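How to Install and Secure Apache on Ubuntu 20.04

Date: 2019-05-19 01:26:38  Source: igfitidea

This tutorial installs the Apache web server on the Ubuntu 20.04 LTS (Focal Fossa) operating system.

We will also learn how to secure the domain with a Let's Encrypt SSL certificate. This tutorial also applies to Ubuntu 18.04, Ubuntu 16.04 and Ubuntu 19.10 Linux systems.

Environment

For this tutorial we use webhost.theitroad.com, which points to our server.

Step 1 - Install Apache

The Apache package is available in Ubuntu's default software repositories. We can install it easily with the conventional package management tools.

First, update the local package index to reflect the latest upstream changes. Then install the Apache2 web server.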

sudo apt update
sudo apt install apache2

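After confirmation, apt installs Apache and the other required dependencies on the system.

Step 2 - Test your web server

Once the installation completes, the Apache service starts automatically on the Ubuntu system. We can check the Apache service status by running the following command:

A status of "Active: active (running)" indicates that the Apache service started successfully.

Request a page from Apache in a web browser.
http://server_ip
We will see the default Apache landing page.

Step 3 - Create a virtual host

With virtual hosts, we can host multiple domains from a single server. A virtual host encapsulates the configuration of one domain. We will set up one named webhost.theitroad.com.

Let's start by creating the directory for the domain, as follows: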

sudo mkdir /var/www/webhost
sudo chmod -R 755 /var/www/webhost
sudo chown -R www-data:www-data /var/www/webhost

Next, create an index.html file in that directory:

sudo nano /var/www/webhost/index.html

Add the following sample content:

<html>
  <head>
      <title>欢迎访问</title>
  </head>
  <body>
      <h1>成功!!!</h1>
  </body>
</html>

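Save the file and close it.

On a freshly installed Apache server, the default virtual host configuration file is /etc/apache2/sites-available/000-default.conf. However, it is better to create a separate configuration file for each virtual host.
So we now create a new virtual host file, /etc/apache2/sites-available/webhost.theitroad.com.conf

sudo nano /etc/apache2/sites-available/webhost.theitroad.com.conf

Add the following configuration to the virtual host file.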

<VirtualHost *:80>
    # Placeholder address: replace with the site administrator's email
    ServerAdmin webmaster@example.com
    ServerName webhost.theitroad.com
    #ServerAlias www.webhost.theitroad.com
    DocumentRoot /var/www/webhost
    <Directory /var/www/webhost>
       Allowoverride all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

By default, virtual host configuration files for Apache live under the /etc/apache2/sites-available directory. Use the a2ensite tool to enable this virtual host:

sudo a2ensite webhost.theitroad.com.conf

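The command above creates a symbolic link to the webhost.theitroad.com.conf file in the sites-available directory.

When done, run the following command to validate the configuration files: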

sudo apache2ctl configtest

Restart the Apache service for the changes to take effect:

sudo systemctl restart apache2

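Visit http://webhost.theitroad.com in a browser to check that the configuration is correct.

Step 4 - Configure Let's Encrypt SSL

We use a Let's Encrypt SSL certificate to secure the website on the Apache web server. Certbot is the command-line utility for working with Let's Encrypt certificates. Run the following command to install the certbot binary:

sudo apt install python3-certbot-apache

This installs all the packages certbot requires.

Once the installation completes, run the command below to ask the Let's Encrypt certificate authority to issue a certificate for our domain (webhost.theitroad.com). Multiple domains or subdomains can be added with separate "-d" parameters.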

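sudo certbot -d webhost.theitroad.com

The wizard asks for an email address to send updates to. Then accept the terms of service to continue. The complete command log follows: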

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): Hyman@theitroad

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for webhost.theitroad.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/webhost.theitroad.com-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/webhost.theitroad.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/webhost.theitroad.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/webhost.theitroad.com.conf to ssl vhost in /etc/apache2/sites-available/webhost.theitroad.com-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://webhost.theitroad.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=webhost.theitroad.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/webhost.theitroad.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/webhost.theitroad.com/privkey.pem
   Your cert will expire on 2020-07-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

We have successfully configured the domain with an SSL certificate. We can now access the domain over the https protocol:

https://webhost.theitroad.com
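
The script below is an added example, not part of the original tutorial. It checks a vhost file for two settings touched in steps 3 and 4: AllowOverride set to All, and a port 80 vhost with no redirect to HTTPS. The function name audit_vhost, the finding labels and both sample files are constructed for illustration, and the redirect rule is an assumed form of what certbot's "2: Redirect" choice writes.

```sh
# Added example, not from the tutorial: flag two vhost settings per file.
# Checks are per file, not per <VirtualHost> block; one finding per line.
audit_vhost() (
    file=$1
    # AllowOverride All lets any .htaccess under the tree override server
    # settings. -i because Apache directive names are case-insensitive.
    if grep -Eiq '^[[:space:]]*AllowOverride[[:space:]]+All([[:space:]]|$)' "$file"; then
        echo "allowoverride-all"
    fi
    # A *:80 vhost with no redirect keeps serving the site over plain HTTP.
    if grep -Eiq '^[[:space:]]*<VirtualHost[[:space:]][^>]*:80>' "$file" &&
       ! grep -Eiq '^[[:space:]]*(RewriteRule|Redirect)[[:space:]].*https://' "$file"; then
        echo "http-no-https-redirect"
    fi
)

# Constructed sample: the step 3 vhost, trimmed to the relevant directives.
write_step3_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName webhost.theitroad.com
    <Directory /var/www/webhost>
       Allowoverride all
    </Directory>
</VirtualHost>
EOF
}

# Constructed sample: tightened vhost with a redirect rule of the kind the
# certbot "2: Redirect" choice adds (assumed form, not copied from the page).
write_hardened_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName webhost.theitroad.com
    <Directory /var/www/webhost>
       AllowOverride None
    </Directory>
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
EOF
}

tmp=$(mktemp -d)
write_step3_vhost "$tmp/before.conf"
write_hardened_vhost "$tmp/after.conf"
echo "before: $(audit_vhost "$tmp/before.conf" | tr '\n' ' ')"
echo "after:  $(audit_vhost "$tmp/after.conf" | tr '\n' ' ')"
rm -rf "$tmp"
```

On a real server, point audit_vhost at each file under /etc/apache2/sites-enabled; a clean file prints nothing.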

Step 5 - Adjust firewall rules

FirewallD lets us allow traffic by service name, such as "http" or "https". To open the HTTP and HTTPS ports in FirewallD, run the following commands:

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https

After adding the rules, reload the changes with the following command.

sudo firewall-cmd --reload

Step 6 - Manage the Apache service

Now that the Apache web server is up and running, let's go through the Apache service management commands.

How to stop the Apache web server

sudo systemctl stop apache2

How to start the Apache web server

sudo systemctl start apache2

How to restart the Apache web service

sudo systemctl restart apache2

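Use the reload option to apply configuration file changes without interrupting current connections, instead of stopping and then starting the running server. However, this does not read any new configuration files: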

sudo systemctl reload apache2

Disable the Apache service from starting automatically at system boot:

sudo systemctl disable apache2

Enable the Apache service to start automatically at system boot:

sudo systemctl enable apache2