Linux System Engineer -- Apache management and optimization

Posted by xiaix on Tue, 04 Jan 2022 11:20:49 +0100

Linux System Engineer

The system used in the experiment is redhat-rhel8.2.

Linux system management - Apache management and optimization

1, Function and installation of Apache

Web server software
Web access commonly uses the http:// scheme
http://	##Hypertext Transfer Protocol
dnf install httpd.x86_64 -y

2, Enabling Apache

systemctl enable --now httpd					##Start the service and enable it at boot
firewall-cmd --list-all							##View firewall information
firewall-cmd --permanent --add-service=http		##Permanently allow http access in the firewall
firewall-cmd --permanent --add-service=https	##Permanently allow https access in the firewall
firewall-cmd --reload							##Reload the firewall so the settings take effect

vim /var/www/html/index.html					##Edit the welcome page
///
hello
///
172.25.254.109									##Test in browser


#Apache enabled


#Test successful

3, Basic information about Apache

Service Name: httpd

Configuration files:
/etc/httpd/conf/httpd.conf	##Main configuration file
/etc/httpd/conf.d/*.conf	##Sub configuration files

Default publishing Directory:
/var/www/html

Default publish file:
index.html

Default port:
80	##http
443	##https

User:
apache

Logs:
/etc/httpd/logs

4, Basic configuration of Apache

1. Port modification of Apache

vim /etc/httpd/conf/httpd.conf					##Edit the configuration file
///
Listen 8080
///
systemctl restart httpd
netstat -antlupe | grep httpd					##View the listening port

If access through the firewall is needed:
firewall-cmd --permanent --add-port=8080/tcp	##Permanently open port 8080 in the firewall
firewall-cmd --reload
systemctl restart httpd
http://172.25.254.109:8080 						## Browser access

firewall-cmd --permanent --remove-port=8080/tcp	##Remove the port
vim /etc/httpd/conf/httpd.conf					##Restore the configuration file

2. Default publish file

vim /var/www/html/index.html			##Default publish file
///
index.html
///
vim /var/www/html/westos.html			##New publish file
///
westos.html
///

vim /etc/httpd/conf/httpd.conf			##Edit the configuration file
///
DirectoryIndex westos.html index.html	##Serve westos.html first
///
systemctl restart httpd


#In the configuration file, westos.html comes first

#westos.html is served first

[note] if the configuration file does not list westos.html, access it explicitly at http://172.25.254.109/westos.html


#Restore the configuration file to default

#index.html is served by default

#westos.html can also be accessed, but the path must be added

3. Default publishing directory

mkdir /westos_apache					##New publishing directory
vim /westos_apache/index.html			##Edit the publication file of the publication directory
///
westos_apache
///
semanage fcontext -a -t httpd_sys_content_t '/westos_apache(/.*)?'	##Add the security context rule
restorecon -RvvF /westos_apache/		##Apply the security context
vim /etc/httpd/conf/httpd.conf			##Edit the configuration file
///
#DocumentRoot "/var/www/html"			##Comment out the default publishing directory
DocumentRoot "/westos_apache"			##Use the new publishing directory
<Directory "/westos_apache">
        Require all granted				##Grant access
</Directory>
///
systemctl restart httpd

Test:
http://172.25.254.109
#westos_apache

[caution]	After the experiment, comment out the changes and restore the default


#Configuration file modification

#Test access succeeded

#Restore the configuration file

5, Access control of apache

[note] after modifying the configuration file, restart the service

1. Control IP

Experimental preparation:

mkdir /var/www/html/westos
vim /var/www/html/westos/index.html
///
westos/index.html
///

The real machine's IP is 172.25.254.9. Virtual machine a (172.25.254.109) is the server, and virtual machine b (172.25.254.209) is the client.
That is, access is tested with the browsers of the real machine and virtual machine b.

  • Allow access to everyone except host 9
vim /etc/httpd/conf/httpd.conf
///
<Directory "/var/www/html/westos">		##Access control for this directory
        Order Allow,Deny				##Evaluate Allow first, then Deny
        Allow from all					##Allow everyone access
        Deny from 172.25.254.9			##Deny access to host 9
</Directory>
///
systemctl restart httpd

Test:
http://172.25.254.109/westos/
9 -> denied
others -> allowed


#Configuration file modification


#Real machine 9 access failed

#Virtual machine b access succeeded

  • Deny access to everyone except host 9
vim /etc/httpd/conf/httpd.conf
///
<Directory "/var/www/html/westos">
        Order Deny,Allow			##Evaluate Deny first, then Allow
        Deny from all				##Deny everyone access
        Allow from 172.25.254.9		##Allow host 9 access
</Directory>
///
systemctl restart httpd

Test:
http://172.25.254.109/westos/
9 -> allowed
others -> denied

#Configuration file modification


#Real machine 9 successfully accessed

#Virtual machine b access failed
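
How the two Order settings above combine Allow and Deny, as an added example that is not part of the original post. The matches and verdict helpers are hypothetical and model only "all" and exact addresses; on Apache 2.4 these directives are provided by mod_access_compat.

```shell
#!/bin/sh
# Added example: models how Order decides between Allow and Deny matches.
# Lists are space-separated; an entry is "all" or one exact IPv4 address
# (real Apache also accepts networks and host names, not modelled here).

# matches CLIENT LIST -> exit status 0 if the list covers the client
matches() {
    for entry in $2; do
        [ "$entry" = "all" ] && return 0
        [ "$entry" = "$1" ] && return 0
    done
    return 1
}

# verdict ORDER CLIENT ALLOW_LIST DENY_LIST -> prints "allow" or "deny"
verdict() {
    a=no; d=no
    matches "$2" "$3" && a=yes
    matches "$2" "$4" && d=yes
    case "$1" in
        Allow,Deny)
            # Default is deny; a Deny match overrides an Allow match.
            if [ "$a" = yes ] && [ "$d" = no ]; then echo allow; else echo deny; fi ;;
        Deny,Allow)
            # Default is allow; an Allow match overrides a Deny match.
            if [ "$d" = yes ] && [ "$a" = no ]; then echo deny; else echo allow; fi ;;
        *)
            echo "unknown order: $1" >&2; return 2 ;;
    esac
}

# The two configurations from this section, for the real machine and VM b.
for ip in 172.25.254.9 172.25.254.209; do
    echo "$ip except-9=$(verdict Allow,Deny "$ip" all 172.25.254.9)" \
         "only-9=$(verdict Deny,Allow "$ip" 172.25.254.9 all)"
done

# Failure mode: "Allow from all" + "Deny from 172.25.254.9" under
# Order Deny,Allow lets host 9 back in, because Allow is evaluated last.
echo "swapped order, host 9: $(verdict Deny,Allow 172.25.254.9 all 172.25.254.9)"
```
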

2. Control access (username and password)

Experimental preparation:

cd /etc/httpd
htpasswd -cm .htpasswd admin			##Add user and password
#New password:123
#Re-type new password:123
#Adding password for user admin

cat .htpasswd							##View user and encrypted passwords

htpasswd -m .htpasswd admin1
#New password: 123
#Re-type new password: 123
#Adding password for user admin1

ls -a /etc/httpd						##View the hidden file .htpasswd
cat .htpasswd							##View content

[note] when adding another user, use -m; using -cm recreates the file and overwrites the first user

  • Allow admin access only
vim /etc/httpd/conf/httpd.conf
///
<Directory "/var/www/html/westos">
        AuthUserFile /etc/httpd/.htpasswd		##Path to the password file
        AuthName "Please input username and password"
        AuthType basic
        Require user admin						##Allow admin user access
#       Require valid-user						##Commented out; would allow all users in .htpasswd
</Directory>
///
systemctl restart httpd


#Configuration file modification


#admin user access succeeded


#admin1 user access failed

[note] clear the history and cache before logging in with a new user

  • Allow all users in .htpasswd
vim /etc/httpd/conf/httpd.conf
///
#       Require user admin		##Comment out admin-only access
        Require valid-user		##Allow all users in .htpasswd
///
systemctl restart httpd


#When modifying the configuration file, pay attention to the spelling (valid-users -> valid-user) and the position of "#"

#admin user access succeeded

#admin1 user access succeeded
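
Checking which hash scheme each .htpasswd entry uses, as an added example that is not part of the original post: htpasswd -m stores salted MD5 ($apr1$), while htpasswd -B stores bcrypt ($2y$). The audit_htpasswd helper is hypothetical and the sample entries are constructed placeholders.

```shell
#!/bin/sh
# Added example: report the hash scheme of every entry in an htpasswd file.
# The sample entries below are constructed placeholders, not real hashes.

# audit_htpasswd FILE -> prints "user scheme" per entry,
# returns 1 if any entry uses something other than bcrypt.
audit_htpasswd() {
    weak=0
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        case "$hash" in
            '$2y$'*)   scheme=bcrypt ;;                       # htpasswd -B
            '$apr1$'*) scheme=apr1-md5; weak=1 ;;             # htpasswd -m
            '{SHA}'*)  scheme=sha1-unsalted; weak=1 ;;        # htpasswd -s
            *)         scheme=crypt-or-plaintext; weak=1 ;;   # htpasswd -d / -p
        esac
        printf '%s %s\n' "$user" "$scheme"
    done < "$1"
    return "$weak"
}

sample=$(mktemp)
cat > "$sample" <<'EOF'
admin:$apr1$CONSTRUCT$placeholderplaceholder
admin1:$apr1$CONSTRUCT$placeholderplaceholder
deploy:$2y$10$constructedplaceholderconstructedplaceholderconstructed0
EOF
audit_htpasswd "$sample" || echo "weak entries found; re-create them with: htpasswd -B FILE USER"
rm -f "$sample"
```
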

6, apache virtual host

Experimental preparation:

mkdir -p /var/www/vhost/westos.org/{news,music,map}					##Create the publishing directories
echo news.westos.org > /var/www/vhost/westos.org/news/index.html
echo music.westos.org > /var/www/vhost/westos.org/music/index.html
echo map.westos.org > /var/www/vhost/westos.org/map/index.html		##Create the publish files
vim /etc/httpd/conf.d/vhosts.conf				##Virtual host configuration file
///
<VirtualHost _default_:80>
        DocumentRoot /var/www/html				##Publishing directory
        CustomLog logs/default.log combined		##Log path
</VirtualHost>

<VirtualHost *:80>
        ServerName music.westos.org				##Domain name
        DocumentRoot /var/www/vhost/westos.org/music
        CustomLog logs/music.log combined
</VirtualHost>

<VirtualHost *:80>
        ServerName news.westos.org
        DocumentRoot /var/www/vhost/westos.org/news
        CustomLog logs/news.log combined
</VirtualHost>

<VirtualHost *:80>
        ServerName map.westos.org
        DocumentRoot /var/www/vhost/westos.org/map
        CustomLog logs/map.log combined
</VirtualHost>
///
systemctl restart httpd


#Configuration file modification

[note] set up name resolution on whichever machine runs the browser

su - root
vim /etc/hosts					##Name resolution file
///
172.25.254.109 www.westos.org music.westos.org news.westos.org map.westos.org
///
ping map.westos.org

Test:
http://news.westos.org

[note] if the files are correct but the browser shows the content of another domain name, clear the browser cache


#Domain name resolution file



#Access successful

7, Language support for apache

LAMP: Linux + Apache + MySQL + PHP/Perl/Python

1. php

dnf install php.x86_64 -y
systemctl restart httpd
vim /var/www/html/index.php
///
<?php
	phpinfo();
?>
///

Test:
http://172.25.254.109/index.php


#Access successful

2. cgi

cd /var/www/html/
mkdir cgi
cd cgi
vim index.cgi
///
#!/usr/bin/perl
print "Content-type:text/html\n\n";
print `date`;							##`date` runs the date command
										##Note that the symbol is a backtick (`), not a quotation mark
///
chmod +x index.cgi						##Grant execute permission
ls -Zd /var/www/cgi-bin/				##View security context
semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/html/cgi(/.*)?'	##Set the matching security context
restorecon -RvvF /var/www/html/cgi/		##Apply the settings
./index.cgi								##Check that the script runs
##At this point the browser cannot run cgi/index.cgi; only the source code is shown, because the file is not recognized as a script

vim /etc/httpd/conf.d/vhosts.conf		##Virtual host configuration file
///
<Directory "/var/www/html/cgi">
        Options +ExecCGI
        AddHandler cgi-script .cgi		##Both types of files can be identified and executed
</Directory>
///
systemctl restart httpd

Test:
http://172.25.254.109/cgi/index.cgi

[note] if the configuration has no errors, check SELinux and change it to permissive


#Edit publish file

#At this point the browser cannot run cgi/index.cgi; only the source code is shown


#Access successful

3. wsgi

cd /var/www/html/
vim index.wsgi						##Edit publish file
///
def application(env,westos):
  westos('200 ok',[('Content-Type','text/html')])
  return [b'hello westos']
/// 									## Pay attention to indentation
chmod +x index.wsgi					##Give execution permission

dnf search wsgi		
dnf install python3-mod_wsgi.x86_64 -y
systemctl restart httpd

##At this point, opening 172.25.254.109/index.wsgi in the browser pops up a download of index.wsgi

vim /etc/httpd/conf.d/vhosts.conf
///
<VirtualHost *:80>
        ServerName wsgi.westos.org
        WSGIScriptAlias / /var/www/html/index.wsgi
</VirtualHost>
///
systemctl restart httpd

##Domain name resolution
vim /etc/hosts
///
172.25.254.109 www.westos.org music.westos.org news.westos.org map.westos.org wsgi.westos.org
///
ping wsgi.westos.org

Test:
browser
wsgi.westos.org


#Before domain name resolution, the download file will pop up


#Domain name resolution succeeded


#Access successful

8, Encrypted access to apache

Install encryption software
dnf install mod_ssl -y									##Install the encryption module
systemctl restart httpd

mkdir /etc/httpd/tls
openssl req --newkey rsa:2048 -nodes -sha256 -keyout /etc/httpd/tls/westos.org.key -x509 -days 365 -out /etc/httpd/tls/westos.org.crt
///
CN-->Shaanxi-->Xi'an-->WESTOS-->Linux-->www.westos.org-->admin@westos.org
///

############
req														##Certificate request and generation command
--newkey rsa:2048 -nodes								##Generate a new 2048-bit RSA private key, stored unencrypted
-sha256 -keyout /etc/httpd/tls/westos.org.key			##Sign with SHA-256; write the private key to this file
-x509 -days 365 -out /etc/httpd/tls/westos.org.crt		##Write a self-signed x509 certificate valid for 365 days
############

ls /etc/httpd/tls/
mkdir /var/www/vhost/westos.org/login
vim /var/www/vhost/westos.org/login/index.html
///
login.westos.org
///

vim /etc/httpd/conf.d/vhosts.conf
///
<VirtualHost *:443>
        ServerName login.westos.org
        DocumentRoot /var/www/vhost/westos.org/login
        CustomLog logs/login.log combined
        SSLEngine on
        SSLCertificateFile /etc/httpd/tls/westos.org.crt
        SSLCertificateKeyFile /etc/httpd/tls/westos.org.key
</VirtualHost>
///
systemctl restart httpd

############
^(/.*)$						##The path the client entered in the address bar
%{HTTP_HOST}				##Host name requested by the client
$1							##The value captured by the first parenthesized group of the RewriteRule pattern
############

##Domain name resolution
vim /etc/hosts
///
172.25.254.109 www.westos.org music.westos.org news.westos.org map.westos.org wsgi.westos.org login.westos.org
///
ping login.westos.org

Test:
browser
login.westos.org
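
The three pieces explained above belong to a RewriteRule that sends plain-HTTP requests to the TLS virtual host. As an added example that is not part of the original post, the check below lists TLS virtual hosts that have no such redirect; the port-80 virtual host and the tls_names_without_redirect helper are assumptions.

```shell
#!/bin/sh
# Added example. The *:80 virtual host below is an assumed redirect built
# from ^(/.*)$, %{HTTP_HOST} and $1; the sample file is constructed.

# tls_names_without_redirect FILE
# Prints every ServerName that has a *:443 vhost but no *:80 vhost whose
# RewriteRule substitutes an https:// URL.
tls_names_without_redirect() {
    awk '
        /^[ \t]*<VirtualHost[ \t]/ { tls = ($0 ~ /:443>/); name = ""; rw = 0 }
        tolower($1) == "servername" { name = $2 }
        tolower($1) == "rewriterule" && $3 ~ /^https:\/\// { rw = 1 }
        /^[ \t]*<\/VirtualHost>/ {
            if (tls) secure[name] = 1
            else if (rw) redirected[name] = 1
        }
        END { for (n in secure) if (!(n in redirected)) print n }
    ' "$1" | sort
}

conf=$(mktemp)
# The login vhost from this section: reachable over TLS only.
cat > "$conf" <<'EOF'
<VirtualHost *:443>
        ServerName login.westos.org
        DocumentRoot /var/www/vhost/westos.org/login
        SSLEngine on
</VirtualHost>
EOF
echo "missing redirect before: $(tls_names_without_redirect "$conf")"

# ^(/.*)$ captures the requested path; $1 replays it after the https host.
cat >> "$conf" <<'EOF'
<VirtualHost *:80>
        ServerName login.westos.org
        RewriteEngine on
        RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>
EOF
echo "missing redirect after: $(tls_names_without_redirect "$conf")"
rm -f "$conf"
```
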
