部署httpd,三种不同的虚拟机,https
部署配置httpd
目录
httpd
httpd是Apache超文本传输协议(HTTP)服务器的主程序。被设计为一个独立运行的后台进程,它会建立一个处理请求的子进程或线程的池。
httpd的两大版本,httpd-2.2和httpd-2.4。
- CentOS6系列的版本默认提供的是httpd-2.2版本的rpm包
- CentOS7系列的版本默认提供的是httpd-2.4版本的rpm包
httpd有很多特性,下面就分别来说说httpd-2.2版本和httpd-2.4版本各自的特性。
| 版本 | 特性 |
|---|---|
| 2.2 | 事事先创建进程 按需维持适当的进程 模块化设计,核心比较小,各种功能通过模块添加(包括PHP),支持运行时配置,支持单独编译模块 支持多种方式的虚拟主机配置,如基于ip的虚拟主机,基于端口的虚拟主机,基于域名的虚拟主机等 支持https协议(通过mod_ssl模块实现) 支持用户认证 支持基于IP或域名的ACL访问控制机制 支持每目录的访问控制(用户访问默认主页时不需要提供用户名和密码,但是用户访问某特定目录时需要提供用户名和密码) 支持URL重写 支持MPM(Multi Path Modules,多处理模块)。用于定义httpd的工作模型(单进程、单进程多线程、多进程、多进程单线程、多进程多线程) |
| 2.4 | httpd-2.4的新特性: MPM支持运行DSO机制(Dynamic Share Object,模块的动态装/卸载机制),以模块形式按需加载 支持event MPM,eventMPM模块生产环境可用 支持异步读写 支持每个模块及每个目录分别使用各自的日志级别 每个请求相关的专业配置,使用 增强版的表达式分析器 支持毫秒级的keepalive timeout 基于FQDN的虚拟主机不再需要NameVirtualHost指令 支持用户自定义变量 支持新的指令(AllowOverrideList) 降低对内存的消耗 |
httpd-2.4新增的模块
httpd-2.4在之前的版本基础上新增了几大模块,下面就几个常用的来介绍一下。
| 模块 | 功能 |
|---|---|
| mod_proxy_fcgi | 反向代理时支持apache服务器后端协议的模块 |
| mod_ratelimit | 提供速率限制功能的模块 |
| mod_remoteip | 基于ip的访问控制机制被改变,不再支持使用Order,Deny,Allow来做基于IP的访问控制 |
编译安装httpd
安装开发环境
[root@localhost ~]# dnf -y install gcc gcc-c++ make
[root@localhost ~]# dnf -y groupinstall "Development Tools"
[root@localhost ~]# dnf -y install openssl-devel pcre-devel expat-devel libtool libxml2-devel
下载并编译安装apr-1.7.0+和apr-util-1.6.1+
//下载
[root@localhost ~]# wget http://mirrors.aliyun.com/apache/apr/apr-1.7.0.tar.gz
[root@localhost ~]# wget https://mirrors.aliyun.com/apache/apr/apr-util-1.6.1.tar.gz
[root@localhost ~]# ls
anaconda-ks.cfg apr-1.7.0.tar.gz apr-util-1.6.1.tar.gz
//解压
[root@localhost ~]# tar -xf apr-1.7.0.tar.gz -C /usr/local/src/
[root@localhost ~]# tar -xf apr-util-1.6.1.tar.gz -C /usr/local/src/
[root@localhost ~]# cd /usr/local/src/
[root@localhost src]# ls
apr-1.7.0 apr-util-1.6.1
//编译安装
[root@localhost ~]# cd /usr/local/src/apr-1.7.0/
[root@localhost apr-1.7.0]# vi configure
cfgfile=${ofile}T
trap "$RM \"$cfgfile\"; exit 1" 1 2 15
# $RM "$cfgfile" //将此行注释掉
[root@localhost apr-1.7.0]# ./configure --prefix=/usr/local/apr
[root@localhost apr-1.7.0]# make && make install
[root@localhost apr-1.7.0]# ls /usr/local/apr/
bin build-1 include lib
[root@localhost apr-1.7.0]# cd
[root@localhost ~]# cd /usr/local/src/apr-util-1.6.1/
[root@localhost apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr/
[root@localhost apr-util-1.6.1]# make && make install
[root@localhost apr-util-1.6.1]# ls /usr/local/apr-util/
bin include lib
编译安装httpd
[root@localhost ~]# wget https://mirrors.aliyun.com/apache/httpd/httpd-2.4.54.tar.gz
--2022-10-17 18:38:35-- https://mirrors.aliyun.com/apache/httpd/httpd-2.4.54.tar.gz
Resolving mirrors.aliyun.com (mirrors.aliyun.com)... 119.96.90.243, 58.49.162.242, 58.49.162.241, ...
