• Man hat einen Webserver mit CentOS 7.
  • Darüber soll eine statische Webseite publiziert werden.
  • Dazu benötigt man einen Webserver und TLS - Mehr nicht.
  • Fehler? Ergänzungen? Fragen? Schreib mir.

tl;dr

  • Nutzer und Pakete einrichten.
  • Apache mit TLS installieren.
  • LetsEncrypt-Zertifikat einrichten.
  • Kein CGI oder FastCGI oder andere dynamische Services.

ssh einrichten

Auf dem Server

  • Auf der Maschine als root einloggen
    • ssh root@example.net
    • ssh -i id_server_rsa root@example.net
    • ssh -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no -l root example.net
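# Show what we are running on, then bring the system up to date.
cat /etc/os-release
uname -r
yum clean all
yum -y update

# Unprivileged administrative account; membership in wheel grants sudo once
# the %wheel rule in sudoers is enabled below. passwd prompts interactively.
adduser webserver
passwd webserver
gpasswd -a webserver wheel

# Uncomment the %wheel rule. Keep a backup and let visudo verify the result:
# a syntactically broken /etc/sudoers locks every non-root user out of sudo.
cp /etc/sudoers /etc/sudoers.bak
sed -i 's/^# %wheel ALL=(ALL) ALL/%wheel ALL=(ALL) ALL/' /etc/sudoers
visudo -cf /etc/sudoers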

Auf dem lokalen Computer

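# Generate a key pair dedicated to this host (ssh-keygen asks for a passphrase
# interactively).
ssh-keygen -b 8192 -t rsa -f ~/.ssh/id_vps_rsa
# Install the public key on the server. Password authentication is forced here
# because the key is not on the server yet. A relative path given to -i is
# resolved from the current directory, not from ~/.ssh, so pass the full path
# of the key generated above.
ssh-copy-id -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no -i ~/.ssh/id_vps_rsa.pub webserver@example.net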

Auf dem Server

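# Disable direct root logins over ssh; from now on log in as 'webserver' and
# use sudo. Keep a backup of the original configuration.
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sed -i 's/^#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
# Only reload when the edited file parses, so a typo cannot lock you out of
# the host, and show the effective value to confirm the sed pattern matched.
sshd -t && systemctl reload sshd
sshd -T | grep -i '^permitrootlogin'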

Tools einrichten

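# EPEL first: on CentOS 7 rkhunter and p7zip come from EPEL, not from the base
# repositories, so installing them before epel-release fails.
yum -y install epel-release

yum -y install nmap
nmap localhost

yum -y install rkhunter
rkhunter --check

yum -y install wget curl p7zip

# (the original listing read "installtelnet", which yum rejects)
yum -y install telnet
telnet google.com 80

# Import the ELRepo signing key first and fetch the release package over HTTPS
# (the original used plain HTTP), so a tampered download fails rpm's signature
# check instead of becoming a trusted repository.
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh https://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm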

Netzwerk einrichten

  • Man kann FirewallD verwenden:
yum -y install firewalld

# Retire the legacy iptables service so the two do not fight over the ruleset.
systemctl status iptables
systemctl stop iptables
systemctl mask iptables

systemctl start firewalld
systemctl enable firewalld
systemctl status firewalld

# Permanently allow exactly the three services this host exposes, show the
# resulting permanent configuration, then activate it.
for service in ssh http https; do
  firewall-cmd --permanent --add-service="$service"
done
firewall-cmd --permanent --list-all
firewall-cmd --reload
  • Oder iptables nur mit ssh (22), http (80) und https (443):
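# On CentOS 7 the iptables.service unit and /etc/sysconfig/iptables are shipped
# by iptables-services; the bare iptables package only provides the CLI tool.
yum -y install iptables-services
systemctl unmask iptables
systemctl start iptables
systemctl enable iptables

# List the interfaces so the rules below can be checked against them.
ip link show

## Or use system-config-firewall:
# yum -y install system-config-firewall
# system-config-firewall

# Ruleset in iptables-restore format. The delimiter is quoted so nothing inside
# is expanded by the shell. (The original used a single '<', which redirects
# stdin from a file named __EOF__ and then runs the rules as shell commands.)
cat > /etc/sysconfig/iptables <<'__EOF__'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type redirect -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Blanket ACCEPT on venet+ is disabled: on this host venet0 carries the public
# address (see "ip addr show venet0" further down), so the rule would admit
# every inbound port and make the 22/80/443 whitelist below meaningless.
# -A INPUT -i venet+ -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -p icmp -m icmp --icmp-type echo-reply -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -p icmp -m icmp --icmp-type redirect -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i venet+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
__EOF__

# Parse the ruleset without committing it before activating, so a typo cannot
# leave the host without a filter.
iptables-restore --test < /etc/sysconfig/iptables
systemctl restart iptables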

Apache einrichten

Apache installieren

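yum clean all
yum -y update
# httpd plus mod_ssl for TLS; nano is only an editor convenience.
yum -y install httpd httpd-tools mod_ssl apr apr-util openssl nano
# rpm -qil openssl
# rpm -qil mod_ssl

systemctl start httpd
systemctl enable httpd
systemctl status httpd

# Create the site's document root first, then hand the whole tree to the
# unprivileged publishing user. (The original chowned the parent before the
# mkdir, which left the new example.net directory owned by root.)
mkdir -p /var/www/html/example.net
chown -R webserver /var/www/html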
  • Zum Abschalten des Webservers:
    • systemctl stop httpd
    • systemctl disable httpd
  • Netzwerk-Geräte anzeigen lassen:
    • ip link show
  • Eigene IP-Adressen anzeigen lassen:
    • ip addr show venet0 | grep inet | awk '{ print $2; }' | sed 's/\/.*$//'

Apache konfigurieren

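# Point the default DocumentRoot in /etc/httpd/conf/httpd.conf at the site
# directory created above. (The original listing had the bare path as its
# first line, which the shell would try to execute.) Keep a backup, and use
# '|' as the sed delimiter so the slashes in the paths need no escaping.
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
sed -i 's|^DocumentRoot "/var/www/html"|DocumentRoot "/var/www/html/example.net"|' /etc/httpd/conf/httpd.conf
# Only reload when the edited configuration parses.
apachectl configtest && systemctl reload httpd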

Test-Webseite erstellen

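# Placeholder page. It has to live in the DocumentRoot configured above
# (/var/www/html/example.net); the original wrote it to /var/www/html, where
# it is never served. The delimiter is quoted so the shell leaves the HTML
# untouched.
cat > /var/www/html/example.net/index.html <<'__EOF__'
<!DOCTYPE html>
<html lang="en">

   <head>
      <meta charset="utf-8">
      <title>frank.zisko.io</title>
   </head>

   <body>
	<h1>Sorry,</h1>
	<h2>here is no web service.</h2>
    <p>See you later.</p>
   </body>

</html>
__EOF__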

HTTPS konfigurieren

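# Debian-style per-site layout under ServerRoot (/etc/httpd). -p makes the
# listing safe to run twice.
mkdir -p /etc/httpd/sites-available
mkdir -p /etc/httpd/sites-enabled

# Pull in every enabled site. Guarded so re-running does not append the
# directive a second time.
grep -q '^IncludeOptional sites-enabled/\*\.conf' /etc/httpd/conf/httpd.conf \
  || printf '%s\n' 'IncludeOptional sites-enabled/*.conf' >> /etc/httpd/conf/httpd.conf

# httpd refuses to start when the ErrorLog directory does not exist, and
# CentOS keeps Apache logs under /var/log/httpd (the original pointed at a
# non-existent /var/log/apache).
mkdir -p /var/log/httpd/example.net

# NOTE: this is still a plain-HTTP (port 80) vhost. Nothing here enables TLS
# yet; the port 443 vhost with the certificate comes with the LetsEncrypt step.
cat > /etc/httpd/sites-available/example.net.conf <<'__EOF__'
<VirtualHost *:80>
    ServerName example.net
    ServerAlias www.example.net
    DocumentRoot /var/www/html/example.net
    ErrorLog /var/log/httpd/example.net/error.log
</VirtualHost>
__EOF__

# Enable (-f replaces a stale link on re-run).
ln -sf /etc/httpd/sites-available/example.net.conf /etc/httpd/sites-enabled/example.net.conf

# Check the syntax before reloading so a typo cannot take the server down.
apachectl configtest && systemctl reload httpd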
  • https://de.wikipedia.org/wiki/Apache_HTTP_Server
  • https://de.wikipedia.org/wiki/GnuTLS
  • https://de.wikipedia.org/wiki/OpenSSL
  • https://www.digitalocean.com/community/tutorials/initial-server-setup-with-centos-7
  • https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7
  • https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7
  • http://dokuwiki.nausch.org/doku.php/centos:web_c7:apache_2