httpd简介
httpd是Apache超文本传输协议(HTTP)服务器的主程序。被设计为一个独立运行的后台进程,它会建立一个处理请求的子进程或线程的池。
通常,httpd不应该被直接调用,而应该在类Unix系统中由apachectl调用,在Windows中作为服务运行。
httpd版本
主要介绍httpd的两大版本,httpd-2.2和httpd-2.4。
- CentOS6系列的版本默认提供的是httpd-2.2版本的rpm包
- CentOS7系列的版本默认提供的是httpd-2.4版本的rpm包
httpd特性
httpd有很多特性,下面分别介绍httpd2.2和httpd2.4各自的特性
httpd2.2
- 事先创建进程
- 按需维持适当的进程
- 模块化设计,核心比较小,各种功能通过模块添加(包括PHP),支持运行时配置,支持单独编译模块
- 支持多种方式的虚拟主机配置,如基于ip的虚拟主机,基于端口的虚拟主机,基于域名的虚拟主机等
- 支持https协议(通过mod_ssl模块实现)
- 支持用户认证
- 支持基于IP或域名的ACL访问控制机制
- 支持每目录的访问控制(用户访问默认主页时不需要提供用户名和密码,但是用户访问某特定目录时需要提供用户名和密码)
- 支持URL重写
- 支持MPM(Multi Path Modules,多处理模块)。用于定义httpd的工作模型(单进程、单进程多线程、多进程、多进程单线程、多进程多线程)
httpd2.4
- MPM支持运行DSO机制(Dynamic Share Object,模块的动态装/卸载机制),以模块形式按需加载
- 支持event MPM,eventMPM模块生产环境可用
- 支持异步读写
- 支持每个模块及每个目录分别使用各自的日志级别
- 每个请求相关的专业配置,使用
来配置 - 增强版的表达式分析器
- 支持毫秒级的keepalive timeout
- 基于FQDN的虚拟主机不再需要NameVirtualHost指令
- 支持用户自定义变量
- 支持新的指令(AllowOverrideList)
- 降低对内存的消耗
工作模型:
- prefork:多进程模型,预先生成进程,一个请求用一个进程响应
一个主进程负责生成n个子进程,子进程也称为工作进程
每个子进程处理一个用户请求,即使没有用户请求,也会预先生成多个空闲进程,随时等待请求到达,最大不会超过1024个 - woker:基于线程工作,一个请求用一个线程响应(启动多个进程,每个进程生成多个线程)
- event:基于事件的驱动,一个进程处理多个请求
httpd2.4新增模块
- mod_proxy_fcgi:反向代理时支持apache服务器后端协议的模块
- mod_ratelimit:提供速率限制功能的模块
- mod_remoteip:基于ip的访问控制机制被改变,不再支持使用Order,Deny,Allow来做基于IP的访问控制
httpd基础
httpd自带工具
| 工具 | 功能 |
|---|---|
| htpasswd | basic认证基于文件实现时,用到的帐号密码生成工具 |
| apachectl | httpd自带的服务控制脚本,支持start,stop,restart |
| apxs | 由httpd-devel包提供的,扩展httpd使用第三方模块的工具 |
| rotatelogs | 日志滚动工具 |
| suexec | 访问某些有特殊权限配置的资源时,临时切换至指定用户运行的工具 |
| ab | apache benchmark,httpd的压力测试工具 |
rpm包安装的httpd程序环境
| 文件/目录 | 对应的功能 |
|---|---|
| /var/log/httpd/access.log | 访问日志 |
| /var/log/httpd/error_log | 错误日志 |
| /var/www/html/ | 站点文档目录 |
| /usr/lib64/httpd/modules/ | 模块文件路径 |
| /etc/httpd/conf/httpd.conf | 主配置文件 |
| /etc/httpd/conf.modules.d/*.conf | 模块配置文件 |
| /etc/httpd/conf.d/*.conf | 辅助配置文件 |
mpm:以DSO机制提供,配置文件为/etc/httpd/conf.modules.d/00-mpm.conf
编译安装httpd-2.4
除了编译安装外也可以使用yum安装,这里只是为了演示一下如何编译安装httpd
httpd有三个依赖:apr-1.4+,apr-util-1.4+,[apr-icon]
安装顺序:apr -> apr-util -> httpd
#安装开发环境
[root@lynkser ~]# yum groupinstall "Development Tools"
#添加一个服务用的用户
[root@lynkser ~]# groupadd -r apache
[root@lynkser ~]# useradd -r -g apache -M -s /bin/nologin apache
#安装前置工具
[root@lynkser ~]# yum -y install openssl-devel pcre-devel expat-devel libtool
#下载所需的源码包,各位可以各自从常用的站点下载,我这里已经下好了
[root@lynkser ~]# cd /usr/src
[root@lynkser src]# ls
apr-1.6.3.tar.bz2 apr-util-1.6.1.tar.bz2 debug httpd-2.4.34.tar.bz2 kernels
#解压源码包
[root@lynkser src]# tar -xf apr-1.6.3.tar.bz2
[root@lynkser src]# tar -xf apr-util-1.6.1.tar.bz2
[root@lynkser src]# tar -xf httpd-2.4.34.tar.bz2
#修改一下apr的配置文件,避免出问题。
[root@lynkser src]# cd apr-1.6.3/
[root@lynkser apr-1.6.3]# vim configure
cfgfile=${ofile}T
trap "$RM "$cfgfile"; exit 1" 1 2 15
# $RM "$cfgfile" #注释掉这一行
#编译安装apr
[root@lynkser apr-1.6.3]# ./configure --prefix=/usr/local/apr
[root@lynkser apr-1.6.3]# make && make install
#编译安装apr-util
[root@lynkser apr-1.6.3]# cd /usr/src/apr-util-1.6.1
[root@lynkser apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
[root@lynkser apr-util-1.6.1]# make && make install
#编译安装httpd
[root@lynkser src]# cd /usr/src/httpd-2.4.34/
[root@lynkser httpd-2.4.34]# ./configure --prefix=/usr/local/apache
--sysconfdir=/etc/httpd24
--enable-so
--enable-ssl
--enable-cgi
--enable-rewrite
--with-zlib
--with-pcre
--with-apr=/usr/local/apr
--with-apr-util=/usr/local/apr-util/
--enable-modules=most
--enable-mpms-shared=all
--with-mpm=prefork
#上面整个都要输入进去,后面的列表里是我们的依赖和各种要启动和安装的模块
