lamp-module
2024-09-03 05:28:09
要求: (1) 三者分离于两台主机;
(2) 一个虚拟主机用于提供phpMyAdmin;另一个虚拟主机用于提供wordpress;
(3) xcache
(4) 为phpMyAdmin提供https虚拟主机;
HTTPD AND PHP-module: 192.168.8.16
MariDB : 192.168.8.17
(1)192.168.8.16 配置
yum install httpd php php-mysql (安装apache程序及php模块)
vim /etc/httpd/conf/httpd.conf
Listen 80 (设定监听地址及端口,格式:192.168.8.x:80 ,不输入地址默认监听本机所有端口)
ServerName 80 (指定httpd应用程序服务域名或地址,不输入默认为本地地址80端口) 注:此处如不修改会提示serverName错误
DocumentRoot "/var/www/html" (指定URL映射路径)
wq
vim /etc/httpd/conf.d/Virtual1.conf (添加虚拟主机1配置文件,域名为 pma.vhosts.com , 作为 phpMyAdmin 服务器)
0 <VirtualHost *:80> (监听80端口)
1 ServerName "pma.vhosts.com" (指定服务域名,也可以理解为监听的域名,当客户端访问该域名时将URL路径映射到配置文件中指定的路径下)
DocumentRoot "/web/vhosts/www1" (指定URL映射路径)
<Directory "/web/vhosts/www1"> (权限设置允许客户端通过URL访问该目录)
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory "/tmp/">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
ErrorLog /var/log/httpd/pma/error_log (指定服务器错误日志路径)
CustomLog /var/log/httpd/pma/access_log combined (指定访问日志路径及日志格式:combined)
</VirtualHost>
vim /etc/httpd/conf.d/Virtual2.conf (新增虚拟主机2配置文件,域名为 wp.vhosts.com ,做为wordpress 服务器)
<VirtualHost *:>
ServerName "wp.vhosts.com"
DocumentRoot "/web/vhosts/www2"
<Directory "/web/vhosts/www2">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
ErrorLog "/var/log/httpd/wp/error_log"
CustomLog "/var/log/httpd/wp/access_log" combined
</VirtualHost>
创建相关目录:
mkdir /web/vhosts/{www1,www2} -pv
mkdir /var/log/httpd/{wp,pma} -pv
下载 phpMyAdmin-4.0.10.20-all-languages.zip
unzip phpMyAdmin-4.0.10.20-all-languages.zip (解压)
cp -a phpMyAdmin-4.0.10.20-all-languages /web/vhosts/www1/
cd /web/vhosts/www1/
ln -sv phpMyAdmin-4.0.10.20-all-languages pma (指定软链接,客户端端通过软链接目录访问应用服务,便于日后版本更新等操作)
cd pma
cp config.sample.inc.php config.inc.php
openssl rand -base64 20 (生成20位随机字符串)
vim config.inc.php
$cfg['blowfish_secret'] = 'AzNv9me9gqEfC9Ya4rkTSHu598I'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! (将生成的20位字符串放入 = '此处')
*/
$cfg['Servers'][$i]['host'] = '192.168.20.243'; (指定mariadb 服务器地址) 注:需在mariadb服务器开通指定用户账号访问权限
测试: 客户端访问 pma.vhosts.com/pma (successd)
下载 wordpress -5.0.2
unzip wordpress-5.0.2.zip (解压)
cp wordpress /web/vhosts/www2/
cd /web/vhosts/www2/
ln -sv wordpress wp
cd wordpress
cp wp-config-sample.php wp-config.php
vim wp-config.php
define( 'DB_NAME', '192.168.8.17' ); (指定数据库名称) /** MySQL database username */
define( 'DB_USER', 'tom' ); (指定连接数据库用户) /** MySQL database password */
define( 'DB_PASSWORD', '' ); (指定数据库密码) /** MySQL hostname */
define( 'DB_HOST', '192.168.8.17' ); (指定数据库地址) /** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' ); (数据库字符集)
测试: http://wp.vhosts.com/wp (successd)
192.168.8.17 配置
yum install mariadb-server
vim /etc/my.cnf (插入以下行)
skip_name_resolve=ON
innodb_file_per_table=ON
mysql 进入mariadb管理界面
grant all on *.* to 'tom'@'192.168.8.%' identified by ''; (创建用户tom,允许通过192.168.8.* 网段访问)
如有需要可创建数据库及表
ss -tnl :检查3306端口是否监听
压测: ab -n 100000 -c 200 http://pma.vhosts.com/pma/index.php
Server Software: Apache/2.4.6 (请求的服务版本)
Server Hostname: pma.vhosts.com (请求的服务名称)
Server Port: 80 (请求的端口号) Document Path: /pma/index.php (URL路径映射)
Document Length: bytes (page size) Concurrency Level: 200 (请求并发数)
Time taken for tests: 92.017 seconds (共使用 秒数)
Complete requests: 4992 (请求的次数)
