1)在server上配置一个web站点http://server.example.com;
要求:从http://ldap.example.com/pub/example.html下载文件,并重新命名为index.html,不要修改文件内容。将文件index.html拷贝到您的DocumentRoot目录下;将来自于example.com的客户端可以访问web服务器;来自my133t的客户端的访问会被拒绝
[root@server30 ~]#
[root@server30 ~]#
[root@server30 ~]# ntpdate ldap.example.com
1 Jan 00:00:25 ntpdate[17386]: step time server 172.16.30.254 offset -127583043.347079 sec
[root@server30 ~]# yum install httpd -y //安装httpd软件包
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-17.el7 will be installed
--> Processing Dependency: httpd-tools = 2.4.6-17.el7 for package: httpd-2.4.6-17.el7.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-17.el7.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-17.el7.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-17.el7.x86_64
--> Running transaction check
[root@server30 ~]# cd /var/www/html/
[root@server30 html]# wget -O index.html http://ldap.example.com/pub/example.html //下载网站主页文件
--2015-01-01 00:02:31-- http://ldap.example.com/pub/example.html
Resolving ldap.example.com (ldap.example.com)... 172.16.30.254
Connecting to ldap.example.com (ldap.example.com)|172.16.30.254|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21 [text/html]
Saving to: ‘index.html’
100%[====================================>] 21 --.-K/s in 0s
2015-01-01 00:02:31 (1.43 MB/s) - ‘index.html’ saved [21/21]
[root@server30 html]# ls
index.html
[root@server30 html]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 service name=http accept' --permanent //防火墙上开放http服务
success
[root@server30 html]# firewall-cmd --reload
success
[root@server30 html]#
2)为站点http://server.example.com配置TLS加密;
已签名证书从http://ldap.example.com/pub/server30.crt获取
证书的秘钥从http://ldap.example.com/pub/server30.key获取
证书的签名授权信息从http://ldap.example.com/pub/group30.crt获取
[root@server30 html]# yum list all | grep mod_ssl
mod_ssl.x86_64 1:2.4.6-17.el7 base
[root@server30 html]# yum install mod_ssl* -y //安装ssl的软件包
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.4.6-17.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==============================================================================
Package Arch Version Repository Size
==============================================================================
[root@server30 html]# cd /etc/httpd/
[root@server30 httpd]# ls
conf conf.d conf.modules.d logs modules run
[root@server30 httpd]# cd conf.d/
[root@server30 conf.d]# ll
total 28
-rw-r--r--. 1 root root 2893 Mar 20 2014 autoindex.conf
-rw-r--r--. 1 root root 366 Mar 20 2014 README
-rw-r--r--. 1 root root 9426 Mar 20 2014 ssl.conf
-rw-r--r--. 1 root root 1252 Mar 20 2014 userdir.conf
-rw-r--r--. 1 root root 516 Mar 20 2014 welcome.conf
[root@server30 conf.d]# vim ssl.conf
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
ServerName server30.example.com:443 //去掉注释行,域名换成自己的主机名
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLCertificateFile /etc/pki/tls/certs/localhost.crt //证书文件1
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key //证书文件2
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt //证书文件3
[root@server30 tls]# cd /etc/pki/tls/certs/
[root@server30 certs]# ls
ca-bundle.crt localhost.crt Makefile
ca-bundle.trust.crt make-dummy-cert renew-dummy-cert
[root@server30 certs]#
[root@server30 certs]# wget http://ldap.example.com/pub/group30.crt
--2015-01-01 00:29:18-- http://ldap.example.com/pub/group30.crt
Resolving ldap.example.com (ldap.example.com)... 172.16.30.254
Connecting to ldap.example.com (ldap.example.com)|172.16.30.254|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3256 (3.2K)
Saving to: ‘group30.crt’
100%[====================================>] 3,256 --.-K/s in 0s
2015-01-01 00:29:18 (128 MB/s) - ‘group30.crt’ saved [3256/3256]
[root@server30 certs]# ls
ca-bundle.crt group30.crt //文件2 make-dummy-cert renew-dummy-cert
ca-bundle.trust.crt localhost.crt Makefile server30.crt //文件1
[root@server30 certs]# vim ssl.conf
SSLCertificateFile /etc/pki/tls/certs/server30.crt //修改为下载的server的crt文件名
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/pki/tls/certs/group30.crt //修改为下载的crt文件名
[root@server30 tls]# cd private/
[root@server30 private]#
[root@server30 private]#
[root@server30 private]# pwd
/etc/pki/tls/private
[root@server30 private]# wget http://ldap.example.com/pub/server30.key //证书key文件
--2015-01-01 00:35:41-- http://ldap.example.com/pub/server30.key
Resolving ldap.example.com (ldap.example.com)... 172.16.30.254
Connecting to ldap.example.com (ldap.example.com)|172.16.30.254|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 887
Saving to: ‘server30.key’
100%[====================================>] 887 --.-K/s in 0s
2015-01-01 00:35:41 (55.5 MB/s) - ‘server30.key’ saved [887/887]
[root@server30 private]# ls
localhost.key server30.key
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/server30.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/server30.key //key证书的名字进行修改
