一、Getting to know httpd
httpd is the main program of the Apache HyperText Transfer Protocol (HTTP) server. It is designed to run as a standalone background daemon that creates a pool of child processes or threads to handle requests.
Official site: www.apache.org
1、Characteristics of httpd
⑴ Highly modular: core + modules
⑵ DSO: Dynamic Shared Object; httpd can load and unload modules dynamically
⑶ MPM: Multi-Processing Module, a generic term with several implementations:
① prefork: multi-process; each request is served by one process, and the select mechanism is used to notify a process of a new request.
Drawback: uses relatively more system resources and is not good at handling high concurrency
② worker: starts several processes, each of which spawns several threads, and each thread serves one user request;
Advantages: compared with prefork it uses less memory and handles high concurrency well
Drawbacks: threads are not as safe as processes; with keep-alive enabled, a high-concurrency scenario can run out of free service threads
③ event: starts several threads, each of which serves N requests. It was formally introduced in httpd 2.4; in httpd 2.2 the event MPM is experimental. It is based on an event-driven mechanism.
Advantage: event starts a dedicated thread to manage keep-alive connections; when a real request arrives it hands the request to a service thread, and once the request completes the thread is released again, so its concurrent capacity is higher than worker's
Drawback: because requests are handled entirely by threads, it is the least stable of the three
2、Features of httpd
Rich user authentication: basic and digest authentication
CGI: native support for Perl CGI
Virtual hosts: based on port, IP or host name
Reverse proxy
Load balancing
User sites (per-user directories)
Path aliases
Support for third-party modules
3、Installation methods:
RPM package: yum -y install httpd
Compile from source
4、Components of the httpd package
Configuration files:
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/*.conf
Service script:
/etc/rc.d/init.d/httpd
Script configuration file: /etc/sysconfig/httpd
Module directories:
/etc/httpd/modules: a symbolic link
/usr/lib64/httpd/modules
Main programs:
/usr/sbin/httpd: prefork
/usr/sbin/httpd.event: event
/usr/sbin/httpd.worker: worker
Only one multi-processing module can be used at a time; the default is prefork, and the choice is made in the script configuration file /etc/sysconfig/httpd
Log directory:
/var/log/httpd (the symbolic link /etc/httpd/logs points to it)
access_log: access log
error_log: error log
Document root:
/var/www/html
The resource path given in a URL is relative to this document root; for example
http://www.hello.com/images/a.jpg corresponds to /var/www/html/images/a.jpg on the server
[root@node2 ~]# yum -y install httpd
...
[root@node2 ~]# rpm -ql httpd
/etc/httpd
/etc/httpd/conf
/etc/httpd/conf.d
/etc/httpd/conf.d/README
/etc/httpd/conf.d/welcome.conf #welcome page shown when the URL names no resource and the document root has no default index page
/etc/httpd/conf/httpd.conf #main configuration file
/etc/httpd/conf/magic
/etc/httpd/logs #symbolic link to /var/log/httpd
/etc/httpd/modules
/etc/httpd/run
/etc/logrotate.d/httpd #log rotation script
/etc/rc.d/init.d/htcacheclean
/etc/rc.d/init.d/httpd #service script
/etc/sysconfig/htcacheclean
/etc/sysconfig/httpd #script configuration file
/usr/lib64/httpd
/usr/lib64/httpd/modules #module directory
/usr/lib64/httpd/modules/mod_actions.so
...
/usr/sbin/apachectl #httpd service control tool
/usr/sbin/htcacheclean
/usr/sbin/httpd
/usr/sbin/httpd.event
/usr/sbin/httpd.worker
/usr/sbin/httxt2dbm
/usr/sbin/rotatelogs
/usr/sbin/suexec
/usr/share/doc/httpd-2.2.15
/usr/share/doc/httpd-2.2.15/ABOUT_APACHE
/usr/share/doc/httpd-2.2.15/CHANGES
/usr/share/doc/httpd-2.2.15/LICENSE
/usr/share/doc/httpd-2.2.15/NOTICE
/usr/share/doc/httpd-2.2.15/README
/usr/share/doc/httpd-2.2.15/VERSIONING
/usr/share/man/man8/apachectl.8.gz
/usr/share/man/man8/htcacheclean.8.gz
/usr/share/man/man8/httpd.8.gz
/usr/share/man/man8/rotatelogs.8.gz
/usr/share/man/man8/suexec.8.gz
/var/cache/mod_proxy
/var/lib/dav
/var/log/httpd #log directory
/var/run/httpd
/var/www
/var/www/cgi-bin #directory for dynamic resources (CGI scripts)
/var/www/error
...
/var/www/html #document root
[root@node2 ~]# cat /etc/sysconfig/httpd
# Configuration file for the httpd service.
#
# The default processing model (MPM) is the process-based
# 'prefork' model. A thread-based model, 'worker', is also
# available, but does not work with some modules (such as PHP).
# The service must be stopped before changing this variable.
#
#HTTPD=/usr/sbin/httpd.worker #prefork is the default; stop the service before changing the MPM
#
# To pass additional options (for instance, -D definitions) to the
# httpd binary at startup, set OPTIONS here.
#
#OPTIONS=
#
# By default, the httpd process is started in the C locale; to
# change the locale in which the server runs, the HTTPD_LANG
# variable can be set.
#
#HTTPD_LANG=C
#
# By default, the httpd process will create the file
# /var/run/httpd/httpd.pid in which it records its process
# identification number when it starts. If an alternate location is
# specified in httpd.conf (via the PidFile directive), the new
# location needs to be reported in the PIDFILE.
#
#PIDFILE=/var/run/httpd/httpd.pid
二、The httpd configuration file explained, with examples
Configuration syntax check:
httpd -t
service httpd configtest
The main configuration file httpd.conf has three major sections:
Section 1: Global Environment
Section 2: 'Main' server configuration
Section 3: Virtual Hosts
The main server and virtual hosts are normally not used at the same time; by default only the main server is enabled
Directives: directive names are case-insensitive, but their values may be case-sensitive; some directives depend on modules, and if the module they need is not loaded the directive cannot be used
1、Server identification
ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full
This directive controls what the server puts in the "Server:" response header returned to clients
Meaning of each value:
Prod[uctOnly]: only the product name, e.g. Apache
Major: include the major version, e.g. Apache/2
Minor: include the minor version, e.g. Apache/2.2
Min[imal]: include the full version, e.g. Apache/2.2.15
OS: include the operating system type, e.g. Apache/2.2.15 (CentOS)
Full: include the loaded modules and their versions, e.g. Apache/2.2.15 (CentOS) DAV/2
To avoid information disclosure, this is usually set to Prod
2、Persistent connections
KeepAlive {On|Off} #off by default
MaxKeepAliveRequests 100
KeepAliveTimeout 15
3、MPM parameters
<IfModule prefork.c>
StartServers 8 #number of child processes started at service start
MinSpareServers 5 #minimum number of idle child processes
MaxSpareServers 20 #maximum number of idle child processes
ServerLimit 256 #upper limit on the number of child processes running at once
MaxClients 256 #upper limit on clients served at once (maximum concurrency)
MaxRequestsPerChild 4000 #upper limit on requests one child process handles in its lifetime
</IfModule>
<IfModule worker.c>
StartServers 4 #number of child processes started at service start
MaxClients 300 #upper limit on clients served at once
MinSpareThreads 25 #minimum number of idle threads
MaxSpareThreads 75 #maximum number of idle threads
ThreadsPerChild 25 #number of threads each child process starts
MaxRequestsPerChild 0 #requests one child process may handle; 0 means unlimited
</IfModule>
4、Listening address and port
Listen [IP:]PORT #omitting the IP means listening on all addresses. The directive may be repeated several times; after changing the listening port the service must be restarted
5、Modules loaded through the DSO mechanism
LoadModule Module_Name /path/to/Module_File #to unload a module, simply comment out its line, which takes effect at once without rereading the configuration file; the module path is relative to ServerRoot
Listing the DSO-loaded modules:
# httpd -D DUMP_MODULES
[root@node2 ~]# httpd -D DUMP_MODULES
Loaded Modules:
core_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
auth_basic_module (shared)
auth_digest_module (shared)
authn_file_module (shared)
authn_alias_module (shared)
...
[root@node2 ~]# httpd -l
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c
[root@node2 ~]# httpd.worker -l
Compiled in modules:
core.c
worker.c
http_core.c
mod_so.c
6、Server name
ServerName www.example.com
This directive is commented out by default. When it is absent, httpd tries to use the hostname as the server name, but it does not fully trust the hostname: it reverse-resolves the local IP and compares the result with the hostname, and if they differ a warning is printed when the httpd service starts. (Note: ServerName and hostname are two different concepts; they may or may not be the same)
[root@node2 ~]# service httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.30.20 for ServerName #the FQDN could not be determined, so 192.168.30.20 is used as the server name
[ OK ]
[root@node2 ~]# hostname
node2
[root@node2 ~]# hostname node2.inception.com
[root@node2 ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.30.20 node2.inception.com #add this entry
192.168.30.20 www.inception.com
[root@node2 ~]# service httpd restart #no more warning
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
7、Document root
DocumentRoot "/path/to/somewhere" #default is /var/www/html
[root@node2 ~]# cd /var/www/html
[root@node2 html]# vim test.html
hello
[root@node2 html]# less /etc/httpd/conf/httpd.conf
...
DirectoryIndex index.html index.html.var #default index page names preset in the main configuration file
...
[root@node2 html]# vim index.html #create a default index page
To be or not to be,that is a question
8、Access control by path
Based on a local filesystem path:
<Directory "/path/to/somewhere">
...
</Directory>
<Files [~] "/path/to/somefile">
...
</Files>
Based on the URL path:
<Location "/path/to/URL">
...
</Location>
Paths may also be pattern-matched, but this is not recommended unless unavoidable
When either Directory or Location could be used, Directory is preferred
9、Access controls available inside Directory
① Options
Indexes: when there is no default index page and no welcome page, presents all resources in the directory as a listing. Dangerous, use with care; prefix an option with a minus sign to disable it, e.g. -Indexes
FollowSymLinks: follow symbolic links
② AllowOverride
Allows a .htaccess file in each directory to control access to the resources in that directory. .htaccess files affect httpd performance
[root@node2 html]# vim /etc/httpd/conf/httpd.conf
...
<Directory "/var/www/html">
...
Options Indexes FollowSymLinks #Indexes is enabled by default; with no default index page and no welcome page, a directory listing is shown
...
</Directory>
...
[root@node2 html]# mv index.html index.html.back
[root@node2 html]# mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.back
[root@node2 html]# service httpd reload
Reloading httpd:
10、Access control by IP
Order allow,deny #meaning "check the Allow rules first; anything not explicitly allowed is denied"
Allow from 172.16.0.0/16
Address forms accepted after "from":
IP address, network address
The network address format is flexible:
172.16
172.16.0.0
172.16.0.0/16
172.16.0.0/255.255.0.0
To deny some clients and allow everything else:
Order Deny,Allow
Deny from ip1 ip2
or
Order Allow,Deny
Allow from all
Deny from ip1 ip2
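As an added example (not from the original text), the following POSIX sh script models how httpd 2.2 evaluates Order together with Allow from and Deny from for a single client address, accepting every address form listed above. It is a way to check a rule set offline, for instance the one used later in the server-status Location block, before it is put into httpd.conf. The function names are this example's own and the client addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the page): an offline model of how httpd 2.2's
# mod_authz_host evaluates Order / Allow from / Deny from for one client
# address. IPv4 only; the accepted address forms are the ones listed above.

# ip2int A.B.C.D: dotted quad to a 32-bit integer (missing octets count as 0)
ip2int() {
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  echo $(( (o1 << 24) | (${o2:-0} << 16) | (${o3:-0} << 8) | ${o4:-0} ))
}

# addr_matches PATTERN IP: does IP fall inside PATTERN? PATTERN may be
# "all", a partial address (172.16), a full address (172.16.0.0),
# CIDR (172.16.0.0/16) or address/netmask (172.16.0.0/255.255.0.0).
addr_matches() {
  case $1 in
    all) return 0 ;;
    */*)
      net=${1%/*}; mask=${1#*/}
      case $mask in
        *.*) maskint=$(ip2int "$mask") ;;                          # dotted netmask
        *)   maskint=$(( (0xFFFFFFFF << (32 - mask)) & 0xFFFFFFFF )) ;;  # prefix length
      esac
      [ $(( $(ip2int "$net") & maskint )) -eq $(( $(ip2int "$2") & maskint )) ]
      ;;
    *.*.*.*) [ "$1" = "$2" ] ;;                                  # full address: exact match
    *) case $2 in "$1".*) return 0 ;; *) return 1 ;; esac ;;      # partial address: leading octets
  esac
}

# in_list "PATTERN PATTERN ..." IP: 0 if any pattern in the list matches
in_list() {
  for p in $1; do addr_matches "$p" "$2" && return 0; done
  return 1
}

# decide ORDER "ALLOW patterns" "DENY patterns" IP: prints allow or deny
decide() {
  order=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # Order values are case-insensitive
  in_list "$2" "$4" && allowed=1 || allowed=0
  in_list "$3" "$4" && denied=1  || denied=0
  case $order in
    allow,deny)   # default deny; a matching Deny overrides a matching Allow
      if [ $allowed -eq 1 ] && [ $denied -eq 0 ]; then echo allow; else echo deny; fi ;;
    deny,allow)   # default allow; a matching Allow overrides a matching Deny
      if [ $denied -eq 1 ] && [ $allowed -eq 0 ]; then echo deny; else echo allow; fi ;;
    *) echo "unsupported Order: $1" >&2; return 2 ;;
  esac
}

# Stand-alone demo: the first rule set from the text, checked for two clients
decide allow,deny "172.16.0.0/16" "" 172.16.5.4       # allow
decide allow,deny "172.16.0.0/16" "" 192.168.30.20    # deny
```

The two Order values differ only in their default and in which directive wins when both match, which is why "Order Allow,Deny" plus "Allow from all" is needed to punch deny-holes into an otherwise open directory.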
11、Default index page
DirectoryIndex
12、Logging
ErrorLog "/path/to/error_log" #error log; the path is relative to ServerRoot
LogLevel {debug|info|notice|warn|error|crit|alert|emerg}
Messages at the given level and at every higher level are recorded
LogFormat FORMAT FORMAT_NAME
%h: client address
%l: remote logname, usually -
%u: user name entered during authentication, - when there is no authentication
%t: time at which the server received the request
%r: request line
%>s: final response status code
%b: size of the response body in bytes
%{HEADER_NAME}i: value of the named request header
For example LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined #quotes inside the format must be escaped with a backslash
CustomLog "/path/to/access_log" LogFormat_Name
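As an added example (not part of the original page), here is a small sh/awk function that reads lines in the combined format defined above and reports the clients that produced at least N responses with a status of 400 or higher; a burst of 401s or 404s from one address is the kind of thing a defender looks for in access_log. The log lines are constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarize error responses per client from a "combined"
# format access log. Field layout follows the LogFormat above:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"

# sample_log: a few constructed lines in the combined format (not real traffic)
sample_log() {
  cat <<'EOF'
192.0.2.10 - - [17/Nov/2015:09:50:10 +0800] "GET /index.html HTTP/1.1" 200 18 "-" "curl/7.19.7"
192.0.2.10 - - [17/Nov/2015:09:50:11 +0800] "GET /admin/ HTTP/1.1" 401 401 "-" "curl/7.19.7"
198.51.100.7 - - [17/Nov/2015:09:50:12 +0800] "GET /admin/ HTTP/1.1" 401 401 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Nov/2015:09:50:13 +0800] "GET /admin/ HTTP/1.1" 401 401 "-" "Mozilla/5.0"
198.51.100.7 - tom [17/Nov/2015:09:50:14 +0800] "GET /admin/ HTTP/1.1" 200 22 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Nov/2015:09:50:15 +0800] "GET /text/a.html HTTP/1.1" 404 285 "-" "curl/7.19.7"
EOF
}

# count_errors [MIN]: read combined-format lines on stdin and print
# "<client> <error-count>" for every client with at least MIN (default 1)
# responses whose status is 400 or higher, sorted by client address.
count_errors() {
  awk -v min="${1:-1}" '
    {
      # Split on double quotes: q[1] = "%h %l %u [%t] ", q[2] = request line,
      # q[3] = " %>s %b ", q[4] = referer, q[6] = user agent.
      n = split($0, q, "\"")
      if (n < 6) next                     # not a combined-format line, skip it
      split(q[1], pre, " ")               # pre[1] is the client address (%h)
      split(q[3], post, " ")              # post[1] is the status code (%>s)
      if (post[1] + 0 >= 400) err[pre[1]]++
    }
    END { for (c in err) if (err[c] >= min) print c, err[c] }
  ' | sort
}

# Stand-alone demo: clients with two or more error responses in the sample
sample_log | count_errors 2
```

Splitting on the double quotes rather than on spaces is what keeps the parser correct when the request line or the User-Agent contains spaces; the same approach extends to pulling out %r or the User-Agent for further filtering.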
13、Path aliases
Maps a URL path to a filesystem path, so the accessed resource no longer has to live under the document root;
Alias /URL/ "/path/to/somewhere/"
For example Alias /images/ "/www/tupian/" #the mapped path is absolute, no longer relative to the document root; if the document root (say /var/www/html) also contains an images directory, the resources in /var/www/html/images become unreachable, because "images" has been claimed by the alias
[root@node2 html]# mkdir text
[root@node2 html]# vim text/a.html
being and time
[root@node2 html]# mkdir -p /www/paper
[root@node2 html]# vim /www/paper/b.html
relativity
[root@node2 html]# vim /etc/httpd/conf/httpd.conf
...
Alias /text/ "/www/paper/"
...
[root@node2 html]# service httpd reload
Reloading httpd:
14、Default character set
AddDefaultCharset
Character sets: GB2312, GB18030, GBK, UTF-8
15、CGI script alias
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
Writing CGI scripts in bash:
All text is produced by command output: echo, printf, cat
Running programs: command substitution
Content-Type: text/html

<pre>
</pre>
■ CGI and FastCGI:
CGI: Common Gateway Interface, the interface between a web server and an application. When the web server process receives a request for a dynamic resource (a script written in a programming language such as PHP, JSP, ASP or .NET), it must first hand the file to the corresponding interpreter; the interpreter runs it and returns an HTML-formatted result to the web server process. The communication between the web server process and these interpreters follows the CGI protocol
FastCGI: with CGI, every request for a dynamic resource makes the web server start a new interpreter process (running a PHP file, for example, starts a php process) and shut it down afterwards; with a large number of dynamic requests, that means a large number of interpreter processes being started and stopped all the time, which clearly hurts system performance. So, imitating how httpd itself works, a number of idle interpreter processes can be started in advance to wait for dynamic-file requests from the front-end web server process, and they are not closed after a request completes but stay around to serve later ones. In this mode the communication between the web server process and the interpreter follows the FastCGI protocol. The main advantage of FastCGI is that it decouples the web server from the application
[root@node2 ~]# vim /var/www/cgi-bin/test.sh
#!/bin/bash
# the blank line after the Content-Type header is required: it terminates the CGI header block
cat << EOF
Content-Type: text/html

<pre>
The hostname is: $(hostname)
The datetime is: $(date)
</pre>
EOF
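The script above prints only values it controls. As an added example (not the page's script), the following bash CGI takes a value from the query string and HTML-escapes it before writing it into the page, because anything copied from the request into a text/html body without escaping is interpreted as markup by the client's browser. It assumes mod_cgi with the ScriptAlias above; the "name" parameter, the function names and the absence of %xx URL-decoding are this example's simplifications.

```shell
#!/bin/bash
# Added example (not the page's script): a bash CGI that echoes a value taken
# from the query string, HTML-escaping it before it reaches the page body.
# Assumes mod_cgi with ScriptAlias /cgi-bin/ as configured above; the
# "name" parameter is hypothetical and no URL-decoding is performed.

# html_escape STRING: neutralize the characters that would let request data
# be interpreted as markup in the response
html_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

# query_param NAME: print the value of NAME=value in QUERY_STRING (last one
# wins, no %xx decoding); returns 1 if the parameter is absent
query_param() {
  local IFS='&' pair value='' found=1
  set -f                                   # no globbing of request data
  for pair in $QUERY_STRING; do
    case $pair in "$1="*) value=${pair#*=}; found=0 ;; esac
  done
  set +f
  printf '%s' "$value"
  return $found
}

# cgi_response: the complete CGI output, headers, a blank line, then the body.
# The blank line is mandatory; without it mod_cgi reports a malformed header.
cgi_response() {
  local who
  who=$(html_escape "$(query_param name)")
  : "${who:=world}"                        # default when the parameter is absent
  cat <<EOF
Content-Type: text/html; charset=UTF-8

<pre>
Hello, ${who}
The hostname is: $(html_escape "$(hostname)")
</pre>
EOF
}

# When httpd runs the script as a CGI, just emit the response
[ -n "$GATEWAY_INTERFACE" ] && cgi_response
```

Escaping at the point where untrusted data is written into the document, as html_escape does, is the general rule for CGI output; declaring the charset in Content-Type removes a second source of ambiguity about how the browser interprets the bytes.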
16、Access control by user
User authentication:
Basic authentication: Basic, credentials are sent in the clear
Digest authentication: Digest
Virtual users: credentials that exist only to access a particular service or resource;
Where accounts and passwords can be stored:
Text file: .htpasswd
SQL database
dbm: a database engine exposing an API
LDAP
Example: file-based access control
① Authenticating users
<Directory "/var/www/html/admin">
Options none
AllowOverride AuthConfig #allows the authentication and authorization directives to be used
AuthType Basic
AuthName "Admin Area."
#AuthBasicProvider file
AuthUserFile /etc/httpd/conf/.htpasswd
Require valid-user
</Directory>
Notes:
Require valid-user: every user in the file may access the resource
Require user USERNAME ...: only the listed users may access it
② Creating the password file
htpasswd [option] passwdfile username
Options:
-b: take the user name and password from the command line instead of prompting for the password
-c: create passwdfile; if it already exists it is rewritten and its previous content is lost
-m: store the user's password hashed with MD5
-D: delete the given user
③ Group authorization
<Directory "/var/www/html/admin">
Options none
AllowOverride AuthConfig
AuthType Basic
AuthName "Admin Area."
#AuthBasicProvider file
AuthUserFile /etc/httpd/conf/.htpasswd
AuthGroupFile /etc/httpd/conf/.htgroup
Require group GROUP_NAME
</Directory>
Group file (.htgroup) format:
groupname: user1 user2 user3
[root@node2 ~]# cd /var/www/html
[root@node2 html]# mkdir admin
[root@node2 html]# vim admin.html
The Moon and Sixpence
[root@node2 html]# vim /etc/httpd/conf/httpd.conf
...
<Directory "/var/www/html/admin">
Options none
AllowOverride AuthConfig
AuthType Basic
AuthName "Admin Area."
#AuthBasicProvider file
AuthUserFile /etc/httpd/conf/.htpasswd
Require valid-user
</Directory>
...
[root@node2 html]# htpasswd -c -m /etc/httpd/conf/.htpasswd tom
New password:
Re-type new password:
Adding password for user tom
[root@node2 html]# htpasswd -m /etc/httpd/conf/.htpasswd jerry
New password:
Re-type new password:
Adding password for user jerry
[root@node2 html]# service httpd reload
Reloading httpd:
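As an added example (not from the original page), the following sh script audits a .htpasswd file for entries that were not written with -m (plain crypt() or plaintext passwords) and answers "Require group" questions from a .htgroup file in the format shown above. Both sample files are constructed in a temporary directory; the apr1 value is a made-up string in the right format rather than a real hash, and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not the page's code): check a .htpasswd file for weak
# password hashes and evaluate "Require group" membership from a .htgroup
# file, without a running httpd. Both sample files are constructed here;
# the apr1 entry below is a made-up string in the right format, not a real hash.

# hash_kind HASH: classify one stored password by its format
hash_kind() {
  case $1 in
    '$apr1$'*)        echo apr1-md5 ;;   # what "htpasswd -m" writes
    '{SHA}'*)         echo sha1 ;;       # "htpasswd -s"
    ?????????????)    echo crypt ;;      # 13 chars: traditional crypt(3), only 8 significant characters
    *)                echo plain ;;      # "htpasswd -p" or a hand-edited file
  esac
}

# audit_htpasswd FILE: print "user kind" per entry; return 1 if any entry is
# crypt or plaintext (the classification is a format heuristic)
audit_htpasswd() {
  weak=0
  while IFS=: read -r user hash; do
    case $user in ''|'#'*) continue ;; esac
    kind=$(hash_kind "$hash")
    echo "$user $kind"
    case $kind in crypt|plain) weak=1 ;; esac
  done < "$1"
  return $weak
}

# in_group GROUPFILE GROUP USER: 0 if USER is listed under GROUP
in_group() {
  while IFS=: read -r g members; do
    [ "$g" = "$2" ] || continue
    for m in $members; do [ "$m" = "$3" ] && return 0; done
  done < "$1"
  return 1
}

# write_samples DIR: constructed .htpasswd and .htgroup files in DIR
write_samples() {
  cat > "$1/.htpasswd" <<'EOF'
tom:$apr1$Wq2zK7Lm$0ObDpHcXV7HnzmJ5wGkQ4.
jerry:ab01ABcdEFgh1
guest:plaintext-secret
EOF
  cat > "$1/.htgroup" <<'EOF'
admins: tom jerry
readers: guest
EOF
}

# Stand-alone demo
d=$(mktemp -d)
write_samples "$d"
audit_htpasswd "$d/.htpasswd" || echo "weak entries found in $d/.htpasswd"
in_group "$d/.htgroup" admins jerry && echo "jerry is in admins"
rm -rf "$d"
```

Keeping the password file outside the document root, as the page does with /etc/httpd/conf/.htpasswd, matters as much as the hash format: a file under /var/www/html would be served to anyone who asks for it unless a Files block forbids it.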
17、Virtual hosts
Virtual hosts: distinguished by the path used to reach them
By port
By IP
By host name
① Prerequisite for using virtual hosts: disable the main server
Comment out the main server's document root directive: DocumentRoot
② Defining virtual hosts
NameVirtualHost IP:PORT #required for name-based virtual hosts; exists only in httpd 2.2 and is gone in httpd 2.4
<VirtualHost IP:PORT>
ServerName
DocumentRoot
ServerAlias
ErrorLog
CustomLog
</VirtualHost>
Configuration example:
NameVirtualHost 172.16.100.7:80
<VirtualHost 172.16.100.7:80>
ServerName www.hello.com
DocumentRoot "/web/hosta"
</VirtualHost>
<VirtualHost 172.16.100.8:80>
ServerName www.hello.com
DocumentRoot "/web/hostb"
</VirtualHost>
<VirtualHost 172.16.100.8:8080>
ServerName www.hello.com
DocumentRoot "/web/hostc"
</VirtualHost>
<VirtualHost 172.16.100.7:80>
ServerName web.hello.com
DocumentRoot "/web/hostd"
</VirtualHost>
Recommendation: put the virtual host definitions in a new file under /etc/httpd/conf.d/*.conf, so the virtual host configuration can be moved around and edited without touching the original httpd.conf; the main configuration file httpd.conf contains an Include directive that pulls in /etc/httpd/conf.d/*.conf
③ Testing:
elinks: a text-mode browser
Usage: elinks [-dump] URL
-dump: print the page as plain text and then exit;
[root@node2 html]# vim /etc/httpd/conf/httpd.conf
...
Listen 80
Listen 8080
...
#DocumentRoot "/var/www/html" #comment out the main server
...
NameVirtualHost 192.168.30.20:80 #enable only for name-based virtual hosts
...
<VirtualHost 192.168.30.20:80>
ServerName www.inception.com
DocumentRoot "/web/hosta"
</VirtualHost>
<VirtualHost 192.168.30.21:80>
ServerName www.inception.com
DocumentRoot "/web/hostb"
</VirtualHost>
<VirtualHost 192.168.30.20:8080>
ServerName www.inception.com
DocumentRoot "/web/hostc"
</VirtualHost>
<VirtualHost 192.168.30.20:80>
ServerName web.inception.com
DocumentRoot "/web/hostd"
</VirtualHost>
[root@node2 html]# mkdir -p /web/{hosta,hostb,hostc,hostd}
[root@node2 html]# cd /web
[root@node2 web]# vim hosta/index.html
<h1> Host A </h1>
[root@node2 web]# vim hostb/index.html
<h1> Host B </h1>
[root@node2 web]# vim hostc/index.html
<h1> Host C </h1>
[root@node2 web]# vim hostd/index.html
<h1> Host D </h1>
[root@node2 web]# ifconfig eth0:0 192.168.30.21/24
[root@node2 web]# httpd -t
Syntax OK
[root@node2 web]# service httpd restart #restart after adding a listening address or port
...
[root@node2 web]# yum -y install elinks
...
[root@node2 web]# elinks -dump http://192.168.30.21
Host B
★18、The https protocol
The http protocol: text-encoded
Check: an http request can be sent with telnet
# telnet 172.16.100.7 80
Trying 172.16.100.7...
Connected to 172.16.100.7.
Escape character is '^]'.
GET /index.html HTTP/1.0
Host: www.b.org
...
[root@node2 ~]# telnet 192.168.30.20 80
Trying 192.168.30.20...
Connected to 192.168.30.20.
Escape character is '^]'.
GET /index.html HTTP/1.0
Host: www.inception.com
HTTP/1.1 200 OK
Date: Tue, 17 Nov 2015 09:50:10 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 17 Nov 2015 07:48:11 GMT
ETag: "60b06-12-524b7bf552aa5"
Accept-Ranges: bytes
Content-Length: 18
Connection: close
Content-Type: text/html; charset=UTF-8
<h1> Host A </h1>
Connection closed by foreign host.
https: http plus the ssl module, SSL-based binary encoding, 443/tcp; the ssl module is packaged separately
TCP three-way handshake ==> establish the SSL channel (identity authentication, key exchange) ==> request and response
An SSL session is established per IP address, so each IP carries only one SSL session;
Why can a single IP not host several SSL sessions (why can https virtual hosts not be name-based)?
With https, the SSL channel must be established before the http request is sent, and establishing it requires the server to send its certificate to the client for verification. When the server has several host names, each host name naturally has its own certificate, and the server can only learn which certificate to send from the Host header of the request; only then can the SSL channel be set up. But the request cannot be read until the SSL channel exists, which is a circular dependency. (This is the limitation that the TLS Server Name Indication extension addresses; it is not covered here.)
Work done by the ssl handshake:
Exchange protocol versions
Choose a cipher both sides support
The client authenticates the server
The client verifies the server certificate:
Validity check: is the certificate still within its validity period
Trust check of the CA:
Integrity check of the certificate:
Holder identity check: compare the host name typed into the browser with the subject name on the certificate
Key exchange
■ Configuring httpd for https:
① Install the mod_ssl module
# yum install mod_ssl
② Generate a private key for the server and obtain a certificate for it;
# mkdir /etc/httpd/ssl && cd /etc/httpd/ssl
# (umask 077;openssl genrsa -out httpd.key 2048)
# openssl req -new -key httpd.key -out httpd.csr
The signed certificate will be: /etc/httpd/ssl/httpd.crt
③ Configure a virtual host that uses https
In /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile /path/to/somecrt
SSLCertificateKeyFile /path/to/somekeyfile
<VirtualHost IP:443>
DocumentRoot
ServerName
</VirtualHost>
④ Reload the configuration
⑤ Test
# openssl s_client -connect IP:PORT -CAfile /path/to/ca_certificate
For example openssl s_client -connect 192.168.30.20:443 -CAfile /etc/pki/CA/cacert.pem
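As an added example (not the page's commands), the script below builds a throwaway CA and a CA-signed server certificate non-interactively, then runs the client-side checks from the handshake description above: CA trust and validity period with openssl verify, the holder identity check with openssl x509 -checkhost, and remaining lifetime with -checkend. It reuses the page's host names ca.inception.com and www.inception.com; the temporary directory, the function names and the use of openssl x509 -req in place of the openssl ca database are this example's own choices.

```shell
#!/bin/sh
# Added example (not the page's commands): build a throwaway CA and a server
# certificate non-interactively in a temporary directory, then perform the
# client-side checks listed above (CA trust and validity via "openssl verify",
# holder identity via "-checkhost", remaining lifetime via "-checkend").
# Names reuse the page's ca.inception.com / www.inception.com; everything
# else is constructed and thrown away.

# make_demo_pki DIR: CA key+cert, server key, CSR, and CA-signed server cert
make_demo_pki() {
  (umask 077; openssl genrsa -out "$1/ca.key" 2048 2>/dev/null)
  openssl req -new -x509 -key "$1/ca.key" -out "$1/ca.crt" -days 3650 \
    -subj "/C=CN/O=Dongpu/OU=tech/CN=ca.inception.com" 2>/dev/null
  (umask 077; openssl genrsa -out "$1/httpd.key" 2048 2>/dev/null)
  openssl req -new -key "$1/httpd.key" -out "$1/httpd.csr" \
    -subj "/C=CN/O=Dongpu/OU=web/CN=www.inception.com" 2>/dev/null
  # "x509 -req" signs a CSR directly, without the index.txt/serial database
  # that "openssl ca" needs
  openssl x509 -req -in "$1/httpd.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/httpd.crt" -days 1000 2>/dev/null
}

# cert_trusted CAFILE CERT: 0 if CERT chains to CAFILE and is within its
# validity period (the CA trust and validity checks)
cert_trusted() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# cert_matches_host CERT HOSTNAME: 0 if the name the client connected to
# matches the certificate (the holder identity check)
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# cert_valid_for CERT DAYS: 0 if CERT will still be valid DAYS from now
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Stand-alone demo
d=$(mktemp -d)
make_demo_pki "$d"
cert_trusted "$d/ca.crt" "$d/httpd.crt" && echo "chain OK"
cert_matches_host "$d/httpd.crt" www.inception.com && echo "name OK"
cert_matches_host "$d/httpd.crt" web.inception.com || echo "web.inception.com would be rejected"
cert_valid_for "$d/httpd.crt" 30 && echo "valid for at least 30 days"
rm -rf "$d"
```

The certificate produced here, like the one the openssl ca session below produces, carries the host name only in the Common Name; current browsers require it in a subjectAltName extension, which is supplied at signing time with -extfile (openssl x509 -req) or an extensions section (openssl ca).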
[root@node2 ~]# yum -y install mod_ssl #install the ssl module
...
[root@node2 ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
Setting up the CA server:
[root@node2 ~]# cd /etc/pki/CA
[root@node2 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) #generate the CA private key
Generating RSA private key, 2048 bit long modulus
................................................................................................................+++
....................................................+++
e is 65537 (0x10001)
[root@node2 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 #self-signed CA certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Zhejiang
Locality Name (eg, city) [Default City]:Hangzhou
Organization Name (eg, company) [Default Company Ltd]:Dongpu
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:ca.inception.com
Email Address []:camaster@inception.com
[root@node2 CA]# touch index.txt serial
[root@node2 CA]# echo 01 > serial
Requesting a certificate for the node:
[root@node2 CA]# mkdir /etc/httpd/ssl
[root@node2 CA]# cd /etc/httpd/ssl
[root@node2 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.....................................+++
..........................................................................................................................................................+++
e is 65537 (0x10001)
[root@node2 ssl]# openssl req -new -key httpd.key -out httpd.csr #generate the certificate signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Zhejiang
Locality Name (eg, city) [Default City]:Hangzhou
Organization Name (eg, company) [Default Company Ltd]:Dongpu
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:www.inception.com
Email Address []:webadmin@inception.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node2 ssl]# openssl ca -in httpd.csr -out httpd.crt -days 1000 #the CA signs the certificate
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 17 15:26:02 2015 GMT
Not After : Aug 13 15:26:02 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = Zhejiang
organizationName = Dongpu
organizationalUnitName = web
commonName = www.inception.com
emailAddress = webadmin@inception.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
78:CF:05:01:DA:F7:00:54:33:4C:47:48:79:E5:DC:E4:76:BA:32:18
X509v3 Authority Key Identifier:
keyid:2C:99:D1:98:7F:47:7C:50:10:8D:7E:9F:19:61:2F:CB:D1:CF:8C:23
Certificate is to be certified until Aug 13 15:26:02 2018 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node2 ssl]# ls
httpd.crt httpd.csr httpd.key
Configuring https:
[root@node2 ssl]# cd /etc/httpd/conf.d
[root@node2 conf.d]# vim ssl.conf
...
<VirtualHost 192.168.30.20:443>
...
DocumentRoot "/web/hosta"
ServerName www.inception.com:443
...
SSLCertificateFile /etc/httpd/ssl/httpd.crt #location of the server certificate
...
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key #location of the server private key
...
</VirtualHost>
[root@node2 conf.d]# httpd -t
Syntax OK
[root@node2 conf.d]# service httpd restart
...
[root@node2 conf.d]# netstat -tnl #port 443 is now being listened on
...
tcp 0 0 :::8080 :::* LISTEN
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::53264 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::1:631 :::* LISTEN
tcp 0 0 ::1:6010 :::* LISTEN
tcp 0 0 :::443 :::* LISTEN
tcp 0 0 ::1:6011 :::* LISTEN
[root@node2 conf.d]# openssl s_client -connect 192.168.30.20:443 -CAfile /etc/pki/CA/cacert.pem
...
SSL handshake has read 1734 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 874DBF1FFDF68375023A1649044B60F3D239121313D99821BAF9C07805B9DDA3
Session-ID-ctx:
Master-Key: D8C1A9F169623D1EDE6CC6808DD6E96E9DD65187A28B129232445F75D7AED8FFDE3C4F7D5F552DF676477ECCF13CA573
...
---
GET /index.html HTTP/1.1
Host: www.inception.com
HTTP/1.1 200 OK
Date: Tue, 17 Nov 2015 17:32:46 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 17 Nov 2015 07:48:11 GMT
ETag: "60b06-12-524b7bf552aa5"
Accept-Ranges: bytes
Content-Length: 18
Connection: close
Content-Type: text/html; charset=UTF-8
<h1> Host A </h1>
closed
19、The status page
handler: Apache's internal representation of the action to perform when a file is called; each file type generally has an implicit handler
httpd has built-in handlers, one of which (server-status) outputs status information about the running httpd service
A handler is enabled with the SetHandler directive:
SetHandler server-status
[root@node2 ~]# vim /etc/httpd/conf/httpd.conf
...
<Location /server-status>
SetHandler server-status
Order allow,deny
Allow from 192.168.30.0/24
</Location>
...
[root@node2 ~]# httpd -t #configuration syntax check
Syntax OK
[root@node2 ~]# service httpd reload
Reloading httpd:
20、The curl command
curl is a command-line file transfer tool built around URL syntax. It supports FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP, among other protocols. It supports HTTPS authentication, the HTTP POST and PUT methods, FTP upload, Kerberos authentication, HTTP upload, proxy servers, cookies, user name/password authentication, resuming interrupted downloads and uploads, HTTP proxy tunneling, and even IPv6, SOCKS5 proxies and uploading files to an FTP server through an HTTP proxy. It is a very capable tool.
Usage: curl [option] URL
Common options:
-A/--user-agent <string>: set the User-Agent sent to the server
--basic: use HTTP basic authentication
--tcp-nodelay: use the TCP_NODELAY option
-e/--referer <URL>: set the Referer
--cacert <file>: CA certificate (SSL)
--compressed: request a compressed response
-H/--header <line>: pass a custom header to the server
-I/--head: show only the response headers
--limit-rate <rate>: limit the transfer speed
-u/--user <user[:password]>: user name and password for the server
-0/--http1.0: use HTTP 1.0
[root@node2 ~]# curl 192.168.30.20
<h1> Host A </h1>
[root@node2 ~]# curl 192.168.30.20:8080
<h1> Host C </h1>
[root@node2 ~]# curl -I 192.168.30.20
HTTP/1.1 200 OK
Date: Tue, 17 Nov 2015 19:20:55 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 17 Nov 2015 07:48:11 GMT
ETag: "60b06-12-524b7bf552aa5"
Accept-Ranges: bytes
Content-Length: 18
Connection: close
Content-Type: text/html; charset=UTF-8
21、Compressing pages with mod_deflate to improve transfer speed
SetOutputFilter DEFLATE
# mod_deflate configuration
# Restrict compression to these MIME types
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
# Level of compression (Highest 9 - Lowest 1)
DeflateCompressionLevel 9 #compression level
# Netscape 4.x has some problems.
BrowserMatch ^Mozilla/4 gzip-only-text/html #special-casing for particular browsers
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
三、Tools shipped with the httpd package
① httpd: the Apache server program
Common options:
-t: test the configuration file
-l: list the modules statically compiled into httpd
-D DUMP_MODULES: list the DSO modules
-M: equivalent to -t -D DUMP_MODULES
-D DUMP_VHOSTS: list all virtual hosts
② htpasswd: create and update user files for file-based basic authentication
③ apachectl: script; httpd service control tool
④ ab: Apache benchmark, httpd's performance benchmarking tool
Usage: ab [options] [http[s]://]hostname[:port]/path
Common options:
-c #: number of concurrent clients to simulate
-n #: number of requests to make; the value of -n must be greater than or equal to the value of -c
Similar tools: http_load, webbench, siege
⑤ apxs: the tool that lets httpd be extended with third-party modules
⑥ htcacheclean: disk cache cleaning tool
⑦ htdigest: create and update user files for digest authentication
⑧ httxt2dbm: create dbm-format files for rewrite maps
⑨ rotatelogs: log rotation, switching the log file httpd writes to without stopping httpd
access_log, access_log.1, access_log.2, ...
⑩ suexec: lets httpd temporarily switch to another user's identity when it needs to access certain resources as that user;
[root@node1 ~]# ab -c 300 -n 3000 http://www.inception.com/beauty.jpg
This is ApacheBench, Version 2.3 <$Revision: 1554214 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking www.inception.com (be patient)
Completed 300 requests
Completed 600 requests
Completed 900 requests
Completed 1200 requests
Completed 1500 requests
Completed 1800 requests
Completed 2100 requests
Completed 2400 requests
Completed 2700 requests
Completed 3000 requests
Finished 3000 requests
Server Software: Apache/2.2.15
Server Hostname: www.inception.com
Server Port: 80
Document Path: /beauty.jpg
Document Length: 343328 bytes #size of the requested resource
Concurrency Level: 300
Time taken for tests: 17.543 seconds #total duration of the test
Complete requests: 3000
Failed requests: 0
Total transferred: 1030764000 bytes #total bytes transferred
HTML transferred: 1029984000 bytes
Requests per second: 171.01 [#/sec] (mean) #requests handled per second
Time per request: 1754.273 [ms] (mean) #time to serve one batch of concurrent requests
Time per request: 5.848 [ms] (mean, across all concurrent requests) #time to serve a single request
Transfer rate: 57380.20 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 10 94 102.1 77 1070
Processing: 855 1639 367.0 1590 3026
Waiting: 18 285 286.2 154 1383
Total: 922 1733 392.1 1683 3189
Percentage of the requests served within a certain time (ms)
50% 1683
66% 1811
75% 1905
80% 2003
90% 2285
95% 2546
98% 2833
99% 2939
100% 3189 (longest request)