lamp-module

时光总嘲笑我的痴心妄想 提交于 2020-02-26 14:31:14

要求:    (1) 三者分离于两台主机;
    (2) 一个虚拟主机用于提供phpMyAdmin;另一个虚拟主机用于提供wordpress;
    (3) xcache
    (4) 为phpMyAdmin提供https虚拟主机;

 

 HTTPD AND PHP-module: 192.168.8.16

 MariDB : 192.168.8.17

 

(1)192.168.8.16 配置

  yum install httpd php php-mysql   (安装apache程序及php模块)

  vim /etc/httpd/conf/httpd.conf

  Listen 80   (设定监听地址及端口,格式:192.168.8.x:80  ,不输入地址默认监听本机所有端口)

  ServerName 80   (指定httpd应用程序服务域名或地址,不输入默认为本地地址80端口)  注:此处如不修改会提示serverName错误

  DocumentRoot "/var/www/html"   (指定URL映射路径)

  wq

 

  vim /etc/httpd/conf.d/Virtual1.conf    (添加虚拟主机1配置文件,域名为 pma.vhosts.com , 作为 phpMyAdmin 服务器)

  

 0 <VirtualHost *:80>   (监听80端口) 1 ServerName "pma.vhosts.com"    (指定服务域名,也可以理解为监听的域名,当客户端访问该域名时将URL路径映射到配置文件中指定的路径下)
 2 DocumentRoot "/web/vhosts/www1"   (指定URL映射路径)
 3 <Directory "/web/vhosts/www1">   (权限设置允许客户端通过URL访问该目录)
 4         Options Indexes FollowSymLinks
 5         AllowOverride None
 6         Require all granted
 7 </Directory>
 8 <Directory "/tmp/">
 9         Options Indexes FollowSymLinks
10         AllowOverride None
11         Require all granted
12 </Directory>  
13 ErrorLog /var/log/httpd/pma/error_log     (指定服务器错误日志路径)
14 CustomLog /var/log/httpd/pma/access_log combined   (指定访问日志路径及日志格式:combined)
15 </VirtualHost> 

 

  

   vim /etc/httpd/conf.d/Virtual2.conf   (新增虚拟主机2配置文件,域名为 wp.vhosts.com ,做为wordpress 服务器)

  

 1 <VirtualHost *:80>
 2 ServerName "wp.vhosts.com"
 3 DocumentRoot "/web/vhosts/www2"
 4 <Directory "/web/vhosts/www2">
 5         Options Indexes FollowSymLinks
 6         AllowOverride None
 7         Require all granted
 8 </Directory>
 9 ErrorLog "/var/log/httpd/wp/error_log"
10 CustomLog "/var/log/httpd/wp/access_log" combined
11 </VirtualHost>

    

 

  创建相关目录:

  mkdir /web/vhosts/{www1,www2} -pv

  mkdir /var/log/httpd/{wp,pma} -pv  

 

下载 phpMyAdmin-4.0.10.20-all-languages.zip  

  unzip  phpMyAdmin-4.0.10.20-all-languages.zip    (解压)

  cp -a phpMyAdmin-4.0.10.20-all-languages  /web/vhosts/www1/

  cd /web/vhosts/www1/

  ln -sv phpMyAdmin-4.0.10.20-all-languages pma   (指定软链接,客户端端通过软链接目录访问应用服务,便于日后版本更新等操作)

  cd pma

  cp config.sample.inc.php  config.inc.php   

  openssl rand -base64 20    (生成20位随机字符串) 

  vim config.inc.php

  

$cfg['blowfish_secret'] = 'AzNv9me9gqEfC9Ya4rkTSHu598I'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH!  (将生成的20位字符串放入 = '此处')
 */
$cfg['Servers'][$i]['host'] = '192.168.20.243';  (指定mariadb 服务器地址) 注:需在mariadb服务器开通指定用户账号访问权限

 

 测试:  客户端访问  pma.vhosts.com/pma   (successd)

 

 

下载 wordpress -5.0.2 

  unzip wordpress-5.0.2.zip   (解压)

  cp wordpress /web/vhosts/www2/

  cd /web/vhosts/www2/

  ln -sv wordpress wp 

  cd wordpress 

  cp wp-config-sample.php wp-config.php

  vim wp-config.php

  

define( 'DB_NAME', '192.168.8.17' );     (指定数据库名称)

/** MySQL database username */
define( 'DB_USER', 'tom' );   (指定连接数据库用户)

/** MySQL database password */
define( 'DB_PASSWORD', '12345678' );   (指定数据库密码)

