一、拓撲圖
二、架構說明
1)WordPress和phpMyAdmin簡介
WordPress是用於搭建個人博客站點的,是一個開源的PHP程序,如果你懂PHP開發你可以在此基礎上進行二次開發打造屬於自己的有個性的個人博客站點;
phpMyAdmin也是一個開源的PHP程序,用於管理MySQL數據庫,可以對MySQL數據庫進行圖形化的操作,輕鬆的管理MySQL數據庫。
2)訪問方式
客戶端通過訪問Web服務器上的網站,首先由DNS服務器解析網站的IP,客戶端通過解析的IP地址找到服務器,由服務器分別提供不同的網站地址,服務器通過rpm包格式安裝配置lamp架構,提供兩個虛擬主仙,一個用於wordpress,一個用於phpMyAdmin,其中wordpress用於http://www.blog.com地址訪問,phpMyAdmin提供的網站爲https://www.phpadmin.com
Web服務器向CA服務器申請證書,以構建HTTPS通信,客戶端把CA服務器的證書導出到瀏覽器受信任的根證書頒發機構中,以加密方式能Web服務器提供的HTTPS進行通信。
在訪問www.phpadmin時將自動跳轉到https://www.phpadmin.com,不用輸入https,就能訪問https://www.phpadmin.com站點,輕鬆的管理Mysql數據庫了。
三、架構規劃
1)主機規劃
主機 | IP地址 | 提供服務 |
客戶端 | 172.16.9.6 | - |
DNS | 192.168.0.92 | DNS域名解析 |
Web服務器 | 172.16.190.25 | http://www.blog.com https://www.phpmyadmin.com |
CA | 192.168.0.197 | 給Web服務器發證書 |
2)程序版本
bind-9.8.2-0.30.rc1.el6.x86_64
mariadb-5.5.43-linux-x86_64.tar.gz
httpd-2.2.15-39.el6.centos.x86_64
php-5.3.3-38.el6.x86_64
四、DNS配置
1)安裝bind程序包
yum install bind -y
2)修改/etc/named.conf配置文件中Options中的內容,其它的不變
options { directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file"/var/named/data/named_stats.txt"; allow-query { any; }; recursionyes; forwardfirst; forwarders{ 172.16.0.1; }; dnssec-enableno; dnssec-validationno; };
3)配置區域文件/etc/named.rfc1912.zones添加以下行
#用於指www.blog.com的解析庫文件 zone "blog.com" IN { typemaster; file"blog.com.zone"; allow-update{ none; }; }; #用於指www.phpadmin.com的解析庫文件 zone "phpadmin.com" IN { typemaster; file"phpadmin.com.zone"; allow-update{ none; }; };
4)創建區域解析庫文件/var/named
[root@DSN named]# cat blog.com.zone $TTL 86400 @ IN SOA ns1.blog.com. admin.blog.com. ( 2015050101 3D 7H 4D 1D) IN NS ns1 ns1 IN A 192.168.0.92 www IN A 172.16.190.25 [root@DNS named]# cat phpadmin.com.zone $TTL 86400 @ IN SOA ns1.phpadmin.com. admin.phpadmin.com. ( 2015050101 3D 7H 4D 1D) IN NS ns1 ns1 IN A 192.168.0.92 www IN A 172.16.190.25
5)啓動bind服務
service named start
五、CA服務器配置
1)創建輔助文件
[root@CA CA]# touch index.txt [root@CA CA]# echo 01 > serial
2)創建CA私鑰
[root@CA CA]# (umask 077;openssl genrsa-out private/cakey.pem 2048) Generating RSA private key, 2048 bit longmodulus ......................+++ ..................................................................................+++ e is 65537 (0x10001) [root@CA CA]# ll private/cakey.pem -rw------- 1 root root 1679 May 1 20:53 private/cakey.pem
3)創建CA根證書
[root@CA CA]# openssl req -new -x509 -keyprivate/cakey.pem -out cacert.pem -days3360 You are about to be asked to enterinformation that will be incorporated into your certificate request. What you are about to enter is what iscalled a Distinguished Name or a DN. There are quite a few fields but you canleave some blank For some fields there will be a defaultvalue, If you enter '.', the field will be leftblank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:BJ Locality Name (eg, city) [Default City]:BJ Organization Name (eg, company) [DefaultCompany Ltd]:WuDay Organizational Unit Name (eg, section)[]:Ops Common Name (eg, your name or your server'shostname) []:ca.com Email Address []:[email protected] [root@CA CA]# ll cacert.pem -rw-r--r-- 1 root root 1350 May 1 20:57 cacert.pem
六、Web服務器lamp程序包安裝
