CentOS 7 httpd configuration
Hiding server information
Edit httpd.conf and add the following two lines
ServerSignature Off
ServerTokens Prod
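Enabling persistent connections (keep-alive)
KeepAlive on
# timeout
KeepAliveTimeout 60
# the connection is also closed once 100 requests have been made within the timeout
MaxKeepAliveRequests 100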
Enabling file compression
Create a new configuration file compress.conf under the conf.d directory
SetOutputFilter DEFLATE
# mod_deflate configuration
# Restrict compression to these MIME types
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
# Level of compression (Highest 9 - Lowest 1)
DeflateCompressionLevel 9
# Netscape 4.x has some problems.
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
Built-in httpd status page
Edit httpd-info.conf under the conf.d directory
<Location /server-status>
SetHandler server-status
require all denied
Require ip 172.16.138.1
</Location>
extendedstatus on
Configuring HTTPS
Install the mod_ssl module
yum install mod_ssl -y
Edit ssl.conf under the conf.d directory
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/httpd/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost _default_:443>
DocumentRoot "/usr/local/httpd/htdocs"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog "/usr/local/httpd/logs/error_log"
TransferLog "/usr/local/httpd/logs/access_log"
SSLEngine on
SSLCertificateFile "/usr/local/httpd/conf/server.crt"
SSLCertificateKeyFile "/usr/local/httpd/conf/server.key"
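#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt #change this setting when using a purchased certificate
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt #change this setting when using a self-issued certificate
#Adjust the certificate file paths in the four lines above.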
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/httpd/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
Forcing HTTP to redirect to HTTPS
Add the following lines to the main configuration file
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
Forcing a 301 redirect to HTTPS
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R=301,L]
</IfModule>
Reference: https://blog.csdn.net/ithomer/article/details/78986266
Configuring Basic access authentication
<Directory "/var/www/html">
# allow directory indexes and symbolic links
Options Indexes FollowSymLinks
AllowOverride None
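# authentication type
authtype basic
# prompt text shown in the browser's login dialog
authname "test"
# file holding the authentication users
authuserfile /etc/httpd/.htpass
#authgroupfile /etc/httpd/allow.group #authentication group file
#require group test
# every user in the user file may access
require valid-user
#require user user1 user2 #user1 and user2 may access
</Directory>
Add an authentication user (-c creates the user file)
htpasswd -m -c /etc/httpd/.htpass tom
Group file
mygroup: bob joe anne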
Configuring Digest access authentication
<Directory "/var/www/html">
# allow directory indexes and symbolic links
Options Indexes FollowSymLinks
AllowOverride None
authtype digest
authname "digest test"
authdigestprovider file
authuserfile /etc/httpd/.htpass
require valid-user
</Directory>
Create the user file
htdigest -c /etc/httpd/.htpass "digest test" tom #the quoted text here must be identical to the value set by authname
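Why the realm given to htdigest has to equal authname, as an added example that is not part of the original page: each htdigest entry is user:realm:MD5(user:realm:password), so the realm is hashed into the stored value, and a file written by htpasswd has a different layout even though both sections above point at /etc/httpd/.htpass. The function names, passwords and sample file are constructed for illustration.

```python
import hashlib
import hmac

def ha1(user, realm, password):
    """Value htdigest stores: hex MD5 of "user:realm:password"."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def check_digest_file(text, auth_name):
    """Return [(line_no, problem)] for a user file meant for AuthType Digest."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split(":")
        if parts == [""]:
            continue
        if len(parts) == 2:
            problems.append((no, "htpasswd entry (user:hash), not usable for Digest"))
        elif len(parts) != 3 or len(parts[2]) != 32:
            problems.append((no, "not a user:realm:md5 entry"))
        elif parts[1] != auth_name:
            problems.append((no, f"realm {parts[1]!r} differs from authname {auth_name!r}"))
    return problems

def verify(text, auth_name, user, password):
    """True if the password matches the entry for this user in this realm."""
    expected = ha1(user, auth_name, password)
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[:2] == [user, auth_name]:
            return hmac.compare_digest(parts[2], expected)
    return False

# Constructed sample file: the passwords and the $apr1$ value are placeholders.
SAMPLE = "\n".join([
    "tom:digest test:" + ha1("tom", "digest test", "constructed-pw-1"),
    "anne:Digest Test:" + ha1("anne", "Digest Test", "constructed-pw-2"),
    "bob:$apr1$PLACEHOLDER$notARealHash",
])

if __name__ == "__main__":
    for no, problem in check_digest_file(SAMPLE, "digest test"):
        print(f"line {no}: {problem}")
    print("tom ok:", verify(SAMPLE, "digest test", "tom", "constructed-pw-1"))
    print("anne ok:", verify(SAMPLE, "digest test", "anne", "constructed-pw-2"))
```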
Virtual host configuration
Name-based virtual hosts: edit the configuration file vhost-servername.conf under the conf.d directory
<VirtualHost *:80>
DocumentRoot "/data/vhost1/"
<Directory "/data/vhost1">
<requireall>
require all granted
</requireall>
</Directory>
ServerName a.test.com
ServerAlias www.dummy-host.example.com
ErrorLog "logs/vhost.-error_log"
CustomLog "logs/vhost-access_log" common
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/data/vhost2"
<Directory "/data/vhost2">
<requireall>
require all granted
</requireall>
</Directory>
ServerName b.test.com
ErrorLog "logs/vhost2-error_log"
CustomLog "logs/vhost2-access_log" common
</VirtualHost>
Port-based virtual hosts: edit the configuration file vhost-port.conf under the conf.d directory
listen 80
listen 8080
<VirtualHost *:8080>
DocumentRoot "/data/vhost1/"
<Directory "/data/vhost1">
<requireall>
require all granted
</requireall>
</Directory>
ServerName a.test.com
ServerAlias www.dummy-host.example.com
ErrorLog "logs/vhost.-error_log"
CustomLog "logs/vhost-access_log" common
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/data/vhost2"
<Directory "/data/vhost2">
<requireall>
require all granted
</requireall>
</Directory>
ServerName b.test.com
ErrorLog "logs/vhost2-error_log"
CustomLog "logs/vhost2-access_log" common
</VirtualHost>
IP-based virtual hosts: edit the configuration file vhost-ip.conf under the conf.d directory
listen 80
<VirtualHost 192.168.0.100:80>
DocumentRoot "/data/vhost1/"
<Directory "/data/vhost1">
<requireall>
require all granted
</requireall>
</Directory>
ServerName a.test.com
ServerAlias www.dummy-host.example.com
ErrorLog "logs/vhost.-error_log"
CustomLog "logs/vhost-access_log" common
</VirtualHost>
<VirtualHost 192.168.0.200:80>
DocumentRoot "/data/vhost2"
<Directory "/data/vhost2">
<requireall>
require all granted
</requireall>
</Directory>
ServerName b.test.com
ErrorLog "logs/vhost2-error_log"
CustomLog "logs/vhost2-access_log" common
</VirtualHost>
Reverse proxy
Add the following lines to the main configuration file or to a virtual host
ProxyRequests off
#<Proxy />
# Order deny,allow
# Allow from all
#</Proxy>
ProxyPass / http://172.16.138.129/
ProxyPassReverse / http://172.16.138.129/
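Making the backend server behind the reverse proxy log the real client IP address
Add the following to the proxy server configuration
RemoteIPHeader X-Forwarded-For
# the address here is the backend server's address
RemoteIPTrustedProxy 172.16.138.129
Changing the log format on the backend server
The default format is: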
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Change it to:
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Reference: https://blog.csdn.net/qq_22227087/article/details/91519602
Log field descriptions
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
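%h: client IP address;
%l: Remote User, usually a hyphen ("-");
%u: Remote user (from auth; may be bogus if return status (%s) is 401); a hyphen when the request is not an authenticated access;
%t: time at which the server received the request;
%r: First line of request, i.e. the first line of the request message; it records the "method", the "URL" and the protocol version of the request;
%>s: response status code;
%b: size of the response in bytes, not including the HTTP response headers;
%{Referer}i: value of the "Referer" request header, i.e. the page whose hyperlink led to the current page;
%{User-Agent}i: value of the "User-Agent" request header, i.e. the application that sent the request;
Online documentation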
http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats
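Reading the modified log format above when analysing backend logs, as an added example that is not part of the original page: the first field is the raw X-Forwarded-For header, which a client can set to anything, so it is used only when %h is a known proxy and is then read from right to left. The proxy address 172.16.138.128, the function names and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Field order of the modified LogFormat above: X-Forwarded-For first, then %h.
LINE_RE = re.compile(
    r'^(?P<xff>.*) (?P<peer>\S+) (?P<logname>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Assumption: the reverse proxy's address as seen by the backend.
TRUSTED = {ipaddress.ip_address("172.16.138.128")}

def client_ip(xff, peer):
    """Return (ip, note). The header counts only if the peer is a trusted proxy."""
    peer_ip = ipaddress.ip_address(peer)  # %h is an address (HostnameLookups Off)
    if xff in ("", "-"):
        return str(peer_ip), "no header"
    if peer_ip not in TRUSTED:
        return str(peer_ip), "header ignored: peer is not a trusted proxy"
    # Right to left: only the last entry was appended by the trusted proxy.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer_ip), "header ignored: malformed entry"
        if hop_ip not in TRUSTED:
            return str(hop_ip), "from header"
    return str(peer_ip), "header listed only trusted proxies"

def parse(line):
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["client"], rec["note"] = client_ip(rec["xff"], rec["peer"])
    return rec

# Constructed sample lines, not taken from a real server.
SAMPLES = [
    '203.0.113.7 172.16.138.128 - - [10/Oct/2023:13:55:36 +0800] "GET / HTTP/1.1" 200 512 "-" "curl/7.29.0"',
    '10.0.0.1, 198.51.100.9 172.16.138.128 - - [10/Oct/2023:13:55:40 +0800] "GET /a HTTP/1.1" 200 90 "-" "curl/7.29.0"',
    '127.0.0.1 192.0.2.44 - - [10/Oct/2023:13:56:01 +0800] "GET / HTTP/1.1" 200 512 "-" "curl/7.29.0"',
]

if __name__ == "__main__":
    for rec in map(parse, SAMPLES):
        print(rec["client"], "|", rec["note"], "|", rec["request"])
```

In the second sample the leftmost entry was supplied by the client and is skipped; in the third the request did not come through the proxy, so the header is ignored entirely.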