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
:wq
[root@server30 private]# systemctl restart httpd
[root@server30 private]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 service name=https accept' --permanent //添加https防火墙规则
success
[root@server30 private]# firewall-cmd --reload
success
[root@server30 private]#
3)在server上扩展您的WEB服务器;
1.为站点http://www.example.com创建一个虚拟主机
2.设置DocumentRoot为/var/www/virtual
3.从http://ldap.example.com/pub/www.html下载文件,并重命名为index.html,不要修改文件内容。
4.将文件内容index.html拷贝到DocumentRoot目录下
5.确保floyd用户能够在/var/www/virtual下创建文件
[root@server30 ~]# cd /var/www/
[root@server30 www]# ls
cgi-bin html
[root@server30 www]# mkdir virtual //先创建该目录
[root@server30 www]# ll
total 0
drwxr-xr-x. 2 root root 6 Mar 20 2014 cgi-bin
drwxr-xr-x. 2 root root 23 Jan 1 00:02 html
drwxr-xr-x. 2 root root 6 Jan 1 00:53 virtual
[root@server30 www]# wget -O virtual/index.html http://ldap.example.com/pub/www.html //下载网站文件并改名称
--2015-01-01 00:54:19-- http://ldap.example.com/pub/www.html
Resolving ldap.example.com (ldap.example.com)... 172.16.30.254
Connecting to ldap.example.com (ldap.example.com)|172.16.30.254|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16 [text/html]
Saving to: ‘virtual/index.html’
100%[====================================>] 16 --.-K/s in 0s
2015-01-01 00:54:20 (1.29 MB/s) - ‘virtual/index.html’ saved [16/16]
[root@server30 www]#
[root@server30 www]# ls virtual/
index.html //此时已有文件
[root@server30 www]# cat virtual/index.html
www.example.com //网站内容
[root@server30 www]# chown -R apache.apache /var/www/
[root@server30 www]# ll
total 0
drwxr-xr-x. 2 apache apache 6 Mar 20 2014 cgi-bin
drwxr-xr-x. 2 apache apache 23 Jan 1 00:02 html
drwxr-xr-x. 2 apache apache 23 Jan 1 00:54 virtual
[root@server30 www]#
[root@server30 www]# useradd floyd //创建此用户
[root@server30 www]# setfacl -m u:floyd:rwx virtual/ //对floyd用户授权
[root@server30 www]# getfacl virtual/
# file: virtual/
# owner: apache
# group: apache
user::rwx
user:floyd:rwx //可读写
group::r-x
mask::rwx
other::r-x
[root@server30 conf.d]# ls
autoindex.conf README ssl.conf userdir.conf welcome.conf
[root@server30 conf.d]# find / -name *vhost* //查找虚拟主机的模板配置文件
/dev/vhost-net
/etc/selinux/targeted/modules/active/modules/vhostmd.pp
/usr/lib/modules/3.10.0-123.el7.x86_64/kernel/drivers/vhost
/usr/lib/modules/3.10.0-123.el7.x86_64/kernel/drivers/vhost/vhost_net.ko
/usr/lib64/httpd/modules/mod_vhost_alias.so
/usr/share/doc/httpd-2.4.6/httpd-vhosts.conf //此文件为模板文件
[root@server30 conf.d]# cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf . //拷贝到主配置文件里面来
[root@server30 conf.d]# ll
total 32
-rw-r--r--. 1 root root 2893 Mar 20 2014 autoindex.conf
-rw-r--r--. 1 root root 1511 Jan 1 01:08 httpd-vhosts.conf
-rw-r--r--. 1 root root 366 Mar 20 2014 README
-rw-r--r--. 1 root root 9425 Jan 1 00:37 ssl.conf
-rw-r--r--. 1 root root 1252 Mar 20 2014 userdir.conf
-rw-r--r--. 1 root root 516 Mar 20 2014 welcome.conf
[root@server30 conf.d]# vim httpd-vhosts.conf
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any block.
#
//这是虚拟主机1的配置
DocumentRoot "/var/www/html"
ServerName server30.example.com
//这是虚拟主机2的配置
DocumentRoot "/var/www/virtual"
ServerName www.example.com
//修改客户端的hosts文件,添加example.com的A记录
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.30.130 www.server30.com
172.16.30.130 www.example.com
[root@server30 conf.d]# systemctl restart httpd
[root@server30 conf.d]# su - floyd //切换到该普通用户
[floyd@server30 ~]$ cd /var/www/virtual/
[floyd@server30 virtual]$ ll
total 4
-rw-r--r--. 1 apache apache 16 Nov 28 13:11 index.html
[floyd@server30 virtual]$ touch aaa.txt
[floyd@server30 virtual]$ ll
total 4
-rw-rw-r--. 1 floyd floyd 0 Jan 1 01:18 aaa.txt
-rw-r--r--. 1 apache apache 16 Nov 28 13:11 index.html //可创建文件
[floyd@server30 virtual]$
4)Web访问控制;
在您server上的web服务器的DocumentRoot目录下创建一个名为private的目录从http://ldap.example.com/pub/private.html下载文件到这个目录,并重命名为index.html,不要修改文件内容;在server上,任何人都可以浏览private的内容,但其他从系统不能访问目录的内容
[root@server30 conf.d]# cd /var/www/html/
[root@server30 html]# mkdir private //先创建该目录
[root@server30 html]# wget -O private/index.html http://ldap.example.com/pub/private.html //下载网站主页文件
--2015-01-01 01:21:08-- http://ldap.example.com/pub/private.html
Resolving ldap.example.com (ldap.example.com)... 172.16.30.254
Connecting to ldap.example.com (ldap.example.com)|172.16.30.254|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8 [text/html]
Saving to: ‘private/index.html’
100%[====================================>] 8 --.-K/s in 0s
2015-01-01 01:21:09 (578 KB/s) - ‘private/index.html’ saved [8/8]
[root@server30 html]# ll private/
total 4
-rw-r--r--. 1 root root 8 Nov 28 13:11 index.html
[root@server30 html]#
[root@server30 html]# cat private/index.html
private //这是主页内容
[root@server30 html]# vim /etc/httpd/conf.d/httpd-vhosts.conf
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any block.