Connecting to mirrors.aliyun.com (mirrors.aliyun.com)|119.96.90.243|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9743277 (9.3M) [application/octet-stream]
Saving to: 'httpd-2.4.54.tar.gz'
httpd-2.4.54.tar.gz 100%[======================>] 9.29M 1.04MB/s in 9.3s
2022-10-17 18:38:44 (1.00 MB/s) - 'httpd-2.4.54.tar.gz' saved [9743277/9743277]
[root@localhost ~]# ls
anaconda-ks.cfg apr-1.7.0.tar.gz apr-util-1.6.1.tar.gz httpd-2.4.54.tar.gz
[root@localhost ~]# tar -xf httpd-2.4.54.tar.gz -C /usr/local/src/
[root@localhost ~]# cd /usr/local/src/
[root@localhost src]# ls
apr-1.7.0 apr-util-1.6.1 httpd-2.4.54
[root@localhost src]# cd /usr/local/src/httpd-2.4.54/
@localhost httpd-2.4.54]# ./configure --prefix=/usr/local/apache --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-zlib --with-pcre --withapr=/usr/local/apr --with-apr-util=/usr/local/apr-util/ --enable-modules=most -enable-mpms-shared=all --with-mpm=prefork
[root@localhost httpd-2.4.54]# make && make install
[root@localhost httpd-2.4.54]# ls /usr/local/apache/
bin cgi-bin error icons logs manual
build conf htdocs include man modules
配置环境变量
[root@localhost httpd-2.4.54]# cd
[root@localhost ~]# echo 'export PATH=/usr/local/apache/bin:$PATH' > /etc/profile.d/apache.sh
[root@localhost ~]# source /etc/profile.d/apache.sh
[root@localhost ~]# which apachectl //查看环境变量是否设置成功
/usr/local/apache/bin/apachectl
[root@localhost ~]# ln -s /usr/local/apache/include/ /usr/inclu[root@localhost ~]# vi /etc/man_db.conf
# every automatically generated MANPATH includes these fields
#
#MANDATORY_MANPATH /usr/src/pvm3/man
#
MANDATORY_MANPATH /usr/man
MANDATORY_MANPATH /usr/share/man
MANDATORY_MANPATH /usr/local/share/man
MANDATORY_MANPATH /usr/local/apache/man //添加de/apach //配置软连接
[root@localhost ~]# vi /etc/man_db.conf
# every automatically generated MANPATH includes these fields
#
#MANDATORY_MANPATH /usr/src/pvm3/man
#
MANDATORY_MANPATH /usr/man
MANDATORY_MANPATH /usr/share/man
MANDATORY_MANPATH /usr/local/share/man
MANDATORY_MANPATH /usr/local/apache/man //添加
关闭防火墙和selinux
[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# setenforce 0
[root@localhost ~]# apachectl start
AH00558: httpd: Could not reliably determine the server's fully qualified domain
name, using localhost.localdomain. Set the 'ServerName' directive globally to
suppress this message
[root@localhost ~]# ss -anltup | grep httpd
tcp LISTEN 0 128 *:80 *:* users:
(("httpd",pid=170982,fd=4),("httpd",pid=170981,fd=4),("httpd",pid=170980,fd=4),
("httpd",pid=170979,fd=4),("httpd",pid=170978,fd=4),("httpd",pid=170977,fd=4))
