HTTP协议和APACHE

配置文件:
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/*.conf
检查配置语法:
httpd -t

站点网页文档根目录:
/var/www/html

修改监听的IP和Port
Listen [IP:]PORT

模块文件路径:
/etc/httpd/modules
/usr/lib64/httpd/modules

日志文件目录:
/var/log/httpd
access_log: 访问日志
error_log:错误日志

常见配置

ServerTokens显示服务器版本信息

Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full

[root@CentOS7 /etc/httpd/conf]# vim httpd.conf
Include conf.modules.d/*.conf           #在以下目录会生效
IncludeOptional conf.d/*.conf

[root@CentOS7 ~]# curl -I 192.168.8.7     #访问显示版本
Server: Apache/2.4.6 (CentOS)        

[root@CentOS7 /etc/httpd/conf.d]# cat test.conf 
ServerTokens Prod
[root@CentOS7 /etc/httpd/conf.d]# systemctl restart httpd

[root@CentOS7 ~]# curl -I 192.168.8.7        #修改后不显示版本详细信息
Server: Apache


配置 对应显示
ServerTokens Major Server: Apache/2
ServerTokens Minor Server: Apache/2.4
ServerTokens Min[imal] Server: Apache/2.4.6
ServerTokens OS Server: Apache/2.4.6 (CentOS)系统默认
ServerTokens Prod[uctOnly] Server: Apache
ServerTokens Full Server: Apache/2.4.6 (CentOS)

建议使用:ServerTokens Prod

修改监听的IP和Port
[root@CentOS7 /etc/httpd/conf]# vim httpd.conf
Listen 80
Listen 8080
[root@CentOS7 /etc/httpd/conf.d]# ss -ntl
 [::]:8080                                                               
 [::]:80  
持久连接

Persistent Connection:连接建立,每个资源获取完成后不会断开连接,而是继续等待其它的请求完成,默认关闭持久连接
断开条件:时间限制:以秒为单位, 默认5s,httpd-2.4 支持毫秒级
副作用:对并发访问量大的服务器,持久连接会使有些请求得不到响应
折衷:使用较短的持久连接时间

[root@CentOS7 /etc/httpd/conf.d]# cat test.conf
ServerTokens Prod                                                                                                                                     
KeepAliveTimeout 15

测试:telnet WEB_SERVER_IP PORT
GET /URL HTTP/1.1
Host: WEB_SERVER_IP

加载模块配置
[root@CentOS7 /etc/httpd/conf.modules.d]# grep auth *
00-base.conf:LoadModule auth_basic_module modules/mod_auth_basic.so
[root@CentOS7 /etc/httpd/conf.modules.d]# cat 00-base.conf |grep auth 
LoadModule auth_basic_module modules/mod_auth_basic.so    生效格式

[root@CentOS7 /etc/httpd/conf.modules.d]# httpd -l      查看静态编译的模块
Compiled in modules: 
  core.c
  mod_so.c
  http_core.c
[root@CentOS7 /etc/httpd/conf.modules.d]# httpd -M     查看静态编译及动态装载的模块

MPM( Multi-Processing Module)多路处理模块
prefork, worker, event

[root@CentOS7 /etc/httpd/conf.modules.d]# vim 00-mpm.conf
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so    #默认启用
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
#LoadModule mpm_event_module modules/mod_mpm_event.so

[root@CentOS7 /etc/httpd/conf.modules.d]# vim ../conf.d/test.conf    prefork的配置
StartServers 1000
MinSpareServers 1000
MaxSpareServers 1000
ServerLimit 1000              最多进程数,最大值 20000
MaxClients 1000               最大的并发连接数                                                                                                                          
MaxRequestsPerChild 4000      子进程最多能处理的请求数量

[root@CentOS7 /etc/httpd/conf.modules.d]# pstree -p |grep httpd |wc -l
1000
[root@CentOS7 /etc/httpd/conf.modules.d]# ps aux|grep httpd |wc -l
1002

[root@CentOS7 ~]# ab -c1000 -n 2000 http://192.168.8.7/test.txt     #测试并发性能

[root@CentOS7 /etc/httpd/conf.modules.d]# vim 00-mpm.conf     #启用worker
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule mpm_worker_module modules/mod_mpm_worker.so
#LoadModule mpm_event_module modules/mod_mpm_event.so

