I. Basic Apache configuration
Scenario
1> The Apache server and the client are on the same network segment
2> Hostname:
[root@apacheserver ~]# hostnamectl set-hostname apache.example.com
Configuration steps:
1. Install the Apache packages:
[root@apacheserver ~]# yum install httpd httpd-manual
2. Start the Apache service:
[root@apacheserver ~]# systemctl start httpd
[root@apacheserver ~]# systemctl enable httpd
3. Check the listening port:
[root@apacheserver ~]# ss -antlp |grep httpd
or
4. Open the firewall for Apache
[root@apacheserver ~]# firewall-cmd --permanent --add-service=http
success
[root@apacheserver ~]# firewall-cmd --permanent --add-service=https
success
[root@apacheserver ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client dns http https ssh
ports: 8080/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
This completes the basic Apache configuration; the server can now be reached from a browser on the client.
5. Writing a test page
Create the file index.html under /var/www/html/
[root@apacheserver ~]# vim /var/www/html/index.html
[root@apacheserver ~]# cat /var/www/html/index.html
hello
Browsing to the server from the client now shows the contents of index.html.
II. Changing Apache's default settings
1. Change the default listening port
1> Edit the configuration file
[root@apacheserver ~]# vim /etc/httpd/conf/httpd.conf
Listen 8080
2> Restart the service
[root@apacheserver ~]# systemctl restart httpd
3> In the client browser, enter the server IP and port
172.25.254.190:8080
2. Change the default index file
1> Edit the configuration file
[root@apacheserver ~]# vim /etc/httpd/conf/httpd.conf
<IfModule dir_module>
DirectoryIndex xiyou index.html
</IfModule>
2> Write the index file
[root@apacheserver ~]# vim /var/www/html/xiyou
[root@apacheserver ~]# cat /var/www/html/xiyou
welcom to xiyou
3> Restart the service
[root@apacheserver ~]# systemctl restart httpd
4> Test from the client browser
3. Change the default document root
1> Create the new document root
[root@apacheserver ~]# mkdir /wuhui/html -p
2> Edit the configuration file
[root@apacheserver ~]# vim /etc/httpd/conf/httpd.conf
DocumentRoot "/wuhui/html"
<Directory "/wuhui">
Require all granted
</Directory>
3> Write the index.html file in the new document root
[root@apacheserver html]# vim index.html
[root@apacheserver html]# cat index.html
new directory
4> Restart the service
[root@apacheserver ~]# systemctl restart httpd
5> Test from the client browser
Common pitfall:
After the document root is changed, the contents of index.html are not shown and the default welcome page appears instead; this is caused by SELinux.
III. Name-based virtual hosts
1. Edit /etc/hosts on the client
172.25.254.190 www.westos.com apache.westos.com music.westos.com
2. Create the document roots and index files for the virtual hosts
[root@apache www]# mkdir news
[root@apache www]# mkdir music
[root@apache www]# echo new > /var/www/news/index.html
[root@apache www]# echo music > /var/www/music/index.html
3. Write the virtual host configuration files
[root@apache www]# cd /etc/httpd/conf.d/
[root@apache conf.d]# vim default.conf
<virtualhost _default_:80>
documentroot /var/www/html
customlog "logs/default.log" combined
</virtualhost>
<directory /var/www/html>
require all granted
</directory>
[root@apache conf.d]# vim news.conf
<virtualhost *:80>
servername apache.westos.com
documentroot /var/www/news
customlog "logs/news.log" combined
</virtualhost>
<directory /var/www/news>
require all granted
</directory>
[root@apache conf.d]# vim music.conf
<virtualhost *:80>
servername music.westos.com
documentroot /var/www/music
customlog "logs/music.log" combined
</virtualhost>
<directory /var/www/music>
require all granted
</directory>
4. Restart the service
[root@apache conf.d]# systemctl restart httpd
V. Apache's built-in user authentication
1. Create users in /etc/httpd/conf/
[root@apache conf]# htpasswd -cm apacheuser admin
New password:
Re-type new password:
Adding password for user admin
[root@apache conf]# htpasswd -m apacheuser tom
New password:
Re-type new password:
Adding password for user tom
2. Edit the virtual host configuration file in /etc/httpd/conf.d/
[root@apache conf.d]# vim news.conf
Add the following:
<directory /var/www/news/admin>
authuserfile /etc/httpd/conf/apacheuser
authname "input name,passwd"
authtype basic
require valid-user
</directory>
3. Restart the service
[root@apache conf.d]# systemctl restart httpd
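The entries that `htpasswd -m` writes into apacheuser have the form `$apr1$<salt>$<hash>`, an Apache-specific variant of md5-crypt (salted MD5 with 1000 stretching rounds). This added example, which is not part of the original tutorial, reimplements that scheme with the Python standard library so a line from such a file can be verified offline; the test vector used with it is the one published in the httpd password-formats documentation.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"

def _to64(value, count):
    # crypt(3)-style base64: 6 bits at a time, least significant first
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_crypt(password, salt):
    """Return '$apr1$<salt>$<hash>' as htpasswd -m stores it (salt: up to 8 ITOA64 chars)."""
    pw, s = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + MAGIC + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for i in range(len(pw)):                 # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                                 # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                    # stretching rounds; input order depends on r
        rnd = hashlib.md5()
        rnd.update(pw if r & 1 else final)
        if r % 3:
            rnd.update(s)
        if r % 7:
            rnd.update(pw)
        rnd.update(final if r & 1 else pw)
        final = rnd.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return MAGIC.decode() + s.decode() + "$" + out

def verify_htpasswd_line(line, user, password):
    """Check user/password against one 'user:$apr1$...' line of an htpasswd file."""
    name, _, stored = line.strip().partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_crypt(password, salt), stored)
```

Because the scheme is only iterated MD5, `htpasswd -B` (bcrypt) is the stronger choice for new files on httpd 2.4.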
Denying or allowing access to Apache pages from a particular IP address:
[root@apache conf.d]# vim /etc/httpd/conf.d/news.conf
Block access from 172.25.254.90; to allow it instead, use order deny,allow
<directory /var/www/news/admin>
# whichever comes first is evaluated first
order allow,deny
allow from 172.25.254.90
deny from all
</directory>
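The Order/Allow/Deny directives above (mod_access_compat in httpd 2.4) are easy to misread: the order sets the default decision and which directive wins when both match, rather than a first-match rule. This added example, not from the original tutorial, implements those semantics in Python and evaluates the page's own block both as written and with the order deny,allow variant the text mentions; 172.25.254.100 is a constructed second client address.

```python
import ipaddress

def _matches(rule, client):
    """Does one Allow/Deny argument match the client address?
    Handles 'all', a host address, a CIDR/netmask network and a partial
    dotted prefix such as '172.25.254' (all accepted by mod_access_compat)."""
    if rule == "all":
        return True
    try:
        return client in ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return str(client).startswith(rule.rstrip(".") + ".")

def access_decision(order, allows, denies, client_ip):
    """Decide access the way Order allow,deny / Order deny,allow do.

    allow,deny: default deny; admitted only if an Allow matches and no Deny matches.
    deny,allow: default allow; refused only if a Deny matches and no Allow matches.
    """
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(r, client) for r in allows)
    denied = any(_matches(r, client) for r in denies)
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return not denied or allowed
    raise ValueError("unknown Order: " + order)

# The <directory /var/www/news/admin> rules from this page ...
PAGE_RULES = {"allows": ["172.25.254.90"], "denies": ["all"]}

def page_block_as_written(client_ip):
    # ... with 'order allow,deny' exactly as the page has it
    return access_decision("allow,deny", client_ip=client_ip, **PAGE_RULES)

def page_block_deny_allow(client_ip):
    # ... and with the 'order deny,allow' variant the text mentions for allowing the host
    return access_decision("deny,allow", client_ip=client_ip, **PAGE_RULES)

if __name__ == "__main__":
    for ip in ("172.25.254.90", "172.25.254.100"):
        print(ip, "allow,deny:", page_block_as_written(ip),
              "deny,allow:", page_block_deny_allow(ip))
```

As written the block admits neither address, because Deny from all overrides the Allow; with order deny,allow only 172.25.254.90 gets in.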
VI. CGI
The Common Gateway Interface (CGI) is the simplest way to place dynamic content on a website. CGI scripts can serve many purposes, but it is important to control carefully which CGI scripts are used and who is allowed to add and run them. A poorly written CGI script can give an external attacker a way to compromise the site and its content. For this reason, settings that restrict the use of CGI scripts exist both at the web server level and at the SELinux policy level.
Example:
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
# ll -dZ /var/www/cgi-bin/
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/
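The pitfall noted under "Change the default document root" and the `ll -dZ` output just above come down to the same thing: the SELinux type on the directory. Content Apache serves must carry httpd_sys_content_t and a ScriptAlias directory httpd_sys_script_exec_t. This added example, not from the original tutorial, parses `ls -dZ` lines such as the one above and produces the semanage/restorecon commands that would persistently correct a mislabelled path; the /wuhui/html line is constructed to show the failure case.

```python
import shlex

# SELinux types Apache's policy expects, keyed by how the directory is used.
EXPECTED_TYPE = {
    "content": "httpd_sys_content_t",     # DocumentRoot and anything served as files
    "cgi": "httpd_sys_script_exec_t",     # ScriptAlias directory
}

def parse_ls_z(line):
    """Parse one line of `ls -dZ` output into (path, selinux_type).

    The context has the form user:role:type:level, e.g.
    system_u:object_r:httpd_sys_content_t:s0; the path is the last field.
    """
    fields = line.split()
    path = fields[-1]
    context = next(f for f in fields if f.count(":") >= 3)
    return path, context.split(":")[2]

def label_fix(line, usage):
    """Return [] when the label suits `usage`, otherwise the commands that add a
    persistent fcontext rule for the tree and relabel it (restorecon)."""
    path, current = parse_ls_z(line)
    wanted = EXPECTED_TYPE[usage]
    if current == wanted:
        return []
    pattern = path.rstrip("/") + "(/.*)?"
    return [
        f"semanage fcontext -a -t {wanted} {shlex.quote(pattern)}",
        f"restorecon -Rv {shlex.quote(path)}",
    ]

# Sample ls -dZ output: the CGI line is the one shown on this page; the /wuhui/html
# line is constructed to mimic a directory created with mkdir outside /var/www, which
# inherits default_t and is refused by httpd (hence the fallback welcome page).
SAMPLES = [
    ("cgi", "drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/"),
    ("content", "drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /wuhui/html"),
]

if __name__ == "__main__":
    for usage, line in SAMPLES:
        fixes = label_fix(line, usage)
        print(parse_ls_z(line)[0], "OK" if not fixes else "\n  ".join(["needs relabel:"] + fixes))
```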
PHP support:
Install the php package, which includes the mod_php module:
# yum install -y php
Module configuration file: /etc/httpd/conf.d/php.conf
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
DirectoryIndex index.php
Build the PHP practice environment on server0; this script configures mariadb automatically and generates the dynamic page /var/www/html/index.php:
# lab phpdb setup
Install PHP's database support:
# yum install -y php-mysql
After restarting the httpd service, test that the page loads correctly.
Note: when the database the web server connects to is on a remote host, the SELinux booleans must be changed:
# setsebool -P httpd_can_network_connect_db=1
# setsebool -P httpd_can_network_connect=1
(this one is needed when the database port is not 3306)
VII. Configuring HTTPS
1. Create a self-signed certificate
1> Install crypto-utils and mod_ssl (skip if they are already installed)
[root@apache www]# yum list installed | grep crypto-utils
[root@apache www]# yum list installed | grep mod_ssl
[root@apache ~]# yum install mod_ssl.x86_64
[root@apache www]# yum install crypto-utils
2> Run genkey, giving the generated files a unique name (for example, the server's fully qualified hostname).
--days sets the certificate validity period
[root@apache www]# genkey apache.example.com
2. Install the certificate and its private key
1> Confirm that the mod_ssl package is installed.
[root@apache www]# yum list installed | grep mod_ssl
2> The private key is sensitive; make sure only root can read it.
[root@apache www]# ls -l /etc/pki/tls/private/apache.example.com.key
-r--------. 1 root root 937 Mar 7 23:54 /etc/pki/tls/private/apache.example.com.key
3> Write the configuration file for the virtual host to be encrypted
[root@apache www]# vim /etc/httpd/conf.d/login.conf
<virtualhost *:443>
servername login.westos.com
documentroot /var/www/login
customlog "logs/login.log" combined
sslengine on
sslcertificatefile /etc/pki/tls/certs/apache.example.com.crt
sslcertificatekeyfile /etc/pki/tls/private/apache.example.com.key
</virtualhost>
<directory /var/www/login>
require all granted
</directory>
4> Restart the Apache service
[root@apache www]# systemctl restart httpd
Test:
On the client, edit /etc/hosts (vim /etc/hosts)
Browser: https://login.westos.com
3. URL rewriting
Redirect all requests arriving on port 80 to be handled over HTTPS
Edit the configuration file of the HTTPS virtual host:
<virtualhost *:443>
servername login.westos.com
documentroot /var/www/login
customlog "logs/login.log" combined
sslengine on
sslcertificatefile /etc/pki/tls/certs/apache.example.com.crt
sslcertificatekeyfile /etc/pki/tls/private/apache.example.com.key
</virtualhost>
<directory /var/www/login>
require all granted
</directory>
<virtualhost *:80>
servername login.westos.com
rewriteengine on
rewriterule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</virtualhost>