Linux Cloud Automation Operations, Lesson 15

Time: 2021-08-01 21:52:12

Unit 9: Apache Web Service

 

I. Basic Apache configuration

 

1. Install the Apache packages (httpd-manual is optional: it installs the documentation and serves it at /manual/, useful on a lab box but not on a production server): # yum install -y httpd httpd-manual

2. Start the Apache service and enable it at boot: # systemctl start httpd ; systemctl enable httpd

3. Check the listening port (:::80 is the IPv6 wildcard address; with the default dual-stack socket it accepts IPv4 connections as well):

# ss -antlp |grep httpd

LISTEN 0 128 :::80 :::*

users:(("httpd",4347,4),("httpd",4346,4),("httpd",4345,4),("httpd",4344,4),("httpd",4343,4),("httpd",4342,4))

4. Apache main configuration file: /etc/httpd/conf/httpd.conf

ServerRoot "/etc/httpd"  base directory for Apache's configuration, modules and logs; relative paths elsewhere in the file (such as logs/error_log) are resolved against it

Listen 80  address and port to listen on

User apache  the unprivileged user and group the worker processes run as. The parent process starts as root (it has to bind port 80 and read the TLS private key) and then forks the workers under this account, so a compromised worker only has the apache user's rights; do not give that account write access to the content directories or the configuration

Group apache

ServerAdmin root@localhost  administrator's e-mail address, shown on some server-generated error pages

DocumentRoot "/var/www/html"  directory the web content is served from

<Directory "/var/www/html">  a <Directory> block sets the options and access rules for one directory tree

Require all granted  allow every client

</Directory>

ErrorLog "logs/error_log"  error log location, relative to ServerRoot (on RHEL /etc/httpd/logs is a symlink to /var/log/httpd)

AddDefaultCharset UTF-8  character set declared in the Content-Type header of text/plain and text/html responses (it is not a language setting); declaring it explicitly stops browsers from guessing an encoding for the page

IncludeOptional conf.d/*.conf  load the additional configuration files (virtual hosts, ssl.conf, php.conf and so on) in alphabetical order

DirectoryIndex index.html  file served when a directory is requested

5. Examples

1) Basic httpd configuration (open the firewall for http and https, start and enable the service, publish a test page)

[root@httpdesktop ~]# yum install httpd -y

[root@httpdesktop ~]# firewall-cmd --list-all

public (default, active)

  interfaces: eth0

  sources:

  services: dhcpv6-client ssh

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

 

[root@httpdesktop ~]# firewall-cmd --permanent --add-service=http

success

[root@httpdesktop ~]# firewall-cmd --permanent --add-service=https

success

[root@httpdesktop ~]# firewall-cmd --reload

success

[root@httpdesktop ~]# systemctl start httpd

[root@httpdesktop ~]# systemctl enable httpd

ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'

[root@httpdesktop ~]# vim /var/www/html/index.html

[root@httpdesktop ~]# cat /var/www/html/index.html

hello linux!

[root@httpdesktop ~]#

2) Change the page httpd serves by default from /var/www/html/index.html to /www/html/test.html

[root@httpdesktop ~]# mkdir /www/html -p

[root@httpdesktop ~]# vim /www/html/test.html

[root@httpdesktop ~]# cat /www/html/test.html

hello testsuccess

[root@httpdesktop ~]# vim /etc/httpd/conf/httpd.conf

#120 DocumentRoot "/www/html"

#122 <Directory "/www/html">

#123     Require all granted

#124 </Directory>

#167 <IfModule dir_module>

#168     DirectoryIndex test.html

#169 </IfModule>

[root@httpdesktop ~]# systemctl restart httpd.service

[root@httpdesktop ~]# ls -Zd /www/

drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /www/

[root@httpdesktop ~]# ls -Zd /var/www/

drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/

[root@httpdesktop ~]# semanage fcontext -a -t httpd_sys_content_t '/www(/.*)?'

[root@httpdesktop ~]# ls -Zd /www/

drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /www/

[root@httpdesktop ~]# restorecon -RvvF /www/

restorecon reset /www context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

restorecon reset /www/html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

restorecon reset /www/html/test.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

[root@httpdesktop ~]# ls -Zd /www/

drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /www/

[root@httpdesktop ~]#

# Note: semanage fcontext -a only records the rule in the policy, which is why ls -Zd still showed default_t afterwards; restorecon applies it to the files (-F also resets the user part, unconfined_u -> system_u). Without the relabel httpd, which is confined to httpd_t, cannot read /www/html: the client gets 403 and the denial is recorded in /var/log/audit/audit.log.

# View the httpd logs

[root@httpdesktop ~]# cd /etc/httpd/logs/

[root@httpdesktop logs]# ls

access_log  error_log

[root@httpdesktop logs]# vim error_log

[root@httpdesktop logs]# vim access_log

3) Allow or deny access by client IP address

Both variants below use the Apache 2.2 directives Order / Allow / Deny. httpd 2.4 (RHEL 7) still honours them through mod_access_compat, but they are evaluated in addition to the Require directive, and mixing the two styles is discouraged. The 2.4 form of the first variant ("everyone except 172.25.254.42") is a <RequireAll> block containing Require all granted and Require not ip 172.25.254.42; the 2.4 form of the second ("only 172.25.254.42") is Require ip 172.25.254.42 on its own. A denied client receives 403 and the attempt is recorded in access_log. The check is only as good as the source address: behind a reverse proxy httpd sees the proxy's address rather than the client's, and denying one address does nothing against a client that can use another.

[root@httpdesktop logs]# vim /etc/httpd/conf/httpd.conf

#122 <Directory "/www/html">

#123         Order Allow,Deny

#124         Allow from all

#125         Deny from 172.25.254.42

#126         Require all granted

#127 </Directory>

[root@httpdesktop logs]# systemctl restart httpd.service

[root@httpdesktop logs]# vim /etc/httpd/conf/httpd.conf

#122 <Directory "/www/html">

#123         Order Deny,Allow

#124         Allow from 172.25.254.42

#125         Deny from all

#126         Require all granted

#127 </Directory>

[root@httpdesktop logs]# systemctl restart httpd.service
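The checks a practitioner would run against the directives listed in section I.4 and the Order/Allow/Deny variants above, as a bash script. This is an added example, not part of the course notes: lint_httpd_conf looks for the legacy 2.2 access directives, directory listing, .htaccess overrides and missing ServerTokens/TraceEnable hardening, and acl_block prints the httpd 2.4 equivalent of "allow everyone, deny one address". The two sample configurations are constructed from the <Directory "/www/html"> lines above, and the finding texts are this script's own.

```shell
#!/usr/bin/env bash
# Audit an httpd configuration for the weak settings discussed above and render
# the httpd 2.4 replacement for an Order/Allow/Deny client-IP rule.
# Added example, not from the course notes; it only reads text and prints text.

# lint_httpd_conf [FILE]   (reads stdin when no FILE is given)
#   Prints one finding per line and returns the number of findings (0 = clean).
#   Run it on the concatenation of httpd.conf and conf.d/*.conf, because a
#   directive such as ServerTokens may live in any of them.
lint_httpd_conf() {
    local n=0 conf
    conf=$(sed 's/#.*//' "${1:-/dev/stdin}")        # drop comments so commented-out lines do not count
    has() { printf '%s\n' "$conf" | grep -Eiq "$1"; } # match an uncommented directive line

    if has '^[[:space:]]*(Order|Allow[[:space:]]+from|Deny[[:space:]]+from)([[:space:]]|$)'; then
        echo "legacy Order/Allow/Deny (mod_access_compat): use Require / <RequireAll> on httpd 2.4"
        n=$((n + 1))
    fi
    # "Options Indexes" or "+Indexes" enables directory listing; "-Indexes" does not match
    if has '^[[:space:]]*Options[[:space:]]([^#]*[[:space:]])?[+]?Indexes([[:space:]]|$)'; then
        echo "Options Indexes: directory listing enabled, set Options -Indexes"
        n=$((n + 1))
    fi
    if has '^[[:space:]]*AllowOverride[[:space:]]+All([[:space:]]|$)'; then
        echo "AllowOverride All: .htaccess files can override access rules, prefer AllowOverride None"
        n=$((n + 1))
    fi
    if ! has '^[[:space:]]*ServerTokens[[:space:]]+Prod([[:space:]]|$)'; then
        echo "ServerTokens Prod missing: the Server header reveals httpd version and OS"
        n=$((n + 1))
    fi
    if ! has '^[[:space:]]*TraceEnable[[:space:]]+off([[:space:]]|$)'; then
        echo "TraceEnable off missing: HTTP TRACE is answered (cross-site tracing)"
        n=$((n + 1))
    fi
    return "$n"
}

# acl_block DIR [DENIED_IP_OR_CIDR ...]
#   Emits a <Directory> block that admits everyone except the listed sources,
#   the httpd 2.4 idiom for "Order Allow,Deny / Allow from all / Deny from X".
#   For the opposite rule ("only X") use a single "Require ip X" instead.
acl_block() {
    local dir=$1 src
    shift
    printf '<Directory "%s">\n    <RequireAll>\n        Require all granted\n' "$dir"
    for src in "$@"; do
        printf '        Require not ip %s\n' "$src"
    done
    printf '    </RequireAll>\n</Directory>\n'
}

# Constructed from the <Directory "/www/html"> block above (not a file from the lab)
WEAK_CONF='DocumentRoot "/www/html"
<Directory "/www/html">
    Options Indexes FollowSymLinks
    AllowOverride all
    Order Allow,Deny
    Allow from all
    Deny from 172.25.254.42
    Require all granted
</Directory>'

# The same block after hardening; constructed as well
HARDENED_CONF='ServerTokens Prod
ServerSignature Off
TraceEnable off
DocumentRoot "/www/html"
<Directory "/www/html">
    Options -Indexes -FollowSymLinks
    AllowOverride None
    <RequireAll>
        Require all granted
        Require not ip 172.25.254.42
    </RequireAll>
</Directory>'

# Demo: the weak configuration yields five findings, the hardened one none
printf '%s\n' "$WEAK_CONF" | lint_httpd_conf || echo "$? finding(s)"
printf '%s\n' "$HARDENED_CONF" | lint_httpd_conf && echo "hardened configuration: clean"
acl_block /www/html 172.25.254.42
```

On the server, run it as cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf | lint_httpd_conf, and always follow a configuration change with httpd -t (or apachectl configtest) before restarting, so a typo does not take the service down.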

 

II. Virtual hosts

 

1. Virtual hosts let one httpd server serve several websites at the same time. This section covers name-based virtual hosts, where several host names resolve to the same IP address and the web server serves a different site with different content depending on the host name the client used to reach it (sent in the HTTP Host header).

Example (directive names are case-insensitive, so the lowercase spelling below is valid):

<virtualhost *:80>

servername wwwX.example.com

serveralias wwwX

documentroot /srv/wwwX.example.com/www

customlog "logs/wwwX.example.com.log" combined

</virtualhost>

<directory /srv/wwwX.example.com/www>

require all granted

</directory>

1) <VirtualHost *:80>

  ...

  </VirtualHost>

  The block that defines one virtual host (here for every address, on port 80).

2) ServerName wwwX.example.com  the host's name. With name-based virtual hosting the Host header the client sends must match this name (or one of the aliases) exactly. A request whose Host header matches no virtual host is served by the first virtual host defined for that address and port, and so are requests made directly to the IP address, so that default host should serve only a harmless placeholder (the _default_ host in the demo below).

3) ServerAlias serverX wwwX wwwX.example.com  a space-separated list of additional names, matched in the same way as ServerName

4) DocumentRoot /var/www/html  inside a <VirtualHost> block, the directory that host's content is served from

5) SELinux labels

semanage fcontext -l  list the file-context rules (pipe through grep httpd to see the web-related types)

semanage fcontext -a -t httpd_sys_content_t "/directory(/.*)?"  add a persistent rule for the new content directory

restorecon -vvFR /directory  apply it to the files

2. Demo:

1) Create the content directories and set their SELinux labels (the default policy already maps /srv/*/www to httpd_sys_content_t, so restorecon alone is enough here; for a path such as /www a semanage fcontext rule has to be added first, as in section I):

# mkdir -p /srv/{default,www0.example.com}/www

# echo "coming soon" > /srv/default/www/index.html

# echo "www0" > /srv/www0.example.com/www/index.html

# restorecon -Rv /srv/

2) Create the virtual host configuration files (the 00- and 01- prefixes fix the load order; the first host loaded for an address and port is the one that answers requests matching no ServerName):

# cat /etc/httpd/conf.d/00-default-vhost.conf

<virtualhost _default_:80>

documentroot /srv/default/www

customlog "logs/default-vhost.log" combined

</virtualhost>

<directory /srv/default/www>

require all granted

</directory>

# cat 01-www0.example.com-vhost.conf

<virtualhost *:80>

servername www0.example.com

serveralias www0

documentroot /srv/www0.example.com/www

customlog "logs/www0.example.com.log" combined

</virtualhost>

<directory /srv/www0.example.com/www>

require all granted

</directory>

3) Start the Apache service (or restart it if it is already running, so that the new files in conf.d are read)

# systemctl start httpd ; systemctl enable httpd

3. Example (the desktop is given name resolution for www.westos.com and new.westos.com through /etc/hosts; then a default host and a news host are created on the server)

[root@httpdesktop httpd]# exit

logout

Connection to 172.25.254.142 closed.

[kiosk@foundation42 Desktop]$ su -

Password:

Last login: Mon Apr 17 08:49:33 CST 2017 on pts/0

[root@foundation42 ~]# vim /etc/hosts

[root@foundation42 ~]# cat /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4

::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

172.25.254.250 content.example.com

172.25.254.142 www.westos.com new.westos.com

[root@foundation42 ~]# exit

logout

[kiosk@foundation42 Desktop]$ ssh root@172.25.254.142 -X

root@172.25.254.142's password:

Last login: Sun Apr 16 21:35:29 2017 from 172.25.254.42

[root@httpdesktop ~]# cd /etc/httpd/conf.d/

[root@httpdesktop conf.d]# ls

autoindex.conf  README  userdir.conf  welcome.conf

[root@httpdesktop conf.d]# vim default.conf

[root@httpdesktop conf.d]# cat default.conf

<virtualhost _default_:80>

documentroot "/www/html"

customlog "logs/default.log" combined

</virtualhost>

<directory "/www/html">

require all granted

</directory>

[root@httpdesktop conf.d]# cp default.conf news.conf -p

[root@httpdesktop conf.d]# ls

autoindex.conf  default.conf  news.conf  README  userdir.conf  welcome.conf

[root@httpdesktop conf.d]# vim news.conf

[root@httpdesktop conf.d]# cat news.conf

<virtualhost *:80>

servername new.westos.com

documentroot "/www/virtual/news/html"

customlog "logs/news.log" combined

</virtualhost>

<directory "/www/virtual/news/html">

require all granted

</directory>

[root@httpdesktop httpd]# mkdir -p /www/virtual/news/html

[root@httpdesktop httpd]# vim /www/virtual/news/html/test.html

[root@httpdesktop httpd]# cat /www/virtual/news/html/test.html

news' page

[root@httpdesktop httpd]# systemctl restart httpd.service

[root@httpdesktop httpd]# vim /etc/httpd/conf/httpd.conf

#121 <Directory "/www/html">

#122     Require all granted

#123 </Directory>

[root@httpdesktop httpd]# systemctl restart httpd.service

[root@httpdesktop httpd]#

 

III. Configuring user-based authentication

 

1. Apache flat-file user authentication. In this configuration the user accounts and passwords are stored in a local .htpasswd file. For security that file must not be kept under the site's DocumentRoot; put it in a directory the web server does not serve (such as /etc/httpd), otherwise it can be downloaded and cracked offline. The htpasswd command manages the users in the file. Note that AuthType basic sends the user name and password base64-encoded, not encrypted, with every request, so it should only be used on a site served over HTTPS (section IV).

2. Configuration example:

1) Create the Apache password file with two accounts (-c creates the file and truncates it if it already exists, so use it only for the first user; -m stores the password as an apr1 MD5 hash, and on httpd 2.4 -B selects the stronger bcrypt hash):

[root@serverX ~]# htpasswd -cm /etc/httpd/.htpasswd bob

[root@serverX ~]# htpasswd -m /etc/httpd/.htpasswd alice

2) Assuming a VirtualHost block was defined earlier, add something like the following inside it:

<Directory /var/www/html>

AuthName "Secret Stuff"

AuthType basic

AuthUserFile /etc/httpd/.htpasswd

Require valid-user

</Directory>

3. Restart Apache and test with a web browser; enter one of the user names and passwords above in the dialog that appears.

4. Example (two points about the configuration below: the AllowOverride all line is not needed, since the Auth* directives sit in the main configuration; it only enables .htaccess files under /www/html, which lets anyone who can write there change the access rules, so leave it at None. And the password file is read by the worker processes, so give it to root:apache with mode 640 rather than leaving it world-readable):

[root@httpdesktop logs]# cd /www/html/

[root@httpdesktop html]# ls

test.html

[root@httpdesktop html]# mkdir admin

[root@httpdesktop html]# ls

admin  test.html

[root@httpdesktop html]# cd admin/

[root@httpdesktop admin]# vim test.html

[root@httpdesktop admin]# cat test.html

hello myworld

[root@httpdesktop admin]# cd /etc/httpd/

[root@httpdesktop httpd]# ls

conf  conf.d  conf.modules.d  logs  modules  run

[root@httpdesktop httpd]# htpasswd -cm passfile admin

New password:

Re-type new password:

Adding password for user admin

[root@httpdesktop httpd]# htpasswd -m passfile linux

New password:

Re-type new password:

Adding password for user linux

[root@httpdesktop httpd]# cat passfile

admin:$apr1$eY5WS3UC$8MQHgoiKmNBlwPZpmI3DL/

linux:$apr1$cDZbrIlY$Y5R.X6SeTWcvJDhr.ac.k.

[root@httpdesktop httpd]# vim /etc/httpd/conf/httpd.conf

#122 <Directory "/www/html">

#123         #Order Deny,Allow

#124         #Allow from 172.25.254.42

#125         #Deny from all

#126         #Require all granted

#127         AllowOverride all

#128         Authuserfile /etc/httpd/passfile

#129         Authname "Please input name and passwd"

#130         Authtype basic

#131         require valid-user

#132 </Directory>

[root@httpdesktop httpd]# systemctl restart httpd.service

[root@httpdesktop httpd]# vim /etc/httpd/conf/httpd.conf

#122 <Directory "/www/html">

#123         #Order Deny,Allow

#124         #Allow from 172.25.254.42

#125         #Deny from all

#126         #Require all granted

#127         AllowOverride all

#128         Authuserfile /etc/httpd/passfile

#129         Authname "Please input name and passwd"

#130         Authtype basic

#131         require user admin

#132 </Directory>

[root@httpdesktop httpd]# systemctl restart httpd.service
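Checking the logs for the two access-control outcomes configured above, the 403 a client receives from the Deny from rule in section I.5.3 and the 401 from the Basic-auth protected /admin directory, as a bash/awk script. This is an added example, not from the course notes; the log lines are constructed in the combined format that the CustomLog directives above write (the hosts match the lab, the requests are made up).

```shell
#!/usr/bin/env bash
# Summarise denied (403) and authentication-failed (401) requests per client
# from an httpd access log in the "combined" format. Added example, not from
# the course notes. Field positions in that format:
#   $1 client address   $3 user name ("-" when none; on a 401 it holds the
#   name the client tried)   $9 response status

# status_by_ip STATUS [THRESHOLD]    (log lines on stdin)
#   Prints "ip count users" for each client with at least THRESHOLD (default 1)
#   responses of STATUS, busiest first. "users" lists the distinct user names
#   seen from that client, or "-" if none; several names from one address in a
#   short time is the signature of a password-guessing run against AuthType basic.
status_by_ip() {
    awk -v st="$1" -v th="${2:-1}" '
        $9 == st {
            n[$1]++
            if ($3 != "-" && !(($1, $3) in seen)) {
                seen[$1, $3] = 1
                users[$1] = (users[$1] == "") ? $3 : users[$1] "," $3
            }
        }
        END {
            for (ip in n)
                if (n[ip] >= th)
                    printf "%s %d %s\n", ip, n[ip], ((users[ip] == "") ? "-" : users[ip])
        }' | sort -k2,2nr
}

# Constructed sample (hosts and paths as in the lab above; the requests are made
# up): a guessing run against /admin from .42 that finally succeeds, and two
# requests from .250 rejected by a "Deny from" rule.
SAMPLE_LOG='172.25.254.42 - - [17/Apr/2017:02:01:11 -0400] "GET /admin/test.html HTTP/1.1" 401 381 "-" "curl/7.29.0"
172.25.254.42 - admin [17/Apr/2017:02:01:12 -0400] "GET /admin/test.html HTTP/1.1" 401 381 "-" "curl/7.29.0"
172.25.254.42 - root [17/Apr/2017:02:01:13 -0400] "GET /admin/test.html HTTP/1.1" 401 381 "-" "curl/7.29.0"
172.25.254.42 - admin [17/Apr/2017:02:01:14 -0400] "GET /admin/test.html HTTP/1.1" 401 381 "-" "curl/7.29.0"
172.25.254.42 - linux [17/Apr/2017:02:01:15 -0400] "GET /admin/test.html HTTP/1.1" 401 381 "-" "curl/7.29.0"
172.25.254.42 - admin [17/Apr/2017:02:01:20 -0400] "GET /admin/test.html HTTP/1.1" 200 14 "-" "curl/7.29.0"
172.25.254.250 - - [17/Apr/2017:02:02:01 -0400] "GET /test.html HTTP/1.1" 200 18 "-" "Mozilla/5.0"
172.25.254.250 - - [17/Apr/2017:02:02:05 -0400] "GET /test.html HTTP/1.1" 403 209 "-" "Mozilla/5.0"
172.25.254.250 - - [17/Apr/2017:02:02:06 -0400] "GET /test.html HTTP/1.1" 403 209 "-" "Mozilla/5.0"'

# Demo: clients with three or more 401s, then every client that was denied (403)
printf '%s\n' "$SAMPLE_LOG" | status_by_ip 401 3
printf '%s\n' "$SAMPLE_LOG" | status_by_ip 403
```

On the server, run it on /var/log/httpd/access_log and on each per-host CustomLog (default.log, news.log and login.log above), since every virtual host writes its own file; a 401 burst with several user names from one address is the cue to block that address and to check whether the successful login that follows it was legitimate.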

 

IV. Custom self-signed certificates

 

1. When encrypting the connection matters but a verified identity does not, an administrator can avoid the complexity of dealing with a certificate authority by generating a self-signed certificate. The genkey utility (shipped in the crypto-utils package) generates a self-signed certificate together with its private key. For convenience genkey writes both to the "correct" locations under /etc/pki/tls (certs/ for the certificate, private/ for the key), which is why it has to be run as a privileged user (root). Keep in mind what a self-signed certificate does not give you: a client has no way to tell it from a certificate an attacker generated with the same name, so it protects only against passive eavesdropping unless the client is told to trust that specific certificate (imported, or its fingerprint checked by hand). Newer RHEL releases no longer ship crypto-utils; openssl req -x509 produces the same pair of files.

2. Generating a self-signed certificate

1) Make sure the crypto-utils package is installed (mod_ssl is installed at the same time here).

[root@server0 ~]# yum install crypto-utils mod_ssl

2) Run genkey, giving the generated files a unique name (for example the server's fully qualified host name). --days sets the validity period. genkey asks interactively for the key size: choose at least 2048 bits. The transcript in the example below accepted 1024 bits and a one-month validity, which is fine for a lab but far too weak for a real service.

[root@server0 ~]# genkey server0.example.com

3. Installing the certificate and its private key

1) Make sure the mod_ssl package is installed.

[root@server0 ~]# yum install mod_ssl

2) The private key is sensitive; make sure only root can read it (httpd reads it as root at startup, before the workers drop privileges, so the apache user needs no access to it):

[root@server0 ~]# ls -l /etc/pki/tls/private/server0.example.com.key

-r--------. 1 root root 1737 Dec 22 15:06 /etc/pki/tls/private/server0.example.com.key

3) Edit /etc/httpd/conf.d/ssl.conf and point SSLCertificateFile and SSLCertificateKeyFile at the X.509 certificate and the key file respectively:

SSLCertificateFile /etc/pki/tls/certs/server0.example.com.crt

SSLCertificateKeyFile /etc/pki/tls/private/server0.example.com.key

4) Restart the web server.

[root@server0 ~]# systemctl restart httpd

5) To verify, connect to the server over https (https://serverX.example.com) with a web client such as Firefox. The client will most likely warn that it does not recognise the certificate issuer; that is expected for a self-signed certificate, and you have to tell the client to bypass the check (in Firefox: "I Understand the Risks", "Add Exception", "Confirm Security Exception"). Before confirming, compare the fingerprint the dialog shows with the one on the server (openssl x509 -noout -fingerprint -sha256 -in /etc/pki/tls/certs/serverX.example.com.crt); an exception accepted without looking would just as readily accept an attacker's certificate.

6) Example:

[root@httpdesktop html]# yum install crypto-utils -y

[root@httpdesktop html]# yum install mod_ssl -y

[root@httpdesktop html]# cd /etc/httpd/conf.d/

[root@httpdesktop conf.d]# ls

autoindex.conf  manual.conf  php.conf  ssl.conf      welcome.conf

default.conf    news.conf    README    userdir.conf

[root@httpdesktop conf.d]# netstat -antlpe | grep httpd

tcp6       0      0 :::80                   :::*                    LISTEN      0          114842     1142/httpd          

[root@httpdesktop conf.d]# systemctl restart httpd.service

[root@httpdesktop conf.d]# netstat -antlpe | grep httpd

tcp6       0      0 :::443                  :::*                    LISTEN      0          132080     2160/httpd          

tcp6       0      0 :::80                   :::*                    LISTEN      0          132068     2160/httpd          

[root@httpdesktop conf.d]# genkey www.westos.com

/usr/bin/keyutil -c makecert -g 1024 -s "CN=www.westos.com, OU=linux, O=westos, L=xi'an, ST=shannxi, C=CN" -v 1 -a -z /etc/pki/tls/.rand.2176 -o /etc/pki/tls/certs/www.westos.com.crt -k /etc/pki/tls/private/www.westos.com.key

cmdstr: makecert

 

cmd_CreateNewCert

command:  makecert

keysize = 1024 bits

subject = CN=www.westos.com, OU=linux, O=westos, L=xi'an, ST=shannxi, C=CN

valid for 1 months

random seed from /etc/pki/tls/.rand.2176

output will be written to /etc/pki/tls/certs/www.westos.com.crt

output key written to /etc/pki/tls/private/www.westos.com.key

 

 

Generating key. This may take a few moments...

 

Made a key

Opened tmprequest for writing

/usr/bin/keyutil Copying the cert pointer

Created a certificate

Wrote 882 bytes of encoded data to /etc/pki/tls/private/www.westos.com.key

Wrote the key to:

/etc/pki/tls/private/www.westos.com.key

[root@httpdesktop conf.d]# vim /etc/httpd/conf.d/ssl.conf

#101 SSLCertificateFile /etc/pki/tls/certs/www.westos.com.crt

#109 SSLCertificateKeyFile /etc/pki/tls/private/www.westos.com.key

[root@httpdesktop conf.d]# systemctl restart httpd.service

[root@httpdesktop conf.d]#
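The genkey step from sections IV.2 and IV.3 done with openssl, together with the checks worth running before pointing ssl.conf at the files: key permissions, key/certificate match, key size, remaining validity, and the SHA-256 fingerprint to compare in the browser's exception dialog. This is an added example, not from the course notes; it assumes OpenSSL 1.1.1 or newer (for -addext) and GNU stat, and the host name, subject fields and output directory are placeholders.

```shell
#!/usr/bin/env bash
# Self-signed certificate with openssl (a replacement for genkey) plus the
# checks to run before installing it. Added example, not from the course notes.
# Assumes OpenSSL >= 1.1.1 (-addext) and GNU coreutils stat.

# make_selfsigned CN DIR [DAYS]
#   Writes DIR/CN.key (RSA 2048, mode 0600) and DIR/CN.crt (SHA-256 signature,
#   subjectAltName set, which browsers require). The lab's genkey run produced a
#   1024-bit key valid for one month; 2048 bits is the minimum worth deploying.
make_selfsigned() {
    local cn=$1 dir=$2 days=${3:-365}
    (   # subshell so the umask change does not leak into the caller
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
            -subj "/C=CN/ST=shaanxi/L=xian/O=westos/CN=$cn" \
            -addext "subjectAltName=DNS:$cn" \
            -keyout "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null
    )
}

# key_mode_ok FILE -> true if only the owner can read the private key (0600 or 0400)
key_mode_ok() {
    case $(stat -c %a "$1") in 600|400) return 0 ;; esac
    return 1
}

# cert_matches_key CRT KEY -> true if the certificate carries this key's public half
# (a mismatched pair is the usual cause of "SSLCertificateKeyFile does not match")
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# cert_key_bits CRT -> RSA key size in bits
cert_key_bits() {
    openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_valid_for_days CRT DAYS -> true if the certificate is still valid DAYS days from now
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# cert_fingerprint CRT -> the SHA-256 fingerprint to compare in the browser dialog
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# Demo: generate into a temporary directory and run every check
demo_selfsigned() {
    local cn=www.westos.com d
    d=$(mktemp -d)
    make_selfsigned "$cn" "$d" 365
    key_mode_ok "$d/$cn.key" && echo "key mode: ok"
    cert_matches_key "$d/$cn.crt" "$d/$cn.key" && echo "certificate matches key"
    echo "key size: $(cert_key_bits "$d/$cn.crt") bits"
    cert_valid_for_days "$d/$cn.crt" 30 && echo "valid for more than 30 days"
    cert_fingerprint "$d/$cn.crt"
    rm -rf "$d"
}
demo_selfsigned
```

On the server, call make_selfsigned www.westos.com /etc/pki/tls as root; the key lands in /etc/pki/tls/private and the certificate in /etc/pki/tls/certs, which is where ssl.conf above points (adjust the paths if you keep them elsewhere, since the function writes both files into the one directory given).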

4. Redirecting HTTP to HTTPS

1) Send every request that arrives on port 80 to the https site. The rule below reuses the client's Host header (%{HTTP_HOST}) as the redirect target. That is fine as long as the virtual host answers only for its own ServerName; if it is the first (default) host on *:80, requests with any Host value land in it and are redirected to whatever host the client named. Redirecting to a fixed name, Redirect permanent / https://www0.example.com/ (mod_alias, no rewrite engine needed), avoids that, and adding Header always set Strict-Transport-Security "max-age=31536000" in the *:443 host keeps returning browsers from ever making the plaintext request.

<Virtualhost *:80>

ServerName www0.example.com

RewriteEngine on

RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]

</Virtualhost>

2) Example: /etc/httpd/conf.d/www0.conf (the *:443 host carries the certificate, its chain and the key; the *:80 host only redirects)

<VirtualHost *:443>

servername www0.example.com

documentroot /srv/www0/www

SSLEngine on

SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt

SSLCertificateFile /etc/pki/tls/certs/www0.crt

SSLCertificateKeyFile /etc/pki/tls/private/www0.key

<Directory "/srv/www0/www">

require all granted

</Directory>

</VirtualHost>

<VirtualHost *:80>

servername www0.example.com

rewriteengine on

rewriterule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]

</VirtualHost>

3) Example (the tmprequest file in the listing is a scratch file keyutil left in the current directory during the genkey run above; it is not a .conf file, so httpd ignores it, and it can be deleted):

[root@httpdesktop ~]# ls

anaconda-ks.cfg  Documents  Music     Public     Videos

Desktop          Downloads  Pictures  Templates

[root@httpdesktop ~]# cd /etc/httpd/conf.d/

[root@httpdesktop conf.d]# ls

autoindex.conf  manual.conf  php.conf  ssl.conf    userdir.conf

default.conf    news.conf    README    tmprequest  welcome.conf

[root@httpdesktop conf.d]# cp -p news.conf login.conf

[root@httpdesktop conf.d]# vim login.conf

[root@httpdesktop conf.d]# cat login.conf

<virtualhost *:443>

servername login.westos.com

documentroot "/www/virtual/login/html"

customlog "logs/login.log" combined

SSLCertificateKeyFile /etc/pki/tls/private/www.westos.com.key

SSLCertificateFile /etc/pki/tls/certs/www.westos.com.crt

SSLEngine on

</virtualhost>

<directory "/www/virtual/login/html">

require all granted

</directory>

<Virtualhost *:80>

ServerName login.westos.com

RewriteEngine on

RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]

</Virtualhost>

[root@httpdesktop conf.d]# systemctl restart httpd.service

[root@httpdesktop conf.d]# mkdir -p /www/virtual/login/html

[root@httpdesktop conf.d]# vim /www/virtual/login/html/test.html

[root@httpdesktop conf.d]# cat /www/virtual/login/html/test.html

login.com

[root@httpdesktop conf.d]# systemctl restart httpd.service

 

 

V. CGI

 

1. The Common Gateway Interface (CGI) is the simplest way to put dynamic content on a website. CGI scripts can be used for many purposes, but it is important to control carefully which CGI scripts are used and who may add and run them: every script runs as the apache user with whatever input the client chooses to send, so a badly written CGI script can give an external attacker a way to compromise the site and its content. For that reason there are settings that restrict CGI at the web-server level (a directory has to be mapped with ScriptAlias or have Options ExecCGI before anything in it is executed) and at the SELinux policy level (only files labelled httpd_sys_script_exec_t may be executed by httpd).

1) Example (ScriptAlias maps the URL path /cgi-bin/ to a directory outside the DocumentRoot, and the directory carries the httpd_sys_script_exec_t label that lets httpd execute the files in it):

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory "/var/www/cgi-bin">

AllowOverride None

Options None

Require all granted

</Directory>

# ll -dZ /var/www/cgi-bin/

drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/

2) Example. Note the layout difference from the ScriptAlias configuration above: here Options +ExecCGI is switched on for a directory inside the DocumentRoot, so every .cgi file that ends up under /www/html/cgi (an upload, an editor's backup copy) is executed; a ScriptAlias directory outside the DocumentRoot, with Options None, is the safer arrangement.

[root@httpdesktop html]# ls

admin  index.php  test.html

[root@httpdesktop html]# mkdir cgi

[root@httpdesktop html]# ls

admin  cgi  index.php  test.html

[root@httpdesktop html]# yum install httpd-manual -y

[root@httpdesktop html]# ls

admin  cgi  index.php  test.html

[root@httpdesktop html]# systemctl restart httpd.service

[root@httpdesktop html]# vim /etc/httpd/conf/httpd.conf

#178 <IfModule dir_module>

#179     DirectoryIndex test.html index.html

#180 </IfModule>

[root@httpdesktop html]# systemctl restart httpd.service

[root@httpdesktop html]# cd cgi/

[root@httpdesktop cgi]# ls

[root@httpdesktop cgi]# vim index.cgi

[root@httpdesktop cgi]# cat index.cgi

#!/usr/bin/perl

print "Content-type: text/html\n\n";

print `date`;

[root@httpdesktop cgi]# chmod +x index.cgi

[root@httpdesktop cgi]# ./index.cgi

Content-type: text/html

 

Mon Apr 17 01:56:55 EDT 2017

[root@httpdesktop cgi]# vim /etc/httpd/conf.d/default.conf

[root@httpdesktop cgi]# cat /etc/httpd/conf.d/default.conf

<virtualhost _default_:80>

documentroot "/www/html"

customlog "logs/default.log" combined

</virtualhost>

<directory "/www/html">

require all granted

</directory>

<Directory "/www/html/cgi">

    Options +ExecCGI

    AddHandler cgi-script .cgi

</Directory>

[root@httpdesktop cgi]# systemctl restart httpd.service

[root@httpdesktop cgi]# semanage fcontext -l | grep http

[root@httpdesktop cgi]# ls -Zd /www/html/cgi/

drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /www/html/cgi/

[root@httpdesktop cgi]# semanage fcontext -a -t "httpd_sys_script_exec_t" '/www/html/cgi(/.*)?'

[root@httpdesktop cgi]# restorecon -FvvR /www/html/cgi

restorecon reset /www/html/cgi context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0

restorecon reset /www/html/cgi/index.cgi context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0

[root@httpdesktop cgi]# cd /www/html/

[root@httpdesktop html]# vim /etc/httpd/conf/httpd.conf

#178 <IfModule dir_module>

#179     DirectoryIndex test.html index.html index.cgi

#180 </IfModule>

[root@httpdesktop html]# systemctl restart httpd.service

2. PHP support:

1) Install the php package, which contains the mod_php module:

# yum install -y php

2) Module configuration file: /etc/httpd/conf.d/php.conf (every file whose name ends in .php is handed to mod_php, and index.php is added to the index list)

<FilesMatch \.php$>

SetHandler application/x-httpd-php

</FilesMatch>

DirectoryIndex index.php

3) On server0, set up the PHP exercise environment; this classroom script configures mariadb automatically and generates the dynamic page /var/www/html/index.php:

# lab phpdb setup

4) Install the PHP database bindings:

# yum install -y php-mysql

5) Restart httpd and test that the page loads.

PS: when the database the web server connects to is on a remote host, SELinux blocks the outbound connection from httpd_t by default and a boolean has to be enabled:

# setsebool -P httpd_can_network_connect_db=1

# setsebool -P httpd_can_network_connect=1

The first allows httpd to connect only to ports labelled as database ports (3306 is mysqld_port_t); the second allows httpd to open connections to any port on any host, which is far broader than needed. If the database listens on a non-standard port, label that port (semanage port -a -t mysqld_port_t -p tcp PORT) and keep the narrower boolean rather than enabling the second one.

6) Example:

[root@httpdesktop ~]# cd /www/html/

[root@httpdesktop html]# ls

admin  test.html

[root@httpdesktop html]# vim index.php

[root@httpdesktop html]# vim /etc/hosts

[root@httpdesktop html]# yum install php -y

[root@httpdesktop html]# systemctl restart httpd.service

3. WSGI for Python support:

1) Install the mod_wsgi package:

# yum install -y mod_wsgi

2) Run the classroom script, which generates the Python test file /home/student/webapp.wsgi:

# lab webapp setup

3) Add the following to the virtual host:

<VirtualHost *:443>

servername webapp0.example.com

...

WSGIScriptAlias / /srv/webapp0/www/webapp.wsgi

...

</VirtualHost>

4) Restart httpd and test from desktop0 (-k makes curl skip certificate verification; acceptable only for the self-signed lab certificate):

# curl -k https://webapp0.example.com