httpd
文章目录
1. httpd简介
httpd是Apache超文本传输协议(HTTP)服务器的主程序。被设计为一个独立运行的后台进程,它会建立一个处理请求的子进程或线程的池。
通常,httpd不应该被直接调用,而应该在类Unix系统中由apachectl调用,在Windows中作为服务运行。
2. httpd版本
本文主要介绍httpd的两大版本,httpd-2.2和httpd-2.4。
- CentOS6系列的版本默认提供的是httpd-2.2版本的rpm包
- CentOS7系列的版本默认提供的是httpd-2.4版本的rpm包
2.1 httpd的特性
httpd有很多特性,下面就分别来说说httpd-2.2版本和httpd-2.4版本各自的特性。
版本 | 特性 |
---|---|
2.2 | 事先创建进程 按需维持适当的进程 模块化设计,核心比较小,各种功能通过模块添加(包括PHP),支持运行时配置,支持单独编译模块 支持多种方式的虚拟主机配置,如基于ip的虚拟主机,基于端口的虚拟主机,基于域名的虚拟主机等 支持https协议(通过mod_ssl模块实现) 支持用户认证 支持基于IP或域名的ACL访问控制机制 支持每目录的访问控制(用户访问默认主页时不需要提供用户名和密码,但是用户访问某特定目录时需要提供用户名和密码) 支持URL重写 支持MPM(Multi Path Modules,多处理模块)。用于定义httpd的工作模型(单进程、单进程多线程、多进程、多进程单线程、多进程多线程) |
2.4 | httpd-2.4的新特性: MPM支持运行DSO机制(Dynamic Share Object,模块的动态装/卸载机制),以模块形式按需加载 支持event MPM,eventMPM模块生产环境可用 支持异步读写 支持每个模块及每个目录分别使用各自的日志级别 每个请求相关的专业配置,使用<If>来配置 增强版的表达式分析器 支持毫秒级的keepalive timeout 基于FQDN的虚拟主机不再需要NameVirtualHost指令 支持用户自定义变量 支持新的指令(AllowOverrideList) 降低对内存的消耗 |
工作模型 | 工作方式 |
---|---|
prefork | 多进程模型,预先生成进程,一个请求用一个进程响应 一个主进程负责生成n个子进程,子进程也称为工作进程 每个子进程处理一个用户请求,即使没有用户请求,也会预先生成多个空闲进程,随时等待请求到达,最大不会超过1024个 |
worker | 基于线程工作,一个请求用一个线程响应(启动多个进程,每个进程生成多个线程) |
event | 基于事件的驱动,一个进程处理多个请求 |
2.2 httpd-2.4新增的模块
httpd-2.4在之前的版本基础上新增了几大模块,下面就几个常用的来介绍一下。
模块 | 功能 |
---|---|
mod_proxy_fcgi | 反向代理时支持apache服务器后端协议的模块 |
mod_ratelimit | 提供速率限制功能的模块 |
mod_remoteip | 基于ip的访问控制机制被改变,不再支持使用Order,Deny,Allow来做基于IP的访问控制 |
3、httpd基础
3.1 httpd自带的工具程序
工具 | 功能 |
---|---|
htpasswd | basic认证基于文件实现时,用到的帐号密码生成工具 |
apachectl | httpd自带的服务控制脚本,支持start,stop,restart |
apxs | 由httpd-devel包提供的,扩展httpd使用第三方模块的工具 |
rotatelogs | 日志滚动工具 |
suexec | 访问某些有特殊权限配置的资源时,临时切换至指定用户运行的工具 |
ab | apache benchmark,httpd的压力测试工具 |
3.2 rpm包安装的httpd程序环境
文件/目录 | 对应的功能 |
---|---|
/var/log/httpd/access.log | 访问日志 |
/var/log/httpd/error_log | 错误日志 |
/var/www/html/ | 站点文档目录 |
/usr/lib64/httpd/modules/ | 模块文件路径 |
/etc/httpd/conf/httpd.conf | 主配置文件 |
/etc/httpd/conf.modules.d/*.conf | 模块配置文件 |
/etc/httpd/conf.d/*.conf | 辅助配置文件 |
mpm:以DSO机制提供,配置文件为/etc/httpd/conf.modules.d/00-mpm.conf
3.3 web相关的命令
3.3.1 curl命令
curl是基于URL语法在命令行方式下工作的文件传输工具,它支持FTP,FTPS,HTTP,HTTPS,GOPHER,TELNET,DICT,FILE及LDAP等协议。
curl支持以下功能:
- https认证
- http的POST/PUT等方法
- ftp上传
- kerberos认证
- http上传
- 代理服务器
- cookies
- 用户名/密码认证
- 下载文件断点续传
- socks5代理服务器
- 通过http代理服务器上传文件到ftp服务器
//语法:curl [options] [URL ...]
