书发行者的警告。这种情况适用自签名证书。要求Web客户端绕过证书认证。(对于Firefox,请选择“I Understand the Risks” [我了解风险]、“Add Exception” [添加例外]和“Confirm Security Exception”[确认安全例外]。)
6)示例:
[root@httpdesktop html]# yum install crypto-utils -y
[root@httpdesktop html]# yum install mod_ssl -y
[root@httpdesktop html]# cd /etc/httpd/conf.d/
[root@httpdesktop conf.d]# ls
autoindex.conf manual.conf php.conf ssl.conf welcome.conf
default.conf news.conf README userdir.conf
[root@httpdesktop conf.d]# netstat -antlpe | grep httpd
tcp6 0 0 :::80 :::* LISTEN 0 114842 1142/httpd
[root@httpdesktop conf.d]# systemctl restart httpd.service
[root@httpdesktop conf.d]# netstat -antlpe | grep httpd
tcp6 0 0 :::443 :::* LISTEN 0 132080 2160/httpd
tcp6 0 0 :::80 :::* LISTEN 0 132068 2160/httpd
[root@httpdesktop conf.d]# genkey www.westos.com
/usr/bin/keyutil -c makecert -g 1024 -s "CN=www.westos.com, OU=linux, O=westos, L=xi'an, ST=shannxi, C=CN" -v 1 -a -z /etc/pki/tls/.rand.2176 -o /etc/pki/tls/certs/www.westos.com.crt -k /etc/pki/tls/private/www.westos.com.key
cmdstr: makecert
cmd_CreateNewCert
command: makecert
keysize = 1024 bits
subject = CN=www.westos.com, OU=linux, O=westos, L=xi'an, ST=shannxi, C=CN
valid for 1 months
random seed from /etc/pki/tls/.rand.2176
output will be written to /etc/pki/tls/certs/www.westos.com.crt
output key written to /etc/pki/tls/private/www.westos.com.key
Generating key. This may take a few moments...
Made a key
Opened tmprequest for writing
/usr/bin/keyutil Copying the cert pointer
Created a certificate
Wrote 882 bytes of encoded data to /etc/pki/tls/private/www.westos.com.key
Wrote the key to:
/etc/pki/tls/private/www.westos.com.key
[root@httpdesktop conf.d]# vim /etc/httpd/conf.d/ssl.conf
#101 SSLCertificateFile /etc/pki/tls/certs/www.westos.com.crt
#109 SSLCertificateKeyFile /etc/pki/tls/private/www.westos.com.key
[root@httpdesktop conf.d]# systemctl restart httpd.service
[root@httpdesktop conf.d]#
4.网页重写
1)把所有80端口的请求全部重定向由https来处理
<Virtualhost *:80>
ServerName www0.example.com
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</Virtualhost>
2)Example: /etc/httpd/conf.d/www0.conf
<VirtualHost *:443>
servername www0.example.com
documentroot /srv/www0/www
SSLEngine on
SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
SSLCertificateFile /etc/pki/tls/certs/www0.crt
SSLCertificateKeyFile /etc/pki/tls/private/www0.key
<Directory "/srv/www0/www">
require all granted
</Directory>
</VirtualHost>
<VirtualHost *:80>
servername www0.example.com
rewriteengine on
rewriterule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>
3)示例:
[root@httpdesktop ~]# ls
anaconda-ks.cfg Documents Music Public Videos
Desktop Downloads Pictures Templates
[root@httpdesktop ~]# cd /etc/httpd/conf.d/
[root@httpdesktop conf.d]# ls
autoindex.conf manual.conf php.conf ssl.conf userdir.conf
default.conf news.conf README tmprequest welcome.conf
[root@httpdesktop conf.d]# cp -p news.conf login.conf
[root@httpdesktop conf.d]# vim login.conf
[root@httpdesktop conf.d]# cat login.conf
<virtualhost *:443>
servername login.westos.com
documentroot "/www/virtual/login/html"
customlog "logs/login.log" combined
SSLCertificateKeyFile /etc/pki/tls/private/www.westos.com.key
SSLCertificateFile /etc/pki/tls/certs/www.westos.com.crt
SSLEngine on
</virtualhost>
<directory "/www/virtual/login/html">
require all granted
</directory>
<Virtualhost *:80>
ServerName login.westos.com
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</Virtualhost>
[root@httpdesktop conf.d]# systemctl restart httpd.service
[root@httpdesktop conf.d]# mkdir -p /www/virtual/login/html
[root@httpdesktop conf.d]# vim /www/virtual/login/html/test.html