[root@lynkser httpd-2.4.34]# make && make install
httpd常用配置
切换使用MPM
#yum安装的情况下
[root@lynkser ~]# cd /etc/httpd/conf.modules.d
[root@lynkser conf.modules.d]# ls
00-base.conf 00-lua.conf 00-proxy.conf 01-cgi.conf
00-dav.conf 00-mpm.conf 00-systemd.conf
[root@lynkser conf.modules.d]# vim 00-mpm.conf
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:
# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#编译安装的情况下
[root@lynkser ~]# vim /etc/httpd24/httpd.conf
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
#LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
访问控制法则
| 法则 | 功能 |
|---|---|
| Require all granted | 允许所有主机访问 |
| Require all deny | 拒绝所有主机访问 |
| Require ip IPADDR | 授权指定来源地址的主机访问 |
| Require not ip IPADDR | 拒绝指定来源地址的主机访问 |
| Require host HOSTNAME | 授权指定来源主机名的主机访问 |
| Require not host HOSTNAME | 拒绝指定来源主机名的主机访问 |
IPADDR的类型:
- IP:192.168.1.1
- Network/mask:192.168.1.0/255.255.255.0
- Network/Length:192.168.1.0/24
- Net:192.168
HOSTNAME的类型
- FQDN:特定主机的全名
- DOMAIN:指定域名内的所有主机
http-2.4版本默认拒绝所有主机访问,安装后必须做显示授权访问
示例:
<Directory /var/www/html/www>
<RequireAll>
Require not ip 192.168.26.128
Require all granted
</RequireAll>
</Directory>
虚拟主机
虚拟主机有三类:
- 相同IP的不同端口
- 不同IP的相同端口
- 相同IP相同端口的不同域名
#设置主机名
#编译安装的情况下
[root@lynkser ~]# vim /etc/httpd24/httpd.conf
#要编辑的内容和其他操作和yum安装是相同的
#yum安装的情况下
[root@lynkser ~]# vim /etc/httpd/conf/httpd.conf
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin root@localhost
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
ServerName www.example.com:80
#在文件最后加上如下内容:
#virtual host 1 #虚拟主机1的配置
<VirtualHost 192.168.26.129:80> #写自己的IP
ServerName www.lynk.com #写自己的IP
DocumentRoot "/var/www/html/www"
ErrorLog "/var/log/httpd/www/error_log"
CustomLog "/var/log/httpd/www/access_log" combined
<Directory /var/www/html/www>
<RequireAll>
Require all granted
Require not ip 192.168.1
</RequireAll>
</Directory>
</VirtualHost>
# virtual host 2 #虚拟主机2的配置
<VirtualHost 192.168.26.129:80> #写自己的IP
ServerName blog.lynk.com #写自己的域名
DocumentRoot "/var/www/html/blog"
ErrorLog "/var/log/httpd/blog/error_log"
CustomLog "/var/log/httpd/blog/access_log" combined
<Directory /var/www/html/blog>
<RequireAll>
Require all granted
</RequireAll>
</Directory>
</VirtualHost>
#创建网页目录并修改属主和属组
[root@lynkser var]# mkdir -p /var/www/html
[root@lynkser var]# cd /var/www/html
[root@lynkser html]# mkdir www blog
[root@lynkser html]# ll
total 0
drwxr-xr-x. 2 root root 6 Jan 16 01:34 blog
drwxr-xr-x. 2 root root 6 Jan 16 01:34 www
[root@lynkser html]# chown -R apache.apache blog
[root@lynkser html]# chown -R apache.apache www
[root@lynkser html]# ll
total 0
drwxr-xr-x. 2 apache apache 6 Jan 16 01:34 blog
drwxr-xr-x. 2 apache apache 6 Jan 16 01:34 www
#创建网页
[root@lynkser html]# echo "hello world www" > www/index.html
[root@lynkser html]# echo "hello world blog" > blog/index.html
#创建对应网页的日志目录
[root@lynkser html]# mkdir -p /var/log/httpd/{www,blog}
[root@lynkser html]# chown -R apache.apache /var/log/httpd/
[root@lynkser html]# ll /var/log/httpd/
total 0
drwxr-xr-x. 2 apache apache 6 Jan 16 01:39 blog
drwxr-xr-x. 2 apache apache 6 Jan 16 01:39 www
#添加防火墙规则
[root@lynkser ~]# firewall-cmd --add-service=http --permanent
[root@lynkser ~]# firewall-cmd --reload
#查看有没有开启防火墙的http服务允许规则
[root@lynkser ~]# firewall-cmd --list-services
#启动服务
#使用yum安装的情况下
[root@lynkser ~]# systemctl start httpd
#使用编译安装的情况下
[root@lynkser ~]# /usr/local/apache/bin/apachectl start
#查看有没有80端口
[root@lynkser ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:111 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
