Apache Knowledge
Before configuring httpd, SELinux needs to be disabled.
For httpd 2.2 no access rule needs to be set by default.
For httpd 2.4 access rules need to be set by default.
100 - 199: informational
200 - 299: success
300 - 399: redirection
400 - 499: client error
401: authentication failed
404: requested resource not found
403: no permission to access the resource
500 - 599: server error
Installation
Install apache with yum: yum install httpd
Manually install apache:
After changing a config file, check the httpd config: service httpd configtest
Only after changing the port does the service need a restart: service httpd restart
Any other config change only needs a reload: service httpd reload
Httpd config
A. Config files: (rpm -qc httpd --> list config files)
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/*.conf
/etc/sysconfig/httpd (work mode / which httpd binary to run)
B. Program files: (rpm -ql httpd | grep httpd --> list program files)
/usr/sbin/httpd
/usr/sbin/httpd.event
/usr/sbin/httpd.worker
C. Help files: (rpm -qd httpd --> list help files)
D. Log files: /var/log/httpd/access.log; /var/log/httpd/error.log
E. Default website folder: /var/www/html
Default httpd work folder: /var/www
F. /etc/httpd/conf/httpd.conf sections (grep '###' httpd.conf)
I. Global Environment
a. KeepAlive: enable persistent (long) connections or not
b. IfModule --> MPM configuration
<IfModule prefork.c>
StartServers 8 (number of processes at start)
MinSpareServers 5 (min number of spare processes)
MaxSpareServers 20 (max number of spare processes)
ServerLimit 256 (max number of processes)
MaxClients 256 (max number of concurrent client requests)
MaxRequestsPerChild 4000 (max requests handled by a process before it is recycled)
</IfModule>
<IfModule worker.c>
StartServers 4 (number of processes at start)
MaxClients 300 (max number of concurrent client requests)
MinSpareThreads 25 (min number of spare threads)
MaxSpareThreads 75 (max number of spare threads)
ThreadsPerChild 25 (number of threads each process can start)
MaxRequestsPerChild 0 (max requests handled by a child; 0 = unlimited)
</IfModule>
c. Listen 80
Can be changed to listen on port 80 of a specific IP, or to another port such as 8080
Check network listen status: ss -tulpn / netstat -tnlp
II. 'Main' Server configuration
a. DocumentRoot
Change it and reload
b. Directory access privileges
i. Based on the local path
<Directory "/path/to/some_directory">
Options Indexes FollowSymLinks
Order allow,deny
Allow from 172.16
</Directory>
Options keywords:
Indexes: list all files in the directory (dangerous, do not use)
If not sure whether the parent directory has the Indexes feature enabled, set Options -Indexes to remove it.
FollowSymLinks: read the target file through the symbolic link; the target file's permissions control access
Whitelist
Order allow,deny
Allow from 172.16
172.16 = 172.16.0.0/16 = 172.16.0.0 255.255.0.0
Blacklist
Order deny,allow
Deny from 172.16
ii. Based on the URL
<Location "/path/to/some_url">
</Location>
iii. Internal status page
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from 172.16
</Location>
III. Virtual Hosts
The main server and virtual hosts cannot be used at the same time; the main server is used by default.
Format
<VirtualHost "IP:PORT">
ServerName
DocumentRoot
ServerAlias
<Directory >
</Directory>
ErrorLog
CustomLog
</VirtualHost>
1. Based on IP address
/etc/httpd/conf/httpd.conf
Listen 80
/etc/httpd/conf.d/vhost.conf
<VirtualHost 12.11.0.136:80>
ServerName www.test1.com
DocumentRoot "/vhost/www.test1.com"
</VirtualHost>
<VirtualHost 12.11.0.137:80>
ServerName www.test2.com
DocumentRoot "/vhost/www.test2.com"
</VirtualHost>
2. Based on port
/etc/httpd/conf/httpd.conf
Listen 80
Listen 8080
/etc/httpd/conf.d/vhost.conf
<VirtualHost 12.11.0.136:8080>
ServerName www.test3.com
DocumentRoot "/vhost/www.test3.com"
</VirtualHost>
<VirtualHost 12.11.0.137:8080>
ServerName www.test4.com
DocumentRoot "/vhost/www.test4.com"
</VirtualHost>
3. Based on domain name
NameVirtualHost 12.11.0.138:80
<VirtualHost 12.11.0.138:80>
ServerName www.test5.com
DocumentRoot "/vhost/www.test5.com"
</VirtualHost>
<VirtualHost 172.16.100.8:80>
ServerName www.jiuiren.org
DocumentRoot "/vhost/www.test6.com"
</VirtualHost>
Curl Command
curl is a command-line file transfer tool that works with URL syntax. It supports FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP, among other protocols. curl supports HTTPS authentication, the HTTP POST and PUT methods, FTP upload, Kerberos authentication, HTTP upload, proxy servers, cookies, username/password authentication, resumable downloads and uploads, HTTP proxy tunneling, and even IPv6, SOCKS5 proxies and uploading files to an FTP server through an HTTP proxy. It is a very powerful tool.
Common curl options:
-A/--user-agent <string>  set the User-Agent sent to the server
--basic  use HTTP Basic authentication
--tcp-nodelay  use the TCP_NODELAY option
-e/--referer <URL>  set the Referer URL
--cacert <file>  CA certificate (SSL)
--compressed  request a compressed response
-H/--header <line>  pass a custom header to the server
-I/--head  show only the response headers
--limit-rate <rate>  limit the transfer speed
-u/--user <user[:password]>  set the user and password for the server
-0/--http1.0  use HTTP 1.0
Usage: curl [options] [URL...]
Httpd Characteristics
1. MPM (Multi-Processing Module) (/etc/sysconfig/httpd)
A. Prefork (default): stable; max concurrent number is 1024; one request per process
a. requests handled in 8 hours: 1024*60*60*8 = 29491200
b. 1 page contains 100 resources: 29491200 / 100 = 294912
B. Worker: one process spawns multiple threads; one request per thread; several threads are pre-created
C. Event: beta in httpd 2.2; production in httpd 2.4
Check current model of httpd: ps -aux | grep httpd
2. httpd modules
Check module of httpd: httpd -M / httpd.worker -M / httpd.event -M
Check core module of httpd: httpd -l
Shared modules can be added/removed dynamically
Module directory: /etc/httpd/modules --> /usr/lib64/httpd/modules
Undeploy a module: add # in front of its LoadModule ... line
VPS: virtual private server with a public IP address
3. Virtual Host: multiple web folders
1 virtual system can handle 10 virtual websites
Virtual hosts can be set up based on hostname, IP or port
4. Reverse Proxy
5. Load Balance
6. Directory Alias
7. User Authentication
Remove the error shown when restarting the httpd service:
1. Add a DNS record into /etc/hosts
<local ip address> <domain name>
2. Change the hostname to the domain name
hostname <domain name>
Example:
192.168.199.183 www.baidu.com
hostname www.baidu.com
3. Restart the httpd service
HTTPS
Simplified SSL session process:
(1) The client sends a request for the certificate;
(2) The server sends its certificate to the client;
(3) The client generates a temporary session key, encrypts it with the server's public key and sends it to the server;
(4) Both sides communicate securely
X.509 certificate format:
certificate version number
certificate serial number
signature algorithm ID
certificate issuer
validity period
subject name
subject public key
CA unique ID
subject unique ID
extensions
CA signature
HTTPS Config
1. Install and config CA Server
#yum install openssl
#cd /etc/pki/CA/
#(umask 077; openssl genrsa -out private/cakey.pem 2048)
#openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
Enter the information for each item; the Common Name can be www.ca.com
#echo 01 > serial
#touch index.txt
2. Apply Cert for HTTPD Server
#cd /etc/httpd
#mkdir certs/
#(umask 077; openssl genrsa -out httpd.key 2048)
#openssl req -new -key httpd.key -out httpd.csr -days 365
Enter the information for each item; the Common Name can be www.example.com
Copy httpd.csr to the CA server
CA Server
#openssl ca -in httpd.csr -out httpd.crt -days 365
Copy httpd.crt back to the httpd server
3. HTTPD Server config
# yum install mod_ssl
(Installed files: /etc/httpd/conf.d/ssl.conf; /usr/lib64/httpd/modules/mod_ssl.so)
# vim /etc/httpd/conf.d/ssl.conf
LoadModule
Listen 443
<VirtualHost IP:PORT>
ServerName
DocumentRoot
SSLEngine on
SSLCertificateFile
SSLCertificateKeyFile
</VirtualHost>
# service httpd restart
HTTPD Tools
httpd -t: test the configuration file syntax
httpd -M: list all loaded modules
httpd -l: list all statically compiled modules
httpd -S: list all virtual hosts
apachectl: shell script for controlling the httpd service
apxs: tool interface that lets httpd be extended with third-party modules
rotatelogs: switch the log files httpd is using without stopping httpd
access_log, access_log.1, access_log.2
HTTPD 2.4 Characteristics
1) MPMs can be loaded at run time
--enable-mpms-shared=all --with-mpm=prefork|worker|event
2) event MPM supported
3) asynchronous read/write
4) different log levels per module and per directory
5) enhanced expression parser
6) keepalive timeout at millisecond granularity
7) FQDN (domain name) based virtual hosts no longer need NameVirtualHost
8) user-defined variables supported
New modules: mod_proxy_fcgi, mod_ratelimit, mod_request, mod_remoteip
Changed configuration mechanisms: Order, Allow and Deny are no longer supported for IP-based access control
HTTPD 2.4 Binary Install
1. Download packages:
apr-1.5.0.tar.bz2
apr-util-1.5.3.tar.bz2
httpd-2.4.9.tar.bz2
2. Install build dependencies: yum install gcc pcre-devel openssl-devel
3. Build and install (enter each unpacked directory before running its configure):
#tar xvf apr-1.5.0.tar.bz2
#tar xvf apr-util-1.5.3.tar.bz2
#tar xvf httpd-2.4.9.tar.bz2
#cd apr-1.5.0
#./configure --prefix=/usr/local/apr (--prefix sets the apr install directory)
#make
#make install
#cd ../apr-util-1.5.3
#./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
#make && make install
#cd ../httpd-2.4.9
# ./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-zlib --with-pcre --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util/ --enable-modules=most --enable-mpms-shared=all --with-mpm=prefork
#make && make install
Introduction of the httpd 2.4 configure parameters
--sysconfdir=/etc/httpd24  path of the configuration files
--enable-so  enable dynamic loading/unloading of modules
--enable-ssl  build the ssl module
--enable-cgi  support the CGI mechanism (a protocol that lets a static web server handle dynamic requests)
--enable-rewrite  support URL rewriting
--with-zlib  support compression
--with-pcre  support regular expressions
--with-apr=/usr/local/apr  directory of the apr dependency
--with-apr-util=/usr/local/apr-util/  directory of the apr-util dependency
--enable-modules=most  modules to enable
--enable-mpms-shared=all  build the MPMs as shared modules
--with-mpm=prefork  set the httpd work mode to prefork
Service script: /etc/rc.d/init.d/httpd24
service httpd24 start
apachectl
HTTPD 2.4 Visit Control List
1. Based on IP address:
Allow all: Require all granted
Deny all: Require all denied
Specific IP address: Require ip IPADDR (single IP / Network/Mask / Network/Length / partial network such as 172.16)
Example1: Only allow 192.168.199.183
<Directory "/web/vhosts/www1">
Require ip 192.168.199.183
Require all denied
</Directory>
Example2: Only allow the 192.168.199.0 subnet
<Directory "/web/vhosts/www1">
Require ip 192.168.199
Require all denied
</Directory>
2. Based on hostname:
Require host HOSTNAME (FQDN: a specific host / DOMAIN: all hosts in the domain)
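The whitelist/blacklist semantics of the 2.2 Order/Allow/Deny directives above are a classic source of misconfiguration, and 2.4 replaces them with Require. The following is an added example (not code from the page, and not part of Apache httpd) that evaluates a 2.2-style block for a given client IP and emits the equivalent 2.4 mod_authz_core configuration. It assumes IPv4 address rules only (no host-name rules) and accepts the spellings used in these notes: a full address, a partial address such as 172.16, CIDR, and address/netmask. The config blocks at the end are constructed samples. Note that bare Require lines in one section are combined by an implicit RequireAny, which is why the translation wraps mixed rules in explicit RequireAll/RequireAny containers (and why the `Require all denied` line in Example1 above changes nothing: it never matches, so the result is the same as `Require ip` alone).

```python
# Added example (not from the page): evaluate httpd 2.2 Order/Allow/Deny access
# control for a client IP and emit the equivalent httpd 2.4 Require configuration.
# The config blocks at the bottom are constructed samples.
import ipaddress
import re

ALL = "all"  # marker for "Allow from all" / "Deny from all"


def parse_net(spec):
    """Turn one httpd host spec into an IPv4Network, or ALL.
    Accepts 'all', a full address (192.168.199.183), a partial address
    (172.16 -> 172.16.0.0/16, 192.168.199 -> 192.168.199.0/24), CIDR
    (192.168.199.0/24) and address/netmask (172.16.0.0/255.255.0.0)."""
    spec = spec.strip()
    if spec.lower() == ALL:
        return ALL
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if len(octets) < 4:
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)
    return ipaddress.ip_network(f"{spec}/32")


_ORDER = re.compile(r"^\s*Order\s+(allow\s*,\s*deny|deny\s*,\s*allow)\s*$", re.I | re.M)
_RULE = re.compile(r"^\s*(Allow|Deny)\s+from\s+(.+?)\s*$", re.I | re.M)


def parse_acl(block):
    """Extract Order / Allow from / Deny from lines from a <Directory> or <Location> block."""
    m = _ORDER.search(block)
    if not m:
        raise ValueError("block has no Order directive")
    acl = {"order": re.sub(r"\s", "", m.group(1)).lower(), "allow": [], "deny": []}
    for kind, hosts in _RULE.findall(block):
        acl[kind.lower()].extend(parse_net(h) for h in hosts.split())
    return acl


def _matches(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(n == ALL or addr in n for n in nets)


def is_allowed(acl, ip):
    """httpd 2.2 semantics: allow,deny starts closed and needs an Allow match with no
    Deny match; deny,allow starts open and only a Deny match without an Allow match closes it."""
    allowed, denied = _matches(ip, acl["allow"]), _matches(ip, acl["deny"])
    if acl["order"] == "allow,deny":
        return allowed and not denied
    return allowed or not denied


def _req(nets, negate=False):
    lines = []
    for n in nets:
        if n == ALL:
            lines.append("Require all denied" if negate else "Require all granted")
        else:
            host = str(n.network_address) if n.prefixlen == 32 else n.with_prefixlen
            lines.append(f"Require {'not ' if negate else ''}ip {host}")
    return lines


def _indent(lines, level=1):
    return ["  " * level + l for l in lines]


def to_24(acl):
    """Equivalent httpd 2.4 (mod_authz_core) configuration as a list of lines.
    Bare Require lines in a section are combined by an implicit RequireAny, so
    mixed allow/deny rules are wrapped in explicit containers."""
    allow, deny = _req(acl["allow"]), _req(acl["deny"], negate=True)
    if acl["order"] == "allow,deny":
        allow_part = allow or ["Require all denied"]  # no Allow line: nobody gets in
        if not deny:
            return allow_part
        return (["<RequireAll>", "  <RequireAny>"] + _indent(allow_part, 2)
                + ["  </RequireAny>"] + _indent(deny) + ["</RequireAll>"])
    if not deny:
        return ["Require all granted"]
    deny_part = ["<RequireAll>", "  Require all granted"] + _indent(deny) + ["</RequireAll>"]
    if not allow:
        return deny_part
    return ["<RequireAny>"] + _indent(deny_part) + _indent(allow) + ["</RequireAny>"]


# Constructed sample blocks mirroring the whitelist / blacklist patterns in these notes.
WHITELIST = """<Directory "/var/www/html">
Order allow,deny
Allow from 172.16
</Directory>"""

BLACKLIST = """<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from 172.16
</Location>"""

MIXED = """<Directory "/var/www/html">
Order deny,allow
Deny from 10.0.0.0/8
Allow from 10.1.2.3
</Directory>"""

if __name__ == "__main__":
    for name, block in (("whitelist", WHITELIST), ("blacklist", BLACKLIST), ("mixed", MIXED)):
        acl = parse_acl(block)
        print(name, {ip: is_allowed(acl, ip) for ip in ("172.16.5.9", "10.1.2.3", "10.5.5.5", "8.8.8.8")})
        print("\n".join(to_24(acl)))
```

Running the script prints, for each constructed block, which of the sample client addresses would get through under 2.2 semantics and the Require lines that preserve that behaviour on 2.4; the same `is_allowed` check is a quick way to confirm that a blacklist written with `Order deny,allow` really leaves everyone else open, which is the usual surprise with these directives.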
HTTPD 2.4 switch work mode: change the loaded MPM module in /etc/httpd/conf/httpd.conf
LoadModule mpm_event_module modules/mod_mpm_event.so
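Several of the pitfalls collected in these notes (Options Indexes listing a directory, the 2.2 Order/Allow/Deny directives that 2.4 no longer accepts, a server-status Location left without any access restriction, and an SSL VirtualHost missing its certificate or key file) can be caught before running `httpd -t`. The following is an added example (not code from the page or from Apache httpd) of a small linter that walks configuration text and reports those conditions. It assumes one directive per line, sections opened and closed on their own lines, and `#` as the comment character; the two config samples are constructed for illustration and the paths in them are placeholders in the layout used on this page.

```python
# Added example (not from the page): a small linter for httpd configuration text that
# flags the pitfalls described in these notes. The config samples are constructed.
import re

_OPEN = re.compile(r"^<(Directory|Location|VirtualHost|RequireAll|RequireAny|RequireNone)\b(.*?)>$", re.I)
_CLOSE = re.compile(r"^</\w+>$")
_INDEXES = re.compile(r"(^|\s)\+?indexes\b", re.I)  # matches "Indexes"/"+Indexes", not "-Indexes"


def _container(stack):
    """Nearest enclosing Directory/Location/VirtualHost, skipping Require* wrappers."""
    for sec in reversed(stack):
        if not sec["name"].lower().startswith("<require"):
            return sec
    return None


def lint_httpd_conf(text, version="2.4"):
    """Return (line_number, message) pairs for:
    - Options Indexes (directory listing enabled)
    - 2.2-style Order/Allow/Deny when linting for httpd 2.4
    - a server-status handler with no access restriction in its section
    - SSLEngine on without both SSLCertificateFile and SSLCertificateKeyFile"""
    findings, stack = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if _OPEN.match(line):
            stack.append({"name": line, "line": lineno, "status": False,
                          "restricted": False, "ssl": False, "cert": False, "key": False})
            continue
        if _CLOSE.match(line):
            if not stack:
                findings.append((lineno, f"{line} closes a section that was never opened"))
                continue
            sec = stack.pop()
            if sec["status"] and not sec["restricted"]:
                findings.append((sec["line"], f"{sec['name']} exposes server-status without any access restriction"))
            if sec["ssl"] and not (sec["cert"] and sec["key"]):
                findings.append((sec["line"], f"{sec['name']} has SSLEngine on but lacks SSLCertificateFile and/or SSLCertificateKeyFile"))
            continue
        parts = line.split(None, 1)
        directive, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if directive == "options" and _INDEXES.search(args):
            findings.append((lineno, "Options Indexes enables directory listing; use 'Options -Indexes'"))
        if version.startswith("2.4") and directive in ("order", "allow", "deny"):
            findings.append((lineno, f"'{line}' is httpd 2.2 syntax; httpd 2.4 uses Require"))
        sec = _container(stack)
        if sec is None:
            continue
        # "Require all granted" is not a restriction; anything else (or 2.2 Allow/Deny) is.
        if directive in ("allow", "deny") or (directive == "require" and args.lower() != "all granted"):
            sec["restricted"] = True
        if directive == "sethandler" and args.lower() == "server-status":
            sec["status"] = True
        if directive == "sslengine" and args.lower() == "on":
            sec["ssl"] = True
        if directive == "sslcertificatefile":
            sec["cert"] = True
        if directive == "sslcertificatekeyfile":
            sec["key"] = True
    for sec in stack:
        findings.append((sec["line"], f"{sec['name']} is never closed"))
    return findings


# Constructed samples: a config with every pitfall, and its corrected counterpart.
BAD_CONF = """<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from 172.16
</Directory>
<Location /server-status>
    SetHandler server-status
</Location>
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/certs/httpd.crt
</VirtualHost>"""

GOOD_CONF = """<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
    Require ip 172.16.0.0/16
</Directory>
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1
</Location>
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/certs/httpd.crt
    SSLCertificateKeyFile /etc/httpd/certs/httpd.key
</VirtualHost>"""

if __name__ == "__main__":
    for lineno, msg in lint_httpd_conf(BAD_CONF):
        print(f"line {lineno}: {msg}")
    print("corrected config findings:", lint_httpd_conf(GOOD_CONF))
```

Passing `version="2.2"` suppresses the Order/Allow/Deny findings, so the same function can be pointed at a 2.2 httpd.conf before and a 2.4 one after a migration; the remaining three checks are the same on both versions.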
Attachments
1. httpd2.2 config files
A. httpd2.2_httpd.conf : /etc/httpd/conf/httpd.conf
B. httpd2.2_vhost.conf: /etc/httpd/conf.d/vhost.conf
2. httpd2.4 config files
A. httpd2.4_httpd.conf: /etc/httpd/httpd.conf
B. httpd2.4_httpd_vhosts.conf: /etc/httpd/extra/httpd_vhosts.conf
C. httpd2.4_httpd_ssl.conf: /etc/httpd/extra/httpd_ssl.conf