Configuring a Secure Dynamic Web Server
Task: use Apache to set up a dynamic web server, build a PHP + MySQL development environment, and add the SSL security protocol to protect data in transit.
Basic concepts
Web server software: the server program that serves web pages for a website
Dynamic website: unlike a traditional static site, the content of a dynamic site is updated on the fly and changes frequently. News sites, forums and e-commerce sites are typical dynamic websites.
Classic dynamic website stacks
Operating system + web server + database + development tool
Windows NT/2000 + IIS + MSSQL + ASP
Linux + Apache + MySQL + PHP (LAMP)
SSL
Limitations of plain LAMP
Data the client submits to the server is not encrypted and can easily be intercepted by a third party; for an e-commerce site this is unacceptable.
SSL
Short for Secure Socket Layer, the most widely used secure communication protocol on the Internet; it protects the data exchanged between the web server and the client. Open-source implementation: http://www.openssl.org
mod_ssl
The SSL module for the Apache server, provided by http://www.modssl.org; it protects data during HTTP communication. Since Apache 2.0 this module has been integrated into the Apache web server itself.
SSL
Basic configuration procedure
Required software
Software packages
http://httpd.apache.org/download.cgi
wget http://dev.xiaonei.com/apache-mirror/httpd/httpd-2.2.11.tar.gz
wget http://www.apache.org/dist/httpd/httpd-2.2.11.tar.gz.md5
http://www.php.net/downloads.php
wget http://cn2.php.net/distributions/php-5.2.8.tar.gz
http://dev.mysql.com/downloads/
wget http://mysql.ntu.edu.tw/Downloads/MySQL-5.1/mysql-5.1.30.tar.gz
md5sum -c httpd-2.2.11.tar.gz.md5
httpd-2.2.11.tar.gz: OK
"OK" means the archive was not corrupted in transit. Note that the digest only proves integrity; it says nothing about who produced the file unless the .md5 itself came from a trusted location (here the official apache.org site rather than the mirror).
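The download check above, as an added example that is not part of the original course notes: a small shell script that compares a tarball against its .md5 companion and refuses to unpack it on mismatch. The archive and both digest files are constructed in a temporary directory so the script runs offline; the file name httpd-demo.tar.gz is a stand-in for the real httpd-2.2.11.tar.gz.

```shell
#!/bin/sh
# Added example (not from the original notes): verify a downloaded tarball
# against its .md5 file before unpacking it. Requires md5sum (coreutils).

# verify_tarball <archive> <md5file>
# Returns 0 when the first digest in <md5file> matches <archive>, 1 otherwise.
verify_tarball() {
    expected=$(awk 'NR == 1 { print $1 }' "$2")
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# unpack_verified <archive> <md5file> <destdir>
# Unpacks only after the digest check passes; prints "ok" or "REJECTED".
unpack_verified() {
    if verify_tarball "$1" "$2"; then
        tar xzf "$1" -C "$3" && echo ok
    else
        echo REJECTED
        return 1
    fi
}

# demo_md5_check: builds a tiny archive plus a matching and a tampered .md5
# file (both constructed for the demo), runs the check against each and
# prints "ok REJECTED".
demo_md5_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/httpd-demo" "$tmp/out"
    echo "constructed sample source tree" > "$tmp/src/httpd-demo/README"
    tar czf "$tmp/httpd-demo.tar.gz" -C "$tmp/src" httpd-demo
    # genuine digest file, in the same "hash  filename" layout md5sum -c expects
    ( cd "$tmp" && md5sum httpd-demo.tar.gz > httpd-demo.tar.gz.md5 )
    # tampered digest file: same layout, wrong hash
    echo "00000000000000000000000000000000  httpd-demo.tar.gz" > "$tmp/bad.md5"
    good=$(unpack_verified "$tmp/httpd-demo.tar.gz" "$tmp/httpd-demo.tar.gz.md5" "$tmp/out")
    bad=$(unpack_verified "$tmp/httpd-demo.tar.gz" "$tmp/bad.md5" "$tmp/out" || true)
    rm -rf "$tmp"
    echo "$good $bad"
}

demo_md5_check
```

The script reads the expected hash itself instead of relying on md5sum -c, so it works no matter which directory the .md5 file names the archive from; the point of the tampered file is that a mismatch must stop the build before tar ever runs.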
Install httpd-2.2.11
tar xvzf httpd-2.2.11.tar.gz
cd httpd-2.2.11
./configure --help
./configure --sysconfdir=/etc --enable-ssl --enable-modules=all
make &> make.log &    (run the build in the background)
tail -f make.log      (watch the build log)
make install
2. Start the service
How to restart the server
/usr/local/apache2/bin/apachectl stop
/usr/local/apache2/bin/apachectl start
killall -HUP httpd
netstat -tnl | grep :80
3. Test access
yum install lynx
yum install links
links http://localhost
lynx http://localhost
Default site home page: /usr/local/apache2/htdocs/index.html
Test tools
Mozilla/Netscape, elinks, or IE
Install MySQL
tar xvzf mysql-5.1.30.tar.gz
cd mysql-5.1.30
./configure --help | more
1. After unpacking
If configure stops with "error: No curses/termcap library found", install the missing development packages:
yum install libtermcap-devel
yum install ncurses-devel
./configure --sysconfdir=/etc
make; make install
Or build in the background:
make &> make.log &
(fg brings the background job back to the foreground)
make install
cp /usr/local/share/mysql/my-large.cnf /etc/my.cnf
(or, from the source tree) cp /mysql-5.1.30/support-files/my-large.cnf /etc/my.cnf
2. Initialize the database
userdel mysql
rm -rf /usr/local/var
useradd -d /usr/local/var mysql
su - mysql
/usr/local/bin/mysql_install_db
If you run into a problem with skip-federated,
comment it out in /etc/my.cnf
3. Start the server
cd /usr/local/; /usr/local/bin/mysqld_safe &    (run the program in the background)
4. Log in with /usr/local/bin/mysql to test
mysql -u root
\s
\q
Install PHP
After unpacking, run
./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mysql=/usr/local/
If you hit "Please check your libxml2 installation":
yum install libxml
yum install libxml2-devel
make; make install
cp php.ini-dist /usr/local/lib/php.ini
2. Edit the Apache configuration file /etc/httpd.conf and add
AddType application/x-httpd-php .php .phtml
3. Write a test page /usr/local/apache2/htdocs/test.php
Test page
echo "<?php phpinfo(); ?>" > /usr/local/apache2/htdocs/index.php
links http://localhost/index.php
lynx http://localhost/index.php
Remove the phpinfo() page once testing is done: it discloses paths, module versions and configuration to anyone who can reach the server.
Finishing up
Start Apache automatically at boot
echo "/usr/local/apache2/bin/apachectl start" >> /etc/rc.local
Start the MySQL database server automatically at boot
cp support-files/mysql.server /etc/init.d/mysqld
chkconfig mysqld on
vi /etc/init.d/mysqld
If you did not install to the default location, set basedir to your installation directory, otherwise the server will not start.
Apache configuration file
Important configuration options
/usr/local/apache2/bin/httpd -l    (lists the modules compiled in by default)
ServerRoot "/usr/local/apache2"    root directory the server runs from
DocumentRoot "/usr/local/apache2/htdocs"    starting location of the files the server shares
Listen 80    port the server listens on
ServerAdmin you@example.com    administrator's e-mail address
User & Group daemon    user and group identity the server processes run as when serving requests
ErrorLog "logs/error_log"    error log file
DirectoryIndex index.html    default index file for a directory
Alias /webpath /full/filesystem/path    sets an access alias for a directory
Locale
LANG=en_US.UTF-8
AddDefaultCharset utf-8
ps aux | grep httpd    (shows the Apache daemon processes)
ls -ld /usr/local/apache2/htdocs/
drwxr-xr-x 2 root root 4096 2008-12-15 09:15 /usr/local/apache2/htdocs/
The daemon user is neither the owner nor in the group, so it falls under "other" and gets r-x by default.
chmod 750 /usr/local/apache2/htdocs/
Now a request to http://192.168.0.102/index.php
returns: You don't have permission to access /index.php on this server.
This shows that the daemon user no longer has access.
tail /usr/local/apache2/logs/error_log    (errors like this are normally recorded in the log)
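The permission experiment above, as an added example that is not part of the original notes: a shell script that predicts from the mode bits whether a named identity (here "daemon", the page's User/Group) can enter a directory, reproduces the 755 versus 750 result on a temporary directory, and counts the matching denials in an error_log. The identity and its groups are passed in by name so no user switching is needed; the log lines are constructed samples modelled on the Apache 2.2 error_log format. GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original notes): the same owner/group/other
# decision the kernel makes when the Apache worker tries to serve a file.

# dir_accessible <dir> <user> [group...]
# Prints "allowed" if <user> (as owner of <dir>, as a member of one of the
# listed groups, or as "other") has the search (x) bit on <dir>, else "denied".
dir_accessible() {
    dir=$1; user=$2; shift 2
    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")
    mode=$(stat -c '%a' "$dir")
    mode=${mode#${mode%???}}                # keep the last three octal digits
    u=${mode%??}; rest=${mode#?}; g=${rest%?}; o=${rest#?}
    if [ "$user" = "$owner" ]; then
        digit=$u                            # owner bits win, as in the kernel
    else
        digit=$o
        for grp in "$@"; do
            [ "$grp" = "$group" ] && digit=$g
        done
    fi
    if [ $((digit & 1)) -eq 1 ]; then echo allowed; else echo denied; fi
}

# forbidden_in_log <error_log>: number of requests refused by file permissions
forbidden_in_log() {
    grep -c 'Permission denied' "$1"
}

# demo_docroot_perms: 755 lets daemon in as "other", 750 shuts it out, the
# owner keeps access; then two constructed "(13)Permission denied" log lines
# are counted. Prints "allowed denied allowed 2".
demo_docroot_perms() {
    tmp=$(mktemp -d)
    me=$(stat -c '%U' "$tmp")
    chmod 755 "$tmp"; a=$(dir_accessible "$tmp" daemon daemon)
    chmod 750 "$tmp"; b=$(dir_accessible "$tmp" daemon daemon)
    c=$(dir_accessible "$tmp" "$me")
    log="$tmp/error_log"
    cat > "$log" <<'EOF'
[Mon Dec 15 09:20:01 2008] [error] [client 192.168.0.101] (13)Permission denied: access to /index.php denied
[Mon Dec 15 09:20:03 2008] [error] [client 192.168.0.101] File does not exist: /usr/local/apache2/htdocs/favicon.ico
[Mon Dec 15 09:20:05 2008] [error] [client 192.168.0.101] (13)Permission denied: access to /test.php denied
EOF
    n=$(forbidden_in_log "$log")
    rm -rf "$tmp"
    echo "$a $b $c $n"
}

demo_docroot_perms
```

Running the check against the real DocumentRoot with the User and Group from httpd.conf tells you in advance whether a chmod will lock the server out, which is cheaper than discovering it from a 403 in the browser.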
Testing an alias
Alias /doc "/usr/share/doc"
<Directory "/usr/share/doc">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Directory access control options
<Directory />
Options FollowSymLinks
AllowOverride None    (nobody may override these settings with .htaccess)
Order deny,allow
Deny from all
</Directory>
<Directory "/usr/local/apache2/htdocs">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>
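As an added example that is not part of the original notes, a small audit of the directory-level directives discussed above: it flags every <Directory> block that enables directory listings (Options Indexes or All) or lets .htaccess files override settings (AllowOverride other than None), and warns when the SSL configuration file is not included. The httpd.conf excerpt it runs on is constructed for the demo from the page's own snippets.

```shell
#!/bin/sh
# Added example (not from the original notes): audit <Directory> blocks in
# an httpd.conf for listing exposure and .htaccess overrides.

# audit_httpd_conf <httpd.conf>: prints one finding per line
audit_httpd_conf() {
    awk '
        /^[[:space:]]*<Directory/ {
            dir = $0
            sub(/^[[:space:]]*<Directory[[:space:]]*"?/, "", dir)
            sub(/"?>.*$/, "", dir)
            next
        }
        /^[[:space:]]*<\/Directory>/ { dir = ""; next }
        dir != "" && $1 == "Options" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[+]?(Indexes|All)$/)
                    print dir ": directory listing enabled (Options " $i ")"
        }
        dir != "" && $1 == "AllowOverride" && $2 != "None" {
            print dir ": AllowOverride " $2 " lets .htaccess change settings"
        }
        $1 == "Include" && $2 ~ /httpd-ssl\.conf/ { ssl = 1 }
        END { if (!ssl) print "httpd-ssl.conf is not included: HTTPS will not be served" }
    ' "$1"
}

# demo_audit: runs the audit over a constructed excerpt (root block locked
# down, the docroot with Indexes on, the /doc alias with AllowOverride All,
# SSL include commented out) and prints four findings.
demo_audit() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Alias /doc "/usr/share/doc"
<Directory "/usr/share/doc">
    Options Indexes MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
#Include /etc/extra/httpd-ssl.conf
EOF
    audit_httpd_conf "$conf"
    rm -f "$conf"
}

demo_audit
```

Indexes is flagged because a listing exposes every file in the directory, including backups and work files that no page links to; AllowOverride is flagged because it hands control of the directives in that tree to whoever can write a .htaccess file there.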
Testing CGI
Configuration file option:
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
Write the CGI file:
/usr/local/apache2/cgi-bin/<cgifile>
Make sure the CGI program can be executed by the daemon user
chgrp daemon /usr/local/apache2/cgi-bin/<cgifile>
chmod 750 /usr/local/apache2/cgi-bin/<cgifile>
Test the CGI program
links http://localhost/cgi-bin/<cgifile>
ls -l /usr/local/apache2/cgi-bin/
total 8
-rw-r--r-- 1 redhat users 294 2004-12-11 13:52 printenv
-rw-r--r-- 1 redhat users 779 2004-12-11 13:52 test-cgi
more /usr/local/apache2/cgi-bin/test.sh
#!/bin/bash
echo "Content-type: text/plain"
echo    # a blank line ends the CGI headers; without it Apache rejects the output as a malformed header
whoami
date
ps aux | grep httpd    (confirm which user the script runs as)
chgrp daemon test.sh
chmod g+x test.sh    (add the execute bit for the group)
chgrp daemon /usr/local/apache2/cgi-bin/test-cgi
chmod g+x /usr/local/apache2/cgi-bin/test-cgi
ls -l /usr/local/apache2/cgi-bin/
http://192.168.0.102/cgi-bin/test-cgi
Virtual hosts
Configure DNS on 192.168.0.101 so that both names point to 192.168.0.102
echo "nameserver 192.168.0.101" > /etc/resolv.conf
host www.chinaitlab.com
host www.redhat.org.cn
mkdir -p /var/www/www.chinaitlab.com
mkdir -p /var/www/www.redhat.org.cn
echo "hi,welcome to www.chinaitlab.com" > /var/www/www.chinaitlab.com/index.html
echo "hi,welcome to www.redhat.org.cn" > /var/www/www.redhat.org.cn/index.html
more /etc/httpd.conf
NameVirtualHost 192.168.0.102:80
<VirtualHost 192.168.0.102:80>
ServerAdmin webmaster@chinaitlab.com
DocumentRoot /var/www/www.chinaitlab.com
ServerName www.chinaitlab.com
ErrorLog logs/www.chinaitlab.com-error_log
CustomLog logs/www.chinaitlab.com-access_log common
</VirtualHost>
<VirtualHost 192.168.0.102:80>
ServerAdmin webmaster@redhat.org.cn
DocumentRoot /var/www/www.redhat.org.cn
ServerName www.redhat.org.cn
ErrorLog logs/www.redhat.org.cn-error_log
CustomLog logs/www.redhat.org.cn-access_log common
</VirtualHost>
links http://www.chinaitlab.com
links http://www.redhat.org.cn
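The virtual host configuration above, generalized to any number of sites as an added example that is not part of the original notes. The script emits the same NameVirtualHost and <VirtualHost> layout the page uses (DocumentRoot under /var/www/<host>, per-site logs, webmaster@<domain> as admin) and reports which block is the default; the host names and IP are the page's sample values.

```shell
#!/bin/sh
# Added example (not from the original notes): generate name-based virtual
# host blocks and identify the default one.

# vhost_block <ip> <host> <admin-mailbox>: one <VirtualHost> block
vhost_block() {
    ip=$1; host=$2; admin=$3
    cat <<EOF
<VirtualHost $ip:80>
ServerAdmin $admin
DocumentRoot /var/www/$host
ServerName $host
ErrorLog logs/$host-error_log
CustomLog logs/$host-access_log common
</VirtualHost>
EOF
}

# gen_vhosts <ip> <host>...: NameVirtualHost line plus one block per host;
# the admin mailbox is webmaster@ the host name without its leading "www."
gen_vhosts() {
    ip=$1; shift
    echo "NameVirtualHost $ip:80"
    for host in "$@"; do
        vhost_block "$ip" "$host" "webmaster@${host#www.}"
    done
}

# default_vhost <conf-file>: the first <VirtualHost> for an address is the
# one Apache serves when the Host header matches no ServerName (or is
# missing, or is the bare IP), so it should be a site you are happy to
# expose that way rather than an internal one.
default_vhost() {
    awk '/^<VirtualHost/ { inblock = 1 }
         inblock && $1 == "ServerName" { print $2; exit }' "$1"
}

# demo_vhosts: writes the page's two sites to a temp file, counts the blocks
# and names the default; prints "2 www.chinaitlab.com".
demo_vhosts() {
    tmp=$(mktemp)
    gen_vhosts 192.168.0.102 www.chinaitlab.com www.redhat.org.cn > "$tmp"
    blocks=$(grep -c '^<VirtualHost 192.168.0.102:80>' "$tmp")
    first=$(default_vhost "$tmp")
    rm -f "$tmp"
    echo "$blocks $first"
}

demo_vhosts
```

Append the output of gen_vhosts to httpd.conf (or keep it in its own included file) and confirm with the two links commands above that each name reaches its own DocumentRoot; a request by IP address alone lands in the first block.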
Enabling the SSL module
/usr/local/apache2/bin/httpd -l    (lists the default modules)
vi /etc/httpd.conf
Include /etc/extra/httpd-ssl.conf
openssl genrsa -out /etc/server.key 1024
openssl req -new -x509 -key /etc/server.key -out /etc/server.crt
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Guangdong
Locality Name (eg, city) [Newbury]:Shenzhen
Organization Name (eg, company) [My Company Ltd]:Chinaitlab.com
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:www.chinaitlab.com
Email Address []:support@chinaitlab.com
chown daemon server.key
chmod 400 server.key
Note that Apache reads the private key as root while starting up, so the key does not have to be readable by the daemon user; leaving it root-owned with mode 400 keeps it out of reach of the worker processes (and of any CGI script they run).
Edit /etc/ssl.conf
Restart the web server
/usr/local/apache2/bin/apachectl stop
/usr/local/apache2/bin/apachectl startssl
Update the corresponding command in the startup script /etc/rc.local
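The certificate step above done non-interactively, as an added example that is not part of the original notes: the -subj string supplies the same answers the prompts ask for, the key is locked down, and two checks a practitioner wants before restarting Apache are run (that the key file has no group/other permissions, and that the certificate was really issued for this key). It uses a 2048-bit key rather than the page's 1024 bits; the subject fields are the page's sample answers and the output goes to a temporary directory instead of /etc.

```shell
#!/bin/sh
# Added example (not from the original notes): self-signed server
# certificate plus sanity checks. Requires openssl and GNU stat.

# make_server_cert <dir> <common-name>: writes server.key and server.crt
make_server_cert() {
    dir=$1; cn=$2
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Chinaitlab.com/OU=Linux/CN=$cn/emailAddress=support@chinaitlab.com" \
        -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
    chmod 400 "$dir/server.key"
}

# key_is_private <keyfile>: "yes" if no group or other permission bits are set
key_is_private() {
    mode=$(stat -c '%a' "$1")
    mode=${mode#${mode%???}}          # last three octal digits
    case ${mode#?} in 00) echo yes ;; *) echo no ;; esac
}

# cert_matches_key <crt> <key>: "yes" if both carry the same RSA modulus,
# i.e. the certificate belongs to this private key (a mismatched pair is a
# common cause of mod_ssl refusing to start)
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1")
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ] && echo yes || echo no
}

# cert_cn <crt>: the Common Name, which must equal the host name clients use
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# demo_ssl_setup: prints "yes yes www.chinaitlab.com"
demo_ssl_setup() {
    tmp=$(mktemp -d)
    make_server_cert "$tmp" www.chinaitlab.com
    echo "$(key_is_private "$tmp/server.key") $(cert_matches_key "$tmp/server.crt" "$tmp/server.key") $(cert_cn "$tmp/server.crt")"
    rm -rf "$tmp"
}

demo_ssl_setup
```

Point SSLCertificateFile and SSLCertificateKeyFile in the included httpd-ssl.conf at the generated files; because the certificate is self-signed, browsers will warn until it is replaced by one issued by a CA the clients trust.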
References
Apache
PHP
MySQL
TUX: a web server that runs inside the kernel