其他分享
首页 > 其他分享> > httpd

httpd

作者:互联网

目录

httpd

httpd是Apache超文本传输协议(HTTP)服务器的主程序。被设计为一个独立运行的后台进程,它会建立一个处理请求的子进程或线程的池。

通常,httpd不应该被直接调用,而应该在类Unix系统中由apachectl调用,在Windows中作为服务运行。

1.httpd的特性

版本 特性
2.2 事先创建进程
按需维持适当的进程
模块化设计,核心比较小,各种功能通过模块添加(包括PHP),支持运行时配置,支持单独编译模块
支持多种方式的虚拟主机配置,如基于ip的虚拟主机,基于端口的虚拟主机,基于域名的虚拟主机等
支持https协议(通过mod_ssl模块实现)
支持用户认证
支持基于IP或域名的ACL访问控制机制
支持每目录的访问控制(用户访问默认主页时不需要提供用户名和密码,但是用户访问某特定目录时需要提供用户名和密码)
支持URL重写
支持MPM(Multi Path Modules,多处理模块)。用于定义httpd的工作模型(单进程、单进程多线程、多进程、多进程单线程、多进程多线程)
2.4 httpd-2.4的新特性:
MPM支持运行DSO机制(Dynamic Share Object,模块的动态装/卸载机制),以模块形式按需加载
支持event MPM,eventMPM模块生产环境可用
支持异步读写
支持每个模块及每个目录分别使用各自的日志级别
每个请求相关的专业配置,使用来配置
增强版的表达式分析器
支持毫秒级的keepalive timeout
基于FQDN的虚拟主机不再需要NameVirtualHost指令
支持用户自定义变量
支持新的指令(AllowOverrideList)
降低对内存的消耗
工作模型 工作方式
prefork 多进程模型,预先生成进程,一个请求用一个进程响应
一个主进程负责生成n个子进程,子进程也称为工作进程
每个子进程处理一个用户请求,即使没有用户请求,也会预先生成多个空闲进程,随时等待请求到达,最大不会超过1024个
worker 基于线程工作,一个请求用一个线程响应(启动多个进程,每个进程生成多个线程)
event 基于事件的驱动,一个进程处理多个请求

2.httpd-2.4新增的模块

模块 功能
mod_proxy_fcgi 反向代理时支持apache服务器后端协议的模块
mod_ratelimit 提供速率限制功能的模块
mod_remoteip 基于ip的访问控制机制被改变,不再支持使用Order,Deny,Allow来做基于IP的访问控制

3.httpd基础

3.1 httpd自带的工具程序

工具 功能
htpasswd basic认证基于文件实现时,用到的账号密码生成工具
apachectl httpd自带的服务控制脚本,支持start,stop,restart
apxs 有httpd-devel包提供的,扩展httpd使用第三方模块的工具
rotatelogs 日志滚动工具
suexec 访问某些有特殊权限配置的资源时,临时切换至指定用户运行的工具
ab apache benchmark,httpd的压力测试工具

3.2 rpm包安装的httpd程序环境

文件/目录 对应的功能
/var/log/httpd/access_log 访问日志
/var/log/httpd/error_log 错误日志
/var/www/html 站点文档目录
/usr/lib64/httpd/modules 模块文件路径
/etc/httpd/conf/httpd.conf 主配置文件
/etc/httpd/conf.modules.d/*.conf 模块配置文件
/etc/httpd/conf.d/*.conf 辅助配置文件

mpm:以DSO机制提供,配置文件为/etc/httpd/conf.modules.d/00-mpm.conf

3.3 web相关命令

3.3.1 curl命令

curl是基于URL语法在命令行方式下工作的文件传输工具,它支持FTP,FTPS,HTTP,HTTPS,GOPHER,TELNET,DICT,FILE及LDAP等协议。

通过curl下载文件

[root@zzd139 ~]# curl -o zzd.html https://www.cnblogs.com/zicnotes/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18291    0 18291    0     0  85074      0 --:--:-- --:--:-- --:--:-- 85074
[root@zzd139 ~]# ls
anaconda-ks.cfg  zzd.html

3.3.2 httpd命令

常用选项

-l 查看静态编译模块,列出核心中编译了那些模块

[root@zzd139 ~]# httpd -l
Compiled in modules:
  core.c
  mod_so.c
  http_core.c

-M 输出一个已经启用的模块列表,包括静态在服务器中的模块和作为dso动态加载的模块

[root@zzd139 ~]# httpd -M
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::ac0:aa7e:f1b9:248e. Set the 'ServerName' directive globally to suppress this message
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 access_compat_module (shared)
…………
 cgid_module (shared)
 http2_module (shared)
 proxy_http2_module (shared)

