一. httpd简介
httpd是Apache超文本传输协议(HTTP)服务器的主程序。被设计为一个独立运行的后台进程,它会建立一个处理请求的子进程或线程的池。
通常,httpd不应该被直接调用,而应该在类Unix系统中由apachectl调用,在Windows中作为服务运行。
二. httpd版本
本文主要介绍httpd的两大版本,httpd-2.2和httpd-2.4。
- CentOS6系列的版本默认提供的是httpd-2.2版本的rpm包
- CentOS6系列的版本默认提供的是httpd-2.2版本的rpm包
2.1 httpd的特性
httpd有很多特性,下面就分别来说说httpd-2.2版本和httpd-2.4版本各自的特性。
版本 | 特性 |
---|---|
2.2 | 事先创建进程。按需维持适当的进程模块化设计,核心比较小,各种功能通过模块添加(包括PHP),支持运行时配置,支持单独编译模块。支持多种方式的虚拟主机配置,如基于ip的虚拟主机,基于端口的虚拟主机,基于域名的虚拟主机等支持https协议(通过mod_ssl模块实现)。支持用户认证。支持基于IP或域名的ACL访问控制机制支持每目录的访问控制(用户访问默认主页时不需要提供用户名和密码,但是用户访问某特定目录时需要提供用户名和密码)。支持URL重写。支持MPM(Multi Path Modules,多处理模块)。用于定义httpd的工作模型(单进程、单进程多线程、多进程、多进程单线程、多进程多线程) |
2.4 | httpd-2.4的新特性:MPM支持运行DSO机制(Dynamic Share Object,模块的动态装/卸载机制),以模块形式按需加载支持event MPM,eventMPM模块生产环境可用支持异步读写支持每个模块及每个目录分别使用各自的日志级别每个请求相关的专业配置,使用来配置增强版的表达式分析器支持毫秒级的keepalive timeout基于FQDN的虚拟主机不再需要NameVirtualHost指令支持用户自定义变量支持新的指令(AllowOverrideList)降低对内存的消耗 |
工作模型 | 工作方式 |
---|---|
prefork | 多进程模型,预先生成进程,一个请求用一个进程响应一个主进程负责生成n个子进程,子进程也称为工作进程每个子进程处理一个用户请求,即使没有用户请求,也会预先生成多个空闲进程,随时等待请求到达,最大不会超过1024个 |
worker | 基于线程工作,一个请求用一个线程响应(启动多个进程,每个进程生成多个线程) |
event | 基于事件的驱动,一个进程处理多个请求 |
2.2 httpd-2.4新增的模块
httpd-2.4在之前的版本基础上新增了几大模块,下面就几个常用的来介绍一下。
模块 | 功能 |
---|---|
mod_proxy_fcgi | 反向代理时支持apache服务器后端协议的模块 |
mod_ratelimit | 提供速率限制功能的模块 |
mod_remoteip | 基于ip的访问控制机制被改变,不再支持使用Order,Deny,Allow来做基于IP的访问控制 |
三. httpd基础
3.1 httpd自带的工具程序
工具 | 功能 |
---|---|
htpasswd | basic认证基于文件实现时,用到的帐号密码生成工具 |
apachectl | httpd自带的服务控制脚本,支持start,stop,restart |
apxs | 由httpd-devel包提供的,扩展httpd使用第三方模块的工具 |
rotatelogs | 日志滚动工具 |
suexec | 访问某些有特殊权限配置的资源时,临时切换至指定用户运行的工具 |
ab | apache benchmark,httpd的压力测试工具 |
3.2 rpm包安装的httpd程序环境
文件/目录 | 对应的功能 |
---|---|
/var/log/httpd/access.log | 访问日志 |
/var/log/httpd/error_log | 错误日志 |
/var/www/html/ | 站点文档目录 |
/usr/lib64/httpd/modules/ | 模块文件路径 |
/etc/httpd/conf/httpd.conf | 主配置文件 |
/etc/httpd/conf.modules.d/*.conf | 模块配置文件 |
/etc/httpd/conf.d/*.conf | 辅助配置文件 |
mpm:以DSO机制提供,配置文件为/etc/httpd/conf.modules.d/00-mpm.conf
3.3 web相关的命令
3.3.1 curl命令
curl是基于URL语法在命令行方式下工作的文件传输工具,它支持FTP,FTPS,HTTP,HTTPS,GOPHER,TELNET,DICT,FILE及LDAP等协议。
斜体样式curl支持以下功能: //下载和网页认证用的多
- 斜体样式https认证
- http的POST/PUT等方法
- ftp上传
- kerberos认证
- http上传
- 代理服务器
- cookies
- 用户名/密码认证
- 下载文件断点续传
- socks5代理服务器
- 通过http代理服务器上传文件到ftp服务器
//语法:curl [options] [URL …]
//常用的options:
-A/–user-agent //设置用户代理发送给服务器
-basic //使用Http基本认证