1)安裝開發組件包
yum groupinstall "Developmenttools" "Server Platform Development" -y
2)安裝httpd程序包
yum install httpd -y
3)安裝mysql程序包
yum install mysql -y yum install mysql-server -y yum install php-mysql -y
4)安裝php程序包
yum install php -y yum install php-mbstring -y yum install php-mcrypt -y
5)安裝ssl模塊
yum install mod_ssl -y
七、Web服務器httpd配置
1)創建用於存放站點程序的目錄
mkdir /web/{wordpress,phpadmin} -p
2)修改/etc/httpd/conf/httpd.conf
#DocumentRoot "/var/www/html" #註釋DocumentRoot DirectoryIndex index.php index.html index.html.var #添加index.php爲Web的首頁 NameVirtualHost *:80 #開啓虛擬主機 <VirtualHost *:80> ServerAdmin [email protected] DocumentRoot /web/wordpress #站點www.blog.com的程序存放路徑 ServerName www.blog.com #域名 ErrorLog logs/error-blog.com #錯誤日誌 CustomLog logs/access-blog.com.log combined #訪問日誌 <Directory "/web/wordpress"> #定義站點訪問屬性 Options None AllowOverride None Order allow,deny Allow from all </Directory> </VirtualHost> <VirtualHost *:80> ServerAdmin [email protected] DocumentRoot /web/phpadmin ServerName www.phpadmin.com ErrorLog logs/error-phpadmin.com CustomLoglogs/access-phpadmin.com.log combined RedirectMatch^/$ https://www.phpadmin.com #重定向站點到https://www.phpadmin.com <Directory "/web/phpadmin"> Options None AllowOverride None Order allow,deny Allow from all </Directory> </VirtualHost>
八、Web服務器SSL配置
1)創建證書和私鑰存放目錄
mkkdir /etc/httpd/ssl
cd /etc/httpd/ssl
2)創建私鑰
[root@Web-Server ssl]# (umask 077;opensslgenrsa -out httpd.key 2048) Generating RSA private key, 2048 bit longmodulus .+++ ..........................................+++ e is 65537 (0x10001)
3)創建證書申請
[root@Web-Server ssl]# openssl req -new-key httpd.key -out httpd.csr -days 3360 You are about to be asked to enterinformation that will be incorporated into your certificate request. What you are about to enter is what iscalled a Distinguished Name or a DN. There are quite a few fields but you canleave some blank For some fields there will be a defaultvalue, If you enter '.', the field will be leftblank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:BJ Locality Name (eg, city) [Default City]:BJ Organization Name (eg, company) [DefaultCompany Ltd]:WuDay Organizational Unit Name (eg, section)[]:Ops Common Name (eg, your name or your server'shostname) []:www.phpadmin.com Email Address []:[email protected] Please enter the following 'extra'attributes to be sent with your certificate request A challenge password []: An optional company name []:
4)把證書申請發送給CA服務器
[root@Web-Server ssl]# scp [email protected]:/tmp The authenticity of host '192.168.0.197(192.168.0.197)' can't be established. RSA key fingerprint is2e:bb:a7:50:d4:26:f7:5d:82:46:ad:9f:97:31:4f:82. Are you sure you want to continueconnecting (yes/no)? yes Warning: Permanently added '192.168.0.197'(RSA) to the list of known hosts. [email protected]'s password: httpd.csr 100% 1041 1.0KB/s 00:00
4)CA服務器驗證證書申請並簽發
