httpd 2.4 configuration and common directives

Configuration file

Configuration files:
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/*.conf

Startup (systemd unit) file:
/usr/lib/systemd/system/httpd.service

Log files:
[root@localhost ~]# ls /var/log/httpd
access_log  error_log

Site documents:
/var/www/html

Module files:
/usr/lib64/httpd/modules

Module configuration files:
/etc/httpd/conf.modules.d/

httpd.conf

[root@localhost ~]# grep -v "#" /etc/httpd/conf/httpd.conf

ServerRoot "/etc/httpd"   # main configuration directory

Listen 80    # port to listen on

Include conf.modules.d/*.conf   # include the module configuration files

User apache   # user the server runs as by default
Group apache   # group the server runs as by default


ServerAdmin root@localhost   # how to contact the administrator when httpd reports an error; an email address or a server address can be used, but that server should point to another server under your control


<Directory />     
    AllowOverride none
    Require all denied
</Directory>
# <Directory> and </Directory> enclose a group of directives that apply only to the named directory and to all files in its subdirectories. Directory can be given a full path or a wildcard pattern, e.g. [0-9]{3} or /*/public_html. Directory sections cannot be nested.


DocumentRoot "/var/www/html"  # site directory

<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks

    AllowOverride None

    Require all granted
</Directory>



<IfModule dir_module>     
    DirectoryIndex index.html
</IfModule>

# httpd is managed through modules. Wrapping directives in <IfModule> includes them only when the named module is loaded. However, <IfModule> blocks are not required, and in some cases they may mask the fact that an important module is missing.




<Files ".ht*">
    Require all denied
</Files>

# prevent users from viewing .htaccess and .htpasswd files



ErrorLog "logs/error_log"   # error log

LogLevel warn    # log level

<IfModule log_config_module>   # logging module
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>


    CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>


    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

</IfModule>

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig /etc/mime.types

    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz



    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

AddDefaultCharset UTF-8   # default character set

<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>


EnableSendfile on   # sendfile mechanism
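Added example, not code from the original post: a small Python parser for the combined LogFormat defined in the httpd.conf above, run over constructed sample access_log lines to count the 401 (authentication challenge) and 403 (access denied) responses per client host. The sample lines, addresses and user name are constructed for illustration.

```python
import re
from collections import Counter

# Pattern for the "combined" LogFormat from httpd.conf:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_combined(line):
    """Parse one access_log line in combined format; return a dict, or None if it does not match."""
    m = COMBINED.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b logs "-" when no body was sent
    parts = rec["request"].split(" ")  # %r is "METHOD URI PROTOCOL"; malformed requests may have fewer parts
    rec["method"] = parts[0] if parts else ""
    rec["uri"] = parts[1] if len(parts) > 1 else ""
    return rec

def denied_requests(lines):
    """Count 401 (authentication challenge) and 403 (Require ... denied) responses per client host."""
    counts = Counter()
    for line in lines:
        rec = parse_combined(line)
        if rec and rec["status"] in (401, 403):
            counts[rec["host"]] += 1
    return counts

# Constructed sample lines, not taken from a real server; the addresses mirror those used later on this page.
SAMPLE_LOG = [
    '192.168.199.215 - - [13/Mar/2020:22:39:01 +0800] "GET /index.html HTTP/1.1" 403 199 "-" "curl/7.29.0"',
    '192.168.199.10 - htuser [13/Mar/2020:22:39:05 +0800] "GET /index.html HTTP/1.1" 200 11 "-" "Mozilla/5.0"',
    '192.168.199.10 - - [13/Mar/2020:22:39:03 +0800] "GET /index.html HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '192.168.199.215 - - [13/Mar/2020:22:40:00 +0800] "GET /.htaccess HTTP/1.1" 403 199 "-" "curl/7.29.0"',
]

if __name__ == "__main__":
    for host, n in denied_requests(SAMPLE_LOG).items():
        print(f"{host}: {n} denied request(s)")
```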

Directives

All of the following directives are placed in /etc/httpd/conf.d/test.conf, not in httpd.conf.

1. Display server version information

If the server displays the program version, it may expose the system to attack. We can suppress the display.

ServerTokens controls what the server reveals in the Server header. The options are:
ServerTokens Full  example: Apache/2.4.2

ServerTokens Prod[uctOnly]  example: Server: Apache

ServerTokens Major  example: Server: Apache/2

ServerTokens Minor  example: Server: Apache/2.4

ServerTokens Min[imal]   example: Server: Apache/2.4.2

ServerTokens OS   example: Server: Apache/2.4.2 (Unix)

When setting this, do not go lower than Min. Prod is best, as it shows only the web server program name.

[root@localhost ~]# cat /etc/httpd/conf.d/test.conf 
ServerTokens Prod

2. Persistent connections
After responding to a request, httpd does not close the socket immediately; instead it keeps receiving requests from the same client. The default is to close persistent connections.

Enable keep-alive: KeepAlive On
Seconds to wait for the client's next request: KeepAliveTimeout 10
Maximum number of requests allowed on one open connection: MaxKeepAliveRequests 500; 0 means unlimited, and a fairly large value is generally recommended.

3. MPM processing modules
MPM provides three working modes: worker, prefork and event.
worker: httpd starts one main process and m child processes. Each child process spawns n threads, and each thread handles one request, so m*n requests can be served at once.

prefork: the server spawns many child processes in advance and waits for user requests, which avoids the overhead of frequently creating and destroying child processes. Each child process has a single thread, and one thread handles one request. The maximum number of processes cannot exceed 1024.

event: an event-driven model (a variant of the worker model). One main process spawns m child processes, each process directly serves n requests, so m*n requests are served concurrently, and dedicated threads manage the keep-alive connections. When a real request arrives it is handed to a worker thread, which is released once the request completes. This improves request handling under high concurrency. It is similar to worker except that a dedicated thread manages keep-alive.

Configuration file:/etc/httpd/conf.modules.d/00-mpm.conf

 LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
 #LoadModule mpm_worker_module modules/mod_mpm_worker.so
 #LoadModule mpm_event_module modules/mod_mpm_event.so

Of the three working modes, uncomment (remove the # from) the one you want to use. The default is prefork.

Default values

StartServers 8   # how many child processes the server starts in advance. Default 3 for worker and event, 5 for prefork

MinSpareServers 5   # minimum number of idle processes. When the idle count drops below this value, the server spawns new ones, starting at one per second and doubling each second, until 32 children have been created. prefork default 5. Only very busy sites need to tune this; raising it is a bad idea

MaxSpareServers 10 # maximum number of idle processes. If the idle count exceeds this value, the parent process kills the surplus. Likewise, do not set it too high. prefork default 10

ServerLimit 256 # maximum number of processes; the upper limit is 20000. prefork default 256, worker and event default 16

MaxClients 256  # maximum number of concurrent connections

MaxRequestsPerChild 4000 # maximum number of requests a child process handles. After 4000 requests the child exits; if the process count is then below the preset value, a new one is started

4. Define the document root of the 'Main Server'

DocumentRoot "/var/www/html"

5. Define the main page of the site

 DirectoryIndex index.html    # entering the site URL goes straight to index.html

6. Common site access-control mechanisms
Access control specifies which resources are subject to which controls, based on two kinds of mechanism.
The two access-control mechanisms are client source address and user account.

1. File-system paths:
<Directory PATH>
</Directory>

<Files FILENAME>
# set permissions on the specified file
</Files>

<FilesMatch PATTERN>
</FilesMatch>


2. URL paths
<Location "">
# set permissions on a particular site path
</Location>
<LocationMatch "">
</LocationMatch>

Example:

 <Location "/">
Require all denied
 </Location>
# access to the site root, and everything under it, will be denied

7. Access control in <Directory>

1)

Options: a list of options separated by one or more whitespace characters. A + or - before an option adds or removes it. There are three options:

  • Indexes: if no resource matching the configured main page (DirectoryIndex) exists under the requested URL path, return a directory listing to the user

FollowSymLinks: allow access to the file a symbolic link points to

[root@localhost html]# ll
lrwxrwxrwx 1 root root 14 3月  13 22:39 index.html -> test/link.html
# after creating the symlink, access the page again

None: disable all
All: allow all

2) AllowOverride
Which access-control-related directives may be placed in the .htaccess file (name set by AccessFileName) in a directory, overriding the earlier configuration directives. Only valid inside <Directory>.
There are three forms:

  • AllowOverride All: all directives take effect
  • AllowOverride None: ignore .htaccess files
  • AllowOverride AuthConfig Indexes: except for AuthConfig and Indexes, no other directives may be overridden
    This is not recommended in the main configuration file; it is changed here for the experiment. Next, add the .htaccess file
[root@localhost httpd]# vim /var/www/html/.htaccess 

require all denied

Specify the .htaccess file name in the configuration file

[root@localhost httpd]# cat conf.d/test.conf 

AccessFileName ".htaccess"

Change denied in the .htaccess file to granted

Of course, enabling .htaccess files is not recommended: whether or not the requested page uses such a file, httpd will search the directory for it on every request, which inevitably costs some performance. So use the None option

3) Access control
Use <RequireAll> to enclose a set of directives: the group matches only if at least one directive succeeds and none fail, so failure takes precedence.
Use <RequireAny> to enclose a set of directives: the group matches as soon as one directive succeeds, so success takes precedence.
They can be used in <Directory> or in .htaccess

  • Allow all hosts to access: Require all granted
  • Deny access to all hosts: Require all denied
  • Allow specified source ip access: Require ip IP-ADDR
  • Deny specific ip access: Require not ip IP-ADDR
  • Allow specific host access: Require host HOSTNAME
  • Deny access to a specific host: Require not host HOSTNAME
[root@localhost httpd]# cat conf.d/test.conf 
<Directory "/var/www/html">
	<RequireAll>
		Require all granted
		Require not ip 192.168.199.215
	</RequireAll>
</Directory>


[root@localhost httpd]# cat conf.d/test.conf 
<Directory "/var/www/html">
	<RequireAny>
		Require all denied 
		Require  ip 192.168.199.215
	</RequireAny>
</Directory>
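Added example, not part of the original post: a Python model of the documented Require / RequireAll / RequireAny semantics (granted, denied, neutral), applied to the two test.conf blocks above. It is a simplified model of how mod_authz_core combines results, and it also shows the caveat that a RequireAll containing only negated rules ends up neutral, which admits nobody.

```python
import ipaddress

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"

def require(rule, client):
    """Evaluate one 'Require ...' line; client is a dict with 'ip' and optional 'host'/'user'."""
    words = rule.split()
    negate = len(words) > 2 and words[1].lower() == "not"
    kind = words[2 if negate else 1].lower()
    values = words[3:] if negate else words[2:]
    if kind == "all":
        hit = values[0].lower() == "granted"
    elif kind == "ip":  # single addresses or CIDR networks (partial prefixes like 10.1 are not modelled)
        addr = ipaddress.ip_address(client["ip"])
        hit = any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    elif kind == "host":  # the host name itself or any subdomain of it
        name = client.get("host", "")
        hit = any(name == v or name.endswith("." + v) for v in values)
    elif kind == "user":
        hit = client.get("user") in values
    elif kind == "valid-user":
        hit = client.get("user") is not None
    else:
        raise ValueError("unsupported Require type: " + kind)
    result = GRANTED if hit else DENIED
    if negate:  # a negated rule can only veto: a match denies, a non-match is neutral, never a grant
        result = DENIED if result == GRANTED else NEUTRAL
    return result

def require_all(rules, client):
    """<RequireAll>: any denial wins; otherwise granted only if at least one rule granted."""
    results = [require(r, client) for r in rules]
    if DENIED in results:
        return DENIED
    return GRANTED if GRANTED in results else NEUTRAL

def require_any(rules, client):
    """<RequireAny>: any grant wins; otherwise denied if at least one rule denied."""
    results = [require(r, client) for r in rules]
    if GRANTED in results:
        return GRANTED
    return DENIED if DENIED in results else NEUTRAL

def allowed(result):
    """At the top level only an explicit grant admits the request; neutral is refused."""
    return result == GRANTED

if __name__ == "__main__":
    blocklist = ["Require all granted", "Require not ip 192.168.199.215"]  # first test.conf above
    allowlist = ["Require all denied", "Require ip 192.168.199.215"]        # second test.conf above
    for ip in ("192.168.199.215", "192.168.199.10"):
        print(ip, allowed(require_all(blocklist, {"ip": ip})), allowed(require_any(allowlist, {"ip": ip})))
```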

8. Set the character set

The default is UTF-8.

9. Define a path alias

Format: Alias /URL/ "/PATH/"

[root@localhost httpd]# cat conf.d/test.conf 
alias "/index.html" "/data/html/index.html"
<Directory /data/html/>
	Require all granted
</Directory>

[root@localhost httpd]# cat /data/html/index.html
alias page

10. User-based access control
Authentication challenge: the response code is 410, the client's request is rejected, and the client is asked to supply an account and password

Authentication: the client fills in the account and password and resends the request; once authentication passes, the server sends the requested resource

Authentication methods:

  • basic: plaintext
  • digest: message-digest authentication, poorer compatibility

Security realm: the set of paths a user may access after authenticating; it should be identified by a name so the user is told why authentication is required

Use htpasswd to generate the file that stores accounts and passwords

Example:
1) Use htpasswd to generate account and password

[root@localhost httpd]# htpasswd -c  conf.d/.htpasswd htuser
New password: 
Re-type new password: 
Adding password for user htuser
[root@localhost httpd]# cat conf.d/.htpasswd
htuser:$apr1$fhgaKKey$GKqB/Xj23gVsOzlHtouT4/

2) Prepare the configuration file

<Directory /var/www/html>
	AuthType Basic
	AuthName "pleases input user and password"
	AuthUserFile "/etc/httpd/conf.d/.htpasswd"
	Options None
	AllowOverride None
	Require user htuser   # allow the named user from the file; to allow every user in the file use Require valid-user
</Directory>

3) Access test

4) Enter the account and password

Group-based access control
1) Create configuration files

<Directory /var/www/html>
	AuthType Basic
	AuthName "pleases input user and password"
	AuthUserFile "/etc/httpd/conf.d/.htpasswd"
	AuthGroupFile "/etc/httpd/conf.d/.htgroup"
	Options none
	Allowoverride none
	Require group ht1
</Directory>

2) Use htpasswd to add users

[root@localhost httpd]# htpasswd conf.d/.htpasswd htuser2
New password: 
Re-type new password: 
Adding password for user htuser2

3) Create group access files

[root@localhost httpd]# cat conf.d/.htgroup 
ht1:htuser
ht2:htuser2

4) Test access

5) Access with a user in the ht2 group

Access fails: you are repeatedly prompted for the account and password

12. Share user home directories
User home directories depend on mod_userdir.so. After installation, its configuration file is conf.d/userdir.conf.

Modify the configuration file

[root@localhost httpd]# grep -v '#' conf.d/userdir.conf 
<IfModule mod_userdir.c>
   #UserDir disabled   # comment out this line
   UserDir public_html    # enable this line
</IfModule>

<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

Create public_html in the user's home directory

[root@localhost httpd]# mkdir /home/ydong/public_html

Create default web page index.html

[root@localhost httpd]# echo 'ydong page'>/home/ydong/public_html/index.html

Grant the apache user execute (search) permission on the directories

[root@localhost httpd]# setfacl -m u:apache:x ~ydong /home/ydong/public_html/

Test access

13. Status page

mod_status provides a status page that lets you view the server's current status. In 2.4, as long as the status module is loaded, ExtendedStatus On is already set by default, so you can define a Location for it directly. In practice, restrict that Location to administrator addresses with Require ip or Require host rather than granting everyone access.

<location "/server-status">
 	SetHandler server-status
	require all granted
</location>

Origin blog.csdn.net/qq_44564366/article/details/104837274