在客户机上打开浏览器验证
如果没有DNS,需要修改hosts,请自行修改,不做演示
实例
需求:
- 安装配置httpd,令其可以访问已有网页index.html
- 要求来自于192.168.26.0/24的客户端可以访问网页,而其他IP的用户不可以
[root@lynkser ~]# yum install -y httpd
[root@lynkser ~]# systemctl mask iptables.service ebtables.service
Created symlink from /etc/systemd/system/iptables.service to /dev/null.
Created symlink from /etc/systemd/system/ebtables.service to /dev/null.
[root@lynkser ~]# systemctl stop iptables ebtables
[root@lynkser ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.26.0/24 service name=http accept' --permanent
success
[root@lynkser ~]# firewall-cmd --reload
success
[root@lynkser ~]# systemctl start httpd
[root@lynkser ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
- 为站点配置SSL加密,签名证书为server30.crt,密钥为server30.key,证书授权信息为group30.crt
[root@lynkser ~]# yum install -y mod_ssl
[root@lynkser tls]# ls /etc/pki/tls/certs/ |grep server30.crt
server30.crt
[root@lynkser tls]# ls /etc/pki/tls/private/ |grep server30.key
server30.key
[root@lynkser certs]# ls /etc/pki/tls/certs/ |grep group30.crt
group30.crt
[root@lynkser tls]# vim /etc/httpd/conf.d/ssl.conf
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
ServerName server30.example.com:443
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/server30.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/server30.key
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/pki/tls/certs/group30.crt
[root@lynkser tls]# systemctl restart httpd
- 为站点http://www.example.com创建一个虚拟主机
- 配置DocumentRoot为/var/www/virtual
- 将网页index置于Document下
- 确保zelda用户能够在/var/www/virtual下创建文件
[root@lynkser ~]# mkdir /var/www/virtual
[root@lynkser ~]# mv index.html /var/www/virtual/
[root@lynkser ~]# useradd zelda
[root@lynkser ~]# setfacl -m u:zelda:rwx /var/www/virtual/
[root@lynkser ~]# cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf /etc/httpd/conf.d/
[root@lynkser ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName server30.example.com
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/var/www/virtual"
ServerName www.example.com
</VirtualHost>
[root@lynkser tls]# systemctl restart httpd
- 在server上的web服务器的DocumentRoot目录下创建一个名为private的目录,将已有的index.html文件放入这个1文件夹
- 在server上,任何人都可以浏览private的内容,但是从其他系统不能访问这个目录的内容
[root@lynkser ~]# mkdir /var/www/html/private
[root@lynkser ~]# mv index.html /var/www/html/private
<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName server30.example.com
<Directory "/var/www/html/private">
Require ip 192.168.26.129
</Directory>
</VirtualHost>
[root@lynkser tls]# systemctl restart httpd
- 在server上实现动态web内容,动态内容有名为alt.example.com的虚拟主机提供
- 虚拟主机侦听端口为8909
- 动态内容使用脚本webapp.wsgi
13.客户端访问http://alt.example.com.8909时,应该收到动态生成的web页面
14.此http://alt.example.com.8909必须能被192.168.26.0/24内的所有系统访问
[root@lynkser ~]# mkdir /var/www/wsgi
[root@lynkser ~]# mv webapp.wsgi /var/www/wsgi
[root@lynkser ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
Listen 8909
<VirtualHost *:8909>
WSGIScriptAlias / "/var/www/wsgi/webapp.wsgi"
ServerName alt.example.com
</VirtualHost>
[root@lynkser ~]# yum install -y mod_wsgi
[root@lynkser ~]# yum -y install policycoreutils-python
[root@lynkser ~]# semanage port -a -t http_port_t -p tcp 8909
[root@lynkser ~]# semanage port -l|grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 8909, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@lynkser ~]# systemctl restart htpd
[root@lynkser ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.26.0/24 port protocol=tcp port=8909 accept' --permanent
success
[root@lynkser ~]# firewall-cmd --reload
success