The Linux version is CentOS 7.
httpd, php, php-mysql, mysql and mariadb are not installed on the system, but mariadb-libs is, and /etc/ contains a my.cnf with the following configuration:
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd
[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid
#
# include all files from the config directory
#
!includedir /etc/my.cnf.d
I decided not to uninstall mariadb-libs for now and to install httpd, php, php-mysql and mysql directly.
[root@bogon etc]# yum info mariadb-libs
Next, install MySQL:
1. Download the mysql57-community-release-el7-8.noarch.rpm package from the official site and configure the YUM repository
[root@bogon local]# yum localinstall /usr/local/mysql57-community-release-el7-8.noarch.rpm
Check that the MySQL repository was installed successfully:
[root@bogon local]# yum repolist enabled | grep "mysql.*-community.*"
mysql-connectors-community/x86_64 MySQL Connectors Community 45
mysql-tools-community/x86_64 MySQL Tools Community 57
mysql57-community/x86_64 MySQL 5.7 Community Server 247
2. Install MySQL
[root@bogon local]# yum install mysql-community-server
3. After installation, look at the /etc/my.cnf configuration file:
# For advice on how to change settings please see
# http://dev.mysql.com/doc/refman/5.7/en/server-configuration-defaults.html
[mysqld]
#
# Remove leading # and set to the amount of RAM for the most important data
# cache in MySQL. Start at 70% of total RAM for dedicated server, else 10%.
# innodb_buffer_pool_size = 128M
#
# Remove leading # to turn on a very important data integrity option: logging
# changes to the binary log between backups.
# log_bin
#
# Remove leading # to set options mainly useful for reporting servers.
# The server defaults are faster for transactions and fast SELECTs.
# Adjust sizes as needed, experiment to find the optimal values.
# join_buffer_size = 128M
# sort_buffer_size = 2M
# read_rnd_buffer_size = 2M
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
Basic Apache setup:
1. Set the hostname used for testing to localhost; /etc/hosts needs to contain this line:
[root@www ~]# vim /etc/hosts
127.0.0.1 localhost.localdomain localhost
On this system, /etc/hosts is configured as follows:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
so no change is made.
Start the web server:
[root@bogon mysql]# service httpd start
Check the web server status:
[root@bogon mysql]# service httpd status
Redirecting to /bin/systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: active (running) since 二 2018-02-20 14:16:34 CST; 1min 10s ago
Docs: man:httpd(8)
man:apachectl(8)
Main PID: 12951 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
CGroup: /system.slice/httpd.service
├─12951 /usr/sbin/httpd -DFOREGROUND
├─12952 /usr/sbin/httpd -DFOREGROUND
├─12953 /usr/sbin/httpd -DFOREGROUND
├─12954 /usr/sbin/httpd -DFOREGROUND
├─12955 /usr/sbin/httpd -DFOREGROUND
└─12957 /usr/sbin/httpd -DFOREGROUND
2月 20 14:16:33 bogon systemd[1]: Starting The Apache HTTP Server...
2月 20 14:16:33 bogon httpd[12951]: AH00558: httpd: Could not reliably determine the server's fully qualified d...essage
2月 20 14:16:34 bogon systemd[1]: Started The Apache HTTP Server.
Hint: Some lines were ellipsized, use -l to show in full.
Look up the machine's IP address:
[root@bogon mysql]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.109 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::e83:d7e7:1e7e:e315 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:db:fe:5a txqueuelen 1000 (Ethernet)
RX packets 414227 bytes 595010287 (567.4 MiB)
RX errors 34 dropped 41 overruns 0 frame 0
TX packets 204165 bytes 12230973 (11.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 base 0x2000
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:ed:a6:7e txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
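Open "http://192.168.0.109/" in a browser; the page is displayed as follows:
This shows that the Apache server is running normally.
Test whether the PHP module works:
1. Create a test file in /var/www/html: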
[root@bogon mysql]# vim /var/www/html/phpinfo.php
<?php phpinfo (); ?>
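<?php ... ?> is the PHP syntax embedded in an HTML file; everything between these two tags is PHP code. phpinfo(); is a function provided by PHP that displays information about the services on the web server, including the main Apache and PHP information.
2. Open "http://192.168.0.109/phpinfo.php" in a browser; the page is displayed as follows:
This shows that the PHP module started successfully.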
Basic MySQL setup
1. Start the MySQL service:
[root@bogon mysql]# service mysqld start
Redirecting to /bin/systemctl start mysqld.service
2. Check the MySQL status:
[root@bogon mysql]# service mysqld status
Redirecting to /bin/systemctl status mysqld.service
● mysqld.service - MySQL Server
Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled; vendor preset: disabled)
Active: active (running) since 三 2018-02-21 18:41:02 CST; 5min ago
Docs: man:mysqld(8)
http://dev.mysql.com/doc/refman/en/using-systemd.html
Process: 1686 ExecStart=/usr/sbin/mysqld --daemonize --pid-file=/var/run/mysqld/mysqld.pid $MYSQLD_OPTS (code=exited, status=0/SUCCESS)
Process: 1164 ExecStartPre=/usr/bin/mysqld_pre_systemd (code=exited, status=0/SUCCESS)
Main PID: 1689 (mysqld)
CGroup: /system.slice/mysqld.service
└─1689 /usr/sbin/mysqld --daemonize --pid-file=/var/run/mysqld/mys...
2月 21 18:40:35 bogon systemd[1]: Starting MySQL Server...
2月 21 18:41:02 bogon systemd[1]: Started MySQL Server.
3. Log in to MySQL with its administrator account root (unrelated to the Linux root account). By default, a freshly initialised root account should have no password.
[root@bogon ~]# mysql -u root
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
[root@bogon ~]# mysqladmin -u root password 'xueyw123456'
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
Logging in to MySQL fails, so try to log in without a password: edit my.cnf and add skip-grant-tables under [mysqld]
# For advice on how to change settings please see
# http://dev.mysql.com/doc/refman/5.7/en/server-configuration-defaults.html
[mysqld]
skip-grant-tables
#
# Remove leading # and set to the amount of RAM for the most important data
# cache in MySQL. Start at 70% of total RAM for dedicated server, else 10%.
# innodb_buffer_pool_size = 128M
#
# Remove leading # to turn on a very important data integrity option: logging
# changes to the binary log between backups.
# log_bin
#
# Remove leading # to set options mainly useful for reporting servers.
# The server defaults are faster for transactions and fast SELECTs.
# Adjust sizes as needed, experiment to find the optimal values.
# join_buffer_size = 128M
# sort_buffer_size = 2M
# read_rnd_buffer_size = 2M
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
Restart MySQL and try to log in as root again:
[root@bogon ~]# service mysqld restart
Redirecting to /bin/systemctl restart mysqld.service
[root@bogon ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.21 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
After logging in, an attempt to change the root password fails with a No database selected error; the mysql database has to be selected first.
mysql> update user set password=password("xueyw123456") where user="root" and host="localhost";
ERROR 1046 (3D000): No database selected
mysql> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
With the mysql database selected, changing the password again fails with an Unknown column 'password' in 'field list' error.
mysql> update user set password=password("xueyw123456") where user="root" and host="localhost";
ERROR 1054 (42S22): Unknown column 'password' in 'field list'
Looking this up shows that the mysql database no longer has a password column; it has become authentication_string.
mysql> update mysql.user set authentication_string=password('xueyw123456') where user='root';
Query OK, 1 row affected, 1 warning (0.11 sec)
Rows matched: 1 Changed: 1 Warnings: 1
After changing the password, remove skip-grant-tables from my.cnf and restart MySQL.
[root@bogon ~]# service mysqld restart
Redirecting to /bin/systemctl restart mysqld.service
[root@bogon ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.21
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
Logging in with the changed password succeeds.
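While skip-grant-tables is active the server accepts any login without a password, so it is worth confirming that the line is really gone from my.cnf. The following is an added example, not part of the original notes: a shell function (check_skip_grant is a hypothetical name, and the sample file is constructed) that reports active skip-grant-tables lines in the [mysqld] section.

```shell
#!/bin/sh
# Added example (not from the original notes). Reports whether a my.cnf-style
# file still has an active skip-grant-tables line in its [mysqld] section.
# check_skip_grant is a hypothetical helper name; the sample file is constructed.

# check_skip_grant FILE
#   prints "line N: <option line>" for each active hit
#   returns 1 if the option is active, 0 if the file is clean
check_skip_grant() {
    awk '
        {   # normalise: strip CR and surrounding blanks
            sub(/\r$/, "")
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
        }
        line == "" || line ~ /^[#;]/ { next }      # blank or commented out
        line ~ /^\[.*\]$/ {                         # section header
            sec = substr(line, 2, length(line) - 2)
            next
        }
        sec == "mysqld" {
            key = line
            sub(/[ \t]*=.*$/, "", key)              # drop any "= value"
            gsub(/_/, "-", key)                     # - and _ are interchangeable
            if (key == "skip-grant-tables") {
                printf "line %d: %s\n", NR, line
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the recovery configuration used in the walkthrough above.
demo_cnf=$(mktemp)
cat > "$demo_cnf" <<'EOF'
[mysqld]
skip-grant-tables
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
EOF

if check_skip_grant "$demo_cnf"; then
    echo "OK: grant tables are enforced"
else
    echo "WARNING: remove the line above and restart mysqld"
fi
rm -f "$demo_cnf"
```

MySQL 5.7 RPM installations generate a temporary password for root@localhost at first start and record it in the error log (log-error=/var/log/mysqld.log in the my.cnf above), so a passwordless root login is refused.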
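Firewall and SELinux rule setup
CentOS 7 strengthened the firewall: the old iptables is no longer used and firewalld is enabled instead.
1. List the open ports (no port is open by default)
[root@bogon ~]# firewall-cmd --list-ports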
2. Open port 80
firewall-cmd --zone=public (zone) --add-port=80/tcp (port and protocol) --permanent (takes effect permanently)
[root@bogon sysconfig]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
3. Restart (reload) the firewall
[root@bogon sysconfig]# firewall-cmd --reload
success
4. Check whether port 80 is open
[root@bogon ~]# firewall-cmd --list-ports
80/tcp
5. Stop the firewall
[root@bogon ~]# service firewalld stop
Redirecting to /bin/systemctl stop firewalld.service
6. Remove the port
[root@bogon ~]# firewall-cmd --zone=public --remove-port=80/tcp --permanent
7. SELinux settings
[root@bogon ~]# getsebool -a | grep httpd
[root@bogon ~]# setsebool -P httpd_can_network_connect=1
Test whether an external client can connect to the server
1. Create the test page index.html in /var/www/html
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p>This is my HOme page</p>
</body>
</html>
2. Opening http://192.168.0.112/ in a browser on the client fails to load the page; check the contents of /var/log/httpd/error_log and /var/log/messages:
[root@bogon html]# tail /var/log/httpd/error_log
[Thu Feb 22 12:04:39.801041 2018] [core:error] [pid 6314] (13)Permission denied: [client 192.168.0.110:49965] AH00035: access to /index.html denied (filesystem path '/var/www/html/index.html') because search permissions are missing on a component of the path
[root@bogon html]# tail /var/log/messages
Feb 22 12:04:38 localhost setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages run: sealert -l ed15e89e-3fd6-4bd9-9a6c-5ce6ad18cf8c
Feb 22 12:04:38 localhost python: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html.#012#012***** Plugin restorecon (99.5 confidence) suggests ************************#012#012If you want to fix the label. #012/var/www/html/index.html default label should be httpd_sys_content_t.#012Then you can run restorecon.#012Do#012# /sbin/restorecon -v /var/www/html/index.html#012#012***** Plugin catchall (1.49 confidence) suggests **************************#012#012If you believe that httpd should be allowed getattr access on the index.html file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd' --raw | audit2allow -M my-httpd#012# semodule -i my-httpd.pp#012
3. Follow the hint and run:
[root@bogon html]# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-httpd.pp
[root@bogon html]# semodule -i my-httpd.pp
4. Open http://192.168.0.112/ on the client; the page loads successfully.
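The setroubleshoot message quoted in step 2 carries two proposals with very different confidence: restorecon at 99.5 (relabel the file to httpd_sys_content_t) and the catchall audit2allow module at 1.49, which is the one run in step 3. As an added example that is not part of the original notes, this script (function names are hypothetical) unpacks such a syslog line and ranks the proposed commands by confidence.

```shell
#!/bin/sh
# Added example (not from the original notes). Ranks the fixes that
# setroubleshoot proposes in a /var/log/messages line by plugin confidence.
# Function names are hypothetical.

# The second setroubleshoot line quoted in step 2 above.
# "#012" is the syslog escape for a newline.
sample_msg() {
cat <<'EOF'
Feb 22 12:04:38 localhost python: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html.#012#012***** Plugin restorecon (99.5 confidence) suggests ************************#012#012If you want to fix the label. #012/var/www/html/index.html default label should be httpd_sys_content_t.#012Then you can run restorecon.#012Do#012# /sbin/restorecon -v /var/www/html/index.html#012#012***** Plugin catchall (1.49 confidence) suggests **************************#012#012If you believe that httpd should be allowed getattr access on the index.html file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd' --raw | audit2allow -M my-httpd#012# semodule -i my-httpd.pp#012
EOF
}

# rank_selinux_suggestions: message lines on stdin ->
#   "<confidence><TAB><plugin><TAB><command>" lines, highest confidence first
rank_selinux_suggestions() {
    awk '
    {
        plugin = ""
        n = split($0, part, "#012")               # undo the newline escaping
        for (i = 1; i <= n; i++) {
            l = part[i]
            if (l ~ /^\*+ +Plugin /) {             # "***** Plugin NAME (CONF confidence) ..."
                split(l, f, " ")
                plugin = f[3]
                conf = f[4]
                sub(/^\(/, "", conf)
            } else if (plugin != "" && l ~ /^# /) {   # a proposed command
                printf "%s\t%s\t%s\n", conf, plugin, substr(l, 3)
            }
        }
    }' | sort -t "$(printf '\t')" -k1,1nr
}

# best_selinux_fix: print only the command of the top-ranked plugin
best_selinux_fix() {
    rank_selinux_suggestions | head -n 1 | cut -f3
}

sample_msg | rank_selinux_suggestions
```

Relabeling with restorecon puts the file back on its default label, whereas a module built with audit2allow adds a local policy rule that allows the access recorded in the audit log.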
Apache module configuration:
1. Install mod_perl and mod_python:
Searching with yum gives the following:
[root@bogon modules]# yum search mod_perl
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.163.com
================================ 匹配:mod_perl ================================
perl-CGI.noarch : Handle Common Gateway Interface requests and responses
perl-IO-Socket-SSL.noarch : Perl library for transparent SSL
[root@bogon modules]# yum search mod_python
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.163.com
=============================== 匹配:mod_python ===============================
mod_wsgi.x86_64 : A WSGI interface for Python web applications in Apache
Install the modules:
[root@bogon modules]# yum install perl-CGI.noarch mod_wsgi.x86_64
2. Options parameter settings:
Edit /etc/httpd/conf/httpd.conf, find #AddHandler cgi-script .cgi, remove the leading #, and then add .pl after .cgi
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
AddHandler cgi-script .cgi .pl
3. Grant CGI execution permission to a directory:
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
AddHandler cgi-script .cgi .pl
<Directory "/var/www/html/cgi">
Options +ExecCGI
AllowOverride None
Order allow,deny
Allow from all
</Directory>
4. Restart Apache; from then on a CGI program can run as long as it has the x permission. For example:
[root@bogon ~]# mkdir /var/www/html/cgi
[root@bogon ~]# vim /var/www/html/cgi/helloworld.pl
#!/usr/bin/perl
print "Content-type:text/html\r\n\r\n";
print "Hello, World.";
[root@bogon ~]# chmod a+x /var/www/html/cgi/helloworld.pl
5. Open http://192.168.0.112/cgi/helloworld.pl in a browser to view the page; it shows 500 Internal Server Error.
6. The error log shows the following:
[root@bogon ~]# tail /var/log/httpd/error_log
[Fri Feb 23 12:13:27.770662 2018] [cgi:error] [pid 3668] [client 192.168.0.110:52536] AH01215: (13)Permission denied: exec of '/var/www/html/cgi/helloworld.pl' failed
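7. Research (https://serverfault.com/questions/691501/apache-permission-denied-exec-of-var-www-html-cgi-test-first-pl-failed) shows that SELinux prevents Apache from running CGI scripts in a non-standard directory.
8. Check the policy for the cgi-bin directories with the following command: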
[root@bogon ~]# semanage fcontext --list | grep cgi-bin
/var/www/[^/]*/cgi-bin(/.*)? all files system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)? all files system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib/cgi-bin(/.*)? all files system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/cgi-bin(/.*)? all files system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib/mailman.*/cgi-bin/.* regular file system_u:object_r:mailman_cgi_exec_t:s0
/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? regular file system_u:object_r:httpd_suexec_exec_t:s0
/var/www/cgi-bin/munin.* all files system_u:object_r:munin_script_exec_t:s0
/var/www/cgi-bin/apcgui(/.*)? all files system_u:object_r:apcupsd_cgi_script_exec_t:s0
/usr/lib/dirsrv/cgi-bin(/.*)? all files system_u:object_r:dirsrvadmin_script_exec_t:s0
...
This means that every file created in Apache's standard cgi-bin directories is automatically given the SELinux type httpd_sys_script_exec_t and can be executed by httpd.
9. Add /var/www/html/cgi to that type:
[root@bogon ~]# semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/html/cgi(/.*)?"
[root@bogon ~]# restorecon -R -v /var/www/html/cgi/
restorecon reset /var/www/html/cgi context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:httpd_sys_script_exec_t:s0
restorecon reset /var/www/html/cgi/helloworld.pl context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:httpd_sys_script_exec_t:s0
10. Check that it was added:
[root@bogon ~]# semanage fcontext --list | grep cgi
...
/var/www/html/cgi(/.*)? all files system_u:object_r:httpd_sys_script_exec_t:s0
...
11. Open http://192.168.0.112/cgi/helloworld.pl in a browser; the Hello World page is displayed.
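File-context rules are regular expressions that must match the whole path, which is why none of the cgi-bin rules listed in step 8 covers /var/www/html/cgi until step 9 adds one. As an added example that is not part of the original notes, the script below replays that matching (matching_types, default_rules and added_rule are hypothetical names). It prints every matching rule and does not model how SELinux chooses among several matches.

```shell
#!/bin/sh
# Added example (not from the original notes). Replays how file-context
# patterns from `semanage fcontext --list` are matched against a path.
# Helper names are hypothetical.

# matching_types PATH: reads fcontext list lines on stdin and prints the
# SELinux type of every rule whose pattern matches PATH in full.
matching_types() {
    while read -r pattern rest; do
        [ -n "$pattern" ] || continue
        ctx=${rest##* }                        # the context is the last field
        # Patterns are anchored at both ends, as in the file_contexts files.
        if printf '%s\n' "$1" | grep -Eq "^(${pattern})\$"; then
            printf '%s\n' "$ctx" | cut -d: -f3  # user:role:TYPE:level
        fi
    done
}

# The httpd_sys_script_exec_t rules shown in step 8.
default_rules() {
cat <<'EOF'
/var/www/[^/]*/cgi-bin(/.*)? all files system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)? all files system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib/cgi-bin(/.*)? all files system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/cgi-bin(/.*)? all files system_u:object_r:httpd_sys_script_exec_t:s0
EOF
}

# The rule that step 9 adds with semanage fcontext -a.
added_rule() {
cat <<'EOF'
/var/www/html/cgi(/.*)? all files system_u:object_r:httpd_sys_script_exec_t:s0
EOF
}

path=/var/www/html/cgi/helloworld.pl
echo "before step 9: $(default_rules | matching_types "$path" | tr '\n' ' ')"
echo "after step 9:  $( { default_rules; added_rule; } | matching_types "$path" | tr '\n' ' ')"
```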
.htaccess setup:
1. Create the content of the protected directory:
[root@bogon ~]# mkdir /var/www/html/protect
[root@bogon ~]# vim /var/www/html/protect/index.html
<html>
<head><title>This is a page for test</title></head>
<body>If you see this page, you can enter this protected page.
</body>
</html>
2. As root, change the httpd.conf settings
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
# Make sure the following lines are present:
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
# Add this section somewhere it does not affect other settings:
<Directory "/var/www/html/protect">
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
In practice, /etc/httpd/conf/httpd.conf turned out to contain the following lines:
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
So I decided to add only the directory permissions (the second section above).
3. Create the .htaccess file in the protected directory:
[root@localhost protect]# vim .htaccess
# Add the following lines
AuthName "Protect test by .htacess"
Authtype Basic
AuthUserFile /var/www/apache.passwd
require user test
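The settings take effect immediately; Apache does not need to be restarted.
4. Create the password file with htpasswd
# htpasswd usage:
[root@localhost ~]# htpasswd [-cmdD] password-file username
# 1. Create apache.passwd with the account test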
[root@localhost ~]# htpasswd -c /var/www/apache.passwd test
New password:
Re-type new password:
Adding password for user test
[root@localhost ~]# cat /var/www/apache.passwd
test:$apr1$1L/fsMAt$M10oKS9OtBtbEQebnEbw20
# 2. Add the account test1 to the existing apache.passwd:
[root@localhost ~]# htpasswd /var/www/apache.passwd test1
New password:
Re-type new password:
Adding password for user test1
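To stress it again: the file name must be the same as the AuthUserFile in .htaccess, and the file must not be placed in a directory that browsers can reach.
5. Test
Opening http://172.16.150.151/protect/ in a browser shows that the page can be viewed directly without authentication.
So the following lines were added to httpd.conf: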
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
Opening the page again shows that the setting has taken effect; authentication is required to view the page.
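Step 4 asks that the password file stay outside any browsable directory, and the entry printed there is stored in Apache's MD5-based $apr1$ format. As an added example that is not part of the original notes, the helpers below report each entry's hash scheme and whether an AuthUserFile path falls under the document root. Assumptions: the helper names are hypothetical, the test1 hash is a constructed placeholder, and /var/www/html is taken as DocumentRoot.

```shell
#!/bin/sh
# Added example (not from the original notes): two checks for the password
# file created in step 4. Helper names are hypothetical.

# htpasswd_schemes: "user:hash" lines on stdin -> "user scheme" per entry
htpasswd_schemes() {
    while IFS=: read -r user hash; do
        case "$user" in ''|'#'*) continue ;; esac              # skip blanks/comments
        case "$hash" in
            '$2y$'*|'$2a$'*|'$2b$'*) scheme=bcrypt ;;          # htpasswd -B
            '$apr1$'*)               scheme=apr1-md5 ;;        # htpasswd -m
            '{SHA}'*)                scheme=sha1-unsalted ;;   # htpasswd -s
            *)                       scheme=crypt-or-plain ;;  # htpasswd -d / -p
        esac
        printf '%s %s\n' "$user" "$scheme"
    done
}

# under_docroot AUTHFILE DOCROOT: returns 0 if AUTHFILE lies below DOCROOT.
# Plain string comparison; symlinks and ".." components are not resolved.
under_docroot() {
    case "${1%/}/" in
        "${2%/}"/*) return 0 ;;
        *)          return 1 ;;
    esac
}

# The first entry is the one printed in step 4; the test1 hash is a
# constructed placeholder, not a real bcrypt hash.
sample_passwd() {
cat <<'EOF'
test:$apr1$1L/fsMAt$M10oKS9OtBtbEQebnEbw20
test1:$2y$05$CONSTRUCTED.PLACEHOLDER.NOT.A.REAL.HASH
EOF
}

sample_passwd | htpasswd_schemes

# /var/www/html is assumed to be the DocumentRoot (the directory served above).
if under_docroot /var/www/apache.passwd /var/www/html; then
    echo "AuthUserFile is inside DocumentRoot: move it"
else
    echo "AuthUserFile is outside DocumentRoot"
fi
```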
Common log-file analysis software:
① webalizer
1. Download the source package from the official site http://www.webalizer.org/download.html and unpack it:
[root@localhost softwares]# tar -jxvf webalizer-2.23-08-src.tar.bz2
2. The build turned out to require zlib; download the source package from the official site http://www.zlib.net/, unpack it and build it:
[root@localhost local]# mv /softwares/zlib-1.2.11.tar.gz .
[root@localhost local]# tar -zxvf zlib-1.2.11.tar.gz
[root@localhost local]# mv zlib-1.2.11 zlib
[root@localhost local]# cd zlib
[root@localhost zlib]# ./configure
[root@localhost zlib]# make
[root@localhost zlib]# make install
3. Configure the system file for zlib:
[root@localhost lib]# vim /etc/ld.so.conf.d/zlib.conf
# Add one line to the file
/usr/local/zlib
# Load the new configuration
[root@localhost lib]# ldconfig
4. Continue building webalizer; an error appears:
configure: error: png library not found.. please install libpng
Try installing libpng with yum:
[root@localhost webalizer-2.23-08]# yum install libpng.x86_64
# Reports that libpng.x86_64 is already installed
[root@localhost webalizer-2.23-08]# yum install libpng-devel.x86_64
5. Continue building webalizer; an error appears:
configure: error: gd library not found.. please install libgd
Try installing libgd with yum:
[root@localhost webalizer-2.23-08]# yum install libgdata.x86_64
# Reports that libgdata.x86_64 is already installed
[root@localhost webalizer-2.23-08]# yum install libgdata-devel.x86_64 libgdither-devel.x86_64 compat-libgdata13.x86_64
# The error is still reported; libgd needs to be installed