[root@CentOS7 /etc/httpd/conf.modules.d]# vim ../conf.d/test.conf    worker的配置
ServerLimit 16
StartServers 2
MaxRequestWorkers 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
定义’Main’ server的文档页面路径
[root@CentOS7 ~]# vim /etc/httpd/conf/httpd.conf
#DocumentRoot "/var/www/html"           #定义网页文档根目录,centos6可以直接注释掉修改路径
 
[root@CentOS7 ~]# vim /etc/httpd/conf.d/test.conf 
DocumentRoot "/data/html"             #访问报错,centos7需要添加权限(以下几行)       
<Directory "/data/html">
    Require all granted                                                                                                                               
</Directory>

[root@CentOS7 ~]# curl 192.168.8.7       #修改后访问路径已经改变
/data/html/index.html

[root@CentOS7 /data/html]# mkdir news       #该目录下常见目录
[root@CentOS7 /data/html]# echo news >news/index.html
            
[root@CentOS7 ~]# curl http://192.168.8.7/news/    能访问
news

[root@CentOS7 /data/html]# mkdir /app/dir -p
[root@CentOS7 /data/html]# echo 'welcome to magedu' >/app/dir/index.html  
需要访问/app/dir/index.html,可以软链接方式实现

[root@CentOS7 /data/html]# ln -s /app/dir/ /data/html/sports

[root@CentOS7 ~]# curl http://192.168.8.7/sports/     #可以正常访问
welcome to magedu
外网访问的目录可以在任何地方,只需通过软链接即可

定义站点主页面

以上访问默认找index.html

[root@CentOS7 ~]# vim /etc/httpd/conf/httpd.conf
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

[root@CentOS7 ~]# vim /etc/httpd/conf/httpd.conf
<IfModule dir_module>
    DirectoryIndex test.txt index.html     修改后先找test.txt没有再找index.html
</IfModule>

[root@CentOS7 /data/html]# echo test > test.txt
[root@CentOS7 /data/html]# ls
index.html  news  sports  test.txt

[root@CentOS7 ~]# curl 192.168.8.7     #显示的时test.txt内容
test

[root@CentOS7 /data/html]# rm -f test.txt  
[root@CentOS7 ~]# curl 192.168.8.7       #删除test.txt后显示index.html内容
/data/html/index.html

[root@CentOS7 /data/html]# rm -f index.html     
删除后报错;报错页面由下面的配置决定,页面内容来自于/usr/share/httpd/noindex/index.html
[root@CentOS7 ~]# vim /etc/httpd/conf.d/welcome.conf 
<LocationMatch "^/+$">           #1个以上/
    Options -Indexes
    ErrorDocument 403 /.noindex.html
</LocationMatch>
Alias /.noindex.html /usr/share/httpd/noindex/index.html

[root@CentOS7 ~]# curl 192.168.8.7///        #/多个也能访问
index.html 

[root@CentOS7 ~]# mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.bak
welcome.conf移除后彻底报错
You don't have permission to access / on this server.

站点访问控制常见机制

可基于两种机制指明对哪些资源进行何种访问控制
访问控制机制有两种:客户端来源地址,用户账号
文件系统路径:
<Directory "/path">


<Files "/path/file">


<FilesMatch "PATTERN">


URL路径:
<Location "">


<LocationMatch "">


示例:
<FilesMatch "\.(gif|jpe?g|png)$">
<Files "?at.*"> 通配符
<Location /status>
<LocationMatch "/(extra|special)/data">

Options

Indexes:指明的URL路径下不存在与定义的主页面资源相符的资源文件时,返回索引列表给用户
FollowSymLinks:允许访问符号链接文件所指向的源文件
None:全部禁用
All: 全部允许

[root@CentOS7 ~]# vim /etc/httpd/conf.d/test.conf
<Directory "/data/html">
    Require all granted
    Options Indexes FollowSymLinks          #添加会出现索引列表                                                                                                             
</Directory>
不安全;一般只有提供文件下载的站点(如 aliyun 的 rpm 源)才适合开启
AllowOverride

