- web服务
- 安装web服务;
- 服务以用户webuser系统用户运行;
- 限制web服务只能使用系统500M物理内存;
- 全站点启用TLS访问,使用本机上的“CSK Global Root CA”颁发机构颁发,网站证书信息如下:
- C = CN
- ST = China
- L = BeiJing
- O = skills
- OU = Operations Departments
- CN = *.chinaskills.com
- 客户端访问https时应无浏览器(含终端)安全警告信息;
- 当用户使用http访问时自动跳转到https安全连接;
- 搭建www.chinaskills.cn站点;
- 网页文件放在StorgeSrv服务器上;
- 在StorageSrv上安装MriaDB,在本机上安装PHP,发布WordPress网站;
- MariaDB数据库管理员信息:User: root/ Password: Chinaskill21!。
- 创建网站download.chinaskills.cn站点;
- 仅允许ldsgp用户组访问;
- 网页文件存放在StorageSrv服务器上;
- 在该站点的根目录下创建以下文件“test.mp3, test.mp4, test.pdf”,其中test.mp4文件的大小为100M,页面访问成功后能够列出目录所有文件。
- 作安全加固,在任何页面不会出现系统和WEB服务器版本信息。
一、首先关闭selinux和防火墙
[root@appsrv /]# setenforce 0
setenforce: SELinux is disabled
[root@appsrv /]# nano /etc/selinux/config
SELinux = DISABLED
[root@appsrv /]# systemctl stop firewalld
二、安装apache服务和证书ssl模块
[root@appsrv /]# yum install httpd mod_ssl php php-mbstring php-mysql mariadb-server -y
三、添加用户
[root@appsrv /]# useradd -r webuser
[root@appsrv /]# nano /etc/httpd/conf/httpd.conf
User webuser
Group webuser
四、修改物理内存
[root@appsrv /]# nano /etc/systemd/system/multi-user.target.wants/httpd.service
#添加如下
memory_limit_in_bytes=500*1024*1024
[root@appsrv /]# systemctl daemon-reload
[root@appsrv /]# systemctl restart httpd
五、创建证书
[root@appsrv /]# nano /etc/pki/tls/openssl.cnf
dir = /csk-rootca
certificate = $dir/csk-ca.pem
[root@appsrv /]# mkdir /csk-rootca
[root@appsrv /]# cp -rf /etc/pki/tls/* /csk-rootca
[root@appsrv /]# cd /csk-rootca/
[root@appsrv csk-rootca]# touch index.txt
[root@appsrv csk-rootca]# echo 01 >serial
[root@appsrv csk-rootca]# openssl genrsa -out private/cakey.pem 2048
CN
China
BeiJing
skills
Operations Departments
CSK Global Root CA
[root@appsrv csk-rootca]# openssl genrsa -out httpd.key 2048
[root@appsrv csk-rootca]# openssl req -new -key httpd.key -out httpd.csr
CN
China
BeiJing
skills
Operations Departments
*.chinaskills.cn
[root@appsrv csk-rootca]# openssl x509 -req -in httpd.csr -CA /csk-rootca/csk-ca.pem -CAkey /csk-rootca/private/cakey.pem -CAcreateserial -out httpd.crt
Signature ok
subject=/C=CN/ST=China/L=BeiJing/O=skills/OU=Operations Departments/CN=*.chinaskills.cn
Getting CA Private Key
六、挂载网页目录和上传文件
[root@appsrv csk-rootca]# mkdir /webdata
[root@appsrv csk-rootca]# mount -t nfs 192.168.100.200:/webdata /webdata
[root@appsrv /]# cd /webdata/
[root@appsrv webdata]# ls
wordpress-4.9.4-zh_CN.tar.gz
[root@appsrv webdata]# tar -zxf wordpress-4.9.4-zh_CN.tar.gz
[root@appsrv webdata]# touch test.mp3
[root@appsrv webdata]# touch test.pdf
[root@appsrv webdata]# dd if=/dev/zero of=test.mp4 bs=100MB count=1
1+0 records in
1+0 records out
104857600 bytes (105 MB) copied, 0.784643 s, 134 MB/s
[root@appsrv webdata]# chmod 777 wordpress
七、配置数据库
[root@appsrv /]# systemctl restart mariadb
[root@appsrv /]# mysql_secure_installation
#初始化root密码
[root@appsrv /]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 5.5.68-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database wordpress;
Query OK, 1 row affected (0.00 sec)
#可参考/usr/share/mysql/fill_help_tables.sql 文件
MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'Chinaskill23!' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]>
八、添加重定向配置和站点配置
1、添加站点配置
[root@appsrv webdata]# nano /etc/httpd/conf/httpd.conf
ServerSignature Off //不显示系统和WEB服务器版本信息
ServerTokens Prod //不显示系统和WEB服务器版本信息
#具体参考这个文件/usr/share/doc/httpd-2.4.6/httpd-default.conf
<VirtualHost *:80>
Redirect permanent / https://www.chinaskills.cn/
</VirtualHost>
<VirtualHost www.chinaskills.cn:443>
DocumentRoot "/webdata/wordpress"
ServerName www.chinaskills.cn
SSLEngine on
SSLCertificateFile /csk-rootca/httpd.crt
SSLCertificateKeyFile /csk-rootca/httpd.key
<Directory /webdata >
Require all granted
</Directory>
</VirtualHost>
<VirtualHost download.chinaskills.cn:443>
DocumentRoot "/webdata"
ServerName download.chinaskills.cn
SSLEngine on
SSLCertificateFile /csk-rootca/httpd.crt
SSLCertificateKeyFile /csk-rootca/httpd.key
<directory /webdata >
Options Indexes
authname "download"
authtype basic
authuserfile "/var/passwd"
require valid-user
</directory>
</VirtualHost>
2、删除welcome页面并创建认证用户
[root@appsrv webdata]# rm /etc/httpd/conf.d/welcome.conf
rm: remove regular file ‘/etc/httpd/conf.d/welcome.conf’? y
[root@appsrv webdata]# htpasswd -c /var/passwd zsuser
New password:
Re-type new password:
Adding password for user zsuser
[root@appsrv webdata]# htpasswd /var/passwd lsusr
New password:
Re-type new password:
Adding password for user lsusr
3、重启服务并将证书传给客户端
[root@appsrv webdata]# systemctl restart httpd
[root@appsrv webdata]# scp /csk-rootca/csk-ca.pem root@192.168.0.190:/root
root@192.168.0.190's password:
csk-ca.pem 100% 1383 1.5MB/s 00:00
九、客户端测试、
确保wordpress放在了网页的根目录下
1、download(文件)
#显示信息必须是文件和证书锁绿色
2、www(wordpress站点)
#必须显示该页面,证书锁显示绿色
3、无版本信息
#开启效果
[root@insidecli /]# curl -I www.chinaskills.cn
HTTP/1.1 301 Moved Permanently
Date: Sat, 17 Jun 2023 03:26:46 GMT
Server: Apache
Location: https://www.chinaskills.cn/
Content-Type: text/html; charset=iso-8859-1
#不开启效果
[root@insidecli /]# curl -I www.chinaskills.cn
HTTP/1.1 301 Moved Permanently
Date: Sat, 17 Jun 2023 03:28:19 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
Location: https://www.chinaskills.cn/
Content-Type: text/html; charset=iso-8859-1