1. 启用HTTPS服务
HTTPS是在HTTP基础上加入SSL,安全性更高。嫌麻烦,我们使用OpenSSL生成免费证书,并在apache配置SSL。
1.1 使用openssl生成免费证书
1.安装OpenSSL。
ipam@ubuntu:~/Downloads$ sudo apt-get install openssl
2.生成一个RSA私钥,其中des加密算法,生成2048位私钥。
ipam@ubuntu:~/Downloads$ openssl genrsa -des3 -out ca.key 2048
查看生成的私钥可以使用
ipam@ubuntu:~/Downloads$ openssl rsa -text -in ca.key
3.创建证书签名请求CSR文件,生成过程中会要求填写一些信息
ipam@ubuntu:~/Downloads$ openssl req -new -key ca.key -out ca.csr
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:cn
Locality Name (eg, city) []:cn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
Organizational Unit Name (eg, section) []:cn
Common Name (e.g. server FQDN or YOUR name) []:cn //填写即将发布url的根服务器,如*.example.cn
Email Address []:cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:cn
string is too short, it needs to be at least 4 bytes long
A challenge password []:cncn //你的证书密码,如果不想设置密码,可以直接回车
> An optional company name []:cn
查看csr文件命令如下
ipam@ubuntu:~/Downloads$ openssl req -text -in ca.csr -noout
4.生成签名证书
ipam@ubuntu:~/Downloads$ openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=C = cn, ST = cn, L = cn, O = cn, OU = cn, CN = cn, emailAddress = cn
Getting Private key
Enter pass phrase for ca.key:
1.2 配置apache
1.启用SSL模块
查看/etc/apache2/ports.conf
端口配置文件
Listen 80
Listen 443
Listen 443
可以看到要使用443服务,需要先启用SSL模块。
ipam@ubuntu:~/Downloads$ sudo a2enmod ssl
2.修改/etc/apache2/sites-available/
内的配置文件
为了方便管理,证书文件和私钥,分别拷贝至/etc/apache2/ssl/certs/ca.crt
以及/etc/apache2/ssl/private/ca.key
。由于apache在该文件夹内已创建了示例配置文件default-ssl.conf
,修改即可。
#三个部分必须修改
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/certs/ca.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/ca.key
也可以拷贝000-default.conf
文件,并进行简单修改。命名为phpipam-ssl.conf
,内容如下:
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
SSLEngine On
ServerAdmin webmaster@localhost
DocumentRoot /var/www/phpipam
SSLCertificateFile /etc/apache2/ssl/certs/ca.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/ca.key
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
3.启用apache SSL配置
若是修改了default-ssl.conf
,则
ipam@ubuntu:/etc/apache2/sites-available$ sudo a2ensite default-ssl.conf
文件名根据实际情况自行修改。
4.强制使用https
由于之前配置过http服务,考虑强制转成https,即输入网址后自动跳转https服务。修改/etc/apache2/sites-available/000-default.conf
,里面添加以下内容并保存。
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [L,R]
5.重载apache
ipam@ubuntu:/etc/apache2/sites-available$ sudo systemctl reload apache2.service
或者重启
ipam@ubuntu:/etc/apache2/sites-available$ sudo systemctl restart apache2.service
2. 数据库自动备份
cron是一个Linux定时执行工具,在Ubuntu,可通过/etc/crontab
文件进行查看,或者crontab -l
1.打开cron,并进行编辑。保存关闭有命令提示。
ipam@ubuntu:~/Downloads$ crontab -e
2.配置定时备份
文件备份在/home/ipam/Documents/bak/
。另外,%
在crontab为换行,因此%
之前需要添加转义字符\
;{}
和\
之间有空格,\
和;
之间没有空格,否则会报错 /usr/bin/find: 缺少“-exec”参数
。
#每天0时进行备份并对30天前的备份资料进行删除
* 0 */1 * * /usr/bin/mysqldump -uroot -p123456 phpipam > /home/ipam/Documents/bak/phpipam_bak_$(date "+\%Y\%m\%d").sql
* 0 */1 * * /usr/bin/find /home/ipam/Documents/bak/ -ctime +30 -exec rm {} \;
3. 定时扫描
也是使用的crontab。
*/30 * * * * /usr/bin/php /var/www/phpipam/functions/scripts/pingCheck.php
*/30 * * * * /usr/bin/php /var/www/phpipam/functions/scripts/discoveryCheck.php
4. 参考资料(因为链接太多被判定为广告,需要的自行百度)
1. Config Server Firewall:How to Generate Self-signed SSL Certificate using OpenSSL in Ubuntu 18.04
2. 挑战者V:Ubuntu 16.04配置SSL免费证书
3. hiekay:ubuntu apache2 配置安装ssl证书,https]
4. 龙恩0707:使用openssl 生成免费证书
5. ubuntu wiki
6. linux 命令大全
7. nancy05:备份与还原mysql 数据库的常用命令
8. 大专栏 IP地址管理(IPAM)
9. crontab命令详解 含启动/重启/停止
10.killkill:crontab 的写法(@reboot, @1early...)
11. siaisjack:Linux下date命令,格式化输出,时间设置
12.听风:linux每日命令(21):find命令之exec*
13. leno米雷のcoding记录:Linux的find命令实例详解和mtime ctime atime