- mod_deflate module
- Implementing HTTPS
- Redirecting HTTP to HTTPS
- HSTS
- httpd-related programs
- httpd-2.4
- Compiling and installing httpd-2.4
1. The mod_deflate module
Function: compress pages to reduce transfer size and speed up delivery
Enable compression:
vim /etc/httpd/conf.d/deflate.conf
LoadModule deflate_module modules/mod_deflate.so
SetOutputFilter DEFLATE
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
DeflateCompressionLevel 9
service httpd reload
curl -I 192.168.136.229/large.txt // no Accept-Encoding is sent, so the response is not compressed
curl --compressed -I 192.168.136.229/large.txt // --compressed sends Accept-Encoding; the response should now carry Content-Encoding: gzip
2. Implementing HTTPS:
- Prerequisites: the hosts involved in this lab are:
httpd server: IP 192.168.136.229
CA server: IP 192.168.136.230
DNS server: IP 192.168.136.130
Client: IP 192.168.136.129
(A) Request a digital certificate for the httpd server
The certificate is issued by creating a private CA
(a) Create the private CA
cd /etc/pki/CA/
(umask 066; openssl genrsa -out private/cakey.pem 2048) // create the CA private key
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 // create the self-signed CA certificate
echo 00 > serial
touch index.txt
(b) Create the certificate signing request on the httpd server
mkdir /etc/httpd/conf.d/ssl
cd /etc/httpd/conf.d/ssl
(umask 066; openssl genrsa -out httpd.key 2048) // create the server private key
openssl req -new -key httpd.key -out httpd.csr // create the certificate request
scp httpd.csr 192.168.136.230:/etc/pki/CA // send the request to the CA
(c) The CA signs the certificate
openssl ca -in httpd.csr -out certs/httpd.crt -days 365 // issue the certificate
scp certs/httpd.crt cacert.pem 192.168.136.229:/etc/httpd/conf.d/ssl/ // send the issued certificate and the CA's self-signed certificate to the httpd server
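Steps (a) to (c) as one added, self-contained script (not the notes' own commands): it builds the private CA and the server certificate in a scratch directory and then runs the checks worth doing before the files are copied to the httpd server: the certificate chains to cacert.pem, the key matches the certificate, the hostname is in the certificate (which is what `curl --cacert` checks on the client), and the private keys are owner-readable only. It signs with `openssl x509 -req` plus a subjectAltName extension instead of `openssl ca`, so it does not need the /etc/pki/CA layout; the function name, the work directory, the CA subject and the san.ext file name are assumptions.

```shell
#!/bin/sh
# Added example: private CA + server certificate + pre-deployment checks.
# Not the notes' own commands. Usage: make_and_verify_site_cert <workdir> <fqdn>
# (both arguments, the CA subject and the san.ext file name are assumptions)
make_and_verify_site_cert() (
    workdir=$1; fqdn=$2
    set -e
    mkdir -p "$workdir" && cd "$workdir"

    # (a) private CA: key, then a self-signed CA certificate valid 10 years
    (umask 066; openssl genrsa -out cakey.pem 2048 2>/dev/null)
    openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650 \
        -subj "/CN=hellopeiyang private CA" 2>/dev/null

    # (b) server key and CSR; the CN is the name clients will connect to
    (umask 066; openssl genrsa -out httpd.key 2048 2>/dev/null)
    openssl req -new -key httpd.key -out httpd.csr -subj "/CN=$fqdn" 2>/dev/null

    # (c) the CA issues a 1-year certificate. 'openssl x509 -req' is used here
    # instead of 'openssl ca' so no /etc/pki/CA layout is needed; the SAN is
    # added because modern clients match the hostname against SAN, not CN.
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > san.ext
    openssl x509 -req -in httpd.csr -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -days 365 -extfile san.ext -out httpd.crt 2>/dev/null

    # check 1: the certificate chains to cacert.pem, which is exactly what
    # 'curl --cacert cacert.pem' verifies on the client
    openssl verify -CAfile cacert.pem httpd.crt >/dev/null

    # check 2: private key and certificate carry the same public key
    crt_pub=$(openssl x509 -in httpd.crt -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in httpd.key -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ]

    # check 3: the hostname is in the certificate as a SAN entry
    openssl x509 -in httpd.crt -noout -text | grep -q "DNS:$fqdn"

    # check 4: the umask 066 above left both private keys readable by owner only
    ls -l httpd.key cakey.pem | grep -vq '^-rw-------' && return 1
    return 0
)
```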
(B) Configure httpd to use SSL
yum -y install mod_ssl
vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt // httpd server certificate
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key // httpd private key
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem // CA self-signed certificate
httpd -t
service httpd reload
(C) Configure the DNS server
yum install bind
// 1. Edit the main configuration file
vim /etc/named.conf
options {
    listen-on port 53 { localhost; }; // modified line
    allow-query { any; }; // modified line
};
// 2. Edit the zone definition file
vim /etc/named.rfc1912.zones
zone "hellopeiyang.com" IN {
    type master;
    file "hellopeiyang.com.zone";
};
named-checkconf
// 3. Edit the zone data file
vim /var/named/hellopeiyang.com.zone
$TTL 1D
@ IN SOA dns1 admin.hellopeiyang.com. (
        101 ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
    NS dns1
dns1 A 192.168.136.130
websrv A 192.168.136.229
www CNAME websrv
named-checkzone hellopeiyang.com /var/named/hellopeiyang.com.zone
dig www.hellopeiyang.com @127.0.0.1
(D) Prepare the site files on the server
vim /etc/httpd/conf/httpd.conf
DocumentRoot "/app"
vim /app/index.html
<h1>Welcome to hellopeiyang.com</h1>
httpd -t
service httpd reload
scp /etc/httpd/conf.d/ssl/cacert.pem 192.168.136.129:/root // send the CA's self-signed certificate to the client
(E) Test from the client
vim /etc/sysconfig/network-scripts/ifcfg-eth1
DNS1=192.168.136.130 // add a line with the DNS server's IP
service network restart
cat /etc/resolv.conf
curl https://www.hellopeiyang.com // fails: the server certificate is not trusted by default
curl -k https://www.hellopeiyang.com // -k skips certificate verification; the page content comes back correctly
curl --cacert cacert.pem https://www.hellopeiyang.com // connects successfully, with the private CA certificate as the trust anchor
- Note: SSL is bound to the IP address, so a host with a single IP can run only one HTTPS virtual host
3. Redirecting HTTP to HTTPS
Configuration syntax:
Redirect [status] URL-path URL
status values:
- Permanent: permanent redirect, 301
- Temp: temporary redirect, 302; this is the default, and is the usual choice for an HTTP-to-HTTPS redirect
Lab: continuing from the previous lab, redirect requests for http://www.hellopeiyang.com to HTTPS
vim /etc/httpd/conf.d/redirect.conf
Redirect temp / https://www.hellopeiyang.com/
httpd -t
service httpd reload
4. HSTS
HSTS: HTTP Strict Transport Security
Once the server is configured for HSTS, the HTTP headers it returns to the browser carry an HSTS field. After the browser has received that information, it turns every HTTP request into an internal 307 redirect to HTTPS, without any network round trip.
HSTS preload list
Chrome's built-in HSTS preload list: sites on this list are switched to HTTPS automatically when visited with Chrome. Firefox, Safari and Edge also use this list.
Lab: enable HSTS
vim /etc/httpd/conf.d/hsts.conf
Header always set Strict-Transport-Security "max-age=15768000"
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
httpd -t
service httpd reload
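As an added check for the redirect and HSTS setup above (not part of the original notes): shell functions that read the header block printed by `curl -sI` and confirm that the http:// URL answers with a redirect to an https:// Location, and that the https:// response carries Strict-Transport-Security with a max-age of at least the configured 15768000 seconds. Browsers ignore an HSTS header received over plain HTTP, so the header has to be checked on the HTTPS response; the function names and the two sample header blocks are constructed.

```shell
# Added example: validation of the redirect + HSTS setup above, run on the
# header block that 'curl -sI URL' prints. Not part of the original notes.

# Print the max-age value of Strict-Transport-Security, or nothing if the
# header is absent. Header names are case-insensitive and curl prints CRLF
# line endings, so both are normalised first.
hsts_max_age() {
    tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 |
        sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Return 0 when the plain-HTTP response is a redirect (301/302/307/308)
# whose Location is an https:// URL, 1 otherwise.
check_https_redirect() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$hdrs" | grep -i '^location:' | head -n 1 | awk '{print $2}')
    case "$status" in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    case "$location" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the HTTPS response carries HSTS with a max-age of at least
# $1 seconds (default: the 15768000 configured above). Browsers ignore an
# HSTS header received over plain HTTP, so feed this the https:// headers.
check_hsts() {
    min=${1:-15768000}
    age=$(hsts_max_age)
    [ -n "$age" ] && [ "$age" -ge "$min" ]
}

# Constructed sample responses standing in for
#   curl -sI http://www.hellopeiyang.com/  | check_https_redirect
#   curl -sI https://www.hellopeiyang.com/ | check_hsts
HTTP_SAMPLE=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.hellopeiyang.com/\r\nContent-Length: 0\r\n')
HTTPS_SAMPLE=$(printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15768000\r\nContent-Type: text/html\r\n')
```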
5. httpd-related programs
(A) Tools shipped with httpd
- htpasswd: generates the account/password file used when basic authentication is backed by a file
- apachectl: the service control script shipped with httpd; supports start and stop
- apxs: provided by the httpd-devel package; a tool for extending httpd with third-party modules
- rotatelogs: log rotation tool
    access.log -->
    access.log, access.1.log -->
    access.log, access.1.log, access.2.log
- suexec: when resources configured with special privileges are accessed, temporarily switches to run as the specified user
(B) Load-testing tools for httpd
- ab (from the httpd-tools package), webbench, http_load, siege
- JMeter: open source
- LoadRunner: commercial; has an associated certification
- tcpcopy: from NetEase; copies real requests from the production environment and saves them
- ab [OPTIONS] URL
    -n: total number of requests
    -c: number of concurrent requests to simulate
    -k: test with persistent (keep-alive) connections
ulimit -n # adjust the number of files a process may have open
6. httpd-2.4
(A) What changed in httpd-2.4
New features:
(1) MPMs can be built as DSOs and loaded on demand as modules
(2) The event MPM is ready for production use
(3) Asynchronous read/write
(4) Log levels can be set per module and per directory
(5) Per-request configuration sections
(6) Enhanced expression parser
(7) Keep-alive timeout can be specified in milliseconds
(8) FQDN-based virtual hosts no longer need the NameVirtualHost directive
(9) New directive: AllowOverrideList
(10) User-defined variables
(11) Lower memory consumption
Changed configuration mechanisms:
Order, Deny and Allow are no longer used for IP-based access control
New modules:
(1) mod_proxy_fcgi
(2) mod_remoteip
(3) mod_ratelimit
(B) The httpd-2.4 program environment
Configuration files:
    /etc/httpd/conf/httpd.conf
    /etc/httpd/conf.d/*.conf
Module configuration files: /etc/httpd/conf.modules.d/*.conf
Systemd unit file: /usr/lib/systemd/system/httpd.service
Main program file:
    /usr/sbin/httpd
    httpd-2.4 supports switching the MPM dynamically
Log files:
    /var/log/httpd
    access_log: access log
    error_log: error log
Site documents:
    /var/www/html
Module file path:
    /usr/lib64/httpd/modules
Service control:
    systemctl enable|disable httpd.service
    systemctl {start|stop|restart|status} httpd.service
(C) Configuring httpd-2.4
(1) Switching the MPM
On CentOS 7:
Edit /etc/httpd/conf.modules.d/00-mpm.conf
Enable the LoadModule directive for the MPM you want to use
(2) Document root
DocumentRoot /path
(3) IP-based access control
Directories with no explicit authorization are denied by default
- Allow all hosts: Require all granted
- Deny all hosts: Require all denied
Control access by specific IP:
    Require ip IPADDR: allow the given IP
    Require not ip IPADDR: deny the given IP
Control access by specific host:
    Require host HOSTNAME: allow the given host
    Require not host HOSTNAME: deny the given host
    HOSTNAME:
        FQDN: a specific host
        domain.tld: all hosts under the given domain
<RequireAll>: no directive may fail, and at least one must match
<RequireAll>
    Require all granted
    Require not ip IPADDR    // deny a specific IP
</RequireAll>
<RequireAny>: succeeds as soon as any one directive succeeds
<RequireAny>
    Require all denied
    Require ip IPADDR    // allow a specific IP
</RequireAny>
Lab: change the httpd document root to /app and allow only the host 192.168.136.130 to access it
// 1. Change the document root
vim /etc/httpd/conf/httpd.conf
DocumentRoot "/app"
<Directory "/app">
    Require all granted
</Directory>
httpd -t
systemctl reload httpd
echo "/app/index.html" > /app/index.html
// 2. Change the access permissions
vim /etc/httpd/conf/httpd.conf
<Directory "/app">
    <RequireAny>
        Require all denied
        Require ip 192.168.136.130
    </RequireAny>
</Directory>
httpd -t
systemctl reload httpd
(4) Virtual hosts
FQDN-based virtual hosts no longer need the NameVirtualHost directive
Pages under any directory can be accessed only when that directory is explicitly authorized
Lab: FQDN-based virtual hosts on httpd 2.4
// 1. Create the web pages
mkdir /app/website{1..3}
echo "/app/website1/index.html" > /app/website1/index.html
echo "/app/website2/index.html" > /app/website2/index.html
echo "/app/website3/index.html" > /app/website3/index.html
// 2. Edit a separate configuration file
vim /etc/httpd/conf.d/virtualhost.conf
<VirtualHost *:80>
    ServerName www.hello.com
    DocumentRoot "/app/website1"
    <Directory "/app/website1"> // explicit authorization
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName www.hi.cn
    DocumentRoot "/app/website2"
    <Directory "/app/website2"> // explicit authorization
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName www.bye.net
    DocumentRoot "/app/website3"
    <Directory "/app/website3"> // explicit authorization
        Require all granted
    </Directory>
</VirtualHost>
httpd -t
systemctl reload httpd
// 3. Configure the DNS server, or edit the hosts file
// 4. Test
curl www.hello.com
curl www.hi.cn
curl www.bye.net
(5) The sendfile mechanism
Traditional network transfer path:
    disk >> kernel buffer >> user buffer >> kernel socket buffer >> protocol stack
This involves four context switches and four copies, and the copied content is essentially the same each time.
Transfer path with sendfile:
    disk >> kernel buffer (fast copy to the kernel socket buffer) >> protocol stack
There are no context switches and only one copy, which improves performance.
Enable sendfile:
vim /etc/httpd/conf/httpd.conf
EnableSendfile on
(6) Reverse proxy
- Syntax:
ProxyPass "/" "http://www.example.com/"
ProxyPassReverse "/" "http://www.example.com/"
- Lab:
Continuing from the previous lab's environment, forward requests sent to www.hello.com (IP 192.168.136.230) to 192.168.136.129
// 1. Edit the separate configuration file
vim /etc/httpd/conf.d/virtualhost.conf
<VirtualHost *:80>
    ServerName www.hello.com
    DocumentRoot "/app/website1"
    <Directory "/app/website1">
        Require all granted
    </Directory>
    ProxyPass "/" "http://192.168.136.129/" // modified part
    ProxyPassReverse "/" "http://192.168.136.129/" // modified part
</VirtualHost>
httpd -t
systemctl reload httpd
// 2. Create the web page (on 192.168.136.129)
echo "welcome to hellopeiyang's home" > /var/www/html/index.html
// 3. Test
curl www.hello.com
curl 192.168.136.230
curl 192.168.136.129
7. Compiling and installing httpd-2.4
(A) APR
APR (Apache Portable Run-time libraries) mainly provides upper-layer applications with a low-level support library whose interface can be used across multiple operating system platforms.
APR takes care of the details of the different operating system platforms and uses the appropriate system calls for each platform.
Apache httpd depends on APR; httpd-2.4 requires APR 1.4 or later.
(B) Compiling and installing httpd-2.4 from source on CentOS 7
(1) Preparation:
Install the development package group:
yum groupinstall "development tools"
Install the required development packages:
yum install apr-devel apr-util-devel pcre-devel openssl-devel
Download the source package and extract it:
tar xvf httpd-2.4.27.tar.bz2 -C /usr/local/src
(2) Compiling and installing
Enter the extracted source directory:
cd /usr/local/src/httpd-2.4.27/
Check the build environment and generate the Makefile:
./configure --prefix=/app/httpd24 --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-zlib --with-pcre --enable-modules=most --enable-mpms-shared=all --with-mpm=prefork
Compile and install:
make -j 4 && make install
(3) Post-install configuration
Create the system account apache:
useradd -r -d /app/httpd24/htdocs/ -s /sbin/nologin apache
Change the user and group that httpd runs as:
vim /app/httpd24/conf/httpd.conf
User apache
Group apache
- Add to the PATH environment variable:
vim /etc/profile.d/httpd24.sh
PATH=/app/httpd24/bin:$PATH
. /etc/profile.d/httpd24.sh
- Start the httpd service at boot:
vim /etc/rc.d/rc.local
/app/httpd24/bin/apachectl start
chmod +x /etc/rc.d/rc.local
- Start the httpd service:
apachectl start
(C) Compiling and installing httpd-2.4 from source on CentOS 6 (method 1)
(1) Preparation:
- Install the development package group and the related development packages:
yum groupinstall "development tools"
yum install pcre-devel openssl-devel expat-devel
- Download apr and apr-util (version 1.4 or later) and the httpd 2.4 source packages, and extract them:
tar xvf apr-1.6.2.tar.gz -C /usr/local/src/
tar xvf apr-util-1.6.0.tar.gz -C /usr/local/src/
tar xvf httpd-2.4.27.tar.bz2 -C /usr/local/src/
(2) Compile and install apr
Enter the extracted source directory:
cd /usr/local/src/apr-1.6.2/
Check the build environment and generate the Makefile:
./configure --prefix=/app/apr
- Compile and install:
make && make install
(3) Compile and install apr-util
Enter the extracted source directory:
cd /usr/local/src/apr-util-1.6.0/
Check the build environment and generate the Makefile:
./configure --prefix=/app/apr-util --with-apr=/app/apr
- Compile and install:
make && make install
(4) Compile and install httpd-2.4
Add the system account apache:
useradd -r -d /app/website -s /sbin/nologin apache
Enter the extracted source directory:
cd /usr/local/src/httpd-2.4.27/
Check the build environment and generate the Makefile:
./configure --prefix=/app/httpd24 --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-zlib --with-pcre --with-apr=/app/apr/ --with-apr-util=/app/apr-util/ --enable-modules=most --enable-mpms-shared=all --with-mpm=prefork
- Compile and install:
make -j 4 && make install
(5) Post-install configuration
- Change the user and group that httpd runs as, and change the document root:
vim /app/httpd24/conf/httpd.conf
User apache // modified line
Group apache // modified line
DocumentRoot "/app/website" // modified line
<Directory "/app/website"> // modified line
mkdir /app/website
- Add to the PATH environment variable:
vim /etc/profile.d/httpd24.sh
PATH=/app/httpd24/bin:$PATH
. /etc/profile.d/httpd24.sh
- Write the service script and enable it at boot:
scp /etc/init.d/httpd 192.168.136.129:/etc/init.d/httpd24 // adapt it from the httpd-2.2 service script
vim /etc/init.d/httpd24
apachectl=/app/httpd24/bin/apachectl // modified line
httpd=${HTTPD-/app/httpd24/bin/httpd} // modified line
pidfile=${PIDFILE-/app/httpd24/logs/httpd.pid} // modified line
lockfile=${LOCKFILE-/var/lock/subsys/httpd24} // modified line
chkconfig --add httpd24
chkconfig httpd24 on
service httpd24 start
echo "/app/website/index.html" > /app/website/index.html
(6) Test
curl 192.168.136.129
(D) Compiling and installing httpd-2.4 from source on CentOS 6 (method 2)
Method 2 differs from method 1 only in the compile-and-install step; the preparation and the post-install configuration are the same as in method 1.
Method 2 build process: compile httpd together with its apr and apr-util dependencies in one go
// copy the apr and apr-util source directories into the srclib subdirectory of the httpd source tree; note that they must be renamed
cd /usr/local/src/
cp -r apr-1.6.2/ httpd-2.4.27/srclib/apr
cp -r apr-util-1.6.0/ httpd-2.4.27/srclib/apr-util
// when running the configure script there is no need to specify the apr and apr-util install paths; use --with-included-apr instead
cd httpd-2.4.27/
./configure --prefix=/app/httpd24 --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-zlib --with-pcre --with-included-apr --enable-modules=most --enable-mpms-shared=all --with-mpm=prefork
make -j 4 && make install