/** MySQL hostname */
define( 'DB_HOST', '192.168.8.17' );   (指定数据库地址)

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );   (数据库字符集)

 

   测试: http://wp.vhosts.com/wp   (successd)   

 

 

192.168.8.17 配置

  yum install mariadb-server 

  vim /etc/my.cnf      (插入以下行)

  

1 skip_name_resolve=ON
2 innodb_file_per_table=ON

 

 mysql     进入mariadb管理界面

 

grant all on *.* to 'tom'@'192.168.8.%' identified by '12345678';     (创建用户tom,允许通过192.168.8.* 网段访问)

 

  如有需要可创建数据库及表

  ss -tnl   :检查3306端口是否监听

 

 

压测: ab -n 100000 -c 200 http://pma.vhosts.com/pma/index.php

  

 1 Server Software:        Apache/2.4.6    (请求的服务版本)
 2 Server Hostname:        pma.vhosts.com  (请求的服务名称)
 3 Server Port:            80   (请求的端口号)
 4 
 5 Document Path:          /pma/index.php   (URL路径映射)
 6 Document Length:        8714 bytes   (page size)
 7 
 8 Concurrency Level:      200    (请求并发数)
 9 Time taken for tests:   92.017 seconds   (共使用 秒数)
10 Complete requests:      4992    (请求的次数)
11 Failed requests:        0     (失败的请求)
12 Write errors:           0     (网络连接写入错误数)
13 Total transferred:      50939343 bytes   (完全传输page size)
14 HTML transferred:       43944702 bytes   (实际传输的 page size)
15 Requests per second:    54.25 [#/sec] (mean)   (每 秒 多少个请求)
16 Time per request:       3686.596 [ms] (mean)   (平均每个用户等待多长时间)
17 Time per request:       18.433 [ms] (mean, across all concurrent requests)   (服务器平均用时多长时间处理)
18 Transfer rate:          540.61 [Kbytes/sec] received   (每秒获取多少数据)
19 
20 Connection Times (ms)
21               min  mean[+/-sd] median   max
22 Connect:        0    9  92.5      0    1003
23 Processing:    48 3602 898.9   3575    7483
24 Waiting:       33 2933 784.7   3000    7482
25 Total:         48 3612 901.7   3582    7483
26 
27 Percentage of the requests served within a certain time (ms)
28   50%   3582     (%50的用户请求 3582ms内返回)
29   66%   3861
30   75%   4056
31   80%   4194
32   90%   4703
33   95%   5232
34   98%   5707
35   99%   5987
36  100%   7483 (longest request)

 

 

192.168.1.16 安装xcache

  yum install php-xcache

  vim /etc/php.d/xcache

  

1 xcache.size  =               60M     (指定缓存用内存空间大小,越大缓存越多,速率越快)

 

  systemctl restart httpd

 

 

 

附录: DNS and Bind 解析配置

  yum install bind bind-utils

  vim /etc/named.conf

  

 1 options {
 2         listen-on port 53 { 192.168.20.243; 127.0.0.1; };   (指定监听地址与端口,可指定多个)
 3         listen-on-v6 port 53 { ::1; };
 4         directory       "/var/named";
 5         dump-file       "/var/named/data/cache_dump.db";
 6         statistics-file "/var/named/data/named_stats.txt";
 7         memstatistics-file "/var/named/data/named_mem_stats.txt";
 8         recursing-file  "/var/named/data/named.recursing";
 9         secroots-file   "/var/named/data/named.secroots";
10         allow-query     { any; };   (指定允许接收的请求,any为所有)
11 
12         /* 
13          - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
14          - If you are building a RECURSIVE (caching) DNS server, you need to enable 
15            recursion. 
16          - If your recursive DNS server has a public IP address, you MUST enable access 
17            control to limit queries to your legitimate users. Failing to do so will
18            cause your server to become part of large scale DNS amplification 
19            attacks. Implementing BCP38 within your network would greatly
20            reduce such attack surface 
21         */
22         recursion yes;   (递归查询)
23 
24         dnssec-enable no;   (关闭dns校验)
25         dnssec-validation no;   (关闭dns校验)

 

 

  vim /etc/named.rfc1912.zone   (添加下面的行,区域配置)

  

zone "vhosts.com" IN {
        type master;
        file "vhosts.com.zone";
};

 

 

  vim /var/named/vhosts.com.zone     (新增解析库文件)

  