–tcp-nodelay //使用TCP_NODELAY选项
-e/–referer //来源网址
–cacert //CA证书(SSL)
–compressed //要求返回时压缩的格式
-H/–header//自定义请求首部信息传递给服务器
-I/–head //只显示响应报文首部信息
–limit-rate //设置传输速度
-u/–user <user[:password]> //设置服务器的用户和密码
-0/–http1 //使用http 1.0版本,默认使用1.1版本。这个选项是数字0而不是字母o
-o/–output //把输出写到文件中
-#/–progress-bar //进度条显示当前的传送状态
//通过curl下载文件
[root@localhost ~]# ls
[root@localhost ~]# curl -o myblog.html http://blog.51cto.com/itchentao
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 67025 0 67025 0 0 87248 0 --:--:-- --:--:-- --:--:-- 87385
[root@localhost ~]# ls
myblog.html
3.3.2 httpd命令
//语法:httpd [options]
//常用的options:-l //查看静态编译的模块,列出核心中编译了哪些模块。
//它不会列出使用LoadModule指令动态加载的模块
-M //输出一个已经启用的模块列表,包括静态编译在服务
//器中的模块和作为DSO动态加载的模块
-v //显示httpd的版本,然后退出
-V //显示httpd和apr/apr-util的版本和编译参数,然后退出
-X //以调试模式运行httpd。仅启动一个工作进程,并且
//服务器不与控制台脱离
-t //检查配置文件是否有语法错误
[root@localhost ~]# httpd -l
Compiled in modules:
core.c
mod_so.c
http_core.c
[root@localhost ~]# httpd -M
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
access_compat_module (shared)
actions_module (shared)
alias_module (shared)
allowmethods_module (shared)
auth_basic_module (shared)
......
......
[root@localhost ~]# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Jun 27 2018 13:48:59
[root@localhost ~]# httpd -V
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
Server version: Apache/2.4.6 (CentOS)
Server built: Jun 27 2018 13:48:59
Server's Module Magic Number: 20120211:24
Server loaded: APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture: 64-bit
Server MPM: prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
四. 编译安装httpd-2.4
httpd依赖于apr-1.4+,apr-util-1.4+,[apr-icon] apr:apache portable runtime
安装开发环境
[root@localhost ~]# yum groups mark install "Development Tools"
[root@localhost ~]# groupadd -r apache
[root@localhost ~]# useradd -r -g apache apache
[root@localhost ~]# yum -y install openssl-devel pcre-devel expat-devel libtool
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction checkyum
---> Package openssl-devel.x86_64 1:1.0.2k-12.el7 will be installed
--> Processing Dependency: openssl-libs(x86-64) = 1:1.0.2k-12.el7 for package: 1:openssl-devel-1.0.2k-12.el7.x86_64
......
......
libselinux-utils.x86_64 0:2.5-12.el7 libsepol.x86_64 0:2.5-8.1.el7
libss.x86_64 0:1.42.9-12.el7_5 openssl.x86_64 1:1.0.2k-12.el7
openssl-libs.x86_64 1:1.0.2k-12.el7
Complete!
