1.\u9996\u5148\u8bbe\u7f6e\u6570\u636e\u6e90<\/h2>\n\n\n\ncurl -sS https:\/\/downloads.mariadb.com\/MariaDB\/mariadb_repo_setup | sudo bash<\/pre>\n\n\n\n2.\u66f4\u65b0\u7f13\u5b58<\/h2>\n\n\n\n
yum clean all
yum makecache
yum repolist<\/p>\n\n\n\n
3.\u663e\u793a\u53ef\u5b89\u88c5\u7684\u7248\u672c<\/h2>\n\n\n\n
#\u8fd9\u4e2a\u53ef\u4ee5\u770b\u7248\u672c\u53f7
yum search mariadb –showduplicates
\u6216
yum search mariadb<\/p>\n\n\n\n
4.\u5b89\u88c5<\/h2>\n\n\n\nsudo yum install MariaDB-server galera-4 MariaDB-client MariaDB-shared MariaDB-backup MariaDB-common<\/pre>\n\n\n\n5.\u542f\u52a8\u670d\u52a1<\/h2>\n\n\n\n
systemctl enable mariadb –now<\/p>\n\n\n\n
6.\u914d\u7f6e\u6570\u636e\u5e93<\/p>\n\n\n\n
mysql_secure_installation<\/pre>\n\n\n\n\u9996\u5148\u662f\u8bbe\u7f6e\u5bc6\u7801\uff0c\u4f1a\u63d0\u793a\u5148\u8f93\u5165\u5bc6\u7801<\/p>\n\n\n\n
Enter current password for root (enter for none):<\u2013\u521d\u6b21\u8fd0\u884c\u76f4\u63a5\u56de\u8f66<\/p>\n\n\n\n
\u8bbe\u7f6e\u5bc6\u7801<\/p>\n\n\n\n
Set root password? [Y\/n] <\u2013 \u662f\u5426\u8bbe\u7f6eroot\u7528\u6237\u5bc6\u7801\uff0c\u8f93\u5165y\u5e76\u56de\u8f66\u6216\u76f4\u63a5\u56de\u8f66
New password: <\u2013 \u8bbe\u7f6eroot\u7528\u6237\u7684\u5bc6\u7801
Re-enter new password: <\u2013 \u518d\u8f93\u5165\u4e00\u6b21\u4f60\u8bbe\u7f6e\u7684\u5bc6\u7801<\/p>\n\n\n\n
\u5176\u4ed6\u914d\u7f6e<\/p>\n\n\n\n
Remove anonymous users? [Y\/n] <\u2013 \u662f\u5426\u5220\u9664\u533f\u540d\u7528\u6237\uff0c\u56de\u8f66<\/p>\n\n\n\n
Disallow root login remotely? [Y\/n] <\u2013\u662f\u5426\u7981\u6b62root\u8fdc\u7a0b\u767b\u5f55,\u56de\u8f66,<\/p>\n\n\n\n
Remove test database and access to it? [Y\/n] <\u2013 \u662f\u5426\u5220\u9664test\u6570\u636e\u5e93\uff0c\u56de\u8f66<\/p>\n\n\n\n
Reload privilege tables now? [Y\/n] <\u2013 \u662f\u5426\u91cd\u65b0\u52a0\u8f7d\u6743\u9650\u8868\uff0c\u56de\u8f66<\/p>\n\n\n\n
\u521d\u59cb\u5316MariaDB\u5b8c\u6210\uff0c\u63a5\u4e0b\u6765\u6d4b\u8bd5\u767b\u5f55<\/p>\n\n\n\n
mysql -uroot -ppassword<\/pre>\n\n\n\n\u8bbe\u7f6e\u6570\u636e\u5e93\u5141\u8bb8\u8fdc\u7a0b\u8fde\u63a5\uff1a<\/p>\n\n\n\n
mysql -uroot -p\uff08\u8fdb\u5165\u6570\u636e\u5e93\uff09<\/p>\n\n\n\n
\u67e5\u770bMySQL\u5e93\u4e2d\u7684user\u8868\uff08user\u8868\u4e2d\u5b58\u7740\u94fe\u63a5\u4fe1\u606f\uff09<\/p>\n\n\n\n
select host,user from user;<\/p>\n\n\n\n
\u4f7f\u7528\u66f4\u65b0\u8bed\u53e5\u662froot\u7528\u6237\u53ef\u4ee5\u5728\u4efb\u610fIP\u7684\u7535\u8111\u4e0a\u767b\u5f55<\/p>\n\n\n\n
update user set host=’%’,user=’root’ limit 1;<\/p>\n\n\n\n
\u4f7f\u4fee\u6539\u751f\u6548<\/p>\n\n\n\n
flush privileges;<\/p>\n\n\n\n
\u9000\u51faMariadb\u540e\u5e76\u91cd\u542f mariadb\u670d\u52a1<\/p>\n\n\n\n
systemctl restart mariadb<\/p>\n\n\n\n
\u81f3\u6b64\uff0c\u6570\u636e\u5e93\u5b89\u88c5\u5b8c\u6bd5<\/p>\n\n\n\n
\u5b89\u88c5php<\/h1>\n\n\n\n1.\u9996\u5148\u5b89\u88c5 EPEL \u6e90\uff1a<\/h2>\n\n\n\nyum install epel-release<\/pre>\n\n\n\n2.\u5b89\u88c5 REMI \u6e90\uff1a<\/h2>\n\n\n\nyum install http:\/\/rpms.remirepo.net\/enterprise\/remi-release-7.rpm<\/pre>\n\n\n\n3.\u5b89\u88c5 Yum \u6e90\u7ba1\u7406\u5de5\u5177\uff1a<\/h2>\n\n\n\nyum install yum-utils<\/pre>\n\n\n\n4.\u5b89\u88c5 PHP7.3\uff1a<\/h2>\n\n\n\nyum install -y php73-php-fpm php73-php-cli php73-php-bcmath php73-php-gd php73-php-json php73-php-mbstring php73-php-mcrypt php73-php-mysqlnd php73-php-opcache php73-php-pdo php73-php-pecl-crypto php73-php-pecl-mcrypt php73-php-pecl-geoip php73-php-recode php73-php-snmp php73-php-soap php73-php-xmll<\/pre>\n\n\n\n5.\u542f\u52a8php\uff1a<\/h2>\n\n\n\nsystemctl enable php73-php-fpm\uff08\u5f00\u673a\u81ea\u542f\u52a8\uff09<\/pre>\n\n\n\nsystemctl start php73-php-fpm\uff08\u542f\u52a8\uff09<\/pre>\n\n\n\n\u914d\u7f6eapache\u865a\u62df\u673a<\/h1>\n\n\n\n
