Apache配置手册

1.1 Apache安装

[root@web1 ~]# yum install -y httpd

1.2 修改Apache的ServerName

[root@web1 ~]# vim /etc/httpd/conf/httpd.conf # 修改95行，取消'#'符，将ServerName改为本地主机FQDN ServerName www.1000cc.net:80

1.3 启动Apache服务

[root@web1 ~]# systemctl enable --now httpd

2.1 确认当前Apache工作模式

[root@web1 ~]# httpd -V | grep "Server MPM" Server MPM: prefork

2.2 修改Apache工作模式

[root@web1 ~]# vim /etc/httpd/conf.modules.d/00-mpm.conf # 第6行，为prefork模式 LoadModule mpm_prefork_module modules/mod_mpm_prefork.so # 第12行，为worker模式 #LoadModule mpm_worker_module modules/mod_mpm_worker.so # 第18行，为event模式 #LoadModule mpm_event_module modules/mod_mpm_event.so 修改完成后，重启apache服务 [root@web1 ~]# systemctl restart httpd

3.1 安装CLI客户端

[root@client ~]# yum install lynx -y

3.2 添加web srv网页页面

[root@web1 ~]# echo "welcome to 1000cc.net" > /var/www/html/index.html

3.3 为web服务器添加防火墙规则

[root@web1 ~]# firewall-cmd --add-service=http --permanent success [root@web1 ~]# firewall-cmd --reload success

3.4 客户端访问web srv

[root@client ~]# lynx 192.168.188.11 welcome to 1000cc.net

4.1 Perl脚本

1) 安装Perl [root@web1 ~]# yum install -y perl perl-CGI 2) 允许Apache执行CGI脚本 [root@web1 ~]# vim /etc/httpd/conf/httpd.conf # 确认144行，开启ExecCGI Options Indexes FollowSymLinks ExecCGI # 确认164行，允许索引index.cgi DirectoryIndex index.html index.cgi # 确认247行，默认开启 ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" # 取消294行'#'符'，允许Aapche支持.cgi AddHandler cgi-script .cgi 3) 编写perl脚本 [root@web1 ~]# rm -f /var/www/html/index.html [root@web1 ~]# vim /var/www/html/index.cgi #!/usr/bin/perl print "Content-type: text/html\n\n"; print "<html>\n<body>\n"; print "<div style=\"width: 100%; font-size: 40px; font-weight: bold; text-align: center;\">\n"; print "CGI Test Page"; print "\n</div>\n"; print "</body>\n</html>\n"; [root@web1 ~]# chmod 705 /var/www/html/index.cgi 4) 重启Apache [root@web1 ~]# systemctl restart httpd 5) 客户端访问web srv [root@client ~]# lynx 192.168.188.11 CGI Test Page

4.2 PHP Scripts

1) 安装PHP [root@web1 ~]# yum install -y php php-mbstring php-pear 2) 确认PHP相关配置文件存在并重启Apache [root@web1 ~]# ls /etc/httpd/conf.d/php.conf /etc/httpd/conf.modules.d/10-php.conf /etc/httpd/conf.d/php.conf /etc/httpd/conf.modules.d/10-php.conf [root@web1 ~]# systemctl restart httpd 3) 编写index.php文件 [root@web1 ~]# rm -f /var/www/html/index.cgi [root@web1 ~]# vim /var/www/html/index.php <html> <body> <div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;"> <?php print Date("Y/m/d"); ?> </div> </body> </html> 4) 客户端访问web srv [root@client ~]# lynx 192.168.188.11 2020/01/20 # 正确应显示当前日期

4.3 Ruby脚本

1) 安装Ruby [root@web1 ~]# yum install -y ruby 2) 允许Apache执行Ruby脚本 [root@web1 ~]# vim /etc/httpd/conf/httpd.conf # 确认144行，开启ExecCGI Options Indexes FollowSymLinks ExecCGI # 确认164行，允许索引index.rb DirectoryIndex index.html index.cgi index.rb # 确认247行，默认开启 ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" # 取消294行'#'符'，允许Aapche支持.cgi及.rb AddHandler cgi-script .cgi .rb 3) 重启Apache [root@web1 ~]# systemctl restart httpd 4) 编写index.rb [root@web1 ~]# rm -f /var/www/html/index.php [root@web1 ~]# vim /var/www/html/index.rb #!/usr/bin/ruby print "Content-type: text/html\n\n" print "<html>\n<body>\n" print "<div style=\"width: 100%; font-size: 40px; font-weight: bold; text-align: center;\">\n" print "Ruby Script Test Page" print "\n</div>\n" print "</body>\n</html>\n" [root@web1 ~]# chmod 705 /var/www/html/index.rb 5) 客户端测试 [root@client ~]# lynx 192.168.188.11 Ruby Script Test Page

4.4 Python脚本

1) 安装Python [root@web1 ~]# yum install -y python 2) 配置Apache支持python [root@web1 ~]# vim /etc/httpd/conf/httpd.conf # 确认144行，开启ExecCGI Options Indexes FollowSymLinks ExecCGI # 确认164行，允许索引index.py DirectoryIndex index.html index.cgi index.rb index.py # 确认247行，默认开启 ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" # 取消294行'#'符'，允许Aapche支持.cgi、.rb及.py AddHandler cgi-script .cgi .rb .py 3) 重启Apache [root@web1 ~]# systemctl restart httpd 4) 编写index.py [root@web1 ~]# rm -f /var/www/html/index.rb [root@web1 ~]# vim /var/www/html/index.py #!/usr/bin/env python print "Content-type: text/html\n\n" print "<html>\n<body>" print "<div style=\"width: 100%; font-size: 40px; font-weight: bold; text-align: center;\">" print "Python Script Test Page" print "</div>\n</body>\n</html>" [root@web1 ~]# chmod 705 /var/www/html/index.py 5) 客户端测试 [root@client ~]# lynx 192.168.188.11 Rython Script Test Page

5.1 一个IP不同FQDN设定

1) 配置DNS服务 1.设定好DNS 服务，能够解析www.1000cc.net及web.1000cc.net两个FQDN 2) 编写虚拟主机文件 [root@web1 ~]# vim /etc/httpd/conf.d/www.conf <Directory /srv/1000cc/www> Require all granted AllowOverride None </Directory> <VirtualHost www.1000cc.net:80> DocumentRoot /srv/1000cc/www ServerName www.1000cc.net ServerAdmin wwwmaster@1000cc.net ErrorLog "logs/www_error_log" CustomLog "logs/www_access_log" common </VirtualHost> [root@web1 ~]# vim /etc/httpd/conf.d/web.conf <Directory /srv/1000cc/web> Require all granted AllowOverride None </Directory> <VirtualHost web.1000cc.net:80> DocumentRoot /srv/1000cc/web ServerName web.1000cc.net ServerAdmin webmaster@1000cc.net ErrorLog "logs/web_error_log" CustomLog "logs/web_access_log" common </VirtualHost> 3) 创建虚拟主机的资源目录及测试页面 [root@web1 ~]# mkdir -pv /srv/1000cc/www /srv/1000cc/web [root@web1 ~]# echo "www site" > /srv/1000cc/www/index.html [root@web2 ~]# echo "web site" > /srv/1000cc/web/index.html 4) 重启Apache服务 [root@web1 ~]# systemctl restart httpd 5) 客户端测试 [root@client ~]# lynx www.1000cc.net www site [root@client ~]# lynx web.1000cc.net web site

