httpd初步了解
apache旗下的httpd
目录
#主程序文件
#主进程文件
#帮助文档包
1、显示服务器版本信息
2、修改监听的IP和Port
3、持久连接
4、MPM( Multi-Processing Module)多路处理模块
5、DSO: Dynamic Shared Object
6、定义'Main' server的文档页面路径
7、定义站点主页面
8、站点访问控制常见机制
9、<Directory>中“基于源地址”实现访问控制
10、日志设定
11、设定默认字符集
12、定义路径别名
13、基于用户的访问控制
14、实现用户家目录的http共享
15、ServerSignature On | Off | EMail
16、ServerType inetd | standalone.
17、status页面
18、虚拟主机
1.1、 cookie和http协议状态码
1.2、curl工具
1.3、https 加密
1.4、实现https
1.5、https跳转
1.6、web服务编译安装
#主程序文件
[root@centos6 ~ ]#rpm -q httpd
httpd-2.2.15-59.el6.centos.x86_64
[root@centos7:~]# rpm -q httpd
httpd-2.4.6-80.el7.centos.x86_64
[root@centos7:~]# rpm -ql httpd
/etc/httpd
/etc/httpd/conf #主配置文件
/etc/httpd/conf.d #子配置文件
/usr/lib64/httpd/modules/mod_mpm_event.so #MPM为独立的模块提供
/usr/lib64/httpd/modules/mod_mpm_prefork.so
/usr/lib64/httpd/modules/mod_mpm_worker.so
/var/log/httpd
/var/www
[root@centos6 ~ ]#rpm -ql httpd
/usr/sbin/httpd #MPM三种工作模型
/usr/sbin/httpd.event
/usr/sbin/httpd.worker
[root@centos7:~]# rpm -q --scripts httpd
preinstall scriptlet (using /bin/sh):
# Add the "apache" group and user
/usr/sbin/groupadd -g 48 -r apache 2> /dev/null || :
/usr/sbin/useradd -c "Apache" -u 48 -g apache \
-s /sbin/nologin -r -d /usr/share/httpd apache 2> /dev/null || :
postinstall scriptlet (using /bin/sh):
if [ $1 -eq 1 ] ; then
# Initial installation
systemctl preset httpd.service htcacheclean.service >/dev/null 2>&1 || :
fi
preuninstall scriptlet (using /bin/sh):
[root@centos7:~]# ll /var/www -d
drwxr-xr-x. 5 root root 48 Jul 17 18:49 /var/www #other用户,即apache用户也可以读
[root@centos7:~]# ll /var/www/html/ -d
drwxr-xr-x. 2 root root 24 Aug 7 20:08 /var/www/html/
[root@centos7:~]# ll /var/log/httpd -d #root才能访问,apache运行在子进程,主进程身份为root,运行日志的为主进程
drwx------. 2 root root 173 Aug 7 16:32 /var/log/httpd
# Load config files in the "/etc/httpd/conf.d" directory, if any.
ServerRoot "/etc/httpd" #相对路径
IncludeOptional conf.d/*.conf #子配置文件,由于此行在主配置文件的最后一行,所以有子配置文件的时候,子配置文件中的同名指令生效(后定义者覆盖前者)
[root@centos7:~]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.31.7. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@centos7:~]# vim /etc/httpd/conf/httpd.conf #去掉#号
#ServerName www.example.com:80
[root@centos7:~]# httpd -t
Syntax OK
[root@centos6 ~ ]#vim /etc/hosts
192.168.31.7 www.example.com
[root@centos6 ~ ]#ping www.example.com
PING www.example.com (192.168.31.7) 56(84) bytes of data.
