
httpd

Date: 2023-08-22 18:37:00


Contents

  • httpd
    • 1. Common httpd configuration
    • 2. CA certificates

1. Common httpd configuration

Switching the MPM (edit the file /etc/httpd/conf.modules.d/00-mpm.conf):

// LoadModule mpm_NAME_module modules/mod_mpm_NAME.so
// NAME can be one of three values:
prefork
event
worker

[root@localhost ~]# yum -y install httpd
[root@localhost ~]# systemctl start httpd
[root@localhost ~]# ss -antl
State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port  Process
LISTEN   0        128              0.0.0.0:111           0.0.0.0:*
LISTEN   0        32         192.168.122.1:53            0.0.0.0:*
LISTEN   0        128              0.0.0.0:22            0.0.0.0:*
LISTEN   0        5              127.0.0.1:631           0.0.0.0:*
LISTEN   0        128                 [::]:111              [::]:*
LISTEN   0        128                    *:80                  *:*
LISTEN   0        128                 [::]:22               [::]:*
LISTEN   0        5                  [::1]:631              [::]:*
[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# setenforce 0
[root@localhost ~]# cd /etc/httpd/conf.modules.d/
[root@localhost conf.modules.d]# pwd
/etc/httpd/conf.modules.d
[root@localhost conf.modules.d]# ls
00-base.conf  00-mpm.conf       00-systemd.conf  10-proxy_h2.conf
00-dav.conf   00-optional.conf  01-cgi.conf      README
00-lua.conf   00-proxy.conf     10-h2.conf
[root@localhost conf.modules.d]# vim 00-mpm.conf
# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
#
# NOTE: If enabling prefork, the httpd_graceful_shutdown SELinux
# boolean should be enabled, to allow graceful stop/shutdown.
#
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

Access control rules:

Rule                        Effect
Require all granted         Allow access from all hosts
Require all denied          Deny access from all hosts
Require ip IPADDR           Allow access from the given source address
Require not ip IPADDR       Deny access from the given source address
Require host HOSTNAME       Allow access from the given host name
Require not host HOSTNAME   Deny access from the given host name

Note: httpd-2. denies access from all hosts by default, so access must be granted explicitly after installation.

Example:

<RequireAll>
    Require not ip 192.168.1.1
    Require all granted
</RequireAll>

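Virtual hosts:
There are three kinds of virtual host:

  • Same IP, different ports
  • Different IPs, same port
  • Same IP and same port, different domain names

Location of the hosts file: on Linux or macOS, /etc/hosts; on Windows, c:/windows/system32/drivers/etc/hosts
Preparation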

[root@localhost ~]# cd /var/www/html/
[root@localhost html]# ls
[root@localhost html]# echo "hello" > index.html

[root@localhost html]# mkdir youxi
[root@localhost html]# cd youxi/
[root@localhost youxi]# ls
feijiedazhan.zip  坦克.zip
[root@localhost youxi]# rm -rf 坦克.zip
[root@localhost youxi]# mv Battle_City tanke
[root@localhost youxi]# mv tanke /var/www/html/
[root@localhost youxi]# cd
[root@localhost ~]# cd /var/www/html/
[root@localhost html]# ls
index.html  tanke  youxi
[root@localhost html]# rm -rf youxi/
[root@localhost ~]# cd /var/www/html/
[root@localhost html]# ls
feijiedazhan.zip  index.html  tanke
[root@localhost html]# unzip feijiedazhan.zip
[root@localhost html]# ls
feijiedazhan.zip  HTML全国飞机大战小游戏  index.html  tanke
[root@localhost html]# mv HTML5全民飞机大战小游戏 feiji
[root@localhost html]# ls
feiji  feijiedazhan.zip  index.html  tanke
[root@localhost html]# rm -rf feijiedazhan.zip 
[root@localhost html]# ls
feiji  index.html  tanke

Same IP, different ports

[root@localhost ~]# cp /usr/share/doc/httpd/httpd-vhosts.conf /etc/httpd/conf.d/
[root@localhost ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf

<VirtualHost *:80>
    DocumentRoot "/var/www/html/tanke"
    ServerName www.tanke1.com
    ErrorLog "/var/log/httpd/www.tanke1.com-error_log"
    CustomLog "/var/log/httpd/www.tanke1.com-access_log" common
</VirtualHost>

Listen 81
<VirtualHost *:81>
    DocumentRoot "/var/www/html/feiji"
    ServerName www.feiji1.com
    ErrorLog "/var/log/httpd/feiji1.com-error_log"
    CustomLog "/var/log/httpd/feiji1.com-access_log" common
</VirtualHost>

[root@localhost ~]# httpd -t
Syntax OK
[root@localhost ~]# systemctl restart httpd

Different IPs, same port

[root@localhost ~]# ip addr add 192.168.223.126/24 dev ens33
[root@localhost ~]# ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:be:f1:34 brd ff:ff:ff:ff:ff:ff
    inet 192.168.223.149/24 brd 192.168.223.255 scope global dynamic noprefixroute ens33
       valid_lft 1636sec preferred_lft 1636sec
    inet 192.168.223.126/24 scope global secondary ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::8d7b:7fa:5b9d:1310/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
[root@localhost ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf

# The two addresses are those shown by ip a above; which site uses which address is an assumption
<VirtualHost 192.168.223.149:80>
    DocumentRoot "/var/www/html/tanke"
    ServerName www.tanke1.com
    ErrorLog "/var/log/httpd/www.tanke1.com-error_log"
    CustomLog "/var/log/httpd/www.tanke1.com-access_log" common
</VirtualHost>

<VirtualHost 192.168.223.126:80>
    DocumentRoot "/var/www/html/feiji"
    ServerName www.feiji1.com
    ErrorLog "/var/log/httpd/feiji1.com-error_log"
    CustomLog "/var/log/httpd/feiji1.com-access_log" common
</VirtualHost>
[root@localhost ~]# httpd -t
Syntax OK
[root@localhost ~]# systemctl restart httpd       


Same IP, same port, different domain names

<VirtualHost *:80>
    DocumentRoot "/var/www/html/tanke"
    ServerName www.tanke1.com
    ErrorLog "/var/log/httpd/www.tanke1.com-error_log"
    CustomLog "/var/log/httpd/www.tanke1.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/var/www/html/feiji"
    ServerName www.feiji1.com
    ErrorLog "/var/log/httpd/feiji1.com-error_log"
    CustomLog "/var/log/httpd/feiji1.com-access_log" common
</VirtualHost>

[root@localhost ~]# httpd -t
Syntax OK
[root@localhost ~]# systemctl restart httpd
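
An added example, not part of the original article: the port in a <VirtualHost> tag only selects among connections that a Listen directive has already accepted, which is why the port-based layout above needs Listen 81. The script cross-checks the two over a constructed copy of that configuration with the Listen 81 line left out; the function names and the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: cross-check <VirtualHost> ports against Listen directives.

# Constructed sample: the article's port-based layout with "Listen 81" left out.
sample_conf() {
cat <<'EOF'
Listen 80
<VirtualHost *:80>
    DocumentRoot "/var/www/html/tanke"
    ServerName www.tanke1.com
</VirtualHost>
<VirtualHost *:81>
    DocumentRoot "/var/www/html/feiji"
    ServerName www.feiji1.com
</VirtualHost>
EOF
}

# Reads httpd configuration text on stdin and prints "PORT SERVERNAME" for every
# virtual host whose port has no Listen directive anywhere in the input.
unreachable_vhosts() {
    awk '
        tolower($1) == "listen" {
            p = $2; sub(/.*:/, "", p)           # "Listen 192.168.223.126:81" -> 81
            listen[p] = 1
        }
        tolower($1) == "<virtualhost" {
            p = $2; sub(/>$/, "", p)            # "*:81>" -> "*:81"
            port = (p ~ /:/) ? p : "*"          # no port given: any listening port
            sub(/.*:/, "", port)
            name = "(no ServerName)"
        }
        tolower($1) == "servername" { name = $2 }
        tolower($1) == "</virtualhost>" { vh_port[++n] = port; vh_name[n] = name }
        END {
            # Listen may appear after the vhost that needs it, so compare at the end.
            for (i = 1; i <= n; i++)
                if (vh_port[i] != "*" && !(vh_port[i] in listen))
                    print vh_port[i], vh_name[i]
        }
    '
}

sample_conf | unreachable_vhosts                # prints: 81 www.feiji1.com
```

On a real host the input would be the concatenated configuration files, for example httpd.conf followed by the files under conf.d.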

Domain name mapping

Create the web directories and change their owner and group

[root@localhost ~]# cd /var/www/html/
[root@localhost html]# ls
feiji  index.html  tanke
[root@localhost html]# mkdir www blog
[root@localhost html]# ll
total 4
drwxr-xr-x. 2 root root  6 Jul 21 23:44 blog
drwxr-xr-x. 5 root root 56 Apr 17  2020 feiji
-rw-r--r--. 1 root root  6 Jul 21 21:51 index.html
drwxr-xr-x. 6 root root 72 Sep 24  2015 tanke
drwxr-xr-x. 2 root root  6 Jul 21 23:44 www
[root@localhost html]# chown -R apache.apache blog
[root@localhost html]# chown -R apache.apache www
[root@localhost html]# ll
total 4
drwxr-xr-x. 2 apache apache  6 Jul 21 23:44 blog
drwxr-xr-x. 5 root   root   56 Apr 17  2020 feiji
-rw-r--r--. 1 root   root    6 Jul 21 21:51 index.html
drwxr-xr-x. 6 root   root   72 Sep 24  2015 tanke
drwxr-xr-x. 2 apache apache  6 Jul 21 23:44 www

Start the service and check that port 80 is listening

[root@localhost ~]# systemctl start httpd
[root@localhost ~]# ss -anlt
State    Recv-Q    Send-Q       Local Address:Port       Peer Address:Port   Process   
LISTEN   0         128                0.0.0.0:111             0.0.0.0:*                
LISTEN   0         32           192.168.122.1:53              0.0.0.0:*                
LISTEN   0         128                0.0.0.0:22              0.0.0.0:*                
LISTEN   0         5                127.0.0.1:631             0.0.0.0:*                
LISTEN   0         128                   [::]:111                [::]:*                
LISTEN   0         128                      *:80                    *:*                
LISTEN   0         128                   [::]:22                 [::]:*                
LISTEN   0         5                    [::1]:631                [::]:*          

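2. CA certificates

SSL:
Enable the module: edit the file /etc/httpd/conf.modules.d/00-base.conf and add the line below; if the line is already there but commented out, just uncomment it
LoadModule ssl_module modules/mod_ssl.so

Install the SSL package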

[root@localhost ~]# dnf -y install mod_ssl*
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# ss -antl
State    Recv-Q    Send-Q       Local Address:Port       Peer Address:Port   Process   
LISTEN   0         128                0.0.0.0:111             0.0.0.0:*                
LISTEN   0         32           192.168.122.1:53              0.0.0.0:*                
LISTEN   0         128                0.0.0.0:22              0.0.0.0:*                
LISTEN   0         5                127.0.0.1:631             0.0.0.0:*                
LISTEN   0         128                      *:443                   *:*                
LISTEN   0         128                   [::]:111                [::]:*                
LISTEN   0         128                      *:80                    *:*                
LISTEN   0         128                   [::]:22                 [::]:*                
LISTEN   0         5                    [::1]:631                [::]:*                

1. Generate the certificates

[root@localhost ~]# mkdir /etc/pki/CA
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# mkdir private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
...................................................................+++++
e is 65537 (0x010001)
[root@localhost CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:edu
Common Name (eg, your name or your server's hostname) []:www.tanke1.com
Email Address []:1@2.com
[root@localhost CA]# openssl x509 -text -in cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            46:1b:a1:ad:bc:34:dc:aa:12:4e:cf:86:9a:ea:b6:8c:fb:f3:81:28
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = cn, ST = hb, L = wh, O = runtime, OU = edu, CN = www.tanke1.com, emailAddress = 1@2.com
        Validity
            Not Before: Jul 21 16:02:23 2022 GMT
            Not After : Jul 21 16:02:23 2023 GMT
        Subject: C = cn, ST = hb, L = wh, O = runtime, OU = edu, CN = www.tanke1.com, emailAddress = 1@2.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                DE:6F:20:CB:C8:FA:89:FC:27:25:35:CE:2E:E0:E4:E9:C2:16:1B:CA
            X509v3 Authority Key Identifier: 
                keyid:DE:6F:20:CB:C8:FA:89:FC:27:25:35:CE:2E:E0:E4:E9:C2:16:1B:CA

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]#  cd /etc/httpd && mkdir ssl && cd ssl
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................................................+++++
................................+++++
e is 65537 (0x010001)
[root@localhost ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
string is too long, it needs to be no more than 2 bytes long
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:edu
Common Name (eg, your name or your server's hostname) []:www.tanke1.com
Email Address []:1@2.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]#  openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 21 16:06:43 2022 GMT
            Not After : Jul 21 16:06:43 2023 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = hb
            organizationName          = runtime
            organizationalUnitName    = edu
            commonName                = www.tanke1.com
            emailAddress              = 1@2.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                6D:38:2B:C1:31:C2:70:57:88:43:50:56:63:AD:52:78:15:E2:F7:6C
            X509v3 Authority Key Identifier: 
                keyid:DE:6F:20:CB:C8:FA:89:FC:27:25:35:CE:2E:E0:E4:E9:C2:16:1B:CA

Certificate is to be certified until Jul 21 16:06:43 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

2. Configure httpd.conf
3. Configure the virtual host in httpd-vhosts.conf
4. Set the certificate locations in ssl.conf

[root@localhost ~]# cd /etc/httpd/conf.d/
[root@localhost conf.d]# vim ssl.conf 

......
DocumentRoot "/var/www/html/tanke"
ServerName www.tanke1.com:443
.....
SSLCertificateFile /etc/httpd/ssl/httpd.crt
.....
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

5. Check the configuration files for syntax errors

[root@localhost ~]# httpd -t
Syntax OK

6. Restart the service

[root@localhost ~]# systemctl restart httpd

7. Check the ports

[root@localhost ~]# ss -antl
State    Recv-Q    Send-Q       Local Address:Port       Peer Address:Port   Process
LISTEN   0         128                0.0.0.0:111             0.0.0.0:*
LISTEN   0         32           192.168.122.1:53              0.0.0.0:*
LISTEN   0         128                0.0.0.0:22              0.0.0.0:*
LISTEN   0         5                127.0.0.1:631             0.0.0.0:*
LISTEN   0         128                      *:443                   *:*
LISTEN   0         128                   [::]:111                [::]:*
LISTEN   0         128                      *:80                    *:*
LISTEN   0         128                   [::]:22                 [::]:*
LISTEN   0         5                    [::1]:631                [::]:*

8. Set up the hosts file so the site can be reached by domain name
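
An added example for step 1, not part of the original article: a non-interactive run that issues a server certificate and then checks that it chains to the CA, matches the private key, and names the host in a subjectAltName. It goes beyond the article by adding the subjectAltName and signs with openssl x509 -req instead of openssl ca; the temporary directory, the CA name "Example Lab CA" and the function name are assumptions.

```shell
#!/bin/sh
# Added example: issue a server certificate from a throwaway CA, then verify it.
# All files live in a temporary directory; nothing under /etc is touched.

issue_and_check() {
    host=$1                      # e.g. www.tanke1.com, the article's ServerName
    dir=$(mktemp -d) || return 1
    rc=0
    (
        cd "$dir" || exit 1
        umask 077                # keys readable by the owner only, as in the article

        # CA key and self-signed CA certificate ("Example Lab CA" is a constructed name)
        openssl req -x509 -newkey rsa:2048 -nodes -keyout cakey.pem -out cacert.pem \
            -days 365 -subj "/C=cn/ST=hb/O=runtime/CN=Example Lab CA" 2>/dev/null || exit 1

        # Server key and certificate signing request
        openssl req -new -newkey rsa:2048 -nodes -keyout httpd.key -out httpd.csr \
            -subj "/C=cn/ST=hb/O=runtime/OU=edu/CN=$host" 2>/dev/null || exit 1

        # Sign the request, adding the subjectAltName that clients match names against
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > ext.cnf
        openssl x509 -req -in httpd.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
            -days 365 -sha256 -extfile ext.cnf -out httpd.crt 2>/dev/null || exit 1

        # Check 1: the certificate chains to the CA
        openssl verify -CAfile cacert.pem httpd.crt >/dev/null 2>&1 ||
            { echo "chain verification failed"; exit 0; }

        # Check 2: certificate and private key hold the same public key
        crt_pub=$(openssl x509 -in httpd.crt -noout -pubkey | openssl sha256)
        key_pub=$(openssl pkey -in httpd.key -pubout | openssl sha256)
        [ "$crt_pub" = "$key_pub" ] || { echo "key does not match certificate"; exit 0; }

        # Check 3: the host name is present in the subjectAltName extension
        openssl x509 -in httpd.crt -noout -text | grep -qF "DNS:$host" ||
            { echo "subjectAltName missing"; exit 0; }

        echo "ok"
    ) || rc=$?
    rm -rf "$dir"
    return "$rc"
}

issue_and_check www.tanke1.com   # prints: ok
```

The three checks can be run unchanged against /etc/httpd/ssl/httpd.crt, /etc/httpd/ssl/httpd.key and /etc/pki/CA/cacert.pem from the steps above.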