与访问控制相关的哪些指令可以放在指定目录下的.htaccess(由AccessFileName指定)文件中,覆盖之前的配置指令
只对<Directory>语句有效
AllowOverride All: .htaccess中所有指令都有效
AllowOverride None: .htaccess 文件无效
AllowOverride AuthConfig .htaccess 文件中,除了AuthConfig 其它指令都无法生效

[root@CentOS7 ~]# vim /etc/httpd/conf/httpd.conf 
<Directory />
    AllowOverride none      # .htaccess 文件无效
    Require all denied
</Directory>

[root@CentOS7 /data/html]# vim .htaccess
Options Indexes FollowSymLinks      #从/etc/httpd/conf.d/test.conf删除,写入.htaccess
不能访问,把AllowOverride none修改AllowOverride yes(生效),可以访问

.htaccess 放在网站目录下本身有风险,但由于存在如下配置,外部用户无法访问它:
<Files ".ht*">
    Require all denied
</Files>

可以根据这种禁止访问内容

基于IP的访问控制:

<RequireAll>
Require all granted
Require not ip 172.16.1.1 拒绝特定IP
</RequireAll>

<RequireAny>
Require all denied
require ip 172.16.1.1 允许特定IP
</RequireAny>

[root@CentOS7 ~]# vim /etc/httpd/conf.d/test.conf 
<Directory "/data/html">
<RequireAll>
Require all granted
Require not ip 192.168.8.17
</RequireAll>                                                                                                                                         
</Directory>
##只有192.168.8.17不能访问


日志设定

访问日志:
定义日志格式:LogFormat format strings

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

使用日志格式(最后一个参数需与上面 LogFormat 定义的格式名一致):
CustomLog logs/access_log testlog
参考帮助:http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats
%h 客户端IP地址
%l 远程用户,启用mod_ident才有效,通常为减号“-”
%u 验证(basic,digest)远程用户,非登录访问时,为一个减号“-”
%t 服务器收到请求时的时间
%r First line of request,即表示请求报文的首行;记录了此次请求的“方法”,“URL”以及协议版本
%>s 响应状态码
%b 响应报文的大小,单位是字节;不包括响应报文http首部
%{Referer}i 请求报文中首部“referer”的值;即从哪个页面中的超链接跳转至当前页面的
%{User-Agent}i 请求报文中首部“User-Agent”的值;即发出请求的应用程序

设定字符集

AddDefaultCharset UTF-8 此为默认值
中文字符集:GBK, GB2312, GB18030

定义路径别名
[root@CentOS7 ~]# mkdir /app/forum
[root@CentOS7 ~]# echo "/app/forum/index.html" >/app/forum/index.html
[root@CentOS7 ~]# mkdir /data/html/bbs
##通过192.168.8.7/bbs/访问/app/forum/目录

[root@CentOS7 ~]# vim /etc/httpd/conf.d/test.conf 
alias /bbs /app/forum                                                                                                                                 
<Directory "/app/forum">
require all granted
</Directory>

[root@CentOS7 ~]# curl 192.168.8.7/bbs/
/app/forum/index.html

通过以上配置,web访问路径有真实路径、软链接、别名三种配置方法

基于用户的访问控制

访问192.168.8.7不需验证,访问192.168.8.7/admin需要验证

[root@CentOS7 ~]# cd /etc/httpd/conf.d/
[root@CentOS7 /etc/httpd/conf.d]# htpasswd -c .httpuser bob     创建文件.httpuser,并创建用户bob
[root@CentOS7 /etc/httpd/conf.d]# htpasswd .httpuser alias      创建用户alias
[root@CentOS7 /etc/httpd/conf.d]# htpasswd .httpuser rose
[root@CentOS7 /etc/httpd/conf.d]# htpasswd .httpuser jack
[root@CentOS7 /etc/httpd/conf.d]# cat .httpuser      #查看用户及密码
bob:$apr1$.mOA0wUK$KV9NFnjMTxdUXJOSkkn/h1
alias:$apr1$OsUn4Kfd$2zKxU/U11GhKY1SRa0ua80
rose:$apr1$I9GXKJoS$aEDMHlgHvnbwp8jYPm/kp1
jack:$apr1$u.5ekB21$N0h2PtQDegdMG8541V6hX1

