httpd
提供web服務的軟件apache
官網:http://httpd.apache.org/
yum install httpd
一、Rpm安裝程序環境:
1、配置文件:
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/*.conf
2、模塊相關的配置文件:(配置文件模塊化)
/etc/httpd/conf.modules.d/*.conf
3、systemdunit file:
/usr/lib/systemd/system/httpd.service
4、主程序文件:
/usr/sbin/httpd
httpd-2.4支持MPM的動態切換
5、日誌文件:
/var/log/httpd
access_log:訪問日誌
error_log:錯誤日誌
6、站點文檔:
/var/www/html
7、模塊文件路徑:
/usr/lib64/httpd/modules
8、服務控制:
systemctl enable|disable httpd.service
systemctl{start|stop|restart|status} httpd.service
二、主配置文件
/etc/httpd/conf/httpd.conf:
-
[root@centos7-7 conf]#cp httpd.conf{,.origin} 最好複製一份,以免誤刪改
-
配置文件中格式:Directive Value (指令+加值)指令首字母大寫(路徑需注意大小寫)
[root@centos7-7 ~]#vim /etc/httpd/conf/httpd.conf
....
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used. If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/etc/httpd"(應用程序的基準目錄,所有設置相對路徑的起始位置)
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80 (監聽的套接字,使用所有的IP的80端口)
Listen 172.20.0.61:8080 (可指定IP地址及端口)
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
Include conf.modules.d/*.conf (配置文件模塊化的組成部分,相對路徑)
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User apache (以哪個用戶身份運行當前程序,ps aux可查看)
Group apache
三、MPM工作模式
•prefork:多進程I/O模型,每個進程響應一個請求,默認模型
一個主進程:生成和回收n個子進程,創建套接字,不響應請求
多個子進程:工作work進程,每個子進程處理一個請求;系統初始時,預
先生成多個空閒進程,等待請求,最大不超過1024個
prefork的默認配置:
StartServers8
MinSpareServers5
MaxSpareServers20
ServerLimit256 最多進程數,最大20000
MaxClients256 最大併發
MaxRequestsPerChild4000 子進程最多能處理的請求數量。在處理MaxRequestsPerChild個請求之後,子進程將會被父進程終止,這時候子進程佔用的內存就會釋放(爲0時永遠不釋放)
•worker:複用的多進程I/O模型,多進程多線程,IIS使用此模型
一個主進程:生成m個子進程,每個子進程負責生個n個線程,每個線程響
應一個請求,併發響應請求:m*n
worker的默認配置:
StartServers4
MaxClients300
MinSpareThreads25
MaxSpareThreads75
ThreadsPerChild25
MaxRequestsPerChild0 無限制
•event:事件驅動模型(worker模型的變種)
一個主進程:生成m個子進程,每個進程直接響應n個請求,併發響應請求
:m*n,有專門的線程來管理這些keep-alive類型的線程,當有真實請求時
,將請求傳遞給服務線程,執行完畢後,又允許釋放。這樣增強了高併發
場景下的請求處理能力
(最大連接併發數MaxRequestWorkers/ThreadsPerChild應小於等於ServerLimit)
使用event 系統必須支持事件驅動機制
epoll -Linux
kqueue -BSD
event ports -Solaris
/etc/httpd/conf.modules.d/00-mpm.conf
[root@centos7-7 ~]#cd /etc/httpd/conf.modules.d/
[root@centos7-7 conf.modules.d]#ls (00,01文件名前面數字是啓動順序,因爲存在依賴關係,模塊不適用,更改後綴即可)
00-base.conf 00-dav.conf 00-lua.conf 00-mpm.conf 00-proxy.conf 00-systemd.conf 01-cgi.conf
[root@centos7-7 conf.modules.d]#vim 00-mpm.conf
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:
# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so (默認開啓prefork:預生成)
# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See: http://httpd.apache.org/docs/2.4/mod/worker.html
#
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
(切換注意需重啓纔可生效,生產用利用排幹,灰度方式替換)
# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See: http://httpd.apache.org/docs/2.4/mod/event.html
