3unit9

Red Hat System Administration III

########################### Unit 9: Apache Web Service

I. Basic Apache configuration

Install the Apache packages:

# yum install -y httpd httpd-manual

Open the http and https services in the firewall:

[root@httpclient ~]# firewall-cmd --permanent --add-service=http
success
[root@httpclient ~]# firewall-cmd --permanent --add-service=https
success
[root@httpclient ~]# firewall-cmd --reload
success

Start the Apache service:

# systemctl start httpd ; systemctl enable httpd

Check the listening port:

# ss -antlp |grep httpd
LISTEN 0 128 :::80 :::*
users:(("httpd",4347,4),("httpd",4346,4),("httpd",4345,4),("httpd",4344,4),("httpd",4343,4),("httpd",4342,4))

II. The main Apache configuration file: /etc/httpd/conf/httpd.conf

ServerRoot "/etc/httpd"         directory Apache runs from (its configuration root)
Listen 80                       listening port
User apache                     user and group the Apache worker processes run as
Group apache
ServerAdmin root@localhost      administrator's e-mail address
DocumentRoot "/var/www/html"    directory holding the web content
<Directory "/var/www/html">     a <Directory> block sets the access rules for one directory
Require all granted
</Directory>
ErrorLog "logs/error_log"       location of the error log
AddDefaultCharset UTF-8         default character set sent to clients
IncludeOptional conf.d/*.conf   load additional configuration files
DirectoryIndex index.html       name of the default index page

e.g.:

[root@httpserver httpd]# vim /etc/httpd/conf/httpd.conf
DocumentRoot "/www/html"
<Directory "/www/html">
        # Order Deny,Allow
        #Allow from 172.25.254.41
        #Deny from All
        AllowOverride all  ## allows .htaccess overrides (the note labels this "enable authentication"; the Auth* directives below work without it)
        Authuserfile /etc/httpd/passfile  ## user-based authentication: the password file created with htpasswd
        Authname "Please input your name and password" ## prompt shown in the login dialog
        Authtype basic    ## authentication method: HTTP basic
        require valid-user ## any user listed in the password file may log in
        #Require all granted
</Directory>
<IfModule dir_module>
    DirectoryIndex test.html index.html
</IfModule>

[root@httpserver ~]# mkdir -p /www/html
[root@httpserver ~]# vim /www/html/test.html
[root@httpserver ~]# ll -Zd /www/html/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /www/html/
[root@httpserver ~]# ll -Zd /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/
[root@httpserver ~]# semanage fcontext -a -t httpd_sys_content_t '/www(/.*)?'  ## with SELinux enforcing, a document root outside /var/www must be given the httpd content type
[root@httpserver ~]# restorecon -RvvF /www/  ## apply the new label recursively
restorecon reset /www context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /www/html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /www/html/test.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
[root@httpserver ~]# systemctl restart httpd

[kiosk@foundation41 Desktop]$ vim /etc/hosts  ## on the host running the browser
172.25.254.241 www.westos.com news.westos.com login.westos.com

III. Virtual hosts

Virtual hosts allow one httpd server to serve several websites at the same time. This section covers name-based virtual hosts: several host names resolve to the same IP address, but the web server serves a different site with different content depending on the host name used to reach it.

Example:

<virtualhost *:80>
servername wwwX.example.com
serveralias wwwX
documentroot /srv/wwwX.example.com/www
customlog "logs/wwwX.example.com.log" combined
</virtualhost>

<directory /srv/wwwX.example.com/www>
require all granted
</directory>

1. <VirtualHost *:80>
...
</VirtualHost>

This is the block that defines a virtual host.

2. ServerName wwwX.example.com

Sets the server name. With name-based virtual hosts, this name must exactly match the host name in the client's request.

3. ServerAlias serverX wwwX wwwX.example.com

A space-separated list of additional names to match, as with ServerName above.

4. DocumentRoot /var/www/html

Inside the <VirtualHost> block, the directory from which content is served.

5. SELinux labels

semanage fcontext -l
semanage fcontext -a -t httpd_sys_content_t "/directory(/.*)?"
restorecon -vvFR /directory

Demo:

Create the web publishing directories and set their SELinux labels (the targeted policy already maps /srv/*/www to httpd_sys_content_t, so restorecon is enough here):

# mkdir -p /srv/{default,www0.example.com}/www
# echo "coming soon" > /srv/default/www/index.html
# echo "www0" > /srv/www0.example.com/www/index.html
# restorecon -Rv /srv/

Create the virtual host configuration files:

# cat /etc/httpd/conf.d/00-default-vhost.conf
<virtualhost _default_:80>
documentroot /srv/default/www
customlog "logs/default-vhost.log" combined
</virtualhost>
<directory /srv/default/www>
require all granted
</directory>

# cat 01-www0.example.com-vhost.conf
<virtualhost *:80>
servername www0.example.com
serveralias www0
documentroot /srv/www0.example.com/www
customlog "logs/www0.example.com.log" combined
</virtualhost>
<directory /srv/www0.example.com/www>
require all granted
</directory>

Start the Apache service:

# systemctl start httpd ; systemctl enable httpd

e.g.:

[root@httpserver conf.d]# vim /etc/httpd/conf/httpd.conf
DocumentRoot "/www/html"
<Directory "/www/html">
        require all granted
</Directory>

[root@httpserver conf.d]# vim /etc/httpd/conf.d/default.conf
<Virtualhost _default_:80>
        DocumentRoot "/www/html"
        customlog "logs/default.log" combined
</Virtualhost>
<Directory "/www/html">
        Require all granted
</Directory>

[root@httpserver conf.d]# vim /etc/httpd/conf.d/news.conf
<Virtualhost *:80>
        ServerName news.westos.com
        DocumentRoot "/www/virtual/news/html"
        Customlog "logs/news.log" combined
</Virtualhost>
<Directory "/www/virtual/news/html">
        Require all granted
</Directory>

[root@httpserver conf.d]# mkdir -p /www/virtual/news/html
[root@httpserver conf.d]# vim /www/virtual/news/html/test.html
news' page
[root@httpserver conf.d]# systemctl restart httpd

On the host running the browser:

[root@foundation41 Desktop]# vim /etc/hosts
172.25.254.241 www.westos.com news.westos.com
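Every virtual host above writes its own CustomLog in the predefined "combined" format. The following Python script is an added example, not part of the course notes: it parses combined-format lines and flags clients that keep receiving 401 (failed basic authentication against the password-protected directories configured in this unit) or 403 (denied by a Require rule or by SELinux). The log lines, client addresses and the threshold of 3 are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Regex for Apache's predefined "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not from a real server); the last one is deliberately malformed
SAMPLE_LOG = """\
172.25.254.41 - - [22/Dec/2016:15:06:01 +0800] "GET /test.html HTTP/1.1" 200 23 "-" "Mozilla/5.0"
172.25.254.41 - - [22/Dec/2016:15:06:02 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
172.25.254.41 - admin [22/Dec/2016:15:06:09 +0800] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.25.254.99 - - [22/Dec/2016:15:07:01 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.29.0"
172.25.254.99 - - [22/Dec/2016:15:07:02 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.29.0"
172.25.254.99 - - [22/Dec/2016:15:07:03 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.29.0"
172.25.254.99 - - [22/Dec/2016:15:07:04 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.29.0"
172.25.254.99 - - [22/Dec/2016:15:07:05 +0800] "GET /cgi/index.cgi HTTP/1.1" 403 210 "-" "curl/7.29.0"
this line is not in combined format
"""


def parse_combined(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    parts = rec["request"].split(" ")          # "%r" is "METHOD PATH PROTOCOL"
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def auth_failures_per_host(log_text, threshold=3):
    """Count 401 responses per client; return (hosts at/above threshold, unparsed line count)."""
    counts = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            unparsed += 1                      # malformed lines are counted, never silently dropped
            continue
        if rec["status"] == 401:
            counts[rec["host"]] += 1
    flagged = {h: n for h, n in counts.items() if n >= threshold}
    return flagged, unparsed


def denied_paths(log_text):
    """Map each client to the set of paths that produced 403 (Require or SELinux denials)."""
    out = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec and rec["status"] == 403:
            out[rec["host"]].add(rec["path"])
    return dict(out)


if __name__ == "__main__":
    flagged, bad = auth_failures_per_host(SAMPLE_LOG)
    print("repeated 401s:", flagged, "| unparsed lines:", bad)
    print("403 paths:", denied_paths(SAMPLE_LOG))
```

Run it against a real file with `auth_failures_per_host(open("/var/log/httpd/news.log").read())`; the per-vhost log names come from each CustomLog directive.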

Configuring user-based authentication

Apache flat-file user authentication

In this configuration, user accounts and passwords are stored in a local .htpasswd file. For security reasons this file must not be kept under the site's DocumentRoot; keep it in a directory the web server does not serve. The dedicated htpasswd command manages the users in the .htpasswd file. Example configuration procedure:

Create the Apache password file with two accounts:

[root@serverX ~]# htpasswd -cm /etc/httpd/.htpasswd bob
[root@serverX ~]# htpasswd -m /etc/httpd/.htpasswd alice   ## -m selects MD5 (apr1) hashing; without -c the existing file is appended to rather than recreated

e.g.:

[root@httpserver html]# mkdir admin
[root@httpserver html]# vim test.html
[root@httpserver html]# cd /etc/httpd/
[root@httpserver httpd]# ls
conf  conf.d  conf.modules.d  logs  modules  run
[root@httpserver httpd]# htpasswd -cm passfile admin
New password:
Re-type new password:
Adding password for user admin
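htpasswd -m stores each password as an APR1 (MD5-based) hash of the form $apr1$salt$hash. The following Python code is an added example, not the course's or Apache's own code: it reimplements the APR1 algorithm so that an entry can be generated or a credential checked without the web server, and it audits a password file for entries that use weaker schemes (plain crypt, {SHA}, or plaintext). The user names, passwords and entries in the test are constructed; on a real system the implementation can be cross-checked with `htpasswd -nbm user password`, which prints the entry to stdout.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value, chars):
    """Apache's to64(): emit `chars` characters, 6 bits each, least significant first."""
    out = []
    for _ in range(chars):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt):
    """APR1 hash as produced by `htpasswd -m`; salt is at most 8 characters from ITOA64."""
    pw = password.encode("utf-8")
    salt = salt[:8].encode("ascii")
    ctx = hashlib.md5(pw + MAGIC + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:                               # mix in md5(pw+salt+pw), one block per 16 bytes of pw
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                                   # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                      # 1000 stretching rounds with the original schedule
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    enc = ""                                   # rearranged base64-like encoding of the 16 bytes
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    enc += _to64(final[11], 2)
    return MAGIC.decode() + salt.decode() + "$" + enc


def make_entry(user, password):
    """One .htpasswd line with a fresh random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return "%s:%s" % (user, apr1_hash(password, salt))


def classify(hash_field):
    """Name the scheme of one hash field; anything but apr1 or bcrypt is flagged as weak."""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"
    if hash_field.startswith("$2y$") or hash_field.startswith("$2a$"):
        return "bcrypt"
    if hash_field.startswith("{SHA}"):
        return "sha1-weak"
    if len(hash_field) == 13 and "$" not in hash_field:
        return "crypt-weak"
    return "plaintext-or-unknown-weak"


def audit(htpasswd_text):
    """Map each user in the file to the scheme protecting its password."""
    return {line.split(":", 1)[0]: classify(line.split(":", 1)[1])
            for line in htpasswd_text.splitlines() if ":" in line}


def verify(htpasswd_text, user, password):
    """True only when `user` has an apr1 entry and `password` matches it (constant-time compare)."""
    for line in htpasswd_text.splitlines():
        if ":" not in line:
            continue
        name, field = line.split(":", 1)
        if name != user or not field.startswith("$apr1$"):
            continue
        salt = field[6:].split("$", 1)[0]
        return hmac.compare_digest(apr1_hash(password, salt), field)
    return False


if __name__ == "__main__":
    sample = make_entry("admin", "secret")     # constructed entry, not a real credential
    print(sample, audit(sample), verify(sample, "admin", "secret"))
```

The audit is the part worth scheduling: an entry that htpasswd was once run on without -m (plain crypt, limited to 8 significant characters) or with -s ({SHA}, unsalted) survives silently in the file until someone looks.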

Assuming a VirtualHost block was defined earlier, add something like the following to it:

<Directory /var/www/html>
AuthName "Secret Stuff"
AuthType basic
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Directory>

Restart the Apache service and test access with a web browser; enter the user name and password created above in the dialog that pops up.

e.g.: add the site news.westos.com

[root@httpserver ~]# cd /etc/httpd/conf.d
[root@httpserver conf.d]# vim news.conf  ## the new news site
<Virtualhost *:80>  ## port 80
        ServerName news.westos.com
        DocumentRoot "/www/virtual/news/html"
        Customlog "logs/news.log" combined
</Virtualhost>
<Directory "/www/virtual/news/html">
        Require all granted
</Directory>

[root@httpserver conf.d]# vim default.conf  ## the default site
<Virtualhost _default_:80>
        DocumentRoot "/www/html"
        customlog "logs/default.log" combined
</Virtualhost>
<Directory "/www/html">
        Require all granted
</Directory>
<Directory "/www/html/cgi">
        Options +ExecCGI
        AddHandler cgi-script .cgi
</Directory>
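Two rules stated in this unit can be checked mechanically: the password file must sit outside every DocumentRoot, and a directory that enables ExecCGI should pin AllowOverride None, as the cgi-bin example later in the unit does. The following Python script is an added example, not part of the course notes: it parses httpd.conf-style text into nested sections and reports those findings, with a weak configuration modelled on the snippets above beside a corrected one. The file contents are constructed; the parser also strips the trailing "##" notes used on this page, which httpd itself does not accept on a directive line.

```python
import os
import re

OPEN_RE = re.compile(r"^<(\w+)\s*(.*?)>$")     # <Directory "/path">, <VirtualHost *:80>
CLOSE_RE = re.compile(r"^</(\w+)>$")


class Section:
    """One <Name arg> ... </Name> block; the root section has an empty name."""

    def __init__(self, name="", arg="", parent=None):
        self.name = name.lower()
        self.arg = arg.strip().strip('"')
        self.parent = parent
        self.directives = []                   # (lower-case name, value) in file order
        self.children = []

    def get(self, name):
        """First value of a directive set in this section, else None."""
        for n, v in self.directives:
            if n == name.lower():
                return v
        return None

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()


def parse_config(text):
    """Build a Section tree from httpd.conf-style text; raises ValueError on unbalanced blocks."""
    root = Section()
    cur = root
    for raw in text.splitlines():
        line = re.sub(r"\s*#.*$", "", raw).strip()   # drop '#' comments (incl. this page's '##' notes)
        if not line:
            continue
        m = CLOSE_RE.match(line)
        if m:
            if cur.parent is None or cur.name != m.group(1).lower():
                raise ValueError("unbalanced </%s>" % m.group(1))
            cur = cur.parent
            continue
        m = OPEN_RE.match(line)
        if m:
            sec = Section(m.group(1), m.group(2), cur)
            cur.children.append(sec)
            cur = sec
            continue
        name, _, value = line.partition(" ")
        cur.directives.append((name.lower(), value.strip().strip('"')))
    if cur is not root:
        raise ValueError("unclosed <%s>" % cur.name)
    return root


def _under(path, root):
    path, root = os.path.normpath(path), os.path.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def audit(text):
    """Return a list of human-readable findings for the configuration text."""
    tree = parse_config(text)
    findings = []
    docroots = [s.get("documentroot") for s in tree.walk() if s.get("documentroot")]
    for sec in tree.walk():
        auth_file = sec.get("authuserfile")
        if auth_file:
            for dr in docroots:
                if _under(auth_file, dr):
                    findings.append("AuthUserFile %s lies under DocumentRoot %s (password file would be served)" % (auth_file, dr))
        if sec.name == "directory":
            opts = (sec.get("options") or "").lower()
            override = (sec.get("allowoverride") or "").lower()
            if "execcgi" in opts and override != "none":
                findings.append("<Directory %s> enables ExecCGI without 'AllowOverride None'" % sec.arg)
            if os.path.normpath(sec.arg) == "/" and (sec.get("require") or "").lower() == "all granted":
                findings.append("<Directory /> grants access to the whole filesystem")
    return findings


# Constructed: the unit's snippets with the password file moved inside the site
WEAK_CONF = """\
DocumentRoot "/www/html"
<Directory "/www/html">
    AllowOverride all
    AuthUserFile /www/html/.htpasswd   ## password file inside the site
    AuthName "Please input your name and password"
    AuthType basic
    Require valid-user
</Directory>
<Directory "/www/html/cgi">
    Options +ExecCGI
    AddHandler cgi-script .cgi
</Directory>
"""

# Constructed: the same layout with the password file under /etc/httpd and overrides pinned
FIXED_CONF = """\
DocumentRoot "/www/html"
<Directory "/www/html">
    AllowOverride None
    AuthUserFile /etc/httpd/passfile
    AuthName "Please input your name and password"
    AuthType basic
    Require valid-user
</Directory>
<Directory "/www/html/cgi">
    AllowOverride None
    Options +ExecCGI
    AddHandler cgi-script .cgi
</Directory>
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("fixed:", audit(FIXED_CONF))
```

The checks deliberately look at directives as written, not at what httpd would merge from parent sections, so an ExecCGI directory that inherits AllowOverride from its parent is still reported; that is the point of asking for the setting to be explicit.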

Configuring HTTPS

Custom self-signed certificates

If encrypted communication is important but a verified identity is not, an administrator can avoid the complexity of dealing with a certificate authority by generating a self-signed certificate.

Use the genkey utility (shipped in the crypto-utils package) to generate a self-signed certificate and its associated private key. For simplicity, genkey creates the certificate and key in the "correct" location (under /etc/pki/tls); accordingly, the utility must be run as a privileged user (root).

Generating a self-signed certificate

1. Make sure the crypto-utils package is installed.

[root@server0 ~]# yum install crypto-utils mod_ssl

2. Invoke genkey, giving the generated files a unique name (for example, the server's fully qualified host name). --days sets the certificate's validity period.

[root@server0 ~]# genkey server0.example.com
 genkey www.westos.com

3. Note the locations of the generated certificate (server0.example.com.crt) and its associated private key (server0.example.com.key).

4. Continue through the dialogs and choose a suitable key size (the default of 2048 bits is the recommended value).

5. Gathering random data is slow; typing on the keyboard and moving the mouse speeds it up.

6. Decline to send a certificate signing request (CSR) to a certificate authority (CA), and decline to encrypt the private key: choose "no" for both.

7. Provide a suitable identity for the server. The Common Name must exactly match the server's fully qualified host name. (Note that any comma must be escaped with a leading backslash [\].)

Installing the certificate and its private key

1. Make sure the mod_ssl package is installed.

[root@server0 ~]# yum install mod_ssl

2. The private key is sensitive; make sure it is readable only by root.

[root@server0 ~]# ls -l /etc/pki/tls/private/server0.example.com.key
-r--------. 1 root root 1737 Dec 22 15:06 /etc/pki/tls/private/server0.example.com.key

3. Edit /etc/httpd/conf.d/ssl.conf and set the SSLCertificateFile and SSLCertificateKeyFile directives to point at the X.509 certificate and the key file respectively.

SSLCertificateFile /etc/pki/tls/certs/server0.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/server0.example.com.key

4. Restart the web server.

[root@server0 ~]# systemctl restart httpd

5. To confirm, access the web server over https (https://serverX.example.com) with a web client such as Firefox.

The web client may warn that it does not recognize the certificate issuer. That is expected with a self-signed certificate: tell the web client to bypass certificate verification. (In Firefox, choose "I Understand the Risks", "Add Exception" and "Confirm Security Exception".)

e.g.:

[root@httpserver conf.d]# vim /etc/httpd/conf.d/login.conf
<Virtualhost *:443>  ## TLS port 443
        ServerName login.westos.com
        DocumentRoot /www/virtual/login/html
        CustomLog "logs/login.log" combined  ## "combined" is one of the predefined log formats
        SSLEngine on
        SSLCertificateKeyFile /etc/pki/tls/private/www.westos.com.key
        SSLCertificateFile /etc/pki/tls/certs/www.westos.com.crt
</Virtualhost>
<Directory "/www/virtual/login/html">
        Require all granted
</Directory>
<Virtualhost *:80> ## plain port 80
        ServerName login.westos.com
        RewriteEngine on
        RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</Virtualhost>

Note that this virtual host answers as login.westos.com with a certificate generated for www.westos.com, so besides the unknown-issuer warning, clients will also report a host name mismatch (step 7 above) unless the certificate covers that name.

URL rewriting

Redirect every request on port 80 to be handled over https:

<Virtualhost *:80>
ServerName www0.example.com
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</Virtualhost>

Example: /etc/httpd/conf.d/www0.conf

<VirtualHost *:443>
servername www0.example.com
documentroot /srv/www0/www
SSLEngine on
SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
SSLCertificateFile /etc/pki/tls/certs/www0.crt
SSLCertificateKeyFile /etc/pki/tls/private/www0.key
<Directory "/srv/www0/www">
require all granted
</Directory>
</VirtualHost>

<VirtualHost *:80>
servername www0.example.com
rewriteengine on
rewriterule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>
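The RewriteRule above sends every port-80 request to the same host and path over https. The Python script below is an added example, not from the course notes: it reproduces what the rule computes from the Host header and request URI, checks that a captured port-80 response really is a 301 to the https twin of the request (same host, same path, scheme https), and can probe a live host. The host name login.westos.com comes from this page; the responses in the test are constructed.

```python
import re
from http.client import HTTPConnection
from urllib.parse import urlsplit

RULE = re.compile(r"^(/.*)$")   # the pattern from the page's RewriteRule


def rewrite_target(host_header, request_uri):
    """Mirror the substitution https://%{HTTP_HOST}$1.

    httpd matches the pattern against the path without the query string and re-appends the
    query string afterwards; matching the whole URI here yields the same final Location.
    Returns None when the pattern does not match (httpd would then leave the request alone)."""
    m = RULE.match(request_uri)
    if not m:
        return None
    return "https://%s%s" % (host_header, m.group(1))


def check_redirect(status, headers, host_header, request_uri):
    """Judge one port-80 response; headers is a list of (name, value). Returns (ok, reason)."""
    if status != 301:
        return False, "expected 301, got %d" % status
    location = {k.lower(): v for k, v in headers}.get("location")
    if not location:
        return False, "301 without Location header"
    parts = urlsplit(location)
    if parts.scheme != "https":
        return False, "Location is not https: %s" % location
    if parts.netloc.split(":")[0] != host_header.split(":")[0]:
        return False, "redirect leaves the requested host: %s" % location
    if location != rewrite_target(host_header, request_uri):
        return False, "path not preserved: %s" % location
    return True, "ok"


def probe(host, path="/", port=80):
    """Send one plain-HTTP request and evaluate the reply (needs network access to the host)."""
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return check_redirect(resp.status, resp.getheaders(), host, path)
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "login.westos.com"
    print(target, probe(target, "/admin/"))
```

The host check matters as much as the scheme check: a rewrite that builds its target from a header other than the one the virtual host was selected by can send clients somewhere else entirely, and a 301 is cached by browsers.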


CGI

The Common Gateway Interface (CGI) is the simplest way to put dynamic content on a website. CGI scripts can be used for many purposes, but it is important to control carefully which CGI scripts are used and who may add and run them. A poorly written CGI script can give an external attacker a way to compromise the website and its content. For that reason there are settings at both the web server level and the SELinux policy level that restrict the use of CGI scripts.

Example:

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>

# ll -dZ /var/www/cgi-bin/
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/

e.g.:

cd /www/html/
mkdir cgi
cd cgi/
vim index.cgi
#!/usr/bin/perl
print "Content-type: text/html\n\n";   # the blank line after the header is mandatory in CGI output
print `date`;
chmod +x index.cgi
./index.cgi
setenforce 0
ls -Zd /www/html/cgi/
semanage fcontext -a -t "httpd_sys_content_t" '/www/html/cgi(/.*)?'
restorecon -FvvR /www/html/cgi/

Note that httpd_sys_content_t is the type for static content: with SELinux enforcing, httpd may only execute CGI scripts from a directory labelled httpd_sys_script_exec_t, as /var/www/cgi-bin is above. The script runs in this walkthrough only because setenforce 0 switched enforcement off; the durable fix is to label the CGI directory httpd_sys_script_exec_t and leave enforcing mode on.
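The Perl script above runs date through the shell and prints whatever comes back, which is harmless until request data is mixed in, the situation the text warns about. As an added example that is not part of the course notes, here is a hardened Python index.cgi that does the same job: the optional tz and name query parameters (both assumed names) are validated against an allow-list, date(1) is run from an argument list with a fixed PATH rather than through a shell, and everything echoed into the page is HTML-escaped. The sample queries in the test are constructed.

```python
#!/usr/bin/env python3
"""index.cgi: query parameters are validated and escaped before they reach a subprocess or the page."""
import html
import os
import re
import subprocess
import sys
from urllib.parse import parse_qs

TZ_RE = re.compile(r"^[A-Za-z_]+(?:/[A-Za-z0-9_+-]+){0,2}$")   # e.g. UTC, Asia/Shanghai
NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,40}$")


def parse_params(query_string):
    """Return validated parameters; anything failing the allow-list falls back to a safe default."""
    q = parse_qs(query_string, keep_blank_values=False)
    tz = q.get("tz", ["UTC"])[0]
    name = q.get("name", ["visitor"])[0]
    return {
        "tz": tz if TZ_RE.match(tz) else "UTC",
        "name": name if NAME_RE.match(name) else "visitor",
    }


def run_date(tz):
    """Run date(1) from an argument list with a minimal environment; no shell is involved."""
    env = {"PATH": "/usr/bin:/bin", "TZ": tz}
    out = subprocess.run(["date", "+%F %T %Z"], env=env, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def render(query_string, date_fn=run_date):
    """Build the CGI response as (header_lines, body); date_fn is injectable for testing."""
    p = parse_params(query_string)
    body = "<html><body><p>Hello, %s. Server time (%s): %s</p></body></html>\n" % (
        html.escape(p["name"]), html.escape(p["tz"]), html.escape(date_fn(p["tz"])))
    headers = ["Content-Type: text/html; charset=utf-8", "X-Content-Type-Options: nosniff"]
    return headers, body


if __name__ == "__main__":
    hdrs, body = render(os.environ.get("QUERY_STRING", ""))
    # CGI: header lines, one empty line, then the body
    sys.stdout.write("\r\n".join(hdrs) + "\r\n\r\n" + body)
```

Installed as /www/html/cgi/index.cgi under the Options +ExecCGI directory from default.conf, the script still needs the httpd_sys_script_exec_t label to run with SELinux enforcing.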

PHP language support:

Install the php package, which contains the mod_php module:

# yum install -y php

Module configuration file: /etc/httpd/conf.d/php.conf

<FilesMatch .php$>
SetHandler application/x-httpd-php
</FilesMatch>
DirectoryIndex index.php

e.g.:

[root@httpserver html]# vim /www/html/index.php
<?php   // full open tag: the short form "<?" only works when short_open_tag is enabled
        phpinfo();
?>

Build the PHP practice environment on server0; this script configures mariadb automatically and generates the dynamic page /var/www/html/index.php:

# lab phpdb setup

Install PHP's database support:

# yum install -y php-mysql

After restarting the httpd service, test that the page is reachable.

Note that when the database the web server connects to is remote, SELinux must be adjusted:

# setsebool -P httpd_can_network_connect_db=1
# setsebool -P httpd_can_network_connect=1
(the second boolean is needed when the database does not listen on port 3306)

e.g.:

[root@httpserver conf.d]# yum install php -y
file:///usr/share/doc/HTML/en-US/index.html
 yum install httpd-manual -y

LAMP = Linux + Apache + MySQL + PHP

WSGI: Python language support

Install the mod_wsgi package:

# yum install -y mod_wsgi

Run the setup script, which generates the Python test file /home/student/webapp.wsgi:

# lab webapp setup

Add the following to the virtual host:

<VirtualHost *:443>
servername webapp0.example.com
...
WSGIScriptAlias / /srv/webapp0/www/webapp.wsgi
...
</VirtualHost>

Restart the httpd service and test from desktop0:

# curl -k https://webapp0.example.com
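The lab script generates webapp.wsgi for the exercise. As an added example that is not the lab's file or the course's code, the following Python module is a complete WSGI application of the kind WSGIScriptAlias points at: a page, a health endpoint that reports whether the request arrived over TLS (from environ["wsgi.url_scheme"], which mod_wsgi sets from the virtual host that handled the request), method and path checks, and a helper that calls the application without a server. Paths and responses are constructed.

```python
"""webapp.wsgi: minimal WSGI application for the WSGIScriptAlias above (added example)."""
import json
from html import escape


def application(environ, start_response):
    """WSGI entry point: mod_wsgi calls this for every request under the alias."""
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET")
    host = environ.get("HTTP_HOST", "")
    scheme = environ.get("wsgi.url_scheme", "http")
    if method != "GET":
        return _respond(start_response, "405 Method Not Allowed", "text/plain",
                        b"GET only\n", [("Allow", "GET")])
    if path == "/":
        body = ("<html><body><h1>WSGI on %s</h1><p>scheme=%s</p></body></html>\n"
                % (escape(host), escape(scheme))).encode("utf-8")   # escape before echoing
        return _respond(start_response, "200 OK", "text/html; charset=utf-8", body)
    if path == "/health":
        body = json.dumps({"status": "ok", "tls": scheme == "https"}).encode("utf-8")
        return _respond(start_response, "200 OK", "application/json", body)
    return _respond(start_response, "404 Not Found", "text/plain", b"not found\n")


def _respond(start_response, status, ctype, body, extra=()):
    """Send status and headers through start_response and return the body as the WSGI iterable."""
    headers = [("Content-Type", ctype), ("Content-Length", str(len(body))),
               ("X-Content-Type-Options", "nosniff")] + list(extra)
    start_response(status, headers)
    return [body]


def call(environ):
    """Test helper: run the application once and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(application(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Local run without httpd, for development only; mod_wsgi is the real host
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8000, application) as srv:
        print("serving on http://127.0.0.1:8000/")
        srv.serve_forever()
```

With the virtual host on *:443 as in the snippet above, /health reports "tls": true; the same file aliased from a *:80 virtual host reports false, which makes the endpoint a cheap check that the redirect-to-https setup from the previous section actually terminates where intended.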

Original address: https://www.cnblogs.com/yangying2017/p/6731073.html
Copyright © 2020-2023  润新知