职业技能大赛 linux模块 WEB配置

发布时间:2024年01月03日

基于端口部署站点

yum -y install httpd    //安装apache服务
vim /etc/httpd/conf/httpd.conf     //修改主配置文件
    //在末尾添加
    listen 8080   //添加监听端口
    <virtualhost 192.168.1.1:8080>    //不区分大小写,设置虚拟主机站点为192.168.1.1:8080
     	documentroot /var/www/8080     //设置虚拟主机站点对根目录
        servername 192.168.1.18080		//设置虚拟主机站点的服务器名称
    </virtualhost>
mkdir /var/www/8080     //创建虚拟主机站点对应根目录
echo "port:8080" > /var/www/8080/index.html  //创建虚拟主机站点测试页面
systemctl restart httpd    //重启apache服务
ss -lnt| grep 8080    //检查apache服务启动的端口

访问控制

vim /etc/httpd/conf/httpd.conf
    <virtualhost *:80>
        documentroot /var/www/chen
        servername www.sdskills.net
        <directory "/var/www/chen">
                authname "please input your password"
                authtype basic
                authuserfile "/var/www/passwd"
                require valid-user
        </directory>
	</virtualhost>
htpasswd -c /var/www/passwd xiaozhao
systemctl restart httpd

赛题(仅供参考)

http证书(如果证书请求的域名与服务器证书不匹配是没有绿色锁头的)

yum -y install openssl
mkdir /CA
cd /CA		//进入证书目录
mkdir certs
mkdir newcerts
mkdir private
touch index.txt
openssl genrsa -out /CA/private/httpd.key 4096     //生成密钥
openssl req -new -key /CA/private/httpd.key -out /CA/certs/httpd.csr   //生成证书请求文件
openssl ca -keyfile private/cakey.pem -cert cacert.pem -in certs/httpd.csr -out httpd.crt    //根证书服务器颁发证书(web跟根证书服务器是同一台可以直接颁发)
示例:
Scp root@81.6.63.254:/etc/openvpn/server/ca.crt  /etc/openvpn/
Scp root@81.6.63.254:/etc/openvpn/server/client.crt  /etc/openvpn/
Scp root@81.6.63.254:/etc/openvpn/server/client.key  /etc/openvpn/
(要先配置ssh服务)
Scp -P 2222 root@81.6.63.254:/etc/openvpn/server/ca.crt  /etc/openvpn/
    //大写的P指定端口
    
openssl ca -revoke /csk-rootca/newcerts/01.pem  #吊销证书

web服务

useradd -d /data/share/htdocs/skills -s /sbin/nologin webuser  //这个要配合vsftp用
groupadd webuser   //新建组
useradd -m webuser -g webuser -s /bin/bash -d /home/webuser -u 443
useradd -r webuser   //建立系统用户-r   选择一种即可创建即可
vim /etc/httpd/conf/httpd.conf
    user webuser
    group webuser
vim /etc/httpd/conf.d/vithost.conf   //创建虚拟站点,在主站点建立也行,两者只能存在一
    <virtualhost *:80>
        redirect permanent / https://www.sdskills.net/
		redirect 301 "/" "https://www.sdskills.net"   //永久重定向,跟第一条一样意思,可写可不写
	</virtualhost>

	<virtualhost *:443> //这个centos可以不写因为443端口跳转不了
        redirect permanent / https://www.sdskills.net/
        sslengine on
        sslcertificatefile /CA/httpd.pem
        sslcertificatekeyfile /CA/httpd.key
	</virtualhost>

	<virtualhost *:443>
        servername www.sdskills.net
        documentroot /data/share/htdocs/skills/
        sslengine on
        sslcertificatefile /CA/httpd.pem
        sslcertificatekeyfile /CA/httpd.key
        <directory /data/share/htdocs/skills>
        	require all granted
        </directory>
        <directory /data/share/htdocs/skills/staff.html>
                authtype basic
                authname "This is the front page of sdskills's website."
                authuserfile "/etc/httppasswd"
                require valid-user
        </directory>
	</virtualhost>
mkdir /htdocs/skills -p
echo "This is the front page of skills's website." >> /htdocs/skills/index.html
echo "Staff Information" >> /htdocs/skills/staff.html     
cd /etc/
htpasswd -c httppasswd chen    //创建认证用户
//到这里基本完成,因为ssl功能不能开启
yum -y install mod_ssl    //安装ssl模块
setenforce 0    //还要关闭selinux
systemctl restart httpd   //启动成功
Scp /csk-rootca/csk-ca.pem 192.168.0.50:/root     //客户端获取证书文件     