5.2 同一端口不同IP的设定

1) 前提 1. 要求:Apache Server上至少有两个及以上的IP地址，用以准备分配给两个多过个虚拟主机使用 2) 编写虚拟主机文件 [root@web1 ~]# vim /etc/httpd/conf.d/www.conf <Directory /srv/1000cc/www> Require all granted AllowOverride None </Directory> <VirtualHost 192.168.188.101:80> DocumentRoot /srv/1000cc/www ServerName www.1000cc.net ServerAdmin wwwmaster@1000cc.net ErrorLog "logs/www_error_log" CustomLog "logs/www_access_log" common </VirtualHost> [root@web1 ~]# vim /etc/httpd/conf.d/web.conf <Directory /srv/1000cc/web> Require all granted AllowOverride None </Directory> <VirtualHost 192.168.188.102:80> DocumentRoot /srv/1000cc/web ServerName web.1000cc.net ServerAdmin webmaster@1000cc.net ErrorLog "logs/web_error_log" CustomLog "logs/web_access_log" common </VirtualHost> 3) 创建虚拟主机的资源目录及测试页面 [root@web1 ~]# mkdir -pv /srv/1000cc/www /srv/1000cc/web [root@web1 ~]# echo "www site" > /srv/1000cc/www/index.html [root@web2 ~]# echo "web site" > /srv/1000cc/web/index.html 4) 重启Apache服务 [root@web1 ~]# systemctl restart httpd 5) 客户端测试 [root@client ~]# lynx 192.168.188.101 www site [root@client ~]# lynx 192.168.188.102 web site

5.3 同一IP不同端口的设定

1) 修改httpd.conf [root@web1 ~]# vim /etc/httpd/conf/httpd.conf # 开放2个到多个监听端口 # 于42行之下添加新的监听端口，修改完成后42-43行内容如下 Listen 80 Listen 8123 2) 编写虚拟主机文件 [root@web1 ~]# vim /etc/httpd/conf.d/www.conf <Directory /srv/1000cc/www> Require all granted AllowOverride None </Directory> <VirtualHost 192.168.188.101:80> DocumentRoot /srv/1000cc/www ServerName www.1000cc.net ServerAdmin wwwmaster@1000cc.net ErrorLog "logs/www_error_log" CustomLog "logs/www_access_log" common </VirtualHost> [root@web1 ~]# vim /etc/httpd/conf.d/web.conf <Directory /srv/1000cc/web> Require all granted AllowOverride None </Directory> <VirtualHost 192.168.188.101:8123> DocumentRoot /srv/1000cc/web ServerName web.1000cc.net ServerAdmin webmaster@1000cc.net ErrorLog "logs/web_error_log" CustomLog "logs/web_access_log" common </VirtualHost> 3) 创建虚拟主机的资源目录及测试页面 [root@web1 ~]# mkdir -pv /srv/1000cc/www /srv/1000cc/web [root@web1 ~]# echo "www site" > /srv/1000cc/www/index.html [root@web2 ~]# echo "web site" > /srv/1000cc/web/index.html 4) 重启Apache服务 [root@web1 ~]# systemctl restart httpd 5) 客户端测试 [root@client ~]# lynx 192.168.188.101 www site [root@client ~]# lynx http://192.168.188.102:8123 web site

7.1 基础认证

1) 配置基础认证 [root@web1 ~]# vim /etc/httpd/conf.d/basicauth.conf <Directory /var/www/html># 指定访问哪个资源时需要提交认证信息 AuthType Basic AuthName "Basic Authentication from 1000cc.net" AuthUserFile /etc/httpd/conf/htpasswd require valid-user </Directory> 2) 添加账户 [root@web1 ~]# htpasswd -c /etc/httpd/conf/htpasswd lisa # lisa为为虚拟账户。系统中可以不存在此账户 New password: Re-type new password: Adding password for user lisa 3) 重启apache服务 [root@web1 ~]# echo "welcome to web1.1000cc.net" > /var/www/html/index.html [root@web1 ~]# systemctl restart httpd 4) 客户端测试 [root@client ~]# lynx 192.168.188.11 Username for 'Basic Authentication from 1000cc.net' at server '192.168.188.11':lisa # 输入访问账户lisa Password:******** # 输入账户密码 ----------显示结果---------- welcome to web1.1000cc.net

7.2 基于PAM认证

1) 生成证书.详见HTTP+SSL 2) 安装mod_authnz_external模块即pwauth [root@web1 ~]# yum --enablerepo=epel -y install mod_authnz_external pwauth 3) 创建authpam配置文件 [root@web1 ~]# vim /etc/httpd/conf.d/authnz_external.conf #于6行，添加以下内容 <Directory /var/www/html/auth-pam> SSLRequireSSL AuthType Basic AuthName "PAM Authentication" AuthBasicProvider external AuthExternal pwauth require valid-user </Directory> 4) 重启Apache服务 [root@web1 ~]# mkdir -pv /var/www.html/pam-auth/ [root@web1 ~]# echo "AUTH PAM OK" > /var/www/html/pam-auth/index.html [root@web1 ~]# systemctl restart httpd 5) 客户端测试 [root@client ~]# lynx https://192.168.188.11/pam-auth # lynx信息提示 SSL error:self signed certificate-Continue? (y) y SSL error:host(192.168.188.11)!=cert(CN<web1.1000cc.net>)-Continue? (y) y SSL error:self signed certificate-Continue? (y) y SSL error:host(192.168.188.11)!=cert(CN<web1.1000cc.net>:CN<web1.1000cc.net>)-Continue? (y) y Username for 'PAM Authentication' at server '192.168.188.11:443': snow # 系统账户 Password: ******** # 系统账户snow密码 SSL error:self signed certificate-Continue? (y) y SSL error:host(192.168.188.11)!=cert(CN<web1.1000cc.net>)-Continue? (y) y -----------显示结果------- AUTH PAM OK

7.3 实现LDAP认证

7.3.1 配置LDAP Server

1) 安装OpenLDAP Server [root@ldapsrv ~]# yum install openldap-servers openldap-clients -y [root@ldapsrv ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG [root@ldapsrv ~]# chown ldap. /var/lib/ldap/DB_CONFIG [root@ldapsrv ~]# systemctl enable --now slapd 2) 设置OpenLDAP管理员密码 [root@ldapsrv ~]# slappasswd New password: Re-enter new password: {SSHA}J1WHWd+cV2Xq/N2DwIFGoBkoZr3uGJZ2 [root@ldapsrv ~]# vim chrootpw.ldif # 输入内容 angetype: modify add: olcRootPW olcRootPW: {SSHA}J1WHWd+cV2Xq/N2DwIFGoBkoZr3uGJZ2 [root@ldapsrv ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 3) 定义基本架构 [root@ldapsrv ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=cosine,cn=schema,cn=config" [root@ldapsrv ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=nis,cn=schema,cn=config" [root@ldapsrv ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=inetorgperson,cn=schema,cn=config" 4) 在OpenLDAP数据库中设定域名(将1000cc.net替换为你自己的域名) [root@ldapsrv ~]# vim chdomain.ldif dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=1000cc,dc=net" read by * none dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=1000cc,dc=net dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcRootDN olcRootDN: cn=Manager,dc=1000cc,dc=net dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}J1WHWd+cV2Xq/N2DwIFGoBkoZr3uGJZ2 dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=1000cc,dc=net" write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=Manager,dc=1000cc,dc=net" write by * read [root@ldapsrv ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={1}monitor,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" [root@ldapsrv ~]# vim basedomain.ldif dn: dc=1000cc,dc=net objectClass: top objectClass: dcObject objectclass: organization o: 1000cc net dc: 1000cc dn: cn=Manager,dc=1000cc,dc=net objectClass: organizationalRole cn: Manager description: Directory Manager dn: ou=People,dc=1000cc,dc=net objectClass: organizationalUnit ou: People dn: ou=Group,dc=1000cc,dc=net objectClass: organizationalUnit ou: Group [root@ldapsrv ~]# ldapadd -x -D cn=Manager,dc=1000cc,dc=net -W -f basedomain.ldif Enter LDAP Password: # 输入管理员密码 adding new entry "dc=1000cc,dc=net" adding new entry "cn=Manager,dc=1000cc,dc=net" adding new entry "ou=People,dc=1000cc,dc=net" adding new entry "ou=Group,dc=1000cc,dc=net" 5) 设定用户密码 [root@ldapsrv ~]# slappasswd New password: # 为用户设定密码 Re-enter new password: {SSHA}TSlbJRalVbjv5QA94s5Ib1aSF37JreCA 6) 添加账户 [root@ldapsrv ~]# vim ldapuser.ldif dn: uid=snow,ou=People,dc=1000cc,dc=net objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount cn: snow chuai sn: Linux userPassword: {SSHA}1a7rwZs3xY4bDJOphPdk/wW1f7h6STgB loginShell: /bin/bash uidNumber: 1000 gidNumber: 1000 homeDirectory: /home/snow dn: cn=snow,ou=Group,dc=1000cc,dc=net objectClass: posixGroup cn: snow chuai gidNumber: 1000 memberUid: snow [root@ldapsrv ~]# ldapadd -x -D cn=Manager,dc=1000cc,dc=net -W -f ldapuser.ldif Enter LDAP Password: adding new entry "uid=snow,ou=People,dc=1000cc,dc=net" adding new entry "cn=snow,ou=Group,dc=1000cc,dc=net" 7) 防火墙设定 [root@ldapsrv ~]# firewall-cmd --add-service=ldap --permanent success [root@ldapsrv ~]# firewall-cmd --reload success