 1 $TTL 3600
 2 $ORIGIN vhosts.com.
 3 @       IN      SOA     ns1.vhosts.com.         admin.vhosts.com (
 4                 1
 5                 2H
 6                 10M
 7                 1W
 8                 1D
 9                 )
10 @       IN      NS      ns1.vhosts.com.
11 ns1     IN      A       192.168.20.244
12 pma     IN      A       192.168.20.242
13 wp      IN      A       192.168.20.242

 

 

  测试配置文件

 

[root@test ~]# named-checkconf 
[root@test ~]# named-checkzone vhosts.com /var/named/vhosts.com.zone 
zone vhosts.com/IN: loaded serial 1
OK

 

  启动并测试

  

 1 [root@test ~]# systemctl start named
 2 [root@test ~]# dig -t A pma.vhosts.com
 3 
 4 ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A pma.vhosts.com
 5 ;; global options: +cmd
 6 ;; Got answer:
 7 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26488
 8 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
 9 
10 ;; OPT PSEUDOSECTION:
11 ; EDNS: version: 0, flags:; udp: 4096
12 ;; QUESTION SECTION:
13 ;pma.vhosts.com.            IN    A
14 
15 ;; ANSWER SECTION:
16 pma.vhosts.com.        3600    IN    A    192.168.20.242
17 
18 ;; AUTHORITY SECTION:
19 vhosts.com.        3600    IN    NS    ns1.vhosts.com.
20 
21 ;; ADDITIONAL SECTION:
22 ns1.vhosts.com.        3600    IN    A    192.168.20.244
23 
24 ;; Query time: 0 msec
25 ;; SERVER: 192.168.20.243#53(192.168.20.243)
26 ;; WHEN: Tue Feb 25 21:46:15 EST 2020
27 ;; MSG SIZE  rcvd: 93

 

 

 

192.168.8.16    为phpmyadmin 提供https虚拟主机

  (模拟  CA服务器:192.168.8.18)

 

  cd /etc/pki/CA/

  

 1 [root@test]# (umask 077;openssl genrsa -out private/cakey.pem 4096)   (生成4096位私钥文件 cakey.pem)
 2 Generating RSA private key, 4096 bit long modulus
 3 ......................................................................................................................++
 4 ...........................................................................................................++
 5 e is 65537 (0x10001)
 6 [root@test ]# openssl req -new -key private/cakey.pem -out httpd.csr -days 365   (生成证书签署请求文件) 7 You are about to be asked to enter information that will be incorporated
 8 into your certificate request.
 9 What you are about to enter is what is called a Distinguished Name or a DN.
10 There are quite a few fields but you can leave some blank
11 For some fields there will be a default value,
12 If you enter '.', the field will be left blank.
13 -----
14 Country Name (2 letter code) [XX]:CN
15 State or Province Name (full name) []:GD          
16 Locality Name (eg, city) [Default City]:SZ
17 Organization Name (eg, company) [Default Company Ltd]:DaWanQu
18 Organizational Unit Name (eg, section) []:Ops
19 Common Name (eg, your name or your server's hostname) []:pma.vhosts.com   (此处指定服务域名一定要与指定访问的域名一致,否则客户端会验证不通过)
20 Email Address []:
21 
22 Please enter the following 'extra' attributes
23 to be sent with your certificate request
24 A challenge password []:
25 An optional company name []:
26 [root@centos7 CA]# scp httpd.csr root@192.168.8.18:/etc/pki/CA/   (将证书签署请求拷贝到CA服务器/etc/pki/CA/ 目录下)
27 The authenticity of host '192.168.8.18 (192.168.8.18)' can't be established.
28 ECDSA key fingerprint is SHA256:FKhie5UQHlmOtTV/TZol/k7UIf0nfDRosf2smlFoXak.
29 ECDSA key fingerprint is MD5:1b:94:4c:eb:5f:20:7d:a8:87:d3:be:79:b1:08:56:57.
30 Are you sure you want to continue connecting (yes/no)? yes
31 Warning: Permanently added '192.168.8.18' (ECDSA) to the list of known hosts.
32 root@192.168.8.18's password: 
33 httpd.csr                                                                      100% 1687     2.4MB/s   00:00    
34 [root@test ]# 

 

 

 192.168.8.18  

  CA 主机上配置

  cd /etc/pki/CA/

  

