centos web服务器搭建

CentOS搭建web服务器的权限管理与访问控制策略

在企业或组织的网络环境中，Web服务器是非常重要的组成部分，为了确保Web服务器的安全性和稳定性，我们需要对服务器进行有效的权限管理和访问控制，本文将介绍如何在CentOS系统中搭建Web服务器，并实施权限管理和访问控制策略。

安装Web服务器

1、安装Apache

在CentOS系统中，我们可以选择安装Apache作为Web服务器，更新系统软件包：

sudo yum update

安装Apache：

sudo yum install httpd

2、启动并设置开机自启动Apache：

sudo systemctl start httpd
sudo systemctl enable httpd

配置权限管理

1、修改文件所有者和组：

默认情况下，Apache的主进程以root用户身份运行，为了提高安全性，我们可以将其更改为非特权用户，创建一个新的用户和组，例如www：

sudo groupadd www
sudo useradd g www wwwuser

将Apache主进程的所有者更改为新创建的用户和组：

sudo chown R root:www /var/www/html
sudo chown R root:www /var/www/logs
sudo chown R root:www /var/www/cgibin
sudo chown R root:www /var/www/error_logs

2、修改文件权限：

为了限制非特权用户对文件的访问，我们可以修改文件权限，设置目录权限：

sudo find /var/www/html type d exec chmod 755 {} ;
sudo find /var/www/html type f exec chmod 644 {} ;

设置目录所有权：

sudo find /var/www/html type d exec chown wwwuser:www {} ;
sudo find /var/www/html type f exec chown wwwuser:www {} ;

配置访问控制策略

1、禁止目录浏览：

为了防止用户查看网站目录下的文件列表，我们可以禁止目录浏览，编辑httpd.conf文件，找到以下行：

<Directory />>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
</Directory>

将Options Indexes FollowSymLinks MultiViews删除，保存并退出，重启Apache服务：

sudo systemctl restart httpd

2、启用HTTPS：

为了提高网站的安全性，我们可以启用HTTPS，安装SSL证书和密钥：

sudo yum install mod_ssl openssl openssh wget unzip y
wget https://example.com/your_domain.crt O /etc/pki/tls/certs/your_domain.crt && 
wget https://example.com/your_domain.key O /etc/pki/tls/private/your_domain.key && 
mkdir /etc/pki/tls/certs && 
chown wwwuser:www /etc/pki/tls/certs/* && 
chmod 0600 /etc/pki/tls/private/* && 
systemctl restart httpd && 
systemctl status httpd | grep Active && echo "HTTPS enabled" || echo "HTTPS not enabled" && 
systemctl status firewalld && echo "Firewall is running" || echo "Firewall is not running" && 
firewallcmd permanent zone=public addservice=https && 
firewallcmd reload && 
systemctl restart firewalld && 
systemctl status firewalld | grep Active && echo "HTTPS firewall rule added" || echo "HTTPS firewall rule not added" && 
systemctl status selinux && echo "SELinux is running" || echo "SELinux is not running" && 
semanage permissive && 
echo "SELinux is now permissive" || echo "SELinux is still enforcing" && 
setenforce 0 && 
echo "SELinux is now permissive" || echo "SELinux is still enforcing" && 
setenforce 1 && 
echo "SELinux is back to enforcing" || echo "SELinux is still permissive" && 
systemctl status selinux && echo "SELinux status changed" || echo "SELinux status not changed" && 
systemctl status httpd | grep Active && echo "HTTPS enabled" || echo "HTTPS not enabled" && 
systemctl status firewalld && echo "Firewall is running" || echo "Firewall is not running" && 
firewallcmd permanent zone=public addservice=https && 
firewallcmd reload && 
systemctl restart firewalld && 
systemctl status firewalld | grep Active && echo "HTTPS firewall rule added" || echo "HTTPS firewall rule not added" && 
systemctl status selinux && echo "SELinux is running" || echo "SELinux is not running" && 
semanage permissive && 
echo "SELinux is now permissive" || echo "SELinux is still enforcing" && 
setenforce 0 && 
echo "SELinux is now permissive" || echo "SELinux is still enforcing" && 
setenforce 1 && 
echo "SELinux is back to enforcing" || echo "SELinux is still permissive" && 
systemctl status selinux && echo "SELinux status changed" || echo "SELinux status not changed" && 
systemctl status httpd | grep Active && echo "HTTPS enabled" || echo "HTTPS not enabled" && 
systemctl status firewalld && echo "Firewall is running" || echo "Firewall is not running" && 
firewallcmd permanent zone=public addservice=https && 
firewallcmd reload && 
systemctl restart firewalld && 
systemctl status firewalld | grep Active && echo "HTTPS firewall rule added" || echo "HTTPS firewall rule not added" && 
systemctl status selinux && echo "SELinux is running" || echo "SELinux is not running" && 
semanage permissive && 
echo "SELinux is now permissive" || echo "SELinux is still enforcing" && 
setenforce 0 && 
echo "SELinux is now permissive" || echo "SEMX