Installing and configuring the mpm-itk extension module for Apache 2.4.x

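What the mpm-itk module is for: it lets each site run as a different user. Combined with Linux file system permissions, this means that even if one site's directory is compromised, the damage is to some extent kept from spreading to other sites.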

wget http://mpm-itk.sesse.net/mpm-itk-2.4.7-04.tar.gz
tar -zxvf mpm-itk-2.4.7-04.tar.gz
cd mpm-itk-2.4.7-04
./configure --with-apxs=/usr/local/apache/bin/apxs
make 
make install

Output:

chmod 755 /usr/local/apache/modules/mpm_itk.so

Add to httpd.conf:

LoadModule mpm_itk_module modules/mpm_itk.so

Add to the virtual host configuration:

<IfModule mpm_itk_module>
AssignUserId user group
</IfModule>

Of course, the user has to be created first:

useradd -s /sbin/nologin -g www -M abc


<VirtualHost *:80>
    ServerAdmin www.abc.com
    DocumentRoot "/home/public_html/default/"
    ServerName www.abc.com

        <IfModule mpm_itk_module>
                AssignUserId abc www
        </IfModule>

</VirtualHost>

Restarting Apache fails; it dies with:

mpm-itk cannot use threaded MPMs; please use prefork.

Which MPM? Rebuild with --with-mpm=prefork, because the current MPM is event.

Delete the original source directories and extract them again.

cd /usr/tmp/apr
 ./configure --prefix=/usr/local/apr   
make && make install


cd /usr/tmp/apr-util/
./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
make && make install

Go into the Apache installation source directory and recompile:

./configure --prefix=/usr/local/apache --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --with-pcre=/usr/local/pcre/  --with-mpm=prefork 
make && make install

/usr/local/apache/bin/apachectl start

/usr/local/apache/bin/apachectl -l

Compiled in modules:
  core.c
  mod_so.c
  http_core.c
  prefork.c

Then enable mpm-itk again:

LoadModule mpm_itk_module modules/mpm_itk.so

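Notes:
1. Once mpm-itk is configured, the httpd processes run as root.
2. The user assigned to each site must be created with useradd.
3. When setting permissions for each site, it is best to deny read, write and execute to the group and to other users, i.e. mode 700, to get good permission isolation.
4. As for running the processes as root: personally, I think only root can manage permissions across all sites, directories and users.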
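
An added example (not part of the original post): one way to check note 3 for every virtual host, by pairing each DocumentRoot with its AssignUserId and verifying owner and mode. The function names, file names and sample data are assumptions constructed for this example; GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. For each <VirtualHost> block it
# pairs DocumentRoot with AssignUserId, then checks that the directory is
# owned by that user and has mode 700 (note 3). Assumes GNU stat (stat -c)
# and DocumentRoot paths without spaces.
audit_vhosts() {   # usage: audit_vhosts CONF; returns 1 if any vhost fails
    av_rc=0
    av_pairs=$(awk '
        { key = tolower($1) }
        key ~ /^<virtualhost/          { root = ""; user = ""; in_vh = 1 }
        in_vh && key == "documentroot" { root = $2; gsub(/"/, "", root) }
        in_vh && key == "assignuserid" { user = $2 }
        key ~ /^<\/virtualhost/        { print root "|" user; in_vh = 0 }
    ' "$1")
    while IFS='|' read -r av_root av_user; do
        [ -n "$av_root" ] || continue
        av_owner=$(stat -c %U "$av_root" 2>/dev/null || echo missing)
        av_mode=$(stat -c %a "$av_root" 2>/dev/null || echo missing)
        if [ -z "$av_user" ]; then
            echo "FAIL $av_root no AssignUserId"; av_rc=1
        elif [ "$av_owner" != "$av_user" ]; then
            echo "FAIL $av_root owner=$av_owner expected=$av_user"; av_rc=1
        elif [ "$av_mode" != 700 ]; then
            echo "FAIL $av_root mode=$av_mode expected=700"; av_rc=1
        else
            echo "OK $av_root"
        fi
    done <<EOF
$av_pairs
EOF
    return "$av_rc"
}

# Constructed sample: two docroots (700 and 755), both assigned to their owner.
make_sample() {   # usage: make_sample DIR
    mkdir -p "$1/site_a" "$1/site_b"
    chmod 700 "$1/site_a"; chmod 755 "$1/site_b"
    ms_user=$(stat -c %U "$1/site_a")
    printf '<VirtualHost *:80>\n  DocumentRoot "%s"\n  AssignUserId %s www\n</VirtualHost>\n' \
        "$1/site_a" "$ms_user" "$1/site_b" "$ms_user" > "$1/vhosts.conf"
}

demo_dir=$(mktemp -d) && make_sample "$demo_dir"
audit_vhosts "$demo_dir/vhosts.conf" || echo "isolation problems found"
rm -rf "$demo_dir"
```

On a real server, point audit_vhosts at the file that holds the <VirtualHost> blocks; a FAIL line names the directory whose owner or mode breaks the per-site isolation.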

Appendix: Apache + PHP 7 deployment log

groupadd www
useradd -s /sbin/nologin -g www -M www

yum -y install make gcc gcc-c++ gcc-g77 flex bison file libtool libtool-libs autoconf kernel-devel libjpeg libjpeg-devel libpng libpng-devel libpng10 libpng10-devel gd gd-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glib2 glib2-devel bzip2 bzip2-devel libevent libevent-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel gettext gettext-devel ncurses-devel gmp-devel pspell-devel unzip libcap lsof cmake automake autoconf zlib zlib-devel glibc glibc-devel glib2 libxml glib2-devel libxml2 libxml2-devel bzip2 bzip2-devel libXpm libXpm-devel libidn libidn-devel libtool libtool-ltdl-devel* libmcrypt libmcrypt-devel libevent-devel libmcrypt* curl curl-devel perl perl-Net-SSLeay pcre pcre-devel openldap openldap-devel openldap-clients openldap-servers libjpeg libpng libjpeg-devel libjpeg-6b libjpeg-devel-6b libpng-devel libtiff-devel freetype freetype-devel gd gd-devel

wget http://nchc.dl.sourceforge.net/project/pcre/pcre/8.34/pcre-8.34.tar.gz
tar -zxvf pcre-8.34.tar.gz
cd pcre-8.34
./configure
make && make install

cd ../

wget --no-check-certificate https://mirrors.aliyun.com/apache/apr/apr-1.6.3.tar.gz
wget --no-check-certificate https://mirrors.aliyun.com/apache/apr/apr-util-1.6.1.tar.gz
wget --no-check-certificate https://mirrors.aliyun.com/apache/httpd/httpd-2.4.29.tar.gz

tar -zxvf apr-1.6.3.tar.gz
tar -zxvf apr-util-1.6.1.tar.gz
tar -zxvf httpd-2.4.29.tar.gz

cp ./apr-1.6.3 ./httpd-2.4.29/srclib/apr -r
cp ./apr-util-1.6.1 ./httpd-2.4.29/srclib/apr-util -r
cd httpd-2.4.29

./configure --prefix=/usr/local/apache --with-included-apr=/usr/lib64 --with-pcre=/usr/local/pcre/


yum install expat-devel

make  
make && make install

wget http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.14.tar.gz
tar zxvf libiconv-1.14.tar.gz
cd libiconv-1.14
./configure --prefix=/usr/local/libiconv
make && make install


cd ../

wget http://nchc.dl.sourceforge.net/project/mhash/mhash/0.9.9.9/mhash-0.9.9.9.tar.gz
tar -zxvf  mhash-0.9.9.9.tar.gz
cd mhash-0.9.9.9
./configure
make && make install
cd ../



cd ../
wget http://cn2.php.net/distributions/php-7.2.1.tar.gz
tar -zxvf php-7.2.1.tar.gz
cd php-7.2.1

./configure --prefix=/usr/local/php --with-libxml-dir=/usr/local/libxml2 --with-apxs2=/usr/local/apache/bin/apxs --with-mysql=mysqlnd --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-iconv-dir --with-freetype-dir --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --enable-xml --disable-rpath --enable-magic-quotes --enable-safe-mode --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl --with-curlwrappers --enable-mbregex --enable-mbstring --with-mcrypt --enable-ftp --with-gd --enable-gd-native-ttf --with-openssl --with-mhash --enable-pcntl --enable-sockets --with-xmlrpc --enable-zip --enable-soap --without-pear --with-gettext --disable-fileinfo --enable-maintainer-zts

make 
make install

cp php.ini-development /usr/local/php/lib/php.ini

cd /usr/local/apache
cd conf
vim httpd.conf

Add alongside the other LoadModule lines:

LoadModule php7_module modules/libphp7.so

Append at the end of the file:
<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>

/usr/local/apache/bin/apachectl start

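Installing the redis extension for PHP
The following steps are carried out in the downloaded phpredis directory:

$ wget https://github.com/phpredis/phpredis/archive/3.1.4.tar.gz
$ tar -zxvf 3.1.4.tar.gz                 # extract the downloaded archive
$ cd phpredis-3.1.4                      # enter the phpredis directory
$ /usr/local/php/bin/phpize              # path under the PHP install prefix
$ ./configure --with-php-config=/usr/local/php/bin/php-config
$ make && make install
Edit php.ini:
vi /usr/local/php/lib/php.ini
Add the following (extension_dir must be the directory that make install reported when it installed the shared extension):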

extension_dir = "/usr/local/php/lib/php/extensions/no-debug-zts-20090626"

extension=redis.so

----------------------------


Set the Apache user to www.
