|
RPM包格式安装配置LAMP,提供两个虚拟主机,一个用于wordpress,一个用于phpMyAdmin,为后一个提供ssl访问方式. 一、首先用Yum 安装这几个软件:httpd, php, php-mysql, mysql-server 就可以了: # yum install -y php php-mysql mysql-server # service httpd start 安装好后就可以启动httpd服务了 创建2个虚拟主机的index.html 的主文件 # mkdir /vhosts/a.com/htdocs -pv # mkdir /vhosts/b.org/htdocs -pv # vim /vhosts/a.com/htdocs/index.html <h1>www.a.com</h1> 添加此内容; # vim /vhosts/b.org/htdocs/index.html <h1>www.b.org</h1> 添加此内容; # service httpd reload 重新载入服务 配置虚拟: # vim /etc/httpd/conf/httpd.conf 首先关闭’Main’server注释掉DocumentRoot指令即可; #DocumentRoot "/var/www/html" 因为要做两个虚拟主机,所有下面这一项必须启动起来; NameVirtualHost 172.16.8.101:80 然后在httpd.conf的最下方添加一下内容,来增加2个基于FQDN虚拟主机: <VirtualHost 172.16.8.101:80> ServerName www.a.com DocumentRoot /vhosts/a.com/htdocs/ </VirtualHost> <VirtualHost 172.16.8.101:80> ServerName www.b.or DocumentRoot /vhosts/b.org/htdocs/
</VirtualHost> 然后在/etc/hosts 文件中添加这两条记录即可访问了; 172.16.8.101 www.a.com a.com 172.16.8.101 www.b.org b.org
# httpd -t 检查配置文件中是否有语法错误; # service httpd restart 重新启动现在就可以基于FQDN来访问了; 如果想在windows 系统上访问最好去C:\Windows\System32\drivers\etc/hosts 文件中添加以下内容:就可以实现在Windows 下进行访问; 172.16.8.101www.a.com 172.16.8.101www.b.org
www.a.com用于wordpress,因为之前已经安装好了php包所以现在直接可以加载到php页面;
# cd /vhost/a.com/htdocs
# mv index.html index.php
修改成如下内容:
<h1>www.a.com</h1>
<?php
phpinfo();
?>
然后就可以通过浏览器访问到一下内容了:
然后可以直接用php 连接至MySQL服务器,需要安php-mysql 和mysql-server包;然后编辑 vim index.php
# vim index.php
<h1>www.a.com</h1>
<?php
$conn = mysql_connect('127.0.0.1','root','');
if ($conn)
echo "OK";
else
echo "Failure";
mysql_close($conn);
?>
然后启动mysql 服务:再访问www.a.com
# service mysqld start
这表示php已经可以联系到mysql服务器了;
现在就可以来安装 wordpress :
# cd /vhosts/a.com/htdocs/ 一定要下载到这个目录下面,要不然会访问不到wordpress
先去ftp服务器上下载安装包:
lftp 172.16.0.1:/pub/Sources/5.i386/new_lamp> mget wordpress-3.3.1-zh_CN.zip
4657514 bytes transferred
因为 wordpress 是zip 压缩的;所有解压缩的时候,要用unzip ;
# unzip wordpress-3.3.1-zh_CN.zip
# cd wordpress
# cp wp-config-sample.php wp-config.php
现在来访问 www.a.com/wordpress/ 会出现以下内容:
现在来编辑#vim wp-config.php修改为下面内容:
现在需要到数据库中创建用户和表,以及创建用户密码:
# mysql
mysql> CREATE DATABASE wpdb;
还必须授权用户能够访问数据库;
mysql> GRANT ALL ON wpdb.* TO 'wpuser'@'127.0.0.1' IDENTIFIED BY 'wppass';
Query OK, 0 rows affected (0.00 sec)
可能主机还要做反向解析;
mysql> GRANT ALL ON wpdb.* TO 'wpuser'@'localhost' IDENTIFIED BY 'wppass';
通知mysql 服务器重读授权表:
mysql> FLUSH PRIVILEGES;
退出数据库:
mysql> quit
此时 wordpress 可以访问了:
修改为如下:
此时再输入http://www.a.com/wordpress/就可以正常访问 MyBlog 了
现在来构建phpMyAdmin ,它是基于php平台,来管理mysql的界面程序;
我们把它构建到 www.b.org 下面:
# cd /vhosts/b.org/htdocs/
# lftp 172.16.0.1/pub/
lftp 172.16.0.1:/pub/Sources/sources/php> mget phpMyAdmin-4.0.5-all-languages.zip
# unzip phpMyAdmin-4.0.5-all-languages.zip
# ln -sv phpMyAdmin-4.0.5-all-languages pma
此时可以在浏览器中进行访问,会出现以下内容:
因为是中文界面;需要添加额外的扩展:
# yum install php-mbstring -y
# service httpd reload
在进行访问: www.b.org/pmb 就会出现登入界面了;
可以使用我们之前创建的 wpuser 登录:
此时数据库管理员的密码为空,(空密码是不能登录的)。此时只能登录到mysql服务器中修改管理员的密码:有可能密码会有2个:
mysql> SET PASSWORD FOR 'root'@'localhost'= PASSWORD('blue');
