首先,简单说一说http协议。
http:c/s架构,通信协议http(html:超文本标记语言):超文本传输协议
http/1.0引入MIME类型,使得http可以传输图片、动图等各种类型的数据;
http/1.1:改进了cache功能,增加了条件式请求等功能。
客户端将网站主页面等一些轻易不会改变的资源缓存下来,请求时速度会很快,而且也会减小服务器的压力。 浏览器每域名有线程限制
服务器端优化:保证服务器性能更好,使用更多的服务器来响应、同时服务,保证带宽足够用等。。。
http/2.0:只适用于https。
一、持久连接
]# vi /etc/httpd/conf.d/keepalive.conf #新建一个以.conf结尾的文件,
Keepalive off #关闭持久连接 #Keepalive on #开启持久连接 #KeepaliveTimeout 60 #设置超时时长 #MaxKeepAliveRequests 10 #最多允许请求多少个资源(可选项)
测试
使用Telnet请求
]# telnet 10.1.12.12 80
GET /index.html http/1.1 #<method><URL><version> 请求方法、资源、http版本 Host:10.1.12.12 #服务器IP,然后俩次回车
二、自定义日志
http://httpd.apache.org/docs/2.4/mod/mod_log_config.html
可以在官网查看,如果连不上外网,也可以在base仓库下载安装包
]#yum -y install httpd-manual.noarch
http://Server_IP/manual
%h:记录客户端主机名
%l:客户端通过identd登录时使用名称;一般为空
%u:用户认证登录的名字;无登录机制一般为空
%t:收到客户端请求时的时间;
\”:显示引号本身,而不是作为引用符号
%r:请求报文的首行<method><url><version>
%>s:响应状态状态码,如果内部发生变化。则记录最后一次响应的响应码
%b:响应报文的大小
%{Refere}i:记录Http首部Reference对应的值;即访问入口,从哪个页面跳转至此页面
%{User-Agent}i:记录Http首部User-Agent对应的值;即浏览器类型
三、访问控制
<Directory "/var/www/html"> Options Indexes FollowSymLinks AllowOverride None Require all granted </Directory>
Indexes:目录下的文件都可以访问(除非你建的是下载站,否则这项关闭)
FollowSymLinks:允许跟踪符号链接
AllowOverride:httpd允许在网页文档的各目录下使用隐藏文件.htaccess来各自的访问控制;此指令定义哪此指令可以在.htaccess中定义
Require:
Require all granted
Require all denied
<RequireAll>
Require ip 10.1.0.0/16
Require all denied
</RequireAll> 拒绝所有,读取时从上到下的顺序
Require ip IP|NETWORK
Require not ip IP|NETWORK
Require host HOSTNAME
Require not host HOSTNAME
四、虚拟主机(IP、端口、主机名不同)
1、修改主配置文件,添加端口
2、添加网卡或配置临时IP
3、创建网站文件目录与主页面
4、创建虚拟主机的配置文件
主配置文件:
]# vi /etc/httpd/conf/httpd.conf
Listen 80 Listen 8080 Listen 8088 Listen 8090
虚拟主机配置文件:
]# vi /etc/httpd/conf.d/vhosts.conf
<VirtualHost 192.168.1.2:8080> #第一个虚拟主机 ServerName www.s1.com DocumentRoot "/vhosts/s1" <Directory /vhosts/s1> Options none AllowOverride none Require all granted </Directory> <Directory /vhosts/s1/admin> #隐私文件,配置用户认证(用户访问控制) Options none AllowOverride none AuthType basic #类型 Authname "Admin Area,Please enter your name/password" #提示 Authuserfile "/etc/httpd/conf/.userfile" #路径及文件名 Require valid-user #设置只能文件中给出的用户可以访问 # Require User tom jerry #允许文件中的某几个用户可以访问 </Directory> CustomLog logs/s1_access.log combind #定义访问日志 ErrorLog logs/s1_error.log #定义错误日志 </VirtualHost> <VirtualHost 192.168.1.3:8088> #第二个虚拟主机 ServerName www.s2.com DocumentRoot "/vhosts/s2" <Directory /vhosts/s2> Options none AllowOverride none Require all granted </Directory> CustomLog logs/s2_access.log combind ErrorLog logs/s2_error.log </VirtualHost> <VirtualHost 192.168.1.4:8090> #第三个虚拟主机 ServerName www.s3.com DocumentRoot "/vhosts/s3" Alias /bbs /mnt #定义路径别名 <Directory /vhosts/s3> Options none AllowOverride none Require all granted </Directory> <Directory "/mnt"> #配置路径别名目录的权限 Options none AllowOverride none Require all granted </Directory> CustomLog logs/s3_access.log combind ErrorLog logs/s3_error.log </VirtualHost>
五、status状态页
]#vi /etc/httpd/conf.d/status.conf
<Directory /status> Sethandler server-status Require all granted </Directory>
六、用户认证
1、建立隐私目录
2、修改主配置文件
3、设置访问用户
~]#mkdir /vhost/s1/admin
<Directory"/vhost/s1/admin"> Options none AllowOverride none AuthType basic Authname "Admin Area,Enteryour name/password" Authuserfile"/etc/httpd/conf/.htpasswd" Require valid-user # Require User tom jerry </Directory>
