Date: 2020-02-21  Source: 系统城  Author: 电脑系统城
This lab runs on Red Hat Enterprise Linux 7.0; all of the exercises are taken from 《Linux就该这么学》.
Apache httpd is one of the most widely deployed web servers. It runs on every major platform, has a well-regarded security record, and offers a fast, reliable and simple API for extensions. The name comes from the Apache people of North America and is meant to evoke superior tactics and inexhaustible patience.
[root@localhost ~]# yum install httpd -y
Locations of the configuration files

Item | Path |
---|---|
Service directory | /etc/httpd |
Main configuration file | /etc/httpd/conf/httpd.conf |
Site data directory | /var/www/html |
Access log | /var/log/httpd/access_log |
Error log | /var/log/httpd/error_log |
The main directives in httpd.conf:

Directive | Meaning |
---|---|
ServerRoot | Service directory |
ServerAdmin | Administrator's e-mail address |
User | User the service runs as |
Group | Group the service runs as |
ServerName | Host name of the web server |
DocumentRoot | Site data directory |
Listen | IP address and port to listen on |
DirectoryIndex | Default index page |
ErrorLog | Error log file |
CustomLog | Access log file |
Timeout | Request timeout in seconds; the book gives 300, which was the Apache 2.2 default, while httpd 2.4 defaults to 60 |
Create a new site directory and a test page:
[root@localhost ~]# mkdir /home/wwwroot
[root@localhost ~]# echo " This is my web" >/home/wwwroot/index.html
Set the SELinux security context
# Look at the context of httpd's default site directory
[root@localhost ~]# ls -ldZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# Give the new site directory the same context. The trailing * on the second
# command is expanded by the shell, so it only covers files that exist now; to
# label files created later as well, register the directory as a regular
# expression instead, for example "/home/wwwroot(/.*)?"
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/*
# Apply the registered contexts to the files on disk
[root@localhost ~]# restorecon -Rv /home/wwwroot/
restorecon reset /home/wwwroot context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
The semanage command manages SELinux policy settings; for file contexts it takes the form "semanage fcontext [options] [file]". Common options:
-l list
-a add
-m modify
-d delete
Edit /etc/httpd/conf/httpd.conf and point DocumentRoot (line 119 in the stock file) and the matching <Directory> block (from line 124) at the new directory. The comment inside the block still mentions /var/www because only the path was changed:
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
DocumentRoot "/home/wwwroot"

#
# Relax access to content within /var/www.
#
<Directory "/home/wwwroot">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
# Set up the firewall
[root@localhost ~]# firewall-cmd --permanent --add-service=http
success
[root@localhost ~]# firewall-cmd --permanent --add-service=https
success
[root@localhost ~]# firewall-cmd --reload
success
Test access from a browser. If the page does not load, check the firewall rules, the SELinux context of the site directory, and that the directory actually contains an index page.
The personal home page feature of httpd lets every user on the system publish a site from their own home directory.
Comment out line 17 (UserDir disabled) to turn user home pages on, and remove the comment from line 24 (UserDir public_html), which names the directory inside each home where the site's data lives:
[root@localhost ~]# vim /etc/httpd/conf.d/userdir.conf
15 # permissions).
16 #
17 #UserDir disabled
18
19 #
20 # To enable requests to /~user/ to serve the user's public_html
21 # directory, remove the "UserDir disabled" line above, and uncomment
22 # the following line instead:
23 #
24 UserDir public_html
25 </IfModule>
26
Create a user and set permissions so that other accounts (the apache user in particular) can read the directory contents:
[root@localhost ~]# useradd developer
[root@localhost ~]# su - developer
[developer@localhost ~]$ mkdir public_html
[developer@localhost ~]$ echo "this is developer's home" >public_html/index.html
[developer@localhost ~]$ chmod -fR 755 /home/developer
A recursive 755 on the whole home directory is broader than needed: it makes files such as .bash_history and anything under ~/.ssh readable by every local user. httpd only has to traverse the home directory and read public_html, so mode 711 on /home/developer plus 755 on public_html and its contents is sufficient.
Because the user's site directory already lives inside the home directory, its SELinux file context does not need to be changed. Use the getsebool command to list the SELinux booleans that govern the httpd domain:
[root@localhost ~]# getsebool -a |grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
# Enable httpd_enable_homedirs (-P makes the change persist across reboots)
[root@localhost ~]# setsebool -P httpd_enable_homedirs=on
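A small audit of the boolean list above, as an added example (my own code, not the page's, the book's or SELinux's): it parses getsebool output, prints the setsebool commands a given set of features needs, and flags booleans that are on but widen httpd's reach, such as httpd_anon_write or httpd_unified. The feature-to-boolean mapping and the risky set are my own choices based on each boolean's documented purpose; the sample input is a trimmed copy of the listing on this page.

```python
"""Plan httpd SELinux boolean changes from `getsebool -a | grep httpd` output (added example)."""

# Feature -> booleans it needs. My own mapping, based on each boolean's documented purpose.
NEEDS = {
    "userdir": {"httpd_enable_homedirs"},            # /~user/public_html under /home
    "reverse_proxy": {"httpd_can_network_connect"},  # outbound TCP to any port
    "db_backend": {"httpd_can_network_connect_db"},  # outbound TCP to database ports only
    "send_mail": {"httpd_can_sendmail"},
}

# Booleans that let httpd write anonymously, execute from tmp or writable memory, read
# arbitrary home content, or reach the network; worth an explanation whenever they are on.
RISKY = {
    "httpd_anon_write", "httpd_sys_script_anon_write", "httpd_can_network_connect",
    "httpd_unified", "httpd_execmem", "httpd_tmp_exec", "httpd_read_user_content",
}


def parse_getsebool(text: str) -> dict:
    """Turn 'name --> on|off' lines into {name: bool}; other lines are ignored."""
    bools = {}
    for line in text.splitlines():
        name, sep, state = line.partition("-->")
        if sep:
            bools[name.strip()] = state.strip() == "on"
    return bools


def plan(text: str, features) -> tuple:
    """Return (setsebool commands the requested features still need, risky booleans already on)."""
    bools = parse_getsebool(text)
    wanted = set().union(*(NEEDS[f] for f in features))
    commands = [f"setsebool -P {b}=on" for b in sorted(wanted) if not bools.get(b, False)]
    risky_on = sorted(b for b in RISKY if bools.get(b, False))
    return commands, risky_on


# Trimmed copy of the getsebool listing on this page (constructed sample input).
SAMPLE = """\
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_read_user_content --> off
httpd_unified --> off
"""

if __name__ == "__main__":
    print(plan(SAMPLE, {"userdir"}))
    print(plan(SAMPLE.replace("httpd_unified --> off", "httpd_unified --> on"), set()))
```

Run it against live output with `getsebool -a | grep httpd > bools.txt` and feed the file to plan(); only switch on what a feature actually needs, and treat anything in the risky list that is already on as a finding to explain.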
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
# Set up the firewall
[root@localhost ~]# firewall-cmd --permanent --add-service=http
success
[root@localhost ~]# firewall-cmd --permanent --add-service=https
success
[root@localhost ~]# firewall-cmd --reload
success
Test access by browsing to the server's /~developer/ path.
Require authentication so that only users who log in can see the site's content.
Use htpasswd to create the password database. The -c option creates the file and is only used the first time; running it again with -c would overwrite the file and discard every existing user. The form is "htpasswd -c <password file> <user name>", and the user does not have to be a local system account. Keep the file outside DocumentRoot (as /etc/httpd/passwd is here) and readable only by root and the apache group.
[root@localhost ~]# htpasswd -c /etc/httpd/passwd user007
New password:
Re-type new password:
Adding password for user user007
Then edit lines 31-37 of /etc/httpd/conf.d/userdir.conf so the <Directory> block for the users' public_html directories requires authentication. Directive names are case-insensitive, so the book's lower-case spelling works; the canonical spelling is used here:
[root@localhost ~]# vim /etc/httpd/conf.d/userdir.conf
31 <Directory "/home/*/public_html">
32     AllowOverride All
33     AuthUserFile "/etc/httpd/passwd"
34     AuthName "please auth"
35     AuthType Basic
36     Require user user007
37 </Directory>
Two things to watch. AllowOverride All lets the owner of a public_html directory drop in a .htaccess that overrides these directives, including the Require, so AllowOverride None is the safer choice when the users are not fully trusted. And Basic authentication only base64-encodes the user name and password in the Authorization header of every request, so it should only be used over HTTPS.
Restart httpd:
[root@localhost ~]# systemctl restart httpd
Test access: the browser prompts for credentials; enter user007 with the password redhat that was set with htpasswd above.
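How the password database is checked, as an added example (my own code, not the page's, the book's or httpd's): by default htpasswd writes entries as user:$apr1$salt$hash, the $apr1$ variant of md5crypt, and on every request mod_auth_basic recomputes that hash from the password in the Authorization header and compares. The block below re-implements the hash in Python, verifies a password against an entry, and decodes a Basic header to show that the credential travels as base64, not ciphertext. The user name user007 and password redhat come from the page; the salt u7f3Kd9q is chosen here only so the output is reproducible.

```python
import base64
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """md5crypt's base-64 variant: least-significant 6 bits first, custom alphabet."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str, magic: str = "$apr1$") -> str:
    """md5crypt as used by htpasswd ($apr1$) and traditional Unix crypt ($1$)."""
    pw, sl, mg = password.encode(), salt[:8].encode(), magic.encode()
    ctx = hashlib.md5(pw + mg + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                     # mix in alt, 16 bytes at a time, len(pw) bytes total
        ctx.update(alt[: min(16, n)])
        n -= 16
    n = len(pw)
    while n:                         # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):            # the 1000-round stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    enc = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    )
    enc += _to64(final[11], 2)
    return f"{magic}{sl.decode()}${enc}"


def make_entry(user: str, password: str, salt: str = "") -> str:
    """Produce one htpasswd line; a random 8-character salt unless one is given."""
    salt = salt or "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{md5crypt(password, salt)}"


def verify_entry(line: str, user: str, password: str) -> bool:
    """What mod_auth_basic does per request: recompute with the stored salt and compare."""
    name, _, stored = line.strip().partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    _, _, salt, _ = stored.split("$", 3)          # "$apr1$<salt>$<hash>"
    return hmac.compare_digest(md5crypt(password, salt), stored)


def decode_basic(header: str):
    """Decode 'Authorization: Basic <blob>'; base64 is all that wraps the credential on the wire."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, pw = base64.b64decode(blob).decode().partition(":")
    return user, pw


# Constructed sample in the page's format (user007 / redhat, salt fixed for reproducibility).
PASSWD_FILE = make_entry("user007", "redhat", salt="u7f3Kd9q") + "\n"

if __name__ == "__main__":
    print(PASSWD_FILE, end="")
    print(decode_basic("Basic dXNlcjAwNzpyZWRoYXQ="))   # header a browser sends for user007:redhat
    print(verify_entry(PASSWD_FILE, "user007", "redhat"), verify_entry(PASSWD_FILE, "user007", "wrong"))
```

The decoded header is the practical argument for HTTPS: anyone on the path sees user007:redhat in clear. On the server side, md5crypt's fixed 1000 rounds are cheap for modern hardware, so where the httpd build supports it, `htpasswd -B` (bcrypt) is the stronger choice for the stored hashes.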
Virtual hosting splits one server into several "virtual servers" so that it can host different sites. httpd can tell the sites apart in three ways: by IP address, by host name, and by port.
IP-based virtual hosts: first assign two IP addresses to the network interface.
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-eno16777736
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
DEVICE=eno16777736
USERCTL=no
IPADDR1=192.168.137.10
PREFIX1=24
IPADDR2=192.168.137.20
PREFIX2=24
GATEWAY=192.168.137.2
DNS1=114.114.114.114
[root@localhost ~]# systemctl restart network
Create two site directories: a request to 192.168.137.10 should show "192.168.137.10" and a request to 192.168.137.20 should show "192.168.137.20".
[root@localhost ~]# mkdir /home/wwwroot/10 -p
[root@localhost ~]# mkdir /home/wwwroot/20 -p
[root@localhost ~]# echo "192.168.137.10" >/home/wwwroot/10/index.html
[root@localhost ~]# echo "192.168.137.20" >/home/wwwroot/20/index.html
Set the SELinux security contexts
# Look at the context of the default site directory
[root@localhost ~]# ls -ldZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# Register the context for the new site directories (the first command reports
# "already defined" if the rule for /home/wwwroot from the earlier section still
# exists; that is harmless)
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/10
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/10/*
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/20
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/20/*
# Apply the contexts
[root@localhost ~]# restorecon -Rv /home/wwwroot/
restorecon reset /home/wwwroot context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_dir_t:s0
restorecon reset /home/wwwroot/10 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/wwwroot/10/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/wwwroot/20 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/wwwroot/20/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
The output recorded here is not what the commands are meant to produce: the files ended up as user_home_t rather than httpd_sys_content_t, which means no matching fcontext rule was in effect when restorecon ran. Check with "semanage fcontext -l | grep wwwroot" and "ls -Z /home/wwwroot", and expect httpd_sys_content_t as in the first section. The pages could most likely still be served in this lab only because httpd_enable_homedirs was switched on in the UserDir section, which lets httpd read user_home_t content; on a server without that boolean the result is a 403.
Append the following to the end of /etc/httpd/conf/httpd.conf (the book puts it on the second-to-last line). Directive names are case-insensitive, so the book's lower-case spelling works; the canonical spelling is used here:
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
<VirtualHost 192.168.137.10>
    DocumentRoot "/home/wwwroot/10"
    ServerName www.a.com
    <Directory "/home/wwwroot/10">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost 192.168.137.20>
    DocumentRoot "/home/wwwroot/20"
    ServerName www.b.com
    <Directory "/home/wwwroot/20">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
# Set up the firewall
[root@localhost ~]# firewall-cmd --permanent --add-service=http
success
[root@localhost ~]# firewall-cmd --permanent --add-service=https
success
[root@localhost ~]# firewall-cmd --reload
success
Test access by browsing to each of the two addresses.
Name-based virtual hosts: define two domain names, www.a.com and www.b.com, that both resolve to the same address, and create a directory for each site:
[root@localhost Desktop]# mkdir -p /home/wwwroot/a
[root@localhost Desktop]# mkdir -p /home/wwwroot/b
[root@localhost Desktop]# echo "a web" >/home/wwwroot/a/index.html
[root@localhost Desktop]# echo "b web" >/home/wwwroot/b/index.html
# Look at the context of the default site directory
[root@localhost Desktop]# ls -ldZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# Register the SELinux context for the new site directories
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/a
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/a/*
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/b
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/b/*
# Apply the contexts
[root@localhost Desktop]# restorecon -Rv /home/wwwroot/
restorecon reset /home/wwwroot context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/a context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/a/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/b context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/b/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
Append the following to the end of the configuration file (the book puts it on the second-to-last line). Both blocks bind to the same address, so only the ServerName distinguishes them:
[root@localhost Desktop]# vim /etc/httpd/conf/httpd.conf
<VirtualHost 192.168.137.10>
    DocumentRoot "/home/wwwroot/a"
    ServerName www.a.com
    <Directory "/home/wwwroot/a">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost 192.168.137.10>
    DocumentRoot "/home/wwwroot/b"
    ServerName www.b.com
    <Directory "/home/wwwroot/b">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
[root@localhost Desktop]# systemctl restart httpd
[root@localhost Desktop]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
# Set up the firewall
[root@localhost Desktop]# firewall-cmd --permanent --add-service=http
success
[root@localhost Desktop]# firewall-cmd --permanent --add-service=https
success
[root@localhost Desktop]# firewall-cmd --reload
success
Name-based selection works on the Host header the client sends, so on the test client map both names to the server address in /etc/hosts:
[root@localhost Desktop]# vim /etc/hosts
192.168.137.10 www.a.com www.b.com
Port-based virtual hosts: use ports 333 and 222, and create a directory for each site:
[root@localhost Desktop]# mkdir -p /home/wwwroot/333
[root@localhost Desktop]# mkdir -p /home/wwwroot/222
[root@localhost Desktop]# echo "333 web" >/home/wwwroot/333/index.html
[root@localhost Desktop]# echo "222 web" >/home/wwwroot/222/index.html
Set the SELinux security context of the site directories
# Look at the context of the default site directory
[root@localhost Desktop]# ls -ldZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# Register the context for the new site directories
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/333
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/333/*
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/222
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/222/*
[root@localhost Desktop]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
# Apply the contexts
[root@localhost Desktop]# restorecon -Rv /home/wwwroot/
restorecon reset /home/wwwroot context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/333 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/333/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/222 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/222/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
Add ports 333 and 222 to the SELinux port policy so that httpd is allowed to bind to them; the default http_port_t set is listed first:
[root@localhost Desktop]# semanage port -l|grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@localhost Desktop]# semanage port -a -t http_port_t -p tcp 222
[root@localhost Desktop]# semanage port -a -t http_port_t -p tcp 333
Edit /etc/httpd/conf/httpd.conf: add Listen directives for the two ports next to the existing Listen 80, and append the two <VirtualHost> blocks. Both blocks carry the same ServerName, which is fine here because the port, not the Host header, selects the site:
[root@localhost wwwroot]# vim /etc/httpd/conf/httpd.conf
Listen 222
Listen 333
<VirtualHost 192.168.137.10:222>
    DocumentRoot "/home/wwwroot/222"
    ServerName www.a.com
    <Directory "/home/wwwroot/222">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost 192.168.137.10:333>
    DocumentRoot "/home/wwwroot/333"
    ServerName www.a.com
    <Directory "/home/wwwroot/333">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
[root@localhost wwwroot]# systemctl restart httpd
[root@localhost wwwroot]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
# Set up the firewall: besides the http and https services, the two custom ports must be opened
[root@localhost wwwroot]# firewall-cmd --permanent --add-service=http
success
[root@localhost wwwroot]# firewall-cmd --permanent --add-service=https
success
[root@localhost wwwroot]# firewall-cmd --permanent --add-port=222/tcp
success
[root@localhost wwwroot]# firewall-cmd --permanent --add-port=333/tcp
success
[root@localhost wwwroot]# firewall-cmd --reload
success
Test access by browsing to http://192.168.137.10:222/ and http://192.168.137.10:333/.
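How httpd decides which of the virtual hosts above answers a request, as an added example (my own code, not from the page, the book or httpd): it parses <VirtualHost> blocks and applies the documented httpd 2.4 order, the most specific address:port match first, then ServerName/ServerAlias against the Host header, and otherwise the first block defined for that address. The configuration string is constructed from the three configurations on this page merged into one server, plus a *:80 catch-all the page does not have; the rule that a <VirtualHost> without a port binds to port 80 is my assumption (it holds for this lab, where the main server listens on 80).

```python
"""Which <VirtualHost> answers a request? Added example; mimics the documented httpd 2.4
order: most specific ip:port match first, then ServerName/ServerAlias against the Host
header, otherwise the first vhost defined for that address."""
from dataclasses import dataclass


@dataclass
class VHost:
    addr: str           # "ip:port" the block is bound to; "*" allowed on either side
    server_name: str    # lower-cased ServerName
    aliases: tuple      # lower-cased ServerAlias entries
    document_root: str


def parse_vhosts(conf: str, default_port: int = 80) -> list:
    """Parse <VirtualHost ...> blocks. Directive names are case-insensitive in httpd,
    so the lower-cased spelling used on the page parses the same way.
    Assumption (mine): a block without a port binds to default_port."""
    vhosts, cur = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith("<virtualhost"):
            target = line[len("<virtualhost"):].strip().rstrip(">").strip()
            if ":" not in target:
                target = f"{target}:{default_port}"
            cur = {"addr": target, "server_name": "", "aliases": (), "document_root": ""}
        elif low.startswith("</virtualhost"):
            vhosts.append(VHost(**cur))
            cur = None
        elif cur is not None:
            parts = line.split(None, 1)
            key = parts[0].lower()
            val = parts[1].strip().strip('"') if len(parts) > 1 else ""
            if key == "servername":
                cur["server_name"] = val.lower()
            elif key == "serveralias":
                cur["aliases"] = tuple(v.lower() for v in val.split())
            elif key == "documentroot":
                cur["document_root"] = val
    return vhosts


def resolve(vhosts: list, ip: str, port: int, host_header: str):
    """Return the VHost httpd would serve, or None if no vhost is bound to ip:port."""
    # Most specific address match wins; wildcard blocks only apply when no exact one exists.
    for tier in (f"{ip}:{port}", f"{ip}:*", f"*:{port}", "*:*"):
        candidates = [v for v in vhosts if v.addr == tier]
        if candidates:
            break
    else:
        return None
    host = host_header.split(":")[0].lower()
    for v in candidates:
        if host and (host == v.server_name or host in v.aliases):
            return v
    # Unknown or missing Host header: httpd falls back to the first vhost for that address,
    # so the first block on each address should be one you are willing to expose.
    return candidates[0]


# Constructed from the three configurations on this page, merged into one server,
# plus a *:80 catch-all that the page does not have. One block keeps the page's
# lower-case spelling to show it parses identically.
CONF = """
<VirtualHost 192.168.137.10>
    DocumentRoot "/home/wwwroot/a"
    ServerName www.a.com
</VirtualHost>
<virtualhost 192.168.137.10>
    documentroot "/home/wwwroot/b"
    servername www.b.com
</virtualhost>
<VirtualHost 192.168.137.20>
    DocumentRoot "/home/wwwroot/20"
    ServerName www.b.com
</VirtualHost>
<VirtualHost 192.168.137.10:222>
    DocumentRoot "/home/wwwroot/222"
    ServerName www.a.com
</VirtualHost>
<VirtualHost 192.168.137.10:333>
    DocumentRoot "/home/wwwroot/333"
    ServerName www.a.com
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName localhost
</VirtualHost>
"""
VHOSTS = parse_vhosts(CONF)


def which_root(ip: str, port: int, host_header: str):
    """DocumentRoot that would serve a request, or None."""
    v = resolve(VHOSTS, ip, port, host_header)
    return v.document_root if v else None


if __name__ == "__main__":
    for req in (("192.168.137.10", 80, "www.b.com"), ("192.168.137.10", 80, "192.168.137.10"),
                ("192.168.137.20", 80, "www.b.com"), ("192.168.137.10", 333, "www.a.com"),
                ("192.168.137.30", 80, "www.a.com"), ("192.168.137.10", 8080, "www.a.com")):
        print(req, "->", which_root(*req))
```

A name-based site can be tested from any client without editing /etc/hosts by setting the header explicitly, for example `curl -H 'Host: www.b.com' http://192.168.137.10/`. A request with an unknown Host, or with a bare IP address, lands on the first block for that address, which is why the first block should be a site you are happy to expose or a deliberate catch-all.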