Article from 澳门新葡亰官网, 2019-11-20 12:39

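Compiling and installing httpd, with some security hardening

System version: CentOS 6.9

Preface

I haven't posted anything new for a while, so today here is some practical material. Without further ado, let's get to work!

Software packages

Environment preparation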

centos7.5
apr-1.6.3.tar.gz 
apr-util-1.6.1.tar.gz     
httpd-2.4.34.tar.bz2                
php-7.1.18.tar.bz2
mariadb-10.2.16-linux-x86_64.tar.gz 
wordpress-4.9.4-zh_CN.tar.gz

apr-1.6.2.tar.gz
apr-util-1.6.0.tar.gz
httpd-2.4.27.tar.bz2
mariadb-5.5.57-linux-x86_64.tar.gz
php-5.6.31.tar.bz2
wordpress-4.8.1-zh_CN.zip

Compiling HTTP

Compiling and installing httpd

1. Install the package group and related packages

yum groupinstall "development tools"
yum install pcre-devel openssl-devel expat-devel

 

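Preparation
Compiling software requires the Development tools package group. Building httpd also depends on three devel packages (openssl-devel, pcre-devel and expat-devel); install them in advance to avoid errors during the build.

2. Create the user and extract the archives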

useradd  -r -s /sbin/nologin apache 
tar xf httpd-2.4.34.tar.bz2 
tar xf apr-1.6.3.tar.gz 
tar xf apr-util-1.6.1.tar.gz 

 

[root@6mini ~]# yum groupinstall "Development tools"
[root@6mini ~]# yum install openssl-devel pcre-devel expat-devel

3. Move the apr directories

mv apr-1.6.3 httpd-2.4.34/srclib/apr
mv apr-util-1.6.1 httpd-2.4.34/srclib/apr-util

 

Extract apr-1.6.2.tar.gz, apr-util-1.6.0.tar.gz and httpd-2.4.27.tar.bz2; copy apr-1.6.2 into httpd-2.4.27 and rename it apr, then copy apr-util-1.6.0 into httpd-2.4.27 and rename it apr-util

4. Compile from source

cd httpd-2.4.34/

./configure --prefix=/app/httpd24 \
--enable-so \
--enable-ssl \
--enable-cgi \
--enable-rewrite \
--with-zlib \
--with-pcre \
--enable-modules=most \
--enable-mpms-shared=all \
--with-mpm=prefork \
--with-included-apr

make && make install 

 

[root@6mini ~]# tar xvf apr-1.6.2.tar.gz 
[root@6mini ~]# tar xvf apr-util-1.6.0.tar.gz 
[root@6mini ~]# tar xvf httpd-2.4.27.tar.bz2 

5. Set the environment variable

echo 'PATH=/app/httpd24/bin:$PATH' > /etc/profile.d/lamp.sh

 

Compile and install httpd and configure the environment variable

6. Edit the configuration file

vim /app/httpd24/conf/httpd.conf

user apache
group apache


Uncomment the following lines
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so

Add index.php to the following line
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>

Add the sub-configuration file
Include conf/extra/php.conf

 

[root@6mini httpd-2.4.27]# ./configure --prefix=/app/httpd24 \
--enable-so --enable-ssl --enable-rewrite --with-zlib --with-pcre \
--with-included-apr --enable-modules=most \
--enable-mpms-shared=all --with-mpm=prefork
[root@6mini httpd-2.4.27]# make -j 2 && make install

[root@6mini httpd-2.4.27]# vim /etc/profile.d/lamp.sh
PATH=/app/httpd24/bin/:$PATH

[root@6mini httpd-2.4.27]# . /etc/profile.d/lamp.sh
[root@6mini httpd-2.4.27]# echo $PATH

7. Edit the sub-configuration file

vim  /app/httpd24/conf/extra/php.conf

Add the following content
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

ProxyRequests Off
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/app/httpd24/htdocs/$1

 

Create the httpd startup script
Copy the httpd startup script from another host to this host and rename it httpd24

8. Start the service

apachectl

 

 

[root@MiniLinux ~]#scp /etc/init.d/httpd 192.168.163.105:/etc/init.d/
The authenticity of host '192.168.163.105 (192.168.163.105)' can't be established.
RSA key fingerprint is b5:df:3d:28:80:8e:d4:81:3b:f2:56:81:77:6d:7d:8a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.163.105' (RSA) to the list of known hosts.
root@192.168.163.105's password: 
httpd                                                      100% 3488     3.4KB/s   00:00

[root@6mini httpd-2.4.27]# mv /etc/init.d/httpd /etc/init.d/httpd24

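Binary installation of MySQL

Start httpd24
Modify the httpd24 startup configuration file

1. The detailed installation procedure was covered in earlier posts, so here are just the commands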

useradd -r -s /sbin/nologin mysql

tar xvf mariadb-10.2.16-linux-x86_64.tar.gz  -C /usr/local/

cd /usr/local/

ln -s mariadb-10.2.16-linux-x86_64/ mysql

chown -R mysql.mysql mysql/

mkdir /app/mysql

chown mysql.mysql /app/mysql

cd /usr/local/mysql/

scripts/mysql_install_db  --datadir=/app/mysql --user=mysql

mkdir /etc/mysql/  

cp support-files/my-huge.cnf  /etc/mysql/my.cnf

vim /etc/mysql/my.cnf

datadir=/app/mysql 

cp support-files/mysql.server  /etc/init.d/mysqld

chkconfig --add mysqld

chkconfig --list

service mysqld start

vim /etc/profile.d/lamp.sh 

PATH=/app/httpd24/bin:/usr/local/mysql/bin:$PATH

mysql -e "create database wpdb;grant all on wpdb.* to wpuser@'localhost' identified by 'centos'"

 

Note: at this point you can run the MySQL security script for some security hardening; see https://www.cnblogs.com/xsuid/p/9368389.html

 

[root@6mini httpd-2.4.27]#vim /etc/init.d/httpd24

apachectl=/app/httpd24/bin/apachectl
httpd=${HTTPD-/app/httpd24/bin/httpd}
prog=httpd
pidfile=${PIDFILE-/app/httpd24/logs/httpd.pid}
lockfile=${LOCKFILE-/var/lock/subsys/httpd24}

Compiling and installing PHP

Add httpd24 to the service list

1. Install packages and extract the archive

yum install libxml2-devel bzip2-devel libmcrypt-devel

tar xvf php-7.1.18.tar.bz2 

 

[root@6mini httpd-2.4.27]#chkconfig --add httpd24
[root@6mini httpd-2.4.27]#chkconfig --list
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
blk-availability    0:off   1:on    2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd24         0:off   1:off   2:off   3:off   4:off   5:off   6:off

2. Compile from source

cd php-7.1.18/
./configure --prefix=/app/php \
--enable-mysqlnd \
--with-mysqli=mysqlnd \
--with-openssl \
--with-pdo-mysql=mysqlnd \
--enable-mbstring \
--with-freetype-dir \
--with-jpeg-dir \
--with-png-dir \
--with-zlib \
--with-libxml-dir=/usr \
--enable-xml \
--enable-sockets \
--enable-fpm \
--with-config-file-path=/etc \
--with-config-file-scan-dir=/etc/php.d \
--enable-maintainer-zts \
--disable-fileinfo

make -j 4 && make install

 

Disable the firewall and SELinux

3. Environment variable

vim  /etc/profile.d/lamp.sh
PATH=/app/php/bin:/app/httpd24/bin:/usr/local/mysql/bin:$PATH

 

[root@6mini httpd-2.4.27]#iptables -F
[root@6mini httpd-2.4.27]#iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

[root@6mini httpd-2.4.27]#vim /etc/selinux/config
SELINUX=disabled
[root@6mini httpd-2.4.27]#setenforce 0
[root@6mini httpd-2.4.27]#getenforce 
Permissive

4. PHP settings

cp php.ini-production /etc/php.ini
cp sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm
PHP configuration file

chmod +x /etc/init.d/php-fpm
chkconfig --add php-fpm
chkconfig php-fpm on
Startup script

cd /app/php/etc
cp php-fpm.conf.default php-fpm.conf
cp php-fpm.d/www.conf.default php-fpm.d/www.conf
PHP FastCGI configuration files; adjust them as needed


 

Check that /app/httpd24/logs/ has been created

5. Start the service

service php-fpm start

 

[root@6mini httpd-2.4.27]#ll /app/httpd24/logs/
total 8
-rw-r--r--. 1 root root   0 Oct 16 16:37 access_log
-rw-r--r--. 1 root root 246 Oct 16 16:37 error_log
-rw-r--r--. 1 root root   6 Oct 16 16:37 httpd.pid

Installing WordPress

tar xvf wordpress-4.9.4-zh_CN.tar.gz

cp -a wordpress/* /app/httpd24/htdocs/

cd /app/httpd24/htdocs/

mv wp-config-sample.php wp-config.php 

vim wp-config.php

Change these settings to match the MySQL details created above

 

Use curl to check that httpd works properly

Appendix: implementing virtual hosts

Edit the file
vim /etc/httpd/conf.d/vhosts.conf
DirectoryIndex  index.php
<VirtualHost *:80>
ServerName www.pma.com
DocumentRoot /var/www/html/
ProxyRequests Off
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/var/www/html/pma/$1
<Directory "/var/www/html">
Require all granted
</Directory>
</VirtualHost>

<VirtualHost *:80>
ServerName www.wordpress.com
DocumentRoot /var/www/html/
ProxyRequests Off
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/var/www/html/wordpress/$1
<Directory "/var/www/html">
Require all granted
</Directory>
</VirtualHost>

<VirtualHost *:80>
ServerName www.forum.com
DocumentRoot /var/www/html/
ProxyRequests Off
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/var/www/html/forum/$1
<Directory "/var/www/html">
Require all granted
</Directory>
</VirtualHost>
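
Added example, not part of the original post: the ProxyPassMatch lines in php.conf and vhosts.conf decide which request paths are handed to php-fpm, and a dot left unescaped before "php" makes the pattern match paths that do not end in .php. The script below compares the two forms and flags the loose one in a config file; the function names and the sample config are constructed for illustration, and grep -E is assumed to behave like Apache's regex engine for these simple patterns.

```shell
#!/bin/sh
# Assumption: grep -E (POSIX ERE) stands in for Apache's regex engine;
# for the simple patterns used here both give the same answer.

# would_proxy REGEX PATH -> exit 0 if PATH would be handed to php-fpm
would_proxy() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# loose_patterns FILE -> print "line:regex" for every ProxyPassMatch whose
# regex reaches "php" through an unescaped dot (".php" instead of "\.php")
loose_patterns() {
    awk 'tolower($1) == "proxypassmatch" && $2 ~ /[^\\]\.php/ { print NR ":" $2 }' "$1"
}

# Constructed sample: line 2 uses the loose form, line 3 the escaped form.
sample_conf() {
    cat <<'EOF'
ProxyRequests Off
ProxyPassMatch ^/(.*.php)$ fcgi://127.0.0.1:9000/app/httpd24/htdocs/$1
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/app/httpd24/htdocs/$1
EOF
}

# compare PATH -> report which of the two patterns would proxy PATH
compare() {
    loose='^/(.*.php)$'
    strict='^/(.*\.php)$'
    l=no
    s=no
    if would_proxy "$loose" "$1"; then l=yes; fi
    if would_proxy "$strict" "$1"; then s=yes; fi
    printf '%s loose=%s strict=%s\n' "$1" "$l" "$s"
}

conf=$(mktemp) && sample_conf > "$conf"
echo "loose ProxyPassMatch lines:"
loose_patterns "$conf"
for p in /index.php /blog/wp-login.php /notes-php /export_php /readme.html; do
    compare "$p"
done
rm -f "$conf"
```

Run loose_patterns against conf/extra/php.conf and the vhosts file after editing them; no output means every pattern escapes the dot.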

 

 

[root@6mini httpd-2.4.27]#curl 192.168.163.105
<html><body><h1>It works!</h1></body></html>

Closing: more to come

Binary installation of MariaDB

Extract the binary package into /usr/local/, then rename the extracted mariadb directory to mysql or create a symlink named mysql

[root@6mini local]#tar xvf mariadb-5.5.57-linux-x86_64.tar.gz -C /usr/local/
[root@6mini ~]#cd /usr/local/
[root@6mini local]#ls
bin  etc  games  include  lib  lib64  libexec  mariadb-5.5.57-linux-x86_64  sbin  share  src
[root@6mini local]#ln -s mariadb-5.5.57-linux-x86_64/ mysql
[root@6mini local]#ls
bin  games    lib    libexec                      mysql  share
etc  include  lib64  mariadb-5.5.57-linux-x86_64  sbin   src

Edit the environment variable configuration file and add the mysql path to it

[root@6mini local]#vim /etc/profile.d/lamp.sh 
PATH=/app/httpd24/bin/:/usr/local/mysql/bin/:$PATH
[root@6mini local]#. /etc/profile.d/lamp.sh 
[root@6mini local]#echo $PATH

Create the mysql user as a system user, with /app/mysqldb as its home directory

[root@6mini local]#useradd -r -m -d /app/mysqldb -s /sbin/nologin mysql
[root@6mini local]#getent passwd mysql
mysql:x:498:498::/app/mysqldb:/sbin/nologin

[root@6mini app]#ll -d mysqldb/
drwx------. 2 mysql mysql 4096 Oct 16 17:10 mysqldb/

Run the scripts/mysql_install_db script to generate the mysql files, specifying /app/mysqldb/ as the directory and mysql as the user

[root@6mini mysql]#scripts/mysql_install_db --datadir=/app/mysqldb/ --user=mysql
[root@6mini mysqldb]#ll /app/mysqldb/
total 32
-rw-rw----. 1 mysql mysql 16384 Oct 16 17:21 aria_log.00000001
-rw-rw----. 1 mysql mysql    52 Oct 16 17:21 aria_log_control
drwx------. 2 mysql root   4096 Oct 16 17:21 mysql
drwx------. 2 mysql mysql  4096 Oct 16 17:21 performance_schema
drwx------. 2 mysql root   4096 Oct 16 17:21 test

Create the mysql configuration file

[root@6mini mysql]#mkdir /etc/mysql
[root@6mini mysql]#cp support-files/my-large.cnf /etc/mysql/my.cnf
[root@6mini mysql]#vim /etc/mysql/my.cnf
[mysqld]
datadir = /app/mysqldb
innodb_file_per_table = ON
skip_name_resolve = ON

Copy the mysql service startup script to /etc/init.d/, rename it mysqld and add it to the service list

[root@6mini mysql]#cp support-files/mysql.server /etc/init.d/mysqld
[root@6mini mysql]#chkconfig --add mysqld

Create the log file and give mysql write permission to it

[root@6mini mysql]#touch /var/log/mysqld.log
[root@6mini mysql]#chown mysql /var/log/mysqld.log
[root@6mini mysql]#ll /var/log/mysqld.log 
-rw-r--r--. 1 mysql root 0 Oct 16 17:39 /var/log/mysqld.log

Start mysql

[root@6mini mysql]#service mysqld start
Starting MySQL.171016 17:41:04 mysqld_safe Logging to '/var/log/mysqld.log'.
171016 17:41:04 mysqld_safe Starting mysqld daemon with databases from /app/mysqldb
.. SUCCESS! 

Use mysql_secure_installation to initialize the database

[root@6mini bin]#mysql_secure_installation
/usr/local/mysql/bin/mysql_secure_installation: line 393: find_mysql_client: command not found

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Log in to the database as root, create a database for WordPress and grant it to user wpu

[root@6mini bin]#mysql -uroot -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 12
Server version: 5.5.57-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE wpdb;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL ON wpdb.* TO wpu@'%' IDENTIFIED BY 'centos';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> QUIT
Bye

Log in to the database as user wpu and confirm that the wpdb database was created

[root@6mini bin]#mysql -uwpu -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 13
Server version: 5.5.57-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| wpdb               |
+--------------------+
2 rows in set (0.00 sec)

MariaDB [(none)]> 

Compiling PHP from source

Before compiling and installing PHP, first install its dependencies libxml2-devel, bzip2-devel and libmcrypt-devel, then compile and install

[root@6mini ~]#yum install libxml2-devel bzip2-devel libmcrypt-devel
[root@6mini ~]#tar xvf php-5.6.31.tar.bz2 
[root@6mini ~]#cd php-5.6.31
[root@6mini php-5.6.31]# ./configure --prefix=/app/php --with-mysql=/usr/local/mysql/ --with-openssl --with-mysqli=/usr/local/mysql/bin/mysql_config --enable-mbstring --with-png-dir --with-jpeg-dir --with-freetype-dir --with-zlib --with-libxml-dir=/usr --enable-xml --enable-sockets --with-apxs2=/app/httpd24/bin/apxs --with-mcrypt --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d --with-bz2

[root@6mini php-5.6.31]# make -j 2 && make install

Copy a PHP configuration file and simply rename it; no settings need to be changed

[root@6mini php-5.6.31]#cp php.ini-production /etc/php.ini

Edit the httpd configuration file so that httpd supports PHP

[root@6mini php-5.6.31]#vim /app/httpd24/conf/httpd.conf

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.php index.html

Test PHP
First start httpd24, then create a PHP test page in the document root and test with it

[root@6mini php-5.6.31]#service httpd24 restart
Stopping httpd:                                            [  OK  ]
Starting httpd: AH00557: httpd: apr_sockaddr_info_get() failed for 6mini
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
                                                           [  OK  ]
[root@6mini php-5.6.31]#vim /app/httpd24/htdocs/index.php
<?php
phpinfo();
?>

View the PHP page in a browser

Configuring WordPress

Extract WordPress into the httpd document root and rename it blog

[root@6mini ~]#unzip wordpress-4.8.1-zh_CN.zip -d /app/httpd24/htdocs/
[root@6mini ~]#cd /app/httpd24/htdocs
[root@6mini htdocs]#mv wordpress/ blog

Use the WordPress configuration template to create the configuration file, and edit the database details so that the database works properly

[root@6mini htdocs]#cd blog/
[root@6mini blog]#mv wp-config-sample.php wp-config.php 
[root@6mini blog]#vim wp-config.php 

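<?php
/**
 * The base configuration file for WordPress.
 *
 * The installer uses this file to generate wp-config.php automatically.
 * You do not have to use the website; you can copy this file manually,
 * rename it to "wp-config.php" and fill in the values.
 *
 * This file contains the following configuration options:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/zh-cn:%E7%BC%96%E8%BE%91_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - this information comes from the host you are using ** //
/** The name of the WordPress database */
define('DB_NAME', 'wpdb');

/** MySQL database username */
define('DB_USER', 'wpu');

/** MySQL database password */
define('DB_PASSWORD', 'centos');

/** MySQL host */
define('DB_HOST', 'localhost');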

Log in from a browser and configure the WordPress site

http://192.168.163.105/blog


Installation complete
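
Added example, not part of the original post: a post-install check for the document root built above. It flags the phpinfo() test page, a world-readable wp-config.php, the sample database password used on this page, and secret keys left at the wp-config-sample.php placeholder. The function names and the sample tree are constructed for illustration, and the placeholder string is assumed to be the one shipped in wp-config-sample.php.

```shell
#!/bin/sh
# audit_docroot DIR [PASSWORD]: one finding per line, no output when clean.
# PASSWORD defaults to 'centos', the database password used on this page.
audit_docroot() {
    root=$1
    weak=${2:-centos}
    # Test pages that expose the full PHP configuration
    find "$root" -type f -name '*.php' -exec grep -lE 'phpinfo[[:space:]]*\(' {} + |
        sed 's/^/phpinfo-page: /'
    find "$root" -type f -name wp-config.php | while IFS= read -r cfg; do
        # Credentials file readable by every local account
        if [ -n "$(find "$cfg" -perm -0004)" ]; then
            echo "world-readable: $cfg"
        fi
        # Known sample password still configured
        if grep -qF "'DB_PASSWORD', '$weak'" "$cfg"; then
            echo "weak-db-password: $cfg"
        fi
        # Secret keys never replaced after renaming wp-config-sample.php
        if grep -qF 'put your unique phrase here' "$cfg"; then
            echo "default-salts: $cfg"
        fi
    done
    return 0
}

# Constructed sample tree mirroring the layout used in this post.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/blog"
    printf '<?php\nphpinfo();\n?>\n' > "$d/index.php"
    cat > "$d/blog/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wpdb');
define('DB_USER', 'wpu');
define('DB_PASSWORD', 'centos');
define('AUTH_KEY', 'put your unique phrase here');
EOF
    chmod 644 "$d/blog/wp-config.php"
    echo "$d"
}

sample=$(make_sample)
audit_docroot "$sample"
rm -rf "$sample"
```

On the real host, run audit_docroot /app/httpd24/htdocs after the browser setup is finished.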