//常用的options:
-A/--user-agent <string> //设置用户代理发送给服务器
-basic //使用Http基本认证
--tcp-nodelay //使用TCP_NODELAY选项
-e/--referer <URL> //来源网址
--cacert <file> //CA证书(SSL)
--compressed //要求返回时压缩的格式
-H/--header <line> //自定义请求首部信息传递给服务器
-I/--head //只显示响应报文首部信息
--limit-rate <rate> //设置传输速度
-u/--user <user[:password]> //设置服务器的用户和密码
-0/--http1 //使用http 1.0版本,默认使用1.1版本。这个选项是数字0而不是字母o
-o/--output //把输出写到文件中
-#/--progress-bar //进度条显示当前的传送状态
3.3.2 httpd命令
//语法:httpd [options]
//常用的options:
-l //查看静态编译的模块,列出核心中编译了哪些模块。 \
//它不会列出使用LoadModule指令动态加载的模块
-M //输出一个已经启用的模块列表,包括静态编译在服务 \
//器中的模块和作为DSO动态加载的模块
-v //显示httpd的版本,然后退出
-V //显示httpd和apr/apr-util的版本和编译参数,然后退出
-X //以调试模式运行httpd。仅启动一个工作进程,并且 \
//服务器不与控制台脱离
-t //检查配置文件是否有语法错误
4、编译安装httpd-2.4
(1)安装必要组件
[root@hezhichen ~]# yum -y groupinstall "Development Tools"
[root@hezhichen ~]# yum -y install wget expat-devel pcre* openssl-devel
(2)下载解压源码包
[root@hezhichen ~]# wget http://64.123.28.150/files/1208000000F8C33A/mirror.bit.edu.cn/apache//httpd/httpd-2.4.39.tar.bz2 http://mirror.bit.edu.cn/apache//apr/apr-1.6.5.tar.bz2 http://mirror.bit.edu.cn/apache//apr/apr-util-1.6.1.tar.bz2
[root@hezhichen ~]# mkdir /app
[root@hezhichen ~]# mv *.bz2 /app
[root@hezhichen ~]# cd /app
[root@hezhichen app]# ls *.tar.bz2 | xargs -n1 tar xjf
[root@hezhichen app]# ls
apr-1.6.5 apr-1.6.5.tar.bz2 apr-util-1.6.1 apr-util-1.6.1.tar.bz2 httpd-2.4.39 httpd-2.4.39.tar.bz2
(3)编译安装apr
apr编译(编辑configure这个文件,将 $RM $cfgfile 那行注释掉 )
[root@hezhichen apr-1.6.5]#./configure --prefix=/usr/local/apr
[root@hezhichen apr-1.6.5]# make && make install
(4)编译安装apr-util
[root@hezhichen apr-1.6.5]# cd /app/apr-util-1.6.1
[root@hezhichen apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
[root@hezhichen apr-util-1.6.1]# make && make install
(5)编译安装httpd
[root@hezhichen apr-util-1.6.1]# cd /app/httpd-2.4.39
[root@hezhichen httpd-2.4.39]# ./configure --prefix=/usr/local/apache \
> --sysconfdir=/etc/httpd24 \
> --enable-so \
> --enable-ssl \
> --enable-cgi \
> --enable-rewrite \
> --with-zlib \
> --with-pcre \
> --with-apr=/usr/local/apr \
> --with-apr-util=/usr/local/apr-util/ \
> --enable-modules=most \
> --enable-mpms-shared=all \
> --with-mpm=prefork
[root@hezhichen httpd-2.4.39]# make && make install
(6)修改环境变量并加入系统服务
[root@hezhichen ~]# echo 'export PATH=/usr/local/apache/bin:$PATH' > /etc/profile.d/httpd.sh
[root@hezhichen ~]# . /etc/profile.d/httpd.sh
[root@hezhichen ~]# httpd -v
Server version: Apache/2.4.39 (Unix)
Server built: Apr 18 2019 06:15:39
编辑启动脚本
[root@hezhichen ~]# vim httpd
[root@hezhichen ~]# cat httpd
#!/bin/bash
# chkconfig: 12345 80 90
function start_http()
{
/usr/local/apache/bin/apachectl start
}
function stop_http()
{
/usr/local/apache/bin/apachectl stop
}
case "$1" in
start)
start_http
;;
stop)
stop_http
;;
restart)
stop_http
start_http
;;
*)
/usr/bin/echo "Usage : start | stop | restart"
;;
esac
[root@hezhichen /]# systemctl daemon-reload
[root@hezhichen /]# systemctl start httpd
[root@hezhichen /]# chkconfig --add httpd
5、httpd常用配置
切换使用MPM(编辑/etc/httpd/conf.modules.d/00-mpm.conf文件):
//LoadModule mpm_NAME_module modules/mod_mpm_NAME.so
//NAME有三种,分别是:
prefork
event
worker
访问控制法则:
法则 | 功能 |
---|---|
Require all granted | 允许所有主机访问 |
Require all deny | 拒绝所有主机访问 |
