一、Apache HTTP Server简介

Linux下最有名的、功能最丰富的WEB服务器就属Apache HTTP Server(简称Apache)。

Apache HTTP Server是Apache软件基金会最有名的开源项目之一,它可以在大多数操作系统上运行。

目前官网的主要版本为2.2和2.4。CentOS 6使用2.2版本,CentOS 7使用2.4版本。

目前生产环境中部署2.2版本的居多,但是2.4版本有很多新的特性,下面就简要说明以下:

(1)运行时动态可装载MPM

在2.4版本中,MPM可以被编程成可装载的模块。在运行时,只要配置使用什么MPM即可。

(2)支持Event MPM

正式支持Event MPM,之前是作为试验性的。

(3)更好的异步读写支持

(4)在每模块及每目录分别使用不同的日志级别

(5)基于每一个请求可以使用<If>、<ElseIf>和<Else>配置

(6)增强版的表达式分析器

(7)可以毫秒级控制KeepAliveTimeout

(8)不再需要NameVirtualHost指令

(9)可以在配置中使用自定义变量

(10)比2.2版本使用更少的内存

(11)增加了很多新的Module,例如mod_proxy_fcgi, mode_ratelimit, mod_request, mod_remoteip。同时还增强了很多Module

(12)访问控制的改变

2.2 configuration: 
 
Order deny,allow 
Deny from all 
 
2.4 configuration: 
 
Require all denied 
 
2.2 configuration: 
 
Order allow,deny 
Allow from all 
2.4 configuration: 
 
Require all granted 
 
2.2 configuration: 
 
Order Deny,Allow 
Deny from all 
Allow from example.org 
 
2.4 configuration: 
 
Require host example.org

鉴于V2.4引入了这么多新的功能,生产环境安装V2.4也是非常必要。

 

二、编译安装

(一)准备工作

1、开发库

源代码编译安装需要依赖众多开发库,请使用yum安装。将CentOS光盘挂载到/media/cdrom,配置本地yum源备用。配置yun请参看博主博文 《Linux的程序安装和包管理》,此类博文很多,这里不再赘述。使用下面的语句安装开发环境。

# yum groupinstall "Development tools" "Server Platform Development"

官网下载httpd-2.4.10.tar.bz2

实验环境是CentOS 6.5,默认已经安装了2.2版本,把V2.2停止掉。

[root@www named]# service httpd stop 
[root@www named]# chkconfig httpd off 
[root@www named]# chkconfig --list httpd 
httpd              0:off    1:off    2:off    3:off    4:off    5:off    6:off 
[root@www ~]# tar xf httpd-2.4.10.tar.bz2

2、apr安装

httpd依赖apr(Apache Portable Runtime),且2.4版本依赖较新的apr版本,要求是1.4以上。CentOS 6安装的是1.3.9

http://apr.apache.org下载apr-1.5.1.tar.bz2和apr-util-1.5.3.tar.bz2。

[root@www ~]# tar xf apr-1.5.1.tar.bz2 
[root@www ~]# tar xf apr-util-1.5.3.tar.bz2
 
[root@www ~]# cd apr-1.5.1
[root@www apr-1.5.1]# ./configure --prefix=/usr/local/apr15
[root@www apr-1.5.1]# make && make install
 
[root@www ~]# cd ~/apr-util-1.5.3
[root@www apr-util-1.5.3]# ./configure --prefix=/usr/local/aprutil15 --with-apr=/usr/local/apr15/
[root@www apr-util-1.5.3]# make && make install

3、安装httpd

configure常用选项

名称说明取值
--prefix程序安装目录,默认安装在/usr/local/apache2/usr/local/apache24
--sysconfdir配置文件目录/etc/httpd24
--enable-so启用DSO功能 
--enable-modules空白字符分隔的module列表,也可以是"all" | "most" | "few" | "none" | "reallyall"most
--enable-sslSSL/TLS支持(mod_ssl) 
--enable-cgi支持CGI 
--enable-rewrite服务器端重写 
--with-pcre使用PCRE库 
--with-apr指定apr路径/usr/local/apr15/
--with-apr-util指定apr-util路径/usr/local/aprutil15/
--with-z使用zlib库 
--enable-mpms-shared空白字符分隔的MPM Module动态加载列表,可以是用allall
--with-mpm=MPMApache使用的默认处理模型,MPM={event|worker|prefork|winnt}event
[root@www ~]# cd httpd-2.4.10 
[root@www httpd-2.4.10]# ./configure --prefix=/usr/local/apache24 --sysconfdir=/etc/httpd24 --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-z --with-pcre --with-apr=/usr/local/apr15/ --with-apr-util=/usr/local/aprutil15/ --enable-mpms-shared=all --with-mpm=event --enable-modules=most 
[root@www httpd-2.4.10]# make && make install

 