64 bytes from www.example.com (192.168.31.7): icmp_seq=1 ttl=64 time=0.235 ms
[root@centos7:~]# pstree -p
systemd(1)─
├─httpd(1070)─┬─httpd(1489)
│ ├─httpd(1490)
│ ├─httpd(1491)
│ ├─httpd(1492)
│ ├─httpd(1493)
│ └─httpd(2595)
[root@centos7:~]# ps aux
root 1070 0.0 0.2 238636 5892 ? Ss 09:36 0:00 /usr/sbin/httpd -DFOREGROUND
apache 1489 0.0 0.3 242956 7496 ? S 09:36 0:00 /usr/sbin/httpd -DFOREGROUND
apache 1490 0.0 0.3 242956 7308 ? S 09:36 0:00 /usr/sbin/httpd -DFOREGROUND
apache 1491 0.0 0.3 242956 7484 ? S 09:36 0:00 /usr/sbin/httpd -DFOREGROUND
apache 1492 0.0 0.3 242956 6812 ? S 09:36 0:00 /usr/sbin/httpd -DFOREGROUND
apache 1493 0.0 0.3 242956 6812 ? S 09:36 0:00 /usr/sbin/httpd -DFOREGROUND
apache 2595 0.0 0.3 242952 6808 ? S 10:35 0:00 /usr/sbin/httpd -DFOREGROUND
#主进程文件
[root@centos7:~]# ll /etc/httpd/run/httpd.pid
-rw-r--r-- 1 root root 5 Aug 8 09:36 /etc/httpd/run/httpd.pid
[root@centos7:~]# cat /etc/httpd/run/httpd.pid
1070 #重启服务,进程号会变
#日志文件目录
[root@centos7:~]# ll /var/log/httpd/
total 200
-rw-r--r-- 1 root root 7596 Aug 8 10:37 access_log
-rw-r--r--. 1 root root 158270 Jul 17 20:31 access_log-20180726
-rw-r--r-- 1 root root 90 Aug 7 16:00 access_log-20180807
-rw-r--r-- 1 root root 2515 Aug 8 09:36 error_log
-rw-r--r--. 1 root root 16883 Jul 26 21:40 error_log-20180726
-rw-r--r-- 1 root root 4055 Jul 29 13:47 error_log-20180729
-rw-r--r-- 1 root root 3498 Aug 7 16:32 error_log-20180807
#帮助文档包
[root@centos7:~]# yum install httpd-manual -y
[root@centos7:~]# rpm -ql httpd-manual
/etc/httpd/conf.d/manual.conf
[root@centos7:~]# cat /etc/httpd/conf.d/manual.conf
#
# This configuration file allows the manual to be accessed at
# http://localhost/manual/ #浏览器访问此页面 192.168.31.7/manual/
#
Alias /manual /usr/share/httpd/manual
<Directory "/usr/share/httpd/manual">
Options Indexes
AllowOverride None
Require all granted
RedirectMatch 301 ^/manual/(?:de|en|fr|ja|ko|ru)(/.*)$ "/manual$1"
</Directory>
[root@centos7:~]# systemctl reload httpd
httpd2.2常见配置 官网已经不更新
Apache httpd 2.2 End-of-Life
[root@centos6 ~ ]#vim /etc/sysconfig/httpd
#HTTPD=/usr/sbin/httpd.worker
==============================================================================
1、显示服务器版本信息
#如图1
[root@centos7:conf.d]# pwd
/etc/httpd/conf.d
[root@centos7:conf.d]# vim test.conf
ServerTokens Prod
[root@centos7:conf.d]# httpd -t
Syntax OK
[root@centos6 ~ ]#curl -I www.example.com
HTTP/1.1 200 OK
Date: Wed, 08 Aug 2018 03:39:54 GMT
Server: Apache
Last-Modified: Wed, 08 Aug 2018 03:27:36 GMT
ETag: "47-572e4178f7e4b"
Accept-Ranges: bytes
Content-Length: 71
Content-Type: text/html; charset=UTF-8
2、修改监听的IP和Port
3、持久连接
[root@centos7:html]# ls
index.html test.html
[root@centos7:html]# pwd
/var/www/html
[root@centos6 ~ ]#telnet 192.168.31.7 80
Trying 192.168.31.7...
Connected to 192.168.31.7.
Escape character is '^]'.
GET /index.html HTTP/1.1 #输入后回车
host: 3.3.3.3 #输入后回车
HTTP/1.1 200 OK
Date: Wed, 08 Aug 2018 06:03:31 GMT
Server: Apache
Last-Modified: Wed, 08 Aug 2018 03:27:36 GMT
ETag: "47-572e4178f7e4b"
Accept-Ranges: bytes
Content-Length: 71
Content-Type: text/html; charset=UTF-8
<h1>这是1号标题</h1>
<font size="6">这是6号字体文本</font>
GET /index.html HTTP/1.1 #输入后回车
host: 8.8.8.8 #输入后回车
<h1>dhydhy</h1>
4、MPM( Multi-Processing Module)多路处理模块
[root@centos7:html]# grep -v "^[ ]*#" /etc/httpd/conf/httpd.conf
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
[root@centos7:conf.modules.d]# pwd
/etc/httpd/conf.modules.d
[root@centos7:conf.modules.d]# ls
00-base.conf 00-lua.conf 00-proxy.conf 01-cgi.conf
00-dav.conf 00-mpm.conf 00-systemd.conf 10-wsgi.conf
[root@centos7:conf.modules.d]# cat 00-mpm.conf
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:
# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so #默认模式
# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See: http://httpd.apache.org/docs/2.4/mod/worker.html
#
#LoadModule mpm_worker_module modules/mod_mpm_worker.so #worker模式
# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See: http://httpd.apache.org/docs/2.4/mod/event.html
#
#LoadModule mpm_event_module modules/mod_mpm_event.so #event模式
5、DSO: Dynamic Shared Object
6、定义'Main' server的文档页面路径
7、定义站点主页面
8、站点访问控制常见机制
可基于两种机制指明对哪些资源进行何种访问控制 访问控制机制有两种:
客户端来源地址,用户账号
9、<Directory>中“基于源地址”实现访问控制
[root@centos7:conf.d]# pwd
/etc/httpd/conf.d
[root@centos7:conf.d]# ls
autoindex.conf cobbler.conf manual.conf README test.conf userdir.conf welcome.conf
[root@centos7:~]# cd /var/www/html
[root@centos7:html]# ls
index.html test.html
[root@centos7:html]# mv index.html index.html.bak
图2
[root@centos7:conf.d]# ls
autoindex.conf cobbler.conf manual.conf README test.conf userdir.conf welcome.conf
