Common httpd configuration and steps to configure HTTPS
Common httpd configuration
Apache installed from source
Switching the MPM (edit the file /etc/httpd24/extra/httpd-mpm.conf):
The block is written as `<IfModule mpm_NAME_module>`, where NAME is one of three values:
- prefork
- event
- worker
[root@localhost ~]# vim /etc/httpd24/extra/httpd-mpm.conf
<IfModule mpm_prefork_module>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxRequestWorkers 250
MaxConnectionsPerChild 0
</IfModule>
StartServers: number of child server processes created at startup
MinSpareServers: minimum number of idle child server processes kept ready
MaxSpareServers: maximum number of idle child server processes kept ready
MaxRequestWorkers: maximum number of client connections served simultaneously
MaxConnectionsPerChild: maximum number of connections one child process handles before it is recycled (0 means unlimited)
Setting the environment variable
[root@localhost ~]# vim /etc/prelink.conf.d/httpd.sh
[root@localhost ~]# cat /etc/prelink.conf.d/httpd.sh
export PATH=/usr/local/apache/bin/:$PATH
[root@localhost ~]# source /etc/prelink.conf.d/httpd.sh
Starting Apache
[root@localhost ~]# apachectl start //start the Apache service
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message //to silence this warning, edit the main configuration file (vim /etc/httpd24/httpd.conf) and uncomment the line ServerName www.example.com:80
httpd (pid 1567) already running
[root@localhost ~]# ss -antl //check whether port 80 is listening
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:80 *:*
Access control rules:

Rule | Function |
---|---|
Require all granted | allow all hosts to access |
Require all denied | deny all hosts access |
Require ip IPADDR | allow hosts from the given source address |
Require not ip IPADDR | deny hosts from the given source address |
Require host HOSTNAME | allow hosts with the given source host name |
Require not host HOSTNAME | deny hosts with the given source host name |

Forms of IPADDR | Forms of HOSTNAME |
---|---|
IP: 192.168.1.1 | FQDN: the full name of a specific host |
Network/mask: 192.168.1.0/255.255.255.0 | DOMAIN: all hosts within the given domain |
Network/length: 192.168.1.0/24 | |
Net: 192.168 | |

Note: httpd 2.4 denies access to all hosts by default, so after installation you must grant access explicitly.
Example:
[root@localhost ~]# vim /etc/httpd24/httpd.conf
<Directory "/usr/local/apache/htdocs">
Require all granted //delete or comment out this line
</Directory>
[root@localhost ~]# apachectl restart //after restarting the service, the page no longer loads in the browser
[root@localhost ~]# vim /etc/httpd24/httpd.conf
<Directory "/usr/local/apache/htdocs">
Require all granted //uncomment or add this line and the default page is visible again
</Directory>
[root@localhost ~]# apachectl restart
Virtual hosts:
There are three kinds of virtual hosts:
- same IP, different ports
- different IPs, same port
- same IP, same port, different domain names
Go to the directory where the pages are stored and add the pages
[root@localhost ~]# cd /usr/local/apache/htdocs/
[root@localhost htdocs]# ls
index.html jp year //jp and year are directories holding the pages I made
[root@localhost htdocs]# tree
.
├── index.html
├── jp
│ └── index.html
└── year
├── css
│ ├── bootstrap.css
│ ├── font_1191451_h720mljzrsc.css
│ └── style.css
├── fonts
│ ├── DIN-Black_0.otf
│ ├── DIN-Bold_0.otf
│ ├── dinbold-webfont.bc8aa63.woff
│ ├── DIN-Light_0.otf
│ └── DIN-Medium_0.otf
├── getUserinfo.html
├── images
│ ├── bq001.png
│ ├── bq002.gif
│ └── time.jpg
├── index.html
├── js
│ ├── app.js
│ ├── bootstrap.min.js
│ ├── jquery.min.js
│ └── jweixin-1.4.0.js
├── json
│ └── index.json
└── mp3
└── akon.mp3
8 directories, 21 files
Entering the IP address followed by /directory-name in the browser shows the page.
Virtual host configuration: same IP, different ports
[root@localhost httpd24]# pwd
/etc/httpd24
[root@localhost httpd24]# ls
extra httpd.conf magic mime.types original
[root@localhost httpd24]# vim httpd.conf
Include /etc/httpd24/extra/httpd-vhosts.conf //find this line and uncomment it
[root@localhost httpd24]# vim extra/httpd-vhosts.conf //change the configuration as follows
<VirtualHost *:80>
DocumentRoot "/usr/local/apache/htdocs/jp"
ServerName jp.example.com
ErrorLog "logs/jp.example.com-error_log"
CustomLog "logs/jp.example.com-access_log" common
</VirtualHost>
Listen 88 //listen on port 88
<VirtualHost *:88>
DocumentRoot "/usr/local/apache/htdocs/year"
ServerName year.example.com
ErrorLog "logs/year.example.com-error_log"
CustomLog "logs/year.example.com-access_log" common
</VirtualHost>
[root@localhost httpd24]# apachectl restart
[root@localhost httpd24]# ss -ant //ports 80 and 88 are both listening
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
ESTAB 0 36 192.168.96.129:22 192.168.96.1:59787
ESTAB 0 0 192.168.96.129:22 192.168.96.1:62598
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:88 *:*
LISTEN 0 128 *:80 *:*
Open the browser and enter the IP address followed by :port to reach each site.
Virtual host configuration: different IPs, same port
Add an IP address (not persistent across reboots)
[root@localhost httpd24]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:a6:9e:07 brd ff:ff:ff:ff:ff:ff
inet 192.168.96.129/24 brd 192.168.96.255 scope global dynamic noprefixroute ens33
valid_lft 1282sec preferred_lft 1282sec
inet6 fe80::20c:29ff:fea6:9e07/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@localhost httpd24]# ip addr add 192.168.96.166/24 dev ens33
[root@localhost httpd24]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:a6:9e:07 brd ff:ff:ff:ff:ff:ff
inet 192.168.96.129/24 brd 192.168.96.255 scope global dynamic noprefixroute ens33
valid_lft 1165sec preferred_lft 1165sec
inet 192.168.96.166/24 scope global secondary ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fea6:9e07/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Edit the vhosts.conf configuration file
[root@localhost httpd24]# vim extra/httpd-vhosts.conf //change the configuration as follows
<VirtualHost 192.168.96.129:80>
DocumentRoot "/usr/local/apache/htdocs/jp"
ServerName jp.example.com
ErrorLog "logs/jp.example.com-error_log"
CustomLog "logs/jp.example.com-access_log" common
</VirtualHost>
<VirtualHost 192.168.96.166:80>
DocumentRoot "/usr/local/apache/htdocs/year"
ServerName year.example.com
ErrorLog "logs/year.example.com-error_log"
CustomLog "logs/year.example.com-access_log" common
</VirtualHost>
[root@localhost httpd24]# apachectl restart
Open the browser and enter each IP address.
Virtual host configuration: same IP, same port, different domain names
[root@localhost httpd24]# vim extra/httpd-vhosts.conf //change the configuration as follows
<VirtualHost *:80>
DocumentRoot "/usr/local/apache/htdocs/jp"
ServerName jp.example.com
ErrorLog "logs/jp.example.com-error_log"
CustomLog "logs/jp.example.com-access_log" common
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/usr/local/apache/htdocs/year"
ServerName year.example.com
ErrorLog "logs/year.example.com-error_log"
CustomLog "logs/year.example.com-access_log" common
</VirtualHost>
Because the domain names used in this experiment are made up, the following extra steps are needed on the Windows client:
Drag c:\windows\system32\drivers\etc\hosts to the desktop.
Right-click it, open it with WordPad as administrator, and add a line of the form:
<virtual machine IP address> <domain name of the site>
Then drag hosts back into c:\windows\system32\drivers\etc\.
Then restart the Apache service:
[root@localhost httpd24]# apachectl restart
Then open the browser and enter the domain name.
Summary of the virtual host configuration process
- Edit the main configuration file httpd.conf to include the vhosts.conf configuration file
- Write the vhosts.conf file
- Restart the service
Steps to configure HTTPS
Generate the certificate, configure httpd.conf, set the certificate locations in httpd-ssl.conf, and check the files for syntax errors.
[root@localhost ~]# dnf -y install mod_ssl //install the module
//installation output omitted
[root@localhost httpd24]# pwd
/etc/httpd24
[root@localhost httpd24]# vim extra/httpd-ssl.conf //set the certificate locations in httpd-ssl.conf; the changed lines of the block are:
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs/jp"
ServerName jp.example.com:443
ErrorLog "/usr/local/apache/logs/jp_error_log"
TransferLog "/usr/local/apache/logs/jp_access_log"
SSLCertificateFile "/etc/httpd24/httpd.crt"
SSLCertificateKeyFile "/etc/httpd24/httpd.key"
[root@localhost httpd24]# vim httpd.conf //find the following two lines and uncomment them
LoadModule ssl_module modules/mod_ssl.so
Include /etc/httpd24/extra/httpd-ssl.conf
[root@localhost httpd24]# apachectl -t //check the configuration files for syntax errors
AH00526: Syntax error on line 92 of /etc/httpd24/extra/httpd-ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
[root@localhost httpd24]# vim +92 extra/httpd-ssl.conf //comment out the following two lines (or load mod_socache_shmcb, as the error message suggests, and keep the session cache)
#SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
#SSLSessionCacheTimeout 300
Generating the certificates
[root@localhost httpd24]# mkdir /etc/pki/CA
[root@localhost httpd24]# cd /etc/pki/CA/
[root@localhost CA]# pwd
/etc/pki/CA
[root@localhost CA]# mkdir private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) //generate the CA key; the parentheses are required so that the umask applies only to the subshell
Generating RSA private key, 2048 bit long modulus (2 primes)
.............+++++
...........................................................................................................................................+++++
e is 65537 (0x010001)
[root@localhost CA]# ls private/
cakey.pem
[root@localhost CA]# openssl rsa -in private/cakey.pem -pubout //extract the public key
writing RSA key
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 //generate the self-signed CA certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN //country
State or Province Name (full name) []:HB //province
Locality Name (eg, city) [Default City]:WH //city
Organization Name (eg, company) [Default Company Ltd]:jxrt //organization
Organizational Unit Name (eg, section) []:jxrt //organizational unit
Common Name (eg, your name or your server's hostname) []:jp.example.com //domain name
Email Address []:123@.com //e-mail address, filled in arbitrarily here
[root@localhost CA]# ls
cacert.pem private
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@localhost CA]# cd /opt/
[root@localhost opt]# ls
[root@localhost opt]# (umask 077;openssl genrsa -out httpd.key 2048) //the client (here the httpd server) generates its key
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................................................................................................................................................+++++
....+++++
e is 65537 (0x010001)
[root@localhost opt]# ls
httpd.key
[root@localhost opt]# openssl req -new -key httpd.key -days 365 -out httpd.csr //the client generates a certificate signing request
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:jxrt
Organizational Unit Name (eg, section) []:jxrt
Common Name (eg, your name or your server's hostname) []:123@.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost opt]# ll
total 8
-rw-r--r--. 1 root root 985 Apr 27 17:29 httpd.csr
-rw-------. 1 root root 1675 Apr 27 17:27 httpd.key
[root@localhost opt]# openssl ca -in /opt/httpd.csr -out httpd.crt -days 365 //the CA signs the request submitted by the client
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 27 09:31:52 2021 GMT
Not After : Apr 27 09:31:52 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = jxrt
organizationalUnitName = jxrt
commonName = 123@.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9C:AF:99:B2:B8:1C:DD:29:16:DB:AB:AB:E3:B2:B0:D9:13:CE:F4:EE
X509v3 Authority Key Identifier:
keyid:57:F6:77:F2:9C:C7:3A:90:FA:CC:9E:03:49:28:40:B0:63:EC:0A:55
Certificate is to be certified until Apr 27 09:31:52 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost opt]# ls
httpd.crt httpd.csr httpd.key
[root@localhost opt]# mv httpd.crt httpd.key /etc/httpd24/
[root@localhost opt]# cd /etc/httpd24/
[root@localhost httpd24]# ls
extra httpd.crt magic original
httpd.conf httpd.key mime.types
[root@localhost httpd24]# apachectl restart //start or restart the service
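As an added example (not part of the original post), the same CA and server-certificate procedure run non-interactively with -subj, giving the server certificate a Common Name and subjectAltName equal to the vhost's ServerName (in the transcript above the CSR's Common Name is 123@.com rather than jp.example.com, so browsers would report a host name mismatch) and ending with the verification step the post omits. It assumes openssl is on PATH and writes into a scratch directory; the file names and the CA name are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: the CA and server-certificate
# procedure above run non-interactively. -subj replaces the DN prompts, and
# the server certificate gets CN and subjectAltName = the vhost's ServerName.
# Requires openssl on PATH; all files go into a scratch directory.
set -e

WORK="${WORK:-$(mktemp -d)}"    # scratch directory (override with WORK=/path)
HOST="jp.example.com"           # must equal ServerName in httpd-ssl.conf

# 1. CA key and self-signed CA certificate (the post's cakey.pem / cacert.pem).
make_ca() {
    (umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
        -days 365 -subj "/C=CN/ST=HB/L=WH/O=jxrt/OU=jxrt/CN=jxrt lab CA"
}

# 2. Server key and CSR. The CN is the host name, not an e-mail address.
make_csr() {
    (umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$WORK/httpd.key" -out "$WORK/httpd.csr" \
        -subj "/C=CN/ST=HB/L=WH/O=jxrt/OU=jxrt/CN=$HOST"
}

# 3. CA signs the CSR. "openssl x509 -req" needs no index.txt/serial layout;
#    the extension file adds the SAN that browsers require (x509 -req does not
#    copy extensions from the CSR) and marks the certificate as non-CA.
sign_csr() {
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" \
        > "$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/httpd.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$WORK/ext.cnf" -out "$WORK/httpd.crt" 2>/dev/null
}

# 4. The check the post skips: does httpd.crt chain to cacert.pem and is it
#    valid for host name $1? Returns 0 on success, non-zero otherwise.
verify_cert() {
    openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
        "$WORK/httpd.crt" >/dev/null 2>&1
}

make_ca && make_csr && sign_csr
verify_cert "$HOST" && echo "$WORK/httpd.crt is valid for $HOST"
```

Copy httpd.crt and httpd.key into /etc/httpd24/ as in the transcript; a certificate that fails verify_cert for the ServerName will also be rejected by the browser.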
Steps to configure HTTPS:
Generate the certificates
Configure httpd.conf, uncommenting the LoadModule ssl_module and Include httpd-ssl.conf lines
Configure the virtual host in httpd-vhosts.conf
Set the certificate locations in httpd-ssl.conf
Check the configuration files for syntax errors
Start or restart the service
Set up the hosts file so the site can be reached by domain name (learning stage only; not needed in real production work)