7.3.2 生成ssl证书

1) 创建key [root@srv2 ~]# cd /etc/pki/tls/certs [root@srv2 certs]# make server.key umask 77 ; \ /usr/bin/openssl genrsa -aes128 2048 > server.key Generating RSA private key, 2048 bit long modulus ..+++ ......................................+++ e is 65537 (0x10001) Enter pass phrase: # 输入密码 Verifying - Enter pass phrase: 2) 移除passphrase [root@srv2 certs]# openssl rsa -in server.key -out server.key Enter pass phrase for server.key: writing RSA key 3) 生成csr [root@srv2 certs]# make server.csr umask 77 ; \ /usr/bin/openssl req -utf8 -new -key server.key -out server.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]: CN State or Province Name (full name) []: BeiJing Locality Name (eg, city) [Default City]: BeiJing Organization Name (eg, company) [Default Company Ltd]: 1000cc.net Organizational Unit Name (eg, section) []: tech Common Name (eg, your name or your server's hostname) []: srv2.1000cc.net Email Address []:回车 Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:回车 An optional company name []:回车 4) 生成证书 [root@srv2 certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365 Signature ok subject=/C=CN/ST=BeiJing/L=BeiJing/O=1000cc.net/OU=tech/CN=srv2.1000cc.net Getting Private key [root@srv2 certs]# cd 5) 配置Apache SSL功能 [root@srv2 ~]# yum install httpd mod_ssl -y [root@srv2 ~]# vim /etc/httpd/conf.d/ssl.conf # 取消59-60行注释，并修改为如下内容 DocumentRoot "/var/www/html" ServerName srv2.1000cc.net:443 # 修改75行为如下内容 SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 # 修改100,107,116三行，并取消注释。修改为如下内容 SSLCertificateFile /etc/pki/tls/certs/server.crt SSLCertificateKeyFile /etc/pki/tls/certs/server.key SSLCertificateChainFile /etc/pki/tls/certs/server.crt 6) 配置http自动转为https功能 [root@srv2 ~]# vim /etc/httpd/conf.d/vhost.conf <VirtualHost *:80> DocumentRoot /var/www/html ServerName srv2.1000cc.net RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] </VirtualHost> [root@srv2 ~]# echo "Hello 1000cc.net" > /var/www/html/index.html [root@srv2 ~]# systemctl enable --now httpd 7) 配置防火墙规则 [root@srv2 ~]# firewall-cmd --add-service=https --permanent success [root@srv2 ~]# firewall-cmd --reload success 8) 测试https [浏览器]==>http://srv2.1000cc.net===>自动转为===>https://srv2.1000cc.net

7.3.3 完成LDAP验证

1) 安装LDAP模块 [root@srv2 ~]# yum install -y mod_ldap 2) 配置ldapauth.conf [root@srv2 ~]# vim /etc/httpd/conf.d/ldap4auth.conf <Directory /var/www/html/ldapauth> SSLRequireSSL AuthName "LDAP Auth From 1000cc.net" AuthType Basic AuthBasicProvider ldap AuthLDAPURL ldap://ldapsrv.1000cc.net/dc=1000cc,dc=net?uid?sub?(objectClass=*) Require ldap-filter objectClass=posixAccount </Directory> 3) 建立测试页 [root@srv2 ~]# mkdir /var/www/html/ldapauth [root@srv2 ~]# vim /var/www/html/ldapauth/index.html <html> <body> <div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;"> Test Page for LDAP Auth </div> <body> </html> 4) 重启Apache服务 [root@srv2 ~]# systemctl restart httpd 5) 客户端测试 [浏览器]===>http://srv2.1000cc.net/ldapauth

7.4 实现kerberos认证

7.4.1 安装kerberos工具

1) 确认NTP同步 2) 确认能够成功解析srv1.1000cc.net及client.1000cc.net的FQDN解析 3) 安装Kerberos服务端工具 [root@srv1 ~]# yum install krb5-server krb5-libs -y

7.4.2 配置Krb服务端

1) 配置kdc [root@srv1 ~]# vim /var/kerberos/krb5kdc/kdc.conf # 将EXMAPLE.COM改为你定义的域名(一定要大写) [kdcdefaults] kdc_ports = 88 kdc_tcp_ports = 88 [realms] 1000CC.NET = { #master_key_type = aes256-cts acl_file = /var/kerberos/krb5kdc/kadm5.acl dict_file = /usr/share/dict/words admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal } 2) 配置acl文件，授权账户对指定域控制 [root@srv1 ~]# vim /var/kerberos/krb5kdc/kadm5.acl 将EXMAPLE.COM改为你定义的域名(一定要大写) */admin@1000CC.NET * 3) 配置krb5文件 [root@srv1 ~]# vim /etc/krb5.conf 将EXMAPLE.COM改为你定义的域名(一定要大写),将kerberos.exmaple.com改为你的krbsrv的(一定要小写)FQDN # Configuration snippets may be placed in this directory as well includedir /etc/krb5.conf.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt default_realm = 1000CC.NET default_ccache_name = KEYRING:persistent:%{uid} [realms] 1000CC.NET = { kdc = srv1.1000cc.net admin_server = srv1.1000cc.net } [domain_realm] .1000cc.net = 1000CC.NET 1000cc.net = 1000CC.NET 4) 生成kerberos数据库(注意大写域名) [root@srv1 ~]# kdb5_util create -s -r 1000CC.NET Loading random data Initializing database '/var/kerberos/krb5kdc/principal' for realm '1000CC.NET', master key name 'K/M@1000CC.NET' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: # 定义密码 Re-enter KDC database master key to verify: 5) 确认数据库生成成功 [root@srv1 ~]# ls -l /var/kerberos/krb5kdc/ total 24 -rw------- 1 root root 21 Feb 22 01:00 kadm5.acl -rw------- 1 root root 450 Feb 22 00:58 kdc.conf -rw------- 1 root root 8192 Feb 22 01:05 principal -rw------- 1 root root 8192 Feb 22 01:05 principal.kadm5 -rw------- 1 root root 0 Feb 22 01:05 principal.kadm5.lock -rw------- 1 root root 0 Feb 22 01:05 principal.ok 6) 启动kerberos服务 [root@srv1 ~]# systemctl enable --now krb5kdc kadmin 7) 创建一个本地账户 [root@srv1 ~]# useradd snow [root@srv1 ~]# passwd snow Changing password for user snow. New password: # 密码为123456 BAD PASSWORD: The password is shorter than 8 characters Retype new password: passwd: all authentication tokens updated successfully. 8) 添加一个kerberos管理员账户，便于远程连接 [root@srv1 ~]# kadmin.local Authenticating as principal root/admin@1000CC.NET with password. kadmin.local: addprinc root/admin Enter password for principal "root/admin@1000CC.NET": # 定义管理员密码 Re-enter password for principal "root/admin@1000CC.NET": Principal "root/admin@1000CC.NET" created. 9) 添加一个kerberos普通账户，便于远程连接 kadmin.local: addprinc snow Enter password for principal "snow@1000CC.NET": # 密码为654321 Re-enter password for principal "snow@1000CC.NET": Principal "snow@1000CC.NET" created. 10) 添加主机至kerberos数据库中 kadmin.local: addprinc -randkey host/srv1.1000cc.net Principal "host/srv1.1000cc.net@1000CC.NET" created. kadmin.local: addprinc -randkey host/srv2.1000cc.net Principal "host/client.1000cc.net@1000CC.NET" created. 11) 创建srv1.1000cc.net的秘钥 kadmin.local: ktadd host/srv1.1000cc.net Entry for principal host/srv1.1000cc.net with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/srv1.1000cc.net with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/srv1.1000cc.net with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/srv1.1000cc.net with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab. Entry for principal host/srv1.1000cc.net with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab. Entry for principal host/srv1.1000cc.net with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab. Entry for principal host/srv1.1000cc.net with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/srv1.1000cc.net with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab. kadmin.local: quit