\u5728\/etc\/httpd\/conf.d\u6587\u4ef6\u5939\u65b0\u5efa\u4e00\u4e2aconf\u914d\u7f6e\u6587\u4ef6\uff0c\u518d\u628a\u4ee5\u4e0b\u5185\u5bb9\u62f7\u8d1d\u5230\u91cc\u9762<\/p>\n\n\n\n
\u4f8b\u5982\uff1a<\/p>\n\n\n\n![\"\"\/](\"http:\/\/oa.yidianhulian.com\/download?key=2010225f9146ea41a43\")
<\/figure>\n\n\n\n
DocumentRoot “\/var\/www\/html\/web\/app\/public_html” #\u9879\u76ee\u6839\u76ee\u5f55
ServerName lottery.yidianhulian.com #\u7ed1\u5b9a\u7684\u57df\u540d
Options FollowSymLinks ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
DirectoryIndex index.php index.html error\/index.html
ErrorDocument 400 \/error\/400.html
ErrorDocument 403 \/error\/403.html
ErrorDocument 404 \/error\/404.html
ErrorDocument 500 \/error\/500.html
ErrorDocument 501 \/error\/501.html
ErrorDocument 502 \/error\/502.html
ErrorDocument 503 \/error\/503.html
ErrorDocument 504 \/error\/504.html
ErrorDocument 505 \/error\/505.html
ErrorDocument 506 \/error\/506.html
ErrorDocument 507 \/error\/507.html
ErrorDocument 510 \/error\/510.html<\/p>\n\n\n\n
\u914d\u7f6ehttps<\/h1>\n\n\n\n
1.\u4f7f\u7528\u57df\u540d\u53ef\u4ee5\u7533\u8bf7\u514d\u8d39\u7684ssl\u8bc1\u4e66\uff0c\u9009\u62e9apache\u7248\u672c\uff0c\u8bc1\u4e66\u4e00\u5171\u6709\u4e09\u4e2a\u6587\u4ef6\uff0c\u4f8b\u5982:<\/p>\n\n\n\n![\"\"\/](\"http:\/\/oa.yidianhulian.com\/download?key=2010225f914d3419b74\")
<\/figure>\n\n\n\n2.\u5728\u670d\u52a1\u5668\u4e2d\u65b0\u5efa\u4e00\u4e2a\u6587\u4ef6\u5939\uff0c\u628a\u8fd9\u4e09\u4e2a\u6587\u4ef6\u62f7\u8d1d\u5230\u91cc\u9762<\/p>\n\n\n\n
3.\u914d\u7f6ehttps\u5176\u5b9e\u5c31\u662f\u914d\u7f6e\/etc\/httpd\/conf.d\/ssl.conf\u6587\u4ef6\uff0c<\/strong>\u4f7f\u7528yum\u4e0b\u8f7dmod_ssl\u540e\u4f1a\u81ea\u52a8\u751f\u6210\u8fd9\u4e2a\u6587\u4ef6\u3002\u5bf9\u6587\u4ef6\u8fdb\u884c\u914d\u7f6e\uff0c\u4f8b\u5982\uff1a<\/p>\n\n\n\n#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443 https<\/p>\n\n\n\n
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##<\/p>\n\n\n\n
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin’ is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:\/usr\/libexec\/httpd-ssl-pass-dialog<\/p>\n\n\n\n
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:\/run\/httpd\/sslcache(512000)
SSLSessionCacheTimeout 300<\/p>\n\n\n\n
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms \/dev\/random blocks if not enough entropy
# is available. This means you then cannot use the \/dev\/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a \/dev\/urandom device which doesn’t
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:\/dev\/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:\/dev\/random 512
#SSLRandomSeed connect file:\/dev\/random 512
#SSLRandomSeed connect file:\/dev\/urandom 512<\/p>\n\n\n\n
#
# Use “SSLCryptoDevice” to enable any supported hardware
# accelerators. Use “openssl engine -v” to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec<\/p>\n\n\n\n
##
## SSL Virtual Host Context
##<\/p>\n\n\n\n
#\u627e\u5230\u8fd9\u4e2a\u6807\u7b7e<\/p>\n\n\n\n
# General setup for the virtual host, inherited from global configuration
ServerName lottery.yidianhulian.com #\u914d\u7f6e\u57df\u540d
DocumentRoot \/var\/www\/html\/web\/app\/public_html #\u914d\u7f6e\u9879\u76ee\u6839\u76ee\u5f55<\/p>\n\n\n\n
