Linux_13/ Virtual web hosting, Vsftpd

Virtual web hosting

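Apache's virtual host feature lets one server host several websites at the same time and serve each of them to external clients, selecting the site by the IP address, host name or port number that the user requests, as shown in Figure 10-12. Because users request different resources, the page content they finally receive also differs.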

------------------------------------------------------------------------------------------------------------------------------------------------------------------
1, Based on IP address

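If a server has several IP addresses and each one corresponds one-to-one to a website deployed on the server, then users who request different IP addresses reach the page resources of different sites. In addition, each site having its own IP address is also very helpful for search engine optimization. Providing virtual hosting this way is therefore not only the most common approach but is also popular with webmasters (especially grassroots webmasters).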

------------------------------------------------------------------------------------------------------------------------------------------------------------------
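#Configure the IP addresses 192.168.10.77, 192.168.10.87 and 192.168.10.97, and confirm that they are set correctly.

#Create the website data. In /home/wwwroot, create three directories to hold the data of the different sites, and write a home page file into each of them.

[root@localhost wwwroot]# ls -lR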
.:
total 0
drwxr-xr-x. 2 root root 23 Dec  5 12:03 77
drwxr-xr-x. 2 root root 23 Dec  5 12:04 87
drwxr-xr-x. 2 root root 23 Dec  5 12:04 97

./77:
total 4
-rw-r--r--. 1 root root 28 Dec  5 12:03 index.html

./87:
total 4
-rw-r--r--. 1 root root 27 Dec  5 12:04 index.html

./97:
total 4
-rw-r--r--. 1 root root 28 Dec  5 12:04 index.html
[root@localhost wwwroot]#

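#Starting at about line 113 of the httpd configuration file, append the parameters for the three IP-based virtual host sites, then save and exit. Remember that the httpd service must be restarted before this configuration takes effect.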

[root@localhost wwwroot]# vim /etc/httpd/conf/httpd.conf
<VirtualHost 192.168.10.77>
        DocumentRoot /home/wwwroot/77
        ServerName www.zhxu.com
    <Directory /home/wwwroot/77>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

#The pages do not display correctly in Firefox; SELinux needs to be configured

[root@localhost wwwroot]# ls -ldZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
[root@localhost wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot  #do not forget this path
[root@localhost wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/77
[root@localhost wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/87
[root@localhost wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/97
[root@localhost wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/77/*
[root@localhost wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/87/*
[root@localhost wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/97/*
[root@localhost wwwroot]# restorecon -Rv /home/wwwroot/*  #apply the new contexts
restorecon reset /home/wwwroot/77 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/77/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/87 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/87/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/97 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/97/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
[root@localhost wwwroot]#

------------------------------------------------------------------------------------------------------------------------------------------------------------------
2, Based on domain name

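When the server cannot be given a separate IP address for each site, Apache can instead identify the domain name the user requests and serve different content for different domain names. The configuration in this case is simpler: the production server only needs one usable IP address (192.168.10.10 is used as the example here).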

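Because configuring a DNS resolution service has not been covered yet, the mapping between IP addresses and domain names has to be defined by hand. /etc/hosts is the Linux configuration file that forces a host name to resolve to a specified IP address. Put simply, as long as this file is correct, a domain name still resolves to an IP address even when the network interface settings contain no DNS information.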

------------------------------------------------------------------------------------------------------------------------------------------------------------------

#Define the IP address and domain names

[root@localhost ~]# vim /etc/hosts

 192.168.10.77   www.zhxu.com    bbs.zhxu.com    tech.zhxu.com

#Create the website data

[root@localhost ~]# mkdir -p /home/wwwroot
[root@localhost ~]# cd /home/wwwroot/
[root@localhost wwwroot]# ll
total 0
[root@localhost wwwroot]# mkdir www
[root@localhost wwwroot]# mkdir bbs
[root@localhost wwwroot]# mkdir tech
[root@localhost wwwroot]#
[root@localhost wwwroot]# echo "Welcome to www" > www/index.html
[root@localhost wwwroot]# echo "Welcome to bbs" > bbs/index.html
[root@localhost wwwroot]# echo "Welcome to tech" > tech/index.html
#Install httpd

[root@localhost ~]# mkdir /media/cdrom
[root@localhost ~]# echo "/dev/cdrom /media/cdrom  iso9660 defaults 0 0" >> /etc/fstab
[root@localhost ~]# mount -a
mount: /dev/sr0 is write-protected, mounting read-only
[root@localhost ~]# vim /etc/yum.repos.d/rhel.repo
[rhel]
name=rhel
baseurl=file:///media/cdrom
enabled=1
gpgcheck=0

#Edit the main httpd configuration file and append the following
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf

<VirtualHost 192.168.10.77>
        DocumentRoot /home/wwwroot/www
        ServerName www.zhxu.com
    <Directory /home/wwwroot/www>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost 192.168.10.77>
        DocumentRoot /home/wwwroot/bbs
        ServerName bbs.zhxu.com
    <Directory /home/wwwroot/bbs>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost 192.168.10.77>
        DocumentRoot /home/wwwroot/tech
        ServerName tech.zhxu.com
    <Directory /home/wwwroot/tech>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

#Configure SELinux

[root@localhost ~]# ls -ldZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/www
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/www/*
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/bbs
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/bbs/*
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/tech
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/tech/*
[root@localhost ~]#
[root@localhost ~]# restorecon -Rv /home/wwwroot/*
restorecon reset /home/wwwroot/bbs context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/bbs/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/tech context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/tech/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/www context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/www/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
[root@localhost ~]#

------------------------------------------------------------------------------------------------------------------------------------------------------------------
3, Based on port number

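The port-based virtual host feature lets users reach the website resources on the server through a specified port number. Of the ways to configure virtual hosting in Apache, the port-based one is the most complex, because we have to consider not only the configuration of the httpd service but also SELinux's control over newly opened ports. In general, serving websites on ports such as 80, 443 and 8080 is reasonable; other port numbers are restricted by SELinux.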

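In the following experiment we have to consider not only the SELinux security context applied to the directories but also how the SELinux domain confines the httpd service.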

------------------------------------------------------------------------------------------------------------------------------------------------------------------

#Create the website data

[root@localhost ~]# mkdir /home/wwwroot
[root@localhost ~]# cd /home/wwwroot/
[root@localhost wwwroot]# ll
total 0
[root@localhost wwwroot]#
[root@localhost wwwroot]# mkdir 6111
[root@localhost wwwroot]# mkdir 6222
[root@localhost wwwroot]#
[root@localhost wwwroot]# ls -l
total 0
drwxr-xr-x. 2 root root 6 Dec  6 15:17 6111
drwxr-xr-x. 2 root root 6 Dec  6 15:17 6222
[root@localhost wwwroot]#
[root@localhost wwwroot]# echo "Port:6111" > 6111/index.html
[root@localhost wwwroot]# echo "Port:6222" > 6222/index.html

#Configure the listening ports in httpd

[root@localhost wwwroot]# vim /etc/httpd/conf/httpd.conf
Listen 6111
Listen 6222
#Add the port-based virtual host parameters
<VirtualHost 192.168.10.77:6111>
        DocumentRoot /home/wwwroot/6111
        ServerName www.zhxu.com
    <Directory /home/wwwroot/6111>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost 192.168.10.77:6222>
        DocumentRoot /home/wwwroot/6222
        ServerName www.zhxu.com
    <Directory /home/wwwroot/6222>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

#SELinux settings
[root@localhost wwwroot]# ls -ldZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
[root@localhost wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
[root@localhost wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/6111
[root@localhost wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/6111/*
[root@localhost wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/6112
[root@localhost wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/6112/*
[root@localhost wwwroot]# restorecon -Rv /home/wwwroot/
restorecon reset /home/wwwroot context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/6111 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/6111/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/6222 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/wwwroot/6222/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
[root@localhost wwwroot]#
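
In the session above the fcontext rules were registered for /home/wwwroot/6112, and the restorecon output shows /home/wwwroot/6222 relabeled to user_home_t instead of httpd_sys_content_t. The following added example (not part of the original post) checks restorecon output for paths that ended up with the wrong type and shows a single recursive rule that avoids per-directory rules; the function names are hypothetical and the parser assumes the "restorecon reset PATH context OLD->NEW" format shown on this page.

```shell
#!/bin/bash
# Added example, not part of the original post.
WEBROOT=/home/wwwroot              # web root used in the post
EXPECTED_TYPE=httpd_sys_content_t  # type httpd is allowed to read

# Sample input: the `restorecon -Rv /home/wwwroot/` lines from the session above.
sample_restorecon_output() {
cat <<'EOF'
restorecon reset /home/wwwroot context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/6111 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/6111/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/6222 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/wwwroot/6222/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
EOF
}

# Read `restorecon -v` output on stdin and print every path whose NEW
# context (the part after "->") does not carry the expected type.
mislabeled_paths() {
    awk -v want="$EXPECTED_TYPE" '
        $1 == "restorecon" && $2 == "reset" {
            n = split($NF, ctx, "->")   # ctx[n] is the new context
            split(ctx[n], f, ":")       # user:role:type:level
            if (f[3] != want) print $3
        }'
}

# One recursive rule labels the web root and everything below it, so a
# mistyped directory name cannot leave a site with the wrong type.
# Needs root on an SELinux host; it is not called by the demonstration below.
label_webroot() {
    semanage fcontext -a -t "$EXPECTED_TYPE" "${WEBROOT}(/.*)?"
    restorecon -Rv "$WEBROOT"
}

# Offline demonstration on the sample lines.
sample_restorecon_output | mislabeled_paths
```

On a real host, pipe the output of `restorecon -Rv /home/wwwroot` into `mislabeled_paths`; any path it prints will still be refused to httpd.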

[root@localhost wwwroot]# systemctl restart httpd  #restarting the httpd service fails with an error
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.

#List the ports that SELinux allows by default
[root@localhost wwwroot]# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

#Add the ports manually
[root@localhost wwwroot]# semanage port -a -t http_port_t -p tcp 6111
[root@localhost wwwroot]# semanage port -a -t http_port_t -p tcp 6222
[root@localhost wwwroot]#
[root@localhost wwwroot]# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      6222, 6111, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
[root@localhost wwwroot]#
[root@localhost wwwroot]# systemctl restart httpd
[root@localhost wwwroot]# systemctl status httpd
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Thu 2018-12-06 16:16:44 CST; 6s ago
  Process: 5691 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
 Main PID: 5867 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─5867 /usr/sbin/httpd -DFOREGROUND
           ├─5870 /usr/sbin/httpd -DFOREGROUND
           ├─5871 /usr/sbin/httpd -DFOREGROUND
           ├─5872 /usr/sbin/httpd -DFOREGROUND
           ├─5874 /usr/sbin/httpd -DFOREGROUND
           └─5876 /usr/sbin/httpd -DFOREGROUND

Dec 06 16:16:44 localhost.localdomain httpd[5867]: AH00112: Warning: DocumentRoot [/home/wwwroot/6222] does not exist
Dec 06 16:16:44 localhost.localdomain httpd[5867]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, u...message
Dec 06 16:16:44 localhost.localdomain systemd[1]: Started The Apache HTTP Server.
Dec 06 16:16:45 localhost.localdomain python[5869]: SELinux is preventing /usr/sbin/httpd from getattr access on the directory .
                                                    
                                                    *****  Plugin catchall_boolean (47.5 confidence) suggests   ******************...
Dec 06 16:16:45 localhost.localdomain python[5869]: SELinux is preventing /usr/sbin/httpd from getattr access on the directory .
                                                    
                                                    *****  Plugin catchall_boolean (47.5 confidence) suggests   ******************...
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost wwwroot]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
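
The restart failure above came from Listen ports that were not yet labelled http_port_t. The following added example (not part of the original post) compares the Listen directives of a configuration with `semanage port -l` output and prints the ports SELinux would refuse, so the mismatch is found before the restart; the function names are hypothetical, and the sample data is taken from the session above with "Listen 80" assumed as the stock default.

```shell
#!/bin/bash
# Added example, not from the original post. Sample data is constructed from
# the session above; "Listen 80" is an assumption (the stock default).
sample_listen() { printf 'Listen 80\nListen 6111\nListen 6222\n'; }
sample_semanage() {
cat <<'EOF'
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
EOF
}

# Read `semanage port -l` output on stdin; print the tcp ports and ranges
# labelled http_port_t as one space-separated line, e.g. "80 81 9000-9010".
allowed_http_ports() {
    awk '$1 == "http_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { sub(/,$/, "", $i); printf "%s ", $i }
         }
         END { print "" }'
}

# Read httpd configuration on stdin; print each Listen port that is not
# covered by the port list passed as $1.
unlabeled_listen_ports() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " ") }
        tolower($1) == "listen" {
            port = $2; sub(/^.*:/, "", port)    # drop an optional "addr:" prefix
            ok = 0
            for (k = 1; k <= n; k++) {
                m = split(a[k], r, "-")         # single port or lo-hi range
                lo = r[1] + 0; hi = (m == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) ok = 1
            }
            if (!ok) print port
        }'
}

# Offline demonstration: reports the two ports that still need
# `semanage port -a -t http_port_t -p tcp PORT`.
allowed=$(sample_semanage | allowed_http_ports)
sample_listen | unlabeled_listen_ports "$allowed"
```

On a real host, feed it `semanage port -l` and /etc/httpd/conf/httpd.conf in place of the sample functions.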

Opening Firefox again confirms that the sites display normally.





------ Time is always fair: however much time you put in, that is how much it gives back to you.
Original article: https://www.cnblogs.com/zhxu/p/10070201.html