7.4.3 在srv2上配置SSL并实现https

1) 创建key [root@srv2 ~]# cd /etc/pki/tls/certs [root@srv2 certs]# make server.key umask 77 ; \ /usr/bin/openssl genrsa -aes128 2048 > server.key Generating RSA private key, 2048 bit long modulus ..+++ ......................................+++ e is 65537 (0x10001) Enter pass phrase: # 输入密码 Verifying - Enter pass phrase: 2) 移除passphrase [root@srv2 certs]# openssl rsa -in server.key -out server.key Enter pass phrase for server.key: writing RSA key 3) 生成csr [root@srv2 certs]# make server.csr umask 77 ; \ /usr/bin/openssl req -utf8 -new -key server.key -out server.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]: CN State or Province Name (full name) []: BeiJing Locality Name (eg, city) [Default City]: BeiJing Organization Name (eg, company) [Default Company Ltd]: 1000cc.net Organizational Unit Name (eg, section) []: tech Common Name (eg, your name or your server's hostname) []: srv2.1000cc.net Email Address []:回车 Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:回车 An optional company name []:回车 4) 生成证书 [root@srv2 certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365 Signature ok subject=/C=CN/ST=BeiJing/L=BeiJing/O=1000cc.net/OU=tech/CN=srv2.1000cc.net Getting Private key [root@srv2 certs]# cd 5) 配置Apache SSL功能 [root@srv2 ~]# yum install httpd mod_ssl -y [root@srv2 ~]# vim /etc/httpd/conf.d/ssl.conf # 取消59-60行注释，并修改为如下内容 DocumentRoot "/var/www/html" ServerName srv2.1000cc.net:443 # 修改75行为如下内容 SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 # 修改100,107,116三行，并取消注释。修改为如下内容 SSLCertificateFile /etc/pki/tls/certs/server.crt SSLCertificateKeyFile /etc/pki/tls/certs/server.key SSLCertificateChainFile /etc/pki/tls/certs/server.crt 6) 配置http自动转为https功能 [root@srv2 ~]# vim /etc/httpd/conf.d/vhost.conf <VirtualHost *:80> DocumentRoot /var/www/html ServerName srv2.1000cc.net RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] </VirtualHost> [root@srv2 ~]# echo "Hello 1000cc.net" > /var/www/html/index.html [root@srv2 ~]# systemctl enable --now httpd 7) 配置防火墙规则 [root@srv2 ~]# firewall-cmd --add-service=https --permanent success [root@srv2 ~]# firewall-cmd --reload success 8) 测试https [浏览器]==>http://srv2.1000cc.net===>自动转为===>https://srv2.1000cc.net

7.4.4 实现kerberos验证

1) 安装kerberos验证模块 [root@srv2 ~]# yum install mod_auth_kerb -y 2) 配置krb5 [root@srv2 ~]# vim /etc/krb5.conf # 将EXAMPLE.COM改为1000CC.NET(注意大写) # 将example.com改为1000cc.net(注意小写) # Configuration snippets may be placed in this directory as well includedir /etc/krb5.conf.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt default_realm = 1000CC.NET default_ccache_name = KEYRING:persistent:%{uid} [realms] 1000CC.NET = { kdc = srv1.1000cc.net # 定义kerberos server的信息 admin_server = srv1.1000cc.net # 定义kerberos server的信息 } [domain_realm] .1000cc.net = 1000CC.NET 1000cc.net = 1000CC.NET 3) 生成krb5.keytab [root@srv2 ~]# echo "HTTP/srv2.1000cc.net@1000CC.NET" > /etc/httpd/conf.d/krb5.keytab 4) 创建krb5认证区域 [root@srv2 ~]# vim /etc/httpd/conf.d/auth_kerberos.conf <Directory /var/www/html> SSLRequireSSL AuthType Kerberos AuthName "Kerberos Authntication" KrbAuthRealms 1000CC.NET Krb5Keytab /etc/httpd/conf.d/krb5.keytab KrbMethodNegotiate Off KrbSaveCredentials Off KrbVerifyKDC Off Require valid-user </Directory> [root@srv2 ~]# systemctl restart httpd 5) 客户端测试 [浏览器]==>http://srv2.1000cc.net

8.1 生成SSL证书

1) 生成SSL证书 # 生成私钥并脱密 [root@web1 ~]# cd /etc/pki/tls/certs [root@web1 ~]# openssl genrsa -des3 -out web.key 1024 Generating RSA private key, 1024 bit long modulus ......................................++++++ ..................................++++++ e is 65537 (0x10001) Enter pass phrase for web.key: # 输入密码 Verifying - Enter pass phrase for web.key: # 验证所输入的密码 [root@srv1 ~]# openssl rsa -in web.key -out web.key Enter pass phrase for web.key: # 输入刚才所设定的密码,脱密 writing RSA key [root@srv1 ~]# chmod 400 web.key # 生成证书 [root@srv1 ~]# openssl req -new -x509 -days 3650 -key web.key -out web.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:BeiJing Locality Name (eg, city) [Default City]:BeiJing Organization Name (eg, company) [Default Company Ltd]:1000cc Organizational Unit Name (eg, section) []:tech Common Name (eg, your name or your server's hostname) []:srv1.1000cc.net Email Address []:

8.2 配置SSL

# 安装Apache的ssl模块 [root@web1 ~]# yum install mod_ssl -y # 配置ssl [root@web1 ~]# vim /etc/httpd/conf.d/ssl.conf # 取消59行'#'符 DocumentRoot "/var/www/html” # 取消60行'#'符 ServerName web1.1000cc.net:443 # 于100行,设定证书所在路径及证书文件名 SSLCertificateFile /etc/pki/tls/certs/web.crt # 于107行,设定key所在路径及key文件名 SSLCertificateKeyFile /etc/pki/tls/certs/web.key [root@web1 ~]# echo "web1.1000cc.net" > /var/www/html/index.html [root@web1 ~]# systemctl restart httpd