-v 显示httpd的版本

[root@zzd139 ~]# httpd -v
Server version: Apache/2.4.37 (centos)
Server built:   Nov 12 2021 04:57:27

-V 显示httpd和apr/apr-util的版本和编译参数

[root@zzd139 ~]# httpd -v
Server version: Apache/2.4.37 (centos)
Server built:   Nov 12 2021 04:57:27
[root@zzd139 ~]# httpd -V
Server version: Apache/2.4.37 (centos)
Server built:   Nov 12 2021 04:57:27
Server's Module Magic Number: 20120211:83
Server loaded:  APR 1.6.3, APR-UTIL 1.6.1
Compiled using: APR 1.6.3, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

-X 以调试模式运行httpd。仅启动一个工作进程,并且服务器不与控制台脱离

-t 检查配置文件是否有语法错误

[root@zzd139 ~]# httpd -t
Syntax OK

4.httpd常用配置

4.1 切换使用mpm(编辑/etc/httpd/conf.modules.d/00-mpm.conf文件)

//LoadModule mpm_NAME_module modules/mod_mpm_NAME.so
//NAME有三种,分别是:
    prefork
    event
    worker
//yum安装httpd默认的是event,现在改为prefork
[root@zzd139 ~]# cd /etc/httpd/conf.modules.d/
[root@zzd139 conf.modules.d]# vim 00-mpm.conf
	LoadModule mpm_prefork_module modules/mod_mpm_prefork.so	//删除此行首的注释
	#LoadModule mpm_event_module modules/mod_mpm_event.so		//将此行注释

4.2 访问控制法则

法则 功能
Require all granted 允许所有主机访问
Require all deny 拒绝所有主机访问
Require ip ipaddr 授权指定来源地址的主机访问
Require not ip ipaddr 拒绝指定来源地址的主机访问
Require host hostname 授权指定来源主机名的主机访问
Require not host HOSTNAME 拒绝指定来源主机名的主机访问
IPADDR的类型 HOSTNAME的类型
IP:192.168.1.1
Network/mask:192.168.1.0/255.255.255.0
Network/Length:192.168.1.0/24
Net:192.168
FQDN:特定主机的全名
DOMAIN:指定域内的所有主机

注意:httpd-2.4版本默认是拒绝所有主机访问的,所以安装以后必须做显示授权访问

[root@zzd139 ~]# vim /etc/httpd/conf/httpd.conf 
$(拒绝192.168.169.1主机访问httpd的zic.html页面)
    <Directory /var/www/html/zic.html>
        <RequireAll>
            Require not ip 192.168.169.1
            Require all granted
        </RequireAll>
    </Directory>
[root@zzd139 ~]# httpd -t
Syntax OK
[root@zzd139 ~]# systemctl restart httpd

使用物理机去访问此页面

4.3 虚拟主机

虚拟主机有三类:

4.3.1 相同ip不同端口

//查找httpd-vhosts.conf文件
[root@zzd139 ~]# find / -name *vhosts.conf
/usr/share/doc/httpd/httpd-vhosts.conf
[root@zzd139 ~]# cp /usr/share/doc/httpd/httpd-vhosts.conf /etc/httpd/conf.d/
[root@zzd139 ~]# cd /etc/httpd/conf.d/
[root@zzd139 conf.d]# ls
autoindex.conf  httpd-vhosts.conf  README  userdir.conf  welcome.conf
[root@zzd139 conf.d]# vim httpd-vhosts.conf
    <VirtualHost 192.168.169.139:80>
        ServerName  zzd.feiji.com
        DocumentRoot "/var/www/html/feiji"
        ErrorLog "/var/log/httpd/feiji/error_log"
        CustomLog "/var/log/httpd/feiji/access_log" common
    </VirtualHost>

    Listen 82
    <VirtualHost 192.168.169.139:82>
        ServerName zzd.tanke.com
        DocumentRoot "/var/www/html/tanke"
        ErrorLog "/var/log/httpd/tanke/error_log"
        CustomLog "/var/log/httpd/tanke/access_log" common
    </VirtualHost>


[root@zzd139 ~]# cd /var/www/html/
[root@zzd139 html]# ls
feiji  tanke
[root@zzd139 html]# httpd -t
Syntax OK
[root@zzd139 ~]# chown -R apache.apache /var/www/html/
[root@zzd139 ~]# chown -R apache.apache /etc/httpd/
[root@zzd139 ~]# chown -R apache.apache /var/log/httpd/
[root@zzd139 ~]# systemctl stop firewalld.service 
[root@zzd139 ~]# setenforce 0
[root@zzd139 ~]# systemctl restart httpd