#
DocumentRoot "/var/www/html"
ServerName server30.example.com
//对网站的访问做限制,只有本机ip系统才可以访问该网站内容
Require ip 172.16.30.130
DocumentRoot "/var/www/virtual"
ServerName www.example.com
[root@server30 html]# systemctl restart httpd
5)动态内容由名为alt.example.com的虚拟主机提供
虚拟主机监听的端口为8909
从http://ldap.example.com/pub/webapp.wsgi下载一个脚本后,然后放在适当的位置,不要修改文件内容
客户端访问http://alt.example.com:8909时,应该接收到动态生成的web页面
此http://alt.example.com:8909必须能够被example.com内所有的系统访问
[root@server30 www]# ls
cgi-bin html virtual
[root@server30 www]# mkdir wsgi //先创建该目录
[root@server30 www]# ls
cgi-bin html virtual wsgi
[root@server30 www]# cd wsgi/
[root@server30 wsgi]# wget http://ldap.example.com/pub/webapp.wsgi //下载此站点主页文件
--2015-01-01 01:38:22-- http://ldap.example.com/pub/webapp.wsgi
Resolving ldap.example.com (ldap.example.com)... 172.16.30.254
Connecting to ldap.example.com (ldap.example.com)|172.16.30.254|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 277
Saving to: ‘webapp.wsgi’
100%[====================================>] 277 --.-K/s in 0s
2015-01-01 01:38:22 (15.9 MB/s) - ‘webapp.wsgi’ saved [277/277]
[root@server30 wsgi]# ls
webapp.wsgi
[root@server30 wsgi]#
[root@server30 wsgi]# chown -R apache:apache /var/www/ //修改文件的属主为apache
[root@server30 wsgi]#
[root@server30 wsgi]#
[root@server30 wsgi]# ll /var/www/
total 4
drwxr-xr-x. 2 apache apache 6 Mar 20 2014 cgi-bin
drwxr-xr-x. 3 apache apache 37 Jan 1 01:20 html
drwxrwxr-x+ 2 apache apache 37 Jan 1 01:18 virtual
drwxr-xr-x. 2 apache apache 24 Jan 1 01:38 wsgi
[root@server30 wsgi]# vim /etc/httpd/conf.d/httpd-vhosts.conf
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any block.
#
DocumentRoot "/var/www/html"
ServerName server30.example.com
Require ip 172.16.30.130
DocumentRoot "/var/www/virtual"
ServerName www.example.com
Listen 8909 //增加监听的端口
//增加的虚拟主机的配置
WSGIScriptAlias / "/var/www/wsgi/webapp.wsgi"
ServerName alt.example.com
[root@server30 wsgi]# rpm -qa | grep wsgi
[root@server30 wsgi]# yum install all | grep wsgi
Error: Nothing to do
[root@server30 wsgi]# yum install mod_wsgi* -y //安装wsgi的软件包
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package mod_wsgi.x86_64 0:3.4-11.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==============================================================================
Package Arch Version Repository Size
==============================================================================
Installing:
mod_wsgi x86_64 3.4-11.el7 base 76 k
Transaction Summary
==============================================================================
[root@server30 wsgi]# semanage port -l | grep http //查看http在seliux上的端口
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@server30 wsgi]# semanage port -a -t http_port_t -p tcp 8909 //添加8909端口为开放状态
[root@server30 wsgi]# semanage port -l | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 8909, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@server30 wsgi]#
[root@server30 wsgi]# systemctl restart httpd
[root@server30 wsgi]# ss -tunl | grep 8909
tcp LISTEN 0 128 :::8909 :::* //8909端口已然处于监听状态
[root@server30 wsgi]#
[root@server30 wsgi]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 port protocol=tcp port=8909 accept' --permanent //添加防火墙,开放8909端口
success
[root@server30 wsgi]# firewall-cmd --reload
success
[root@server30 wsgi]#
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.30.130 www.server30.com
172.16.30.130 www.example.com
172.16.30.130 alt.example.com //增加该域名的A记录