下载并安装apr-1.4+和apr-util-1.4+
[root@localhost ~]# cd /usr/src/
[root@localhost src]# wget http://mirror.bit.edu.cn/apache/apr/apr-1.6.5.tar.gz
[root@localhost src]# wget http://mirror.bit.edu.cn/apache/apr/apr-util-1.6.1.tar.gz
[root@localhost src]# ls
apr-1.6.5.tar.gz apr-util-1.6.1.tar.gz debug kernels
[root@localhost src]# tar xf apr-1.6.5.tar.gz
[root@localhost src]# tar xf apr-util-1.6.1.tar.gz
[root@localhost src]# ls
apr-1.6.5 apr-1.6.5.tar.gz apr-util-1.6.1 apr-util-1.6.1.tar.gz debug kernels
[root@localhost src]# cd apr-1.6.5
[root@localhost apr-1.6.5]# vim configure
cfgfile="${ofile}T"
trap "$RM \"$cfgfile\"; exit 1" 1 2 15
# $RM "$cfgfile" //将此行加上注释,或者删除此行
//或用sed -i '/$RM "$cfgfile"/s/^/#/g' configure命令
[root@localhost apr-1.6.5]# ./configure --prefix=/usr/local/apr
配置过程略...
[root@localhost apr-1.6.5]# make && make install //make -j 指定核型数
编译安装过程略...
[root@localhost apr-1.6.5]# cd /usr/src/apr-util-1.6.1
[root@localhost apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
配置过程略...
[root@localhost apr-util-1.6.1]# make && make install
编译安装过程略...
在root家目录下编译安装httpd
[root@localhost ~]# wget http://mirror.bit.edu.cn/apache/httpd/httpd-2.4.38.tar.gz
//scp httpd-2.4.38.tar.gz root@192.168.131.131
//chmod -x //修改上传的压缩包权限
[root@localhost ~]# ls
httpd-2.4.38.tar.gz
[root@localhost ~]# tar xf httpd-2.4.38.tar.gz
[root@localhost ~]# cd httpd-2.4.38
//./configure --prefix= //指定安装的绝对路径
[root@localhost httpd-2.4.38]# ./configure --prefix=/usr/local/apache \
--sysconfdir=/etc/httpd24 \
--enable-so \
--enable-ssl \
--enable-cgi \
--enable-rewrite \
--with-zlib \
--with-pcre \
--with-apr=/usr/local/apr \
--with-apr-util=/usr/local/apr-util/ \
--enable-modules=most \
--enable-mpms-shared=all \
--with-mpm=prefork
[root@localhost httpd-2.4.38]# make && make install
编译安装过程略...
启动apache
[root@localhost]#/usr/local/apache/bin/apachectl start
或者创建软连接的快捷方式
[root@localhost]#echo "export PATH=/usr/local/apache/bin:$PATH" > /etc/profile.d/httpd.sh //设置环境变量
[root@localhost]# . /etc/profile.d/httpd.sh
[root@localhost]# apachectl start
若apachectl命令有错误,则
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
......
ServerAdmin root@localhost
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
ServerName www.example.com:80 //取消此行前面的#号
......
