Because HTTP is transmitted in plain text, the information on the site is easily visible to others. To secure our site there are three common methods: identity authentication, source (client address) control, and encrypted access (HTTPS).
1. Identity verification: as the name suggests, when a user accesses our site the visitor must be authenticated. Only a user who enters the correct user name and password can access the site content.
Environment: rhel 5.4
Software package used: httpd-2.2.3-31.el5.i386.rpm
Specific implementation:
echo "welcome to my home" > /var/www/html/index.html    create the website homepage
vim /etc/httpd/conf/httpd.conf    modify the httpd configuration file
306 <Directory "/var/www/html">
327 AllowOverride All    change None to All here
335 </Directory>
service httpd start    start the httpd service
Create a description file named .htaccess in the root directory of the site. The file content is as follows:
AuthUserFile /var/www/.htpasswd    the authentication library (password) file
AuthName "please input your name and password"    the verification prompt
AuthType Basic    the authentication type
Require valid-user    the users that may access (any legally authenticated user)
Use htpasswd to generate the .htpasswd account file:
htpasswd -c /var/www/.htpasswd zhangsan    (Note: -c is required when creating a new file; omit it when appending a user)
New password: 123
Re-type new password: 123
service httpd restart    restart the httpd service
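As an added example (not code from the original post) of what the server does with these four directives, here is a small Python emulation: it writes a .htpasswd line in the {SHA} format that `htpasswd -s` produces (the default htpasswd on this platform writes the $apr1$ MD5 format instead; the SHA format is used here only because it is easy to reproduce with the standard library), decodes the `Authorization: Basic` header the browser sends, and applies `Require valid-user` against the file. The user name zhangsan and password 123 are the ones used above; everything else (function names, the sample header) is constructed for this example. The decoding step also shows why this method needs HTTPS: the header is base64, not encryption, so anyone who can read the plain-HTTP request can read the password.

```python
import base64
import hashlib
import hmac

# Constructed sample for this example: the .htaccess content from the post.
HTACCESS = """AuthUserFile /var/www/.htpasswd
AuthName "please input your name and password"
AuthType Basic
Require valid-user
"""


def sha1_htpasswd_entry(user: str, password: str) -> str:
    """Return one .htpasswd line in the {SHA} format that `htpasswd -s` writes:
    user:{SHA}base64(sha1(password)). Apache verifies a login by hashing the
    submitted password the same way and comparing."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def parse_htpasswd(text: str) -> dict:
    """Map user name -> stored hash field; blank lines and comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def decode_basic_header(header: str):
    """Decode 'Basic <base64>' into (user, password), or None if malformed.
    The credentials are only base64-encoded, not encrypted: over plain HTTP
    anyone on the path can recover them."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def check_basic_auth(header: str, htpasswd_text: str) -> bool:
    """Emulate 'Require valid-user': accept only a user present in the
    AuthUserFile whose {SHA} hash matches the submitted password."""
    creds = decode_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    stored = parse_htpasswd(htpasswd_text).get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    expected = sha1_htpasswd_entry(user, password).partition(":")[2]
    # constant-time comparison so timing does not reveal how much matched
    return hmac.compare_digest(stored, expected)


if __name__ == "__main__":
    htpasswd_text = sha1_htpasswd_entry("zhangsan", "123") + "\n"
    # What a browser sends after the user types zhangsan / 123 at the prompt.
    header = "Basic " + base64.b64encode(b"zhangsan:123").decode("ascii")
    print(HTACCESS)
    print(htpasswd_text)
    print("header decodes to:", decode_basic_header(header))
    print("access granted:", check_basic_auth(header, htpasswd_text))
```

Run it directly to see the decoded header and the access decision; the same functions can be pointed at a real .htpasswd file written with `htpasswd -s`.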
2. Source control: we can restrict or prohibit access by users from particular addresses or network segments.
Specific implementation:
We only need to modify the httpd configuration file on the basis of the above:
332 Order allow,deny
333 Deny from 192.168.2.2    means that all users except 192.168.2.2 are allowed to access
334 Allow from all
Note: the order on line 332 matters, because a different order gives a different result!
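To make the note about line 332 concrete, here is an added Python example (not from the original post) that applies the Apache 2.2 Order/Allow/Deny rules to a client address. It feeds the three lines above through a small evaluator and then the same Allow/Deny lines with the Order reversed, so the difference is visible: with `Order allow,deny` the host 192.168.2.2 is refused, with `Order deny,allow` it is admitted because the `Allow from all` wins. The evaluator goes a little beyond the post by also accepting CIDR networks and partial dotted prefixes as `from` arguments; host names are not handled, and the function names are this example's own.

```python
import ipaddress

# Constructed sample: the three httpd.conf lines from the post.
CONFIG_ALLOW_DENY = """
Order allow,deny
Deny from 192.168.2.2
Allow from all
"""

# The same Allow/Deny lines; only the Order differs.
CONFIG_DENY_ALLOW = """
Order deny,allow
Deny from 192.168.2.2
Allow from all
"""


def parse_access_rules(config: str):
    """Extract (order, allow_list, deny_list) from Order/Allow/Deny lines."""
    order, allow, deny = "deny,allow", [], []   # Apache 2.2 default Order
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) >= 2:
            order = "".join(parts[1:]).lower()   # tolerate "allow, deny"
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def rule_matches(rule: str, client_ip: str) -> bool:
    """Match one 'from' argument: 'all', a full address, a CIDR network, or a
    partial dotted-octet prefix such as 192.168.2 (host names are not handled)."""
    ip = ipaddress.ip_address(client_ip)
    if rule.lower() == "all":
        return True
    if "/" in rule:
        return ip in ipaddress.ip_network(rule, strict=False)
    octets = rule.split(".")
    if len(octets) < 4 and all(o.isdigit() for o in octets):
        return client_ip.split(".")[:len(octets)] == octets
    return ip == ipaddress.ip_address(rule)


def is_allowed(config: str, client_ip: str) -> bool:
    """Apache 2.2 semantics:
    Order allow,deny: the client must match an Allow and must not match any
                      Deny; a client matching neither is denied.
    Order deny,allow: a client matching a Deny is refused unless it also
                      matches an Allow; a client matching neither is allowed."""
    order, allow, deny = parse_access_rules(config)
    allowed = any(rule_matches(r, client_ip) for r in allow)
    denied = any(rule_matches(r, client_ip) for r in deny)
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError(f"unsupported Order: {order}")


if __name__ == "__main__":
    for name, cfg in (("allow,deny", CONFIG_ALLOW_DENY), ("deny,allow", CONFIG_DENY_ALLOW)):
        for ip in ("192.168.2.2", "192.168.2.3"):
            verdict = "allowed" if is_allowed(cfg, ip) else "denied"
            print(f"Order {name}: {ip} -> {verdict}")
```

A practical habit this illustrates: when a Deny is meant to take precedence over a broad Allow, use `Order allow,deny`; with `Order deny,allow` the `Allow from all` silently cancels every Deny line.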
3. Encrypted access: we use HTTP over the Secure Sockets Layer (SSL) to protect the site. SSL is a layer between the application layer and the transport layer. Because HTTP is transmitted in plain text, Netscape developed SSL; after it was standardized by the standards organization it is also called TLS.
Principle of HTTPS: when the client accesses the server, the server presents a digital certificate to the client (the certificate is issued by the CA). The certificate includes: the registrant's ID, a serial number, the public key (n, e), the validity period, the issuer's ID, and the CA's digital signature (the digital signature ensures the integrity, authenticity and non-repudiation of the information, and so guarantees that the certificate has not been tampered with). The client then generates a key K, encrypts it at the SSL layer with the server's public key and transmits it over the network to the server, which decrypts it at the SSL layer with its private key. Now the client and server hold the same key K, and they use it for symmetric encryption and decryption of the information they exchange.
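As an added illustration of the exchange just described (not code from the original post), here is textbook RSA key transport in pure Python: a CA signs a certificate carrying the server's public key (n, e), the client checks that signature before encrypting a session key K with the server's public key, the server recovers K with its private key d, and both sides then use K for the symmetric stage. The primes are deliberately tiny and chosen by the code so the arithmetic is visible, the certificate is a plain dictionary rather than X.509, and the symmetric stage is a SHA-256 keystream stand-in rather than a real cipher; those, and all function names, are assumptions of this example. Current TLS versions use ephemeral key agreement instead of RSA key transport, and a 1024-bit key like the one generated later in this post is considered too small today.

```python
import hashlib
import secrets

E = 65537  # the usual public exponent


def is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


# Toy primes near 1e5 (far too small for real use; fine for illustration).
CA_PRIMES = (next_prime(100000), next_prime(101000))
SERVER_PRIMES = (next_prime(104000), next_prime(105000))


def make_keypair(p: int, q: int):
    """Return ((n, e), d) for the primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, E), d


def cert_digest(cert: dict) -> int:
    """Hash the certificate body (every field except the signature) to an integer."""
    body = "|".join(f"{k}={cert[k]}" for k in sorted(cert) if k != "signature")
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big")


def ca_issue(cert_body: dict, ca_priv: int, ca_pub) -> dict:
    """The CA signs the body: signature = hash^d mod n_ca (textbook RSA, no padding)."""
    n, _ = ca_pub
    cert = dict(cert_body)
    cert["signature"] = pow(cert_digest(cert) % n, ca_priv, n)
    return cert


def client_verify(cert: dict, ca_pub) -> bool:
    """Client checks the CA signature before trusting the embedded public key."""
    n, e = ca_pub
    return pow(cert["signature"], e, n) == cert_digest(cert) % n


def client_send_key(cert: dict, ca_pub):
    """Client: verify the certificate, pick K, encrypt K with the server's (n, e)."""
    if not client_verify(cert, ca_pub):
        raise ValueError("certificate signature invalid: refusing to send a key")
    n, e = cert["public_key"]
    k = secrets.randbelow(n - 2) + 1     # 1 <= K < n, so it fits one RSA block
    return k, pow(k, e, n)


def server_receive_key(ciphertext: int, server_priv: int, server_pub) -> int:
    """Server: recover K with the private exponent d."""
    n, _ = server_pub
    return pow(ciphertext, server_priv, n)


def xor_stream(key: int, data: bytes) -> bytes:
    """Symmetric stage stand-in: keystream = SHA-256(K || counter), XORed with data.
    Illustrative only; not an authenticated cipher."""
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out.extend(hashlib.sha256(key.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def run_handshake():
    """Full exchange; returns (both sides hold same K, message round-trips, cert)."""
    ca_pub, ca_priv = make_keypair(*CA_PRIMES)
    srv_pub, srv_priv = make_keypair(*SERVER_PRIMES)
    body = {"subject": "www.abc.com", "serial": 1, "public_key": srv_pub,
            "validity": "365 days", "issuer": "my CA"}
    cert = ca_issue(body, ca_priv, ca_pub)            # CA issues the server certificate
    k_client, enc_k = client_send_key(cert, ca_pub)   # client -> server: E_pub(K)
    k_server = server_receive_key(enc_k, srv_priv, srv_pub)
    msg = b"welcome to my home"
    wire = xor_stream(k_client, msg)                  # client encrypts with K
    return k_client == k_server, xor_stream(k_server, wire) == msg, cert


def tampered_cert_rejected() -> bool:
    """A certificate whose public key was swapped after signing fails verification."""
    ca_pub, ca_priv = make_keypair(*CA_PRIMES)
    srv_pub, _ = make_keypair(*SERVER_PRIMES)
    cert = ca_issue({"subject": "www.abc.com", "public_key": srv_pub}, ca_priv, ca_pub)
    cert["public_key"] = (999, E)    # substituted key; signature no longer matches
    return not client_verify(cert, ca_pub)


if __name__ == "__main__":
    same_key, round_trip, cert = run_handshake()
    print("issued certificate:", cert)
    print("shared key agreed:", same_key, "| message round-trips:", round_trip)
    print("tampered certificate rejected:", tampered_cert_rejected())
```

The point to take from the tampering check is the role of the CA signature in the description above: the client must verify it before using the public key from the certificate, otherwise whoever can alter the certificate in transit can choose the key that K is encrypted with.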
Implementation environment: RHEL 5.4
Required software packages: httpd-2.2.3-31.el5.i386.rpm
mod_ssl-2.2.3-31.el5.i386.rpm
distcache-1.4.5-14.1.i386.rpm    this package is a dependency of mod_ssl
bind-9.3.6-4.P1.el5.i386.rpm
bind-chroot-9.3.6-4.P1.el5.i386.rpm
caching-nameserver-9.3.6-4.P1.el5.i386.rpm
Topology:
Specific implementation:
Install the required software packages:
rpm -ivh httpd-2.2.3-31.el5.i386.rpm
rpm -ivh mod_ssl-2.2.3-31.el5.i386.rpm
rpm -ivh distcache-1.4.5-14.1.i386.rpm
rpm -ivh bind-9.3.6-4.P1.el5.i386.rpm
rpm -ivh bind-chroot-9.3.6-4.P1.el5.i386.rpm
rpm -ivh caching-nameserver-9.3.6-4.P1.el5.i386.rpm
Because the server requires a certificate, a certificate authority (CA) is needed, so you must first set up a CA server. On Linux you can use OpenCA or OpenSSL to implement a CA; here we use OpenSSL:
vim /etc/pki/tls/openssl.cnf    modify the configuration file
45 dir = /etc/pki/CA    the directory where all CA files are stored (absolute path)
46 certs = $dir/certs    directory for issued certificates
47 crl_dir = $dir/crl    directory for certificate revocation lists
48 database = $dir/index.txt    database index file
51 new_certs_dir = $dir/newcerts    default directory in which newly issued certificates are placed
53 certificate = $dir/cacert.pem    the CA server's certificate
54 serial = $dir/serial    the current certificate serial number (incremented by 1 for each certificate issued)
58 private_key = $dir/private/cakey.pem    CA private key location
88 countryName = optional
89 stateOrProvinceName = optional
90 organizationName = optional
135 countryName = Country Name (2 letter code)
136 countryName_default = CN
137 countryName_min = 2
138 countryName_max = 2
140 stateOrProvinceName = State or Province Name (full name)
141 stateOrProvinceName_default = HENAN
143 localityName = Locality Name (eg, city)
144 localityName_default = ZHENGZHOU
The certs, crl and newcerts directories and the index.txt and serial files above do not exist yet, so create them in the directory /etc/pki/CA:
mkdir certs crl newcerts
touch index.txt serial
echo "01" > serial    gives serial an initial value
Generate a private key for the CA server:
openssl genrsa 1024 > private/cakey.pem
chmod 600 private/cakey.pem    restrict the private key permissions
Generate a certificate for the CA server:
openssl req -new -key private/cakey.pem -x509 -out cacert.pem
Now modify the configuration file /etc/httpd/conf/httpd.conf of the web server:
# Listen 80    comment out this line to disable port 80
cd /var/www/html    enter this directory
echo "welcome to my home" > index.html    generates the homepage
Issue a certificate to the web server:
mkdir /etc/httpd/certs    create a directory for storing the web server's certificate and key
cd /etc/httpd/certs    switch to that directory
openssl genrsa 1024 > httpd.key    generate a private key for the web server
chmod 600 httpd.key    restrict the private key permissions
openssl req -new -key httpd.key -out httpd.req    generate a certificate signing request from the key
openssl ca -in httpd.req -out httpd.cert    the CA signs the request to produce the certificate
Bind the certificate to the web server by modifying the /etc/httpd/conf.d/ssl.conf file:
112 SSLCertificateFile /etc/httpd/certs/httpd.cert    location of the server certificate
119 SSLCertificateKeyFile /etc/httpd/certs/httpd.key    location of the server private key
128 SSLCertificateChainFile /etc/pki/CA/cacert.pem    location of the CA certificate
DNS server configuration:
cp -p named.caching-nameserver.conf named.conf    copy the sample configuration file
vim /var/named/chroot/etc/named.conf    modify the configuration file
15 listen-on port 53 { any; };
27 allow-query { any; };
28 allow-query-cache { any; };
37 match-clients { any; };
38 match-destinations { any; };
vim /var/named/chroot/etc/named.rfc1912.zones    modify the zone declaration file and add an abc.com zone
Go to the /var/named/chroot/var/named directory:
cp -p localhost.zone abc.com.zone    copy a zone file
vim abc.com.zone    modify the zone file
Client access test:
Install the CA certificate on the client so that the certificate authority becomes a trusted institution:
Access https://www.abc.com again.
This article is from the "night wind" blog; please be sure to keep this source: http://jiangkun08.blog.51cto.com/6266992/1281694