#
#LoadModule mpm_event_module modules/mod_mpm_event.so
可直接在此配置文件中自定義相應模塊的參數(注意不能混搭,如prefork寫worker參數)
StartServers8
MinSpareServers5
MaxSpareServers20
ServerLimit256
MaxClients256
MaxRequestsPerChild4000
httpd 選項
httpd -M 可查看啓用的模塊
httpd -t 檢查語法
httpd -l 查看靜態模塊(編譯進去的模塊)
httpd -L 列出所有可用的模塊
四、httpd上主機主要需定義的參數
1、ServerName:主機名,以標識當前主機
2、DocumentRoot:url的根,映射到本地文件系統的路徑 /path/to/somedir
3、對路徑/path/to/somedir下的網頁文件,定義,允許那些人訪問,不允許哪些人訪問,怎麼能夠被訪問,做屬性設定
4、Require:更加精細訪問設置 (-59512)
<Directory "">
Require all granted 所有人可訪問
Require user dadda 只允許dadda訪問
Require 192.168 只允許192.168.0.0網段訪問
</Directory>
<File ""> 指定文件
</File>
<DirectoryMatch "">支持正則表達式
</DiretoryMatch>
<Location " ">url路徑 LocationMatch也支持正則表達式,但是不建議用,會降低性能
</Location " ">
etc/httpd/conf/httpd.conf
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
ServerName centos7.dushan.com:80(互聯網名稱DNS解析到當前的主機名)
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
AllowOverride none
Require all denied /直接訪問拒絕,不允許任何人更改,只允許訪問documentroot即可
</Directory>
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html" 真正訪問的頁面
#
# Relax access to content within /var/www.
<Directory "/var/www">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
# Further relax access to the default document root:
<Directory "/var/www/html"> 以下定義訪問/var/www/html規則
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks 訪問網頁時時如何響應,默認鏈接index.html文件,可改爲none
(刪除Indexes 則顯示被拒 注:當沒有index.html文件時)
(刪除FollowSymLinks,則不允許鏈接源文件)
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None 是否允許對應的配置文件覆蓋
#
# Controls who can get stuff from this server.
#
Require all granted
(Require可以做更爲精細設置,Require user和Require ip給出以後就算設置了白名單,其他的則被拒絕)
(若引用Require not,需配合<RequireAll>使用)
...
五、基於用戶的訪問控制
不建議基於ip地址的認證,雖然高效,但是靈活性極差,並且很容易被僞裝
• 認證質詢:WWW-Authenticate:響應碼爲401,拒絕客戶端請求,並說明要求
客戶端提供賬號和密碼
• 認證:Authorization:客戶端用戶填入賬號和密碼後再次發送請求報文;認證
通過時,則服務器發送響應的資源
• 認證方式兩種:
basic:明文
digest:消息摘要認證,兼容性差
• 安全域:需要用戶認證後方能訪問的路徑;應該通過名稱對其進行標識,以便
於告知用戶認證的原因
定義安全域格式:
<Directory “/path">
Options None
AllowOverride None 是否允許覆蓋
AuthType Basic 認證類型
AuthName "String" 認證提示,"string"內容自行修改
AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE" 認證密碼文件路徑,通過htpasswd生成
Require user username 允許的用戶
</Directory>
Require valid-user 允許賬號文件中的所有用戶登錄訪問
AuthGroupFile "/etc/httpd/conf/.htgroup" 創建組用戶文件訪問(需手動創建)
vim /etc/httpd/conf/.htgroup
(編輯內容disney: tom jerry)
Require group disney
• 用戶的賬號和密碼
虛擬賬號:僅用於訪問某服務時用到的認證標識
存儲:文本文件,SQL數據庫,ldap目錄存儲,nis等
提供賬號和密碼存儲(文本文件)
使用專用命令完成此類文件的創建及用戶管理
htpasswd [options] /PATH/HTTPD_PASSWD_FILE username
-c 自動創建文件,僅應該在文件不存在時使用
-p 明文密碼
-d CRYPT格式加密,默認
-m md5格式加密
-s sha格式加密
-D 刪除指定用戶,或直接刪除文件
-b 使用命令行直接添加密碼
構建實驗
[root@centos7-7 ~]#vim /etc/httpd/conf/httpd.conf
...