[root@centos7:conf.d]# cat welcome.conf
#
# This configuration file enables the default "Welcome" page if there
# is no default index page present for the root URL. To disable the
# Welcome page, comment out all the lines below.
#
# NOTE: if this file is removed, it will be restored on upgrades.
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /.noindex.html
</LocationMatch>
<Directory /usr/share/httpd/noindex>
AllowOverride None
Require all granted
</Directory>
Alias /.noindex.html /usr/share/httpd/noindex/index.html
Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css
Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css
Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif
Alias /images/poweredby.png /usr/share/httpd/noindex/images/poweredby.png
[root@centos7:conf.d]# mv welcome.conf welcome.conf.bak
[root@centos7:html]# systemctl reload httpd
图3
Indexes:指明的URL路径下不存在与定义的主页面资源相符的资源文件时,返回索引列表给用户 #当没有主页面时,指明系统行为 #/etc/httpd/conf.d/test.conf 中写 Options Indexes
10、日志设定
[root@centos7:~]# grep -i errorlog /etc/httpd/conf/httpd.conf
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
ErrorLog "logs/error_log"
[root@centos7:~]# ls /etc/httpd/
conf conf.d conf.modules.d logs modules run
[root@centos7:~]# ll /var/log/httpd/
total 244
-rw-r--r-- 1 root root 43451 Aug 8 15:40 access_log
-rw-r--r-- 1 root root 12000 Aug 8 16:28 error_log
[root@centos7:conf.d]# vim test.conf
LogFormat "%h %l %u %{%Y-%m-%d %H:%M:%S}t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" testlog
CustomLog "logs/access_log" testlog
11、设定默认字符集
12、定义路径别名
见18、虚拟主机中FQDN中路径别名
13、基于用户的访问控制
basic认证配置示例
1提供账号和密码存储(文本文件)
htpasswd -c /etc/httpd/conf.d/.htpasswd alice
htpasswd /etc/httpd/conf.d/.htpasswd bob
htpasswd /etc/httpd/conf.d/.htpasswd jack
方法1
vim /etc/httpd/conf.d/test.conf
<Directory /data/website/admin>
AuthType Basic
AuthName "Secure login"
AuthUserFile "/etc/httpd/conf.d/.htpasswd"
Require user bob
</Directory>
方法2
[root@centos7 admin]#vim /data/website/admin/.htaccess
AuthType Basic
AuthName "Secure login"
AuthUserFile "/etc/httpd/conf.d/.htpasswd"
Require user bob
vim /etc/httpd/conf.d/test.conf
<Directory /data/website/admin>
AllowOverride authconfig
</Directory>
=======================================================
2基于组账号进行认证
[root@centos7:secret]# pwd
/var/www/html/secret
[root@centos7:secret]# cat index.html
secretdir
[root@centos6 ~ ]#curl http://192.168.31.7/secret/
secretdir
[root@centos7:conf.d]# vim test.conf
ServerTokens Prod
<directory /var/www/html/secret>
AuthType Basic
AuthName "secret dir"
AuthuserFile "/etc/httpd/conf.d/htuser"
AuthGroupFile "/etc/httpd/conf.d/htgroup"
Require group g1
</directory>
[root@centos7:conf.d]# htpasswd -c htuser http1user
New password:
Re-type new password:
Adding password for user http1user
[root@centos7:conf.d]# htpasswd htuser http2user
New password:
Re-type new password:
Adding password for user http2user
[root@centos7:conf.d]# cat htuser
http1user:$apr1$S2fTMeXb$sKNEZK7PPvXVi5XXiCJo60
http2user:$apr1$kejX9wt1$ej2tqm31J28kTGyUL7J/u0
[root@centos7:conf.d]# cat > htgroup
g1:http1user http2user
g2:http1user
[root@centos7:conf.d]# cat htgroup
g1:http1user http2user
g2:http1user
[root@centos7:conf.d]# systemctl reload httpd
[root@centos6 ~ ]#curl -I http://192.168.31.7/secret/
HTTP/1.1 401 Unauthorized
Date: Thu, 09 Aug 2018 11:20:55 GMT
Server: Apache
WWW-Authenticate: Basic realm="secret dir"
Content-Type: text/html; charset=iso-8859-1
如图1
[root@centos7:secret]# cat /var/log/httpd/access_log
192.168.31.1 - http1user [09/Aug/2018:19:20:29 +0800] "GET /secret HTTP/1.1" 301 235 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0"
192.168.31.1 - http1user [09/Aug/2018:19:20:29 +0800] "GET /secret/ HTTP/1.1" 200 10 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0"
192.168.31.1 - - [09/Aug/2018:19:20:29 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0"
192.168.31.6 - - [09/Aug/2018:19:20:55 +0800] "HEAD /secret/ HTTP/1.1" 401 - "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
如图2 basic明文传输,不安全,需要用https(ssl)实现加密
14、实现用户家目录的http共享
[root@centos7:secret]# useradd test
[root@centos7:secret]# su - test
[test@centos7:~]$ pwd
/home/test
[test@centos7:~]$ mkdir public_html
[test@centos7:~]$ echo test homedir > public_html/index.html
[test@centos7:~]$ httpd -M | grep user
authz_user_module (shared)
userdir_module (shared)
[root@centos7:conf.d]# ls
autoindex.conf htgroup manual.conf test.conf welcome.conf.bak
cobbler.conf htuser README userdir.conf
[root@centos7:conf.d]# vim userdir.conf
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
#UserDir disabled #注释掉此行
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disabled" line above, and uncomment
# the following line instead:
#
UserDir public_html #取消注释
</IfModule>
[root@centos7:secret]# systemctl restart httpd
#浏览器访问后报错
#http://192.168.31.7/~test/
#Forbidden
#You don't have permission to access /~test/ on this server.
