Accessing three different types of virtual host, and httpd configuration

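 Contents

I. Installing httpd

1. Preparation

2. Download and unpack the source packages

3. Install the source packages

Install apr

Install apr-util

Install httpd

4. Set the environment variable

5. Configure the firewall and start the httpd service

Suppress the warning

Manage httpd with systemctl

II. Configuring three different types of virtual host

Direct access by IP address

1. Same IP, different ports

2. Different IPs, same port

3. Same IP, same port, different domain names

III. Access control configuration

IV. HTTPS configuration

1. Generate the certificates

2. Configure the virtual host in httpd-vhosts.conf

3. Set the certificate locations in httpd-ssl.conf

4. Check the configuration for syntax errors, then restart or start the service

5. Set up hosts so the site can be reached by domain name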


I. Installing httpd

1. Preparation

[root@localhost ~]# yum groups mark install "Development Tools"    # mark the Development Tools group as installed (the specific build tools we need are installed below)
[root@localhost ~]# useradd -r -M -s /sbin/nologin apache      # create a system user named apache with no home directory and no login shell
[root@localhost ~]# id apache 
uid=984(apache) gid=982(apache) 组=982(apache)
[root@localhost ~]# yum -y install openssl-devel pcre-devel expat-devel libtool     # install the dependencies
[root@localhost ~]# yum -y install make    # install make, which the build requires

2. Download and unpack the source packages

Download location: https://downloads.apache.org/

[root@localhost ~]# wget https://downloads.apache.org/httpd/httpd-2.4.53.tar.gz
[root@localhost ~]# wget https://downloads.apache.org/apr/apr-1.7.0.tar.gz
[root@localhost ~]# wget https://downloads.apache.org/apr/apr-util-1.6.1.tar.gz
[root@localhost ~]# tar -xf apr-1.7.0.tar.gz  
[root@localhost ~]# tar -xf apr-util-1.6.1.tar.gz 
[root@localhost ~]# tar -xf httpd-2.4.53.tar.gz
[root@localhost ~]# ls
anaconda-ks.cfg   apr-util-1.6.1         httpd-2.4.53.tar.gz
apr-1.7.0         apr-util-1.6.1.tar.gz
apr-1.7.0.tar.gz  httpd-2.4.53

3. Install the source packages

Install in this order: apr → apr-util → httpd

Install apr

[root@localhost ~]# cd apr-1.7.0/
[root@localhost apr-1.7.0]# ./configure --prefix=/usr/local/apr
[root@localhost apr-1.7.0]# make && make install

Install apr-util

[root@localhost ~]# cd apr-util-1.6.1/
[root@localhost apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
[root@localhost apr-util-1.6.1]# make && make install

Install httpd

[root@localhost ~]# cd httpd-2.4.53/
[root@localhost httpd-2.4.53]# ./configure --prefix=/usr/local/apache \
--enable-so \
--enable-ssl \
--enable-cgi \
--enable-rewrite \
--with-zlib \
--with-pcre \
--with-apr=/usr/local/apr \
--with-apr-util=/usr/local/apr-util/ \
--enable-modules=most \
--enable-mpms-shared=all \
--with-mpm=prefork
[root@localhost httpd-2.4.53]# make && make install

4. Set the environment variable

[root@localhost ~]# ls /usr/local/     # where the three source packages were installed
apache  apr-util  etc    include  lib64    sbin   src
apr     bin       games  lib      libexec  share
[root@localhost ~]# cd /usr/local/apache/
[root@localhost apache]# ls 
bin    cgi-bin  htdocs  include  man     modules
build  error    icons   logs     manual
[root@localhost apache]# cd

# Once PATH is extended, the httpd and apachectl commands can be run directly
[root@localhost ~]# echo 'export PATH=/usr/local/apache/bin:$PATH' > /etc/profile.d/apache.sh
[root@localhost ~]# source /etc/profile.d/apache.sh
[root@localhost ~]# which httpd
/usr/local/apache/bin/httpd
[root@localhost ~]# which apachectl
/usr/local/apache/bin/apachectl

Link the header files and configure the man pages

[root@localhost ~]# ls /usr/local/apache/
bin    cgi-bin  htdocs  include  man     modules
build  conf   error    icons   logs     manual
[root@localhost ~]# ln -s /usr/local/apache/include/ /usr/include/apache

[root@localhost ~]# vim /etc/man_db.conf
#MANDATORY_MANPATH                      /usr/src/pvm3/man
#
MANDATORY_MANPATH                       /usr/man
MANDATORY_MANPATH                       /usr/share/man
MANDATORY_MANPATH                       /usr/local/share/man
# add this line (the man directory under the Apache install prefix)
MANDATORY_MANPATH                       /usr/local/apache/man

5. Configure the firewall and start the httpd service

[root@localhost ~]# systemctl disable --now firewalld    # stop and disable the firewall
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@localhost ~]# setenforce 0     # switch SELinux to permissive mode (current boot only)
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]# vim /etc/selinux/config    # disable SELinux permanently
# change the value to disabled
SELINUX=disabled

[root@localhost ~]# ss -antl    # list the listening ports
State   Recv-Q   Send-Q     Local Address:Port     Peer Address:Port  
LISTEN  0        128              0.0.0.0:111           0.0.0.0:*     
LISTEN  0        32         192.168.122.1:53            0.0.0.0:*     
LISTEN  0        128              0.0.0.0:22            0.0.0.0:*     
LISTEN  0        128                 [::]:111              [::]:*     
LISTEN  0        128                 [::]:22               [::]:*     
[root@localhost ~]# apachectl start    # start the Apache service
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress this message
[root@localhost ~]# ss -antl    # Apache listens on port 80 by default; port 80 in the list means the service is up
State   Recv-Q   Send-Q     Local Address:Port     Peer Address:Port  
LISTEN  0        128              0.0.0.0:111           0.0.0.0:*     
LISTEN  0        32         192.168.122.1:53            0.0.0.0:*     
LISTEN  0        128              0.0.0.0:22            0.0.0.0:*     
LISTEN  0        128                 [::]:111              [::]:*     
LISTEN  0        128                    *:80                  *:*     
LISTEN  0        128                 [::]:22               [::]:*

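Open the virtual machine's IP address in a browser.

Suppress the warning

Whether we start or stop the Apache service, the system prints a warning: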

[root@localhost ~]# apachectl stop
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress this message

[root@localhost ~]# cd /usr/local/apache/
[root@localhost apache]# cd conf/           # go to the directory holding the main configuration file
[root@localhost conf]# ls
extra  httpd.conf  magic  mime.types  original
[root@localhost conf]# vim httpd.conf    # uncomment this line
ServerName www.example.com:80
[root@localhost conf]# apachectl start   # start the service again; the warning no longer appears
[root@localhost conf]# ss -antl
State   Recv-Q   Send-Q     Local Address:Port     Peer Address:Port  
LISTEN  0        128              0.0.0.0:111           0.0.0.0:*     
LISTEN  0        32         192.168.122.1:53            0.0.0.0:*     
LISTEN  0        128              0.0.0.0:22            0.0.0.0:*     
LISTEN  0        128                 [::]:111              [::]:*     
LISTEN  0        128                    *:80                  *:*     
LISTEN  0        128                 [::]:22               [::]:*

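Manage httpd with systemctl

Because we installed httpd from source rather than from the yum repository, systemctl cannot manage it by default.

The same is true of any service installed from source.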

[root@localhost ~]# cd /usr/lib/systemd/system
[root@localhost system]# ls sshd.service
sshd.service
[root@localhost system]# cp sshd.service httpd.service   # copy the file and name the copy httpd.service
[root@localhost system]# vim httpd.service     # edit this file
[root@localhost system]# cat httpd.service
[Unit]
Description=httpd server daemon
After=network.target sshd-keygen.target

[Service]
Type=forking
# path used to start httpd through apachectl
ExecStart=/usr/local/apache/bin/apachectl start
# path used to stop it
ExecStop=/usr/local/apache/bin/apachectl stop
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
[root@localhost system]# systemctl daemon-reload    # reload the unit files so the new configuration takes effect
[root@localhost system]# systemctl status httpd     # systemctl can now be used to inspect httpd
● httpd.service - httpd server daemon
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset:>
   Active: inactive (dead)

[root@localhost system]# systemctl start httpd      # start the httpd service
[root@localhost system]# systemctl enable --now httpd     # enable it at boot
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.

[root@localhost system]# systemctl status httpd
● httpd.service - httpd server daemon
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; ve>
   Active: active (running) since Sun 2022-04-17 21:38:11 CST; 18s ago
 Main PID: 157013 (httpd)
    Tasks: 6 (limit: 11299)
   Memory: 4.6M
   CGroup: /system.slice/httpd.service
           ├─157013 /usr/local/apache/bin/httpd -k start
           ├─157014 /usr/local/apache/bin/httpd -k start
           ├─157015 /usr/local/apache/bin/httpd -k start
           ├─157016 /usr/local/apache/bin/httpd -k start
           ├─157017 /usr/local/apache/bin/httpd -k start
           └─157018 /usr/local/apache/bin/httpd -k start

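II. Configuring three different types of virtual host

Direct access by IP address

[root@localhost ~]# cd /usr/local/apache/htdocs/    # this directory holds the websites
[root@localhost htdocs]# mkdir test.example.com     # create a test directory for a site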
[root@localhost htdocs]# ls
index.html  test.example.com

[root@localhost htdocs]# cd test.example.com
[root@localhost test.example.com]# echo '1234' > 1234.html    # write some content into the site
[root@localhost test.example.com]# cd 
[root@localhost ~]# cd /usr/local/apache/conf/extra/      # the virtual host configuration files live here
[root@localhost extra]# ls
httpd-autoindex.conf  httpd-mpm.conf
httpd-dav.conf        httpd-multilang-errordoc.conf
httpd-default.conf    httpd-ssl.conf
httpd-info.conf       httpd-userdir.conf
httpd-languages.conf  httpd-vhosts.conf
httpd-manual.conf     proxy-html.conf
[root@localhost extra]# vim httpd-vhosts.conf
<VirtualHost *:80>
    # path where the site's files are stored
    DocumentRoot "/usr/local/apache/htdocs/test.example.com"
    # domain name
    ServerName test.example.com
    # where the error log is written
    ErrorLog "logs/test.example.com-error_log"
    # where the access log is written
    CustomLog "logs/test.example.com-access_log" common
</VirtualHost>
[root@localhost extra]# vim /usr/local/apache/conf/httpd.conf
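# uncomment this line
Include conf/extra/httpd-vhosts.conf
[root@localhost extra]# systemctl restart httpd     # restart the service

Refresh the browser and the test page we just wrote is listed.

Click 1234.html to view it.

The site is reachable, but the test page is not served directly.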

[root@localhost htdocs]# cd test.example.com/
[root@localhost test.example.com]# mv 1234.html index.html     # rename 1234.html to index.html
[root@localhost ~]# vim /usr/local/apache/conf/httpd.conf
<IfModule dir_module>
    # the main configuration file specifies that only index.html is served as the directory's default page
    DirectoryIndex index.html
</IfModule>

Refresh the browser again.

The test page is now shown directly.

1. Same IP, different ports

[root@localhost ~]# cd /usr/local/apache/htdocs/
[root@localhost htdocs]# mkdir web.example.com     # create a new directory for the second site
[root@localhost htdocs]# ls
index.html  test.example.com  web.example.com
[root@localhost htdocs]# cd web.example.com/
[root@localhost web.example.com]# echo "123" > index.html    # create a new test file and write to it
[root@localhost ~]# cd /usr/local/apache/conf/extra/
[root@localhost extra]# vim httpd-vhosts.conf     # edit the virtual host file
[root@localhost extra]# cat httpd-vhosts.conf
# this is the configuration for the 1234.html site
<VirtualHost *:80>
    DocumentRoot "/usr/local/apache/htdocs/test.example.com"
    ServerName test.example.com
    ErrorLog "logs/test.example.com-error_log"
    CustomLog "logs/test.example.com-access_log" common
</VirtualHost>
# add a listener on port 81
Listen 81
# change the port number to 81
<VirtualHost *:81>
    # change the path to the new site directory
    DocumentRoot "/usr/local/apache/htdocs/web.example.com"
    # change the domain name
    ServerName web.example.com
    # change the log path
    ErrorLog "logs/web.example.com-error_log"
    CustomLog "logs/web.example.com-access_log" common
</VirtualHost>
[root@localhost extra]# systemctl restart httpd.service    # restart the service
[root@localhost extra]# ss -antl    # ports 80 and 81 are both listed
State   Recv-Q   Send-Q     Local Address:Port     Peer Address:Port  
LISTEN  0        128              0.0.0.0:111           0.0.0.0:*     
LISTEN  0        32         192.168.122.1:53            0.0.0.0:*     
LISTEN  0        128              0.0.0.0:22            0.0.0.0:*     
LISTEN  0        128                 [::]:111              [::]:*     
LISTEN  0        128                    *:80                  *:*     
LISTEN  0        128                    *:81                  *:*     
LISTEN  0        128                 [::]:22               [::]:*

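Visit the test pages again, this time with the port number.

Port 80 is the default port, so it does not need to be specified.

Port 81

2. Different IPs, same port

[root@localhost ~]# ip addr add 192.168.12.129/24 dev ens160    # add a second IP address to the network interface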
[root@localhost ~]# ip a s ens160
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:81:df:bb brd ff:ff:ff:ff:ff:ff
    inet 192.168.12.128/24 brd 192.168.12.255 scope global dynamic noprefixroute ens160
       valid_lft 1280sec preferred_lft 1280sec
    inet 192.168.12.129/24 scope global secondary ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::fea:8a40:c17b:e64b/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
[root@localhost ~]# cd /usr/local/apache/conf/extra/
[root@localhost extra]# vim httpd-vhosts.conf
[root@localhost extra]# cat httpd-vhosts.conf
# change the address to a fixed IP
<VirtualHost 192.168.12.128:80>
    DocumentRoot "/usr/local/apache/htdocs/test.example.com"
    ServerName test.example.com
    ErrorLog "logs/test.example.com-error_log"
    CustomLog "logs/test.example.com-access_log" common
</VirtualHost>
# use the new IP address, on port 80
<VirtualHost 192.168.12.129:80>
    DocumentRoot "/usr/local/apache/htdocs/web.example.com"
    ServerName web.example.com
    ErrorLog "logs/web.example.com-error_log"
    CustomLog "logs/web.example.com-access_log" common
</VirtualHost>
[root@localhost extra]# systemctl restart httpd   # restart the service

Visit the test pages using the two IP addresses.

192.168.12.128

192.168.12.129

3. Same IP, same port, different domain names

[root@localhost extra]# vim httpd-vhosts.conf
[root@localhost extra]# cat httpd-vhosts.conf
# change to all IP addresses, port 80
<VirtualHost *:80>
    DocumentRoot "/usr/local/apache/htdocs/test.example.com"
    # domain name
    ServerName test.example.com
    ErrorLog "logs/test.example.com-error_log"
    CustomLog "logs/test.example.com-access_log" common
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/usr/local/apache/htdocs/web.example.com"
    # domain name
    ServerName web.example.com
    ErrorLog "logs/web.example.com-error_log"
    CustomLog "logs/web.example.com-access_log" common
</VirtualHost>

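The domain names do not resolve yet, so the local machine's hosts file has to be edited.

On the local machine the path is: C:\Windows\System32\drivers\etc

Add the IP address and the domain names at the bottom of the file.

After adding them and saving, visit the test pages.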

test.example.com

web.example.com
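
How the three setups above are told apart at request time, as an added example (not from the original post): a small awk approximation of httpd's virtual-host selection, run over a constructed config that reuses the page's addresses and names. It assumes IPv4 addresses and exact-case directive names; the function name `pick_vhost` is hypothetical, and on a real server `httpd -S` prints the parsed virtual-host table.

```shell
#!/bin/sh
# Added example: approximate httpd's virtual-host selection for one request.
# Usage: pick_vhost CONF LOCAL_IP PORT HOST  -> prints the DocumentRoot chosen
pick_vhost() {
    awk -v ip="$2" -v port="$3" -v host="$4" '
    $1 == "<VirtualHost" {
        addr = $2; sub(/>.*/, "", addr)
        split(addr, a, ":"); vip = a[1]; vport = (a[2] == "" ? "*" : a[2])
        name = ""; root = ""; next
    }
    $1 == "ServerName"   { name = $2 }
    $1 == "DocumentRoot" { root = $2; gsub(/"/, "", root) }
    $1 == "</VirtualHost>" {
        if (vport != port && vport != "*") next
        if (vip == ip)       rank = 2      # exact address beats the wildcard
        else if (vip == "*") rank = 1
        else next
        if (rank > best) { best = rank; first = root; named = "" }
        # name-based step: first vhost in the winning set whose ServerName matches
        if (rank == best && named == "" && tolower(name) == tolower(host)) named = root
    }
    END {
        if (best == 0) print "main-server"          # no vhost listens there
        else print (named != "" ? named : first)    # no name match: first one wins
    }' "$1"
}

conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed sample reusing the page's names and addresses
<VirtualHost *:80>
    DocumentRoot "/usr/local/apache/htdocs/test.example.com"
    ServerName test.example.com
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/usr/local/apache/htdocs/web.example.com"
    ServerName web.example.com
</VirtualHost>
<VirtualHost 192.168.12.129:80>
    DocumentRoot "/usr/local/apache/htdocs/web.example.com"
    ServerName web.example.com
</VirtualHost>
<VirtualHost *:81>
    DocumentRoot "/usr/local/apache/htdocs/web.example.com"
    ServerName web.example.com
</VirtualHost>
EOF
for h in web.example.com test.example.com 192.168.12.128; do
    printf '%-18s -> %s\n' "$h" "$(pick_vhost "$conf" 192.168.12.128 80 "$h")"
done
```

A request whose Host header matches no ServerName (the bare IP address, for instance) lands on the first vhost listed for that address and port, so the order of the blocks decides which site an unknown host name is shown.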

III. Access control configuration

[root@localhost extra]# vim httpd-vhosts.conf
[root@localhost extra]# cat httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/usr/local/apache/htdocs/test.example.com"
    ServerName test.example.com
    ErrorLog "logs/test.example.com-error_log"
    CustomLog "logs/test.example.com-access_log" common
</VirtualHost>

# path of the site to which access is being restricted
<Directory "/usr/local/apache/htdocs/test.example.com">
    <RequireAll>
        # the IP address or range to deny
        Require not ip 192.168.12.1
        Require all granted
    </RequireAll>
</Directory>

<VirtualHost *:80>
    DocumentRoot "/usr/local/apache/htdocs/web.example.com"
    ServerName web.example.com
    ErrorLog "logs/web.example.com-error_log"
    CustomLog "logs/web.example.com-access_log" common
</VirtualHost>
[root@localhost extra]# systemctl restart httpd

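Visit the test pages.

test has a rule denying the host machine, so it cannot be accessed.

web has no such rule, so it is accessible as normal.

IV. HTTPS configuration

Enable the SSL module

If the line is present, uncomment it; if not, add it to the configuration file.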

[root@localhost ~]# cd /usr/local/apache/conf/
[root@localhost conf]# vim httpd.conf
LoadModule ssl_module modules/mod_ssl.so

1. Generate the certificates

[root@localhost ~]# cd /etc/pki/
[root@localhost pki]# mkdir CA
[root@localhost pki]# cd CA/
[root@localhost CA]# mkdir private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)   # generate the private key file in the private directory
Generating RSA private key, 2048 bit long modulus (2 primes)
.......+++++
...........................................................................+++++
e is 65537 (0x010001)
[root@localhost CA]# ls private/   # check the private key file
cakey.pem 

The CA generates its self-signed certificate

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN         # country
State or Province Name (full name) []:HB     # province
Locality Name (eg, city) [Default City]:WH   # city
Organization Name (eg, company) [Default Company Ltd]:YouKun   # company
Organizational Unit Name (eg, section) []:YouKun   # department
Common Name (eg, your name or your server's hostname) []:web.example.com   # domain name
Email Address []:23333@123.com    # e-mail address
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial

The client generates its key

[root@localhost ~]# cd /usr/local/apache/conf/
[root@localhost conf]# ls
extra  httpd.conf  magic  mime.types  original
[root@localhost conf]# mkdir ssl
[root@localhost conf]# cd ssl/
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................................+++++
............................................................................................+++++
e is 65537 (0x010001)

The client generates a certificate signing request

[root@localhost ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:YouKun
Organizational Unit Name (eg, section) []:YouKun
Common Name (eg, your name or your server's hostname) []:web.example.com
Email Address []:23333@123.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls
httpd.csr  httpd.key

The CA signs the certificate request submitted by the client

[root@localhost ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 17 15:51:28 2022 GMT
            Not After : Apr 17 15:51:28 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = YouKun
            organizationalUnitName    = YouKun
            commonName                = web.example.com
            emailAddress              = 23333@123.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                BC:53:CE:36:37:90:DB:FC:64:73:9A:E0:E3:66:A8:52:F1:2D:45:18
            X509v3 Authority Key Identifier: 
                keyid:75:D9:11:EE:7D:F0:03:A2:95:7E:E9:CD:DD:B5:83:46:AF:E2:EB:96

Certificate is to be certified until Apr 17 15:51:28 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl]# ls
httpd.crt  httpd.csr  httpd.key

2. Configure the virtual host in httpd-vhosts.conf

[root@localhost ~]# cd /usr/local/apache/conf/
[root@localhost conf]# vim httpd.conf
# uncomment this line
Include conf/extra/httpd-ssl.conf

3. Set the certificate locations in httpd-ssl.conf

[root@localhost conf]# vim extra/httpd-ssl.conf
#   General setup for the virtual host
# change to the site directory for the certificate's domain
DocumentRoot "/usr/local/apache/htdocs/web.example.com"
# change to the certificate's domain name
ServerName web.example.com:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/error_log"
TransferLog "/usr/local/apache/logs/access_log"

# change to the path of httpd.crt
SSLCertificateFile "/usr/local/apache/conf/ssl/httpd.crt"
 
# change to the path of httpd.key
SSLCertificateKeyFile "/usr/local/apache/conf/ssl/httpd.key"

4. Check the configuration for syntax errors, then restart or start the service

[root@localhost conf]# httpd -t
AH00526: Syntax error on line 92 of /usr/local/apache/conf/extra/httpd-ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
[root@localhost conf]# vim /usr/local/apache/conf/httpd.conf
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
[root@localhost conf]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@localhost conf]# systemctl restart httpd

5. Set up hosts so the site can be reached by domain name

The site can now be accessed over HTTPS.
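
A non-interactive version of the certificate steps above, as an added example that is not part of the original post. It signs with `openssl x509 -req` instead of `openssl ca`, adds a subjectAltName (current browsers match the host name against it rather than the Common Name), and checks the result; the CA name `Lab Root CA`, the file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example: lab CA and server certificate, generated without prompts.
# Usage: make_lab_cert DIR NAME  -> ca.key ca.crt NAME.key NAME.csr NAME.crt in DIR
make_lab_cert() {
    (   # subshell: umask and cd do not leak into the caller
        umask 077                      # keys are created readable by the owner only
        cd "$1" || exit 1
        name=$2
        subj="/C=CN/ST=HB/L=WH/O=YouKun"
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -key ca.key -days 365 -out ca.crt \
            -subj "$subj/CN=Lab Root CA"          # assumed CA name, distinct from the site
        openssl genrsa -out "$name.key" 2048 2>/dev/null
        openssl req -new -key "$name.key" -out "$name.csr" -subj "$subj/CN=$name"
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$name" > ext.cnf
        openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -sha256 -extfile ext.cnf -out "$name.crt" 2>/dev/null
    )
}

# chain_ok DIR NAME: the certificate verifies against the lab CA
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; }

# key_matches DIR NAME: certificate and private key carry the same public key
key_matches() {
    c=$(openssl x509 -in "$1/$2.crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$1/$2.key" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# has_san CRT NAME: NAME appears as a DNS subjectAltName in the certificate
has_san() { openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"; }

lab=$(mktemp -d)
make_lab_cert "$lab" web.example.com
chain_ok "$lab" web.example.com && key_matches "$lab" web.example.com &&
    has_san "$lab/web.example.com.crt" web.example.com && echo "certificate checks passed"
```

SSLCertificateFile and SSLCertificateKeyFile would then point at the generated NAME.crt and NAME.key, with ca.crt imported into the test client's trust store.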