8.3 客户端测试

[root@web1 ~]# lynx https://192.168.188.11 # lynx将提示以下信息,此信息主要因为是自行设定的证书，未经过CA认证 SSL error:self signed certificate-Continue? (y) y SSL error:host(192.168.188.11)!=cert(CN)-Continue? (y)y ----Lynx 显示内容---- web1.1000cc.net

8.4 http自动跳转至https

[root@web1 ~]# vim /etc/httpd/conf.d/vhost.conf <VirtualHost *:80> DocumentRoot /var/www/html ServerName www.1000y.cloud RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] </VirtualHost> # 客户端访问测试---确认跳转至htts [root@web1 ~]# lynx http://192.168.188.11

8.5 使用免费的SSL证书---可用于互联网

1) 拥有一个已经注册好的WEB Site并具备相关的DNS解析 2) 安装certbot至https://letsencrypt.org/生成新的SSL域名[证书生命周期为30天] [root@web1 ~]# yum --enablerepo=epel -y install certbot 3) 为WEB Site申请证书 [root@web1 ~]# certbot certonly --webroot -w /var/www/html -d www.1000cc.net.cn Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): snow@mail.1000cc.net.cn Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org ------------------------------------------------------------------------------- Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory ------------------------------------------------------------------------------- (A)gree/(C)ancel: A ------------------------------------------------------------------------------- Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights. ------------------------------------------------------------------------------- (Y)es/(N)o: Y Starting new HTTPS connection (1): supporters.eff.org Obtaining a new certificate Performing the following challenges: http-01 challenge for www.1000cc.net.cn Using the webroot path /var/www/html for all unmatched domains. Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/www.1000cc.net.cn/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/www.1000cc.net.cn/privkey.pem Your cert will expire on 2020-04-06. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le [root@web1 ~]# ls /etc/letsencrypt/live/www.1000cc.net.cn/ cert.pem chain.pem fullchain.pem privkey.pem README 4) 为其他服务申请证书----以MAIL Server为例 [root@web1 ~]# certbot certonly --standalone -d mail.1000cc.net.cn Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator standalone, Installer None Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org Obtaining a new certificate Performing the following challenges: http-01 challenge for mail.1000cc.net.cn Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/mail.1000cc.net.cn/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/mail.1000cc.net.cn/privkey.pem Your cert will expire on 2020-04-06. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le 5) 证书续租 [root@web1 ~]# certbot renew 或 [root@web1 ~]# crontab -l 0 0 */29 * * /usr/bin/certbot renew 6) 转换windows的证书格式 [root@web1 ~]# openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out qyy_for_iis.pfx Enter Export Password: Verifying - Enter Export Password:

8.6 多虚拟主机多SSL证书配置方法[由http自动跳转至https]

1) 生成多个ssl证书 2) 安装完成ssl模块 3) 配置第1个虚拟主机---1000cc.conf [root@web1 conf.d]# pwd /etc/httpd/conf.d [root@web1 conf.d]# vim 1000cc.conf <Directory /website/1000cc> Require all granted AllowOverride None </Directory> <Directory /website/1000cc> AuthType Basic AuthName "Basic Authentication from 1000cc.net" AuthUserFile /etc/httpd/conf/1000cc require valid-user </Directory> <VirtualHost www.1000cc.net.cn:80> DocumentRoot "/website/1000cc" ServerName www.1000cc.net.cn ServerAdmin root@localhost RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] </VirtualHost> <VirtualHost www.1000cc.net.cn:443> DocumentRoot "/website/1000cc" ServerName www.1000cc.net.cn ServerAdmin root@localhost SSLEngine on SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA SSLCertificateFile /etc/letsencrypt/live/www.1000cc.net.cn/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/www.1000cc.net.cn/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/www.1000cc.net.cn/chain.pem </VirtualHost> 4) 配置第2个虚拟主机---1000y.conf [root@web1 conf.d]# vim 1000y.conf <Directory /website/1000y> Require all granted AllowOverride None </Directory> <Directory /website/1000y> AuthType Basic AuthName "Basic Authentication from 1000y.cloud" AuthUserFile /etc/httpd/conf/1000y require valid-user </Directory> <VirtualHost www.1000y.cloud:80> DocumentRoot "/website/1000y" ServerName www.1000y.cloud ServerAdmin root@localhost RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] </VirtualHost> <VirtualHost www.1000y.cloud:443> DocumentRoot "/website/1000y" ServerName www.1000y.cloud ServerAdmin root@localhost SSLEngine on SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA SSLCertificateFile /etc/letsencrypt/live/www.1000y.cloud/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/www.1000y.cloud/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/www.1000y.cloud/chain.pem </VirtualHost> [root@web1 conf.d]# systemctl restart httpd 5) 创建验证文件1000cc及10000y [root@web1 conf.d]# htpasswd -c /etc/httpd/conf/1000cc lisa New password: Re-type new password: Adding password for user lisa [root@web1 conf.d]# htpasswd -c /etc/httpd/conf/1000y snow New password: Re-type new password: Adding password for user snow 6) 客户端访问测试并确认跳转至htts [root@client ~]# lynx www.1000cc.net.cn [root@client ~]# lynx www.1000y.cloud

1) 创建SSL所需的证书(详见HTTP+SSL) 2) 创建一个目录作为webdav [root@web1 ~]# mkdir /mnt/webdav [root@web1 ~]# chown apache. /mnt/webdav [root@web1 ~]# chmod 770 /mnt/webdav 3) 编写webdav配置文件 [root@web1 ~]# vim /etc/httpd/conf.d/webdav.conf DavLockDB "/tmp/DavLock" Alias /webdav /mnt/webdav <Location /webdav> DAV On SSLRequireSSL Options None AuthType Basic AuthName WebDAV AuthUserFile /etc/httpd/conf/htpasswd <RequireAny> Require method GET POST OPTIONS Require valid-user </RequireAny> </Location> 4) 重启Apache服务 [root@web1 ~]# systemctl restart httpd 5) 客户端测试 [root@web1 ~]# yum install --enablerepo=epel davfs2 -y [root@web1 ~]# mount.davfs https://192.168.188.11/webdav /mnt/webdav Please enter the username to authenticate with server https://192.168.188.11/webdav or hit enter for none. Username: lisa # 输入htpasswd所设定的账户 Please enter the password to authenticate user lisa with server https://192.168.188.11/webdav or hit enter for none. Password: # 输入htpasswd所设定的账户密码 mount.davfs: the server certificate does not match the server name mount.davfs: the server certificate is not trusted issuer: tech, 1000cc, BeiJing, BeiJing, CN subject: tech, 1000cc, BeiJing, BeiJing, CN identity: web1.1000cc.net fingerprint: 62:a3:46:e2:42:ba:91:5d:04:d5:28:69:19:8e:c1:6d:64:09:45:ca You only should accept this certificate, if you can verify the fingerprint! The server might be faked or there might be a man-in-the-middle-attack. Accept certificate for this session? [y,N] y mount.davfs: Warning: can't write entry into mtab, but will mount the file system anyway [root@web1 ~]# df -Th | grep https # 验证 https://192.168.188.11/webdav fuse 26G 13G 13G 50% /mnt/webdav

12.1 拓扑

|---------------| |--------------------| |--------------| | Web Client | ------> | Web Reverse Proxy | ------> | Web Server | |---------------| |--------------------| |--------------|

