环境准备开始:
[root ~]# service httpd24 stop # 关闭此前编译的2.4 [root ~]# yum install -y php
php和httpd结合的方式是模块化的:
[root ~]# rpm -ql php /etc/httpd/conf.d/php.conf /usr/lib64/httpd/modules/libphp5.so # 就这个模块 /var/lib/php/session /var/www/icons/php.gif
既然是模块,就无需启动服务,启动httpd即可
[root ~]# service httpd start [root ~]# /usr/sbin/httpd -M|grep php httpd: Could not reliably determine the server‘s fully qualified domain name, using localhost.localdomain for ServerName php5_module (shared) # 模块已加载 Syntax OK
使用浏览器访问IP地址:
测试php是否已经启动:
[root ~]# cd /vhosts/a.com/htdocs/ [root htdocs]# mv index.html index.php [root htdocs]# vim index.php <h1>www.a.com</h1> # 在此行下面添加测试代码 <?php phpinfo(); ?> <h2>PHP Test Page</h2>
刷新浏览器,出现一堆信息:
php解释器不会和数据库打交道,和数据库打交道的是php应用程序本身,但是这种打交道是通过驱动完成的。这种驱动php和MySQL都有提供。安装驱动:
[root htdocs]# yum install -y php-mysql [root htdocs]# service httpd reload
刷新浏览器可以看到结果:
Additional .ini files parsed | /etc/php.d/curl.ini, /etc/php.d/fileinfo.ini, /etc/php.d/json.ini, /etc/php.d/mysql.ini, /etc/php.d/mysqli.ini, /etc/php.d/pdo.ini, /etc/php.d/pdo_mysql.ini, /etc/php.d/pdo_sqlite.ini, /etc/php.d/phar.ini, /etc/php.d/sqlite3.ini, /etc/php.d/zip.ini |
安装mysql服务器端:
[root htdocs]# yum install -y mysql-server [root htdocs]# service mysqld start [root htdocs]# ss -tunl|grep :3306
测试mysql确实启动:
[root htdocs]# vim index.php <h1>www.a.com</h1> <?php $conn = mysql_connect(‘127.0.0.1‘,‘root‘,‘‘); if ($conn) echo "OK"; else echo "Failure"; mysql_close($conn); ?>
刷新浏览器显示OK,lamp环境就这样简单的搭建起来了。
[root htdocs]# unzip wordpress-3.3.1-zh_CN.zip [root htdocs]# cd wordpress [root wordpress]# vim wp-config-sample.php # 修改三项 define(‘DB_NAME‘, ‘wpdb‘); /** MySQL 数据库用户名 */ define(‘DB_USER‘, ‘wpuser‘); /** MySQL 数据库密码 */ define(‘DB_PASSWORD‘, ‘wppass‘); [root wordpress]# cp wp-config-sample.php wp-config.php
建立数据库:
[root wordpress]# mysql mysql> CREATE DATABASE wpdb; mysql> GRANT ALL ON wpdb.* TO ‘wpuser‘@‘127.0.0.1‘ IDENTIFIED BY ‘wppass‘; mysql> GRANT ALL ON wpdb.* TO ‘wpuser‘@‘localhost‘ IDENTIFIED BY ‘wppass‘; mysql> FLUSH PRIVILEGES;
浏览器访问http://172.16.45.10/wordpress/就能出现安装界面
[root htdocs]# unzip phpMyAdmin-4.0.5-all-languages.zip [root htdocs]# ln -s phpMyAdmin-4.0.5-all-languages pma [root htdocs]# cd pma/ [root pma]# yum install php-mbstring –y # 多字节字串,为了支持中文需要启动此功能 [root pma]# service httpd reload
浏览器访问http://172.16.45.10/pma/
给mysql root设置密码:
mysql> SET PASSWORD FOR ‘root‘@‘localhost‘=PASSWORD(‘123456‘); mysql> SET PASSWORD FOR ‘root‘@‘127.0.0.1‘=PASSWORD(‘123456‘); mysql> FLUSH PRIVILEGES;
可以使用root身份登录了
[root ~]# vim /etc/httpd/conf/httpd.conf #DocumentRoot "/var/www/html" # 注释掉 NameVirtualHost *:80 # 将这行注释取消 <VirtualHost *:80> servername www.a.com documentroot /vhosts/a.com/htdocs/ </virtualhost> <VirtualHost *:80> servername www.c.net documentroot /vhosts/c.net/htdocs </virtualhost>
1、为服务器申请数字证书
(a) 为了测试,创建私有CA