[root@centos7:conf.d]# cat /var/log/httpd/error_log
[Thu Aug 09 20:19:47.521327 2018] [core:error] [pid 12104] (13)Permission denied: [client 192.168.31.1:59615] AH00035: access to /~test/ denied (filesystem path '/home/test/public_html') because search permissions are missing on a component of the path
[test@centos7:~]$ ll /home/test -d
drwx------ 6 test test 147 Aug 9 20:13 /home/test
[test@centos7:~]$ ll /home/test
total 0
drwxrwxr-x 2 test test 24 Aug 9 19:54 public_html
[test@centos7:~]$ setfacl -m u:apache:x /home/test #解决问题
[test@centos7:~]$ ll /home/test -d
drwx--x---+ 6 test test 147 Aug 9 20:13 /home/test
加密只允许特定的人访问
[root@centos7:conf.d]# vim userdir.conf
#<Directory "/home/*/public_html">
# AllowOverride FileInfo AuthConfig Limit Indexes
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
# Require method GET POST OPTIONS
#</Directory>
<directory /home/test/public_html>
AuthType Basic
AuthName "test home"
AuthUserFile "/etc/httpd/conf.d/htuser"
require user http1user #用户名需与htuser文件中的账号一致
</directory>
如图3
15、ServerSignature On | Off | EMail
http://httpd.apache.org/docs/2.4/mod/core.html#serversignature
ServerSignature Off 默认关闭
[root@centos7:conf.d]# vim test.conf
ServerSignature on #添加此行
[root@centos7:conf.d]# systemctl restart httpd
[root@centos6 ~ ]#curl -I http://192.168.31.7/noexist.html
HTTP/1.1 404 Not Found
Date: Thu, 09 Aug 2018 12:41:44 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5 #暴露版本了
Content-Type: text/html; charset=iso-8859-1
16、ServerType inetd | standalone.
standalone 独立服务模式
inetd 非独立服务模式
只适用于Unix平台
17、status页面
http://httpd.apache.org/docs/2.4/mod/mod_status.html
LoadModule status_module modules/mod_status.so
<Location /server-status>
SetHandler server-status
Order allow,deny #Order/Allow from 为httpd2.2语法,2.4中已由Require取代;下面以httpd2.4练习
Allow from 172.16
</Location>
ExtendedStatus On 显示扩展信息
[root@centos7:secret]# httpd -M |grep status
status_module (shared)
[root@centos7:conf.d]# cat test.conf #httpd2.4
<Location "/server-status">
SetHandler server-status
Require all granted(练习用,对所有来源开放) 或者 Require ip 192.168.31.6(建议只放行管理主机,status页面会暴露服务器内部运行信息)
</Location>
[root@centos7:conf.d]# systemctl restart httpd
http://192.168.31.7/server-status
图5
18、虚拟主机
有三种实现方案:
基于ip:为每个虚拟主机准备至少一个ip地址
基于port:为每个虚拟主机使用至少一个独立的port
基于FQDN:为每个虚拟主机使用至少一个FQDN
虚拟主机基于端口实现
[root@centos7:conf.d]# pwd
/etc/httpd/conf.d
[root@centos7:conf.d]# mkdir /data/web{1,2,3}
[root@centos7:conf.d]# echo /data/web1 > /data/web1/index.html
[root@centos7:conf.d]# echo /data/web2 > /data/web2/index.html
[root@centos7:conf.d]# echo /data/web3 > /data/web3/index.html
[root@centos7:conf.d]# cat test.conf
listen 8001
listen 8002
listen 8003
<virtualhost *:8001>
documentroot /data/web1
servername www.a.com
<directory /data/web1>
require all granted
</directory>
</virtualhost>
<virtualhost *:8002>
documentroot /data/web2
servername www.b.com
<directory /data/web2>
require all granted
</directory>
</virtualhost>
<virtualhost *:8003>
documentroot /data/web3
servername www.c.com
<directory /data/web3>
require all granted
</directory>
</virtualhost>
[root@centos6 ~ ]#curl 192.168.31.7:8001
/data/web1
[root@centos6 ~ ]#curl 192.168.31.7:8002
/data/web2
[root@centos6 ~ ]#curl 192.168.31.7:8003
/data/web3
虚拟主机基于ip地址实现
[root@centos7:~]# ip a a 192.168.31.101/24 dev ens33
[root@centos7:~]# ip a a 192.168.31.102/24 dev ens33
[root@centos7:~]# ip a a 192.168.31.103/24 dev ens33
