Preface
- Apache HTTP Server is favoured by many enterprises thanks to its open-source code, cross-platform support, modular design and flexible customisation. It is not only stable in performance but also performs very well in terms of security.
1: Apache configuration in detail
1.1: Apache connection keep-alive
1.1.1: Why keep connections alive
- HTTP runs on top of TCP: before an HTTP exchange can take place a TCP connection must be established, and every TCP connection costs a three-way handshake to open and a four-way handshake to close. For HTTP, opening and closing connections consumes a lot of memory and CPU.
- The remedy is HTTP keep-alive: hold the client's connection open for as long as is reasonable and carry several HTTP request/response pairs over one TCP connection. For the client this can improve response time by more than 50%; for the server it reduces the resources spent opening and closing connections.
1.1.2: How keep-alive is configured
- Apache keep-alive parameters
KeepAlive
Whether keep-alive is enabled: OFF disables it, ON enables it
KeepAliveTimeout
Maximum idle time between two requests on one connection; if the gap between two requests exceeds it, the connection is closed
MaxKeepAliveRequests
Maximum number of requests that one connection may carry
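To make the difference visible, here is an added Python example (not part of the original article) that stands up a small HTTP/1.1 server on localhost as a stand-in for Apache, sends several requests through one client object, and counts how many TCP connections the server had to accept with keep-alive on versus a Connection: close header (the client-side equivalent of KeepAlive Off). The server class and counters are hypothetical, not httpd itself.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class CountingHandler(BaseHTTPRequestHandler):
    """Hypothetical stand-in for httpd: counts TCP connections and HTTP requests."""
    protocol_version = "HTTP/1.1"   # HTTP/1.1 keeps the connection open unless told otherwise
    connections = 0
    requests = 0
    lock = threading.Lock()

    def handle(self):
        # handle() runs once per TCP connection and loops over requests while keep-alive holds
        with CountingHandler.lock:
            CountingHandler.connections += 1
        super().handle()

    def do_GET(self):
        with CountingHandler.lock:
            CountingHandler.requests += 1
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))  # lets the client find the end of the body
        self.end_headers()
        self.wfile.write(body)


def run_demo(n_requests, keep_alive=True):
    """Send n_requests from one client; return (tcp_connections, http_requests) seen by the server."""
    CountingHandler.connections = CountingHandler.requests = 0
    server = ThreadingHTTPServer(("127.0.0.1", 0), CountingHandler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    conn = HTTPConnection("127.0.0.1", server.server_address[1])
    try:
        for _ in range(n_requests):
            headers = {} if keep_alive else {"Connection": "close"}  # Connection: close == KeepAlive Off
            conn.request("GET", "/", headers=headers)
            conn.getresponse().read()   # the socket is only reusable once the body is fully read
            if not keep_alive:
                conn.close()            # without keep-alive every request needs a fresh TCP connection
    finally:
        conn.close()
        server.shutdown()
        server.server_close()
    return CountingHandler.connections, CountingHandler.requests
```

run_demo(5) returns (1, 5): one TCP connection carried all five requests; run_demo(5, keep_alive=False) returns (5, 5), one handshake per request.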
1.2: Apache access control
1.2.1: Apache access control overview
- Purpose
Control access to website resources
Add access authorisation for specific website directories
- Common access control methods
Client address restriction
User authorisation restriction
1.2.2: Access control based on client address
- Implemented with the Require directive; restrictions are applied in order
- Can be used inside the ,,,, configuration sections
- Common Require syntax
Require all granted
Require all denied
Require local
Require [not] host <hostname or domain list>
Require [not] ip <IP address or network list>
//when using not to deny access, place it inside a <RequireAll></RequireAll> container and specify the matching policy in the same container
- Example
[root@localhost ~]# cd /etc/httpd/conf
[root@localhost conf]# ls
httpd.conf magic
[root@localhost conf]# mkdir abc
[root@localhost conf]# ls
abc httpd.conf magic
[root@localhost conf]# cd abc
[root@localhost abc]# vim vhost.conf
<VirtualHost *:80>
...content omitted
<Directory "/var/www/html">
<RequireAll>                        //the not rule only takes effect inside a RequireAll container
Require not ip 192.168.100.100      //deny access from 192.168.100.100
Require all granted
</RequireAll>
</Directory>
</VirtualHost>
...content omitted
1.2.3: User authorisation restriction: creating the user authentication database
- Create the user authentication database
Basic command format                          //the htpasswd command ships with httpd
htpasswd -c /etc/httpd/conf/abc webadmin      //create the password file with user webadmin (-c creates the file and overwrites an existing one; omit it when adding further users)
New password:                                 //enter the password
Re-type new password:                         //enter the password again
cat /etc/httpd/conf/abc
webadmin:<encrypted password>
Example
[root@localhost abc]# htpasswd -c /etc/httpd/conf/aaa ddd
New password:
Re-type new password:
Adding password for user ddd
[root@localhost abc]# cat /etc/httpd/conf/aaa
ddd:$apr1$zwIklPGy$ZINaIkXsSq36oIk2lAiiJ1
//add a second user (without -c this time)
[root@localhost abc]# htpasswd /etc/httpd/conf/aaa bbb
New password:
Re-type new password:
Adding password for user bbb
[root@localhost abc]# cat /etc/httpd/conf/aaa
ddd:$apr1$zwIklPGy$ZINaIkXsSq36oIk2lAiiJ1
bbb:$apr1$q7OdS8z1$ELGg2a1AhHP.QfXJXfQTQ1
1.2.4: User authorisation restriction: adding the authorisation configuration
//basic configuration format
<Directory "/var/www/html">
AuthName "DocumentRoot"               //name of the protected realm
AuthType Basic                        //authentication type
AuthUserFile /etc/httpd/conf/qwe      //user account file
Require valid-user                    //authentication is required for access
</Directory>
Example
[root@localhost abc]# vim vhost.conf
...content omitted
<VirtualHost 192.168.197.100:80>
DocumentRoot "/var/www/html/ccc"
ServerName www.ccc.com
ErrorLog "logs/www.ccc.com.error_log"
CustomLog "logs/www.ccc.com.custom_log" common
<Directory "/var/www/html">
AuthName "DocumentRoot"
AuthType Basic
AuthUserFile /etc/httpd/conf/aaa
Require valid-user
</Directory>
</VirtualHost>
...content omitted
1.3: Lab configuration
1.3.1: Lab environment: Apache virtual hosts based on different addresses, plus a name resolution service
//virtual hosts based on different addresses
[root@test01 extra]# pwd
/etc/httpd/conf/extra
[root@test01 extra]# vim vhost.conf
<VirtualHost 192.168.100.110:80>
DocumentRoot "/var/www/html/kgc"
ErrorLog "logs/www.kgc.com.error_log"
CustomLog "logs/www.kgc.com.access_log" common
<Directory "/var/www/html">
Require all granted
</Directory>
</VirtualHost>
<VirtualHost 192.168.100.180:80>
DocumentRoot "/var/www/html/kgc02"
ErrorLog "logs/www.kgc02.com.error_log"
CustomLog "logs/www.kgc02.com.access_log" common
<Directory "/var/www/html">
Require all granted
</Directory>
</VirtualHost>
1.3.2: Access control based on client address: lab
[root@test01 extra]# vim vhost.conf
<VirtualHost 192.168.100.110:80>
DocumentRoot "/var/www/html/kgc"
ErrorLog "logs/www.kgc.com.error_log"
CustomLog "logs/www.kgc.com.access_log" common
<Directory "/var/www/html">
<RequireAll>                        //the container tags are required
Require not ip 192.168.100.10       //deny access from this address
Require all granted
</RequireAll>                       //the tags come in pairs
</Directory>
</VirtualHost>
<VirtualHost 192.168.100.180:80>
DocumentRoot "/var/www/html/kgc02"
ErrorLog "logs/www.kgc02.com.error_log"
CustomLog "logs/www.kgc02.com.access_log" common
<Directory "/var/www/html">
Require all granted
</Directory>
</VirtualHost>
[root@test01 extra]# systemctl restart httpd
The experiment shows that client 192.168.100.10 can still reach 192.168.100.180 but can no longer reach 192.168.100.110.
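As an added illustration (not from the article and not httpd's own code), the following Python model reproduces how mod_authz_core combines Require lines, using the addresses from this lab and from section 1.2.2: each line yields granted, denied or neutral; RequireAll lets any denial win, while RequireAny (which is also the implicit container of a bare <Directory>) lets any grant win. It shows why "Require not ip" must sit inside <RequireAll>: under RequireAny the negated line can never deny anyone, because "all granted" already grants. The function names are this example's assumptions.

```python
import ipaddress

# mod_authz_core works with three outcomes per Require line
GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"


def require(directive, client_ip):
    """Evaluate one Require line ('all granted', 'all denied', '[not] ip <list>') for client_ip."""
    words = directive.split()
    negate = words[0] == "not"
    if negate:
        words = words[1:]
    if words[0] == "all":
        result = GRANTED if words[1] == "granted" else DENIED
    elif words[0] == "ip":
        addr = ipaddress.ip_address(client_ip)
        nets = [ipaddress.ip_network(n, strict=False) for n in words[1:]]
        # the ip provider either matches (grant) or does not match (neutral); it never denies by itself
        result = GRANTED if any(addr in n for n in nets) else NEUTRAL
    else:
        raise ValueError("unsupported provider: " + words[0])
    if negate:
        # 'not' turns a match into a denial and a non-match into neutral, so it can never grant
        return DENIED if result == GRANTED else NEUTRAL
    return result


def require_all(results):
    """<RequireAll>: any denial wins; otherwise granted only if at least one line granted."""
    if DENIED in results:
        return DENIED
    return GRANTED if GRANTED in results else NEUTRAL


def require_any(results):
    """<RequireAny> (also the implicit container of a bare <Directory>): any grant wins."""
    if GRANTED in results:
        return GRANTED
    return DENIED if DENIED in results else NEUTRAL


def allowed(container, directives, client_ip):
    """True if the client passes; a neutral result at the top level is treated as denied."""
    results = [require(d, client_ip) for d in directives]
    combined = require_all(results) if container == "RequireAll" else require_any(results)
    return combined == GRANTED


LAB_RULES = ["not ip 192.168.100.10", "all granted"]   # the <Directory> block of the lab above
```

allowed("RequireAll", LAB_RULES, "192.168.100.10") is False while allowed("RequireAny", LAB_RULES, "192.168.100.10") is True, which is the configuration error the container avoids.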
1.3.3: User authorisation restriction: lab
[root@test01 extra]# which htpasswd
/usr/bin/htpasswd
[root@test01 extra]# cd /etc/httpd
[root@test01 httpd]# htpasswd -c /etc/httpd/conf/pwd jerry
New password:                //the password for user jerry is 123456
Re-type new password:
Adding password for user jerry
[root@test01 httpd]# pwd
/etc/httpd
[root@test01 httpd]# cd conf
[root@test01 conf]# ls
extra httpd.conf magic pwd
[root@test01 conf]# cat pwd
jerry:$apr1$YtTw7g8I$FvLKv8iid51..l0qMHsYR/
[root@test01 conf]# vim /etc/httpd/conf/extra/vhost.conf
<VirtualHost 192.168.100.110:80>
DocumentRoot "/var/www/html/kgc"
ErrorLog "logs/www.kgc.com.error_log"
CustomLog "logs/www.kgc.com.access_log" common
<Directory "/var/www/html">
<RequireAll>
Require not ip 192.168.100.10
Require all granted
</RequireAll>
</Directory>
</VirtualHost>
<VirtualHost 192.168.100.180:80>
DocumentRoot "/var/www/html/kgc02"
ErrorLog "logs/www.kgc02.com.error_log"
CustomLog "logs/www.kgc02.com.access_log" common
<Directory "/var/www/html">
AuthName "DocumentRoot"               //the following four lines are the additions
AuthType Basic
AuthUserFile /etc/httpd/conf/pwd      //the password file just created
Require valid-user
</Directory>
</VirtualHost>
[root@test01 conf]# systemctl restart httpd
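The $apr1$ entries written by htpasswd above are MD5-based; htpasswd -B writes bcrypt instead. The following added Python example (not part of the article or of httpd) audits an AuthUserFile the way a reviewer would: it parses each line, recognises the hash scheme by its prefix and shape, and reports weak schemes, duplicate users and malformed lines. The sample file is constructed for this example; its three apr1 lines are the hashes shown in this article, the bcrypt, {SHA} and crypt lines are made-up dummies.

```python
import re

# Constructed sample AuthUserFile: the three apr1 entries reproduce the hashes shown in this
# article; the remaining lines are made-up entries in other schemes htpasswd can produce.
SAMPLE_HTPASSWD = """\
ddd:$apr1$zwIklPGy$ZINaIkXsSq36oIk2lAiiJ1
bbb:$apr1$q7OdS8z1$ELGg2a1AhHP.QfXJXfQTQ1
jerry:$apr1$YtTw7g8I$FvLKv8iid51..l0qMHsYR/
alice:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
bob:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
carol:abJnggxhB/yWI
jerry:$apr1$YtTw7g8I$FvLKv8iid51..l0qMHsYR/
broken line without a colon
"""

# (scheme name, acceptable today, pattern that recognises the stored hash)
SCHEMES = [
    ("bcrypt", True, re.compile(r"^\$2[aby]\$\d\d\$.{53}$")),
    ("apr1-md5", False, re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("sha1", False, re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    ("crypt", False, re.compile(r"^[./0-9A-Za-z]{13}$")),
]


def classify(hash_field):
    """Return (scheme, strong) for one password field; unknown formats are reported as weak."""
    for name, strong, pattern in SCHEMES:
        if pattern.match(hash_field):
            return name, strong
    return "unknown", False


def audit_htpasswd(text):
    """Parse AuthUserFile content; return {user: scheme} plus a list of findings."""
    users, findings = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append(f"line {lineno}: malformed entry")
            continue
        user, hash_field = line.split(":", 1)
        if user in users:
            findings.append(f"line {lineno}: duplicate user {user!r}; only one entry is used")
            continue
        scheme, strong = classify(hash_field)
        users[user] = scheme
        if not strong:
            findings.append(f"line {lineno}: user {user!r} uses {scheme}; rehash with 'htpasswd -B'")
    return users, findings
```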
2: Apache log management
2.1: Log splitting
- As traffic to a site grows, Apache's single log file keeps growing by default
The log file takes up a lot of disk space
Looking up information in it is inconvenient
- Splitting the log files
With rotatelogs, the splitting tool that ships with Apache
With the third-party tool cronolog
2.2: The rotatelogs splitting tool
- Hand the site's log files to rotatelogs for splitting
- Configuration format
ErrorLog "| <absolute path of rotatelogs> -l <log directory>/<site name>-error_%Y%m%d.log 86400"
CustomLog "| <absolute path of rotatelogs> -l <log directory>/<site name>-access_%Y%m%d.log 86400" combined
//use 'which rotatelogs' to find the absolute path; %Y%m%d expands to year, month and day; 86400 is the number of seconds in a day, i.e. the rotation interval; -l makes rotatelogs use local time rather than UTC
For example:
[root@localhost logs]# vim /etc/httpd/conf/httpd.conf
ErrorLog "| /usr/sbin/rotatelogs -l logs/error_%Y%m%d.log 86400"
CustomLog "| /usr/sbin/rotatelogs -l logs/access_%Y%m%d.log 86400" combined
- When log files are produced
After the service is installed, no log file exists yet
After the service is started, the log files are created
After the service is accessed, content is written to the log files
2.3: rotatelogs log splitting: hands-on
[root@server ~]# vim /etc/httpd/conf/httpd.conf
.....
ErrorLog "| /usr/sbin/rotatelogs -l logs/www.kgc.com.error_%Y%m%d.log 86400"
.....
CustomLog "| /usr/sbin/rotatelogs -l logs/www.kgc.com.access_%Y%m%dlog 86400" combined     //the dot before "log" is missing in this template, which is why the access log below is named ...20200805log
.....
[root@server ~]# systemctl restart httpd
[root@server ~]# ls /var/log/httpd
access_log error_log www.kgc.com.error_20200805.log
[root@server ~]# ls /var/log/httpd
access_log www.kgc.com.access_20200805log
error_log www.kgc.com.error_20200805.log
//the split access log has been generated (it only appears after a client request)
2.4: Daily log splitting with the third-party tool cronolog
- Compile and install the cronolog tool from source
- Hand the site's log files to cronolog for splitting
- Configuration format
ErrorLog "| <absolute path of cronolog> <log directory>/<site name>-error_%Y%m%d.log"          //the pipe symbol hands the log stream to cronolog
CustomLog "| <absolute path of cronolog> <log directory>/<site name>_%Y%m%d.log" combined
//do not use -l here (unlike the rotatelogs configuration); with it no log file is generated
2.5: Daily log splitting with the third-party tool cronolog: hands-on
[root@server ~]# cd /opt
[root@server opt]# ls
rh
[root@server opt]# rz -E          //upload the cronolog package
rz waiting to receive.
[root@server opt]# ls
cronolog-1.6.2-14.el7.x86_64.rpm rh
[root@server opt]# rpm -ivh cronolog-1.6.2-14.el7.x86_64.rpm
警告:cronolog-1.6.2-14.el7.x86_64.rpm: 头V3 RSA/SHA256 Signature, ID 352c64e5: NOKEY
准备中... ################################# [100%]
软件包 cronolog-1.6.2-14.el7.x86_64 已经安装
[root@server opt]# which cronolog
/usr/sbin/cronolog
[root@server ~]# cd /var/log/httpd
[root@server httpd]# ls
access_log www.kgc.com.access_20200805log
error_log www.kgc.com.error_20200805.log
[root@server httpd]# rm -rf www*
[root@server httpd]# ls
access_log error_log
[root@server httpd]# vim /etc/httpd/conf/httpd.conf
CustomLog "| /usr/sbin/cronolog logs/www.kgc.com.access_%Y%m%d.log" combined
.....
ErrorLog "| /usr/sbin/cronolog logs/www.kgc.com.error_%Y%m%d.log"
.....
[root@server httpd]# systemctl restart httpd
[root@server httpd]# ls
access_log error_log www.kgc.com.error_20200806.log
//the access log is only split after a client has made a request
[root@server httpd]# ls
access_log www.kgc.com.access_20200806.log
error_log www.kgc.com.error_20200806.log
2.6: AWStats log analysis
2.6.1: AWStats overview
- An open-source log analysis system written in Perl (the "camel" language)
It can analyse the access logs of Apache, Samba, vsftpd, IIS and other servers
Combined with a scheduler such as crond, it can analyse the log content at regular intervals
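Before handing access_log to a tool like AWStats it helps to know what the lines contain. The following added Python example (not from the article or from AWStats) parses the "common" LogFormat used by the CustomLog lines in this article and runs a small security summary over it: 403 responses per client (requests refused by the Require rules) and 401 responses per client where a username was actually sent, which is how repeated guessing against the Basic-auth vhost shows up. The log lines are constructed for this example using the lab's addresses; the threshold and function names are its own assumptions.

```python
import re
from collections import Counter

# Apache "common" LogFormat: %h %l %u %t "%r" %>s %b (what CustomLog ... common writes)
COMMON_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample lines: 192.168.100.10 is the client blocked by "Require not ip",
# /kgc02/ stands for the vhost protected by Basic auth with user jerry.
SAMPLE_LOG = """\
192.168.100.10 - - [05/Aug/2020:10:00:01 +0800] "GET / HTTP/1.1" 403 199
192.168.100.20 - - [05/Aug/2020:10:00:02 +0800] "GET / HTTP/1.1" 200 17
192.168.100.20 - - [05/Aug/2020:10:00:03 +0800] "GET /kgc02/ HTTP/1.1" 401 381
192.168.100.20 - jerry [05/Aug/2020:10:00:04 +0800] "GET /kgc02/ HTTP/1.1" 401 381
192.168.100.20 - jerry [05/Aug/2020:10:00:05 +0800] "GET /kgc02/ HTTP/1.1" 401 381
192.168.100.20 - admin [05/Aug/2020:10:00:06 +0800] "GET /kgc02/ HTTP/1.1" 401 381
192.168.100.20 - jerry [05/Aug/2020:10:00:07 +0800] "GET /kgc02/ HTTP/1.1" 200 17
192.168.100.10 - - [05/Aug/2020:10:00:08 +0800] "GET /index.html HTTP/1.1" 403 199
this line is not in common format
"""


def parse_common(line):
    """Return the fields of one common-format line as a dict, or None if it does not parse."""
    m = COMMON_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def summarize(text, auth_threshold=3):
    """Count 403s and credentialed 401s per client; flag clients at or above auth_threshold."""
    denied, auth_failed, users_tried, unparsed = Counter(), Counter(), {}, 0
    for line in text.splitlines():
        f = parse_common(line)
        if f is None:
            unparsed += 1
            continue
        if f["status"] == 403:                            # refused by the Require rules
            denied[f["host"]] += 1
        elif f["status"] == 401 and f["user"] != "-":     # %u holds the rejected username
            auth_failed[f["host"]] += 1
            users_tried.setdefault(f["host"], set()).add(f["user"])
    flagged = {h: sorted(users_tried[h]) for h, n in auth_failed.items() if n >= auth_threshold}
    return {"denied": dict(denied), "auth_failed": dict(auth_failed),
            "flagged": flagged, "unparsed": unparsed}
```

A 401 with "-" in the user field is only the server's challenge (no credentials were sent), so it is not counted as a failed attempt.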
2.6.2: Preparing the AWStats deployment environment
- Environment
VMware
One CentOS 7 virtual machine
One Windows virtual machine
- Preparation
Point the Windows DNS resolver address at the CentOS 7 host
Install bind and httpd on CentOS 7
2.6.3: AWStats deployment procedure
1. Install name resolution and Apache
[root@promote ~]# yum install -y httpd bind
[root@promote named]# vim /etc/named.conf
.......
options {
listen-on port 53 { any; };          //change to any
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };                //change to any
.......
[root@promote named]# vim /etc/named.rfc1912.zones
.....
zone "kgc.com" IN {                  //add the zone for the domain
type master;
file "kgc.com.zone";
allow-update { none; };
};
.....
[root@promote ~]# cd /etc/named
[root@promote named]# ls
[root@promote named]# cd /var/named
[root@promote named]# ls
data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@promote named]# cp -p named.localhost kgc.com.zone     //copy the zone data file from the template
[root@promote named]# vim kgc.com.zone
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
	NS @
	A 127.0.0.1
www IN A 192.168.100.130    ; address the domain name resolves to (zone files take ';' comments, not //)
[root@promote named]# setenforce 0
[root@promote named]# iptables -F
[root@promote named]# systemctl start named
Name resolution now works.
2. Configure the Apache service
[root@promote named]# vim /etc/httpd/conf/httpd.conf
......
Listen 192.168.100.130:80
#Listen 80
......
ServerName www.kgc.com:80
......
[root@promote named]# cd /var/www/html
[root@promote html]# vim index.html
......
<h1>this is test web</h1>
.......
[root@promote html]# systemctl restart httpd
3. Upload awstats and run its configuration script
//upload the archive to /opt
[root@promote opt]# tar zxvf awstats-7.6.tar.gz
[root@promote opt]# ls
awstats-7.6 awstats-7.6.tar.gz rh
[root@promote opt]# mv awstats-7.6 /usr/local/awstats
[root@promote opt]# cd /usr/local/awstats
[root@promote awstats]# ls
docs README.md tools wwwroot
[root@promote awstats]# cd tools
[root@promote tools]# ls
awstats_buildstaticpages.pl dolibarr maillogconvert.pl xslt
awstats_configure.pl geoip_generator.pl nginx
awstats_exportlib.pl httpd_conf urlaliasbuilder.pl
awstats_updateall.pl logresolvemerge.pl webmin
[root@promote tools]# ./awstats_configure.pl
4. Edit the configuration files and restart
[root@promote tools]# vim /etc/httpd/conf/httpd.conf
.......
<Directory "/usr/local/awstats/wwwroot">
Options None
AllowOverride None
# Order allow,deny
# Allow from all
Require all granted
</Directory>
[root@promote tools]# cd /etc/awstats/
[root@promote awstats]# ls
awstats.www.kgc.com.conf
[root@promote awstats]# vim awstats.www.kgc.com.conf
......
LogFile="/var/log/httpd/access_log"      //change this
DirData="/var/lib/awstats"               //enabled by default; remember to create this directory afterwards
[root@promote awstats]# mkdir /var/lib/awstats
[root@promote awstats]# systemctl restart httpd
5. Set up statistics updates
[root@promote awstats]# cd /usr/local/awstats
[root@promote awstats]# ls
docs README.md tools wwwroot
[root@promote awstats]# cd tools
[root@promote tools]# ls
awstats_buildstaticpages.pl dolibarr maillogconvert.pl xslt
awstats_configure.pl geoip_generator.pl nginx
awstats_exportlib.pl httpd_conf urlaliasbuilder.pl
awstats_updateall.pl logresolvemerge.pl webmin
[root@promote tools]# ./awstats_updateall.pl now
After clients have visited the site, run ./awstats_updateall.pl now again to refresh the statistics
[root@promote tools]# crontab -e
*/5 * * * * /usr/local/awstats/tools/awstats_updateall.pl now
6. Page tweak: automatic redirect
[root@promote tools]# cd /var/www/html
[root@promote html]# vim aws.html
<html>
<head>
<meta http-equiv="refresh" content="0;url=http://www.kgc.com/awstats/awstats.pl?config=www.kgc.com">
</head>
<body></body>
</html>
The page now redirects automatically.