12.2 反向代理实现

1) 安装httpd [root@webproxy2 ~]# yum install httpd 2) 确认proxy模块存在 [root@webproxy2 ~]# grep "mod_proxy" /etc/httpd/conf.modules.d/00-proxy.conf 3) 编写反向代理配置文件 [root@webproxy2 ~]# vim /etc/httpd/conf.d/reverse_proxy.conf <IfModule mod_proxy.c> ProxyRequests Off <Proxy *> Require all granted </Proxy> ProxyPass / http://web1.1000cc.net/ # 指定后端的web server ProxyPassReverse / http://web1.1000cc.net/ </IfModule> 4) 启动Apache服务 [root@webproxy2 ~]# systemctl enable --now httpd 5) 安装httpd并启动 [root@websrv ~]# yum install -y httpd [root@websrv ~]# systemctl enable --now httpd [root@websrv ~]# echo "websrv site" > /var/www/html/index.html 6) 客户端访问 [root@webclient ~]# lynx webproxy2.1000cc.net # 客户端访问代理服务器 # 显示结果为websrv的内容信息 websrv site

13.1 拓扑

|--------------| |--> | Web Server1 | | |--------------| |---------------| |--------------------| | |--------------| | Web Client | ------> | Web Reverse Proxy |----->| Web Server2 | |---------------| |--------------------| | |--------------| | |--------------| |--> | Web Server3 | |--------------|

13.2 为三台web srv搭建httpd服务

1) 安装httpd服务 [root@websrv1 ~]# yum install -y httpd [root@websrv2 ~]# yum install -y httpd [root@websrv3 ~]# yum install -y httpd 2) 启动httpd服务 [root@websrv1 ~]# systemctl enable --now httpd [root@websrv2 ~]# systemctl enable --now httpd [root@websrv3 ~]# systemctl enable --now httpd 3) 创建index.html [root@websrv1 ~]# echo "websrv1" > /var/www/html/index.html [root@websrv2 ~]# echo "websrv2" > /var/www/html/index.html [root@websrv3 ~]# echo "websrv3" > /var/www/html/index.html

13.3 配置负载服务器

1) 安装httpd [root@webproxy3 ~]# yum install httpd 3) 确认proxy模块存在 [root@webproxy3 ~]# grep "mod_prox" /etc/httpd/conf.modules.d/00-proxy.conf 3) 配置负载均衡及故障切换功能 [root@webproxy3 ~]# vim /etc/httpd/conf.d/1000cc-proxy.conf <IfModule mod_proxy.c> ProxyRequests Off <Proxy *> Require all granted </Proxy> ProxyPass / balancer://1000cc stickysession=JSESSIONID nofailover=Off <proxy balancer://1000cc> # 设定1000cc集群组成员,并设定权重 BalancerMember http://websrv1.1000cc.net/ loadfactor=1 BalancerMember http://websrv2.1000cc.net/ loadfactor=1 BalancerMember http://websrv3.1000cc.net/ loadfactor=1 ProxySet lbmethod=bybusyness # 算法为byrequests </proxy> </IfModule> # 如果打算代理至后端节点的二级目录，可按以下内容建立配置 [root@webproxy3 ~]# vim /etc/httpd/conf.d/1000y-proxy.conf <IfModule mod_proxy.c> ProxyRequests Off <Proxy *> Require all granted </Proxy> ProxyPass / balancer://1000y stickysession=JSESSIONID nofailover=Off <proxy balancer://1000y> # 指定将请求反代给后端的指定的FQDN下在web资源目录, 如[http://fqdn/web] BalancerMember http://srv4.1000y.cloud/web loadfactor=1 BalancerMember http://srv2.1000y.cloud/web loadfactor=1 BalancerMember http://srv3.1000y.cloud/web loadfactor=1 ProxySet lbmethod=bybusyness </proxy> </IfModule> 4) 启动Apache [root@webprox3 ~]# systemctl enable --now httpd

13.4 客户端测试

1) 测试负载均衡功能 [root@client ~]# lynx webproxy3.1000cc.net websrv1.1000cc.net # 第1次显示的信息内容 [root@client ~]# lynx webproxy3.1000cc.net websrv2.1000cc.net # 第2次显示的信息内容 [root@client ~]# lynx webproxy3.1000cc.net websrv3.1000cc.net # 第3次显示的信息内容 2) 测试故障切换 [root@websrv1 ~]# systemctl stop httpd [root@client ~]# lynx webproxy3.1000cc.net websrv2.1000cc.net # 第1次显示的信息内容 [root@client ~]# lynx webproxy3.1000cc.net websrv3.1000cc.net # 第2次显示的信息内容 [root@client ~]# lynx webproxy3.1000cc.net websrv2.1000cc.net # 第3次显示的信息内容,自动不显示websrv1的内容 3) 恢复故障节点 [root@websrv1 ~]# systemctl start httpd [root@client ~]# lynx webproxy3.1000cc.net websrv1.1000cc.net # 第1次显示的信息内容 [root@client ~]# lynx webproxy3.1000cc.net websrv2.1000cc.net # 第2次显示的信息内容 [root@client ~]# lynx webproxy3.1000cc.net websrv3.1000cc.net # 第3次显示的信息内容,所有调度恢复正常

15.1 AWstats

1) 安装AWstats [root@srv1 ~]# yum --enablerepo=epel install httpd awstats -y 2) 配置AWstats awstats.srv1.1000cc.net.conf是自动生成的 [root@srv1 ~]# vim /etc/awstats/awstats.srv1.1000cc.net.conf # 确认125行.如果apache日志为combined则无需改动。如果为common则改为4 LogFormat=1 # 确认156行.确认FQDN SiteDomain="srv1.1000cc.net" # 确认171行.设置要排除的访问地址 HostAliases="REGEX[^.*srv1\.1000cc\.net$] REGEX[^192\.168\.10\.]" [root@srv1 ~]# vim /etc/httpd/conf.d/awstats.conf # 在30行添加如下信息 Require ip 192.168.10.0/24 [root@srv1 ~]# /usr/share/awstats/wwwroot/cgi-bin/awstats.pl -config=srv1.1000cc.net -update [root@srv1 ~]# systemctl enable --now httpd 2) 访问awstats [浏览器]====>http://srv1.1000cc.net/awstats/awstats.pl