部署phpMyAdmin

centos 7 默认php版本太低,需要升级才能安装主流的web应用
rpm -Uvh https://mirror.webtatic.com/yum/el7/epel-release.rpm

rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

yum install -y php71w php71w-cli php71w-common php71w-devel php71w-embedded php71w-fpm php71w-gd php71w-mbstring php71w-mysqlnd php71w-opcache php71w-pdo php71w-xml php71w-ldap php71w-mcrypt    //安装php7.1版本及各项模块
php -v    //查看php版本
yum list installed |grep php    //查看安装的PHP模块

vim index.php    //在web主目录生成测试php是否开启
    <?php phpinfo()?>   //显示php详细信息
vim /var/log/httpd/error_log    //查看http错误日志发现,无法识别php后缀语言
vim /etc/httpd/conf/httpd.conf    //修改http默认属性
	<IfModule dir_module>
    DirectoryIndex index.html *.php    //*.php 默认没有的  添加上去
	</IfModule>
//访问web网站,发现显示正常
yum -y install mariaDB-server  //安装数据库
systemctl start mariaDB-server    //开启数据库
yum -y install net-tool
netstat -tnlp | grep 3306     //查看数据库端口是否开启
Mysql_secure_installation    //数据库初始化
    //请输入当前root用户的密码,如果没有直接按回车,此root并非linux的root用户是mysql 的
    //是否设置root密码?
    //是否移除匿名用户?选择移除
    //禁止远程root登录?选择否
    //是否移除测试数据库?(建议先不移除)
    //是否重新加载权限表?选择y 因为刚刚更改了密码(当我们更改了mysql用户相关的信息之后建议去重载权限)
mysql -u 用户名 -p 密码     //登陆mysql
yum -y install lrzsz   //安装终端文件传输协议
tar -zxvf phpMyAdmin-5.0.4-all-languages.tar.gz -C /data/share/htdocs/skills/    //解压到web主目录
cd /data/share/htdocs/skills/
mv phpMyAdmin-5.0.4-all-languages   phpmyadmin   //重命名
//直接访问会出现会话问题
chmod -R 777 /var/lib/php/session/    //给php会话权限
//访问的时候输入数据库账号密码就可以登陆

比赛样题

yum -y install php mariadb-server.x86_64 php-mysql php-mbstring.x86_64   //安装环境
yum -y install lrzsz.x86_64      //安装上传程序
//将phpmyadmin安装包上传
mv /etc/phpMyAdmin-4.4.15.10-all-languages.tar.gz /data/share/htdocs/skills/   //移动到站点目录
cd /data/share/htdocs/skills/   //进入站点目录
tar -zxvf phpMyAdmin-4.4.15.10-all-languages.tar.gz    //解压
mv phpMyAdmin-4.4.15.10-all-languages phpmyadmin    //修改目录名称
systemctl restart mariadb.service    //开启数据库
mysql_secure_installation     //数据库初始化
 	//请输入当前root用户的密码,如果没有直接按回车,此root并非linux的root用户是mysql 的
    //是否设置root密码?
    //是否移除匿名用户?选择移除
    //禁止远程root登录?选择否
    //是否移除测试数据库?(建议先不移除)
    //是否重新加载权限表?选择y 因为刚刚更改了密码(当我们更改了mysql用户相关的信息之后建议去重载权限
systemctl restart mariadb.service   //重启数据库
systemctl restart httpd.service     //重启apache服务
//访问 www.sdskills.org/phpadmin/ 警告会话权限不足
vim /var/log/httpd/error_log    //查看http错误日志,没有发现问题
chmod -R 777 /var/lib/php/session/    //给php会话权限
//访问的时候输入数据库账号密码就可以登陆

UOSweb

提供www.skills.org;

skills公司的门户网站;

使用apache服务;

网页文件放在/htdocs/skills;

服务以用户webuser运行;

首页内容为“This is the front page of skills’s website.”;

/htdocs/sdskills/staff.html内容为“Staff Information”;

该页面需要员工的账号认证才能访问;

? 员工账号存储在ldap中,账号为zsuser、lsus

网站使用https协议;

SSL使用RServer颁发的证书, 颁发给:

C = org

ST = China

L = ShangDong

O = skills

OU = Operations Departments

org = *.skills.org

Rserver的CA证书路径:/CA/cacert.pem

签发数字证书,颁发者:

C = org;

O = Inc

OU = www.skills.org

org = skill Global Root CA

客户端访问https时应无浏览器(含终端)安全警告信息;

当用户使用http访问时自动跳转到https安全连接;