开启apache
[root@localhost ~]# apachectl stop
AH00558: httpd: Could not reliably determine the server's fully qualified domain
name, using localhost.localdomain. Set the 'ServerName' directive globally to
suppress this message
//随便开关都没有这串代码了
[root@localhost ~]# apachectl start
[root@localhost ~]# apachectl stop
[root@localhost ~]# cd /usr/local/apache/conf/
[root@localhost conf]# ls
extra httpd.conf magic mime.types original
[root@localhost conf]# vi httpd.conf
[root@localhost conf]# cat httpd.conf |grep ServerName
# ServerName gives the name and port that the server uses to identify itself.
ServerName www.example.com:80 //此行注释取消
查看结果
//编写一下主页
[root@localhost ~]# vi /usr/local/apache/htdocs/index.html
[root@localhost ~]# cat /usr/local/apache/htdocs/index.html
<html><body><h1>It works!daxinyu</h1></body></html>
//开启apache服务
[root@localhost ~]# apachectl start
httpd基础
httpd自带的工具程序
| 工具 | 功能 |
|---|---|
| htpasswd | basic认证基于文件实现时,用到的帐号密码生成工具 |
| apachectl | httpd自带的服务控制脚本,支持start,stop,restart |
| apxs | 由httpd-devel包提供的,扩展httpd使用第三方模块的工具 |
| rotatelogs | 日志滚动工具 |
| suexec | 访问某些有特殊权限配置的资源时,临时切换至指定用户运行的工具 |
| ab | apache benchmark,httpd的压力测试工具 |
yum安装httpd
[root@129 ~]# dnf -y install httpd*
[root@129 ~]# systemctl restart httpd //开启httpd服务
[root@129 ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
[root@129 ~]# systemctl stop firewalld.service //关闭防火墙
rpm包安装的httpd程序环境
| 文件/目录 | 对应的功能 |
|---|---|
| /var/log/httpd/access.log | 访问日志 |
| /var/log/httpd/error_log | 错误日志 |
| /var/www/html/ | 站点文档目录 |
| /usr/lib64/httpd/modules/ | 模块文件路径 |
| /etc/httpd/conf/httpd.conf | 主配置文件 |
| /etc/httpd/conf.modules.d/*.conf | 模块配置文件 |
| /etc/httpd/conf.d/*.conf | 辅助配置文件 |
[root@129 ~]# cat /var/log/httpd/access_log //查看访问日志
192.168.118.1 - - [21/Jul/2022:16:16:40 +0800] "GET / HTTP/1.1" 403 199691 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36 Edg/103.0.1264.62"
[root@129 ~]# cat /var/log/httpd/access_log //查看错误日志
[Thu Jul 21 16:16:40.239886 2022] [autoindex:error] [pid 106111:tid 139793962870528] [client 192.168.118.1:54753] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive
//提醒没有index.html文件
[root@129 ~]# cd /var/www/html/
[root@129 html]# ls
[root@129 html]# echo "hello dada" > index.html //生产一个网址默认首页
[root@129 html]# echo "hello world" > a.html
[root@129 html]# ls
a.html index.html
[root@129 ~]# cd /usr/lib64/httpd/modules/ //查看模块文件
[root@129 modules]# ls
mod_access_compat.so mod_lbmethod_heartbeat.so
mod_actions.so mod_log_config.so
mod_alias.so mod_log_debug.so
...省略
yum安装httpd时,主配置文件
[root@129 ~]# vim /etc/httpd/conf/httpd.conf
#Listen 12.34.56.78:80
Listen 80 //端口,可更改
DocumentRoot "/var/www/html"
//默认网址路径,可能改
模块配置文件,这里都是安全httpd时默认开启的模块配置文件
[root@129 ~]# cd /etc/httpd/conf.modules.d/
[root@129 conf.modules.d]# ls
00-base.conf 00-mpm.conf 00-systemd.conf 10-proxy_h2.conf
00-dav.conf 00-optional.conf 01-cgi.conf README
00-lua.conf 00-proxy.conf 10-h2.conf
辅助配置文件
[root@129 ~]# cd /etc/httpd/conf/
[root@129 conf]# ls
httpd.conf magic
mpm:以DSO机制提供,配置文件为/etc/httpd/conf.modules.d/00-mpm.conf
web相关命令
curl命令
curl是基于URL语法在命令行方式下工作的文件传输工具,它支持FTP,FTPS,HTTP,HTTPS,GOPHER,TELNET,DICT,FILE及LDAP等协议。
curl支持以下功能:
- https认证
- http的POST/PUT等方法
- ftp上传
- kerberos认证
- http上传
- 代理服务器
- cookies
- 用户名/密码认证
- 下载文件断点续传
- socks5代理服务器
- 通过http代理服务器上传文件到ftp服务器
//语法:curl [options] [URL ...]
