httpd簡介
httpd是Apache超文本傳輸協議(HTTP)服務器的主程序。被設計為一個獨立運行的后台進程,它會建立一個處理請求的子進程或線程的池。
通常,httpd不應該被直接調用,而應該在類Unix系統中由apachectl調用,在Windows中作為服務運行。
httpd版本
主要介紹httpd的兩大版本,httpd-2.2和httpd-2.4。
- CentOS6系列的版本默認提供的是httpd-2.2版本的rpm包
- CentOS7系列的版本默認提供的是httpd-2.4版本的rpm包
httpd特性
httpd有很多特性,下面分別介紹httpd2.2和httpd2.4各自的特性
httpd2.2
- 事先創建進程
- 按需維持適當的進程
- 模塊化設計,核心比較小,各種功能通過模塊添加(包括PHP),支持運行時配置,支持單獨編譯模塊
- 支持多種方式的虛擬主機配置,如基於ip的虛擬主機,基於端口的虛擬主機,基於域名的虛擬主機等
- 支持https協議(通過mod_ssl模塊實現)
- 支持用戶認證
- 支持基於IP或域名的ACL訪問控制機制
- 支持每目錄的訪問控制(用戶訪問默認主頁時不需要提供用戶名和密碼,但是用戶訪問某特定目錄時需要提供用戶名和密碼)
- 支持URL重寫
- 支持MPM(Multi Path Modules,多處理模塊)。用於定義httpd的工作模型(單進程、單進程多線程、多進程、多進程單線程、多進程多線程)
httpd2.4
- MPM支持運行DSO機制(Dynamic Share Object,模塊的動態裝/卸載機制),以模塊形式按需加載
- 支持event MPM,eventMPM模塊生產環境可用
- 支持異步讀寫
- 支持每個模塊及每個目錄分別使用各自的日志級別
- 每個請求相關的專業配置,使用
來配置 - 增強版的表達式分析器
- 支持毫秒級的keepalive timeout
- 基於FQDN的虛擬主機不再需要NameVirtualHost指令
- 支持用戶自定義變量
- 支持新的指令(AllowOverrideList)
- 降低對內存的消耗
工作模型:
- prefork:多進程模型,預先生成進程,一個請求用一個進程響應
一個主進程負責生成n個子進程,子進程也稱為工作進程
每個子進程處理一個用戶請求,即使沒有用戶請求,也會預先生成多個空閑進程,隨時等待請求到達,最大不會超過1024個 - woker:基於線程工作,一個請求用一個線程響應(啟動多個進程,每個進程生成多個線程)
- event:基於事件的驅動,一個進程處理多個請求
httpd2.4新增模塊
- mod_proxy_fcgi:反向代理時支持apache服務器后端協議的模塊
- mod_ratelimit:提供速率限制功能的模塊
- mod_remoteip:基於ip的訪問控制機制被改變,不再支持使用Order,Deny,Allow來做基於IP的訪問控制
httpd基礎
httpd自帶工具
| 工具 | 功能 |
|---|---|
| htpasswd | basic認證基於文件實現時,用到的帳號密碼生成工具 |
| apachectl | httpd自帶的服務控制腳本,支持start,stop,restart |
| apxs | 由httpd-devel包提供的,擴展httpd使用第三方模塊的工具 |
| rotatelogs | 日志滾動工具 |
| suexec | 訪問某些有特殊權限配置的資源時,臨時切換至指定用戶運行的工具 |
| ab | apache benchmark,httpd的壓力測試工具 |
rpm包安裝的httpd程序環境
| 文件/目錄 | 對應的功能 |
|---|---|
| /var/log/httpd/access.log | 訪問日志 |
| /var/log/httpd/error_log | 錯誤日志 |
| /var/www/html/ | 站點文檔目錄 |
| /usr/lib64/httpd/modules/ | 模塊文件路徑 |
| /etc/httpd/conf/httpd.conf | 主配置文件 |
| /etc/httpd/conf.modules.d/*.conf | 模塊配置文件 |
| /etc/httpd/conf.d/*.conf | 輔助配置文件 |
mpm:以DSO機制提供,配置文件為/etc/httpd/conf.modules.d/00-mpm.conf
編譯安裝httpd-2.4
除了編譯安裝外也可以使用yum安裝,這里只是為了演示一下如何編譯安裝httpd
httpd有三個依賴:apr-1.4+,apr-util-1.4+,[apr-icon]
安裝順序:apr -> apr-util -> httpd
#安裝開發環境
[root@lynkser ~]# yum groupinstall "Development Tools"
#添加一個服務用的用戶
[root@lynkser ~]# groupadd -r apache
[root@lynkser ~]# useradd -r -g apache -M -s /bin/nologin apache
#安裝前置工具
[root@lynkser ~]# yum -y install openssl-devel pcre-devel expat-devel libtool
#下載所需的源碼包,各位可以各自從常用的站點下載,我這里已經下好了
[root@lynkser ~]# cd /usr/src
[root@lynkser src]# ls
apr-1.6.3.tar.bz2 apr-util-1.6.1.tar.bz2 debug httpd-2.4.34.tar.bz2 kernels
