httpd

Day 19

5. Common httpd configuration

Switching the MPM (edit the file /etc/httpd/conf.modules.d/00-mpm.conf):

// LoadModule mpm_NAME_module modules/mod_mpm_NAME.so
// NAME takes one of three values (exactly one MPM may be loaded at a time):
    prefork
    event
    worker

```apache
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See: http://httpd.apache.org/docs/2.4/mod/worker.html
#
#LoadModule mpm_worker_module modules/mod_mpm_worker.so

# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See: http://httpd.apache.org/docs/2.4/mod/event.html
#
LoadModule mpm_event_module modules/mod_mpm_event.so
```
Access control rules:

| Rule | Function |
|:-|:-|
| Require all granted | allow access from all hosts |
| Require all denied | deny access from all hosts |
| Require ip IPADDR | allow access from the given source address |
| Require not ip IPADDR | deny access from the given source address |
| Require host HOSTNAME | allow access from the given source hostname |
| Require not host HOSTNAME | deny access from the given source hostname |

Forms of IPADDR:

IP: 192.168.1.1
Network/mask: 192.168.1.0/255.255.255.0
Network/Length: 192.168.1.0/24
Net: 192.168

Forms of HOSTNAME:

FQDN: the full name of one specific host
DOMAIN: every host within the given domain

Note: httpd 2.4 denies access from all hosts by default, so after installation you must explicitly grant access.

Create a file called zuoye under httpd's document root:

```shell
[root@fuwuduan ~]# cd /var/www/html/
[root@fuwuduan html]# ls
zuoye.html
[root@fuwuduan html]# cat zuoye.html
zuoye
```

Add the rule in httpd's main configuration file:

```shell
[root@fuwuduan ~]# vim /etc/httpd/conf/httpd.conf
<Directory "/var/www/html/zuoye">
        <RequireAll>
                Require ip  192.168.244.139
        </RequireAll>
</Directory>
```

After configuring, check for errors with httpd -t, then restart the service:

```shell
[root@fuwuduan ~]# httpd -t
Syntax OK
[root@fuwuduan ~]# systemctl restart httpd
```

Then access the page from the Windows host.
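An added example, not from the original post, showing how the rules from the table combine inside <RequireAll> and <RequireAny>; the 192.168.244.0/24 network, the excluded address 192.168.244.140, the admin directory and the example.com domain are assumed values:

```apache
# Added example, not part of the original post. Assumed values: the
# 192.168.244.0/24 network, the excluded address 192.168.244.140,
# the admin directory and the example.com domain.

# Default-deny for the whole filesystem: every document directory must
# then grant access explicitly (the httpd 2.4 behaviour noted above).
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>

# RequireAll: every Require inside must succeed. The client must come
# from 192.168.244.0/24 AND must not be 192.168.244.140. A negated
# "Require not" is only meaningful inside RequireAll; on its own (an
# implicit RequireAny) httpd rejects it at config time.
<Directory "/var/www/html/zuoye">
    <RequireAll>
        Require ip 192.168.244.0/24
        Require not ip 192.168.244.140
    </RequireAll>
</Directory>

# RequireAny: one matching Require is enough. Localhost, or any host
# under example.com (the DOMAIN form; it relies on reverse DNS, which is
# slow and spoofable, so prefer ip rules where possible).
<Directory "/var/www/html/admin">
    <RequireAny>
        Require ip 127.0.0.1 ::1
        Require host example.com
    </RequireAny>
</Directory>

# A single file such as zuoye.html is matched with <Files>; <Directory>
# only applies to a directory and everything below it.
<Files "zuoye.html">
    Require ip 192.168.244.139
</Files>
```

Run httpd -t after adding it, exactly as the post does; the negated-Require placement error is the one most often caught there.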

Virtual hosts:

There are three kinds of virtual host:

same IP, different ports
different IPs, same port
same IP, same port, different domain names

Same IP, different ports:

```shell
[root@fuwuduan ~]# cd /etc/httpd/conf.d/
[root@fuwuduan ~]# find / -name *vhosts.conf
/usr/share/doc/httpd/httpd-vhosts.conf
[root@fuwuduan conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf .
[root@fuwuduan conf.d]# ls
autoindex.conf     README        welcome.conf
httpd-vhosts.conf  userdir.conf
// edit this file directly; press G (capital) to jump to the last line
[root@fuwuduan ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/var/www/123/"
    ServerName www.123.com
    ErrorLog "/var/log/httpd/www.123.com-error_log"
    CustomLog "/var/log/httpd/www.123.com-access_log" common
</VirtualHost>

Listen 81
<VirtualHost *:81>
    DocumentRoot "/var/www/456/"
    ServerName www.456.com
    ErrorLog "/var/log/httpd/www.456.com-error_log"
    CustomLog "/var/log/httpd/www.456.com-access_log" common
</VirtualHost>
```

Different IPs, same port:

```shell
// first add a temporary IP address
[root@fuwuduan ~]# ip addr add 192.168.244.140/24 dev ens33
// then edit the configuration file
[root@fuwuduan ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
<VirtualHost 192.168.244.139:80>
    DocumentRoot "/var/www/123/"
    ServerName www.123.com
    ErrorLog "/var/log/httpd/www.123.com-error_log"
    CustomLog "/var/log/httpd/www.123.com-access_log" common
</VirtualHost>

<VirtualHost 192.168.244.140:80>
    DocumentRoot "/var/www/456/"
    ServerName www.456.com
    ErrorLog "/var/log/httpd/www.456.com-error_log"
    CustomLog "/var/log/httpd/www.456.com-access_log" common
</VirtualHost>
```

Same IP, same port, different domain names:

Edit the hosts file, then the vhost configuration:

```shell
[root@fuwuduan ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
<VirtualHost 192.168.244.139:80>
    DocumentRoot "/var/www/123/"
    ServerName www.123.com
    ErrorLog "/var/log/httpd/www.123.com-error_log"
    CustomLog "/var/log/httpd/www.123.com-access_log" common
</VirtualHost>

<VirtualHost 192.168.244.139:80>
    DocumentRoot "/var/www/456/"
    ServerName www.456.com
    ErrorLog "/var/log/httpd/www.456.com-error_log"
    CustomLog "/var/log/httpd/www.456.com-access_log" common
</VirtualHost>
```

ssl:

Enable the module: edit the file /etc/httpd/conf.modules.d/00-base.conf and add the line below; if it is already present but commented out, just uncomment it.

Install the ssl module:

```shell
[root@fuwuduan ~]# dnf -y install mod_ssl*
[root@fuwuduan conf.d]# ss -antl|grep 443
LISTEN 0      128                *:443              *:*
```
Steps to configure https

Implementing a private CA with openssl:

CA configuration file: /etc/pki/tls/openssl.cnf

The CA generates a key pair:

```shell
[root@fuwuduan ~]# mkdir /etc/pki/CA
[root@fuwuduan ~]# mkdir /etc/pki/CA/private
[root@fuwuduan ~]# cd /etc/pki/CA/
[root@fuwuduan CA]# ls
private
// generate the private key
[root@fuwuduan CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................+++++
........................+++++
e is 65537 (0x010001)
// extract the public key
[root@fuwuduan CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuMwZqhj9qUx1ydEocRNG
944zA0YGO6YHBe+VDOgPc78ckqFSXL7FArRVDbzR8aL0uXEA3RHVXhEs8ktD3pqo
pk/+I4e6hBdJKIa1I4uRwiyH4iQiwKBhvIPyCHIyv0Z2wGa+r9SZ/HXRUcv6kNYU
bEoWEeqqFS3hn6QUTPRSB5Vew4x6pd/1zSnajsH7KdAU3/qVDwAfX5kSCuvPZ3Mu
05kD+D+wug770bmvfBZuSVSnyKaQTgIWXWES7K649jTUPmREj7xiO311ZXMLbsbt
HxuD2ZK53A0QkBRd/OF56faLPUhhf95O66otAo4tX+2dgNgU+Cc41r0QZOMUoQjA
vQIDAQAB
-----END PUBLIC KEY-----
```
Generate the CA's self-signed certificate (openssl still prompts for it as a "certificate request"):

```shell
[root@fuwuduan CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:dly
Organizational Unit Name (eg, section) []:www.123.com
Common Name (eg, your name or your server's hostname) []:www.123.com
Email Address []:1@2.com
```

View the certificate:

```shell
[root@fuwuduan CA]# openssl x509 -text -in cacert.pem
```
Create the CA's working directories and database, then generate the server key:

```shell
[root@fuwuduan CA]# mkdir certs newcerts crl
[root@fuwuduan CA]# touch index.txt && echo 01 > serial
[root@fuwuduan CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@fuwuduan ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................+++++
...............+++++
e is 65537 (0x010001)
[root@fuwuduan ssl]# ls
httpd.key
```
The client generates a certificate signing request:

```shell
[root@fuwuduan ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:dly
Organizational Unit Name (eg, section) []:www.123.com
Common Name (eg, your name or your server's hostname) []:www.123.com
Email Address []:1@2.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
The CA signs the certificate request submitted by the client:

```shell
[root@fuwuduan ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 21 13:54:25 2022 GMT
            Not After : Jul 21 13:54:25 2023 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = hubei
            organizationName          = dly
            organizationalUnitName    = www.123.com
            commonName                = www.123.com
            emailAddress              = 1@2.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C1:AE:24:8C:F5:8F:2A:FB:4D:88:1B:AB:C2:92:08:67:3F:87:D8:9D
            X509v3 Authority Key Identifier:
                keyid:C7:86:CA:35:A2:0F:80:AC:23:07:7A:2D:20:6A:F5:59:9E:68:FD:97

Certificate is to be certified until Jul 21 13:54:25 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
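The same private-CA workflow as an added, repeatable script (not from the original post): it runs every step non-interactively in a scratch directory with its own minimal openssl.cnf, then checks with openssl verify that httpd.crt really chains to cacert.pem. The scratch directory and the CA name "dly private CA" are assumptions; the post uses /etc/pki/CA and /etc/httpd/ssl.

```shell
# Added example, not from the original post: the private-CA steps above run
# non-interactively in a scratch directory (an assumption; the post uses
# /etc/pki/CA and /etc/httpd/ssl) and checked with openssl verify.
set -eu
build_private_ca() {
  dir=$1
  mkdir -p "$dir/private" "$dir/newcerts" "$dir/ssl"
  : > "$dir/index.txt"      # empty CA database
  echo 01 > "$dir/serial"   # first serial number, as in the transcript
  # Minimal stand-in for /etc/pki/tls/openssl.cnf; the policy keeps only CN.
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_cn
x509_extensions = server_ext
[ policy_cn ]
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.123.com
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
prompt = no
[ req_dn ]
CN = overridden-by-subj
[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF
  # CA key pair and self-signed CA certificate (the post's first two steps)
  (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$dir/openssl.cnf" -key "$dir/private/cakey.pem" \
    -subj "/C=cn/ST=hubei/L=wuhan/O=dly/CN=dly private CA" -days 365 -out "$dir/cacert.pem"
  # Server key and CSR, then the CA signs it without the interactive y/n prompts
  (umask 077; openssl genrsa -out "$dir/ssl/httpd.key" 2048 2>/dev/null)
  openssl req -new -config "$dir/openssl.cnf" -key "$dir/ssl/httpd.key" \
    -subj "/C=cn/ST=hubei/L=wuhan/O=dly/CN=www.123.com" -out "$dir/ssl/httpd.csr"
  openssl ca -batch -notext -config "$dir/openssl.cnf" -days 365 \
    -in "$dir/ssl/httpd.csr" -out "$dir/ssl/httpd.crt" 2>/dev/null
  openssl verify -CAfile "$dir/cacert.pem" "$dir/ssl/httpd.crt"
}
build_private_ca "${1:-$(mktemp -d)}"
```

The final verify line prints "<path>/ssl/httpd.crt: OK" and fails the script otherwise, which is the check worth running before pointing mod_ssl at the new files.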