//常用的options:
-A/--user-agent <string> //设置用户代理发送给服务器
-basic //使用Http基本认证
--tcp-nodelay //使用TCP_NODELAY选项
-e/--referer <URL> //来源网址
--cacert <file> //CA证书(SSL)
--compressed //要求返回时压缩的格式
-H/--header <line> //自定义请求首部信息传递给服务器
-I/--head //只显示响应报文首部信息
--limit-rate <rate> //设置传输速度
-u/--user <user[:password]> //设置服务器的用户和密码
-0/--http1 //使用http 1.0版本,默认使用1.1版本。这个选项是数字0而不是字母o
-o/--output //把输出写到文件中
-#/--progress-bar //进度条显示当前的传送状态
通过curl下载文件
[root@129 ~]# ls
anaconda-ks.cfg
[root@129 ~]# curl -o myblog.html http://blog.51cto.com/itchentao
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--100 312 100 312 0 0 1457 0 --:--:-- --:--:-- --:--:-- 1457
[root@129 ~]# ls
anaconda-ks.cfg myblog.html
http命令
//语法:httpd [options]
//常用的options:
-l //查看静态编译的模块,列出核心中编译了哪些模块。 \
//它不会列出使用LoadModule指令动态加载的模块
-M //输出一个已经启用的模块列表,包括静态编译在服务 \
//器中的模块和作为DSO动态加载的模块
-v //显示httpd的版本,然后退出
-V //显示httpd和apr/apr-util的版本和编译参数,然后退出
-X //以调试模式运行httpd。仅启动一个工作进程,并且 \
//服务器不与控制台脱离
-t //检查配置文件是否有语法错误
[root@129 ~]# httpd -l //列出重要的核心模块
Compiled in modules:
core.c //核心模块
mod_so.c //共享对象模块
http_core.c //http核心模块
[root@129 ~]# httpd -M //列出所有模块
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 0.0.0.129. Set the 'ServerName' directive globally to suppress this message
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
access_compat_module (shared)
actions_module (shared)
alias_module (shared)
...省略
[root@129 ~]# httpd -v //显示版本信息
Server version: Apache/2.4.37 (centos)
Server built: Apr 6 2022 14:54:37
[root@129 ~]# httpd -t //用于检测配置文件是否有语法错误
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 0.0.0.129. Set the 'ServerName' directive globally to suppress this message //不是报错
Syntax OK
//解决方法:
[root@129 ~]# vim /etc/httpd/conf/httpd.conf
#ServerName www.example.com:80 //将此条注释取消掉
[root@129 ~]# systemctl restart httpd
[root@129 ~]# httpd -t
Syntax OK
httpd常用配置
切换使用MPM(编辑/etc/httpd/conf.modules.d/00-mpm.conf文件):
//LoadModule mpm_NAME_module modules/mod_mpm_NAME.so
//NAME有三种,分别是:
prefork
event
worker
[root@129 ~]# cd /etc/httpd/conf.modules.d/
[root@129 conf.modules.d]# ls
00-base.conf 00-mpm.conf 00-systemd.conf 10-proxy_h2.conf
00-dav.conf 00-optional.conf 01-cgi.conf README
00-lua.conf 00-proxy.conf 10-h2.conf
[root@129 conf.modules.d]# vim 00-mpm.conf
[root@129 conf.modules.d]# cat 00-mpm.conf
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines. See the httpd.conf(5) man
