题目要求
服务器AppSrv上的工作任务
4. APACHE2
安装apache服务;
服务以用户webuser系统用户运行;
全站点启用TLS访问,使用本机上的“CSK Global Root CA”颁发机构颁发,网站证书信息如下:
C = CN
ST = China
L = BeiJing
O = skills
OU = Operations Departments
CN = *.chinaskills.com
客户端访问https时应无浏览器(含终端)安全警告信息;
当用户使用http访问时自动跳转到https安全连接;
搭建www.chinaskills.cn站点;
网页文件放在StorgeSrv服务器上;
在StorageSrv上安装MriaDB,在本机上安装PHP,发布WordPress网站;
MariaDB数据库管理员信息:User: root/ Password: Chinaskill21!。
创建网站download.chinaskills.cn站点;
网页文件存放在StorageSrv服务器上;
在该站点的根目录下创建以下文件“test.mp3, test.mp4, test.pdf”,其中test.mp4文件的大小为100M,页面访问成功后能够列出目录所有文件。
作安全加固,在任何页面不会出现系统和WEB服务器版本信息。
项目实施
安装httpd以及ssl模块:
[root@appsrv ~]# yum install httpd mod_ssl php php-mbstring php-mysql mariadb-server -y
增加用户和修改物理内存大小:
[root@appsrv ~]# useradd -r webuser
[root@appsrv ~]# vim /etc/httpd/conf/httpd.conf
#修改66和67行
User webuser
Group webuser
[root@appsrv ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@appsrv ~]# vim /etc/systemd/system/multi-user.target.wants/httpd.service
第8行添加
memory_limit_in_bytes=500*1024*1024
#然后重启服务
[root@appsrv ~]# systemctl daemon-reload
[root@appsrv ~]# systemctl restart httpd.service
创建证书并申请:(还有一种方法就是还可以将证书给CA根证书机构(Rserver)去签发)
创建跟证书:
[root@appsrv ~]# vim /etc/pki/tls/openssl.cnf #修改 42 dir = /csk-rootca 50 certificate = $dir/csk-ca.pem
[root@appsrv ~]# mkdir /csk-rootca
[root@appsrv ~]# cp -rf /etc/pki/tls/* /csk-rootca/
[root@appsrv ~]# cd /csk-rootca/
[root@appsrv csk-rootca]# touch index.txt
[root@appsrv csk-rootca]# echo 01 >serial
[root@appsrv csk-rootca]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..................................................................+++
e is 65537 (0x10001)
[root@appsrv csk-rootca]#
[root@appsrv csk-rootca]# openssl req -new -x509 -key ./private/cakey.pem -out csk-ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:#CN
State or Province Name (full name) []:#China
Locality Name (eg, city) [Default City]:#BeiJing
Organization Name (eg, company) [Default Company Ltd]:#skills
Organizational Unit Name (eg, section) []:#Operations Departments
Common Name (eg, your name or your server's hostname) []:CSK Global Root CA
Email Address []:
[root@appsrv csk-rootca]#
申请网站证书秘钥和请求证书:
[root@appsrv csk-rootca]# openssl genrsa -out httpd.key 2048
Generating RSA private key, 2048 bit long modulus
.............................................................+++
............+++
e is 65537 (0x10001)
[root@appsrv csk-rootca]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.Country Name (2 letter code) [XX]:#CN
State or Province Name (full name) []:#China
Locality Name (eg, city) [Default City]:#BeiJing
Organization Name (eg, company) [Default Company Ltd]:#skills
Organizational Unit Name (eg, section) []:#Operations Departments
Common Name (eg, your name or your server's hostname) []:*.chinaskills.cn
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@appsrv csk-rootca]#
给证书签名:
[root@appsrv csk-rootca]# openssl x509 -req -in httpd.csr -CA /csk-rootca/csk-ca.pem -CAkey /csk-rootca/private/cakey.pem -CAcreateserial -out httpd.crt
Signature ok
subject=/C=CN/ST=China/L=BeiJing/O=skills/OU=Operations Departments/CN=*.chinaskills.cn
Getting CA Private Key
[root@appsrv csk-rootca]#
挂载apache目录以及上传内容:
[root@appsrv ~]# cd /csk-rootca/
[root@appsrv csk-rootca]# mkdir /webdata/
[root@appsrv csk-rootca]# mount -t nfs 192.168.100.200:/webdata /webdata
