"Linux in respect of such a study" Chapter 10. Deploying Static Websites with the Apache Service

"Linux in respect of such a study"!

Learning Website: https://www.linuxprobe.com/

A very good website and learning program!


Chapter 10. Deploying Static Websites with the Apache Service

Web services: a browser accesses the server and the data is transferred back.

10.1 Website service programs

The network programs that can currently provide Web services include IIS, Nginx and Apache. Of these, IIS (Internet Information Services) is the default Web service program on Windows systems. It is a graphical website management tool that can provide not only Web services but also FTP, NNTP, SMTP and other services. However, IIS can only be used on Windows systems, and since our book is called "Linux in respect of such a study", it is outside the scope of our study.

The Apache service can run on Linux, UNIX and even Windows systems. It supports virtual hosts based on IP address, domain name and port number, supports multiple authentication methods, integrates a proxy server module and Secure Sockets Layer (SSL), can monitor the service status in real time and customize log messages, and has a rich set of modules. Apache is the default Web service program on RHEL 5, 6 and 7, and it has long been a focus of the RHCSA and RHCE certification exams.

Apache: US. Static pages, dynamic pages, space.
Nginx: Russia. 128M of memory can hold a website.
Static: HTML, pictures.
Dynamic: database (PHP).

Step 1: Mount the system image in the CD-ROM device on the /media/cdrom directory.
    [root@localhost Desktop]# mkdir -p /media/cdrom
    [root@localhost Desktop]# mount /dev/cdrom /media/cdrom/
    mount: /dev/sr0 is write-protected, mounting read-only
    [root@localhost Desktop]# vim /etc/fstab
    # Created by anaconda on Mon Apr 22 15:33:10 2019
    #
    # Accessible filesystems, by reference, are maintained under '/dev/disk'
    # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
    #
    /dev/mapper/rhel-root                      /             xfs      defaults         1 1
    UUID=476aa953-9954-4170-bfc7-69ec6cedad75  /boot         xfs      defaults,uquota  1 2
    /dev/mapper/rhel-swap                      swap          swap     defaults         0 0
    /dev/sdb1                                  /guazai       ext4     defaults         0 0
    /dev/sdb5                                  swap          swap     defaults         0 0
    /dev/sdb6                                  /newFS        xfs      defaults         0 0
    /dev/cdrom                                 /media/cdrom  iso9660  defaults         0 0

Step 2: Use the Vim text editor to create the Yum repository configuration file.

    [root@localhost Desktop]# vim /etc/yum.repos.d/rhel7.repo
    [rhel]
    name=rhel7
    baseurl=file:///media/cdrom
    enabled=1
    # gpgcheck=0 turns off package signature verification for this repository
    gpgcheck=0

Step 3: Install the Apache service program. Note that when installing with the yum command, the package name that follows the command for the Apache service is httpd. If you run yum install apache directly, the system reports an error.

    [root@localhost Desktop]# yum install httpd
    Loaded plugins: langpacks, product-id, subscription-manager
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    Repository rhel is listed more than once in the configuration
    Resolving Dependencies
    --> Running transaction check
    ---> Package httpd.x86_64 0:2.4.6-17.el7 will be installed
    --> Finished Dependency Resolution
    Dependencies Resolved
    ================================================================
     Package     Arch       Version          Repository     Size
    ================================================================
    Installing:
     httpd       x86_64     2.4.6-17.el7     rhel           1.2 M
    Transaction Summary
    ================================================================
    Install  1 Package
    Total download size: 1.2 M
    Installed size: 3.7 M
    Is this ok [y/d/N]: y
    Downloading packages:
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : httpd-2.4.6-17.el7.x86_64     1/1
      Verifying  : httpd-2.4.6-17.el7.x86_64     1/1
    Installed:
      httpd.x86_64 0:2.4.6-17.el7
    Complete!

Step 4: Start the httpd service program and add it to the startup items so that it starts with the system and keeps providing Web services to users:

    [root@localhost Desktop]# systemctl restart httpd
    [root@localhost Desktop]# systemctl enable httpd
    ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'

Enter http://127.0.0.1 in the browser address bar (Firefox is used here as the example) and press Enter. You will see the default page of the httpd service program that provides the Web service.

10.2 Configuring service file parameters

1. The site has no data
2. Insufficient permissions

Configuring a service on a Linux system really means modifying the service's configuration files, so you need to know where the main configuration files are and what they are for. The main configuration files of the httpd service program and where they are stored are shown in Table 10-1.
Site storage path: /var/www/html

Table 10-1 Configuration files of the service on a Linux system

    Service directory         /etc/httpd
    Main configuration file   /etc/httpd/conf/httpd.conf
    Site data directory       /var/www/html
    Access log                /var/log/httpd/access_log
    Error log                 /var/log/httpd/error_log

Looking at the site data directory shows that it is empty; there is no data.

    [root@localhost ~]# cd /var/www/html
    [root@localhost html]# ls

The site data goes in the index.html file.

Table 10-2 The most commonly used parameters for configuring the httpd service program, with descriptions

    ServerRoot       Service directory
    ServerAdmin      Administrator mailbox
    User             User that runs the service
    Group            User group that runs the service
    ServerName       Domain name of the web server
    DocumentRoot     Website data directory
    Listen           IP address and port number to listen on
    DirectoryIndex   Default index page
    ErrorLog         Error log file
    CustomLog        Access log file
    Timeout          Web page timeout, 300 seconds by default

As Table 10-2 shows, the DocumentRoot parameter defines the path where website data is saved, and its default value puts the website data in the /var/www/html directory. The home page of a site is usually named index.html, so you can write a file into the /var/www/html directory to replace the default home page of the httpd service program, and the change takes effect immediately. After doing this, refresh the page in the Firefox browser and you will see that the content of the home page has changed, as shown in Figure 10-5.

    [root@localhost html]# vim index.html
    Welcome To LinuxProbe.Com
    dminglmignmlknglngmkgnlknglsnkdnkgankgdowapnglknglanbkgaodeng; sangngalkn

Step 1: Create a directory to hold the site data, and create a home page file.
    [root@localhost html]# mkdir /home/wwwroot
    [root@localhost html]# systemctl restart httpd
    [root@localhost html]# cd /home/wwwroot
    [root@localhost wwwroot]# cp /var/www/html/index.html /home/wwwroot/
    [root@localhost wwwroot]# ls
    index1.html  index.html  linuxprobe
    [root@localhost wwwroot]# cat index.html
    The New Web Directory

Step 2: Open the main configuration file of the httpd service program. Change the DocumentRoot parameter on about line 119, which defines where the site data is saved, to /home/wwwroot, and also change the path after the Directory parameter on about line 124, which defines the directory permissions, to /home/wwwroot. Save and exit the configuration file when the changes are done.

The website data was stored in the /var/www/html directory; the directory for saving site data is changed to /home/wwwroot.

Before the change:

After the change:

    [root@localhost html]# vim /etc/httpd/conf/httpd.conf
    116 # documents. By default, all requests are taken from this directory, but
    117 # symbolic links and aliases may be used to point to other locations.
    118 #
    119 DocumentRoot "/home/wwwroot"
    120
    121 #
    122 # Relax access to content within /var/www.
    123 #
    124 <Directory "/home/wwwroot">
    125     AllowOverride None
    126     # Allow open access:
    127     Require all granted
    128 </Directory>
    129
    130 # Further relax access to the default document root:
    131 <Directory "/var/www/html">
    132     #
    133     # Possible values for the Options directive are "None", "All",
    134     # or any combination of:
    [root@localhost ~]# systemctl restart httpd.service

Step 3: Restart the httpd service program and verify the effect. The content shown after refreshing the page in the browser is shown in Figure 10-6. Strange! Why do I see the default home page of the httpd service program? Logically speaking, the default home page of the httpd service program is displayed only when the home page file does not exist in the site or the user's permissions are insufficient.
When we try to access the http://127.0.0.1/index.html page, we even find a page displaying "Forbidden, You do not have permission to access /index.html on this server." All of this is SELinux's doing.

10.3 SELinux security subsystem

The SELinux service has three modes, as follows.

enforcing: enforces the security policy; illegitimate requests made by services are intercepted.
permissive: when a service oversteps its rights, only a warning is issued; nothing is forcibly intercepted.
disabled: overstepping is neither warned about nor intercepted.

SELinux protects files and services through the following two mechanisms:

SELinux domain
SELinux security context

Enabling SELinux:

    [root@localhost ~]# vim /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of these two values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected.
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted

1. Modifying the SELinux domain

Check whether SELinux is turned on:

    [root@localhost ~]# getenforce
    Enforcing

Set whether SELinux is turned on:

    [root@localhost ~]# setenforce
    usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]
    [root@localhost ~]# setenforce 0
    [root@localhost ~]# setenforce 1

SELinux domain: governs what a service is allowed to do. SELinux security context: governs who can access a file.

We put SELinux back into the mode that enforces the security policy, and then check whether the original site data directory and the current site data directory have different SELinux security context values:

    [root@localhost ~]# ls -ldZ /var/www/html
    drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html
    [root@localhost ~]# ls -ldZ /home/wwwroot/
    drwxrwxrwx root root unconfined_u:object_r:user_home_dir_t:s0 /home/wwwroot/

The semanage command

The semanage command manages SELinux policy; its format is "semanage [options] [file]". The SELinux service greatly improves the security of a Linux system and locks user rights firmly in a cage. The semanage command can set the policy of files and directories like the traditional chcon command, and it can also manage network ports and message interfaces (these features are covered later in this chapter). The parameters most often used with semanage and their functions are: -l to query; -a to add; -m to modify; -d to delete.

2. Modifying the SELinux security context

Add an SELinux security context to the new site data directory so that the directory and all the files in it can be accessed by the httpd service program:

    [root@localhost wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
    [root@localhost wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/*
    [root@localhost wwwroot]# restorecon -Rv /home/wwwroot/
    restorecon reset /home/wwwroot/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
    [root@localhost ~]# cd /home/wwwroot
    [root@localhost wwwroot]# ls
    index1.html  index.html  linuxprobe
    [root@localhost wwwroot]# rm -rf linuxprobe
    [root@localhost wwwroot]# rm -rf index.html
    [root@localhost wwwroot]# cat index.html
    The New Web Directory

The home page of the site data under the /home/wwwroot directory is named index.html, and there can be only one such file.

After adding the security context, we find that refreshing the site still does not show the site content; the site cannot be accessed immediately.
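A "Forbidden" page after moving DocumentRoot comes down to two things that must both agree with the new path: the <Directory> block in httpd.conf and the SELinux type actually on the directory. The script below is an added example, not part of the original page; its function names are made up for illustration, and it assumes double-quoted paths without spaces as in the listing above.

```shell
#!/bin/bash
# Added example (not from the original page): explain a 403 after moving
# DocumentRoot by checking the two things that must match the new path.

# Print the DocumentRoot path from an httpd.conf file.
docroot_of() {
    awk '$1 == "DocumentRoot" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Succeed if <Directory "PATH"> exists and contains an uncommented
# "Require all granted".
directory_granted() {
    awk -v want="$2" '
        $1 == "<Directory"   { p = $2; gsub(/[">]/, "", p); inblk = (p == want) }
        $1 == "</Directory>" { inblk = 0 }
        inblk && $1 !~ /^#/ && tolower($0) ~ /require[ \t]+all[ \t]+granted/ { ok = 1 }
        END { exit (ok ? 0 : 1) }' "$1"
}

# Print the type field (third part) of a user:role:type:level context.
selinux_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# Read the context currently on a path; empty if it cannot be read.
context_of() {
    ls -dZ "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { print $i; exit } }'
}

# audit_docroot CONF [CONTEXT]: print findings, return 0 only if clean.
# CONTEXT defaults to the label found on disk for the DocumentRoot.
audit_docroot() {
    conf=$1
    root=$(docroot_of "$conf")
    if [ -z "$root" ]; then echo "FAIL: no DocumentRoot in $conf"; return 2; fi
    ctx=${2:-$(context_of "$root")}
    stype=$(selinux_type "$ctx")
    rc=0
    if ! directory_granted "$conf" "$root"; then
        echo "FAIL: no <Directory \"$root\"> block with Require all granted"
        rc=1
    fi
    # httpd_sys_content_t is the type the page assigns to web content.
    if [ "$stype" != "httpd_sys_content_t" ]; then
        echo "FAIL: $root has SELinux type '${stype:-unknown}', expected httpd_sys_content_t"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $root"; fi
    return "$rc"
}
```

Run as root with `audit_docroot /etc/httpd/conf/httpd.conf`; because it reads the label on disk, it keeps failing until the rules added with semanage have actually been applied to the files.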
The restorecon command is also needed to make the SELinux security context that was set take effect immediately. With restorecon, the -Rv parameters make it operate recursively on the specified directory and display the process of modifying the SELinux security context. Finally, refresh the page once more and the page content displays normally.

10.4 Personal user home page feature

Apache service: the main configuration file is /etc/httpd/conf/httpd.conf, but not all configuration is stored in the main configuration file.

Step 1: In the httpd service program, the personal user home page feature is not enabled by default. To enable it, edit the following configuration file and add a pound sign (#) in front of the UserDir disabled parameter on line 17, which tells the httpd service program to turn on the personal user home page feature; at the same time, remove the pound sign (#) in front of the UserDir public_html parameter on line 24 (the UserDir parameter gives the name of the directory in the user's home directory where the site data is stored, that is, the public_html directory). Finally, remember to save after the changes are done.

    [root@localhost wwwroot]# vim /etc/httpd/conf.d/userdir.conf
     1 #
     2 # UserDir: The name of the directory that is appended onto a user's home
     3 # directory if a ~user request is received.
    26
    27 #
    28 # Control access to UserDir directories. The following is an example
    29 # for a site where these directories are restricted to read-only.
    30 #
    31 <Directory "/home/*/public_html">
    32     AllowOverride FileInfo AuthConfig Limit Indexes
    33     Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    34     Require method GET POST OPTIONS
    35 </Directory>
    [root@localhost ~]# systemctl restart httpd

Step 2: In the user's home directory, create the directory and home page file that hold the site data. In addition, change the permissions of the home directory to 755 so that other people also have permission to read its contents.
    [root@localhost ~]# su - linuxprobe
    Last login: Wed Jun 12 19:18:08 CST 2019 on pts/0
    [linuxprobe@localhost ~]$ mkdir public_html
    [linuxprobe@localhost ~]$ ls
    a  dgjm  public_html  template  document  Desktop  behkn  xiaosu  video  download  cfil  peiexianzhi  public  pictures  music
    [linuxprobe@localhost ~]$ cd public_html
    [linuxprobe@localhost public_html]$ vim index.html
    zheshi chuangjian mulu .chuangjian geren wangzhan mulu ..
    [linuxprobe@localhost ~]$ chmod -Rf 755 /home/linuxprobe

Note that the comments in userdir.conf itself ask only for 711 on the home directory and 755 on public_html, which exposes less of the home directory than a recursive 755.

Step 3: Restart the httpd service program and enter the URL in the browser's address bar in the format "URL/~username" (the tilde is required, and there are no spaces between the URL, the tilde and the user name). In theory you can now see the user's personal site. Not surprisingly, the system displays an error page, as shown in Figure 10-9. SELinux must be to blame again.

Lifting the restriction in the SELinux domain:

    [root@localhost linuxprobe]# setenforce 0
    [root@localhost linuxprobe]# setenforce 1

Step 4: Think about what causes this error. When the httpd service program provides the personal user home page feature, the user's site data directory is supposed to be stored in the user's own home directory, so there should be no need to change the SELinux security context of the user's home directory. However, we also covered the concept of the SELinux domain earlier. The SELinux domain ensures that a service program cannot perform illegal operations and can only serve users within its bounds. Does the SELinux domain allow, by default, the personal user home page feature that the httpd service has just turned on?

Display the names and current state of all SELinux domain policy items:
    [root@localhost linuxprobe]# getsebool -a | grep http
    httpd_anon_write --> off
    httpd_builtin_scripting --> on
    httpd_can_check_spam --> off
    httpd_can_connect_ftp --> off
    httpd_can_connect_ldap --> off
    httpd_can_connect_mythtv --> off
    httpd_can_connect_zabbix --> off
    httpd_can_network_connect --> off
    httpd_use_nfs --> off
    httpd_use_openstack --> off
    httpd_use_sasl --> off
    httpd_verify_dns --> off
    named_tcp_bind_http_port --> off
    prosody_bind_http_port --> off
    [root@localhost linuxprobe]# setsebool -P httpd_enable_homedirs=on

Sometimes the owner of a site does not want the page content displayed directly and only wants visitors who have passed authentication to see it. In that case a password feature can be added to the website.

Step 1: First generate the password database with the htpasswd command. The -c parameter means it is being generated for the first time; it is followed by the file in which the password database is stored and the user name to be used for verification (the user does not have to be an existing local account on the system).

Password: redhat

    [root@localhost Desktop]# htpasswd -c /etc/httpd/passwd abel
    New password:
    Re-type new password:
    Adding password for user linuxprobe

Step 2: Edit the configuration file of the personal user home page feature. Change the parameter information on lines 31 to 35 to the following; the lines beginning with a pound sign (#) are annotations added by teacher Liu and can be ignored. Then save and exit the configuration file, and restart the httpd service program for it to take effect.

Before modification, the original file:

     1 #
     2 # UserDir: The name of the directory that is appended onto a user's home
     3 # directory if a ~user request is received.
     4 #
     5 # The path to the end user account 'public_html' directory must be
    31 <Directory "/home/*/public_html">
    32     AllowOverride FileInfo AuthConfig Limit Indexes
    33     Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    34     Require method GET POST OPTIONS
    35 </Directory>

Configuration file after modification:

    [root@localhost wwwroot]# vim /etc/httpd/conf.d/userdir.conf
     1 #
     2 # UserDir: The name of the directory that is appended onto a user's home
     3 # directory if a ~user request is received.
     4 #
     5 # The path to the end user account 'public_html' directory must be
     6 # accessible to the webserver userid. This usually means that ~userid
     7 # must have permissions of 711, ~userid/public_html must have permissions
     8 # of 755, and documents contained therein must be world-readable.
     9 # Otherwise, the client will only receive a "403 Forbidden" message.
    10 #
    11 <IfModule mod_userdir.c>
    12     #
    13     # UserDir is disabled by default since it can confirm the presence
    14     # of a username on the system (depending on home directory
    15     # permissions).
    16     #
    17     #UserDir disabled
    18
    19     #
    20     # To enable requests to /~user/ to serve the user's public_html
    21     # directory, remove the "UserDir disabled" line above, and uncomment
    22     # the following line instead:
    23     #
    24     UserDir public_html
    25 </IfModule>
    26
    27 #
    28 # Control access to UserDir directories. The following is an example
    29 # for a site where these directories are restricted to read-only.
    30 #
    31 <Directory "/home/*/public_html">
    32     AllowOverride all
    33     authuserfile /etc/httpd/passwd
    34     authname "nihao qing shuru yonghuming"
    35     authtype basic
    36     require user abel
    37 </Directory>

Username: abel
Password: redhat

10.5 Virtual web hosting feature

The Apache virtual host feature is a technique in which the server, based on the IP address, host domain name or port number that users request, provides several websites at the same time and serves them to the outside. As shown in Figure 10-12, different users request different resources, and the page content they finally get is also different.

10.5.1 Based on the host IP address

Configure the IP address of the network card:

    [root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-bond0
    [root@localhost ~]# systemctl restart network
    [root@localhost ~]# ping 192.168.1.120
    PING 192.168.1.120 (192.168.1.120) 56(84) bytes of data.
    64 bytes from 192.168.1.120: icmp_seq=1 ttl=64 time=0.032 ms
    64 bytes from 192.168.1.120: icmp_seq=2 ttl=64 time=0.034 ms
    64 bytes from 192.168.1.120: icmp_seq=3 ttl=64 time=0.034 ms
    64 bytes from 192.168.1.120: icmp_seq=4 ttl=64 time=0.036 ms
    64 bytes from 192.168.1.120: icmp_seq=5 ttl=64 time=0.050 ms
    64 bytes from 192.168.1.120:
    [root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/140
    [root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/140/*
    [root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/150
    [root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/150/*
    [root@localhost ~]# restorecon -Rv /home/wwwroot

10.5.2 Based on the host domain name
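Returning to the password database created with htpasswd in section 10.4: the script below, an added example that is not part of the original page, reviews such a file for weak hash schemes and for permissions that let every local account read the hashes. The function names are made up for illustration, and the scheme is judged only from the hash prefix.

```shell
#!/bin/bash
# Added example (not from the original page): review an htpasswd file such
# as /etc/httpd/passwd for weak hash schemes and loose file permissions.

# Print the hash scheme of one "user:hash" line, judged by its prefix.
htpasswd_scheme() {
    case "${1#*:}" in
        '$2y$'*)        echo bcrypt ;;          # htpasswd -B
        '$apr1$'*)      echo apr1-md5 ;;        # htpasswd default (-m)
        '{SHA}'*)       echo sha1-unsalted ;;   # htpasswd -s
        '$5$'*|'$6$'*)  echo sha2-crypt ;;      # SHA-256/512 crypt format
        *)              echo crypt-or-plain ;;  # htpasswd -d / -p, or unknown
    esac
}

# audit_htpasswd FILE: print one line per finding; return 0 only when there
# is no PERM or WEAK finding.
audit_htpasswd() {
    file=$1
    findings=0
    # The "other" read bit lets every local account copy the hashes.
    # On RHEL (assuming httpd runs in group apache): chgrp apache FILE,
    # then chmod 640 FILE keeps it readable by the server only.
    if [ -n "$(find "$file" -perm -004 2>/dev/null)" ]; then
        echo "PERM: $file is world-readable"
        findings=$((findings + 1))
    fi
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        user=${line%%:*}
        scheme=$(htpasswd_scheme "$line")
        case "$scheme" in
            sha1-unsalted|crypt-or-plain)
                echo "WEAK: $user uses $scheme"
                findings=$((findings + 1)) ;;
            apr1-md5)
                echo "NOTE: $user uses $scheme; bcrypt (htpasswd -B) is stronger" ;;
        esac
    done < "$file"
    [ "$findings" -eq 0 ]
}
```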

Origin blog.51cto.com/13615251/2409380