lamp 基于rpm包环境搭建,以及https的实现
1 搭建开始 环境准备开始:1
2
# service httpd24 stop # 关闭此前编译的2.4
# yum install -y php
php和httpd结合的方式是模块化的:
1
2
3
4
5
# rpm -ql php
/etc/httpd/conf.d/php.conf
/usr/lib64/httpd/modules/libphp5.so # 就这个模块
/var/lib/php/session
/var/www/icons/php.gif
既然是模块,就无需启动服务,启动httpd即可
1
2
3
4
5
# service httpd start
# /usr/sbin/httpd -M|grep php
httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
php5_module (shared) # 模块已加载
Syntax OK
使用浏览器访问IP地址: 测试php是否已经启动:
1
2
3
4
5
6
7
8
9
# cd /vhosts/a.com/htdocs/
# mv index.html index.php
# vim index.php
<h1>www.a.com</h1> # 在此行下面添加测试代码
<?php
phpinfo();
?>
<h2>PHP Test Page</h2>
刷新浏览器,出现一堆信息: php解释器不会和数据库打交道,和数据库打交道的是php应用程序本身,但是这种打交道是通过驱动完成的。这种驱动php和MySQL都有提供。安装驱动:
1
2
# yum install -y php-mysql
# service httpd reload
刷新浏览器可以看到结果:
Additional .ini files parsed
/etc/php.d/curl.ini, /etc/php.d/fileinfo.ini, /etc/php.d/json.ini, /etc/php.d/mysql.ini, /etc/php.d/mysqli.ini, /etc/php.d/pdo.ini, /etc/php.d/pdo_mysql.ini, /etc/php.d/pdo_sqlite.ini, /etc/php.d/phar.ini, /etc/php.d/sqlite3.ini, /etc/php.d/zip.ini
安装mysql服务器端:
1
2
3
# yum install -y mysql-server
# service mysqld start
# ss -tunl|grep :3306
测试mysql确实启动:
1
2
3
4
5
6
7
8
9
10
11
12
# vim index.php
<h1>www.a.com</h1>
<?php
$conn = mysql_connect('127.0.0.1','root','');
if ($conn)
echo "OK";
else
echo "Failure";
mysql_close($conn);
?>
刷新浏览器显示OK,lamp环境就这样简单的搭建起来了。
2 WordPress搞起
1
2
3
4
5
6
7
8
9
10
11
# unzip wordpress-3.3.1-zh_CN.zip
# cd wordpress
# vim wp-config-sample.php # 修改三项
define('DB_NAME', 'wpdb');
/** MySQL 数据库用户名 */
define('DB_USER', 'wpuser');
/** MySQL 数据库密码 */
define('DB_PASSWORD', 'wppass');
# cp wp-config-sample.php wp-config.php
建立数据库:
1
2
3
4
5
# mysql
mysql> CREATE DATABASE wpdb;
mysql> GRANT ALL ON wpdb.* TO 'wpuser'@'127.0.0.1' IDENTIFIED BY 'wppass';
mysql> GRANT ALL ON wpdb.* TO 'wpuser'@'localhost' IDENTIFIED BY 'wppass';
mysql> FLUSH PRIVILEGES;
浏览器访问http://172.16.45.10/wordpress/就能出现安装界面3 phpMyAdmin搞起
1
2
3
4
5
# unzip phpMyAdmin-4.0.5-all-languages.zip
# ln -s phpMyAdmin-4.0.5-all-languages pma
# cd pma/
# yum install php-mbstring –y # 多字节字串,为了支持中文需要启动此功能
# service httpd reload
浏览器访问http://172.16.45.10/pma/ 给mysql root设置密码:
1
2
3
mysql> SET PASSWORD FOR 'root'@'localhost'=PASSWORD('123456');
mysql> SET PASSWORD FOR 'root'@'127.0.0.1'=PASSWORD('123456');
mysql> FLUSH PRIVILEGES;
可以使用root身份登录了
4 搞两个虚拟主机
1
2
3
4
5
6
7
8
9
10
11
12
# vim /etc/httpd/conf/httpd.conf
#DocumentRoot "/var/www/html" # 注释掉
NameVirtualHost *:80 # 将这行注释取消
<VirtualHost *:80>
servername www.a.com
documentroot /vhosts/a.com/htdocs/
</virtualhost>
<VirtualHost *:80>
servername www.c.net
documentroot /vhosts/c.net/htdocs
</virtualhost>
5 配置httpd支持https1、为服务器申请数字证书(a) 为了测试,创建私有CA
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# cd /etc/pki/CA/ # 另开一个虚拟机