# Further relax access to the default document root:
<Directory "/var/www/html">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options none (none爲/var/www/html/下,無index.html文件則拒絕訪問)
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
<Directory "/var/www/html/admin">
Options Indexes
AllowOverride none
AuthType basic
AuthName "some private area..."
AuthUserFile "/etc/httpd/conf/.htpasswd"
Require user tom
</Directory>
...
[root@centos7-7 ~]#htpasswd -b -c -m /etc/httpd/conf/.htpasswd tom dushan 創建tom用戶設置密碼dushan
Adding password for user tom
[root@centos7-7 ~]#htpasswd -b -m /etc/httpd/conf/.htpasswd jerry shandu 第二次注意不需添加-c選項
Adding password for user jerry
[root@centos7-7 ~]#tail /etc/httpd/conf/.htpasswd
tom:$apr1$aX9.XL42$dzjpLk5MB5ivprfjiY/1D0
jerry:$apr1$E21f3YMg$TTaviG84A8bzaQXxwsGK01
[root@centos7-7 ~]#cd /var/www/html/
[root@centos7-7 html]#mkdir admin
[root@centos7-7 html]#cp index.html.origin /var/www/html/admin/admin.html
瀏覽器瀏覽http://192.168.32.7/admin/admin.html輸入用戶名及密碼即可訪問
六、定義路徑別名
訪問不是DocumentRoot子路徑下的html頁面則需設置別名
[root@centos7-7 ~]#cd /app
[root@centos7-7 app]#cp /var/www/html/index.html /app/biemiing/
[root@centos7-7 bbs]#cat >index.html<<EOF
> This is /app/bieming/index.html !!!
> EOF
[root@centos7-7 bbs]#vim /etc/httpd/conf/httpd.conf
...
Alias /bieming/ /app/bieming/
<Directory "/app/bieming/">
Options none
AllowOverride none
Require all granted
</Directory>
...
[root@centos7-7 ~]#httpd -t
Syntax OK
[root@centos7-7 ~]#systemctl restart httpd
瀏覽器訪問http://192.168.32.7/bieming/ 顯示/app/bieming/index.html內容及成功
注意:/var/www/html路徑下(document路徑下若文件夾有和Alias重名的,優先顯示Alias頁面)
七、日誌文件
/var/log/httpd/access_log
訪問日誌
[root@centos7-7 ~]#tail /var/log/httpd/access_log
···
192.168.32.1 - - [18/Oct/2018:07:03:00 +0800] "GET /bbs/ HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64;
1 2 3 4 5 6 7
···
1.哪個客戶端
2.時間
3.請求報文的起始行(方法:GET,請求/bbs/這個URL,基於hTTP/1.1版本)
4.響應碼
5.響應內容長度
6.表示從什麼位置跳轉來的
7.用戶代理
/var/log/httpd/error_log
錯誤日誌
[root@centos7-7 ~]#tail /var/log/httpd/error_log
···
[Thu Oct 18 07:00:24.356714 2018] [lbmethod_heartbeat:notice] [pid 4114] AH02282: No slotmem from mod_heartmonitor
1 2 3 4
···
1.時間
2.加載的模塊
3.進程
4.哪裏出的問題
定義日誌格式:LogFormat format strings
LogFormat "%h %l %u %{%Y-%m-%d %H:%M:%S}t \"%r\" %>s %b
\"%{Referer}i\" \"%{User-Agent}i\"" testlog
•使用日誌格式:
CustomLog logs/access_log testlog
參考幫助:http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
•%h 客戶端IP地址
•%l 遠程用戶,啓用mod_ident纔有效,通常爲減號“-”
•%u 驗證(basic,digest)遠程用戶,非登錄訪問時,爲一個減號“-”
•%t 服務器收到請求時的時間
•%r First line of request,即表示請求報文的首行;記錄了此次請求的“
方法”,“URL”以及協議版本
•%>s 響應狀態碼
•%b 響應報文的大小,單位是字節;不包括響應報文http首部
•%{Referer}i 請求報文中首部“referer”的值;即從哪個頁面中的超鏈
接跳轉至當前頁面的
•%{User-Agent}i 請求報文中首部“User-Agent”的值;即發出請求的
應用程序,瀏覽器型號
[root@centos7-7 ~]#vim /etc/httpd/conf/httpd.conf
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined 系統第一種格式 ,需引號注意轉譯\
LogFormat "%h %l %u %t \"%r\" %>s %b" common 系統第二種格式
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common (兩種格式可切換)
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog "logs/access_log" combined (默認啓用)
</IfModule>
...