Require ip IPADDR | 授权指定来源地址的主机访问 |
Require not ip IPADDR | 拒绝指定来源地址的主机访问 |
Require host HOSTNAME | 授权指定来源主机名的主机访问 |
Require not host HOSTNAME | 拒绝指定来源主机名的主机访问 |
IPADDR的类型 | HOSTNAME的类型 |
---|---|
IP:192.168.1.1 Network/mask:192.168.1.0/255.255.255.0 Network/Length:192.168.1.0/24 Net:192.168 | FQDN:特定主机的全名 DOMAIN:指定域内的所有主机 |
注意:httpd-2.4版本默认是拒绝所有主机访问的,所以安装以后必须做显示授权访问
示例:
<Directory /var/www/html/www>
<RequireAll>
Require not ip 192.168.1.20
Require all granted
</RequireAll>
</Directory>
6、虚拟主机配置
6.1 相同IP不同端口虚拟主机
(1)编辑配置文件
[root@hezhichen /]# vim /etc/httpd24/httpd.conf
//加入监听端口 Listen 81
//虚拟主机配置
#virtual host 1 # 虚拟主机1的配置
<VirtualHost *:80>
ServerName www.tom.com
DocumentRoot "/usr/local/apache/htdocs/tom"
ErrorLog "logs/tom_error_log"
CustomLog "logs/tom_access_log" combined
<Directory /usr/local/apache/htdocs/jerry>
<RequireAll>
Require all granted
</RequireAll>
</Directory>
</VirtualHost>
# virtual host 2 # 虚拟主机2的配置
<VirtualHost 192.168.98.100:81>
ServerName www.jerry.com
DocumentRoot "/usr/local/apache/htdocs/jerry"
ErrorLog "logs/jerry_error_log"
CustomLog "logs/jerry_access_log" combined
<Directory /usr/local/apache/htdocs/jerry>
<RequireAll>
Require all granted
</RequireAll>
</Directory>
</VirtualHost>
(2)编辑主页内容
[root@hezhichen htdocs]# echo 'JERRY' > jerry/index.html
[root@hezhichen htdocs]# echo 'TOM' > tom/index.html
(3)重启服务访问网页
6.2 不同IP相同端口虚拟主机
(1)新加临时Ip地址
[root@hezhichen /]# ip addr add 192.168.98.150/24 dev ens32
[root@hezhichen /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:35:ac:b3 brd ff:ff:ff:ff:ff:ff
inet 192.168.98.100/24 brd 192.168.98.255 scope global noprefixroute ens32
valid_lft forever preferred_lft forever
inet 192.168.98.150/24 scope global secondary ens32
valid_lft forever preferred_lft forever
inet6 fe80::94ce:84d3:7078:5e3/64 scope link noprefixroute
valid_lft forever preferred_lft forever
(2)编辑配置文件
[root@hezhichen /]# vim /etc/httpd24/httpd.conf
//虚拟主机配置
#virtual host 1 # 虚拟主机1的配置
<VirtualHost 192.168.98.100:80>
ServerName www.tom.com
DocumentRoot "/usr/local/apache/htdocs/tom"
ErrorLog "logs/tom_error_log"
CustomLog "logs/tom_access_log" combined
<Directory /usr/local/apache/htdocs/jerry>
<RequireAll>
Require all granted
</RequireAll>
</Directory>
</VirtualHost>
# virtual host 2 # 虚拟主机2的配置
<VirtualHost 192.168.98.150:80>
ServerName www.jerry.com
DocumentRoot "/usr/local/apache/htdocs/jerry"
ErrorLog "logs/jerry_error_log"
CustomLog "logs/jerry_access_log" combined
<Directory /usr/local/apache/htdocs/jerry>
<RequireAll>
Require all granted
</RequireAll>
</Directory>
</VirtualHost>
(2)编辑主页内容
[root@hezhichen htdocs]# echo 'JERRY' > jerry/index.html
[root@hezhichen htdocs]# echo 'TOM' > tom/index.html
(3)重启服务访问网页
6.3 相同IP相同端口虚拟主机
(1)编辑配置文件
[root@hezhichen /]# vim /etc/httpd24/httpd.conf
//虚拟主机配置
#virtual host 1 # 虚拟主机1的配置
<VirtualHost *:80>
ServerName www.tom.com
DocumentRoot "/usr/local/apache/htdocs/tom"
ErrorLog "logs/tom_error_log"
CustomLog "logs/tom_access_log" combined
<Directory /usr/local/apache/htdocs/jerry>
<RequireAll>
Require all granted
</RequireAll>
</Directory>
</VirtualHost>
# virtual host 2 # 虚拟主机2的配置
<VirtualHost *:80>
ServerName www.jerry.com
DocumentRoot "/usr/local/apache/htdocs/jerry"
