Web, SELinux and firewalld mini-lab

Contents

Task

Server side

Before (firewall and SELinux off)

After (firewall and SELinux back on)

Configuring the firewall and security contexts

Client side

Before (firewall and SELinux off)

Firewall and SELinux on

After configuring the firewall and security contexts

Summary


Task

1. The firewall and SELinux must not be turned off.
2. The site must require account authentication.
3. The site must be served over HTTPS.

Server side

Before (firewall and SELinux off)

 [root@Server ~]# dnf install nginx -y >/dev/null
 [root@Server ~]# dnf install httpd-tools -y >/dev/null

 # Generate a private key and a self-signed certificate from it, in preparation for HTTPS
 [root@Server ~]# openssl genrsa -out /etc/pki/tls/private/nginx.key
 [root@Server ~]# openssl req -utf8 -new -x509 -key /etc/pki/tls/private/nginx.key -days 100 -out /etc/pki/tls/certs/nginx.crt

 # Create the password file used for account authentication
 [root@Server ~]# htpasswd -cb /etc/nginx/conf.d/user_passwd domain_name_port 123
 Adding password for user domain_name_port

 [root@Server ~]# mkdir -p /web/domain_name_port/
 [root@Server ~]# echo "this page use https protocol ,port is 88 ,domain_name is xixi.com." > /web/domain_name_port/index.html

 [root@Server ~]# vim /etc/nginx/conf.d/domain_name_port.conf
 server {
     listen 192.168.126.100:88 ssl http2;
     server_name xixi.com;
     root /web/domain_name_port/;
     auth_basic on;
     auth_basic_user_file "/etc/nginx/conf.d/user_passwd";
     ssl_certificate_key "/etc/pki/tls/private/nginx.key";
     ssl_certificate "/etc/pki/tls/certs/nginx.crt";
     location =/index.html {
     }
 }

 [root@Server ~]# nginx -t
 nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
 nginx: configuration file /etc/nginx/nginx.conf test is successful
 [root@Server ~]# systemctl start nginx
 [root@Server ~]# netstat -lntp | grep nginx
 tcp        0      0 192.168.126.100:88      0.0.0.0:*               LISTEN      2637/nginx: master
 tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2637/nginx: master
 tcp6       0      0 :::80                   :::*                    LISTEN      2637/nginx: master

 [root@Server ~]# getenforce
 Disabled
 [root@Server ~]# systemctl status firewalld | grep -i active
      Active: inactive (dead)
 [root@Server ~]#

After (firewall and SELinux back on)

Configuring the firewall and security contexts

 [root@Server ~]# grubby --update-kernel ALL --args selinux=1
 [root@Server ~]# reboot
 ...
 [root@Server ~]# setenforce 1
 [root@Server ~]# systemctl start firewalld
 [root@Server ~]# getenforce
 Enforcing
 [root@Server ~]# systemctl status firewalld | grep -i active
      Active: active (running) since Fri 2025-11-28 10:21:58 CST; 23s ago
 [root@Server ~]# systemctl start nginx
 Job for nginx.service failed because the control process exited with error code.
 See "systemctl status nginx.service" and "journalctl -xeu nginx.service" for details.

 # SELinux configuration
     # Change the security context type of /web and everything under it
 [root@Server ~]# rpm -ql nginx | grep index.html
 /usr/share/nginx/html/index.html
 [root@Server ~]# ls -Z /usr/share/nginx/html/index.html
 system_u:object_r:httpd_sys_content_t:s0 /usr/share/nginx/html/index.html
 [root@Server ~]# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
 [root@Server ~]# restorecon -R /web/
 [root@Server ~]# ls -Zd /web/
 system_u:object_r:httpd_sys_content_t:s0 /web/
 [root@Server ~]# ls -Z /web/
 unconfined_u:object_r:httpd_sys_content_t:s0 domain_name_port
 [root@Server ~]# ls -Z /web/domain_name_port/
 unconfined_u:object_r:httpd_sys_content_t:s0 index.html

     # Label the port
 [root@Server ~]# semanage port -l | less
 http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
 [root@Server ~]# semanage port -a -t http_port_t -p tcp 88
 Port tcp/88 already defined, modifying instead
 [root@Server ~]# semanage port -l | grep http_port_t
 http_port_t                    tcp      88, 80, 81, 443, 488, 8008, 8009, 8443, 9000
 pegasus_http_port_t            tcp      5988
 [root@Server ~]# systemctl start nginx
 [root@Server ~]# systemctl status nginx.service |grep -i active
      Active: active (running) since Fri 2025-11-28 10:56:23 CST; 1min 8s ago
     # The security context changes are done and nginx starts successfully; next, define a custom firewalld service and allow it through the firewall

 # Firewall configuration
     # Templates for custom services all live in /lib/firewalld/services
     # Copy a template into /etc/firewalld/services/ and edit it
 [root@Server ~]# firewall-cmd --list-all | grep services
   services: cockpit dhcpv6-client ssh
 [root@Server ~]# vim /etc/firewalld/services/my_https.xml
 :r /lib/firewalld/services/https.xml        # read https.xml straight into the buffer from vim's command-line mode
 <?xml version="1.0" encoding="utf-8"?>
 <service>
   <short>my_https</short>
   <description>HTTPS is a modified HTTP used to serve Web pages when security is important. Examples are sites that require logins like stores or web mail. This option is not required for viewing pages locally or developing Web pages. You need the httpd package installed for this option to be useful.</description>
   <port protocol="tcp" port="88"/>
 </service>

 [root@Server ~]# firewall-cmd --permanent --add-service=my_https
 success
 [root@Server ~]# firewall-cmd --reload
 success
 [root@Server ~]# firewall-cmd --list-all | grep services
   services: cockpit dhcpv6-client my_https ssh
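The three settings the lab had to fix (the SELinux port label, the SELinux file context on /web, and the firewalld service that opens the port) can be checked before restarting anything. The script below is an added example, not part of the original post: each function parses text it is given, so it runs against the constructed samples (modelled on the lab output) without root or the semanage/firewall-cmd tools, and the same functions can be fed live output on a server.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the SELinux
# port label, the SELinux file context and the firewalld service definition.

# Is PORT (tcp) listed under http_port_t in `semanage port -l` output?
# Usage: port_is_http_labeled 88 "$(semanage port -l)"
port_is_http_labeled() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "http_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) found = 1 }
        }
        END { if (found) exit 0; exit 1 }'
}

# Print the SELinux type (third field of the label) from one `ls -Z` line.
# Usage: label_type "$(ls -Zd /web/)"   ->   httpd_sys_content_t
label_type() {
    printf '%s\n' "$1" | awk '{ split($1, a, ":"); print a[3] }'
}

# Does a firewalld service file open PORT over tcp? Attribute order is ignored.
# Usage: service_opens_port 88 /etc/firewalld/services/my_https.xml
service_opens_port() {
    grep '<port ' "$2" | grep 'protocol="tcp"' | grep -q "port=\"$1\""
}

# Constructed samples mirroring the lab output before and after the fixes
# (default_t is the usual type for a directory created directly under /).
SEMANAGE_BEFORE='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988'
SEMANAGE_AFTER='http_port_t                    tcp      88, 80, 81, 443, 488, 8008, 8009, 8443, 9000'
LS_BEFORE='unconfined_u:object_r:default_t:s0 /web/'
LS_AFTER='system_u:object_r:httpd_sys_content_t:s0 /web/'
SERVICE_XML=$(mktemp)
cat > "$SERVICE_XML" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>my_https</short>
  <description>HTTPS on tcp/88 for the lab (constructed sample).</description>
  <port protocol="tcp" port="88"/>
</service>
EOF

# A missing port label stops nginx from binding; a wrong file context yields 403;
# a firewall service without the port gives the client "No route to host".
port_is_http_labeled 88 "$SEMANAGE_AFTER" && echo "tcp/88 is labeled http_port_t"
[ "$(label_type "$LS_AFTER")" = httpd_sys_content_t ] && echo "/web has httpd_sys_content_t"
service_opens_port 88 "$SERVICE_XML" && echo "my_https opens tcp/88"
```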

Client side

Before (firewall and SELinux off)

 [root@Client ~]# vim /etc/hosts
 192.168.126.100 xixi.com
 [root@Client ~]# ping -c 2 xixi.com
 PING xixi.com (192.168.126.100) 56(84) bytes of data.
 64 bytes from xixi.com (192.168.126.100): icmp_seq=1 ttl=64 time=0.626 ms
 64 bytes from xixi.com (192.168.126.100): icmp_seq=2 ttl=64 time=0.542 ms
 --- xixi.com ping statistics ---
 2 packets transmitted, 2 received, 0% packet loss, time 1002ms
 rtt min/avg/max/mdev = 0.542/0.584/0.626/0.042 ms
 [root@Client ~]# curl -u domain_name_port https://xixi.com:88 -k
 Enter host password for user 'domain_name_port':
 this page use https protocol ,port is 88 ,domain_name is xixi.com.

Firewall and SELinux on

 [root@Client ~]# curl -u domain_name_port https://xixi.com:88 -k
 Enter host password for user 'domain_name_port':
 curl: (7) Failed to connect to xixi.com port 88: No route to host

After configuring the firewall and security contexts

 # After allowing the custom service through the firewall and configuring the security contexts
 [root@Client ~]# curl -u domain_name_port https://xixi.com:88 -k
 Enter host password for user 'domain_name_port':
 this page use https protocol ,port is 88 ,domain_name is xixi.com.

Summary

With both the firewall and SELinux left on, the setup is much closer to how a real server is run.