#\u6dfb\u52a0\u8fd9\u4e2a\u6807\u7b7e\u5141\u8bb8\u8bbf\u95ee\u8be5\u9879\u76ee
Options FollowSymLinks ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
DirectoryIndex index.php index.html error\/index.html
<\/p>\n\n\n\n
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs\/ssl_error_log
TransferLog logs\/ssl_access_log
LogLevel warn<\/p>\n\n\n\n
# SSL Engine Switch:
# Enable\/Disable SSL for this virtual host.
SSLEngine on<\/p>\n\n\n\n
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3 # \u6dfb\u52a0SSL\u534f\u8bae\u652f\u6301\u534f\u8bae\uff0c\u53bb\u6389\u4e0d\u5b89\u5168\u7684\u534f\u8bae\u3002<\/p>\n\n\n\n
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM # \u4fee\u6539\u52a0\u5bc6\u5957\u4ef6\u3002<\/p>\n\n\n\n
# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy – if the server’s key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder on <\/p>\n\n\n\n
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile \/etc\/pki\/tls\/certs\/localhost.crt
SSLCertificateFile \/etc\/httpd\/cert\/4520877_lottery.yidianhulian.com_public.crt #\u8bc1\u4e66\u6240\u5728\u76ee\u5f55\u3002\u8981\u4e00\u4e00\u5bf9\u5e94\uff0c\u6ce8\u610f\u770b\u6587\u4ef6\u540d<\/p>\n\n\n\n
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you’ve both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile \/etc\/httpd\/cert\/4520877_lottery.yidianhulian.com.key #\u8bc1\u4e66\u6240\u5728\u76ee\u5f55\u3002\u8981\u4e00\u4e00\u5bf9\u5e94\uff0c\u6ce8\u610f\u770b\u6587\u4ef6\u540d<\/p>\n\n\n\n
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
SSLCertificateChainFile \/etc\/httpd\/cert\/4520877_lottery.yidianhulian.com_chain.crt #\u8bc1\u4e66\u6240\u5728\u76ee\u5f55\u3002\u8981\u4e00\u4e00\u5bf9\u5e94\uff0c\u6ce8\u610f\u770b\u6587\u4ef6\u540d<\/p>\n\n\n\n
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile \/etc\/pki\/tls\/certs\/ca-bundle.crt<\/p>\n\n\n\n
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10<\/p>\n\n\n\n
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#
#SSLRequire ( %{SSL_CIPHER} !~ m\/^(EXP|NULL)\/ \\
# and %{SSL_CLIENT_S_DN_O} eq “Snake Oil, Ltd.” \\
# and %{SSL_CLIENT_S_DN_OU} in {“Staff”, “CA”, “Dev”} \\
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \\
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \\
# or %{REMOTE_ADDR} =~ m\/^192\\.76\\.162\\.[0-9]+$\/
#<\/p>\n\n\n\n
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth\/DBMAuth methods can be used for access control. The
# user name is the `one line’ version of the client’s X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA’.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL\/TLS related `SSL_*’ environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when “SSLRequireSSL” or “SSLRequire” applied even
# under a “Satisfy any” situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars<\/p>\n\n\n\n
# SSL Protocol Adjustments:
# The safe and default but still SSL\/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn’t wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL\/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I\/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL\/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable “nokeepalive” for this.
# Similarly, one has to force some clients to use HTTP\/1.0 to workaround
# their broken HTTP\/1.1 implementation. Use variables “downgrade-1.0” and
# “force-response-1.0” for this.
BrowserMatch “MSIE [2-5]” \\
nokeepalive ssl-unclean-shutdown \\
downgrade-1.0 force-response-1.0<\/p>\n\n\n\n