[root@centos7:~]# ip a
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:84:9c:10 brd ff:ff:ff:ff:ff:ff
inet 192.168.31.7/24 brd 192.168.31.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet 192.168.31.101/24 scope global ens33
valid_lft forever preferred_lft forever
inet 192.168.31.102/24 scope global secondary ens33
valid_lft forever preferred_lft forever
inet 192.168.31.103/24 scope global secondary ens33
valid_lft forever preferred_lft forever
inet6 fe80::a12f:1465:53a3:13b5/64 scope link noprefixroute
[root@centos7:conf.d]# cat test.conf
<virtualhost 192.168.31.101:80>
documentroot /data/web1
servername www.a.com
<directory /data/web1>
require all granted
</directory>
</virtualhost>
<virtualhost 192.168.31.102:80>
documentroot /data/web2
servername www.b.com
<directory /data/web2>
require all granted
</directory>
</virtualhost>
<virtualhost 192.168.31.103:80>
documentroot /data/web3
servername www.c.com
<directory /data/web3>
require all granted
</directory>
</virtualhost>
[root@centos7:conf.d]# systemctl restart httpd
[root@centos6 ~ ]#curl 192.168.31.101
/data/web1
[root@centos6 ~ ]#curl 192.168.31.102
/data/web2
[root@centos6 ~ ]#curl 192.168.31.103
/data/web3
[root@centos6 ~ ]#curl 192.168.31.7
<h1>这是1号标题</h1>
<font size="6">这是6号字体文本</font>
虚拟主机基于域名FQDN(主机头)实现
[root@centos6 ~ ]#telnet 192.168.31.101 80
Trying 192.168.31.101...
Connected to 192.168.31.101.
Escape character is '^]'.
GET /index.html HTTP/1.1
HOST: www.c.com #主机头不起作用 ,域名未配置
HTTP/1.1 200 OK
Date: Thu, 09 Aug 2018 13:44:02 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
Last-Modified: Thu, 09 Aug 2018 13:08:07 GMT
ETag: "b-573005179355c"
Accept-Ranges: bytes
Content-Length: 11
Content-Type: text/html; charset=UTF-8
/data/web1
#centos7如下,但centos6还需要启用/etc/httpd/conf/httpd.conf中的#NameVirtualHost *:80,即取消注释
[root@centos7:conf.d]# cat test.conf
<virtualhost *:80>
documentroot /data/web1
servername www.a.com
<directory /data/web1>
ServerAlias a.com *.a.com #多个域名;此指令应直接放在<virtualhost>内,而不是<directory>内
require all granted
</directory>
</virtualhost>
<virtualhost *:80>
documentroot /data/web2
servername www.b.com
<directory /data/web2>
require all granted
</directory>
</virtualhost>
<virtualhost *:80>
documentroot /data/web3
servername www.c.com
<directory /data/web3>
require all granted
</directory>
</virtualhost>
[root@centos7:conf.d]# systemctl restart httpd
#删除ip或者重启网络服务
[root@centos7:~]# ip a d 192.168.31.103/24 dev ens33
[root@centos7:~]# ip a d 192.168.31.102/24 dev ens33
[root@centos7:~]# ip a d 192.168.31.101/24 dev ens33
[root@centos6 ~ ]#cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.31.7 www.a.com www.b.com www.c.com a.com b.a.com
[root@centos6 ~ ]#curl a.com
/data/web1
[root@centos6 ~ ]#curl www.b.com
/data/web2
[root@centos6 ~ ]#curl www.a.com
/data/web1
[root@centos6 ~ ]#curl www.b.com
/data/web2
[root@centos6 ~ ]#curl www.c.com
/data/web3
[root@centos6 ~ ]#telnet 192.168.31.7 80
Trying 192.168.31.7...
Connected to 192.168.31.7.
Escape character is '^]'.
GET /index.html HTTP/1.1
HOST: www.b.com
HTTP/1.1 200 OK
Date: Thu, 09 Aug 2018 14:01:49 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
Last-Modified: Thu, 09 Aug 2018 13:08:13 GMT
ETag: "b-5730051d00bd4"
Accept-Ranges: bytes
Content-Length: 11
Content-Type: text/html; charset=UTF-8
/data/web2
[root@centos6 ~ ]#telnet www.a.com 80
Trying 192.168.31.7...
Connected to www.a.com.
Escape character is '^]'.