[root@CentOS7 ~]# mkdir /data/html/admin
[root@CentOS7 ~]# echo "/data/html/admin" >/data/html/admin/index.html


[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf
<Directory "/data/html">
require all granted
</Directory>

<Directory "/data/html/admin">
AuthType Basic
AuthName "admin page"                   #描述
AuthUserFile "/etc/httpd/conf.d/.httpuser"             #用户文件
Require user rose                   #允许rose访问                                                                                                                                     
</Directory>

[root@CentOS7 /etc/httpd/conf.d]# htpasswd -D .httpuser bob     #删除用户
Deleting password for user bob
也可以用 vim 直接编辑 .httpuser 删除对应行

把认证配置分开放在 .htaccess 中也可以实现

[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf
<Directory "/data/html/admin">   
allowoverride   authconfig                                                                                                                                
</Directory>

[root@CentOS7 ~]# vim /data/html/.htaccess 
AuthType Basic
AuthName "admin page"                                                                                                                                 
AuthUserFile "/etc/httpd/conf.d/.httpuser"
Require user rose

允许账号文件中的所有用户登录访问:
Require valid-user

实现组访问验证

[root@CentOS7 /etc/httpd/conf.d]# cat .httpgroup 
g1:bob alice
g2:jack rose

[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf
<Directory "/data/html/admin">
AuthType Basic                                                                                                                                        
AuthName "admin page"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
AuthGroupFile "/etc/httpd/conf.d/.httpgroup"
Require group g1
</Directory>
  

第二种方式:

[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf
<Directory "/data/html/admin">
allowoverride   authconfig 
</Directory>

[root@CentOS7 ~]# vim /data/html/.htaccess 
AuthType Basic                                                                                                                                        
AuthName "admin page"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
AuthGroupFile "/etc/httpd/conf.d/.httpgroup"
Require group g1
实现用户家目录的http共享
[root@CentOS7 /etc/httpd/conf.d]# httpd -M |grep user
 userdir_module (shared)

[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/userdir.conf
# UserDir disabled                              增加注释
UserDir public_html                             去掉注释
#<Directory "/home/*/public_html">
#  AllowOverride FileInfo AuthConfig Limit Indexes
#  Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#  Require method GET POST OPTIONS
#</Directory>
<Directory "/home/wang/public_html">         新增
Require all granted                                                                                                                                   
</Directory>

[root@CentOS7 /etc/httpd/conf.d]# mkdir /home/wang/public_html
[root@CentOS7 /etc/httpd/conf.d]# echo "/home/wang/public_html/index.html" >/home/wang/public_html/index.html
[root@CentOS7 /etc/httpd/conf.d]# setfacl -m u:apache:x /home/wang

[root@CentOS7 ~]# curl 192.168.8.7/~wang/       访问
/home/wang/public_html/index.html


所有人都能访问,比较危险,需要加上验证

[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/userdir.conf
<Directory "/home/wang/public_html">        
#Require all granted                                 去掉Require all granted                                                                                                              
</Directory>

[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf
<Directory "/home/wang/public_html">
AuthType Basic                                                                                                                                        
AuthName "admin page"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
AuthGroupFile "/etc/httpd/conf.d/.httpgroup"
Require group g1                                                                                                                                      
</Directory>

status页面
[root@CentOS7 /etc/httpd/conf.d]# httpd -M |grep status
 status_module (shared)

[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf 
<Location "/status">
SetHandler server-status
</Location>

http://192.168.8.7/status/能够实时监控系统

所有人都能访问太危险,设置成只有192.168.8.0/24网段才能访问

<Location "/status">
SetHandler server-status
<RequireAny>
Require all denied
require ip 192.168.8.0/24
</RequireAny>                                                                                                                                         
</Location>