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs\/ssl_request_log \\
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \\”%r\\” %b”<\/p>\n","protected":false},"excerpt":{"rendered":"
\u5b89\u88c5apache 1.\u4f7f\u7528yum\u5b89\u88c5apache: yum install -y httpd 2.\u4e0b\u8f7d\u5b8c\u6210\u540e\u542f … \u7ee7\u7eed\u9605\u8bfb\u5168\u65b0\u5b89\u88c5LAMP\u73af\u5883<\/span>
2.\u66f4\u65b0\u7f13\u5b58<\/h2>\n\n\n\n
yum clean all
yum makecache
yum repolist<\/p>\n\n\n\n
3.\u663e\u793a\u53ef\u5b89\u88c5\u7684\u7248\u672c<\/h2>\n\n\n\n
#\u8fd9\u4e2a\u53ef\u4ee5\u770b\u7248\u672c\u53f7
yum search mariadb –showduplicates
\u6216
yum search mariadb<\/p>\n\n\n\n
4.\u5b89\u88c5<\/h2>\n\n\n\nsudo yum install MariaDB-server galera-4 MariaDB-client MariaDB-shared MariaDB-backup MariaDB-common<\/pre>\n\n\n\n5.\u542f\u52a8\u670d\u52a1<\/h2>\n\n\n\n
systemctl enable mariadb –now<\/p>\n\n\n\n
6.\u914d\u7f6e\u6570\u636e\u5e93<\/p>\n\n\n\n
mysql_secure_installation<\/pre>\n\n\n\n\u9996\u5148\u662f\u8bbe\u7f6e\u5bc6\u7801\uff0c\u4f1a\u63d0\u793a\u5148\u8f93\u5165\u5bc6\u7801<\/p>\n\n\n\n
Enter current password for root (enter for none):<\u2013\u521d\u6b21\u8fd0\u884c\u76f4\u63a5\u56de\u8f66<\/p>\n\n\n\n
\u8bbe\u7f6e\u5bc6\u7801<\/p>\n\n\n\n
Set root password? [Y\/n] <\u2013 \u662f\u5426\u8bbe\u7f6eroot\u7528\u6237\u5bc6\u7801\uff0c\u8f93\u5165y\u5e76\u56de\u8f66\u6216\u76f4\u63a5\u56de\u8f66
New password: <\u2013 \u8bbe\u7f6eroot\u7528\u6237\u7684\u5bc6\u7801
Re-enter new password: <\u2013 \u518d\u8f93\u5165\u4e00\u6b21\u4f60\u8bbe\u7f6e\u7684\u5bc6\u7801<\/p>\n\n\n\n
\u5176\u4ed6\u914d\u7f6e<\/p>\n\n\n\n
Remove anonymous users? [Y\/n] <\u2013 \u662f\u5426\u5220\u9664\u533f\u540d\u7528\u6237\uff0c\u56de\u8f66<\/p>\n\n\n\n
Disallow root login remotely? [Y\/n] <\u2013\u662f\u5426\u7981\u6b62root\u8fdc\u7a0b\u767b\u5f55,\u56de\u8f66,<\/p>\n\n\n\n
Remove test database and access to it? [Y\/n] <\u2013 \u662f\u5426\u5220\u9664test\u6570\u636e\u5e93\uff0c\u56de\u8f66<\/p>\n\n\n\n
Reload privilege tables now? [Y\/n] <\u2013 \u662f\u5426\u91cd\u65b0\u52a0\u8f7d\u6743\u9650\u8868\uff0c\u56de\u8f66<\/p>\n\n\n\n
\u521d\u59cb\u5316MariaDB\u5b8c\u6210\uff0c\u63a5\u4e0b\u6765\u6d4b\u8bd5\u767b\u5f55<\/p>\n\n\n\n
mysql -uroot -ppassword<\/pre>\n\n\n\n\u8bbe\u7f6e\u6570\u636e\u5e93\u5141\u8bb8\u8fdc\u7a0b\u8fde\u63a5\uff1a<\/p>\n\n\n\n
mysql -uroot -p\uff08\u8fdb\u5165\u6570\u636e\u5e93\uff09<\/p>\n\n\n\n
\u67e5\u770bMySQL\u5e93\u4e2d\u7684user\u8868\uff08user\u8868\u4e2d\u5b58\u7740\u94fe\u63a5\u4fe1\u606f\uff09<\/p>\n\n\n\n
select host,user from user;<\/p>\n\n\n\n
\u4f7f\u7528\u66f4\u65b0\u8bed\u53e5\u662froot\u7528\u6237\u53ef\u4ee5\u5728\u4efb\u610fIP\u7684\u7535\u8111\u4e0a\u767b\u5f55<\/p>\n\n\n\n
update user set host=’%’,user=’root’ limit 1;<\/p>\n\n\n\n
\u4f7f\u4fee\u6539\u751f\u6548<\/p>\n\n\n\n
flush privileges;<\/p>\n\n\n\n
\u9000\u51faMariadb\u540e\u5e76\u91cd\u542f mariadb\u670d\u52a1<\/p>\n\n\n\n
systemctl restart mariadb<\/p>\n\n\n\n
\u81f3\u6b64\uff0c\u6570\u636e\u5e93\u5b89\u88c5\u5b8c\u6bd5<\/p>\n\n\n\n
\u5b89\u88c5php<\/h1>\n\n\n\n1.\u9996\u5148\u5b89\u88c5 EPEL \u6e90\uff1a<\/h2>\n\n\n\nyum install epel-release<\/pre>\n\n\n\n2.\u5b89\u88c5 REMI \u6e90\uff1a<\/h2>\n\n\n\nyum install http:\/\/rpms.remirepo.net\/enterprise\/remi-release-7.rpm<\/pre>\n\n\n\n3.\u5b89\u88c5 Yum \u6e90\u7ba1\u7406\u5de5\u5177\uff1a<\/h2>\n\n\n\nyum install yum-utils<\/pre>\n\n\n\n4.\u5b89\u88c5 PHP7.3\uff1a<\/h2>\n\n\n\nyum install -y php73-php-fpm php73-php-cli php73-php-bcmath php73-php-gd php73-php-json php73-php-mbstring php73-php-mcrypt php73-php-mysqlnd php73-php-opcache php73-php-pdo php73-php-pecl-crypto php73-php-pecl-mcrypt php73-php-pecl-geoip php73-php-recode php73-php-snmp php73-php-soap php73-php-xmll<\/pre>\n\n\n\n5.\u542f\u52a8php\uff1a<\/h2>\n\n\n\nsystemctl enable php73-php-fpm\uff08\u5f00\u673a\u81ea\u542f\u52a8\uff09<\/pre>\n\n\n\nsystemctl start php73-php-fpm\uff08\u542f\u52a8\uff09<\/pre>\n\n\n\n\u914d\u7f6eapache\u865a\u62df\u673a<\/h1>\n\n\n\n