五 .httpd常用配置
切换使用MPM(编辑/etc/httpd/conf.modules.d/00-mpm.conf文件):
//LoadModule mpm_NAME_module modules/mod_mpm_NAME.so
//NAME有三种,分别是:
prefork
event
worker
访问控制法则:
法则 | 功能 |
---|---|
Require all granted | 允许所有主机访问 |
Require all deny | 拒绝所有主机访问 |
Require ip IPADDR | 授权指定来源地址的主机访问 |
Require not ip IPADDR | 拒绝指定来源地址的主机访问 |
Require host HOSTNAME | 授权指定来源主机名的主机访问 |
Require not host HOSTNAME | 拒绝指定来源主机名的主机访问 |
[root@localhost ~]# vim /etc/httpd24/httpd.conf
示例:
<Directory "usr/local/apache/htdocs/dz">
Require all denied
</Directory>
[root@localhost ~]# cd /usr/local/apache/htdocs/
[root@localhost htdocs]#ls
index.html
[root@localhost htdocs]# mkdir dz
[root@localhost htdocs]# cd dz/
[root@localhost htdocs]# echo "hello" > index.html
[root@localhost ~]# apachectl restart
IPADDR的类型 | HOSTNAME的类型 |
---|---|
IP:192.168.1.1 Network/mask:192.168.1.0/255.255.255.0 Network/Length:192.168.1.0/24 Net:192.168 | FQDN:特定主机的全名 DOMAIN:指定域内的所有主机 |
虚拟主机:
虚拟主机有三类:
相同IP不同端口 // Listen 81 新添加一个81端口
不同IP相同端口
ip addr add 192.168.100.101 dev eth0 //给主机服务端再添加一个ip为192.168.100.101
ip addr show eth0 //检查是否添加了IP
相同IP相同端口不同域名
配置虚拟主机
1.虚拟机上修改配置文件
[root@localhost ~]# find / -name *vhosts.conf
/etc/httpd24/extra/httpd-vhosts.conf
/etc/httpd24/original/extra/httpd-vhosts.conf
/root/httpd-2.4.38/docs/conf/extra/httpd-vhosts.conf
[root@localhost ~]# vim /etc/httpd24/extra/httpd-vhosts.conf
//复制最后一行,模板修改
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/usr/local/apache/docs/dummy-host.example.com"
ServerName dummy-host.example.com
ServerAlias www.dummy-host.example.com
ErrorLog "logs/dummy-host.example.com-error_log"
CustomLog "logs/dummy-host.example.com-access_log" common
</VirtualHost>
[root@localhost ~]# vim /etc/httpd24/httpd.conf
//到最后一行粘贴模板进行编写
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
<VirtualHost *:80> //* 所有IP :80 80端口
DocumentRoot "/usr/local/apache/one" //网站根目录,没有需要创建哦
ServerName dz.example.com //域名自己编写
ErrorLog "logs/11_error_log"
CustomLog "logs/22_access_log" common
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/usr/local/apache/htdocs/two"
ServerName dzdd.example.com
ErrorLog "logs/22_error_log"
CustomLog "logs/22_access_log" common
</VirtualHost>
[root@localhost ~]# cd /usr/local/apache/htdocs/
[root@localhost htdocs]# mkdir one two
[root@localhost htdocs]# chown -R apache.apache one
[root@localhost htdocs]# chown -R apache.apache two
[root@localhost htdocs]# cd one/
[root@localhost one]# echo "Hello,nice to miss you" > index.html
[root@localhost one]# cd ..
[root@localhost htdocs]# cd two/
[root@localhost two]# echo "Nice to miss you,too" > index.html
[root@localhost two]# cd ..
[root@localhost htdocs]# apachectl -t //检测配置是否正确,是否有语法错误
Syntax OK
2.在本机上修改配置文件
C:\windows\systemd32\drivers\etc\hosts
//在hosts文件下加入上面配置的域名和虚拟机IP
192.168.131.131 dz.example.com
192.168.131.131 dzdd.example.com
3.到虚拟机上重启apachectl服务
[root@localhost ~]# apachectl restart
[root@localhost ~]#
4.到本机网页上测试
如果不行的话就是忘记关闭防火墙,记得要关哦!
