All of the experiments below were done on httpd-2.4.
Virtual host configuration
A virtual host is a way to run several sites on one physical machine. There are three ways to implement it: by port, by IP address, and by host name. Because browsers default to port 80 and IPv4 addresses are scarce, name-based virtual hosts are by far the most widely used. Port-based virtual hosts tell requests apart by the port they arrive on; IP-based virtual hosts by the destination IP address; name-based virtual hosts by the Host header of the HTTP request (the virtual hosts on one machine share an IP address and differ only in host name). The Host header carries the requested server name and port, and the server reads it to hand the request to the matching virtual host. For example, when you type www.baidu.com into the address bar and press Enter, www.baidu.com is what the browser puts into the Host header. Two consequences are worth remembering: a request whose Host header matches no ServerName or ServerAlias is served by the first virtual host defined for that IP:port, and an HTTP/1.1 request without a Host header is rejected by httpd with 400.
Here is the concrete configuration. Rather than configuring each mode separately, the three modes are mixed on one physical machine, so all three exist side by side.
Lab environment:
DNS server: 192.168.1.104
Web server: 192.168.1.112, 192.168.1.199
Listening ports: 80, 8080
First comment out the main server's site root and Include httpd-vhosts.conf from the main configuration file. Comments must sit on their own line; httpd does not accept a trailing comment after a directive.
#ServerName
# in httpd-2.4 the ServerName line need not be commented out
........
Include /etc/httpd/extra/httpd-vhosts.conf
# listen on both 80 and 8080
Listen 80
Listen 8080
Here is httpd-vhosts.conf. The first and second virtual hosts are distinguished by host name (same IP and port), the third by a different listening port, and the fourth by a different IP address. Because the first two share 192.168.1.112:80, www.xiaoxiao.com, being listed first, is also the default for any request to that address whose Host header matches neither name.
<VirtualHost 192.168.1.112:80>
    DocumentRoot "/httpd-website/www.xiaoxiao.com"
    ServerName www.xiaoxiao.com
    # ErrorLog "logs/dummy-host.example.com-error_log"
    # CustomLog "logs/dummy-host.example.com-access_log" common
</VirtualHost>

<VirtualHost 192.168.1.112:80>
    DocumentRoot "/httpd-website/web.xiaoxiao.com"
    ServerName web.xiaoxiao.com
    # ErrorLog "logs/dummy-host2.example.com-error_log"
    # CustomLog "logs/dummy-host2.example.com-access_log" common
</VirtualHost>

<VirtualHost 192.168.1.112:8080>
    DocumentRoot "/httpd-website/ops.xiaoxiao.com"
    ServerName ops.xiaoxiao.com
</VirtualHost>

<VirtualHost 192.168.1.199:80>
    DocumentRoot "/httpd-website/dep.xiaoxiao.com"
    ServerName dep.xiaoxiao.com
</VirtualHost>
Configure the corresponding zone on the DNS server. Forward zone file for xiaoxiao.com (note that every owner name written in full must end with a dot, otherwise the zone origin is appended to it; the ttt CNAME owner was missing its dot):
$TTL 1800
@                   IN SOA   ns.xiaoxiao.com. baby.xiaoxiao.com. (
                                10006
                                1H
                                10M
                                7D
                                10M )
@                   IN NS    ns.xiaoxiao.com.
@                   IN NS    2ns.xiaoxiao.com.
@                   IN MX 10 mail.xiaoxiao.com.
ns.xiaoxiao.com.    IN A     192.168.1.165
2ns.xiaoxiao.com.   IN A     192.168.1.206
mail.xiaoxiao.com.  IN A     192.168.1.4
www.xiaoxiao.com.   IN A     192.168.1.112
web.xiaoxiao.com.   IN A     192.168.1.112
ops.xiaoxiao.com.   IN A     192.168.1.112
dep.xiaoxiao.com.   IN A     192.168.1.199
ttt.xiaoxiao.com.   IN CNAME www.xiaoxiao.com.
baby.xiaoxiao.com.  IN A     192.168.1.112
Check the configuration file, check the zone file, then reload the service (run in /var/named):
# named-checkzone xiaoxiao.com /var/named/xiaoxiao.com.other.zone
zone xiaoxiao.com/IN: loaded serial 10006
OK
# named-checkconf
# rndc reload
server reload successful
Don't forget to adjust the access permissions on the virtual hosts' document roots. ExecCGI is not actually needed here (ScriptAlias below already marks the cgi-bin directory as containing CGI scripts), and FollowSymLinks lets a symlink anywhere under /httpd-website point outside it, so grant only what the sites need.
<Directory "/httpd-website">
    Options FollowSymLinks ExecCGI
    AllowOverride None
    Require all granted
</Directory>
The server runs on 192.168.1.112, and the last virtual host is IP-based, so a second address has to be added to the local NIC. An address added with ip addr does not survive a reboot; make it persistent in the interface configuration as well.
# ip addr add 192.168.1.199/24 brd 192.168.1.255 dev eth0
# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:f1:21:1b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.112/24 brd 192.168.1.255 scope global eth0
    inet 192.168.1.199/24 brd 192.168.1.255 scope global secondary eth0
    inet6 fe80::20c:29ff:fef1:211b/64 scope link
       valid_lft forever preferred_lft forever
Finally create the site files in the corresponding directories (in /httpd-website). Check the configuration and, if it is clean, start the service.
# ls
baby.xiaoxiao.com  cgi-bin  dep.xiaoxiao.com  ops.xiaoxiao.com  web.xiaoxiao.com  www.xiaoxiao.com
# cat */index.html
<html><body><h1>baby.xiaoxiao.com</h1></body></html>
<html><body><h1>dep.xiaoxiao.com</h1></body></html>
<html><body><h1>ops.xiaoxiao.com</h1></body></html>
<html><body><h1>web.xiaoxiao.com</h1></body></html>
<html><body><h1>www.xiaoxiao.com</h1></body></html>
# httpd -t
Syntax OK
# service httpd start
Starting httpd:                                            [  OK  ]
Check the ports (the grep matches both :80 and :8080):
# ss -tunl | grep 80
tcp    LISTEN     0      128    :::8080    :::*
tcp    LISTEN     0      128    :::80      :::*
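To see the dispatch rule at work without a server, here is an added Python model of httpd's virtual host selection (example code written for this page, not part of httpd or the original post). The vhost table mirrors httpd-vhosts.conf above; the raw requests it consumes are constructed, and the request_for helper is an assumption of this example. It reproduces the behaviour that matters: the name in Host (port stripped) is compared case-insensitively with ServerName/ServerAlias, but only among the vhosts bound to the connection's IP:port; no match means the first vhost listed for that address; an HTTP/1.1 request without Host gets 400.

```python
from dataclasses import dataclass


@dataclass
class VHost:
    ip: str
    port: int
    server_name: str
    document_root: str
    aliases: tuple = ()          # ServerAlias entries; the page defines none


# Same four hosts as httpd-vhosts.conf on the page, in the same order. Order
# matters: the first vhost listed for an ip:port is that address's default.
VHOSTS = [
    VHost("192.168.1.112", 80,   "www.xiaoxiao.com", "/httpd-website/www.xiaoxiao.com"),
    VHost("192.168.1.112", 80,   "web.xiaoxiao.com", "/httpd-website/web.xiaoxiao.com"),
    VHost("192.168.1.112", 8080, "ops.xiaoxiao.com", "/httpd-website/ops.xiaoxiao.com"),
    VHost("192.168.1.199", 80,   "dep.xiaoxiao.com", "/httpd-website/dep.xiaoxiao.com"),
]


def request_for(host=None, version="HTTP/1.1") -> bytes:
    """Build a minimal raw request (constructed test input), with or without Host."""
    lines = ["GET / " + version]
    if host is not None:
        lines.append("Host: " + host)
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_request(raw: bytes):
    """Return (version, headers) from a raw HTTP request; header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    _method, _target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return version, headers


def select_vhost(local_ip: str, local_port: int, raw_request: bytes):
    """Pick the VirtualHost httpd would use for a request arriving on local_ip:local_port.

    Returns None where httpd answers 400 (an HTTP/1.1 request without Host) or
    where nothing in the table is bound to that address.
    """
    version, headers = parse_request(raw_request)
    host = headers.get("host")
    if host is None and version == "HTTP/1.1":
        return None                                 # 400 Bad Request
    # Host may carry a port and may be an IP literal; only the name part is
    # compared, case-insensitively, with ServerName and ServerAlias.
    name = host.rsplit(":", 1)[0].lower() if host else ""
    candidates = [v for v in VHOSTS if v.ip == local_ip and v.port == local_port]
    if not candidates:
        return None
    for v in candidates:
        if name == v.server_name.lower() or name in (a.lower() for a in v.aliases):
            return v
    return candidates[0]                            # no match: first listed vhost wins
```

With the configuration above, a request to http://192.168.1.112/ (Host is the bare IP) lands on www.xiaoxiao.com, and so does any scanner that reaches the box by address rather than by name; if that is not wanted, define a deliberate catch-all vhost first.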
Done!!!
Access control
Only IP-based access control is covered here.
First create a test page under /httpd-website/web.xiaoxiao.com/test, then apply access control to the test directory.
# pwd
/httpd-website/web.xiaoxiao.com/test
# cat test.html
<html><body><h1>test.html</h1></body></html>
Configure the corresponding virtual host to deny every request to that directory. The comment has to go on its own line; httpd would otherwise read it as extra arguments to Require and refuse to start.
<VirtualHost 192.168.1.112:80>
    DocumentRoot "/httpd-website/web.xiaoxiao.com"
    ServerName web.xiaoxiao.com
    # ErrorLog "logs/dummy-host2.example.com-error_log"
    # CustomLog "logs/dummy-host2.example.com-access_log" common
    <Directory "/httpd-website/web.xiaoxiao.com/test">
        # deny all requests
        Require all denied
    </Directory>
</VirtualHost>
You can of course restrict specific IPs instead; here only 192.168.1.107 is blocked.
<VirtualHost 192.168.1.112:80>
    DocumentRoot "/httpd-website/web.xiaoxiao.com"
    ServerName web.xiaoxiao.com
    ErrorLog "logs/dummy-host2.example.com-error_log"
    CustomLog "logs/dummy-host2.example.com-access_log" common
    <Directory "/httpd-website/web.xiaoxiao.com/test">
        <RequireAll>
            Require all granted
            Require not ip 192.168.1.107
        </RequireAll>
    </Directory>
</VirtualHost>
This uses an httpd-2.4 feature: Require not ip only takes effect inside a <RequireAll> container. Bare Require lines sit in an implicit <RequireAny>, where a negated directive can never grant access (it can only deny), so httpd rejects such a configuration at startup. Inside <RequireAll> the positive Require all granted supplies the grant and the negated line vetoes it for the listed address.
Related directives:
Allow all hosts: Require all granted
Deny all hosts: Require all denied
Control access for specific hosts:
Require ip IPADDR
Require not ip IPADDR
Require host HOSTNAME
Require not host HOSTNAME
IPADDR can be:
a single IP
Network/Netmask, e.g. 192.168.1.107/255.255.255.0
Network/Length, e.g. 192.168.1.107/24
a partial address such as 172.16, which matches every address in that network
HOSTNAME can be:
FQDN: one specific host
DOMAIN: every host in that domain
Require host needs a reverse DNS lookup of the client address (confirmed by a forward lookup), which is slow and depends on DNS the client's network controls, so prefer Require ip where the address is what you actually want to restrict.
Besides <Directory "">, the <Files ""> and <Location ""> containers can also carry access control:
<Files ""> applies to individual files by name; the ~ form (<Files ~ "regex">) or <FilesMatch "regex"> does regular-expression matching, and the same holds for the other containers
<Location ""> applies to URL paths and can be replaced by <LocationMatch "">. Because it matches the URL rather than the filesystem, it does not protect the same files when they are reachable under another URL (through an Alias, for example); use <Directory> to protect filesystem locations.
<Location "/test">
    Require all denied
</Location>
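The granted/denied/neutral logic behind Require, <RequireAll> and <RequireAny> is easy to get wrong, so here is an added Python model of it (example code for this page, not httpd's own code or the original post's). It models only the all, ip and host providers; the reverse-DNS names that Require host would obtain are passed in as a constructed dict, and the container tuples in the test are a representation chosen for this example. It reproduces the page's two <Directory> rules, the IPADDR forms listed above, and the reason Require not must live inside <RequireAll>.

```python
import ipaddress

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"


def ip_in(spec: str, client: str) -> bool:
    """One 'Require ip' argument: single address, CIDR, address/netmask, or a
    partial dotted prefix such as 172.16 (the page's "Net:172.16")."""
    addr = ipaddress.ip_address(client)
    if "/" in spec:                                   # 192.168.1.0/24 or .../255.255.255.0
        return addr in ipaddress.ip_network(spec, strict=False)
    if ":" not in spec and spec.count(".") < 3:       # partial IPv4 prefix
        return client.startswith(spec + ".")
    return addr == ipaddress.ip_address(spec)


def evaluate_directive(words, client_ip, rdns):
    """GRANTED/DENIED/NEUTRAL for the words after 'Require' on one line."""
    negate = words[0] == "not"
    if negate:
        words = words[1:]
    provider, args = words[0], words[1:]
    if provider == "all":                             # 'all granted' / 'all denied'
        return GRANTED if args[0] == "granted" else DENIED
    if provider == "ip":
        matched = any(ip_in(a, client_ip) for a in args)
    elif provider == "host":                          # needs the client's reverse DNS name
        name = rdns.get(client_ip, "")
        matched = any(name == a or name.endswith("." + a) for a in args)
    else:
        raise ValueError("provider not modelled: " + provider)
    if negate:
        return DENIED if matched else NEUTRAL         # 'not' can deny, never grant
    return GRANTED if matched else NEUTRAL


def evaluate(container, client_ip, rdns=None):
    """container = ("all" | "any", [items]); an item is a 'Require ...' string or a
    nested container. Bare Require lines in a <Directory> form an implicit <RequireAny>."""
    rdns = rdns or {}
    mode, items = container
    results = []
    for item in items:
        if isinstance(item, tuple):
            results.append(evaluate(item, client_ip, rdns))
            continue
        words = item.split()
        if words[0] != "Require":
            raise ValueError("unexpected line: " + item)
        if words[1] == "not" and mode == "any":
            # httpd refuses this at startup: a negated Require can never grant, so
            # inside <RequireAny> it has no effect. Hence the <RequireAll> container.
            raise ValueError("negative Require inside <RequireAny>: " + item)
        results.append(evaluate_directive(words[1:], client_ip, rdns))
    if mode == "all":                                 # any deny wins, else one grant needed
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    if GRANTED in results:                            # any: one grant is enough
        return GRANTED
    return DENIED if DENIED in results else NEUTRAL


def allowed(container, client_ip, rdns=None) -> bool:
    """Only GRANTED lets the request through; NEUTRAL and DENIED both mean 403."""
    return evaluate(container, client_ip, rdns) == GRANTED


def config_accepted(container) -> bool:
    """Would httpd -t accept this rule set? (Models only the negation check above.)"""
    try:
        evaluate(container, "192.0.2.1")
        return True
    except ValueError:
        return False
```

Note the neutral case: a client that matches nothing is not "undecided", it is refused, which is why a <Directory> that lists only Require ip rules needs no explicit deny.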
https
Generate a private key for the server and obtain a certificate. The CSR below carries only a Common Name; current browsers ignore the CN and require the host name in a subjectAltName extension, so for anything beyond a lab test add one (for example with the -addext subjectAltName=DNS:www.xiaoxiao.com option of openssl req, or through the CA's signing configuration). The umask 077 subshell keeps the key readable by root only.
# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
......................................+++
......................................+++
e is 65537 (0x10001)
# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ZJ
Locality Name (eg, city) [Default City]:NB
Organization Name (eg, company) [Default Company Ltd]:XIAOXIAO
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.xiaoxiao.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# scp /etc/httpd/ssl/httpd.csr 192.168.1.104:/root/
# (send the request to the CA server)
The CA server signs the certificate:
# openssl ca -in httpd.csr -out httpd.crt -days 3655
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
......
# scp httpd.crt 192.168.1.112:/etc/httpd/ssl/
# (send the certificate back)
Include the SSL configuration file:
Include /etc/httpd/extra/httpd-ssl.conf
Then edit it. ServerName must match the name in the certificate (www.xiaoxiao.com, the CN of the CSR above), since that is the name clients will verify:
DocumentRoot "/httpd-website/www.xiaoxiao.com"
ServerName www.xiaoxiao.com:443
SSLCertificateFile "/etc/httpd/ssl/httpd.crt"
SSLCertificateKeyFile "/etc/httpd/ssl/httpd.key"
The top of that file lists the modules that SSL needs; load them.
# Required modules: mod_log_config, mod_setenvif, mod_ssl,
#          socache_shmcb_module (for default value of SSLSessionCache)
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule log_config_module modules/mod_log_config.so
mod_ssl and socache_shmcb_module have to be loaded by hand; the other two are loaded by default.
# httpd -t
Syntax OK
# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
# ss -tuln | grep 443
tcp    LISTEN     0      128    :::443     :::*
The service is now listening on port 443.
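Before pointing mod_ssl at httpd.key and httpd.crt it is worth checking the things httpd and browsers will trip over: that the key really belongs to the certificate, that the key file is not world-readable, and that every ServerName served on this IP:port appears in the certificate's subjectAltName. Here is an added Python self-check that does exactly that (example code for this page, not from httpd, OpenSSL or the original post). To stay offline it generates a throw-away self-signed certificate with the openssl command line instead of having the CA sign a CSR; the checks are the same for the CA-issued httpd.crt. It assumes an openssl binary of version 1.1.1 or newer on PATH, and the file names and host lists below are assumptions.

```python
import os
import re
import ssl
import subprocess
import tempfile
from pathlib import Path


def generate_self_signed(workdir: Path, cn: str, san: list):
    """genrsa + req in one step, self-signed; -addext writes the SAN that browsers
    require (a CN alone is ignored by Chrome and Firefox)."""
    key, crt = workdir / "httpd.key", workdir / "httpd.crt"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
         "-keyout", str(key), "-out", str(crt),
         "-subj", "/C=CN/ST=ZJ/L=NB/O=XIAOXIAO/OU=ops/CN=" + cn,
         "-addext", "subjectAltName=" + ",".join("DNS:" + h for h in san)],
        check=True, capture_output=True)
    os.chmod(key, 0o600)          # same effect as the page's (umask 077; ...)
    return key, crt


def key_matches_cert(crt: Path, key: Path) -> bool:
    """load_cert_chain fails with 'key values mismatch' when key and cert disagree;
    httpd performs the same check at startup."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(str(crt), str(key))
        return True
    except ssl.SSLError:
        return False


def key_is_private(key: Path) -> bool:
    """No group/other permission bits on the private key file."""
    return (key.stat().st_mode & 0o077) == 0


def san_names(crt: Path) -> set:
    """DNS names from the subjectAltName extension, via openssl x509 -ext."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-ext", "subjectAltName", "-in", str(crt)],
        check=True, capture_output=True, text=True).stdout
    return set(re.findall(r"DNS:([^,\s]+)", out))


def hostname_matches(names: set, host: str) -> bool:
    """RFC 6125 style match: exact name, or a single leading wildcard label."""
    host = host.lower()
    for n in names:
        n = n.lower()
        if n == host:
            return True
        if n.startswith("*.") and host.count(".") == n.count(".") and host.endswith(n[1:]):
            return True
    return False


def check_pair(workdir: Path, cn: str, san: list, served: list) -> dict:
    """Generate a pair and report what mod_ssl / clients would complain about."""
    key, crt = generate_self_signed(workdir, cn, san)
    names = san_names(crt)
    return {
        "key_matches": key_matches_cert(crt, key),
        "key_private": key_is_private(key),
        "uncovered": sorted(h for h in served if not hostname_matches(names, h)),
    }


def demo() -> dict:
    """One certificate for www.xiaoxiao.com is installed on 192.168.1.112:443; the
    name-based siblings on that address only verify if they are in its SAN."""
    with tempfile.TemporaryDirectory() as d:
        site, other = Path(d, "site"), Path(d, "other")
        site.mkdir()
        other.mkdir()
        result = check_pair(site, "www.xiaoxiao.com",
                            ["www.xiaoxiao.com", "web.xiaoxiao.com"],
                            ["www.xiaoxiao.com", "web.xiaoxiao.com", "ops.xiaoxiao.com"])
        other_key, _ = generate_self_signed(other, "dep.xiaoxiao.com", ["dep.xiaoxiao.com"])
        result["wrong_key_rejected"] = not key_matches_cert(site / "httpd.crt", other_key)
        return result
```

The "uncovered" list is the practical point for the setup above: httpd-ssl.conf binds one certificate to 192.168.1.112:443, so the name-based siblings on that address (web, ops) are served under that same certificate and fail verification unless their names are in its SAN (or each gets its own <VirtualHost *:443> with its own certificate, selected by SNI).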
.................^_^
CGI
CGI (Common Gateway Interface) is one of the most important technologies of the WWW and occupies an irreplaceable position. CGI is the interface standard between external applications (CGI programs) and a web server, the convention by which information is passed between a CGI program and the web server. The CGI specification allows a web server to execute external programs and send their output to the web browser, turning a set of simple static hypermedia documents into a complete new interactive medium. Most CGI programs interpret and process input from forms, perform the corresponding processing on the server, or return the corresponding information to the browser. CGI programs give web pages interactive functionality. (Paraphrased from Baidu Baike.)
Here is a CGI example.
Enable the CGI module. httpd-2.4 ships two: mod_cgi for the prefork MPM and mod_cgid for the threaded worker and event MPMs; load the one that matches your MPM (the stock httpd.conf wraps the two LoadModule lines in <IfModule mpm_prefork_module> / <IfModule !mpm_prefork_module> blocks for this reason).
LoadModule cgid_module modules/mod_cgid.so
LoadModule cgi_module modules/mod_cgi.so
<Directory "/httpd-website">
    Options FollowSymLinks ExecCGI
    AllowOverride None
    Require all granted
</Directory>
ScriptAlias /cgi-bin/ "/httpd-website/cgi-bin/"
ScriptAlias maps the URL prefix /cgi-bin/ to /httpd-website/cgi-bin/ and marks that directory as containing CGI scripts, so every file in it is executed rather than served. The ExecCGI option is only needed if scripts should also run outside that directory (for example with AddHandler cgi-script .cgi); keep it off the document roots otherwise, because any file an attacker can upload there becomes executable.
Write the CGI script, save it under /httpd-website/cgi-bin/, and make it executable (chmod +x). The blank line after the Content-Type header is mandatory: it separates the header block from the body, and without it httpd logs "malformed header from script" and returns 500. Comments cannot go inside the here-document, because everything between the two EOF markers is sent to the client verbatim.
#!/bin/bash
# the empty line after Content-Type is required
/bin/cat << EOF
Content-Type: text/html

<pre>
now time is `/bin/date +"%Y-%m-%d %H:%M:%S"`
</pre>
EOF
Then reload the service.
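The same script in Python, as an added example (written for this page, not taken from the original post or from httpd), to make the two CGI details that bite in practice testable: the header block must end with one blank line, and anything taken from QUERY_STRING must be HTML-escaped before it is written into the page, otherwise the script reflects attacker input. The name parameter, the script name and the split_cgi_output helper (which parses the output the way httpd does) are assumptions of this example; the environment passed in the test is constructed.

```python
#!/usr/bin/env python3
import html
import os
import sys
import time
from urllib.parse import parse_qs


def build_response(environ, now=None) -> bytes:
    """Full CGI output (headers, blank line, body) for a CGI environment dict."""
    now = now or time.strftime("%Y-%m-%d %H:%M:%S")
    params = parse_qs(environ.get("QUERY_STRING", ""))
    who = params.get("name", ["visitor"])[0]          # attacker-controlled input
    body = "<pre>\nnow time is %s\nhello %s\n</pre>\n" % (
        html.escape(now), html.escape(who))            # escape before interpolating
    headers = "Content-Type: text/html; charset=utf-8\r\n"
    # The second \r\n is the blank line that ends the header block. Without it
    # httpd answers 500 "malformed header from script".
    return (headers + "\r\n" + body).encode("utf-8")


def split_cgi_output(raw: bytes):
    """Parse script output like httpd: (headers dict, body), or None when no
    blank line terminates the header block."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        if sep in raw:
            head, body = raw.split(sep, 1)
            break
    else:
        return None
    headers = {}
    for line in head.decode("iso-8859-1").splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


if __name__ == "__main__":                             # run by httpd as /cgi-bin/now.py
    sys.stdout.buffer.write(build_response(os.environ))
```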
Compression
The compression feature compresses the body of HTTP responses so that they use less bandwidth. One caveat before enabling it on the HTTPS site: compressing a response that contains both a secret (a session or CSRF token) and attacker-influenced content lets an attacker recover the secret from the compressed size (the BREACH attack), so keep DEFLATE off such pages.
First copy a log file into the www.xiaoxiao.com directory for testing:
# pwd
/httpd-website/www.xiaoxiao.com
# ll -h
total 28K
-rw-r--r--. 1 root root  52 Jul  2 20:09 index.html
-rw-r--r--. 1 root root 24K Jul  2 19:06 log.html
Then enable compression and compare the Content-Length before and after.
LoadModule deflate_module modules/mod_deflate.so
Configuration (comments on their own lines; httpd does not accept trailing comments):
# enable the output filter
SetOutputFilter DEFLATE
# Restrict compression to these MIME types
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
# Level of compression (Highest 9 - Lowest 1)
DeflateCompressionLevel 9
# Netscape 4.x has some problems.
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
Check the configuration file and reload the service. Before testing again it is best to clear the browser cache, otherwise the old uncompressed copy is shown.
# httpd -t
Syntax OK
# service httpd reload
Reloading httpd:
Compression works: Content-Length of log.html is now far below the 24K on disk.
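Whether a given response actually gets compressed depends on three things the configuration above encodes: the client's Accept-Encoding, the MIME type list, and the BrowserMatch exceptions. Here is an added Python model of that decision plus the size comparison (example code for this page, not mod_deflate's own logic or the original post). The user agents and the 24 KB stand-in for log.html are constructed; q-values other than q=0 and the * wildcard are deliberately not modelled.

```python
import gzip
import re

COMPRESSED_TYPES = {
    "text/plain", "text/html", "application/xhtml+xml", "text/xml",
    "application/xml", "application/x-javascript", "text/javascript", "text/css",
}

# The three BrowserMatch lines in file order. A later match can clear (!var)
# a variable an earlier one set, which is how the MSIE rule works.
BROWSER_MATCH = [
    (r"^Mozilla/4",          {"gzip-only-text/html": True}),
    (r"^Mozilla/4\.0[678]",  {"no-gzip": True}),
    (r"\bMSI[E]",            {"no-gzip": False, "gzip-only-text/html": False}),
]


def browser_env(user_agent: str) -> set:
    """Environment variables BrowserMatch leaves set for this User-Agent."""
    env = {}
    for pattern, settings in BROWSER_MATCH:
        if re.search(pattern, user_agent):
            env.update(settings)
    return {name for name, on in env.items() if on}


def accepts_gzip(accept_encoding: str) -> bool:
    """True when the client lists gzip with a non-zero q-value."""
    for item in accept_encoding.split(","):
        name, _, params = item.partition(";")
        if name.strip().lower() == "gzip":
            q = re.search(r"q\s*=\s*([0-9.]+)", params)
            return q is None or float(q.group(1)) > 0
    return False


def will_compress(accept_encoding: str, user_agent: str, content_type: str) -> bool:
    """Would mod_deflate, configured as on the page, gzip this response?"""
    if not accepts_gzip(accept_encoding):             # 1. client must ask for it
        return False
    mime = content_type.split(";")[0].strip().lower()
    if mime not in COMPRESSED_TYPES:                   # 2. AddOutputFilterByType list
        return False
    env = browser_env(user_agent)                      # 3. BrowserMatch exceptions
    if "no-gzip" in env:
        return False
    if "gzip-only-text/html" in env and mime != "text/html":
        return False
    return True


def sample_page(rows: int = 280) -> bytes:
    """Constructed stand-in for the page's log.html: a repetitive table, about 24 KB."""
    row = ("<tr><td>2015-07-02 19:06:%02d</td><td>192.168.1.107</td>"
           "<td>GET /index.html</td></tr>\n")
    return ("<html><body><table>\n" + "".join(row % (i % 60) for i in range(rows))
            + "</table></body></html>\n").encode()


def transfer_sizes(body: bytes, level: int = 9):
    """(uncompressed, gzip) sizes; the second is what goes on the wire."""
    return len(body), len(gzip.compress(body, compresslevel=level))
```

Log-like HTML is highly repetitive, which is why the saving on log.html is so large; for an already-compressed type such as image/png the filter is never applied, which the MIME list guarantees.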
status page
This is a handler built into httpd; through server-status you can view the server's current state.
LoadModule status_module modules/mod_status.so
.......
Include /etc/httpd/extra/httpd-info.conf
<Location /server-status>
    SetHandler server-status
    Require host localhost
    Require ip 127.0.0.1 192.168.1.107
</Location>
Reload the service and test.
This page must not be viewable by everyone, so always put access control on it!!! It shows client addresses and the URLs currently being requested. The two Require lines above form an implicit <RequireAny>: a client is admitted if its reverse-resolved name is localhost or its address is 127.0.0.1 or 192.168.1.107. Since Require host needs a reverse DNS lookup, the Require ip line is what actually admits local requests.
.................^_^