Embed Size (px)
Citation preview
WRITE BY MUHAMMAD ZEESHAN BHATTI SYSTEM ADMINISTRATOR (DTAP) Advance Research Project & Technology PVT Ltd. Email: - [email protected]
APACHE+OPENSSL+CERTIFICATE+PHP+MYSQL+HTACCESS WEB DIRECTORY+SQUID WITHOUT SSL AND SSL SETUP
vi /etc/sysconfig/network NETWORKING=yes HOSTNAME=reverseproxy.node01 :wq! vi /etc/hosts ### LOCAL SERVER NAME RESOULTION### 127.0.0.1 localhost.localdomain localhost 192.168.254.154 reverseproxy.node01 reverseproxy ### DOMAINS SETTING ### 192.168.254.154 www.homedomain.com 192.168.254.154 www.sindh.com 192.168.254.154 www.islam.edu 192.168.254.154 www.abc.com 192.168.254.154 www.zeeshan.com 192.168.254.154 www.rhce.com :wq! yum install httpd php mysql mysql-server mod_ssl mod_auth_mysql mysql-devel php-devel php php-common php-gd php-mcrypt php-mhash php-xml php-xmlrpc php-
domxml php-gd php-mbstring php-mysql php-ncurses php-pear
yum install openssl openssl-devel mod_python python python-devel yum -y groupinstall "Development Tools" yum install wget mlocate links mkdir download cd download/ wget http://www.squid-cache.org/Versions/v3/3.3/squid-3.3.5.tar.gz service httpd start && chkconfig --level 35 httpd on service mysqld start && chkconfig --level 35 mysqld on /usr/bin/mysql_secure_installation Set root password? [Y/n] y New password: redhat Re-enter new password: redhat Password updated successfully! Remove anonymous users? [Y/n] y Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y Reload privilege tables now? [Y/n] y Verify HTTPD MYSQL IS RUNNING. netstat -antp service iptables stop chkconfig --level 35 iptables off We should Create Document Roots. cd /var/www/ mkdir site1 site2 site3 site4 site5 site6 We should make index page for site1. vi site1/index.html <html> <body> <center>SITE1.HOMEDOMAIN.COM -of- 192.168.254.152 Default Apache Server</center> </body> </html> :wq! We should make index page for site2. vi site2/index.html html> <body> <center>SITE2.SINDH.COM -of- 192.168.254.152 Default Apache Server</center> </body> </html> :wq! We should make index page for site3. vi site3/index.html <html> <body> <center>SITE3.ISLAM.EDU -of- 192.168.254.152 Default Apache Server</center> </body> </html> :wq! We should make index page for site4. vi site4/index.html <html> <body> <center>SITE4.ABC.COM WEL COME ABC DOMAIN IS WORKING THIS IS MY FIRST PAGE</center> </body> </html> :wq!
We should make index page for site5. vi site5/index.html <html> <body> <center>SITE5.ZEESHAN.COM IS WORKING THIS IS MY PERSONAL WEB SITE PLEASE DONT TRYING TO HACK</center> Regards, Powerd By Zeehshan Bhatti SYSTEM ADMINISTRATOR Arpatech PVT LTD. </body> </html> :wq! We should make index page for site6. vi site6/index.html html> <body> <center>WEL COME RED HAT CERTIFIED ENGINEER SITE IS COMING SOON!!!</center> <center><b>Regards, Powerd By Zeehshan Bhatti SYSTEM ADMINISTRATOR Arpatech PVT LTD. </b></center> </body> </html> :wq! Verify PHP is running we create one test PHP Default Page. vi /var/www/html/test.php <?php phpinfo(); :wq! Open Browser & Type <192.168.254.154/test.php Nice PHP & MYSQL is Running Fine Now we Configure Apache vi /etc/httpd/conf/httpd.conf Listen 81 #on line 136 we change by default Apache Port. ServerTokens Prod #on line 44 we change by default OS. ServerSignature Off #on line 44 we change by default On. :wq! /etc/init.d/httpd restart