#解壓源碼包
[root@lynkser src]# tar -xf apr-1.6.3.tar.bz2
[root@lynkser src]# tar -xf apr-util-1.6.1.tar.bz2
[root@lynkser src]# tar -xf httpd-2.4.34.tar.bz2
#修改一下apr的配置文件,避免出問題。
[root@lynkser src]# cd apr-1.6.3/
[root@lynkser apr-1.6.3]# vim configure
cfgfile=${ofile}T
trap "$RM \"$cfgfile\"; exit 1" 1 2 15
# $RM "$cfgfile" #注釋掉這一行
#編譯安裝apr
[root@lynkser apr-1.6.3]# ./configure --prefix=/usr/local/apr
[root@lynkser apr-1.6.3]# make && make install
#編譯安裝apr-util
[root@lynkser apr-1.6.3]# cd /usr/src/apr-util-1.6.1
[root@lynkser apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
[root@lynkser apr-util-1.6.1]# make && make install
#編譯安裝httpd
[root@lynkser src]# cd /usr/src/httpd-2.4.34/
[root@lynkser httpd-2.4.34]# ./configure --prefix=/usr/local/apache \
--sysconfdir=/etc/httpd24 \
--enable-so \
--enable-ssl \
--enable-cgi \
--enable-rewrite \
--with-zlib \
--with-pcre \
--with-apr=/usr/local/apr \
--with-apr-util=/usr/local/apr-util/ \
--enable-modules=most \
--enable-mpms-shared=all \
--with-mpm=prefork
#上面整個都要輸入進去,后面的列表里是我們的依賴和各種要啟動和安裝的模塊
[root@lynkser httpd-2.4.34]# make && make install
httpd常用配置
切換使用MPM
#yum安裝的情況下
[root@lynkser ~]# cd /etc/httpd/conf.modules.d
[root@lynkser conf.modules.d]# ls
00-base.conf 00-lua.conf 00-proxy.conf 01-cgi.conf
00-dav.conf 00-mpm.conf 00-systemd.conf
[root@lynkser conf.modules.d]# vim 00-mpm.conf
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:
# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#編譯安裝的情況下
[root@lynkser ~]# vim /etc/httpd24/httpd.conf
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
#LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
訪問控制法則
| 法則 | 功能 |
|---|---|
| Require all granted | 允許所有主機訪問 |
| Require all deny | 拒絕所有主機訪問 |
| Require ip IPADDR | 授權指定來源地址的主機訪問 |
| Require not ip IPADDR | 拒絕指定來源地址的主機訪問 |
| Require host HOSTNAME | 授權指定來源主機名的主機訪問 |
| Require not host HOSTNAME | 拒絕指定來源主機名的主機訪問 |
IPADDR的類型:
- IP:192.168.1.1
- Network/mask:192.168.1.0/255.255.255.0
- Network/Length:192.168.1.0/24
- Net:192.168
HOSTNAME的類型
- FQDN:特定主機的全名
- DOMAIN:指定域名內的所有主機
http-2.4版本默認拒絕所有主機訪問,安裝后必須做顯示授權訪問
示例:
<Directory /var/www/html/www>
<RequireAll>
Require not ip 192.168.26.128
Require all granted
</RequireAll>
</Directory>
虛擬主機
虛擬主機有三類:
- 相同IP的不同端口
- 不同IP的相同端口
- 相同IP相同端口的不同域名
#設置主機名
#編譯安裝的情況下
[root@lynkser ~]# vim /etc/httpd24/httpd.conf
#要編輯的內容和其他操作和yum安裝是相同的
#yum安裝的情況下
[root@lynkser ~]# vim /etc/httpd/conf/httpd.conf