虚拟主机

基于ip:为每个虚拟主机准备至少一个ip地址
基于port:为每个虚拟主机使用至少一个独立的port
基于FQDN:为每个虚拟主机使用至少一个FQDN

基于IP地址实现虚拟主机
[root@CentOS7 /etc/httpd/conf.d]# mkdir /data/{a,b,c}site
[root@CentOS7 /etc/httpd/conf.d]# echo "/data/asite/index.html" >/data/asite/index.html
[root@CentOS7 /etc/httpd/conf.d]# echo "/data/bsite/index.html" >/data/bsite/index.html
[root@CentOS7 /etc/httpd/conf.d]# echo "/data/csite/index.html" >/data/csite/index.html
[root@CentOS7 /etc/httpd/conf.d]# ip a a 192.168.8.10/24 dev ens33
[root@CentOS7 /etc/httpd/conf.d]# ip a a 192.168.8.20/24 dev ens33
[root@CentOS7 /etc/httpd/conf.d]# ip a a 192.168.8.30/24 dev ens33

[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf
<VirtualHost 192.168.8.10:80>
DocumentRoot "/data/asite"
<Directory "/data/asite">
require all granted
</Directory>
</VirtualHost>

<VirtualHost 192.168.8.20:80>
DocumentRoot "/data/bsite"
<Directory "/data/bsite">
require all granted
</Directory>
</VirtualHost>

<VirtualHost 192.168.8.30:80>
DocumentRoot "/data/csite"
<Directory "/data/csite">                                                                                                                             
require all granted
</Directory>
</VirtualHost>

[root@CentOS7 ~]# curl 192.168.8.10
/data/asite/index.html
[root@CentOS7 ~]# curl 192.168.8.20
/data/bsite/index.html
[root@CentOS7 ~]# curl 192.168.8.30
/data/csite/index.html

基于端口实现虚拟主机
[root@CentOS7 /etc/httpd/conf.d]# systemctl restart network    清除临时IP

[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf
listen 8080
listen 8070
listen 8090
                                                                                                                                                      
<VirtualHost *:8080>
DocumentRoot "/data/asite"
<Directory "/data/asite">
require all granted
</Directory>
</VirtualHost>

<VirtualHost *:8090>
DocumentRoot "/data/bsite"
<Directory "/data/bsite">
require all granted
</Directory>
</VirtualHost>

<VirtualHost *:8070>
DocumentRoot "/data/csite"
<Directory "/data/csite">
require all granted
</Directory>
</VirtualHost>


[root@CentOS7 ~]# curl 192.168.8.7:8080
/data/asite/index.html
[root@CentOS7 ~]# curl 192.168.8.7:8090
/data/bsite/index.html
[root@CentOS7 ~]# curl 192.168.8.7:8070
/data/csite/index.html

基于域名(主机头)实现虚拟主机
<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/data/asite"
CustomLog "logs/asite_access_log" combined      #添加日志
<Directory "/data/asite">
require all granted
</Directory>
</VirtualHost>

<VirtualHost *:80>
ServerName www.b.com
DocumentRoot "/data/bsite"
<Directory "/data/bsite">
require all granted
</Directory>
</VirtualHost>

<VirtualHost *:80>
ServerName www.c.com
DocumentRoot "/data/csite"
<Directory "/data/csite">
require all granted                                                                                                                                   
</Directory>
</VirtualHost>

[root@CentOS7 ~]# vim /etc/hosts        #客户机添加解析dns
192.168.8.7 www.a.com
192.168.8.7 www.b.com
192.168.8.7 www.c.com 

[root@CentOS7 ~]# curl www.a.com
/data/asite/index.html
[root@CentOS7 ~]# curl www.b.com
/data/bsite/index.html
[root@CentOS7 ~]# curl www.c.com
/data/csite/index.html  
                 
压缩文本

使用mod_deflate模块压缩页面优化传输速度
(1) 节约带宽,额外消耗CPU;同时,可能有些较老浏览器不支持
(2) 压缩适于压缩的资源,例如文本文件
LoadModule deflate_module modules/mod_deflate.so
SetOutputFilter DEFLATE
# Restrict compression to these MIME types
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css

[root@CentOS7 /etc/httpd/conf.d]# httpd -M |grep deflate
 deflate_module (shared)

[root@CentOS7 /etc/httpd/conf.d]# cp /var/log/messages /data/asite/m.txt
[root@CentOS7 /etc/httpd/conf.d]# chmod a+r  /data/asite/m.txt