[root@CA CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt Using configuration from/etc/pki/tls/openssl.cnf Check that the request matches thesignature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: May 1 14:29:08 2015GMT Not After : Apr 30 14:29:08 2016 GMT Subject: countryName = CN stateOrProvinceName = BJ organizationName = WuDay organizationalUnitName = Ops commonName = www.phpadmin.com emailAddress [email protected] X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: D2:9E:1D:5E:9B:FF:9B:F9:21:62:9A:78:CE:57:63:04:14:56:63:0F X509v3 Authority Key Identifier: keyid:93:E3:5C:A2:2C:66:DE:BF:53:02:64:64:09:6D:95:D1:4F:92:BF:56 Certificate is to be certified until Apr 3014:29:08 2016 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified,commit? [y/n]y Write out database with 1 new entries Data Base Updated
5)從CA服務器拉回證書
[root@Web-Server ssl]# scp [email protected]:/tmp/httpd.crt./ [email protected]'s password: httpd.crt 100% 4547 4.4KB/s 00:00 [root@Web-Server ssl]# ll total 16 -rw-r--r-- 1 root root 4547 May 1 22:23 httpd.crt -rw-r--r-- 1 root root 1041 May 1 22:18 httpd.csr -rw------- 1 root root 1675 May 1 22:16 httpd.key
6)修改/etc/httpd/conf.d/ssl.conf配置文件
<VirtualHost 172.16.190.25:443> #443端口監聽在172.16.190.25 DocumentRoot "/web/phpadmin" ServerName www.phpadmin.com:443 SSLCertificateFile /etc/httpd/ssl/httpd.crt #指定站點證書存放位置 SSLCertificateKeyFile/etc/httpd/ssl/httpd.key #指定私鑰文件存放位置
九、啓動httpd和mysqld服務
service httpd start
service mysqld start
十、安裝wordpass和phpMyAdmin程序
1)下載wordpass和phpMyAdmin程序包
2)解壓文件wordpass和phpMyAdmin程序包
[root@Web-Server ~]# unzipwordpress-3.3.1-zh_CN.zip [root@Web-Server ~]# cd wordpress [root@Web-Server wordpress]# cp -aR ./*/web/wordpress/ [root@Web-Server ~]# tar xfphpMyAdmin-3.5.1-all-languages.tar.bz2 [root@Web-Server ~]# cd phpMyAdmin-3.5.1-all-languages [[email protected]]# cp -aR ./* /web/phpadmin/
十一、創建wordpass數據庫和用戶和用於登錄很管理數據庫phpMyAdmin的root密碼
[root@Web-Server wordpress]# mysql mysql> CREATE DATABASE wordpress; #創建數據庫wordpress Query OK, 1 row affected (0.00 sec) mysql> GRANT ALL ON wordpress.* TO'wpuser'@'localhost' IDENTIFIED BY 'wordpass'; #創建用戶wpuser設置密碼爲wordpress並授權管理wordpress庫中所有表 Query OK, 0 rows affected (0.00 sec) mysql> SET PASSWORD FOR'root'@'localhost'=PASSWORD('mysql'); #修改root用戶的密碼爲mysql Query OK, 0 rows affected (0.00 sec) mysql> SET PASSWORD FOR'root'@'127.0.0.1'=PASSWORD('mysql'); Query OK, 0 rows affected (0.00 sec) mysql> FLUSH PRIVILEGES; #刷新數據庫,讓內存中的數據存回磁盤中 Query OK, 0 rows affected (0.00 sec)
十二、配置wordpass程序的wp-config.php
/** WordPress 數據庫的名稱 */ define('DB_NAME', 'wordpress'); /** MySQL 數據庫用戶名 */ define('DB_USER', 'wpuser'); /** MySQL 數據庫密碼 */ define('DB_PASSWORD', 'wordpass');
十三、客戶端IP設置
十四、客戶端安裝根證書
通過CA服務器把自己的證書共享出來,客戶端安裝CA證書,用於驗證www.phpadmin.com和加密通信。通過Xshell自帶的lftp功能把證書下載到本地的操作系統上,並把cacert.pem的擴展名改爲.crt,然後進行安裝證書。
1)在沒有安裝根證書之前的訪問
2)點擊“繼續瀏覽此網站(不推薦)”,雖然可以繼續訪問,但瀏覽器會提示不受信任的證書,因爲我們是私建的證書,所以要把根證書導入到瀏覽器中,這個過程就是你訪問www.12306.cn一樣,你懂的噻!
3)安裝根證書
安裝完之後重啓瀏覽器就能以https加密通信訪問www.phpadmin.com站點了。
十五、訪問www.blog.com
第一次訪問www.blog.com需要進行安裝,輸入站點標明,用戶名,密碼及電子郵件後,點擊安裝“安裝WordPress”,安裝後訪問就是以上效果,你可以進行登錄,登錄的用戶名和密碼就是安裝wordpress輸入的用戶名和密碼,登錄就可以進行發表屬於自己的個人博客站點。
十六、訪問www.phpadmin.com
在訪問www.phpadmin時不用輸入https://www.phpadmin.com,直接輸入www.phpadmin.com,Web服務器會自動的跳轉至https://www.phpadmin.com,就能訪問https://www.phpadmin.com站點,輕鬆的管理Mysql數據庫了。
這個過程就像訪問百度一下,百度會自動的跳轉至https://www.baidu.com。
登錄後輕鬆的管理MySQL數據庫;