GET /index.html HTTP/1.1
HOST: www.c.com
HTTP/1.1 200 OK
Date: Thu, 09 Aug 2018 14:02:52 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
Last-Modified: Thu, 09 Aug 2018 13:08:19 GMT
ETag: "b-573005233462c"
Accept-Ranges: bytes
Content-Length: 11
Content-Type: text/html; charset=UTF-8
/data/web3
日志都在一起,需要分开
[root@centos7:~]# grep -i log /etc/httpd/conf/httpd.conf
ErrorLog "logs/error_log"
CustomLog "logs/access_log" combined
[root@centos7:conf.d]# cat test.conf
<virtualhost *:80>
documentroot /data/web1
servername www.a.com
<directory /data/web1>
require all granted
</directory>
ErrorLog "logs/a_error_log"
CustomLog "logs/a_access_log" combined
</virtualhost>
<virtualhost *:80>
documentroot /data/web2
servername www.b.com
<directory /data/web2>
require all granted
</directory>
ErrorLog "logs/b_error_log"
CustomLog "logs/b_access_log" combined
</virtualhost>
<virtualhost *:80>
documentroot /data/web3
servername www.c.com
<directory /data/web3>
require all granted
</directory>
ErrorLog "logs/c_error_log"
CustomLog "logs/c_access_log" combined
</virtualhost>
[root@centos7:conf.d]# systemctl restart httpd
[root@centos7:~]# ll /var/log/httpd
total 284
-rw-r--r-- 1 root root 0 Aug 9 22:07 a_access_log
-rw-r--r-- 1 root root 65791 Aug 9 22:03 access_log
-rw-r--r--. 1 root root 158270 Jul 17 20:31 access_log-20180726
-rw-r--r-- 1 root root 90 Aug 7 16:00 access_log-20180807
-rw-r--r-- 1 root root 0 Aug 9 22:09 a_error_log
-rw-r--r-- 1 root root 0 Aug 9 22:07 b_access_log
-rw-r--r-- 1 root root 0 Aug 9 22:09 b_error_log
-rw-r--r-- 1 root root 0 Aug 9 22:07 c_access_log
-rw-r--r-- 1 root root 0 Aug 9 22:09 c_error_log
-rw-r--r-- 1 root root 28405 Aug 9 22:09 error_log
-rw-r--r--. 1 root root 16883 Jul 26 21:40 error_log-20180726
-rw-r--r-- 1 root root 4055 Jul 29 13:47 error_log-20180729
-rw-r--r-- 1 root root 3498 Aug 7 16:32 error_log-20180807
1.1、 cookie和http协议状态码
见图6
https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Status/200 谷歌访问,火狐太慢
-------------------------------------------------
[root@centos7:~]# yum install php
[root@centos7:conf.d]# rm -f test.conf
[root@centos7:conf.d]# cd /var/www/html
[root@centos7:html]# ls
index.html secret test.html
[root@centos7:html]# rpm -ql php
/etc/httpd/conf.d/php.conf
/etc/httpd/conf.modules.d/10-php.conf
/usr/lib64/httpd/modules/libphp5.so
/usr/share/httpd/icons/php.gif
/var/lib/php/session
[root@centos7:html]# mv index.html index.html.bak
[root@centos7:html]# systemctl restart httpd
[root@centos7:html]# ls
index.html.bak index.php secret test.html
[root@centos7:html]# cat index.php
<?php
phpinfo();
?>
#浏览器输入如下网址
#http://192.168.31.7/
#PHP Version 5.4.16
#System Linux centos7 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64
[root@centos7:html]# cat setcookie.php
<?php
setcookie('title','cto');
setcookie('name','dhy',time()+3600*12);
?>
[root@centos7:html]# ls
index.html.bak index.php secret setcookie.php test.html
http://192.168.31.7/setcookie.php
如图8
1.2、curl工具
#mv test.conf test.conf.bak
[root@centos6 ~ ]#curl -A "IE20" 192.168.31.7
<h1>这是1号标题</h1>
<font size="6">这是6号字体文本</font>
[root@centos7:html]# tail -f /var/log/httpd/access_log
192.168.31.6 - - [10/Aug/2018:11:28:42 +0800] "GET / HTTP/1.1" 200 71 "-" "IE20"
[root@centos6 ~ ]#curl -A "IE20" -e "http://www.baidu.com" 192.168.31.7
<h1>这是1号标题</h1>
<font size="6">这是6号字体文本</font>
[root@centos7:html]# tail -f /var/log/httpd/access_log