# page for more information on changing the MPM.
# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
#
# NOTE: If enabling prefork, the httpd_graceful_shutdown SELinux
# boolean should be enabled, to allow graceful stop/shutdown.
#
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so //想用prefork把这行注释取消掉就好
# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See: http://httpd.apache.org/docs/2.4/mod/worker.html
#
#LoadModule mpm_worker_module modules/mod_mpm_worker.so //同理
# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See: http://httpd.apache.org/docs/2.4/mod/event.html
#
LoadModule mpm_event_module modules/mod_mpm_event.so //默认使用的event
访问控制
| 法则 | 功能 |
|---|---|
| Require all granted | 允许所有主机访问 |
| Require all deny | 拒绝所有主机访问 |
| Require ip IPADDR | 授权指定来源地址的主机访问 |
| Require not ip IPADDR | 拒绝指定来源地址的主机访问 |
| Require host HOSTNAME | 授权指定来源主机名的主机访问 |
| Require not host HOSTNAME | 拒绝指定来源主机名的主机访问 |
| IPADDR的类型 | HOSTNAME的类型 |
|---|---|
| IP:192.168.1.1 Network/mask:192.168.1.0/255.255.255.0 Network/Length:192.168.1.0/24 Net:192.168 | FQDN:特定主机的全名 DOMAIN:指定域内的所有主机 |
注意:httpd-2.4版本默认是拒绝所有主机访问的,所以安装以后必须做显示授权访问
配置访问控制
[root@129 ~]# vim /etc/httpd/conf/httpd.conf
<Directory "/var/www/html/dada">
<RequireALL>
Require not ip 192.168.118.1 //拒绝主机访问
Require all granted //允许所有访问
</RequireALL>
</Directory>
[root@129 ~]# httpd -t //检测语法没问题
Syntax OK
[root@129 ~]# systemctl restart httpd
[root@129 ~]# curl http://192.168.118.129/dada/a.html //测试本机能访问
hello world
主机上被拒绝了
配置三种虚拟主机
虚拟主机需求:
- 相同IP不同端口
- 不同IP相同端口
- 相同IP相同端口不同域名
系统中安装了有http,就会有一个模板文件。
[root@localhost ~]# find / -name *vhosts.conf
/usr/share/doc/httpd/httpd-vhosts.conf
[root@localhost ~]# cd /etc/httpd/
[root@localhost httpd]# ls
conf conf.d conf.modules.d logs modules run state
[root@localhost httpd]# cd conf.d/
[root@localhost conf.d]# ls
README autoindex.conf userdir.conf welcome.conf
[root@localhost conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf . //将模板文件复制到辅助配置文件
[root@localhost conf.d]# ls
README autoindex.conf httpd-vhosts.conf userdir.conf welcome.conf
[root@localhost conf.d]# vim httpd-vhosts.conf
[root@localhost conf.d]# cat httpd-vhosts.conf
...省略
//虚拟主机示例
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com //服务的邮箱
DocumentRoot "/var/www/dummy-host.example.com" //网站根目录
ServerName dummy-host.example.com //域名
ServerAlias www.dummy-host.example.com //域名别名
ErrorLog "/var/log/httpd/dummy-host.example.com-error_log" //错误日志
CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common //访问日志
</VirtualHost>
相同ip不同端口
[root@localhost conf.d]# cat httpd-vhosts.conf
...省略
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost *:80>
DocumentRoot "/var/www/html/feiji"
ServerName www.feiji.com
ErrorLog "/var/log/httpd/www.feiji.com-error_log"
CustomLog "/var/log/httpd/www.feiji.com-access_log" common
</VirtualHost>
Listen 81
<VirtualHost *:81>
DocumentRoot "/var/www/html/tanke"
ServerName www.tanke.com
ErrorLog "/var/log/httpd/www.tanke.com-error_log"
CustomLog "/var/log/httpd/www.tanke.com-access_log" common
</VirtualHost>
//创建目录
[root@localhost conf.d]# cd
[root@localhost ~]# cd /var/www/html/
[root@localhost html]# mkdir feiji tanke
[root@localhost html]# ls
feiji tanke
//将这两个游戏的文件上传到目录下,在此之前我上传了,复制过来
[root@localhost html]# cd
[root@localhost ~]# ls
anaconda-ks.cfg feijidazhan tanke.zip
doudizhu feijiedazhan.zip zhuawawaji
doudizhu.zip tanke
[root@localhost ~]# cp -r tanke/* /var/www/html/tanke/
[root@localhost ~]# cp -r feijidazhan/* /var/www/html/feiji/
[root@localhost ~]# cd /var/www/html/feiji/
[root@localhost feiji]# ls
css img index.html js
[root@localhost feiji]# cd /var/www/html/tanke/
[root@localhost tanke]# ls
audio css images index.html js
//检查配置文件没有问题,并重启服务,关闭防火墙。
[root@localhost ~]# cd /var/www/html/
[root@localhost html]# ls
feiji index.html tanke
[root@localhost html]# httpd -t
Syntax OK
[root@localhost html]# systemctl restart httpd
[root@localhost ~]# systemctl stop firewalld
访问默认80端口
访问81端口
不同ip相同端口
添加一个临时IP
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:16:06:1e brd ff:ff:ff:ff:ff:ff
inet 192.168.118.129/24 brd 192.168.118.255 scope global dynamic noprefixroute ens33
valid_lft 1310sec preferred_lft 1310sec
inet6 fe80::20c:29ff:fe16:61e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@localhost ~]# ip addr add 192.168.118.130/24 dev ens33
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:16:06:1e brd ff:ff:ff:ff:ff:ff
inet 192.168.118.129/24 brd 192.168.118.255 scope global dynamic noprefixroute ens33
valid_lft 1214sec preferred_lft 1214sec
inet 192.168.118.130/24 scope global secondary ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe16:61e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@localhost ~]# ping 192.168.118.130
PING 192.168.118.130 (192.168.118.130) 56(84) bytes of data.