# (umask 077; openssl genrsa -out private/cakey.pem 2048) # 创建私钥
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 10000
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:HA
Locality Name (eg, city) :ZZ
Organization Name (eg, company) :MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
# 此证书需要共享给其他用户,因为需要此证书里面的公钥做验证。
# touch index.txt
# echo 01 > serial
(b) 在服务器创建证书签署请求
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# cd /etc/httpd/
# mkdir ssl
# cd ssl/
# (umask 077; openssl genrsa -out httpd.key 1024)
# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:HA
Locality Name (eg, city) :ZZ
Organization Name (eg, company) :MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# scp httpd.csr root@172.16.45.1:/tmp # 将请求发给CA
(c) CA签证
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# cd /tmp/
# openssl ca -in httpd.csr -out httpd.crt -days 3653
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 25 17:27:07 2015 GMT
Not After : Apr 25 17:27:07 2025 GMT
Subject:
countryName = CN
stateOrProvinceName = HA
organizationName = MageEdu
organizationalUnitName = Ops
commonName = www.a.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
56:8C:DA:7F:FE:18:59:C5:C4:82:C8:20:30:88:8B:BF:1F:8C:6A:67
X509v3 Authority Key Identifier:
keyid:C5:77:A0:E0:54:72:42:99:83:0D:7A:F8:53:6D:24:E4:CF:6D:CA:30
Certificate is to be certified until Apr 25 17:27:07 2025 GMT (3653 days)
Sign the certificate? :y
1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated
# scp httpd.crt 172.16.45.10:/etc/httpd/ssl/ # 将签署好的证书发回
2、配置httpd支持使用ssl,及使用的证书。但是http默认是不支持ssl的,使用httpd -M|grep ssl命令是没有结果的。因此需要安装mod_ssl这个支包。
1
2
3
4
5
6
7
8
# yum -y install mod_ssl
# rpm -ql mod_ssl # 查看该包生成的文件
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so # 模块文件
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir # 缓存功能,加速ssl握手过程
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
编辑配置文件后,重启监听443端口
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# cp /etc/httpd/conf.d/ssl.conf{,.bak}
# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost *:443>
ServerName www.a.com:443 # 虚拟主机的主机名
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log # 二进制格式
LogLevel warn
SSLEngine on # ssl功能的总开关
SSLProtocol all -SSLv2 # 不使用ssl v2版
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW # 加密的算法
SSLCertificateFile /etc/httpd/ssl/httpd.crt # 签署好的证书文件
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key # 私钥文件
</VirtualHost>
# httpd -t
# service httpd restart
3、测试基于https访问相应的主机# openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]:s_client可以将自己扮演成客户端
1
2
# scp /etc/pki/CA/cacert.pem 172.16.45.10:/tmp # 将CA的证书发给扮演的客户端,用来验证服务器的证书
# openssl s_client -connect www.a.com:443 -CAfile /tmp/cacert.pem
在windows上测试:使用浏览器直接访问IP地址https://172.16.45.10,出现警告,因为没有使用域名访问并且该CA不被信任。 将CA变为受信任的机构:把CA的证书发送到windows桌面并更名为cacert.crt后,就能安装了。安装完成后,编辑hosts文件,添加172.16.45.10 www.a.com,最后重启浏览器再次进行访问就没问题了。
页:
[1]