# Configuring virtual hosts and common httpd settings

## Common httpd settings
- Switching the MPM (edit /etc/httpd/conf.modules.d/00-mpm.conf):

The module line has the form `LoadModule mpm_NAME_module modules/mod_mpm_NAME.so`, where NAME is one of:

- prefork
- event
- worker

The default is event. To switch, comment out the event line and uncomment the prefork one:

```bash
[root@zjq ~]# cd /etc/httpd/conf.modules.d/
[root@zjq conf.modules.d]# pwd
/etc/httpd/conf.modules.d
[root@zjq conf.modules.d]# ls
00-base.conf 00-lua.conf 00-optional.conf 00-systemd.conf 10-h2.conf README
00-dav.conf 00-mpm.conf 00-proxy.conf 01-cgi.conf 10-proxy_h2.conf
[root@zjq conf.modules.d]# vim 00-mpm.conf
# the active line after editing:
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
```
Access control rules:

Rule | Effect |
---|---|
Require all granted | allow every host |
Require all denied | deny every host |
Require ip IPADDR | allow hosts from the given source address |
Require not ip IPADDR | deny hosts from the given source address |
Require host HOSTNAME | allow hosts with the given source hostname |
Require not host HOSTNAME | deny hosts with the given source hostname |

IPADDR forms | HOSTNAME forms |
---|---|
IP: 192.168.1.1 | FQDN: the full name of one specific host |
Network/mask: 192.168.1.0/255.255.255.0 | DOMAIN: every host in the given domain |
Network/length: 192.168.1.0/24 | |
Net: 192.168 | |

Note: httpd 2.4 denies all hosts by default, so after installation you must explicitly grant access.

Example (deny one source address while allowing everyone else):

```apache
<Directory /var/www/html/www>
<RequireAll>
Require not ip address
Require all granted
</RequireAll>
</Directory>
```
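As an added illustration (not part of the original page), the following Python models how httpd evaluates the rules in the table above, covering the IPADDR and HOSTNAME forms and the RequireAll/RequireAny containers. It assumes the placeholder `address` in the example stands for the network 192.168.1.0/24, and it takes the client's reverse-DNS name as an input instead of performing a lookup.

```python
import ipaddress

# Constructed example: the page's <RequireAll> block, with its IPADDR
# placeholder "address" assumed to be the network 192.168.1.0/24.
PAGE_RULES = [("not ip", "192.168.1.0/24"), ("all granted", None)]

def ip_matches(client_ip, spec):
    """IPADDR forms from the table: single IP, Network/mask, Network/length,
    or a partial network such as 192.168 (leading-octet prefix)."""
    addr = ipaddress.ip_address(client_ip)
    if "/" in spec:  # 192.168.1.0/24 or 192.168.1.0/255.255.255.0
        return addr in ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if len(octets) == 4:
        return addr == ipaddress.ip_address(spec)
    return client_ip.split(".")[:len(octets)] == octets

def host_matches(client_host, spec):
    """HOSTNAME forms: an exact FQDN, or any host under DOMAIN. httpd compares
    against the client's reverse-DNS name, passed in here as client_host."""
    if not client_host:
        return False
    h, s = client_host.lower(), spec.lower()
    return h == s or h.endswith("." + s)

def evaluate(rules, client_ip, client_host=None, container="RequireAll"):
    """True = granted, False = denied. A positive rule grants on match and
    denies otherwise; a 'not' rule denies on match and is neutral otherwise,
    so it can never grant on its own. RequireAll denies on any denial and
    grants only if something granted; RequireAny grants on any grant. No
    grant at all is a denial, which is why httpd 2.4 denies by default."""
    verdicts = []
    for kind, arg in rules:
        negated = kind.startswith("not ")
        base = kind[4:] if negated else kind
        if base == "all granted":
            matched = True
        elif base == "all denied":
            matched = False
        elif base == "ip":
            matched = ip_matches(client_ip, arg)
        elif base == "host":
            matched = host_matches(client_host, arg)
        else:
            raise ValueError("unsupported rule: " + kind)
        verdicts.append((False if matched else None) if negated else matched)
    if container == "RequireAll":
        return False if False in verdicts else True in verdicts
    return True in verdicts
```

`evaluate([], ip)` returns False, reproducing the note above that a directory with no Require directive is denied.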
## Configuring virtual hosts

There are three kinds of virtual host:

- same IP, different ports
- different IPs, same port
- same IP and port, different domain names
Set the server name by uncommenting the ServerName line in /etc/httpd/conf/httpd.conf:

```bash
[root@zjq ~]# vim /etc/httpd/conf/httpd.conf
......
ServerAdmin root@localhost
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
ServerName www.example.com:80
......
```
- Configure the virtual hosts

Locate the sample virtual host configuration file and copy it into /etc/httpd/conf.d:

```bash
[root@zjq ~]# find / -name *vhosts.conf
/usr/share/doc/httpd/httpd-vhosts.conf
[root@zjq ~]# cp /usr/share/doc/httpd/httpd-vhosts.conf /etc/httpd/conf.d/
[root@zjq ~]# ls /etc/httpd/conf.d
autoindex.conf httpd-vhosts.conf README userdir.conf welcome.conf
```

Unpack the downloaded site archives under the document root and rename the directories:

```bash
[root@zjq ~]# cd /var/www/html/
[root@zjq html]# ls
zhuawawaji.zip 斗地主.zip
[root@zjq html]# unzip zhuawawaji.zip
[root@zjq html]# unzip 斗地主.zip
[root@zjq html]# ls
'HTML5 canvas移动端斗地主小游戏' jQuery抓娃娃机游戏代码 zhuawawaji.zip 斗地主.zip
[root@zjq html]# mv 'HTML5 canvas移动端斗地主小游戏' doudizhu
[root@zjq html]# mv jQuery抓娃娃机游戏代码 zhualz
[root@zjq html]# ls
doudizhu zhualz
```

Check the configuration syntax, restart httpd, and confirm the ports are listening:

```bash
[root@zjq html]# httpd -t    # check syntax
Syntax OK
[root@zjq html]# systemctl restart httpd.service    # restart httpd
[root@zjq html]# ss -antl    # check that the ports are listening
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:81 *:*
LISTEN 0 128 [::]:22 [::]:*
```
- Same IP, different ports

```bash
[root@zjq ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
[root@zjq ~]# tail -15 /etc/httpd/conf.d/httpd-vhosts.conf
#
<VirtualHost *:80>
DocumentRoot "/var/www/html/zhualz"
ServerName www.zhualz.com
ErrorLog "/var/log/httpd/www.zhualz.com-error_log"
CustomLog "/var/log/httpd/zhualz.com-access_log" common
</VirtualHost>
Listen 81
<VirtualHost *:81>
DocumentRoot "/var/www/html/doudizhu"
ServerName www.doudizhu.com
ErrorLog "/var/log/httpd/doudizhu.com-error_log"
CustomLog "/var/log/httpd/doudizhu.com-access_log" common
</VirtualHost>
```

Test access.
- Different IPs, same port

Temporarily add a second IP address to the interface (this does not survive a reboot):

```bash
[root@zjq ~]# ip addr add 192.168.159.160/24 dev ens33
[root@zjq ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:79:5f:8d brd ff:ff:ff:ff:ff:ff
inet 192.168.159.158/24 brd 192.168.159.255 scope global dynamic noprefixroute ens33
valid_lft 938sec preferred_lft 938sec
inet 192.168.159.160/24 scope global secondary ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe79:5f8d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
```

Edit the virtual host configuration so that each site binds to its own IP on the same port:

```bash
[root@zjq ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
[root@zjq ~]# tail -14 /etc/httpd/conf.d/httpd-vhosts.conf
#
<VirtualHost 192.168.159.158:80>
DocumentRoot "/var/www/html/zhualz"
ServerName www.zhualz.com
ErrorLog "/var/log/httpd/www.zhualz.com-error_log"
CustomLog "/var/log/httpd/zhualz.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.159.160:80>
DocumentRoot "/var/www/html/doudizhu"
ServerName www.doudizhu.com
ErrorLog "/var/log/httpd/doudizhu.com-error_log"
CustomLog "/var/log/httpd/doudizhu.com-access_log" common
</VirtualHost>
[root@zjq ~]# httpd -t
Syntax OK
[root@zjq ~]# systemctl restart httpd.service
```

Test access.
- Same IP and port, different domain names

```bash
[root@zjq ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
[root@zjq ~]# tail -13 /etc/httpd/conf.d/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/var/www/html/zhualz"
ServerName www.zhualz.com
ErrorLog "/var/log/httpd/www.zhualz.com-error_log"
CustomLog "/var/log/httpd/zhualz.com-access_log" common
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/var/www/html/doudizhu"
ServerName www.doudizhu.com
ErrorLog "/var/log/httpd/doudizhu.com-error_log"
CustomLog "/var/log/httpd/doudizhu.com-access_log" common
</VirtualHost>
[root@zjq ~]# httpd -t
Syntax OK
[root@zjq ~]# systemctl restart httpd
```

On the Windows client, map both domain names to the server's IP in C:\Windows\System32\drivers\etc\hosts (drag the hosts file to the desktop, edit it, then drag it back).

Test access.
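Added example (not from the original post): a Python model of how httpd picks a VirtualHost for the three layouts above, built from the page's own IPs, ports and ServerNames. It simplifies httpd's matching to address:port filtering followed by a Host header lookup, which is enough to show why the name-based layout needs the hosts-file mapping.

```python
from dataclasses import dataclass, field

@dataclass
class VHost:
    address: str          # "*", "_default_" or a specific IP
    port: int
    server_name: str
    document_root: str
    aliases: list = field(default_factory=list)   # ServerAlias entries

# Constructed from the page's three scenarios (its paths, IPs and names).
BY_PORT = [                       # same IP, different ports (Listen 81)
    VHost("*", 80, "www.zhualz.com", "/var/www/html/zhualz"),
    VHost("*", 81, "www.doudizhu.com", "/var/www/html/doudizhu"),
]
BY_IP = [                         # different IPs, same port
    VHost("192.168.159.158", 80, "www.zhualz.com", "/var/www/html/zhualz"),
    VHost("192.168.159.160", 80, "www.doudizhu.com", "/var/www/html/doudizhu"),
]
BY_NAME = [                       # same IP and port, different ServerName
    VHost("*", 80, "www.zhualz.com", "/var/www/html/zhualz"),
    VHost("*", 80, "www.doudizhu.com", "/var/www/html/doudizhu"),
]

def select_vhost(vhosts, local_ip, local_port, host_header):
    """Simplified httpd matching: keep the vhosts whose address:port covers
    the connection (a specific IP beats '*', which beats '_default_'), then
    pick the one whose ServerName/ServerAlias equals the Host header. With no
    name match the FIRST vhost listed for that address:port is used, so an
    unknown or missing Host header silently lands on the first site."""
    rank = {"*": 1, "_default_": 2}
    pool = [v for v in vhosts
            if v.port == local_port and v.address in (local_ip, "*", "_default_")]
    if not pool:
        return None
    best = min(rank.get(v.address, 0) for v in pool)
    pool = [v for v in pool if rank.get(v.address, 0) == best]
    name = (host_header or "").split(":")[0].lower()
    for v in pool:
        if name == v.server_name.lower() or name in (a.lower() for a in v.aliases):
            return v
    return pool[0]

if __name__ == "__main__":
    # Without a hosts-file mapping the browser sends the bare IP as Host, so
    # the name-based layout always serves the first site (zhualz).
    print(select_vhost(BY_NAME, "192.168.159.158", 80, "192.168.159.158").server_name)
```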
## Configuring HTTPS

Install the mod_ssl module, restart httpd, and confirm that the module is loaded:

```bash
[root@zjq ~]# yum -y install mod_ssl
[root@zjq ~]# systemctl restart httpd
[root@zjq ~]# httpd -t
Syntax OK
[root@zjq ~]# httpd -M | grep ssl
ssl_module (shared)
```

Check that port 443 is now listening:

```bash
[root@zjq ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:443 *:*
```
Go into /etc/pki, create a CA directory, and enter it:

```bash
[root@zjq ~]# cd /etc/pki/
[root@zjq pki]# mkdir CA
[root@zjq pki]# ls
CA ca-trust java rpm-gpg rsyslog tls
[root@zjq pki]# cd CA/
[root@zjq CA]#
```

Create the private directory under CA:

```bash
[root@zjq CA]# mkdir private
[root@zjq CA]# ls
private
```

Generate the CA key (the umask 077 in the subshell makes the key file readable by root only):

```bash
[root@zjq CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................+++++
..................................+++++
e is 65537 (0x010001)
[root@zjq CA]#
```

Generate the self-signed CA certificate:

```bash
[root@zjq CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:nh
Organizational Unit Name (eg, section) []:ss
Common Name (eg, your name or your server's hostname) []:www.zhualz.com
Email Address []:1@2.com
[root@zjq CA]#
```

Create the directories and the database files that `openssl ca` expects:

```bash
[root@zjq CA]# mkdir certs newcerts crl    # create the 3 directories
[root@zjq CA]# touch index.txt && echo 01 > serial    # create the index and serial files
```
Generate the server key:

```bash
[root@zjq CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@zjq ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
............................+++++
................+++++
e is 65537 (0x010001)
[root@zjq ssl]#
```
Generate the certificate signing request, answering the prompts with the same values as before:
```bash
[root@zjq ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:nh
Organizational Unit Name (eg, section) []:ss
Common Name (eg, your name or your server's hostname) []:www.zhualz.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@zjq ssl]#
```
Have the CA sign the submitted request, answering y to both prompts:

```bash
[root@zjq ssl]# openssl ca -in /etc/httpd/ssl/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 22 07:53:25 2022 GMT
Not After : Jul 22 07:53:25 2023 GMT
Subject:
countryName = cn
stateOrProvinceName = hb
organizationName = nh
organizationalUnitName = ss
commonName = www.zhualz.com
emailAddress = 1@2.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
22:B9:7F:67:50:A9:78:BE:E2:02:D5:C6:64:51:80:FA:9A:D2:E7:87
X509v3 Authority Key Identifier:
keyid:C6:8B:86:C2:CF:E1:0A:66:C6:C4:23:58:84:4B:AB:1E:B4:46:1F:AE
Certificate is to be certified until Jul 22 07:53:25 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@zjq ssl]#
```

Note that localityName (wh) is missing from the signed Subject: the default policy_match section of openssl.cnf does not list that field, and `openssl ca` drops any field the policy does not mention.
Edit the SSL virtual host in /etc/httpd/conf.d/ssl.conf: uncomment DocumentRoot and ServerName and point them at the site, and point SSLCertificateFile and SSLCertificateKeyFile at the signed certificate and the server key:

```apache
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html/zhualz"
ServerName www.zhualz.com:443
SSLCertificateFile /etc/httpd/ssl/httpd.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
```

```bash
[root@zjq conf.d]# httpd -t
Syntax OK
[root@zjq conf.d]# systemctl restart httpd
```

Test access over HTTPS. Because cacert.pem is a private CA, the browser will warn about an untrusted certificate until that CA certificate is imported into the client's trust store.