How to Set Up HTTPS (SSL Certificates) to Secure PhpMyAdmin Login
To introduce this tip, let's sniff the HTTP traffic between a client machine and the Debian 8 server where, in our last article, we made the innocent mistake of logging in with the database root user's credentials: Change and Secure the PhpMyAdmin Login URL
As we mentioned in the previous tip, do not try this if you do not want to expose your credentials. To start sniffing the traffic, we typed the following command and pressed Enter:
# tcpdump port http -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --line-buffered -B20
As the truncated tcpdump output in the image below shows, it does not take long to realize that the username and password were sent over the wire in plain text.
Please note that we have hidden part of the root password with a blue mark:
To avoid this, let's secure the login page with a certificate. To do so, install the mod_ssl package on CentOS based distributions.
# yum install mod_ssl
Although we will use the Debian/Ubuntu paths and names, the same procedure applies to CentOS and RHEL if you replace the commands and paths below with their CentOS equivalents.
Create a directory to store the key and certificate:
# mkdir /etc/apache2/ssl    [On Debian/Ubuntu based systems]
# mkdir /etc/httpd/ssl      [On CentOS based systems]
Create the key and certificate:
----------- On Debian/Ubuntu based systems -----------
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

----------- On CentOS based systems -----------
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt
........................+++
.....................................................+++
writing new private key to '/etc/httpd/ssl/apache.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:TecMint
Organizational Unit Name (eg, section) []:TecMint
Common Name (eg, your name or your server's hostname) []:TecMint
Email Address []:[email
Next, verify the key and certificate.
# cd /etc/apache2/ssl/   [On Debian/Ubuntu based systems]
# cd /etc/httpd/ssl/     [On CentOS based systems]
# ls -l
total 8
-rw-r--r--. 1 root root 1424 Sep 7 15:19 apache.crt
-rw-r--r--. 1 root root 1704 Sep 7 15:19 apache.key
On Debian/Ubuntu, make sure Apache is listening on port 443 for the default site (/etc/apache2/sites-available/000-default.conf) and add the 3 SSL-related lines inside the VirtualHost declaration:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
On CentOS based distributions, tell Apache to listen on port 443: look for the Listen directive in /etc/httpd/conf/httpd.conf and add the lines above below it.
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key
Save the changes and load the SSL Apache module on Debian/Ubuntu distributions (on CentOS it is loaded automatically when you install mod_ssl, as done earlier):
# a2enmod ssl
Force phpMyAdmin to use SSL by making sure the following line is present in the /etc/phpmyadmin/config.inc.php or /etc/phpMyAdmin/config.inc.php file:
$cfg['ForceSSL'] = true;
and restart the web server:
# systemctl restart apache2   [On Debian/Ubuntu based systems]
# systemctl restart httpd     [On CentOS based systems]
Next, launch your web browser and type https:/ as shown below (learn how to change the PhpMyAdmin login URL).
Note: the browser says the connection is not secure only because we are using a self-signed certificate. Click "Advanced" and confirm the security exception:
After confirming the security exception, and before logging in, let's start sniffing HTTP and HTTPS traffic:
# tcpdump port http or port https -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --line-buffered -B20
Then log in using the same credentials as before. The traffic sniffer will capture only gibberish at best.
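The following is an added example, not part of the original article: a small audit of the key and certificate created with openssl req above. It checks that the private key is not accessible to group or other (the ls -l output above shows apache.key as -rw-r--r--, which this check flags), that the certificate actually belongs to the key, and that it is not about to expire. The function names are this example's own, and the file paths are passed as arguments.

```shell
#!/bin/sh
# Added example: audit the certificate/key pair created with openssl req above.
# Function names are this example's own; paths are passed as arguments.

# key_is_private KEY: succeeds when group and other have no permission bits.
key_is_private() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# pair_matches CERT KEY: succeeds when CERT carries the public half of KEY.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for CERT DAYS: succeeds when CERT is still valid DAYS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# audit_pair CERT KEY: prints one line per failed check, returns the failure count.
audit_pair() {
    fails=0
    if ! key_is_private "$2"; then
        echo "FAIL: $2 is accessible to group/other; chmod 600 it"
        fails=$((fails + 1))
    fi
    if ! pair_matches "$1" "$2"; then
        echo "FAIL: $1 does not contain the public key of $2"
        fails=$((fails + 1))
    fi
    if ! cert_valid_for "$1" 30; then
        echo "FAIL: $1 expires within 30 days"
        fails=$((fails + 1))
    fi
    if [ "$fails" -eq 0 ]; then echo "OK: $1 and $2"; fi
    return "$fails"
}

# Usage: sh audit.sh /etc/apache2/ssl/apache.crt /etc/apache2/ssl/apache.key
if [ "$#" -eq 2 ]; then audit_pair "$1" "$2"; fi
```

Run it as root after creating the pair and again before the 365-day certificate lapses; a non-zero exit status is the number of failed checks.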
That's it for now. In the next article we will share how to restrict PhpMyAdmin access with a username/password; until then, stay tuned to Tecmint.