\u5728\/etc\/httpd\/conf.d\u6587\u4ef6\u5939\u65b0\u5efa\u4e00\u4e2aconf\u914d\u7f6e\u6587\u4ef6\uff0c\u518d\u628a\u4ee5\u4e0b\u5185\u5bb9\u62f7\u8d1d\u5230\u91cc\u9762<\/p>\n\n\n\n
\u4f8b\u5982\uff1a<\/p>\n\n\n\n<\/figure>\n\n\n\n
DocumentRoot “\/var\/www\/html\/web\/app\/public_html” #\u9879\u76ee\u6839\u76ee\u5f55
ServerName lottery.yidianhulian.com #\u7ed1\u5b9a\u7684\u57df\u540d
Options FollowSymLinks ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
DirectoryIndex index.php index.html error\/index.html
ErrorDocument 400 \/error\/400.html
ErrorDocument 403 \/error\/403.html
ErrorDocument 404 \/error\/404.html
ErrorDocument 500 \/error\/500.html
ErrorDocument 501 \/error\/501.html
ErrorDocument 502 \/error\/502.html
ErrorDocument 503 \/error\/503.html
ErrorDocument 504 \/error\/504.html
ErrorDocument 505 \/error\/505.html
ErrorDocument 506 \/error\/506.html
ErrorDocument 507 \/error\/507.html
ErrorDocument 510 \/error\/510.html<\/p>\n\n\n\n
\u914d\u7f6ehttps<\/h1>\n\n\n\n
1.\u4f7f\u7528\u57df\u540d\u53ef\u4ee5\u7533\u8bf7\u514d\u8d39\u7684ssl\u8bc1\u4e66\uff0c\u9009\u62e9apache\u7248\u672c\uff0c\u8bc1\u4e66\u4e00\u5171\u6709\u4e09\u4e2a\u6587\u4ef6\uff0c\u4f8b\u5982:<\/p>\n\n\n\n<\/figure>\n\n\n\n2.\u5728\u670d\u52a1\u5668\u4e2d\u65b0\u5efa\u4e00\u4e2a\u6587\u4ef6\u5939\uff0c\u628a\u8fd9\u4e09\u4e2a\u6587\u4ef6\u62f7\u8d1d\u5230\u91cc\u9762<\/p>\n\n\n\n
3.\u914d\u7f6ehttps\u5176\u5b9e\u5c31\u662f\u914d\u7f6e\/etc\/httpd\/conf.d\/ssl.conf\u6587\u4ef6\uff0c<\/strong>\u4f7f\u7528yum\u4e0b\u8f7dmod_ssl\u540e\u4f1a\u81ea\u52a8\u751f\u6210\u8fd9\u4e2a\u6587\u4ef6\u3002\u5bf9\u6587\u4ef6\u8fdb\u884c\u914d\u7f6e\uff0c\u4f8b\u5982\uff1a<\/p>\n\n\n\n#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443 https<\/p>\n\n\n\n
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##<\/p>\n\n\n\n
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin’ is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:\/usr\/libexec\/httpd-ssl-pass-dialog<\/p>\n\n\n\n
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:\/run\/httpd\/sslcache(512000)
SSLSessionCacheTimeout 300<\/p>\n\n\n\n
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms \/dev\/random blocks if not enough entropy
# is available. This means you then cannot use the \/dev\/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a \/dev\/urandom device which doesn’t
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:\/dev\/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:\/dev\/random 512
#SSLRandomSeed connect file:\/dev\/random 512
#SSLRandomSeed connect file:\/dev\/urandom 512<\/p>\n\n\n\n
#
# Use “SSLCryptoDevice” to enable any supported hardware
# accelerators. Use “openssl engine -v” to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec<\/p>\n\n\n\n
##
## SSL Virtual Host Context
##<\/p>\n\n\n\n
#\u627e\u5230\u8fd9\u4e2a\u6807\u7b7e<\/p>\n\n\n\n
# General setup for the virtual host, inherited from global configuration
ServerName lottery.yidianhulian.com #\u914d\u7f6e\u57df\u540d
DocumentRoot \/var\/www\/html\/web\/app\/public_html #\u914d\u7f6e\u9879\u76ee\u6839\u76ee\u5f55<\/p>\n\n\n\n