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl disable firewalld //禁止开机自启
[root@localhost ~]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled //改为禁止启用
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@localhost ~]# setenforce 0 //关闭防火墙
六. 生成密钥认证
环境说明:
服务端 | 客户端 |
---|---|
192.168.131.131 | 192.168.131.130 |
// openssl实现私有CA:
CA的配置文件:/etc/pki/tls/openssl.cnf
1. CA生成一对密钥
[root@30 ~]# cd /etc/pki/CA
[root@30 CA]# ls
certs crl newcerts private
[root@30 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.............+++
................+++
e is 65537 (0x10001)
[root@30 CA]# openssl rsa -in private/cakey.pem -pubout
2. CA生成自签署证书
[root@30 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:runtime.example.com
Organizational Unit Name (eg, section) []:runtime.example.com
Common Name (eg, your name or your server's hostname) []:runtime.example.com
Email Address []:1@2.com
[root@30 CA]# openssl x509 -text -in cacert.pem //读出证书的内容
内容略。。。。
[root@30 CA]# mkdir certs newcerts crl //创建目录
[root@30 CA]# touch index.txt && echo 01 > serial
[root@30 CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@30 CA]# cat serial
01
3. 服务端生成密钥
[root@31 ~]# cd /etc/httpd24 && mkdir ssl && cd ssl
[root@31 ssl]#
[root@31 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.....................+++
................+++
e is 65537 (0x10001)
[root@31 ssl]#
4. 服务端生成证书签署请求
[root@31 ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:runtime.example.com
Organizational Unit Name (eg, section) []:runtime.example.com
Common Name (eg, your name or your server's hostname) []:runtime.example.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: //不设置密码直接回车
An optional company name []:
[root@31 ssl]#
5. 服务端把证书签署请求文件发送给CA
[root@31 ssl]# scp httpd.csr root@192.168.131.130:/root
httpd.csr 100% 1082 21.2KB/s 00:00
[root@31 ssl]#
[root@30 CA]# cd
[root@30 ~]# ls
httpd.csr
6. CA签署服务端提交上来的证书
[root@30 ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
[root@30 ~]# ls
httpd.crt httpd.csr
7. CA把签署好的证书httpd.crt发给服务端
[root@30 ~]# scp httpd.crt root@192.168.131.131:/root/
[root@31 ~]# ls
httpd.crt
[root@31 ~]# mv httpd.crt /etc/httpd24/ssl/
[root@31 ~]# cd /etc/httpd24/ssl/
[root@31 ssl]# ls
httpd.crt httpd.csr httpd.key
[root@31 ssl]#
七. ssl配置
// 配置虚拟主机
[root@31 ~]# vim /etc/httpd24/extra/httpd-ssl.conf
/DocumentRoot //搜索
修改为以下内容:
DocumentRoot "/usr/local/apache/htdocs/runtime"
ServerName runtime.example.com:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/runtime.example.com-error_log"
TransferLog "/usr/local/apache/logs/runtime.example.com-access_log"
紧接着将
SSLCertificateFile "/etc/httpd24/server.crt" 改为 SSLCertificateFile "/etc/httpd24/ssl/httpd.crt"
SSLCertificateKeyFile "/etc/httpd24/server.key" 改为 SSLCertificateKeyFile "/etc/httpd24/ssl/httpd.key"
//配置完成之后检查一下配置文件是否有语法错误:
[root@31 httpd24]# apachectl -t
Syntax OK
[root@31 httpd24]# vim httpd.conf
Include /etc/httpd24/extra/httpd-ssl.conf //将此行的注释取消
LoadModule ssl_module modules/mod_ssl.so //将此行的注释取消
[root@31 httpd24]# vim extra/httpd-ssl.conf
#SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)" //此行添加注释
//修改完成之后检查一下配置文件是否有语法错误:
[root@31 httpd24]# apachectl -t
Syntax OK
//重启服务
[root@31 httpd24]# apachectl restart
//查看https端口(443)起来没有
[root@31 httpd24]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 50 *:139 *:*
LISTEN 0 128 *:111 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 50 *:445 *:*
LISTEN 0 128 *:44643 *:*
LISTEN 0 50 :::139 :::*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 128 :::443 :::* //443端口起来了
修改客户端的hosts文件
C:\Windows\System32\drivers\etc\hosts
192.168.131.131 runtime.example.com