第十九天
httpd
5. httpd常用配置
切换使用MPM(编辑/etc/httpd/conf.modules.d/00-mpm.conf文件):
//LoadModule mpm_NAME_module modules/mod_mpm_NAME.so
//NAME有三种,分别是:
prefork
event
worker
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See: http://httpd.apache.org/docs/2.4/mod/worker.html
#
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See: http://httpd.apache.org/docs/2.4/mod/event.html
#
LoadModule mpm_event_module modules/mod_mpm_event.so
"00-mpm.conf" 23L, 948C
访问控制法则:
|法则 |功能
|-:😐
|Require all granted |允许所有主机访问
|Require all deny |拒绝所有主机访问
|Require ip IPADDR|授权指定来源地址的主机访问
|Require not ip IPADDR| 拒绝指定来源地址的主机访问
|Require host HOSTNAME |授权指定来源主机名的主机访问
|Require not host HOSTNAME |拒绝指定来源主机名的主机访问
IPADDR的类型
IP:192.168.1.1
Network/mask:192.168.1.0/255.255.255.0
Network/Length:192.168.1.0/24
Net:192.168
HOSTNAME的类型
FQDN:特定主机的全名
DOMAIN:指定域内的所有主机
注意:httpd-2.4版本默认是拒绝所有主机访问的,所以安装以后必须做显示授权访问
在httpd页面目录下面创建一个zuoye文件
[root@fuwuduan ~]# cd /var/www/html/
[root@fuwuduan html]# ls
zuoye.html
[root@fuwuduan html]# cat zuoye.html
zuoye
进入httpd的主配置文件添加规则
[root@fuwuduan ~]# vim /etc/httpd/conf/httpd.conf
162 <Directory "/var/www/html/zuoye">
163 <RequireALL>
164 Require ip 192.168.244.139
165 </RequireAll>
166 </Directory>
配置完后用httpd -t检查一下有没有错误,并且刷新
[root@fuwuduan ~]# httpd -t
Syntax OK
[root@fuwuduan ~]# systemctl restart httpd
然后用Windows本机访问
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-MTio4KUh-1658412518410)(./1658400523044.png)]
虚拟主机:
虚拟主机有三类:
相同IP不同端口
不同IP相同端口
相同IP相同端口不同域名
相同ip不同端口
[root@fuwuduan ~]# cd /etc/httpd/conf.d/
[root@fuwuduan ~]# find / -name *vhosts.conf
/usr/share/doc/httpd/httpd-vhosts.conf
[root@fuwuduan conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf .
[root@fuwuduan conf.d]# ls
autoindex.conf README welcome.conf
httpd-vhosts.conf userdir.conf
//直接编辑这个文件,大G下到最底行
[root@fuwuduan ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/var/www/123/"
ServerName www.123.com
ErrorLog "/var/log/httpd/www.123.com-error_log"
CustomLog "/var/log/httpd/www.123.com-access_log" common
</VirtualHost>
Listen 81
<VirtualHost *:81>
DocumentRoot "/var/www/456/"
ServerName www.456.com
ErrorLog "/var/log/httpd/www.456.com-error_log"
CustomLog "/var/log/httpd/www.456.com-access_log" common
</VirtualHost>
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-HEN0tmLu-1658412518411)(./1658408764013.png)]
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-3NNgL7mu-1658412518412)(./1658408781819.png)]
不同ip相同端口
/先添加一个临时IP地址
[root@fuwuduan ~]# ip addr add 192.168.244.140/24 dev ens33
//然后修改配置文件
[root@fuwuduan ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
<VirtualHost 192.168.244.139:80>
DocumentRoot "/var/www/123/"
ServerName www.123.com
ErrorLog "/var/log/httpd/www.123.com-error_log"
CustomLog "/var/log/httpd/www.123.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.244.140:80>
DocumentRoot "/var/www/456/"
ServerName www.456.com
ErrorLog "/var/log/httpd/www.456.com-error_log"
CustomLog "/var/log/httpd/www.456.com-access_log" common
</VirtualHost>
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-ulItM2nT-1658412518412)(./1658409408736.png)]
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-KEtrYPJG-1658412518413)(./1658409411429.png)]
相同ip相同端口不同域名
修改hosts文件
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-xFPziOqc-1658412518413)(./1658409589475.png)]