64 bytes from 192.168.118.130: icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from 192.168.118.130: icmp_seq=2 ttl=64 time=0.064 ms
64 bytes from 192.168.118.130: icmp_seq=3 ttl=64 time=0.037 ms
^C
--- 192.168.118.130 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2047ms
rtt min/avg/max/mdev = 0.033/0.044/0.064/0.015 ms
[root@localhost ~]#
配置文件
[root@localhost ~]# cd /etc/httpd/conf.d/
[root@localhost conf.d]# ls
README autoindex.conf httpd-vhosts.conf userdir.conf welcome.conf
[root@localhost conf.d]# vim httpd-vhosts.conf
[root@localhost conf.d]# cat httpd-vhosts.conf
...省略
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost 192.168.118.129:80>
DocumentRoot "/var/www/html/feiji"
ServerName www.feiji.com
ErrorLog "/var/log/httpd/www.feiji.com-error_log"
CustomLog "/var/log/httpd/www.feiji.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.118.130:80>
DocumentRoot "/var/www/html/tanke"
ServerName www.tanke.com
ErrorLog "/var/log/httpd/www.tanke.com-error_log"
CustomLog "/var/log/httpd/www.tanke.com-access_log" common
</VirtualHost>
验证并重启服务
[root@localhost conf.d]# httpd -t
Syntax OK
[root@localhost conf.d]# systemctl restart httpd
查看ip为192.168.118.129
查看ip为192.168.118.130
相同IP相同端口不同域名
配置文件
[root@localhost conf.d]# vim httpd-vhosts.conf
[root@localhost conf.d]# cat httpd-vhosts.conf
...省略
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost *:80>
DocumentRoot "/var/www/html/feiji"
ServerName www.feiji.com
ErrorLog "/var/log/httpd/www.feiji.com-error_log"
CustomLog "/var/log/httpd/www.feiji.com-access_log" common
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/var/www/html/tanke"
ServerName www.tanke.com
ErrorLog "/var/log/httpd/www.tanke.com-error_log"
CustomLog "/var/log/httpd/www.tanke.com-access_log" common
</VirtualHost>
//验证并重启服务
[root@localhost conf.d]# httpd -t
Syntax OK
[root@localhost conf.d]# systemctl restart httpd
域名映射:
Linux系统和mac系统: /etc/hosts
windows: C:/windows/system32/drivers/etc/hosts
先把hosts文件拖到桌面进行修改,修改完以后再拖回去
1.买一个域名
2.本机配置一个host文件,本机局域网下可以访问
3.装一个dns服务,做一个正反射解析,也只能在本机局域网下使用
在windows上配置host文件
先找到host文件
将文件拖到桌面后进行配置保存后再放进文件夹
测试访问域名www.feiji.com
测试访问域名www.tanke.com
配置访问控制
修改配置文件
将www.feiji.com域名禁止主机访问
[root@localhost ~]# cd /etc/httpd/conf.d/
[root@localhost conf.d]# ls
README autoindex.conf httpd-vhosts.conf userdir.conf welcome.conf
[root@localhost conf.d]# vim httpd-vhosts.conf
[root@localhost conf.d]# cat httpd-vhosts.conf
...省略
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost *:80>
DocumentRoot "/var/www/html/feiji"
ServerName www.feiji.com
ErrorLog "/var/log/httpd/www.feiji.com-error_log"
CustomLog "/var/log/httpd/www.feiji.com-access_log" common
<Directory "/var/www/html/feiji">
<RequireAll>
Require not ip 192.168.118.1
Require all granted
</RequireAll>
</Directory>
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/var/www/html/tanke"
ServerName www.tanke.com
ErrorLog "/var/log/httpd/www.tanke.com-error_log"
CustomLog "/var/log/httpd/www.tanke.com-access_log" common
</VirtualHost>
[root@localhost conf.d]#
//测试语法没问题,重启服务
[root@localhost conf.d]# httpd -t
Syntax OK