[root@CentOS7 /etc/httpd/conf.d]# vim /etc/httpd/conf.d/test.conf 
<VirtualHost *:80>
ServerName www.a.com
CustomLog "logs/asite_access_log" combined
DocumentRoot "/data/asite"
AddOutputFilterByType DEFLATE text/plain        #以下三句为添加压缩选项
AddOutputFilterByType DEFLATE text/html
DeflateCompressionLevel 9                       #压缩级别(1-9)
<Directory "/data/asite">
require all granted
</Directory>                                                                                                                                          
</VirtualHost>

[root@CentOS7 ~]# curl -I --compress www.a.com/m.txt
Content-Encoding: gzip            压缩

https

SSL会话的简化过程
(1) 客户端发送可供选择的加密方式,并向服务器请求证书
(2) 服务器端发送证书以及选定的加密方式给客户端
(3) 客户端取得证书并进行证书验证
如果信任给其发证书的CA
(a) 验证证书来源的合法性;用CA的公钥解密证书上数字签名
(b) 验证证书的内容的合法性:完整性验证
(c) 检查证书的有效期限
(d) 检查证书是否被吊销
(e) 证书中拥有者的名字,与访问的目标主机要一致
(4) 客户端生成临时会话密钥(对称密钥),并使用服务器端的公钥加密此数据发送给服务器,完成密钥交换
(5) 服务用此密钥加密用户请求的资源,响应给客户端

基于mod_ssl实现
[root@CentOS7 /etc/httpd/conf.d]# yum install mod_ssl
[root@CentOS7 /etc/httpd/conf.d]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.modules.d/00-ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/usr/libexec/httpd-ssl-pass-dialog
/var/cache/httpd/ssl

[root@CentOS7 /etc/httpd/conf.d]# cat ssl.conf 
Listen 443 https

[root@CentOS7 /etc/httpd/conf.d]# tree /etc/pki/tls/      已生成相关证书
/etc/pki/tls/
├── cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
├── certs
│   └── localhost.crt
└── private
    └── localhost.key

[root@CentOS7 /etc/httpd/conf.d]# rpm -q --scripts mod_ssl     #查看安装脚本

[root@CentOS7 ~]# systemctl restart httpd

[root@CentOS7 ~]# openssl x509 -in /etc/pki/tls/certs/localhost.crt -noout -text    #查看自签名证书
  

利用私有CA实现HTTPS

CA服务器
http服务器
client客户机

[root@CentOS7 ~]# hostname CAserver
建立CA
[root@CAserver ~]# cd /etc/pki/CA/
[root@CAserver /etc/pki/CA]# (umask 077;openssl genrsa -out private/cakey.pem 4096)
[root@CAserver /etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 <<EOF
CN
beijing
beijing
magedu
devops
ca.magedu.com
[email protected]
EOF
[root@CAserver /etc/pki/CA]# touch /etc/pki/CA/index.txt
[root@CAserver /etc/pki/CA]# echo 01 > /etc/pki/CA/serial
[root@CAserver /etc/pki/CA]# tree
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial


申请证书

[root@CentServer ~]# mkdir /etc/httpd/conf.d/ssl
[root@CentServer ~]# cd /etc/httpd/conf.d/ssl
[root@CentServer /etc/httpd/conf.d/ssl]# (umask 077; openssl genrsa -out httpd.key 2048)
[root@CentServer /etc/httpd/conf.d/ssl]# openssl req -new -key httpd.key -out httpd.csr
CN
beijing
beijing
magedu
devops
www.a.com
[root@CentServer /etc/httpd/conf.d/ssl]# scp httpd.csr 192.168.8.17:/etc/pki/CA


颁发证书

[root@CAserver /etc/pki/CA]# openssl ca -in httpd.csr -out certs/httpd.crt -days 100
[root@CAserver /etc/pki/CA]# scp certs/httpd.crt 192.168.8.7:/etc/httpd/conf.d/ssl   
[root@CAserver /etc/pki/CA]# scp cacert.pem 192.168.8.7:/etc/httpd/conf.d/ssl

[root@CentServer ~]# vim /etc/httpd/conf.d/ssl.conf 
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt

SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key

SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem  


http跳转到另一网址

status状态:
Permanent: 返回永久重定向状态码 301(网站将要废弃,启用新网站,用于网站与网站之间)
Temp:返回临时重定向状态码302. 此为默认值 (用于http跳转到https)

访问www.a.com 自动跳转到www.b.com

<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/data/asite"
CustomLog "logs/asite_access_log" combined     
Redirect Permanent / http://www.b.com/
<Directory "/data/asite">
require all granted
</Directory>
</VirtualHost>

[root@CentClient ~]# curl www.a.com
<title>301 Moved Permanently</title>    301 永久重定向

[root@CentClient ~]# curl -L www.a.com
/data/bsite/index.html

客户机先访问www.a.com,由www.a.com服务器告诉客户机改去访问www.b.com,
实际上发出了两次请求

虚拟web跳转https
<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/data/asite"
CustomLog "logs/asite_access_log" combined     
Redirect Permanent / https://www.a.com/
<Directory "/data/asite">
require all granted
</Directory>
</VirtualHost>

主机http重定向https

把 test.conf 改名备份,只保留主服务器 web,不再有虚拟主机

[root@CentServer ~]# mv /etc/httpd/conf.d/test.conf /etc/httpd/conf.d/test.conf.bak 

[root@CentServer ~]# vim /etc/httpd/conf.d/test.conf 
DocumentRoot "/var/www/html"
#Redirect temp / https://192.168.8.7/       #会循环跳转,使用下面两行配置
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302]                                                                                                         
<Directory "/var/www/html">
Require all granted
</Directory>

[root@CentClient ~]# curl -kL http://192.168.8.7

HSTS

客户端每次都先以 HTTP 请求再被跳转到 HTTPS,第一次的明文请求存在安全风险;服务器端配置HSTS后,客户机只需第一次经历这 2 次请求,之后浏览器会记住该站点只能用 HTTPS,以后直接访问跳转后的页面

[root@CentServer ~]# vim /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html"
#redirect temp /  https://www.a.com/
Header always set Strict-Transport-Security "max-age=31536000"    #客户机保存时间(秒,31536000 即一年)
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302]

[root@proxy ~]# curl -ILk http://192.168.8.7
HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000

反向代理


[root@proxy ~]# vim /etc/httpd/conf.d/test.conf
proxypass "/" "http://192.168.8.7"                                                                                                              
ProxyPassReverse  "/" "http://192.168.8.7"
[root@proxy ~]# echo "/var/www/html/index.html" >/var/www/html/index.html

[root@CentClient ~]# curl  192.168.8.17     由代理转发到后端 192.168.8.7
/data/html/index.html

Sendfile机制

默认开启

link

links URL
--dump
--source

wget

wget [option]… [URL]…
-q 静默模式
-c 断点续传
-P /path 保存在指定目录
-O filename 保存为指定文件名,filename 为 – 时,发送至标准输出
--limit-rate= 指定传输速率,单位K,M等

curl

curl [options] [URL…]
-A/--user-agent 设置用户代理发送给服务器
-e/--referer 来源网址
--cacert CA证书 (SSL)
-k/--insecure 允许忽略证书进行 SSL 连接(不校验服务器证书,仅适合测试)
--compressed 要求返回是压缩的格式
-H/--header 自定义首部信息传递给服务器
-i 显示页面内容,包括报文首部信息
-I/--head 只显示响应报文首部信息
-D/--dump-header 将url的header信息存放在指定文件中
--basic 使用HTTP基本认证
-u/--user <user[:password]>设置服务器的用户和密码
-L 如果有3xx响应码,重新发请求到新位置
-O 使用URL中默认的文件名保存文件到本地
-o 将网络文件保存为指定的文件中
--limit-rate 设置传输速度
-0/--http1.0 数字0,使用HTTP 1.0
-v/--verbose 更详细
-C 选项可对文件使用断点续传功能
-c/--cookie-jar 将url中cookie存放在指定文件中
-x/--proxy <proxyhost[:port]> 指定代理服务器地址
-X/--request 向服务器发送指定请求方法
-U/--proxy-user user:password 代理服务器用户和密码
-T 选项可将指定的本地文件上传到FTP服务器上
--data/-d 方式指定使用POST方式传递数据
-b name=data 从服务器响应set-cookie得到值,返回给服务器