mysql> SET PASSWORD FOR 'root'@'127.0.0.1'= PASSWORD('blue');
mysql> FLUSH PRIVILEGES; 重读授权表,让密码生效;
此时再登录www.b.org/pma/ 就可以用管理员账号登录了:
把www.b.org变成ssl访问的方式:
构建一个私有CA:172.16.8.100 当做CA 的签证机构,然后172.16.8.101去申请证书:
1、生成私钥
[iyunv@localhost ~]# cd /etc/pki/CA/
[iyunv@localhost CA]# ls
certs crl newcerts private
[iyunv@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
....................+++
..........................................................+++
e is 65537 (0x10001)
[iyunv@localhost CA]# ll private/
total 4
-rw------- 1 root root 1679 May 2 15:27 cakey.pem 生成cdkey的文件
2、生成自签署证书;
[iyunv@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:Blue
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.blue.com
Email Address []:cadmin@blue.com
[iyunv@localhost CA]# ll
total 20
-rw-r--r-- 1 root root 1371 May 2 15:35 cacert.pem
-new:生成新的证书签署请求;
-key: 私钥文件路径,用于提取公钥;
-days N: 证书有效时长,单位为“天”;
-out:输出文件保存位置;
-x509:直接输出自签署的证书文件,通常只有构建CA时才这么用;
3、提供辅助文件:
# touch /etc/pki/CA/index.txt创建数据库索引文件;
# echo 01 > /etc/pki/CA/serial序列号;
172.16.8.101向服务器申请证书:
在证书申请的主机上进行如下步骤;
(1)生成私钥;
# cd /etc/httpd/ # mkdir ssl # cd ssl/ # (umask 077;openssl genrsa -out httpd.key 1024)生成密钥: Generating RSA private key, 1024 bit long modulus ....++++++ ......++++++ e is 65537 (0x10001) # ll total 4 -rw------- 1 root root 887 May 2 16:05 httpd.key (2)生成证书签署请求;
[iyunv@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:HB Locality Name (eg, city) [Default City]:WH Organization Name (eg, company) [Default Company Ltd]:Blue Organizational Unit Name (eg, section) []:Ops Common Name (eg, your name or your server's hostname) []: www.b.org Email Address []:webadmin@blue.com ↑要跟被互联网访问的主机名保持一致 Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:←可以加密,就算被别人获取到也需要密码才能看到; An optional company name []: [iyunv@localhost ssl]# ll total 8 -rw-r--r-- 1 root root 676 May 2 16:08 httpd.csr -rw------- 1 root root 887 May 2 16:05 httpd.key (3)把请求发送给CA;
[iyunv@localhost ssl]# scp httpd.csr root@172.16.8.100:/tmp
root@172.16.8.100's password:
httpd.csr 100% 676 0.7KB/s 00:00
2、CA签发证书
(1)验证请求者信息
(2)签署证书
[iyunv@localhost tmp]# openssl ca -in httpd.csr -out httpd.crt -days 36500
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 2 08:34:30 2015 GMT
Not After : Apr 8 08:34:30 2115 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = Blue
organizationalUnitName = Ops
commonName = www.b.org
emailAddress = webadmin@blue.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
88:87:8F:A1:CC:CC:38:FD:33:61:DE:22:C4:0D:3F:C0:C4:F3:3F:31
X509v3 Authority Key Identifier:
keyid:78:1B:5E:39:51:FD:C2:F8:12:92:5D:16:5C:B2:04:09:BA:DE:42:FC
Certificate is to be certified until Apr 8 08:34:30 2115 GMT (36500 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[iyunv@localhost tmp]# ls
hsperfdata_root httpd.crt httpd.csr
(3)把签署好的证书发还给请求者
[iyunv@localhost tmp]# scp httpd.crt root@172.16.8.101:/etc/httpd/ssl
The authenticity of host '172.16.8.101 (172.16.8.101)' can't be established.