#\u6dfb\u52a0\u8fd9\u4e2a\u6807\u7b7e\u5141\u8bb8\u8bbf\u95ee\u8be5\u9879\u76ee
Options FollowSymLinks ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
DirectoryIndex index.php index.html error\/index.html
<\/p>\n\n\n\n
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs\/ssl_error_log
TransferLog logs\/ssl_access_log
LogLevel warn<\/p>\n\n\n\n
# SSL Engine Switch:
# Enable\/Disable SSL for this virtual host.
SSLEngine on<\/p>\n\n\n\n
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3 # \u6dfb\u52a0SSL\u534f\u8bae\u652f\u6301\u534f\u8bae\uff0c\u53bb\u6389\u4e0d\u5b89\u5168\u7684\u534f\u8bae\u3002<\/p>\n\n\n\n
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM # \u4fee\u6539\u52a0\u5bc6\u5957\u4ef6\u3002<\/p>\n\n\n\n
# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy – if the server’s key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder on <\/p>\n\n\n\n
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile \/etc\/pki\/tls\/certs\/localhost.crt
SSLCertificateFile \/etc\/httpd\/cert\/4520877_lottery.yidianhulian.com_public.crt #\u8bc1\u4e66\u6240\u5728\u76ee\u5f55\u3002\u8981\u4e00\u4e00\u5bf9\u5e94\uff0c\u6ce8\u610f\u770b\u6587\u4ef6\u540d<\/p>\n\n\n\n
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you’ve both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile \/etc\/httpd\/cert\/4520877_lottery.yidianhulian.com.key #\u8bc1\u4e66\u6240\u5728\u76ee\u5f55\u3002\u8981\u4e00\u4e00\u5bf9\u5e94\uff0c\u6ce8\u610f\u770b\u6587\u4ef6\u540d<\/p>\n\n\n\n
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
SSLCertificateChainFile \/etc\/httpd\/cert\/4520877_lottery.yidianhulian.com_chain.crt #\u8bc1\u4e66\u6240\u5728\u76ee\u5f55\u3002\u8981\u4e00\u4e00\u5bf9\u5e94\uff0c\u6ce8\u610f\u770b\u6587\u4ef6\u540d<\/p>\n\n\n\n
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile \/etc\/pki\/tls\/certs\/ca-bundle.crt<\/p>\n\n\n\n
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10<\/p>\n\n\n\n
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#
#SSLRequire ( %{SSL_CIPHER} !~ m\/^(EXP|NULL)\/ \\
# and %{SSL_CLIENT_S_DN_O} eq “Snake Oil, Ltd.” \\
# and %{SSL_CLIENT_S_DN_OU} in {“Staff”, “CA”, “Dev”} \\
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \\
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \\
# or %{REMOTE_ADDR} =~ m\/^192\\.76\\.162\\.[0-9]+$\/
#<\/p>\n\n\n\n
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth\/DBMAuth methods can be used for access control. The
# user name is the `one line’ version of the client’s X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA’.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL\/TLS related `SSL_*’ environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when “SSLRequireSSL” or “SSLRequire” applied even
# under a “Satisfy any” situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars<\/p>\n\n\n\n
# SSL Protocol Adjustments:
# The safe and default but still SSL\/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn’t wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL\/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I\/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL\/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable “nokeepalive” for this.
# Similarly, one has to force some clients to use HTTP\/1.0 to workaround
# their broken HTTP\/1.1 implementation. Use variables “downgrade-1.0” and
# “force-response-1.0” for this.
BrowserMatch “MSIE [2-5]” \\
nokeepalive ssl-unclean-shutdown \\
downgrade-1.0 force-response-1.0<\/p>\n\n\n\n
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs\/ssl_request_log \\
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \\”%r\\” %b”<\/p>\n","protected":false},"excerpt":{"rendered":"
\u5b89\u88c5apache 1.\u4f7f\u7528yum\u5b89\u88c5apache: yum install -y httpd 2.\u4e0b\u8f7d\u5b8c\u6210\u540e\u542f … \u7ee7\u7eed\u9605\u8bfb\u5168\u65b0\u5b89\u88c5LAMP\u73af\u5883<\/span>
5.\u542f\u52a8\u670d\u52a1<\/h2>\n\n\n\n
systemctl enable mariadb –now<\/p>\n\n\n\n
6.\u914d\u7f6e\u6570\u636e\u5e93<\/p>\n\n\n\n
mysql_secure_installation<\/pre>\n\n\n\n\u9996\u5148\u662f\u8bbe\u7f6e\u5bc6\u7801\uff0c\u4f1a\u63d0\u793a\u5148\u8f93\u5165\u5bc6\u7801<\/p>\n\n\n\n
Enter current password for root (enter for none):<\u2013\u521d\u6b21\u8fd0\u884c\u76f4\u63a5\u56de\u8f66<\/p>\n\n\n\n
\u8bbe\u7f6e\u5bc6\u7801<\/p>\n\n\n\n
Set root password? [Y\/n] <\u2013 \u662f\u5426\u8bbe\u7f6eroot\u7528\u6237\u5bc6\u7801\uff0c\u8f93\u5165y\u5e76\u56de\u8f66\u6216\u76f4\u63a5\u56de\u8f66
New password: <\u2013 \u8bbe\u7f6eroot\u7528\u6237\u7684\u5bc6\u7801
Re-enter new password: <\u2013 \u518d\u8f93\u5165\u4e00\u6b21\u4f60\u8bbe\u7f6e\u7684\u5bc6\u7801<\/p>\n\n\n\n\u5176\u4ed6\u914d\u7f6e<\/p>\n\n\n\n