Now we Configure Apache Virtual Host vi /etc/httpd/conf.d/vhost80.conf ####VIRTUAL HOSTS##### NameVirtualHost 192.168.254.154:80 <VirtualHost 192.168.254.154:80> DocumentRoot /var/www/site1 ServerName www.homedomain.com ErrorLog logs/homedomain.com-error_log CustomLog logs/homedomain.com-access_log common SSLEngine off </VirtualHost> <VirtualHost 192.168.254.154:80> DocumentRoot /var/www/site2 ServerName www.sindh.com ErrorLog logs/sindh.com-error_log CustomLog logs/sindh.com-access_log common SSLEngine off </VirtualHost> <VirtualHost 192.168.254.154:80> DocumentRoot /var/www/site3 ServerName www.islam.edu ErrorLog logs/islam.edu-error_log CustomLog logs/islam.edu-access_log common SSLEngine off </VirtualHost> [root@localhost www]# tail -f /var/log/httpd/homedomain.com-access_log 192.168.254.1 - - [07/Jun/2013:01:01:58 +0500] "GET /favicon.ico HTTP/1.1" 404 209 192.168.254.1 - - [07/Jun/2013:01:01:58 +0500] "GET /favicon.ico HTTP/1.1" 404 209 root@localhost www]# tail -f /var/log/httpd/sindh.com-access_log 192.168.254.1 - - [07/Jun/2013:01:04:12 +0500] "GET /favicon.ico HTTP/1.1" 404 209 192.168.254.1 - - [07/Jun/2013:01:04:13 +0500] "GET /favicon.ico HTTP/1.1" 404 209 [root@localhost www]# tail -f /var/log/httpd/islam.edu-access_log 192.168.254.1 - - [07/Jun/2013:01:04:26 +0500] "GET /favicon.ico HTTP/1.1" 404 209 192.168.254.1 - - [07/Jun/2013:01:04:27 +0500] "GET /favicon.ico HTTP/1.1" 404 209 That’s Great our all 3 There Sites Logs is Showing Sites are up and Running fine We should configure SSL.conf for SSL VHOST Sites. cd /etc/httpd/conf.d/ vi ssl.conf Listen 220 #Please Change By default Port 443 into 220 for Reverse Proxy Setting #<VirtualHost _default_:443> #Please you just comment the directive
#please Insert in the end of File Virtual Host as per you domains ###SSL CERTIFICATE BASED WEB SITES ### ###WWW.ABC.COM### NameVirtualHost 192.168.254.154:220 <VirtualHost 192.168.254.154:220> DocumentRoot /var/www/site4 ServerName www.abc.com ErrorLog logs/abc.com-ssl_error_log TransferLog logs/abc.com-ssl_access_log SSLEngine on SSLCertificateFile /etc/pki/tls/certs/abc.com.crt SSLCertificateKeyFile /etc/pki/tls/certs/abc.com.key </VirtualHost> ####WWW.ZEESHAN.COM VHOST### <VirtualHost 192.168.254.154:220> DocumentRoot /var/www/site5 ServerName www.zeeshan.com ErrorLog logs/zeeshan.com_ssl-error_log CustomLog logs/zeeshan.com_ssl-access_log common SSLEngine on SSLCertificateFile /etc/pki/tls/certs/zeeshan.com.crt SSLCertificateKeyFile /etc/pki/tls/certs/zeeshan.com.key </VirtualHost> ####WWW.RHCE.COM VHOST### <VirtualHost 192.168.254.154:220> DocumentRoot /var/www/site6 ServerName www.rhce.com ErrorLog logs/rhce.com-error_log CustomLog logs/rhce.com-access_log common SSLEngine on SSLCertificateFile /etc/pki/tls/certs/rhce.com.crt SSLCertificateKeyFile /etc/pki/tls/certs/rhce.com.key :wq! Now we generate certificates. cd /etc/pki/tls/certs/ make abc.com.key umask 77 ; \ /usr/bin/openssl genrsa -aes128 2048 > abc.com.key Generating RSA private key, 2048 bit long modulus .+++ .+++ e is 65537 (0x10001) Enter pass phrase:redhat #Please give password Verifying - Enter pass phrase:redhat #Please again provide same password
openssl rsa -in abc.com.key -out abc.com.key Enter pass phrase for abc.com.key:redhat #Please again provide same password writing RSA key make abc.com.csr umask 77 ; \ /usr/bin/openssl req -utf8 -new -key abc.com.key -out abc.com.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:PK State or Province Name (full name) []:SINDH Locality Name (eg, city) [Default City]:KARACHI Organization Name (eg, company) [Default Company Ltd]:ABC PVT LTD. Organizational Unit Name (eg, section) []:IT DEPARTMENT Common Name (eg, your name or your server's hostname) []:www.abc.com Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:redhat An optional company name []: Please Verify Now Your Generated Certificate openssl x509 -in abc.com.csr -out abc.com.crt -req -signkey abc.com.key -days 3650 Signature ok subject=/C=PK/ST=SINDH/L=KARACHI/O=ABC PVT LTD./OU=IT DEPARTMENT/CN=www.abc.com/emailAddress=\x09\[email protected] Getting Private key chmod 400 abc.com.* Now we generate zeeshan.com certificate make zeeshan.com.key umask 77 ; \ /usr/bin/openssl genrsa -aes128 2048 > zeeshan.com.key Generating RSA private key, 2048 bit long modulus ...+++ .....................+++ e is 65537 (0x10001) Enter pass phrase:redhat # Please set password Verifying - Enter pass phrase:redhat #Same Password again.