安装目录和文件说明

/etc/httpd24配置主目录
/etc/httpd24/extra额外配置目录
/etc/httpd24/httpd.conf主配置文件
/usr/local/apache24/htdocs站点根目录
/usr/local/apache24/error预置的错误文档目录
/usr/local/apache24/cgi-binCGI目录
/usr/local/apache24/include头文件目录,二次开发用,必要时可以导出
/usr/local/apache24/man帮助手册,需要导出
/usr/local/apache24/modulesDSO模块目录
/usr/local/apache24/bin可执行文件目录
/usr/local/apache24/logs日志目录

导出bin目录

[root@www ~]# cd /etc/profile.d/ 
[root@www profile.d]# vim httpd24.sh 
PATH=/usr/local/apache24/bin:$PATH 
export PATH

然后重启连接会话

导出man目录

在/etc/man.config 中加入一条

MANPATH /usr/local/apache24/man

即可生效

导出头文件目录

[root@www /]# ln -s /usr/local/apache24/include/ /usr/include/apache

apachectl

apachectl是/usr/local/apache24/bin下的一个shell脚本。通过它可以控制httpd的启动、关闭、重启、优雅重启动、优雅关闭。

所谓优雅,就是不蛮横,重启或者关闭前如果有连接就不会立即终止连接。

第一次尝试启动

[root@www ~]# apachectl start
 
[root@www ~]# ss -tnlp | grep :80 
LISTEN     0      128                      :::80                      :::*      users:(("httpd",2308,4),("httpd",2309,4),("httpd",2310,4),("httpd",2311,4))
 
[root@www ~]# httpd -D DUMP_MODULES 
Loaded Modules: 
core_module (static) 
so_module (static) 
http_module (static) 
authn_file_module (shared) 
authn_core_module (shared) 
authz_host_module (shared) 
authz_groupfile_module (shared) 
authz_user_module (shared) 
authz_core_module (shared) 
access_compat_module (shared) 
auth_basic_module (shared) 
reqtimeout_module (shared) 
filter_module (shared) 
mime_module (shared) 
log_config_module (shared) 
env_module (shared) 
headers_module (shared) 
setenvif_module (shared) 
version_module (shared) 
mpm_event_module (shared) 
unixd_module (shared) 
status_module (shared) 
autoindex_module (shared) 
dir_module (shared) 
alias_module (shared)

浏览器测试一下

image

 

三、实验

实验规划

虚拟主机规划

(一)虚拟主机

编辑/etc/httpd24/httpd.conf,启用虚拟主机

# Virtual hosts 
Include /etc/httpd24/extra/httpd-vhosts.conf

编辑/etc/httpd24/extra/httpd-vhosts.conf

<VirtualHost *:80>
    ServerAdmin webmaster@example.com 
    DocumentRoot "/web/vhosts/www.example.com" 
    ServerName www.example.com 
    ErrorLog "logs/www.example.com-error_log" 
    CustomLog "logs/www.example.com-access_log" common 
</VirtualHost>
 
<Directory "/web/vhosts/www.example.com">
        Require all granted 
</Directory>
 
<VirtualHost *:80>
    ServerAdmin admin@www.test.com 
    DocumentRoot "/web/vhosts/www.test.com" 
    ServerName www.test.com 
    ErrorLog "logs/www.test.com-error_log" 
    CustomLog "logs/www.test.com-access_log" common 
</VirtualHost>
 
<Directory "/web/vhosts/www.test.com">
    Require all granted 
</Directory> 
 
 
[root@www ~]# httpd -t 
Syntax OK 
[root@www ~]# apachectl restart

修改浏览器端Windows的C:\Windows\System32\drivers\etc\hosts文件,追加下面2句:

192.168.60.171 www.example.com
192.168.60.171 www.test.com

使用浏览器,分别测试www.example.com和www.test.com,成功。

image

 

(二)server-status处理器

这次在www.test.com中实现server-status

首先查看/etc/httpd24/httpd.conf,确保LoadModule status_module modules/mod_status.so启用。

再查看是否已经加载了该模块

[root@www ~]# httpd -D DUMP_MODULES | grep status 
status_module (shared)

编辑/etc/httpd24/extra/httpd-vhosts.conf

<VirtualHost *:80>
    ServerAdmin admin@www.test.com 
    DocumentRoot "/web/vhosts/www.test.com" 
    ServerName www.test.com 
    ErrorLog "logs/www.test.com-error_log" 
    CustomLog "logs/www.test.com-access_log" common 
 
    <Location /server-status>
        SetHandler server-status 
        Require all granted 
    </Location>
</VirtualHost>

使用浏览器查看

server-status处理器

 

(三)基于用户的访问控制

使用apache提供的工具htpasswd生成密码文件

[root@www ~]# mkdir /usr/local/apache24/passwd/ -pv 
mkdir: created directory `/usr/local/apache24/passwd/' 
[root@www ~]# htpasswd -cmb /usr/local/apache24/passwd/passwds admin admin 
Adding password for user admin 
[root@www ~]# htpasswd -mb /usr/local/apache24/passwd/passwds test test 
Adding password for user test
 
