+++++++httpd-2.4基础特性及SSL,访问控制,MPM[DSO],status
HTTP基本特性
- 0.9
文本,method - 1.0
非持久, method,mime,弱缓存 - 1.1
持久 - 2.0mime, method,
引入spdy优势,缓存加强 2.4较2.2新特性:
1、 MPM
非编译为核心: httpd -M查看2、 event在2.4
生产环境3、 支持
毫秒级别的保持连接(KeepAlive Off KeepAliveTimeout 0.01?)4、 虚拟主机直接配置,不需要(#NameVirtualHost *:80)
5、
async IO(由内核决定什么时候写入磁盘: async)6、 每个模块及每个目录各自独立的日志级别
7、 每请求配置;
8、 增强版的表达式分析器;正则表达式解析速度更快
9、 配置文件中自定义变量
2.4引入模块
mod_proxy_fcgi //httpd以cgi协议与php结合mod_ratelimit //支持速率限制mod_remoteip //远端ip地址的控制
2.4修改配置机制
访问控制指令变化:Order, Deny from, Allow from --><RequireAll>Require [not] ip|hostRequire all grantedRequire all deny</RequireAll>
安装httpd-2.4
httpd2.4依赖:apr-1.4+, apr-util-1.4+, [apr-icon]
- apr
apache portable[环境] runtime[运行]不同OS平台提供的库接口不同,只有调用POSIX规范的库才能跨平台编译,apr运行环境能将库的不同的差异给抹除[即使开发调用的库不支持POSIX规范也能跨平台运行],就能实现不同OS平台运行httpd程序。
CentOS 6安装编译安装httpd-2.4
CentOS 6默认的apr, apr-util程序的版本:1.3,需要编译安装httpd-2.4。
不建议在CentOS 6上使用httpd-2.4,对大规模布署不方便,除非自己定制RPM包。
开发环境
# yum -y groupinstall "Development Tools" "Server Platform Development"
获取源码ASF
apr-1.6.2.tar.bz2
apr-util-1.6.0.tar.gz
httpd-2.4.27.tar.bz2
编译apr-1.4+
# tar xf apr-1.6.2.tar.bz2# ./configure --prefix=/usr/local/apr# make && make install(--prefix=安装路径,方便卸载,避免覆盖已有的程序)
编译apr-util-1.4+
# tar xf apr-util-1.6.0.tar.gz# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr/# make && make install(--with-<>=/path/to/somewhere: 针对于哪个包来安装)xml/apr_xml.c
19: error: expat.h: No such file or directoryxml/apr_xml.c
error: expected specifier-qualifier-list before ‘XML_Parser’# yum -y install expat-devel**注意如果出现错误,需要在安装程序包后,删除apr-util-1.6.0目录,重新编译
编译httpd-2.4
确认安装目录内的文件位置
# ls /usr/local/httpd24/bin build cgi-bin error htdocs icons include logs man manual modules
导出PATH环境变量
位置:[全局]
/etc/profile.d/*.sh, [个人]~/.bash_profile# vim /etc/profile.d/httpd24.shexport PATH=/usr/local/httpd24/bin:$PATH# . /etc/profile.d/httpd24.sh
导出库文件
位置:
/etc/ld.so.conf.d/*.conf# vim /etc/ld.so.conf.d/httpd24.conf/usr/local/httpd24/lib# ldconfig [-v]
导出头文件
位置:
/usr/include/NAME# ln -sv /usr/local/httpd24/include /usr/include/httpd24
导出man手册
位置:
/etc/man.conf# vim /etc/man.configMANPATH /usr/manMANPATH /usr/share/manMANPATH /usr/local/manMANPATH /usr/local/share/manMANPATH /usr/X11R6/manMANPATH /usr/local/httpd24/man //添加的条目
添加用户apache
* 如果已经存在apache用户,则不用添加...# groupadd -r apache# useradd -r -g apache apache
安装依赖
# yum -y install pcre-devel
编译
# tar xf httpd-2.4.27.tar.bz2# ./configure --prefix=/usr/local/httpd24 --sysconfdir=/etc/httpd24 --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-pcre --with-zlib --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --enable-modules=most --enable-mpms-shared=all --with-mpm=event# make && make install--prefix: 安装路径。 方便卸载,避免覆盖已有的程序--with-<>: 针对于哪个包来安装--sysconfdir=<>: 避免覆盖,冲突--enable-so DSO机制--enable-ssl SSL--enable-rewrite URL重写--with-pcre Perl扩展正则表达式--with-zlib zlib提供多种压缩库,支持压缩传输--enable-modules DSO--enable-mpm-shared MPM DSO--with-mpm 默认的MPM
测试启动
