
[My Linux, I'm in charge!] Deploy a Web forum website using Apache services

2025-01-16 update. From: SLTechnology News&Howtos > Servers


Shulou(Shulou.com)06/02 Report--

Table of contents:

(1) understand the basic configuration of Apache

(2) configure dynamic pages: CGI, WSGI, SSI

(3) set up a Discuz! community forum

(4) configure virtual host

(5) configure HTTPS

Apache HTTP Server (httpd) is an open source web server from the Apache Software Foundation and was for a long time the most widely deployed web server in the world. It runs on almost every widely used platform, and its popularity rests on that portability, on its security record, and on an extension API through which modules such as mod_perl, mod_wsgi (Python) and mod_php embed interpreters in the server.

It began as a server for small and experimental sites and gradually spread to all the Unix-like systems, with especially complete support on Linux. Apache supports SSL/TLS and multiple virtual hosts. The classic prefork MPM is process based, one process per connection, which costs more memory than a threaded model; the worker and event MPMs in Apache 2.x are threaded and scale well on multiprocessor hosts, and large sites usually scale out by adding servers or cluster nodes rather than by relying on a single machine. Apache remained the most used web server for many years (a market share of around 60% was once quoted, though that share has since fallen), and well-known sites such as Amazon, Yahoo!, the W3C and the Financial Times have run on it. Its success rests mainly on its open source code, an open development team, cross-platform support (almost all Unix, Windows and Linux platforms) and its portability.

(1) understand the basic configuration of Apache

Usually, when we browse the web through a browser, we are actually talking to a Web server. Once the Web server is built, the client accesses it through the browser with the HyperText Transfer Protocol (HTTP), which uses TCP port 80 by default (HTTPS, covered in section 5, uses port 443).

We set up the Web server on the vms001 host: first install the httpd package with yum on vms001.

Then start the service and enable it to start at boot (the systemctl enable and start steps), and, since the firewalld service is running, allow the http and https services through the firewall (firewall-cmd --add-service, made permanent and reloaded). Finally, go to the /etc/httpd/conf/ directory and edit the httpd.conf file.

The Include conf.modules.d/*.conf line loads every file with the .conf suffix in the conf.modules.d/ directory, which is where the LoadModule directives live. The path is relative, which is confusing at first: relative paths in httpd.conf are resolved against ServerRoot, so by default it means the /etc/httpd/conf.modules.d/ directory.

Additional Listen lines can be added to httpd.conf as needed, but with SELinux enforcing, a port other than 80/443 must also be labelled http_port_t (with semanage port), otherwise httpd is refused the bind; this is the same step needed when sshd is moved to a non-default port in /etc/ssh/sshd_config (figures 1-4 to 1-7).

(1.5) User and Group are both set to apache, meaning the httpd worker processes run as the apache user and group; the parent process starts as root only to bind port 80 and then hands the work to these unprivileged children, so the files served need only be readable by apache. ServerAdmin sets the administrator's email address; it is shown on server-generated error pages so visitors know whom to contact (httpd does not send mail by itself).

(1.6) When several sites live on one server, such as www.a.com and www.b.com sharing the same IP address, each needs its own ServerName; only then can the server tell the sites apart, because the client names the site it wants in the Host header of its request.

(1.7) DocumentRoot is the directory from which web files are served by default, normally /var/www/html/. That directory is empty after installation, so entering the server's IP address in a browser shows the Apache test (welcome) page.

(1.8) If a subdirectory is created under /var/www/ and no separate <Directory> block is written for it, it inherits the settings of the enclosing /var/www/ directory block.

We create an xx directory under /var/www/html/, create five html files in it, and add a separate <Directory> block for xx to /etc/httpd/conf/httpd.conf. Note the Indexes option: if the xx directory has no index.html, the server generates a listing of all files in it. Restart the service once with # systemctl restart httpd.service. The Indexes option in this block applies only to /var/www/html/xx/, not to /var/www/html/ itself: when /var/www/html/ has no index.html the test page is still shown, because the stock /etc/httpd/conf.d/welcome.conf turns Indexes off for the site root. A directory listing reveals every file name in the directory (backups, copies of configuration files and so on), so on a production server leave Indexes off unless a listing is the intended behaviour.

(1.10) The FollowSymLinks option of the Options directive allows files under /var/www/html/xx/ that are symbolic links to other locations to be served. Here we create a www symlink pointing at the /www directory; when the browser opens http://192.168.26.101/xx/www/ it reaches the index.html in /www. Because a link is followed wherever it points, anyone who can create links under the web tree can expose files outside DocumentRoot; SymLinksIfOwnerMatch, which follows a link only when link and target have the same owner, is the safer choice for directories that users can write to.

(1.11) The AllowOverride parameter controls whether a .htaccess file in the directory takes effect; we change the default None to AuthConfig so that authentication directives in it are honoured. We then create a .htaccess file in /var/www/html/xx/ with the authentication settings (AuthType Basic, an AuthName, AuthUserFile pointing at the password file, and Require valid-user) and create the matching .htpasswd password file with the htpasswd tool. After the service is restarted, visiting the /xx/ directory prompts for a username and password. Basic authentication only base64-encodes the credentials, so it protects anything only when the site is served over HTTPS (section 5).

(1.12) The Require directives used inside a <Directory> block of httpd.conf are generally:

Require all denied: deny all client access

Require all granted: allow all clients to access

Require ip 192.168.26.100 192.168.26.130: allow access from the listed client addresses (here two hosts); a whole segment is written as a prefix or a CIDR block, e.g. 192.168.26 or 192.168.26.0/24

Require local: only access from the loopback address (or from the server's own address) is allowed
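To make the difference between "two listed hosts" and "a whole segment" concrete, here is an added example (not from the original article) that evaluates the four kinds of Require line above against a client address the way httpd's authz_core does for bare Require lines, which are combined as if inside <RequireAny>. The server address 192.168.26.101 is the vms001 address from this article; only IPv4 arguments are modelled.

```python
import ipaddress


def parse_require_ip(token):
    """Convert one argument of `Require ip` to an IPv4 network.

    httpd accepts a full address (192.168.26.100), a partial address that
    stands for the leading octets (192.168.26), a CIDR prefix
    (192.168.26.0/24) and a network/netmask pair (192.168.26.0/255.255.255.0).
    """
    if "/" in token:
        return ipaddress.ip_network(token, strict=False)
    octets = token.split(".")
    if len(octets) == 4:
        return ipaddress.ip_network(token)          # a single host, /32
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")


def require_line_grants(line, client_ip, server_ip):
    """Evaluate a single Require line for one client address."""
    tokens = line.split()
    if tokens[0] != "Require":
        raise ValueError(f"not a Require line: {line!r}")
    kind, args = tokens[1], tokens[2:]
    client = ipaddress.ip_address(client_ip)
    if kind == "all":
        return args == ["granted"]                  # `all denied` never grants
    if kind == "local":                             # loopback, or client and server are the same host
        return client.is_loopback or client == ipaddress.ip_address(server_ip)
    if kind == "ip":
        return any(client in parse_require_ip(a) for a in args)
    raise ValueError(f"authorization provider not modelled: {kind}")


def directory_allows(require_lines, client_ip, server_ip="192.168.26.101"):
    """Bare Require lines in a <Directory> block behave as if wrapped in
    <RequireAny>: the client is allowed when at least one line grants access.
    (Inside an explicit <RequireAll> every line would have to grant.)"""
    return any(require_line_grants(line, client_ip, server_ip) for line in require_lines)
```

The line from the article, Require ip 192.168.26.100 192.168.26.130, lets exactly those two hosts in and refuses 192.168.26.101; to admit the whole /24, write 192.168.26 or 192.168.26.0/24 instead.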

(1.13) In httpd.conf, the DirectoryIndex directive inside the <IfModule dir_module> block names the default home page, normally index.html. If no such file exists (and Indexes is on), the directory listing is shown instead. The Require directive inside the <Files ".ht*"> block sets the access rule for files whose names start with .ht, so that .htaccess and .htpasswd are denied by default and cannot be downloaded by a client.

(1.14) ErrorLog writes the error log to logs/error_log relative to ServerRoot by default. Since ServerRoot is /etc/httpd, and /etc/httpd/logs/ is a symbolic link to /var/log/httpd/, the two directories show the same files.

(1.15) The Alias directive maps an arbitrary URL path, such as /hello, to a directory on disk. The two sides must be written consistently: if the URL path has a trailing "/", give the directory one too, and if not, give neither (neither is used here, figure 1-33). After adding the Alias, also add a <Directory> block for the target directory (here /zz); its settings apply to all subdirectories beneath it. This pattern is very common; the Zabbix monitoring front end, for instance, is reached through an Alias in exactly this way.

(2) configure dynamic pages: CGI, WSGI, SSI

(2.1) The Common Gateway Interface (CGI) is the specification for the external programs a Web server runs to produce a page. By default the /cgi-bin/ URL is mapped by ScriptAlias to /var/www/cgi-bin/, so we go to that directory and create a Perl script aa.pl. A CGI program must be executable, and its output must begin with a Content-Type header followed by a blank line before the page body.

(2.2) Besides Perl, the same job can be done with a shell script: we create an aa.sh script in /var/www/cgi-bin, and it is displayed normally on the page as well.
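Any language works the same way, since CGI is just environment variables in and a header plus body out. As an added example (not one of the article's scripts), here is the equivalent in Python, assumed to be saved as /var/www/cgi-bin/hello.py and made executable; it also shows the one thing the Perl and shell versions above leave out, namely escaping request data before echoing it into HTML.

```python
#!/usr/bin/env python3
import html
import os
import sys
from urllib.parse import parse_qs


def build_response(environ):
    """Produce the complete CGI response for one request.

    httpd hands the request to the script through environment variables such
    as QUERY_STRING and REMOTE_ADDR; the script must write a Content-Type
    header, an empty line, and then the body to standard output.
    """
    params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    name = params.get("name", ["world"])[0]
    # Everything taken from the request is HTML-escaped before it is echoed
    # back; without this the script is a reflected cross-site scripting hole.
    body = (
        "<html><body>\n"
        f"<h1>Hello, {html.escape(name)}</h1>\n"
        f"<p>Your address: {html.escape(environ.get('REMOTE_ADDR', 'unknown'))}</p>\n"
        "</body></html>\n"
    )
    return "Content-Type: text/html; charset=utf-8\r\n\r\n" + body


if __name__ == "__main__":
    sys.stdout.write(build_response(os.environ))
```

Requesting http://192.168.26.101/cgi-bin/hello.py?name=Bob then returns the greeting; a payload such as name=<script> comes back as harmless text. Files created directly in /var/www/cgi-bin/ receive the httpd_sys_script_exec_t SELinux label automatically; files copied in from elsewhere may need restorecon.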

WSGI is the Web Server Gateway Interface, the standard interface between a web server and Python web applications; in Apache it is provided by the mod_wsgi module. It is the usual way to serve a dynamic site written in Python, the OpenStack dashboard for example. To use it, install the mod_wsgi package first.

Server Side Includes (SSI) are directives embedded in an HTML page that instruct the server to generate part of the content dynamically when the page is served. We create an index.html home page in /var/www/html/xx/ (figure 1-50), add the Includes option to the Options line for that directory in httpd.conf, and rename the home page from index.html to index.shtml; the AddType text/html .shtml and AddOutputFilter INCLUDES .shtml lines in httpd.conf must be enabled so that the INCLUDES filter processes pages with that suffix.

(2.5) The SSI directive that prints the time can also be replaced with an exec directive that runs a script file and shows its output. Because exec runs commands as the httpd user, use Options IncludesNOEXEC instead of Includes on any directory where users can upload or edit content.
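What the Includes and IncludesNOEXEC options actually change is easiest to see in code. The following is an added example, not part of the article: a miniature SSI expander that handles the three directives used in this section (echo of DATE_LOCAL, include virtual, exec cmd) over a constructed in-memory document root, using httpd's default error message and time format. It is a model of mod_include's behaviour, not mod_include itself.

```python
import datetime
import posixpath
import re
import subprocess

DIRECTIVE_RE = re.compile(r"<!--#(\w+)\s+(.*?)\s*-->")
ERROR_MSG = "[an error occurred while processing this directive]"  # httpd's default SSIErrorMsg
TIMEFMT = "%A, %d-%b-%Y %H:%M:%S %Z"                               # httpd's default timefmt

# Constructed sample document root and page for the example.
DOCROOT = {"/xx/footer.html": "<p>footer</p>"}
SAMPLE_PAGE = ('<h1>xx</h1><!--#echo var="DATE_LOCAL" --> | '
               '<!--#include virtual="/xx/footer.html" --> | <!--#exec cmd="echo hi" -->')


def _attrs(text):
    """Parse the name="value" pairs of one directive."""
    return dict(re.findall(r'(\w+)="([^"]*)"', text))


def render_ssi(page, docroot, options, date_local=None):
    """Expand the SSI directives of `page` the way the INCLUDES filter would.

    docroot: dict mapping a URL path ("/xx/footer.html") to its content.
    options: the Options tokens of the directory, e.g. {"Includes"} or
             {"IncludesNOEXEC"}; with neither, the page is served untouched.
    date_local: override for the DATE_LOCAL variable (used by the tests).
    """
    if not ({"Includes", "IncludesNOEXEC"} & options):
        return page                       # no INCLUDES filter: directives stay HTML comments
    if date_local is None:
        date_local = datetime.datetime.now().astimezone().strftime(TIMEFMT)

    def expand(match):
        name, attrs = match.group(1), _attrs(match.group(2))
        if name == "echo" and attrs.get("var") == "DATE_LOCAL":
            return date_local
        if name == "include" and "virtual" in attrs:
            # virtual= is a URL path resolved inside the document root, so
            # "../" cannot escape it; an unknown target yields the error message.
            target = posixpath.normpath(attrs["virtual"])
            if target not in docroot:
                return ERROR_MSG
            return render_ssi(docroot[target], docroot, options, date_local)
        if name == "exec" and "cmd" in attrs:
            if "IncludesNOEXEC" in options:
                return ERROR_MSG          # exec is refused (httpd also logs the refusal)
            # With plain Includes the command runs as the apache user via /bin/sh:
            # SSI injection into a .shtml page is then remote code execution.
            result = subprocess.run(attrs["cmd"], shell=True, capture_output=True, text=True)
            return result.stdout.rstrip("\n")
        return ERROR_MSG

    return DIRECTIVE_RE.sub(expand, page)
```

With {"Includes"} the exec directive in SAMPLE_PAGE runs the command; with {"IncludesNOEXEC"} the echo and include still work but exec is replaced by the error message, which is the setting to use wherever page content is not fully trusted.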

If we want http://192.168.26.101/xx/ to redirect automatically to http://192.168.26.101/xx/index.shtml, we can configure that in httpd.conf by rewriting the address (alternatively, adding index.shtml to DirectoryIndex serves the page directly without a redirect).

(3) set up a Discuz! community forum

We set up the Discuz! community forum: first create a /bbs directory under the root directory, create a Discuz directory under the /xx directory, and copy the Discuz! X3.2 forum package into the Discuz directory.

(3.2) Then add the Alias and <Directory> configuration for the forum to the httpd.conf file in /etc/httpd/conf.

Because SELinux is enabled, the new directories need the httpd content label (httpd_sys_content_t, or httpd_sys_rw_content_t for the directories the forum must write to); set the context and restart the httpd service.

Then we enter MariaDB and set the password of the database root user to redhat.

(3.5) Create a database named blog in MariaDB, create a user bob with the password redhat who can log in to the blog database, and grant him all privileges on that database.

Entering http://192.168.26.101/bbs in the browser now opens the Discuz! installation interface.

During installation we temporarily set the permissions of the /bbs directory to 777 and put SELinux in permissive mode. Both are installation shortcuts only: once the wizard has finished, tighten the permissions again so that only the directories the forum writes to are writable by the apache user, give those directories the httpd_sys_rw_content_t label, and set SELinux back to enforcing. Leaving a world-writable web root and a permissive SELinux on a public forum hands an attacker a place to drop and run files.

(3.8) In the database step of the installer, enter the database name and the user and password created above; the forum website is then installed.

(3.9) Entering the administrator username and password set in the installation wizard opens the administrator login interface, where the forum sections are configured.

(3.10) Our Discuz! forum now provides service normally.

(4) configure virtual host

The IncludeOptional conf.d/*.conf line in /etc/httpd/conf/httpd.conf loads every .conf file in the /etc/httpd/conf.d/ directory, which is where per-site configuration is usually placed.

(4.2) A virtual host means running several sites on the same server. Suppose the server has two hostnames, www.a.com and www.b.com, both resolving to 1.1.1.1, the address of its eth0 interface. When a client PC requests www.a.com, the packet is addressed to 1.1.1.1, but the HTTP request carries the hostname it wants in the Host header. The server matches that header against the ServerName (and ServerAlias) settings of its virtual hosts, so different hostnames select different sites. There are three common ways to configure virtual hosts: 1, name-based virtual hosts (4.3 to 4.9); 2, IP-based virtual hosts (4.10 to 4.12); and 3, port-based virtual hosts.

Then we create a baidu.conf configuration file in the /etc/unbound/local.d/ directory, so that the unbound DNS server on vms001 answers for the test names.

We test from the vms002 host with its DNS server set to 192.168.26.101, and find that the hostnames in the different domains resolve to the same IP address.

We copy the template /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf to the conf.d/ directory under the name vhost.conf.

Fill in the following configuration in the vhost.conf file in the /etc/httpd/conf.d/ directory.

(4.7) In vhost.conf we also need a <Directory> block for the virtual host's /baidu directory, so that the vms001.baidu.com virtual host can be accessed normally; without it the Require all denied that httpd.conf applies to the filesystem root still covers /baidu.

Once any virtual host is configured, the main-server settings no longer answer requests on that address and port: the first <VirtualHost> listed becomes the default. So when the virtual host addresses are put into /etc/httpd/conf.d/vhost.conf, the configuration of the original vms001.example.com host must be written into vhost.conf as well, and listed first if it is to remain the default.

(4.9) At this point, from the vms002 host we can access vms001.example.com and vms001.baidu.com and see the home page of each domain. This is name-based virtual host configuration.

Then we configure IP-based virtual hosts. First add a second address to the network interface (an address added with ip addr add is not persistent; it is lost on reboot unless it is also written to the interface configuration):

# ip addr show dev eno16777728

# ip addr add 192.168.26.110/24 dev eno16777728

# ip addr show dev eno16777728

(4.10) Then we change the IP address of the host in /etc/unbound/local.d/baidu.conf to the new address.

We go to /etc/httpd/conf.d/ and, in vhost.conf, replace the address of each VirtualHost with the IP address that belongs to that virtual host.

Now the vms001.baidu.com virtual host can be accessed normally from vms002, and so can vms001.example.com; with IP-based virtual hosts the server chooses the site by the destination address of the connection rather than by the Host header.
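The selection rule behind both experiments, as an added example that is not part of the article: a model of how httpd picks the <VirtualHost> for one request. The two configurations are constructed to mirror this section (vms001.example.com and vms001.baidu.com on *:80 for the name-based case, and on 192.168.26.101 and 192.168.26.110 for the IP-based case); the ServerAlias *.baidu.com is an assumption added to show wildcard aliases.

```python
import fnmatch

# Constructed configurations, the same sites as in the article.
NAME_BASED = [  # 4.3 to 4.9: <VirtualHost *:80>, sites told apart by the Host header
    {"address": "*:80", "ServerName": "vms001.example.com", "DocumentRoot": "/var/www/html"},
    {"address": "*:80", "ServerName": "vms001.baidu.com", "ServerAlias": ["*.baidu.com"],
     "DocumentRoot": "/baidu"},
]
IP_BASED = [    # 4.10 to 4.12: one address per site, Host header not consulted
    {"address": "192.168.26.101:80", "ServerName": "vms001.example.com", "DocumentRoot": "/var/www/html"},
    {"address": "192.168.26.110:80", "ServerName": "vms001.baidu.com", "DocumentRoot": "/baidu"},
]


def _split_address(vhost):
    """'192.168.26.110:80' -> ('192.168.26.110', '80'); IPv4 addresses only."""
    ip, port = vhost["address"].rsplit(":", 1)
    return ip, port


def _address_matches(vhost, conn_ip, conn_port):
    ip, port = _split_address(vhost)
    return port in ("*", str(conn_port)) and ip in ("*", "_default_", conn_ip)


def _name_matches(vhost, host_header):
    """ServerName is compared literally, ServerAlias may contain wildcards;
    the comparison is case-insensitive and ignores a :port suffix."""
    host = host_header.split(":")[0].lower() if host_header else ""
    if host == vhost["ServerName"].lower():
        return True
    return any(fnmatch.fnmatchcase(host, alias.lower()) for alias in vhost.get("ServerAlias", []))


def select_vhost(vhosts, conn_ip, conn_port, host_header):
    """Model httpd's virtual host selection for one request.

    1. Take the vhosts whose <VirtualHost addr:port> matches the destination
       of the connection; an exact address match wins over the wildcard
       entries (* or _default_), which are used only when nothing exact matches.
    2. Compare the Host header with ServerName / ServerAlias of those candidates.
    3. If none matches (or there is no Host header), the first candidate in
       configuration order is the default for that address and port.
    Returns None when no <VirtualHost> covers the address and port at all.
    """
    matching = [v for v in vhosts if _address_matches(v, conn_ip, conn_port)]
    exact = [v for v in matching if _split_address(v)[0] not in ("*", "_default_")]
    candidates = exact or matching
    if not candidates:
        return None
    for vhost in candidates:
        if _name_matches(vhost, host_header):
            return vhost
    return candidates[0]
```

Two consequences worth checking on a real server: in the name-based configuration, a request with an unknown or missing Host header silently lands on the first vhost (so list the one you want as the default first), and in the IP-based configuration a request to 192.168.26.110 is served from /baidu whatever the Host header says.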

(5) configure HTTPS

Usually when we visit a site, for example browsing Sohu news, we use HTTP, and everything is transmitted in clear text. The news is public, so there is no strong need for confidentiality. But when we visit Alipay, usernames, passwords and account balances are involved, and we do not want those to cross the Internet in the clear, where they could be read or altered. For that we use HTTPS, Hypertext Transfer Protocol Secure: HTTP carried over TLS (the successor of SSL; the SSL protocol versions themselves are obsolete and should be disabled on the server), which encrypts the connection and authenticates the server, normally on port 443. In short, https = http + tls.

Three kinds of cryptographic primitives are involved: symmetric encryption, asymmetric encryption and hash functions. In symmetric encryption the same key encrypts and decrypts: client A (the PC) encrypts the data with key 123 and sends it to client B (the Alipay wallet), and B must use the same key 123 to decrypt it. But how does B obtain key 123? Sent in clear text over the Internet it can be intercepted by an attacker, and read out over the telephone it can be overheard. The difficulty of symmetric encryption is therefore key distribution. Its advantages are speed and, with a modern algorithm and an adequate key length, strong security; its disadvantage is that it cannot by itself transport the key securely. AES is the common symmetric algorithm today; DES, also symmetric, has a 56-bit key, is broken, and should not be used.

Asymmetric encryption uses a key pair: a public key that can be sent openly in clear text and a private key that its owner must keep secret. It has two uses, data encryption and digital signatures. For encryption, the public key encrypts and the private key decrypts. For example, when client A (the PC) sends data to client B (the Alipay wallet), B holds a public and a private key; A obtains B's public key and encrypts the data with it, after which the ciphertext can cross the network openly, because only B can decrypt it with B's private key.

Asymmetric encryption is slow for bulk data, so the usual practice combines the two: client A encrypts the data with a symmetric key 123 and sends the ciphertext to client B over the open network. A then obtains B's public key, encrypts key 123 with it and sends that to B. B decrypts key 123 with B's private key, then uses key 123 to decrypt the data A sent, completing a secure transfer over the Internet.

There is still a gap. When B sends its public key to A, an attacker C sitting in the path can intercept it and send A his own public key C, claiming it is B's. A then encrypts with C's key and sends the data; C decrypts it with his private key, reads the confidential content, re-encrypts it with B's real public key and forwards it to B. A and B believe they are talking directly and never notice C between them: a man-in-the-middle attack.

Because A cannot otherwise know that the public key it received really belongs to B, a digital signature is used: the private key signs and the public key verifies (for RSA this is often described as encrypting with the private key and decrypting with the public key). For example, client A first computes a hash of the file with a hash function, then signs that hash with A's private key and sends the original data together with the signed hash to client B. B verifies the signature with A's public key, recovering the hash; B then hashes the received file itself and compares the two. If they are equal, the data was not modified in transit and was signed by the holder of A's private key.

Because anyone can generate as many key pairs as they like, there is still no way to prove that a given public key belongs to a given party. This is what a Certificate Authority (CA) is for: a trusted third party that vouches for the binding between a public key and its owner. The CA issues a digital certificate to each user of a public key; the certificate proves that the subject named in it legitimately owns the public key listed in it, and the CA's digital signature on the certificate means an attacker cannot forge or tamper with it. The CA is responsible for producing, distributing and managing the certificates used by everyone involved in online transactions, so it is the core of secure electronic commerce. A registration authority (RA) checks the identity of the applicant, and the CA issues the certificate after verification; the certificate contains the applicant's identifying information, the public key and the validity period, and serves as proof of identity online. For example, Alipay generates a key pair, uses the private key to produce a certificate signing request (CSR) containing its public key, and sends the CSR to the CA; after verification the CA issues the certificate. The certificate is essentially Alipay's public key together with its name, signed by the CA.

When the client later connects to Alipay, the two sides negotiate a symmetric algorithm for the bulk data, but the client cannot simply encrypt with its own key 123 and send the data, because Alipay does not yet have key 123. So Alipay first sends the client the certificate issued by the CA. The certificate the browser receives is essentially Alipay's public key carrying the CA's digital signature, and the public keys of the common CAs are built into the browser (or the operating system's trust store). The browser verifies the signature with the built-in CA public key and checks that the name in the certificate matches the site it is visiting; if both pass, this is indeed Alipay's public key. The browser then encrypts key 123 with Alipay's public key and sends it; Alipay decrypts it with its private key, and from then on both sides use key 123 to encrypt and decrypt the traffic. (Modern TLS, including TLS 1.3, derives the session key with an ephemeral Diffie-Hellman exchange rather than by encrypting a key with the server's RSA public key, so that a later compromise of the server's private key does not expose past sessions; the role of the certificate and of the CA signature is the same.)
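The whole chain of reasoning above, key wrapping, signature, CA-issued certificate and the rejection of a substituted key, can be exercised end to end in a few dozen lines. The following is an added example, not part of the article and not the code of any real TLS implementation: textbook RSA without padding and a SHA-256 keystream standing in for AES are used only so the mechanism is visible with the Python standard library, and the 512-bit key size, the name alipay.example and the message are constructed for the demonstration. Nothing here is safe for real traffic; a real server uses TLS as configured in section 5.1.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if is_probable_prime(n):
            return n

def rsa_keygen(bits=512):
    """Return (public, private) as ((n, e), (n, d)). Toy size; real keys are 2048+ bits."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_op(key, m):
    n, exp = key
    return pow(m, exp, n)   # textbook RSA, no padding; same arithmetic for both halves of the pair

def sign(priv, data):
    """Digital signature: hash the data, then apply the private-key operation to the hash."""
    return rsa_op(priv, int.from_bytes(hashlib.sha256(data).digest(), "big"))

def verify(pub, data, sig):
    """Apply the public-key operation to the signature and compare with a fresh hash."""
    return rsa_op(pub, sig) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def stream_xor(key, data):
    """Toy symmetric cipher (stands in for AES): XOR with a SHA-256 keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def cert_body(name, pub):
    return f"{name}|{pub[0]}|{pub[1]}".encode()   # the name/key binding that the CA signs

def issue_cert(ca_priv, name, pub):
    return {"name": name, "pub": pub, "sig": sign(ca_priv, cert_body(name, pub))}  # the CA's job

def client_send(cert, ca_pub, expected_name, plaintext):
    """Browser side: verify the certificate with the built-in CA public key and check the
    name; then wrap a fresh session key under the certified public key and the data under
    the session key. Returns None when the certificate does not check out."""
    if cert["name"] != expected_name:
        return None
    if not verify(ca_pub, cert_body(cert["name"], cert["pub"]), cert["sig"]):
        return None
    session_key = secrets.token_bytes(16)
    wrapped_key = rsa_op(cert["pub"], int.from_bytes(session_key, "big"))
    return wrapped_key, stream_xor(session_key, plaintext)

def server_receive(priv, wrapped_key, ciphertext):
    """Server side: unwrap the session key with the private key, then decrypt the data."""
    session_key = rsa_op(priv, wrapped_key).to_bytes(16, "big")
    return stream_xor(session_key, ciphertext)

def demo():
    """Honest exchange succeeds; a man-in-the-middle who swaps in his own key is rejected."""
    ca_pub, ca_priv = rsa_keygen()
    srv_pub, srv_priv = rsa_keygen()
    atk_pub, _ = rsa_keygen()
    srv_cert = issue_cert(ca_priv, "alipay.example", srv_pub)
    msg = b"user=alice&amount=100"
    wrapped_key, ciphertext = client_send(srv_cert, ca_pub, "alipay.example", msg)
    honest_ok = server_receive(srv_priv, wrapped_key, ciphertext) == msg
    forged = dict(srv_cert, pub=atk_pub)   # attacker's key under the real name: CA signature no longer matches
    mitm_rejected = client_send(forged, ca_pub, "alipay.example", msg) is None
    return honest_ok and mitm_rejected
```

The point of the forged branch is that the attacker can produce any number of key pairs but not the CA's signature over his key bound to Alipay's name, and a certificate the CA really did issue to him fails the name check instead. Both checks, signature and name, are what the browser performs before it trusts the public key it was handed.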

(5.1) Go to /etc/httpd/conf and, with the openssl tool, first create a private key client.key for the server (the "Alipay" side of the example), then a self-signed certificate client.pem containing its public key, and finally the CA private key client.ca. Because this certificate is not signed by a CA built into the browser, browsers will warn about it unless our CA certificate is imported into their trust store; a real site needs a certificate from a public CA.

Go to /etc/httpd/conf.d/ and edit the ssl.conf configuration file (installed by the mod_ssl package) so that SSLCertificateFile and SSLCertificateKeyFile point at the certificate and key just created. Restart the Web service when the configuration is complete; port 443 must also be open in the firewall (the https service enabled in step 1).

(5.3) Test https://www.baidu.com/ access on the vms002 host.

Remember to enable SSL in both vhost.conf and ssl.conf in /etc/httpd/conf.d/ (SSLEngine on in each <VirtualHost *:443> block, each with its own certificate and key), so that the different virtual hosts can be accessed over https. Name-based virtual hosts over TLS depend on Server Name Indication (SNI), by which the client sends the hostname before the server chooses a certificate; the certificate of each host must name that host or the browser will reject it.

Next we try the same with the IP-based virtual hosts: https://vms001.baidu.com can be accessed normally, but https://vms001.example.com cannot. When a TLS virtual host fails like this, /var/log/httpd/ssl_error_log shows which VirtualHost and certificate the server selected for the connection.