openssl rsa -in zeeshan.com.key -out zeeshan.com.key Enter pass phrase for zeeshan.com.key:redhat writing RSA key make zeeshan.com.csr umask 77 ; \ /usr/bin/openssl req -utf8 -new -key zeeshan.com.key -out zeeshan.com.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:PK State or Province Name (full name) []:SINDH Locality Name (eg, city) [Default City]:KARACHI Organization Name (eg, company) [Default Company Ltd]:ZEESHAN PVT LTD. Organizational Unit Name (eg, section) []:IP OPERATIONS Common Name (eg, your name or your server's hostname) []:www.zeeshan.com Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:REDHAT openssl x509 -in zeeshan.com.csr -out zeeshan.com.crt -req -signkey zeeshan.com.key - days 3650 Signature ok subject=/C=PK/ST=SINDH/L=KARACHI/O=ZEESHAN PVT LTD./OU=IP OPERATIONS/CN=www.zeeshan.com/[email protected] Getting Private key chmod 400 zeeshan.com.* Now we generate rhce.com certificate make rhce.com.key umask 77 ; \ /usr/bin/openssl genrsa -aes128 2048 > rhce.com.key Generating RSA private key, 2048 bit long modulus ....+++ ......+++ e is 65537 (0x10001) Enter pass phrase:redhat # Please set password Verifying - Enter pass phrase:redhat #Same Password again.
openssl rsa -in rhce.com.key -out rhce.com.key Enter pass phrase for rhce.com.key:redhat writing RSA key make rhce.com.csr umask 77 ; \ /usr/bin/openssl req -utf8 -new -key rhce.com.key -out rhce.com.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:PK State or Province Name (full name) []:SINDH Locality Name (eg, city) [Default City]:KARACHI Organization Name (eg, company) [Default Company Ltd]:RHCE PVT LTD PROMETRIC CENTER. Organizational Unit Name (eg, section) []:IT DEPARTMENT Common Name (eg, your name or your server's hostname) []:www.rhce.com Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:redhat An optional company name []: openssl x509 -in rhce.com.csr -out rhce.com.crt -req -signkey rhce.com.key -days 3650 Signature ok subject=/C=PK/ST=SINDH/L=KARACHI/O=RHCE PVT LTD PROMETRIC CENTER./OU=IT DEPARTMENT/CN=www.rhce.com/[email protected] Getting Private key chmod 400 rhce.com.* Great All Certificates Successfully we generated! Finally we can restart Apache web Service /etc/init.d/httpd restart Stopping httpd: [ OK ] Starting httpd: [ OK ] Open Web Browser and type https://www.abc.com tail -f /var/log/httpd/abc.com-ssl_access_log 192.168.254.1 - - [07/Jun/2013:18:24:40 +0500] "GET / HTTP/1.1" 200 114 192.168.254.1 - - [07/Jun/2013:18:24:41 +0500] "GET /favicon.ico HTTP/1.1" 404 209 Great www.abc.com is Running Fine and logs is showing
Open Web Browser and type https://www.zeeshan.com tail -f /var/log/httpd/zeeshan.com_ssl-access_log 192.168.254.1 - - [07/Jun/2013:18:24:50 +0500] "GET / HTTP/1.1" 200 211 192.168.254.1 - - [07/Jun/2013:18:24:52 +0500] "GET /favicon.ico HTTP/1.1" 404 209 Great www.zeeshan.com is Running Fine and logs is showing Open Web Browser and type https://www.rhce.com/
tail -f /var/log/httpd/rhce.com_ssl-access_log 192.168.254.1 - - [07/Jun/2013:18:31:54 +0500] "GET / HTTP/1.1" 200 209 192.168.254.1 - - [07/Jun/2013:18:31:55 +0500] "GET /favicon.ico HTTP/1.1" 404 209 Great www.rhce.com is Running Fine and logs is showing We configure .htaccss based Password Protected Web Directory in Apache. cd /var/www/site2/ mkdir lock htpasswd –c .htpasswd redhat Adding password for username. New password:bhatti password Re-type new password:bhatti vi /etc/httpd/conf/httpd.conf #Insert these lines in the end of file. <Directory /var/www/site2/lock> Options Indexes Includes FollowSymLinks MultiViews AllowOverride AuthConfig Order allow,deny Allow from all </Directory> :wq! Now we Start Squid Source package Installation. cd root/download/ tar -xzvf squid-3.3.5.tar.gz mv squid-3.3.5.tar.gz /tmp/ cd squid-3.3.5/ mkdir /opt/squid ./configure --prefix=/opt/squid --enable-shared=yes --enable-static=no --enable-carp --enable-