Failed requests: 0 (失败的请求)
Write errors: 0 (网络连接写入错误数)
Total transferred: bytes (完全传输page size)
HTML transferred: bytes (实际传输的 page size)
Requests per second: 54.25 [#/sec] (mean) (每 秒 多少个请求)
Time per request: 3686.596 [ms] (mean) (平均每个用户等待多长时间)
Time per request: 18.433 [ms] (mean, across all concurrent requests) (服务器平均用时多长时间处理)
Transfer rate: 540.61 [Kbytes/sec] received (每秒获取多少数据) Connection Times (ms)
min mean[+/-sd] median max
Connect: 92.5
Processing: 898.9
Waiting: 784.7
Total: 901.7 Percentage of the requests served within a certain time (ms)
% 3582 (%50的用户请求 3582ms内返回)
%
%
%
%
%
%
%
% (longest request)
192.168.1.16 安装xcache
yum install php-xcache
vim /etc/php.d/xcache
xcache.size = 60M (指定缓存用内存空间大小,越大缓存越多,速率越快)
systemctl restart httpd
附录: DNS and Bind 解析配置
yum install bind bind-utils
vim /etc/named.conf
options {
listen-on port { 192.168.20.243; 127.0.0.1; }; (指定监听地址与端口,可指定多个)
listen-on-v6 port { ::; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; (指定允许接收的请求,any为所有)
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes; (递归查询)
dnssec-enable no; (关闭dns校验)
dnssec-validation no; (关闭dns校验)
vim /etc/named.rfc1912.zone (添加下面的行,区域配置)
zone "vhosts.com" IN {
type master;
file "vhosts.com.zone";
};
vim /var/named/vhosts.com.zone (新增解析库文件)
$TTL
$ORIGIN vhosts.com.
@ IN SOA ns1.vhosts.com. admin.vhosts.com ( 2H
10M
1W
1D
)
@ IN NS ns1.vhosts.com.
ns1 IN A 192.168.20.244
pma IN A 192.168.20.242
wp IN A 192.168.20.242
测试配置文件
[root@test ~]# named-checkconf
[root@test ~]# named-checkzone vhosts.com /var/named/vhosts.com.zone
zone vhosts.com/IN: loaded serial
OK
启动并测试
[root@test ~]# systemctl start named
[root@test ~]# dig -t A pma.vhosts.com ; <<>> DiG 9.11.-P2-RedHat-9.11.-.P2.el7 <<>> -t A pma.vhosts.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
;; flags: qr aa rd ra; QUERY: , ANSWER: , AUTHORITY: , ADDITIONAL: ;; OPT PSEUDOSECTION:
; EDNS: version: , flags:; udp:
;; QUESTION SECTION:
;pma.vhosts.com. IN A ;; ANSWER SECTION:
pma.vhosts.com. IN A 192.168.20.242 ;; AUTHORITY SECTION:
vhosts.com. IN NS ns1.vhosts.com. ;; ADDITIONAL SECTION:
ns1.vhosts.com. IN A 192.168.20.244 ;; Query time: msec
;; SERVER: 192.168.20.243#(192.168.20.243)
;; WHEN: Tue Feb :: EST
;; MSG SIZE rcvd:
192.168.8.16 为phpmyadmin 提供https虚拟主机
(模拟 CA服务器:192.168.8.18)
cd /etc/pki/CA/
[root@test]# (umask 077;openssl genrsa -out private/cakey.pem 4096) (生成4096位私钥文件 cakey.pem)
Generating RSA private key, bit long modulus
......................................................................................................................++
...........................................................................................................++
e is (0x10001)
[root@test ]# openssl req -new -key private/cakey.pem -out httpd.csr -days 365 (生成证书签署请求文件) You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name ( letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:DaWanQu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:pma.vhosts.com (此处指定服务域名一定要与指定访问的域名一致,否则客户端会验证不通过)
Email Address []: Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos7 CA]# scp httpd.csr root@192.168.8.18:/etc/pki/CA/ (将证书签署请求拷贝到CA服务器/etc/pki/CA/ 目录下)
The authenticity of host '192.168.8.18 (192.168.8.18)' can't be established.