192.168.31.6 - - [10/Aug/2018:11:30:00 +0800] "GET / HTTP/1.1" 200 71 "http://www.baidu.com" "IE20"
#mv test.conf.bak test.conf
[root@centos7:conf.d]# systemctl restart httpd
[root@centos6 ~ ]#curl -H "host:www.a.com" www.c.com
/data/web1
[root@centos6 ~ ]#curl -v -H "host:www.a.com" www.c.com
* About to connect() to www.c.com port 80 (#0)
* Trying 192.168.31.7... connected
* Connected to www.c.com (192.168.31.7) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Accept: */*
> host:www.a.com
[root@centos7:conf.d]# curl www.360buy.com
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
[root@centos7:conf.d]# curl -L www.360buy.com
[root@centos6 ~ ]#curl -0 www.a.com #-0 为数字0,表示使用 HTTP/1.0 协议
/data/web1
[root@centos7:conf.d]# tail -f /var/log/httpd/a_access_log
192.168.31.6 - - [10/Aug/2018:11:40:30 +0800] "GET / HTTP/1.0" 200 11 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
[root@centos7:conf.d]# mv test.conf test.conf.bak
1.3、https 加密
自签名CA
[root@centos7:html]# yum install mod_ssl #生成加密信息,让apache去调用加密信息
[root@centos7:html]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.modules.d/00-ssl.conf #通过此模块调用 mod_ssl.so
/usr/lib64/httpd/modules/mod_ssl.so #mod_ssl模块
/usr/libexec/httpd-ssl-pass-dialog
/var/cache/httpd/ssl
[root@centos7:html]# httpd -M |grep ssl
ssl_module (shared)
[root@centos7:html]# cat /etc/httpd/conf.modules.d/00-ssl.conf
LoadModule ssl_module modules/mod_ssl.so #加载加密模块,扩展apache的功能
[root@centos7:html]# systemctl restart httpd
[root@centos7:html]# ss -ntl
LISTEN 0 128 :::443 :::* 浏览器输入https://192.168.31.7/
您的连接并不安全
192.168.31.7 的管理员没有正确配置好此网站。为避免您的信息失窃,Firefox 并未与此网站建立连接。
详细了解…
[root@centos6 ~ ]#curl https://www.a.com
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@centos6 ~ ]#curl -k https://www.a.com #忽略验证
证书的名称为centos7,即主机名,不好,可以自己给自己颁发证书,更改证书名称
[root@centos7:conf.d]# mkdir ssl
[root@centos7:conf.d]# cd ssl/
[root@centos7:ssl]# ls
[root@centos7:ssl]# pwd
/etc/httpd/conf.d/ssl
[root@centos7:ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
............+++
.............+++
e is 65537 (0x10001)
[root@centos7:ssl]# openssl req -new -x509 -key httpd.key -out httpd.crt #先自己给自己颁发一个证书看看
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:dhy
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:
[root@centos7:ssl]# ls
httpd.crt httpd.key
[root@centos7:ssl]# sz httpd.crt
桌面打开,如图10
[root@centos7:conf.d]# pwd
/etc/httpd/conf.d
[root@centos7:conf.d]# vim ssl.conf #更改如下两行
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
[root@centos7:conf.d]# systemctl restart httpd
搭建一个CA: 拿192.168.31.17当根CA,192.168.31.7当http网站,31.7需向31.17申请证书
[root@cos7-1:CA]# pwd
/etc/pki/CA
[root@cos7-1:CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
[root@cos7-1:CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
....+++
..+++
e is 65537 (0x10001)
[root@cos7-1:CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:dhy
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:ca.dhy.com
Email Address []:
#客户端
[root@centos7:ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:dhy
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos7:ssl]# ll
total 12
-rw-r--r-- 1 root root 993 Aug 10 12:49 httpd.csr
-rw------- 1 root root 1675 Aug 10 12:30 httpd.key
[root@centos7:ssl]# scp httpd.csr 192.168.31.17:/etc/pki/CA/
[root@cos7-1:CA]# touch index.txt
[root@cos7-1:CA]# echo 01 > serial
[root@cos7-1:CA]# openssl ca -in httpd.csr -out certs/httpd.crt
[root@cos7-1:CA]# tree
.