 1 [root@bogon CA]# (umask 077;openssl genrsa -out private/cakey.pem 4096)   (生成4096位私钥文件)
 2 Generating RSA private key, 4096 bit long modulus
 3 ...........................++
 4 ......................................................................................................................................................................................................................................................................................++
 5 e is 65537 (0x10001)
 6 [root@bogon CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365   (生成CA服务器自签证书, -days为证书有效期天数)
 7 You are about to be asked to enter information that will be incorporated
 8 into your certificate request.
 9 What you are about to enter is what is called a Distinguished Name or a DN.
10 There are quite a few fields but you can leave some blank
11 For some fields there will be a default value,
12 If you enter '.', the field will be left blank.
13 -----
14 Country Name (2 letter code) [XX]:CN
15 State or Province Name (full name) []:GD
16 Locality Name (eg, city) [Default City]:SZ
17 Organization Name (eg, company) [Default Company Ltd]:DaWanQu 
18 Organizational Unit Name (eg, section) []:Ops
19 Common Name (eg, your name or your server's hostname) []:DaWanQu
20 Email Address []:22 [root@bogon CA]# touch ./{serial,index.txt}   (创建签署证书必需文件)
23 [root@bogon CA]# echo 01 > serial    (写入序列号01)26 [root@bogon CA]# openssl ca -in httpd.csr -out httpd.crt -days 365    (签署httpd.csr 证书 ,输出为 httpd.crt)
36 Using configuration from /etc/pki/tls/openssl.cnf
37 Check that the request matches the signature
38 Signature ok
39 Certificate Details:
40         Serial Number: 1 (0x1)
41         Validity
42             Not Before: Feb 26 03:07:16 2020 GMT
43             Not After : Feb 25 03:07:16 2021 GMT
44         Subject:
45             countryName               = CN
46             stateOrProvinceName       = GD
47             organizationName          = DaWanQu
48             organizationalUnitName    = Ops
49             commonName                = pma.vhosts.com
50         X509v3 extensions:
51             X509v3 Basic Constraints: 
52                 CA:FALSE
53             Netscape Comment: 
54                 OpenSSL Generated Certificate
55             X509v3 Subject Key Identifier: 
56                 CA:A9:47:E2:96:31:4C:67:44:EE:29:D3:49:C1:B6:0B:50:09:66:99
57             X509v3 Authority Key Identifier: 
58                 keyid:E7:37:44:02:83:45:6E:5A:30:ED:6A:FF:69:D3:F4:29:73:C5:B6:CE
59 
60 Certificate is to be certified until Feb 25 03:07:16 2021 GMT (365 days)
61 Sign the certificate? [y/n]:yes
62 
63 
64 1 out of 1 certificate requests certified, commit? [y/n]yes
65 Write out database with 1 new entries
66 Data Base Updated 
67 [root@bogon CA]# scp httpd.crt root@192.168.8.16:/etc/pki/CA/     (将签署完成的证书文件拷贝到httpd服务器)
69 The authenticity of host '192.168.8.16 (192.168.8.16)' can't be established.
70 ECDSA key fingerprint is SHA256:I9f09gGvg6Zr5JFDYPLO5VKiAZ/Fzmy1F37f1SLgzkI.
71 ECDSA key fingerprint is MD5:47:75:60:9f:f0:b0:9e:00:c0:14:ad:59:3f:be:56:55.
72 Are you sure you want to continue connecting (yes/no)? yes
73 Warning: Permanently added '192.168.8.16' (ECDSA) to the list of known hosts.
74 root@192.168.8.16's password: 
75 /etc/profile.d/vimrc.sh: line 4: autocmd: command not found
76 /etc/profile.d/vimrc.sh: line 5: syntax error near unexpected token `('
77 /etc/profile.d/vimrc.sh: line 5: `func SetTitle()'
78 httpd.crt                                                                      100% 7139     7.9MB/s   00:00    
79 [root@bogon CA]# 

  

 

 

192.168.8.16  httpd主机配置

  yum install mod_ssl    (安装ssl支持模块)

  vim /etc/httpd/conf.d/ssl.conf   

  

Listen 443 https   (默认监听443端口)

#
DocumentRoot "/web/vhosts/www1"   (SSL 连接URL映射路径)
ServerName "pma.vhosts.com"   (服务域名)

<Directory "web/vhosts/www1">     (授权URL映射路径允许访问)
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

SSLCertificateFile /etc/pki/CA/httpd.crt   (指定证书文件路径)
SSLCertificateKeyFile /etc/pki/CA/private/cakey.pem   (指定私钥文件路径)

 

  

 

客户机配置

  将ca服务器自签证书导入到浏览器受信根证书中

 测试: https://pma.vhosts.com/pma/        (google浏览器测试不成功,火狐浏览器与IE测试成功)

 

 

 

 

  

  

   

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!