storeio=aufs,ufs --enable-removal-policies=heap,lru --disable-icmp --disable-delay-pools --disable-
esi --enable-icap-client --enable-useragent-log --enable-referer-log --disable-wccp --enable-wccpv2
--disable-kill-parent-hack --enable-snmp --enable-cachemgr-hostname=localhost --enable-arp-acl --
disable-htcp --disable-forw-via-db --enable-follow-x-forwarded-for --enable-cache-digests --disable-
poll --enable-epoll --enable-linux-netfilter --disable-ident-lookups --enable-default-
hostsfile=/etc/hosts --with-default-user=squid --with-large-files --enable-mit=/usr --with-
logdir=/var/log/squid --enable-http-violations --enable-zph-qos --with-filedescriptors=65536 --
enable-gnuregex --enable-async-io=64 --with-aufs-threads=64 --with-pthreads --with-aio --enable-
default-err-languages=English --enable-err-languages=English --disable-hostname-checks --enable-
underscores --enable-ssl ; make; make install && echo "SQUID SUCCESS" || echo "SQUID FAILED"
Great Compilation Not getting any Error it should successfully Done.
cd /opt/squid/etc/ vi squid.conf http_port 3128 #Please Insert these lines bellow in this Directive. http_port 80 accel defaultsite=www.homedomain.com vhost http_port 80 accel defaultsite=www.sindh.com vhost http_port 80 accel defaultsite=www.islam.edu vhost https_port 443 accel cert=/etc/pki/tls/certs/abc.com.crt key=/etc/pki/tls/certs/abc.com.key defaultsite=www.abc.com vhost https_port 443 accel cert=/etc/pki/tls/certs/zeeshan.com.crt key=/etc/pki/tls/certs/zeeshan.com.key defaultsite=www.zeeshan.com vhost https_port 443 accel cert=/etc/pki/tls/certs/rhce.com.crt key=/etc/pki/tls/certs/rhce.com.key defaultsite=www.rhce.com vhost # Uncomment and adjust the following to add a disk cache directory. cache_dir ufs /opt/squid/var/cache/squid 100 16 256 # Leave coredumps in the first cache dir coredump_dir /opt/squid/var/cache/squid #Please Insert these lines in the end of File. ####################################################################### ######SQUID SERVER AS REVERS PROXY FOR APACHE WEB SERVER FOR PORT 81### ####################################################################### cache_peer 192.168.254.154 parent 81 0 no-query originserver login=PASS name=saturn ##################################################################### ###SQUID SERVER AS REVERS PROXY FOR APACHE WEB SERVER FOR PORT 220### ##################################################################### cache_peer 192.168.254.154 parent 220 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=zeeshan #################################################### ### ACL's FOR APACHE WEB SERVER VHSOT FOR PORT 81### #################################################### acl saturn_users dstdomain www.homedomain.com acl saturn_users dstdomain www.sindh.com acl saturn_users dstdomain www.islam.edu ##################################################### ### ACL's FOR APACHE WEB SERVER VHSOT FOR PORT 220### ##################################################### acl zee dstdomain www.abc.com acl zee dstdomain www.zeeshan.com acl zee dstdomain www.rhce.com
