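# Install Apache and open its main configuration file.
# "//…" after a command is not a comment in sh (it is passed as an extra argument); use "#".
yum -y install httpd
vim /etc/httpd/conf/httpd.conf   # main configuration; the VirtualHost block below is appended at its end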
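# Appended at the end of /etc/httpd/conf/httpd.conf.
# Directive names are case-insensitive. httpd.conf only understands "#" comments: a trailing
# "//…" is parsed as an extra directive argument and makes the server refuse to start.
Listen 8080
# Virtual host bound to 192.168.1.1:8080, served from /var/www/8080.
<VirtualHost 192.168.1.1:8080>
    DocumentRoot /var/www/8080
    ServerName 192.168.1.1:8080
</VirtualHost>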
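# Create the document root for the 8080 host with a one-line test page, then restart and
# confirm the new listener is up.
mkdir -p /var/www/8080
echo "port:8080" > /var/www/8080/index.html
systemctl restart httpd
ss -lnt | grep ':8080'            # the port httpd now listens on
# Next site: Basic-auth protected host in the main configuration.
vim /etc/httpd/conf/httpd.conf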
# Name-based host for www.sdskills.net whose whole document root requires HTTP Basic
# authentication; the password file is the one written by "htpasswd -c /var/www/passwd <user>".
<VirtualHost *:80>
    ServerName    www.sdskills.net
    DocumentRoot  /var/www/chen
    <Directory "/var/www/chen">
        AuthType      Basic
        AuthName      "please input your password"
        AuthUserFile  "/var/www/passwd"
        Require       valid-user
    </Directory>
</VirtualHost>
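# -c creates the password file (overwriting an existing one); drop -c when adding more users.
htpasswd -c /var/www/passwd xiaozhao
systemctl restart httpd

yum -y install openssl
# CA working directory in the layout the default openssl.cnf [ CA_default ] section expects:
# certs/, newcerts/, private/, index.txt and a serial file (openssl ca fails without serial).
mkdir -p /CA/certs /CA/newcerts /CA/private
cd /CA
chmod 700 private
touch index.txt
echo 01 > serial
# Server key and certificate request.
openssl genrsa -out /CA/private/httpd.key 4096
chmod 600 /CA/private/httpd.key
openssl req -new -key /CA/private/httpd.key -out /CA/certs/httpd.csr
# Sign the request with the CA. Assumes the CA key/cert already exist at private/cakey.pem and
# cacert.pem (web server and CA are the same host here, so signing is local). Output: /CA/httpd.crt
openssl ca -keyfile private/cakey.pem -cert cacert.pem -in certs/httpd.csr -out httpd.crt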
示例:
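# Example: fetch the OpenVPN CA certificate and a client certificate/key from the server over
# ssh (ssh access must already be configured). The command is lower-case scp.
scp root@81.6.63.254:/etc/openvpn/server/ca.crt /etc/openvpn/
scp root@81.6.63.254:/etc/openvpn/server/client.crt /etc/openvpn/
scp root@81.6.63.254:/etc/openvpn/server/client.key /etc/openvpn/
chmod 600 /etc/openvpn/client.key   # private key: readable by root only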
(要先配置ssh服务)
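# Same copy when sshd listens on a non-default port: upper-case -P selects the port
# (lower-case -p means "preserve timestamps").
scp -P 2222 root@81.6.63.254:/etc/openvpn/server/ca.crt /etc/openvpn/
# Revoke a certificate issued by the CA (run on the CA host). Revocation only reaches clients
# once a fresh CRL is generated with "openssl ca -gencrl" and published.
openssl ca -revoke /csk-rootca/newcerts/01.pem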
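# Service account for httpd. Run ONLY ONE of the three useradd forms below (the notes list
# them as alternatives); once the user exists the others fail.
# Form 1: home is the document root, no login shell — this is the one used together with vsftpd.
useradd -d /data/share/htdocs/skills -s /sbin/nologin webuser
# Form 2: explicit group, home under /home and a fixed UID (443 is just a free UID). Nothing
# needs to log in as this account, so /sbin/nologin would be the safer shell here too.
groupadd webuser
useradd -m -g webuser -s /bin/bash -d /home/webuser -u 443 webuser
# Form 3: plain system account.
useradd -r webuser
# Then set User/Group in the main configuration so the worker processes drop root privileges.
vim /etc/httpd/conf/httpd.conf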
# Worker processes run as webuser:webuser (in /etc/httpd/conf/httpd.conf).
User  webuser
Group webuser
vim /etc/httpd/conf.d/vithost.conf //创建虚拟站点,在主站点建立也行,两者只能存在一
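# /etc/httpd/conf/d/vithost.conf — virtual hosts for www.sdskills.net.
# Only "#" comments are valid here; "//…" after a directive is read as an extra argument.

# Plain HTTP: permanent redirect of everything to HTTPS (a second "Redirect 301" line with the
# same meaning was redundant and has been dropped).
<VirtualHost *:80>
    Redirect permanent / https://www.sdskills.net/
</VirtualHost>

# Catch-all on 443. The first VirtualHost for an address:port is the default for any Host
# header that matches no ServerName, so sdskills.net / any.sdskills.net land here and are
# redirected to the canonical name. Keep it before the named host below.
<VirtualHost *:443>
    Redirect permanent / https://www.sdskills.net/
    SSLEngine on
    SSLCertificateFile /CA/httpd.crt
    SSLCertificateKeyFile /CA/private/httpd.key
</VirtualHost>

<VirtualHost *:443>
    ServerName www.sdskills.net
    DocumentRoot /data/share/htdocs/skills/
    SSLEngine on
    # Paths follow the openssl steps (certificate written to /CA/httpd.crt, key generated at
    # /CA/private/httpd.key); the original /CA/httpd.pem and /CA/httpd.key are never created
    # by those steps — keep the old paths only if the files were moved by hand.
    SSLCertificateFile /CA/httpd.crt
    SSLCertificateKeyFile /CA/private/httpd.key
    <Directory "/data/share/htdocs/skills">
        Require all granted
        # <Directory> matches directories only, so a rule written as
        # <Directory …/staff.html> never applies and the page is served without a login.
        # A per-file rule is a <Files> section nested in the document-root block.
        <Files "staff.html">
            AuthType Basic
            AuthName "This is the front page of sdskills's website."
            AuthUserFile "/etc/httppasswd"
            Require valid-user
        </Files>
    </Directory>
</VirtualHost>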
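# NOTE(review): the vhost above serves /data/share/htdocs/skills/, not /htdocs/skills — one of
# the two paths must change (the requirements sheet names /htdocs/skills) or these pages are
# never reached.
mkdir -p /htdocs/skills
# Write (not append) the pages so a second run does not duplicate their content.
printf '%s\n' "This is the front page of skills's website." > /htdocs/skills/index.html
printf '%s\n' "Staff Information" > /htdocs/skills/staff.html
# Password file referenced by AuthUserFile "/etc/httppasswd"; -c creates/overwrites it.
cd /etc/
htpasswd -c httppasswd chen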
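# Up to here the site works, except that SSL cannot be enabled yet: mod_ssl is missing.
yum -y install mod_ssl
# The notes disable SELinux ("setenforce 0") to get httpd running. That switches enforcement
# off for the whole host; the usual cause is that /data/... and /CA were created by hand and
# carry the default label, which httpd_t may not read. Label them instead (confirm the exact
# denial with "ausearch -m avc -ts recent" before assuming this is the only one).
yum -y install policycoreutils-python
semanage fcontext -a -t httpd_sys_content_t "/data/share/htdocs(/.*)?"
semanage fcontext -a -t cert_t "/CA(/.*)?"
restorecon -Rv /data/share/htdocs /CA
systemctl restart httpd
# Give the client only the CA certificate so it can verify the server; the CA key stays here.
scp /csk-rootca/csk-ca.pem 192.168.0.50:/root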
centos 7 默认php版本太低,需要升级才能安装主流的web应用
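# PHP 7.1 from the Webtatic repository (the stock CentOS 7 PHP is too old for current web apps).
# This is a third-party source: the release packages come over HTTPS, and rpm only verifies a
# signature for keys already imported, so check the package origin before trusting it.
rpm -Uvh https://mirror.webtatic.com/yum/el7/epel-release.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum install -y php71w php71w-cli php71w-common php71w-devel php71w-embedded php71w-fpm php71w-gd php71w-mbstring php71w-mysqlnd php71w-opcache php71w-pdo php71w-xml php71w-ldap php71w-mcrypt
php -v                             # installed PHP version
yum list installed | grep php      # installed PHP modules
# Test page in the web root to check that PHP is executed (contents: the phpinfo() file below).
vim index.php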
<?php phpinfo()?> //显示php详细信息
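# The error log shows that the .php suffix is not handled. Read the live log with tail rather
# than opening it in an editor (an accidental write would alter the log).
tail -n 50 /var/log/httpd/error_log
vim /etc/httpd/conf/httpd.conf     # adjust the default directory index (see the dir_module block)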
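# In /etc/httpd/conf/httpd.conf. DirectoryIndex takes literal file names, not globs:
# "*.php" would only match a file actually named "*.php". index.php is not in the default
# list, so it is added explicitly.
<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>
# After this change the site renders correctly.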
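# Database. Package and unit names are lower-case: mariadb-server / mariadb.
yum -y install mariadb-server
systemctl start mariadb
yum -y install net-tools          # provides netstat
netstat -tnlp | grep ':3306'      # confirm the database is listening
# Interactive hardening; the prompts, in order:
#   current root password   -> Enter if none (this is the MySQL root, not the Linux root)
#   set root password?      -> yes
#   remove anonymous users? -> yes
#   disallow remote root?   -> the notes answer "no"; "yes" is the safer choice unless remote
#                              root logins are actually required
#   remove test database?   -> the notes keep it for now
#   reload privilege tables -> yes, so the password change takes effect
mysql_secure_installation
# Log in. "-p" with no value prompts for the password. Do not put the password on the command
# line: it shows up in "ps" and in shell history, and with a space after -p the next word is
# taken as the database name, not the password. USERNAME is a placeholder.
mysql -u USERNAME -p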
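yum -y install lrzsz              # rz/sz file transfer through the terminal
# Unpack phpMyAdmin into the document root and give it a short directory name.
tar -zxvf phpMyAdmin-5.0.4-all-languages.tar.gz -C /data/share/htdocs/skills/
cd /data/share/htdocs/skills/
mv phpMyAdmin-5.0.4-all-languages phpmyadmin
# Opening the site now fails with a PHP session error: the web-server user cannot write
# /var/lib/php/session. Give that user the directory instead of "chmod -R 777" — world-writable
# lets any local account read or overwrite every session file.
chown -R webuser:webuser /var/lib/php/session/   # httpd runs as webuser per User/Group above; use apache:apache if those were left at the default
chmod 770 /var/lib/php/session/
# Log in with the database account and password at the phpMyAdmin prompt.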
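# Alternative setup with the distribution PHP and an older phpMyAdmin.
yum -y install php mariadb-server.x86_64 php-mysql php-mbstring.x86_64
yum -y install lrzsz.x86_64       # upload tool (rz)
# Upload the phpMyAdmin archive, move it into the site directory and unpack it.
mv /etc/phpMyAdmin-4.4.15.10-all-languages.tar.gz /data/share/htdocs/skills/
cd /data/share/htdocs/skills/
tar -zxvf phpMyAdmin-4.4.15.10-all-languages.tar.gz
mv phpMyAdmin-4.4.15.10-all-languages phpmyadmin
systemctl restart mariadb.service
# Interactive hardening; the prompts, in order:
#   current root password   -> Enter if none (MySQL root, not the Linux root)
#   set root password?      -> yes
#   remove anonymous users? -> yes
#   disallow remote root?   -> the notes answer "no"; "yes" is safer unless remote root is needed
#   remove test database?   -> the notes keep it for now
#   reload privilege tables -> yes, so the password change takes effect
mysql_secure_installation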
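systemctl restart mariadb.service
systemctl restart httpd.service
# Browsing to the site (the directory was renamed to phpmyadmin above, so the URL path is
# /phpmyadmin/) warns about insufficient session permissions; the error log shows nothing.
tail -n 50 /var/log/httpd/error_log
# Hand the session directory to the web-server user instead of "chmod -R 777" (world-writable
# lets any local account read or overwrite session files).
chown -R webuser:webuser /var/lib/php/session/   # or apache:apache if User/Group were left at the default
chmod 770 /var/lib/php/session/
# Log in with the database account and password.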
提供www.skills.org;
skills公司的门户网站;
使用apache服务;
网页文件放在/htdocs/skills;
服务以用户webuser运行;
首页内容为“This is the front page of skills’s website.”;
/htdocs/sdskills/staff.html内容为“Staff Information”;
该页面需要员工的账号认证才能访问;
员工账号存储在ldap中,账号为zsuser、lsus
网站使用https协议;
SSL使用RServer颁发的证书, 颁发给:
C = org
ST = China
L = ShangDong
O = skills
OU = Operations Departments
org = *.skills.org
Rserver的CA证书路径:/CA/cacert.pem
签发数字证书,颁发者:
C = org;
O = Inc
OU = www.skills.org
org = skill Global Root CA
客户端访问https时应无浏览器(含终端)安全警告信息;
当用户使用http访问时自动跳转到https安全连接;
当用户使用skills.org或any.skills.org(any代表任意网址前缀)访问时,自动跳转到www.skills.org。
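apt -y install apache2
# System account (-r) for the web server; it never needs an interactive shell.
useradd -r -s /usr/sbin/nologin webuser
# Set User/Group. Debian's packaged apache2.conf takes them from APACHE_RUN_USER /
# APACHE_RUN_GROUP in /etc/apache2/envvars, which is the usual place to change them.
vim /etc/apache2/apache2.conf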
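# Run the worker processes as webuser ("//…" is not a comment in this file). On Debian the
# stock apache2.conf reads ${APACHE_RUN_USER}/${APACHE_RUN_GROUP} from /etc/apache2/envvars;
# setting the values there keeps apache2ctl and the init scripts consistent with the daemon.
User  webuser
Group webuser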
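apt -y install openssl
# CA working directory in the layout openssl ca expects: certs/, newcerts/, private/,
# index.txt and serial. "cd /CA" must come before the mkdirs, otherwise they are created in
# whatever directory the shell happens to be in.
mkdir -p /CA
cp -rf /etc/ssl/* /CA
cd /CA
mkdir -p certs newcerts private
chmod 700 private
touch index.txt
echo 01 > serial                  # openssl ca fails without a serial file
# Server key and certificate request. The request uses the key generated here
# (private/apache.key); the original referenced private/httpd.key, which does not exist.
openssl genrsa -out private/apache.key 4096
chmod 600 private/apache.key
openssl req -new -key private/apache.key -out certs/apache.csr
# Sign with the CA *key* (-keyfile), not the CA certificate. Assumes the CA material exists at
# private/cakey.pem and cacert.pem (web server and CA are the same host, so signing is local).
# Output: /CA/apache.crt
openssl ca -keyfile private/cakey.pem -cert cacert.pem -in certs/apache.csr -out apache.crt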
示例:
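# Example: fetch the OpenVPN CA certificate and a client certificate/key from the server over
# ssh (ssh access must already be configured). The command is lower-case scp.
scp root@81.6.63.254:/etc/openvpn/server/ca.crt /etc/openvpn/
scp root@81.6.63.254:/etc/openvpn/server/client.crt /etc/openvpn/
scp root@81.6.63.254:/etc/openvpn/server/client.key /etc/openvpn/
chmod 600 /etc/openvpn/client.key   # private key: readable by root only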
(要先配置ssh服务)
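# Revoke a certificate issued by this CA; regenerate the CRL afterwards ("openssl ca -gencrl")
# and publish it, otherwise clients never learn about the revocation.
openssl ca -revoke /csk-rootca/newcerts/01.pem
# Site content (write, not append, so re-running does not duplicate the pages).
mkdir -p /htdocs/skills
printf '%s\n' "This is the front page of skills's website." > /htdocs/skills/index.html
printf '%s\n' "Staff Information" > /htdocs/skills/staff.html
vim /etc/apache2/sites-enabled/000-default.conf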
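# /etc/apache2/sites-enabled/000-default.conf — hosts for www.skills.org.
# Only "#" comments are valid here; "//…" after a directive is read as an extra argument.

# Plain HTTP: permanent redirect of everything to HTTPS.
<VirtualHost *:80>
    Redirect permanent / https://www.skills.org/
</VirtualHost>

# Catch-all on 443. The first VirtualHost for an address:port is the default for Host headers
# that match no ServerName, so skills.org / any.skills.org land here and are redirected to the
# canonical name. Keep it before the named host below.
<VirtualHost *:443>
    Redirect permanent / https://www.skills.org/
    SSLEngine on
    SSLCertificateFile /CA/apache.crt
    SSLCertificateKeyFile /CA/private/apache.key
</VirtualHost>

<VirtualHost *:443>
    ServerName www.skills.org
    DocumentRoot /htdocs/skills
    SSLEngine on
    # The openssl steps generate the key at /CA/private/apache.key; /CA/apache.key is never
    # created by them. Keep the old path only if the key was moved by hand.
    SSLCertificateFile /CA/apache.crt
    SSLCertificateKeyFile /CA/private/apache.key
    <Directory "/htdocs/skills">
        Require all granted
        # Local (htpasswd) authentication for the staff page. <Directory> matches directories
        # only, so <Directory …/staff.html> never applies and the page would be served without
        # a login; the per-file rule is a <Files> section nested here.
        <Files "staff.html">
            AuthType Basic
            AuthName "login"
            AuthUserFile "/var/passwd"
            Require valid-user
        </Files>
    </Directory>
</VirtualHost>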
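# Password file for the staff page. -c creates (and overwrites) the file; add further staff
# accounts with "htpasswd /var/passwd <name>" without -c. The requirements list a second
# account whose name is cut off in the notes.
htpasswd -c /var/passwd zsuser
a2enmod ssl                       # enable mod_ssl before the restart
systemctl restart apache2
# Give the client only the CA certificate so it can verify the server; the CA key stays here.
scp /CA/cacert.pem root@10.10.100.2:/root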
客户端需要手工信任证书,才有绿色锁头
客户端命令行测试
export CURL_CA_BUNDLE=/root/cacert.pem //手工指定CAfile
[root@client home]# curl -I http://www.skills.org
HTTP/1.1 301 Moved Permanently
Date: Wed, 20 Jul 2022 03:18:50 GMT
Server: Apache/2.4.38 (Uos)
Location: https://www.skills.org/
Content-Type: text/html; charset=iso-8859-1
[root@client home]# curl -I https://www.skills.org
HTTP/1.1 200 OK
Date: Wed, 20 Jul 2022 03:18:52 GMT
Server: Apache/2.4.38 (Uos)
Last-Modified: Tue, 19 Jul 2022 08:38:02 GMT
ETag: "2c-5e424670ea44a"
Accept-Ranges: bytes
Content-Length: 44
Content-Type: text/html
[root@client home]# curl -I http://any.skills.org
HTTP/1.1 301 Moved Permanently
Date: Wed, 20 Jul 2022 03:18:54 GMT
Server: Apache/2.4.38 (Uos)
Location: https://www.skills.org/
Content-Type: text/html; charset=iso-8859-1
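# LDAP authentication support for the staff page; without it httpd does not recognise the
# ldap provider. Pick the line for the distribution in use.
yum -y install mod_ldap           # CentOS: ldap / authnz_ldap modules
a2enmod ldap authnz_ldap          # UOS / Debian: enable the modules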
这个需要先把ldap服务搭建起来
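# Requires a working LDAP server first.
# "Order/Deny/Satisfy" are Apache 2.2 access-control directives (2.4 needs mod_access_compat
# for them, and they mix badly with Require); in 2.4 a single Require line already means
# "only these LDAP users". <Directory> matches directories only, so the per-file rule is a
# <Files> section nested in the document-root block.
# NOTE(review): ldap:// sends each user's bind password in clear text to 192.168.10.4; use
# ldaps:// or "LDAPTrustedMode TLS" if the directory supports it.
<Directory "/htdocs/skills">
    <Files "staff.html">
        AuthName "ldap authentication"
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL ldap://192.168.10.4/ou=users,dc=chinaskills,dc=cn?uid
        Require ldap-user wuusr lsusr zsuser
    </Files>
</Directory>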