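Task topology:
Task:
- Install the web service.
- Run the service as the system user webuser.
- Limit the web service to 500M of the system's physical memory.
- Enable TLS for the whole site, using a certificate issued by the "CSK Global Root CA" authority on this host. The site certificate information is as follows:
C = CN
ST = China
L = BeiJing
O = skills
OU = Operations Departments
CN = *.chinaskills.com
- Clients accessing https must see no security warnings in the browser (or terminal).
- When a user accesses the site over http, redirect automatically to the https secure connection.
- Set up the www.chinaskills.cn site.
- Web files are stored on the StorageSrv server.
- Install MariaDB on StorageSrv, install PHP on this host, and publish the WordPress site.
- MariaDB administrator credentials: User: root / Password: 000000.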
- [root@appsrv ~]# yum install httpd mod_ssl php php-mysql -y
- [root@appsrv ~]# useradd webuser
- [root@appsrv ~]# vim /etc/passwd
- webuser:x:666:1001::/home/webuser:/bin/bash # change the UID to a value below 1000
- [root@appsrv ~]# vim /etc/httpd/conf/httpd.conf # edit lines 66 and 67
- User webuser
- Group webuser
- [root@appsrv ~]# systemctl enable httpd
- Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
- [root@appsrv ~]# vim /etc/systemd/system/multi-user.target.wants/httpd.service
- [Service]
- MemoryLimit=500M
- [root@appsrv ~]# systemctl daemon-reload
- [root@appsrv ~]# systemctl restart httpd
- [root@appsrv ~]# mkdir /webdata
- [root@appsrv ~]# vim /etc/fstab
- 192.168.100.200:/webdata /webdata nfs defaults 0 0
- [root@appsrv ~]# mount -a
- [root@appsrv ~]# df -Th | grep /webdata
- 192.168.100.200:/webdata nfs4 20G 185M 19G 1% /webdata
- First set up the CA (certificate authority)
- [root@appsrv csk-rootca]# openssl genrsa -out http.key 2048
- [root@appsrv csk-rootca]# openssl req -new -key http.key -out http.csr
- You are about to be asked to enter information that will be incorporated
- into your certificate request.
- What you are about to enter is what is called a Distinguished Name or a DN.
- There are quite a few fields but you can leave some blank
- For some fields there will be a default value,
- If you enter '.', the field will be left blank.
- -----
- Country Name (2letter code)[XX]:CN
- State or Province Name (full name)[]:China
- Locality Name (eg, city)[Default City]:BeiJing
- Organization Name (eg, company)[Default Company Ltd]:skills
- Organizational Unit Name (eg, section)[]:Operations Departments
- Common Name (eg, your name or your server's hostname) []:*.chinaskills.cn
- Email Address []:
- Please enter the following 'extra' attributes
- to be sent with your certificate request
- A challenge password []:
- An optional company name []:
- [root@appsrv csk-rootca]# openssl x509 -req -in http.csr -CA /csk-rootca/csk-ca.pem -CAkey /csk-rootca/private/cakey.pem -CAcreateserial -out http.crt
- Signature ok
- subject=/C=CN/ST=China/L=BeiJing/O=skills/OU=Operations Departments/CN=*.chinaskills.cn
- Getting CA Private Key
- [root@appsrv csk-rootca]# scp http.* root@192.168.100.200:/root
- The authenticity of host '192.168.100.200 (192.168.100.200)' can't be established.
- ECDSA key fingerprint is SHA256:pWgL9ec8DMjRGJO79thzFylRMNnAsLGLY8TUc+RO8Ms.
- ECDSA key fingerprint is MD5:44:5c:51:9a:2c:1b:ff:7c:0c:13:09:d3:77:a9:8e:cd.
- Are you sure you want to continue connecting (yes/no)? yes
- Warning: Permanently added '192.168.100.200' (ECDSA) to the list of known hosts.
- root@192.168.100.200's password:
- http.crt 100% 1261 1.6MB/s 00:00
- http.csr 100% 1033 2.2MB/s 00:00
- http.key 100% 1675 2.9MB/s 00:00
- [root@appsrv csk-rootca]# scp http.* root@192.168.100.254:/root
- The authenticity of host '192.168.100.254 (192.168.100.254)' can't be established.
- ECDSA key fingerprint is SHA256:fbInU3tFkaQUhhZNSIsHGZOPMG1T1f3J55qqtzfdeAU.
- ECDSA key fingerprint is MD5:a4:fa:8d:39:a3:9c:c0:81:1b:f0:6b:5b:f1:31:9e:aa.
- Are you sure you want to continue connecting (yes/no)? yes
- Warning: Permanently added '192.168.100.254' (ECDSA) to the list of known hosts.
- root@192.168.100.254's password:
- http.crt 100% 1261 2.2MB/s 00:00
- http.csr 100% 1033 2.6MB/s 00:00
- http.key 100% 1675 3.4MB/s 00:00
- [root@appsrv csk-rootca]# cd
- [root@appsrv ~]# vim /etc/httpd/conf.d/web.conf
- <VirtualHost *:80>
- redirect permanent / https://www.chinaskills.cn/
- </VirtualHost>
- <VirtualHost www.chinaskills.cn:443>
- # Site document root
- DocumentRoot "/webdata/wordpress"
- # Site domain name
- ServerName www.chinaskills.cn
- # Enable SSL
- SSLEngine on
- # Path to the site certificate
- SSLCertificateFile /csk-rootca/http.crt
- # Path to the site private key
- SSLCertificateKeyFile /csk-rootca/http.key
- # Permissions for the root directory
- <Directory /webdata>
- Require all granted
- </Directory>
- </VirtualHost>
- Upload the WordPress installation package
- [root@appsrv ~]# unzip wordpress-4.9.4-zh_CN.zip
- [root@appsrv ~]# ls /webdata/
- wordpress wordpress-4.9.4-zh_CN.zip
- Deploy the database:
- [root@storagesrv ~]# systemctl start mariadb
- [root@storagesrv ~]# mysql_secure_installation
- NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
- SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
- In order to log into MariaDB to secure it, we'll need the current
- password for the root user. If you've just installed MariaDB, and
- you haven't set the root password yet, the password will be blank,
- so you should just press enter here.
- Enter current password for root (enter for none):
- OK, successfully used password, moving on...
- Setting the root password ensures that nobody can log into the MariaDB
- root user without the proper authorisation.
- Set root password? [Y/n] y
- New password: 000000
- Re-enter new password: 000000
- Password updated successfully!
- Reloading privilege tables..
- ... Success!
- By default, a MariaDB installation has an anonymous user, allowing anyone
- to log into MariaDB without having to have a user account created for
- them. This is intended only for testing, and to make the installation
- go a bit smoother. You should remove them before moving into a
- production environment.
- Remove anonymous users? [Y/n]
- ... Success!
-
- Normally, root should only be allowed to connect from 'localhost'. This
- ensures that someone cannot guess at the root password from the network.
- Disallow root login remotely? [Y/n]
- ... Success!
- By default, MariaDB comes with a database named 'test' that anyone can
- access. This is also intended only for testing, and should be removed
- before moving into a production environment.
- Remove test database and access to it? [Y/n]
- - Dropping test database...
- ... Success!
- - Removing privileges on test database...
- ... Success!
- Reloading the privilege tables will ensure that all changes made so far
- will take effect immediately.
- Reload privilege tables now? [Y/n]
- ... Success!
- Cleaning up...
- All done! If you've completed all of the above steps, your MariaDB
- installation should now be secure.
- Thanks for using MariaDB!
- [root@storagesrv ~]# mysql -u root -p
- Enter password:
- Welcome to the MariaDB monitor. Commands end with ; or \g.
- Your MariaDB connection id is 14
- Server version: 5.5.68-MariaDB MariaDB Server
- Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
- Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
- MariaDB [(none)]> create database wordpress;
- Query OK, 1 row affected (0.00 sec)
- MariaDB [(none)]> grant all privileges on *.* to 'root'@'%' identified by '000000' with grant option;
- Query OK, 0 rows affected (0.00 sec)
- MariaDB [(none)]> flush privileges;
- Query OK, 0 rows affected (0.00 sec)
- MariaDB [(none)]>
- [root@storagesrv ~]#
- [root@appsrv ~]# systemctl restart httpd
- [root@insidecli ~]# cp csk-ca.pem /etc/pki/ca-trust/source/anchors/csk-ca.crt
- [root@insidecli ~]# update-ca-trust
- [root@insidecli ~]# curl -I http://www.chinaskills.cn
- On insidecli, open https://www.chinaskills.cn in a browser to reach the published site
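
The signing command above passes no extensions file, so the issued certificate carries only a CN, while current browsers match the host name against subjectAltName. The following is an added example, not part of the original post: it issues the same subject from a disposable test CA with and without a SAN, then checks the chain and wildcard host-name matching. The temp directory, the test CA name and the file names are assumptions.

```bash
#!/bin/sh
# Added example: disposable test CA in a temp dir, a constructed stand-in for the
# page's "CSK Global Root CA". Nothing here reads or writes /csk-rootca.
SUBJ='/C=CN/ST=China/L=BeiJing/O=skills/OU=Operations Departments/CN=*.chinaskills.cn'

make_ca() {  # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Test Root CA' \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# $1 = work dir, $2 = base name, $3 = optional subjectAltName value.
# ${3:+...} passes -extfile only when a SAN value was given.
issue() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
  openssl req -new -key "$1/$2.key" -subj "$SUBJ" -out "$1/$2.csr" 2>/dev/null &&
  printf 'subjectAltName = %s\n' "$3" > "$1/$2.ext" &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 ${3:+-extfile "$1/$2.ext"} -out "$1/$2.crt" 2>/dev/null
}

has_san()      { openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'; }
chains_to()    { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
matches_host() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }

W=$(mktemp -d)
make_ca "$W"
issue "$W" cn_only                          # same shape as the page's signing command
issue "$W" with_san 'DNS:*.chinaskills.cn'  # adds the SAN that browsers check

for c in cn_only with_san; do
  chains_to "$W/ca.pem" "$W/$c.crt" && chain=ok || chain=FAIL
  has_san "$W/$c.crt" && san=present || san=missing
  echo "$c: chain=$chain subjectAltName=$san"
done
for h in www.chinaskills.cn chinaskills.cn; do
  matches_host "$W/with_san.crt" "$h" && r=match || r="no match"
  echo "with_san vs $h: $r"
done
```

Both certificates chain to the CA, but only the second has a SAN; the wildcard covers www.chinaskills.cn and not the bare chinaskills.cn.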