Requirements:
(1) the three components (httpd, the PHP module and MariaDB) are split across two hosts;
(2) one virtual host serves phpMyAdmin, another serves WordPress;
(3) xcache;
(4) an HTTPS virtual host for phpMyAdmin.
HTTPD and PHP module: 192.168.8.16
MariaDB: 192.168.8.17
(1) Configuration on 192.168.8.16
yum install httpd php php-mysql   (install Apache and the PHP module)
vim /etc/httpd/conf/httpd.conf
    # listen address and port, in the form 192.168.8.x:80; with no address given, httpd listens on that port on all local addresses
    Listen 80
    # hostname or address (and port) this httpd instance identifies itself with; here the host's own address from the plan above.
    # If ServerName is left unset, httpd falls back to the local address and warns that it could not reliably determine the server's fully qualified domain name
    ServerName 192.168.8.16:80
    # filesystem path the URL root maps to
    DocumentRoot "/var/www/html"
:wq
vim /etc/httpd/conf.d/Virtual1.conf   (virtual host 1, domain pma.vhosts.com, serves phpMyAdmin)
    # answer on port 80
    <VirtualHost *:80>
        # the domain this vhost answers for; requests for it are mapped to the DocumentRoot below
        ServerName "pma.vhosts.com"
        # filesystem path the URL root maps to
        DocumentRoot "/web/vhosts/www1"
        # grant clients access to the document root
        <Directory "/web/vhosts/www1">
            Options Indexes FollowSymLinks
            AllowOverride None
            Require all granted
        </Directory>
        <Directory "/tmp/">
            Options Indexes FollowSymLinks
            AllowOverride None
            Require all granted
        </Directory>
        # error log and access log (combined format) for this vhost
        ErrorLog /var/log/httpd/pma/error_log
        CustomLog /var/log/httpd/pma/access_log combined
    </VirtualHost>
vim /etc/httpd/conf.d/Virtual2.conf   (virtual host 2, domain wp.vhosts.com, serves WordPress)
    <VirtualHost *:80>
        ServerName "wp.vhosts.com"
        DocumentRoot "/web/vhosts/www2"
        <Directory "/web/vhosts/www2">
            Options Indexes FollowSymLinks
            AllowOverride None
            Require all granted
        </Directory>
        ErrorLog "/var/log/httpd/wp/error_log"
        CustomLog "/var/log/httpd/wp/access_log" combined
    </VirtualHost>
Create the directories:
mkdir /web/vhosts/{www1,www2} -pv
mkdir /var/log/httpd/{wp,pma} -pv
Download phpMyAdmin-4.0.10.20-all-languages.zip
unzip phpMyAdmin-4.0.10.20-all-languages.zip   (extract)
cp -a phpMyAdmin-4.0.10.20-all-languages /web/vhosts/www1/
cd /web/vhosts/www1/
ln -sv phpMyAdmin-4.0.10.20-all-languages pma   (symlink; clients reach the application through the link, so a later version upgrade only means repointing it)
cd pma
cp config.sample.inc.php config.inc.php
openssl rand -base64 20   (generate a random string: 20 random bytes, base64-encoded)
vim config.inc.php
    /* YOU MUST FILL IN THIS FOR COOKIE AUTH! (paste the random string generated above between the quotes) */
    $cfg['blowfish_secret'] = 'AzNv9me9gqEfC9Ya4rkTSHu598I';
    /* address of the MariaDB server; the connecting account must first be granted access on the MariaDB side (the plan above places MariaDB at 192.168.8.17) */
    $cfg['Servers'][$i]['host'] = '192.168.20.243';
Test: browse to pma.vhosts.com/pma   (success)
Download wordpress-5.0.2.zip
unzip wordpress-5.0.2.zip   (extract)
cp -a wordpress /web/vhosts/www2/   (copy the whole directory tree; without -a or -r, cp skips directories)
cd /web/vhosts/www2/
ln -sv wordpress wp
cd wordpress
cp wp-config-sample.php wp-config.php
vim wp-config.php
    /** The name of the database for WordPress (the sample file's placeholder; replace it with the database created on the MariaDB server) */
    define( 'DB_NAME', 'database_name_here' );
    /** MySQL database username */
    define( 'DB_USER', 'tom' );
    /** MySQL database password */
    define( 'DB_PASSWORD', '12345678' );
    /** MySQL hostname (address of the MariaDB server) */
    define( 'DB_HOST', '192.168.8.17' );
    /** Database Charset to use in creating database tables. */
    define( 'DB_CHARSET', 'utf8' );
Test: http://wp.vhosts.com/wp   (success)
Configuration on 192.168.8.17
yum install mariadb-server
vim /etc/my.cnf   (add the following lines under the [mysqld] section)
    skip_name_resolve=ON
    innodb_file_per_table=ON
mysql   (open the MariaDB shell)
grant all on *.* to 'tom'@'192.168.8.%' identified by '12345678';   (create user tom, allowed to connect from the 192.168.8.* network; note this grants every privilege on every database, which is more than phpMyAdmin or WordPress need, so scope the grant to their databases where possible)
Create databases and tables as needed.
ss -tnl   (check that port 3306 is listening)
Load test: ab -n 100000 -c 200 http://pma.vhosts.com/pma/index.php
    Server Software:        Apache/2.4.6                     (server software and version)
    Server Hostname:        pma.vhosts.com                   (host requested)
    Server Port:            80                               (port requested)

    Document Path:          /pma/index.php                   (URL path)
    Document Length:        8714 bytes                       (page size)

    Concurrency Level:      200                              (concurrent requests)
    Time taken for tests:   92.017 seconds                   (total test time)
    Complete requests:      4992                             (requests completed)
    Failed requests:        0                                (failed requests)
    Write errors:           0                                (socket write errors)
    Total transferred:      50939343 bytes                   (total bytes transferred, headers included)
    HTML transferred:       43944702 bytes                   (body bytes actually transferred)
    Requests per second:    54.25 [#/sec] (mean)             (requests served per second)
    Time per request:       3686.596 [ms] (mean)             (average wait per user)
    Time per request:       18.433 [ms] (mean, across all concurrent requests)   (average server time per request)
    Transfer rate:          540.61 [Kbytes/sec] received     (data received per second)

    Connection Times (ms)
                  min  mean[+/-sd] median   max
    Connect:        0     9   92.5      0    1003
    Processing:    48  3602  898.9   3575    7483
    Waiting:       33  2933  784.7   3000    7482
    Total:         48  3612  901.7   3582    7483

    Percentage of the requests served within a certain time (ms)
      50%   3582   (50% of requests returned within 3582 ms)
      66%   3861
      75%   4056
      80%   4194
      90%   4703
      95%   5232
      98%   5707
      99%   5987
     100%   7483   (longest request)
Install xcache on 192.168.8.16
yum install php-xcache
vim /etc/php.d/xcache.ini
    ; memory reserved for the opcode cache; a larger cache holds more compiled scripts and serves them faster
    xcache.size = 60M
systemctl restart httpd
Appendix: DNS (BIND) resolution setup
yum install bind bind-utils
vim /etc/named.conf
    options {
        listen-on port 53 { 192.168.20.243; 127.0.0.1; };   // listen address(es) and port; several addresses may be listed
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file "/var/named/data/named.recursing";
        secroots-file "/var/named/data/named.secroots";
        allow-query { any; };   // who may query; any = everyone

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;   // recursive queries allowed

        dnssec-enable no;       // DNSSEC disabled
        dnssec-validation no;   // DNSSEC validation disabled
    (rest of the file unchanged)
vim /etc/named.rfc1912.zones   (add the zone definition below)
    zone "vhosts.com" IN {
        type master;
        file "vhosts.com.zone";
    };
vim /var/named/vhosts.com.zone   (new zone data file)
    $TTL 3600
    $ORIGIN vhosts.com.
    @       IN  SOA  ns1.vhosts.com. admin.vhosts.com. (
                     1       ; serial
                     2H      ; refresh
                     10M     ; retry
                     1W      ; expire
                     1D )    ; negative-caching TTL
    @       IN  NS   ns1.vhosts.com.
    ns1     IN  A    192.168.20.244
    pma     IN  A    192.168.20.242
    wp      IN  A    192.168.20.242
Check the configuration files
    [root@test ~]# named-checkconf
    [root@test ~]# named-checkzone vhosts.com /var/named/vhosts.com.zone
    zone vhosts.com/IN: loaded serial 1
    OK
Start and test
    [root@test ~]# systemctl start named
    [root@test ~]# dig -t A pma.vhosts.com

    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A pma.vhosts.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26488
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;pma.vhosts.com.                IN      A

    ;; ANSWER SECTION:
    pma.vhosts.com.         3600    IN      A       192.168.20.242

    ;; AUTHORITY SECTION:
    vhosts.com.             3600    IN      NS      ns1.vhosts.com.

    ;; ADDITIONAL SECTION:
    ns1.vhosts.com.         3600    IN      A       192.168.20.244

    ;; Query time: 0 msec
    ;; SERVER: 192.168.20.243#53(192.168.20.243)
    ;; WHEN: Tue Feb 25 21:46:15 EST 2020
    ;; MSG SIZE  rcvd: 93
HTTPS virtual host for phpMyAdmin on 192.168.8.16
(a simulated CA server: 192.168.8.18)
cd /etc/pki/CA/
    [root@test]# (umask 077; openssl genrsa -out private/cakey.pem 4096)   (generate the 4096-bit private key cakey.pem, readable only by root)
    Generating RSA private key, 4096 bit long modulus
    ......................................................................................................................++
    ...........................................................................................................++
    e is 65537 (0x10001)
    [root@test ]# openssl req -new -key private/cakey.pem -out httpd.csr -days 365   (generate the certificate signing request)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:GD
    Locality Name (eg, city) [Default City]:SZ
    Organization Name (eg, company) [Default Company Ltd]:DaWanQu
    Organizational Unit Name (eg, section) []:Ops
    Common Name (eg, your name or your server's hostname) []:pma.vhosts.com   (must be the domain clients will use to reach the service, otherwise the browser's certificate validation fails)
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [root@centos7 CA]# scp httpd.csr root@192.168.8.18:/etc/pki/CA/   (copy the signing request to the CA server's /etc/pki/CA/ directory)
    The authenticity of host '192.168.8.18 (192.168.8.18)' can't be established.
    ECDSA key fingerprint is SHA256:FKhie5UQHlmOtTV/TZol/k7UIf0nfDRosf2smlFoXak.
    ECDSA key fingerprint is MD5:1b:94:4c:eb:5f:20:7d:a8:87:d3:be:79:b1:08:56:57.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.8.18' (ECDSA) to the list of known hosts.
    root@192.168.8.18's password:
    httpd.csr                                     100% 1687     2.4MB/s   00:00
    [root@test ]#
192.168.8.18
Configuration on the CA host
cd /etc/pki/CA/
    [root@bogon CA]# (umask 077; openssl genrsa -out private/cakey.pem 4096)   (generate the CA's 4096-bit private key)
    Generating RSA private key, 4096 bit long modulus
    ...........................++
    ......................................................................................................................................................................................................................................................................................++
    e is 65537 (0x10001)
    [root@bogon CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365   (generate the CA's self-signed certificate; -days is its validity in days)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:GD
    Locality Name (eg, city) [Default City]:SZ
    Organization Name (eg, company) [Default Company Ltd]:DaWanQu
    Organizational Unit Name (eg, section) []:Ops
    Common Name (eg, your name or your server's hostname) []:DaWanQu
    Email Address []:
    [root@bogon CA]# touch ./{serial,index.txt}   (files openssl ca needs before it can sign)
    [root@bogon CA]# echo 01 > serial   (initial serial number 01)
    [root@bogon CA]# openssl ca -in httpd.csr -out httpd.crt -days 365   (sign httpd.csr, writing the certificate to httpd.crt)
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Feb 26 03:07:16 2020 GMT
                Not After : Feb 25 03:07:16 2021 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = GD
                organizationName          = DaWanQu
                organizationalUnitName    = Ops
                commonName                = pma.vhosts.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    CA:A9:47:E2:96:31:4C:67:44:EE:29:D3:49:C1:B6:0B:50:09:66:99
                X509v3 Authority Key Identifier:
                    keyid:E7:37:44:02:83:45:6E:5A:30:ED:6A:FF:69:D3:F4:29:73:C5:B6:CE

    Certificate is to be certified until Feb 25 03:07:16 2021 GMT (365 days)
    Sign the certificate? [y/n]:yes

    1 out of 1 certificate requests certified, commit? [y/n]yes
    Write out database with 1 new entries
    Data Base Updated
    [root@bogon CA]# scp httpd.crt root@192.168.8.16:/etc/pki/CA/   (copy the signed certificate to the httpd server)
    The authenticity of host '192.168.8.16 (192.168.8.16)' can't be established.
    ECDSA key fingerprint is SHA256:I9f09gGvg6Zr5JFDYPLO5VKiAZ/Fzmy1F37f1SLgzkI.
    ECDSA key fingerprint is MD5:47:75:60:9f:f0:b0:9e:00:c0:14:ad:59:3f:be:56:55.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.8.16' (ECDSA) to the list of known hosts.
    root@192.168.8.16's password:
    httpd.crt                                     100% 7139     7.9MB/s   00:00
    [root@bogon CA]#
Configuration on the httpd host 192.168.8.16
yum install mod_ssl   (install the SSL module)
vim /etc/httpd/conf.d/ssl.conf
    # default listener on port 443
    Listen 443 https
    # the directives below go inside the existing <VirtualHost _default_:443> block
    # URL mapping path for the SSL virtual host
    DocumentRoot "/web/vhosts/www1"
    # service domain; must match the certificate's Common Name
    ServerName "pma.vhosts.com"
    # grant clients access to the mapped path
    <Directory "/web/vhosts/www1">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    # certificate issued by the CA
    SSLCertificateFile /etc/pki/CA/httpd.crt
    # the matching private key
    SSLCertificateKeyFile /etc/pki/CA/private/cakey.pem
Client configuration
Import the CA's self-signed certificate (cacert.pem) into the browser's trusted root certificate store.
Test: https://pma.vhosts.com/pma/   (fails in Google Chrome; succeeds in Firefox and IE. Chrome ignores the certificate's Common Name and matches the hostname only against a subjectAltName extension, which the certificate signed above does not carry: its extensions are just Basic Constraints, Netscape Comment and the key identifiers.)
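The Chrome failure above is fixed by issuing the server certificate with a subjectAltName. The script below is an added example, not part of the original post: it builds a CA and a certificate for pma.vhosts.com with a SAN using openssl x509 -req and an extension file instead of the post's openssl ca database workflow, then checks the SAN and the chain. It assumes openssl is on PATH and writes into a temporary directory (2048-bit keys here for speed, where the post uses 4096).

```shell
#!/bin/sh
# Added example, not from the original post: issue a certificate for the
# pma.vhosts.com vhost that carries a subjectAltName (Chrome ignores the CN),
# using "openssl x509 -req" with an extension file instead of "openssl ca".
# Assumes openssl is on PATH; keys are 2048-bit here for speed.
set -eu

# issue_san_cert WORKDIR HOSTNAME: writes ca.key, ca.crt, server.key, server.crt
issue_san_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # 1. CA key and self-signed CA certificate (the post's cakey.pem / cacert.pem)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.crt" -days 365 \
        -subj "/C=CN/ST=GD/L=SZ/O=DaWanQu/OU=Ops/CN=DaWanQu" 2>/dev/null
    # 2. server key and CSR; the CN still matches the vhost ServerName
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/ST=GD/L=SZ/O=DaWanQu/OU=Ops/CN=$host" 2>/dev/null
    # 3. extensions for the issued cert: CA:FALSE as in the post, plus the SAN
    #    and server-auth usage that browsers check
    cat > "$dir/san.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
    # 4. sign the CSR with the CA key, attaching the extensions
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# san_check CERT HOSTNAME: succeeds only if CERT lists HOSTNAME as a DNS SAN
san_check() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# chain_check CACERT CERT: succeeds if CERT verifies against CACERT
chain_check() {
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# usage: ca.crt is what the client imports as a trusted root; server.crt and
# server.key go into SSLCertificateFile / SSLCertificateKeyFile in ssl.conf
work=$(mktemp -d)
issue_san_cert "$work" pma.vhosts.com
san_check "$work/server.crt" pma.vhosts.com && echo "SAN present"
chain_check "$work/ca.crt" "$work/server.crt" && echo "chain OK"
```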
来源:https://www.cnblogs.com/qingfengguoke/p/12364456.html