httpd练习.md

需求说明

分别用httpd-2.2和httpd-2.4 实现以下功能:

  • 两个虚拟主机,名字为www.a.comwww.b.org
  • www.a.com 页面文件为/opt/a.com/htdocs,访问日志文件路径/var/log/httpd/a.com/access.log,错误日志文件路径/var/log/httpd/a.com/error.log。两种日志做好按天切割日志。
  • www.b.org 页面文件为/opt/b.org/htdocs,访问日志文件路径/var/log/httpd/b.org/access.log,错误日志文件路径/var/log/httpd/b.org/error.log。两种日志做好按天切割日志。
  • 通过www.a.com/server-status输出其状态信息,且要求只允许提供账号的用户访问;
  • wwww.a.com/server-status只允许192.168.5.0/24 网络中的主机访问。
  • 同时为这两个虚拟主机提供https服务。

说明:测试中的httpd全部为yum安装,httpd-2.2会在CentOS 6中演示,httpd-2.4会在CentOS 7中演示。

httpd-2.2 配置

安装

安装可以使用yum安装也可以使用编译安装,但是CentOS 6中系统yum源默认的是httpd-2.2版本,这个需要注意。

#yum install -y httpd httpd-devel mod_ssl

ssl证书签署

以下操作是在CA机器上进行的操作。

生成CA证书

# yum install -y openssl openssl-devel
# cd /etc/pki/CA/
#  (umask 077; openssl genrsa 2048 > private/cakey.pem)
# openssl req -new -x509 -key private/cakey.pem -days 3655 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server‘s hostname) []:www.example.com
Email Address []:[email protected]
#  touch index.txt serial
# echo 01 > serial

a.com域名证书签署

# mkdir /opt/ssl/a.com -p
# (umask 077 ;openssl genrsa 2048 > a.key)
#  openssl req -new -key a.key -out a.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server‘s hostname) []:www.a.com
Email Address []:[email protected]

Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in a.csr -out a.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 28 08:05:37 2016 GMT
            Not After : Nov 28 08:05:37 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShangHai
            organizationName          = example
            organizationalUnitName    = ops
            commonName                = www.a.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AD:30:DE:CC:1A:BC:2B:91:B0:B0:25:E0:48:92:1A:1B:45:38:5D:90
            X509v3 Authority Key Identifier:
                keyid:63:44:A4:35:9B:BA:F3:D1:85:99:60:6B:56:84:5B:E4:F5:83:25:06

Certificate is to be certified until Nov 28 08:05:37 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

签署b.org域名的证书

# mkdir /opt/ssl/b.org/
# cd /opt/ssl/b.org/
# (umask 077 ;openssl genrsa 2048 > b.key)
# openssl req -new -key b.key -out b.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server‘s hostname) []:www.b.org
Email Address []:[email protected]

Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#  openssl ca -in b.csr -out b.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Nov 28 08:12:01 2016 GMT
            Not After : Nov 28 08:12:01 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShangHai
            organizationName          = example
            organizationalUnitName    = ops
            commonName                = www.b.org
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                93:8A:3D:19:32:67:D3:3A:3D:1B:FE:15:04:C2:A0:42:FC:13:3A:7E
            X509v3 Authority Key Identifier:
                keyid:63:44:A4:35:9B:BA:F3:D1:85:99:60:6B:56:84:5B:E4:F5:83:25:06

Certificate is to be certified until Nov 28 08:12:01 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

复制证书到httpd主机

# scp -r  /opt/ssl/* [email protected]:/etc/httpd/ssl/

注意httpd服务器上ssl目录的创建。

查看签署信息

# cat serial
03
# cat index.txt
V   171128080537Z       01  unknown /C=CN/ST=ShangHai/O=example/OU=ops/CN=www.a.com/[email protected]
V   171128081201Z       02  unknown /C=CN/ST=ShangHai/O=example/OU=ops/CN=www.b.org/[email protected]

httpd配置

以下操作是在httpd服务器上进行的操作。

# vim /etc/httpd/conf.d/www.conf
<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/opt/a.com/htdocs"
DirectoryIndex index.html index.htm
#CustomLog logs/a.com/access_log combined
CustomLog "|rotatelogs /var/log/httpd/a.com/access_%Y%m%d.log 86400 480" combined
ErrorLog "|rotatelogs /var/log/httpd/a.com/error_%Y%m%d.log 86400 480"
<Location /server-status>
SetHandler server-status
Order allow,Deny
Allow from 192.168.5
AuthType Basic
AuthName "a.com basic"
AuthUserFile "/etc/httpd/conf/.htpasswd"
Require user bols
</Location>
</VirtualHost>