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin root@localhost
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
ServerName www.example.com:80
#在文件最后加上如下內容:
#virtual host 1 #虛擬主機1的配置
<VirtualHost 192.168.26.129:80> #寫自己的IP
ServerName www.lynk.com #寫自己的IP
DocumentRoot "/var/www/html/www"
ErrorLog "/var/log/httpd/www/error_log"
CustomLog "/var/log/httpd/www/access_log" combined
<Directory /var/www/html/www>
<RequireAll>
Require all granted
Require not ip 192.168.1
</RequireAll>
</Directory>
</VirtualHost>
# virtual host 2 #虛擬主機2的配置
<VirtualHost 192.168.26.129:80> #寫自己的IP
ServerName blog.lynk.com #寫自己的域名
DocumentRoot "/var/www/html/blog"
ErrorLog "/var/log/httpd/blog/error_log"
CustomLog "/var/log/httpd/blog/access_log" combined
<Directory /var/www/html/blog>
<RequireAll>
Require all granted
</RequireAll>
</Directory>
</VirtualHost>
#創建網頁目錄並修改屬主和屬組
[root@lynkser var]# mkdir -p /var/www/html
[root@lynkser var]# cd /var/www/html
[root@lynkser html]# mkdir www blog
[root@lynkser html]# ll
total 0
drwxr-xr-x. 2 root root 6 Jan 16 01:34 blog
drwxr-xr-x. 2 root root 6 Jan 16 01:34 www
[root@lynkser html]# chown -R apache.apache blog
[root@lynkser html]# chown -R apache.apache www
[root@lynkser html]# ll
total 0
drwxr-xr-x. 2 apache apache 6 Jan 16 01:34 blog
drwxr-xr-x. 2 apache apache 6 Jan 16 01:34 www
#創建網頁
[root@lynkser html]# echo "hello world www" > www/index.html
[root@lynkser html]# echo "hello world blog" > blog/index.html
#創建對應網頁的日志目錄
[root@lynkser html]# mkdir -p /var/log/httpd/{www,blog}
[root@lynkser html]# chown -R apache.apache /var/log/httpd/
[root@lynkser html]# ll /var/log/httpd/
total 0
drwxr-xr-x. 2 apache apache 6 Jan 16 01:39 blog
drwxr-xr-x. 2 apache apache 6 Jan 16 01:39 www
#添加防火牆規則
[root@lynkser ~]# firewall-cmd --add-service=http --permanent
[root@lynkser ~]# firewall-cmd --reload
#查看有沒有開啟防火牆的http服務允許規則
[root@lynkser ~]# firewall-cmd --list-services
#啟動服務
#使用yum安裝的情況下
[root@lynkser ~]# systemctl start httpd
#使用編譯安裝的情況下
[root@lynkser ~]# /usr/local/apache/bin/apachectl start
#查看有沒有80端口
[root@lynkser ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:111 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
在客戶機上打開瀏覽器驗證
如果沒有DNS,需要修改hosts,請自行修改,不做演示
實例
需求:
- 安裝配置httpd,令其可以訪問已有網頁index.html
- 要求來自於192.168.26.0/24的客戶端可以訪問網頁,而其他IP的用戶不可以
[root@lynkser ~]# yum install -y httpd
[root@lynkser ~]# systemctl mask iptables.service ebtables.service
Created symlink from /etc/systemd/system/iptables.service to /dev/null.