ErrorLog "logs/jerry_error_log"
CustomLog "logs/jerry_access_log" combined
<Directory /usr/local/apache/htdocs/jerry>
<RequireAll>
Require all granted
</RequireAll>
</Directory>
</VirtualHost>
(2)编辑主页内容
[root@hezhichen htdocs]# echo 'JERRY' > jerry/index.html
[root@hezhichen htdocs]# echo 'TOM' > tom/index.html
(3)编辑host,重启服务访问网页
192.168.98.100 www.tom.com
192.168.98.100 www.jerry.com
7、https配置
(1)CA生成一对密钥
[root@client ~]# cd /etc/pki/CA
[root@client CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
......+++
.................................................................................................................+++
e is 65537 (0x10001) #生成密钥,括号必须要
[root@client CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0VRuAkwm5CuymfKUNGRG
dGFwRE3EUSbCsMsIZEJrOXNcrBOnb+AQepEgLic0ijx69lnTXGDg1UWl3Z2ClrJ9
z+AVYWYRgzWyZaVSwp0N6kSXM9dbUYVHPRGXHu2NFXi8eudlZS90PNOOxskKgbXL
2JPi923DY+/cnBJ9t+gEB/XMaBp4XwUUrhqrhBnjDCVeuUdFpofZre+em+y68X+B
PCjRLiJ5IJMttJOnvLa0NeZq8xcNLiqgQy2eMD70K5C+c3qFV6G+psB+nbqzQwee
QaW7ifqsTamPB/m7f9WyOW7Fby7EiKu85iTsEi7+/eZC3C6lhmalIrngzg/HfACH
CwIDAQAB
-----END PUBLIC KEY----- #提取公钥
(2) CA生成自签署证书
[root@client CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:www.tom.com
Organizational Unit Name (eg, section) []:www.tom.com
Common Name (eg, your name or your server's hostname) []:www.tom.com
Email Address []:1@2.com
[root@client CA]# touch index.txt && echo 01 > serial
(3)httpd服务器生成密钥
[root@hezhichen /]# cd /etc/httpd24 && mkdir ssl && cd ssl
[root@hezhichen ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..................................................................+++
.....................................+++
e is 65537 (0x10001)
(4)客户端生成证书签署请求
[root@hezhichen ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:www.tom.com
Organizational Unit Name (eg, section) []:www.tom.com
Common Name (eg, your name or your server's hostname) []:www.tom.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(5)客户端把证书签署请求文件发送给CA
[root@hezhichen ssl]# scp httpd.csr root@192.168.98.200:/root
(6)CA签署客户端提交上来的证书
openssl ca -in /root/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 21 14:03:50 2019 GMT
Not After : Apr 20 14:03:50 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = HuBei
organizationName = www.tom.com
organizationalUnitName = www.tom.com
commonName = www.tom.com
emailAddress = 1@2.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A1:E1:BB:D9:06:E1:5E:E2:00:93:96:54:C1:C1:F5:D3:4E:22:C2:E8
X509v3 Authority Key Identifier:
keyid:49:71:BF:98:3C:98:46:9D:A4:16:68:8D:8A:95:AC:4B:1C:E8:8A:59
Certificate is to be certified until Apr 20 14:03:50 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(7)CA把签署好的证书httpd.crt发给客户端
[root@client ~]# scp httpd.crt root@192.168.98.100:/etc/httpd24/ssl/
[root@hezhichen ssl]# ls
httpd.crt httpd.csr httpd.key
(8)配置httpd服务端ssl
[root@hezhichen /]# cd /etc/httpd24/extra
[root@hezhichen extra]# vim httpd-ssl.conf
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs/tom"
ServerName www.tom.com:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/tom_error_log"
TransferLog "/usr/local/apache/logs/tom_access_log"
取消/etc/http24/httpd.conf中
Include /etc/httpd24/extra/httpd-ssl.conf 注释
(9)重启服务并验证