#查看挂载
[root@appsrv webdata]# df -h
文件系统 容量 已用 可用 已用% 挂载点
devtmpfs 475M 0 475M 0% /dev
tmpfs 487M 0 487M 0% /dev/shm
tmpfs 487M 7.7M 479M 2% /run
tmpfs 487M 0 487M 0% /sys/fs/cgroup
/dev/mapper/centos-root 37G 1.6G 36G 5% /
/dev/sr0 4.4G 4.4G 0 100% /media/CentOS
/dev/sda1 1014M 138M 877M 14% /boot
tmpfs 98M 0 98M 0% /run/user/0
192.168.100.200:/webdata 37G 1.4G 36G 4% /webdata #得得这就是新挂载
#上传worpress压缩包到/webdata
#上传好之后查看
[root@appsrv webdata]# ls
test.mp3 wordpress-4.6.18.tar.gz
#进行解压
[root@appsrv webdata]# tar -zxf wordpress-4.6.18.tar.gz
#查看
[root@appsrv webdata]# ls
test.mp3 wordpress wordpress-4.6.18.tar.gz
#创建一个pdf文件
[root@appsrv webdata]# touch test.pdf
#执行
[root@appsrv webdata]# dd if=/dev/zero of=test.mp4 bs=100M count=1
记录了1+0 的读入
记录了1+0 的写出
104857600字节(105 MB)已复制,1.5661 秒,67.0 MB/秒
配置数据库连接:
#启动数据库服务
[root@appsrv ~]# systemctl restart mariadb
[root@appsrv ~]# systemctl enable mariadb.service
#登录数据库(初次没有密码)
[root@appsrv webdata]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.68-MariaDB MariaDB ServerCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database wordpress;
Query OK, 1 row affected (0.00 sec)MariaDB [(none)]> GRANT ALL PRIVILEGES ON . TO 'root'@'%' IDENTIFIED BY 'Chinaskill22!' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> exit
Bye
创建虚拟主机文件:
[root@appsrv webdata]# vim /etc/httpd/conf.d/welcome.conf
#添加
<Virtualhost *:80>
redirect permanent / https://www.chinaskills.cn #http的跳转https(永久)
servername www.chinaskills.cn #访问域名
</Virtualhost><Virtualhost *:443>
servername www.chinaskills.cn
documentroot /webdata/wordpress
<directory /webdata/wordpress>
require all granted
</directory>
sslengine on
sslcertificatefile /csk-rootca/httpd.crt
sslcertificatekeyfile /csk-rootca/httpd.key
</Virtualhost><Virtualhost *:80>
redirect permanent / https://download.chinaskills.cn
servername download.chinaskills.cn
</Virtualhost>
<Virtualhost *:443>
servername download.chinaskills.cn
documentroot /webdata/download/
<directory /webdata/download/>
options indexes followsymlinks
require all granted
</directory>
sslengine on
sslcertificatefile /csk-rootca/httpd.crt
sslcertificatekeyfile /csk-rootca/httpd.key
</Virtualhost>
[root@appsrv ~]# htpasswd -c /var/passwd zsuser
New password: #ChinaSkill22!
Re-type new password: #ChinaSkill22!
Adding password for user zsuser
[root@appsrv ~]#
#删除默认主页
[root@appsrv webdata]# rm /etc/httpd/conf.d/welcome.conf
rm:是否删除普通文件 "/etc/httpd/conf.d/welcome.conf"?y
[root@appsrv webdata]# htpasswd -c /var/passwd zsuser
New password:
Re-type new password:
htpasswd: password verification error
[root@appsrv webdata]# htpasswd -c /var/passwd zsuser
New password:
Re-type new password:
Adding password for user zsuser
[root@appsrv webdata]#
重启服务:
[root@appsrv webdata]# systemctl restart httpd
将根证书拷贝到客户端上面:
[root@appsrv webdata]# scp /csk-rootca/csk-ca.pem root@192.168.0.190:/root
The authenticity of host '192.168.0.190 (192.168.0.190)' can't be established.
ECDSA key fingerprint is SHA256:7xsUDRDvnVsiuwjjjsuSbDksox+WpR/BOX8WZRIGOB0.
ECDSA key fingerprint is MD5:37:ed:a8:ff:8f:fd:46:a9:47:8d:20:38:1a:a0:05:11.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.190' (ECDSA) to the list of known hosts.
root@192.168.0.190's password:
csk-ca.pem 100% 1383 915.8KB/s 00:00
客户端IN配置: