How to Set Up HTTPS (SSL Certificates) to Secure PhpMyAdmin Login


To introduce this tip, let's sniff the HTTP traffic between a client machine and the Debian 8 server where, in our last article, we made the innocent mistake of logging in with the database root user's credentials: Change and Secure PhpMyAdmin Login URL

As we mentioned in the previous tip, do not try this if you don't want to expose your credentials. To start sniffing the traffic, we typed the following command and pressed Enter:

# tcpdump port http -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --line-buffered -B20

It won't take long to realize that the username and password were sent over the wire in plain text, as you can see in the truncated tcpdump output in the image below.

Please note that we have hidden part of the root password with a blue mark:

To avoid this, let's secure the login page with a certificate. To do this, install the mod_ssl package on CentOS based distributions.

# yum install mod_ssl

Although we will use the Debian/Ubuntu paths and names, the same procedure applies to CentOS and RHEL if you replace the commands and paths below with their CentOS equivalents.

Create a directory to store the key and the certificate:

# mkdir /etc/apache2/ssl    [On Debian/Ubuntu based systems]
# mkdir /etc/httpd/ssl      [On CentOS based systems]

Create the key and the certificate:

----------- On Debian/Ubuntu based systems ----------- 
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

----------- On CentOS based systems ----------- 
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt
........................+++
.....................................................+++
writing new private key to '/etc/httpd/ssl/apache.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:TecMint
Organizational Unit Name (eg, section) []:TecMint
Common Name (eg, your name or your server's hostname) []:TecMint
Email Address []:[email 

Next, verify the key and the certificate.

# cd /etc/apache2/ssl/   [On Debian/Ubuntu based systems]
# cd /etc/httpd/ssl/     [On CentOS based systems]
# ls -l

total 8
-rw-r--r--. 1 root root 1424 Sep  7 15:19 apache.crt
-rw-r--r--. 1 root root 1704 Sep  7 15:19 apache.key
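
The listing above shows apache.key with mode -rw-r--r--, so beyond ls -l it is worth checking the key's permissions, that the certificate really matches the key, and how long the certificate stays valid. The script below is an added example, not part of the original article; the function names and the 30-day threshold are assumptions, and it relies on GNU stat and the openssl command line tool.

```shell
#!/bin/sh
# Added example (not from the article): checks for the key/certificate pair.
# Usage: sh check_pair.sh /etc/apache2/ssl/apache.crt /etc/apache2/ssl/apache.key

# Succeeds only if group and others have no permissions on the key file.
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2   # GNU stat: 600, 644, ...
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Succeeds only if the certificate carries the public half of the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid N days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Runs all checks, prints one line per finding, returns the number of findings.
check_pair() {
    fails=0
    key_mode_ok "$2" || { echo "FAIL: $2 is missing or accessible to group/others (chmod 600)"; fails=$((fails + 1)); }
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 does not match $2"; fails=$((fails + 1)); }
    cert_valid_for_days "$1" 30 || { echo "WARN: $1 expires within 30 days"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: $1 / $2"
    return "$fails"
}

# Run the checks only when a certificate and a key path are given.
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

Apache reads the key as root at startup, so tightening it with chmod 600 does not affect the SSLCertificateKeyFile setting used later.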

On Debian/Ubuntu, make sure that Apache is listening on port 443 for the default site (/etc/apache2/sites-available/000-default.conf) and add the 3 SSL-related lines inside the VirtualHost declaration:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

On CentOS based distributions, tell Apache to listen on port 443: look for the Listen directive in /etc/httpd/conf/httpd.conf and add the lines above below it.

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key

Save the changes and load the SSL Apache module on Debian/Ubuntu distributions (on CentOS it is loaded automatically when you installed mod_ssl earlier):

# a2enmod ssl

Force phpmyadmin to use SSL by making sure that the following line is present in the /etc/phpmyadmin/config.inc.php or /etc/phpMyAdmin/config.inc.php file:

$cfg['ForceSSL'] = true;

and restart the web server:

# systemctl restart apache2   [On Debian/Ubuntu based systems]
# systemctl restart httpd     [On CentOS based systems]

Next, launch your web browser and type https://my as shown below (learn how to change the PhpMyAdmin login URL).

Important: Please note that the browser says the connection is not secure only because we are using a self-signed certificate. Click on "Advanced" and confirm the security exception:

After confirming the security exception, and before logging in, let's start sniffing the HTTP and HTTPS traffic:

# tcpdump port http or port https -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --line-buffered -B20

Then log in using the same credentials as before. The traffic sniffer will capture only gibberish at best:

That's all for now. In the next article we will share how to restrict PhpMyAdmin access with a username/password; until then, stay tuned to Tecmint.