站点安全

一：环境配置
[root@localhost ~]# cd /media/cdrom/Packages/
[root@localhost Packages]# yum –disablerepo=* –enablerepo=c7-media install httpd -y
[root@localhost Packages]# yum –disablerepo=* –enablerepo=c7-media install psmisc -y
二：来源控制
只让其来访问，不让其它来访问
[root@localhost Packages]# vim /etc/httpd/conf/httpd.conf

[root@localhost Packages]# systemctl restart httpd
[root@localhost ~]# lynx http://192.168.159.135


[root@localhost Packages]# yum –disablerepo=* –enablerepo=c7-media install lynx -y
不让其来访问，让其它来访问
[root@localhost Packages]# vim /etc/httpd/conf/httpd.conf

[root@localhost Packages]# systemctl restart httpd

[root@localhost ~]# lynx http://192.168.159.135

三：身份验证
[root@localhost html]# vim .htaccess

[root@localhost html]# cat .htaccess
authuserfile /var/www/html/.htpasswd
[root@localhost html]# htpasswd -c .htpasswd zhangsan #建立账号库
New password:
Re-type new password:
Adding password for user zhangsan
[root@localhost html]# cat .htpasswd
[root@localhost html]# htpasswd .htpasswd lisi #加入新身份
New password:
Re-type new password:
Adding password for user lisi
[root@localhost html]# cat .htpasswd
zhangsan:$apr1$vzEoNd2l$Sstcce2L1O0765a8fl4w9/ lisi:$apr1$a39pYSnB$PDD8yTn1Bzeb2WUzBnZFt1
打开身份验证
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf

[root@localhost ~]# service httpd restart



点击取消：



[root@localhost html]# lynx http://192.168.159.135

四：加密访问
[root@localhost ~]# yum –disablerepo=* –enablerepo=c7-media install httpd -y
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# touch index.txt
[root@localhost CA]# touch serial
[root@localhost CA]# echo “01” >serial

1 ：办理CA的权限
修改/etc/pki/CA/tls/openssl.conf
[root@localhost ~]# cd /etc/pki
[root@localhost pki]# vim /etc/pki/tls/openssl.cnf


产生私钥
[root@localhost CA]# openssl genrsa 1024 >private/cakey.pem
[root@localhost CA]# vim private/cakey.pem
[root@localhost CA]# chmod 600 private/cakey.pem #加密
产生CA的证书
[root@localhost CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem

2：办理自己的权限
[root@localhost CA]# yum –disablerepo=* –enablerepo=c7-media install mod_ssl -y
产生私钥
[root@localhost pki]# mkdir /etc/httpd/certs #创建新文件
[root@localhost pki]# cd /etc/httpd/certs
[root@localhost certs]# openssl genrsa 1024 >httpd.key #产生私钥
[root@localhost certs]# chmod 600 httpd.key #加密
请求文件
[root@localhost certs]# openssl req -new -key httpd.key -out httpd.req

web服务器证书
[root@localhost certs]# openssl ca -in httpd.req -out httpd.cer


[root@localhost CA]# vim /etc/httpd/conf.d/ssl.conf

[root@localhost CA]# systemctl start httpd
[root@localhost html]#firewall-cmd –zone=public –add-service http –permanent
[root@localhost html]#firewall-cmd –zone=public –add-service https –permanent
[root@localhost html]#firewall-cmd –reload
[root@localhost html]#firewall-cmd –zone=public –list-all
[root@localhost html]#systemctl status firewalld


只要密文不要铭文：
[root@localhost html]#vim /etc/httpd/conf/httpd.cong

[root@localhost html]#service httpd restart