http-2.2

Published: 2023-09-06 01:43  Editor: 苏小强  Keywords: http

Structure of the httpd configuration file:
    grep "Section" /etc/httpd/conf/httpd.conf
    ### Section 1: Global Environment
    ### Section 2: 'Main' server configuration
    ### Section 3: Virtual Hosts

Configuration format:
    directive value
    directive: not case-sensitive
    value: when it is a path, case sensitivity depends on the file system

httpd 2.2 program environment
    rpm -ql httpd
        /etc/httpd
        /etc/httpd/conf
        /etc/httpd/conf.d
        /etc/httpd/logs
        /etc/httpd/modules
        /etc/httpd/run
        /etc/logrotate.d/httpd
        /etc/rc.d/init.d/htcacheclean
        /etc/rc.d/init.d/httpd
        /etc/sysconfig/htcacheclean
        /etc/sysconfig/httpd
        /usr/lib64/httpd
        /usr/lib64/httpd/modules
        /usr/sbin/apachectl
        /usr/sbin/htcacheclean
        /usr/sbin/httpd
        /usr/sbin/httpd.event
        /usr/sbin/httpd.worker
        /usr/sbin/httxt2dbm
        /usr/sbin/rotatelogs
        /usr/sbin/suexec
        /usr/share/doc/
        /usr/share/man/man8/
        /var/cache/mod_proxy
        /var/lib/dav
        /var/log/httpd
        /var/run/httpd
        /var/www
        /var/www/cgi-bin
        /var/www/error
        /var/www/html
        /var/www/icons
    Service script: /etc/rc.d/init.d/httpd
    Configuration files:
        /etc/sysconfig/httpd
        /etc/httpd/conf/httpd.conf
    Service control and startup:
        chkconfig httpd on|off
        service httpd {start|stop|restart|status|configtest|reload}
    Site document root:
        /var/www/html
    Module file paths:
        /etc/httpd/modules
        /usr/lib64/httpd/modules
    Main program files:
        /usr/sbin/httpd
        /usr/sbin/httpd.worker
        /usr/sbin/httpd.event
    Main process (PID) file:
        /etc/httpd/run/httpd.pid
    Log directory:
        /var/log/httpd
        access_log: access log
        error_log: error log
    Documentation package:
        httpd-manual
    3) The HTTP protocol
        HTTP protocol
            http/0.9, http/1.0, http/1.1, http/2.0
            stateless: the server cannot keep tracking where a visitor comes from across requests
        Ways to work around HTTP statelessness
            cookie: stored on the client
            session: stored on the server
        HTTP transaction: the process of one access
            Request: request
            Response: response
        Tools for viewing or analysing the protocol:
            tcpdump
            wireshark
            tshark

1》 Displaying server version information
    ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full
        ServerTokens Prod[uctOnly]: Server: Apache
        ServerTokens Major: Server: Apache/2
        ServerTokens Minor: Server: Apache/2.0
        ServerTokens Min[imal]: Server: Apache/2.0.41
        ServerTokens OS: Server: Apache/2.0.41 (Unix)
        ServerTokens Full (or not specified): Server: Apache/2.0.41
    Recommended: ServerTokens Prod, so that the Server response header does not disclose the version or operating system.

2》 Changing the listening IP and port
    Listen [IP:]PORT
    Omitting the IP means 0.0.0.0
    At least one Listen directive is required; it may appear several times
        Listen 80
        Listen 8080
    A change to the listening socket takes effect only after the service process is restarted

3》 Persistent connections
    Persistent Connection: once the connection is established it is not closed after each resource has been fetched, but stays open to wait for further requests. Persistent connections are off by default.
    Disconnect condition: request count limit of 100
    Time limit: in seconds; httpd-2.4 supports millisecond granularity
    Side effect: on a server with heavy concurrent traffic, persistent connections can leave some requests unanswered
    Compromise: use a short persistent-connection timeout
    Settings:
        KeepAlive On|Off
        KeepAliveTimeout 15
        MaxKeepAliveRequests 100
    Test: telnet WEB_SERVER_IP PORT
        GET /URL HTTP/1.1
        Host: WEB_SERVER_IP

4》 MPM (multi-processing module)
    prefork, worker, event (experimental)
    httpd-2.2 cannot be built with several MPMs at once, so exactly one has to be chosen at compile time.
    The rpm package ships three binaries, each one supporting a different MPM.
    1. How to check which one is in use:
        ps aux | grep httpd
        The default is /usr/sbin/httpd, i.e. prefork
    2. List statically compiled modules
        httpd -l
    3. List statically compiled and dynamically loaded modules
        httpd -M
    4. Dynamic modules take effect when loaded, without a restart.
    5. Dynamic module path
        /usr/lib64/httpd/modules/
    6. Switching the httpd binary in use:
        vim /etc/sysconfig/httpd
            HTTPD=/usr/sbin/httpd.worker
            Takes effect after the service is restarted
        pstree -p|grep httpd    (view processes and threads)
    7. httpd 2.4 is different
        MPMs are provided as dynamic modules
        Configuration file: /etc/httpd/conf.modules.d/00-mpm.conf
        httpd -M |grep mpm
        Takes effect after the service is restarted
        pstree -p|grep httpd    (view processes and threads)
    8. Default prefork configuration
        <IfModule prefork.c>
            StartServers 8
            MinSpareServers 5
            MaxSpareServers 20
            # ServerLimit: maximum number of processes, at most 20000
            ServerLimit 256
            # MaxClients: maximum concurrency
            MaxClients 256
            # MaxRequestsPerChild: the most requests one child process may handle.
            # After that many requests the parent terminates the child, which
            # frees the memory it held (0 means it is never released).
            MaxRequestsPerChild 4000
        </IfModule>
    9. Default worker configuration
        <IfModule worker.c>
            StartServers 4
            MaxClients 300
            MinSpareThreads 25
            MaxSpareThreads 75
            ThreadsPerChild 25
            # 0 means no limit
            MaxRequestsPerChild 0
        </IfModule>

5》 DSO: Dynamic Shared Object
    Configuring dynamic module loading
        vim /etc/httpd/conf/httpd.conf
            Format of the directive that loads a module:
            LoadModule <mod_name> <mod_path>
            The module file path may be relative; it is relative to ServerRoot, /etc/httpd by default
    Example:
        LoadModule auth_basic_module modules/mod_auth_basic.so

6》 Defining the document path of the 'Main' server
        DocumentRoot "/path"
    Document path mapping:
        The path DocumentRoot points to is the starting point of URL paths
    Example:
        DocumentRoot "/app/data"
        http://HOST:PORT/test/index.html --> /app/data/test/index.html
    Note: mind SELinux and iptables

7》 Defining the site's index page
    DirectoryIndex index.html index.html.var

8》 Common site access control mechanisms
    Two kinds of container specify which resources a given access control applies to.
    There are two access control mechanisms: client source address and user account.
    File system path:
        <Directory "/path">
        ...
        </Directory>
        <Files "/path/file">
        ...
        </Files>
        <FilesMatch "PATTERN">
        ...
        </FilesMatch>
    URL path:
        <Location "">
        ...
        </Location>
        <LocationMatch "">
        ...
        </LocationMatch>
    Examples:
        <FilesMatch "\.(gif|jpe?g|png)$">
        <Files "?at.*">    (wildcard)
        <Location /status>
        <LocationMatch "/(extra|special)/data">

9》 Source-address-based access control inside <Directory>
    (1) Options:
        Followed by one or more whitespace-separated options; a + or - in front of an option adds or removes it.
        Common options:
            Indexes: when the requested URL path contains no resource matching the defined index page, return a directory listing to the user.
            FollowSymLinks: allow access to the source file a symbolic link points to
            None: disable everything
            All: allow everything
        Examples:
            <Directory /web/docs>
                Options Indexes FollowSymLinks
            </Directory>
            <Directory /web/docs/spec>
                Options FollowSymLinks
            </Directory>
            <Directory /web/docs>
                Options Indexes FollowSymLinks
            </Directory>
            <Directory /web/docs/spec>
                Options +Includes -Indexes
            </Directory>
    (2) AllowOverride:
        Which access-control-related directives may be placed in the .htaccess file (its name is set by AccessFileName) of the given directory to override earlier configuration directives; only valid inside <Directory> sections.
        AllowOverride All: all directives are honoured
        AllowOverride None: the .htaccess file is ignored
        AllowOverride AuthConfig Indexes: no directives other than AuthConfig and Indexes can be overridden
    (3) Order and Allow, Deny
        Order: defines the evaluation order; the one written last is the default policy.
            Order allow,deny
            Order deny,allow
        Allow from
        Deny from
        (rows: which rules the client matches; cells: whether access is granted)
                          allow,deny   deny,allow
            only allow    yes          yes
            only deny     no           no
            both          no           yes
            none          no           yes
        Source address:
            IP
        Network:
            172.16
            172.16.0.0
            172.16.0.0/16
            172.16.0.0/255.255.0.0
    (4) Examples:
        <Files "*.txt">
            Order deny,allow
            Deny from 172.16.100.100
            Allow from 172.16
        </Files>
        <Files "*.txt">
            Order allow,deny
            Deny from 172.16.100.100
            Allow from 172.16
        </Files>

10》 Log settings
    1. Log types:
        Access log
        Error log
    2. Error log:
        ErrorLog logs/error_log
        LogLevel warn
        Possible LogLevel values:
            debug, info, notice, warn, error, crit, alert, emerg
    3. Access log:
        Defining a log format:
            LogFormat format strings
            LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
        Using a log format:
            CustomLog logs/access_log combined
        Reference:
            http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
        %h  client IP address
        %l  remote user; only meaningful when mod_ident is enabled, usually a minus sign "-"
        %u  authenticated (basic, digest) remote user; a minus sign "-" for access without login
        %t  time at which the server received the request
        %r  the first line of the request message, recording the request's "method", "URL" and protocol version
        %>s  response status code
        %b  size of the response in bytes, not counting the HTTP response headers
        %{Referer}i  value of the "referer" request header, i.e. the page whose hyperlink led to the current page
        %{User-Agent}i  value of the "User-Agent" request header, i.e. the application that sent the request

11》 Setting the default character set
    AddDefaultCharset UTF-8
    Chinese character sets: GBK, GB2312, GB18030

12》 Defining path aliases
    Format: Alias /URL/ "/PATH/"
    DocumentRoot "/www/htdocs"
    http://www.m.com/download/bash.rpm ==> /www/htdocs/download/bash.rpm
    Alias /download/ "/rpms/pub/"
        http://www.m.com/download/bash.rpm ==> /rpms/pub/bash.rpm

13》 User-based access control
    1. Authentication challenge: response code 401; the server rejects the client request and states that the client must supply an account and password
    2. Authentication: after the user enters an account and password the client sends the request again; when authentication succeeds the server sends the requested resource
    3. Two authentication methods:
        basic: plaintext
        digest: message-digest authentication, poor compatibility
    4. Security realm: a path that can only be accessed after user authentication; it should be identified by a name so that users are told why they are being asked to authenticate.
    5. User accounts and passwords
        Virtual account: an authentication identity used only for accessing a particular service
        Storage: text file, SQL database, LDAP directory, NIS, etc.
    6. Basic authentication configuration example:
        (1) Define the security realm
            <Directory "/path">
                Options None
                AllowOverride None
                AuthType Basic
                # AuthName can be any string
                AuthName "Warning!"
                AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"
                Require user username1 username2 ...
            </Directory>
            Require valid-user: every user defined in the AuthUserFile file is allowed to log in.
            Require user user1 user2...: only the listed users (user1, user2, ...) defined in the AuthUserFile file may log in; these are virtual users, i.e. not system users.
        (2) Provide account and password storage (text file)
            Use the dedicated command to create this file and manage its users
            htpasswd [options] /PATH/HTTPD_PASSWD_FILE username
                -c: create the file automatically; only use it when the file does not exist yet
                -m: MD5 format encryption
                -s: SHA format encryption
                -D: delete the given user
    7. Authentication based on group accounts
        (1) Define the security realm
            <Directory "/path">
                AuthType Basic
                AuthName "String"
                AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"
                AuthGroupFile "/PATH/HTTPD_GROUP_FILE"
                Require group grpname1 grpname2 ...
            </Directory>
        (2) Create the user account file and the group account file
            Group file: each line defines one group
            GRP_NAME: username1 username2 ...
            Example:
                <Directory "/www/htdocs/admin">
                    Options None
                    AllowOverride None
                    AuthType Basic
                    AuthName "Administrator private"
                    AuthUserFile "/etc/httpd/conf.d/.htpasswd"
                    AuthGroupFile "/etc/httpd/conf.d/.htgroup"
                    Require group webadmins
                </Directory>
                vim /etc/httpd/conf.d/.htgroup
                    webadmins:wang mage
        (3) Combining remote client and user authentication controls
            Satisfy ALL|Any
                ALL: both the client IP check and user authentication must pass
                Any: passing either the client IP check or user authentication is enough
            Example:
                Require valid-user
                Order allow,deny
                Allow from 192.168.1
                Satisfy Any

14》 Virtual hosts
    1. Site identity: socket
        Same IP, different ports
        Different IPs, all on the default port
    2. Different FQDN:
        Header in the request message
        Host: www.m.com
    3. Three implementation schemes:
        IP-based: prepare at least one IP address for each virtual host
        Port-based: use at least one separate port for each virtual host
        FQDN-based: use at least one FQDN for each virtual host
    4. Notes:
        Virtual hosts should generally not be mixed with the main server, so the main server is usually disabled before virtual hosts are used.
        How to disable it: comment out the main server's DocumentRoot.
        This is because the virtual hosts come later, and in the configuration file later settings override earlier ones by default.
        Mind DNS issues when using ServerName.
    5. Configuring a virtual host:
        <VirtualHost IP:PORT>
            ServerName FQDN
            DocumentRoot "/path"
        </VirtualHost>
        Recommendation: keep this configuration in a separate configuration file
    6. Other usable directives:
        ServerAlias: alias of the virtual host, may be used several times
        ErrorLog: error log
        CustomLog: access log
        <Directory "/path">
        </Directory>
        Alias
    7. IP-based virtual host example:
        <VirtualHost 172.16.100.6:80>
            DocumentRoot "/htdocs1"
        </VirtualHost>
        <VirtualHost 172.16.100.7:80>
            DocumentRoot "htdocs2"
        </VirtualHost>
        <VirtualHost 172.16.100.8:80>
            DocumentRoot "htdocs3"
        </VirtualHost>
        Notes:
        When you check the configuration with httpd -t an error is reported saying that ServerName is missing; this can be ignored, because none was written.
        The local machine must have all of these IP addresses configured and usable for communication.
    8. Port-based virtual hosts: can be mixed with IP-based virtual hosts
        Listen 808
        Listen 8080
        <VirtualHost 172.16.100.6:80>
            ServerName www.a.com
            DocumentRoot "htdocs1"
        </VirtualHost>
        <VirtualHost 172.16.100.6:808>
            ServerName www.b.net
            DocumentRoot "htdocs2"
        </VirtualHost>
        <VirtualHost 172.16.100.6:8080>
            ServerName www.c.org
            DocumentRoot "htdocs3"
        </VirtualHost>
        Notes:
        httpd must listen on every port named here.
        Mind DNS when using ServerName.
        Either do not use the virtual machine's DNS and set up DNS yourself,
        or use the virtual machine's DNS and add the entries to /etc/hosts.
    9. FQDN-based virtual hosts:
        NameVirtualHost *:80    (httpd 2.4 does not need this directive)
        <VirtualHost *:80>
            ServerName www.a.com
            DocumentRoot "htdocs1"
        </VirtualHost>
        <VirtualHost *:80>
            ServerName www.b.net
            DocumentRoot "htdocs2"
        </VirtualHost>
        <VirtualHost *:80>
            ServerName www.c.org
            DocumentRoot "htdocs3"
        </VirtualHost>
        Note: again, mind DNS.

15》 status page
    LoadModule status_module modules/mod_status.so
    <Location /server-status>
        SetHandler server-status
        Order allow,deny
        Allow from 172.16
    </Location>
    # ExtendedStatus On shows extended information
    ExtendedStatus On
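
Added example (not from the original article): a small Python evaluator for the Order / Allow from / Deny from rules of item 9》, reproducing the yes/no table and the two <Files "*.txt"> blocks. It shows that under Order deny,allow the line "Deny from 172.16.100.100" has no effect because "Allow from 172.16" is evaluated last. The function names are hypothetical and only IPv4 address specs are handled.

```python
import ipaddress

def spec_matches(spec, client_ip):
    """True if client_ip falls under one 'Allow from' / 'Deny from' address spec."""
    spec = spec.strip()
    if spec.lower() == "all":
        return True
    if "/" in spec:
        # CIDR (172.16.0.0/16) or netmask (172.16.0.0/255.255.0.0) form
        net = ipaddress.ip_network(spec, strict=False)
        return ipaddress.ip_address(client_ip) in net
    octets = spec.rstrip(".").split(".")
    # A partial address such as "172.16" is compared on whole leading octets,
    # so it covers 172.16.x.x but not 172.160.x.x. Four octets means one host.
    return client_ip.split(".")[:len(octets)] == octets

def access_allowed(order, allow, deny, client_ip):
    """Evaluate httpd 2.2 Order/Allow/Deny for an IPv4 client address."""
    allowed = any(spec_matches(s, client_ip) for s in allow)
    denied = any(spec_matches(s, client_ip) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Default is deny; a matching Deny overrides a matching Allow.
        return allowed and not denied
    if order == "deny,allow":
        # Default is allow; a matching Allow overrides a matching Deny.
        return allowed or not denied
    raise ValueError("unsupported Order value: %r" % order)

def files_txt_examples(client_ip):
    """Decisions for the two <Files "*.txt"> blocks of item 9 (4)."""
    rules = dict(allow=["172.16"], deny=["172.16.100.100"], client_ip=client_ip)
    return {o: access_allowed(o, **rules) for o in ("deny,allow", "allow,deny")}

if __name__ == "__main__":
    # Constructed client addresses for illustration
    for ip in ("172.16.100.100", "172.16.1.1", "172.160.1.1", "10.0.0.1"):
        print(ip, files_txt_examples(ip))
```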
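
Added example (not from the original article): a parser for the combined LogFormat of item 10》, used to separate the 401 challenge of item 13》 from rejected logins. A 401 whose %u is "-" is only the initial challenge, while a 401 carrying a user name means credentials were sent and refused. The log lines are constructed, and the function names and threshold are assumptions.

```python
import re
from collections import Counter

# httpd writes a literal quote inside a logged field as \" so the quoted
# fields of the combined format must accept backslash escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'(\S+) (\S+) (\S+) \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\d+|-) '
    + QUOTED + ' ' + QUOTED + r'$')
FIELDS = ("host", "ident", "user", "time", "request",
          "status", "bytes", "referer", "agent")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line.strip())
    if not m:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b logs "-" for 0
    parts = rec["request"].split(" ")
    rec["method"], rec["url"], rec["protocol"] = parts if len(parts) == 3 else (None,) * 3
    return rec

def rejected_logins(lines, threshold=3):
    """Hosts with at least `threshold` 401 responses where a user name was sent."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401 and rec["user"] != "-":
            counts[rec["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    r'192.0.2.10 - - [06/Sep/2023:01:43:00 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.29.0"',
    r'192.0.2.10 - wang [06/Sep/2023:01:43:02 +0800] "GET /admin/ HTTP/1.1" 200 1024 "-" "curl/7.29.0"',
    r'198.51.100.7 - mage [06/Sep/2023:01:44:01 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    r'198.51.100.7 - mage [06/Sep/2023:01:44:02 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    r'198.51.100.7 - wang [06/Sep/2023:01:44:03 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [06/Sep/2023:01:44:09 +0800] "GET /a\"b HTTP/1.1" 404 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(rejected_logins(SAMPLE))
```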
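
Added example (not from the original article): an audit of the password file that htpasswd writes in item 13》 6.(2). It classifies each entry by storage scheme and reports users whose stored hash is identical, which can only happen with the unsalted {SHA} format produced by -s. The users, passwords and the $apr1$ entry are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib

def sha_entry(user, password):
    """Build the line `htpasswd -s` stores: user:{SHA}base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "%s:{SHA}%s" % (user, base64.b64encode(digest).decode("ascii"))

def scheme(hash_field):
    """Classify a stored hash by its prefix or length."""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"        # htpasswd -m: salted, iterated MD5
    if hash_field.startswith("{SHA}"):
        return "sha1-unsalted"   # htpasswd -s: one SHA-1 pass, no salt
    if hash_field.startswith("$2y$"):
        return "bcrypt"          # htpasswd -B, httpd 2.4 only
    if len(hash_field) == 13:
        return "crypt-des"       # traditional crypt(), 8 significant characters
    return "unknown"

def audit(lines):
    """Return (weak, shared): users stored with a weak or unknown scheme, and
    groups of users whose stored hash is byte-for-byte identical."""
    weak, by_hash = {}, {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        kind = scheme(hash_field)
        if kind in ("sha1-unsalted", "crypt-des", "unknown"):
            weak[user] = kind
        by_hash.setdefault(hash_field, []).append(user)
    shared = sorted(sorted(users) for users in by_hash.values() if len(users) > 1)
    return weak, shared

# Constructed password file content; the $apr1$ value is a placeholder, not a real hash.
SAMPLE = [
    sha_entry("wang", "constructed-pw-1"),
    sha_entry("mage", "constructed-pw-1"),
    "alice:$apr1$c0nstruc$ConstructedPlaceholderHash",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```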

Original article: https://www.cnblogs.com/shenxm/p/8461458.html