<VirtualHost *:80>
ServerName www.b.org
DocumentRoot "/opt/b.org/htdocs"
DirectoryIndex index.html index.htm
CustomLog "|rotatelogs /var/log/httpd/b.org/access_%Y%m%d.log 86400 480" combined
ErrorLog "|rotatelogs /var/log/httpd/b.org/error_%Y%m%d.log 86400 480"
#CustomLog logs/b.org/access_log combined
#ErrorLog logs/b.org/error_log
</VirtualHost>

<VirtualHost *:443>
ServerName www.b.org:443
DocumentRoot "/opt/b.org/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/b.org/access_ssl.log combined
ErrorLog /var/log/httpd/b.org/error_ssl.log
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/b.org/b.crt
SSLCertificateKeyFile /etc/httpd/ssl/b.org/b.key
</VirtualHost>

<VirtualHost *:443>
ServerName www.a.com:443
DocumentRoot "/opt/a.com/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/a.com/access_ssl.log combined
ErrorLog /var/log/httpd/a.com/error_ssl.log
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/a.com/a.crt
SSLCertificateKeyFile /etc/httpd/ssl/a.com/a.key
</VirtualHost>

测试

  • 创建网站测试的文件
[[email protected] ~]# cat /opt/a.com/htdocs/index.html
<h1>www.a.com</h1>
[[email protected] ~]# cat /opt/b.org/htdocs/index.html
<h1>www.b.org</h1>
  • 导入根证书

请将CA 证书中的cacert.pem 文件导入到浏览器中的受信任的根证书中。

  • 相关所需文件的创建
# mkdir /var/log/httpd/a.com/
# mkdir /var/log/httpd/b.org/
# /etc/init.d/httpd start
# htpasswd -cm /etc/httpd/conf/.htpasswd bols
  • 测试

测试前请在hosts文件写入域名和想对应的解析IP:

# curl  http://www.a.com/index.html
<h1>www.a.com</h1>
# curl  http://www.b.org/index.html
<h1>www.b.org</h1>

# openssl s_client -connect www.b.org:443 -CAfile /etc/pki/CA/cacert.pem
......
GET /index.html HTTP/1.1
Host:www.b.org

HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 09:58:20 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 23 Nov 2016 09:17:33 GMT
ETag: "2405e-13-541f45be79532"
Accept-Ranges: bytes
Content-Length: 19
Connection: close
Content-Type: text/html; charset=UTF-8

<h1>www.b.org</h1>
closed

# openssl s_client -connect www.a.com:443 -CAfile /etc/pki/CA/cacert.pem
......
GET /index.html HTTP/1.1
Host:www.a.com

HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 09:57:39 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 23 Nov 2016 09:17:04 GMT
ETag: "2405f-13-541f45a2f779e"
Accept-Ranges: bytes
Content-Length: 19
Connection: close
Content-Type: text/html; charset=UTF-8

<h1>www.a.com</h1>
closed

[[email protected] ~]# curl -I --user bols:bols http://www.a.com/server-status
HTTP/1.1 200 OK
Date: Mon, 28 Nov 2016 11:05:37 GMT
Server: Apache/2.2.15 (CentOS)
Content-Length: 2536
Connection: close
Content-Type: text/html; charset=ISO-8859-1

安装配置出现问题:

  • 语法检测时出现警告
# httpd -t
httpd: apr_sockaddr_info_get() failed for db-02
httpd: Could not reliably determine the server‘s fully qualified domain name, using 127.0.0.1 for ServerName
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Mon Nov 28 16:44:58 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
Syntax OK

首先第一个是httpd的配置文件中ServerName 没有指定:

# vim /etc/httpd/conf/httpd.conf +276
ServerName *:80

之后在检测开始报错:

# httpd -t
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 80, the first has precedence
[Mon Nov 28 16:45:42 2016] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
Syntax OK

这个是由于NameVirtualHost 没有指定:

vim /etc/httpd/conf/httpd.conf +991
NameVirtualHost *:80
NameVirtualHost *:443
  • 配置日志滚动时出现滚动日志失败

原因:问题原因不清楚,但是解决方法是将日志文件使用绝对路径,不要使用相对路径。

httpd-2.4

安装

# yum install -y httpd httpd-devel mod_ssl

CA证书配置

ssl证书还是用于在CentOS 6系统中创建的,并把文件拷贝至/etc/httpd/ssl目录中,注意这个目录需要手动创建。

网站测试文件创建

# cat /opt/a.com/htdocs/index.html
<h1>www.a.com</h1>
# cat /opt/b.org/htdocs/index.html
<h1>www.b.org</h1>

认证文件创建

htpasswd 命令的使用请自行谷歌。

# htpasswd -cm /etc/httpd/conf/htpasswd bols

配置

<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/opt/a.com/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/a.com/access.log  combined
ErrorLog  /var/log/httpd/a.com/error.log
<Directory "/opt/a.com/htdocs">
Options None
AllowOverride None
Require all granted
</Directory>
<Location /server-status>
SetHandler server-status
Options None
AuthType Basic
AuthName "a.com basic"
AuthUserFile "/etc/httpd/conf/htpasswd"
Require user bols
</Location>
</VirtualHost>

<VirtualHost *:80>
ServerName www.b.org
DocumentRoot "/opt/b.org/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/b.org/access.log combined
ErrorLog /var/log/httpd/b.org/error.log
<Directory "/opt/b.org/htdocs">
Options None
AllowOverride None
Require all granted
</Directory>
</VirtualHost>

<VirtualHost *:443>
ServerName www.b.org:443
DocumentRoot "/opt/b.org/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/b.org/access_ssl.log combined
ErrorLog /var/log/httpd/b.org/error_ssl.log
<Directory "/opt/b.org/htdocs">
Options None
AllowOverride None
Require all granted
</Directory>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/b.org/b.crt
SSLCertificateKeyFile /etc/httpd/ssl/b.org/b.key
</VirtualHost>

<VirtualHost *:443>
ServerName www.a.com:443
DocumentRoot "/opt/a.com/htdocs"
DirectoryIndex index.html index.htm
CustomLog /var/log/httpd/a.com/access_ssl.log combined
ErrorLog /var/log/httpd/a.com/error_ssl.log
<Directory "/opt/a.com/htdocs">
Options None
AllowOverride None
Require all granted
</Directory>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/a.com/a.crt
SSLCertificateKeyFile /etc/httpd/ssl/a.com/a.key
</VirtualHost>

测试

测试和CentOS 6中一样,测试的结果就不在贴出。

说明

在CentOS 7 中的配置和使用和CentOS 6有以下几个区别(个人总结):

  • 启动httpd不在是用service命令而是使用systemctl命令。
  • 任意目录下的页面只有显式授权才能被访问。
  • 访问控制配置如下:
    • 允许所有主机访问:Require all granted
    • 拒绝所有主机访问:Require all deny
    • 授权指定来源的IP访问:Require ip IPADDR
    • 拒绝指定来源的IP访问:Require not ip IPADDR
    • 授权指定来源的主机访问:Require host HOSTNAME
    • 拒绝指定来源的主机访问:Require not host HOSTNAME

关于日志滚动的说明:

