- Man hat einen Webserver mit CentOS 7.
- Darüber soll eine statische Webseite publiziert werden.
- Dazu benötigt man einen Webserver und TLS - Mehr nicht.
- Fehler? Ergänzungen? Fragen? Schreib mir.
tl;dr
- Nutzer und Pakete einrichten.
- Apache mit TLS installieren.
- LetsEncrypt-Zertifikat einrichten.
- Kein CGI oder FastCGI oder andere dynamischen Services.
ssh einrichten
Auf dem Server
- Auf der Maschine als root einloggen
# Log in as root on the fresh machine. Three equivalent invocations:
# default key lookup, an explicit identity file, or forcing password auth
# (useful when the provider only handed out a root password).
ssh -l root example.net
ssh -i id_server_rsa -l root example.net
ssh -o PubkeyAuthentication=no -o PreferredAuthentications=keyboard-interactive,password root@example.net
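# Identify the system and bring it up to date.
cat /etc/os-release
uname -r
yum clean all
yum -y update
# Unprivileged admin account; root logins over ssh are turned off further below.
adduser webserver
passwd webserver
gpasswd -a webserver wheel
# Grant sudo to the wheel group. Keep a backup and validate the result with
# visudo -c: a syntax error in /etc/sudoers locks every account out of sudo.
# NOTE: the sed pattern must match the file's whitespace exactly (the stock
# file may use tabs); check `grep wheel /etc/sudoers` afterwards.
cp /etc/sudoers /etc/sudoers.bak
sed -i 's/^# %wheel ALL=(ALL) ALL/%wheel ALL=(ALL) ALL/' /etc/sudoers
visudo -c -f /etc/sudoers || cp /etc/sudoers.bak /etc/sudoers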
Auf dem lokalen Computer
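# Generate a key pair dedicated to this server. Because -f bypasses the
# default key name, the same path has to be given to ssh-copy-id below.
ssh-keygen -b 8192 -t rsa -f ~/.ssh/id_vps_rsa
# Install the public key using password auth (key auth is not set up yet).
# The original passed a relative "id_vps_rsa.pub", which only resolves when
# run from inside ~/.ssh; use the full path of the key just created.
ssh-copy-id -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no -i ~/.ssh/id_vps_rsa.pub webserver@example.net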
Auf dem Server
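# Disable root logins over ssh. Do this only after a key login as "webserver"
# has been verified in a second session, otherwise you lock yourself out.
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# The pattern only rewrites the commented-out default; confirm the result with
# `grep PermitRootLogin /etc/ssh/sshd_config`.
sed -i 's/^#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
# Validate the edited config before reloading; the original reloaded blindly,
# and a broken sshd_config leaves the daemon unable to start again.
sshd -t && systemctl reload sshd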
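# Basic tooling: port scanner for a local sanity check, rootkit scanner,
# download and archive utilities.
yum -y install nmap
nmap localhost
yum -y install rkhunter
rkhunter --check
yum -y install wget curl p7zip
# The original read "installtelnet" (missing space) and would have failed.
yum -y install telnet
telnet google.com 80
yum -y install epel-release
# Import the ELRepo signing key first so rpm can verify the release package,
# and fetch the package over https instead of plain http.
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh https://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm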
Netzwerk einrichten
- Man kann FirewallD verwenden:
# Use FirewallD and make sure the plain iptables service cannot come back
# at boot and clobber its rule set.
yum -y install firewalld
systemctl status iptables
systemctl stop iptables
systemctl mask iptables
systemctl start firewalld
systemctl enable firewalld
systemctl status firewalld
# Open only what a static site needs: ssh, http and https.
for svc in ssh http https; do
  firewall-cmd --permanent --add-service="$svc"
done
firewall-cmd --permanent --list-all
firewall-cmd --reload
- Oder iptables nur mit ssh (22), http (80) und https (443):
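yum -y install iptables
systemctl unmask iptables
systemctl start iptables
systemctl enable iptables
ip link show
## Or use system-config-firewall:
# yum -y install system-config-firewall
# system-config-firewall
# The original used a single "<", which reads from a file named __EOF__ rather
# than from the here-document; "<<" is required. The delimiter is quoted so
# nothing in the rule set is expanded by the shell.
# The original also had "-A INPUT -i venet+ -j ACCEPT" (and the FORWARD twin)
# ahead of the port rules. On an OpenVZ guest venet0 is the public interface
# (the page itself reads the address from venet0 below), so that rule accepted
# all inbound traffic and defeated the 22/80/443 restriction; it is dropped.
cat > /etc/sysconfig/iptables <<'__EOF__'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type redirect -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -p icmp -m icmp --icmp-type echo-reply -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -p icmp -m icmp --icmp-type redirect -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
__EOF__
# Loads the file above; keep a second ssh session open until the new rules
# are confirmed to still allow port 22.
systemctl restart iptables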
Apache einrichten
Apache installieren
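yum clean all
yum -y update
# httpd with mod_ssl for TLS; nano is just an editor for the config steps.
yum -y install httpd httpd-tools mod_ssl apr apr-util openssl nano
# rpm -qil openssl
# rpm -qil mod_ssl
systemctl start httpd
systemctl enable httpd
systemctl status httpd
# Create the site directory first, then hand both over to the deploy user.
# The original chowned /var/www/html and ran mkdir afterwards as root, which
# left example.net owned by root so "webserver" could not deploy into it.
mkdir -p /var/www/html/example.net
chown webserver /var/www/html /var/www/html/example.net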
- Zum Abschalten des Webservers:
# Keep httpd from coming back at boot, then stop the running instance.
systemctl disable httpd
systemctl stop httpd
- Netzwerk-Geräte anzeigen lassen:
- Eigene IP-Adressen anzeigen lassen:
# Print the addresses on venet0 without their prefix length. Lines matching
# "inet" include inet6, so v4 and v6 addresses are both listed.
ip addr show venet0 | awk '/inet/ { sub(/\/.*$/, "", $2); print $2 }'
Apache konfigurieren
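# Config file: /etc/httpd/conf/httpd.conf (the original listed the path as a
# bare line, which the shell would try to execute).
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
# Point the default DocumentRoot at the site directory created earlier.
sed -i 's/^DocumentRoot "\/var\/www\/html"/DocumentRoot "\/var\/www\/html\/example.net"/' /etc/httpd/conf/httpd.conf
# Check the syntax and apply; the original never reloaded httpd after editing.
apachectl configtest && systemctl reload httpd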
Test Webseite erstellen
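# Placeholder page. It goes into the DocumentRoot configured above
# (/var/www/html/example.net); the original wrote /var/www/html/index.html,
# which lies outside that DocumentRoot and would not be served by it.
# Quoted delimiter: the markup is written literally, nothing is expanded.
cat > /var/www/html/example.net/index.html <<'__EOF__'
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>frank.zisko.io</title>
</head>
<body>
<h1>Sorry,</h1>
<h2>here is no web service.</h2>
<p>See you later.</p>
</body>
</html>
__EOF__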
HTTPS konfigurieren
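# Debian-style per-site layout: definitions in sites-available, symlinks in
# sites-enabled. -p makes the step safe to repeat.
mkdir -p /etc/httpd/sites-available /etc/httpd/sites-enabled
# Include enabled sites exactly once; the original "cat >>" appended another
# copy of the line on every run.
grep -q '^IncludeOptional sites-enabled/\*\.conf' /etc/httpd/conf/httpd.conf \
  || printf '%s\n' 'IncludeOptional sites-enabled/*.conf' >> /etc/httpd/conf/httpd.conf
# The ErrorLog directory named in the vhost must exist or httpd refuses to
# start. NOTE(review): with SELinux enforcing, a log directory outside
# /var/log/httpd also needs the httpd_log_t label or httpd cannot write to it.
mkdir -p /var/log/apache/example.net
# Write (not append) the vhost so re-running does not produce duplicates.
# This is the port-80 vhost only; the TLS vhost presumably follows with the
# LetsEncrypt step (not shown here).
cat > /etc/httpd/sites-available/example.net.conf <<'__EOF__'
<VirtualHost *:80>
ServerName example.net
ServerAlias www.example.net
DocumentRoot /var/www/html/example.net
ErrorLog /var/log/apache/example.net/error.log
</VirtualHost>
__EOF__
# Enable. -f replaces an existing link instead of failing on it.
ln -sf /etc/httpd/sites-available/example.net.conf /etc/httpd/sites-enabled/example.net.conf
# Validate and apply; the original never reloaded httpd after adding the vhost.
apachectl configtest && systemctl reload httpd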
Links
- https://de.wikipedia.org/wiki/Apache_HTTP_Server
- https://de.wikipedia.org/wiki/GnuTLS
- https://de.wikipedia.org/wiki/OpenSSL
- https://www.digitalocean.com/community/tutorials/initial-server-setup-with-centos-7
- https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7
- https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7
- http://dokuwiki.nausch.org/doku.php/centos:web_c7:apache_2