Theory + experiment: Apache configuration and application

1. Apache connection keep-alive

Parameters related to Apache keep-alive connections

  • KeepAlive
    ◆ Whether persistent connections are enabled: OFF to disable, ON to enable
  • KeepAliveTimeout
    ◆ The maximum time to wait between successive requests on one connection; if the next request does not arrive within this time, the connection is closed
  • MaxKeepAliveRequests
    ◆ The maximum number of requests that can be served over one persistent connection

2. Apache access control

  • Function
    ◆ Control access to website resources
    ◆ Add access authorization for specific website directories
  • Common access control methods
    ◆ Client address restrictions
    ◆ User authorization restrictions

2.1 Client address restrictions

Through the Require configuration item, you can decide whether a client is allowed access according to its host name or IP address.
The Require configuration item can be used in the <Location>, <Directory>, <Files> and <Limit> sections of the httpd service's main configuration file to control client access. When using the Require configuration item, you need to specify the client address to form a complete restriction policy. The address may be an IP address, a network address, a host name or a domain name.
Common syntax of the Require configuration item:

  • Require all granted: all hosts are allowed access
  • Require all denied: all hosts are denied access
  • Require local: only the local host is allowed access
  • Require [not] host <list of host names or domain names>
  • Require [not] ip <list of IP addresses or network segments>

When using not to deny access, place it inside a <RequireAll></RequireAll> container and specify the corresponding restriction policy in that container.

Experiment 1

##### Example 1 ### the default directory allows everyone
<Directory "/usr/local/httpd/htdocs">
###### some content omitted
Require all granted
</Directory>

Experiment 2

When defining a restriction policy, multiple Require statements without "not" have an "or" relationship: access is allowed as long as any one of them is satisfied. If Require statements with and without "not" both appear, the relationship between them is "and": access is allowed only when all of the Require statements are satisfied at the same time.
When you need an "only allow" restriction policy, use the Require configuration statement to explicitly set the allow policy so that only some hosts can access. For example, if only the host with IP address 192.168.10.2 should be able to access, the directory section should be:

#### Example 2 ####
<Directory "/usr/local/httpd/htdocs/bbs">
......// some content omitted
Require ip 192.168.10.2  ## only allow 192.168.10.2 to access
</Directory>

Experiment 3

Conversely, when you need an "only deny" restriction policy, you can combine Require and Require not statements so that only some hosts are denied access. When using not to deny access, place it inside the <RequireAll> container and set the corresponding restriction policy there. For example, if you only want to deny access to hosts from the two intranet segments 192.168.100.0/24 and 192.168.1.0/24 but allow access from any other host, you can use the following restriction policy:

##### Example 3 ###
<Directory "/usr/local/httpd/htdocs/bbs">
......// some content omitted
<RequireAll>
Require all granted
Require not ip 192.168.100.0/24 192.168.1.0/24  ## the two segments named above
</RequireAll>
</Directory>
When an unauthorized client accesses the website directory, access is denied.
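To make the "or" versus "and" semantics above concrete, here is an added shell example (not Apache code and not from the original post) that evaluates the page's Example 2 and Example 3 rules for a few constructed client addresses. The function names, the sample addresses and the 10.0.0.0/8 network used for the two-line "or" case are assumptions made for this example; it handles IPv4 only.

```shell
#!/bin/sh
# Added example: simulate how httpd evaluates "Require ip" / "Require not ip"
# for one client address. Not Apache code; IPv4 only; sample data is constructed.

# Convert a dotted-quad address to an integer.
ip4_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr CLIENT CIDR: success if CLIENT lies in CIDR (a bare address means /32).
in_cidr() {
  case "$2" in
    */*) net=${2%/*}; bits=${2#*/} ;;
    *)   net=$2;      bits=32 ;;
  esac
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# One "Require ip NET..." line: matches if ANY listed network contains the client.
require_ip() {
  c=$1; shift
  for n in "$@"; do in_cidr "$c" "$n" && return 0; done
  return 1
}

# One "Require not ip NET..." line: passes only if NO listed network matches.
require_not_ip() { ! require_ip "$@"; }

# "Require all granted" is always satisfied.
require_all_granted() { return 0; }

# Example 2 on the page: a single "Require ip 192.168.10.2".
policy_example2() { require_ip "$1" 192.168.10.2 && echo granted || echo denied; }

# Two positive Require lines are OR-ed (an implicit <RequireAny>); the
# 10.0.0.0/8 network is an assumed extra line for illustration.
policy_or() {
  { require_ip "$1" 10.0.0.0/8 || require_ip "$1" 192.168.10.2; } && echo granted || echo denied
}

# Example 3 on the page: inside <RequireAll>, "all granted" AND the "not ip" line
# must both hold, so only the two listed segments are turned away.
policy_example3() {
  require_all_granted && require_not_ip "$1" 192.168.100.0/24 192.168.1.0/24 \
    && echo granted || echo denied
}

# Constructed client addresses; one per row with the verdict of each policy.
for ip in 192.168.10.2 192.168.1.77 10.20.30.40 192.168.100.5; do
  printf '%-15s example2=%s or=%s example3=%s\n' "$ip" \
    "$(policy_example2 "$ip")" "$(policy_or "$ip")" "$(policy_example3 "$ip")"
done
```

Run it with `sh` and compare the rows against the rule text: 192.168.1.77 is denied by Example 3 because the "not ip" line fails inside <RequireAll>, while 10.20.30.40 is denied by Example 2 (no positive match) yet granted by Example 3 (no negative match).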

2.2 User authorization restrictions

The basic authentication of httpd decides whether a user is allowed access by checking a user name and password combination. The user accounts authorized for access must be created in advance and saved in a fixed data file. The dedicated htpasswd tool creates the authorized-user data file and maintains the user accounts in it.
When using the htpasswd tool, you must specify the location of the user data file. Adding the "-c" option means that the file is newly created. For example, the following creates a new data file /usr/local/httpd/conf/.awspwd containing a user named webadmin:

[root@localhost ~]# cd /usr/local/httpd/
[root@localhost httpd]# htpasswd -c /usr/local/httpd/conf/.awspwd webadmin
New password:
Re-type new password:
Adding password for user webadmin

Add user authorization configuration

Once an authorized user account exists, you also need to modify the httpd.conf configuration file, adding the authorization configuration to the specific directory section to enable basic authentication and set which users are allowed access. For example, to allow any user in the .awspwd data file to access the site, do the following:

[root@localhost ~]# vim /usr/local/httpd/conf/httpd.conf
<Directory "/usr/local/httpd/htdocs">
AuthName "DocumentRoot"
AuthType Basic
AuthUserFile /usr/local/httpd/conf/.awspwd
Require valid-user
</Directory>
[root@localhost ~]# systemctl restart httpd    #### restart the service so the configuration takes effect

In the above configuration, the meanings of the related configuration items are as follows:

  • AuthName: defines the name of the protected realm, which is displayed in the authentication dialog shown by the browser
  • AuthType: sets the type of authentication; Basic means basic authentication
  • AuthUserFile: sets the path of the authentication file that holds the user accounts and passwords
  • Require valid-user: only valid users in the authentication file may access. Here valid-user means every user in the file; to authorize a single user, change it to that user name (such as webadmin)

Verify user access authorization
[screenshot: the browser shows the authentication dialog]
After entering the account and password, the page is displayed:
[screenshot: the page after successful authentication]

3. Apache log splitting

As the number of visits to a website grows, the single log file that the Apache server generates by default grows ever larger. If the log is not split, then once the log file takes up too much disk space it will have to be deleted, and a great deal of valuable information about the site is lost; these logs can be used for access analysis, network security monitoring, network operations monitoring and so on. In addition, if the server fails, the operations staff have to open the log file for analysis; opening a huge file takes a long time and inevitably lengthens the time needed to handle the failure. Managing these massive logs is therefore of great importance to the website. Here we split the Apache logs automatically by date, one file per day. Both methods are described below.

3.1 Splitting with Apache's built-in rotatelogs tool

First, open the main Apache configuration file httpd.conf and hand the site's log files over to rotatelogs for splitting:

[root@localhost ~]# mkdir /var/log/httpd/
[root@www ~]# vim /usr/local/httpd/conf/httpd.conf
...... #### some content omitted
ErrorLog "|/usr/local/bin/rotatelogs -l /var/log/httpd/error_%Y%m%d.log 86400"
CustomLog "|/usr/local/bin/rotatelogs -l /var/log/httpd/access_%Y%m%d.log 86400" common
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# ls -l /var/log/httpd/
-rw-r--r-- 1 root root 1814 7月  7 17:54 access_20180707.log
-rw-r--r-- 1 root root  584 7月  7 17:55 error_20180707.log

The ErrorLog line is the error log; it needs little attention and generally does not record erroneous accesses. The leading "|" tells httpd to pipe the log to the program that follows. -l means to use local time instead of GMT as the time base. Note: using -l in an environment where the GMT offset changes (such as with daylight saving time) will produce unpredictable results.
The CustomLog line defines the access log and its format. 86400 is one day in seconds, so a new log file is generated every day. Restart the Apache service and check whether the log files have been split by date.

3.2 Splitting with the third-party tool cronolog

In addition to the rotatelogs segmentation tool that comes with Apache, you can also use the third-party tool cronolog to segment Apache logs. The specific operations are as follows:

## 1. Compile and install the cronolog tool ##
[root@localhost ~]# tar zxvf cronolog-1.6.2.tar.gz
[root@localhost ~]# cd cronolog-1.6.2
[root@localhost cronolog-1.6.2]# ./configure
[root@localhost cronolog-1.6.2]# make && make install

## 2. Configure cronolog to split the Apache logs ##
[root@localhost ~]# vim /usr/local/httpd/conf/httpd.conf
ErrorLog "|/usr/local/sbin/cronolog /var/log/httpd/www.51xit.top-error_%Y%m%d.log"
CustomLog "|/usr/local/sbin/cronolog /var/log/httpd/www.51xit.top-access_%Y%m%d.log" common
[root@localhost ~]# systemctl restart httpd
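As an added example that is not part of the original post, the following shell script audits an httpd.conf for three settings covered above: the keep-alive parameters from section 1, the location of the basic-auth password file from section 2.2, and the piped-log directives in this section (a rotatelogs or cronolog command that lacks the leading "|" is read by httpd as a plain file path, so nothing is rotated and startup fails if that path cannot be opened). The sample configuration is constructed inline; the 15-second timeout threshold and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a small audit of an httpd.conf. Not Apache code; the sample
# configuration below is constructed and the 15 s threshold is an assumption.

# Strip comments and blank lines so the checks only see live directives.
live_directives() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# 1) Keep-alive: report the effective values (Apache 2.4 defaults: KeepAlive On,
#    KeepAliveTimeout 5) and flag a timeout above $2 seconds, because every idle
#    keep-alive connection occupies a worker slot for that long.
check_keepalive() {
  conf=$1; limit=${2:-15}
  ka=$(live_directives "$conf" | awk 'tolower($1)=="keepalive"{v=$2} END{print (v=="" ? "On" : v)}')
  to=$(live_directives "$conf" | awk 'tolower($1)=="keepalivetimeout"{v=$2} END{print (v=="" ? 5 : v)}')
  case "$ka" in
    [Oo][Nn])
      if [ "$to" -gt "$limit" ]; then echo "WARN KeepAliveTimeout=$to exceeds $limit"
      else echo "OK KeepAlive on, timeout $to"; fi ;;
    *) echo "OK KeepAlive off" ;;
  esac
}

# 2) Piped loggers: an ErrorLog/CustomLog whose argument names rotatelogs or
#    cronolog must start with "|", otherwise httpd treats it as a file path.
check_piped_logs() {
  live_directives "$1" | awk '
    $1=="ErrorLog" || $1=="CustomLog" {
      arg=$2; gsub(/"/, "", arg)
      if (arg ~ /rotatelogs|cronolog/ && substr(arg, 1, 1) != "|")
        print "WARN " $1 " names a log program without a leading |: " arg
      else
        print "OK " $1 " " arg
    }'
}

# 3) Basic-auth password file: warn when AuthUserFile lies inside DocumentRoot,
#    since the password hashes would then be served like any other file unless
#    separately blocked.
check_authuserfile() {
  docroot=$(live_directives "$1" | awk '$1=="DocumentRoot"{gsub(/"/, "", $2); print $2}')
  live_directives "$1" | awk -v root="$docroot" '
    $1=="AuthUserFile" {
      f=$2; gsub(/"/, "", f)
      if (root != "" && index(f, root "/") == 1)
        print "WARN AuthUserFile " f " is under DocumentRoot " root
      else
        print "OK AuthUserFile " f
    }'
}

audit_httpd_conf() { check_keepalive "$1"; check_piped_logs "$1"; check_authuserfile "$1"; }

# Constructed sample configuration containing one problem of each kind.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
DocumentRoot "/usr/local/httpd/htdocs"
KeepAlive On
KeepAliveTimeout 60
# the ErrorLog below lacks the leading pipe
ErrorLog "/usr/local/bin/rotatelogs -l /var/log/httpd/error_%Y%m%d.log 86400"
CustomLog "|/usr/local/sbin/cronolog /var/log/httpd/access_%Y%m%d.log" combined
AuthUserFile /usr/local/httpd/htdocs/.awspwd
EOF

audit_httpd_conf "$SAMPLE"
```

Point `audit_httpd_conf` at a real httpd.conf to run the same three checks; on the constructed sample it reports one WARN line from each check.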

4. AWStats log analysis

AWStats is an open-source log analysis system written in Perl.
It can analyse the access logs of servers such as Apache, Samba, vsftpd and IIS.
Combined with a scheduled-task service such as crond, log content can be analysed at regular intervals.

4.1 Deploy AWStats

(1) Install AWStats software package

First, the Apache service is installed on the virtual machine (refer to the previous blog!)

[root@localhost ~]# yum -y install wget  ## install wget
[root@localhost ~]# wget http://awstats.org/files/awstats-7.6.tar.gz  ## download the awstats package
[root@localhost ~]# tar zxvf awstats-7.6.tar.gz  ## extract the package
[root@localhost ~]# mv awstats-7.6 /usr/local/awstats  ## move it to the /usr/local/awstats directory

(2) Establish configuration files for the sites to be counted

[root@localhost ~]# cd /usr/local/awstats/tools/
[root@localhost tools]# ll
total 168
-rwxr-xr-x 1 tx tx 19788 Aug 27  2016 awstats_buildstaticpages.pl
-rwxr-xr-x 1 tx tx 25990 Aug 27  2016 awstats_configure.pl
-rwxr-xr-x 1 tx tx 12593 Jan 30  2016 awstats_exportlib.pl
-rwxr-xr-x 1 tx tx  5389 Sep 23  2014 awstats_updateall.pl
drwxr-xr-x 2 tx tx    23 Sep 23  2014 dolibarr
-rwxr-xr-x 1 tx tx 16357 Sep 23  2014 geoip_generator.pl
-rw-r--r-- 1 tx tx   855 Sep 23  2014 httpd_conf
-rwxr-xr-x 1 tx tx 33291 Aug 27  2016 logresolvemerge.pl
-rwxr-xr-x 1 tx tx 27771 Aug 27  2016 maillogconvert.pl
drwxr-xr-x 2 tx tx    74 Dec  3  2016 nginx
-rwxr-xr-x 1 tx tx  9755 Sep 23  2014 urlaliasbuilder.pl
drwxr-xr-x 2 tx tx    64 Dec  3  2016 webmin
drwxr-xr-x 2 tx tx   161 Sep 23  2014 xslt

[root@localhost tools]# chmod +x awstats_configure.pl   ## grant execute permission to the script
[root@localhost tools]# ./awstats_configure.pl ## the configure script locates the httpd main configuration file and adds the relevant configuration automatically

Config file path ('none' to skip web server setup):
> /usr/local/httpd/conf/httpd.conf            ## enter the path of the httpd.conf file

Warning: You Apache config file contains directives to write 'common' log files
This means that some features can't work (os, browsers and keywords detection).
Do you want me to setup Apache to write 'combined' log files [y/N] ? y   ## when asked whether to change the log type, choose "y"; the script then edits httpd.conf automatically to add the configuration needed to access AWStats

-----> Need to create a new config file ?
Do you want me to build a new AWStats config/profile
file (required if first install) [y/N] ? y   ## choose "y" to confirm creating a new site configuration file

-----> Define config file name to create
What is the name of your web site or profile analysis ?
Example: www.mysite.com
Example: demo
Your web site, virtual server or profile name:
> www.51xit.com   ## the name of the site to be analysed

-----> Define config file path
In which directory do you plan to store your config file(s) ?
Default: /etc/awstats
Directory path to store config file(s) (Enter for default): ## press Enter to accept the default

-----> Create config file '/etc/awstats/awstats.www.51xit.com.conf'
 Config file /etc/awstats/awstats.www.51xit.com.conf created.
 ## the configuration file is now created

Configure httpd and restart

[root@localhost tools]# vi /usr/local/httpd/conf/httpd.conf
<IfModule !mpm_prefork_module>
        LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
        LoadModule cgi_module modules/mod_cgi.so
</IfModule>  ## remove the leading # from these lines ##
<Directory "/usr/local/awstats/wwwroot">
    Options None
    AllowOverride None
#    Order allow,deny
#    Allow from all
    Require all granted
</Directory>   ### add this block in a suitable place ##
[root@localhost tools]# systemctl restart httpd

(3) Modify the site statistics configuration file

[root@localhost tools]# vi /etc/awstats/awstats.www.51xit.com.conf
LogFile="/usr/local/httpd/logs/access_log"
DirData="/var/lib/awstats"
[root@localhost ~]# mkdir /var/lib/awstats
[root@localhost ~]# cd /usr/local/awstats/
[root@localhost awstats]# cd tools/
[root@localhost tools]# chmod +x awstats_updateall.pl
[root@localhost tools]# ./awstats_updateall.pl now ## run it, then open the site in a browser ##

(4) Perform log analysis and set up cron scheduled tasks

Run every five minutes

[root@localhost ~]# crontab -e
*/5 * * * * /usr/local/awstats/tools/awstats_updateall.pl now
[root@localhost ~]# systemctl start crond
[root@localhost ~]# systemctl enable crond

4.2 Access the AWStats analysis system

Now enter http://20.0.0.21/awstats/awstats.pl?config=www.51xit.com in the browser. The following page appears, which shows that the experiment succeeded and optimization can begin.
[screenshot: the AWStats statistics page for www.51xit.com]
When accessing the AWStats system, you need to specify information such as the awstats directory and the script location, which is hard to remember and troublesome to type. We can simplify this by creating an automatically redirecting HTML page in the web directory. Users then only need to visit www.51xit.com/awb.html to be redirected automatically to the AWStats log analysis page for www.51xit.com.

[root@localhost tools]# vi /usr/local/httpd/htdocs/awb.html
<html>
<head>
<meta http-equiv=refresh content="0;
url=http://20.0.0.6/awstats/awstats.pl?config=www.51xit.com">
</head>
<body></body>
</html>


Origin blog.csdn.net/ZG_66/article/details/108343025