httpd

httpd overview
  • httpd is the main program of the Apache Hypertext Transfer Protocol (HTTP) server. It is designed to run as a standalone background daemon that maintains a pool of child processes or threads to handle requests.
  • CentOS/RHEL 6 ships httpd-2.2 as its default rpm package; CentOS/RHEL 7 ships httpd-2.4.
httpd features
  • Working models (MPMs)
Model      How it works
prefork    Multi-process model: processes are forked in advance and each request is served by one process.
           One master process spawns n child processes (also called worker processes).
           Each child handles one request at a time; even with no requests pending, several idle children are kept waiting for work.
           No more than 1024 child processes are created.
worker     Thread-based: each request is served by one thread (several processes are started, each of which spawns many threads).
event      Event-driven: one process serves many connections.
  • Modules new in 2.4 compared with earlier versions
Module            Function
mod_proxy_fcgi    Lets httpd act as a reverse proxy speaking the FastCGI protocol to a backend (e.g. php-fpm)
mod_ratelimit     Provides bandwidth rate limiting for responses
mod_remoteip      Replaces the client address seen by httpd with the one carried in a proxy header (e.g. X-Forwarded-For), so logging and access control behind a reverse proxy see the real client
  • IP-based access control itself changed in 2.4: Order, Deny and Allow are superseded by the Require directives of mod_authz_host, and the old directives only keep working when mod_access_compat is loaded
httpd commands and configuration files
Configuration files from the rpm install
  • /var/log/httpd/access_log: access log
  • /var/log/httpd/error_log: error log
  • /var/www/html/: site document root (yum install)
  • /usr/local/apache/htdocs: site document root (source install)
  • /usr/lib64/httpd/modules/: module files
  • /etc/httpd/conf/httpd.conf: main configuration file
  • /etc/httpd/conf.modules.d/*.conf: module configuration files
  • /etc/httpd/conf.d/*.conf: supplementary configuration files
Tools shipped with httpd
  • htpasswd: generates the account/password file used by file-based Basic authentication
  • apachectl: the service control script shipped with httpd; supports start, stop, restart
  • apxs: provided by the httpd-devel package; builds and installs third-party modules into httpd
  • rotatelogs: log rotation tool
  • suexec: runs CGI programs as a specified user when accessing resources configured with special privileges
  • ab: Apache Benchmark, the load-testing tool for httpd
Related commands

curl

  • curl is a command-line file transfer tool that works with URL syntax
  • Supports FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE, LDAP and other protocols
  • Many features: HTTPS (TLS), HTTP POST/PUT and other methods, FTP upload, Kerberos authentication, HTTP upload, proxies, cookies, username/password authentication and more
  • Most often used for downloading
Syntax: curl [options] [URL ...]
-o/--output <file>      //write the output to a file instead of stdout
-e/--referer <URL>      //set the Referer header (the page the request claims to come from)

[root@localhost ~]# curl -o myblog.html http://blog.51cto.com/itchentao
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 67025    0 67025    0     0  87248      0 --:--:-- --:--:-- --:--:-- 87385
[root@localhost ~]# ls
myblog.html

httpd

httpd [options]
-l	//list the modules compiled statically into the core
-M	//list all loaded modules (static and shared) after parsing the configuration
-v	//show the httpd version and exit
-V	//show the httpd and apr/apr-util versions plus the compile settings, then exit
-X	//run httpd in debug mode (single process, foreground); exit with ctrl+c
-t	//check the configuration files for syntax errors
Compiling and installing httpd-2.4

Preparing the environment

  1. Install the "Development Tools" group with yum
  2. Install openssl-devel, pcre-devel, expat-devel and libtool with yum
  3. Compile and install apr and apr-util (version 1.4 or later)
  4. Compile and install httpd-2.4
[root@134 ~]# yum groupinstall "Development Tools"
...
[root@134 ~]# yum -y install openssl-devel pcre-devel expat-devel libtool
...
[root@134 ~]# ls
apr-1.6.5.tar.bz2  apr-util-1.6.1.tar.bz2  httpd-2.4.39.tar.gz
[root@134 ~]# tar -xf apr-1.6.5.tar.bz2 
[root@134 ~]# tar -xf apr-util-1.6.1.tar.bz2 
[root@134 ~]# tar -xf httpd-2.4.39.tar.gz 
[root@134 ~]# ls
apr-1.6.5          apr-util-1.6.1          httpd-2.4.39         
apr-1.6.5.tar.bz2  apr-util-1.6.1.tar.bz2  httpd-2.4.39.tar.gz
[root@134 ~]# cd apr-1.6.5
[root@134 apr-1.6.5]# vim configure
	cfgfile="${ofile}T"
    trap "$RM \"$cfgfile\"; exit 1" 1 2 15
    # $RM "$cfgfile"        //comment out or delete this line; otherwise the apr-1.6 build aborts with "rm: cannot remove 'libtoolT': No such file or directory"
//compile and install apr-1.6.5
[root@134 apr-1.6.5]# ./configure --prefix=/usr/local/apr
...
[root@134 apr-1.6.5]# make && make install
...
//compile and install apr-util-1.6.1
[root@134 ~]# cd apr-util-1.6.1/
[root@134 apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
...
[root@134 apr-util-1.6.1]# make && make install
...
//compile and install httpd-2.4
[root@134 ~]# cd httpd-2.4.39
[root@134 httpd-2.4.39]# ./configure --prefix=/usr/local/apache \
--sysconfdir=/etc/httpd24 \
--enable-so \
--enable-ssl \
--enable-cgi \
--enable-rewrite \
--with-zlib \
--with-pcre \
--with-apr=/usr/local/apr \
--with-apr-util=/usr/local/apr-util/ \
--enable-modules=most \
--enable-mpms-shared=all \
--with-mpm=prefork

[root@134 httpd-2.4.39]# make && make install
[root@134 httpd-2.4.39]# cd /usr/local/apache/
[root@134 apache]# ls
bin  build  cgi-bin  error  htdocs  icons  include  logs  man  manual  modules

//if httpd was installed to a non-default prefix, add its bin directory to PATH so the binaries are found without a full path
[root@134 ~]# echo 'export PATH=/usr/local/apache/bin:$PATH' > /etc/profile.d/httpd.sh
[root@134 ~]# cat /etc/profile.d/httpd.sh 
export PATH=/usr/local/apache/bin:$PATH
Common httpd configuration
Switching the MPM
  • yum install: /etc/httpd/conf.modules.d/00-mpm.conf selects the MPM (working model)
    • prefork
    • event
    • worker
#LoadModule mpm_event_module modules/mod_mpm_event.so
//remove the leading # from the MPM you want and comment out the others; exactly one MPM LoadModule may be active, or httpd will not start
  • source install: the LoadModule lines are in the main configuration file (/etc/httpd24/httpd.conf)
    • the module files are the .so files in /usr/local/apache/modules
#LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
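Editing the three LoadModule lines by hand is where people end up with two MPMs enabled (httpd refuses to start) or none. The following shell functions, added here as an example and not part of the original post, do the switch on a copy of the file and then check that exactly one MPM is active. The file path and the MPM names are the ones shown above; the scratch file in the demo is constructed.

```shell
#!/bin/sh
# Added example: switch the active MPM in an httpd 2.4 module configuration
# (00-mpm.conf for the rpm, httpd.conf for the source build) and verify that
# exactly one "LoadModule mpm_*_module" line is left uncommented.

# active_mpm CONF
# Prints the name (prefork|worker|event) of the single enabled MPM; fails if
# zero or more than one LoadModule mpm_*_module line is uncommented.
active_mpm() {
    n=$(grep -cE '^[[:space:]]*LoadModule[[:space:]]+mpm_[a-z]+_module' "$1" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one active MPM in $1, found $n" >&2
        return 1
    fi
    sed -nE 's/^[[:space:]]*LoadModule[[:space:]]+mpm_([a-z]+)_module.*/\1/p' "$1"
}

# switch_mpm CONF MPM
# Comments out every MPM LoadModule line, re-enables the requested one (which
# must already be present, commented or not) and prints the result of
# active_mpm.  The edit goes through a temp file so it works with both GNU and
# BSD sed and never leaves a half-written config behind.
switch_mpm() {
    conf=$1 mpm=$2
    case $mpm in
        prefork|worker|event) ;;
        *) echo "unknown MPM: $mpm (use prefork, worker or event)" >&2; return 1 ;;
    esac
    grep -qE "^[[:space:]]*#?[[:space:]]*LoadModule[[:space:]]+mpm_${mpm}_module" "$conf" || {
        echo "no LoadModule line for mpm_${mpm}_module in $conf" >&2
        return 1
    }
    sed -E \
        -e 's|^[[:space:]]*#?[[:space:]]*(LoadModule[[:space:]]+mpm_[a-z]+_module.*)$|#\1|' \
        -e "s|^#(LoadModule[[:space:]]+mpm_${mpm}_module.*)$|\1|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    active_mpm "$conf"
}

# Stand-alone demo on a constructed copy of the three lines from the page
# (point CONF at /etc/httpd/conf.modules.d/00-mpm.conf for the real thing).
demo=$(mktemp)
printf '%s\n' \
    '#LoadModule mpm_event_module modules/mod_mpm_event.so' \
    'LoadModule mpm_prefork_module modules/mod_mpm_prefork.so' \
    '#LoadModule mpm_worker_module modules/mod_mpm_worker.so' > "$demo"
echo "before: $(active_mpm "$demo")"
echo "after:  $(switch_mpm "$demo" event)"
rm -f "$demo"
```

After restarting, `httpd -V | grep 'Server MPM'` (or `apachectl -M | grep mpm`) confirms which MPM is really running, which is the check that matters when the config is split across several files.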
Access control rules
  • Can be set globally or per directory
Rule                        Function
Require all granted         allow all hosts
Require all denied          deny all hosts
Require ip IPADDR           allow hosts from the given source address
Require not ip IPADDR       deny hosts from the given source address
Require host HOSTNAME       allow hosts with the given source hostname
Require not host HOSTNAME   deny hosts with the given source hostname

Forms of IPADDR

  • IP: 192.168.1.1
  • Network/mask: 192.168.1.0/255.255.255.0
  • Network/Length: 192.168.1.0/24
  • Net: 192.168

Forms of HOSTNAME

  • FQDN: the full name of one host (e.g. www.baidu.com)
  • DOMAIN: all hosts in a domain (e.g. *.baidu.com)
//deny host 192.168.1.20 and allow everyone else; goes in the main configuration file
//to allow only 192.168.1.20, <RequireAll> and Require all granted are not needed: a single "Require ip 192.168.1.20" suffices
<Directory /var/www/html/www>
    <RequireAll>
        Require not ip 192.168.1.20
        Require all granted
    </RequireAll>
</Directory>

Note: the default httpd-2.4 configuration denies access to everything under <Directory /> and only grants the shipped DocumentRoot, so every new document directory must be explicitly authorized with Require after installation. Require host needs a reverse DNS lookup for every request, so Require ip is both cheaper and harder to spoof.

Virtual hosts
  • Same IP, different ports
[root@134 ~]# vim /etc/httpd24/httpd.conf
...
ServerName www.example.com:80	//uncomment this line
... 

//a template is needed for the main configuration file; the rpm ships one as documentation, so install httpd with yum,
//look for *vhosts.conf and copy the example into the source-installed httpd's main configuration file
//(the source install ships the same template as /etc/httpd24/extra/httpd-vhosts.conf)
[root@134 ~]# vim /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf
<VirtualHost *:@@Port@@>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "@@ServerRoot@@/docs/dummy-host.example.com"
    ServerName dummy-host.example.com
    ServerAlias www.dummy-host.example.com
    ErrorLog "/var/log/httpd/dummy-host.example.com-error_log"
    CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
</VirtualHost>
//<VirtualHost *:...>: the * matches every local IP address
//@@Port@@: placeholder for the port number
//ServerAdmin: e-mail address shown on error pages; can be removed
//DocumentRoot: where the site's files live
//ServerName: the domain name
//ServerAlias: additional names for the same site; can be removed
//ErrorLog: error log
//CustomLog: access log

//append the above to the end of httpd.conf, then edit it
//httpd-2.2 also needs a NameVirtualHost *:80 line before <VirtualHost *:80>; 2.4 no longer needs it and only warns if it is present
[root@134 ~]# vim /etc/httpd24/httpd.conf
<VirtualHost *:80>
    DocumentRoot "/usr/local/apache/htdocs/aaaa"
    ServerName aaaa.example.com
    ErrorLog "logs/aaaa.example.com-error_log"
    CustomLog "logs/aaaa.example.com-access_log" common
</VirtualHost>
<VirtualHost *:81>
    DocumentRoot "/usr/local/apache/htdocs/bbbb"
    ServerName bbbb.example.com
    ErrorLog "logs/bbbb.example.com-error_log"
    CustomLog "logs/bbbb.example.com-access_log" common
</VirtualHost>
//because the two hosts use different ports, add Listen 81 below the existing Listen 80; a VirtualHost on a port nobody listens on is silently unreachable
[root@134 ~]# mkdir /usr/local/apache/htdocs/aaaa
[root@134 ~]# mkdir /usr/local/apache/htdocs/bbbb
[root@134 ~]# apachectl -t
Syntax OK
[root@134 ~]# echo "hello-aaaa" > /usr/local/apache/htdocs/aaaa/index.html
[root@134 ~]# echo "hello-bbbb" > /usr/local/apache/htdocs/bbbb/index.html


  • Different IPs, same port
//for testing, temporarily add a second IP address to the interface
[root@134 ~]# ip addr add 192.168.184.135/24 dev ens33
[root@134 ~]# ip a
 ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:ba:de:cc brd ff:ff:ff:ff:ff:ff
    inet 192.168.184.134/24 brd 192.168.184.255 scope global noprefixroute dynamic ens33
       valid_lft 1758sec preferred_lft 1758sec
    inet 192.168.184.135/24 scope global secondary ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::c2b0:554c:2a7c:e651/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
//in the httpd.conf configuration file
<VirtualHost 192.168.184.134:80>
    DocumentRoot "/usr/local/apache/htdocs/aaaa"
    ServerName aaaa.example.com
    ErrorLog "logs/aaaa.example.com-error_log"
    CustomLog "logs/aaaa.example.com-access_log" common
</VirtualHost>

<VirtualHost 192.168.184.135:80>
    DocumentRoot "/usr/local/apache/htdocs/bbbb"
    ServerName bbbb.example.com
    ErrorLog "logs/bbbb.example.com-error_log"
    CustomLog "logs/bbbb.example.com-access_log" common
</VirtualHost>


  • Same IP, same port, different domain names (name-based; the most common setup in practice)
<VirtualHost *:80>
    DocumentRoot "/usr/local/apache/htdocs/aaaa"
    ServerName aaaa.example.com
    ErrorLog "logs/aaaa.example.com-error_log"
    CustomLog "logs/aaaa.example.com-access_log" common
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/usr/local/apache/htdocs/bbbb"
    ServerName bbbb.example.com
    ErrorLog "logs/bbbb.example.com-error_log"
    CustomLog "logs/bbbb.example.com-access_log" common
</VirtualHost>

//now access the httpd server from another host; name-based hosts are selected by the Host header, so the client must resolve both names to the server's address
[root@140 ~]# vim  /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.184.134 aaaa.example.com
192.168.184.134 bbbb.example.com

[root@140 ~]# curl http://aaaa.example.com
hello-aaaa
[root@140 ~]# curl http://bbbb.example.com
hello-bbbb
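The virtual-host and access-control sections above are usually combined by hand, and the two things that go wrong are a forgotten Listen for the new port and a DocumentRoot with no Require rule (2.4 denies it). The shell functions below, added here as an example and not code from the original post, generate a VirtualHost block with its own <Directory> rules and add the Listen line idempotently. The host names, ports and paths are the ones used above; the scratch directory in the demo is constructed.

```shell
#!/bin/sh
# Added example: generate a name-based VirtualHost for httpd 2.4 with an
# explicit access-control block, and make sure the port it binds is listened on.

# vhost_conf NAME PORT DOCROOT [DENIED_IP ...]
# Prints a <VirtualHost> block.  httpd 2.4 denies everything under "/" by
# default, so every new DocumentRoot gets its own <Directory> with Require
# rules; denied addresses (if any) are wrapped in <RequireAll> with a final
# "Require all granted", exactly as in the access-control section above.
vhost_conf() {
    name=$1 port=$2 docroot=$3
    shift 3
    printf '<VirtualHost *:%s>\n' "$port"
    printf '    ServerName %s\n' "$name"
    printf '    DocumentRoot "%s"\n' "$docroot"
    printf '    ErrorLog "logs/%s-error_log"\n' "$name"
    printf '    CustomLog "logs/%s-access_log" combined\n' "$name"
    printf '    <Directory "%s">\n' "$docroot"
    printf '        Options -Indexes -Includes\n'   # no directory listings, no server-side includes
    printf '        AllowOverride None\n'           # .htaccess in the docroot cannot change these rules
    if [ $# -gt 0 ]; then
        printf '        <RequireAll>\n'
        for ip in "$@"; do
            printf '            Require not ip %s\n' "$ip"
        done
        printf '            Require all granted\n'
        printf '        </RequireAll>\n'
    else
        printf '        Require all granted\n'
    fi
    printf '    </Directory>\n'
    printf '</VirtualHost>\n'
}

# ensure_listen CONF PORT
# Appends "Listen PORT" to CONF unless an uncommented Listen for that port
# (bare or address:port) is already there, so it can be re-run safely.
ensure_listen() {
    conf=$1 port=$2
    if grep -Eq "^[[:space:]]*Listen[[:space:]]+([0-9.]+:)?$port([[:space:]]|$)" "$conf"; then
        return 0
    fi
    printf 'Listen %s\n' "$port" >> "$conf"
}

# Stand-alone demo writing into a scratch directory instead of /etc/httpd24.
demo_dir=$(mktemp -d)
printf 'Listen 80\n' > "$demo_dir/httpd.conf"
ensure_listen "$demo_dir/httpd.conf" 81
vhost_conf aaaa.example.com 80 /usr/local/apache/htdocs/aaaa > "$demo_dir/aaaa.conf"
vhost_conf bbbb.example.com 81 /usr/local/apache/htdocs/bbbb 192.168.1.20 > "$demo_dir/bbbb.conf"
cat "$demo_dir/httpd.conf" "$demo_dir/aaaa.conf" "$demo_dir/bbbb.conf"
rm -rf "$demo_dir"
```

Include the generated files from httpd.conf, run `apachectl -t`, and test each name from a client with `curl --resolve aaaa.example.com:80:192.168.184.134 http://aaaa.example.com/`, which exercises the Host header without touching /etc/hosts.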
Steps to configure HTTPS

1. Enable the ssl module

yum install: install the mod_ssl package; it provides /etc/httpd/conf.modules.d/00-ssl.conf (the LoadModule line) and /etc/httpd/conf.d/ssl.conf
source install: edit the main configuration file /etc/httpd24/httpd.conf
Add, or uncomment, the following line
LoadModule ssl_module modules/mod_ssl.so

2. Generate the certificate (in production, use a certificate issued by a CA that your clients already trust)

[root@140 ~]# cd /etc/pki/CA/
//generate the CA private key (umask 077 makes the file readable by root only)
[root@140 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
//extract the public key (optional, only to inspect it)
[root@140 CA]# openssl rsa -in private/cakey.pem -pubout
//the CA issues itself a self-signed certificate
[root@140 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:aaaa.example.com
Organizational Unit Name (eg, section) []:aaaa.example.com
Common Name (eg, your name or your server's hostname) []:aaaa.example.com
Email Address []:abc@qq.com

[root@140 CA]# touch index.txt && echo 01 > serial
[root@140 CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

//the certificate is for the web server, so the web server is the CA's client here; generate the server's private key on the web server
[root@134 ~]# cd /etc/httpd24/
[root@134 httpd24]# mkdir ssl && cd ssl
[root@134 ssl]# ls
[root@134 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
//the client generates a certificate signing request (-days has no effect on a CSR; the validity is set by the CA when it signs)
[root@134 ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:aaaa.example.com
Organizational Unit Name (eg, section) []:aaaa.example.com
Common Name (eg, your name or your server's hostname) []:aaaa.example.com
Email Address []:abc@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

//the client sends the CSR to the CA; only the request travels, the private key never leaves the web server
[root@134 ssl]# ls
httpd.csr  httpd.key
[root@134 ssl]# scp httpd.csr root@192.168.184.140:/root

//on the CA host
[root@140 ~]# ls
httpd.csr
[root@140 ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 20 06:01:16 2019 GMT
            Not After : Apr 19 06:01:16 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HuBei
            organizationName          = aaaa.example.com
            organizationalUnitName    = aaaa.example.com
            commonName                = aaaa.example.com
            emailAddress              = abc@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2C:01:34:9A:8E:6D:D5:0C:1A:7E:68:3E:C6:74:3A:8D:1E:C6:2B:62
            X509v3 Authority Key Identifier: 
                keyid:EF:98:CD:4B:7C:09:02:46:52:E1:92:A6:02:64:D8:CE:4D:EC:E2:17

Certificate is to be certified until Apr 19 06:01:16 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
//the signed certificate httpd.crt
[root@140 ~]# ls
httpd.crt  httpd.csr
//send the certificate back to the client
[root@140 ~]# scp httpd.crt root@192.168.184.134:/root
[root@134 ~]# mv httpd.crt /etc/httpd24/ssl/
[root@134 ~]# ll /etc/httpd24/ssl/
-rw-r--r--. 1 root root 4689 4月  20 14:05 httpd.crt
-rw-r--r--. 1 root root 1074 4月  20 13:55 httpd.csr
-rw-------. 1 root root 1675 4月  20 13:51 httpd.key
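The interactive `openssl ca` walk-through above works, but the resulting certificate carries only a Common Name, and modern browsers and curl match the hostname against subjectAltName, not CN. The script below, added here as an example and not part of the original post, performs the same private-CA procedure non-interactively in a scratch directory (no /etc/pki/CA layout needed), adds a subjectAltName, and verifies the result the way a client would. The host name is the page's aaaa.example.com; the CA subject and file names are assumptions.

```shell
#!/bin/sh
# Added example: private CA + server certificate, mirroring the page's
# cakey.pem/cacert.pem and httpd.key/httpd.csr/httpd.crt steps, but scripted
# and with the X.509 extensions a TLS server certificate needs.

# issue_server_cert WORKDIR FQDN
# Creates WORKDIR/ca.key ca.crt httpd.key httpd.csr httpd.crt, then prints OK
# if httpd.crt chains to ca.crt and is valid for FQDN, FAIL otherwise.
issue_server_cert() {
    dir=$1
    fqdn=$2
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077      # private keys come out 0600, the page's (umask 077; ...) idiom
        # 1. CA key and self-signed CA certificate (the page's cakey.pem / cacert.pem)
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -key ca.key -days 365 \
            -subj "/C=CN/O=Example CA/CN=Example Root CA" -out ca.crt
        # 2. Server key and CSR (the page's httpd.key / httpd.csr); the key stays here
        openssl genrsa -out httpd.key 2048 2>/dev/null
        openssl req -new -key httpd.key -subj "/C=CN/O=$fqdn/CN=$fqdn" -out httpd.csr
        # 3. Extensions the CA stamps on the leaf: SAN is what clients match, not CN
        cat > server.ext <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$fqdn,DNS:www.$fqdn
EOF
        # 4. Sign.  "openssl x509 -req" replaces "openssl ca" and needs no
        #    index.txt/serial database; the certificate itself may be world-readable.
        umask 022
        openssl x509 -req -in httpd.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -sha256 -extfile server.ext -out httpd.crt 2>/dev/null
    ) || { echo FAIL; return 1; }
    # 5. Verify like a client: chain to the CA and match the hostname
    if openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$fqdn" \
            "$dir/httpd.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
        return 1
    fi
}

# Stand-alone demo in a scratch directory (use /etc/httpd24/ssl for the real thing).
demo=$(mktemp -d)
echo "issue_server_cert: $(issue_server_cert "$demo" aaaa.example.com)"
openssl x509 -in "$demo/httpd.crt" -noout -subject -dates
rm -rf "$demo"
```

Point SSLCertificateFile and SSLCertificateKeyFile at httpd.crt and httpd.key, install ca.crt in the client's trust store, and `curl --cacert ca.crt https://aaaa.example.com/` must succeed without -k; if it only works with -k, the chain or the SAN is wrong.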

Configuring HTTPS

[root@134 ~]# vim /etc/httpd24/httpd.conf
Include /etc/httpd24/extra/httpd-ssl.conf	//uncomment this line

[root@134 httpd24]# vim /etc/httpd24/extra/httpd-ssl.conf
SSLSessionCache        "shmcb:/usr/local/apache/logs/ssl_scache(512000)"	//either comment this line out or uncomment LoadModule socache_shmcb_module in httpd.conf; the directive is rejected without that module

DocumentRoot "/usr/local/apache/htdocs/aaaa"
ServerName aaaa.example.com:443
ErrorLog "/usr/local/apache/logs/aaaa.example.com-error_log"
TransferLog "/usr/local/apache/logs/aaaa.example.com-access_log"

SSLCertificateFile "/etc/httpd24/ssl/httpd.crt"
SSLCertificateKeyFile "/etc/httpd24/ssl/httpd.key"
Summary
1. Generate the certificate
2. Main configuration file

  • uncomment LoadModule ssl_module modules/mod_ssl.so
  • uncomment Include /etc/httpd24/extra/httpd-ssl.conf
  • uncomment Include /etc/httpd24/extra/httpd-vhosts.conf

3. Related configuration

  • /etc/httpd24/extra/httpd-ssl.conf: certificate and key locations (pulled in by the Include)
  • /etc/httpd24/extra/httpd-vhosts.conf: virtual hosts
  • add the names to /etc/hosts on the client so the sites can be reached by domain name
  • run apachectl -t before restarting, then confirm the handshake and the served certificate with openssl s_client -connect aaaa.example.com:443 -servername aaaa.example.com