  • httpd 日志滚动可以用rotatelogs、cronolog或者脚本滚动。
  • 日志滚动可以用rotatelogs 是httpd自带的日志滚动工具,自己测试在httpd-2.4中没有成功。
  • cronolog 是在epel源中的一个日志滚动工具,需要安装。
  • 脚本控制滚动这个看自己业务需求进行写了。
时间: 2024-10-18 23:33:56

httpd练习.md的相关文章

httpd配置.md

httpd-2.2 配置 监听端口和IP 配置文件: Listen [IP:]PORT 省略IP表示为0.0.0.0 Listen指令可重复出现多次 修改监听socket,重启服务进程方可生效 可以监听在指定的IP地址的端口上,但这么操作必须重启服务 持久连续 我们知道http是无状态.无连接的,无连接的含义是限制每次连接只处理一个请求.服务器处理完客户的请求,并收到客户的应答后,即断开连接.采用这种方式可以节省传输时间.无状态是指协议对于事务处理没有记忆能力.缺少状态意味着如果后续处理需要前面

httpd详解

_3_2HTTPD和http.md #APACHE ##相关概念 URI:统一资源标识符,全局范围内.路径. URL:统一资源定位符. PV:page view 每天页面访问量 UV:user view每天独立IP访问量 超链接:跳转文档 端口: 0-1023:众所周知,永久地分配给固定的应用使用,特权端口: 1024-41951:亦为注册端口,但要求不是特别严格,分配给程序注册为某应用使用:3306/tcp, 11211/tcp: 41952+:客户端程序随机使用的端口,动态端口,或私有端口:

Nginx为什么比Apache Httpd高效:原理篇

一.进程.线程? 进程是具有一定独立功能的,在计算机中已经运行的程序的实体.在早期系统中(如linux 2.4以前),进程是基本运作单位,在支持线程的系统中(如windows,linux2.6)中,线程才是基本的运作单位,而进程只是线程的容器.程序 本身只是指令.数据及其组织形式的描述,进程才是程序(那些指令和数据)的真正运行实例.若干进程有可能与同一个程序相关系,且每个进程皆可以同步(循 序)或异步(平行)的方式独立运行.现代计算机系统可在同一段时间内以进程的形式将多个程序加载到存储器中,并借

centos7,监控httpd运行状态

#!/bin/bash # 获取运行状态 http=$(systemctl status httpd | grep Active | awk '{print $2}') # 判断运行状态 if [ "$http" != "active" ];then # 运行状态为失败时尝试重启并发出重启成功信息,如果运行失败发出失败警告! systemctl restart httpd && echo "httpd Restart successfull

Mac OS X取消Apache(httpd)开机启动

关闭http开机启动 sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist 开机启动 sudo launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist

httpd搭建及知识点

http 的默认端口:80/tcphttps 的默认端口:443/tcp http协议的版本:    http/0.9    http/1.0    http/1.1    http/2.0 socket:BSD是 socket ipc的一种实现,允许在不同的主机上的进程之间相互通信的解决方式基于套接字有三中通信:    tcp套接字    udp套接字    裸套接字套件字的使用格式    ipv4    ipv6    unix sock 工作的模式: 一次完整http事务:请求 -- 响应

linux服务之http协议和httpd的配置(一)

http协议和httpd的配置 URL:Unifrom Resource Locator URL方案:scheme 服务器地址:ip:port 资源路径: http://www.magedu.com:80/bbs/index.php, https:// 基本语法: <scheme>://<user>:<password>@<host>:<port>/<path>;<params>?<query>#<fra

linux服务之http协议和httpd的配置(二)

httpd-2.2的常见配置(2) 14.curl命令 curl是基于URL语法在命令行方式下工作的文件传输工具,它支持FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE及LDAP等协议.curl支持HTTPS认证,并且支持HTTP的POST.PUT等方法, FTP上传, kerberos认证,HTTP上传,代理服务器, cookies, 用户名/密码认证, 下载文件断点续传,上载文件断点续传, http代理服务器管道( proxy tunnel

linux服务之http协议和httpd的配置(三)

httpd的基本应用(3) httpd-2.4: 新特性: (1) MPM支持运行为DSO机制:以模块形式按需加载: (2) event MPM生产环境可用: (3) 异步读写机制: (4) 支持每模块及每目录的单独日志级别定义: (5) 每请求相关的专用配置: (6) 增强版的表达式分析式: (7) 毫秒级持久连接时长定义: (8) 基于FQDN的虚拟主机也不再需要NameVirutalHost指令: (9) 新指令,AllowOverrideList: (10) 支持用户自定义变量: (11