################################# ### HTTP ACCESS ALLOW FOR ACLS### ################################# http_access allow saturn_users http_access allow zee ############################# ###CACHE PEER ALLOW RULES#### ############################# cache_peer_access saturn allow saturn_users cache_peer_access zeeshan allow zee ########################### ###CACHE PEER DENY RULES### ########################### cache_peer_access saturn deny all cache_peer_access zeeshan deny all visible_hostname reverseproxy.node01 :wq! chown squid:squid var/ -R ./sbin/squid –z ./sbin/squid – ps aux | grep squid root 1692 0.0 0.7 15264 3936 ? Ss 22:12 0:00 ./squid squid 1694 3.4 3.3 45344 17352 ? S 22:12 0:00 (squid-1) squid 1695 0.0 0.1 3632 976 ? S 22:12 0:00 (logfile-daemon) /var/log/squid/access.log squid 1696 0.0 0.1 3480 888 ? S 22:12 0:00 (unlinkd) root 1698 0.0 0.1 4356 748 pts/0 S+ 22:12 0:00 grep squid Great Squid is Started & Log and Process is Showing Squid is running as Normal Condition. /sbin/service httpd restart Stopping httpd: [FAILED] OHHHHHHHHHHHHHHHH Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:220 (13)Permission denied: make_sock: could not bind to address 0.0.0.0:220 no listening sockets available, shutting down Unable to open logs Resolution of this Error vi /etc/selinux/config SELINUX=disabled :wq! setenforce 0
netstat -antp Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1304/mysqld tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1166/sshd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1407/master tcp 0 52 192.168.254.154:22 192.168.254.1:34160 ESTABLISHED 1477/sshd tcp 0 0 :::80 :::* LISTEN 1694/(squid-1) tcp 0 0 :::81 :::* LISTEN 1661/httpd tcp 0 0 :::22 :::* LISTEN 1166/sshd tcp 0 0 :::3128 :::* LISTEN 1694/(squid-1) tcp 0 0 :::443 :::* LISTEN 1694/(squid-1) tcp 0 0 :::220 :::* LISTEN 1661/httpd tail -f /var/log/squid/access.log 1370625428.239 135 192.168.254.1 TCP_MISS/304 289 GET http://www.homedomain.com/ - FIRSTUP_PARENT/192.168.254.154 - 1370625428.417 2 192.168.254.1 TCP_MISS/404 614 GET http://www.homedomain.com/favicon.ico - FIRSTUP_PARENT/192.168.254.154 text/html That’s Great www.homedomain.com is running Fine! tail -f /var/log/httpd/homedomain.com-access_log 192.168.254.154 - - [07/Jun/2013:22:17:08 +0500] "GET /squid-internal-periodic/store_digest HTTP/1.1" 404 315 192.168.254.154 - - [07/Jun/2013:22:17:08 +0500] "GET / HTTP/1.1" 304 - 192.168.254.154 - - [07/Jun/2013:22:17:08 +0500] "GET /favicon.ico HTTP/1.1" 404 293 That’s Great www.homedomain.com is running Fine! tail -f /var/log/squid/access.log 1370625559.985 98 192.168.254.1 TCP_MISS/200 522 GET https://www.abc.com/ - FIRSTUP_PARENT/192.168.254.154 text/html 1370625560.145 30 192.168.254.1 TCP_MISS/404 608 GET https://www.abc.com/favicon.ico - FIRSTUP_PARENT/192.168.254.154 text/html That’s Great https:\\www.abc.com is running Fine!
|THE END|
![Improving OpenSSL* performance white paperSSL/TLS [2] protocols, and is a commonly deployed library for SSL/TLS world-wide. The SSL/TLS protocols consist of two phases: an initial](https://img.pdfslide.us/doc/110x75/5f0f4b4c7e708231d4437278/improving-openssl-performance-white-paper-ssltls-2-protocols-and-is-a-commonly.jpg)
![Add-on Application License - Fuji Xerox › sync › files › product › ...2 • Paperless Fax Delivery Open SSL [Open SSL License] Copyright (c) 1998-2011 The OpenSSL Project](https://img.pdfslide.us/doc/110x75/5f0ce9437e708231d437bda5/add-on-application-license-fuji-xerox-a-sync-a-files-a-product-a-2.jpg)