Created symlink from /etc/systemd/system/ebtables.service to /dev/null.
[root@lynkser ~]# systemctl stop iptables ebtables
[root@lynkser ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.26.0/24 service name=http accept' --permanent
success
[root@lynkser ~]# firewall-cmd --reload
success
[root@lynkser ~]# systemctl start httpd
[root@lynkser ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
- 為站點配置SSL加密,簽名證書為server30.crt,密鑰為server30.key,證書授權信息為group30.crt
[root@lynkser ~]# yum install -y mod_ssl
[root@lynkser tls]# ls /etc/pki/tls/certs/ |grep server30.crt
server30.crt
[root@lynkser tls]# ls /etc/pki/tls/private/ |grep server30.key
server30.key
[root@lynkser certs]# ls /etc/pki/tls/certs/ |grep group30.crt
group30.crt
[root@lynkser tls]# vim /etc/httpd/conf.d/ssl.conf
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
ServerName server30.example.com:443
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/server30.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/server30.key
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/pki/tls/certs/group30.crt
[root@lynkser tls]# systemctl restart httpd
- 為站點http://www.example.com創建一個虛擬主機
- 配置DocumentRoot為/var/www/virtual
- 將網頁index置於Document下
- 確保zelda用戶能夠在/var/www/virtual下創建文件
[root@lynkser ~]# mkdir /var/www/virtual
[root@lynkser ~]# mv index.html /var/www/virtual/
[root@lynkser ~]# useradd zelda
[root@lynkser ~]# setfacl -m u:zelda:rwx /var/www/virtual/
[root@lynkser ~]# cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf /etc/httpd/conf.d/
[root@lynkser ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName server30.example.com
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/var/www/virtual"
ServerName www.example.com
</VirtualHost>
[root@lynkser tls]# systemctl restart httpd
- 在server上的web服務器的DocumentRoot目錄下創建一個名為private的目錄,將已有的index.html文件放入這個1文件夾
- 在server上,任何人都可以瀏覽private的內容,但是從其他系統不能訪問這個目錄的內容
[root@lynkser ~]# mkdir /var/www/html/private
[root@lynkser ~]# mv index.html /var/www/html/private
<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName server30.example.com
<Directory "/var/www/html/private">
Require ip 192.168.26.129
</Directory>
</VirtualHost>
[root@lynkser tls]# systemctl restart httpd
- 在server上實現動態web內容,動態內容有名為alt.example.com的虛擬主機提供
- 虛擬主機偵聽端口為8909
- 動態內容使用腳本webapp.wsgi
13.客戶端訪問http://alt.example.com.8909時,應該收到動態生成的web頁面
14.此http://alt.example.com.8909必須能被192.168.26.0/24內的所有系統訪問
[root@lynkser ~]# mkdir /var/www/wsgi
[root@lynkser ~]# mv webapp.wsgi /var/www/wsgi
[root@lynkser ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
Listen 8909
<VirtualHost *:8909>
WSGIScriptAlias / "/var/www/wsgi/webapp.wsgi"
ServerName alt.example.com
</VirtualHost>
[root@lynkser ~]# yum install -y mod_wsgi
[root@lynkser ~]# yum -y install policycoreutils-python
[root@lynkser ~]# semanage port -a -t http_port_t -p tcp 8909
[root@lynkser ~]# semanage port -l|grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 8909, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@lynkser ~]# systemctl restart htpd
[root@lynkser ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.26.0/24 port protocol=tcp port=8909 accept' --permanent
success
[root@lynkser ~]# firewall-cmd --reload
success