]#htpasswd -c -m /etc/httpd/conf/.htpasswd tom
-c:创建新的文件
-m:用md5方式加密
]#htpasswd -m /etc/httpd/conf/.htpasswdjerry
七、压缩页面优化传输速度
]# vi /etc/httpd/conf.d/deflate.conf
# Restrict compression to these MIME types AddOutputFilterByType DEFLATE text/plain AddOutputFilterByType DEFLATE text/html AddOutputFilterByType DEFLATE application/xhtml+xml AddOutputFilterByType DEFLATE text/xml AddOutputFilterByType DEFLATE application/xml AddOutputFilterByType DEFLATE application/x-javascript AddOutputFilterByType DEFLATE text/javascript AddOutputFilterByType DEFLATE text/css # Level of compression (Highest 9 - Lowest 1) DeflateCompressionLevel 9 # Netscape 4.x has some problems. BrowserMatch ^Mozilla/4 gzip-only-text/html # Netscape 4.06-4.08 have some more problems BrowserMatch ^Mozilla/4\.0[678] no-gzip # MSIE masquerades as Netscape, but it is fine BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
八、HTTPS配置
注意:SSL会话是基于IP地址创建;所以单IP的主机上,仅可以使用一个https虚拟主机
~]# httpd -M |grep ssl #查询有没有ssl模块,如果没有,在base仓库里安装
~]# yum install -y mod_ssl
由于申请证书比较麻烦,这里演示本机私建CA
]# ls /etc/pki/CA/ #下面操作在此目录下,centos 7和6有点区别,6下面目录可能不存在 certs crl newcerts private
①创建私钥
]# (umask 077;openssl genrsa -out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus ...............................................................+++ ..........................+++ e is 65537 (0x10001)
括号是启动子进程,使生成的文件有700的权限,私钥存放目录private,长度2048(只能是2的次方,也可以是1024或者4096)
②自签证书
[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem Country Name (2 letter code) [XX]:CN #国家(俩个字符的代码) State or Province Name (full name) []:Beijing #省 Locality Name (eg, city) [Default City]:Beijing #地区 Organization Name (eg, company) [Default Company Ltd]:latiao #公司名 Organizational Unit Name (eg, section) []:Ops #部门 Common Name (eg, your name or your server‘s hostname) []:ca.latiao.com #CA服务器名 Email Address []:admin.latiao.com #邮箱地址
[[email protected] CA]# echo 01 > serial [[email protected] CA]# touch index.txt
③需要获取证书的服务器生成私钥
[[email protected] httpd]# mkdir certs [[email protected] httpd]# cd certs/ [[email protected] certs]# (umask 700;openssl genrsa -out httpd.key 2048)
④需要获取证书的服务武器生成证书签署请求
[[email protected] certs]# openssl req -new -key httpd.key -out httpd.csr Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Beijing Locality Name (eg, city) [Default City]:Beijing Organization Name (eg, company) [Default Company Ltd]:latiao Organizational Unit Name (eg, section) []:development Common Name (eg, your name or your server‘s hostname) []:www.latiao.com Email Address []:webadmin.latiao.com Please enter the following ‘extra‘ attributes to be sent with your certificate request A challenge password []: An optional company name []:
Common Name #推广给客户端,客户端在浏览器中输入的网址,证书持有者的名称和客户访问的网址的名称要一致
⑤将申请证书发送给CA服务商,这里本机是CA服务商,所以自己签署就行
[[email protected] certs]# openssl ca -in httpd.csr -out httpd.crt #后面都是Y同意即可
修改ssl配置文件
[[email protected] conf.d]# vi ssl.conf
SSLEngine on SSLCertificateFile /etc/httpd/certs/httpd.crt SSLCertificateKeyFile /etc/httpd/certs/httpd.key DocumentRoot "/var/www/html" ServerName www.latiao.com
]# systemctl reload httpd.service
httpd支持第三方模块
让httpd接入模块的接口就是apxs,是由httpd-devel软件包提供的
编译第三方模块时必须指明apxs文件的位置
未完待续.....