linux学习笔记12-配置安全的动态的WEB服务器

 

配置安全的动态的WEB服务器

任务：使用apache配置动态web服务器，组建php+mysql开发环境，并且增加SSL安全协议，保护数据的传输安全。

基本概念

web服务器软件：在web网站上提供网页服务器的服务器程序

动态web网站：区别与传统的静态网站，网站内容能动态更新，经常变化。常见的新闻网站，论坛，电子商务网站都是动态web网站。

动态web网站经典组合

操作系统+WEB服务器+数据库+开发工具

windowsNT/2000+IIS+MSSQL+ASP

Linux+Apache+Mysql+PHP(LAMP)

SSL

LAMP的局限性

客户端向服务器提交的数据不经过加密，容易被第三方窃取，电子商务网站绝对不允许。

SSL

secure socket layer的缩写，是一种互联网上最普遍使用的安全通讯协议，保障网站服务器与客户机之间数据资料传输的安全性。开放版本—http://www.openssl.org

MODSSL

Apache服务器软件的SSL模块，http://www.modssl.org提供，在HTTP通信过程中保护数据。从Apache 2.0开始，这个模块己经整合进Apache web服务器软件了。

SSL

基本配置过程

预备软件

所需软件包

http://httpd.apache.org/download.cgi

wget http://dev.xiaonei.com/apache-mirror/httpd/httpd-2.2.11.tar.gz

wget http://www.apache.org/dist/httpd/httpd-2.2.11.tar.gz.md5

http://www.php.net/downloads.php

wget http://cn2.php.net/distributions/php-5.2.8.tar.gz

http://dev.mysql.com/downloads/

wget http://mysql.ntu.edu.tw/Downloads/MySQL-5.1/mysql-5.1.30.tar.gz

md5sum -c httpd-2.2.11.tar.gz.md5

httpd-2.2.11.tar.gz: Ok说明没有被破坏

安装httpd-2.2.11

tar xvzf httpd-2.2.11.tar.gz

cd httpd-2.2.11

./configure –help

./configure --sysconfdir=/etc --enable-ssl --enable-modules=all

make &>make.log &让这个在后台执行

tail -f make.log 监视日志文件

make install

2.启动服务

重启服务器的方法

/usr/local/apache2/bin/apachectl stop

/usr/local/apache2/bin/apachectl start

killall -HUP httpd

netstat -tnl |grep :80

3.测试访问效果

yum install lynx

yum install links

links http://localhost

lynx http://localhost

默认网站首页目录/usr/local/apache2/htdocs/index.html

测试工具

mozilla/netscape,elinks或者IE

安装mysql

tar xvzf mysql-5.1.30.tar.gz

cd mysql-5.1.30

./configure --help | more

1.解压缩后

error: No curses/termcap library found

yum install libtermcap-devel

yum install ncurses-devel

./configure –sysconfdir=/etc

make;make install

make &> make.log &

fg可以入前台执行

make install

cp /usr/local/share/mysql/my-large.cnf /etc/my.cnf

cp /mysql-5.1.30/support-files/my-large.cnf /etc/my.cnf

2.初始化数据库

userdel mysql

rm -rf /usr/local/var

useradd -d /usr/local/var mysql

su – mysql

/usr/local/bin/mysql_install_db

如遇到skip-federated

在/etc/my.cnf里面注释掉

3.启动服务器

cd /usr/local/;/usr/local/bin/mysqld_safe & 让程序在后台执行

4.用/usr/local/bin/mysql登录测试

mysql -u root

/s

/q

安装PHP

解压缩后运行

./configure --with-apxs2=/usr/local/apache2/bin/apxs –with-mysql=/usr/local/

如遇到Please check your libxml2 installation

yum install libxml

yum install libxml2-devel

make;make install

cp php.ini-dist /usr/local/lib/php.ini

2.编辑apache配置文件/etc/httpd.conf 增加

addType application/x-httpd-php .php .phtml

3.编写测试页面/usr/local/apache2/htdocs/test.php

测试页面

echo "<?php echo phpinfo(); ?>" >/usr/local/apache2/htdocs/index.php

links http://localhost/index .php

lynx http://localhost/index .php

收尾工作

让apache自动启动

echo "/usr/local/apache2/bin/apachectl start" >> /etc/rc.local

让mysql数据库服务器自动启动

cp support-files/mysql.server /etc/init.d/mysqld

chkconfig mysqld on

vi /etc/init.d/mysqld

basedir如果之前你不是默认安装的，要设置到你安装的目录，否则服务器启动不起来

Apache配置文件

重要的配置选项

/usr/local/apache2/bin/httpd -l查看支持的默认模块

ServerRoot "/usr/local/apache2"服务器运行的根目录

DocumentRoot "/usr/local/apache2/htdocs"服务器共享文件的起始位置

Listen 80服务器监听的端口

ServerAdmin you@example.com 管理员邮箱

User & Group daemon 服务器访问者的身份

ErrorLog "logs/error_log" 出错日志文件

DirectoryIndex index.html 默认文件夹索引文件

Alias /webpath /full/filesystem/path 为目录设置访问别名

locale

LANG=en_US.UTF-8

AddDefaultCharset utf-8

ps aux | grep httpd 查看apache的守护进程

ls -ld /usr/local/apache2/htdocs/

drwxr-xr-x 2 root root 4096 2008-12-15 09:15 /usr/local/apache2/htdocs/

可以看出daemon 的默认权限是r-x

chmod 750 /usr/local/apache2/htdocs/

此时我们访问http://192.168.0.102/index.php

则会You don't have permission to access /index.php on this server.

