Notes:
1. Every service below must still be in effect after the server reboots;
2. The yum repository is served at http://172.16.0.1/yum;
3. SELinux must be in permissive mode;
4. The local network is 172.16.X.0/24 and the test network is 192.168.0.0/24;
5. Each student's IP address is 172.16.X.1, with netmask 255.255.0.0, gateway 172.16.0.1, DNS server 172.16.0.1 and hostname stuX.example.com, where X is your seat number;
1. Configure a hostname resolution server, with the requirements:
1) Set up a DNS server responsible for resolving the domain linuxidc.com;
2) The MX record must point to mail.linuxidc.com, whose A record is this host's IP;
3) The NS record must point to ns.linuxidc.com, whose A record is this host's IP;
4) Create the A records www1, www2 and proxy pointing to this host's IP; create the alias records pop3 and imaps for the mail host;
5) Create a PTR record for every A record;
6) The linuxidc.com zone may only be transferred to hosts in the 172.16.0.0/16 network; the corresponding reverse zone must not allow zone transfers to any host;
7) Delegate two subdomains of the forward zone, tech.linuxidc.com and fin.linuxidc.com, to the subdomain server at 172.16.x.5 (only the records that implement the delegation are required);
8) Forward all requests for the example.com domain to 172.16.0.1 for resolution;
9) This DNS service must refuse service to any host in the 192.168.1.0/24 network;
Reference answer:
# yum install -y bind                   // install the bind package
# yum install -y caching-nameserver     // generates named.ca and the localhost zone files automatically
# vi /etc/named.conf                    // create the main configuration file DNS needs by hand
options {
    directory "/var/named";
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "example.com" IN {
    type forward;
    forwarders { 172.16.0.1; };
    forward only;
};
zone "linuxidc.com" IN {
    type master;
    file "linuxidc.com";
    allow-transfer { 172.16.0.0/16; };
};
zone "34.16.172.in-addr.arpa" IN {
    type master;
    file "34.16.172.zone";
    allow-transfer { none; };
};
# cd /var/named
# vi linuxidc.com
$TTL 86400
@       IN SOA  ns.linuxidc.com. admin.linuxidc.com. (
                2012033000
                28800
                14400
                3600000
                86400 )
        IN NS   ns.linuxidc.com.
        IN MX 5 mail.linuxidc.com.
; delegation of the two subdomains; a name without a trailing dot is relative to linuxidc.com.
tech    IN NS   ns.tech.linuxidc.com.
fin     IN NS   ns.fin.linuxidc.com.
ns.tech IN A    172.16.34.5
ns.fin  IN A    172.16.34.5
ns      IN A    172.16.34.1
mail    IN A    172.16.34.1
www1    IN A    172.16.34.1
www2    IN A    172.16.34.1
proxy   IN A    172.16.34.1
pop3    IN CNAME mail
imaps   IN CNAME mail
# vi 34.16.172.zone
$TTL 86400
@       IN SOA  ns.linuxidc.com. admin.linuxidc.com. (
                2012033000
                28800
                14400
                3600000
                86400 )
        IN NS   ns.linuxidc.com.
1       IN PTR  ns.linuxidc.com.
1       IN PTR  www1.linuxidc.com.
1       IN PTR  www2.linuxidc.com.
1       IN PTR  mail.linuxidc.com.
1       IN PTR  proxy.linuxidc.com.
# service named restart
# iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 53 -j REJECT
# iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 53 -j REJECT
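As an added illustration (not part of the original answer), the Python below parses a constructed copy of the forward zone above, expanding relative names the way named does, and checks the records the question asks for. It assumes seat number 34 and the origin linuxidc.com.; one delegation line is deliberately written without a trailing dot to show what named makes of it.

```python
# Added example, not code from the original answer: a small BIND zone-file
# checker that expands relative names against the zone origin the way named
# does, then checks what questions 1.2-1.4 and 1.7 ask for. The zone text is a
# constructed copy of the forward zone above (SOA on one line); the "fin"
# delegation is deliberately written without a trailing dot to show the effect.

ZONE_TEXT = """$TTL 86400
@ IN SOA ns.linuxidc.com. admin.linuxidc.com. ( 2012033000 28800 14400 3600000 86400 )
  IN NS ns.linuxidc.com.
  IN MX 5 mail.linuxidc.com.
tech IN NS ns.tech.linuxidc.com.
fin.linuxidc.com IN NS ns.fin.linuxidc.com.
ns.tech IN A 172.16.34.5
ns.fin IN A 172.16.34.5
ns IN A 172.16.34.1
mail IN A 172.16.34.1
www1 IN A 172.16.34.1
www2 IN A 172.16.34.1
proxy IN A 172.16.34.1
pop3 IN CNAME mail
imaps IN CNAME mail
"""

def fqdn(name, origin):
    """'@' is the origin; a trailing dot means absolute; else relative to origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, rdata) triples with every name made absolute.
    Handles $-directives (skipped), optional TTL and class, and a blank owner
    that repeats the previous one; SOA must be on a single line."""
    records, last_owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()          # strip comments
        if not line.strip() or line.startswith("$"):
            continue
        toks = line.split()
        owner = last_owner if line[0].isspace() else fqdn(toks.pop(0), origin)
        while toks and (toks[0].isdigit() or toks[0].upper() == "IN"):
            toks.pop(0)                             # optional TTL / class
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [fqdn(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], fqdn(rdata[1], origin)]
        records.append((owner, rtype, " ".join(rdata)))
        last_owner = owner
    return records

def check_zone(records, origin, local_ip):
    """Return findings; an empty list means the zone meets the exercise."""
    a = {o: r for o, t, r in records if t == "A"}
    findings = []
    for label in ("ns", "mail", "www1", "www2", "proxy"):
        if a.get(f"{label}.{origin}") != local_ip:
            findings.append(f"{label}.{origin} has no A record for {local_ip}")
    for owner, rtype, rdata in records:
        if owner.count(origin) > 1:                 # origin appended twice
            findings.append(f"owner {owner} looks like a missing trailing dot")
        target = rdata.split()[-1]
        if rtype in ("NS", "MX", "CNAME") and target not in a:
            findings.append(f"{rtype} {owner} -> {target} has no A record")
    return findings
```

The checker reports the fin delegation as fin.linuxidc.com.linuxidc.com., which is exactly the name named would serve for that line.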
2. Apply access control to this host's sshd service, with the requirements:
1) Only hosts in the 172.16.0.0/16 network may connect;
2) Only version 2 of the SSH protocol is offered;
3) Only the root user and users in the develop and dba groups may log in;
Reference answer:
# vim /etc/hosts.allow
sshd: 172.16.
# vim /etc/hosts.deny
sshd: ALL
# vim /etc/ssh/sshd_config
Protocol 2                      // enabled by default
# vi /etc/pam.d/system-auth-ac  // add the following line
auth required pam_listfile.so item=group file=/etc/.pam sense=allow
# vi /etc/.pam
develop
dba
# usermod -a -G dba root
3. Set up an httpd server, with the requirements:
1) Provide two name-based virtual hosts:
(a) www1.linuxidc.com, with document root /var/www/html/www1; error log /var/log/httpd/www1.err and access log /var/log/httpd/www1.access;
(b) www2.linuxidc.com, with document root /var/www/html/www2; error log /var/log/httpd/www2.err and access log /var/log/httpd/www2.access;
(c) Create a home page index.html for each virtual host whose content is the corresponding hostname;
2) The www1 host may only be accessed by clients in the 172.16.0.0/16 network; the www2 host may be accessed by all hosts;
Reference answer:
# yum groupinstall -y "Development Libraries" "Development Tools" "X Software Development"
# yum install -y pcre pcre-devel
# rpm -Uvh apr-1.4.6-1.i386.rpm
# rpm -Uvh apr-devel-1.4.6-1.i386.rpm
# rpm -Uvh apr-util-1.4.1-1.i386.rpm
# rpm -Uvh apr-util-devel-1.4.1-1.i386.rpm
If rpm builds of these versions of apr and apr-util are not available, they can also be compiled and installed from source:
give --prefix when installing them, then pass --with-apr=/path/to/apr --with-apr-util=/path/to/apr-util when configuring Apache.
# tar xf httpd-2.4.1.tar.bz2
# cd httpd-2.4.1
# ./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd/ --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-zlib
# make
# make install
# vim /etc/httpd/httpd.conf
Remove the # at the start of line 464, so that it reads:
463 # Virtual hosts
464 Include /etc/httpd//extra/httpd-vhosts.conf
# cd /etc/httpd/extra
# vim httpd-vhosts.conf
Comment out the virtual hosts that ship with the file (put a # in front of lines 23 to 38), then model two virtual hosts of your own on them, configured as follows:
<VirtualHost *:80>
    ServerAdmin admin@linuxidc.com
    DocumentRoot "/var/www/html/www1"
    ServerName "www1.linuxidc.com"
    CustomLog "/var/log/httpd/www1.access" common
    ErrorLog "/var/log/httpd/www1.err"
    <Directory "/var/www/html/www1">
        Require ip 172.16.0.0/16
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin admin@linuxidc.com
    DocumentRoot "/var/www/html/www2"
    ServerName "www2.linuxidc.com"
    CustomLog "/var/log/httpd/www2.access" common
    ErrorLog "/var/log/httpd/www2.err"
    <Directory "/var/www/html/www2">
        Require all granted
    </Directory>
</VirtualHost>
# mkdir -p /var/www/html/www1
# mkdir -p /var/www/html/www2
# mkdir -p /var/log/httpd/
# cd /var/www/html/www1/
# echo "<h1><center>www1.linuxidc.com</center></h1>" > index.html
# cd ../www2
# echo "<h1><center>www2.linuxidc.com</center></h1>" > index.html
# /usr/local/apache/bin/apachectl start
4. Set up an nginx server, with the requirements:
1) Serve on port 8080;
2) Provide two name-based virtual hosts (both served on port 8080):
(a) www1.linuxidc.com:8080, with document root /www/html/www1; error log /var/log/nginx/www1.err and access log /var/log/nginx/www1.access;
(b) www2.linuxidc.com:8080, with document root /www/html/www2; error log /var/log/nginx/www2.err and access log /var/log/nginx/www2.access;
3) The www2 host may only be accessed by hosts in the 172.16.0.0/16 network;
4) Provide a SysV service control script for nginx;
5) On this host's port 8080, only packets of already established connections may go out, and only new and established connection packets may come in;
Reference answer:
# groupadd -r nginx
# useradd -r -g nginx -s /bin/false -M nginx
# tar xf nginx-1.0.14.tar.gz
# cd nginx-1.0.14
# ./configure \
    --prefix=/usr \
    --sbin-path=/usr/sbin/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx/nginx.pid \
    --lock-path=/var/lock/nginx.lock \
    --user=nginx \
    --group=nginx \
    --with-http_ssl_module \
    --with-http_flv_module \
    --with-http_stub_status_module \
    --with-http_gzip_static_module \
    --http-client-body-temp-path=/var/tmp/nginx/client/ \
    --http-proxy-temp-path=/var/tmp/nginx/proxy/ \
    --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ \
    --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi \
    --http-scgi-temp-path=/var/tmp/nginx/scgi \
    --with-pcre
# make
# make install
# vim /etc/rc.d/init.d/nginx
Write the following into it:
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
# proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /etc/nginx/nginx.conf
# config: /etc/sysconfig/nginx
# pidfile: /var/run/nginx.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

nginx="/usr/sbin/nginx"
prog=$(basename $nginx)
NGINX_CONF_FILE="/etc/nginx/nginx.conf"
[ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx
lockfile=/var/lock/subsys/nginx

make_dirs() {
    # make required directories
    user=`$nginx -V 2>&1 | grep "configure arguments:" | sed 's/[^*]*--user=\([^ ]*\).*/\1/g' -`
    options=`$nginx -V 2>&1 | grep 'configure arguments:'`
    for opt in $options; do
        if [ `echo $opt | grep '.*-temp-path'` ]; then
            value=`echo $opt | cut -d "=" -f 2`
            if [ ! -d "$value" ]; then
                # echo "creating" $value
                mkdir -p $value && chown -R $user $value
            fi
        fi
    done
}

start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    make_dirs
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

restart() {
    configtest || return $?
    stop
    sleep 1
    start
}

reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    RETVAL=$?
    echo
}

force_reload() {
    restart
}

configtest() {
    $nginx -t -c $NGINX_CONF_FILE
}

rh_status() {
    status $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart|configtest)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        # only restart when the service is already running
        rh_status_q || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
esac
# chmod +x /etc/rc.d/init.d/nginx
# chkconfig --add nginx
# vim /etc/nginx/nginx.conf   // add the following, and comment out the original server virtual host, otherwise it conflicts with Apache on port 80
The following must go inside the http block, not inside another server or location block, otherwise nginx reports an error:
server {
    listen 8080;
    server_name www1.linuxidc.com;
    root /www/html/www1;
    index index.html;
    access_log /var/log/nginx/www1.access main;
    error_log /var/log/nginx/www1.err;
}
server {
    listen 8080;
    server_name www2.linuxidc.com;
    root /www/html/www2/;
    index index.html;
    access_log /var/log/nginx/www2.access;
    error_log /var/log/nginx/www2.err;
    location / {
        allow 172.16.0.0/16;
        deny all;
    }
}
# mkdir -p /www/html/www1
# mkdir -p /www/html/www2
# cd /www/html/www1/
# echo "<h1><center>Nginx www1.linuxidc.com</center></h1>" > index.html
# cd ../www2
# echo "<h1><center>Nginx www2.linuxidc.com</center></h1>" > index.html
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -A INPUT -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
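The iptables rules of questions 1, 4, 5 and 7 all end up in one INPUT chain in the order they are appended, with the chain policy set to DROP here. The Python simulator below (added for illustration, not the page's own code) mimics first-match evaluation over a constructed transcription of those rules so the effect of the ordering and of the DROP policy can be seen without root; it assumes the DNS refusal matches the client's source address, and that the FTP rules are written for port 21 with a limit of 10 new connections per second followed by a DROP, as question 7 requires.

```python
# Added example, not code from the original answer: a first-match simulator for
# the INPUT chain that the iptables commands of questions 1, 4, 5 and 7 build
# when run in that order ("-A" appends; "-P INPUT DROP" is set in question 4).
# It is not iptables: it only mimics top-down first-match evaluation plus a
# one-second burst counter for "-m limit". The rule list is a constructed
# transcription of those answers (FTP: port 21, 10/second, then DROP).
import ipaddress

def rule(target, src=None, proto=None, dport=None, state=None, burst=None):
    return {"target": target, "src": src, "proto": proto, "dport": dport,
            "state": state, "burst": burst}

def input_chain():
    """INPUT rules in the order the answer key appends them."""
    return [
        rule("REJECT", src="192.168.1.0/24", proto="udp", dport=53),         # q1
        rule("REJECT", src="192.168.1.0/24", proto="tcp", dport=53),         # q1
        rule("ACCEPT", proto="tcp", dport=22),                               # q4
        rule("ACCEPT", proto="tcp", dport=8080, state={"NEW", "ESTABLISHED"}),
        rule("ACCEPT", proto="tcp", dport=80, state={"NEW", "ESTABLISHED"}),
        rule("ACCEPT", proto="tcp", dport=443, state={"NEW", "ESTABLISHED"}),  # q5
        rule("ACCEPT", src="172.16.0.0/16", proto="tcp", dport=21,           # q7
             state={"NEW"}, burst=10),          # -m limit --limit 10/second --limit-burst 10
        rule("DROP", proto="tcp", dport=21, state={"NEW"}),                  # q7
        rule("ACCEPT", src="172.16.0.0/16", state={"NEW", "ESTABLISHED", "RELATED"}),  # q7
    ]

POLICY = "DROP"   # iptables -P INPUT DROP (question 4)

def matches(r, pkt):
    if r["src"] and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(r["src"]):
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    if r["dport"] is not None and r["dport"] != pkt["dport"]:
        return False
    if r["state"] and pkt["state"] not in r["state"]:
        return False
    if r["burst"] is not None:        # limit: tokens for one second, refill not modelled
        if r["burst"] == 0:
            return False
        r["burst"] -= 1
    return True

def verdict(pkt, chain, policy=POLICY):
    """Walk the chain top-down; the first matching rule decides, else the policy."""
    for i, r in enumerate(chain):
        if matches(r, pkt):
            return r["target"], i
    return policy, None

def pkt(src, proto, dport=None, state="NEW"):
    return {"src": src, "proto": proto, "dport": dport, "state": state}

def demo():
    """Verdicts for a few representative packets; keys name the case."""
    chain = input_chain()
    ftp_burst = [verdict(pkt("172.16.34.9", "tcp", 21), chain)[0] for _ in range(11)]
    return {
        "dns_from_192.168.1.7": verdict(pkt("192.168.1.7", "udp", 53), chain)[0],
        "dns_from_10.0.0.5": verdict(pkt("10.0.0.5", "udp", 53), chain)[0],
        "dns_from_172.16.34.9": verdict(pkt("172.16.34.9", "udp", 53), chain)[0],
        "dns_local_before_q7": verdict(pkt("172.16.34.9", "udp", 53), chain[:6])[0],
        "ftp_from_192.168.0.5": verdict(pkt("192.168.0.5", "tcp", 21), chain)[0],
        "ftp_10th_syn_in_second": ftp_burst[9],
        "ftp_11th_syn_in_second": ftp_burst[10],
    }
```

The "dns_local_before_q7" case shows that once the policy is DROP, port 53 is unreachable even from the local network until question 7 appends its rule for 172.16.0.0/16, because no earlier rule accepts it.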
5. Provide https for the second virtual host of question 3, so that users can access this web site securely over https;
(1) Certificate authentication is required; the certificate must use the country (CN), state (Henan), city (Zhengzhou) and organization (linux);
(2) Set the organizational unit to TECH, the hostname to www2.linuxidc.com and the e-mail to admin@linuxidc.com;
(3) This service must refuse access from hosts in the 192.168.0.0/24 network;
Reference answer:
# cd /etc/pki/tls/
# vim openssl.cnf          // change the value after dir on line 45
[ CA_default ]
dir = /etc/pki/CA          # Where everything is kept
# cd ../CA
# mkdir certs
# mkdir crl
# mkdir newcerts
# touch index.txt
# echo 01 > serial
# echo 01 > crlnumber
# (umask 077; openssl genrsa 2048 > private/cakey.pem)
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
# cd /etc/httpd/
# mkdir ssl && cd ssl
# (umask 077; openssl genrsa 1024 > httpd.key)
# openssl req -new -key httpd.key -out httpd.csr
# openssl ca -in httpd.csr -out httpd.crt
# vim /etc/httpd/httpd.conf   // enable the ssl virtual host: just remove the # on line 481, as follows
# Secure (SSL/TLS) connections
Include /etc/httpd/extra/httpd-ssl.conf
Load the modules ssl needs by uncommenting lines 88 and 128:
88 LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
128 LoadModule ssl_module modules/mod_ssl.so
# vi ../extra/httpd-ssl.conf   // edit the ssl virtual host configuration; the file ships with one virtual host, which can be used after a few changes
<VirtualHost _default_:443>        // line 83
    # General setup for the virtual host
    DocumentRoot "/var/www/html/www2"
    ServerName www2.linuxidc.com:443
    ServerAdmin admin@linuxidc.com
    ErrorLog "/var/log/httpd/error_log"
    TransferLog "/var/log/httpd/access_log"
    <Directory "/var/www/html/www2">
        Require all granted
    </Directory>
(the rest of the virtual host is left as shipped)
Uncomment the following:
SSLCertificateFile "/etc/httpd/ssl/httpd.crt"          line 106
SSLCertificateKeyFile "/etc/httpd/ssl/httpd.key"       line 116
# iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
If the site cannot be reached, just stop the iptables service.
6. Provide php+mysql for the first virtual host of question 3, with the requirements:
(1) Show that php is enabled by adding a phpinfo() test page to the existing home page;
(2) Set the mysql root password to "123456" (the content inside the quotes);
(3) Provide a web management interface for the local mysql service at http://www1.linuxidc.com/pma;
Reference answer:
# mkdir -p /mydata/data
# groupadd -r mysql
# useradd -g mysql -r -s /sbin/nologin -M -d /mydata/data mysql
# chown -R mysql:mysql /mydata/data
# tar xf mysql-5.5.20-linux2.6-i686.tar.gz -C /usr/local/
# cd /usr/local/
# ln -sv mysql-5.5.20-linux2.6-i686/ /usr/local/mysql
# cd mysql
# chown -R mysql:mysql .
# scripts/mysql_install_db --user=mysql --datadir=/mydata/data
# chown -R root .
# cp support-files/my-large.cnf /etc/my.cnf
# vi /etc/my.cnf
thread_concurrency = 2        // line 39
datadir = /mydata/data        // new line
# cp support-files/mysql.server /etc/rc.d/init.d/mysqld
# chmod +x /etc/rc.d/init.d/mysqld
# chkconfig --add mysqld
# vi /etc/man.config
MANPATH /usr/local/mysql/man  // new line
# ln -sv /usr/local/mysql/include /usr/include/mysql
# echo '/usr/local/mysql/lib' > /etc/ld.so.conf.d/mysql.conf
# ldconfig
# vi /etc/profile
export PATH=$PATH:/usr/local/apache/bin:/usr/local/mysql/bin
# . /etc/profile
# service mysqld start
# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.     // seeing the welcome banner means mysql is working
mysql> quit
# mysqladmin -uroot -p password 123456
# tar xf php-5.3.10.tar.bz2
# cd php-5.3.10
# ./configure --prefix=/usr/local/php --with-mysql=/usr/local/mysql --with-openssl \
    --with-mysqli=/usr/local/mysql/bin/mysql_config --enable-mbstring --with-freetype-dir \
    --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --enable-xml \
    --with-apxs2=/usr/local/apache/bin/apxs
# make
# make install
# cp php.ini-production /usr/local/php/lib/php.ini
# vim /etc/httpd/httpd.conf
Add the following two lines:
AddType application/x-httpd-php .php          // line 378
AddType application/x-httpd-php-source .phps
Locate DirectoryIndex index.html and change it to:
DirectoryIndex index.php index.html
# cd /var/www/html/www1/
# vi index.php      // with the following content
<?php
phpinfo();
?>
Then open it in a browser to test, and that is it.
# tar xf phpMyAdmin-3.4.10.1-all-languages.tar.bz2
# mv phpMyAdmin-3.4.10.1-all-languages pma
# cd pma
# mv config.sample.inc.php config.inc.php
# vi config.inc.php     // put any string after the equals sign; mysql can then be managed through the web interface
$cfg['blowfish_secret'] = '234lsajfljsafsaf'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
Error notes:
During installation the following error was reported:
120330 20:47:27 [ERROR] ./bin/mysqld: unknown option '--skip-locking'
Solution:
# rm -rf /etc/my.cnf
7. Set up an FTP server, with the requirements:
(1) Anonymous users may access it;
(2) Provide file sharing for the virtual users ftpuser1 and ftpuser2, authenticated against mysql; ftpuser1 may upload files, create directories, delete files and download files, but ftpuser2 may only download files;
(3) The FTP service may only be accessed by hosts in 172.16.0.0/16, and must accept no more than 10 new requests per second;
(4) Enable the ftp transfer log, with log file /var/log/vsftpd.log;
Reference answer:
# yum install -y vsftpd
# tar xf pam_mysql-0.7RC1.tar.gz
# cd pam_mysql-0.7RC1
# ./configure --with-mysql=/usr/local/mysql --with-openssl
# make
# make install
# ls /usr/lib/security/       // the following two files have been generated
pam_mysql.la pam_mysql.so
# cp /usr/lib/security/* /lib/security/
# mysql -uroot -p
mysql> create database vsftpd;
mysql> grant select on vsftpd.* to vsftpd@localhost identified by '123456';
mysql> grant select on vsftpd.* to vsftpd@127.0.0.1 identified by '123456';
mysql> use vsftpd;
mysql> create table users (
    -> id int AUTO_INCREMENT NOT NULL,
    -> name char(20) NOT NULL UNIQUE KEY,
    -> passwd char(48) NOT NULL,
    -> primary key(id)
    -> );
mysql> insert into users(name,passwd) values('ftpuser1',password('123456'));
mysql> insert into users(name,passwd) values('ftpuser2',password('123456'));
mysql> flush privileges;
# vi /etc/pam.d/vsftpd.mysql
auth required /lib/security/pam_mysql.so user=vsftpd passwd=123456 host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2
account required /lib/security/pam_mysql.so user=vsftpd passwd=123456 host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=2
# useradd -s /sbin/nologin -d /var/ftproot vsftp
# chmod go+rx /var/ftproot
# vi /etc/vsftpd/vsftpd.conf      // add the following
chroot_local_user=YES
guest_enable=YES
guest_username=vsftp
pam_service_name=vsftpd.mysql
# service vsftpd restart     // restart, to verify that the virtual users can log in
# vi /etc/vsftpd/vsftpd.conf      // add one more item
user_config_dir=/etc/vsftpd_user_conf
# mkdir /etc/vsftpd_user_conf
# vi /etc/vsftpd_user_conf/ftpuser1
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
# vi /etc/vsftpd_user_conf/ftpuser2
anon_world_readable_only=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
Edit the main configuration file:
# vi /etc/vsftpd/vsftpd.conf
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
Firewall rules (the limit rule only takes effect because the DROP that follows it catches what exceeds the limit):
# iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 21 -m state --state NEW -m limit --limit 10/second --limit-burst 10 -j ACCEPT
# iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j DROP
# iptables -A INPUT -s 172.16.0.0/16 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# iptables -A OUTPUT -s 172.16.0.0/16 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
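crypt=2 in the pam_mysql lines tells the module that the passwd column holds MySQL PASSWORD() hashes, which is what the two insert statements store. The Python below (added here, not part of the original answer) reproduces that hash for MySQL 4.1 and later, performs the same comparison, and shows that the function is unsalted; the rows are constructed from the two inserts above.

```python
# Added example, not from the original answer: how the passwd column that
# pam_mysql compares with crypt=2 is produced, and a check in the same spirit.
# crypt=2 means MySQL's PASSWORD(); for MySQL 4.1 and later that is
# '*' followed by the upper-case hex of SHA1(SHA1(password)). The table below
# is a constructed stand-in for the users table created in question 7.
import hashlib
import hmac

def mysql_password(plain: str) -> str:
    """Reproduce MySQL 4.1+ PASSWORD(): '*' + HEX(SHA1(SHA1(plain)))."""
    inner = hashlib.sha1(plain.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

# constructed rows: what "select name, passwd from users" would return after
# the two inserts in the answer above
USERS = {
    "ftpuser1": mysql_password("123456"),
    "ftpuser2": mysql_password("123456"),
}

def pam_mysql_auth(name, plain, table=USERS):
    """Mirror pam_mysql's crypt=2 comparison: hash the offered password and
    compare it with the stored column in constant time."""
    stored = table.get(name)
    if stored is None:
        return False
    return hmac.compare_digest(stored, mysql_password(plain))

def shared_hashes(table):
    """PASSWORD() is unsalted, so identical passwords give identical hashes;
    return the groups of users whose stored hashes collide."""
    by_hash = {}
    for name, h in table.items():
        by_hash.setdefault(h, []).append(name)
    return [sorted(names) for names in by_hash.values() if len(names) > 1]
```

The 41-character result fits the char(48) column; the collision list is a quick way to spot accounts that share a password in such a table.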
8. Share the /data directory over nfs, but allow only hosts in the 172.16.0.0/16 network to access it;
Reference answer:
# vi /etc/exports
/data 172.16.0.0/16(ro,sync)
9. Provide php+mysql for the first virtual host of question 4, with the requirements:
(1) Show that php is enabled by adding a phpinfo() test page to the existing home page;
(2) The mysql server is the same one as in question 6, but php must be compiled and installed from the latest version;
(3) Provide the wordpress blog system at http://www1.linuxidc.com:8080/wp;
Reference answer:
# rm -rf /root/php-5.3.10
# tar xf php-5.3.10.tar.bz2
# cd php-5.3.10
# ./configure --prefix=/usr/local/php4nginx --with-mysql=/usr/local/mysql --with-openssl --enable-fpm \
    --with-mysqli=/usr/local/mysql/bin/mysql_config --enable-mbstring --with-freetype-dir --with-jpeg-dir \
    --with-png-dir --with-zlib-dir --with-libxml-dir=/usr --enable-xml --with-bz2 --with-curl
# make
# make install
# cp php.ini-production /usr/local/php4nginx/etc/php.ini
# cp sapi/fpm/init.d.php-fpm /etc/rc.d/init.d/php-fpm
# chmod +x /etc/rc.d/init.d/php-fpm
# cp /usr/local/php4nginx/etc/php-fpm.conf.default /usr/local/php4nginx/etc/php-fpm.conf
# vim /usr/local/php4nginx/etc/php-fpm.conf
Enable the following options:
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 2
pm.max_spare_servers = 8
pid = /var/run/php-fpm.pid
# chkconfig --add php-fpm
# service php-fpm start      // it may report failure; check port 9000, and if it is listening everything is fine
# vim /etc/nginx/nginx.conf
Write the following into the server block in which php is to be enabled, and add index.php to its index directive:
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
# vim /etc/nginx/fastcgi_params      // delete the existing content and replace it with the following
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
Finally, my nginx configuration for web1 is as follows:
server {
    listen 8080;
    server_name www1.linuxidc.com;
    root /www/html/www1;
    index index.php index.html;
    access_log /var/log/nginx/www1.access main;
    error_log /var/log/nginx/www1.err;
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
# cd /www/html/www1
# vi index.php
<?php
phpinfo();
?>
# service nginx restart
PHP can now be tested.
Once the test passes, deploy wordpress:
# cd /www/html/www1/
# mv /root/wordpress-3.3.1-zh_CN.zip .
# unzip wordpress-3.3.1-zh_CN.zip
# mv wordpress wp
# cd wp
# mv wp-config-sample.php wp-config.php
# vi wp-config.php       // fill in the database details
define('DB_NAME', 'wp');
define('DB_USER', 'wp');
define('DB_PASSWORD', '123456');
define('DB_HOST', 'localhost');
# mysql -uroot -p
mysql> create database wp;
mysql> grant all privileges on wp.* to wp@localhost identified by '123456';
mysql> flush privileges;
Then complete the WP installation from a client through the web page.
10. Use PAM to implement the following:
(1) Forbid the root user from logging in on the tty6 terminal;
(2) Set the hard limit on the number of open files for the ubuntu user after login to 200 and the soft limit to 120;
(3) Set the hard limit on the number of processes for users in the develop group after login to 300 and the soft limit to 200;
Reference answer:
# vi /etc/pam.d/system-auth
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
# vi /etc/securetty
Delete tty6
# vi /etc/security/limits.conf
ubuntu soft nofile 120
ubuntu hard nofile 200
# vi /etc/security/limits.conf
@develop soft nproc 200
@develop hard nproc 300
11. Set up the telnet service, with the requirements:
(1) Only hosts in 192.168.0.0/24 may access this service;
(2) Each IP may have at most 6 concurrent connection requests;
(3) The service accepts at most 20 concurrent connections; when 20 is reached, it stops serving for 10 seconds;
Reference answer:
# vi /etc/xinetd.d/telnet
service telnet
{
    flags = REUSE
    socket_type = stream
    wait = no
    user = root
    server = /usr/sbin/in.telnetd
    log_on_failure += USERID
    disable = no
    only_from = 192.168.0.0/24
    per_source = 6
    instances = 20
    cps = 20 10
}
12. Configure how this host responds to ping requests:
(1) This host only accepts ping requests from the 172.16.0.0/16 network, at a rate of no more than 10 per second;
(2) This host may send ping requests to any other host;
Reference answer:
# iptables -A INPUT -s 172.16.0.0/16 -p icmp --icmp-type 8 -m limit --limit 8/second --limit-burst 10 -j ACCEPT
# iptables -A OUTPUT -s 172.16.0.0/16 -p icmp --icmp-type 0 -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
13. Set up access control for the second virtual host of the nginx service from question 4, with the requirements:
1) Provide basic authentication for this virtual host with two virtual users, webuser1 and webuser2, both with the password RedHat; the two users must be able to access the site once they supply the password;
Reference answer:
# /usr/local/apache/bin/htpasswd -cm /etc/nginx/.htpasswd webuser1
# /usr/local/apache/bin/htpasswd -m /etc/nginx/.htpasswd webuser2
# vi /etc/nginx/nginx.conf
server {
    listen 8080;
    server_name www2.linuxidc.com;
    root /www/html/www2/;
    index index.html;
    access_log /var/log/nginx/www2.access;
    error_log /var/log/nginx/www2.err;
    auth_basic "Hi Buddy.";
    auth_basic_user_file "/etc/nginx/.htpasswd";
    location / {
        allow 172.16.0.0/16;
        deny all;
    }
}
With this, all questions are complete. The final configuration of nginx web1 and web2 is:
Appendix
server {
    listen 8080;
    server_name www1.linuxidc.com;
    root /www/html/www1;
    index index.php index.html;
    access_log /var/log/nginx/www1.access main;
    error_log /var/log/nginx/www1.err;
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
server {
    listen 8080;
    server_name www2.linuxidc.com;
    root /www/html/www2/;
    index index.html;
    access_log /var/log/nginx/www2.access;
    error_log /var/log/nginx/www2.err;
    auth_basic "Hi Buddy.";
    auth_basic_user_file "/etc/nginx/.htpasswd";
    location / {
        allow 172.16.0.0/16;
        deny all;
    }
}