[root@www ~]# cat /usr/local/apache24/passwd/passwds 
admin:$apr1$GTF5UfZ2$Y66fn/HsTFWBNKRVGVyql/ 
test:$apr1$wGS5AyJJ$dCx6XjHj3LsK3bZG4BZ/k0

对server-status进行控制,修改/etc/httpd24/extra/httpd-vhosts.conf文件

<VirtualHost *:80>
    ServerAdmin admin@www.test.com 
    DocumentRoot "/web/vhosts/www.test.com" 
    ServerName www.test.com 
    ErrorLog "logs/www.test.com-error_log" 
    CustomLog "logs/www.test.com-access_log" common 
 
    <Location /server-status>
        SetHandler server-status 
#        Require all granted 
        AuthType Basic 
        AuthName "Restricted Files" 
        # (Following line optional) 
        AuthBasicProvider file 
        AuthUserFile /usr/local/apache24/passwd/passwds 
        Require user admin 
    </Location>
</VirtualHost>

重启httpd服务,验证配置

http://192.168.60.171/server-status,返回404错误

http://www.example.com/server-status,返回404错误

http://www.test.com/server-status,提示输入用户名和密码。

基于用户访问控制

由于只允许admin用户登录,输入后,打开server-status网页,不再演示。

 

(四)HTTPS配置

LoadModule ssl_module modules/mod_ssl.so

# Secure (SSL/TLS) connections 
Include /etc/httpd24/extra/httpd-ssl.conf

然后编辑/etc/httpd24/extra/httpd-ssl.conf,其中<Directory>指令很重要,指定目录的访问权限。否则即使以下所有步骤成功,也无法登录页面,返回403错误。

Listen 443
<VirtualHost _default_:443>
 
#   General setup for the virtual host
DocumentRoot "/web/vhosts/www.ssl.com"
ServerName www.ssl.com
ServerAdmin master@ssl.com
ErrorLog "/usr/local/apache24/logs/ssl_error_log"
TransferLog "/usr/local/apache24/logs/ssl_access_log"
 
<Directory "/web/vhosts/www.ssl.com">
        Require all granted
</Directory>
 
SSLCertificateFile "/etc/httpd24/server.crt"
SSLCertificateKeyFile "/etc/httpd24/server.key"

本地已经搭好了一个CA中心,使用openssl生成密钥,同时生成证书申请,CA来签发。放在指定的目录

[root@www ~]# cd /etc/httpd24/
 
[root@www httpd24]# (umask 077;openssl genrsa -out /etc/httpd24/server.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................................................................................+++
............................................................................+++
e is 65537 (0x10001)
 
[root@www httpd24]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [JS]:JS
Locality Name (eg, city) [NJ]:NJ
Organization Name (eg, company) [NJU]:NJU
Organizational Unit Name (eg, section) [Heyuan]:Heyuan
Common Name (eg, your name or your server's hostname) []:www.ssl.com
Email Address []:webmaster@ssl.com 
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 
[root@www httpd24]# openssl ca -in server.csr -out server.crt -days 1500
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 3 (0x3)
        Validity
            Not Before: Aug 10 05:03:20 2014 GMT
            Not After : Sep 18 05:03:20 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = JS
            organizationName          = NJU
            organizationalUnitName    = Heyuan
            commonName                = www.ssl.com
            emailAddress              = webmaster@ssl.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                40:8C:41:3D:C2:A6:AA:4E:05:54:D8:A0:4C:84:B6:1F:60:70:6B:83
            X509v3 Authority Key Identifier: 
                keyid:96:FC:F0:32:D4:A4:47:D0:77:D3:1D:C1:A4:56:44:4D:48:01:7A:B6 
 
Certificate is to be certified until Sep 18 05:03:20 2018 GMT (1500 days)
Sign the certificate? [y/n]:y 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
 

证书和密钥放到了指定的位置,下面做配置文件的语法检查,出错了。mod_socache_shmcb模块没有安装,启用LoadModule socache_shmcb_module modules/mod_socache_shmcb.so。重启服务,OK通过。

[root@www ~]# httpd -t
AH00526: Syntax error on line 73 of /etc/httpd24/extra/httpd-ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
 
[root@www ~]# httpd -t
Syntax OK
[root@www ~]# apachectl restart
 
[root@www httpd24]# httpd -D DUMP_MODULES | grep ssl
 ssl_module (shared)

同样配置本地Windows的C:\Windows\System32\drivers\etc\hosts文件,追加如下记录:

192.168.60.171 www.ssl.com

好了,现在开始测试一下。已经安装过CA证书。

https测试

 

至此,所有实验完成。