[Linux] Exercise---Web server comprehensive experiment

Experiment requirements:

Build a website for openlab:

1. The site is reached through the domain name www.openlab.com, and its content is "welcome to openlab!!!".

2. Create three virtual website directories for the company, serving student information, teaching materials and the payment website respectively.

   (Student information is accessed at www.openlab.com/student, teaching materials at www.openlab.com/data, and the payment website at www.openlab.com/money.)

3. The student information website can only be accessed by the users song and tian; the other websites can be accessed by all users.

   The payment website is accessed over https so that the data is encrypted.

 

Experiment procedure:

1. Install the httpd package (HTTP service) and the mod_ssl package (provides SSL/TLS cryptographic protection for the Apache server)

[root@localhost conf.d]# yum install -y httpd
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
上次元数据过期检查:0:23:32 前,执行于 2020年11月03日 星期二 16时30分44秒。
Package httpd-2.4.37-10.module+el8+2764+7127e69e.x86_64 is already installed.
依赖关系解决。
无需任何处理。
完毕!
[root@localhost conf.d]# yum install -y mod_ssl
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
上次元数据过期检查:0:02:33 前,执行于 2020年11月03日 星期二 16时30分44秒。
Package mod_ssl-1:2.4.37-10.module+el8+2764+7127e69e.x86_64 is already installed.
依赖关系解决。
无需任何处理。
完毕!

2. Write virtual host configuration file

[root@localhost ~]# cd /etc/httpd/conf.d/
[root@localhost conf.d]# vim vhost-openlab.conf 

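# Virtual host block (HTTP access)
<VirtualHost 192.168.74.130:80>
        # Main directory of the web page files
        DocumentRoot /www/http
        # Host name (here, the domain name)
        ServerName www.openlab.com
        # Aliases
        Alias /student  /openlab/student
        Alias /data  /openlab/data
</VirtualHost>

# Virtual host block (HTTPS access)
<VirtualHost 192.168.74.130:443>
        # Main directory of the web page files
        DocumentRoot /www/http
        # Host name (here, the domain name)
        ServerName www.openlab.com
        # Alias
        Alias /money  /openlab/money
        # Enable SSL
        SSLEngine on
        # Location of the certificate file
        SSLCertificateFile /etc/pki/tls/certs/zhengshu.crt
        # Location of the private key file
        SSLCertificateKeyFile /etc/pki/tls/certs/zhengshu.key
</VirtualHost>

# Directory block (access restrictions)
<Directory /www/http>
        # Overrides are not allowed
        AllowOverride none
        # Allow everyone to access this directory
        Require all granted
</Directory>

# Directory block (access restrictions)
<Directory /openlab/student>
        # Overrides are not allowed
        AllowOverride none
        # Basic authentication type (account)
        AuthType basic
        # Prompt message (placed inside the double quotes)
        AuthName "Please login:"
        # User authentication file (holds user names and passwords)
        AuthUserFile /etc/httpd/users
        # List of users allowed to access
        Require user song tian
</Directory>

# Directory block (access restrictions)
<Directory /openlab/data>
        # Overrides are not allowed
        AllowOverride none
        # Allow everyone to access
        Require all granted
</Directory>

# Directory block (access restrictions)
<Directory /openlab/money>
        # Overrides are not allowed
        AllowOverride none
        # Allow everyone to access
        Require all granted
</Directory>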

3. Make a certificate

# A Makefile is needed in the /etc/pki/tls/certs/ directory to make a self-signed certificate
# This file does not exist on rhel8; if needed, copy it from rhel7

[root@localhost conf.d]# cd /etc/pki/tls/certs/
[root@localhost certs]# ll
总用量 20
lrwxrwxrwx. 1 root root   49 8月  13 2018 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55 8月  13 2018 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r--. 1 root root 3952 10月 29 20:49 localhost.crt
-rw-r--r--. 1 root root 2388 10月 29 20:20 Makefile
-rw-r--r--. 1 root root 2236 11月  2 14:02 postfix.pem
[root@localhost certs]# make zhengshu.crt                    # make a certificate named zhengshu
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > zhengshu.key
Generating RSA private key, 2048 bit long modulus (2 primes)
................................................+++++
.......................+++++
e is 65537 (0x010001)
Enter pass phrase:                                                 # enter the pass phrase
Verifying - Enter pass phrase:                                     # confirm the pass phrase
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key zhengshu.key -x509 -days 365 -out zhengshu.crt -set_serial 0
Enter pass phrase for zhengshu.key:                               # same pass phrase as above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ZG                                # country code
State or Province Name (full name) []:SX                            # province
Locality Name (eg, city) [Default City]:Xi'an                       # city
Organization Name (eg, company) [Default Company Ltd]:openlab       # company name
Organizational Unit Name (eg, section) []:RHCE                      # department or organization name
Common Name (eg, your name or your server's hostname) []:www.test.com  # host name
Email Address []:[email protected]                    # e-mail address

4. Create a user

[root@localhost ~]# htpasswd -c /etc/httpd/users song    # add the user and store the password information in the users file
New password: 
Re-type new password: 
Adding password for user song
[root@localhost ~]# htpasswd /etc/httpd/users tian      # add the user and store the password information in the users file
New password: 
Re-type new password: 
Adding password for user tian
[root@localhost ~]# htpasswd /etc/httpd/users li        # add the user and store the password information in the users file
New password: 
Re-type new password: 
Adding password for user li
[root@localhost ~]# htpasswd /etc/httpd/users zhao      # add the user and store the password information in the users file
New password: 
Re-type new password: 
Adding password for user zhao

 5. Create a web page file directory

[root@localhost ~]# mkdir -p /www/http
[root@localhost http]# mkdir -p  /openlab/{student,data,money}

6. Define the content of the web page file

[root@localhost conf.d]# echo welcome to openlab! > /www/http/index.html   # main page of the website
[root@localhost http]# echo 学生信息 > /openlab/student/index.html  # virtual subdirectory: student information page
[root@localhost http]# echo 教学资料 > /openlab/data/index.html     # virtual subdirectory: teaching materials page
[root@localhost http]# echo 缴费通道 > /openlab/money/index.html    # virtual subdirectory: payment channel page

7. Add the domain name resolution entry to the virtual machine's hosts file (/etc/hosts)

[root@localhost http]# vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.74.130 www.openlab.com           # add this entry

8. Add the same domain name resolution entry to the local host's hosts file (C:\Windows\System32\drivers\etc\hosts)

9. Turn off the firewall and the SELinux security mechanism

[root@localhost conf.d]# systemctl stop firewalld         # turn off the firewall
[root@localhost conf.d]# setenforce 0                     # turn off SELinux enforcement (permissive mode)
[root@localhost conf.d]# systemctl status firewalld       # check the firewall status
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
[root@localhost conf.d]# getenforce                       # check the SELinux status
Permissive

10. Restart the httpd service

[root@localhost conf.d]# systemctl restart httpd
Enter TLS private key passphrase for www.openlab.com:443 (RSA) : ******

11. Test

    ① Main page of the website

[root@localhost conf.d]# curl http://www.openlab.com
welcome to openlab!

        

    ② Student information page

[root@localhost conf.d]# curl http://www.openlab.com/student/ -u song    # user song can access
Enter host password for user 'song':
学生信息
[root@localhost conf.d]# curl http://www.openlab.com/student/ -u tian   # user tian can access
Enter host password for user 'tian':
学生信息
[root@localhost conf.d]# curl http://www.openlab.com/student/ -u li    # user li is denied
Enter host password for user 'li':
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
[root@localhost conf.d]# curl http://www.openlab.com/student/ -u zhao    # user zhao is denied
Enter host password for user 'zhao':
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>

      

 

    ③ Teaching materials page

[root@localhost conf.d]# curl http://www.openlab.com/data/
教学资料

     

 

    ④ Payment channel page

[root@localhost conf.d]# curl -k https://www.openlab.com/money/
缴费通道

   

 

The experiment is complete!!!
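
The configuration in step 2 serves /student with Basic authentication from the port-80 virtual host, so the passwords for song and tian cross the network base64-encoded rather than encrypted. The check below is an added example, not part of the original post, that flags this pattern in an httpd configuration; the function names and the embedded sample configuration are constructed for illustration.

```shell
# Added example: list Basic-auth directories reachable through a VirtualHost
# that lacks "SSLEngine on". Narrow on purpose: it follows Alias targets only.

# Constructed sample mirroring vhost-openlab.conf from step 2.
sample_conf() {
cat <<'EOF'
<VirtualHost 192.168.74.130:80>
    DocumentRoot /www/http
    ServerName www.openlab.com
    Alias /student /openlab/student
    Alias /data /openlab/data
</VirtualHost>
<VirtualHost 192.168.74.130:443>
    ServerName www.openlab.com
    Alias /money /openlab/money
    SSLEngine on
</VirtualHost>
<Directory /openlab/student>
    AuthType basic
    AuthUserFile /etc/httpd/users
    Require user song tian
</Directory>
EOF
}

# Reads an httpd configuration on stdin and prints one line per finding:
# "<vhost address> <URL path> <directory>".
find_cleartext_basic_auth() {
awk '
{ d = tolower($1) }                       # directive names are case-insensitive
d == "<virtualhost"  { vh = $2; sub(/>$/, "", vh); ssl[vh] = 0; next }
d == "</virtualhost>" { vh = ""; next }
d == "<directory"    { dir = $2; sub(/>$/, "", dir); next }
d == "</directory>"  { dir = ""; next }
d == "sslengine" && vh != "" && tolower($2) == "on" { ssl[vh] = 1 }
d == "alias" && vh != "" { n++; a_vh[n] = vh; a_url[n] = $2; a_dir[n] = $3 }
d == "authtype" && dir != "" && tolower($2) == "basic" { basic[dir] = 1 }
END {
    # SSL state is resolved here because SSLEngine may follow the Alias line.
    for (i = 1; i <= n; i++)
        if ((a_dir[i] in basic) && !ssl[a_vh[i]])
            print a_vh[i], a_url[i], a_dir[i]
}'
}

sample_conf | find_cleartext_basic_auth
# -> 192.168.74.130:80 /student /openlab/student
```

Moving the /student alias into the 443 virtual host makes the check return nothing.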

Origin blog.csdn.net/trichloromethane/article/details/109472836