Linux HTTP service
Basics of network service communication:
1. A port number is a process identifier; each user can open at most 1024 processes.
2. MAC addresses are used only for communication inside a LAN (local delivery); IP addresses carry traffic from the source host to the destination host across networks.
3. Port allocation:
0-1023: permanently assigned to fixed applications;
e.g. 80/http, 21/ftp, 25/smtp, 110/pop3, 143/imap4, etc.; only root may bind these privileged ports.
1024-41951: registered ports, not strictly enforced, e.g. 3306/mysql, 11211/memcached, etc.
41952-65535: random ports used by client programs, also called "dynamic ports" or private ports.
/proc/sys/net/ipv4/ip_local_port_range (defines the local port range)
4. The HTTP protocol:
Application-layer protocol: hypertext transfer
http/0.9
http/1.0: cache, MIME
MIME: Multipurpose Internet Mail Extensions
http/1.1: caching, conditional requests;
http/2.0:
HTML markup:
<html>
<head>
<title>MageEdu</title>
</head>
<body>
<h1> NI HAO </h1>
</body>
</html>
Implementations of the HTTP protocol:
Open-source implementations: httpd (apache), nginx, lighttpd, ...
C/S:
C: browser, user agent,
graphical browsers: chrome, ie, firefox, safari, opera, ...
text-mode browsers: elinks, curl, wget, ...
S: httpd (apache), nginx, lighttpd, ...
Communication model:
request/response
Connections are stateless; user identity is tracked with cookies; a "fat" cookie is stored on the client;
A complete HTTP request is handled in these steps:
(1) establish or accept the connection request;
(2) receive the request;
(3) parse and process the request;
(4) load the resource the user requested;
(5) build the response message;
(6) send the response message;
(7) record the access in the log;
Web resources:
url: uniform resource locator;
scheme://host[:port]/path
The root of the URL space is normally mapped to a path on the file system;
DocumentRoot /var/www/html/
/index.html -> /var/www/html/index.html
Alias /images/ /data/imgs/
/images/logo.jpg -> /data/imgs/logo.jpg
Metrics for site activity:
pv: page views
uv: unique visitors (number of distinct IP addresses that viewed the site)
HTTP message transactions: request/response
request:
<method> <url> <version>
HEADERS
<body>
response:
<version> <status> <reason-phrase>
HEADERS
<body>
HEADERS:
name: value
name: value
<method>: GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, ...
<status>:
1xx: informational
2xx: success
3xx: redirection
4xx: client error
5xx: server error
httpd features:
Highly modular design: core modules + standard modules + 3rd party modules
DSO: Dynamic Shared Object
MPM: Multi-Processing Modules
prefork: process-based
each process serves one request;
worker: thread-based
each thread serves one request;
event: thread-based
each process serves multiple requests;
Rich functionality:
CGI: dynamic sites;
virtual hosts: by IP, PORT or ServerName
reverse proxy: http, fcgi, wsgi, ajp, ...
load balancing:
...
Versions:
httpd program versions:
httpd-1.x
httpd-2.0
httpd-2.2
httpd-2.4
Installing and using httpd:
base (prefer the rpm packages shipped on the distribution media)
epel
Check whether the HTTP server package is installed:
[root@centos7 ipv4]# yum info httpd
Program environment:
Main program file:
/usr/sbin/httpd
Module files:
/usr/lib64/httpd/modules/*.so
Main configuration files:
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/*.conf
/etc/httpd/conf.modules.d/*.conf
Site document path:
/var/www/html
Log file path:
/var/log/httpd/
access_log: access log
error_log: error log
Unit File:
/usr/lib/systemd/system/httpd.service
Bundled control script:
/usr/sbin/apachectl
Start the HTTP service: systemctl start httpd.service
Start the HTTP service at boot: systemctl enable httpd.service
~]# ss -tnlp | grep ":80\>"
Open Firefox and visit the HTTP service:
Visiting by IP address shows the httpd welcome/test page.
After modifying the configuration files:
(1) test the syntax: httpd -t
(2) make the service reload its configuration
centos6~]# service httpd reload
centos7~]# systemctl reload httpd.service
Listening ports:
The address and port to listen on
Listen [ip:]port
Listen can be repeated to listen on several ports. When adding a port a reload is enough; when changing an existing port the service must be restarted.
Persistent connections:
persistent connection: after the TCP connection is established and the resource has been delivered, the connection is not closed but stays open waiting for requests for further resources;
How is it closed?
The server initiates the close, based on:
a request-count limit
a time limit
KeepAlive On|Off: whether persistent connections are enabled;
MaxKeepAliveRequests 100: how many requests may be served on one connection;
KeepAliveTimeout 10: how long an idle connection is kept before it is closed (the unit defaults to seconds; the ms suffix selects milliseconds)
Example:
Tuning keepalive (set KeepAlive Off to disable persistent connections):
vim /etc/httpd/conf.d/keepalive.conf
KeepAlive On
MaxKeepAliveRequests 50
KeepAliveTimeout 5
Use httpd -M to list all loaded modules:
-t -D DUMP_MODULES : show all loaded modules
-M : a synonym for -t -D DUMP_MODULES
Example:
[root@centos7 conf.modules.d]# httpd -M
To keep a module from loading, comment its LoadModule line out with "#" in /etc/httpd/conf.modules.d/00-base.conf and reload the httpd service:
Example:
[root@centos7 conf.modules.d]# vim /etc/httpd/conf.modules.d/00-base.conf
#LoadModule suexec_module modules/mod_suexec.so    (this line is now commented out)
[root@centos7 conf.modules.d]# httpd -M | grep "suexec"
[root@centos7 conf.modules.d]#
Main Server configuration:
(1) DocumentRoot
root path of the site documents;
(2) ServerName
server name;
Access authorization for site documents and many other per-location features are configured:
based on a file-system path:
<Directory "/PATH/TO/DIR">
</Directory>
Example:
Changing the site document root:
Create the new document root directory:
[root@centos7 conf]# mkdir -pv /web/htdocs
Write a test page:
[root@centos7 conf]# vim /web/htdocs/test.html
nihao
Reload the httpd service:
[root@centos7 conf]# systemctl reload httpd
Remove the default httpd welcome page:
[root@centos7 conf.d]# pwd
/etc/httpd/conf.d
[root@centos7 conf.d]# mv welcome.conf welcome.conf.bak
Access it with links:
[root@centos7 conf]# links 10.1.253.56/test.html
Options
Indexes Includes FollowSymLinks SymLinksIfOwnerMatch ExecCGI MultiViews
None
All
Indexes: directory index listing
FollowSymLinks: allow following symbolic links
ExecCGI: allow executing CGI scripts
AllowOverride
httpd access control can be configured per directory by placing a .htaccess file in each directory;
AllowOverride says whether settings in a directory's .htaccess file may override those of the current configuration section;
Options FileInfo AuthConfig Limit
All
None
Access control based on source address
Allow all addresses: Require all granted
Deny all addresses: Require all denied
<RequireAll>
</RequireAll>
By IP:
Require ip ADDRESS
Require not ip ADDRESS
ADDRESS:
ip
network:
10.1.0.0/255.255.0.0
10.1.0.0/16
10.1
By host name:
Require host HOSTNAME
Require not host HOSTNAME
HOSTNAME:
FQDN
DOMAIN.TLD
Example:
Deny access from IP 10.1.252.238 in the httpd main configuration file:
vim /etc/httpd/conf/httpd.conf
User/Group
The identity the processes run as
owner and group of the httpd worker processes;
User apache
Group apache
httpd-manual: installs the official documentation shipped with httpd
# yum -y install httpd-manual
configuration file: conf.d/manual.conf
systemctl reload httpd
Viewing the Apache server status
vim /etc/httpd/conf.d/status.conf
<Location /status>
SetHandler server-status
# Only the loopback address may read the status page; clients matching no
# Require directive are denied. Do not add "Require all denied" inside
# <RequireAll>: it always fails, so the block would deny everyone, 127.0.0.1 included.
<RequireAll>
Require ip 127.0.0.1
</RequireAll>
</Location>
http://127.0.0.1/status
Log settings:
Error log:
ErrorLog "/var/log/httpd/error_log"
LogLevel warn
Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
Access log:
LogFormat "FORMAT_STRINGS" LOG_FORMAT_NAME
CustomLog "/PATH/TO/LOG_FILE" LOG_FORMAT_NAME
format_strings:
%h: Remote hostname. Will log the IP address if HostnameLookups is set to Off, which is the default.
%l: Remote logname (from identd, if supplied). "-" is logged when there is no valid value;
%u: Remote user if the request was authenticated. May be bogus if return status (%s) is 401 (unauthorized). This is the user name the client supplied for HTTP authentication;
%t: Time the request was received, in the format [18/Sep/2011:19:18:28 -0400].
%r: First line of request.
%s: Status. For requests that have been internally redirected, this is the status of the original request. Use %>s for the final status.
%b: Size of response in bytes, excluding HTTP headers.
%{VARNAME}i: the value of the request header named VARNAME; e.g. %{Referer}i logs the Referer header of the request;
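As an added example (not from the original notes), a shell script that parses lines written by the combined log format above and turns the %u-on-401 remark into a check: it reports clients that keep receiving 401 and the user names they tried, plus a per-status-class count. The log lines, addresses and user names are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original notes: parse lines written by
# CustomLog ... combined (%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i")
# and report clients that repeatedly receive 401 from a Basic-auth protected
# vhost. The log lines, hosts and user names below are constructed sample data.

# Constructed excerpt of logs/www1_access_log.
SAMPLE_LOG=$(cat <<'EOF'
10.1.253.56 - - [13/Oct/2016:15:29:15 +0800] "GET /index.html HTTP/1.1" 401 381 "-" "curl/7.29.0"
10.1.253.56 - - [13/Oct/2016:15:29:16 +0800] "GET /index.html HTTP/1.1" 401 381 "-" "curl/7.29.0"
10.1.253.56 - zheng [13/Oct/2016:15:29:17 +0800] "GET /index.html HTTP/1.1" 401 381 "-" "curl/7.29.0"
10.1.253.56 - zheng [13/Oct/2016:15:29:18 +0800] "GET /index.html HTTP/1.1" 200 13 "-" "curl/7.29.0"
10.1.252.238 - - [13/Oct/2016:15:30:01 +0800] "GET /test.html HTTP/1.1" 200 6 "-" "Links (2.8)"
192.168.3.11 - mage [13/Oct/2016:15:31:00 +0800] "POST /index.html HTTP/1.1" 403 199 "-" "curl/7.29.0"
EOF
)

# Reads combined-format lines on stdin. Splitting on the double quote is safer
# than splitting on spaces: the request line (%r) and the User-Agent contain
# spaces, but the fields before the first quote (%h %l %u %t) and right after
# the request (%>s %b) never do.
# Prints "host <401 count> <user names tried>" for hosts with at least $1
# (default 2) 401 responses; a 401 whose %u is not "-" is a rejected credential.
auth_failures_by_host() {
    min=${1:-2}
    awk -F'"' -v min="$min" '
        {
            split($1, pre, " ")        # pre[1]=%h  pre[2]=%l  pre[3]=%u
            split($3, post, " ")       # post[1]=%>s  post[2]=%b
            if (post[1] == "401") {
                fails[pre[1]]++
                if (pre[3] != "-") users[pre[1]] = users[pre[1]] " " pre[3]
            }
        }
        END {
            for (h in fails)
                if (fails[h] >= min) printf "%s %d%s\n", h, fails[h], users[h]
        }' | sort
}

# Counts responses per status class (1xx..5xx) as listed in the notes.
status_summary() {
    awk -F'"' '{ split($3, post, " "); c[substr(post[1], 1, 1) "xx"]++ }
               END { for (k in c) print k, c[k] }' | sort
}

echo "hosts with repeated 401 responses:"
printf '%s\n' "$SAMPLE_LOG" | auth_failures_by_host 2
echo "responses by status class:"
printf '%s\n' "$SAMPLE_LOG" | status_summary
```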
Virtual hosts:
Ways of identifying a virtual host:
by IP address;
by host name (ServerName);
by port;
Lab:
Set up IP-, port- and ServerName-based virtual hosts:
First create the "DocumentRoot" directories and their index.html files;
[root@centos7 httpd]# mkdir -pv /vhost/{,www1,www2,www3}
[root@centos7 httpd]# vim /vhost/www1/index.html    (content: this is www1)
[root@centos7 httpd]# vim /vhost/www2/index.html    (content: this is www2)
[root@centos7 httpd]# vim /vhost/www3/index.html    (content: this is www3)
Example:
Port-based virtual hosts:
Note: port-based virtual hosts need the extra ports added as Listen directives in /etc/httpd/conf/httpd.conf;
Listen 80
Listen 8080
Listen 8088
[root@centos7 httpd]# vim /etc/httpd/conf.d/virtualhost.conf
<VirtualHost *:80>
ServerName www1.magedu.com
DocumentRoot "/vhost/www1"
<Directory "/vhost/www1">
Options none
AllowOverride none
Require all granted
</Directory>
ErrorLog "logs/www1_error_log"
CustomLog "logs/www1_access_log" combined
</VirtualHost>

<VirtualHost *:8080>
ServerName www2.magedu.com
DocumentRoot "/vhost/www2"
<Directory "/vhost/www2">
Options none
AllowOverride none
Require all granted
</Directory>
ErrorLog "logs/www2_error_log"
CustomLog "logs/www2_access_log" combined
</VirtualHost>

<VirtualHost *:8088>
ServerName www3.magedu.com
DocumentRoot "/vhost/www3"
<Directory "/vhost/www3">
Options none
AllowOverride none
Require all granted
</Directory>
ErrorLog "logs/www3_error_log"
CustomLog "logs/www3_access_log" combined
</VirtualHost>
Example:
IP-based virtual hosts:
Note: IP-based virtual hosts need two additional IP addresses on the host;
[root@centos7 httpd]# ip a add 10.1.253.21 dev eno16777736
[root@centos7 httpd]# ip a add 10.1.253.22 dev eno16777736
[root@centos7 httpd]# vim /etc/httpd/conf.d/virtualhost.conf
<VirtualHost *:80>
ServerName www1.magedu.com
DocumentRoot "/vhost/www1"
<Directory "/vhost/www1">
Options none
AllowOverride none
Require all granted
</Directory>
ErrorLog "logs/www1_error_log"
CustomLog "logs/www1_access_log" combined
</VirtualHost>

<VirtualHost 10.1.253.21:80>
ServerName www2.magedu.com
DocumentRoot "/vhost/www2"
<Directory "/vhost/www2">
Options none
AllowOverride none
Require all granted
</Directory>
ErrorLog "logs/www2_error_log"
CustomLog "logs/www2_access_log" combined
</VirtualHost>

<VirtualHost 10.1.253.22:80>
ServerName www3.magedu.com
DocumentRoot "/vhost/www3"
<Directory "/vhost/www3">
Options none
AllowOverride none
Require all granted
</Directory>
ErrorLog "logs/www3_error_log"
CustomLog "logs/www3_access_log" combined
</VirtualHost>
Example:
Name-based (ServerName) virtual hosts:
Note: name-based virtual hosts need DNS; without it, the names can be put in /etc/hosts;
[root@centos7 httpd]# vim /etc/hosts
10.1.253.56 www1.magedu.com www2.magedu.com www3.magedu.com
[root@centos7 httpd]# vim /etc/httpd/conf.d/virtualhost.conf
<VirtualHost *:80>
ServerName www1.magedu.com
DocumentRoot "/vhost/www1"
<Directory "/vhost/www1">
Options none
AllowOverride none
Require all granted
</Directory>
ErrorLog "logs/www1_error_log"
CustomLog "logs/www1_access_log" combined
</VirtualHost>

<VirtualHost *:80>
ServerName www2.magedu.com
DocumentRoot "/vhost/www2"
<Directory "/vhost/www2">
Options none
AllowOverride none
Require all granted
</Directory>
ErrorLog "logs/www2_error_log"
CustomLog "logs/www2_access_log" combined
</VirtualHost>

<VirtualHost *:80>
ServerName www3.magedu.com
DocumentRoot "/vhost/www3"
<Directory "/vhost/www3">
Options none
AllowOverride none
Require all granted
</Directory>
ErrorLog "logs/www3_error_log"
CustomLog "logs/www3_access_log" combined
</VirtualHost>
User-based access control:
Require user USERLIST
Require group GRPLIST
Virtual users:
Authentication methods:
basic
digest
HTTP authentication process:
Challenge:
WWW-Authenticate: the server answers with status 401, refuses the request and tells the client that a valid user name and password are required;
Authentication:
Authorization: the client fills in the user name and password and resends the request; if the credentials check out, the server sends the response content;
Authentication and authorization for user access:
<Directory "">
Options None
AllowOverride None
AuthType Basic
AuthName "STRING"
AuthUserFile ""
Require user USER1 USER2 ... (or valid-user)
</Directory>
Account file generator: htpasswd
htpasswd [options] "/PATH/TO/HT_PASSWD_FILE" username
-c: create the file;
-m: store the password hashed with MD5;
-s: SHA hashing
-D: delete the given user
Ways of using Require:
(1) Require valid-user (any user in the file)
(2) Require user USER1 USER2 ... (only the listed users)
Lab:
Set up user-based access control on the virtual host ServerName www1.magedu.com.
Use htpasswd to create the password file and the authorized users;
[root@centos7 httpd]# htpasswd -c -m /etc/httpd/conf/.htpasswd zheng
[root@centos7 httpd]# htpasswd -m /etc/httpd/conf/.htpasswd mage
<VirtualHost *:80>
ServerName www1.magedu.com
DocumentRoot "/vhost/www1"
<Directory "/vhost/www1">
Options none
AllowOverride none
AuthType basic
AuthName "please enter your user name/password"
AuthUserFile "/etc/httpd/conf/.htpasswd"
Require valid-user
</Directory>
ErrorLog "logs/www1_error_log"
CustomLog "logs/www1_access_log" combined
</VirtualHost>
Test:
[root@centos7 httpd]# httpd -t
Syntax OK
[root@centos7 httpd]# systemctl reload httpd
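As an added example (not from the original notes), the Basic-auth exchange described above and the htpasswd lab, reproduced in a shell script: the client builds the Authorization header it sends after the 401 challenge, and the server side decodes it and checks the password against an htpasswd-style file. It assumes openssl is installed (its passwd -apr1 produces the same format as htpasswd -m); users, salts and passwords are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: the Basic-auth exchange
# (401 + WWW-Authenticate, then Authorization: Basic base64("user:password"))
# checked against an htpasswd-style file. Assumes openssl is installed:
# `openssl passwd -apr1` writes the same "$apr1$salt$hash" format as
# `htpasswd -m`, so the server can recompute the hash with the stored salt.
# Users, salts and passwords are constructed for this example.

HTPASSWD_FILE=$(mktemp)
trap 'rm -f "$HTPASSWD_FILE"' EXIT

# Constructed .htpasswd with two users (what `htpasswd -c -m ... zheng` and
# `htpasswd -m ... mage` would produce for these passwords and salts).
printf '%s\n' \
    "zheng:$(openssl passwd -apr1 -salt 9gK7s2Qa 'zheng-pass')" \
    "mage:$(openssl passwd -apr1 -salt Xb3pL0wq 'mage-pass')" > "$HTPASSWD_FILE"

# Client side: the header sent in the second request after the 401 challenge.
# Base64 is an encoding, not encryption: anyone on the path can read the
# password, which is why Basic auth belongs on HTTPS.
build_authz_header() {   # $1 = user, $2 = password
    printf 'Authorization: Basic %s' \
        "$(printf '%s:%s' "$1" "$2" | openssl enc -base64 | tr -d '\n')"
}

# Server side: decode the header, look the user up, recompute the apr1 hash
# with the stored salt and compare. Returns 0 (grant) or 1 (answer 401 again).
check_basic_auth() {     # $1 = full Authorization header line
    encoded=${1#Authorization: Basic }
    [ "$encoded" != "$1" ] || return 1              # not a Basic header
    decoded=$(printf '%s\n' "$encoded" | openssl enc -base64 -d) || return 1
    user=${decoded%%:*}
    pass=${decoded#*:}
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$HTPASSWD_FILE")
    [ -n "$stored" ] || return 1                    # unknown user
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)   # $apr1$<salt>$<hash>
    computed=$(openssl passwd -apr1 -salt "$salt" "$pass")
    [ "$computed" = "$stored" ]
}

for try in "zheng zheng-pass" "zheng wrong-pass" "nobody x"; do
    set -- $try
    if check_basic_auth "$(build_authz_header "$1" "$2")"; then
        echo "$1: 200 OK"
    else
        echo "$1: 401 Unauthorized"
    fi
done
```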
Group-based authentication and authorization:
Each line of the group file defines one group;
Use htpasswd to create the password file and the authorized users;
[root@centos7 httpd]# htpasswd -m /etc/httpd/conf/.htpasswd xiaofang
[root@centos7 httpd]# htpasswd -m /etc/httpd/conf/.htpasswd xiaoming
Write the group file for access control:
[root@centos7 httpd]# vim /etc/httpd/conf/.htgroup
admins:xiaoming xiaofang
Set up group-based access control on the virtual host ServerName www2.magedu.com
<VirtualHost *:80>
ServerName www2.magedu.com
DocumentRoot "/vhost/www2"
<Directory "/vhost/www2">
Options none
AllowOverride none
AuthType basic
AuthName "please enter your user name/password"
AuthUserFile "/etc/httpd/conf/.htpasswd"
AuthGroupFile "/etc/httpd/conf/.htgroup"
Require group admins
</Directory>
ErrorLog "logs/www2_error_log"
CustomLog "logs/www2_access_log" combined
</VirtualHost>
Test:
[root@centos7 httpd]# httpd -t
Syntax OK
[root@centos7 httpd]# systemctl reload httpd
Lab:
Example:
Deny IP 10.1.253.56 access to www1.magedu.com:
<VirtualHost *:80>
ServerName www1.magedu.com
DocumentRoot "/vhost/www1"
<Directory "/vhost/www1">
Options none
AllowOverride none
AuthType basic
AuthName "please enter your user name/password"
AuthUserFile "/etc/httpd/conf/.htpasswd"
# Both conditions must hold: the client is not 10.1.253.56 AND it authenticated.
# Require lines outside <RequireAll> are OR-ed together, so a bare
# "Require valid-user" next to this block would let 10.1.253.56 in after logging in.
<RequireAll>
Require not ip 10.1.253.56
Require valid-user
</RequireAll>
</Directory>
ErrorLog "logs/www1_error_log"
CustomLog "logs/www1_access_log" combined
</VirtualHost>
The curl command
curl is a command-line file transfer tool driven by URL syntax. It supports FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP, among other protocols. It supports HTTPS authentication, the HTTP POST and PUT methods, FTP upload, Kerberos authentication, HTTP upload, proxy servers, cookies, user name/password authentication, resumable downloads and uploads, HTTP proxy tunneling, and even IPv6, SOCKS5 proxies and uploading to an FTP server through an HTTP proxy: a very capable tool.
curl [options] [URL...]
Commonly used curl options:
-A/--user-agent <string>  user agent string sent to the server
--basic  use HTTP Basic authentication
-e/--referer <URL>  referring URL
--cacert <file>  CA certificate (SSL)
--compressed  ask for a compressed response
-H/--header <line>  custom header passed to the server
-I/--head  show only the response headers
--limit-rate <rate>  limit the transfer speed
-u/--user <user[:password]>  user and password for the server
-0/--http1.0  use HTTP 1.0
-X/--request <command>  custom request method
The elinks command:
elinks [OPTION]... [URL]...
-dump: do not enter interactive mode; write the content of the URL to standard output;
Using the mod_deflate module to compress pages and speed up transfers;
When it applies:
(1) saves bandwidth at the cost of extra CPU; some older browsers may not support it;
(2) compress only resources that compress well, e.g. text files;
SetOutputFilter DEFLATE
# mod_deflate configuration
# Restrict compression to these MIME types
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
# Level of compression (Highest 9 - Lowest 1)
DeflateCompressionLevel 9
# Netscape 4.x has some problems.
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
Test lab:
Example
Use mod_deflate page compression to speed up transfers and save bandwidth.
1) Copy a reasonably large text file to /var/www/html/text.txt.
[root@centos7 log]# cp -a /var/log/messages /var/www/html/text.txt
[root@centos7 log]# ll /var/www/html/text.txt
-rw------- 1 root root 76765 Oct 13 10:20 /var/www/html/text.txt
[root@centos7 log]#
2) /var/www/html/text.txt has mode 600, so give other users read permission.
[root@centos7 log]# chmod +r /var/www/html/text.txt
[root@centos7 log]# ll /var/www/html/text.txt
-rw-r--r-- 1 root root 76765 Oct 13 10:20 /var/www/html/text.txt
[root@centos7 log]#
3) Request only the HTTP response headers with curl -I;
[root@centos7 html]# curl -I http://192.168.3.11/text.txt
HTTP/1.1 200 OK
Date: Thu, 13 Oct 2016 14:49:39 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 13 Oct 2016 14:20:01 GMT
ETag: "1bba90-53ebfce1bf0b9"
Accept-Ranges: bytes
Content-Length: 76765    // content length: 76765
Content-Type: text/plain; charset=UTF-8
[root@centos7 html]#
4) Now enable page compression with the mod_deflate module;
[root@centos7 html]# httpd -M | grep "deflate"
deflate_module (shared)
[root@centos7 html]#
[root@centos7 html]# vim /etc/httpd/conf.d/deflate.conf
[root@centos7 html]# systemctl reload httpd
5) Run curl again, this time with the --compressed option;
[root@centos7 html]# curl --compressed -I http://192.168.3.11/text.txt
HTTP/1.1 200 OK
Date: Thu, 13 Oct 2016 15:29:15 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 13 Oct 2016 15:23:14 GMT
ETag: "12bdd-53ec0b02e05ae-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 7056
Content-Type: text/plain; charset=UTF-8
[root@centos7 html]#
Configuring httpd for HTTPS:
OpenSSL:
libcrypto, libssl (ssl/tls), openssl
PKI:
CA,
Simplified SSL session flow
(1) the client sends the cipher suites it supports and asks the server for its certificate;
(2) the server sends its certificate and the selected cipher suite to the client;
(3) the client receives the certificate and verifies it:
if it trusts the CA that issued the certificate:
(a) verify the certificate's origin: decrypt the digital signature on the certificate with the CA's public key;
(b) verify the certificate's content: integrity check
(c) check the certificate's validity period;
(d) check whether the certificate has been revoked;
(e) the owner name in the certificate must match the host being accessed;
(4) the client generates a temporary session key (symmetric key), encrypts it with the server's public key and sends it to the server, completing the key exchange;
(5) the server encrypts the requested resource with this key and returns it to the client;
Note: SSL sessions are created per IP address, so a host with a single IP can serve only one HTTPS virtual host;
Configuring httpd for HTTPS:
(1) obtain a digital certificate for the server;
Testing: issue the certificate from a private CA
(a) create the private CA
(b) create a certificate signing request on the server
(c) have the CA sign it
(2) configure httpd to use SSL and the certificate;
# yum -y install mod_ssl
configuration file: /etc/httpd/conf.d/ssl.conf
DocumentRoot
ServerName
SSLCertificateFile
SSLCertificateKeyFile
(3) test HTTPS access to the host;
# openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
Lab:
Setting up httpd with HTTPS support:
* Create the required files at the paths defined in the openssl configuration file /etc/pki/tls/openssl.cnf.
(1) Create the required files:
[root@centos7 ~]# touch /etc/pki/CA/index.txt      // CA database file
[root@centos7 ~]# echo "01" > /etc/pki/CA/serial    // CA serial-number file
[root@centos7 ~]# cat /etc/pki/CA/serial
01
[root@centos7 ~]#
(2) CA self-signed certificate:
1) generate the private key;
[root@centos7 ~]# (umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..........................................................+++
..........+++
e is 65537 (0x10001)
[root@centos7 ~]#
2) generate the self-signed certificate;
[root@centos7 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:m20-1
Common Name (eg, your name or your server's hostname) []:centos7.1
Email Address []:admin@magedu.com
[root@centos7 ~]#
3) Issue a certificate to the host www.magedu.com:
(1) First create a certs directory under /etc/httpd/ to hold the site's certificate files;
[root@centos7 httpd]# mkdir -p /etc/httpd/certs
(2) Create the private key for www.magedu.com;
[root@centos7 httpd]# (umask 077;openssl genrsa -out /etc/httpd/certs/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
......+++
....................+++
e is 65537 (0x10001)
[root@centos7 httpd]#
(3) Generate the certificate signing request:
[root@centos6 Desktop]# openssl req -new -key /etc/httpd/certs/httpd.key -days 365 -out /etc/httpd/certs/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:m20-1
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:root@magedu.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos6 Desktop]#
(4) The CA signs the certificate and issues it to the requester;
[root@centos7 CA]# openssl ca -in /etc/httpd/certs/httpd.csr -out /etc/httpd/certs/httpd.crt -days 365
Check:
[root@centos7 certs]# cd /etc/httpd/certs/
[root@centos7 certs]# ls
httpd.crt httpd.csr httpd.key
[root@centos7 certs]#
(5) Install the mod_ssl module:
configure httpd to use SSL and the certificate;
# yum -y install mod_ssl
configuration file: /etc/httpd/conf.d/ssl.conf
DocumentRoot
ServerName
SSLCertificateFile
SSLCertificateKeyFile
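As an added example (not from the original notes), the private-CA procedure above run non-interactively in a scratch directory, followed by the checks the client performs in step (3) of the handshake. It assumes openssl is installed and signs the CSR with openssl x509 -req instead of openssl ca, so the /etc/pki/CA database files are not needed; subject values are taken from the notes and all keys are throwaway.

```shell
#!/bin/sh
# Added example, not from the original notes: the private-CA procedure
# (CA key and self-signed CA cert, server key and CSR, CA-signed server cert)
# run non-interactively in a scratch directory, followed by the checks a client
# performs in step (3) of the handshake: chain/signature, validity, host name.
# Assumes openssl is installed. The CSR is signed with `openssl x509 -req`
# rather than `openssl ca`, so the index.txt/serial database under /etc/pki/CA
# is not needed. Subject values come from the notes; all keys are throwaway.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ_BASE="/C=CN/ST=beijing/L=bj/O=magedu.com/OU=m20-1"

# (2) CA: private key (mode 0600 via umask) and self-signed certificate
make_ca() {
    (umask 066; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null) &&
    openssl req -new -x509 -key "$WORK/cakey.pem" -days 7300 \
        -subj "$SUBJ_BASE/CN=centos7.1" -out "$WORK/cacert.pem"
}

# (3.2)+(3.3) server private key and certificate signing request
make_csr() {   # $1 = server host name (goes into the CN)
    (umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null) &&
    openssl req -new -key "$WORK/httpd.key" \
        -subj "$SUBJ_BASE/CN=$1" -out "$WORK/httpd.csr"
}

# (3.4) the CA signs the CSR for 365 days. A subjectAltName is added because
# browsers match the host name against SAN entries, not the CN.
sign_csr() {   # $1 = server host name
    printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/san.cnf" &&
    openssl x509 -req -in "$WORK/httpd.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$WORK/san.cnf" -out "$WORK/httpd.crt" 2>/dev/null
}

# Handshake checks (a)-(c): the signature chains to a trusted CA and the
# certificate is within its validity period. $1 = CA file the client trusts.
# The output is checked rather than the exit status because old openssl
# versions exit 0 even when verification fails.
verify_chain() {
    openssl verify -CAfile "$1" "$WORK/httpd.crt" 2>/dev/null | grep -q ': OK$'
}

# Handshake check (e): the name in the certificate must match the host the
# client is connecting to. $1 = host name requested.
cert_matches_host() {
    openssl x509 -in "$WORK/httpd.crt" -noout -text | tr ', ' '\n\n' | grep -qx "DNS:$1"
}

provision() {   # $1 = server host name; full flow from CA to signed cert
    make_ca && make_csr "$1" && sign_csr "$1"
}

if provision www.magedu.com; then
    verify_chain "$WORK/cacert.pem" && echo "chain: trusted by our CA"
    cert_matches_host www.magedu.com && echo "name: matches www.magedu.com"
    cert_matches_host www2.magedu.com || echo "name: would fail for www2.magedu.com"
fi
```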
Example:
Restart the httpd service:
systemctl restart httpd
Add the IP-to-name mapping in /etc/hosts:
[root@centos7 conf.d]# vim /etc/hosts
10.1.253.56 www.magedu.com
192.168.3.11 www.magedu.com
We can also test with the IE browser:
Edit the Windows hosts file
Windows -> system32 -> drivers -> etc -> hosts; add the name for the IP.
Import the root CA certificate into IE's "Trusted Root Certification Authorities" store.
Tools -> Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities -> Import
Test with the IE browser:
Programs shipped with httpd:
htpasswd: generates the account/password file used by file-based basic authentication;
htdbm
htdigest
apachectl: the service control script shipped with httpd; supports subcommands such as start and stop;
apxs: APache eXtenSion tool
apxs: provided by the httpd-devel package;
used to add modules to httpd;
rotatelogs:
access_log,
access_log, access_log.1, ...
ab: load-testing tool for web services
ab [OPTIONS] [http[s]://]hostname[:port]/path
number of requests: [ -n requests ]
concurrency: [ -c concurrency ]
keep-alive: [ -k ] sends multiple requests per connection, much faster;
Example:
ab -n 1000 -c 100 https://www.magedu.com/index.html
ab -n 1000 -c 100 http://192.168.3.11/index.html
Differences between httpd-2.2 and httpd-2.4:
In httpd-2.4 the MPM modules are shared modules;
MPM: Multi-Processing Modules;
prefork: process model, two levels, master/worker, each worker handles one request;
worker: thread model, three levels, master/worker/thread, each thread handles one request;
event: event-driven thread model, two levels, master/worker, each worker serves multiple requests;
In httpd-2.2 the MPM is a static module, not a shared one;
To change the MPM on CentOS 6, edit /etc/sysconfig/httpd:
[root@centos6 ~]# vim /etc/sysconfig/httpd
HTTPD=/usr/sbin/{httpd|httpd.worker|httpd.event}
Note: on CentOS 6 with httpd-2.2, httpd.event is not usable and httpd.worker is not recommended.
<IfModule prefork.c>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 4000
</IfModule>
<IfModule worker.c>
StartServers 4
MaxClients 300
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
IP-based access control:
httpd-2.4:
require ip, require not ip, require host, require not host
httpd-2.2:
allow from, deny from
order allow,deny, order deny,allow
Note: in order allow,deny the second item is the default.
Example: deny IP 192.168.3.2 access to the site on httpd-2.2:
Name-based virtual hosts:
httpd-2.2: NameVirtualHost is required;
httpd-2.4: not needed;
Resources in each mapped local file-system path:
httpd-2.4: explicit authorization is required
httpd-2.2: no explicit authorization needed
Example:
Name-based virtual hosts on httpd-2.2
Note: name-based virtual hosts on httpd-2.2 need NameVirtualHost *:80
Example:
IP-based virtual hosts on httpd-2.2:
Example:
Port-based virtual hosts on httpd-2.2:
Edit the main configuration file /etc/httpd/conf/httpd.conf to listen on port 8080
Resource types:
Static resources: delivered to the client in their original form;
Dynamic resources: usually program files (written in some programming language) that must be executed, with the generated result sent to the client;
Client-side technology: javascript
Server-side technology: php, jsp, ...
CGI: Common Gateway Interface
CGI is a protocol that defines how the client (the web server program) and the server (a specific application server process) exchange data;
php: a programming language, embeddable, highly modular (extensions), configuration files (/etc/php.ini, /etc/php.d/*.ini);
<html>
...
<?php
phpinfo();
?>
...
</html>
httpd+php:
CGI
Module
prefork: libphp
worker, event: libphp-zts
Example: installing php
yum -y install php
vim /var/www/html/php.php
Original article by zhengyibo; if reproduced, please credit the source: http://www.178linux.com/59598