htpasswd

htpasswd:basic认证基于文件实现时,用到的账号密码文件生成工具

apachectl

apachectl:httpd自带的服务控制脚本,支持start和stop

rotatelogs

rotatelogs:日志滚动工具
access.log -->
access.log, access.1.log -->
access.log, access.1.log, access.2.log

ab

httpd的压力测试工具
ab, webbench, http_load, siege
Jmeter 开源
Loadrunner 商业,有相关认证
tcpcopy:网易,复制生产环境中的真实请求,并将之保存
ab [OPTIONS] URL
来自httpd-tools包
-n:总请求数
-c:模拟的并行数
-k:以持久连接模式测试
ulimit -n # 调整能打开的文件数

编译httpd-2.4.43(一)

安装apr-1.4+
cd apr-1.6.2
./configure --prefix=/app/apr
make && make install
安装apr-util-1.4+
cd ../apr-util-1.6.0
./configure --prefix=/app/apr-util --with-apr=/app/apr/
make -j 2 && make install
编译安装httpd-2.4
cd ../httpd-2.4.27
./configure --prefix=/app/httpd24 \
--enable-so \
--enable-ssl \
--enable-cgi \
--enable-rewrite \
--with-zlib \
--with-pcre \
--with-apr=/app/apr/ \
--with-apr-util=/app/apr-util/ \
--enable-modules=most \
--enable-mpms-shared=all \
--with-mpm=prefork
make -j 4 && make install

编译httpd-2.4.43(二)
[root@CentOS7 /data]# yum install gcc pcre-devel openssl-devel expat-devel -y
[root@CentOS7 /data]# ls
apr-1.7.0.tar.bz2  apr-util-1.6.1.tar.bz2  httpd-2.4.43.tar.bz2
[root@CentOS7 /data]# tar xvf apr-1.7.0.tar.bz2 
[root@CentOS7 /data]# tar xvf apr-util-1.6.1.tar.bz2 
[root@CentOS7 /data]# tar xvf httpd-2.4.43.tar.bz2
[root@CentOS7 /data]# mv apr-1.7.0 httpd-2.4.43/srclib/apr
[root@CentOS7 /data]# mv apr-util-1.6.1 httpd-2.4.43/srclib/apr-util

[root@CentOS7 /data]# cd httpd-2.4.43/
[root@CentOS7 /data/httpd-2.4.43]# ./configure \
> --prefix=/app/httpd24 \
> --enable-so \
> --enable-ssl \
> --enable-cgi \
> --enable-rewrite \
> --with-zlib \
> --with-pcre \
> --with-included-apr \
> --enable-modules=most \
> --enable-mpms-shared=all \
 
[root@CentOS7 /data/httpd-2.4.43]# make -j 4 && make install

[root@CentOS7 /app/httpd24]# echo 'PATH=/app/httpd24/bin:$PATH' >/etc/profile.d/http.sh
[root@CentOS7 /app/httpd24]# source /etc/profile.d/http.sh

[root@CentOS7 /app/httpd24]# apachectl start
[root@CentOS7 /app/httpd24]# apachectl stop
开机启动(一)
[root@CentOS7 /app/httpd24]# vim /etc/rc.d/rc.local
/app/httpd24/bin/apachectl start   
[root@CentOS7 /app/httpd24]# chmod +x /etc/rc.d/rc.local
开机启动(二)
[root@CentOS6 ~]# scp /etc/rc.d/init.d/httpd 192.168.8.7:/etc/rc.d/init.d/httpd   centos6拷贝文件
[root@CentOS7 /app/httpd24]# vim /etc/rc.d/init.d/httpd
apachectl=/app/httpd24/bin/apachectl
httpd=${HTTPD-/app/httpd24/bin/httpd}
pidfile=${PIDFILE-/app/httpd24/logs/httpd.pid}

[root@CentOS7 /app/httpd24]# service httpd start     启动
[root@CentOS7 /app/httpd24]# service httpd stop      停止
[root@CentOS7 /app/httpd24]# chkconfig --level 345 httpd on     开机启动



转载自blog.csdn.net/wauzy/article/details/107167220