说明此时daemon己没有访问权限

tail /usr/local/apache2/logs/error_log 这些错误信息一般会反应在日志里

测试alias

Alias /doc "/usr/share/doc"

<Directory "/usr/share/doc">

Options Indexes MultiViews

AllowOverride None

Order allow,deny

Allow from all

</Directory>

目录访问控制选项

<Directory />

Options FollowSymLinks

AllowOverride None不让任何人覆盖

Order deny,allow

Deny from all

</Directory>

<Directory "/usr/local/apache2/htdocs">

#

# Possible values for the Options directive are "None", "All",

# or any combination of:

# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews

#

# Note that "MultiViews" must be named *explicitly* --- "Options All"

# doesn't give it to you.

#

# The Options directive is both complicated and important. Please see

# http://httpd.apache.org/docs/2.2/mod/core.html#options

# for more information.

#

Options Indexes FollowSymLinks

#

# AllowOverride controls what directives may be placed in .htaccess files.

# It can be "All", "None", or any combination of the keywords:

# Options FileInfo AuthConfig Limit

#

AllowOverride None

#

# Controls who can get stuff from this server.

#

Order allow,deny

Allow from all

</Directory>

测试CGI

配置文件选项：

ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"

编写cgi文件：

/usr/local/apache2/cgi-bin/<cgifile>

确认cgi程序是daemon用户可以执行的

chgrp daemon /usr/local/apache2/cgi-bin/<cgifile>

chmod 750 /usr/local/apache2/cgi-bin/<cgifile>

测试cgi程序的执行效果

links http://localhost/cgi-bin/<cgifile>

ls -l /usr/local/apache2/cgi-bin/

total 8

-rw-r--r-- 1 redhat users 294 2004-12-11 13:52 printenv

-rw-r--r-- 1 redhat users 779 2004-12-11 13:52 test-cgi

more /usr/local/apache2/cgi-bin/test.sh

#!/bin/bash

echo "content-type: text/plain"

whoami

date

ps aux|grep httpd确认执行者

chgrp daemon test.sh

chmod g+x test.sh增加执行位

chgrp daemon /usr/local/apache2/cgi-bin/test-cgi

chmod g+x /usr/local/apache2/cgi-bin/test-cgi

ls -l /usr/local/apache2/cgi-bin/

http://192.168.0.102/cgi-bin/test-cgi

虚拟主机

在192.168.0.101配置好DNS，将IP指向 192.168.0.102

echo "nameserver 192.168.0.101">/etc/resolv.conf

host www.chinaitlab.com

host www.redhat.org.cn

mkdir -p /var/www/www.chinaitlab.com

mkdir -p /var/www/www.redhat.org.cn

echo "hi,welcome to www.chinaitlab.com">/var/www/www.chinaitlab.com/index.html

echo "hi,welcome to www.redhat.org.cn">/var/www/www.redhat.org.cn/index.html

more /etc/httpd.conf

NameVirtualHost 192.168.0.102:80

<VirtualHost 192.168.0.102:80>

ServerAdmin webmaster@chinaitlab.com

DocumentRoot /var/www/www.chinaitlab.com

ServerName www.chinaitlab.com

ErrorLog logs/www.chinaitlab.com-error_log

CustomLog logs/www.chinaitlab.com-access_log common

</VirtualHost>

<VirtualHost 192.168.0.102:80>

ServerAdmin webmaster@redhat.org.cn

DocumentRoot /var/www/www.redhat.org.cn

ServerName www.redhat.org.cn

ErrorLog logs/www.redhat.org.cn-error_log

CustomLog logs/www.redhat.org.cn-access_log common

</VirtualHost>

more /etc/httpd.conf

links http://www.chinaitlab.com

links http://www.redhat.org.cn

激活SSL模块

/usr/local/apache2/bin/httpd -l查看默认模块

vi /etc/httpd.conf

Include /etc/extra/httpd-ssl.conf

openssl genrsa -out /etc/server.key 1024

openssl req -new -x509 -key /etc/server.key -out /etc/server.crt

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:Guangdong

Locality Name (eg, city) [Newbury]:Shenzhen

Organization Name (eg, company) [My Company Ltd]:Chinaitlab.com

Organizational Unit Name (eg, section) []:Linux

Common Name (eg, your name or your server's hostname) []:www.chinaitlab.com

Email Address []:support@chinaitlab.com

chown daemon server.key

chmod 400 server.key

编辑/etc/ssl.conf

重新启动web服务器

/usr/local/apache2/bin/apachectl stop

/usr/local/apache2/bin/apachect1startssl

修改启动脚本/etc/rc.local里面的相应的命令

参考资料

Apache

网站-- http://www.apache.org

随机帮助—http://localhost/manual

PHP

网站—http://www.php.net

Mysql

网站—http://www.mysql.com

TUX—运行在内核中的web服务器