apache configuration

From: http://aiks.blog.com.cn/archives/2006/1748482.shtml

 

Apache configuration 

Apache is configured through the httpd.conf file, so every directive discussed below is edited in httpd.conf. 
Configuration of the main site (basic configuration) 

(1) Basic configuration: 
ServerRoot "/mnt/software/apache2" #The directory where your apache software is installed. Any other directory given without an absolute path is resolved relative to this one. 

PidFile logs/httpd.pid #File holding the process ID of the first httpd process (the parent of all the other httpd processes). 

Listen 80 #The port number the server listens to. 

ServerName www.clusting.com:80 #Main site name (hostname of the website). 

ServerAdmin [email protected] #Administrator's email address. 

DocumentRoot "/mnt/web/clustering" #The storage location of web pages of the main site. 


The following is the access control for the directory of the main site: 

<Directory "/mnt/web/clusting"> 
Options FollowSymLinks 
AllowOverride None 
Order allow,deny 
Allow from all 
</Directory> 

The directory block above uses the following directives: 

Options: Selects which features are enabled in a given directory. Common values and their meanings are as follows: 

ExecCGI: CGI scripts may be executed in this directory. 

FollowSymLinks: Apache may follow symbolic links in this directory. 

Indexes: When a user requests the directory and none of the home page files named by DirectoryIndex (such as index.html) is found, a listing of the directory's files is returned instead. 

SymLinksIfOwnerMatch: Symbolic links are followed only when the link and the file it points to have the same owner. 

For other available values ​​and meanings see: http://www.clusting.com/Apache/ApacheManual/mod/core.html#options 


AllowOverride: Which kinds of directives may be used in .htaccess files (the file name itself is set by the AccessFileName directive and can be changed): 
None: .htaccess files are not looked for in this directory at all (this reduces server overhead). 

All: All directives are available in .htaccess files. 

For other available values ​​and meanings (such as: Options FileInfo AuthConfig Limit, etc.), please refer to: http://www.clusting.com/Apache/ApacheManual/mod/core.html#AllowOverride 

Order: Controls the order in which the Allow and Deny rules are evaluated, and therefore which one takes precedence when both match: 

Allow: The list of hosts to allow access (available domain names or subnets, for example: Allow from 192.168.0.0/16). 

Deny: A list of hosts that are denied access. 

For more detailed usage, please refer to: http://www.clusting.com/Apache/ApacheManual/mod/mod_access.html#order 

DirectoryIndex index.html index.htm index.php #Home page files, tried in this order (in this example: index.html, then index.htm, then index.php) 


(2) Optimization of the server (MPM: Multi-Processing Modules) 
One of the main advantages of apache2 is its better support for multi-processor machines; the working mode (MPM) is chosen at compile time with the --with-mpm option. To find out which MPM the current apache2 build uses, list the compiled-in modules with the httpd -l command: 

prefork: If httpd -l lists prefork.c, configure the following section: 

<IfModule prefork.c> 

StartServers 5 #Number of httpd processes started when apache is started. 

MinSpareServers 5 #The minimum number of idle processes kept by the server. 

MaxSpareServers 10 #The maximum number of idle processes kept by the server. 

MaxClients 150 #Maximum number of concurrent connections. 

MaxRequestsPerChild 1000 #Number of requests a child process serves before it is killed and replaced. 0 means no limit; 1000 is the recommended setting. 

</IfModule> 


In this mode 5 httpd child processes are started when the server starts (6 processes in total including the parent, as the ps -ax|grep httpd command shows). When a client connects, apache hands the connection to an idle process and the parent forks a new child to replace it, until the number of idle processes reaches MaxSpareServers. This mode exists for compatibility with older software and is the default compile-time MPM. 

worker: If httpd -l lists worker.c, you need to configure the following segments: 

<IfModule worker.c> 

StartServers 2 #Number of httpd processes started when apache is started. 

MaxClients 150 #Maximum number of concurrent connections. 

MinSpareThreads 25 #The minimum number of idle threads the server keeps. 

MaxSpareThreads 75 #The maximum number of idle threads the server keeps. 

ThreadsPerChild 25 #The number of threads generated by each child process. 

MaxRequestsPerChild 0 #Number of requests a child process serves before it is killed and replaced. 0 means no limit; 1000 is the recommended setting. 

</IfModule> 


In this mode threads handle the client connections: when a new client connects, one of the idle threads accepts it. The server starts two processes at startup, and each process runs a fixed number of threads (set by ThreadsPerChild), so there are 50 threads at startup. When those 50 threads are not enough, the server forks another process, which adds another 25 threads. 


perchild: If httpd -l lists perchild.c, the following section needs to be configured: 

<IfModule perchild.c> 

NumServers 5 #Number of child processes started when the server starts 

StartThreads 5 #Number of threads started when each child process starts 

MinSpareThreads 5 #Minimum number of idle threads in memory 

MaxSpareThreads 10 #Maximum number of idle threads 

MaxThreadsPerChild 2000 #Maximum number of threads each child process may run. 0 means unlimited. 

MaxRequestsPerChild 10000 #Number of requests a child process serves before it is re-forked. 0 means unlimited. 

</IfModule> 

In this mode the number of child processes is fixed and the number of threads is not limited. When a client connects, an idle thread serves it; if there are not enough idle threads, the child process spawns more threads to serve the new connections. This mode is intended for servers hosting multiple sites. 
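The worker figures above (2 processes x 25 threads = 50 threads, MaxClients / ThreadsPerChild processes at most) follow rules that Apache checks at startup: MaxClients is rounded down to a multiple of ThreadsPerChild, and MaxSpareThreads is raised to at least MinSpareThreads + ThreadsPerChild. The script below is an added example, not part of the original post, that reads a worker section and reports the derived figures and any rule violation; the sample values are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post): check a worker MPM section
# for the consistency rules that Apache applies at startup. Apache derives
# the number of child processes as MaxClients / ThreadsPerChild, so
# MaxClients should be a multiple of ThreadsPerChild, and MaxSpareThreads
# must be at least MinSpareThreads + ThreadsPerChild.

# Constructed sample: the worker values used in the post.
WORKER_CONF='
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
'

# Print the value of one directive (case-insensitive) from config text on stdin.
get_directive() {
    awk -v name="$1" 'tolower($1) == tolower(name) { print $2; exit }'
}

# Print the derived figures and every rule violation, then a summary line
# "problems: N". Always returns 0 so it can be used in pipelines.
check_worker_mpm() {
    conf="$1"
    start=$(printf '%s\n' "$conf" | get_directive StartServers)
    max=$(printf '%s\n' "$conf" | get_directive MaxClients)
    tpc=$(printf '%s\n' "$conf" | get_directive ThreadsPerChild)
    minsp=$(printf '%s\n' "$conf" | get_directive MinSpareThreads)
    maxsp=$(printf '%s\n' "$conf" | get_directive MaxSpareThreads)
    problems=0
    echo "threads at startup: $((start * tpc))"
    echo "maximum child processes: $((max / tpc))"
    if [ $((max % tpc)) -ne 0 ]; then
        echo "PROBLEM: MaxClients $max is not a multiple of ThreadsPerChild $tpc; Apache lowers it to $(( (max / tpc) * tpc ))"
        problems=$((problems + 1))
    fi
    if [ "$minsp" -ge "$maxsp" ]; then
        echo "PROBLEM: MinSpareThreads $minsp must be below MaxSpareThreads $maxsp"
        problems=$((problems + 1))
    fi
    if [ "$maxsp" -lt $((minsp + tpc)) ]; then
        echo "PROBLEM: MaxSpareThreads $maxsp is below MinSpareThreads + ThreadsPerChild ($((minsp + tpc))); Apache raises it automatically"
        problems=$((problems + 1))
    fi
    echo "problems: $problems"
    return 0
}

check_worker_mpm "$WORKER_CONF"
```

Run it with the worker block from your own httpd.conf pasted into WORKER_CONF; a "PROBLEM" line means Apache will silently adjust the value at startup, so the capacity you planned for is not the capacity you get.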
(3) HTTP header return information configuration: 

ServerTokens Prod #Controls how much apache version information is returned in the Server HTTP header. The available values and their meanings are as follows: 

Prod: only the product name, for example: Apache 
Major: includes the major version number, for example: Apache/2 
Minor: includes the minor version number, for example: Apache/2.0 
Min: the full version number, for example: Apache/2.0.54 
OS: includes the operating system type, for example: Apache/2.0.54 (Unix) 
Full: includes the loaded modules and their version numbers, for example: Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7g 
ServerSignature Off #Whether the server version information appears when the page generates an error. The recommended setting is Off 
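Several of the settings covered so far (ServerTokens, ServerSignature, Options Indexes/ExecCGI, AllowOverride, Order) are worth checking mechanically before a restart. The script below is an added example, not part of the original post: it audits an httpd.conf fragment and prints one line per finding, shown once on a constructed fragment with the weak settings and once on the hardened equivalent. It also catches the "Order allow, deny" spelling with a space, which Apache rejects because Order takes exactly one argument.

```shell
#!/bin/sh
# Added example (not from the original post): a small audit of an httpd.conf
# fragment for the settings discussed above. It flags ServerTokens other
# than Prod, ServerSignature other than Off, Options that enable directory
# listings or CGI execution, AllowOverride All, and an Order line with more
# than one argument (e.g. "allow, deny" with a space, which Apache rejects).

# Constructed sample with the weak settings.
WEAK_CONF='
ServerTokens Full
ServerSignature On
<Directory "/var/www/download">
Options Indexes FollowSymLinks
AllowOverride All
Order allow, deny
Allow from all
</Directory>
'

# Constructed sample with the hardened settings.
HARDENED_CONF='
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/download">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
'

# Print one line per finding and a final "findings: N" line.
audit_httpd_conf() {
    printf '%s\n' "$1" | awk '
    BEGIN { dir = "(global)"; count = 0; seen_tokens = 0 }
    {
        line = $0
        sub(/#.*/, "", line)                  # drop comments
        gsub(/^[ \t]+|[ \t]+$/, "", line)     # trim whitespace
        if (line == "") next
        n = split(line, f, /[ \t]+/)
        key = tolower(f[1])
        if (key == "<directory") {
            dir = f[2]; gsub(/["<>]/, "", dir)
        } else if (key == "</directory>") {
            dir = "(global)"
        } else if (key == "servertokens") {
            seen_tokens = 1
            if (tolower(f[2]) != "prod") {
                print "WEAK: ServerTokens " f[2] " exposes version details in the Server header; use ServerTokens Prod"
                count++
            }
        } else if (key == "serversignature") {
            if (tolower(f[2]) != "off") {
                print "WEAK: ServerSignature " f[2] " adds server details to error pages; use ServerSignature Off"
                count++
            }
        } else if (key == "options") {
            for (i = 2; i <= n; i++) {
                v = tolower(f[i]); sub(/^[+]/, "", v)
                if (v == "indexes") { print "NOTE: directory listing (Indexes) enabled in " dir; count++ }
                if (v == "execcgi") { print "NOTE: CGI execution (ExecCGI) enabled in " dir; count++ }
            }
        } else if (key == "allowoverride") {
            if (tolower(f[2]) == "all") { print "NOTE: AllowOverride All in " dir " lets .htaccess override any directive"; count++ }
        } else if (key == "order") {
            if (n != 2) { print "ERROR: Order takes exactly one argument such as allow,deny; found: " line; count++ }
        }
    }
    END {
        if (!seen_tokens) { print "WEAK: ServerTokens not set; the default (Full) exposes version and module details"; count++ }
        print "findings: " count
    }'
}

echo "== weak =="
audit_httpd_conf "$WEAK_CONF"
echo "== hardened =="
audit_httpd_conf "$HARDENED_CONF"
```

The NOTE lines are not errors: Indexes on a download area may be intended, as in the Alias example later on. They exist so that every directory listing or CGI directory is a deliberate decision rather than an inherited default.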


(4) Persistent connection setting 

KeepAlive On #Enable persistent connections: after the requested data has been sent, the client's connection stays open so it can be reused for further requests. 

MaxKeepAliveRequests 100 #Maximum number of requests served over one persistent connection. 

KeepAliveTimeout 30 #Seconds an idle persistent connection is kept open waiting for the next request before it is closed. The default is 15 seconds. 

Alias settings 
For pages that are not under the directory given by DocumentRoot, either symbolic links or aliases can be used. An alias is set up as follows: 

Alias /download/ "/var/www/download/" #Reachable in the browser at: http://www.clusting.com/download/ 

<Directory "/var/www/download"> #Access control for the aliased directory 
Options Indexes MultiViews 
AllowOverride AuthConfig 
Order allow,deny 
Allow from all 
</Directory> 


CGI settings 

ScriptAlias /cgi-bin/ "/mnt/software/apache2/cgi-bin/" #Reachable at: http://www.clusting.com/cgi-bin/ . The CGI script files in this directory must have execute permission! 

<Directory "/mnt/software/apache2/cgi-bin"> #Properties of the CGI directory (the path must match the ScriptAlias target for these settings to apply) 
AllowOverride None 
Options None 
Order allow,deny 
Allow from all 
</Directory> 


Personal home page settings (public_html) 

UserDir public_html #Each user's pages live in the public_html directory under that user's home directory: the URL http://www.clusting.com/~bearzhang/file.html reads the file /home/bearzhang/public_html/file.html 

chmod 755 /home/bearzhang #Let other users (including the user apache runs as) enter the home directory and read the files. 

UserDir /var/html #The URL http://www.clusting.com/~bearzhang/file.html reads /var/html/bearzhang/file.html 

UserDir /var/www/*/docs #The URL http://www.clusting.com/~bearzhang/file.html reads /var/www/bearzhang/docs/file.html 

log settings 

(1) error log settings 
ErrorLog logs/error_log #Where the error log is written 
LogLevel warn #Lowest severity level that is logged 

Error log entries look like this: 
[Mon Oct 10 15:54:29 2005] [error] [client 192.168.10.22] access to /download/ failed, reason: user admin not allowed access 

(2) Access log settings 

The default log formats are as follows (quotation marks inside a format string must be escaped with a backslash): 
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined 
LogFormat "%h %l %u %t \"%r\" %>s %b" common #common is the name of this log format 
LogFormat "%{Referer}i -> %U" referer 
LogFormat "%{User-agent}i" agent 
CustomLog logs/access_log common #Write the access log using the format named common 


The parameters in the common format are as follows: 

%h -- The IP address or hostname of the client 

%l -- The RFC 1413 identity reported by the client's identd; a "-" in the output means the information is not available. 

%u -- The user name of the client obtained through HTTP authentication. It is only set when authentication is in use; a "-" in the output means the information is not available. 

%t -- The time at which the server finished processing the request. 

"%r" -- The request line sent by the client, in quotation marks; it contains a lot of useful information. 

%>s -- The status code the server returned to the client. 

%b -- The number of bytes returned to the client, excluding the response headers. 

"%{Referer}i" -- The page from which the request was submitted. 

"%{User-Agent}i" -- The browser identification string supplied by the client. 

The following is an example of an access log: 
192.168.10.22 - bearzhang [10/Oct/2005:16:53:06 +0800] "GET /download/ HTTP/1.1" 200 1228 
192.168.10.22 - - [10/Oct/2005:16:53:06 +0800] "GET /icons/blank.gif HTTP/1.1" 304 - 
192.168.10.22 - - [10/Oct/2005:16:53:06 +0800] "GET /icons/back.gif HTTP/1.1" 304 - 
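Because %r, Referer and User-Agent are quoted, a log line cannot simply be split on spaces; splitting on the double quotes instead keeps those fields intact and leaves %h, %l, %u and %t in front of the first quote and %>s and %b directly after the second. The script below is an added example, not part of the original post, that summarises a combined or common format log per client on a constructed sample (the 10.0.0.7 lines are invented) and flags clients that keep receiving 401 responses, which is how repeated failed logins to the password-protected /download/ area appear in the access log.

```shell
#!/bin/sh
# Added example (not from the original post): summarise an access log in
# the common or combined format per client, and flag clients that collect
# repeated 401 responses, which is what failed Basic-auth attempts against
# the /download/ area look like. Parsing splits each line on the double
# quotes so that the quoted %r, Referer and User-Agent fields stay intact.

# Constructed sample log; the 10.0.0.7 lines are invented for the demo.
SAMPLE_LOG='
192.168.10.22 - bearzhang [10/Oct/2005:16:53:06 +0800] "GET /download/ HTTP/1.1" 200 1228 "-" "Mozilla/5.0"
192.168.10.22 - - [10/Oct/2005:16:53:06 +0800] "GET /icons/blank.gif HTTP/1.1" 304 - "http://www.clusting.com/download/" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2005:17:01:10 +0800] "GET /download/ HTTP/1.1" 401 401 "-" "Mozilla/4.0"
10.0.0.7 - - [10/Oct/2005:17:01:11 +0800] "GET /download/ HTTP/1.1" 401 401 "-" "Mozilla/4.0"
10.0.0.7 - - [10/Oct/2005:17:01:12 +0800] "GET /download/ HTTP/1.1" 401 401 "-" "Mozilla/4.0"
10.0.0.7 - admin [10/Oct/2005:17:01:13 +0800] "GET /download/ HTTP/1.1" 403 286 "-" "Mozilla/4.0"
'

# $1 = log text, $2 = number of 401 responses from one client that triggers an alert.
# Prints "client H requests=N errors=N bytes=N" per client (sorted), plus ALERT lines.
summarize_access_log() {
    printf '%s\n' "$1" | awk -F'"' -v limit="$2" '
    NF < 3 { next }                            # blank or non-log line
    {
        split($1, pre, /[ \t]+/)               # %h %l %u [%t]
        host = pre[1]
        split($3, post, /[ \t]+/)              # post[2] = %>s, post[3] = %b (post[1] is empty)
        status = post[2]; bytes = post[3]
        requests[host]++
        if (bytes != "-") total[host] += bytes # "-" means no body was sent
        if (status ~ /^4/) errors[host]++
        if (status == "401") auth_fail[host]++
    }
    END {
        for (h in requests) {
            printf "client %s requests=%d errors=%d bytes=%d\n", h, requests[h], errors[h] + 0, total[h] + 0
            if (auth_fail[h] + 0 >= limit)
                printf "ALERT: %s received %d 401 responses (repeated authentication failures)\n", h, auth_fail[h]
        }
    }' | sort
}

summarize_access_log "$SAMPLE_LOG" 3
```

Feed it the real file with summarize_access_log "$(cat logs/access_log)" 10 and correlate any ALERT host with the "user ... not allowed access" entries in error_log; the two logs together tell you which account was being tried.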

For a detailed explanation of each parameter, please refer to: http://www.clusting.com/Apache/ApacheManual/logs.html 


User Authentication Configuration 
(1) In httpd.conf: 
AccessFileName .htaccess 
........ 
Alias /download/ "/var/www/download/" 
<Directory "/var/www/download"> 
Options Indexes 
AllowOverride AuthConfig 
</Directory> 

(2) Create the password file and add the first user (-c creates the file; omit it when adding further users, or the existing file is overwritten): 
/usr/local/apache2/bin/htpasswd -c /var/httpuser/passwords bearzhang 

(3) configure the server to request a password and tell the server which users are allowed access. 
vi /var/www/download/.htaccess: 
AuthType Basic 
AuthName "Restricted Files" 
AuthUserFile /var/httpuser/passwords 
Require user bearzhang 
#Require valid-user #Alternative: allow every user listed in the password file 

Virtual host configuration 
(1) IP address-based virtual host configuration 
Listen 80 
<VirtualHost 172.20.30.40> 
DocumentRoot /www/example1 
ServerName www.example1.com 
</VirtualHost> 
<VirtualHost 172.20.30.50> 
DocumentRoot /www/example2 
ServerName www.example2.org 
</VirtualHost> 


(2) IP-based and multi-port virtual host configuration 
Listen 172.20.30.40:80 
Listen 172.20.30.40:8080 
Listen 172.20.30.50:80 
Listen 172.20.30.50:8080 

<VirtualHost 172.20.30.40:80> 
DocumentRoot /www/example1-80 
ServerName www.example1.com 
</VirtualHost> 

<VirtualHost 172.20.30.40:8080> 
DocumentRoot /www/example1-8080 
ServerName www.example1.com 
</VirtualHost> 

<VirtualHost 172.20.30.50:80> 
DocumentRoot /www/example2-80 
ServerName www.example2.org 
</VirtualHost> 

<VirtualHost 172.20.30.50:8080> 
DocumentRoot /www/example2-8080 
ServerName www.example2.org 
</VirtualHost> 

(3) Domain-based virtual host configuration on a server with a single IP address: 
# Ensure that Apache listens on port 80 
Listen 80 

# Listen for virtual host requests on all IP addresses 
NameVirtualHost *:80 

<VirtualHost *:80> 
DocumentRoot /www/example1 
ServerName www.example1.com 
ServerAlias example1.com. *.example1.com 
# Other directives here 
</VirtualHost> 

<VirtualHost *:80> 
DocumentRoot /www/example2 
ServerName www.example2.org 
# Other directives here 
</VirtualHost> 

(4) Domain-based virtual host configuration on a server with multiple IP addresses: 
Listen 80 

# This is the "main" server running on 172.20.30.40 
ServerName server.domain.com 
DocumentRoot /www/mainserver 

# This is the other address 
NameVirtualHost 172.20.30.50 

<VirtualHost 172.20.30.50> 
DocumentRoot /www/example1 
ServerName www.example1.com 
# Other directives here ... 
</VirtualHost> 

<VirtualHost 172.20.30.50> 
DocumentRoot /www/example2 
ServerName www.example2.org 
# Other directives here ... 
</VirtualHost> 

(5) Run different sites on different ports (configure domain-based virtual hosts on multi-port-based servers): 
Listen 80 
Listen 8080 

NameVirtualHost 172.20.30.40:80 
NameVirtualHost 172.20.30.40:8080 

<VirtualHost 172.20.30.40:80> 
ServerName www.example1.com 
DocumentRoot /www/domain-80 
</VirtualHost> 

<VirtualHost 172.20.30.40:8080> 
ServerName www.example1.com 
DocumentRoot /www/domain-8080 
</VirtualHost> 

<VirtualHost 172.20.30.40:80> 
ServerName www.example2.org 
DocumentRoot /www/otherdomain-80 
</VirtualHost> 

<VirtualHost 172.20.30.40:8080> 
ServerName www.example2.org 
DocumentRoot /www/otherdomain-8080 
</VirtualHost> 

(6) Configuration of mixed virtual host based on domain name and IP: 
Listen 80 

NameVirtualHost 172.20.30.40 

<VirtualHost 172.20.30.40> 
DocumentRoot /www/example1 
ServerName www.example1.com 
</VirtualHost> 

<VirtualHost 172.20.30.40> 
DocumentRoot /www/example2 
ServerName www.example2.org 
</VirtualHost> 

<VirtualHost 172.20.30.40> 
DocumentRoot /www/example3 
ServerName www.example3.net 
</VirtualHost> 



SSL encryption configuration 

First, some basic concepts before configuring: 

Certificates: there must first be a root certificate, which is then used to issue server certificates and client certificates; the server certificate and the client certificate are at the same level. SSL requires a server certificate for authentication, so this environment involves at least three certificates: the root certificate, the server certificate and the client certificate. Before a certificate is generated there is normally a private key; the private key is used to create a certificate request, which the certificate server then signs with its root certificate. 

Certificates used by SSL can be generated yourself or signed by a commercial CA such as Verisign or Thawte. 

Issuing certificates: for a commercial certificate, follow the vendor's instructions for the signing procedure; for a certificate issued by yourself, you can use the CA.sh script that ships with openssl. 

If no separate certificate is issued for the client, no client certificate needs to be generated, and the client and server use the same certificate. 
(1) The main parameters in the conf/ssl.conf configuration file are configured as follows: 

Listen 443 
SSLPassPhraseDialog buildin 
#SSLPassPhraseDialog exec:/path/to/program 
SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache 
SSLSessionCacheTimeout 300 
SSLMutex file:/usr/local/apache2/logs/ssl_mutex 

<VirtualHost _default_:443> 

# General setup for the virtual host 
DocumentRoot "/usr/local/apache2/htdocs" 
ServerName www.example.com:443 
ServerAdmin [email protected] 
ErrorLog /usr/local/apache2/logs/error_log 
TransferLog /usr/local/apache2/logs/access_log 

SSLEngine on 
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL #Default from the apache 2.0 ssl.conf; the +LOW, +SSLv2, +EXP and +eNULL entries permit weak or unencrypted ciphers 

SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt 
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key 
CustomLog /usr/local/apache2/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" 

</VirtualHost> 

(2) Create and use a self-signed certificate: 
a. Create an RSA private key for your Apache server 
/usr/local/openssl/bin/openssl genrsa -des3 -out /usr/local/apache2/conf/ssl.key/server.key 1024 

b. Create a Certificate Signing Request (CSR) 
/usr/local/openssl/bin/openssl req -new -key /usr/local/apache2/conf/ssl.key/server.key -out /usr/local/apache2/conf/ssl.key/server.csr 

c. Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA 
/usr/local/openssl/bin/openssl req -x509 -days 365 -key /usr/local/apache2/conf/ssl.key/server.key -in /usr/local/apache2/conf/ssl.key/server.csr -out /usr/local/apache2/conf/ssl.crt/server.crt 

The same three steps with relative paths (run from the directory where the files should be created; genrsa takes the key size as its last argument): 
/usr/local/openssl/bin/openssl genrsa -out server.key 1024 
/usr/local/openssl/bin/openssl req -new -key server.key -out server.csr 
/usr/local/openssl/bin/openssl req -x509 -days 365 -key server.key -in server.csr -out server.crt 

(3) Create your own CA (certificate authority) and use it to sign the server certificate. 
mkdir /CA 
cd /CA 
cp openssl-0.9.7g/apps/CA.sh /CA 
./CA.sh -newca 
openssl genrsa -des3 -out server.key 1024 
openssl req -new -key server.key -out server.csr 
cp server.csr newreq.pem 
./CA.sh -sign 
cp newcert.pem /usr/local/apache2/conf/ssl.crt/server.crt 
cp server.key /usr/local/apache2/conf/ssl.key/ 