[root ~]# cd /etc/pki/CA/ # 另开一个虚拟机 [root CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048) # 创建私钥 [root CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 10000 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:HA Locality Name (eg, city) [Default City]:ZZ Organization Name (eg, company) [Default Company Ltd]:MageEdu Organizational Unit Name (eg, section) []:Ops Common Name (eg, your name or your server‘s hostname) []:ca.magedu.com Email Address []: # 此证书需要共享给其他用户,因为需要此证书里面的公钥做验证。 [root CA]# touch index.txt [root CA]# echo 01 > serial
(b) 在服务器创建证书签署请求
[root ~]# cd /etc/httpd/ [root httpd]# mkdir ssl [root httpd]# cd ssl/ [root ssl]# (umask 077; openssl genrsa -out httpd.key 1024) [root ssl]# openssl req -new -key httpd.key -out httpd.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:HA Locality Name (eg, city) [Default City]:ZZ Organization Name (eg, company) [Default Company Ltd]:MageEdu Organizational Unit Name (eg, section) []:Ops Common Name (eg, your name or your server‘s hostname) []:www.a.com Email Address []: Please enter the following ‘extra‘ attributes to be sent with your certificate request A challenge password []: An optional company name []: [root ssl]# scp httpd.csr root@172.16.45.1:/tmp # 将请求发给CA
(c) CA签证
[root CA]# cd /tmp/ [root tmp]# openssl ca -in httpd.csr -out httpd.crt -days 3653 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Apr 25 17:27:07 2015 GMT Not After : Apr 25 17:27:07 2025 GMT Subject: countryName = CN stateOrProvinceName = HA organizationName = MageEdu organizationalUnitName = Ops commonName = www.a.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 56:8C:DA:7F:FE:18:59:C5:C4:82:C8:20:30:88:8B:BF:1F:8C:6A:67 X509v3 Authority Key Identifier: keyid:C5:77:A0:E0:54:72:42:99:83:0D:7A:F8:53:6D:24:E4:CF:6D:CA:30 Certificate is to be certified until Apr 25 17:27:07 2025 GMT (3653 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root tmp]# scp httpd.crt 172.16.45.10:/etc/httpd/ssl/ # 将签署好的证书发回
2、配置httpd支持使用ssl,及使用的证书。但是http默认是不支持ssl的,使用httpd -M|grep ssl命令是没有结果的。因此需要安装mod_ssl这个支包。
# yum -y install mod_ssl [root ssl]# rpm -ql mod_ssl # 查看该包生成的文件 /etc/httpd/conf.d/ssl.conf /usr/lib64/httpd/modules/mod_ssl.so # 模块文件 /var/cache/mod_ssl /var/cache/mod_ssl/scache.dir # 缓存功能,加速ssl握手过程 /var/cache/mod_ssl/scache.pag /var/cache/mod_ssl/scache.sem
编辑配置文件后,重启监听443端口
[root ssl]# cp /etc/httpd/conf.d/ssl.conf{,.bak} [root ssl]# vim /etc/httpd/conf.d/ssl.conf <VirtualHost *:443> ServerName www.a.com:443 # 虚拟主机的主机名 ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log # 二进制格式 LogLevel warn SSLEngine on # ssl功能的总开关 SSLProtocol all -SSLv2 # 不使用ssl v2版 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW # 加密的算法 SSLCertificateFile /etc/httpd/ssl/httpd.crt # 签署好的证书文件 SSLCertificateKeyFile /etc/httpd/ssl/httpd.key # 私钥文件 </VirtualHost> [root ssl]# httpd -t [root ssl]# service httpd restart
3、测试基于https访问相应的主机
# openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]:s_client可以将自己扮演成客户端
[root tmp]# scp /etc/pki/CA/cacert.pem 172.16.45.10:/tmp # 将CA的证书发给扮演的客户端,用来验证服务器的证书 [root ssl]# openssl s_client -connect www.a.com:443 -CAfile /tmp/cacert.pem
在windows上测试:
使用浏览器直接访问IP地址https://172.16.45.10,出现警告,因为没有使用域名访问并且该CA不被信任。
将CA变为受信任的机构:把CA的证书发送到windows桌面并更名为cacert.crt后,就能安装了。安装完成后,编辑hosts文件,添加172.16.45.10 www.a.com,最后重启浏览器再次进行访问就没问题了。
原文地址:http://10042224.blog.51cto.com/10032224/1641450