AppSrv: httpd (web) + CA (certificate authority)

Task:

Install the web service;
The service runs as the system user webuser;
Limit the web service to 500M of physical memory;
Enable TLS for the whole site, with certificates issued by the local "CSK Global Root CA" authority; the site certificate fields are as follows:
C = CN 
ST = China 
L = BeiJing 
O = skills 
OU = Operations Departments 
CN = *.chinaskills.cn 
Clients connecting over https must see no browser (or terminal) security warnings;
Requests over http are automatically redirected to the https connection;
Set up the www.chinaskills.cn site;
The web root is /webdata/www;
The page content is "This is the test page of the www site!";
Create the download.chinaskills.cn site;
Only members of the ldsgp user group may access it;
Create the files "test.mp3, test.mp4, test.pdf" in that site's root, with test.mp4 being 100M in size; after a successful request the page lists every file in the directory;
Harden the server so that no page reveals the operating system or web server version.

1. Disable SELinux enforcement and the firewall

[root@appsrv ~]# setenforce 0
[root@appsrv ~]# systemctl stop firewalld

2. Install httpd and the SSL module

[root@appsrv ~]# yum install httpd mod_ssl

3. Add the service user and limit the memory

[root@appsrv ~]# useradd -r webuser
[root@appsrv ~]# vim /etc/httpd/conf/httpd.conf
User webuser
Group webuser
[root@appsrv ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@appsrv ~]# vim /etc/systemd/system/multi-user.target.wants/httpd.service
[Service]
MemoryLimit=500M
MemoryLimit is the systemd directive; memory_limit_in_bytes is the cgroup attribute it writes to and is not valid in a unit file. Note that the path edited here is a symlink to the vendor unit /usr/lib/systemd/system/httpd.service, which a package update can overwrite; a drop-in created with systemctl edit httpd keeps the setting in /etc.
[root@appsrv ~]# systemctl daemon-reload
[root@appsrv ~]# systemctl restart httpd

4. Create the CA and issue the certificate

Create the root certificate

[root@appsrv ~]# vim /etc/pki/tls/openssl.cnf
In the [ CA_default ] section:
dir = /csk-rootca
certificate = $dir/csk-ca.pem
[root@appsrv ~]# mkdir /csk-rootca
[root@appsrv ~]# cp -rf /etc/pki/tls/* /csk-rootca/
[root@appsrv ~]# cd /csk-rootca/
[root@appsrv csk-rootca]# touch index.txt
[root@appsrv csk-rootca]# echo 01 >serial
[root@appsrv csk-rootca]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..............+++
...........................................................+++
e is 65537 (0x10001)
[root@appsrv csk-rootca]# openssl req -new -x509 -key ./private/cakey.pem -out csk-ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:CSK Global Root CA
Email Address []:
[root@appsrv csk-rootca]#

Generate the site key and certificate request

[root@appsrv csk-rootca]# openssl genrsa -out httpd.key 2048
Generating RSA private key, 2048 bit long modulus
......................................+++
.................................................................................
...................................................................+++
e is 65537 (0x10001)
[root@appsrv csk-rootca]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:*.chinaskills.cn
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@appsrv csk-rootca]#

Sign the certificate

[root@appsrv csk-rootca]# openssl x509 -req -in httpd.csr -CA /csk-rootca/csk-ca.pem -CAkey /csk-rootca/private/cakey.pem -CAcreateserial -out httpd.crt

Signature ok
subject=/C=CN/ST=China/L=BeiJing/O=skills/OU=Operations Departments/CN=*.chinaskills.cn
Getting CA Private Key
[root@appsrv csk-rootca]#
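The signing command above produces a certificate that carries only the CN *.chinaskills.cn and the 30-day validity that openssl x509 -req and openssl req -x509 default to, so clients that match host names against subjectAltName alone still warn. The script below is an added example, not part of the original write-up: it repeats the CA and signing steps in a scratch directory (passed as $1, instead of /csk-rootca) with an extension file that adds a SAN and explicit validity, then checks the chain and host name with openssl itself.

```shell
#!/bin/sh
# Added example (not part of the original write-up): issue the *.chinaskills.cn cert
# with a subjectAltName and explicit validity, then verify it as a client would. Offline.
set -eu

issue_wildcard_cert() {
    work="$1"
    mkdir -p "$work/private"
    # Root CA with the write-up's DN; 10-year validity instead of req's 30-day default.
    openssl genrsa -out "$work/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$work/private/cakey.pem" \
        -subj "/C=CN/ST=China/L=BeiJing/O=skills/OU=Operations Departments/CN=CSK Global Root CA" \
        -out "$work/csk-ca.pem"
    # Site key and CSR with the DN the task prescribes.
    openssl genrsa -out "$work/httpd.key" 2048 2>/dev/null
    openssl req -new -key "$work/httpd.key" \
        -subj "/C=CN/ST=China/L=BeiJing/O=skills/OU=Operations Departments/CN=*.chinaskills.cn" \
        -out "$work/httpd.csr"
    # Leaf extensions: not a CA, server-auth only, SAN for the wildcard and the bare domain.
    # Without them the certificate carries only a CN, which SAN-only clients reject.
    cat > "$work/httpd.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.chinaskills.cn, DNS:chinaskills.cn
EOF
    openssl x509 -req -days 825 -in "$work/httpd.csr" -CA "$work/csk-ca.pem" \
        -CAkey "$work/private/cakey.pem" -CAcreateserial \
        -extfile "$work/httpd.ext" -out "$work/httpd.crt" 2>/dev/null
}

# Print "ok" when httpd.crt chains to csk-ca.pem and its SAN covers $2, else the reason.
check_cert() {
    work="$1"; host="$2"
    openssl verify -CAfile "$work/csk-ca.pem" "$work/httpd.crt" >/dev/null 2>&1 \
        || { echo "chain-fail"; return 0; }
    if openssl x509 -in "$work/httpd.crt" -noout -checkhost "$host" | grep -q "does match"; then
        echo "ok"
    else
        echo "host-mismatch"
    fi
}

# Stand-alone run: issue into a temp dir and check both site names plus a foreign one.
d=$(mktemp -d)
issue_wildcard_cert "$d"
for h in www.chinaskills.cn download.chinaskills.cn www.example.com; do
    printf '%s: %s\n' "$h" "$(check_cert "$d" "$h")"
done
```

On the real server the same -extfile and -days arguments can be added to the signing command in /csk-rootca; the client-side check is what a browser performs before deciding whether to warn.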

5. Edit the configuration and set up the redirects

[root@appsrv webdata]# vim /etc/httpd/conf/httpd.conf
Append the following at the end of the file (httpd.conf comments use #, and a comment may not share a line with a directive):
# Do not reveal the operating system or web server version
ServerSignature Off
ServerTokens Prod
<VirtualHost *:80>
 ServerName www.chinaskills.cn
 Redirect 302 / https://www.chinaskills.cn/
</VirtualHost>
<VirtualHost *:80>
 ServerName download.chinaskills.cn
 Redirect 302 / https://download.chinaskills.cn/
</VirtualHost>
<VirtualHost *:443>
 ServerName www.chinaskills.cn
 DocumentRoot /webdata/www
 SSLEngine on
 SSLCertificateFile "/csk-rootca/httpd.crt"
 SSLCertificateKeyFile "/csk-rootca/httpd.key"
 <Directory /webdata/www>
        Require all granted
 </Directory>
</VirtualHost>
<VirtualHost *:443>
 ServerName download.chinaskills.cn
 DocumentRoot /webdata/download
 SSLEngine on
 SSLCertificateFile "/csk-rootca/httpd.crt"
 SSLCertificateKeyFile "/csk-rootca/httpd.key"
 <Directory /webdata/download>
        Options Indexes
        AuthType Basic
        AuthName "Login"
        AuthUserFile "/etc/httpd/.htpasswd"
        Require valid-user
 </Directory>
</VirtualHost>
The second port-80 block must name download.chinaskills.cn; with both blocks naming www.chinaskills.cn, as originally written, the download redirect would never be selected. Note also that Require valid-user admits every account in the password file, whereas the task restricts access to the ldsgp group; a group restriction would use an AuthGroupFile together with Require group ldsgp.

6. Create the site directories and content

[root@appsrv csk-rootca]# mkdir /webdata
[root@appsrv ~]# cd /webdata/
[root@appsrv webdata]# mkdir www
[root@appsrv webdata]# mkdir download 
[root@appsrv webdata]# echo 'This is the test page of the www site!' > /webdata/www/index.html
[root@appsrv webdata]# cd download
[root@appsrv download]# touch test.mp3
[root@appsrv download]# touch test.pdf
[root@appsrv download]# dd if=/dev/zero of=test.mp4 bs=100M count=1
1+0 records in
1+0 records out
104857600 bytes (105 MB) copied, 0.784643 s, 134 MB/s

Remove the default welcome page and create the authentication user

[root@appsrv webdata]# rm /etc/httpd/conf.d/welcome.conf
rm: remove regular file ‘/etc/httpd/conf.d/welcome.conf’? y
[root@appsrv webdata]# htpasswd -c /etc/httpd/.htpasswd zsuser
New password:
Re-type new password:
Adding password for user zsuser
[root@appsrv webdata]#

7. Restart the service and test

[root@appsrv webdata]# systemctl restart httpd
Copy the root certificate to the client
[root@appsrv webdata]# scp /csk-rootca/csk-ca.pem root@192.168.0.190:/root
root@192.168.0.190's password:
csk-ca.pem 100% 1383 1.5MB/s 00:00

Install the root certificate on the client

Test the www.chinaskills.cn site

Test the download.chinaskills.cn site