httpd

httpd is the main program of the Apache HyperText Transfer Protocol (HTTP) server. It is designed to run as a standalone daemon that creates a pool of child processes or threads to handle requests.

Normally httpd should not be invoked directly; on Unix-like systems it is started through apachectl, and on Windows it runs as a service.

1. httpd features

Version / features

2.2
  - Pre-forks worker processes
  - Keeps an appropriate number of spare processes on demand
  - Modular design: a small core with features (PHP included) added as modules; run-time configuration; modules can be compiled separately
  - Several styles of virtual host: IP-based, port-based and name-based
  - HTTPS (provided by mod_ssl)
  - User authentication
  - ACLs based on client IP address or host name
  - Per-directory access control (the default page needs no credentials, while a particular directory can require a user name and password)
  - URL rewriting
  - MPMs (Multi-Processing Modules), which define the process model: single process, single process with several threads, several processes, several single-threaded processes, several multi-threaded processes

2.4 (new in httpd-2.4)
  - MPMs can be built as DSOs (Dynamic Shared Objects) and loaded on demand like any other module
  - event MPM is production-ready
  - Asynchronous read/write support
  - Separate log levels per module and per directory
  - Per-request configuration sections, written with <If>
  - Enhanced expression parser
  - KeepAliveTimeout with millisecond granularity
  - FQDN-based virtual hosts no longer need the NameVirtualHost directive
  - User-defined variables
  - New directives such as AllowOverrideList
  - Lower memory usage

Process model / how it works

prefork  Multi-process model: processes are created in advance and each request is answered by one process.
         One parent process spawns n child processes (also called worker processes).
         Each child handles one request at a time; spare idle children are kept ready even when no request is pending, up to the limit set by MaxRequestWorkers and ServerLimit (256 by default).
worker   Thread-based: each request is answered by one thread (several processes are started, each running several threads).
event    Event-driven variant of worker: a listener thread in each process handles idle and keep-alive connections, so one process serves many connections without tying up a worker thread per connection.

2. Modules new in httpd-2.4

Module / function
mod_proxy_fcgi   FastCGI backend support for mod_proxy, used to reverse-proxy to FastCGI applications such as php-fpm
mod_ratelimit    Bandwidth rate limiting for client connections
mod_remoteip     Replaces the client IP address that httpd sees (and logs, and uses for Require ip) with the address a front proxy or load balancer passes in a request header such as X-Forwarded-For. Only honour that header from proxies listed with RemoteIPInternalProxy/RemoteIPTrustedProxy; otherwise any client can spoof its source address and bypass IP-based access control.

Also changed in 2.4: IP-based access control is now done with Require directives (mod_authz_host). The 2.2 Order/Deny/Allow directives work only when mod_access_compat is loaded and should not be mixed with Require in the same context.

3. httpd basics

3.1 Tools shipped with httpd

Tool / function
htpasswd    Creates and updates the flat password files used when Basic authentication is file-based
apachectl   Service control script shipped with httpd; supports start, stop, restart (also graceful and configtest)
apxs        Provided by the httpd-devel package; builds and installs third-party modules for httpd
rotatelogs  Log rotation tool
suexec      Runs CGI/SSI programs as the user configured for the resource (SuexecUserGroup) instead of the httpd user
ab          Apache Benchmark, the load-testing tool for httpd

3.2 Layout of the rpm-installed httpd

File/directory / purpose
/var/log/httpd/access_log          access log
/var/log/httpd/error_log           error log
/var/www/html                      site document root
/usr/lib64/httpd/modules           module files
/etc/httpd/conf/httpd.conf         main configuration file
/etc/httpd/conf.modules.d/*.conf   module configuration files
/etc/httpd/conf.d/*.conf           supplementary configuration files

MPM: provided as a DSO; configured in /etc/httpd/conf.modules.d/00-mpm.conf

3.3 Web-related commands

3.3.1 The curl command

curl is a command-line file-transfer tool driven by URL syntax; it supports FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE, LDAP and other protocols.

Downloading a file with curl (-o writes the response body to the named file):

[root@zzd139 ~]# curl -o zzd.html https://www.cnblogs.com/zicnotes/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18291    0 18291    0     0  85074      0 --:--:-- --:--:-- --:--:-- 85074
[root@zzd139 ~]# ls
anaconda-ks.cfg  zzd.html

3.3.2 The httpd command

Common options

-l  list the modules compiled statically into the server core

[root@zzd139 ~]# httpd -l
Compiled in modules:
  core.c
  mod_so.c
  http_core.c

-M  list the modules currently enabled, both those compiled in statically and those loaded as DSOs (the AH00558 warning below means ServerName is not set; set it globally in httpd.conf to silence it)

[root@zzd139 ~]# httpd -M
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::ac0:aa7e:f1b9:248e. Set the 'ServerName' directive globally to suppress this message
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 access_compat_module (shared)
…………
 cgid_module (shared)
 http2_module (shared)
 proxy_http2_module (shared)

-v  show the httpd version

[root@zzd139 ~]# httpd -v
Server version: Apache/2.4.37 (centos)
Server built:   Nov 12 2021 04:57:27

-V  show the httpd, APR and APR-util versions together with the build parameters (the compiled-in MPM, default paths and limits)

[root@zzd139 ~]# httpd -V
Server version: Apache/2.4.37 (centos)
Server built:   Nov 12 2021 04:57:27
Server's Module Magic Number: 20120211:83
Server loaded:  APR 1.6.3, APR-UTIL 1.6.1
Compiled using: APR 1.6.3, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

-X  run httpd in debug mode: only one worker process is started and the server does not detach from the console

-t  check the configuration files for syntax errors (run this before every restart; restarting with a broken configuration leaves the server down)

[root@zzd139 ~]# httpd -t
Syntax OK

4. Common httpd configuration

4.1 Switching the MPM (edit /etc/httpd/conf.modules.d/00-mpm.conf)

//LoadModule mpm_NAME_module modules/mod_mpm_NAME.so
//NAME is one of:
    prefork
    event
    worker
//A yum/dnf-installed httpd defaults to event; switch it to prefork here. Exactly one MPM line may be uncommented: httpd refuses to start with two MPMs loaded, or with none
[root@zzd139 ~]# cd /etc/httpd/conf.modules.d/
[root@zzd139 conf.modules.d]# vim 00-mpm.conf
	LoadModule mpm_prefork_module modules/mod_mpm_prefork.so	//remove the leading # from this line
	#LoadModule mpm_event_module modules/mod_mpm_event.so		//comment this line out
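The same edit as a checked script, added here as an example (it is not from the original post and not part of httpd). It assumes the stock 00-mpm.conf layout: one "LoadModule mpm_NAME_module modules/mod_mpm_NAME.so" line per MPM, disabled ones commented with a leading '#'. The point of the check is the failure mode of a hand edit: leaving two MPMs enabled, or none, keeps httpd from starting on the next restart.

```sh
#!/bin/sh
# Added example, not from the original post. Switch the DSO-loaded MPM in
# 00-mpm.conf and commit the edit only if exactly one MPM stays enabled.
# Assumption: stock file layout, one LoadModule line per MPM, disabled ones
# commented out with a leading '#'.

# Print the names of the MPMs currently enabled in FILE (ideally exactly one).
active_mpm() {
    sed -n 's/^[[:space:]]*LoadModule[[:space:]][[:space:]]*mpm_\([a-z]*\)_module[[:space:]].*/\1/p' "$1"
}

# set_mpm FILE NAME: comment out every MPM LoadModule line, enable NAME, and
# write the result back only if it leaves exactly one MPM enabled.
set_mpm() {
    file=$1 name=$2
    case $name in
        prefork|worker|event) ;;
        *) echo "unknown MPM: $name" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    # 1st expression: comment out every enabled MPM line.
    # 2nd expression: uncomment the line for the requested MPM.
    sed -e 's/^[[:space:]]*\(LoadModule[[:space:]][[:space:]]*mpm_[a-z]*_module[[:space:]].*\)$/#\1/' \
        -e "s/^#[[:space:]]*\(LoadModule[[:space:]][[:space:]]*mpm_${name}_module[[:space:]].*\)\$/\1/" \
        "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    count=$(active_mpm "$tmp" | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "refusing to write $file: $count MPMs would be enabled" >&2
        rm -f "$tmp"; return 1
    fi
    # cat instead of mv keeps the file's owner, mode and SELinux label.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Usage, as in the post (confirm with "httpd -V | grep MPM" after the restart):
#   set_mpm /etc/httpd/conf.modules.d/00-mpm.conf prefork && httpd -t && systemctl restart httpd
```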

4.2 Access-control rules

Rule / function
Require all granted          allow every host
Require all denied           deny every host
Require ip IPADDR            allow hosts from the given source address(es)
Require not ip IPADDR        deny hosts from the given source address(es)
Require host HOSTNAME        allow hosts whose reverse-resolved name matches
Require not host HOSTNAME    deny hosts whose reverse-resolved name matches

Forms of IPADDR:
  IP:              192.168.1.1
  Network/mask:    192.168.1.0/255.255.255.0
  Network/length:  192.168.1.0/24
  Net (partial):   192.168
Forms of HOSTNAME:
  FQDN:    the full name of one host
  DOMAIN:  every host in the given domain

"Require not ..." is only valid inside a <RequireAll> or <RequireNone> block. Host-name rules depend on a reverse DNS lookup of the client address, which the client's DNS operator controls, so prefer IP rules where possible.

Note: httpd-2.4 denies access by default: the stock httpd.conf has "Require all denied" in its <Directory /> block and only grants /var/www, so any other directory you serve must be granted explicitly after installation.

[root@zzd139 ~]# vim /etc/httpd/conf/httpd.conf 
//deny host 192.168.169.1 access to the zic.html page. <Directory> only matches directories, so a single file is selected with <Files> inside the directory's section; "Require not" has to sit inside <RequireAll>
    <Directory "/var/www/html">
        <Files "zic.html">
            <RequireAll>
                Require all granted
                Require not ip 192.168.169.1
            </RequireAll>
        </Files>
    </Directory>
[root@zzd139 ~]# httpd -t
Syntax OK
[root@zzd139 ~]# systemctl restart httpd

Accessing the page from the physical host:

4.3 Virtual hosts

There are three kinds of virtual host:

  • same IP, different ports
  • different IPs, same port
  • same IP and port, different domain names

4.3.1 Same IP, different ports

//locate the sample httpd-vhosts.conf (quote the glob so the shell does not expand it against the current directory)
[root@zzd139 ~]# find / -name '*vhosts.conf'
/usr/share/doc/httpd/httpd-vhosts.conf
[root@zzd139 ~]# cp /usr/share/doc/httpd/httpd-vhosts.conf /etc/httpd/conf.d/
[root@zzd139 ~]# cd /etc/httpd/conf.d/
[root@zzd139 conf.d]# ls
autoindex.conf  httpd-vhosts.conf  README  userdir.conf  welcome.conf
[root@zzd139 conf.d]# vim httpd-vhosts.conf
    <VirtualHost 192.168.169.139:80>
        ServerName  zzd.feiji.com
        DocumentRoot "/var/www/html/feiji"
        ErrorLog "/var/log/httpd/feiji/error_log"
        CustomLog "/var/log/httpd/feiji/access_log" common
    </VirtualHost>

    Listen 82
    <VirtualHost 192.168.169.139:82>
        ServerName zzd.tanke.com
        DocumentRoot "/var/www/html/tanke"
        ErrorLog "/var/log/httpd/tanke/error_log"
        CustomLog "/var/log/httpd/tanke/access_log" common
    </VirtualHost>


[root@zzd139 ~]# cd /var/www/html/
[root@zzd139 html]# ls
feiji  tanke
[root@zzd139 html]# httpd -t
Syntax OK
//the per-host log directories must exist before the restart (mkdir -p /var/log/httpd/{feiji,tanke}); httpd exits at startup when an ErrorLog directory is missing
[root@zzd139 ~]# chown -R apache.apache /var/www/html/
[root@zzd139 ~]# chown -R apache.apache /etc/httpd/
[root@zzd139 ~]# chown -R apache.apache /var/log/httpd/
[root@zzd139 ~]# systemctl stop firewalld.service 
[root@zzd139 ~]# setenforce 0
[root@zzd139 ~]# systemctl restart httpd
//caveat: the chown of /etc/httpd and /var/log/httpd is unnecessary and harmful. httpd opens its configuration and log files as root before its children drop to apache; if they are owned by apache, anyone who compromises the web server can rewrite the configuration (for example LoadModule a malicious .so, which the root parent loads on the next restart) or tamper with the logs. Keep both trees root-owned; the document root only needs to be readable by apache. Stopping firewalld and setenforce 0 are lab shortcuts: on a real host open the extra port with firewall-cmd --add-port=82/tcp and keep SELinux enforcing (restorecon -R on the new directories if they were created elsewhere)

Accessing port 80:

Accessing port 82:

4.3.2 Different IPs, same port (the second address, 192.168.169.141, must already be configured on one of the host's interfaces)

[root@zzd139 ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf 
    <VirtualHost 192.168.169.139:80>
        ServerName  zzd.feiji.com
        DocumentRoot "/var/www/html/feiji"
        ErrorLog "/var/log/httpd/feiji/error_log"
        CustomLog "/var/log/httpd/feiji/access_log" common
    </VirtualHost>

    <VirtualHost 192.168.169.141:80>
        ServerName zzd.tanke.com
        DocumentRoot "/var/www/html/tanke"
        ErrorLog "/var/log/httpd/tanke/error_log"
        CustomLog "/var/log/httpd/tanke/access_log" common
    </VirtualHost>
[root@zzd139 ~]# httpd -t
Syntax OK
[root@zzd139 ~]# systemctl restart httpd

Accessing 192.168.169.139:80:

Accessing 192.168.169.141:80:

4.3.3 Same IP and port, different domain names (httpd picks the vhost whose ServerName/ServerAlias matches the Host header; a request that matches none goes to the first vhost defined for that address and port)

[root@zzd139 ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf 
    <VirtualHost 192.168.169.139:80>
        ServerName  zzd.feiji.com
        DocumentRoot "/var/www/html/feiji"
        ErrorLog "/var/log/httpd/feiji/error_log"
        CustomLog "/var/log/httpd/feiji/access_log" common
    </VirtualHost>

    <VirtualHost 192.168.169.139:80>
        ServerName zzd.tanke.com
        DocumentRoot "/var/www/html/tanke"
        ErrorLog "/var/log/httpd/tanke/error_log"
        CustomLog "/var/log/httpd/tanke/access_log" common
    </VirtualHost>
[root@zzd139 ~]# httpd -t
Syntax OK
[root@zzd139 ~]# systemctl restart httpd

//on the physical (client) machine, add the following to C:\Windows\System32\drivers\etc\hosts to map the names
192.168.169.139 zzd.feiji.com
192.168.169.139 zzd.tanke.com

Accessing zzd.feiji.com:

Accessing zzd.tanke.com:
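One provisioning function covering all three layouts above, added here as an example (it is not from the original post and not part of httpd). It assumes the stock Red Hat layout (etc/httpd/conf.d, var/www/html, var/log/httpd) under a ROOT prefix, so it can be dry-run in a temporary directory and run for real with "/"; the host names and addresses are the post's own. It creates the document root and the per-host log directory before any restart, writes a conf.d fragment whose Require is scoped to that document root, and changes no ownership: the children read the document root as apache and need read access only, while configuration and logs are opened by the root parent and must stay unwritable by the web user.

```sh
#!/bin/sh
# Added example, not from the original post.
# provision_vhost ROOT NAME ADDR PORT SERVERNAME
#   creates ROOT/var/www/html/NAME and ROOT/var/log/httpd/NAME, writes
#   ROOT/etc/httpd/conf.d/vhost-NAME.conf and prints that path.
# ROOT is "/" on a real host or a temp dir for a dry run
# (assumption: stock Red Hat layout under ROOT).

provision_vhost() {
    root=${1%/} name=$2 addr=$3 port=$4 servername=$5
    docroot="$root/var/www/html/$name"
    logdir="$root/var/log/httpd/$name"
    conf="$root/etc/httpd/conf.d/vhost-$name.conf"

    # Create both directories up front: httpd exits at startup when the ErrorLog
    # directory does not exist. Left owned by whoever runs this (root on a real
    # host) with mode 0755; do NOT chown them to apache.
    mkdir -p "$docroot" "$logdir" "$(dirname "$conf")" || return 1
    chmod 0755 "$docroot" "$logdir" || return 1

    {
        # Listen is server-wide, not per vhost. The stock httpd.conf already has
        # "Listen 80", so only an extra port needs a Listen line (layout 4.3.1).
        if [ "$port" != 80 ]; then
            echo "Listen $addr:$port"
        fi
        cat <<EOF
<VirtualHost $addr:$port>
    ServerName $servername
    DocumentRoot "$docroot"
    # Separate logs per site keep one site's forensics apart from another's;
    # "combined" also records Referer and User-Agent, which "common" drops.
    ErrorLog "$logdir/error_log"
    CustomLog "$logdir/access_log" combined
    # Grant access to this document root only; no indexes, no .htaccess overrides.
    <Directory "$docroot">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
EOF
    } > "$conf" || return 1
    printf '%s\n' "$conf"
}

# Example run mirroring section 4.3.1 (dry run under /tmp; use "/" for real):
#   provision_vhost /tmp/dryrun feiji 192.168.169.139 80 zzd.feiji.com
#   provision_vhost /tmp/dryrun tanke 192.168.169.139 82 zzd.tanke.com
# then on the real host: httpd -t && systemctl reload httpd
```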

4.4 SSL

Install the SSL module (on CentOS/RHEL the mod_ssl package drops /etc/httpd/conf.d/ssl.conf, which adds Listen 443 and a default :443 vhost):

[root@zzd139 ~]# dnf -y install mod_ssl
[root@zzd139 ~]# systemctl restart httpd
[root@zzd139 ~]# ss -antl | grep 443
LISTEN 0      128                *:443             *:*   
[root@zzd139 ~]# httpd -M | grep ssl
 ssl_module (shared)

Setting up a private CA with openssl:

//the CA generates its key pair
[root@zzd139 ~]# cd /etc/pki/
[root@zzd139 pki]# mkdir CA
[root@zzd139 pki]# cd CA
[root@zzd139 CA]# mkdir private
[root@zzd139 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)	//generate the key; the parentheses run umask in a subshell, so the 077 mask applies to this command only and the key file is created mode 0600
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................................+++++
........................................+++++
e is 65537 (0x010001)
[root@zzd139 CA]# openssl rsa -in private/cakey.pem -pubout		//extract the public key (for display only; not needed for signing)
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzoU+pfZIPjZgyyMKIUQS
Bgrzlp05r6ssR2vHUW9vD0BWgfhtIKh7w4+kBQjQMhO3msUIcDLtLXeocd/UKI67
bGvVQEUAPnwLWT9F+oZ0UAqn6Y6kX++JU1ons/dkmVkzORpF3t2fFl6LmElazCb7
umvGOjrdNjNv8XEESbRN6GZJB9MLVxAz1Q6cWPndohAl7wvKg5fB1rdmtvXerfV5
Nw/CbX7giov3NdCz73rU1VeB84ASSKFwCzS/aidKdoYIcVhCh5wervQ9aPUClfgL
RX/zy/ttE3ncnC9P+bYKanyqOFmkHIXseL18T89y/N9X25k0SPM5FnrHpUZY52fq
pwIDAQAB
-----END PUBLIC KEY-----

//the CA issues its own self-signed certificate
[root@zzd139 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:twt
Organizational Unit Name (eg, section) []:gbb
Common Name (eg, your name or your server's hostname) []:zzd.feiji.com
Email Address []:zic@a.com
[root@zzd139 CA]# openssl x509 -text -in cacert.pem		//print the contents of cacert.pem
[root@zzd139 CA]# mkdir certs newcerts crl
[root@zzd139 CA]# touch index.txt && echo 01 > serial		//the database and serial files that "openssl ca" expects under /etc/pki/CA

//generate the server key
[root@zzd139 CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@zzd139 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
....................................................+++++
e is 65537 (0x010001)

//generate the certificate signing request (-days is ignored for a CSR, as openssl says on the next line)
[root@zzd139 ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:twt
Organizational Unit Name (eg, section) []:gbb
Common Name (eg, your name or your server's hostname) []:zzd.feiji.com
Email Address []:zic@a.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

//the CA signs the request
[root@zzd139 ssl]# openssl ca -in /etc/httpd/ssl/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 23 07:26:04 2022 GMT
            Not After : Jul 23 07:26:04 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = hb
            organizationName          = twt
            organizationalUnitName    = gbb
            commonName                = zzd.feiji.com
            emailAddress              = zic@a.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                1D:08:3D:53:2D:35:26:CB:76:32:E2:EF:EF:88:A6:DA:C3:B4:65:BE
            X509v3 Authority Key Identifier: 
                keyid:3C:A9:51:46:D4:5A:9B:3D:AB:1E:72:3C:E0:2F:73:77:00:C6:F0:0A

Certificate is to be certified until Jul 23 07:26:04 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Modify the SSL configuration. Note that the certificate signed above carries a Common Name only and no subjectAltName; current browsers match the host name against the SAN and reject such a certificate even when the CA is trusted, so for anything beyond a lab test add subjectAltName=DNS:zzd.feiji.com when signing.

[root@zzd139 ssl]# cd ../conf.d/
[root@zzd139 conf.d]# vim ssl.conf 
	SSLCertificateFile /etc/pki/tls/certs/localhost.crt  
	SSLCertificateKeyFile /etc/pki/tls/private/localhost.key  
	//change the two lines above to the following two (the key stays readable by root only; httpd reads it as root at startup)
	SSLCertificateFile /etc/httpd/ssl/httpd.crt
	SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

//scroll up to the VirtualHost block and set these lines
<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html/feiji"		//uncomment and change the path
ServerName zzd.feiji.com:443		//uncomment and change the name
[root@zzd139 conf.d]# httpd -t
Syntax OK
[root@zzd139 conf.d]# systemctl restart httpd

Test access (cacert.pem must be imported into the client's trust store first, otherwise the browser warns about an unknown issuer):
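The CA and server certificate above identify the server by Common Name only. Browsers and most TLS clients now match the host name against subjectAltName and ignore the CN, so a certificate like the one signed above fails (Chrome reports NET::ERR_CERT_COMMON_NAME_INVALID) even after cacert.pem is trusted. The script below, added here as an example and not taken from the post or from httpd, rebuilds the same PKI with a SAN and then verifies the result the way a client would. It assumes openssl 1.0.2 or later in PATH and uses the post's file names (cakey.pem, cacert.pem, httpd.key, httpd.csr, httpd.crt); it writes its own minimal openssl config, so it needs neither /etc/pki/CA nor the distro openssl.cnf, and it signs with "openssl x509 -req -extfile" instead of "openssl ca" so that the extensions come from the CA, not from the CSR.

```sh
#!/bin/sh
# Added example, not from the original post.
# make_pki WORKDIR HOSTNAME  builds a private CA plus a server certificate with
#                            subjectAltName=DNS:HOSTNAME under WORKDIR.
# check_cert WORKDIR HOSTNAME verifies chain and host name like a TLS client.
# Assumptions: openssl >= 1.0.2 in PATH; file names follow the post.

make_pki() {
    work=${1:?work dir} host=${2:?host name}
    mkdir -p "$work" && chmod 0700 "$work" || return 1

    # CA: CA:TRUE with pathlen:0 (may sign leaf certificates only) and keyUsage
    # restricted to certificate/CRL signing.
    cat > "$work/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
C = CN
O = twt
CN = twt private CA
[ca_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Private keys are created mode 0600 via umask in a subshell, as in the post.
    (umask 077; openssl genrsa -out "$work/cakey.pem" 2048 2>/dev/null) || return 1
    openssl req -new -x509 -config "$work/ca.cnf" -key "$work/cakey.pem" \
        -out "$work/cacert.pem" -days 3650 -sha256 2>/dev/null || return 1

    # Server key and CSR. The CSR carries only the subject; every extension is
    # chosen by the CA below, so a requester cannot ask for CA:TRUE or extra names.
    (umask 077; openssl genrsa -out "$work/httpd.key" 2048 2>/dev/null) || return 1
    openssl req -new -config "$work/ca.cnf" -key "$work/httpd.key" \
        -subj "/C=CN/O=twt/CN=$host" -out "$work/httpd.csr" 2>/dev/null || return 1

    # Leaf extensions: not a CA, TLS server use, and the SAN clients actually check.
    cat > "$work/server.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl x509 -req -in "$work/httpd.csr" -CA "$work/cacert.pem" -CAkey "$work/cakey.pem" \
        -CAcreateserial -days 365 -sha256 -extfile "$work/server.ext" \
        -out "$work/httpd.crt" 2>/dev/null || return 1
}

# Prints "ok", or "chain"/"hostname" naming the check that failed (exit 1).
check_cert() {
    work=$1 host=$2
    openssl verify -CAfile "$work/cacert.pem" "$work/httpd.crt" >/dev/null 2>&1 \
        || { echo chain; return 1; }
    openssl verify -CAfile "$work/cacert.pem" -verify_hostname "$host" "$work/httpd.crt" \
        >/dev/null 2>&1 || { echo hostname; return 1; }
    echo ok
}

# Usage: make_pki /etc/httpd/ssl zzd.feiji.com && check_cert /etc/httpd/ssl zzd.feiji.com
# then point ssl.conf at /etc/httpd/ssl/httpd.crt and httpd.key, and import
# cacert.pem into the client's trust store.
```

The negative case matters as much as the positive one: check_cert with a name other than the one in the SAN must report "hostname", which is exactly what a browser does with the CN-only certificate from the post.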

5. Installing httpd from source

httpd depends on apr 1.4+ and apr-util 1.4+.

//install the development environment ("dnf group mark install" only records the group as installed without installing its packages; use "group install")
[root@zzd139 ~]# dnf -y group install "Development Tools"

[root@zzd139 ~]# dnf -y install openssl-devel pcre-devel expat-devel libtool

//download and build apr and apr-util
[root@zzd139 ~]# wget https://mirrors.aliyun.com/apache/apr/apr-1.7.0.tar.gz
[root@zzd139 ~]# wget https://mirrors.aliyun.com/apache/apr/apr-util-1.6.1.tar.gz

[root@zzd139 ~]# tar xf apr-1.7.0.tar.gz 
[root@zzd139 ~]# cd apr-1.7.0/
[root@zzd139 apr-1.7.0]# vim configure
    cfgfile=${ofile}T
    trap "$RM \"$cfgfile\"; exit 1" 1 2 15
    # $RM "$cfgfile"	//comment this line out (works around the "rm: cannot remove 'libtoolT'" failure in apr-1.7.0's configure)
[root@zzd139 apr-1.7.0]# ./configure --prefix=/usr/local/apr/ 
[root@zzd139 apr-1.7.0]# make && make install

[root@zzd139 ~]# tar xf apr-util-1.6.1.tar.gz 
[root@zzd139 ~]# cd apr-util-1.6.1/
[root@zzd139 apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
[root@zzd139 apr-util-1.6.1]# make && make install

//download and build httpd
[root@zzd139 ~]# wget https://mirrors.aliyun.com/apache/httpd/httpd-2.4.54.tar.gz
[root@zzd139 ~]# tar xf httpd-2.4.54.tar.gz 
[root@zzd139 ~]# cd httpd-2.4.54/
[root@zzd139 httpd-2.4.54]# ./configure --prefix=/usr/local/apache \
> --sysconfdir=/etc/httpd24 \
> --enable-so \
> --enable-ssl \
> --enable-cgi \
> --enable-rewrite \
> --with-zlib \
> --with-pcre \
> --with-apr=/usr/local/apr \
> --with-apr-util=/usr/local/apr-util \
> --enable-modules=most \
> --enable-mpms-shared=all \
> --with-mpm=prefork
[root@zzd139 httpd-2.4.54]# make && make install

//set PATH (single quotes, so $PATH is expanded when the profile script is read rather than baked in as the current value)
[root@zzd139 ~]# echo 'export PATH=$PATH:/usr/local/apache/bin' > /etc/profile.d/httpd.sh 
[root@zzd139 ~]# source /etc/profile.d/httpd.sh 
//link httpd's include directory to /usr/include/httpd
[root@zzd139 ~]# ln -s /usr/local/apache/include/ /usr/include/httpd
[root@zzd139 ~]# ll /usr/include/httpd
lrwxrwxrwx. 1 root root 26 Jul 21 19:37 /usr/include/httpd -> /usr/local/apache/include/
//add httpd's man directory to /etc/man_db.conf
[root@zzd139 ~]# vim /etc/man_db.conf 
	MANDATORY_MANPATH                       /usr/local/apache/man
//start apache (apachectl with no argument hands over to httpd, which starts the server; "apachectl start" says the same thing explicitly)
[root@zzd139 ~]# apachectl 
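The three tarballs above are fetched from a mirror and built as-is. Apache publishes .sha256/.sha512 files and PGP .asc signatures for every release on https://downloads.apache.org/ (the project site, not the mirrors; older releases move to https://archive.apache.org/dist/httpd/), and a checksum fetched from the same mirror as the tarball proves nothing. The function below, added here as an example and not part of the post or of any Apache tooling, checks a downloaded tarball against such a file before "tar xf"; it accepts both layouts Apache has used (a bare digest, or "<digest> [*]<filename>") and refuses a checksum file that names a different file.

```sh
#!/bin/sh
# Added example, not from the original post.
# sha256_of FILE prints the hex digest (GNU sha256sum or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_sha256 TARBALL SUMFILE
# SUMFILE holds either a bare digest or "<digest> [*]<name>". Exit 0 on match,
# 1 on mismatch, 2 when the checksum file is unusable or names another file.
verify_sha256() {
    tarball=$1 sumfile=$2
    [ -f "$tarball" ] && [ -f "$sumfile" ] || { echo "missing file" >&2; return 2; }
    expected=$(awk 'NR==1 { print tolower($1) }' "$sumfile")
    case $expected in
        ''|*[!0-9a-f]*) echo "$sumfile: not a hex digest" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "$sumfile: not a SHA-256 digest" >&2; return 2; }
    # If the checksum line names a file, it must be the file being checked.
    named=$(awk 'NR==1 { sub(/^\*/, "", $2); print $2 }' "$sumfile")
    if [ -n "$named" ] && [ "$named" != "$(basename "$tarball")" ]; then
        echo "$sumfile is for $named, not $(basename "$tarball")" >&2; return 2
    fi
    actual=$(sha256_of "$tarball")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
        "$tarball" "$expected" "$actual" >&2
    return 1
}

# Real-world use for a current release (substitute the version), with the PGP
# signature check as well; KEYS and .asc come from downloads.apache.org:
#   curl -O https://downloads.apache.org/httpd/httpd-2.4.54.tar.gz.sha256
#   verify_sha256 httpd-2.4.54.tar.gz httpd-2.4.54.tar.gz.sha256 && tar xf httpd-2.4.54.tar.gz
#   curl -O https://downloads.apache.org/httpd/KEYS && gpg --import KEYS
#   curl -O https://downloads.apache.org/httpd/httpd-2.4.54.tar.gz.asc
#   gpg --verify httpd-2.4.54.tar.gz.asc httpd-2.4.54.tar.gz
```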
posted @ 2022-07-23 15:49  Zic师傅