查看80是否被占用,Socket会独占端口# ss -tnl启用服务# apachectl start# hash/usr/local/httpd24/bin/apachectl //确保启动是2.4httpd测试# iptables -F# setenforce 0
CentOS 7安装httpd-2.4
CentOS 7 默认安装httpd-2.4。
rpm安装
# yum -y install httpd
CentOS 7 对应配置文件
配置路径:
/etc/httpd/conf/httpd.conf/etc/httpd/conf.d/*.conf
欢迎页:
/etc/httpd/conf.d/welcome.conf
模块路径:
/etc/httpd/conf.modules.d/*.conf/usr/lib64/httpd/modules/mod_mpm_event|prefork|worker
httpd-2.4基本应用
MPM切换及查看
查看编译进核心的模块:
# httpd -l
查看动态装载的模块及编译进核心的模块:
# httpd -Mmpm_event_module (shared)
切换模块
备份配置:# cp -v /etc/httpd24/httpd.conf{,.bak}进入配置,注释event.so,起动prefork或worker:#LoadModule mpm_event_module modules/mod_mpm_event.soLoadModule mpm_prefork_module modules/mod_mpm_prefork.so#LoadModule mpm_worker_module modules/mod_mpm_worker.so退出配置后:# httpd -t# apachectl restart
查看模块
# httpd -Mmpm_prefork_module (shared)
虚拟主机
准备DocumentRoot及默认主页面
# mkdir -p /vhosts/www# echo "www.mykernel.cn" > /vhosts/www/index.html
添加配置
备份配置:# cp -v /etc/httpd24/extra/httpd-vhosts.conf{,.bak}仅在配置添加以下内容# vim /etc/httpd24/extra/httpd-vhosts.conf<VirtualHost *:80>ServerName www.mykernel.cnDocumentRoot /vhosts/wwwErrorLog logs/www.errCustomLog logs/www.access combined<Directory "/vhosts/www">Options NoneAllowOverride NoneRequire all granted</Directory><Location /server-status>SetHandler server-statusRequire all granted</Location>#ExtendedStatus On</VirtualHost>
测试并访问
# httpd -t# apachectl restart在windows的解析库中添加以下内容(C:\Windows\System32\drivers\etc)172.16.100.1 www.mykernel.cn
启用虚拟主机
# vim /etc/httpd24/httpd.conf注释中心主机#DocumentRoot "/usr/local/httpd24/htdocs"# Virtual hostsInclude /etc/httpd24/extra/httpd-vhosts.conf
- 配置虚拟主机
访问控制
本机127.0.0.1访问
安装文本协议浏览工具# yum -y install curl elinks telnet# curl 172.16.100.1www.mykernel.cn# elinks --dump http://172.16.100.1www.mykernel.cn# telnet 172.16.100.1 80Trying 172.16.100.1...Connected to 172.16.100.1.Escape character is '^]'.GET / HTTP/1.1Host: 172.16.100.1HTTP/1.1 200 OKDate: Sun, 10 Sep 2017 00:37:49 GMTServer: Apache/2.4.27 (Unix)Last-Modified: Sun, 10 Sep 2017 00:20:44 GMTETag: "10-558cac7f1211e"Accept-Ranges: bytesContent-Length: 16Content-Type: text/htmlwww.mykernel.cn
在配置文件中修改为禁止本机访问
# vim /etc/httpd24/extra/httpd-vhosts.conf<RequireAll>Require all grantedRequire not ip 172.16.100.1</RequireAll>
测试