├── cacert.pem
├── certs
│ └── httpd.crt
├── crl
├── httpd.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 10 files
[root@cos7-1:CA]# scp certs/httpd.crt 192.168.31.7:/etc/httpd/conf.d/ssl/
[root@cos7-1:CA]# scp cacert.pem 192.168.31.7:/etc/httpd/conf.d/ssl/
[root@centos7:ssl]# ll
total 20
-rw-r--r-- 1 root root 1306 Aug 10 12:58 cacert.pem
-rw-r--r-- 1 root root 4423 Aug 10 12:57 httpd.crt
-rw-r--r-- 1 root root 993 Aug 10 12:55 httpd.csr
-rw------- 1 root root 1675 Aug 10 12:30 httpd.key
[root@centos7:conf.d]# pwd
/etc/httpd/conf.d
[root@centos7:conf.d]# vim ssl.conf
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
[root@centos7:html]# systemctl restart httpd
图12
把cacert.pem 放到windows中,更改为cacert.crt并导入根证书
#证书信息
[root@cos7-1:CA]# openssl s_client -connect 192.168.31.7:443 -CAfile cacert.pem
[root@cos7-1:CA]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.31.7 www.a.com
[root@cos7-1:CA]# curl --cacert cacert.pem https://www.a.com #验证给www.a.com网站颁发的证书
1.4、实现https
1 yum install mod_ssl
2 httpd服务器申请证书
(umask 077;openssl genrsa -out httpd.key 2048)
openssl req -new -key httpd.key -out httpd.csr #生成证书申请(CSR)交给CA签发,而不是自签名证书
scp httpd.csr caserver:/etc/pki/CA/
3 建立CA并颁发httpd服务器证书
cd /etc/pki/CA
(umask 077;openssl genrsa -out private/cakey.pem 2048)
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
touch index.txt
echo 01 > serial
openssl ca -in httpd.csr -out certs/httpd.crt
scp certs/httpd.crt cacert.pem httpdserver:/etc/httpd/conf.d/ssl/
4 配置httpd实现加密
ls /etc/httpd/conf.d/ssl
cacert.pem httpd.crt httpd.csr httpd.key
vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
1.5、https跳转
[root@centos7:conf.d]# mkdir /var/www/ssl
[root@centos7:conf.d]# echo /var/www/ssl > /var/www/ssl/index.html
[root@centos7:html]# vim /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/ssl"
[root@centos7:html]# systemctl restart httpd
[root@centos6 ~ ]#curl https://192.168.31.7
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@centos6 ~ ]#curl -k https://192.168.31.7
/var/www/ssl
[root@centos7:conf.d]# vim test2.conf
Redirect temp / https://www.baidu.com/ #临时重定向(302); permanent 为永久重定向(301)
[root@centos6 ~ ]#curl -I 192.168.31.7
HTTP/1.1 302 Found #临时重定向
Date: Fri, 10 Aug 2018 05:53:15 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
Location: https://www.baidu.com/
Content-Type: text/html; charset=iso-8859-1
[root@centos7:conf.d]# vim test2.conf
Redirect temp / https://192.168.31.7 #死循环
#浏览器访问https://192.168.31.7/
192.168.31.7 将您重定向的次数过多。
vim /etc/httpd/conf.d/test2.conf
RewriteEngine on
Rewritecond %{SERVER_PORT} !^443
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302]
[root@centos6 ~ ]#curl -I 192.168.31.7
HTTP/1.1 302 Found
Date: Fri, 10 Aug 2018 06:07:14 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
Location: https://192.168.31.7/
Content-Type: text/html; charset=iso-8859-1
HSTS (HTTP Strict Transport Security): 让浏览器后续只用https访问,配合上面的跳转使用
#压力测试,https较慢
[root@centos6 ~ ]#ab -c 100 -n 2000 http://192.168.31.7/m.html
[root@centos6 ~ ]#ab -c 100 -n 2000 https://192.168.31.7/m.html
1.6、web服务编译安装
[root@cos7:~/srcs ]# pwd
/root/srcs
[root@cos7:~/srcs ]# ls
apr-1.6.3.tar.gz apr-util-1.6.1.tar.gz httpd-2.4.34.tar.bz2
[root@cos7:~/srcs ]# tar xf apr-1.6.3.tar.gz
[root@cos7:~/srcs ]# tar xf apr-util-1.6.1.tar.gz
[root@cos7:~/srcs ]# tar xf httpd-2.4.34.tar.bz2
[root@cos7:~/srcs ]# ls
apr-1.6.3 apr-util-1.6.1 httpd-2.4.34
apr-1.6.3.tar.gz apr-util-1.6.1.tar.gz httpd-2.4.34.tar.bz2
[root@cos7:~/srcs ]# cp -r apr-1.6.3 httpd-2.4.34/srclib/apr
[root@cos7:~/srcs ]# cp -r apr-util-1.6.1 httpd-2.4.34/srclib/apr-util
[root@cos7:~/srcs ]# cd httpd-2.4.34/
[root@cos7:~/srcs/httpd-2.4.34 ]# cd srclib/
[root@cos7:~/srcs/httpd-2.4.34/srclib ]# ls
apr apr-util Makefile.in
1 安装包
yum groupinstall "development tools"
yum install pcre-devel openssl-devel expat-devel -y
2
tar xf apr-1.6.3.tar.gz
tar xf apr-util-1.6.1.tar.gz
tar xf httpd-2.4.34.tar.bz2
cp -r apr-1.6.3 httpd-2.4.34/srclib/apr
cp -r apr-util-1.6.1 httpd-2.4.34/srclib/apr-util
3 cd httpd-2.4.34/
./configure \
--prefix=/app/httpd24 \
--enable-so \
--enable-ssl \
--enable-cgi \
--enable-rewrite \
--with-zlib \
--with-pcre \
--with-included-apr \
--enable-modules=most \
--enable-mpms-shared=all \
--with-mpm=prefork
4 make -j 4 && make install
5 echo 'PATH=/app/httpd24/bin:$PATH' > /etc/profile.d/httpd.sh #用单引号,让$PATH在登录时再展开,而不是把当前PATH写死
. /etc/profile.d/httpd.sh
6 apachectl start
7开机启动
echo "/app/httpd24/bin/apachectl start" >> /etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local
[root@cos7:~/srcs/httpd-2.4.34 ]# cat /app/httpd24/build/config.nice