访问80端口

访问82端口

4.3.2 不同ip相同端口

[root@zzd139 ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf 
    <VirtualHost 192.168.169.139:80>
        ServerName  zzd.feiji.com
        DocumentRoot "/var/www/html/feiji"
        ErrorLog "/var/log/httpd/feiji/error_log"
        CustomLog "/var/log/httpd/feiji/access_log" common
    </VirtualHost>

    <VirtualHost 192.168.169.141:80>
        ServerName zzd.tanke.com
        DocumentRoot "/var/www/html/tanke"
        ErrorLog "/var/log/httpd/tanke/error_log"
        CustomLog "/var/log/httpd/tanke/access_log" common
    </VirtualHost>
[root@zzd139 ~]# httpd -t
Syntax OK
[root@zzd139 ~]# systemctl restart httpd

访问192.168.169.139:80端口

访问192.168.169.141:80端口

4.3.3 相同ip相同端口不同域名

[root@zzd139 ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf 
    <VirtualHost 192.168.169.139:80>
        ServerName  zzd.feiji.com
        DocumentRoot "/var/www/html/feiji"
        ErrorLog "/var/log/httpd/feiji/error_log"
        CustomLog "/var/log/httpd/feiji/access_log" common
    </VirtualHost>

    <VirtualHost 192.168.169.139:80>
        ServerName zzd.tanke.com
        DocumentRoot "/var/www/html/tanke"
        ErrorLog "/var/log/httpd/tanke/error_log"
        CustomLog "/var/log/httpd/tanke/access_log" common
    </VirtualHost>
[root@zzd139 ~]# httpd -t
Syntax OK
[root@zzd139 ~]# systemctl restart httpd

//在物理机的C:\Windows\System32\drivers\etc\hosts文添加一下内容做域名映射
192.168.169.139 zzd.feiji.com
192.168.169.139 zzd.tanke.com

访问zzd.feiji.com

访问zzd.tanke.com

4.4 ssl

安装ssl模块

[root@zzd139 ~]# dnf -y install mod_ssl
[root@zzd139 ~]# systemctl restart httpd
[root@zzd139 ~]# ss -antl | grep 443
LISTEN 0      128                *:443             *:*   
[root@zzd139 ~]# httpd -M | grep ssl
 ssl_module (shared)

openssl实现私有CA:

//CA生成一对密钥
[root@zzd139 ~]# cd /etc/pki/
[root@zzd139 pki]# mkdir CA
[root@zzd139 pki]# cd CA
[root@zzd139 CA]# mkdir private
[root@zzd139 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)	//生成密钥,括号必须要
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................................+++++
........................................+++++
e is 65537 (0x010001)
[root@zzd139 CA]# openssl rsa -in private/cakey.pem -pubout		//提取公钥
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzoU+pfZIPjZgyyMKIUQS
Bgrzlp05r6ssR2vHUW9vD0BWgfhtIKh7w4+kBQjQMhO3msUIcDLtLXeocd/UKI67
bGvVQEUAPnwLWT9F+oZ0UAqn6Y6kX++JU1ons/dkmVkzORpF3t2fFl6LmElazCb7
umvGOjrdNjNv8XEESbRN6GZJB9MLVxAz1Q6cWPndohAl7wvKg5fB1rdmtvXerfV5
Nw/CbX7giov3NdCz73rU1VeB84ASSKFwCzS/aidKdoYIcVhCh5wervQ9aPUClfgL
RX/zy/ttE3ncnC9P+bYKanyqOFmkHIXseL18T89y/N9X25k0SPM5FnrHpUZY52fq
pwIDAQAB
-----END PUBLIC KEY-----

//CA生成自签署证书
[root@zzd139 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:twt
Organizational Unit Name (eg, section) []:gbb
Common Name (eg, your name or your server's hostname) []:zzd.feiji.com
Email Address []:zic@a.com
[root@zzd139 CA]# openssl x509 -text -in cacert.pem		//读取cacert.pem证书内容
[root@zzd139 CA]# mkdir certs newcerts crl
[root@zzd139 CA]# touch index.txt && echo 01 > serial

//生成密钥
[root@zzd139 CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@zzd139 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
....................................................+++++
e is 65537 (0x010001)

//生成证书签署请求
[root@zzd139 ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:twt
Organizational Unit Name (eg, section) []:gbb
Common Name (eg, your name or your server's hostname) []:zzd.feiji.com
Email Address []:zic@a.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

