Common Apache configuration
When httpd is installed from source, the httpd command cannot be used directly because the shell does not find it. Create a script httpd.sh under /etc/profile.d/ that adds the absolute path of the Apache installation to the PATH environment variable.
Switching the MPM (edit the file /etc/httpd/conf.modules.d/00-mpm.conf)
There are three processing models:
- prefork
- event
- worker
When httpd is compiled from source, the MPM is fixed at build time and cannot be switched afterwards, but its parameters can still be tuned:
[root@localhost /]# vim /etc/httpd24/extra/httpd-mpm.conf
……
# number of server processes started at launch
StartServers 5
# minimum number of idle (spare) server processes
MinSpareServers 5
# maximum number of idle (spare) server processes
MaxSpareServers 10
# maximum number of requests served simultaneously, i.e. of worker processes
MaxRequestWorkers 250
# maximum number of connections a child process handles before it is recycled; 0 means no limit
MaxConnectionsPerChild 0
……
Access control rules:
| Rule | Function |
|---|---|
| Require all granted | allow access from all hosts |
| Require all denied | deny access from all hosts |
| Require ip IPADDR | allow access from the given source address |
| Require not ip IPADDR | deny access from the given source address |
| Require host HOSTNAME | allow access from the given source host name |
| Require not host HOSTNAME | deny access from the given source host name |

| IPADDR forms | HOSTNAME forms |
|---|---|
| IP: 192.168.1.1; Network/mask: 192.168.1.0/255.255.255.0; Network/length: 192.168.1.0/24; Net: 192.168 | FQDN: full name of a specific host; DOMAIN: every host in the given domain |
Note: httpd 2.4 denies access from all hosts by default, so after installation you must grant access explicitly.
Example:
# directory path
<Directory /var/www/html/www>
    <RequireAll>
        # deny access from the IP 192.168.1.20
        Require not ip 192.168.1.20
        # allow access from all other hosts
        Require all granted
    </RequireAll>
</Directory>
<Directory />
    AllowOverride none
    # deny access from all hosts
    Require all denied
</Directory>
# document root of the httpd site
<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks
    # allow access from all hosts
    Require all granted
</Directory>
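The rules above are easy to get wrong in the other direction: a "Require all granted" that lands in the root <Directory /> block silently undoes the default-deny of httpd 2.4, and "Options Indexes" on a world-readable directory exposes file names. The following audit, an added example that is not part of the original post, walks the <Directory> blocks of a configuration read from stdin and flags both cases. It uses only POSIX sh and awk; the two configurations embedded in it are constructed samples, one broken and one matching the post's example.

```shell
#!/bin/sh
# Added example, not from the original post: audit the <Directory> access rules of an
# httpd 2.4 configuration (read from stdin) and report
#   HIGH    "Require all granted" inside <Directory /> (the filesystem root);
#   MEDIUM  "Options Indexes" in a directory that everyone may read (directory listings).
# POSIX sh + awk only; the configurations below are constructed samples.

# usage: audit_dir_access < httpd.conf   (prints one finding per line, nothing when clean)
audit_dir_access() {
    awk '
        /^[ \t]*<Directory[ \t]/ {
            dir = $0
            sub(/^[ \t]*<Directory[ \t]+/, "", dir)   # strip the opening tag ...
            sub(/[ \t]*>.*$/, "", dir)                # ... and the closing bracket
            gsub(/"/, "", dir)
            granted = 0; indexes = 0
            next
        }
        /^[ \t]*<\/Directory>/ {
            if (dir == "/" && granted)
                print "HIGH: <Directory /> grants access to everyone (expected: Require all denied)"
            if (indexes && granted)
                print "MEDIUM: directory listings enabled for everyone in " dir
            dir = ""
            next
        }
        dir != "" && tolower($1) == "require" && tolower($2) == "all" && tolower($3) == "granted" {
            granted = 1
        }
        dir != "" && tolower($1) == "options" {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == "indexes" || tolower($i) == "+indexes") indexes = 1
        }
    '
}

# Constructed sample 1: root directory opened up and listings enabled everywhere.
BAD_CONF='
<Directory />
    AllowOverride none
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
'

# Constructed sample 2: root denied, document root granted except one address, no listings.
GOOD_CONF='
<Directory />
    AllowOverride none
    Require all denied
</Directory>
<Directory "/usr/local/apache/htdocs">
    Options FollowSymLinks
    <RequireAll>
        Require not ip 192.168.1.20
        Require all granted
    </RequireAll>
</Directory>
'

# Stand-alone demo: the broken sample yields three findings, the clean one none.
printf '%s\n' "$BAD_CONF" | audit_dir_access
```

Feed it the real file with `audit_dir_access < /etc/httpd24/httpd.conf` (and the extra/ files it includes); an empty output means neither pattern was found. The check is deliberately coarse: it looks at the "Require all granted" and "Options" lines inside each block and ignores Location and .htaccess overrides.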
Virtual host configuration
There are three kinds of virtual hosts:
- same IP, different ports
- different IPs, same port
- same IP, same port, different domain names (the common approach)
Before configuring virtual hosts, uncomment the httpd-vhosts.conf line in the main configuration file so that httpd-vhosts.conf is included:
[root@localhost htdocs]# vim /etc/httpd24/httpd.conf
Include /etc/httpd24/extra/httpd-vhosts.conf
Meaning of the httpd-vhosts.conf parameters:
# address and port of the virtual host
<VirtualHost *:80>
    # administrator's e-mail address
    ServerAdmin webmaster@dummy-host.example.com
    # document root of the site
    DocumentRoot "/usr/local/apache/docs/dummy-host.example.com"
    # domain name of the site
    ServerName dummy-host.example.com
    # alias of the site
    ServerAlias www.dummy-host.example.com
    # error log location; "logs" is relative to the Apache root directory
    ErrorLog "logs/dummy-host.example.com-error_log"
    # access log location; "common" is the name of the log format and is written as-is
    CustomLog "logs/dummy-host.example.com-access_log" common
</VirtualHost>
Same IP, different ports: configure one virtual host per port (port 81 also needs its own Listen directive):
<VirtualHost *:80>
DocumentRoot "/usr/local/apache/htdocs/test1"
ServerName test1.com
ErrorLog "logs/test1.com-error_log"
CustomLog "logs/test1.com-access_log" common
</VirtualHost>
Listen 81
<VirtualHost *:81>
DocumentRoot "/usr/local/apache/htdocs/test2"
ServerName test2.com
ErrorLog "logs/test2.com-error_log"
CustomLog "logs/test2.com-access_log" common
</VirtualHost>
Restart the service, then access the sites through the same IP on the two different ports:
[root@localhost htdocs]# systemctl restart httpd
[root@localhost htdocs]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:81 *:*
LISTEN 0 128 [::]:22 [::]:*
Test page:


Different IPs, same port:
First assign two IP addresses to the network interface, then restart the interface:
[root@localhost htdocs]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# ls
ifcfg-ens33
[root@localhost network-scripts]# vim ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR1=192.168.247.137
PREFIX1=24
GATEWAY=192.168.247.2
DNS1=114.114.114.114
IPADDR2=192.168.247.100
PREFIX2=24
[root@localhost network-scripts]# ifdown ens33;ifup ens33
[root@localhost network-scripts]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:4b:b2:69 brd ff:ff:ff:ff:ff:ff
inet 192.168.247.137/24 brd 192.168.247.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet 192.168.247.100/24 brd 192.168.247.255 scope global secondary noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe4b:b269/64 scope link
valid_lft forever preferred_lft forever
Configure one virtual host per IP on the same port, then restart the service:
[root@localhost htdocs]# vim /etc/httpd24/extra/httpd-vhosts.conf
<VirtualHost 192.168.247.137:80>
DocumentRoot "/usr/local/apache/htdocs/test1"
ServerName test1.com
ErrorLog "logs/test1.com-error_log"
CustomLog "logs/test1.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.247.100:80>
DocumentRoot "/usr/local/apache/htdocs/test2"
ServerName test2.com
ErrorLog "logs/test2.com-error_log"
CustomLog "logs/test2.com-access_log" common
</VirtualHost>
[root@localhost htdocs]# systemctl restart httpd
Test page:


Same IP, same port, different domain names (name-based virtual hosts):
[root@localhost htdocs]# vim /etc/httpd24/extra/httpd-vhosts.conf
<VirtualHost 192.168.247.137:80>
DocumentRoot "/usr/local/apache/htdocs/test1"
ServerName test1.com
ErrorLog "logs/test1.com-error_log"
CustomLog "logs/test1.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.247.100:80>
DocumentRoot "/usr/local/apache/htdocs/test2"
ServerName test2.com
ErrorLog "logs/test2.com-error_log"
CustomLog "logs/test2.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.247.100:80>
DocumentRoot "/usr/local/apache/htdocs/test3"
ServerName test3.com
ErrorLog "logs/test3.com-error_log"
CustomLog "logs/test3.com-access_log" common
</VirtualHost>
[root@localhost htdocs]# systemctl restart httpd
Edit the hosts file to resolve the virtual hosts' domain names locally:
Drag C:\windows\system32\drivers\etc\hosts to the desktop, open it as administrator, and add the domain names and the IP in the following format:
192.168.247.100 test2.com test3.com
Finally drag the hosts file back to its original directory.
Test page:


CA certificate configuration (HTTPS)
Enable the SSL module:
Edit /etc/httpd24/httpd.conf, find the following two lines and uncomment them:
LoadModule ssl_module modules/mod_ssl.so
Include /etc/httpd24/extra/httpd-ssl.conf
Meaning of the httpd-ssl.conf parameters:
<VirtualHost _default_:443>
    # General setup for the virtual host
    # document root of the HTTPS site
    DocumentRoot "/usr/local/apache/htdocs"
    # domain name
    ServerName www.example.com:443
    # administrator's e-mail address
    ServerAdmin you@example.com
    # path of the error log file
    ErrorLog "/usr/local/apache/logs/error_log"
    # path of the access log file
    TransferLog "/usr/local/apache/logs/access_log"
……
Modify the httpd-ssl.conf configuration file:
<VirtualHost _default_:443>
    # General setup for the virtual host
    DocumentRoot "/usr/local/apache/htdocs/test2"
    ServerName test2.com:443
    ErrorLog "/usr/local/apache/logs/test2.com-error_log"
    TransferLog "/usr/local/apache/logs/test2.com-access_log"
……
    # location of the server certificate
    SSLCertificateFile "/etc/httpd24/httpd.crt"
……
    # location of the server's private key
    SSLCertificateKeyFile "/etc/httpd24/httpd.key"
……
After editing, check the configuration for syntax errors:
[root@localhost network-scripts]# apachectl -t
AH00526: Syntax error on line 92 of /etc/httpd24/extra/httpd-ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
[root@localhost network-scripts]# vim /etc/httpd24/extra/httpd-ssl.conf
#SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
Commented out because the file /usr/local/apache/logs/ssl_scache does not exist.
Running the syntax check again still reports an error, because our certificate has not yet been generated in the target directory.
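The AH00526 message above names the actual cause: SSLSessionCache asks for a "shmcb" cache, but mod_socache_shmcb is not loaded. Uncommenting `LoadModule socache_shmcb_module modules/mod_socache_shmcb.so` in httpd.conf keeps the TLS session cache (and with it session resumption), which is the usual fix rather than disabling the cache. The pre-flight check below, an added example that is not part of the original post, reproduces both errors from this section on constructed copies of httpd.conf and httpd-ssl.conf and also reports a private key that is readable by group or others. Paths follow the post's /etc/httpd24 layout only inside the constructed samples; any path works.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for the TLS configuration.
# It reports
#   * ssl_module not loaded;
#   * SSLSessionCache using "shmcb:" while socache_shmcb_module is not loaded (AH00526 above);
#   * SSLCertificateFile / SSLCertificateKeyFile pointing at files that do not exist yet;
#   * a private key that is readable by group or others.
# The sample files written by make_sample / fix_sample are constructed for the example.

# active (non-comment) directive lines of a file
active() { grep -v '^[[:space:]]*#' "$1"; }

# usage: check_ssl_prereqs <httpd.conf> <httpd-ssl.conf>  -> one finding per line, nothing when clean
check_ssl_prereqs() {
    main=$1 ssl=$2
    active "$main" | grep -qi 'LoadModule[[:space:]]*ssl_module' \
        || echo "ssl_module is not loaded in $main"
    if active "$ssl" | grep -qi 'SSLSessionCache[[:space:]]*"*shmcb:'; then
        active "$main" | grep -qi 'LoadModule[[:space:]]*socache_shmcb_module' \
            || echo "SSLSessionCache uses shmcb but socache_shmcb_module is not loaded in $main"
    fi
    for directive in SSLCertificateFile SSLCertificateKeyFile; do
        path=$(active "$ssl" | awk -v d="$directive" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }')
        if [ -z "$path" ]; then
            echo "$directive is not set in $ssl"
        elif [ ! -f "$path" ]; then
            echo "$directive points at a missing file: $path"
        elif [ "$directive" = SSLCertificateKeyFile ] && [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            echo "private key $path is readable by group/others (chmod 600)"
        fi
    done
}

# Constructed sample of the situation in the post: ssl_module on, socache_shmcb still
# commented out, certificate and key not generated yet.  usage: make_sample <dir>
make_sample() {
    dir=$1
    cat > "$dir/httpd.conf" <<EOF
LoadModule ssl_module modules/mod_ssl.so
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include $dir/httpd-ssl.conf
EOF
    cat > "$dir/httpd-ssl.conf" <<EOF
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLCertificateFile "$dir/httpd.crt"
SSLCertificateKeyFile "$dir/httpd.key"
EOF
}

# The corrected state: module loaded, key and certificate present, key created with umask 077.
# (Empty placeholder files stand in for the real key and certificate.)  usage: fix_sample <dir>
fix_sample() {
    dir=$1
    cat > "$dir/httpd.conf" <<EOF
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include $dir/httpd-ssl.conf
EOF
    (umask 077; : > "$dir/httpd.key")
    : > "$dir/httpd.crt"
}

# Stand-alone demo: three findings on the broken sample, none after the fix
demo=$(mktemp -d)
make_sample "$demo"
check_ssl_prereqs "$demo/httpd.conf" "$demo/httpd-ssl.conf"
rm -rf "$demo"
```

On a real server call it as `check_ssl_prereqs /etc/httpd24/httpd.conf /etc/httpd24/extra/httpd-ssl.conf` before `apachectl -t`; it only reads the two files and the file modes, so it is safe to run as an unprivileged user who can read the configuration.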
The CA generates its private key:
[root@localhost CA]# mkdir private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
........................+++++
...............+++++
e is 65537 (0x010001)
The CA generates its self-signed certificate:
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:ha
Organizational Unit Name (eg, section) []:ha
Common Name (eg, your name or your server's hostname) []:test2.com
Email Address []:1@1.com
The client (the web server) generates its private key:
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................+++++
..........................................................................................................................................+++++
e is 65537 (0x010001)
The client generates a certificate signing request:
[root@localhost CA]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:ha
Organizational Unit Name (eg, section) []:ha
Common Name (eg, your name or your server's hostname) []:test2.com
Email Address []:1@1.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The CA signs the certificate request submitted by the client:
[root@localhost CA]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 27 09:28:43 2021 GMT
Not After : Apr 27 09:28:43 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = ha
organizationalUnitName = ha
commonName = test2.com
emailAddress = 1@1.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
70:0C:C7:BB:B4:AB:09:53:3D:2A:97:CA:3A:C9:78:F9:C5:7B:99:3E
X509v3 Authority Key Identifier:
keyid:B0:D2:2C:1C:EE:3D:D5:75:E8:A7:09:DF:04:DA:48:50:50:DE:42:6E
Certificate is to be certified until Apr 27 09:28:43 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Move the certificate and the key to the configured directory, then restart the service:
[root@localhost CA]# mv httpd.key httpd.crt /etc/httpd24/
[root@localhost CA]# systemctl restart httpd
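The same private-CA flow as above (CA key, self-signed CA certificate, server key, CSR, CA-signed server certificate), written as a script that runs without prompts in a scratch directory. This is an added example, not the commands of the original post, and it departs from the interactive session in four deliberate ways: the subjects are passed with -subj; the CA certificate is marked CA:TRUE with keyCertSign from a small config written by the script instead of relying on the system openssl.cnf; the server certificate gets a subjectAltName (DNS:test2.com), since browsers match the host name against the SAN and no longer accept a bare commonName; and `openssl x509 -req` signs the CSR directly, so no index.txt/serial database is needed. It ends with the three checks worth running before moving the files into /etc/httpd24: the certificate chains to the CA and matches the host name, the key belongs to the certificate, and the key is not readable by group or others. It assumes the openssl command-line tool; all names and paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive private CA + server certificate,
# followed by the checks to run before the files go to /etc/httpd24. Assumes the openssl CLI.

DOMAIN=test2.com
SUBJ_CA="/C=CN/ST=HB/L=WH/O=ha/OU=ha/CN=example-private-CA"
SUBJ_SRV="/C=CN/ST=HB/L=WH/O=ha/OU=ha/CN=$DOMAIN"

# usage: build_pki <workdir>  -> writes cakey.pem cacert.pem httpd.key httpd.csr httpd.crt there
build_pki() {
    w=$1
    # minimal config: empty DN section (we use -subj) and explicit CA extensions
    cat > "$w/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # server (end-entity) extensions, including the SAN that clients actually check
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$DOMAIN" > "$w/server.ext"

    # CA: private key (mode 0600 through the umask) and self-signed certificate
    (umask 077; openssl genrsa -out "$w/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$w/openssl.cnf" -extensions v3_ca -key "$w/cakey.pem" \
        -subj "$SUBJ_CA" -days 365 -out "$w/cacert.pem" 2>/dev/null
    # server: private key and certificate signing request
    (umask 077; openssl genrsa -out "$w/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$w/openssl.cnf" -key "$w/httpd.key" -subj "$SUBJ_SRV" \
        -out "$w/httpd.csr" 2>/dev/null
    # CA signs the request and attaches the server extensions from server.ext
    openssl x509 -req -in "$w/httpd.csr" -CA "$w/cacert.pem" -CAkey "$w/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$w/server.ext" -out "$w/httpd.crt" 2>/dev/null
}

# Each check prints one line and returns 0 (ok) or 1 (problem).
check_chain() {      # leaf verifies against the CA and matches the host name via the SAN
    if openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$DOMAIN" "$1/httpd.crt" >/dev/null 2>&1
    then echo "ok: httpd.crt chains to cacert.pem and matches $DOMAIN"
    else echo "FAIL: chain or host name verification"; return 1
    fi
}
check_key_match() {  # the public key inside the certificate equals the one derived from the key
    if [ "$(openssl x509 -in "$1/httpd.crt" -noout -pubkey 2>/dev/null)" = \
         "$(openssl pkey -in "$1/httpd.key" -pubout 2>/dev/null)" ]
    then echo "ok: httpd.key matches httpd.crt"
    else echo "FAIL: key/certificate mismatch"; return 1
    fi
}
check_key_perms() {  # only the owner may read the key (0600), as the umask 077 above intends
    if [ "$(ls -ld "$1/httpd.key" | cut -c5-10)" = "------" ]
    then echo "ok: httpd.key is not readable by group/others"
    else echo "FAIL: httpd.key is readable by group/others (chmod 600)"; return 1
    fi
}

# Stand-alone demo in a scratch directory
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    build_pki "$work"
    check_chain "$work"; check_key_match "$work"; check_key_perms "$work"
    rm -rf "$work"
fi
```

`mv` preserves the 0600 mode the umask gave httpd.key, so the last check still holds after the files are moved to /etc/httpd24; a `cp` done as root with the default umask would not. Clients that should trust the site need cacert.pem imported, never cakey.pem, which stays on the CA machine.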
Test page:

Please credit the source when reproducing this article. Original link: https://www.uj5u.com/qita/280938.html