[root@fuwuduan ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
<VirtualHost 192.168.244.139:80>
DocumentRoot "/var/www/123/"
ServerName www.123.com
ErrorLog "/var/log/httpd/www.123.com-error_log"
CustomLog "/var/log/httpd/www.123.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.244.139:80>
DocumentRoot "/var/www/456/"
ServerName www.456.com
ErrorLog "/var/log/httpd/www.456.com-error_log"
CustomLog "/var/log/httpd/www.456.com-access_log" common
</VirtualHost>
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-nixuizGX-1658412518414)(./1658409660086.png)]
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-5R2iYrFM-1658412518414)(./1658409662467.png)]
ssl:
启用模块:编辑/etc/httpd/conf.modules.d/00-base.conf文件,添加下面这行,如果已经有了但是注释了,则取消注释即可
下载ssl服务
[root@fuwuduan ~]# dnf -y install mod_ssl*
[root@fuwuduan conf.d]# ss -antl|grep 443
LISTEN 0 128 *:443 *:*
配置https步骤
openssl实现私有CA:
CA的配置文件:/etc/pki/tls/openssl.cnf
CA生成一对密钥
[root@fuwuduan ~]# mkdir /etc/pki/CA
[root@fuwuduan ~]# mkdir /etc/pki/CA/private
[root@fuwuduan ~]# cd /etc/pki/CA/
[root@fuwuduan CA]# ls
private
//生成密钥
[root@fuwuduan CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................+++++
........................+++++
e is 65537 (0x010001)
//提取公钥
[root@fuwuduan CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuMwZqhj9qUx1ydEocRNG
944zA0YGO6YHBe+VDOgPc78ckqFSXL7FArRVDbzR8aL0uXEA3RHVXhEs8ktD3pqo
pk/+I4e6hBdJKIa1I4uRwiyH4iQiwKBhvIPyCHIyv0Z2wGa+r9SZ/HXRUcv6kNYU
bEoWEeqqFS3hn6QUTPRSB5Vew4x6pd/1zSnajsH7KdAU3/qVDwAfX5kSCuvPZ3Mu
05kD+D+wug770bmvfBZuSVSnyKaQTgIWXWES7K649jTUPmREj7xiO311ZXMLbsbt
HxuD2ZK53A0QkBRd/OF56faLPUhhf95O66otAo4tX+2dgNgU+Cc41r0QZOMUoQjA
vQIDAQAB
-----END PUBLIC KEY-----
生成证书请求文件
[root@fuwuduan CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:dly
Organizational Unit Name (eg, section) []:www.123.com
Common Name (eg, your name or your server's hostname) []:www.123.com
Email Address []:1@2.com
生成证书
[root@fuwuduan CA]# openssl x509 -text -in cacert.pem
生成密钥
[root@fuwuduan CA]# mkdir certs newcerts crl
[root@fuwuduan CA]# touch index.txt && echo 01 > serial
[root@fuwuduan CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@fuwuduan ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................+++++
...............+++++
e is 65537 (0x010001)
[root@fuwuduan ssl]# ls
httpd.key
客户端生成证书签署请求
[root@fuwuduan ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:dly
Organizational Unit Name (eg, section) []:www.123.com
Common Name (eg, your name or your server's hostname) []:www.123.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
CA签署客户端提交上来的证书
[root@fuwuduan ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 21 13:54:25 2022 GMT
Not After : Jul 21 13:54:25 2023 GMT
Subject:
countryName = cn
stateOrProvinceName = hubei
organizationName = dly
organizationalUnitName = www.123.com
commonName = www.123.com
emailAddress = 1@2.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C1:AE:24:8C:F5:8F:2A:FB:4D:88:1B:AB:C2:92:08:67:3F:87:D8:9D
X509v3 Authority Key Identifier:
keyid:C7:86:CA:35:A2:0F:80:AC:23:07:7A:2D:20:6A:F5:59:9E:68:FD:97
Certificate is to be certified until Jul 21 13:54:25 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-DT8HqJJ2-1658412549237)(./1658412114867.png)]
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-0NK9PdfX-1658412518416)(./1658412117710.png)]