[root@httpdesktop conf.d]# cat /www/virtual/login/html/test.html
login.com
[root@httpdesktop conf.d]# systemctl restart httpd.service
五、CGI
1.通用网关接口(CGI)是网站上放置动态内容的最简单的方法。CGI脚本可用于许多目的,但是谨慎控制使用哪个CGI脚本以及允许谁添加和运行这些脚本十分重要。编写质量差的CGI脚本可能为外部攻击者提供了破坏网站及其内容安全性的途径。因此,在Web服务器级别和SELinux策略级别,都存在用于限制CGI脚本使用的设置。
1)Example:
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
# ll -dZ /var/www/cgi-bin/
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/
2)示例:
[root@httpdesktop html]# ls
admin index.php test.html
[root@httpdesktop html]# mkdir cgi
[root@httpdesktop html]# ls
admin cgi index.php test.html
[root@httpdesktop html]# yum install httpd-manual -y
[root@httpdesktop html]# ls
admin cgi index.php test.html
[root@httpdesktop html]# systemctl restart httpd.service
[root@httpdesktop html]# vim /etc/httpd/conf/httpd.conf
#178 <IfModule dir_module>
#179 DirectoryIndex test.html index.html
#180 </IfModule>
[root@httpdesktop html]# systemctl restart httpd.service
[root@httpdesktop html]# cd cgi/
[root@httpdesktop cgi]# ls
[root@httpdesktop cgi]# vim index.cgi
[root@httpdesktop cgi]# cat index.cgi
#!/usr/bin/perl
print "Content-type: text/html ";
print `date`;
[root@httpdesktop cgi]# chmod +x index.cgi
[root@httpdesktop cgi]# ./index.cgi
Content-type: text/html
Mon Apr 17 01:56:55 EDT 2017
[root@httpdesktop cgi]# vim /etc/httpd/conf.d/default.conf
[root@httpdesktop cgi]# cat /etc/httpd/conf.d/default.conf
<virtualhost _default_:80>
documentroot "/www/html"
customlog "logs/default.log" combined
</virtualhost>
<directory "/www/html">
require all granted
</directory>
<Directory "/www/html/cgi">
Options +ExecCGI
AddHandler cgi-script .cgi
</Directory>
[root@httpdesktop cgi]# systemctl restart httpd.service
[root@httpdesktop cgi]# semanage fcontext -l | grep http
[root@httpdesktop cgi]# ls -Zd /www/html/cgi/
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /www/html/cgi/
[root@httpdesktop cgi]# semanage fcontext -a -t "httpd_sys_script_exec_t" '/www/html/cgi(/.*)?'
[root@httpdesktop cgi]# restorecon -FvvR /www/html/cgi
restorecon reset /www/html/cgi context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0
restorecon reset /www/html/cgi/index.cgi context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0
[root@httpdesktop cgi]# cd /www/html/
[root@httpdesktop html]# vim /etc/httpd/conf/httpd.conf
#178 <IfModule dir_module>
#179 DirectoryIndex test.html index.html index.cgi
#180 </IfModule>
[root@httpdesktop html]# systemctl restart httpd.service
2.php语言支持:
1)安装php软件包,其中包含mod_php模块:
# yum install -y php
2)模块配置文件: /etc/httpd/conf.d/php.conf
<FilesMatch .php$>
SetHandler application/x-httpd-php
</FilesMatch>
DirectoryIndex index.php
3)在server0上构建php练习环境,此脚本会自动配置mariadb,并生成/var/www/html/index.php动态网页:
# lab phpdb setup
4)安装php的数据库支持:
# yum install -y php-mysql
5)重启httpd服务后,测试网页是否访问正常.
PS:当web服务器连接的数据库在远程时,需要改变Selinux:
# setsebool -P httpd_can_network_connect_db=1
# setsebool -P httpd_can_network_connect=1
(如果数据库的端口不是3306时,需要改此项)
6)示例:
[root@httpdesktop ~]# cd /www/html/
[root@httpdesktop html]# ls
admin test.html
[root@httpdesktop html]# vim index.php
[root@httpdesktop html]# vim /etc/hosts
[root@httpdesktop html]# yum install php -y
[root@httpdesktop html]# systemctl restart httpd.service
3.WSGI提供python语言支持:
1)安装mod_wsgi软件包:
# yum install -y mod_wsgi
2)执行脚本,会生成python测试文件/home/student/webapp.wsgi:
# lab webapp setup
3)在虚拟主机中加入以下参数:
<VirtualHost *:443>
servername webapp0.example.com
...
WSGIScriptAlias / /srv/webapp0/www/webapp.wsgi
...
</VirtualHost>
4)重启httpd服务,并在desktop0上测试:
# curl -k https://webapp0.example.com