Remove anonymous users? [Y\/n] <\u2013 \u662f\u5426\u5220\u9664\u533f\u540d\u7528\u6237\uff0c\u56de\u8f66<\/p>\n\n\n\n
Disallow root login remotely? [Y\/n] <\u2013\u662f\u5426\u7981\u6b62root\u8fdc\u7a0b\u767b\u5f55,\u56de\u8f66,<\/p>\n\n\n\n
Remove test database and access to it? [Y\/n] <\u2013 \u662f\u5426\u5220\u9664test\u6570\u636e\u5e93\uff0c\u56de\u8f66<\/p>\n\n\n\n
Reload privilege tables now? [Y\/n] <\u2013 \u662f\u5426\u91cd\u65b0\u52a0\u8f7d\u6743\u9650\u8868\uff0c\u56de\u8f66<\/p>\n\n\n\n
\u521d\u59cb\u5316MariaDB\u5b8c\u6210\uff0c\u63a5\u4e0b\u6765\u6d4b\u8bd5\u767b\u5f55<\/p>\n\n\n\n
mysql -uroot -ppassword<\/pre>\n\n\n\n\u8bbe\u7f6e\u6570\u636e\u5e93\u5141\u8bb8\u8fdc\u7a0b\u8fde\u63a5\uff1a<\/p>\n\n\n\n
mysql -uroot -p\uff08\u8fdb\u5165\u6570\u636e\u5e93\uff09<\/p>\n\n\n\n
\u67e5\u770bMySQL\u5e93\u4e2d\u7684user\u8868\uff08user\u8868\u4e2d\u5b58\u7740\u94fe\u63a5\u4fe1\u606f\uff09<\/p>\n\n\n\n
select host,user from user;<\/p>\n\n\n\n
\u4f7f\u7528\u66f4\u65b0\u8bed\u53e5\u662froot\u7528\u6237\u53ef\u4ee5\u5728\u4efb\u610fIP\u7684\u7535\u8111\u4e0a\u767b\u5f55<\/p>\n\n\n\n
update user set host=’%’,user=’root’ limit 1;<\/p>\n\n\n\n
\u4f7f\u4fee\u6539\u751f\u6548<\/p>\n\n\n\n
flush privileges;<\/p>\n\n\n\n
\u9000\u51faMariadb\u540e\u5e76\u91cd\u542f mariadb\u670d\u52a1<\/p>\n\n\n\n
systemctl restart mariadb<\/p>\n\n\n\n
\u81f3\u6b64\uff0c\u6570\u636e\u5e93\u5b89\u88c5\u5b8c\u6bd5<\/p>\n\n\n\n
\u5b89\u88c5php<\/h1>\n\n\n\n
1.\u9996\u5148\u5b89\u88c5 EPEL \u6e90\uff1a<\/h2>\n\n\n\n
yum install epel-release<\/pre>\n\n\n\n2.\u5b89\u88c5 REMI \u6e90\uff1a<\/h2>\n\n\n\n
yum install http:\/\/rpms.remirepo.net\/enterprise\/remi-release-7.rpm<\/pre>\n\n\n\n3.\u5b89\u88c5 Yum \u6e90\u7ba1\u7406\u5de5\u5177\uff1a<\/h2>\n\n\n\n
yum install yum-utils<\/pre>\n\n\n\n4.\u5b89\u88c5 PHP7.3\uff1a<\/h2>\n\n\n\n
yum install -y php73-php-fpm php73-php-cli php73-php-bcmath php73-php-gd php73-php-json php73-php-mbstring php73-php-mcrypt php73-php-mysqlnd php73-php-opcache php73-php-pdo php73-php-pecl-crypto php73-php-pecl-mcrypt php73-php-pecl-geoip php73-php-recode php73-php-snmp php73-php-soap php73-php-xmll<\/pre>\n\n\n\n5.\u542f\u52a8php\uff1a<\/h2>\n\n\n\n
systemctl enable php73-php-fpm\uff08\u5f00\u673a\u81ea\u542f\u52a8\uff09<\/pre>\n\n\n\nsystemctl start php73-php-fpm\uff08\u542f\u52a8\uff09<\/pre>\n\n\n\n\u914d\u7f6eapache\u865a\u62df\u673a<\/h1>\n\n\n\n
\u5728\/etc\/httpd\/conf.d\u6587\u4ef6\u5939\u65b0\u5efa\u4e00\u4e2aconf\u914d\u7f6e\u6587\u4ef6\uff0c\u518d\u628a\u4ee5\u4e0b\u5185\u5bb9\u62f7\u8d1d\u5230\u91cc\u9762<\/p>\n\n\n\n
\u4f8b\u5982\uff1a<\/p>\n\n\n\n
DocumentRoot “\/var\/www\/html\/web\/app\/public_html” #\u9879\u76ee\u6839\u76ee\u5f55
ServerName lottery.yidianhulian.com #\u7ed1\u5b9a\u7684\u57df\u540d
Options FollowSymLinks ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
DirectoryIndex index.php index.html error\/index.html
ErrorDocument 400 \/error\/400.html
ErrorDocument 403 \/error\/403.html
ErrorDocument 404 \/error\/404.html
ErrorDocument 500 \/error\/500.html
ErrorDocument 501 \/error\/501.html
ErrorDocument 502 \/error\/502.html
ErrorDocument 503 \/error\/503.html
ErrorDocument 504 \/error\/504.html
ErrorDocument 505 \/error\/505.html
ErrorDocument 506 \/error\/506.html
ErrorDocument 507 \/error\/507.html
ErrorDocument 510 \/error\/510.html<\/p>\n\n\n\n\u914d\u7f6ehttps<\/h1>\n\n\n\n
1.\u4f7f\u7528\u57df\u540d\u53ef\u4ee5\u7533\u8bf7\u514d\u8d39\u7684ssl\u8bc1\u4e66\uff0c\u9009\u62e9apache\u7248\u672c\uff0c\u8bc1\u4e66\u4e00\u5171\u6709\u4e09\u4e2a\u6587\u4ef6\uff0c\u4f8b\u5982:<\/p>\n\n\n\n
2.\u5728\u670d\u52a1\u5668\u4e2d\u65b0\u5efa\u4e00\u4e2a\u6587\u4ef6\u5939\uff0c\u628a\u8fd9\u4e09\u4e2a\u6587\u4ef6\u62f7\u8d1d\u5230\u91cc\u9762<\/p>\n\n\n\n
3.\u914d\u7f6ehttps\u5176\u5b9e\u5c31\u662f\u914d\u7f6e\/etc\/httpd\/conf.d\/ssl.conf\u6587\u4ef6\uff0c<\/strong>\u4f7f\u7528yum\u4e0b\u8f7dmod_ssl\u540e\u4f1a\u81ea\u52a8\u751f\u6210\u8fd9\u4e2a\u6587\u4ef6\u3002\u5bf9\u6587\u4ef6\u8fdb\u884c\u914d\u7f6e\uff0c\u4f8b\u5982\uff1a<\/p>\n\n\n\n
#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443 https<\/p>\n\n\n\n##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##<\/p>\n\n\n\n# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin’ is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:\/usr\/libexec\/httpd-ssl-pass-dialog<\/p>\n\n\n\n# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:\/run\/httpd\/sslcache(512000)
SSLSessionCacheTimeout 300<\/p>\n\n\n\n# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms \/dev\/random blocks if not enough entropy