# httpd -t# apachectl restart# curl -I 172.16.100.1HTTP/1.1 403 ForbiddenDate: Sun, 10 Sep 2017 00:45:04 GMTServer: Apache/2.4.27 (Unix)Content-Type: text/html; charset=iso-8859-1# elinks --dump 172.16.100.1ForbiddenYou don't have permission to access / on this server.# telnet 172.16.100.1 80Trying 172.16.100.1...Connected to 172.16.100.1.Escape character is '^]'.GET / HTTP/1.1Host: 172.16.100.1HTTP/1.1 403 ForbiddenDate: Sun, 10 Sep 2017 00:46:02 GMTServer: Apache/2.4.27 (Unix)Content-Length: 209Content-Type: text/html; charset=iso-8859-1<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /on this server.<br /></p></body></html>
mod_ssl
自建CA
# dir=/etc/pki/CA# touch $dir/index.txt# echo "01" > $dir/serial# (umask 077;openssl genrsa -out $dir/private/cakey.pem 2048)# openssl req -new -x509 -key $dir/private/cakey.pem -out $dir/cacert.pem -days 7300(SC, ChengDu, ChengDu, MageEdu Ltd, Ops, ca.mykernel.cn, caadmin@mykernel.cn)
生成请求
# mkdir /etc/httpd24/ssl && cd /etc/httpd24/ssl# (umask 077;openssl genrsa -out httpd.key 2048)# openssl req -new -key httpd.key -out httpd.csr -days 7300(SC, ChengDu, ChengDu, MageEdu Ltd, Ops, www.mykernel.cn, admin@mykernel.cn)
本机签署
# openssl ca -in httpd.csr -out $dir/certs/www.mykernel.cn.crt -days 365
获取证书
# cp -a /etc/pki/CA/certs/www.mykernel.cn.crt .
启用mod_ssl
# vim /etc/httpd24/httpd.confLoadModule ssl_module modules/mod_ssl.so //2.4默认不启用LoadModule socache_shmcb_module modules/mod_socache_shmcb.so# Secure (SSL/TLS) connectionsInclude /etc/httpd24/extra/httpd-ssl.conf
启用ssl虚拟主机
# cp -v /etc/httpd24/extra/httpd-ssl.conf{,.bak}# vim /etc/httpd24/extra/httpd-ssl.conf<VirtualHost *:443>DocumentRoot "/vhosts/www"ServerName www.mykernel.cnSSLCertificateFile "/etc/httpd24/ssl/www.mykernel.cn.crtSSLCertificateKeyFile "/etc/httpd24/ssl/httpd.key
测试语法
# httpd -t# apachectl restart //需要监听新的端口
测试ssl会话是否能建立
在Linux主机:在CA所在主机的/etc/hosts文件中添加如下行:172.16.100.1 www.mykernel.cn测试# openssl s_client -connect www.mykernel.cn:443 -CAfile /etc/pki/CA/cacert.pemCertificate chainServer certificatesubjectissuerNo client certificate CA names sentNew, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384Compression: NONEExpansion: NONESSL-Session: TLSv1.2在Windows主机:在windows的C:\Windows\System32\drivers\etc文件中添加172.16.100.1 www.mykernel.cn将CA证书[公钥]导入受信任的颁发机构,在浏览器中的输入:https://www.mykernel.cn即可访问
服务脚本
bash shell编程的资深专家,以rpm,为蓝本,修改修改即可
# cp -v /etc/rc.d/init.d/httpd{,24}
修改
# vim /etc/rc.d/init.d/httpd24apachectl=/usr/local/httpd24/bin/apachectlhttpd=${HTTPD-/usr/local/httpd24/bin/httpd}prog=httpdpidfile=${PIDFILE-/var/run/httpd/httpd24.pid}lockfile=${LOCKFILE-/var/lock/subsys/httpd24}# vim /etc/httpd24/httpd.confPidFile "/var/run/httpd/httpd24.pid"
测试使用
# chkconfig --add httpd24# killall httpd# service httpd24 {start|stop|restart|status}
#
本文转自 lccnx 51CTO博客,原文链接:http://blog.51cto.com/sonlich/1969602,如需转载请自行联系原作者
曾经终败给现在
Myth丶恋晨
今天药忘吃喽~
╰+攻爆jí腚メ
àì夳堔傛蜴生んèń
还没有评论,来说两句吧...