Persistent connections
Persistent Connection: once a connection is established it is not closed after each resource has been fetched; it stays open and waits for further requests. Persistent connections are enabled by default.
Side effect: on a server with a large volume of concurrent requests, persistent connections can leave some requests without a response, because idle connections keep holding worker slots.
Compromise: use a short persistent-connection timeout.
Directives related to persistent connections:
KeepAlive On|Off
KeepAliveTimeout 15 #keep the connection open for 15s; the value may also be given in ms; default 5s
MaxKeepAliveRequests 500 #maximum number of requests accepted on one persistent connection; default 100
DSO
Dynamic module loading (Dynamic Shared Object): modules are loaded through configuration directives, so a module can be enabled or disabled without recompiling httpd
Path of the dynamic modules: /usr/lib64/httpd/modules/
The main configuration file /etc/httpd/conf/httpd.conf specifies the configuration files in which modules are loaded
Format of the directive that loads a module:
LoadModule <mod_name> <mod_path>
The module file path may be relative; it is resolved relative to ServerRoot (default /etc/httpd)
View the configuration files that load modules
[root@igcllq ~]# ls /etc/httpd/conf.modules.d/
00-base.conf 00-dav.conf 00-lua.conf 00-mpm.conf 00-proxy.conf 00-systemd.conf 01-cgi.conf
[root@igcllq ~]# cat /etc/httpd/conf.modules.d/00-base.conf
#
# This file loads most of the modules included with the Apache HTTP
# Server itself.
#
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_anon_module modules/mod_authn_anon.so
List the statically compiled modules
httpd -l
List both statically compiled and dynamically loaded modules
httpd -M
MPM (Multi-Processing Modules)
httpd supports three MPM working modes: prefork, worker, event
Switching the MPM in use:
#enable the LoadModule directive of the MPM you want; the other two must be commented out with a # at the start of the line
vi /etc/httpd/conf.modules.d/00-mpm.conf
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
#LoadModule mpm_event_module modules/mod_mpm_event.so
Note: do not enable more than one MPM module at the same time, otherwise the following error occurs
AH00534: httpd: Configuration error: More than one MPM loaded.
Check the default MPM working mode on CentOS 8 and CentOS 7
httpd -M | grep mpm
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::20c:29ff:fe4c:24ed. Set the 'ServerName' directive globally to suppress this message
mpm_prefork_module (shared)
prefork-related configuration
StartServers 100
MinSpareServers 50
MaxSpareServers 80
ServerLimit 2560 #maximum number of processes; the hard upper bound is 20000
MaxRequestWorkers 2560 #maximum number of concurrent connections; default 256
MaxConnectionsPerChild 4000 #maximum number of requests one child process handles; after MaxConnectionsPerChild requests the child is terminated by the parent and the memory it occupied is released (0 means the child is never recycled)
MaxRequestsPerChild 4000 #replaced by MaxConnectionsPerChild since httpd 2.3.9
worker- and event-related configuration
ServerLimit 16 #maximum number of worker processes (upper limit on the configurable number of processes)
StartServers 10 #number of child server processes created at startup
MaxRequestWorkers 150 #maximum number of connections that will be processed simultaneously
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25 #number of threads created by each child process
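The MPM rules above (exactly one MPM loaded, and MaxRequestWorkers bounded by ServerLimit for prefork or by ServerLimit * ThreadsPerChild for worker/event) can be checked before a restart. The Python below is an added example, not part of the original notes; the configuration text it parses is constructed from the directives shown above, and parse_directives, check_mpm_count and check_capacity are names chosen here.

```python
# Constructed sample configuration text, modelled on the directives shown
# above (not read from a real server).
MPM_MODULES_CONF = """\
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
#LoadModule mpm_event_module modules/mod_mpm_event.so
"""

PREFORK_CONF = """\
StartServers 100
MinSpareServers 50
MaxSpareServers 80
ServerLimit 2560      #maximum number of processes
MaxRequestWorkers 2560
MaxConnectionsPerChild 4000
"""

WORKER_CONF = """\
ServerLimit 16
StartServers 10
MaxRequestWorkers 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
"""


def parse_directives(text):
    """Return [(name, [args...])] for each non-empty, non-comment line.
    A '#' starts a comment, as in httpd.conf and in the notes above."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives.append((name, args))
    return directives


def loaded_mpms(text):
    """Names of MPM modules that are really loaded (commented lines are ignored)."""
    return [args[0] for name, args in parse_directives(text)
            if name.lower() == "loadmodule" and args and args[0].startswith("mpm_")]


def check_mpm_count(text):
    """httpd refuses to start with error AH00534 when more than one MPM is
    loaded, and cannot run with none.  Returns (ok, detail)."""
    mpms = loaded_mpms(text)
    if len(mpms) == 1:
        return True, mpms[0]
    return False, "expected exactly one MPM, found: " + (", ".join(mpms) or "none")


def check_capacity(text, mpm):
    """Check MaxRequestWorkers against the hard limits documented for each MPM:
      prefork:      MaxRequestWorkers <= ServerLimit
      worker/event: MaxRequestWorkers <= ServerLimit * ThreadsPerChild
    httpd lowers a value that exceeds the limit and logs a warning at startup,
    so a silently smaller capacity than intended is the usual symptom.
    Returns (ok, capacity, max_request_workers)."""
    values = {name.lower(): int(args[0]) for name, args in parse_directives(text)
              if args and args[0].isdigit()}
    prefork = mpm == "mpm_prefork_module"
    # Defaults from the MPM documentation, used when a directive is absent.
    server_limit = values.get("serverlimit", 256 if prefork else 16)
    threads_per_child = 1 if prefork else values.get("threadsperchild", 25)
    capacity = server_limit * threads_per_child
    max_workers = values.get("maxrequestworkers", 256 if prefork else 400)
    return max_workers <= capacity, capacity, max_workers


if __name__ == "__main__":
    ok, mpm = check_mpm_count(MPM_MODULES_CONF)
    print("MPM check:", ok, mpm)
    print("prefork capacity:", check_capacity(PREFORK_CONF, "mpm_prefork_module"))
    print("worker capacity:", check_capacity(WORKER_CONF, "mpm_worker_module"))
```

Run it against the real files with `check_mpm_count(open("/etc/httpd/conf.modules.d/00-mpm.conf").read())` and the MPM section of httpd.conf; a False from check_capacity means the configured MaxRequestWorkers will be clamped, which usually shows up later as unexplained queueing under load.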
Defining the document root of the main server
The path DocumentRoot points to is the starting point of URL paths
/path must be explicitly authorized before it can be accessed
DocumentRoot "/path"
<directory /path>
Require all granted
</directory>
#mapping between URL and disk path
http://HOST:PORT/test/index.html --> /data/html/test/index.html
Resources that can be placed under access control
Access control can be applied both to filesystem resources and to URI resources
Filesystem paths:
#by directory
<Directory "/path">
...
</Directory>
#by file
<Files "/path/file">
...
</Files>
#by filename wildcard
<Files "/path/*file*">
...
</Files>
#by extended regular expression
<FilesMatch "regex">
...
</FilesMatch>
Access control on directories and URLs
1. The Options directive
Followed by one or more whitespace-separated options; a + or - in front of an option adds or removes that option relative to the options already in force
Common options:
Indexes: when the requested URL path contains no file matching the defined index page, return a directory listing to the client
FollowSymLinks: allow access to the file a symbolic link points to
None: disable all options
All: enable all options
<Directory /web/docs>
Options -Indexes -FollowSymLinks
</Directory>
<Directory /web/docs/spec>
Options -FollowSymLinks
</Directory>
Example
[root@centos8 ~]#cd /etc/httpd/conf.d/
[root@centos8 conf.d]#mv welcome.conf{,.bak}
[root@centos8 ~]#echo /data/data.html > /data/data.html
[root@centos8 ~]#ln -s /data /var/www/html/datalink
[root@centos8 ~]#mkdir /var/www/html/dir1/
[root@centos8 ~]#echo /var/www/html/dir1/dir1.html > /var/www/html/dir1/dir1.html
[root@centos8 ~]#echo Test Page > /var/www/html/test.html
[root@centos8 ~]#systemctl restart httpd
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
#Options Indexes FollowSymLinks
Options Indexes #comment out the line above and change it to this line
[root@centos8 ~]#systemctl restart httpd
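How the + and - forms merge with the options inherited from a parent directory, and what the httpd.conf edit in the example above changes, shown with an added Python example (not from the original notes). merge_options, effective_options and risky_options are names chosen here; the rule implemented is the one from the httpd core documentation: an all-relative list (+/-) merges into the parent's set, an absolute list replaces it, and All means every option except MultiViews.

```python
# "All" means every option except MultiViews (core documentation).
ALL_OPTIONS = frozenset({"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
                         "Indexes", "SymLinksIfOwnerMatch"})
KNOWN_OPTIONS = ALL_OPTIONS | {"MultiViews"}

# Options worth a second look when they are in force on content directories.
RISKY = {
    "Indexes": "directory listing exposes every file in the directory",
    "FollowSymLinks": "a symlink can point outside DocumentRoot",
    "ExecCGI": "files in the directory can be executed as CGI",
    "Includes": "server-side includes may run commands",
}


def _expand(name):
    """Map one option word (case-insensitive) to the set of options it stands for."""
    lowered = name.lower()
    if lowered == "all":
        return set(ALL_OPTIONS)
    if lowered == "none":
        return set()
    for known in KNOWN_OPTIONS:
        if known.lower() == lowered:
            return {known}
    raise ValueError("unknown option: " + name)


def merge_options(inherited, directive):
    """Effective Options for a directory that inherits `inherited` from its
    parent and declares `Options <directive>`.  If every word carries + or -,
    the list is merged into the parent's set; otherwise it replaces it;
    mixing the two forms is a syntax error in httpd."""
    words = directive.split()
    relative = [w for w in words if w[0] in "+-"]
    if relative and len(relative) != len(words):
        raise ValueError("cannot mix relative and absolute options: " + directive)
    result = set(inherited) if relative else set()
    for word in words:
        if word[0] == "+":
            result |= _expand(word[1:])
        elif word[0] == "-":
            result -= _expand(word[1:])
        else:
            result |= _expand(word)
    return result


def effective_options(default, sections):
    """Walk (path, directive) sections from the least to the most specific
    directory and return the options in force for the last one."""
    current = set(default)
    for _path, directive in sections:
        current = merge_options(current, directive)
    return current


def risky_options(options):
    """The subset of `options` that RISKY explains, with the reason for each."""
    return {o: RISKY[o] for o in options if o in RISKY}


if __name__ == "__main__":
    # The nested example from the notes: /web/docs, then /web/docs/spec.
    docs = effective_options({"Indexes", "FollowSymLinks"},
                             [("/web/docs", "-Indexes -FollowSymLinks")])
    spec = effective_options({"Indexes", "FollowSymLinks"},
                             [("/web/docs", "-Indexes -FollowSymLinks"),
                              ("/web/docs/spec", "-FollowSymLinks")])
    print("/web/docs:", docs, "/web/docs/spec:", spec)
    # The httpd.conf edit from the example: "Indexes FollowSymLinks" -> "Indexes",
    # after which the /var/www/html/datalink symlink is no longer followed.
    print(risky_options(merge_options({"Indexes", "FollowSymLinks"}, "Indexes")))
```

The absolute form is the one to watch in reviews: an `Options Indexes` in a nested directory silently discards everything the parent enabled, while `Options +Indexes` keeps it, and the two read almost identically.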
2. The AllowOverride directive
Specifies which of the access-control-related directives may be placed in the .htaccess file of a given directory (the file name is set by the AccessFileName directive; AccessFileName .htaccess is the default) to override the earlier configuration; it only applies to the directive groups listed
Common usage:
AllowOverride All: every directive in .htaccess takes effect
AllowOverride None: the .htaccess file is ignored; this is the default since httpd 2.3.9
AllowOverride AuthConfig: in the .htaccess file, only AuthConfig directives take effect; all others are ignored
Example
vim /etc/httpd/conf/httpd.conf
#Options Indexes FollowSymLinks
Options Indexes
#AllowOverride None
AllowOverride options=FollowSymLinks,indexes #comment out the line above and change it to this line
[root@centos8 ~]#vim /var/www/html/dir1/.htaccess
Options FollowSymLinks indexes #add this line
[root@centos8 ~]#ln -s /app /var/www/html/dir1/applink
[root@centos8 ~]#systemctl restart httpd
Example: access to the .htaccess file itself is denied by default
[root@centos7 test2]#grep -Ev '^ *#|^$' /apps/httpd24/conf/httpd.conf |grep -A 2 'ht\*'
<Files ".ht*">
Require all denied
</Files>
Access control based on the client IP address
Access control based on the client's IP address:
A directory without explicit authorization is denied by default
Allow all hosts: Require all granted
Deny all hosts: Require all denied
Control access from specific IPs:
Require ip IPADDR: grant access from the given source IP
Require not ip IPADDR: deny access from the given IP
Control access from specific hosts:
Require host HOSTNAME: grant access to the given host
Require not host HOSTNAME: deny access to the given host
HOSTNAME can be:
FQDN: a specific host
domain.tld: all hosts under the given domain
No directive may fail and at least one must succeed for the whole block to succeed, i.e. failure takes priority
<RequireAll>
Require all granted
Require not ip 172.16.1.1 #deny a specific IP
</RequireAll>
If any one of the directives succeeds the whole block succeeds, i.e. success takes priority
<RequireAny>
Require all denied
require ip 172.16.1.1 #allow a specific IP
</RequireAny>
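The RequireAll/RequireAny rules above, worked out in an added Python example (not part of the original notes). It models the three outcomes mod_authz_core uses (granted, denied, neutral): a positive Require that does not match is neutral rather than denied, a `Require not` is denied when its provider matches and neutral otherwise, and a neutral result at the top level is a denial. Only the ip, host and all providers are modelled; evaluate_require, combine and is_allowed are names chosen here, and the client addresses are constructed.

```python
import ipaddress

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"


def _ip_matches(client_ip, spec):
    """Match the forms 'Require ip' accepts: a full address, a CIDR network,
    or a partial dotted prefix such as 172.16 (meaning 172.16.0.0/16)."""
    client = ipaddress.ip_address(client_ip)
    if "/" in spec:
        return client in ipaddress.ip_network(spec, strict=False)
    parts = spec.split(".")
    if len(parts) < 4 and all(p.isdigit() for p in parts):
        padded = ".".join(parts + ["0"] * (4 - len(parts)))
        return client in ipaddress.ip_network("%s/%d" % (padded, 8 * len(parts)), strict=False)
    return client == ipaddress.ip_address(spec)


def evaluate_require(line, client_ip, client_host=""):
    """Outcome of one Require line for one client, following mod_authz_core:
    a provider that does not match is NEUTRAL, not DENIED; 'Require not X' is
    DENIED when X matches and NEUTRAL otherwise; 'all' is always decisive."""
    words = line.split("#", 1)[0].split()   # drop trailing comments as written in the notes
    if not words or words[0].lower() != "require":
        raise ValueError("not a Require line: " + line)
    negate = len(words) > 2 and words[1].lower() == "not"
    provider = words[2 if negate else 1].lower()
    args = words[3 if negate else 2:]
    if provider == "all":
        return GRANTED if args and args[0].lower() == "granted" else DENIED
    if provider == "ip":
        matched = any(_ip_matches(client_ip, a) for a in args)
    elif provider == "host":
        host = client_host.lower()
        matched = any(host == a.lower() or host.endswith("." + a.lower()) for a in args)
    else:
        raise ValueError("provider not modelled here: " + provider)
    if negate:
        return DENIED if matched else NEUTRAL
    return GRANTED if matched else NEUTRAL


def combine(container, results):
    """RequireAll: one DENIED denies, otherwise one GRANTED grants, else NEUTRAL.
    RequireAny: one GRANTED grants, otherwise one DENIED denies, else NEUTRAL.
    Bare Require lines directly inside <Directory> behave like RequireAny."""
    kind = container.lower()
    if kind == "requireall":
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    if kind == "requireany":
        if GRANTED in results:
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL
    raise ValueError("unknown container: " + container)


def is_allowed(container, lines, client_ip, client_host=""):
    """Final decision for one client: only GRANTED lets the request through.
    A NEUTRAL outcome at the top level is a denial, which is why a directory
    with no matching Require is refused by default."""
    results = [evaluate_require(l, client_ip, client_host) for l in lines]
    return combine(container, results) == GRANTED


if __name__ == "__main__":
    deny_one = ["Require all granted", "Require not ip 172.16.1.1 #deny a specific IP"]
    allow_one = ["Require all denied", "Require ip 172.16.1.1 #allow a specific IP"]
    for ip in ("172.16.1.1", "172.16.1.2"):   # constructed client addresses
        print(ip, "RequireAll:", is_allowed("RequireAll", deny_one, ip),
              "RequireAny:", is_allowed("RequireAny", allow_one, ip))
```

The neutral outcome is the part people miss: `Require ip 172.16` alone never denies anyone explicitly, yet every other client is refused because nothing granted them, and `Require not ip` can only ever deny, so a block made solely of `not` rules admits nobody.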
Log settings
httpd has two types of log
1. Access log
2. Error log
Error log
LogLevel warn #possible LogLevel values: debug, info, notice, warn, error, crit, alert, emerg
ErrorLog logs/error_log
Access log
Define a log format
LogFormat format nickname
Use a log format
CustomLog file nickname
Example:
LogFormat "%h %l %u %{%F %T}t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" testlog
%h #client IP address
%l #remote logname; only meaningful when mod_ident is enabled, usually a hyphen "-"
%u #remote user authenticated by basic or digest auth; a hyphen "-" for requests without login
%t #time the server received the request
%r #first line of the request, i.e. the request line; it records the "method", "URL" and protocol version of the request
%>s #response status code
%b #size of the response body in bytes, not including the HTTP response headers
%{Referer}i #value of the "Referer" header of the request, i.e. the page whose hyperlink led to the current page
%{User-Agent}i #value of the "User-Agent" header of the request, i.e. the application that issued the request
%{VARNAME}i #the contents of VARNAME: header line(s) in the request sent to the server
Example: customize the time format through a custom access-log format
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
logFormat "%h \"%{%F %T}t\" %>s %{User-Agent}i" testlog
CustomLog "logs/access_log" testlog
[root@centos8 ~]#tail -f /var/log/httpd/access_log
10.0.0.7 "2020-06-24 10:26:51" 200 curl/7.29.0
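Reading lines written in a custom format back out is easier when the LogFormat string itself drives the parser. The added Python example below (not from the original notes) converts a LogFormat string into a regular expression, parses the line from the example above plus a few constructed lines, and counts status codes per client so that a run of 401 responses against a protected path stands out. logformat_to_regex, parse_log and status_per_client are names chosen here.

```python
import re
from collections import Counter

# One %-directive: optional modifier (<, >), optional {argument}, then the letter.
_DIRECTIVE = re.compile(r"%(?P<mod>[<>])?(?:\{(?P<arg>[^}]*)\})?(?P<letter>[A-Za-z])")


def logformat_to_regex(fmt):
    """Turn an httpd LogFormat string into an anchored regex with named groups.
    `fmt` is the format as httpd sees it, i.e. with the \\" escapes of the
    config file already resolved to plain quotes.  Handled directives are the
    ones explained above: %h %l %u %t %{strftime}t %r %>s %b %{Header}i."""
    pattern, pos = "", 0
    for m in _DIRECTIVE.finditer(fmt):
        pattern += re.escape(fmt[pos:m.start()])
        letter, arg = m.group("letter"), m.group("arg")
        if letter == "t":
            # plain %t is bracketed: [24/Jun/2020:10:26:51 +0800]; a custom
            # strftime format is printed without brackets and may contain spaces
            pattern += r"(?P<t>\[[^\]]+\])" if arg is None else r"(?P<t>.+?)"
        elif letter == "i":
            pattern += r"(?P<i_%s>.*?)" % re.sub(r"[^A-Za-z0-9]", "_", arg or "")
        elif letter in "sb":
            pattern += r"(?P<%s>-|\d+)" % letter
        elif letter in "hlu":
            pattern += r"(?P<%s>\S+)" % letter
        elif letter == "r":
            pattern += r'(?P<r>[^"]*)'
        else:
            raise ValueError("directive %%%s is not handled" % letter)
        pos = m.end()
    pattern += re.escape(fmt[pos:])
    return re.compile("^" + pattern + "$")


def parse_log(fmt, lines):
    """Parse each line with the format; lines that do not match are returned
    separately instead of being silently dropped."""
    regex = logformat_to_regex(fmt)
    records, rejected = [], []
    for line in lines:
        m = regex.match(line)
        if m:
            records.append(m.groupdict())
        else:
            rejected.append(line)
    return records, rejected


def status_per_client(records):
    """Count (client, status) pairs, e.g. to spot one client collecting many
    401/403 responses against a Basic-auth protected path."""
    counts = Counter()
    for r in records:
        counts[(r["h"], r["s"])] += 1
    return counts


# Constructed sample: the format from the example above and lines in the shape
# it produces (the first line is the one shown in the notes; the rest are made up).
TESTLOG_FORMAT = '%h "%{%F %T}t" %>s %{User-Agent}i'
TESTLOG_LINES = [
    '10.0.0.7 "2020-06-24 10:26:51" 200 curl/7.29.0',
    '10.0.0.7 "2020-06-24 10:27:02" 401 curl/7.29.0',
    '10.0.0.7 "2020-06-24 10:27:05" 401 curl/7.29.0',
    'garbage line that does not match',
]

# The fuller format defined earlier in this section, with one constructed line.
COMBINED_FORMAT = '%h %l %u %{%F %T}t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"'
COMBINED_LINE = '10.0.0.7 - xiaoming 2020-06-24 10:26:51 "GET /secret/ HTTP/1.1" 200 29 "-" "curl/7.29.0"'

if __name__ == "__main__":
    records, rejected = parse_log(TESTLOG_FORMAT, TESTLOG_LINES)
    print(status_per_client(records), "rejected:", rejected)
    print(parse_log(COMBINED_FORMAT, [COMBINED_LINE])[0][0])
```

A custom `%{...}t` without brackets is the reason the example wraps it in quotes: the date contains a space, and without a delimiter a parser has no reliable way to tell where the timestamp ends, as the non-greedy `t` group above relies on the quote that follows it.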
Setting the default character set
Character-set directive
AddDefaultCharset UTF-8 #this is the default value
Chinese character sets: GBK, GB2312, GB18030
Defining path aliases
Format
Alias /URL/ "/PATH/"
Example
DocumentRoot "/www/htdocs"
#http://www.magedu.com/download/bash.rpm ==> /www/htdocs/download/bash.rpm
Alias /download/ "/rpms/pub/"
#http://www.magedu.com/download/bash.rpm ==> /rpms/pub/bash.rpm
#http://www.magedu.com/images/logo.png ==> /www/htdocs/images/logo.png
[root@centos8 ~]#cat /etc/httpd/conf.d/test.conf
alias /news /data/html/newsdir/
<directory /data/html/newsdir>
require all granted
</directory>
User-based authentication
1. Define a security realm
<Directory "/path">
Options None
AllowOverride None
AuthType Basic
AuthName "String"
AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"
Require user username1 username2 ...
</Directory>
Allow every user in the account file to log in:
Require valid-user
Providing account and password storage (text file)
Use the dedicated command to create such files and manage their users
htpasswd [options] /PATH/HTTPD_PASSWD_FILE username
#make sure the apache user has read permission on this file
setfacl -m u:apache:r /PATH/HTTPD_PASSWD_FILE
-c create the file; should only be used when the file does not exist yet
-p store the password in plain text
-d crypt() encryption, the default
-m MD5 encryption
-s SHA encryption
-D delete the given user
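A defender's check of the password file options listed above, as an added Python example (not part of the original notes): it classifies each entry's storage scheme, flags duplicate users, and verifies a password only for the unsalted schemes to show why they are weak. The two $apr1$ entries are the ones shown in the examples of this section, which is what htpasswd produces without options on current releases; -B (bcrypt) is the strongest choice and is not in the list above. The other sample entries are constructed, and classify, audit_htpasswd, sha_field, verify_weak and permission_finding are names chosen here.

```python
import base64
import hashlib

_CRYPT_CHARS = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

# Scheme name -> finding text, strongest first.
SCHEMES = {
    "bcrypt": "ok: salted, deliberately slow hash (htpasswd -B)",
    "md5-apr1": "acceptable: salted and iterated, but based on fast MD5 (htpasswd -m)",
    "sha1": "weak: unsalted SHA-1, equal passwords give equal fields (htpasswd -s)",
    "crypt": "weak: classic crypt(), password truncated to 8 characters (htpasswd -d)",
    "plaintext": "critical: password stored in clear (htpasswd -p)",
}


def classify(hash_field):
    """Identify the storage scheme from the sh
ape of the password field."""
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hash_field.startswith("$apr1$"):
        return "md5-apr1"
    if hash_field.startswith("{SHA}"):
        return "sha1"
    # crypt() output is exactly 13 characters of the ./0-9A-Za-z alphabet; a
    # 13-character plaintext drawn from that alphabet would be misread as crypt.
    if len(hash_field) == 13 and set(hash_field) <= _CRYPT_CHARS:
        return "crypt"
    return "plaintext"


def audit_htpasswd(text):
    """One (user, scheme, finding) tuple per entry, plus a finding per duplicate user."""
    findings, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append(("?", "malformed", "line %d has no ':' separator" % lineno))
            continue
        user, hash_field = line.split(":", 1)
        scheme = classify(hash_field)
        findings.append((user, scheme, SCHEMES[scheme]))
        if user in seen:
            findings.append((user, "duplicate", "user appears more than once"))
        seen.add(user)
    return findings


def sha_field(password):
    """The {SHA} field htpasswd -s stores: base64 of the raw SHA-1 digest, no salt."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def verify_weak(hash_field, password):
    """Check a password against the two unsalted schemes only.  Without a salt
    the field is a pure function of the password, which is what makes these
    schemes cheap to attack in bulk with precomputed tables."""
    if hash_field.startswith("{SHA}"):
        return hash_field == sha_field(password)
    if classify(hash_field) == "plaintext":
        return hash_field == password
    raise ValueError("salted schemes are not verified here")


def permission_finding(mode):
    """Flag a password file readable by 'others'; the notes grant the apache
    user read access with setfacl instead of widening the mode."""
    if mode & 0o004:
        return "password file is world-readable (mode %o)" % (mode & 0o777)
    return None


# Constructed sample file: the two $apr1$ entries are the ones shown in the
# examples of this section; the rest are made up to exercise every scheme.
SAMPLE_HTPASSWD = "\n".join([
    "xiaoming:$apr1$UWsEVknf$pR2fwEGRq/k8Xt0p3zolZ0",
    "xiaohong:$apr1$PLPPnYtJ$tZ9yYwYh6h44nyRxBDMOJ.",
    "legacy1:" + sha_field("password"),
    "legacy2:abJnggxhB/yWI",        # constructed 13-character crypt() field
    "tester:Summer2020",            # plaintext
    "admin:$2y$05$" + "x" * 53,     # constructed bcrypt-shaped field
    "tester:AnotherOne",            # duplicate user
])

if __name__ == "__main__":
    for user, scheme, finding in audit_htpasswd(SAMPLE_HTPASSWD):
        print("%-9s %-10s %s" % (user, scheme, finding))
    print(permission_finding(0o644))
```

Point it at a real file with `audit_htpasswd(open(path).read())` and `permission_finding(os.stat(path).st_mode)`; entries reported as sha1, crypt or plaintext should be re-created with `htpasswd -B`, since the file format lets the schemes coexist and users can be migrated one at a time.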
Method 1
[root@centos8 html]#mkdir admin
[root@centos8 html]#echo /var/www/html/admin/index.html > admin/index.html
[root@centos8 ~]#cat /etc/httpd/conf.d/test.conf
<directory /var/www/html/admin>
AuthType Basic
AuthName "FBI warning"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
#Require user xiaoming xiaohong
require valid-user
</directory>
[root@centos8 ~]#htpasswd -c /etc/httpd/conf.d/.httpuser xiaoming
New password:
Re-type new password:
Adding password for user xiaoming
[root@centos8 ~]#htpasswd /etc/httpd/conf.d/.httpuser xiaohong
New password:
Re-type new password:
Adding password for user xiaohong
[root@centos8 ~]#cat /etc/httpd/conf.d/.httpuser
xiaoming:$apr1$UWsEVknf$pR2fwEGRq/k8Xt0p3zolZ0
xiaohong:$apr1$PLPPnYtJ$tZ9yYwYh6h44nyRxBDMOJ.
[root@centos8 ~]#systemctl reload httpd
[root@centos8 ~]#curl http://xiaoming:centos@10.0.0.7/secret/
/data/html/secret/index.html
[root@centos8 ~]#curl -u xiaohong:centos http://10.0.0.7/secret/
/data/html/secret/index.html
Example: method 2
[root@centos8 ~]#mkdir /var/www/html/secret
[root@centos8 ~]#echo /var/www/html/secret/index.html >
/var/www/html/secret/index.html
[root@centos8 ~]#cd /var/www/html/secret/
[root@centos8 secret]#ls
index.html
[root@centos8 secret]#vim .htaccess
[root@centos8 ~]#cat /var/www/html/secret/.htaccess
AuthType Basic
AuthName "FBI warning"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
Require user xiaoming
[root@centos8 ~]#vim /etc/httpd/conf.d/test.conf
[root@centos8 ~]#cat /etc/httpd/conf.d/test.conf
<directory /var/www/html/admin>
AuthType Basic
AuthName "FBI warning"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
#Require user xiaoming xiaohong
require valid-user
</directory>
<directory /var/www/html/secret>
allowoverride authconfig
</directory>
[root@centos8 ~]#systemctl reload httpd
Group-based authentication
1. Define a security realm
<Directory "/path">
AuthType Basic
AuthName "String"
AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"
AuthGroupFile "/PATH/HTTPD_GROUP_FILE"
Require group grpname1 grpname2 ...
</Directory>
2. Create the user account file and the group account file
Group file: each line defines one group
GRP_NAME: username1 username2 ...
Example
[root@centos8 ~]#cat /etc/httpd/conf.d/test.conf
<directory /var/www/html/secret>
allowoverride authconfig
</directory>
[root@centos8 ~]#cat /var/www/html/secret/.htaccess
AuthType Basic
AuthName "FBI warning"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
AuthGroupFile "/etc/httpd/conf.d/.httpgroup"
Require group webadmins
[root@centos8 ~]#cat /etc/httpd/conf.d/.httpuser
xiaoming:$apr1$UWsEVknf$pR2fwEGRq/k8Xt0p3zolZ0
xiaohong:$apr1$PLPPnYtJ$tZ9yYwYh6h44nyRxBDMOJ.
[root@centos8 ~]#cat /etc/httpd/conf.d/.httpgroup
webadmins: xiaoming xiaohong
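Parsing the group file format above and deciding Require user / Require group / Require valid-user for an authenticated user, as an added Python example (not part of the original notes). The sample user and group files reuse the entries shown above plus one constructed group whose member has no password entry, which orphan_members reports. parse_user_file, parse_group_file, require_allows and orphan_members are names chosen here.

```python
def parse_user_file(text):
    """Usernames in an AuthUserFile: the part of each line before the first ':'."""
    users = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and ":" in line:
            users.add(line.split(":", 1)[0].strip())
    return users


def parse_group_file(text):
    """Parse AuthGroupFile lines of the form 'GRP_NAME: user1 user2 ...' into
    {group: set_of_members}; a group named on several lines is merged."""
    groups = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed group line: " + raw)
        name, members = line.split(":", 1)
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def require_allows(require_line, user, users, groups):
    """Decide a 'Require user ...', 'Require group ...' or 'Require valid-user'
    line for a user who has already authenticated against the user file.
    A name that is in a group but not in the user file can never be granted,
    because authentication fails before authorization is reached."""
    words = require_line.split()
    if len(words) < 2 or words[0].lower() != "require":
        raise ValueError("not a Require line: " + require_line)
    kind = words[1].lower()
    if user not in users:
        return False
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in words[2:]
    if kind == "group":
        return any(user in groups.get(g, set()) for g in words[2:])
    raise ValueError("provider not modelled here: " + kind)


def orphan_members(groups, users):
    """Group members without a password entry, per group.  Typically left
    behind when an account is removed with htpasswd -D but not from the group."""
    return {g: sorted(m - users) for g, m in groups.items() if m - users}


# Sample files: the user and group entries shown above, plus one constructed
# group (auditors) whose member wangwu has no password entry.
HTTPUSER = """\
xiaoming:$apr1$UWsEVknf$pR2fwEGRq/k8Xt0p3zolZ0
xiaohong:$apr1$PLPPnYtJ$tZ9yYwYh6h44nyRxBDMOJ.
"""
HTTPGROUP = """\
webadmins: xiaoming xiaohong
auditors: xiaoming wangwu   #constructed group
"""

if __name__ == "__main__":
    users, groups = parse_user_file(HTTPUSER), parse_group_file(HTTPGROUP)
    for u in ("xiaoming", "xiaohong", "wangwu"):
        print(u, require_allows("Require group webadmins", u, users, groups))
    print("orphans:", orphan_members(groups, users))
```

Orphan members are harmless on their own, but they are the usual sign that the user file and the group file are maintained by different people; when a leaver is removed with `htpasswd -D`, the group line is the place a later `htpasswd` re-add quietly restores their access.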
Controlling client address and user authentication together
Satisfy All|Any
Allow from and Satisfy are httpd 2.2-style directives; under httpd 2.4 they only work while mod_access_compat is loaded (00-base.conf above loads it)
#for the /var/www/html/test directory, clients from 192.168.1.0/24 may access it directly; clients from other networks must pass user authentication first
<Directory "/var/www/html/test">
Require valid-user
Allow from 192.168.1
Satisfy Any
</Directory>
#the /var/www/private directory can only be accessed after user authentication
<Directory "/var/www/private">
Require valid-user
</Directory>
#/var/www/private/public needs no user authentication; any client may access it
<Directory "/var/www/private/public">
Allow from all
Satisfy Any
</Directory>
Sharing users' home directories over HTTP
Implemented by the module mod_userdir.so
Related settings:
vim /etc/httpd/conf.d/userdir.conf
<IfModule mod_userdir.c>
#UserDir disabled #comment out this line
UserDir public_html #uncomment this line; it names the directory that is shared
</IfModule>
#prepare the directory
su - wang
mkdir ~/public_html
setfacl -m u:apache:x ~wang
#access
http://localhost/~wang/index.html
Example: sharing a home directory
[root@centos8 ~]#su - zhao
[wang@centos8 ~]$mkdir html
[wang@centos8 ~]$echo /home/zhao/html/index.html > html/index.html
[wang@centos8 ~]$setfacl -m u:apache:x /home/wang
[root@centos8 ~]#vim /etc/httpd/conf.d/userdir.conf
[root@centos8 ~]#grep -v '^ *#' /etc/httpd/conf.d/userdir.conf
<IfModule mod_userdir.c>
UserDir html
</IfModule>
<directory /home/zhao/html>
require all granted
</directory>
Access from a browser
http://localhost/~wang/
Example: share a home directory and add basic authentication
vi /etc/httpd/conf.d/userdir.conf (centos7)
<IfModule mod_userdir.c>
#UserDir disabled
UserDir public_html
</IfModule>
#comment out the following lines
#<Directory "/home/*/public_html">
# AllowOverride FileInfo AuthConfig Limit Indexes
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
# Require method GET POST OPTIONS
#</Directory>
vi /etc/httpd/conf.d/userdir.conf
#add the following lines to allow anonymous access
<Directory "/home/test/public_html">
Require all granted
</Directory>
#prepare the directory and the web page
su - test
mkdir ~/public_html
echo testhomewebsite > ~/public_html/index.html
#access only succeeds once this permission is granted
setfacl -m u:apache:x ~test
#access
http://localhost/~test/index.html
#remove the lines above and add the lines below to enable authentication
vi /etc/httpd/conf.d/userdir.conf
<directory /home/test/public_html>
AuthType Basic
AuthName "test home"
AuthUserFile "/etc/httpd/conf.d/htuser"
require user http1
</directory>
systemctl restart httpd
#create the password file
htpasswd -c -m /etc/httpd/conf/.htpasswd test
#access again
http://localhost/~test/index.html
Hiding the server version information
ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full
Example:
ServerTokens Prod[uctOnly]: Server: Apache
ServerTokens Major: Server: Apache/2
ServerTokens Minor: Server: Apache/2.0
ServerTokens Min[imal]: Server: Apache/2.0.41
ServerTokens OS: Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2
Preventing version disclosure on error pages
ServerSignature On | Off | EMail
The default is Off. If ServerTokens is left at its default and ServerSignature is On, then when a client requests a page that does not exist the server generates an error document whose last line contains the server name, Apache version and similar details. To keep this information from being shown, set the parameter to Off; if it is set to EMail, a mailto: reference to the ServerAdmin address is shown as well
ServerSignature on
Disabling the TRACE method
TraceEnable [on|off|extended]
The default is on; because of the security risk it is recommended to turn it off
Example: disabling the TRACE method
[root@centos8 ~]#curl -IX OPTIONS http://www.apache.org
HTTP/1.1 200 OK
Date: Wed, 24 Jun 2020 06:02:45 GMT
Server: Apache/2.4.18 (Ubuntu)
Allow: GET,HEAD,POST,OPTIONS
Cache-Control: max-age=3600
Expires: Wed, 24 Jun 2020 07:02:45 GMT
Content-Length: 0
Content-Type: text/html
[root@centos8 ~]#curl -IX OPTIONS http://127.0.0.1
HTTP/1.1 200 OK
Date: Wed, 24 Jun 2020 06:04:45 GMT
Server: Apache/2.4.37 (centos)
Allow: POST,OPTIONS,HEAD,GET,TRACE
Content-Length: 0
Content-Type: httpd/unix-directory
[root@centos8 ~]#vim /etc/httpd/conf.d/test.conf
TraceEnable off
[root@centos8 ~]#curl -IX OPTIONS http://127.0.0.1
HTTP/1.1 200 OK
Date: Tue, 10 Dec 2019 04:09:41 GMT
Server: Apache/2.4.37 (centos)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 0
Content-Type: text/html; charset=UTF-8
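The three hardening directives of this section (ServerTokens, ServerSignature, TraceEnable) and the OPTIONS responses above can be audited automatically. The Python below is an added example, not part of the original notes: it parses a curl -I response, lists the methods in Allow, infers the ServerTokens level from the Server header using the table above, and checks a configuration fragment against the recommended values, applying httpd's defaults (ServerTokens Full, ServerSignature Off, TraceEnable on) when a directive is absent. The embedded responses are copied from the examples above; parse_response, allowed_methods, server_tokens_level, audit_config and audit_options_response are names chosen here.

```python
def parse_response(raw):
    """Split a 'curl -I' style response into (status line, {header-name: value});
    header names are lower-cased because they are case-insensitive."""
    lines = [l.rstrip("\r") for l in raw.strip().splitlines()]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def allowed_methods(raw):
    """Methods advertised in the Allow header of an OPTIONS response."""
    _, headers = parse_response(raw)
    return {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}


def server_tokens_level(server_header):
    """Infer the ServerTokens level from a Server header using the table above;
    an empty header is treated as Prod since it leaks nothing."""
    product, _, rest = server_header.strip().partition(" ")
    _name, _, version = product.partition("/")
    if not version:
        return "Prod"
    dots = version.count(".")
    if dots == 0:
        return "Major"
    if dots == 1:
        return "Minor"
    if not rest:
        return "Minimal"
    return "OS" if rest.startswith("(") and rest.endswith(")") else "Full"


def audit_config(text):
    """Findings for ServerTokens, ServerSignature and TraceEnable in a config
    fragment.  An absent directive takes httpd's default: Full, Off, on."""
    settings = {"servertokens": "Full", "serversignature": "Off", "traceenable": "on"}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            if name.lower() in settings and args:
                settings[name.lower()] = args[0]
    findings = []
    if not settings["servertokens"].lower().startswith("prod"):
        findings.append("ServerTokens %s leaks version details; use Prod" % settings["servertokens"])
    if settings["serversignature"].lower() != "off":
        findings.append("ServerSignature %s adds server details to error pages; use Off" % settings["serversignature"])
    if settings["traceenable"].lower() != "off":
        findings.append("TraceEnable %s leaves the TRACE method available; use off" % settings["traceenable"])
    return findings


def audit_options_response(raw):
    """Findings from a live OPTIONS response: TRACE advertised, verbose Server header."""
    _, headers = parse_response(raw)
    findings = []
    if "TRACE" in allowed_methods(raw):
        findings.append("TRACE is advertised in Allow")
    server = headers.get("server", "")
    level = server_tokens_level(server)
    if level != "Prod":
        findings.append("Server header reveals level %s: %s" % (level, server))
    return findings


# The two local responses from the example above, before and after TraceEnable off.
BEFORE = """\
HTTP/1.1 200 OK
Date: Wed, 24 Jun 2020 06:04:45 GMT
Server: Apache/2.4.37 (centos)
Allow: POST,OPTIONS,HEAD,GET,TRACE
Content-Length: 0
Content-Type: httpd/unix-directory
"""
AFTER = """\
HTTP/1.1 200 OK
Date: Tue, 10 Dec 2019 04:09:41 GMT
Server: Apache/2.4.37 (centos)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 0
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    print("before:", audit_options_response(BEFORE))
    print("after:", audit_options_response(AFTER))
    print("config:", audit_config("TraceEnable off\n"))
```

The second response in the example above still reports `Server: Apache/2.4.37 (centos)`, so the TraceEnable change on its own leaves the version exposed; the config check reports that as the remaining ServerTokens finding.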