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log" 錯誤日誌路徑
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn 錯誤日誌級別
八、虛擬主機
-
站點標識: socket
IP相同,但端口不同
IP不同,但端口均爲默認端口
FQDN不同: 請求報文中首部 Host: www.baidu.com -
有三種實現方案:
基於ip:爲每個虛擬主機準備至少一個ip地址
基於port:爲每個虛擬主機使用至少一個獨立的port
基於FQDN:爲每個虛擬主機使用至少一個FQDN
!!!注意:一般虛擬機不要與main主機混用;因此,要使用虛擬主機,
一般先禁用main主機
禁用方法:註釋中心主機的DocumentRoot指令即可!!!
虛擬主機的配置方法:
<VirtualHost IP:PORT>
ServerName FQDN
DocumentRoot “/path"
</VirtualHost>
建議:上述配置存放在獨立的配置文件中 /etc/httpd/conf.d/子配置文件中
•其它可用指令:
ServerAlias:虛擬主機的別名;可多次使用
ErrorLog: 錯誤日誌
CustomLog:訪問日誌
<Directory “/path">
</Directory>
Alias
基於IP的虛擬主機示例:
<VirtualHost 172.16.100.6:80>
ServerName www.a.com
DocumentRoot "/www/a.com/htdocs"
</VirtualHost>
<VirtualHost 172.16.100.7:80>
ServerName www.b.net
DocumentRoot "/www/b.net/htdocs"
</VirtualHost>
<VirtualHost 172.16.100.8:80>
ServerName www.c.org
DocumentRoot "/www/c.org/htdocs"
</VirtualHost>
基於端口的虛擬主機:可和基於IP的虛擬主機混和使用
listen 808
listen 8080
<VirtualHost 172.16.100.6:80>
ServerName www.a.com
DocumentRoot "/www/a.com/htdocs"
</VirtualHost>
<VirtualHost 172.16.100.6:808>
ServerName www.b.net
DocumentRoot "/www/b.net/htdocs"
</VirtualHost>
<VirtualHost 172.16.100.6:8080>
ServerName www.c.org
DocumentRoot "/www/c.org/htdocs"
</VirtualHost>
基於FQDN的虛擬主機:http2.2版本需添加一句 NameVirtualHost *:80
NameVirtualHost *:80 httpd2.4不需要此指令
<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/www/a.com/htdocs"
</VirtualHost>
<VirtualHost *:80>
ServerName www.b.net
DocumentRoot "/www/b.net/htdocs"
</VirtualHost>
<VirtualHost *:80>
ServerName www.c.org
DocumentRoot "/www/c.org/htdocs"
</VirtualHost>
構建實驗
[root@centos7-7 ~]#cd /etc/httpd
[root@centos7-7 httpd]#ls
conf conf.d conf.modules.d logs modules run
[root@centos7-7 httpd]#vim conf.d/www.conf
<VirtualHost 192.168.32.7:80>
ServerName www.dushan.com
DocumentRoot "/vhosts/www/htdocs"
<Direcotry "/vhosts/www/htdocs">
Options none
AllowOverride none
Require all Granted
</Directory>
ErrorLog "/vhosts/logs/www_access_log"
CustomLog "/vhosts/logs/www_error_log" combined
</VirtualHost>
[root@centos7-7 httpd]#cp conf.d/www.conf conf.d/bbs.conf
[root@centos7-7 httpd]#vim conf.d/bbs.conf
<VirtualHost 192.168.32.77:80>
ServerName bbs.dushan.com
DocumentRoot "/vhosts/bbs/htdocs"
<Direcotry "/vhosts/bbs/htdocs">
Options none
AllowOverride none
Require all Granted
</Directory>
CustomLog "/vhosts/logs/bbs_error_log" combined(指定格式)
ErrorLog "/vhosts/logs/bbs_access_log"
</VirtualHost>