当用户使用skills.org或any.skills.org(any代表任意网址前缀)访问时,自动跳转到www.skills.org

apt -y install apache2    //安装apache服务
useradd -r webuser      //-r建立系统账号
vim /etc/apache2/apache2.conf
user webuser
group webuser      //以webuser用户运行

证书

apt -y install openssl
mkdir /CA
cp -rf /etc/ssl/* /CA
mkdir certs
mkdir newcerts
mkdir private
touch index.txt
cd /CA    #进入证书目录
openssl genrsa -out private/apache.key 4096     #生成密钥
openssl req -new -key private/httpd.key -out certs/apache.csr   #生成证书请求文件
openssl ca -keyfile private/cacert.pem -cert cacert.pem -in certs/apache.csr -out apache.crt    #根证书服务器颁发证书(web跟根证书服务器是同一台可以直接颁发)
示例:
Scp root@81.6.63.254:/etc/openvpn/server/ca.crt  /etc/openvpn/
Scp root@81.6.63.254:/etc/openvpn/server/client.crt  /etc/openvpn/
Scp root@81.6.63.254:/etc/openvpn/server/client.key  /etc/openvpn/
(要先配置ssh服务)
    
openssl ca -revoke /csk-rootca/newcerts/01.pem  #吊销证书

修改apache目录及内容

mkdir /htdocs/skills -p
echo "This is the front page of skills's website." >> /htdocs/skills/index.html
echo "Staff Information" >> /htdocs/skills/staff.html

修改配置文件以及重定向应用

vim /etc/apache2/sites-enabled/000-default.conf  
	<virtualhost *:80>
        redirect permanent / https://www.skills.org/
	</virtualhost>
    
    <virtualhost *:443>
        redirect permanent / https://www.skills.org/
		sslengine ON
        sslcertificatefile /CA/apache.crt
        sslcertificatekeyfile /CA/apache.key
    </virtualhost>
            
    <virtualhost *:443>
        servername www.skills.org
        documentroot /htdocs/skills
        sslengine ON
        sslcertificatefile /CA/apache.crt
        sslcertificatekeyfile /CA/apache.key
        	<directory /htdocs/skills>
        		require all granted
        	</directory>
        	<directory /htdocs/skills/staff.html>   //本地认证
        		authtype basic
        		authname "login"
        		authuserfile "/var/passwd"
        		require valid-user
        	</directory>
    </virtualhost>

创建认证用户

htpasswd -c /var/passwd zsuser

重启服务并测试

a2enmod ssl    //启用ssl模块
systemctl restart apache2    //重启apache服务  

将证书拷贝到客户端上

scp /CA/cacert.pem root@10.10.100.2:/root

客户端

客户端需要手工信任证书,才有绿色锁头
客户端命令行测试
export CURL_CA_BUNDLE=/root/cacert.pem    //手工指定CAfile

[root@client home]# curl -I http://www.skills.org
HTTP/1.1 301 Moved Permanently
Date: Wed, 20 Jul 2022 03:18:50 GMT
Server: Apache/2.4.38 (Uos)
Location: https://www.skills.org/
Content-Type: text/html; charset=iso-8859-1

[root@client home]# curl -I https://www.skills.org
HTTP/1.1 200 OK
Date: Wed, 20 Jul 2022 03:18:52 GMT
Server: Apache/2.4.38 (Uos)
Last-Modified: Tue, 19 Jul 2022 08:38:02 GMT
ETag: "2c-5e424670ea44a"
Accept-Ranges: bytes
Content-Length: 44
Content-Type: text/html

[root@client home]# curl -I http://any.skills.org
HTTP/1.1 301 Moved Permanently
Date: Wed, 20 Jul 2022 03:18:54 GMT
Server: Apache/2.4.38 (Uos)
Location: https://www.skills.org/
Content-Type: text/html; charset=iso-8859-1

ldap认证

yum -y install mod_ldap   //安装apache的ldap服务不然无法识别ldap模式,centos
A2enmod ldap authnz_ldap   //启用ldap模块与apache对接,UOS,debina
这个需要先把ldap服务搭建起来
		<directory /htdocs/skills/staff.html>
    		order deny,allow
    		deny from all
    		authname "ldap authentication"
    		authtype basic
    		authbasicprovider ldap
    		authldapurl ldap://192.168.10.4/ou=users,dc=chinaskills,dc=cn?uid
			require ldap-user wuusr lsusr zsuser
            satisfy any
        </directory>
文章来源:https://blog.csdn.net/qq2353177176/article/details/135362420
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。