ECDSA key fingerprint is SHA256:FKhie5UQHlmOtTV/TZol/k7UIf0nfDRosf2smlFoXak.
ECDSA key fingerprint is MD5:1b::4c:eb:5f::7d:a8::d3:be::b1:::.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.8.18' (ECDSA) to the list of known hosts.
root@192.168.8.18's password:
httpd.csr % .4MB/s :
[root@test ]#
192.168.8.18
CA 主机上配置
cd /etc/pki/CA/
[root@bogon CA]# (umask ;openssl genrsa -out private/cakey.pem ) (生成4096位私钥文件)
Generating RSA private key, bit long modulus
...........................++
......................................................................................................................................................................................................................................................................................++
e is (0x10001)
[root@bogon CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 (生成CA服务器自签证书, -days为证书有效期天数)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name ( letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:DaWanQu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:DaWanQu
Email Address []: [root@bogon CA]# touch ./{serial,index.txt} (创建签署证书必需文件)
[root@bogon CA]# echo > serial (写入序列号01) [root@bogon CA]# openssl ca -in httpd.csr -out httpd.crt -days (签署httpd.csr 证书 ,输出为 httpd.crt)
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: (0x1)
Validity
Not Before: Feb :: GMT
Not After : Feb :: GMT
Subject:
countryName = CN
stateOrProvinceName = GD
organizationName = DaWanQu
organizationalUnitName = Ops
commonName = pma.vhosts.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
CA:A9::E2:::4C:::EE::D3::C1:B6:0B::::
X509v3 Authority Key Identifier:
keyid:E7::::::6E:5A::ED:6A:FF::D3:F4:::C5:B6:CE Certificate is to be certified until Feb :: GMT ( days)
Sign the certificate? [y/n]:yes out of certificate requests certified, commit? [y/n]yes
Write out database with new entries
Data Base Updated
67 [root@bogon CA]# scp httpd.crt root@192.168.8.16:/etc/pki/CA/ (将签署完成的证书文件拷贝到httpd服务器)
The authenticity of host '192.168.8.16 (192.168.8.16)' can't be established.
ECDSA key fingerprint is SHA256:I9f09gGvg6Zr5JFDYPLO5VKiAZ/Fzmy1F37f1SLgzkI.
ECDSA key fingerprint is MD5::::9f:f0:b0:9e::c0::ad::3f:be::.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.8.16' (ECDSA) to the list of known hosts.
root@192.168.8.16's password:
/etc/profile.d/vimrc.sh: line : autocmd: command not found
/etc/profile.d/vimrc.sh: line : syntax error near unexpected token `('
/etc/profile.d/vimrc.sh: line : `func SetTitle()'
httpd.crt % .9MB/s :
[root@bogon CA]#
192.168.8.16 httpd主机配置
yum install mod_ssl (安装ssl支持模块)
vim /etc/httpd/conf.d/ssl.conf
Listen https (默认监听443端口) #
DocumentRoot "/web/vhosts/www1" (SSL 连接URL映射路径)
ServerName "pma.vhosts.com" (服务域名) <Directory "web/vhosts/www1"> (授权URL映射路径允许访问)
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory> SSLCertificateFile /etc/pki/CA/httpd.crt (指定证书文件路径)
SSLCertificateKeyFile /etc/pki/CA/private/cakey.pem (指定私钥文件路径)
客户机配置
将ca服务器自签证书导入到浏览器受信根证书中
测试: https://pma.vhosts.com/pma/ (google浏览器测试不成功,火狐浏览器与IE测试成功)
最新文章
- Linux连接Internet
- Codeforces Round #373 (Div. 2) E. Sasha and Array
- Python标准库12 数学与随机数 (math包,random包)
- once
- Jenkins 快速搭建持续集成环境
- C#:装箱和拆箱相关知识整理
- Java Day03 面向对象程序设计
- (四)—性能测试工具curl-loader(linux)
- 15个HTML元素方法!
- 软件工程:java实现wc项目基本功能
- web@前端--html,css,javascript简介、第一个页面(常用标签简介)
- 浅谈IIS 和 asp.net的应用之间的关系
- ubuntu16.04 caffe(GPU模式)安装
- 2018NOIP爆0记第一弹
- Pollard Rho因子分解算法
- 二次封装bootstrap-table及功能优化
- linux系统上使用unzip命令
- SQL Server 的索引结构实例
- Golang命名规范和开发规范
- 半平面交 (poj 1279(第一道半平面NlogN)完整注释 )