Install httpd
[root@falcon21 ~]# dnf -y install httpd
メタデータの期限切れの最終確認: 1:17:35 時間前の 2020年11月19日 09時24分29秒 に実施しました。
依存関係が解決しました。
===============================================================================================
 パッケージ             Arch    バージョン                                 リポジトリー  サイズ
===============================================================================================
インストール中:
 httpd                 x86_64  2.4.37-21.module_el8.2.0+494+1df74eae     AppStream    1.7 M
依存関係のインストール中:
 centos-logos-httpd    noarch  80.5-2.el8                                BaseOS        24 k
 mod_http2             x86_64  1.11.3-3.module_el8.2.0+486+c01050f0.1    AppStream    156 k

トランザクションの概要
===============================================================================================
インストール  3 パッケージ

ダウンロードサイズの合計: 1.8 M
インストール済みのサイズ: 5.3 M
パッケージのダウンロード:
(1/3): centos-logos-httpd-80.5-2.el8.noarch.rpm                      48 kB/s |  24 kB  00:00
(2/3): mod_http2-1.11.3-3.module_el8.2.0+486+c01050f0.1.x86_64      194 kB/s | 156 kB  00:00
(3/3): httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64.rpm       1.2 MB/s | 1.7 MB  00:01
-----------------------------------------------------------------------------------------------
合計                                                                931 kB/s | 1.8 MB  00:02
トランザクションの確認を実行中
トランザクションの確認に成功しました。
トランザクションのテストを実行中
トランザクションのテストに成功しました。
トランザクションを実行中
  準備              :                                                                    1/1
  インストール中    : centos-logos-httpd-80.5-2.el8.noarch                               1/3
  インストール中    : mod_http2-1.11.3-3.module_el8.2.0+486+c01050f0.1.x86_64            2/3
  インストール中    : httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64                 3/3
  scriptlet の実行中: httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64                 3/3
  検証              : httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64                 1/3
  検証              : mod_http2-1.11.3-3.module_el8.2.0+486+c01050f0.1.x86_64            2/3
  検証              : centos-logos-httpd-80.5-2.el8.noarch                               3/3
Installed products updated.

インストール済み:
  centos-logos-httpd-80.5-2.el8.noarch
  httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64
  mod_http2-1.11.3-3.module_el8.2.0+486+c01050f0.1.x86_64

完了しました!
--------------------
[root@falcon21 ~]# mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.org
[root@falcon21 ~]# vi /etc/httpd/conf/httpd.conf
Edit the following lines (the httpd.conf line number is shown first):
 89 ServerAdmin root@falcon21.space
 98 ServerName www.falcon21.space:80
154 AllowOverride All
167 DirectoryIndex index.html index.php index.cgi
[root@falcon21 ~]# systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
[root@falcon21 ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           └─php-fpm.conf
   Active: active (running) since Thu 2020-11-19 11:11:42 JST; 1min 8s ago
     Docs: man:httpd.service(8)
 Main PID: 50368 (httpd)
   Status: "Running, listening on: port 80"
    Tasks: 213 (limit: 48971)
   Memory: 23.5M
   CGroup: /system.slice/httpd.service
           ├─50368 /usr/sbin/httpd -DFOREGROUND
           ├─50369 /usr/sbin/httpd -DFOREGROUND
           ├─50370 /usr/sbin/httpd -DFOREGROUND
           ├─50371 /usr/sbin/httpd -DFOREGROUND
           └─50372 /usr/sbin/httpd -DFOREGROUND

11月 19 11:11:42 falcon21.space systemd[1]: Starting The Apache HTTP Server...
11月 19 11:11:42 falcon21.space systemd[1]: Started The Apache HTTP Server.
11月 19 11:11:43 falcon21.space httpd[50368]: Server configured, listening on: port 80
[root@falcon21 ~]# vi /var/www/html/index.html
<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
Test Page
</div>
</body>
</html>
Verified OK at http://192.168.10.3/index.html.

Put perl on the path
[root@falcon21 ~]# ln -s /usr/bin/perl /usr/local/bin/perl
[root@falcon21 ~]# whereis perl
perl: /usr/bin/perl /usr/local/bin/perl /usr/share/man/man1/perl.1.gz
------------------------------
mod_ssl: SSL certificate registration with Certbot
Install the Certbot client
[root@falcon21 ~]# cd /usr/local/
[root@falcon21 local]# git clone https://github.com/certbot/certbot
Cloning into 'certbot'...
remote: Enumerating objects: 143, done.
remote: Counting objects: 100% (143/143), done.
remote: Compressing objects: 100% (103/103), done.
remote: Total 84798 (delta 62), reused 89 (delta 39), pack-reused 84655
Receiving objects: 100% (84798/84798), 43.14 MiB | 10.39 MiB/s, done.
Resolving deltas: 100% (62070/62070), done.
[root@falcon21 ~]# /usr/local/certbot/certbot-auto -n
インストール済み:
  keyutils-libs-devel-1.5.10-6.el8.x86_64
  krb5-devel-1.17-18.el8.x86_64
  libcom_err-devel-1.45.4-3.el8.x86_64
  libffi-devel-3.1-21.el8.x86_64
  libkadm5-1.17-18.el8.x86_64
  libselinux-devel-2.9-3.el8.x86_64
  libsepol-devel-2.9-1.el8.x86_64
  libverto-devel-0.3.0-5.el8.x86_64
  mod_ssl-1:2.4.37-21.module_el8.2.0+494+1df74eae.x86_64
  openssl-devel-1:1.1.1c-15.el8.x86_64
  pcre2-devel-10.32-1.el8.x86_64
  pcre2-utf16-10.32-1.el8.x86_64
  pcre2-utf32-10.32-1.el8.x86_64
  platform-python-devel-3.6.8-23.el8.x86_64
  python-rpm-macros-3-38.el8.noarch
  python3-rpm-generators-5-6.el8.noarch
  python3-virtualenv-15.1.0-19.module_el8.1.0+245+c39af44f.noarch
  python3-wheel-wheel-1:0.31.1-2.module_el8.1.0+245+c39af44f.noarch
  python36-devel-3.6.8-2.module_el8.1.0+245+c39af44f.x86_64
  zlib-devel-1.2.11-16.el8_2.x86_64
完了しました!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Missing command line flags. For non-interactive execution, you will need to
specify a plugin on the command line.  Run with '--help plugins' to see a list
of options, and see https://eff.org/letsencrypt-plugins for more detail on what
the plugins do and how to use them.
---------------------
Obtain the server certificate
The certificate that was used on CentOS 7 cannot be reused.
[root@falcon21 ~]# /usr/local/certbot/certbot-auto certonly --webroot -w /var/www/html -m webmaster@falcon21.space -d falcon21.space
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for falcon21.space
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/falcon21.space/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/falcon21.space/privkey.pem
   Your cert will expire on 2021-02-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again.
   To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

---------------------
Apache SSL configuration (for Certbot)
[root@falcon21 ~]# vi /etc/httpd/conf.d/ssl.conf
(complete file)
#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443 https

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block.
#   So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names.  NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

#   Speed-optimized SSL Cipher configuration:
#   If speed is your main concern (on busy HTTPS servers e.g.),
#   you might want to force clients to specific, performance
#   optimized ciphers. In this case, prepend those ciphers
#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
#   (as in the example below), most connections will no longer
#   have perfect forward secrecy - if the server's key is
#   compromised, captures of past or future traffic must be
#   considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder on

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/letsencrypt/live/falcon21.space/cert.pem

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/letsencrypt/live/falcon21.space/privkey.pem

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCertificateChainFile /etc/letsencrypt/live/falcon21.space/chain.pem

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers.
#     Use this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
#CustomLog logs/ssl_request_log \
#          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
CustomLog logs/access_log combined env=!no_log
Header always set Strict-Transport-Security "max-age=15768000"

</VirtualHost>
*********************
Renew the server certificate automatically every month
Create the automatic certificate renewal script
[root@falcon21 ~]# vi /etc/cron.monthly/certbot
#!/bin/sh

log=$(mktemp)

#
# Certificate renewal
#
for path in /etc/letsencrypt/renewal/*.conf
do
    # Skip the literal pattern when no renewal config exists
    [ -e "${path}" ] || continue
    conf=$(basename "${path}")
    # Get the domain name (the file name without .conf)
    domain=${conf%.conf}
    # Get the authenticator type
    authenticator=$(grep authenticator "${path}" | awk '{print $3}')
    if [ "${authenticator}" = 'webroot' ]; then
        # Webroot authentication
        # Get the document root
        webroot=$(grep -A 1 webroot_map "${path}" | grep = | awk '{print $3}')
        # Renew the certificate
        /usr/local/certbot/certbot-auto certonly --webroot \
            -w "${webroot}" -d "${domain}" --renew-by-default >> "${log}" 2>&1
        [ $? -ne 0 ] && cat "${log}"
    else
        # Standalone authentication
        # Renew the certificate (standalone mode needs port 80 to be free)
        lsof -i:80 > /dev/null 2>&1
        if [ $? -eq 0 ]; then
            # Message: "Standalone authentication not possible because the web server is running"
            echo 'Webサーバー稼働中のためスタンドアロン認証不可'
        else
            /usr/local/certbot/certbot-auto certonly -a standalone \
                -d "${domain}" --renew-by-default >> "${log}" 2>&1
            [ $? -ne 0 ] && cat "${log}"
        fi
    fi
done

#
# Apply the renewed certificates
#
# Reload the web server configuration
lsof -i:443 > /dev/null 2>&1
if [ $? -eq 0 ]; then
    rpm -q systemd > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        systemctl reload httpd
    else
        /etc/rc.d/init.d/httpd reload > /dev/null 2>&1
    fi
fi
# Reload the SMTP server configuration
lsof -i:465 > /dev/null 2>&1
if [ $? -eq 0 ]; then
    rpm -q systemd > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        systemctl reload postfix
    else
        /etc/rc.d/init.d/postfix reload > /dev/null 2>&1
    fi
fi
# Reload the IMAP server configuration
lsof -i:995 > /dev/null 2>&1
if [ $? -eq 0 ]; then
    rpm -q systemd > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        systemctl reload dovecot
    else
        /etc/rc.d/init.d/dovecot reload > /dev/null 2>&1
    fi
fi

#
# Send the log to syslog, then delete it
#
logger -t "$(basename "$0")" < "${log}"; rm -f "${log}"
---------------------
[root@falcon21 ~]# chmod +x /etc/cron.monthly/certbot

Start httpd
[root@falcon21 ~]# systemctl start httpd
[root@falcon21 ~]# systemctl enable httpd
[root@falcon21 ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           └─php-fpm.conf
   Active: active (running) since Thu 2020-11-19 14:01:07 JST; 2min 27s ago
     Docs: man:httpd.service(8)
 Main PID: 57095 (httpd)
   Status: "Total requests: 3; Idle/Busy workers 100/0;Requests/sec: 0.0216; Bytes served/sec: 96 >
    Tasks: 213 (limit: 48971)
   Memory: 30.0M
   CGroup: /system.slice/httpd.service
           ├─57095 /usr/sbin/httpd -DFOREGROUND
           ├─57097 /usr/sbin/httpd -DFOREGROUND
           ├─57098 /usr/sbin/httpd -DFOREGROUND
           ├─57099 /usr/sbin/httpd -DFOREGROUND
           └─57100 /usr/sbin/httpd -DFOREGROUND

11月 19 14:01:07 falcon21.space systemd[1]: Starting The Apache HTTP Server...
11月 19 14:01:07 falcon21.space systemd[1]: Started The Apache HTTP Server.
11月 19 14:01:07 falcon21.space httpd[57095]: Server configured, listening on: port 443, port 80
---------------------
https://falcon21.space/ displays the Test Page.
----------------
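The certonly run above passed an http-01 challenge through the webroot in /var/www/html, and the renewal script refuses standalone mode while httpd holds port 80. As an added example (not from this page and not Certbot's code), the following Python shows what that exchange consists of: the key authorization the client must serve, where the webroot authenticator places it, and the comparison the CA performs. The account key and the directory contents are constructed; the token is the example token from RFC 8555.

```python
import base64
import hashlib
import json

WEBROOT = "/var/www/html"   # the -w argument given to certbot-auto above
# Example token from RFC 8555 section 8.3, used here as the constructed sample.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
# Constructed account key as a JWK: the modulus is a placeholder, not a real
# RSA key; member order is scrambled and an extra member added on purpose.
ACCOUNT_JWK = {"kid": "acct-1", "n": "constructed-modulus-not-a-real-key",
               "e": "AQAB", "kty": "RSA"}

def b64url(data):
    """Base64url without padding, as JOSE and ACME require (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the key's required members only,
    serialised with members in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token, account_jwk):
    """RFC 8555 section 8.1: token '.' thumbprint of the account key, so the
    served file proves control only for the account that requested the order."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def challenge_path(webroot, token):
    """File the webroot authenticator writes so that httpd serves it as
    http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{webroot}/.well-known/acme-challenge/{token}"

def validate(served_body, token, account_jwk):
    """The CA side: it fetches that URL over plain HTTP on port 80 (which is
    why the renewal script above refuses standalone mode while httpd holds the
    port) and compares the body, trailing whitespace ignored, with the value
    the account key predicts."""
    return served_body.rstrip(" \t\r\n") == key_authorization(token, account_jwk)

if __name__ == "__main__":
    path = challenge_path(WEBROOT, TOKEN)
    body = key_authorization(TOKEN, ACCOUNT_JWK)
    webroot_files = {path: body + "\n"}   # constructed stand-in for the document root
    print("written: ", path)
    print("body:    ", body)
    print("CA check:", validate(webroot_files[path], TOKEN, ACCOUNT_JWK))
    # A different account key (here the exponent is changed) cannot satisfy it.
    print("other key:", validate(webroot_files[path], TOKEN, dict(ACCOUNT_JWK, e="AQAC")))
```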
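As an added example (not from this page), the following Python audits the TLS-relevant directives of the ssl.conf above: it parses the directives, evaluates SSLProtocol the way mod_ssl does, and reports what a hardened version changes. TLS 1.0 and 1.1 are still negotiable, the cipher string explicitly re-enables 3DES, and SSLCertificateChainFile is obsolete since httpd 2.4.8 in favour of pointing SSLCertificateFile at the fullchain.pem that Certbot printed. The directive values are taken from the file above; the hardened block is constructed.

```python
import re
import shlex
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
ALL_PROTOCOLS = WEAK_PROTOCOLS | {"TLSv1.2", "TLSv1.3"}

# Constructed sample: the TLS-relevant lines of the ssl.conf above, as written.
SSL_CONF_AS_WRITTEN = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/letsencrypt/live/falcon21.space/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/falcon21.space/chain.pem
Header always set Strict-Transport-Security "max-age=15768000"
"""
# Constructed sample: the same lines with the findings fixed. TLSv1.3 needs
# OpenSSL 1.1.1, which the certbot-auto dependency list above shows installed.
SSL_CONF_HARDENED = """
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5:!SEED:!IDEA:!3DES
SSLCertificateFile /etc/letsencrypt/live/falcon21.space/fullchain.pem
Header always set Strict-Transport-Security "max-age=15768000"
"""

def parse_directives(text):
    """Return {name: args} for the uncommented directives of a fragment (the
    last occurrence of a name wins), joining backslash-continued lines."""
    directives = {}
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            parts = shlex.split(line)
            directives[parts[0]] = parts[1:]
    return directives

def enabled_protocols(tokens):
    """Evaluate SSLProtocol arguments like mod_ssl: 'all' expands to every
    supported version, '+X' or bare 'X' adds one, '-X' removes one."""
    enabled = set()
    for tok in tokens:
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if op == "-" else enabled | (names & ALL_PROTOCOLS)
    return enabled

def audit(text):
    """Return (code, message) findings for one mod_ssl config fragment."""
    d, findings = parse_directives(text), []
    # mod_ssl's built-in default when SSLProtocol is absent is 'all -SSLv3'.
    weak = enabled_protocols(d.get("SSLProtocol", ["all", "-SSLv3"])) & WEAK_PROTOCOLS
    if weak:
        findings.append(("protocol", f"{sorted(weak)} still negotiable; "
                         "use 'SSLProtocol -all +TLSv1.2 +TLSv1.3'"))
    # The cipher spec is the last argument (an optional protocol may precede it).
    if any(c.lstrip("+") == "3DES" for c in d.get("SSLCipherSuite", [""])[-1].split(":")):
        findings.append(("cipher", "3DES (a 64-bit block cipher) is explicitly "
                         "enabled; remove it or add !3DES"))
    if "SSLCertificateChainFile" in d:
        findings.append(("chain", "SSLCertificateChainFile is obsolete since httpd "
                         "2.4.8; point SSLCertificateFile at fullchain.pem instead"))
    if "Strict-Transport-Security" not in d.get("Header", []):
        findings.append(("hsts", "no Strict-Transport-Security header is set"))
    return findings

if __name__ == "__main__":
    for label, conf in ("as written", SSL_CONF_AS_WRITTEN), ("hardened", SSL_CONF_HARDENED):
        print(label, "->", audit(conf) or "no findings")
```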