15.2 Matomo

1) 安装httpd及php环境 [root@srv1 ~]# yum install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm -y [root@srv1 ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/remi-safe.repo [root@srv1 ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/remi-safe.repo [root@srv1 ~]# yum --enablerepo=remi-safe install php71 php71-php-pear php71-php-mbstring -y [root@srv1 ~]# scl enable php71 bash [root@srv1 ~]# php -v PHP 7.1.33 (cli) (built: Feb 18 2020 07:13:50) ( NTS ) Copyright (c) 1997-2018 The PHP Group Zend Engine v3.1.0, Copyright (c) 1998-2018 Zend Technologies [root@srv1 ~]# vim /etc/profile.d/php71.sh #!/bin/bash source /opt/remi/php71/enable export X_SCLS="`scl enable php71 'echo $X_SCLS'`" [root@srv1 ~]# yum --enablerepo=remi-safe install php71-php httpd -y # 如果存在10-php.conf请移除 [root@srv1 ~]# mv /etc/httpd/conf.modules.d/10-php.conf /etc/httpd/conf.modules.d/10-php.conf.bak [root@srv1 ~]# systemctl enable --now httpd [root@srv1 ~]# echo '<?php phpinfo(); ?>' > /var/www/html/info.php [root@srv1 ~]# curl http://localhost/info.php | grep 'PHP Version' | tail -1 | sed -e 's/<[^>]*>//g' % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 68870 0 68870 0 0 2882k 0 --:--:-- --:--:-- --:--:-- 2924k PHP Version 7.1.33 2) 安装MariaDB (1) 安装MariaDB [root@srv1 ~]# yum install mariadb-server -y [root@srv1 ~]# vim /etc/my.cnf # 于[mysqld]最尾部追加如下内容: character-set-server=utf8 [root@srv1 ~]# systemctl enable --now mariadb (2) 初始化MariaDB [root@srv1 ~]# mysql_secure_installation NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY! In order to log into MariaDB to secure it, we'll need the current password for the root user. If you've just installed MariaDB, and you haven't set the root password yet, the password will be blank, so you should just press enter here. Enter current password for root (enter for none): # enter OK, successfully used password, moving on... Setting the root password ensures that nobody can log into the MariaDB root user without the proper authorisation. Set root password? [Y/n] y # 设置root密码 New password: Re-enter new password: Password updated successfully! Reloading privilege tables.. ... Success! By default, a MariaDB installation has an anonymous user, allowing anyone to log into MariaDB without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. Remove anonymous users? [Y/n] y # 移除anonymous账户 ... Success! Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. Disallow root login remotely? [Y/n] y # 禁用root远程登录 ... Success! By default, MariaDB comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. Remove test database and access to it? [Y/n] y # 移除test数据库 - Dropping test database... ... Success! - Removing privileges on test database... ... Success! Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? [Y/n] y # 重新加载privilege ... Success! Cleaning up... All done! If you've completed all of the above steps, your MariaDB installation should now be secure. Thanks for using MariaDB! (3) 测试MariaDB连接 [root@srv1 ~]# mysql -u root -p Enter password: # 输入密码 Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 16 Server version: 10.1.20-MariaDB MariaDB Server Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> select user,host,password from mysql.user; +------+-----------+-------------------------------------------+ | user | host | password | +------+-----------+-------------------------------------------+ | root | localhost | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | | root | 127.0.0.1 | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | | root | ::1 | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | +------+-----------+-------------------------------------------+ 3 rows in set (0.00 sec) MariaDB [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | mysql | | performance_schema | +--------------------+ 3 rows in set (0.00 sec) MariaDB [(none)]> exit Bye [root@srv1 ~]# (4) 防火墙规则设定 [root@srv1 ~]# firewall-cmd --add-service=mysql --permanent success [root@srv1 ~]# firewall-cmd --reload success 3) 创建Matomo数据库 [root@srv1 ~]# mysql -u root -p Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 17 Server version: 10.1.20-MariaDB MariaDB Server Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> create database matomo; Query OK, 1 row affected (0.00 sec) MariaDB [(none)]> grant all privileges on matomo.* to matomo@'localhost' identified by 'password'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> grant all privileges on matomo.* to matomo@'%' identified by 'password'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> flush privileges; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> exit Bye 4) 安装matomo [root@srv1 ~]# yum --enablerepo=remi-safe install php71-php-mysqlnd php71-php-pdo php71-php-gd php71-php-xml -y [root@srv1 ~]# vim /etc/opt/remi/php71/php.ini # 在389行，更改内存限制 memory_limit = 512M # 在最后追加如下内容 extension=/opt/remi/php71/root/usr/lib64/php/modules/mysqli.so extension=/opt/remi/php71/root/usr/lib64/php/modules/pdo_mysql.so extension=/opt/remi/php71/root/usr/lib64/php/modules/pdo.so [root@srv1 ~]# wget http://builds.matomo.org/matomo.zip -P /var/www/html [root@srv1 ~]# unzip /var/www/html/matomo.zip -d /var/www/html [root@srv1 ~]# chown -R apache. /var/www/html/matomo/tmp [root@srv1 ~]# chown -R apache. /var/www/html/matomo/config [root@srv1 ~]# chmod +w /var/www/html/matomo/matomo.js [root@srv1 ~]# chown apache. /var/www/html/matomo/matomo.js 5) SELinux设定 [root@srv1 ~]# setsebool -P httpd_can_network_connect_db on [root@srv1 ~]# chcon -R -t httpd_sys_rw_content_t /var/www/html/piwik/tmp [root@srv1 ~]# chcon -R -t httpd_sys_rw_content_t /var/www/html/piwik/config [root@srv1 ~]# semanage fcontext -a -t httpd_sys_rw_content_t /var/www/html/piwik/tmp [root@srv1 ~]# semanage fcontext -a -t httpd_sys_rw_content_t /var/www/html/piwik/config 6) 生成https (1) 创建key [root@srv1 ~]# cd /etc/pki/tls/certs [root@srv1 certs]# make server.key umask 77 ; \ /usr/bin/openssl genrsa -aes128 2048 > server.key Generating RSA private key, 2048 bit long modulus ..+++ ......................................+++ e is 65537 (0x10001) Enter pass phrase: # 输入密码 Verifying - Enter pass phrase: (2) 移除passphrase [root@srv1 certs]# openssl rsa -in server.key -out server.key Enter pass phrase for server.key: writing RSA key (3) 生成csr [root@srv1 certs]# make server.csr umask 77 ; \ /usr/bin/openssl req -utf8 -new -key server.key -out server.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]: CN State or Province Name (full name) []: BeiJing Locality Name (eg, city) [Default City]: BeiJing Organization Name (eg, company) [Default Company Ltd]: 1000cc.net Organizational Unit Name (eg, section) []: tech Common Name (eg, your name or your server's hostname) []: srv1.1000cc.net Email Address []:# 回车 Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:# 回车 An optional company name []:# 回车 (4) 生成证书 [root@srv1 certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365 Signature ok subject=/C=CN/ST=BeiJing/L=BeiJing/O=1000cc.net/OU=tech/CN=srv2.1000cc.net Getting Private key [root@srv1 certs]# cd (5) 配置Apache SSL功能 [root@srv1 ~]# yum install mod_ssl -y [root@srv1 ~]# vim /etc/httpd/conf.d/ssl.conf # 取消59-60行注释，并修改为如下内容 DocumentRoot "/var/www/html" ServerName srv1.1000cc.net:443 # 修改75行为如下内容 SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 # 修改100,107,116三行，并取消注释。修改为如下内容 SSLCertificateFile /etc/pki/tls/certs/server.crt SSLCertificateKeyFile /etc/pki/tls/certs/server.key SSLCertificateChainFile /etc/pki/tls/certs/server.crt (6) 配置http自动转为https功能 [root@srv2 ~]# vim /etc/httpd/conf.d/vhost.conf <VirtualHost *:80> DocumentRoot /var/www/html ServerName srv1.1000cc.net RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] </VirtualHost> [root@srv1 ~]# systemctl restart httpd (7) 配置防火墙规则 [root@srv2 ~]# firewall-cmd --add-service=https --permanent success [root@srv2 ~]# firewall-cmd --reload success 7) 配置Piwik [浏览器]===>http://srv1.1000cc.net/matomo # 追踪代码需要加入至网页中，便于matomo统计数据 # 因没有支撑的站点,所以暂时无法收取数据 8) 编写页面用以生成访问数据 (1) 编辑页面并加入matomo的代码 [root@srv1 ~]# rm -rf /var/www/html/info.php # 生成一个页面，并将matomo的js代码加入至此页面 [root@srv1 ~]# vim /var/www/html/index.html <html> <body> <div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;"> Welcome to 1000cc.net </div> # 将matoom的代码插入至此处 <!-- Matomo --> <script type="text/javascript"> var _paq = window._paq || []; /* tracker methods like "setCustomDimension" should be called before "trackPageView" */ _paq.push(['trackPageView']); _paq.push(['enableLinkTracking']); (function() { var u="//srv1.1000cc.net/matomo/"; _paq.push(['setTrackerUrl', u+'matomo.php']); _paq.push(['setSiteId', '1']); var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0]; g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s); })(); </script> <!-- End Matomo Code --> </body> </html> (2) 用浏览器访问几次网站 [浏览器]===>http://srv1.1000cc.net (3) 刷新matomo监控页面

