
httpd: Apache server configuration

2017-10-21 18:02
CentOS 6.9 ships httpd 2.2 by default and CentOS 7 ships httpd 2.4. Their configuration is largely the same, but there are some differences. We will start with the configuration of httpd 2.2.

httpd 2.2 related files

Configuration files:
    /etc/httpd/conf/httpd.conf
    /etc/httpd/conf.d/*.conf
Check configuration syntax:
    httpd -t
    service httpd configtest
Service script: /etc/rc.d/init.d/httpd
Script configuration file: /etc/sysconfig/httpd
Script control and startup:
    chkconfig httpd on/off   (start at boot)
    service httpd {start|stop|restart|status|configtest|reload}
Site document root: /var/www/html
Module file paths: /etc/httpd/modules and /usr/lib64/httpd/modules (the two are hard-linked)
Main program files: /usr/sbin/httpd, /usr/sbin/httpd.worker, /usr/sbin/httpd.event
Main process PID file: /etc/httpd/run/httpd.pid (this file does not exist while the httpd service is stopped)
Log directory: /var/log/httpd/
    access_log: access log
    error_log: error log
Documentation package: httpd-manual
Structure of the httpd configuration file:
    [root@CentOS6 ~]# grep Section /etc/httpd/conf/httpd.conf
    ### Section 1: Global Environment
    ### Section 2: 'Main' server configuration
    ### Section 3: Virtual Hosts
Configuration format: directive value (values may be case-sensitive depending on the file system)
httpd 2.2 feature configuration

1. Displaying server version information
vim /etc/httpd/conf/httpd.conf and find the line starting with ServerTokens
ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full
    ServerTokens Prod[uctOnly]: Server: Apache
    ServerTokens Major: Server: Apache/2
    ServerTokens Minor: Server: Apache/2.0
    ServerTokens Min[imal]: Server: Apache/2.0.41
    ServerTokens OS: Server: Apache/2.0.41 (Unix)
    ServerTokens Full (or not specified): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2
This setting applies to the entire server and cannot be enabled or disabled on a virtualhost-by-virtualhost basis. After version 2.0.44, this directive also controls the information presented by the ServerSignature directive.
Recommended: ServerTokens Prod
By default the server's HTTP response headers include the Apache and PHP version numbers, which lets an attacker who knows the exact version go straight to the published vulnerabilities for it. To prevent this, set ServerTokens to Prod in httpd.conf; the response header then shows "Server: Apache" with no version information.

2. Changing the listening IP and port
vim /etc/httpd/conf/httpd.conf and find the lines starting with Listen
Listen [IP:]PORT
(1) Omitting the IP means all IP addresses of this host
(2) At least one Listen directive is required; it may appear several times
    Listen 80
    Listen 8080
Example:
    Listen 192.168.1.100:8080
    Listen 80

3. Persistent connections
Persistent Connection: once the connection is established it is not closed after each resource has been fetched; the server keeps waiting for further requests on it. Off by default.
Conditions under which a persistent connection is closed:
    request count limit: 100
    time limit: in seconds; httpd 2.4 supports millisecond granularity
Side effect: on a server with heavy concurrent traffic, persistent connections can leave some requests without a response.
Compromise: use a short persistent-connection timeout.
Settings:
    KeepAlive On|Off
    KeepAliveTimeout 15
    MaxKeepAliveRequests 100
Test:
    telnet WEB_SERVER_IP PORT
    GET /URL HTTP/1.1
    Host: WEB_SERVER_IP

4. MPM (Multi-Processing Module)
prefork, worker, event (experimental)
httpd 2.2 cannot compile several MPMs at once, so one has to be chosen at build time; the rpm package provides three binaries, one for each MPM. The default is /usr/sbin/httpd, i.e. the prefork mode.
Confirm with: ps aux | grep httpd
List statically compiled modules: httpd -l
List statically compiled and dynamically loaded modules: httpd -M
Dynamic module loading: takes effect without a restart
Dynamic module path: /usr/lib64/httpd/modules/
Switching the httpd binary in use:
    vim /etc/sysconfig/httpd
    HTTPD=/usr/sbin/httpd.worker
    restart the service for the change to take effect
View processes and threads: pstree -p | grep httpd

httpd 2.4 differs: the MPMs are provided as dynamic modules
    configuration file: /etc/httpd/conf.modules.d/00-mpm.conf
    httpd -M | grep mpm
    restart the service for the change to take effect
    pstree -p | grep httpd   view processes and threads

Default prefork configuration:
<IfModule prefork.c>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256             maximum number of processes, at most 20000
MaxClients 256              maximum concurrency
MaxRequestsPerChild 4000    maximum number of requests a child process handles; after that many requests the parent terminates the child and the memory it held is released (0 means it is never released)
</IfModule>

Default worker configuration:
<IfModule worker.c>
StartServers 4
MaxClients 300
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0       no limit
</IfModule>

5. DSO: Dynamic Shared Object
Loading dynamic modules is configured in /etc/httpd/conf/httpd.conf with the format:
    LoadModule <mod_name> <mod_path>
The module file path may be relative, in which case it is relative to ServerRoot (default /etc/httpd).
Example: LoadModule auth_basic_module modules/mod_auth_basic.so

6. Defining the document root of the 'Main' server
DocumentRoot "/path"
Document path mapping: the path DocumentRoot points to is the starting point of the URL path
Example: DocumentRoot "/app/data"
    http://HOST:PORT/test/index.html --> /app/data/test/index.html
Note: check the state of SELinux and iptables

7. Defining the site index page
DirectoryIndex index.html index.html.var

8. Common site access control mechanisms
Access control can be based on two mechanisms: the client's source address, or a user account.
Which resources are controlled can be specified in two ways:
File-system path:
    <Directory "/path">...</Directory>
    <Files "/path/file">...</Files>
    <FilesMatch "PATTERN">...</FilesMatch>
URL path:
    <Location "">...</Location>
    <LocationMatch "">...</LocationMatch>
Examples:
    <FilesMatch "\.(gif|jpe?g|png)$">
    <Files "?at.*">   wildcard
    <Location /status>
    <LocationMatch "/(extra|special)/data">

9. "Source-address-based" access control inside <Directory>
(1) Options: followed by one or more whitespace-separated options; a + or - in front of an option adds or removes it
Common options:
    Indexes: when the given URL path contains no file matching the defined index page, return a directory listing to the user
    FollowSymLinks: allow access to the file a symbolic link points to
    None: disable all
    All: allow all
Examples:
<Directory /web/docs>
Options Indexes FollowSymLinks
</Directory>
<Directory /web/docs/spec>
Options FollowSymLinks
</Directory>

<Directory /web/docs>
Options Indexes FollowSymLinks
</Directory>
<Directory /web/docs/spec>
Options +Includes -Indexes
</Directory>
(2)
AllowOverride: which of the access-control-related directives may be placed in a .htaccess file (the file name is set by AccessFileName) in the given directory, overriding the earlier configuration. This directive is only valid inside <Directory> statements.
    AllowOverride All: all directives take effect
    AllowOverride None: .htaccess files are ignored
    AllowOverride AuthConfig Indexes: only AuthConfig and Indexes directives may be overridden; no others can

(3) Order with Allow and Deny
Placed in <Directory> or .htaccess.
Order: defines the order of evaluation; the keyword written last is the default rule
    Order allow,deny
    Order deny,allow
Allow from, Deny from
Source address forms: an IP address, or a network: 172.16, 172.16.0.0, 172.16.0.0/16, 172.16.0.0/255.255.0.0
Examples:
<files "*.txt">
order deny,allow
deny from 172.16.100.100
allow from 172.16
</files>

<files "*.txt">
order allow,deny
deny from 172.16.100.100
allow from 172.16
</files>

10. Log settings
Log types: access log, error log
Error log:
    ErrorLog logs/error_log
    LogLevel warn
LogLevel values: debug, info, notice, warn, error, crit, alert, emerg
Defining a log format: LogFormat format strings
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    %t   time at which the server received the request
    %r   first line of the request, i.e. the request line: the method, the URL and the protocol version
    %>s  response status code
    %b   size of the response in bytes, excluding the HTTP headers
    %{Referer}i   value of the Referer header in the request, i.e. the page whose hyperlink led to the current page
    %{User-Agent}i   value of the User-Agent header in the request, i.e. the application that issued the request
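The combined LogFormat above, parsed in an added Python example (not part of the original post): a regex matching the exact field order of that format, and a small count of 401 responses per client host, which is what to look at first on an access_log for a Basic-auth protected path. The log lines are constructed samples.

```python
import re
from collections import Counter

# Regex for the 'combined' LogFormat quoted in the post:
# "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
COMBINED = re.compile(
    r'^(?P<h>\S+) (?P<l>\S+) (?P<u>\S+) \[(?P<t>[^\]]+)\] "(?P<r>[^"]*)" '
    r'(?P<s>\d{3}) (?P<b>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed access_log lines (not real traffic): one failed and one
# successful Basic-auth request, then two failures from another host.
SAMPLE = [
    '192.168.37.1 - - [21/Oct/2017:18:02:11 +0800] "GET /secret/ HTTP/1.1" 401 381 "-" "curl/7.29.0"',
    '192.168.37.1 - http1 [21/Oct/2017:18:02:15 +0800] "GET /secret/ HTTP/1.1" 200 26 "-" "curl/7.29.0"',
    '10.0.0.9 - - [21/Oct/2017:18:03:01 +0800] "GET /secret/ HTTP/1.1" 401 381 "http://www.baidu.com" "IE"',
    '10.0.0.9 - - [21/Oct/2017:18:03:02 +0800] "GET /secret/ HTTP/1.1" 401 381 "-" "IE"',
]

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not
    match. %u is '-' until Basic auth succeeds; %b is '-' when no body was sent."""
    m = COMBINED.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d.pop("s"))
    size = d.pop("b")
    d["bytes"] = 0 if size == "-" else int(size)
    # %r is the request line: METHOD URL PROTOCOL
    parts = d.pop("r").split(" ")
    d["method"], d["url"], d["proto"] = (parts + ["", "", ""])[:3]
    return d

def auth_failures(lines):
    """Count 401 responses per client host (%h): repeated 401s against a
    protected path are the first thing to look for in access_log."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401:
            counts[rec["h"]] += 1
    return counts

if __name__ == "__main__":
    for host, n in auth_failures(SAMPLE).most_common():
        print(host, n)
```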
Setting the default character set: AddDefaultCharset UTF-8
Chinese character sets: GBK, GB2312, GB18030
Defining a path alias
vim conf.d/test.conf
alias /bbs /app/bbsdir    (the second argument is the real directory)
User-based access control
Authentication challenge: WWW-Authenticate: the response code is 401; the client's request is refused and it is told to supply an account and password
Authentication: Authorization: the client sends the request again with the account and password the user entered; if authentication passes, the server sends the requested resource
Two authentication methods:
    basic: clear text
    digest: message-digest authentication, poor compatibility
Security realm: a path that can only be accessed after user authentication; it should be identified by a name so the user is told why authentication is required
User accounts and passwords
    Virtual accounts: identities used only for authenticating to a given service
    Storage: text file, SQL database, LDAP directory, NIS, etc.
Basic authentication configuration example:
(1) Define the realm
<Directory "/path">
Options None
AllowOverride None
AuthType Basic
AuthName "String"
AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"
Require user username1 username2 ...
</Directory>
To allow every user in the account file to log in: Require valid-user
(2) Provide account and password storage (text file)
Use the dedicated command to create such files and manage their users:
htpasswd [options] /PATH/HTTPD_PASSWD_FILE username
    -c: create the file; only use this when the file does not exist yet
    -m: MD5 hashing, the default
    -s: SHA hashing
    -D: delete the given user
Lab: directory access with basic authentication
Method 1
vim conf.d/test.conf
<directory /var/www/html/secret>
authname "Secret DIR"
authtype basic
authuserfile /etc/httpd/conf.d/.httpusers
require user http1 http2
</directory>
htpasswd comes from the httpd-tools package
htpasswd -c /etc/httpd/conf.d/.httpusers http1
htpasswd -s /etc/httpd/conf.d/.httpusers http2
htpasswd -m /etc/httpd/conf.d/.httpusers http3
service httpd reload
To allow every user in the account file to log in: Require valid-user

Method 2
vim secret/.htaccess
authname "Secret DIR"
authtype basic
authuserfile /etc/httpd/conf.d/.httpusers
require valid-user
vim conf.d/test.conf
<directory /var/www/html/secret>
allowoverride authconfig
</directory>
service httpd reload

Group-based access control
vim .htgroups
httpgroup1:http1 http2
httpgroup2:http1 http3
vim .htaccess
authgroupfile /etc/httpd/conf.d/.htgroups
require group httpgroup2
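The account file, group file and the three Require forms used in this lab, evaluated in an added Python example (not part of the original post): it verifies only the {SHA} entries that htpasswd -s writes (unsalted SHA-1, base64-encoded), and the .httpusers and .htgroups contents are constructed samples with hashes computed inline; the $apr1$ MD5 format of htpasswd -m is not handled.

```python
import base64
import hashlib

def sha_entry(password):
    """What 'htpasswd -s' stores: '{SHA}' + base64(SHA-1(password)), unsalted."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

# Constructed .httpusers and .htgroups contents, same layout as the lab's files
HTTPUSERS = "\n".join(["http1:" + sha_entry("centos"),
                       "http2:" + sha_entry("s3cret"),
                       "http3:" + sha_entry("other")])
HTGROUPS = "httpgroup1:http1 http2\nhttpgroup2:http1 http3\n"

def load_users(text):
    """user -> stored hash"""
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

def load_groups(text):
    """group -> set of members (AuthGroupFile format: 'group: m1 m2 ...')"""
    return {g: set(m.split()) for g, _, m in
            (line.partition(":") for line in text.splitlines() if ":" in line)}

def password_ok(users, user, password):
    stored = users.get(user)
    if not stored or not stored.startswith("{SHA}"):
        return False  # unknown user, or a hash format this example does not handle
    return stored == sha_entry(password)

def require_ok(require, user, users, groups):
    """'require' is the directive's argument list, e.g. ['group', 'httpgroup2']."""
    kind, *args = require
    if kind == "valid-user":
        return user in users
    if kind == "user":
        return user in args
    if kind == "group":
        return any(user in groups.get(g, set()) for g in args)
    return False

def access(require, user, password, users=None, groups=None):
    """True only when the password verifies AND the Require rule admits the user."""
    users = load_users(HTTPUSERS) if users is None else users
    groups = load_groups(HTGROUPS) if groups is None else groups
    return password_ok(users, user, password) and require_ok(require, user, users, groups)

if __name__ == "__main__":
    print(access(["group", "httpgroup2"], "http3", "other"))   # True
    print(access(["group", "httpgroup2"], "http2", "s3cret"))  # False: not in the group
```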
Packet capture: tcpdump -i eth0 -nn -X port 80 > /root/http.log
Combining remote-client and user-authentication controls
Satisfy ALL|Any (httpd.conf)
    ALL: both the client IP check and user authentication must pass
    Any: either the client IP check or user authentication is enough
Example:
Require valid-user
Order allow,deny
Allow from 192.168.1
Satisfy Any
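The Order/Allow/Deny rules from section 9 and the Satisfy example above, modelled in an added Python example (not part of the original post): it evaluates the two <files "*.txt"> blocks and the Satisfy Any configuration for sample client addresses. The set of valid users is a constructed stand-in for the AuthUserFile.

```python
import ipaddress

def addr_matches(client, pattern):
    """Allow/Deny source forms listed in the post: a full IP, a partial
    dotted prefix such as '172.16', 'net/prefixlen' or 'net/netmask'."""
    if "/" in pattern:
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    pattern = pattern.rstrip(".")
    return client == pattern or client.startswith(pattern + ".")

def host_allowed(client, order, allow, deny):
    """Order allow,deny: Allow is applied first, Deny overrides it, default deny.
    Order deny,allow: Deny first, Allow overrides it, default allow
    (the keyword written last is the default)."""
    a = any(addr_matches(client, p) for p in allow)
    d = any(addr_matches(client, p) for p in deny)
    if order.replace(" ", "") == "allow,deny":
        return a and not d
    return a or not d

def request_allowed(client, user, valid_users, order, allow, deny, satisfy="all"):
    """Satisfy All: host rules and 'Require valid-user' must both pass.
    Satisfy Any: either one is enough. user=None means no credentials sent."""
    host_ok = host_allowed(client, order, allow, deny)
    user_ok = user in valid_users
    return (host_ok or user_ok) if satisfy.lower() == "any" else (host_ok and user_ok)

# The two <files "*.txt"> blocks from section 9
DENY_ALLOW = ("deny,allow", ["172.16"], ["172.16.100.100"])
ALLOW_DENY = ("allow,deny", ["172.16"], ["172.16.100.100"])
# Constructed stand-in for the users in the AuthUserFile
VALID = {"http1", "http2"}

if __name__ == "__main__":
    print(host_allowed("172.16.100.100", *DENY_ALLOW))  # True: Allow overrides Deny
    print(host_allowed("172.16.100.100", *ALLOW_DENY))  # False: Deny overrides Allow
    # Satisfy Any: a valid user from outside 192.168.1 still gets in
    print(request_allowed("10.0.0.1", "http1", VALID, "allow,deny", ["192.168.1"], [], "any"))
```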
Status page
Check whether the module is loaded: httpd -M | grep status
vim httpd.conf
LoadModule status_module modules/mod_status.so
<Location /server-status>
SetHandler server-status
Order allow,deny
Allow from 192.168.37.0/24
</Location>
ExtendedStatus On    show extended information
Visit http://192.168.37.106/server-status
curl
curl -u http1:centos 192.168.37.107/secret
-A IE20                  simulate a browser type (User-Agent)
-e/--referer             set the Referer
curl -H "User-Agent: IE" -e http://www.baidu.com 192.168.37.106    construct request headers
curl -IL                 follow redirects
Output compression: SetOutputFilter DEFLATE, DeflateCompressionLevel (see the compression lab below)
Lab: virtual hosts, several sites on one server
cd /app
mkdir site{1,2,3}
echo /app/site1/index.html > site1/index.html
echo /app/site2/index.html > site2/index.html
echo /app/site3/index.html > site3/index.html
ip addr add 192.168.37.10/24 dev eth0
ip addr add 192.168.37.20/24 dev eth0
ip addr add 192.168.37.30/24 dev eth0
IP-based
Name resolution also has to be configured in DNS so that each domain name maps to its IP; see the DNS chapter. For local testing, add to /etc/hosts:
192.168.37.10 www.a.com
192.168.37.20 www.b.com
192.168.37.30 www.c.com
vim /etc/httpd/conf.d/test.conf (see the bottom of the main configuration file for reference)
<virtualhost 192.168.37.10:80>
documentroot /app/site1
</virtualhost>
<virtualhost 192.168.37.20:80>
documentroot /app/site2
</virtualhost>
<virtualhost 192.168.37.30:80>
documentroot /app/site3
</virtualhost>
service httpd reload
Visiting http://www.a.com, http://www.b.com and http://www.c.com shows different content.

Port-based
vim /etc/httpd/conf.d/test.conf (see the bottom of the main configuration file for reference)
listen 8001
listen 8002
listen 8003
<virtualhost *:8001>
documentroot /app/site1
</virtualhost>
<virtualhost *:8002>
documentroot /app/site2
</virtualhost>
<virtualhost *:8003>
documentroot /app/site3
</virtualhost>
service httpd reload
Visiting http://www.a.com, http://www.a.com:8001/, http://www.a.com:8002/ and http://www.a.com:8003/ shows different pages.

FQDN-based
Lab: FQDN-based virtual hosts
Principle: the HTTP request header carries the domain name being requested.
vim /etc/hosts and add 192.168.37.106 www.a.com www.b.com www.c.com (in a real environment this is configured in DNS)
vim /etc/httpd/conf.d/test.conf (see the bottom of the main configuration file for reference)
When the server is accessed by IP, the topmost virtual host is the default site.
NameVirtualHost *:80
<virtualhost *:80>
documentroot /app/site1
servername www.a.com
errorlog logs/a.com.errlog
customlog logs/a.com.accesslog combined
</virtualhost>
<virtualhost *:80>
documentroot /app/site2
servername www.b.com
errorlog logs/b.com.errlog
customlog logs/b.com.accesslog combined
</virtualhost>
<virtualhost *:80>
documentroot /app/site3
servername www.c.com
errorlog logs/c.com.errlog
customlog logs/c.com.accesslog combined
</virtualhost>
Lab: enabling compression
Enable compression on the server
httpd -M | grep mod_deflate
SetOutputFilter DEFLATE
DeflateCompressionLevel 9
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
Lab: enabling HTTPS
1. yum install mod_ssl
2. vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
httpd 2.4 configuration
httpd -t    check syntax
Changing the MPM module: vim /etc/httpd/conf.modules.d/00-mpm.conf
Performance test: /var/www/html/m.txt (make this file fairly large)
ab -c 100 -n 2000 http://192.168.37.107/m.txt
Changing the document root:
vim /etc/httpd/conf/httpd.conf
DocumentRoot "/app/website"
systemctl reload httpd
curl -I http://192.168.37.107
vim /etc/httpd/conf/httpd.conf
DocumentRoot "/app/website"
<directory /app/website>
require all granted/denied    allow/deny all hosts
</directory>

<directory /app/website>
require ip 192.168.37.106    only allow a specific IP
</directory>
<directory /app/website>
<requireall>
require all granted
require not ip 192.168.37.106    reject only a specific IP
</requireall>
</directory>

FQDN-based virtual hosts
cd /etc/httpd/conf.d/
On the client: vim /etc/hosts
192.168.37.107 www.a.com www.b.com www.c.com

cd /app
mkdir website{1,2,3}
cd /etc/httpd/conf.d/
vim vhosts.conf
<virtualhost *:80>
documentroot /app/website1
servername www.a.com
<directory /app/website1>
require all granted
</directory>
</virtualhost>
<virtualhost *:80>
documentroot /app/website2
servername www.b.com
</virtualhost>
<directory /app/website2>
require all granted
</directory>
<virtualhost *:80>
documentroot /app/website3
servername www.c.com
</virtualhost>
<directory /app/website3>
require all granted
</directory>
systemctl restart httpd

Creating a certificate, HTTPS
yum install mod_ssl
systemctl restart httpd
cd /etc/pki/tls/certs/
make httpd.pem    a single file
head -n 28 httpd.pem > /etc/httpd/conf.d/httpd.key
vim /etc/httpd/conf.d/httpd.crt
vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf.d/httpd.key

make httpd.crt    (generates two files)
vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/httpd.crt
Check sendfile: grep -i sendfile /etc/httpd/conf/httpd.conf
Enabling a reverse proxy
107: front end, the scheduler (reverse proxy server); in LVS terms the VS (virtual server)
106: back end; in LVS terms the Real Server
On 107: vim test.conf
ProxyPass "/" "http://192.168.37.106/"
ProxyPassReverse "/" "http://192.168.37.106/"
systemctl restart httpd
Client: visiting 107 returns the page from 106.

105: bbs server
On 107: vim test.conf
ProxyPass "/images" "http://192.168.37.106:8000/images/"
ProxyPassReverse "/images" "http://192.168.37.106:8000/images/"
ProxyPass "/bbs" "http://192.168.37.106/bbs"
ProxyPassReverse "/bbs" "http://192.168.37.106/bbs/"
On 106: put the images under /images/. On 105: put the response content.
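The ProxyPass/ProxyPassReverse rules above, modelled in an added Python example (not the post's code): a simplified version of mod_proxy's prefix rewriting of the request path and of the backend's Location header, which shows why the trailing slashes of the local path and the backend URL have to agree. The backend addresses are the post's; the request paths are constructed and the slash-collapsing that httpd's alias_match also performs is left out.

```python
def _prefix_len(path, fake):
    """Length of the matched ProxyPass prefix, or 0. Without a trailing
    slash the prefix must end at a path-segment boundary, so '/bbs'
    matches '/bbs' and '/bbs/x' but not '/bbsx'."""
    if not path.startswith(fake):
        return 0
    rest = path[len(fake):]
    if fake.endswith("/") or rest == "" or rest.startswith("/"):
        return len(fake)
    return 0

def proxy_pass(path, rules):
    """rules: (fake, real) pairs in configuration order; the first match
    wins and the remainder of the path is appended to 'real' unchanged."""
    for fake, real in rules:
        n = _prefix_len(path, fake)
        if n:
            return real + path[n:]
    return None  # no rule matched: httpd serves the path locally

def proxy_pass_reverse(location, rules):
    """Rewrite a backend Location header for the client: the first 'real'
    that is a prefix of it is swapped for its 'fake' path by concatenation."""
    for fake, real in rules:
        if location.lower().startswith(real.lower()):
            return fake + location[len(real):]
    return location

# The post's rules, as written there
PASS = [("/images", "http://192.168.37.106:8000/images/"),
        ("/bbs", "http://192.168.37.106/bbs")]
REVERSE = [("/images", "http://192.168.37.106:8000/images/"),
           ("/bbs", "http://192.168.37.106/bbs/")]
# The same rules with the trailing slashes matched on both sides
PASS_FIXED = [("/images/", "http://192.168.37.106:8000/images/"),
              ("/bbs/", "http://192.168.37.106/bbs/")]

if __name__ == "__main__":
    print(proxy_pass("/images/a.png", PASS))        # .../images//a.png (double slash)
    print(proxy_pass("/images/a.png", PASS_FIXED))  # .../images/a.png
    print(proxy_pass_reverse("http://192.168.37.106/bbs/index.php", REVERSE))     # /bbsindex.php
    print(proxy_pass_reverse("http://192.168.37.106/bbs/index.php", PASS_FIXED))  # /bbs/index.php
```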