RSA key fingerprint is e9:2e:db:0f:19:22:86:0c:e8:d8:2c:28:37:16:04:1c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.8.101' (RSA) to the list of known hosts.
root@172.16.8.101's password:
httpd.crt 100% 3793 3.7KB/s 00:00
172.16.8.101 的/etc/httpd/ssl 就有已经签署好的证书了;
[iyunv@localhost ssl]# ls
httpd.crt httpd.csr httpd.key
注意:SSL会话是基于IP地址创建;所以单IP的主机上,仅可以使用一个https虚拟主机;
配置httpd支持使用ssl,及使用的证书;
httpd 默认是不支持SSL的; # httpd -M | grep ssl
# yum -y install mod_ssl安装支持ssl 的模块;
# rpm -ql mod_ssl
# cd /etc/httpd/conf.d
# cp ssl.conf{,.bak}
# vim ssl.conf
找到这一项:并修改:
<VirtualHost 172.16.8.101:443>
启用这两项:并修改:
基于虚拟主机访问:应该要与要设定为ssl的那个虚拟主机的FQDN保持一致;
DocumentRoot "/vhosts/b.org/htdocs"
ServerName www.b.org:443
指定在SSL会话中使用的证书文件:
SSLCertificateFile /etc/httpd/ssl/httpd.crt
指定自己的私钥文件:
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
# httpd -t 检查语法;
# service httpd restart重启httpd 服务来重新读取信息;
# ss -tnl 查看443端口是否开启;
(3)测试使用基于https访问相应的主机;
把CA的证书复制到web 服务器端来进行验证;
[iyunv@localhost CA]# scp cacert.pem 172.16.8.101:/tmp
root@172.16.8.101's password:
cacert.pem 100% 1371 1.3KB/s 00:00
[iyunv@localhost conf.d]# openssl s_client -connect www.b.org:443 -CAfile /tmp/cacert.pem
CONNECTED(00000003)
depth=1 C = CN, ST = HB, L = WH, O = Blue, OU = Ops, CN = ca.blue.com, emailAddress = cadmin@blue.com
verify return:1
depth=0 C = CN, ST = HB, O = Blue, OU = Ops, CN = www.b.org, emailAddress = webadmin@blue.com
verify return:1
---
Certificate chain
0 s:/C=CN/ST=HB/O=Blue/OU=Ops/CN=www.b.org/emailAddress=webadmin@blue.com
i:/C=CN/ST=HB/L=WH/O=Blue/OU=Ops/CN=ca.blue.com/emailAddress=cadmin@blue.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDWzCCAkOgAwIBAgIBATANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJDTjEL
MAkGA1UECAwCSEIxCzAJBgNVBAcMAldIMQ0wCwYDVQQKDARCbHVlMQwwCgYDVQQL
Start Time: 1430559707
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
此时CA验证成功;
此时就可以用 https://www.bog,这就是基于https访问相应的主机;
| 
QQ群⑧:
窥视卡
雷达卡
发表于 2015-5-4 08:44:57
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