16.1 安装PHP

1) 安装httpd及php环境 [root@srv1 ~]# yum install httpd php php-mbstring php-pear -y [root@srv1 ~]# vim /etc/php.ini # 修改878行,更改时区 date.timezone = "Asia/Shanghai" [root@srv1 ~]# systemctl enable --now httpd

16.2 安装MariaDB

1) 安装MariaDB v10.2并加载环境 [root@srv1 ~]# yum install mariadb-server -y [root@srv1 ~]# vim /etc/my.cnf # 于[mysqld]最尾部追加如下内容: character-set-server=utf8 [root@srv1 ~]# systemctl enable --now mariadb 2) 初始化MariaDB v10.2 [root@srv1 ~]# mysql_secure_installation NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY! In order to log into MariaDB to secure it, we'll need the current password for the root user. If you've just installed MariaDB, and you haven't set the root password yet, the password will be blank, so you should just press enter here. Enter current password for root (enter for none): # enter OK, successfully used password, moving on... Setting the root password ensures that nobody can log into the MariaDB root user without the proper authorisation. Set root password? [Y/n] y # 设置root密码 New password: Re-enter new password: Password updated successfully! Reloading privilege tables.. ... Success! By default, a MariaDB installation has an anonymous user, allowing anyone to log into MariaDB without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. Remove anonymous users? [Y/n] y # 移除anonymous账户 ... Success! Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. Disallow root login remotely? [Y/n] y # 禁用root远程登录 ... Success! By default, MariaDB comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. Remove test database and access to it? [Y/n] y # 移除test数据库 - Dropping test database... ... Success! - Removing privileges on test database... ... Success! Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? [Y/n] y # 重新加载privilege ... Success! Cleaning up... All done! If you've completed all of the above steps, your MariaDB installation should now be secure. Thanks for using MariaDB! 3) 测试MariaDB连接 [root@srv1 ~]# mysql -u root -p Enter password: # =输入密码 Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 16 Server version: 10.1.20-MariaDB MariaDB Server Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> select user,host,password from mysql.user; +------+-----------+-------------------------------------------+ | user | host | password | +------+-----------+-------------------------------------------+ | root | localhost | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | | root | 127.0.0.1 | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | | root | ::1 | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | +------+-----------+-------------------------------------------+ 3 rows in set (0.00 sec) MariaDB [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | mysql | | performance_schema | +--------------------+ 3 rows in set (0.00 sec) MariaDB [(none)]> exit Bye [root@srv1 ~]# 4) 防火墙规则设定 [root@srv1 ~]# firewall-cmd --add-service=mysql --permanent success [root@srv1 ~]# firewall-cmd --reload success

16.3 创建WorkPress数据库

[root@srv1 ~]# mysql -u root -p Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 34 Server version: 10.1.20-MariaDB MariaDB Server Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> create database wordpress; Query OK, 1 row affected (0.00 sec) MariaDB [(none)]> grant all privileges on wordpress.* to wordpress@'localhost' identified by 'password'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> grant all privileges on wordpress.* to wordpress@'%' identified by 'password'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> flush privileges; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> exit Bye<

16.4 安装及配置WorkPress

[root@srv1 ~]# yum --enablerepo=epel install wordpress -y [root@srv1 ~]# vim /etc/wordpress/wp-config.php # 23行,指定wordpress的数据库名 define( 'DB_NAME', 'wordpress' ); # 26行,指定wordpress的数据库的账户名 define( 'DB_USER', 'wordpress' ); # 29行,指定wordpress的数据库的账户密码 define( 'DB_PASSWORD', 'password' ); # 32行,指定wordpress的数据库服务器的IP define( 'DB_HOST', 'localhost' ); [root@srv1 ~]# vim /etc/httpd/conf.d/wordpress.conf # 于第10行(Require local)下，追加如下内容 Require all granted [root@srv1 ~]# systemctl restart httpd

16.5 访问测试

[浏览器]====>http://srv1.1000cc.net/wordpress

16.6 中文汉化

1) 在网络上找wordpress的中文语言包 2) 将中文语言包解压到/usr/share/wordpress/wp-content目录 3) 登录wordpress,进入账户后台

18.1 限速模块

1) 开启限速模块 [root@srv1 ~]# vim /etc/httpd/conf.modules.d/00-base.conf ...... ...... 将72行注释取消 LoadModule ratelimit_module modules/mod_ratelimit.so 2) 设定限速目录 [root@srv1 ~]# vim /etc/httpd/conf.d/ratelimit.conf 设定/download目录限速下载为500KB/sec <IfModule mod_ratelimit.c> <Location /download> SetOutputFilter RATE_LIMIT SetEnv rate-limit 500 </Location> </IfModule> [root@srv1 ~]# systemctl restart httpd

18.2 限制每个IP的并发连接数模块

1) 安装模块 [root@srv1 ~]# yum --enablerepo=epel install mod_limitipconn -y 2) 配置模块 [root@srv1 ~]# vim /etc/httpd/conf.d/limitipconn.conf MaxConnPerIP 0 # 设定/limit目录的最大连接数配定 <Location /qyy> # 设定最大连接数3 MaxConnPerIP 3 # 不应用与text/*类型的文档 NoIPLimit text/* </Location> <Location /1000cc> # 设定最大连接数2 MaxConnPerIP 2 # 应用于application/x-tar类型的文档 OnlyIPLimit application/x-tar </Location> [root@srv1 ~]# systemctl restart httpd 3) 测试 [root@srv1 ~]# sab -n 10 -c 10 http://localhost/qyy/index.html [root@srv1 ~]# sab -n 10 -c 10 http://localhost/qyy/test.png [root@srv1 ~]# sab -n 10 -c 10 http://localhost/1000cc/test.tar

18.3 开启evasive模块抵御DoS攻击

1) 安装evasive模块 [root@srv1 ~]# yum --enablerepo=epel install mod_evasive -y 2) 配置evasive模块 [root@srv1 ~]# vim /etc/httpd/conf.d/mod_evasive.conf # 修改18行,设定对相同页面或URI的请求数的阈值。一旦超过该间隔的阈值，客户端的IP地址将添加到阻止列表中) DOSPageCount 5 # 修改24行,设定同一客户端对对象请求总数的阈值。一旦超过则把客户端IP地址将入至阻止列表 DOSSiteCount 50 # 修改28行,设定页面技术阈值 DOSPageInterval 1 # 修改32行,设定站点技术阈值 DOSPageInterval 1 # 修改41行,客户端被阻止的时间 DOSBlockingPeriod 300 # 修改41行,新加入的阻止列表将通知给定的邮件地址 DOSEmailNotify root@localhost # 修改66行,指定日志目录 DOSLogDir "/var/log/mod_evasive" [root@srv1 ~]# mkdir /var/log/mod_evasive [root@srv1 ~]# chown apache. /var/log/mod_evasive [root@srv1 ~]# systemctl restart httpd 3) 测试evasive模块 [root@srv1 ~]# ab -n 1000 -c 50 http://127.0.0.1/ # 或 [root@srv1 ~]# perl /usr/share/doc/mod_evasive-1.10.1/test.pl HTTP/1.1 200 OK HTTP/1.1 200 OK HTTP/1.1 200 OK HTTP/1.1 200 OK HTTP/1.1 200 OK ..... ..... HTTP/1.1 403 Forbidden # 已经被加入黑名单 HTTP/1.1 403 Forbidden HTTP/1.1 403 Forbidden ..... ..... HTTP/1.1 403 Forbidden 4) 产生日志 [root@srv1 ~]# ll /var/log/mod_evasive total 4 -rw-r--r-- 1 apache apache 4 Feb 23 20:52 dos-127.0.0.1