[root@centos7-7 httpd]#mkdir -pv /vhosts/{www,bbs}/htdocs /vhosts/logs
[root@centos7-7 httpd]#vim /vhosts/bbs/htdocs/index.html
/vhost/bbs/htdocs/index.html
[root@centos7-7 httpd]#vim /vhosts/www/htdocs/index.html
/vhosts/www/htdocs/index.html
[root@centos7-7 httpd]#ifconfig eth0:1 192.168.32.77/24 up
[root@centos7-7 httpd]#systemctl restart httpd
構建實驗(只夠一個ip地址都使用80端口時,名字至關重要,不一樣就可以)
[root@centos7-7 httpd]#vim conf.d/www.conf
<VirtualHost *:80>
ServerName www.dushan.com 使用名字到達
ServerAlias wwws.dushan.com 也可設置別名,這樣兩個名字都可
DocumentRoot "/vhosts/www/htdocs"
<Direcotry "/vhosts/www/htdocs">
Options none
AllowOverride none
Require all Granted
</Directory>
CustomLog "/vhosts/logs/www_error_log" combined(指定格式)
ErrorLog "/vhosts/logs/www_access_log"
</VirtualHost>
[root@centos7-7 httpd]#vim conf.d/bbs.conf
<VirtualHost *:80>
ServerName bbs.dushan.com 設置名字
DocumentRoot "/vhosts/bbs/htdocs"
<Direcotry "/vhosts/bbs/htdocs">
Options none
AllowOverride none
Require all Granted
</Directory>
CustomLog "/vhosts/logs/bbs_error_log" combined(指定格式)
ErrorLog "/vhosts/logs/bbs_access_log"
[root@centos7-7 ~]#vim /etc/hosts
192.168.32.7 www.dushan.com wwws.dushan.com bbs.dushan.com
九、keepAlive 保持持久連接,以滿足上百個資源加載時提升性能
服務器負載很輕時可打開,服務器負載較重時注意關閉。
KeepAlive on下包含兩個方面:
1、KeepAliveTimeout #ms 保持連接超時時長
2、MaxKeepAliveRequests 100 最大併發請求數量
兩者同時生效,哪個先到達,遵循哪個
[root@centos7-7 ~]# vim /etc/httpd/conf/httpd.conf
...
KeepAlive on
KeepAlive Timeout 10s
MaxKeepAliveRequests 100
[root@centos7-7 ~]#httpd -t
Syntax OK
[root@centos7-7 ~]#!sys
systemctl restart httpd
十、mod_deflate 模塊
1、使用mod_deflate模塊壓縮頁面優化傳輸速度
2、適用場景:
(1) 節約帶寬,額外消耗CPU;同時,可能有些較老瀏覽器不支持。
(2) 壓縮適於壓縮的資源,例如文本文件
LoadModule deflate_module modules/mod_deflate.so 裝載模塊
SetOutputFilter DEFLATE 利用過濾器指定哪些類型
類型:
# Restrict compression to these MIME types
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
3、Level of compression (Highest 9 - Lowest 1) 設定壓縮比DeflateCompressionLevel 9
指定命令
4、排除特定舊版本的瀏覽器,不支持壓縮
1)Netscape 4.x 只壓縮text/html
BrowserMatch ^Mozilla/4 gzip-only-text/html
2)Netscape 4.06-08三個版本 不壓縮
BrowserMatch ^Mozilla/4\.0[678] no-gzip
3)Internet Explorer標識本身爲“Mozilla / 4”,但實際上是能夠處理請求的壓縮。
如果用戶代理首部匹配字符串“MSIE”(“B”爲單詞邊界”),就關閉之前定
義的限制
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
實驗環境
[root@centos7-7 ~]#httpd -M |grep deflate 查看是否加載
deflate_module (shared)
[root@centos7-7 ~]#vim /etc/httpd/conf.d/deflate.conf
SetOutputFilter DEFLATE
# Restrict compression to these MIME types
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
