
The HTTP protocol

Published: 2023-09-06 02:32 | Editor: Mr. Gu | Keywords: http
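1. The http service
  1. http: Hyper Text Transfer Protocol, 80/tcp
  2. http/1.1 is the version in common use
    1. Supports cache, MIME (for transferring multimedia files) and methods
    2. POST and HEAD commands. Header information is ASCII; the data that follows can be in any format. When the server responds it tells the client what format the data is in, which is the job of the Content-Type field. These data types are collectively called MIME (Multipurpose Internet Mail Extensions); each value consists of a top-level type and a subtype. There are predefined types, and custom types can also be defined
    3. Persistent connections: the TCP connection is not closed by default and can be reused by multiple requests, without declaring Connection: keep-alive. For the same domain, most browsers allow 6 persistent connections at the same time
    4. Pipelining: within the same TCP connection the client can send several requests at once, which further improves the efficiency of HTTP
    5. Supports the GET, PUT, PATCH, OPTIONS and DELETE methods
    • Problems
      1. Within one TCP connection all data is exchanged in order. The server can only handle responses sequentially; if an earlier response is slow, many requests queue behind it, causing "head-of-line blocking"
      There are two ways to avoid this: reduce the number of requests, or open several persistent connections at once. Hence page optimization techniques such as merging scripts and style sheets, embedding images in CSS code, and domain sharding
      2. HTTP is stateless, so every request must carry all of its information. Many request fields are repeated, which wastes bandwidth and slows things down
    • Basic flow of an http request
      1. Establish the connection
      2. Receive the request
      3. Process the request
      4. Access the resource
      5. Build the response message (headers)
      6. Send the response message
      7. Write the log
  3. Methods
    GET: fetch a resource from the server
    HEAD: fetch only the response headers of a document from the server
    POST: send data to the server, usually to be processed further by a gateway program, for example submitting a user's password or other information
    PUT: store the body of the request on the server, for example a file upload
    DELETE: ask the server to delete the specified document
    TRACE: trace the proxy servers a request passes through on its way to the server
    OPTIONS: ask the server which request methods the specified resource supports
  4. Status codes
    1xx: 100-101 informational
    2xx: 200-206 success
    3xx: 300-305 redirection
    4xx: 400-415 error, client side
    5xx: 500-505 error, server side
    200: success; the requested data is sent in the entity-body of the response message; OK
    301: the resource the requested URL points to has been removed, but the Location header of the response gives the resource's new location; Moved Permanently
    302: the Location header of the response gives the resource's temporary new location; Moved Temporarily
    304: the resource on the server has not changed; use the local cache
    401: an account and password are required to access the resource; Unauthorized
    403: the request is forbidden; Forbidden
    404: the server cannot find the resource the client requested; Not Found
    500: internal server error; Internal Server Error
    502: the proxy server received an invalid response from the backend server, for example it could not connect to the gateway; Bad Gateway (the server the request was dispatched to cannot be reached)
    503: service unavailable; the server is temporarily down for maintenance or overloaded and cannot handle the request
    504: gateway timeout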

2. User access control for a site with httpd

1. Install the httpd service
2. Prepare the home page

[root@centos7 ~]#echo 'welcome to here!' > /var/www/html/index.html

3. Start the service

[root@centos7 ~]#systemctl start httpd

4. Test the page

5. Use the htpasswd command to create the users and passwords; note that the file must be readable by the apache account

[root@centos7 conf.d]#htpasswd -c /data/user dcrfan
New password: 
Re-type new password: 
Adding password for user dcrfan
[root@centos7 conf.d]#htpasswd /data/user zhang
New password: 
Re-type new password: 
Adding password for user zhang
[root@centos7 ~]#chown apache /data/user

6. Edit the httpd configuration file

<Directory "/var/www/html">
  Options Indexes FollowSymLinks
  AllowOverride None
  # authentication type (Basic only base64-encodes the password, it does not encrypt it)
  AuthType Basic
  # prompt string
  AuthName "please input your name"
  # user/password file
  AuthUserFile "/data/user"
  # user allowed to access
  Require user dcrfan
</Directory>
[root@centos7 conf.d]#systemctl restart httpd

7. Test the page

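8. Other access control options
Require all granted: allow access from all hosts
Require all denied: deny access from all hosts
Require host HOSTNAME: authorize access from a specific host
Require not host HOSTNAME: deny access from a specific host
Require ip IPADDR: authorize access from the given source IP
Require not ip IPADDR: deny access from a specific IP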

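# None may fail and at least one must match successfully, i.e. failure takes priority
<RequireAll>
Require all granted
# deny one specific IP
Require not ip 172.16.1.1
</RequireAll>
# If any one of the statements succeeds the block succeeds, i.e. success takes priority
<RequireAny>
Require all denied
# allow one specific IP
Require ip 172.16.1.1
</RequireAny>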
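The "failure first" and "success first" rules above come from each Require line yielding one of three results (granted, denied, neutral). The following is an added example, not httpd code: a small shell model of that evaluation. The function names authz_rule and authz_block are hypothetical, and "ip" is assumed to match one exact address (no CIDR ranges or host names).

```sh
# Three-valued result of a single Require line in this model.
authz_rule() {   # authz_rule "RULE" CLIENT_IP -> granted | denied | neutral
    case $1 in
        "all granted") echo granted ;;
        "all denied")  echo denied ;;
        "ip "*)        if [ "${1#ip }" = "$2" ]; then echo granted; else echo denied; fi ;;
        # a negated rule can only fail or stay neutral, it never grants
        "not ip "*)    if [ "${1#not ip }" = "$2" ]; then echo denied; else echo neutral; fi ;;
        # rule types outside this model
        *)             echo neutral ;;
    esac
}

authz_block() {  # authz_block all|any CLIENT_IP "RULE"...
    mode=$1 client=$2; shift 2
    granted=0 denied=0
    for rule in "$@"; do
        case $(authz_rule "$rule" "$client") in
            granted) granted=1 ;;
            denied)  denied=1 ;;
        esac
    done
    if [ "$mode" = all ]; then
        # RequireAll: any failure wins; otherwise at least one success is needed
        if [ "$denied" = 1 ]; then echo denied
        elif [ "$granted" = 1 ]; then echo granted
        else echo neutral; fi
    else
        # RequireAny: any success wins
        if [ "$granted" = 1 ]; then echo granted
        elif [ "$denied" = 1 ]; then echo denied
        else echo neutral; fi
    fi
}

# The two blocks from the text, evaluated for two client addresses
for ip in 172.16.1.1 172.16.1.2; do
    echo "$ip RequireAll: $(authz_block all "$ip" "all granted" "not ip 172.16.1.1")"
    echo "$ip RequireAny: $(authz_block any "$ip" "all denied" "ip 172.16.1.1")"
done
```

A RequireAll that holds only the negated rule never reaches granted, which is why the block in the text also carries Require all granted.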


3. Virtual hosts with httpd

Create the test home pages

[root@centos7 conf.d]#mkdir /var/www/html/{a,b,c}
[root@centos7 conf.d]#echo "a">/var/www/html/a/index.html
[root@centos7 conf.d]#echo "b">/var/www/html/b/index.html
[root@centos7 conf.d]#echo "c">/var/www/html/c/index.html

1. Port-based virtual hosts
Edit the configuration file

[root@centos7 conf.d]#vim port.conf
listen 808
listen 8080
<virtualhost 192.168.0.109:80>
  servername www.a.com
  documentroot "/var/www/html/a"
</virtualhost>
<virtualhost 192.168.0.109:808>
  servername www.b.com
  documentroot "/var/www/html/b"
</virtualhost>
<virtualhost 192.168.0.109:8080>
  servername www.c.com
  documentroot "/var/www/html/c"
</virtualhost>

Restart the service and check the ports

[root@centos7 conf.d]#systemctl restart httpd
[root@centos7 ~]#ss -ntl
State      Recv-Q Send-Q  Local Address:Port    Peer Address:Port
LISTEN     0      128     *:111                 *:*
LISTEN     0      128     *:41968               *:*
LISTEN     0      5       192.168.122.1:53      *:*
LISTEN     0      128     *:22                  *:*
LISTEN     0      128     127.0.0.1:631         *:*
LISTEN     0      100     127.0.0.1:25          *:*
LISTEN     0      128     :::111                :::*
LISTEN     0      128     :::8080               :::*
LISTEN     0      128     :::80                 :::*
LISTEN     0      128     :::22                 :::*
LISTEN     0      128     ::1:631               :::*
LISTEN     0      100     ::1:25                :::*
LISTEN     0      128     :::53952              :::*
LISTEN     0      128     :::808                :::*

Test the pages

[root@centos7 ~]#curl 192.168.0.109
a
[root@centos7 ~]#curl 192.168.0.109:808
b
[root@centos7 ~]#curl 192.168.0.109:8080
c

2. IP-based virtual hosts
Edit the configuration file

<virtualhost 192.168.0.109:80>
  servername www.a.com
  documentroot "/var/www/html/a"
</virtualhost>
<virtualhost 192.168.0.110:80>
  servername www.b.com
  documentroot "/var/www/html/b"
</virtualhost>
<virtualhost 192.168.0.111:80>
  servername www.c.com
  documentroot "/var/www/html/c"
</virtualhost>

Restart the httpd service

[root@centos7 conf.d]#systemctl restart httpd

Temporarily add the IP addresses to this machine

[root@centos7 ~]#ip address add 192.168.0.110/24 dev eth0
[root@centos7 ~]#ip address add 192.168.0.111/24 dev eth0

Check the IP addresses

[root@centos7 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:53:4d:b3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.109/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.168.0.110/24 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet 192.168.0.111/24 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::47f0:15a7:5a66:13c7/64 scope link
       valid_lft forever preferred_lft forever

Test

[root@centos7 ~]#curl 192.168.0.109
a
[root@centos7 ~]#curl 192.168.0.110
b
[root@centos7 ~]#curl 192.168.0.111
c

3. FQDN-based virtual hosts
Edit the configuration file and restart the service

<virtualhost *:80>
  servername www.a.com
  documentroot "/var/www/html/a"
</virtualhost>
<virtualhost *:80>
  servername www.b.com
  documentroot "/var/www/html/b"
</virtualhost>
<virtualhost *:80>
  servername www.c.com
  documentroot "/var/www/html/c"
</virtualhost>

Edit the hosts file on the test client so that it can resolve the three names

[root@centos7 ~]#cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.109 www.a.com www.b.com www.c.com

Test

[root@centos7 ~]#curl www.a.com
a
[root@centos7 ~]#curl www.b.com
b
[root@centos7 ~]#curl www.c.com
c

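Note: virtual hosts should generally not be mixed with the main host, so before using virtual hosts you normally disable the main host first.
How to disable it: just comment out the main server's DocumentRoot directive.
Each virtual host can also be given its own log files: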
ErrorLog "logs/host.example.com-error_log"
TransferLog "logs/host.example.com-access_log"


4. HTTPS encryption for a site with httpd

To enable https you need to set up a CA server for the encrypted communication and install the mod_ssl module; the service listens on port 443
1. Set up the CA on 192.168.0.112

[root@localhost ~]# (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
.......+++
e is 65537 (0x10001)
[root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7200 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:dcrfan
Organizational Unit Name (eg, section) []:dcrfan.cn
Common Name (eg, your name or your server's hostname) []:dcrfan
Email Address []:
[root@localhost ~]# echo 01 > /etc/pki/CA/serial
[root@localhost ~]# touch /etc/pki/CA/index.txt

2. Generate the key on 192.168.0.109

[root@centos7 ~]# (umask 066; openssl genrsa -out /etc/httpd/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................................................................................+++
.............................+++
e is 65537 (0x10001)
[root@centos7 ~]# openssl req -new -key /etc/httpd/httpd.key -out /etc/httpd/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:dcrfan
Organizational Unit Name (eg, section) []:dcrfan.cn
Common Name (eg, your name or your server's hostname) []:www.a.com #must match the site's domain name
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos7 ~]#scp /etc/httpd/httpd.csr 192.168.0.112:/data/

3. Sign the certificate on 192.168.0.112

[root@localhost ~]# openssl ca -in /data/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 160
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb  7 02:40:31 2019 GMT
            Not After : Jul 17 02:40:31 2019 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = gd
            organizationName          = dcrfan
            organizationalUnitName    = dcrfan.cn
            commonName                = www.a.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                48:30:32:22:C2:7F:68:A5:45:C6:99:3B:46:B5:6B:08:7F:94:86:DB
            X509v3 Authority Key Identifier:
                keyid:29:BE:1C:83:B6:3E:49:D0:12:3F:80:A5:64:CB:17:02:8C:43:3B:1A
Certificate is to be certified until Jul 17 02:40:31 2019 GMT (160 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ~]# scp /etc/pki/CA/certs/httpd.crt /etc/pki/CA/cacert.pem 192.168.0.109:/etc/httpd/

4. Install the module

[root@centos7 ~]#yum install mod_ssl

5. Edit the httpd configuration file

[root@centos7 ~]#ls /etc/httpd
cacert.pem  conf  conf.d  conf.modules.d  httpd.crt  httpd.csr  httpd.key  logs  modules  run
[root@centos7 ~]#vim /etc/httpd/conf.d/ssl.conf
DocumentRoot "/var/www/html/"
ServerName www.a.com
# the server certificate signed by the CA
SSLCertificateFile /etc/httpd/httpd.crt
# the server's own private key
SSLCertificateKeyFile /etc/httpd/httpd.key
# the CA certificate
SSLCACertificateFile /etc/httpd/cacert.pem
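Before restarting httpd it is worth confirming which file is which: the certificate must carry the same public key as httpd.key and must verify against cacert.pem. The following is an added example, not part of the original article. The function names check_tls_files and make_demo_pki are hypothetical, and the throwaway files are constructed and signed with openssl x509 -req rather than the openssl ca workflow shown above, so the block runs without touching /etc/pki.

```sh
# check_tls_files CERT KEY CA: prints ok, key-mismatch or not-signed-by-ca
check_tls_files() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    # SSLCertificateFile and SSLCertificateKeyFile must hold the same public key
    if [ "$cert_pub" != "$key_pub" ]; then echo key-mismatch; return 1; fi
    # the certificate must chain to the CA that clients import
    if ! openssl verify -CAfile "$3" "$1" >/dev/null 2>&1; then
        echo not-signed-by-ca; return 1
    fi
    echo ok
}

# make_demo_pki DIR: constructed CA, server key, CSR and signed certificate
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.a.com" \
        -keyout "$1/httpd.key" -out "$1/httpd.csr" 2>/dev/null
    openssl x509 -req -in "$1/httpd.csr" -days 1 -CAcreateserial \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -out "$1/httpd.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo"
# server certificate, server key, CA certificate
echo "httpd.crt with httpd.key:  $(check_tls_files "$demo/httpd.crt" "$demo/httpd.key" "$demo/cacert.pem")"
# CA certificate put where the server certificate belongs
echo "cacert.pem with httpd.key: $(check_tls_files "$demo/cacert.pem" "$demo/httpd.key" "$demo/cacert.pem")"
```

On the real server the call is check_tls_files /etc/httpd/httpd.crt /etc/httpd/httpd.key /etc/httpd/cacert.pem.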

6. Enable HSTS so that the site automatically uses https

vim /etc/httpd/conf/httpd.conf
Header always set Strict-Transport-Security "max-age=31536000"
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302]
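A Strict-Transport-Security header only takes effect when it carries a well-formed max-age directive; a misspelled directive such as maxage leaves the header without one and browsers ignore it. The following is an added example, not part of the original article: a shell check that reads response headers and reports whether the HSTS policy is usable. The function name hsts_check and the sample responses are constructed for illustration.

```sh
# hsts_check: reads raw response headers on stdin and prints a verdict:
#   missing | invalid | disabled | ok max-age=N
hsts_check() {
    # header names are case-insensitive; keep only the first matching value
    value=$(tr -d '\r' | grep -i '^strict-transport-security:' |
        head -n 1 | cut -d: -f2-)
    if [ -z "$value" ]; then echo missing; return 0; fi
    # directives are separated by ';' and their names are case-insensitive
    max_age=$(printf '%s\n' "$value" | tr ';' '\n' | tr 'A-Z' 'a-z' |
        sed -n 's/^[[:space:]]*max-age="\{0,1\}\([0-9]\{1,\}\)"\{0,1\}[[:space:]]*$/\1/p' |
        head -n 1)
    # without a numeric max-age the whole header is ignored by the browser
    if [ -z "$max_age" ]; then echo invalid; return 0; fi
    # max-age=0 tells the browser to forget the policy
    if [ "$max_age" -eq 0 ]; then echo disabled; return 0; fi
    echo "ok max-age=$max_age"
}

# Constructed sample responses: misspelled directive, then the valid form
printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: maxage=31536000\r\n\r\n' | hsts_check
printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n' | hsts_check
```

Against the server above, feed it the headers of an https response, for example curl -sI --cacert /etc/httpd/cacert.pem https://www.a.com | hsts_check; browsers disregard the header when it arrives over plain http.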

7. Edit /etc/hosts on the test server
192.168.0.109 www.a.com
8. Test (add the CA certificate in the browser)

Original article: http://blog.51cto.com/6289984/2348866
