Common httpd Configuration
Contents
- Common httpd Configuration
- 3.1 Setting the server name
- 3.2 Showing server version information
- 3.3 Setting the listening IP and port
- 3.4 Persistent connections
- 3.5 DSO (Dynamic Shared Object) configuration
- 3.6 MPM (Multi-Processing Module) configuration
- 3.7 prefork mode settings
- 3.8 worker and event mode settings
- 3.9 Customizing the main server's document root
- 3.10 Defining the site index page
- 3.11 Resources that support access control
- 3.12 Per-directory access control
- 3.13 Access control by client IP address
- 3.14 Logging
- 3.15 Setting the default character set
- 3.16 Defining path aliases
- 3.18 User-based access control
- 3.19 Combining client-address and user authentication controls
- 3.20 Sharing user home directories over HTTP
- 3.21 Preventing version disclosure on error pages
- 3.22 Disabling the TRACE method
- 3.23 The status page
- 3.24 Multiple virtual hosts
- 3.25 Compression
- 3.26 Implementing HTTPS
- 3.27 URL redirection
- 3.28 Implementing HSTS
- 3.29 Forward and reverse proxies
- 3.30 The sendfile mechanism
3.1 Setting the server name
[root@centos8 ~]#httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain
name, using centos8.localdomain. Set the 'ServerName' directive globally to
suppress this message
Syntax OK
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
#ServerName www.example.com:80
servername www.magedu.org
[root@centos8 ~]#httpd -t
Syntax OK
3.2 Showing server version information
Directive: ServerTokens Major|Minor|Min[imal]|Prod|OS|Full
ServerTokens Major
Shows only the server's major version number in the response header
ServerTokens Minor
Shows the major and minor version numbers in the response header
ServerTokens Min[imal]
Shows the full version number in the response header
ServerTokens Prod
Shows only the server type (product name); this is the recommended value in production
ServerTokens OS
Shows the full version number and the operating system type
ServerTokens Full
Shows everything; this is the default when the directive is not set
3.3 Setting the listening IP and port
Directive: Listen [IP:]PORT
- 1. Omitting the IP means all IP addresses of this host
- 2. At least one Listen directive is required; it may appear several times
Listen 192.168.1.100:8080
Listen 80
3.4 Persistent connections
- Persistent Connection: once a resource has been fetched the connection is not closed; it stays open waiting for further requests. When not configured, persistent connections are off by default.
- Conditions for closing the connection:
  - time limit: in seconds, default 5s; httpd 2.4 also accepts millisecond values
  - side effect: on a server with heavy concurrent traffic, persistent connections can leave some requests unanswered
  - compromise: use a short persistent-connection timeout
- Directives for configuring persistent connections
KeepAlive On|Off
KeepAliveTimeOut 15 # keep the connection open for 15s; may be given in ms; default 5s
MaxKeepAliveRequests 500 # maximum number of requests accepted on one persistent connection; default 100
- Testing with the GET method over telnet
[root@webhost ~]# telnet 172.20.1.67 80
Trying 172.20.1.67...
Connected to 172.20.1.67.
Escape character is '^]'.
GET /index.html HTTP/1.1 # request line using the GET method
HOST:2.2.2.2
HTTP/1.1 200 OK
Date: Tue, 10 Dec 2019 13:01:05 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Fri, 06 Dec 2019 01:34:30 GMT
ETag: "5e-598ff0c1ecbee"
Accept-Ranges: bytes
Content-Length: 94
Content-Type: text/html; charset=UTF-8
<DOCTYPE html>
<head>
<p1>Hello There!</p1>
</head>
<body>
<a>A test message!!</a>
</body>
# the connection is not closed right after the HTML body is returned...
Connection closed by foreign host. # closed after 15 seconds with no further request
3.5 DSO (Dynamic Shared Object) configuration
- Dynamic Shared Object: modules are loaded dynamically, and a module configuration takes effect without a restart
  Dynamic modules live under /usr/lib64/httpd/modules/
- First, the main configuration file /etc/httpd/conf/httpd.conf specifies where the module configuration files are loaded from:
ServerRoot "/etc/httpd"
Include conf.modules.d/*.conf
- Then add the configuration file and directives for a particular module under /etc/httpd/conf.modules.d/
  The module file path may be relative, in which case it is taken relative to ServerRoot (default /etc/httpd)
LoadModule <mod_name> <mod_path>
- Example: list some module configuration files and check which modules are loaded
# which module configuration files exist by default
[root@webhost ~]# ls -l /etc/httpd/conf.modules.d/
total 28
-rw-r--r-- 1 root root 3739 Aug 6 21:44 00-base.conf
-rw-r--r-- 1 root root 139 Aug 6 21:44 00-dav.conf
-rw-r--r-- 1 root root 41 Aug 6 21:44 00-lua.conf
-rw-r--r-- 1 root root 742 Aug 6 21:44 00-mpm.conf
-rw-r--r-- 1 root root 957 Aug 6 21:44 00-proxy.conf
-rw-r--r-- 1 root root 88 Aug 6 21:44 00-systemd.conf
-rw-r--r-- 1 root root 451 Aug 6 21:44 01-cgi.conf
# the modules httpd normally loads
[root@webhost ~]# cat /etc/httpd/conf.modules.d/00-base.conf
#
# This file loads most of the modules included with the Apache HTTP
# Server itself.
#
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_socache_module modules/mod_authn_socache.so
......
# statically compiled modules
[root@webhost ~]# httpd -l
Compiled in modules:
core.c
mod_so.c
http_core.c
# statically compiled and dynamically loaded modules together
[root@webhost ~]# httpd -M
autoindex_module (shared)
cache_module (shared)
cache_disk_module (shared)
data_module (shared)
dbd_module (shared)
deflate_module (shared)
dir_module (shared)
dumpio_module (shared)
echo_module (shared)
env_module (shared)
expires_module (shared)
ext_filter_module (shared)
filter_module (shared)
headers_module (shared)
include_module (shared)
info_module (shared)
log_config_module (shared)
.......
3.6 MPM (Multi-Processing Module) configuration
- The MPM (Multi-Processing Module) lets httpd run in one of three modes: prefork, worker, event
  Each mode is provided by its own MPM module; the configuration file is /etc/httpd/conf.modules.d/00-mpm.conf
[root@webhost ~]# cat /etc/httpd/conf.modules.d/00-mpm.conf
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:
# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See: http://httpd.apache.org/docs/2.4/mod/worker.html
#
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See: http://httpd.apache.org/docs/2.4/mod/event.html
#
#LoadModule mpm_event_module modules/mod_mpm_event.so
- CentOS 7 currently defaults to prefork mode. Enable the LoadModule line of the MPM you want; the other two must be commented out with a leading #
- Note: do not enable more than one MPM module at the same time, otherwise an error like the following appears
AH00534: httpd: Configuration error: More than one MPM loaded.
- Check the default MPM mode and switch to worker mode
[root@webhost ~]# httpd -M |grep mpm
mpm_prefork_module (shared)
[root@webhost ~]# vim /etc/httpd/conf.modules.d/00-mpm.conf
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:
# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
######## comment out the line below
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See: http://httpd.apache.org/docs/2.4/mod/worker.html
#
######## uncomment the line below
LoadModule mpm_worker_module modules/mod_mpm_worker.so
# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See: http://httpd.apache.org/docs/2.4/mod/event.html
#
#LoadModule mpm_event_module modules/mod_mpm_event.so
[root@webhost ~]# systemctl restart httpd
[root@webhost ~]# httpd -M | grep mpm
mpm_worker_module (shared)
3.7 prefork mode settings
StartServers 2000
MinSpareServers 2000
MaxSpareServers 2000
ServerLimit 2560 # maximum number of processes; upper limit 20000
MaxRequestWorkers 2560 # maximum number of concurrent connections; default 256
MaxRequestsPerChild 4000 # replaced by MaxConnectionsPerChild since httpd 2.3.9
MaxConnectionsPerChild 4000 # maximum number of requests a child process handles; after that many requests the child is terminated by the parent and the memory it used is released (0 means never)
3.8 worker and event mode settings
ServerLimit 16
StartServers 2
MaxRequestWorkers 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
# configuration example
[root@webhost ~]#vim /etc/httpd/conf.d/custom.conf
ServerLimit 24
StartServers 12
[root@webhost ~]# ps aux | grep /usr/sbin/httpd -w
root 16094 0.1 0.3 230716 5532 ? Ss 21:40 0:00 /usr/sbin/httpd -DFOREGROUND
apache 16095 0.0 0.1 230340 2980 ? S 21:40 0:00 /usr/sbin/httpd -DFOREGROUND
apache 16096 0.0 0.2 517544 3488 ? Sl 21:40 0:00 /usr/sbin/httpd -DFOREGROUND
apache 16097 0.0 0.2 517544 3488 ? Sl 21:40 0:00 /usr/sbin/httpd -DFOREGROUND
apache 16098 0.0 0.2 517544 3492 ? Sl 21:40 0:00 /usr/sbin/httpd -DFOREGROUND
apache 16099 0.0 0.2 517544 3492 ? Sl 21:40 0:00 /usr/sbin/httpd -DFOREGROUND
apache 16100 0.0 0.2 517544 3492 ? Sl 21:40 0:00 /usr/sbin/httpd -DFOREGROUND
apache 16101 0.0 0.2 517544 3492 ? Sl 21:40 0:00 /usr/sbin/httpd -DFOREGROUND
apache 16102 0.0 0.2 517544 3488 ? Sl 21:40 0:00 /usr/sbin/httpd -DFOREGROUND
apache 16103 0.0 0.2 517544 3488 ? Sl 21:40 0:00 /usr/sbin/httpd -DFOREGROUND
apache 16105 0.0 0.2 517544 3488 ? Sl 21:40 0:00 /usr/sbin/httpd -DFOREGROUND
apache 16107 0.0 0.2 517544 3492 ? Sl 21:40 0:00 /usr/sbin/httpd -DFOREGROUND
root 16437 0.0 0.0 112712 1000 pts/2 R+ 21:41 0:00 grep --color=auto /usr/sbin/httpd -w # the grep itself, not an httpd process
[root@webhost ~]# ps aux | grep /usr/sbin/httpd -w | wc -l
13
3.9 Customizing the main server's document root
- The path DocumentRoot points to is the starting point of URL paths
  /path must be explicitly authorized before it can be accessed
DocumentRoot "/path"
<directory /path>
Require all granted
</directory>
- For example:
[root@webhost ~]#vim /etc/httpd/conf.d/custom.conf
DocumentRoot "/data/html"
<directory /data/html>
Require all granted
</directory>
[root@webhost ~]# httpd -t
Syntax OK
[root@webhost ~]# systemctl restart httpd
[root@webhost ~]# echo Hello,apache. > /data/html/index.html
[root@webhost ~]# curl 172.20.1.67
Hello,apache.
3.10 Defining the site index page
DirectoryIndex index.php index.html
3.11 Resources that support access control
Access control can be applied to file-system resources and to URI resources.
File-system paths:
# by directory
<Directory "/path">
...
</Directory>
# by file
<Files "/path/file">
...
</Files>
# by regular expression
<FilesMatch "regex">
...
</FilesMatch>
Example:
# files ending in .gif, .jpg, .jpeg or .png
<FilesMatch ".+\.(gif|jpe?g|png)$">
# ...
</FilesMatch>
URL paths:
# the URL here is the path part of the URI
<Location "URL">
...
</Location>
<LocationMatch "regex">
...
</LocationMatch>
Example 1:
# matches /private1, /private1/ and /private1/file.txt
# does not match /private1other
<Location "/private1">
# ...
</Location>
# matches /private2/ and /private2/file.txt
# does not match /private2 or /private2other
<Location "/private2/">
# ...
</Location>
Example 2:
<Location /status>
# ...
</Location>
<LocationMatch "/(extra|special)/data">
# ...
</LocationMatch>
3.12 Per-directory access control
[1] The Options directive
Followed by one or more whitespace-separated options; a + or - in front of an option adds or removes that option
Common options:
- Indexes: when the requested URL path contains no file matching the defined index page, return a directory listing to the user
- FollowSymLinks: allow access to the file a symbolic link points to
- None: disable all options
- All: enable all options
// if there is no index.html in this directory
[root@centos7 ~]# ll /var/www/html/
total 0
-------------------------------------
// the service falls back to the default welcome page defined in welcome.conf
[root@centos7 ~]# ll /etc/httpd/conf.d/
total 16
-rw-r--r-- 1 root root 2926 Aug 8 19:41 autoindex.conf
-rw-r--r-- 1 root root 366 Aug 8 19:42 README
-rw-r--r-- 1 root root 1252 Aug 6 21:44 userdir.conf
-rw-r--r-- 1 root root 824 Dec 11 15:00 welcome.conf
- Browse to 192.168.26.17
// once we create a directory under /var/www/html/ and files inside it, they are visible on the site
[root@centos7 ~]# mkdir /var/www/html/test
[root@centos7 ~]# touch /var/www/html/test/f1.txt
[root@centos7 ~]# touch /var/www/html/test/f2.txt
- Browse to 192.168.26.17/test/
// create and edit the configuration file
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf
<directory /var/www/html/test>
options -indexes
</directory>
- Reload the service with systemctl reload httpd.service and browse to 192.168.26.17/test/
// temporarily disable the Options directive in the sub-configuration file
<directory /var/www/html/test>
#options -indexes # disable directory listings
</directory>
// and create a symbolic link test_etc to /etc/ under /var/www/html/test/
[root@centos7 ~]# ln -s /etc/ /var/www/html/test/test_etc
- Reload the service with systemctl reload httpd.service and browse to 192.168.26.17/test/
// edit the sub-configuration file to add the directive that stops symlinks being followed
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf
<directory /var/www/html/test>
options -FollowSymLinks # do not follow symbolic links
</directory>
- Reload the service with systemctl reload httpd.service and browse to 192.168.26.17/test/
[2] The AllowOverride directive
- Determines which access-control directives may be placed in the .htaccess file of the given directory (the file name is set by AccessFileName; AccessFileName .htaccess is the default) to override earlier configuration directives; it is valid only in <Directory> sections.
- AllowOverride All: every directive in .htaccess takes effect
- AllowOverride None: the .htaccess file is ignored; this is the default since httpd 2.3.9
- AllowOverride AuthConfig: in the .htaccess file only AuthConfig directives take effect; all others are ignored
// create the hidden file .htaccess in the controlled directory and put the control directives in it
[root@centos7 ~]# vim /var/www/html/test/.htaccess
options -indexes
// edit the sub-configuration file to add the AllowOverride directive
<directory /var/www/html/test>
AllowOverride all # allow .htaccess to override the settings in the main configuration
</directory>
- Reload the service with systemctl reload httpd.service and browse to 192.168.26.17/test/
3.13 Access control by client IP address
- For any resource, access control can be based on either of two criteria:
  - the client's source address
  - the user account
- Access control based on the client's IP address:
  - a directory with no explicit authorization is denied by default
  - allow all hosts: Require all granted
  - deny all hosts: Require all denied
  - control specific IPs: Require ip IPADDR authorizes the given source IPs; Require not ip IPADDR denies the given IPs
  - control specific hosts: Require host HOSTNAME authorizes the given hosts; Require not host HOSTNAME denies them. HOSTNAME is either an FQDN (one specific host) or domain.tld (every host in that domain)
# no directive may fail and at least one must succeed, i.e. failure wins
# allow all IPs first, then deny the specified IP
<RequireAll>
Require all granted
Require not ip 172.16.1.1 # deny a specific IP
</RequireAll>
# if any one directive succeeds the whole block succeeds, i.e. success wins
# deny all IPs first, then allow the specified IP
<RequireAny>
Require all denied
require ip 172.16.1.1 # allow a specific IP
</RequireAny>
Example:
<directory /var/www/html/dir>
<requireany>
require all denied
Require ip 192.168.39.0/24
</requireany>
</directory>
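As an added example (not from the original page, and not an httpd API), the following Python models how httpd combines the Require lines above: each line yields a tri-state result (granted, denied or neutral), <RequireAll> lets failure win and <RequireAny> lets success win. It evaluates the two blocks from this section and a common misconfiguration; the function names and sample client addresses are my own.

```python
import ipaddress

# Tri-state results of a single Require directive, as httpd evaluates them
GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"


def ip_matches(client: str, spec: str) -> bool:
    """True if the client address falls within spec (full address, CIDR, or partial prefix)."""
    addr = ipaddress.ip_address(client)
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    if spec.count(".") < 3:
        # httpd also accepts a partial dotted prefix such as "192.168.39"
        return client.startswith(spec.rstrip(".") + ".")
    return addr == ipaddress.ip_address(spec)


def evaluate_require(directive: str, client: str) -> str:
    """Evaluate one 'Require [not] all|ip ...' line for a client address."""
    words = directive.split()
    if len(words) < 3 or words[0].lower() != "require":
        raise ValueError(f"not a Require directive: {directive!r}")
    args = words[1:]
    negate = args[0].lower() == "not"
    if negate:
        args = args[1:]
    provider, values = args[0].lower(), args[1:]
    if not values:
        raise ValueError(f"missing argument: {directive!r}")
    if provider == "all":
        result = GRANTED if values[0].lower() == "granted" else DENIED
    elif provider == "ip":
        result = GRANTED if any(ip_matches(client, v) for v in values) else NEUTRAL
    else:
        raise ValueError(f"provider not modelled here: {provider}")
    if negate:
        # 'Require not' can only deny: a match becomes DENIED, anything else is NEUTRAL
        return DENIED if result == GRANTED else NEUTRAL
    return result


def evaluate_container(kind: str, directives: list, client: str) -> str:
    """Combine the per-line results the way <RequireAll> and <RequireAny> do."""
    results = [evaluate_require(d, client) for d in directives]
    if kind.lower() == "requireall":
        # failure wins: one DENIED sinks the block; otherwise at least one GRANTED is needed
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    if kind.lower() == "requireany":
        # success wins: one GRANTED is enough; otherwise any DENIED denies
        if GRANTED in results:
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL
    raise ValueError(f"unknown container: {kind}")


def is_allowed(kind: str, directives: list, client: str) -> bool:
    """At the top level a NEUTRAL outcome is treated as a denial (HTTP 403)."""
    return evaluate_container(kind, directives, client) == GRANTED


# The two blocks from this section, as lists of their Require lines
ALLOW_ALL_BUT_ONE = ["Require all granted", "Require not ip 172.16.1.1"]    # <RequireAll>
DENY_ALL_BUT_SUBNET = ["Require all denied", "Require ip 192.168.39.0/24"]  # <RequireAny>
# A common mistake: 'Require not ip' inside <RequireAny> never takes effect,
# because 'Require all granted' alone already makes the block succeed
MISCONFIGURED_ANY = ["Require all granted", "Require not ip 172.16.1.1"]

if __name__ == "__main__":
    for kind, block, client in [
        ("RequireAll", ALLOW_ALL_BUT_ONE, "172.16.1.1"),
        ("RequireAll", ALLOW_ALL_BUT_ONE, "172.16.1.2"),
        ("RequireAny", DENY_ALL_BUT_SUBNET, "192.168.39.77"),
        ("RequireAny", DENY_ALL_BUT_SUBNET, "10.0.0.5"),
        ("RequireAny", MISCONFIGURED_ANY, "172.16.1.1"),
    ]:
        verdict = "allowed" if is_allowed(kind, block, client) else "denied"
        print(f"<{kind}> {block} client={client} -> {verdict}")
```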
3.14 Logging
An httpd server keeps two kinds of logs
- access log
- error log
Error log
- ErrorLog logs/error_log
- LogLevel warn
- LogLevel values: debug, info, notice, warn, error, crit, alert, emerg
// severity increases from left to right
// check the default ErrorLog path in the main configuration file
[root@centos7 ~]# grep -i errorlog /etc/httpd/conf/httpd.conf
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
ErrorLog "logs/error_log"
// listing the directory shows that logs is a symbolic link
[root@centos7 ~]# ll /etc/httpd/
total 0
drwxr-xr-x 2 root root 37 Dec 11 15:19 conf
drwxr-xr-x 2 root root 99 Dec 11 15:53 conf.d
drwxr-xr-x 2 root root 146 Dec 11 11:09 conf.modules.d
lrwxrwxrwx 1 root root 19 Dec 11 11:09 logs -> ../../var/log/httpd
lrwxrwxrwx 1 root root 29 Dec 11 11:09 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx 1 root root 10 Dec 11 11:09 run -> /run/httpd
// so the real error log path is /var/log/httpd/error_log; view it with
[root@centos7 ~]# cat /var/log/httpd/error_log
Access log
- Defining a log format
Description: describes the format used in the log file
Syntax: LogFormat format|nickname [nickname]
Default: LogFormat "%h %l %u %t \"%r\" %>s %b"
Context: server config, virtual host
Status: Base
Module: mod_log_config
// view the format types defined in the main configuration file
[root@centos7 ~]# grep -i LogFormat /etc/httpd/conf/httpd.conf
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
- Using a log format:
Description: sets the file name and format of the log file
Syntax: CustomLog file|pipe format|nickname [env=[!]environment-variable| expr=expression]
Context: server config, virtual host
Status: Base
Module: mod_log_config
- Viewing the access log
// check the format chosen by the CustomLog directive in the main configuration file
[root@centos7 ~]# grep -i CustomLog /etc/httpd/conf/httpd.conf
# a CustomLog directive (see below).
#CustomLog "logs/access_log" common
CustomLog "logs/access_log" combined
// the path where the access log is stored
[root@centos7 ~]# cat /var/log/httpd/access_log
[Custom log formats]: http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats
%h client IP address
%l remote logname; only meaningful when mod_ident is enabled, normally a hyphen "-"
%u remote user authenticated (basic or digest); a hyphen "-" for unauthenticated requests
%t time at which the server received the request
%r first line of the request, i.e. the request's method, URL and protocol version
%>s response status code
%b size of the response in bytes, excluding the HTTP headers
%{Referer}i value of the Referer request header, i.e. the page whose link led to the current page
%{User-Agent}i value of the User-Agent request header, i.e. the application that issued the request
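The following parser for the combined format above is an added example, not code from the original page. It turns each access-log line into a record with the fields just listed and then tallies two things a defender looks for in this log: repeated 401 responses per client (failed Basic authentication) and unusual methods such as TRACE. The log lines are constructed samples, not output from a real server.

```python
import re
from collections import Counter

# One regex for the 'combined' nickname defined in httpd.conf:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Quoted fields may contain \" and \\, which mod_log_config writes as escapes.
_QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<h>\S+) (?P<l>\S+) (?P<u>\S+) \[(?P<t>[^\]]+)\] '
    r'"(?P<r>' + _QUOTED + r')" (?P<s>\d{3}) (?P<b>\d+|-) '
    r'"(?P<referer>' + _QUOTED + r')" "(?P<ua>' + _QUOTED + r')"$'
)


def _unescape(field: str) -> str:
    """Undo the \" and \\ escaping mod_log_config applies inside quoted fields."""
    return field.replace('\\"', '"').replace('\\\\', '\\')


def parse_combined(line: str):
    """Parse one 'combined' access-log line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    # %r is "METHOD URI PROTOCOL"; a malformed request line may have fewer parts
    method, uri, proto = (_unescape(f["r"]).split(" ", 2) + ["-", "-", "-"])[:3]
    return {
        "client": f["h"],
        "ident": f["l"],
        "user": f["u"],
        "time": f["t"],
        "method": method,
        "uri": uri,
        "protocol": proto,
        "status": int(f["s"]),
        "bytes": 0 if f["b"] == "-" else int(f["b"]),  # %b logs '-' for an empty body
        "referer": _unescape(f["referer"]),
        "user_agent": _unescape(f["ua"]),
    }


def parse_log(text: str) -> list:
    """Parse every line of an access log, skipping lines that do not match the format."""
    return [rec for rec in (parse_combined(line) for line in text.splitlines()) if rec]


def auth_failures_by_client(records: list) -> Counter:
    """Count 401 responses per client: repeated 401s point at password guessing against Basic auth."""
    return Counter(r["client"] for r in records if r["status"] == 401)


def methods_by_client(records: list) -> Counter:
    """Count (client, method) pairs, which makes unusual methods such as TRACE easy to spot."""
    return Counter((r["client"], r["method"]) for r in records)


# Constructed sample lines in the 'combined' format (not taken from a real server)
SAMPLE_LOG = """\
192.168.26.1 - - [11/Dec/2019:21:30:01 +0800] "GET /index.html HTTP/1.1" 200 94 "-" "curl/7.29.0"
192.168.26.1 - - [11/Dec/2019:21:30:05 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.26.1 - - [11/Dec/2019:21:30:07 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.26.1 - xiaowang [11/Dec/2019:21:30:09 +0800] "GET /admin/ HTTP/1.1" 200 31 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Dec/2019:21:31:00 +0800] "TRACE / HTTP/1.1" 405 216 "-" "-"
10.0.0.5 - - [11/Dec/2019:21:31:02 +0800] "GET /test/ HTTP/1.1" 403 214 "http://192.168.26.17/" "Agent \\"quoted\\""
this line is not in combined format
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} records")
    print("401s per client:", dict(auth_failures_by_client(recs)))
    print("methods per client:", dict(methods_by_client(recs)))
```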
3.15 Setting the default character set
The character set is set in the configuration file with the directive
AddDefaultCharset UTF-8 # this is the default
Chinese character sets: GBK, GB2312, GB18030
3.16 Defining path aliases
Format:
Alias /URL/ "/PATH/"
Example:
// create the data needed for the test
[root@centos7 ~]# echo "別名路徑測試" > /data/html/index.html
// edit the sub-configuration file
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf
alias /test/ /data/html/
- Browse to 192.168.26.17/test/
// accessing a directory requires explicit authorization
// so edit the sub-configuration file and grant access to the directory
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf
alias /test /data/html/
<directory /data/html/>
require all granted
</directory>
3.18 User-based access control
- Authentication challenge: WWW-Authenticate. The server responds with status 401, refusing the request and telling the client that it must supply an account and password.
- Authentication: Authorization. The client resends the request with the account and password filled in; if authentication succeeds, the server returns the requested resource.
- Authentication methods:
  - basic: plaintext
  - digest: message-digest authentication, poorly supported
- Security realm: a path that can only be accessed after user authentication; it should be identified by a name so that the user can be told why authentication is required
- User accounts and passwords
  - virtual account: an identifier used only to authenticate to a particular service
  - storage: text file, SQL database, LDAP directory, NIS, etc.
Basic authentication configuration example:
(1) Define the realm
<Directory "/path">
Options None # no indexes, no symlinks
AllowOverride None # do not honour .htaccess files in this directory
AuthType Basic # authentication method
AuthName "String" # text shown in the login dialog
AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE" # path of the file holding user names and passwords
Require user username1 username2 ... # only the named users from AuthUserFile may access
</Directory>
To allow every user in the account file to log in:
Require valid-user # any user added to /PATH/HTTPD_USER_PASSWD_FILE may access
(2) Provide account and password storage (a text file); the dedicated htpasswd command, used below, creates such files and manages their users
- Options:
  - -c create the file; use only when the file does not exist yet (i.e. the first time)
  - -p store the password in plaintext
  - -d CRYPT encryption, the default
  - -m MD5 hashing
  - -s SHA hashing
  - -D delete the given user
Example 1:
// create the test page
[root@centos7 ~]# mkdir /var/www/html/admin ; echo "/var/www/html/admin/index.html" > /var/www/html/admin/index.html
// create user xiaowang and set a password
[root@centos7 ~]# htpasswd -c /etc/httpd/conf.d/.httpuser xiaowang
// add user xiaoli and set a password
[root@centos7 ~]# htpasswd /etc/httpd/conf.d/.httpuser xiaoli
// edit the sub-configuration file
<directory /var/www/html/admin>
AuthType Basic
AuthName "welcome to beijing"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
Require user xiaowang # only xiaowang may log in
</directory>
- Browse to 192.168.26.17/admin/
// create the test page
[root@centos7 ~]# mkdir /var/www/html/secret ; echo "/var/www/html/secret/index.html" > /var/www/html/secret/index.html
// create and edit a .htaccess file in the same directory as the page
[root@centos7 ~]# vim /var/www/html/secret/.htaccess
AuthType Basic
AuthName "welcome to beijing"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
Require user xiaoli # only xiaoli may log in
// edit the sub-configuration file
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf
<directory /var/www/html/secret>
allowoverride authconfig
</directory>
(3) Create user-account and group-account files; in the group file each line defines one group
GRP_NAME: username1 username2 ...
Example 2:
[root@centos7 ~]# cat /var/www/html/secret/.htaccess
AuthType Basic
AuthName "welcome to beijing"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
AuthGroupFile "/etc/httpd/conf.d/.httpgroup"
Require group webadmins
--------------------------------------------------
[root@centos7 ~]# cat /etc/httpd/conf.d/.httpuser
xiaowang:$apr1$ys/0c5YW$JyCm1yTTCE2qseZVH9zSn1
xiaoli:$apr1$OvI43/u5$.VEtXtKhuI7Iv9Z6Yi//C/
xiaosun:$apr1$TvnalQHF$UoSyF/YgzF8Sn5wytiMQn.
[root@centos7 ~]# cat /etc/httpd/conf.d/.httpgroup
webadmins: xiaosun
----------------------------------------------------
[root@centos7 ~]# cat /etc/httpd/conf.d/test.conf
<directory /var/www/html/secret>
allowoverride authconfig
</directory>
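As an added example (not from the original page or from httpd itself), this Python reproduces the Basic authentication flow described above: decoding the Authorization header, verifying the password against a {SHA} entry of the kind htpasswd -s produces, and applying a Require user, Require group or Require valid-user line against an AuthUserFile and AuthGroupFile. The user and group names are the ones from this section; the passwords and the choice of the {SHA} format are assumptions made for the example.

```python
import base64
import hashlib
import hmac


def sha_htpasswd(password: str) -> str:
    """Hash a password the way 'htpasswd -s' does: '{SHA}' + base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_user_file(text: str) -> dict:
    """AuthUserFile: one 'user:hash' per line."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, stored = line.partition(":")
            users[name] = stored
    return users


def parse_group_file(text: str) -> dict:
    """AuthGroupFile: one 'group: user1 user2 ...' per line."""
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, _, members = line.partition(":")
            groups[name.strip()] = set(members.split())
    return groups


def check_password(stored: str, password: str) -> bool:
    """Verify against a {SHA} entry; other formats ($apr1$ MD5, crypt) are simply rejected here."""
    if not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_htpasswd(password))


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends after the 401 challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_authorization(header: str):
    """Decode 'Basic <base64>' into (user, password); None if the header is unusable.
    The credentials are only encoded, not encrypted: Basic auth is plaintext on the wire."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def authorize(header, users: dict, groups: dict, require: str):
    """Apply one Require line ('valid-user', 'user a b ...' or 'group g ...') and return
    (status, reason). httpd answers a failed authorization with 401 too, unless
    AuthzSendForbiddenOnFailure On is set, in which case it sends 403."""
    creds = parse_authorization(header or "")
    if creds is None:
        return 401, "no credentials"  # first round trip: WWW-Authenticate challenge
    user, password = creds
    if user not in users or not check_password(users[user], password):
        return 401, "bad credentials"
    words = require.split()
    if words[0] == "valid-user":
        return 200, "ok"
    if words[0] == "user" and user in words[1:]:
        return 200, "ok"
    if words[0] == "group" and any(user in groups.get(g, ()) for g in words[1:]):
        return 200, "ok"
    return 401, "user not authorized"


# Constructed sample files using the user and group names from this section;
# the passwords are made up for the example.
USER_FILE = "\n".join([
    "xiaowang:" + sha_htpasswd("wang-pass"),
    "xiaoli:" + sha_htpasswd("li-pass"),
    "xiaosun:" + sha_htpasswd("sun-pass"),
])
GROUP_FILE = "webadmins: xiaosun\n"

if __name__ == "__main__":
    users, groups = parse_user_file(USER_FILE), parse_group_file(GROUP_FILE)
    print(authorize(basic_header("xiaowang", "wang-pass"), users, groups, "user xiaowang"))
    print(authorize(basic_header("xiaoli", "li-pass"), users, groups, "user xiaowang"))
    print(authorize(basic_header("xiaosun", "sun-pass"), users, groups, "group webadmins"))
    print(parse_authorization(basic_header("xiaoli", "li-pass")))  # shows why Basic is plaintext
```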
3.19 Combining client-address and user authentication controls
Satisfy ALL|Any
- Meaning:
  - ALL: both the client IP check and user authentication must pass; this is the default
  - Any: passing either the client IP check or user authentication is enough
Satisfy and Allow/Deny are the httpd 2.2 syntax; in 2.4 they are provided by mod_access_compat, and the same logic is expressed with a <RequireAny> block.
# for /var/www/html/test, clients from 192.168.1.0/24 may access directly; users from other networks must authenticate
<Directory "/var/www/html/test">
Require valid-user
Allow from 192.168.1
Satisfy Any
</Directory>
# /var/www/private can only be accessed after user authentication
<Directory "/var/www/private">
Require valid-user
</Directory>
# /var/www/private/public needs no user authentication; any client may access it
<Directory "/var/www/private/public">
Allow from all
Satisfy Any
</Directory>
3.20 Sharing user home directories over HTTP
[root@centos7 ~]# vim /etc/httpd/conf.d/userdir.conf
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
# UserDir disabled # disabled
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disabled" line above, and uncomment
# the following line instead:
#
UserDir html # enabled
</IfModule>
#<Directory "/home/*/public_html"> # commented out
# AllowOverride FileInfo AuthConfig Limit Indexes
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
# Require method GET POST OPTIONS
#</Directory> # the block below was written by hand instead
<Directory /home/sun/html>
require all granted
</Directory>
--------------------------------------------------------
[root@centos7 ~]# su - sun
Last login: Wed Dec 11 21:22:31 CST 2019 on pts/0
[sun@centos7 ~]$ mkdir /home/sun/html/ ; echo "hello world" > /home/sun/html/index.html
[sun@centos7 ~]$ setfacl -m u:apache:x /home/sun/ # let the apache user traverse the home directory
[sun@centos7 ~]$ su - root
----------------------------------------------------------
[root@centos7 ~]# systemctl reload httpd.service
- Browse to 192.168.26.17/~sun
Example: share the home directory with Basic authentication
[root@centos7 ~]# vim /etc/httpd/conf.d/userdir.conf
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
# UserDir disabled # disabled
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disabled" line above, and uncomment
# the following line instead:
#
UserDir html # enabled
</IfModule>
#<Directory "/home/*/public_html"> # commented out
# AllowOverride FileInfo AuthConfig Limit Indexes
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
# Require method GET POST OPTIONS
#</Directory> # the block below was written by hand instead
<Directory /home/sun/html>
AuthType Basic
AuthName "test home"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
require user xiaosun
</Directory>
---------------------------------------------------------
[root@centos7 ~]# htpasswd /etc/httpd/conf.d/.httpuser xiaosun
[root@centos7 ~]# systemctl reload httpd.service
- Browse to 192.168.26.17/~sun
3.21 Preventing version disclosure on error pages
ServerSignature On | Off | EMail
- Default Off. When a requested page does not exist, the server generates an error document; with ServerSignature On, the last line of that document contains the server name, Apache version and similar details. To keep this information from being shown, set the parameter to Off; set to EMail, it additionally shows the ServerAdmin email address.
3.22 Disabling the TRACE method
TraceEnable [on|off|extended]
- Whether the TRACE method is supported; default on; because of the security risk it is recommended to turn it off. Note that the Allow header returned to an OPTIONS request (shown below) still lists TRACE after the change; the directive acts on an actual TRACE request, which httpd then answers with 405 Method Not Allowed.
[root@centos7 ~]# curl -IX options http://127.0.0.1
HTTP/1.1 501 Not Implemented
Date: Wed, 11 Dec 2019 13:57:41 GMT
Server: Apache/2.4.6 (CentOS)
Allow: POST,OPTIONS,GET,HEAD,TRACE
Content-Length: 205
Connection: close
Content-Type: text/html; charset=iso-8859-1
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf
[root@centos7 ~]# cat /etc/httpd/conf.d/test.conf
TraceEnable off
[root@centos7 ~]# curl -IX options http://127.0.0.1
HTTP/1.1 501 Not Implemented
Date: Wed, 11 Dec 2019 13:59:00 GMT
Server: Apache/2.4.6 (CentOS)
Allow: POST,OPTIONS,GET,HEAD,TRACE
Content-Length: 205
Connection: close
Content-Type: text/html; charset=iso-8859-1
3.23 The status page
- httpd provides a status page for observing how the server is running. It requires loading the mod_status.so module
LoadModule status_module modules/mod_status.so
<Location "/status">
SetHandler server-status
</Location>
ExtendedStatus On # show extended information; On by default since httpd 2.3.6
Example: enabling the status page
<Location "/status">
SetHandler server-status
<RequireAny>
Require all denied
Require ip 172.20.1.11
</RequireAny>
#Order Deny,Allow # the old-style directives can also control access
#Deny from all
#Allow from 192.168.100
</Location>
ExtendedStatus Off # set to On for detailed information
[root@centos8 ~]#systemctl restart httpd
- Open http://192.168.26.17/status (the httpd server) in a browser to see the status page
3.24 Multiple virtual hosts
- httpd can host several websites on one physical machine, i.e. multiple virtual hosts
- A website can be uniquely identified in different ways:
  - same IP, different ports
  - different IPs, all on the default port
  - different FQDNs
- Accordingly there are three ways to implement virtual hosts:
  - IP-based: at least one IP address per virtual host
  - port-based: at least one dedicated port per virtual host
  - FQDN-based: at least one FQDN per virtual host, recognized from the Host: header of the request, e.g. Host: www.bokebi.cn
- Note: in httpd 2.4, FQDN-based virtual hosts no longer need the NameVirtualHost directive
- Basic virtual-host configuration, normally kept in a separate configuration file:
<VirtualHost IP:PORT>
ServerName FQDN
DocumentRoot "/path"
</VirtualHost>
Example: port-based virtual hosts
[root@centos7 ~]# mkdir /data/website{1,2,3}
[root@centos7 ~]# echo /data/website1/index.html > /data/website1/index.html
[root@centos7 ~]# echo /data/website2/index.html > /data/website2/index.html
[root@centos7 ~]# echo /data/website3/index.html > /data/website3/index.html
--------------------------------------------------------
// create and edit the sub-configuration file
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf
listen 8001
listen 8002
listen 8003
<virtualhost *:8001>
documentroot /data/website1/
Customlog logs/website1_access.log combined
<directory /data/website1/>
require all granted
</directory>
</virtualhost>
<virtualhost *:8002>
documentroot /data/website2/
Customlog logs/website2_access.log combined
<directory /data/website2/>
require all granted
</directory>
</virtualhost>
<virtualhost *:8003>
documentroot /data/website3/
Customlog logs/website3_access.log combined
<directory /data/website3/>
require all granted
</directory>
</virtualhost>
-----------------------------------------------
// syntax check
[root@centos7 ~]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::7a63:4abc:9540:e640. Set the 'ServerName' directive globally to suppress this message
Syntax OK
-----------------------------------------------
// reload the service
[root@centos7 ~]# systemctl reload httpd.service
-----------------------------------------------
// check the generated log files
[root@centos7 ~]# ll /var/log/httpd/
total 24
-rw-r--r-- 1 root root 11432 Dec 12 08:04 access_log
-rw-r--r-- 1 root root 10173 Dec 12 08:21 error_log
-rw-r--r-- 1 root root 0 Dec 12 08:21 website1_access.log
-rw-r--r-- 1 root root 0 Dec 12 08:21 website2_access.log
-rw-r--r-- 1 root root 0 Dec 12 08:21 website3_access.log
-----------------------------------------------
# browsing to the different ports returns different pages
http://192.168.26.17:8001/
http://192.168.26.17:8002/
http://192.168.26.17:8003/
Example: IP-based virtual hosts
[root@centos7 ~]# mkdir /data/website{1,2,3}
[root@centos7 ~]# echo /data/website1/index.html > /data/website1/index.html
[root@centos7 ~]# echo /data/website2/index.html > /data/website2/index.html
[root@centos7 ~]# echo /data/website3/index.html > /data/website3/index.html
------------------------------------------------------
// add several IP addresses to the chosen NIC, each with a different label
[root@centos7 ~]# ip a a 10.0.0.8/24 dev eth1 label eth1:1
[root@centos7 ~]# ip a a 10.0.0.18/24 dev eth1 label eth1:2
[root@centos7 ~]# ip a a 10.0.0.28/24 dev eth1 label eth1:3
[root@centos7 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:16:9f:68 brd ff:ff:ff:ff:ff:ff
inet 172.20.2.139/16 brd 172.20.255.255 scope global noprefixroute dynamic eth0
valid_lft 2591716sec preferred_lft 2591716sec
inet6 fe80::7a63:4abc:9540:e640/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:16:9f:72 brd ff:ff:ff:ff:ff:ff
inet 192.168.26.17/24 brd 192.168.26.255 scope global noprefixroute eth1
valid_lft forever preferred_lft forever
inet 10.0.0.8/24 scope global eth1:1
valid_lft forever preferred_lft forever
inet 10.0.0.18/24 scope global secondary eth1:2
valid_lft forever preferred_lft forever
inet 10.0.0.28/24 scope global secondary eth1:3
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe16:9f72/64 scope link
valid_lft forever preferred_lft forever
---------------------------------------------------------
// create and edit the sub-configuration file
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf
<virtualhost 10.0.0.8:80>
documentroot /data/website1/
Customlog logs/website1_access.log combined
<directory /data/website1/>
require all granted
</directory>
</virtualhost>
<virtualhost 10.0.0.18:80>
documentroot /data/website2/
Customlog logs/website2_access.log combined
<directory /data/website2/>
require all granted
</directory>
</virtualhost>
<virtualhost 10.0.0.28:80>
documentroot /data/website3/
Customlog logs/website3_access.log combined
<directory /data/website3/>
require all granted
</directory>
</virtualhost>
-------------------------------------------------
// syntax check
[root@centos7 ~]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::7a63:4abc:9540:e640. Set the 'ServerName' directive globally to suppress this message
Syntax OK
-------------------------------------------------
// reload the configuration
[root@centos7 ~]# systemctl reload httpd.service
-------------------------------------------------
// browse to each IP to get a different page
[root@centos7 ~]# curl 10.0.0.8
/data/website1/index.html
[root@centos7 ~]# curl 10.0.0.18
/data/website2/index.html
[root@centos7 ~]# curl 10.0.0.28
/data/website3/index.html
Example: FQDN-based virtual hosts
// create the page directories
[root@centos7 ~]# mkdir /data/{a,b,c}.com
[root@centos7 ~]# echo /data/a.com/index.html > /data/a.com/index.html
[root@centos7 ~]# echo /data/b.com/index.html > /data/b.com/index.html
[root@centos7 ~]# echo /data/c.com/index.html > /data/c.com/index.html
----------------------------------------
// create and edit the file
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf
<virtualhost *:80>
Servername www.a.com
documentroot /data/a.com/
ErrorLog "logs/a_error_log"
Customlog logs/a_access.log combined
<directory /data/a.com/>
Options None
AllowOverride None
require all granted
</directory>
</virtualhost>
<virtualhost *:80>
Servername www.b.com
documentroot /data/b.com/
ErrorLog "logs/b_error_log"
Customlog logs/b_access.log combined
<directory /data/b.com/>
Options None
AllowOverride None
require all granted
</directory>
</virtualhost>
<virtualhost *:80>
Servername www.c.com
documentroot /data/c.com/
ErrorLog "logs/c_error_log"
Customlog logs/c_access.log combined
<directory /data/c.com/>
Options None
AllowOverride None
require all granted
</directory>
</virtualhost>
------------------------------------------------
// edit the local name-resolution file (/etc/hosts) and add:
192.168.26.17 www.a.com
192.168.26.17 www.b.com
192.168.26.17 www.c.com
------------------------------------------------
// syntax check
[root@centos7 ~]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::7a63:4abc:9540:e640. Set the 'ServerName' directive globally to suppress this message
Syntax OK
------------------------------------------------
// reload the configuration
[root@centos7 ~]# systemctl reload httpd.service
------------------------------------------------
// browse to each domain name to get a different page
[root@centos7 ~]# curl www.a.com
/data/a.com/index.html
[root@centos7 ~]# curl www.b.com
/data/b.com/index.html
[root@centos7 ~]# curl www.c.com
/data/c.com/index.html
3.25 Compression
- Compression is provided by a separate module: mod_deflate compresses pages to speed up transfer
LoadModule deflate_module modules/mod_deflate.so
SetOutputFilter DEFLATE
[root@centos7 ~]# grep "deflate" /etc/httpd/conf.modules.d/*
/etc/httpd/conf.modules.d/00-base.conf:LoadModule deflate_module modules/mod_deflate.so
- When compression is appropriate
  - it saves bandwidth at the cost of extra CPU; some older browsers also do not support it
  - compress only resources that compress well, such as text files
# optional
SetOutputFilter DEFLATE
# specify which MIME types to compress; this must be set
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
# compression level (highest 9 - lowest 1)
DeflateCompressionLevel 9
# exclude specific old browser versions that do not support compression
# Netscape 4.x: compress only text/html
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08: no compression
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# Internet Explorer identifies itself as "Mozilla/4" but can actually handle compressed responses. If the User-Agent header matches the string "MSIE" (\b is a word boundary), lift the restrictions defined above
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
// pick any reasonably large file
[root@centos7 ~]# cp -a /etc/ /var/www/html/etc.txt
// create and edit the sub-configuration file
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf
SetOutputFilter DEFLATE
AddOutputFilterByType DEFLATE text/plain
DeflateCompressionLevel 9 # supported compression levels are 1-9
--------------------------------------------
// restart the service
[root@centos7 ~]# systemctl restart httpd.service
- Browse to 192.168.26.17/etc.txt; press F12 in the browser and refresh to see that the file is delivered compressed
3.26 Implementing HTTPS
- https: HTTP over SSL, providing authentication and encryption for HTTP data transfer
- How https works
  - the client sends the encryption methods it supports and asks the server for its certificate
  - the server sends its certificate and the chosen encryption method to the client
  - the client receives the certificate and validates it, provided it trusts the CA that issued it:
    (a) verify that the certificate comes from a legitimate source: decrypt the digital signature on the certificate with the CA's public key
    (b) verify that the certificate's contents are legitimate: integrity check
    (c) check the certificate's validity period
    (d) check whether the certificate has been revoked
    (e) the owner name in the certificate must match the target host being accessed
  - the client generates a temporary session key (a symmetric key), encrypts it with the server's public key and sends it to the server, completing the key exchange
  - the server encrypts the resources the user requests with this key and returns them to the client
- Note: SSL is bound to the IP address, so an httpd host with a single IP can serve only one https virtual host (with SNI, which current httpd and browsers support, one IP can serve several)
- Outline of an https deployment
  - obtain a digital certificate for the server; for testing it can be issued by a self-built CA:
    (a) create a private CA
    (b) create a certificate signing request on the server
    (c) have the CA sign the certificate
    in production a certificate is purchased; individuals can use free certificates
  - configure httpd to use ssl and the certificate
- Example 1: https with a self-signed certificate
// install the service
[root@centos8 ~]# yum -y install httpd
// check whether the module is already loaded
[root@centos8 ~]# httpd -M | grep ssl
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::de18:1128:8f0:e603. Set the 'ServerName' directive globally to suppress this message
// view the module description
[root@centos8 ~]# dnf info mod_ssl
Last metadata expiration check: 0:01:37 ago on Fri 13 Dec 2019 05:00:34 AM CST.
Available Packages
Name : mod_ssl
Epoch : 1
Version : 2.4.37
Release : 12.module_el8.0.0+185+5908b0db
Arch : x86_64
Size : 130 k
Source : httpd-2.4.37-12.module_el8.0.0+185+5908b0db.src.rpm
Repo : AppStream
Summary : SSL/TLS module for the Apache HTTP Server
URL : https://httpd.apache.org/
License : ASL 2.0
Description : The mod_ssl module provides strong cryptography for the
: Apache Web server via the Secure Sockets Layer (SSL)
: and Transport Layer Security (TLS) protocols.
// install the module
[root@centos8 ~]# dnf -y install mod_ssl
//查看模塊
[root@centos8 ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.modules.d/00-ssl.conf
/usr/lib/.build-id
/usr/lib/.build-id/70/221b67fd81b65321f5220d22dcb99c36d3841c
/usr/lib/systemd/system/httpd-init.service
/usr/lib/systemd/system/httpd.socket.d/10-listen443.conf
/usr/lib64/httpd/modules/mod_ssl.so
/usr/libexec/httpd-ssl-gencerts
/usr/libexec/httpd-ssl-pass-dialog
/usr/share/man/man8/httpd-init.service.8.gz
/var/cache/httpd/ssl
[root@centos8 ~]# cat /etc/httpd/conf.modules.d/00-ssl.conf
LoadModule ssl_module modules/mod_ssl.so
//start the service; httpd.service pulls in httpd-init.service, which runs /usr/libexec/httpd-ssl-gencerts and creates a self-signed certificate on first start
[root@centos8 ~]# systemctl start httpd.service
//the generated self-signed certificate
[root@centos8 ~]# ls /etc/pki/tls/certs/localhost.crt
/etc/pki/tls/certs/localhost.crt
//the generated private key
[root@centos8 ~]# ls /etc/pki/tls/private/
localhost.key
//inspect the self-signed certificate: the issuer is a throwaway local CA, the subject is the host name centos8 (also in the SAN), CA:FALSE
[root@centos8 ~]# openssl x509 -in /etc/pki/tls/certs/localhost.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5055589927373660778 (0x46291040d726626a)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Unspecified, OU = ca-516777335850016332, CN = centos8, emailAddress = root@centos8
Validity
Not Before: Dec 12 21:06:18 2019 GMT
Not After : Dec 16 22:46:18 2020 GMT
Subject: C = US, O = Unspecified, CN = centos8, emailAddress = root@centos8
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c2:fb:f4:08:86:08:00:a4:32:b2:3b:a0:d6:86:
c3:6f:50:d7:65:e3:fd:33:73:7c:d0:03:f8:89:89:
81:06:d5:b2:0e:ee:d7:65:83:f2:41:3f:8a:56:fd:
fa:65:66:b3:7f:58:e2:3f:11:44:62:e1:e8:c8:09:
d0:04:74:64:7d:1e:05:44:0c:21:54:92:9a:a7:89:
a3:4a:fe:f5:f2:77:88:e5:69:6d:07:cd:72:b4:df:
c1:28:3b:f5:e4:8f:d7:b3:15:49:a1:9c:f6:0d:29:
e9:a9:9f:30:3a:05:57:f7:0d:52:5d:fa:61:3e:2d:
d4:ec:e8:0c:c6:98:f8:cf:e6:e1:82:ca:d8:4f:71:
e3:ce:2d:70:02:64:a8:8f:c8:40:d7:64:4b:03:ab:
62:ac:88:33:6a:75:46:3e:0d:e5:0c:9f:ac:59:cc:
1e:c1:01:d3:8e:0a:02:0b:a9:db:f8:90:18:5c:4c:
83:4a:c6:8a:02:dd:04:0c:4d:ce:f4:ac:f7:a6:d5:
94:4c:60:29:b2:b3:40:ab:7d:fc:85:85:e0:ea:46:
94:2d:65:66:e5:26:5e:c7:92:5c:c0:97:47:00:ba:
70:56:d9:5b:f3:4b:84:49:30:a7:00:cd:95:87:99:
eb:ce:88:61:33:78:93:7b:be:2f:b7:5c:c6:56:6a:
89:49
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
DNS:centos8
X509v3 Authority Key Identifier:
keyid:26:E4:66:F8:CC:8A:DA:DA:13:83:BA:22:AD:0E:66:8D:DE:61:BB:C6
Signature Algorithm: sha256WithRSAEncryption
91:09:6b:9a:84:25:09:71:3e:14:f2:09:83:2c:dd:5c:1b:94:
8e:c6:fd:be:d2:ee:90:62:51:3a:6b:ca:35:af:7e:ae:9a:cf:
54:34:13:3c:8d:79:92:80:87:15:3c:aa:09:a5:c1:fe:71:7e:
8a:51:e4:27:e2:14:9b:31:77:01:b7:a7:44:47:80:c1:b3:be:
4a:d9:1b:48:b9:95:d0:86:ca:16:43:7a:2d:85:58:b4:38:2d:
6f:89:5d:0f:19:f7:f9:c1:34:ab:f7:52:79:ca:c6:60:73:4e:
2f:c9:db:7d:b3:d2:3a:f3:48:56:25:1e:3f:81:c2:15:e7:d8:
99:5f:f2:72:7e:50:35:91:35:33:c1:5c:6d:72:1e:aa:2b:10:
af:96:8a:12:10:59:1f:57:72:80:6c:f8:14:87:07:7d:d8:10:
25:e2:d6:64:04:90:d1:ab:3c:6a:9f:02:52:e2:5b:86:8f:fb:
c4:95:a5:f0:d6:18:b0:b9:25:f8:c8:a1:71:ca:18:34:6b:fe:
5a:b1:34:fa:01:cf:2b:d6:85:cf:34:60:f7:e3:2b:e3:03:3b:
5e:2f:c8:65:e2:a8:da:34:f1:2b:05:77:c2:28:fa:9e:3b:4b:
39:00:b0:53:fc:25:10:cc:5e:c3:26:1a:1c:8b:c5:f6:34:1e:
62:61:cb:ae:31:cd:0f:74:42:84:01:7f:ae:b2:f4:e6:75:82:
a4:9f:75:46:6b:54:09:fd:2f:55:2f:68:7d:b4:a5:51:8f:96:
84:cb:b8:50:1b:44:e0:a2:ec:7f:05:df:3e:a0:52:57:6c:a0:
f3:54:35:fe:a1:9f:41:2c:7f:ab:ea:7d:cf:0e:52:55:59:a4:
d7:c1:b4:23:31:81:98:ef:7b:56:11:65:7e:44:cb:d9:b4:2a:
fa:8b:74:f9:38:ad:f5:86:ea:59:be:5f:cc:c9:a2:4a:9c:7d:
72:6a:7c:42:45:a9:40:8b:64:af:9c:f0:64:46:05:69:c7:e5:
62:6f:57:99:2a:04:33:23:e9:63:43:a5:ec:7b:67:0f:bf:8f:
3b:ef:ce:43:10:58:cf:6d:8f:8a:9f:52:89:9d:3a:fe:c2:d7:
4f:03:0a:7b:5f:71:46:ef:37:a6:2f:cc:ab:10:b0:4f:9f:67:
b2:7a:8d:ca:4c:ad:5b:98:c2:48:a0:8c:b8:f6:80:e1:20:4e:
54:2c:5b:b1:16:d1:bd:41:60:11:8b:29:cd:4c:96:45:40:cd:
b5:af:d1:ac:13:aa:08:f4:f3:93:6c:4d:b1:10:be:8b:cb:57:
a6:d1:d1:26:89:fd:20:34:38:d9:37:14:f4:e9:74:28:9d:f0:
02:27:bc:88:9b:c2:6e:0e
- Open https://192.168.26.18 in a browser: because the certificate was issued by a CA the browser does not know, and for the name centos8 rather than for the address being visited, the browser shows a certificate warning that has to be accepted manually
Example 2: a certificate in the site's own name, on centos8
- CentOS 8 no longer ships /etc/pki/tls/certs/Makefile, so take the one from a CentOS 7 host, first removing the parameters marked in the screenshot
//look at the Makefile on centos7
[root@centos7 ~]# cd /etc/pki/tls/certs/
[root@centos7 certs]# ls
ca-bundle.crt make-dummy-cert renew-dummy-cert
ca-bundle.trust.crt Makefile
//edit the file as described above
[root@centos7 certs]# vim Makefile
//copy it to the centos8 host 192.168.26.18 and continue there
[root@centos7 certs]# scp Makefile 192.168.26.18:/etc/pki/tls/certs/
//the Makefile needs make
[root@centos8 certs]# dnf -y install make
//generate the key and a self-signed certificate with make; the key is written under umask 77, so only root can read it
[root@centos8 certs]# make bokebi.cn.crt
umask 77 ; \
/usr/bin/openssl genrsa 2048 > bokebi.cn.key
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................+++++
......................................................................................+++++
e is 65537 (0x010001)
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key bokebi.cn.key -x509 -days 365 -out bokebi.cn.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:M39
Common Name (eg, your name or your server's hostname) []:www.bokebi.cn
Email Address []:
[root@centos8 certs]# ls
bokebi.cn.crt ca-bundle.crt localhost.crt
bokebi.cn.key ca-bundle.trust.crt Makefile
//inspect the generated certificate: self-signed (issuer equals subject), CA:TRUE, no Subject Alternative Name, so clients will match on the CN www.bokebi.cn
[root@centos8 certs]# openssl x509 -in bokebi.cn.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1f:0e:a6:4e:fd:a0:80:e6:2d:a2:f3:12:12:eb:7f:55:13:5f:84:fa
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = beijing, L = beijing, O = magedu, OU = M39, CN = www.bokebi.cn
Validity
Not Before: Dec 12 21:37:17 2019 GMT
Not After : Dec 11 21:37:17 2020 GMT
Subject: C = CN, ST = beijing, L = beijing, O = magedu, OU = M39, CN = www.bokebi.cn
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:d2:a9:36:d9:a2:d5:cb:7f:61:d8:6b:5a:c4:69:
2b:86:9e:d0:85:88:ee:c9:0c:15:ba:a3:22:48:5f:
f7:3c:33:fc:33:6a:b2:ad:ae:72:ed:ab:36:ab:41:
e8:db:2c:91:f4:d8:b8:c2:b3:55:4b:9a:11:10:dd:
dc:1e:aa:8c:00:38:76:58:c1:03:41:a3:4d:ea:7f:
b8:86:15:e9:b5:d3:98:97:b2:f3:e3:da:0a:77:c0:
ee:48:41:93:ce:e4:98:4a:cc:c4:84:16:fb:31:ca:
01:2f:c8:75:89:7c:96:b8:7e:df:d2:31:79:7a:84:
f7:60:3f:96:37:46:57:f3:a6:3d:cc:bc:a0:5f:74:
bc:38:7d:e2:7d:35:07:12:48:41:00:a9:3e:83:19:
bf:36:45:c8:0a:dd:be:e7:3f:3e:50:21:67:9f:ba:
eb:3b:51:d0:b0:2d:7b:1f:da:e5:50:85:ba:3b:4c:
ce:04:dc:76:2a:cd:4a:e3:26:2f:0d:38:df:d1:06:
30:fb:60:a5:e2:f6:4d:e4:28:8f:58:18:46:02:5d:
6a:0e:c9:17:b8:93:af:7c:b8:ef:46:a2:1a:27:4b:
d3:e4:97:2e:38:54:33:40:df:22:bc:7c:09:ab:74:
b3:2b:1f:bb:e4:25:87:c7:99:dd:99:fd:be:62:51:
0a:b5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
E5:FA:32:E1:B6:D7:28:BB:B3:AA:DE:69:F0:E5:25:E7:49:E5:34:82
X509v3 Authority Key Identifier:
keyid:E5:FA:32:E1:B6:D7:28:BB:B3:AA:DE:69:F0:E5:25:E7:49:E5:34:82
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
c8:5f:2e:b5:1e:f1:bc:8f:d1:96:97:88:d9:fe:46:75:c5:a3:
25:b2:56:f4:5f:ef:5a:bc:95:c8:e5:7a:10:d7:85:8a:26:77:
5c:63:6e:22:44:91:44:78:6e:dc:f1:91:e0:f9:59:b5:10:e1:
f2:bf:fe:c2:4a:62:17:2f:5e:da:d3:6a:58:4b:61:72:13:ea:
6f:24:be:04:c6:08:21:c2:80:c4:ee:dd:42:61:b9:2f:49:70:
48:4c:6b:f8:bf:4a:65:01:40:13:c8:c7:06:7f:6e:dc:48:f7:
04:65:d5:4b:41:69:43:f1:0d:91:a3:fe:9d:b7:1f:0f:74:59:
27:c0:3e:2a:2f:28:0b:76:39:fc:48:fa:6c:71:3f:b6:01:14:
20:cd:0a:ef:3f:0f:3f:1e:79:29:6f:aa:5c:6f:30:3f:98:fe:
b1:2c:46:30:78:65:0b:3c:fc:d1:0e:ce:98:ed:cd:f9:f3:65:
99:0c:5c:ec:bb:ea:7d:2d:9d:2c:fb:33:9e:20:4f:fc:3f:92:
27:a3:1f:87:a9:01:62:f0:e5:ec:19:76:ea:44:27:d9:be:55:
ce:16:0a:15:74:22:03:e0:e3:e7:3e:28:15:c5:ad:24:fd:41:
a3:e9:b4:b4:83:07:df:cc:81:4c:bc:12:43:1c:4d:b6:c6:1b:
b7:eb:c6:db
//move the certificate and key to the directory that will hold the site's TLS material
[root@centos8 certs]# mkdir /etc/httpd/conf.d/ssl
[root@centos8 certs]# mv /etc/pki/tls/certs/bokebi.cn.* /etc/httpd/conf.d/ssl
//point the ssl config file shipped by mod_ssl at them
[root@centos8 ~]# vim /etc/httpd/conf/ssl.conf
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/conf.d/ssl/bokebi.cn.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/bokebi.cn.key
- Check the syntax with httpd -t, restart httpd and open https://192.168.26.18 in a browser: the certificate details now show the subject www.bokebi.cn, confirming the new certificate is being served. The browser still warns, because the certificate is self-signed and 192.168.26.18 is not the name in it; the warning only disappears with a certificate issued by a CA the browser trusts, for the name the browser is asked to visit. The key file must stay readable by root only (the mv keeps the mode 600 set by the Makefile)
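The certificate checks (a) to (e) listed at the start of this section, exercised with a real TLS handshake over loopback; this is an added example, not code from the page or from the httpd project. It assumes the openssl command-line tool (1.1.1 or newer, for -addext) is on PATH; the name www.bokebi.cn is reused from the page and is never resolved, every connection goes to 127.0.0.1. The first case is what a browser does with a certificate like localhost.crt (issuer not trusted), the second trusts the certificate but visits the wrong name, the third is the working configuration:

```python
"""Added example: server-certificate validation with a self-signed certificate
(assumes the openssl CLI is installed; the host name is from the page)."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "www.bokebi.cn"          # name the certificate is issued for (from the page)


def make_self_signed(workdir, cn, days=365):
    """Same result as `make bokebi.cn.crt`: an RSA key and a self-signed
    certificate whose Subject Alternative Name carries the host name."""
    key = os.path.join(workdir, f"{cn}.key")
    crt = os.path.join(workdir, f"{cn}.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
         "-days", str(days), "-subj", f"/C=CN/O=magedu/CN={cn}",
         "-addext", f"subjectAltName=DNS:{cn}",
         "-keyout", key, "-out", crt],
        check=True, capture_output=True)
    os.chmod(key, 0o600)        # like umask 77 in the Makefile: owner-only key
    return key, crt


def serve_once(listener, crt, key):
    """Minimal TLS server: accept one client, finish the handshake, send one reply.
    When the client rejects the certificate, the handshake fails on this side too."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
    except OSError:
        conn.close()


def attempt(crt, key, cafile, server_hostname):
    """One client connection. cafile=None means the system trust store (what a
    browser has); otherwise the given certificate is trusted as a CA.
    Returns ('ok', protocol_version) or ('rejected', reason)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_once, args=(listener, crt, key), daemon=True)
    server.start()
    ctx = ssl.create_default_context(cafile=cafile)   # (a)(b)(c): signature, integrity, validity
    ctx.check_hostname = True                         # (e): SAN/CN must match server_hostname
    # (d) revocation is not checked by default: it needs a CRL loaded with
    # load_verify_locations() plus verify_flags |= VERIFY_CRL_CHECK_LEAF, or OCSP
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.recv(1024)
            return "ok", tls.version()
    except ssl.SSLCertVerificationError as err:
        return "rejected", err.verify_message
    finally:
        server.join(timeout=5)
        listener.close()


def run_demo():
    with tempfile.TemporaryDirectory() as workdir:
        key, crt = make_self_signed(workdir, HOST)
        return {
            # a browser facing localhost.crt: the issuer is not a trusted CA
            "untrusted_ca": attempt(crt, key, None, HOST),
            # CA trusted, but the name being visited is not the one in the certificate
            "wrong_name": attempt(crt, key, crt, "www.example.com"),
            # CA trusted and the name matches: the handshake completes
            "trusted_match": attempt(crt, key, crt, HOST),
        }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:14} -> {outcome}")
```

The rejected cases fail before any HTTP is exchanged: the client sends a TLS alert and the server never sees a request, which is exactly what the browser warning page hides from the user.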
3.27 URL redirection
- URL redirection: the server answers a request for one URL by telling the client to fetch another URL instead
- Directive: Redirect [status] URL-path URL
status
permanent: returns the permanent redirect status code 301; browsers and caches remember it
temp: returns the temporary redirect status code 302; this is the default
- Example: send every request on this host to the https site
[root@webhost ~]# vim /etc/httpd/conf.d/custom.conf
Redirect temp / https://www.suosuoli.com/
[root@webhost ~]# systemctl restart httpd
- Caveat: put such a catch-all redirect only in the http (port 80) virtual host; inside the https virtual host it would redirect to itself forever. Because a 301 is cached by browsers, test with temp and switch to permanent once the target is known to be right
3.28 Implementing HSTS
- HSTS: HTTP Strict Transport Security. Once the server is configured for it, its HTTPS responses carry a Strict-Transport-Security header. A browser that has seen the header rewrites every later http:// request for that host into https:// internally (shown as a 307 in the developer tools) before anything is put on the network, so the plain-HTTP request that an attacker could intercept or downgrade is never sent again until max-age expires
- HSTS preload list: the list of HSTS sites built into the Chrome browser; sites on it are switched to HTTPS even on the very first visit. Firefox, Safari and Edge use the same list. Getting listed requires a max-age of at least one year, includeSubDomains and the preload token in the header
vim /etc/httpd/conf/httpd.conf
Header always set Strict-Transport-Security "max-age=31536000"   # seconds the browser keeps the policy (one year here), not a redirect delay
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302]
- Notes: Header needs mod_headers and RewriteRule needs mod_rewrite. Browsers ignore the HSTS header on plain-HTTP responses, so set it inside the https virtual host; put the RewriteRule only in the http virtual host (or guard it with a RewriteCond on %{HTTPS}), otherwise the https host redirects to itself in a loop. [redirect=302] is the long form of [R=302]; once the setup is verified, use a 301
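A model of what the browser does with the two mechanisms from 3.27 and 3.28, the server-side redirect and the HSTS header; this is an added example, not code from the page or from httpd. It uses only the standard library and no network: the response headers are constructed samples, the host names are the page's, and the clock is injected so the max-age expiry can be shown. It also goes one step beyond the text by showing what includeSubDomains does and does not cover.

```python
"""Added example: browser-side handling of Redirect (3.27) and HSTS (3.28).
No network; sample headers are constructed, host names are from the page."""
import time
from urllib.parse import urlsplit, urlunsplit


def to_https(url):
    """Same URL on https; an explicit :80 of the plain-HTTP origin is dropped."""
    p = urlsplit(url)
    netloc = p.netloc[:-3] if p.netloc.endswith(":80") else p.netloc
    return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def server_redirect(url, permanent=False):
    """What `Redirect temp /` (or the RewriteRule with [R=302]) in the http
    virtual host answers: status code plus Location. None for https requests,
    because a catch-all redirect in the https host would loop."""
    if urlsplit(url).scheme != "http":
        return None
    return (301 if permanent else 302), to_https(url)   # Redirect's default is temp


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797). max-age is mandatory;
    returns (max_age, include_subdomains, preload), or None if invalid."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, include_sub, preload)


class HstsStore:
    """The browser's HSTS memory: host -> (expiry time, includeSubDomains)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.hosts = {}

    def observe(self, url, headers):
        """Record the policy from a response. Only honoured over https (RFC 6797
        section 8.1): an HSTS header on a plain-HTTP response is ignored, which
        is why the Header directive belongs in the https virtual host."""
        p = urlsplit(url)
        value = next((v for k, v in headers if k.lower() == "strict-transport-security"), None)
        if p.scheme != "https" or value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_sub, _ = parsed
        host = p.hostname.lower()
        if max_age == 0:
            self.hosts.pop(host, None)      # max-age=0 tells the browser to forget the host
        else:
            self.hosts[host] = (self.clock() + max_age, include_sub)
        return True

    def is_known(self, host):
        """Covered by its own entry, or by a parent domain that set includeSubDomains."""
        labels = host.lower().split(".")
        now = self.clock()
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def navigate(self, url):
        """Before any packet is sent: http:// to a known host becomes an internal
        307 to https://. Returns (307, https_url), or (None, url) if untouched."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known(p.hostname):
            return 307, to_https(url)
        return None, url


# Constructed sample response headers, as the https virtual host would send them
SAMPLE_HEADERS = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]


def demo():
    """First visit: the server redirects. Later visits: the browser does it itself."""
    now = [1_700_000_000.0]
    store = HstsStore(clock=lambda: now[0])
    out = {}
    out["first_visit"] = server_redirect("http://www.bokebi.cn/index.html?q=1")
    out["hsts_over_http_ignored"] = store.observe("http://www.bokebi.cn/", SAMPLE_HEADERS)
    out["hsts_over_https_stored"] = store.observe("https://www.bokebi.cn/", SAMPLE_HEADERS)
    out["second_visit"] = store.navigate("http://www.bokebi.cn:80/index.html")
    out["subdomain"] = store.navigate("http://cdn.www.bokebi.cn/img.png")   # child of www.bokebi.cn
    out["sibling_not_covered"] = store.navigate("http://api.bokebi.cn/v1")  # not under www.bokebi.cn
    out["other_site"] = store.navigate("http://www.example.com/")
    now[0] += 31536000 + 1                  # one year later: the policy has expired
    out["after_expiry"] = store.navigate("http://www.bokebi.cn/")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```

The "sibling_not_covered" case is the practical reason to send the header from the bare domain as well when subdomains should be protected: includeSubDomains only covers names under the host that sent it.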
3.29 Forward proxy and reverse proxy
- Forward proxy
Main purpose: serves the clients, typically adding a cache. It is enabled with ProxyRequests On and must then be restricted with a <Proxy> block and Require rules; without that restriction the host is an open proxy that anyone on the Internet can relay traffic through
- Reverse proxy
Main purpose: sits in front of back-end servers and distributes (schedules) requests to them. ProxyRequests stays Off (the default); only the mappings below are needed
ProxyPass "/" "http://www.example.com/"
ProxyPassReverse "/" "http://www.example.com/"
- Reverse-proxying a specific URL prefix only (connectiontimeout and timeout are per-mapping parameters, in seconds)
ProxyPass "/images" "http://www.example.com/" connectiontimeout=5 timeout=30
ProxyPassReverse "/images" http://www.example.com/
- Example
<VirtualHost *>
ServerName www.bokebi.cn
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
- ProxyPass forwards matching requests to the back end; ProxyPassReverse rewrites the Location (and Content-Location, URI) headers of the back end's redirects so the client is sent back through the proxy instead of to the internal address. Both need mod_proxy and mod_proxy_http
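A working reverse proxy in plain Python that does what the three directives above do, as an added example that is not code from the page or from mod_proxy. map_request() is ProxyPass (prefix to back-end URL), reverse_location() is ProxyPassReverse (rewriting the back end's Location header so redirects come back through the proxy), and the ProxyRequests Off rule is enforced by refusing absolute-URI request targets, which is what keeps a reverse proxy from being an open forward proxy. Everything runs on 127.0.0.1 with a constructed back end standing in for localhost:8080; the name www.bokebi.cn comes from the page, the ports are chosen at run time.

```python
"""Added example: ProxyPass / ProxyPassReverse / ProxyRequests Off in Python.
Loopback only; the back end is a constructed stand-in for localhost:8080."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PUBLIC_BASE = "http://www.bokebi.cn"   # ServerName of the proxy vhost (from the page)


def map_request(path, mappings):
    """ProxyPass: the first matching prefix is replaced by its back-end URL and the
    rest of the path is appended (keep trailing slashes consistent on both sides)."""
    for prefix, backend in mappings:
        if path.startswith(prefix):
            return backend + path[len(prefix):]
    return None                        # no mapping: not proxied


def reverse_location(location, mappings, public_base=PUBLIC_BASE):
    """ProxyPassReverse: a Location pointing at the back end's internal address is
    rewritten so the client is sent back through the proxy."""
    for prefix, backend in mappings:
        if location.startswith(backend):
            return public_base + prefix + location[len(backend):]
    return location                    # external target: left alone


class Backend(BaseHTTPRequestHandler):
    """Constructed application: /login redirects to its own internal address
    (the case ProxyPassReverse exists for); everything else answers 200."""
    def do_GET(self):
        if self.path == "/login":
            host, port = self.server.server_address
            self.send_response(302)
            self.send_header("Location", f"http://{host}:{port}/login/form")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = f"backend saw {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


class ReverseProxy(BaseHTTPRequestHandler):
    """The <VirtualHost> above: ProxyPass / ProxyPassReverse with ProxyRequests Off."""
    mappings = []                      # filled in by run_demo

    def do_GET(self):
        if self.path.startswith(("http://", "https://")):
            # absolute-URI target = forward-proxy request; with ProxyRequests Off it is
            # refused, otherwise this host would be an open proxy for the Internet
            self.send_error(403, "forward proxying disabled")
            return
        target = map_request(self.path, self.mappings)
        if target is None:
            self.send_error(404)
            return
        backend_host, _, backend_path = target.split("://", 1)[1].partition("/")
        upstream = http.client.HTTPConnection(backend_host, timeout=5)
        upstream.request("GET", "/" + backend_path, headers={
            "Host": backend_host,                        # default without ProxyPreserveHost
            "X-Forwarded-For": self.client_address[0],   # as mod_proxy_http adds it
        })
        resp = upstream.getresponse()
        body = resp.read()
        self.send_response(resp.status)
        for name, value in resp.getheaders():
            if name.lower() == "location":
                value = reverse_location(value, self.mappings)
            if name.lower() in ("content-type", "content-length", "location"):
                self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)
        upstream.close()

    def log_message(self, *args):
        pass


def run_demo():
    """Start back end and proxy on random loopback ports; send three requests via the proxy."""
    backend = HTTPServer(("127.0.0.1", 0), Backend)
    bhost, bport = backend.server_address
    ReverseProxy.mappings = [("/", f"http://{bhost}:{bport}/")]   # ProxyPass / http://localhost:8080/
    proxy = HTTPServer(("127.0.0.1", 0), ReverseProxy)
    for srv in (backend, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()

    def get(target):
        conn = http.client.HTTPConnection("127.0.0.1", proxy.server_address[1], timeout=5)
        conn.putrequest("GET", target, skip_host=True)
        conn.putheader("Host", "www.bokebi.cn")
        conn.endheaders()
        resp = conn.getresponse()
        result = (resp.status, resp.getheader("Location"), resp.read().decode(errors="replace"))
        conn.close()
        return result

    try:
        return {"proxied": get("/app/index.html"),
                "redirect_rewritten": get("/login"),
                "forward_refused": get("http://www.example.com/")}
    finally:
        for srv in (backend, proxy):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:20} {value}")
```

Without the reverse_location() step the client would receive Location: http://127.0.0.1:<port>/login/form and be sent straight at the internal address, which is the behaviour ProxyPassReverse prevents.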
3.30 The sendfile mechanism
Directive: EnableSendfile On   (Off by default since httpd 2.3.9)
- What sendfile is
- The traditional transfer path without sendfile: read(file, tmp_buf, len) followed by write(socket, tmp_buf, len): disk >> kernel buffer >> user buffer >> kernel socket buffer >> protocol stack
- An ordinary network application reads the data from disk and writes it to the socket. What happens underneath:
- The read() system call causes a context switch from user mode to kernel mode; DMA then copies the file data from disk into a kernel buffer
- The data is copied from the kernel buffer into the user buffer, read() returns, and there is another context switch, from kernel mode back to user mode
- The write() system call switches from user mode to kernel mode again and copies the data read in step 2 from the user buffer into a kernel buffer (the second copy into kernel space), this time a different kernel buffer, the one associated with the socket
- write() returns, switching from kernel mode to user mode (the fourth switch); DMA then copies the data from the socket buffer to the protocol stack (the fourth copy)
These four steps involve four context switches and four copies; reducing the number of switches and copies improves performance noticeably
- Linux added the sendfile() system call in kernel 2.2 to simplify the steps above and improve performance. sendfile() reduces both the number of context switches and the number of copies
- Network transfer with sendfile(): sendfile(socket, file, len); disk -> kernel buffer (fast copy into the kernel socket buffer) -> protocol stack
- sendfile() uses DMA to copy the disk data into a kernel buffer, then the kernel copies the data directly into the other kernel buffer associated with the socket. There is no switch between user mode and kernel mode; the buffer-to-buffer copy happens entirely inside the kernel
- DMA then copies the data from the kernel socket buffer to the protocol stack: no switch, and no copy from user mode to kernel mode, because the data never left the kernel
- Caveat: httpd's sendfile support is safe for static files on local disks. On network filesystems (NFS, SMB) the kernel may serve stale or truncated content when a file changes on the share, which is why EnableSendfile is Off by default and should stay Off for such a DocumentRoot
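The two transfer paths described above, run against a constructed 512 KiB file over a loopback socketpair; this is an added example, not code from the page or from httpd. send_via_buffer() is the read()/write() path where every byte crosses into user space, send_via_sendfile() is the sendfile() path where the process never touches the data. It assumes Linux (os.sendfile with the out_fd, in_fd, offset, count signature) and involves no network.

```python
"""Added example: read()/write() versus sendfile() over a socketpair (Linux assumed)."""
import hashlib
import os
import socket
import tempfile
import threading


def _drain(sock, results):
    """Receiver side: read until the sender shuts down, record size and digest."""
    digest = hashlib.sha256()
    total = 0
    while True:
        buf = sock.recv(65536)
        if not buf:
            break
        digest.update(buf)
        total += len(buf)
    results.append((total, digest.hexdigest()))


def send_via_buffer(path, out_sock, bufsize=65536):
    """Traditional path: read() into a user-space buffer, then write() it out.
    Each chunk is copied page cache -> user buffer -> socket buffer."""
    sent = 0
    with open(path, "rb") as f:
        while True:
            tmp_buf = f.read(bufsize)
            if not tmp_buf:
                break
            out_sock.sendall(tmp_buf)
            sent += len(tmp_buf)
    return sent


def send_via_sendfile(path, out_sock):
    """sendfile(socket, file, len): the kernel moves the pages from the page cache
    to the socket buffer; this process never sees the bytes. A single call may
    send less than asked, so loop on the offset until the whole file is out."""
    sent = 0
    with open(path, "rb") as f:
        size = os.fstat(f.fileno()).st_size
        while sent < size:
            n = os.sendfile(out_sock.fileno(), f.fileno(), sent, size - sent)
            if n == 0:
                break            # EOF before size: the file was truncated underneath us
            sent += n
    return sent


def transfer(path, sender):
    """Run one sender against a receiver thread; return (sent, (received, sha256))."""
    a, b = socket.socketpair()
    results = []
    receiver = threading.Thread(target=_drain, args=(b, results))
    receiver.start()
    try:
        sent = sender(path, a)
    finally:
        a.shutdown(socket.SHUT_WR)
        a.close()
    receiver.join()
    b.close()
    return sent, results[0]


def demo(size=512 * 1024):
    """Constructed sample file of random bytes; both paths must deliver it intact."""
    data = os.urandom(size)
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
    try:
        expected = hashlib.sha256(data).hexdigest()
        out = {}
        for name, fn in (("read_write", send_via_buffer), ("sendfile", send_via_sendfile)):
            sent, (received, digest) = transfer(f.name, fn)
            out[name] = (sent, received, digest == expected)
        return out
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} sent={value[0]} received={value[1]} intact={value[2]}")
```

The n == 0 branch is the failure mode behind the NFS caveat: if the file shrinks while it is being sent, sendfile() stops early and the response is truncated, which httpd cannot detect once the headers have gone out.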