//CA签署证书
[root@zzd139 ssl]# openssl ca -in /etc/httpd/ssl/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 23 07:26:04 2022 GMT
            Not After : Jul 23 07:26:04 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = hb
            organizationName          = twt
            organizationalUnitName    = gbb
            commonName                = zzd.feiji.com
            emailAddress              = zic@a.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                1D:08:3D:53:2D:35:26:CB:76:32:E2:EF:EF:88:A6:DA:C3:B4:65:BE
            X509v3 Authority Key Identifier: 
                keyid:3C:A9:51:46:D4:5A:9B:3D:AB:1E:72:3C:E0:2F:73:77:00:C6:F0:0A

Certificate is to be certified until Jul 23 07:26:04 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

修改ssl配置文件

[root@zzd139 ssl]# cd ../conf.d/
[root@zzd139 conf.d]# vim ssl.conf 
	SSLCertificateFile /etc/pki/tls/certs/localhost.crt  
	SSLCertificateKeyFile /etc/pki/tls/certs/localhost.key  
	$(将以上两行修改为以下两行)
	SSLCertificateFile /etc/httpd/ssl/httpd.crt
	SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

//向上找到以下4行配置
<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html/feiji"		//删掉注释更改路径
ServerName zzd.feiji.com:443		//删掉注释更改域名
[root@zzd139 conf.d]# httpd -t
Syntax OK
[root@zzd139 conf.d]# systemctl restart httpd

进行访问测试

5.httpd源码安装

httpd依赖于apr-1.4+,apr-util-1.4+

//安装开发环境
[root@zzd139 ~]# dnf groups mark install "Development Tools"

[root@zzd139 ~]# dnf -y install openssl-devel pcre-devel expat-devel libtool

//下载安装apr和apr-util
[root@zzd139 ~]# wget https://mirrors.aliyun.com/apache/apr/apr-1.7.0.tar.gz
[root@zzd139 ~]# wget https://mirrors.aliyun.com/apache/apr/apr-util-1.6.1.tar.gz

[root@zzd139 ~]# tar xf apr-1.7.0.tar.gz 
[root@zzd139 ~]# cd apr-1.7.0/
[root@zzd139 apr-1.7.0]# vim configure
    cfgfile=${ofile}T
    trap "$RM \"$cfgfile\"; exit 1" 1 2 15
    # $RM "$cfgfile"	//将此行注释
[root@zzd139 apr-1.7.0]# ./configure --prefix=/usr/local/apr/ 
[root@zzd139 apr-1.7.0]# make && make install

[root@zzd139 ~]# tar xf apr-util-1.6.1.tar.gz 
[root@zzd139 ~]# cd apr-util-1.6.1/
[root@zzd139 apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
[root@zzd139 apr-util-1.6.1]# make && make install

//下载并安装httpd
[root@zzd139 ~]# wget https://mirrors.aliyun.com/apache/httpd/httpd-2.4.54.tar.gz
[root@zzd139 ~]# tar xf httpd-2.4.54.tar.gz 
[root@zzd139 ~]# cd httpd-2.4.54/
[root@zzd139 httpd-2.4.54]# ./configure --prefix=/usr/local/apache \
> --sysconfdir=/etc/httpd24 \
> --enable-so \
> --enable-ssl \
> --enable-cgi \
> --enable-rewrite \
> --with-zlib \
> --with-pcre \
> --with-apr=/usr/local/apr \
> --with-apr-util=/usr/local/apr-util \
> --enable-modules=most \
> --enable-mpms-shared=all \
> --with-mpm=prefork
[root@zzd139 httpd-2.4.54]# make && make install

//配置环境变量
[root@zzd139 ~]# echo "export PATH=$PATH:/usr/local/apache/bin" > /etc/profile.d/httpd.sh 
[root@zzd139 ~]# source /etc/profile.d/httpd.sh 
//将httpd的include头部文件存放目录映射到/usr/include/httpd
[root@zzd139 ~]# ln -s /usr/local/apache/include/ /usr/include/httpd
[root@zzd139 ~]# ll /usr/include/httpd
lrwxrwxrwx. 1 root root 26 Jul 21 19:37 /usr/include/httpd -> /usr/local/apache/include/
//将httpd的man目录添加到文件/etc/man_db.conf
[root@zzd139 ~]# vim /etc/man_db.conf 
	MANDATORY_MANPATH                       /usr/local/apache/man
//启动apache
[root@zzd139 ~]# apachectl 

标签:httpd,log,etc,conf,zzd139,root
来源: https://www.cnblogs.com/zicnotes/p/16512188.html