# is available. This means you then cannot use the \/dev\/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a \/dev\/urandom device which doesn’t
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:\/dev\/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:\/dev\/random 512
#SSLRandomSeed connect file:\/dev\/random 512
#SSLRandomSeed connect file:\/dev\/urandom 512<\/p>\n\n\n\n#
# Use “SSLCryptoDevice” to enable any supported hardware
# accelerators. Use “openssl engine -v” to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec<\/p>\n\n\n\n##
## SSL Virtual Host Context
##<\/p>\n\n\n\n#\u627e\u5230\u8fd9\u4e2a\u6807\u7b7e<\/p>\n\n\n\n
# General setup for the virtual host, inherited from global configuration
ServerName lottery.yidianhulian.com #\u914d\u7f6e\u57df\u540d
DocumentRoot \/var\/www\/html\/web\/app\/public_html #\u914d\u7f6e\u9879\u76ee\u6839\u76ee\u5f55<\/p>\n\n\n\n#\u6dfb\u52a0\u8fd9\u4e2a\u6807\u7b7e\u5141\u8bb8\u8bbf\u95ee\u8be5\u9879\u76ee
Options FollowSymLinks ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
DirectoryIndex index.php index.html error\/index.html
<\/p>\n\n\n\n# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs\/ssl_error_log
TransferLog logs\/ssl_access_log
LogLevel warn<\/p>\n\n\n\n# SSL Engine Switch:
# Enable\/Disable SSL for this virtual host.
SSLEngine on<\/p>\n\n\n\n# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3 # \u6dfb\u52a0SSL\u534f\u8bae\u652f\u6301\u534f\u8bae\uff0c\u53bb\u6389\u4e0d\u5b89\u5168\u7684\u534f\u8bae\u3002<\/p>\n\n\n\n# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM # \u4fee\u6539\u52a0\u5bc6\u5957\u4ef6\u3002<\/p>\n\n\n\n# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy – if the server’s key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder on <\/p>\n\n\n\n# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile \/etc\/pki\/tls\/certs\/localhost.crt
SSLCertificateFile \/etc\/httpd\/cert\/4520877_lottery.yidianhulian.com_public.crt #\u8bc1\u4e66\u6240\u5728\u76ee\u5f55\u3002\u8981\u4e00\u4e00\u5bf9\u5e94\uff0c\u6ce8\u610f\u770b\u6587\u4ef6\u540d<\/p>\n\n\n\n# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you’ve both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile \/etc\/httpd\/cert\/4520877_lottery.yidianhulian.com.key #\u8bc1\u4e66\u6240\u5728\u76ee\u5f55\u3002\u8981\u4e00\u4e00\u5bf9\u5e94\uff0c\u6ce8\u610f\u770b\u6587\u4ef6\u540d<\/p>\n\n\n\n# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
SSLCertificateChainFile \/etc\/httpd\/cert\/4520877_lottery.yidianhulian.com_chain.crt #\u8bc1\u4e66\u6240\u5728\u76ee\u5f55\u3002\u8981\u4e00\u4e00\u5bf9\u5e94\uff0c\u6ce8\u610f\u770b\u6587\u4ef6\u540d<\/p>\n\n\n\n# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile \/etc\/pki\/tls\/certs\/ca-bundle.crt<\/p>\n\n\n\n# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10<\/p>\n\n\n\n# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#
#SSLRequire ( %{SSL_CIPHER} !~ m\/^(EXP|NULL)\/ \\
# and %{SSL_CLIENT_S_DN_O} eq “Snake Oil, Ltd.” \\
# and %{SSL_CLIENT_S_DN_OU} in {“Staff”, “CA”, “Dev”} \\
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \\
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \\
# or %{REMOTE_ADDR} =~ m\/^192\\.76\\.162\\.[0-9]+$\/
#<\/p>\n\n\n\n# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth\/DBMAuth methods can be used for access control. The
# user name is the `one line’ version of the client’s X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA’.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL\/TLS related `SSL_*’ environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when “SSLRequireSSL” or “SSLRequire” applied even
# under a “Satisfy any” situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars<\/p>\n\n\n\n# SSL Protocol Adjustments:
# The safe and default but still SSL\/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn’t wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL\/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I\/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL\/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable “nokeepalive” for this.
# Similarly, one has to force some clients to use HTTP\/1.0 to workaround
# their broken HTTP\/1.1 implementation. Use variables “downgrade-1.0” and
# “force-response-1.0” for this.
BrowserMatch “MSIE [2-5]” \\
nokeepalive ssl-unclean-shutdown \\
downgrade-1.0 force-response-1.0<\/p>\n\n\n\n# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs\/ssl_request_log \\
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \\”%r\\” %b”<\/p>\n","protected":false},"excerpt":{"rendered":"\u5b89\u88c5apache 1.\u4f7f\u7528yum\u5b89\u88c5apache: yum install -y httpd 2.\u4e0b\u8f7d\u5b8c\u6210\u540e\u542f … \u7ee7\u7eed\u9605\u8bfb\u5168\u65b0\u5b89\u88c5LAMP\u73af\u5883<\/span>