[root@localhost conf.d]# systemctl restart httpd
测试访问不到文件内容
配置https
ssl模块
先检查一下有没有ssl模块,没有列出任何文件就没有安装ssl模块
[root@localhost ~]# httpd -M | grep ssl
安装ssl模块后重启服务,查到有ssl模块
[root@localhost ~]# dnf install -y mod_ssl
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# httpd -t
Syntax OK
[root@localhost ~]# httpd -M |grep ssl
ssl_module (shared)
//代表加载成功并启用
[root@localhost conf.modules.d]# cat 00-ssl.conf
LoadModule ssl_module modules/mod_ssl.so
https证书
CA生成密钥
[root@localhost ~]# cd /etc/pki/
[root@localhost pki]# mkdir CA
[root@localhost pki]# cd CA/
[root@localhost CA]# mkdir private
[root@localhost CA]# ls
private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................+++++
...............................+++++
e is 65537 (0x010001)
[root@localhost CA]# cd private/
[root@localhost private]# ls
cakey.pem
CA生成自签署证书
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:peixun
Common Name (eg, your name or your server's hostname) []:www.feiji.com
Email Address []:317134@^H
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
客户端(例如httpd服务器)生成密钥
[root@localhost CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@localhost ssl]# pwd
/etc/httpd/ssl
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
............................................+++++
.................................................................................................................................................................+++++
e is 65537 (0x010001)
[root@localhost ssl]# ls
httpd.key
客户端生成证书签署请求,和之前自签证书要一模一样
[root@localhost ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:peixun
Common Name (eg, your name or your server's hostname) []:www.feiji.com
Email Address []:317134@^H
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]#
客户端把证书签署请求文件发送给CA (两台主机做这个)
scp httpd.csr root@CA端IP:/root
CA签署客户端提交上来的证书
[root@localhost ssl]# openssl ca -in /etc/httpd/ssl/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 24 09:08:01 2022 GMT
Not After : Jul 24 09:08:01 2023 GMT
Subject:
countryName = cn
stateOrProvinceName = hb
organizationName = runtime
organizationalUnitName = peixun
commonName = www.feiji.com
emailAddress = 317134@\08
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
72:91:9D:FC:74:9D:E7:21:BA:C4:4B:25:CC:23:B6:20:BB:A4:DA:4D
X509v3 Authority Key Identifier:
keyid:51:F1:D2:13:04:10:31:15:5B:34:6F:38:06:ED:D7:F7:5D:94:F6:C0
Certificate is to be certified until Jul 24 09:08:01 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl]#
httpd.crt httpd.csr httpd.key
配置https
[root@localhost ssl]# pwd
/etc/httpd/ssl
[root@localhost ssl]# cd /etc/httpd/conf.d
[root@localhost conf.d]# ls
README httpd-vhosts.conf userdir.conf
autoindex.conf ssl.conf welcome.conf
[root@localhost conf.d]# vim ssl.conf
DocumentRoot "/var/www/html/feiji"
ServerName www.feiji.com:443 //取消掉这两条注释并改域名和文件路径
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key //更改文件路径
[root@localhost conf.d]# httpd -t
Syntax OK
[root@localhost conf.d]# systemctl restart httpd
[root@localhost conf.d]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 *:80 *:*
查看效果
用https访问,点击继续访问
