1. HTTP Service Foundation
1.1 Basic concepts of Web communication
1.1.1 Architecture
Based on the B/S (browser/server) architecture, which is actually a derivative of the C/S (client/server) architecture.
1.1.2 Principle
Web pages are stored on the server side
Browser downloads and displays Web pages
Port number: 80/tcp
1.1.3 Protocol
HTML (Hyper Text Markup Language)
HTTP (Hyper Text Transfer Protocol)
1.1.4 Server and Client
Server side: httpd, Nginx, Tomcat
Client: ELinks, Firefox, IE, Chrome
1.1.5 Comparison of prefork and worker modes
Prefork mode uses multiple child processes, each with a single thread; each process can handle only one connection at a time. On most platforms the prefork MPM is more efficient than the worker MPM, but its memory usage is much larger. Prefork's threadless design is an advantage in some cases: it can use third-party modules that are not thread-safe, and it is easier to debug on platforms where debugging threads is difficult.
Worker mode uses multiple child processes, each with multiple threads; each thread can handle only one connection at a time. In general the worker MPM is a good choice for a high-traffic HTTP server because it uses much less memory than the prefork MPM. The worker MPM also has a weakness: if one thread crashes, the whole process dies together with all of its threads. Because threads share memory space, the program must be thread-safe at run time (every thread safe).
2. Building a single Web server
2.1 /etc/httpd/conf/httpd.conf
httpd global master configuration file
2.2 Modifying the global master configuration file
Line 42: Listen IP:port      (listening IP address and port number)
Line 95: ServerName          (set the server's domain name)
Line 119: DocumentRoot       (set the root directory of the Web site)
2.3 httpd -t
Check the syntax of the master configuration file for errors
3. Virtual Web hosts (multi-site)
3.1 Definition
Multiple different Web sites provided by the same server
3.2 Distinguishing ways
So how does a server differentiate between different sites? There are three different ways:
Domain-based (must master)
Port-based (understanding)
Based on IP address (not used)
3.3 /etc/httpd/conf.d/*.conf
Included by the global master configuration file; custom configuration files are typically placed here.
Specifically, the include is on line 353 of the master configuration file.
3.4 Configuring the virtual host format
Template as in httpd-vhosts.conf (@@Port@@ and @@ServerRoot@@ are placeholders to replace with real values):
<VirtualHost *:@@Port@@>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "@@ServerRoot@@/docs/dummy-host.example.com"
    ServerName dummy-host.example.com
    ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/dummy-host.example.com-error_log"
    CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
</VirtualHost>
3.5 /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf
Help file showing the httpd virtual host format
3.6 Impact of the virtual Web host on the default Web site
Once virtual Web hosts are enabled, the DocumentRoot and ServerName outside the <VirtualHost> blocks are ignored. The first virtual site in the virtual host configuration file is treated as the default site, and it is the one that responds whenever the URL the client requests does not belong to any virtual host. Therefore the ServerName defined in the main configuration file must also be given its own virtual host in the virtual host configuration file; otherwise it will not be accessible.
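The selection rule above (match on ServerName/ServerAlias, otherwise fall back to the first vhost on that port) as a small simulation; this is an added example, not code from the page or from httpd, and the two-vhost configuration inside it is constructed for the demonstration. It also honours shell-style wildcards in ServerAlias, which httpd supports.

```python
import re
from fnmatch import fnmatch

# Constructed sample in the layout of /etc/httpd/conf.d/*.conf (not the lab's files).
VHOST_CONF = """
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com *.example.net
    DocumentRoot "/var/www/html"
</VirtualHost>
<VirtualHost *:80>
    ServerName blog.example.com
    DocumentRoot "/var/www/blog"
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return the <VirtualHost> blocks in file order as dicts of port, names, root."""
    vhosts = []
    pattern = r'<VirtualHost\s+\*:(\d+)\s*>(.*?)</VirtualHost>'
    for m in re.finditer(pattern, conf, re.S | re.I):
        block = {'port': int(m.group(1)), 'names': [], 'root': None}
        for line in m.group(2).splitlines():
            words = line.split()
            if not words or words[0].startswith('#'):
                continue
            key = words[0].lower()
            if key in ('servername', 'serveralias'):
                # ServerAlias may carry several names and shell-style wildcards;
                # a ServerName may carry a :port suffix, which is dropped here
                block['names'].extend(w.lower().rsplit(':', 1)[0] for w in words[1:])
            elif key == 'documentroot':
                block['root'] = words[1].strip('"')
        vhosts.append(block)
    return vhosts

def select_vhost(vhosts, host_header, port=80):
    """Pick the vhost httpd would serve: the first block on that port whose
    ServerName/ServerAlias matches the Host header, else the first block on
    that port (the default site). Returns None when nothing listens there."""
    host = host_header.rsplit(':', 1)[0].lower()
    candidates = [v for v in vhosts if v['port'] == port]
    for v in candidates:
        if any(fnmatch(host, name) for name in v['names']):
            return v
    return candidates[0] if candidates else None

if __name__ == '__main__':
    vhosts = parse_vhosts(VHOST_CONF)
    for h in ('blog.example.com', 'www.example.net', 'server0.example.com'):
        print(h, '->', select_vhost(vhosts, h)['root'])
```

A Host header for which no vhost exists (here server0.example.com) silently lands on the first block's DocumentRoot, which is exactly the behaviour section 3.6 warns about.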
3.7 httpd service access control
The master configuration file denies access to / for everyone, and separately defines that only /var/www may be accessed. The result is that only the /var/www directory is available to everyone; the other directories under / are inaccessible.
Allow local access only, prohibit access from other systems
<Directory "/var/www/abc/private">
    Require ip 172.25.0.11 127.0.0.1
</Directory>
Allow access to the /webroot directory
<Directory "/webroot">
    Require all granted
</Directory>
Allow everyone access, but prohibit 172.34.0.0/24
# The two Require lines must sit inside <RequireAll>: bare Require lines are
# combined with "any one grants", so "Require not" alone would have no effect
# (httpd -t warns: negative Require directive has no effect in <RequireAny>).
<Directory "/var/www/html/doc">
    <RequireAll>
        Require all granted
        Require not ip 172.34.0.0/24
    </RequireAll>
</Directory>
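To show why the last rule needs <RequireAll>, the following added example (not code from the page or from httpd) models how mod_authz_core combines Require lines: each line yields granted, denied or neutral, an implicit <RequireAny> grants as soon as one line grants, and <RequireAll> denies as soon as one line denies. Only the "all" and "ip" providers are modelled, and the client addresses are constructed.

```python
import ipaddress

def eval_require(rule, client_ip):
    """Evaluate one Require line for a client address.
    Returns 'granted', 'denied' or 'neutral' (neutral = no opinion; a neutral
    final result is treated as access denied, i.e. a 403)."""
    words = rule.split()
    if len(words) < 3 or words[0].lower() != 'require':
        raise ValueError('not a Require directive: %r' % rule)
    negated = words[1].lower() == 'not'
    provider, args = (words[2], words[3:]) if negated else (words[1], words[2:])
    provider = provider.lower()
    if provider == 'all':
        # 'Require all granted' / 'Require all denied' give a direct answer
        return 'granted' if args[0].lower() == 'granted' else 'denied'
    if provider != 'ip':
        raise ValueError('only the all and ip providers are modelled here')
    client = ipaddress.ip_address(client_ip)
    # each argument is an address or CIDR range; a bare address acts as a /32
    matched = any(client in ipaddress.ip_network(a, strict=False) for a in args)
    if not matched:
        return 'neutral'
    return 'denied' if negated else 'granted'

def evaluate_section(rules, client_ip, container='RequireAny'):
    """Combine several Require lines the way mod_authz_core does.
    Bare Require lines inside <Directory> sit in an implicit <RequireAny>."""
    results = [eval_require(r, client_ip) for r in rules]
    if all(r == 'neutral' for r in results):
        return 'neutral'
    if container == 'RequireAny':
        # one grant is enough, so a matching 'Require not' can never override it
        return 'granted' if 'granted' in results else 'denied'
    # RequireAll: any denial wins
    return 'denied' if 'denied' in results else 'granted'

if __name__ == '__main__':
    rules = ['Require all granted', 'Require not ip 172.34.0.0/24']
    for ip in ('172.34.0.9', '10.0.0.5'):
        print(ip, 'RequireAny:', evaluate_section(rules, ip),
              'RequireAll:', evaluate_section(rules, ip, 'RequireAll'))
```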
3.8 Troubleshooting client access to server resources
First, check whether the firewall is restricting access
Second, check the access control of the service itself
Finally, check whether SELinux is limiting access
3.9 SELinux policy protection for httpd
SELinux manages every file in the system using a security context (label)
SELinux restricts httpd to accessing only the following files, which carry httpd labels:
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/*.conf
/var/www
3.10 ls -Zd /var/www
View the SELinux label
ls -Zd /var/www
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www
3.11 chcon -R --reference=/var/www /webroot
Using /var/www as the template, change /webroot's SELinux label to be the same as /var/www, recursively
4. Digital certificate basics
4.1 PKI system
PKI (Public Key Infrastructure)
Public key
Private key
Certificate
Certification Authority (CA)
5. Secure Web services
5.1 Definition
Based on the PKI system, using public-key encryption to ensure the confidentiality and integrity of messages
Port 443/tcp
5.2 Protocol
HTTPS (Hyper Text Transfer Protocol Secure)
SSL (Secure Sockets Layer)
TLS (Transport Layer Security)
5.3 Configuring HTTPS
5.3.1 yum -y install mod_ssl
Installs TLS protocol support; after installation the file /etc/httpd/conf.d/ssl.conf is added
5.3.2 Deploying certificates
Deploy the root certificate and the Web site's certificate to /etc/pki/tls/certs
Deploy the private key to /etc/pki/tls/private
5.3.3 /etc/httpd/conf.d/ssl.conf
Line 59: change DocumentRoot to /webroot
Line 60: change ServerName to server0.example.com:443
Line 100: change the certificate file name to server0.cert
Line 107: change the key file name to server0.key
Line 122: change the CA certificate file name to example-ca.cert
6. Deploying dynamic Web sites
6.1 yum -y install mod_wsgi
Installs the package that supports the Python engine
6.2 /usr/share/doc/mod_wsgi-3.4/README
Introductory document for the WSGI features
6.3 wget http://172.25.0.254/pub/materials/webinfo.wsgi
Download the dynamic Web site; its content is as follows:
#!/usr/bin/env python
import time

def application(environ, start_response):
    # WSGI entry point: mod_wsgi calls this once per request
    response_body = 'UNIX EPOCH time is now: %s\n' % time.time()
    status = '200 OK'
    # Content-Length must equal the real body length (only one such header)
    response_headers = [('Content-Type', 'text/plain'),
                        ('Content-Length', str(len(response_body)))]
    start_response(status, response_headers)
    # Python 2 str; under Python 3 the body must be bytes (response_body.encode())
    return [response_body]
6.4 Modifying the configuration file
Listen 8909
<VirtualHost *:8909>
    DocumentRoot /var/www/nsd
    ServerName webapp0.example.com
    # hand requests to WSGI so the script generates the page
    WSGIScriptAlias / /var/www/nsd/webinfo.wsgi
</VirtualHost>
6.5 journalctl -xn
When the httpd service fails to restart, view the verbose log.
Nov 17:23:40 localhost.localdomain python[4200]: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket.
*****  Plugin bind_ports (92.2 confidence) suggests  *****
If you want to allow /usr/sbin/httpd to bind to network port 8909
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 8909
    where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_po
*****  Plugin catchall_boolean (7.83 confidence) suggests  *****
If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
Do
setsebool -P nis_enabled 1
*****  Plugin catchall (1.41 confidence) suggests  *****
If you believe that httpd should be allowed name_bind access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
It's SELinux again!
6.6 semanage port -l | grep http
See which ports SELinux allows for HTTP
6.7 semanage port -a -t http_port_t -p tcp 8909
Add an SELinux port rule allowing HTTP to use port 8909; this consumes more resources
DAY09 Web Service (ENGINNER03)