Configuration files:
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/*.conf
Check configuration syntax:
httpd -t
Site document root:
/var/www/html
Change the listening IP and port:
Listen [IP:]PORT
Module file paths:
/etc/httpd/modules
/usr/lib64/httpd/modules
Log file directory:
/var/log/httpd
access_log: access log
error_log: error log
Common configuration
ServerTokens: controls how much server version information is disclosed
Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full
[root@CentOS7 /etc/httpd/conf]# vim httpd.conf
Include conf.modules.d/*.conf #configuration in these directories takes effect
IncludeOptional conf.d/*.conf
[root@CentOS7 ~]# curl -I 192.168.8.7 #the full version is disclosed
Server: Apache/2.4.6 (CentOS)
[root@CentOS7 /etc/httpd/conf.d]# cat test.conf
ServerTokens Prod
[root@CentOS7 /etc/httpd/conf.d]# systemctl restart httpd
[root@CentOS7 ~]# curl -I 192.168.8.7 #after the change the detailed version is no longer shown
Server: Apache
Setting | Server header shown |
---|---|
ServerTokens Major | Server: Apache/2 |
ServerTokens Minor | Server: Apache/2.4 |
ServerTokens Min[imal] | Server: Apache/2.4.6 |
ServerTokens OS | Server: Apache/2.4.6 (CentOS) (system default) |
ServerTokens Prod[uctOnly] | Server: Apache |
ServerTokens Full | Server: Apache/2.4.6 (CentOS) |
Recommended: ServerTokens Prod
Changing the listening IP and port
[root@CentOS7 /etc/httpd/conf]# vim httpd.conf
Listen 80
Listen 8080
[root@CentOS7 /etc/httpd/conf.d]# ss -ntl
[::]:8080
[::]:80
Persistent connections
Persistent Connection: once a connection is established it is not closed after each resource has been fetched; it stays open waiting for further requests. Persistent connections are off by default.
Close condition: a time limit in seconds, default 5s; httpd-2.4 supports millisecond granularity
Side effect: on a server with heavy concurrent traffic, persistent connections can leave some requests unanswered
Compromise: use a short persistent-connection timeout
[root@CentOS7 /etc/httpd/conf.d]# cat test.conf
ServerTokens Prod
KeepAliveTimeout 15
Test: telnet WEB_SERVER_IP PORT
GET /URL HTTP/1.1
Host: WEB_SERVER_IP
Loading module configuration
[root@CentOS7 /etc/httpd/conf.modules.d]# grep auth *
00-base.conf:LoadModule auth_basic_module modules/mod_auth_basic.so
[root@CentOS7 /etc/httpd/conf.modules.d]# cat 00-base.conf |grep auth
LoadModule auth_basic_module modules/mod_auth_basic.so #the directive format that loads a module
[root@CentOS7 /etc/httpd/conf.modules.d]# httpd -l #list statically compiled modules
Compiled in modules:
core.c
mod_so.c
http_core.c
[root@CentOS7 /etc/httpd/conf.modules.d]# httpd -M #list statically compiled and dynamically loaded modules
MPM (Multi-Processing Module)
prefork, worker, event
[root@CentOS7 /etc/httpd/conf.modules.d]# vim 00-mpm.conf
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so #enabled by default
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
#LoadModule mpm_event_module modules/mod_mpm_event.so
[root@CentOS7 /etc/httpd/conf.modules.d]# vim ../conf.d/test.conf #prefork settings
StartServers 1000
MinSpareServers 1000
MaxSpareServers 1000
ServerLimit 1000 #maximum number of processes, upper bound 20000
MaxClients 1000 #maximum number of concurrent connections
MaxRequestsPerChild 4000 #maximum number of requests a child process handles before it is replaced
[root@CentOS7 /etc/httpd/conf.modules.d]# pstree -p |grep httpd |wc -l
1000
[root@CentOS7 /etc/httpd/conf.modules.d]# ps aux|grep httpd |wc -l
1002
[root@CentOS7 ~]# ab -c1000 -n 2000 http://192.168.8.7/test.txt #test concurrency
[root@CentOS7 /etc/httpd/conf.modules.d]# vim 00-mpm.conf #enable worker
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule mpm_worker_module modules/mod_mpm_worker.so
#LoadModule mpm_event_module modules/mod_mpm_event.so
[root@CentOS7 /etc/httpd/conf.modules.d]# vim ../conf.d/test.conf #worker settings
ServerLimit 16
StartServers 2
MaxRequestWorkers 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
Defining the document root of the 'Main' server
[root@CentOS7 ~]# vim /etc/httpd/conf/httpd.conf
#DocumentRoot "/var/www/html" #defines the document root; on CentOS 6 you can simply comment this out and set a new path
[root@CentOS7 ~]# vim /etc/httpd/conf.d/test.conf
DocumentRoot "/data/html" #access fails with an error; on CentOS 7 permission must be granted with the lines below
<Directory "/data/html">
Require all granted
</Directory>
[root@CentOS7 ~]# curl 192.168.8.7 #after the change the path served has changed
/data/html/index.html
[root@CentOS7 /data/html]# mkdir news #an ordinary subdirectory of the document root
[root@CentOS7 /data/html]# echo news >news/index.html
[root@CentOS7 ~]# curl http://192.168.8.7/news/ #accessible
news
[root@CentOS7 /data/html]# mkdir /app/dir -p
[root@CentOS7 /data/html]# echo 'welcome to magedu' >/app/dir/index.html
To serve /app/dir/index.html, a symbolic link can be used
[root@CentOS7 /data/html]# ln -s /app/dir/ /data/html/sports
[root@CentOS7 ~]# curl http://192.168.8.7/sports/ #works normally
welcome to magedu
A directory served to the outside can live anywhere; a symbolic link is all that is needed
Defining the site's index page
The accesses above look for index.html by default
[root@CentOS7 ~]# vim /etc/httpd/conf/httpd.conf
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
[root@CentOS7 ~]# vim /etc/httpd/conf/httpd.conf
<IfModule dir_module>
DirectoryIndex test.txt index.html #after the change test.txt is tried first, then index.html if test.txt does not exist
</IfModule>
[root@CentOS7 /data/html]# echo test > test.txt
[root@CentOS7 /data/html]# ls
index.html news sports test.txt
[root@CentOS7 ~]# curl 192.168.8.7 #the content of test.txt is shown
test
[root@CentOS7 /data/html]# rm -f test.txt
[root@CentOS7 ~]# curl 192.168.8.7 #after deleting test.txt the content of index.html is shown
/data/html/index.html
[root@CentOS7 /data/html]# rm -f index.html
After deleting it an error page appears; that page is configured as follows and comes from /usr/share/httpd/noindex/index.html
[root@CentOS7 ~]# vim /etc/httpd/conf.d/welcome.conf
<LocationMatch "^/+$"> #one or more slashes
Options -Indexes
ErrorDocument 403 /.noindex.html
</LocationMatch>
Alias /.noindex.html /usr/share/httpd/noindex/index.html
[root@CentOS7 ~]# curl 192.168.8.7/// #multiple slashes are also accepted
index.html
[root@CentOS7 ~]# mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.bak
With welcome.conf removed, the request fails outright
You don't have permission to access / on this server.
Common site access control mechanisms
Access control can be specified for resources selected by one of two mechanisms
There are two access control mechanisms: client source address, and user account
File system path:
<Directory "/path">
...
<Files "/path/file">
...
<FilesMatch "PATTERN">
...
URL path:
<Location "">
...
<LocationMatch "">
...
Examples:
<FilesMatch "\.(gif|jpe?g|png)$">
<Files "?at.*"> #wildcard
<Location /status>
<LocationMatch "/(extra|special)/data">
Options
Indexes: when no resource matching the defined index page exists under the given URL path, return a directory listing to the user
FollowSymLinks: allow access to the source file a symbolic link points to
None: disable all
All: enable all
[root@CentOS7 ~]# vim /etc/httpd/conf.d/test.conf
<Directory "/data/html">
Require all granted
Options Indexes FollowSymLinks #adding this produces a directory listing
</Directory>
This is insecure; it is generally only used for FTP-style download areas (such as the aliyun rpm repository)
AllowOverride
Controls which access-control-related directives may be placed in the .htaccess file (named by AccessFileName) of a given directory, overriding earlier configuration directives
Valid only inside <Directory> sections
AllowOverride All: all directives in .htaccess take effect
AllowOverride None: the .htaccess file is ignored
AllowOverride AuthConfig: in the .htaccess file only AuthConfig directives take effect; all others are ignored
[root@CentOS7 ~]# vim /etc/httpd/conf/httpd.conf
<Directory />
AllowOverride none # .htaccess file is ignored
Require all denied
</Directory>
[root@CentOS7 /data/html]# vim .htaccess
Options Indexes FollowSymLinks #removed from /etc/httpd/conf.d/test.conf and written into .htaccess
Not accessible; change AllowOverride none to AllowOverride All (so the .htaccess takes effect) and it becomes accessible
A .htaccess file inside the document tree is sensitive, but clients cannot fetch it thanks to this configuration:
<Files ".ht*">
Require all denied
</Files>
The same pattern can be used to deny access to other content
IP-based access control:
<RequireAll>
Require all granted
Require not ip 172.16.1.1 #deny a specific IP
</RequireAll>
<RequireAny>
Require all denied
require ip 172.16.1.1 #allow a specific IP
</RequireAny>
[root@CentOS7 ~]# vim /etc/httpd/conf.d/test.conf
<Directory "/data/html">
<RequireAll>
Require all granted
Require not ip 192.168.8.17
</RequireAll>
</Directory>
##only 192.168.8.17 is denied access
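The container semantics used above, as an added example that is not part of the original notes: a small Python model of how <RequireAll> and <RequireAny> combine the results of Require all, Require ip and Require not ip for a client address. Only those providers are modelled, and the two rule sets are constructed from the snippets on this page.

```python
import ipaddress

def _ip_matches(client, args):
    """True if client falls inside any of the IP or CIDR arguments."""
    addr = ipaddress.ip_address(client)
    return any(addr in ipaddress.ip_network(a, strict=False) for a in args)

def evaluate_require(directive, client):
    """Result of one Require line for a client: 'granted', 'denied' or 'neutral'."""
    words = directive.split()
    if not words or words[0].lower() != "require":
        raise ValueError("not a Require directive: " + directive)
    negate = len(words) > 1 and words[1].lower() == "not"
    provider = words[2 if negate else 1].lower()
    args = words[3 if negate else 2:]
    if provider == "all":
        matched = args[0].lower() == "granted"
    elif provider == "ip":
        matched = _ip_matches(client, args)
    else:
        raise ValueError("provider not modelled here: " + provider)
    if negate:
        # "Require not ..." can only deny: a match denies, a non-match is neutral
        return "denied" if matched else "neutral"
    return "granted" if matched else "denied"

def evaluate_container(kind, directives, client):
    """Combine the results as <RequireAll>/<RequireAny> do; True means allowed."""
    results = [evaluate_require(d, client) for d in directives]
    if kind == "RequireAll":
        # succeeds only when nothing denies and at least one directive grants
        return "denied" not in results and "granted" in results
    if kind == "RequireAny":
        # succeeds as soon as one directive grants, whatever the others say
        return "granted" in results
    raise ValueError("unknown container: " + kind)

def is_allowed(ruleset, client):
    """ruleset is a (container kind, list of Require lines) pair."""
    kind, directives = ruleset
    return evaluate_container(kind, directives, client)

# Constructed rule sets mirroring the two containers shown in these notes
DENY_ONE_HOST = ("RequireAll", ["Require all granted", "Require not ip 192.168.8.17"])
ALLOW_ONE_SUBNET = ("RequireAny", ["Require all denied", "require ip 192.168.8.0/24"])
```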
Log settings
Access log:
Define a log format: LogFormat format strings
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Use a log format:
CustomLog logs/access_log testlog #the nickname must match one defined by a LogFormat directive
Reference: http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats
%h client IP address
%l remote logname; only meaningful with mod_ident enabled, usually a dash "-"
%u authenticated (basic, digest) remote user; a dash "-" when the request is not authenticated
%t time at which the server received the request
%r First line of request, i.e. the request line; records the "method", the "URL" and the protocol version of the request
%>s response status code
%b size of the response body in bytes, excluding the HTTP headers
%{Referer}i value of the "Referer" request header, i.e. the page whose hyperlink led to the current page
%{User-Agent}i value of the "User-Agent" request header, i.e. the application that sent the request
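An added example, not from the original notes: a Python parser for lines in the combined format defined above, used to count 401 responses per client under the basic-auth protected /admin path. The log lines and the threshold are constructed sample values.

```python
import re
from collections import Counter

# One named group per LogFormat token:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<h>\S+) (?P<l>\S+) (?P<u>\S+) \[(?P<t>[^\]]+)\] "(?P<r>[^"]*)" '
    r'(?P<s>\d{3}) (?P<b>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_combined(line):
    """Return a dict of the nine fields, or None if the line is not in combined format."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # %r is "METHOD URL PROTOCOL"; split it so callers can filter on the path
    parts = rec["r"].split(" ")
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) >= 2 else ("", "")
    rec["s"] = int(rec["s"])
    rec["b"] = 0 if rec["b"] == "-" else int(rec["b"])  # "-" means no body was sent
    return rec

def auth_failures_by_client(lines, prefix="/admin", threshold=3):
    """Count 401 responses under prefix per %h; return clients at or over threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_combined(line)
        if rec and rec["s"] == 401 and rec["path"].startswith(prefix):
            counts[rec["h"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample lines in the combined format (not real server output)
SAMPLE_LOG = [
    '192.168.8.17 - - [10/Oct/2020:13:55:36 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.29.0"',
    '192.168.8.17 - - [10/Oct/2020:13:55:37 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.29.0"',
    '192.168.8.17 - - [10/Oct/2020:13:55:38 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.29.0"',
    '192.168.8.17 - rose [10/Oct/2020:13:55:40 +0800] "GET /admin/ HTTP/1.1" 200 17 "-" "curl/7.29.0"',
    '192.168.8.8 - - [10/Oct/2020:13:56:01 +0800] "GET /news/ HTTP/1.1" 200 5 "http://192.168.8.7/" "Mozilla/5.0"',
    '192.168.8.8 - - [10/Oct/2020:13:56:02 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
]
```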
Setting the character set
AddDefaultCharset UTF-8 #this is the default value
Chinese character sets: GBK, GB2312, GB18030
Defining path aliases
[root@CentOS7 ~]# mkdir /app/forum
[root@CentOS7 ~]# echo "/app/forum/index.html" >/app/forum/index.html
[root@CentOS7 ~]# mkdir /data/html/bbs
##serve the /app/forum/ directory at 192.168.8.7/bbs/
[root@CentOS7 ~]# vim /etc/httpd/conf.d/test.conf
alias /bbs /app/forum
<Directory "/app/forum">
require all granted
</Directory>
[root@CentOS7 ~]# curl 192.168.8.7/bbs/
/app/forum/index.html
With the configurations above, a web path can be mapped in three ways: a real path, a symbolic link, or an alias
User-based access control
Access to 192.168.8.7 needs no authentication; access to 192.168.8.7/admin requires authentication
[root@CentOS7 ~]# cd /etc/httpd/conf.d/
[root@CentOS7 /etc/httpd/conf.d]# htpasswd -c .httpuser bob #create the file .httpuser and the user bob
[root@CentOS7 /etc/httpd/conf.d]# htpasswd .httpuser alias #create the user alias
[root@CentOS7 /etc/httpd/conf.d]# htpasswd .httpuser rose
[root@CentOS7 /etc/httpd/conf.d]# htpasswd .httpuser jack
[root@CentOS7 /etc/httpd/conf.d]# cat .httpuser #show the users and their password hashes
bob:$apr1$.mOA0wUK$KV9NFnjMTxdUXJOSkkn/h1
alias:$apr1$OsUn4Kfd$2zKxU/U11GhKY1SRa0ua80
rose:$apr1$I9GXKJoS$aEDMHlgHvnbwp8jYPm/kp1
jack:$apr1$u.5ekB21$N0h2PtQDegdMG8541V6hX1
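An added example, not from the original notes and not Apache's own code: a pure-Python reimplementation of APR's $apr1$ algorithm (apr_md5_encode), the format of the .httpuser entries above, with a helper that checks a password against one line of such a file. The comparison is done in constant time; the algorithm is iterated MD5 with a fixed byte permutation, so it is shown here to explain the format, not as a recommendation.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v, n):
    """APR's to64(): n characters, 6 bits each, least significant group first."""
    out = ""
    for _ in range(n):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return out

def apr1_crypt(password, salt):
    """Return '$apr1$<salt>$<hash>' for a password and an up-to-8-character salt."""
    pw = password.encode()
    salt = salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    # mix in the alternate digest, as many bytes as the password has
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[:min(pl, 16)])
    # then one byte per bit of the password length: NUL or the first password byte
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds whose inputs depend on the round number
    for i in range(1000):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    # APR's fixed permutation of the 16 digest bytes into 22 output characters
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in triples)
    out += _to64(final[11], 2)
    return "$apr1$" + salt.decode() + "$" + out

def check_htpasswd_line(line, user, password):
    """True if line is 'user:$apr1$salt$hash' for this user and the password matches."""
    name, _, stored = line.strip().partition(":")
    parts = stored.split("$")  # ['', 'apr1', salt, hash]
    if name != user or len(parts) != 4 or parts[1] != "apr1":
        return False
    # constant-time comparison so timing reveals nothing about the stored hash
    return hmac.compare_digest(apr1_crypt(password, parts[2]), stored)
```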
[root@CentOS7 ~]# mkdir /data/html/admin
[root@CentOS7 ~]# echo "/data/html/admin" >/data/html/admin/index.html
[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf
<Directory "/data/html">
require all granted
</Directory>
<Directory "/data/html/admin">
AuthType Basic
AuthName "admin page" #description shown in the authentication prompt
AuthUserFile "/etc/httpd/conf.d/.httpuser" #user file
Require user rose #only rose may access
</Directory>
[root@CentOS7 /etc/httpd/conf.d]# htpasswd -D .httpuser bob #delete a user
Deleting password for user bob
The entry can also be removed directly with vim .httpuser
The configuration can also be split across files
[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf
<Directory "/data/html/admin">
allowoverride authconfig
</Directory>
[root@CentOS7 ~]# vim /data/html/admin/.htaccess #must sit in the directory the AllowOverride applies to
AuthType Basic
AuthName "admin page"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
Require user rose
Allow every user in the account file to log in:
Require valid-user
Group-based authentication
[root@CentOS7 /etc/httpd/conf.d]# cat .httpgroup
g1:bob alice
g2:jack rose
[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf
<Directory "/data/html/admin">
AuthType Basic
AuthName "admin page"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
AuthGroupFile "/etc/httpd/conf.d/.httpgroup"
Require group g1
</Directory>
Second method
[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf
<Directory "/data/html/admin">
allowoverride authconfig
</Directory>
[root@CentOS7 ~]# vim /data/html/admin/.htaccess
AuthType Basic
AuthName "admin page"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
AuthGroupFile "/etc/httpd/conf.d/.httpgroup"
Require group g1
Sharing users' home directories over HTTP
[root@CentOS7 /etc/httpd/conf.d]# httpd -M |grep user
userdir_module (shared)
[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/userdir.conf
# UserDir disabled #comment this line out
UserDir public_html #uncomment this line
#<Directory "/home/*/public_html">
# AllowOverride FileInfo AuthConfig Limit Indexes
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
# Require method GET POST OPTIONS
#</Directory>
<Directory "/home/wang/public_html"> #added
Require all granted
</Directory>
[root@CentOS7 /etc/httpd/conf.d]# mkdir /home/wang/public_html
[root@CentOS7 /etc/httpd/conf.d]# echo "/home/wang/public_html/index.html" >/home/wang/public_html/index.html
[root@CentOS7 /etc/httpd/conf.d]# setfacl -m u:apache:x /home/wang
[root@CentOS7 ~]# curl 192.168.8.7/~wang/ #access
/home/wang/public_html/index.html
Everyone can access it, which is rather dangerous, so add authentication
[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/userdir.conf
<Directory "/home/wang/public_html">
#Require all granted #remove Require all granted
</Directory>
[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf
<Directory "/home/wang/public_html">
AuthType Basic
AuthName "admin page"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
AuthGroupFile "/etc/httpd/conf.d/.httpgroup"
Require group g1
</Directory>
Status page
[root@CentOS7 /etc/httpd/conf.d]# httpd -M |grep status
status_module (shared)
[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf
<Location "/status">
SetHandler server-status
</Location>
http://192.168.8.7/status/ now shows the server status in real time
Letting everyone access it is too dangerous; restrict it so that only the 192.168.8.0/24 network can reach it
<Location "/status">
SetHandler server-status
<RequireAny>
Require all denied
require ip 192.168.8.0/24
</RequireAny>
</Location>
Virtual hosts
IP-based: prepare at least one IP address for each virtual host
Port-based: use at least one dedicated port for each virtual host
FQDN-based: use at least one FQDN for each virtual host
IP-based virtual hosts
[root@CentOS7 /etc/httpd/conf.d]# mkdir /data/{a,b,c}site
[root@CentOS7 /etc/httpd/conf.d]# echo "/data/asite/index.html" >/data/asite/index.html
[root@CentOS7 /etc/httpd/conf.d]# echo "/data/bsite/index.html" >/data/bsite/index.html
[root@CentOS7 /etc/httpd/conf.d]# echo "/data/csite/index.html" >/data/csite/index.html
[root@CentOS7 /etc/httpd/conf.d]# ip a a 192.168.8.10/24 dev ens33
[root@CentOS7 /etc/httpd/conf.d]# ip a a 192.168.8.20/24 dev ens33
[root@CentOS7 /etc/httpd/conf.d]# ip a a 192.168.8.30/24 dev ens33
[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf
<VirtualHost 192.168.8.10:80>
DocumentRoot "/data/asite"
<Directory "/data/asite">
require all granted
</Directory>
</VirtualHost>
<VirtualHost 192.168.8.20:80>
DocumentRoot "/data/bsite"
<Directory "/data/bsite">
require all granted
</Directory>
</VirtualHost>
<VirtualHost 192.168.8.30:80>
DocumentRoot "/data/csite"
<Directory "/data/csite">
require all granted
</Directory>
</VirtualHost>
[root@CentOS7 ~]# curl 192.168.8.10
/data/asite/index.html
[root@CentOS7 ~]# curl 192.168.8.20
/data/bsite/index.html
[root@CentOS7 ~]# curl 192.168.8.30
/data/csite/index.html
Port-based virtual hosts
[root@CentOS7 /etc/httpd/conf.d]# systemctl restart network #clears the temporary IP addresses
[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf
listen 8080
listen 8070
listen 8090
<VirtualHost *:8080>
DocumentRoot "/data/asite"
<Directory "/data/asite">
require all granted
</Directory>
</VirtualHost>
<VirtualHost *:8090>
DocumentRoot "/data/bsite"
<Directory "/data/bsite">
require all granted
</Directory>
</VirtualHost>
<VirtualHost *:8070>
DocumentRoot "/data/csite"
<Directory "/data/csite">
require all granted
</Directory>
</VirtualHost>
[root@CentOS7 ~]# curl 192.168.8.7:8080
/data/asite/index.html
[root@CentOS7 ~]# curl 192.168.8.7:8090
/data/bsite/index.html
[root@CentOS7 ~]# curl 192.168.8.7:8070
/data/csite/index.html
Name-based (Host header) virtual hosts
<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/data/asite"
CustomLog "logs/asite_access_log" combined #add a per-site log
<Directory "/data/asite">
require all granted
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName www.b.com
DocumentRoot "/data/bsite"
<Directory "/data/bsite">
require all granted
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName www.c.com
DocumentRoot "/data/csite"
<Directory "/data/csite">
require all granted
</Directory>
</VirtualHost>
[root@CentOS7 ~]# vim /etc/hosts #add name resolution on the client
192.168.8.7 www.a.com
192.168.8.7 www.b.com
192.168.8.7 www.c.com
[root@CentOS7 ~]# curl www.a.com
/data/asite/index.html
[root@CentOS7 ~]# curl www.b.com
/data/bsite/index.html
[root@CentOS7 ~]# curl www.c.com
/data/csite/index.html
Compressing text
Use the mod_deflate module to compress pages and speed up transfers
(1) Saves bandwidth at the cost of extra CPU; some older browsers may not support it
(2) Compress only resources that compress well, e.g. text files
LoadModule deflate_module modules/mod_deflate.so
SetOutputFilter DEFLATE
# Restrict compression to these MIME types
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
[root@CentOS7 /etc/httpd/conf.d]# httpd -M |grep deflate
deflate_module (shared)
[root@CentOS7 /etc/httpd/conf.d]# cp /var/log/messages /data/asite/m.txt
[root@CentOS7 /etc/httpd/conf.d]# chmod a+r /data/asite/m.txt
[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf
<VirtualHost *:80>
ServerName www.a.com
CustomLog "logs/asite_access_log" combined
DocumentRoot "/data/asite"
AddOutputFilterByType DEFLATE text/plain #the next three lines add the compression options
AddOutputFilterByType DEFLATE text/html
DeflateCompressionLevel 9 #compression level (1-9)
<Directory "/data/asite">
require all granted
</Directory>
</VirtualHost>
[root@CentOS7 ~]# curl -I --compressed www.a.com/m.txt
Content-Encoding: gzip #compressed
https
Simplified SSL session flow
(1) The client sends the cipher suites it supports and requests the server's certificate
(2) The server sends its certificate and the chosen cipher suite to the client
(3) The client obtains the certificate and verifies it
If it trusts the CA that issued the certificate:
(a) verify the certificate's origin: decrypt the digital signature on the certificate with the CA's public key
(b) verify the certificate's content: integrity check
(c) check the certificate's validity period
(d) check whether the certificate has been revoked
(e) the owner name in the certificate must match the host being accessed
(4) The client generates a temporary session key (symmetric key), encrypts it with the server's public key and sends it to the server, completing the key exchange
(5) The server encrypts the requested resource with this key and returns it to the client
Implementation with mod_ssl
[root@CentOS7 /etc/httpd/conf.d]# yum install mod_ssl
[root@CentOS7 /etc/httpd/conf.d]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.modules.d/00-ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/usr/libexec/httpd-ssl-pass-dialog
/var/cache/httpd/ssl
[root@CentOS7 /etc/httpd/conf.d]# cat ssl.conf
Listen 443 https
[root@CentOS7 /etc/httpd/conf.d]# tree /etc/pki/tls/ #the certificate files have already been generated
/etc/pki/tls/
├── cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
├── certs
│ └── localhost.crt
└── private
└── localhost.key
[root@CentOS7 /etc/httpd/conf.d]# rpm -q --scripts mod_ssl #show the package's install scripts
[root@CentOS7 ~]# systemctl restart httpd
[root@CentOS7 ~]# openssl x509 -in /etc/pki/tls/certs/localhost.crt -noout -text #inspect the self-signed certificate
HTTPS with a private CA
CA server
http server
client machine
[root@CentOS7 ~]# hostname CAserver
Building the CA
[root@CAserver ~]# cd /etc/pki/CA/
[root@CAserver /etc/pki/CA]# (umask 077;openssl genrsa -out private/cakey.pem 4096)
[root@CAserver /etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 <<EOF
CN
beijing
beijing
magedu
devops
ca.magedu.com
admin@magedu.com
EOF
[root@CAserver /etc/pki/CA]# touch /etc/pki/CA/index.txt
[root@CAserver /etc/pki/CA]# echo 01 > /etc/pki/CA/serial
[root@CAserver /etc/pki/CA]# tree
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
Requesting a certificate
[root@CentServer ~]# mkdir /etc/httpd/conf.d/ssl
[root@CentServer ~]# cd /etc/httpd/conf.d/ssl
[root@CentServer /etc/httpd/conf.d/ssl]# (umask 077;openssl genrsa -out httpd.key 2048) #generate the server's private key first
[root@CentServer /etc/httpd/conf.d/ssl]# openssl req -new -key httpd.key -out httpd.csr
CN
beijing
beijing
magedu
devops
www.a.com
[root@CentServer /etc/httpd/conf.d/ssl]# scp httpd.csr 192.168.8.17:/etc/pki/CA
Issuing the certificate
[root@CAserver /etc/pki/CA]# openssl ca -in httpd.csr -out certs/httpd.crt -days 100
[root@CAserver /etc/pki/CA]# scp certs/httpd.crt 192.168.8.7:/etc/httpd/conf.d/ssl
[root@CAserver /etc/pki/CA]# scp cacert.pem 192.168.8.7:/etc/httpd/conf.d/ssl
[root@CentServer ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
Redirecting HTTP to another site
Status:
Permanent: returns the permanent redirect status code 301 (the site is being retired and a new one brought up; used between sites)
Temp: returns the temporary redirect status code 302. This is the default (used for http-to-https redirects)
Accessing www.a.com redirects automatically to www.b.com
<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/data/asite"
CustomLog "logs/asite_access_log" combined
Redirect Permanent / http://www.b.com/
<Directory "/data/asite">
require all granted
</Directory>
</VirtualHost>
[root@CentClient ~]# curl www.a.com
<title>301 Moved Permanently</title> #301 response
[root@CentClient ~]# curl -L www.a.com
/data/bsite/index.html
The client first requests www.a.com; the www.a.com server tells the client to go to www.b.com instead
So two requests are actually made
Virtual host redirect to https
<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/data/asite"
CustomLog "logs/asite_access_log" combined
Redirect Permanent / https://www.a.com/
<Directory "/data/asite">
require all granted
</Directory>
</VirtualHost>
Redirecting the main host from http to https
Remove test.conf so there is only the main web host and no virtual hosts
[root@CentServer ~]# mv /etc/httpd/conf.d/test.conf /etc/httpd/conf.d/test.conf.bak
[root@CentServer ~]# vim /etc/httpd/conf.d/test.conf
DocumentRoot "/var/www/html"
#Redirect temp / https://192.168.8.7/ #would redirect in a loop, because a main-server Redirect is inherited by the https virtual host as well; use the two lines below instead (main-server mod_rewrite rules are not inherited by virtual hosts)
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302]
<Directory "/var/www/html">
Require all granted
</Directory>
[root@CentClient ~]# curl -kL http://192.168.8.7
HSTS
Every client visit costs 2 requests and carries a security risk; once the server is configured for HSTS the client only makes 2 requests the first time, saves the policy, and afterwards the browser goes straight to the https page. Browsers only honour Strict-Transport-Security when it arrives over https, so the header must also be sent by the https virtual host; setting it in the main server configuration, as here, covers both.
[root@CentServer ~]# vim /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html"
#redirect temp / https://www.a.com/
Header always set Strict-Transport-Security "max-age=31536000" #how long the client remembers the policy, in seconds
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302]
[root@proxy ~]# curl -ILk http://192.168.8.7
HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000
Reverse proxy
[root@proxy ~]# vim /etc/httpd/conf.d/test.conf
proxypass "/" "http://192.168.8.7"
ProxyPassReverse "/" "http://192.168.8.7"
[root@proxy ~]# echo "/var/www/html/index.html" >/var/www/html/index.html
[root@CentClient ~]# curl 192.168.8.17 #the request is passed to the backend
/data/html/index.html
Sendfile mechanism
Enabled by default
links
links URL
-dump
-source
wget
wget [option]... [URL]...
-q quiet mode
-c resume an interrupted download
-P /path save into the given directory
-O filename save under the given file name; when filename is -, write to standard output
--limit-rate= limit the transfer rate, with units such as K, M
curl
curl [options] [URL...]
-A/--user-agent set the User-Agent sent to the server
-e/--referer the referring URL
--cacert CA certificate (SSL)
-k/--insecure allow SSL connections without certificate verification
--compressed request a compressed response
-H/--header add a request header
-i show the page content including the response headers
-I/--head show only the response headers
-D/--dump-header save the URL's response headers to the given file
--basic use HTTP basic authentication
-u/--user <user[:password]> set the user and password for the server
-L if a 3xx response is received, re-send the request to the new location
-O save the file locally under the file name from the URL
-o save the remote file under the given file name
--limit-rate limit the transfer speed
-0/--http1.0 the digit 0; use HTTP 1.0
-v/--verbose more detail
-C resume a transfer at a given offset
-c/--cookie-jar save the cookies from the URL to the given file
-x/--proxy <proxyhost[:port]> set the proxy server address
-X/--request send the given request method to the server
-U/--proxy-user user:password user and password for the proxy server
-T upload the given local file to an FTP server
--data/-d send data with a POST request
-b name=data send a value obtained from the server's Set-Cookie back to the server
htpasswd
htpasswd: tool that generates the account/password file used when basic authentication is backed by a file
apachectl
apachectl: the service control script shipped with httpd; supports start and stop
rotatelogs
rotatelogs: log rotation tool
access.log -->
access.log, access.1.log -->
access.log, access.1.log, access.2.log
ab
Load testing tools for httpd
ab, webbench, http_load, siege
Jmeter open source
Loadrunner commercial, with its own certification
tcpcopy: from NetEase; copies real requests from the production environment and saves them
ab [OPTIONS] URL
From the httpd-tools package
-n: total number of requests
-c: number of concurrent requests to simulate
-k: test with persistent connections
ulimit -n # raise the number of files that can be opened
Compiling httpd-2.4.43 (method one)
Install apr-1.4+
cd apr-1.6.2
./configure --prefix=/app/apr
make && make install
Install apr-util-1.4+
cd ../apr-util-1.6.0
./configure --prefix=/app/apr-util --with-apr=/app/apr/
make -j 2 && make install
Compile and install httpd-2.4
cd ../httpd-2.4.27
./configure --prefix=/app/httpd24 \
--enable-so \
--enable-ssl \
--enable-cgi \
--enable-rewrite \
--with-zlib \
--with-pcre \
--with-apr=/app/apr/ \
--with-apr-util=/app/apr-util/ \
--enable-modules=most \
--enable-mpms-shared=all \
--with-mpm=prefork
make -j 4 && make install
Compiling httpd-2.4.43 (method two)
[root@CentOS7 /data]# yum install gcc pcre-devel openssl-devel expat-devel -y
[root@CentOS7 /data]# ls
apr-1.7.0.tar.bz2 apr-util-1.6.1.tar.bz2 httpd-2.4.43.tar.bz2
[root@CentOS7 /data]# tar xvf apr-1.7.0.tar.bz2
[root@CentOS7 /data]# tar xvf apr-util-1.6.1.tar.bz2
[root@CentOS7 /data]# tar xvf httpd-2.4.43.tar.bz2
[root@CentOS7 /data]# mv apr-1.7.0 httpd-2.4.43/srclib/apr
[root@CentOS7 /data]# mv apr-util-1.6.1 httpd-2.4.43/srclib/apr-util
[root@CentOS7 /data]# cd httpd-2.4.43/
[root@CentOS7 /data/httpd-2.4.43]# ./configure \
> --prefix=/app/httpd24 \
> --enable-so \
> --enable-ssl \
> --enable-cgi \
> --enable-rewrite \
> --with-zlib \
> --with-pcre \
> --with-included-apr \
> --enable-modules=most \
> --enable-mpms-shared=all
[root@CentOS7 /data/httpd-2.4.43]# make -j 4 && make install
[root@CentOS7 /app/httpd24]# echo 'PATH=/app/httpd24/bin:$PATH' >/etc/profile.d/http.sh
[root@CentOS7 /app/httpd24]# source /etc/profile.d/http.sh
[root@CentOS7 /app/httpd24]# apachectl start
[root@CentOS7 /app/httpd24]# apachectl stop
Start at boot (method one)
[root@CentOS7 /app/httpd24]# vim /etc/rc.d/rc.local
/app/httpd24/bin/apachectl start
[root@CentOS7 /app/httpd24]# chmod +x /etc/rc.d/rc.local
Start at boot (method two)
[root@CentOS6 ~]# scp /etc/rc.d/init.d/httpd 192.168.8.7:/etc/rc.d/init.d/httpd #copy the init script from a CentOS 6 machine
[root@CentOS7 /app/httpd24]# vim /etc/rc.d/init.d/httpd
apachectl=/app/httpd24/bin/apachectl
httpd=${HTTPD-/app/httpd24/bin/httpd}
pidfile=${PIDFILE-/app/httpd24/logs/httpd.pid}
[root@CentOS7 /app/httpd24]# service httpd start #start
[root@CentOS7 /app/httpd24]# service httpd stop #stop
[root@CentOS7 /app/httpd24]# chkconfig --level 345 httpd on #start at boot