DeflateCompressionLevel 6
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
[root@centos7-7 ~]#httpd -t
Syntax OK
[root@centos7-7 ~]#!sys
systemctl restart httpd
[root@centos7-7 ~]#cp /var/log/messages /var/www/html/
admin/ index.html index.html.origin
[root@centos7-7 ~]#cp /var/log/messages /var/www/html/index.html
cp: overwrite ‘/var/www/html/index.html’? y
[root@centos7-7 ~]#ll /var/www/html/
total 1296
drwxr-xr-x 2 root root 24 Oct 19 12:33 admin
-rw-r--r-- 1 root root 1321814 Oct 19 22:03 index.html 注意權限,若無讀權限則apache用戶無法訪問chmod +r /var/www/html/index.html
十一、https
1、https:http over ssl 基於ssl的http
2、SSL會話的簡化過程
(1) 客戶端發送可供選擇的加密方式,並向服務器請求證書
(2) 服務器端發送證書以及選定的加密方式給客戶端
(3) 客戶端取得證書並進行證書驗證
如果信任給其發證書的CA
(a) 驗證證書來源的合法性;用CA的公鑰解密證書上數字簽名
(b) 驗證證書的內容的合法性:完整性驗證
(c) 檢查證書的有效期限
(d) 檢查證書是否被吊銷
(e) 證書中擁有者的名字,與訪問的目標主機要一致
(4) 客戶端生成臨時會話密鑰(對稱密鑰),並使用服務器端的公鑰加密此數據發送給服務器,完
成密鑰交換
(5) 服務用此密鑰加密用戶請求的資源,響應給客戶端
• 注意:SSL是基於IP地址實現,單IP的主機僅可以使用一個https虛擬主機
3、https實現
• (1) 爲服務器申請數字證書
測試:通過私建CA發證書
(a) 創建私有CA
(b) 在服務器創建證書籤署請求
(c) CA簽證
• (2) 配置httpd支持使用ssl,及使用的證書
yum -y install mod_ssl
配置文件:/etc/httpd/conf.d/ssl.conf
DocumentRoot
ServerName
SSLCertificateFile
SSLCertificateKeyFile
• (3) 測試基於https訪問相應的主機
openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
實驗環境,直接生成一個祕鑰舉例
[root@centos7-7 ~]#cd /etc/httpd
[root@centos7-7 httpd]#ls
conf conf.d conf.modules.d logs modules run
[root@centos7-7 httpd]#mkdir ssl
[root@centos7-7 httpd]#cd ssl/
[root@centos7-7 ssl]#(umask 077; openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
......................................................................................................................+++
..................................+++
e is 65537 (0x10001)
[root@centos7-7 ssl]#ll
total 4
-rw------- 1 root root 1675 Oct 19 22:25 httpd.key
[root@centos7-7 ssl]#openssl req -new -x509 -key ./httpd.key -out httpd.crt -subj "/CN=www.dushan.com/0=dushan" -days 3650
[root@centos7-7 ssl]#yum install mod_ssl
[root@centos7-7 ssl]#cd /etc/httpd/conf.d/
[root@centos7-7 conf.d]#vim ssl.conf
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt 更改路徑
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key 更改路徑
十二、http重定向https
將http請求轉發至https的URL
-
重定向
Redirect [status] URL-path URL -
status狀態:
• Permanent: 返回永久重定向狀態碼 301
• Temp:返回臨時重定向狀態碼302. 此爲默認值
添加至配置文件結尾即可:
vim /etc/httpd/conf/httpd.conf 或 /etc/httpd/conf.d/*.conf
Redirect temp / https://www.dushan.com/