### HTTPS + cronolog log rotation + AWStats log analysis + ab stress testing
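Lab environment
CA server: CentOS 6, 192.168.10.111
https server: CentOS 6, 192.168.10.110
client: Windows 10, 192.168.10.1
Configuring httpd to support SSL
- Request a digital certificate for the server
- On the CA server, create the self-signed CA certificate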
[root@lg ~]# cd /etc/pki/CA/
[root@lg CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
...+++
e is 65537 (0x10001)
[root@lg CA]# touch index.txt
[root@lg CA]# echo 01 > serial
[root@lg CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country
State or Province Name (full name) []:Beijing # state or province
Locality Name (eg, city) [Default City]:Beijing # city
Organization Name (eg, company) [Default Company Ltd]:ca.Inc # company name
Organizational Unit Name (eg, section) []: # organizational unit
Common Name (eg, your name or your server's hostname) []: # user or host name
Email Address []: # e-mail address
[root@lg CA]# ls
cacert.pem certs crl index.txt newcerts private serial
- On the httpd server, generate the private key for the request
- Generate a certificate signing request from the private key
[root@lg6-1 ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:ca.Inc
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:lg6-1
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Note: the host name entered is the host name of the http server
- Send the request to the CA server
[root@lg6-1 ~]# scp /etc/httpd/ssl/httpd.csr root@192.168.10.111:/root
root@192.168.10.111's password:
httpd.csr 100% 952 0.9KB/s 00:00
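- Sign the request on the CA server
- Send the signed certificate back to the http server
- On the http server, inspect the returned certificate
- Install the SSL module on the http server
- Configure name-based virtual hosts by adding the following to ssl.conf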
NameVirtualHost 192.168.10.110:443
<VirtualHost 192.168.10.110:443>
DocumentRoot "/www/docs/lgweb1/"
ServerName web1.lg.com
ErrorLog logs/ssllgweb1_error_log
TransferLog logs/ssllgweb1_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
</VirtualHost>
<VirtualHost 192.168.10.110:443>
DocumentRoot "/www/docs/lgweb2/"
ServerName web2.lg.com
ErrorLog logs/ssllgweb2_error_log
TransferLog logs/ssllgweb2_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
</VirtualHost>
# Note: SSLProtocol all -SSLv2 disables only SSLv2, so SSLv3 stays enabled, and this SSLCipherSuite string still admits RC4, MEDIUM and LOW suites
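- Restart the service and check the ports it is listening on
- Test from the client
- Because the certificate is privately signed, the browser shows a warning; choose Advanced --> Accept the Risk and Continue
- On the CA server, use the openssl command to test whether the connection is SSL-encrypted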
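The issuance steps above, rehearsed end to end in a scratch directory as an added example (not the author's commands). It signs with `openssl x509 -req` rather than the `/etc/pki/CA` setup, and the CA name "Lab Root CA" and the subjectAltName list are constructed. It goes one step beyond the page by checking that the certificate chains to the CA, matches httpd.key, and covers the name a client requests.

```shell
#!/bin/sh
# Added example: rehearse the private-CA issuance in a scratch directory.
# Assumptions: file names follow the article; the CA name "Lab Root CA" and
# the SAN list are constructed; signing uses `openssl x509 -req`.

# issue_and_check HOST: build the CA and a server certificate, then succeed
# only if the certificate chains to the CA, matches httpd.key and covers HOST.
issue_and_check() (
    host=$1
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    cd "$work" || exit 1
    umask 077    # private keys readable by the owner only
    subj="/C=CN/ST=Beijing/L=Beijing/O=ca.Inc"
    {
        # CA side: key and self-signed root certificate
        openssl genrsa -out cakey.pem 2048 &&
        openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650 \
            -subj "$subj/CN=Lab Root CA" &&
        # httpd side: key and signing request
        openssl genrsa -out httpd.key 2048 &&
        openssl req -new -key httpd.key -out httpd.csr \
            -subj "$subj/CN=web1.lg.com" &&
        # CA side: sign, listing every vhost name as a subjectAltName
        echo "subjectAltName=DNS:web1.lg.com,DNS:web2.lg.com" > san.ext &&
        openssl x509 -req -in httpd.csr -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -sha256 -days 365 -extfile san.ext -out httpd.crt
    } >/dev/null 2>&1 || exit 1

    # 1. the certificate chains to the CA
    openssl verify -CAfile cacert.pem httpd.crt >/dev/null 2>&1 || exit 1
    # 2. the certificate carries the public half of httpd.key
    crt_pub=$(openssl x509 -in httpd.crt -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in httpd.key -pubout | openssl sha256)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] || exit 1
    # 3. the name the client requests is covered by the certificate
    openssl x509 -in httpd.crt -noout -checkhost "$host" | grep -q "does match"
)

# The vhost name is accepted; a name absent from the SAN list is not.
issue_and_check web1.lg.com && echo "web1.lg.com: accepted"
issue_and_check lg6-1 || echo "lg6-1: rejected (not in subjectAltName)"
```

The same three checks can be run against the real /etc/httpd/ssl/httpd.crt and httpd.key before restarting httpd.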
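Log rotation tool
- When httpd handles heavy traffic its log files grow extremely large, so they need to be rotated (split)
- CentOS 6 ships with Logrotate for splitting logs, but it can easily lose log entries, so the third-party open-source rotation tool cronolog is used here instead
cronolog configuration (on top of HTTPS)
- Download the package (the official site requires a proxy to reach; otherwise use the Baidu link)
wget http://cronolog.org/download/cronolog-1.6.2.tar.gz
- Upload the package to the httpd server
- Extract and install it (the gcc compiler must be installed)
- Change where the log files are stored (because https is used here the log location is set in a different file; by default you would edit /etc/httpd/conf/httpd.conf)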
<VirtualHost 192.168.10.110:443>
DocumentRoot "/www/docs/lgweb1/"
ServerName web1.lg.com
#ErrorLog logs/ssllgweb1_error_log
#TransferLog logs/ssllgweb1_access_log
ErrorLog "| /usr/local/sbin/cronolog /etc/httpd/logs/error_web1_%Y%m%d%H.log"
TransferLog "| /usr/local/sbin/cronolog /etc/httpd/logs/access_web1_%Y%m%d%H.log"
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
</VirtualHost>
# | /usr/local/sbin/cronolog pipes the log to cronolog
# /etc/httpd/logs/error_web1_%Y%m%d%H.log sets the location and name of the log file; the log is rotated at each boundary of the configured time unit
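- Restart the service
- Access the site from the client to generate log files
- A new log file is created each time the configured time boundary passes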
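Graphical log analysis tool: AWStats
- Download links
Official site link
Baidu link
- Upload to the server
- Extract
- Rename the extracted directory to awstats
- Add execute permission to the scripts awstats_configure.pl and awstats_updateall.pl in the tools directory
- Run awstats_configure.pl and go through its configuration prompts
- Edit the generated default configuration file to specify the log file (if specified, the file is generated at the specified location)
- Create the files specified in the configuration file
- Run the log analysis manually
- View the results graphically in a browser
- Note: to cover the logs of several virtual hosts, copy the first configuration file, rename it as the configuration for the corresponding site, and change the log file path and host name
- Schedule the log analysis to run periodically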
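Stress testing tool: ab
- ab command format
- ab [option] URL
- -n: total number of requests
- -c: number of concurrent requests to simulate
- -k: test using persistent connections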