httpd as a web server

Configuration related to running httpd as a web server

Virtual host configuration

Steps for configuring virtual hosts:

1. Create a separate directory for virtual hosts, one configuration file per virtual host, and pull them into the main configuration file with Include;
[root@host2 conf]# pwd
/usr/local/apache/conf
[root@host2 conf]# mkdir vhosts
[root@host2 conf]# ll
drwxr-xr-x 2 root root   313 Aug 31 19:47 extra
-rw-r--r-- 1 root root 18417 Sep  1 15:52 httpd.conf
-rw-r--r-- 1 root root 18385 Sep  1 10:22 httpd.conf.bak
-rw-r--r-- 1 root root 13077 Aug 31 19:47 magic
-rw-r--r-- 1 root root 60855 Aug 31 19:47 mime.types
drwxr-xr-x 3 root root    37 Aug 31 19:47 original
drwxr-xr-x 2 root root     6 Sep  1 15:52 vhosts
[root@host2 conf]# vim vhosts/pc.conf

2. Use a Directory section to specify the directory that will hold the virtual host's web files and open filesystem authorization with the Require directive; the process user also needs permission on that directory
3. Define the virtual host section, with DocumentRoot pointing at the directory specified in the previous step's Directory section;
[root@host2 conf]# cat vhosts/pc.conf 
<Directory "/data/pc">
	Require all granted
</Directory>

<VirtualHost *:80>
	ServerName www.pc.com
	DocumentRoot "/data/pc"
</VirtualHost>


4. Include it in the main configuration
[root@host2 conf]# tail -1 httpd.conf
Include conf/vhosts/*.conf



5. Create the corresponding directory; change its owner to apache if necessary, though read-only permission is usually enough
[root@host2 conf]# httpd -t
AH00112: Warning: DocumentRoot [/data/pc] does not exist
Syntax OK

[root@host2 conf]# mkdir /data/pc -pv
mkdir: created directory ‘/data’
mkdir: created directory ‘/data/pc’
[root@host2 conf]# httpd -t
Syntax OK
[root@host2 conf]# vim /data/pc/index.html
[root@host2 conf]# httpd -k restart

6. Edit the hosts file on the client and test the access;
[root@host1 ~]# curl www.pc.com
pc-index page

As below: name-based (host header) virtual hosts

[root@host3 ~]# cat /etc/httpd/conf.d/vhosts.conf 
# first open filesystem access with the Directory directive
# the apache user needs permission on the filesystem
# then define the virtual host sections

<Directory "/data/host3/www1">
	Require all granted
</Directory>

<Directory "/data/host3/www2">
	Require all granted
</Directory>

<VirtualHost *:80>
	ServerName www1.host3.com
	DocumentRoot "/data/host3/www1"
	
</VirtualHost>
<VirtualHost *:80>
	ServerName www2.host3.com
	DocumentRoot "/data/host3/www2"
	
</VirtualHost>

IP-based

---
Edit the vhosts configuration file; it is included into the main configuration file, which is the case by default
[root@localhost httpd]# cat conf.d/vhosts.conf 
<VirtualHost 192.168.80.101:80>
	ServerName www.a.com
	DocumentRoot /var/www/html/html/a.com
</VirtualHost>
<VirtualHost 192.168.10.101:80>
	ServerName www.b.com
	DocumentRoot /var/www/html/html/b.com
</VirtualHost>

# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf

---Note:
<VirtualHost 192.168.80.101:80>
        ServerName www.a.com
        DocumentRoot html/a.com
</VirtualHost>
With the relative-path form, matching directories were created under both ServerRoot and DocumentRoot and neither worked; it only worked once written as an absolute path!

---
Create the corresponding directories and files:
mkdir /var/www/html/html/{a.com,b.com} -pv
echo a.com > /var/www/html/html/a.com/index.html
echo b.com > /var/www/html/html/b.com/index.html
  
---
Check the configuration file, then restart httpd
[root@localhost httpd]# httpd -S -f /etc/httpd/conf/httpd.conf 
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
192.168.10.101:80      www.b.com (/etc/httpd/conf.d/vhosts.conf:5)
192.168.80.101:80      www.a.com (/etc/httpd/conf.d/vhosts.conf:1)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default 
Mutex mpm-accept: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48



---
Test
[root@localhost ~]# curl 192.168.10.101
b.com
[root@localhost ~]# curl 192.168.80.101
a.com

Port-based

---
Add one more Listen port;
[root@localhost httpd]# grep Listen conf/httpd.conf 
# Listen: Allows you to bind Apache to specific IP addresses and/or
# Change this to Listen on specific IP addresses as shown below to 
#Listen 12.34.56.78:80
Listen 80
Listen 8080

Change the virtual hosts to the same IP with different ports; restart and test;
[root@localhost httpd]# cat conf.d/vhosts.conf 
<VirtualHost 192.168.80.101:80>
	ServerName www.a.com
	DocumentRoot /var/www/html/html/a.com
</VirtualHost>
<VirtualHost 192.168.80.101:8080>
	ServerName www.b.com
	DocumentRoot /var/www/html/html/b.com
</VirtualHost>



---
[root@localhost ~]# curl 192.168.80.101:80
a.com
[root@localhost ~]# curl 192.168.80.101:8080
b.com

Name-based (host header)

The web server exposes only one IP and port, but once the packet is unpacked to the HTTP header the request can be dispatched to a different virtual host section depending on the hostname in the request header; each virtual host must specify its own unique ServerName, and when none is specified it inherits the FQDN of the host it runs on;

---
Change both to the same IP and port, distinguished only by ServerName;
Change Listen back to a single 80; restart;

[root@localhost httpd]# cat conf.d/vhosts.conf 
<VirtualHost 192.168.80.101:80>
	ServerName www.b.com
	DocumentRoot /var/www/html/html/b.com
</VirtualHost>
<VirtualHost 192.168.80.101:80>
	ServerName www.a.com
	DocumentRoot /var/www/html/html/a.com
</VirtualHost>

---
Test from another host:

[root@localhost ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.80.101 www.a.com www.b.com www.c.com


[root@localhost ~]# curl www.a.com
a.com
[root@localhost ~]# curl www.b.com
b.com
[root@localhost ~]# curl www.c.com
a.com
A host header that is not defined, www.c.com, is matched and handled by the first virtual host listed; after swapping the positions of the two virtual host definitions, visiting www.c.com gives b.com's result instead;

[root@localhost ~]# curl www.b.com
b.com
[root@localhost ~]# curl www.a.com
a.com
[root@localhost ~]# curl www.c.com
b.com
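To make the first-defined-wins behaviour above concrete, here is an added Python model of httpd's name-based virtual host selection (example code written for these notes, not httpd's own implementation). The VHOSTS tuple is constructed from the vhosts.conf shown above; ServerAlias support goes slightly beyond what the notes cover.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VHost:
    address: str          # the <VirtualHost> argument, e.g. "192.168.80.101:80" or "*:80"
    server_name: str      # ServerName
    document_root: str    # DocumentRoot
    aliases: tuple = ()   # ServerAlias entries (beyond what the notes cover)

def _address_matches(vhost, ip, port):
    host, _, vport = vhost.address.rpartition(":")
    return int(vport) == port and host in ("*", ip)

def select_vhost(vhosts, ip, port, host_header=""):
    """Model of httpd's selection, with vhosts in configuration order:
    1. keep the vhosts whose address matches the socket the request arrived on,
       preferring an exact IP over a "*" wildcard;
    2. compare the Host header (port stripped, case-insensitive) with ServerName/ServerAlias;
    3. if no name matches, the first vhost defined for that address is the default."""
    candidates = [v for v in vhosts if _address_matches(v, ip, port)]
    exact = [v for v in candidates if not v.address.startswith("*")]
    if exact:
        candidates = exact
    if not candidates:
        return None               # no vhost for this socket: the main server config handles it
    name = host_header.split(":")[0].lower()
    for v in candidates:
        if name == v.server_name.lower() or name in (a.lower() for a in v.aliases):
            return v
    return candidates[0]          # undefined Host header: the first vhost listed wins

# Constructed from the vhosts.conf shown above: www.b.com is defined first.
VHOSTS = (
    VHost("192.168.80.101:80", "www.b.com", "/var/www/html/html/b.com"),
    VHost("192.168.80.101:80", "www.a.com", "/var/www/html/html/a.com"),
)

def served_site(vhosts, host_header, ip="192.168.80.101", port=80):
    """Return the last component of the chosen DocumentRoot, i.e. what curl printed above."""
    v = select_vhost(vhosts, ip, port, host_header)
    return v.document_root.rsplit("/", 1)[-1] if v else None

if __name__ == "__main__":
    for h in ("www.a.com", "www.b.com", "www.c.com"):
        print(h, "->", served_site(VHOSTS, h))
```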

Status page

---
Combined with SetHandler
Enabling the status page
<Location "/server-status">
	SetHandler server-status
	Require all granted
</Location>
Likewise, Location supports regular expressions

Web page authentication

Access control can be based on the source IP and on the identity of the requesting user

htpasswd

Used to create users and passwords, producing the file that user authentication is checked against; usually a hidden file whose name starts with a dot, with sensible permissions set to keep it safe;

htpasswd -h

[root@localhost conf.d]# htpasswd -bc ht.pass wang wang
Adding password for user wang

-b: take the password from the command line rather than prompting; without -b the password is requested interactively;
-c: create a new password file; every use of -c creates a new file, and if one with the same name exists its previous contents are overwritten;
-D: delete a user
-n: do not write to a file, print the result to the console instead;

-n and -c are not used together;



[root@localhost conf.d]# htpasswd -b ht.pass li li
Adding password for user li
[root@localhost conf.d]# cat ht.pass 
wang:$apr1$xW9RSLyU$o0sJmbQdw4whjzxlrq4lD1
li:$apr1$Ql.LAGAT$N7di3x5IfUmQcF4sqd3KI/
[root@localhost conf.d]# htpasswd -D ht.pass wang
Deleting password for user wang
[root@localhost conf.d]# cat ht.pass 
li:$apr1$Ql.LAGAT$N7di3x5IfUmQcF4sqd3KI/


---
Changing the hash algorithm; the default is MD5
[root@localhost conf.d]# htpasswd -bns wang wang
wang:{SHA}w2n5nCHTE/Xp7iuVe5PMcMOwIE0=

[root@localhost conf.d]# htpasswd -bnm wang wang
wang:$apr1$sESRKDad$ZKJU.gPwOZcwxbe71E1w61

[root@localhost conf.d]# htpasswd -bnp wang wang
Warning: storing passwords as plain text might just not work on this platform.
wang:wang
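As an added example (not from these notes or from httpd), this Python code verifies a user against the ht.pass file shown above: it reimplements the $apr1$ md5-crypt variant that htpasswd writes by default, plus the {SHA} and plain-text forms, and compares in constant time. HT_PASS is a constructed copy of the file contents above.

```python
import base64, hashlib, hmac
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):            # crypt(3)-style base64: 6 bits at a time, LSB first
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_crypt(password, salt):
    """Apache's $apr1$ variant of md5-crypt (what htpasswd writes by default / with -m)."""
    pw, salt = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:                     # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                         # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):            # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3: c.update(salt)
        if i % 7: c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return "$apr1$%s$%s" % (salt.decode(), enc + _to64(final[11], 2))

def verify(password, stored):
    """Check a password against one ht.pass hash field: $apr1$, {SHA} (-s) or plain text (-p)."""
    if stored.startswith("$apr1$"):
        computed = apr1_crypt(password, stored.split("$")[2])
    elif stored.startswith("{SHA}"):
        computed = "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    else:
        computed = password          # the htpasswd -p plain-text form
    return hmac.compare_digest(computed.encode(), stored.encode())

# Constructed copy of the ht.pass contents shown above (user:hash per line).
HT_PASS = "wang:$apr1$xW9RSLyU$o0sJmbQdw4whjzxlrq4lD1\nli:$apr1$Ql.LAGAT$N7di3x5IfUmQcF4sqd3KI/\n"

def authenticate(user, password, htpasswd_text=HT_PASS):
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user:
            return verify(password, stored)
    return False                     # unknown users fail closed
```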

Authentication directives

Modules that provide authentication functions

[root@localhost modules]# ll |grep auth
-rwxr-xr-x 1 root root  15336 Apr  2 21:14 mod_auth_basic.so
-rwxr-xr-x 1 root root  36088 Apr  2 21:14 mod_auth_digest.so
-rwxr-xr-x 1 root root  11160 Apr  2 21:14 mod_authn_anon.so
-rwxr-xr-x 1 root root  15376 Apr  2 21:14 mod_authn_core.so
-rwxr-xr-x 1 root root  15272 Apr  2 21:14 mod_authn_dbd.so
-rwxr-xr-x 1 root root  11200 Apr  2 21:14 mod_authn_dbm.so
-rwxr-xr-x 1 root root  11176 Apr  2 21:14 mod_authn_file.so
-rwxr-xr-x 1 root root  19552 Apr  2 21:14 mod_authn_socache.so
-rwxr-xr-x 1 root root  23752 Apr  2 21:14 mod_authz_core.so
-rwxr-xr-x 1 root root  15304 Apr  2 21:14 mod_authz_dbd.so
-rwxr-xr-x 1 root root  11216 Apr  2 21:14 mod_authz_dbm.so
-rwxr-xr-x 1 root root  11200 Apr  2 21:14 mod_authz_groupfile.so
-rwxr-xr-x 1 root root  11200 Apr  2 21:14 mod_authz_host.so
-rwxr-xr-x 1 root root  11144 Apr  2 21:14 mod_authz_owner.so
-rwxr-xr-x 1 root root   7040 Apr  2 21:14 mod_authz_user.so
[root@localhost modules]# pwd
/etc/httpd/modules
# different modules provide different kinds of authentication
  • AuthType
    • none, basic, digest, form; basic is the commonly used one, i.e. authentication against a password file;
  • AuthName
    • the prompt shown when authentication is requested;
  • AuthUserFile file-path
    • path to the password file, generated with htpasswd
  • AuthGroupFile file-path
    • password file for group authentication, file format: mygroup: wang li lu
    • a relative path is relative to ServerRoot

The Require directive

The authentication-related modules provide some of the Require directive's functions;

Provided by mod_authz_user.so
Require user user1 ...

Provided by mod_authz_groupfile.so
Require group group1 ...

Provided by mod_authz_host.so
Require host ...
Require ip ...

Require expr expression...
access is allowed only if the expression is true
Require method method...
allows access only with the given request methods
Require env envvalue...
access is allowed only if the environment variable is defined

User-based authentication

---
Create the user password file under the ServerRoot directory;

htpasswd -bc pass.user wang wang
htpasswd -b pass.user li li
htpasswd -b pass.user lu lu
htpasswd -b pass.user yang yang

[root@localhost httpd]# cat conf.d/vhosts.conf 
<VirtualHost 192.168.80.101:80>
	ServerName www.b.com
	DocumentRoot /var/www/html/html/b.com
	<Directory "/var/www/html/html/b.com">
		# httpd does not accept trailing "#" comments on a directive line, so the notes sit on their own lines
		# required for Basic authentication to take effect
		AllowOverride AuthConfig
		# authentication type: basic
		AuthType Basic
		# prompt string
		AuthName "enter your name & password"
		# credentials file, path relative to ServerRoot
		AuthUserFile pass.user
		# which users may authenticate
		Require user wang lu
	</Directory>
</VirtualHost>

<VirtualHost 192.168.80.101:80>
	ServerName www.a.com
	DocumentRoot /var/www/html/html/a.com
</VirtualHost>

---
Restart and test access;

Group-based authentication

---
Under the ServerRoot directory: create the group file and add users li and yang to group1,
echo "group1:li yang" > pass.group

[root@localhost httpd]# cat conf.d/vhosts.conf 
<VirtualHost 192.168.80.101:80>
	ServerName www.b.com
	DocumentRoot /var/www/html/html/b.com
	<Directory "/var/www/html/html/b.com">
		AllowOverride Authconfig
		AuthType Basic
		AuthName "enter your name & password"
		AuthUserFile pass.user
		Require user wang lu
		# authorize group1 as well; now users li and yang can also authenticate and access b.com;
		AuthGroupFile pass.group
		Require group group1

	</Directory>
</VirtualHost>
<VirtualHost 192.168.80.101:80>
	ServerName www.a.com
	DocumentRoot /var/www/html/html/a.com
</VirtualHost>

---
Restart and test;

Logs

httpd has two kinds of logs: the access log (HTTP access records) and the error log (process-related information)

The main configuration file httpd.conf has by default a log level, access log format definitions and their references, and error log format definitions and references;

Each virtual host can define its own log format or log path inside its own configuration, or inherit the main configuration's; by default it inherits;

CustomLog: the access log

CustomLog file|pipe format|nickname [env=[!]environment-variable| expr=expression]
file or pipe,
	file: the log file name
	pipe: used together with a log-processing program
format
	the log format definition written out directly
nickname
	the name of a log format defined earlier, such as combined or common
env=
expr=
	the corresponding log entry is written only when the environment variable is set (or, with !, not set), or the expression is true;
e.g.:
SetEnvIf Request_URI \.gif$ gif-req
CustomLog "gif-req.log" common env=gif-req
CustomLog "no-gif-req.log" common env=!gif-req
Meaning: requests for gif files are recorded in one log, everything else in another;

Log variables

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

192.168.80.1 - wang [14/Aug/2020:12:50:58 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "http://192.168.80.101/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36"
Comparing the two:
%h client IP
%l remote logname; a module has to be enabled for it, otherwise it is empty and shows as a dash;
%u for pages that require authentication, the user name is recorded once the user has authenticated and accessed the page;
%t time
%r the request (method, path and protocol)
\" \" put quotation marks around the content;
%>s final status of the request, i.e. the status code
%b size of the response in bytes, including the response headers
Referer and User-Agent both come from the request headers, obtained through the module that processes headers; they are variables and need the %{var_name}i form
When a proxy such as nginx sits in front with header pass-through enabled, httpd uses the same form when it is configured to pick up the forwarded client IP;
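An added Python example (not from these notes) that parses lines in the combined LogFormat above into the fields just listed, then counts 401 responses per client IP (%h), which is the signal to watch once Basic authentication is enabled as on www.b.com. The first sample line is the one from the notes; the 401 lines are constructed.

```python
import re
from collections import Counter

# Field layout of the "combined" LogFormat above; quoted fields may contain \" escapes.
COMBINED_RE = re.compile(
    r'^(?P<h>\S+) (?P<l>\S+) (?P<u>\S+) \[(?P<t>[^\]]+)\] '
    r'"(?P<r>(?:[^"\\]|\\.)*)" (?P<s>\d{3}) (?P<b>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

def parse_combined(line):
    """Return a dict keyed by the LogFormat escapes (h, l, u, t, r, s, b, referer, ua), or None."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["s"] = int(rec["s"])
    rec["b"] = 0 if rec["b"] == "-" else int(rec["b"])   # "-" means nothing was sent
    rec["u"] = None if rec["u"] == "-" else rec["u"]       # "-" means no authenticated user
    parts = rec["r"].split(" ")                            # "GET /favicon.ico HTTP/1.1"
    rec["method"], rec["path"], rec["proto"] = (parts + ["", ""])[:3]
    return rec

def basic_auth_failures(lines, threshold=3):
    """Count 401 responses per client IP and return the IPs that reached the threshold."""
    fails = Counter()
    for line in lines:
        rec = parse_combined(line)
        if rec and rec["s"] == 401:
            fails[rec["h"]] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}

# First line: the sample from the notes; the rest: constructed 401/200 samples.
SAMPLE_LOG = [
    '192.168.80.1 - wang [14/Aug/2020:12:50:58 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "http://192.168.80.101/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36"',
    '192.168.80.50 - - [14/Aug/2020:13:01:02 +0800] "GET / HTTP/1.1" 401 381 "-" "curl/7.29.0"',
    '192.168.80.50 - wang [14/Aug/2020:13:01:05 +0800] "GET / HTTP/1.1" 401 381 "-" "curl/7.29.0"',
    '192.168.80.50 - wang [14/Aug/2020:13:01:07 +0800] "GET / HTTP/1.1" 401 381 "-" "scanner \\"v1\\""',
    '192.168.80.1 - lu [14/Aug/2020:13:02:00 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"',
]

if __name__ == "__main__":
    print(basic_auth_failures(SAMPLE_LOG))
```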

ErrorLog: the error log

https://httpd.apache.org/docs/2.4/mod/core.html#errorlogformat

Log rotation

rotatelogs

A log tool bundled with httpd; it rotates log files by time or by size, and can truncate them;

By default the log file is not created immediately when the process starts, but only when the first request arrives; the -f option changes this so that the file is created at start-up;

When a time- or size-based rotation point is reached but no requests are arriving, by default no rotation happens until the next request arrives; the -c option changes this behaviour;

Usage: rotatelogs [-v] [-l] [-L linkname] [-p prog] [-f] [-t] [-e] [-c] [-n number] <logfile> {<rotation time in seconds>|<rotation size>(B|K|M|G)} [offset minutes from UTC]



The -n option
-n number-of-files
              Use  a circular list of filenames without timestamps. With -n 3, the series
              of log files opened would  be  "logfile",  "logfile.1",  "logfile.2",  then
              overwriting "logfile".


  rotationtime
              The  time between log file rotations in seconds. The rotation occurs at the
              beginning of this interval. For example, if the rotation time is 3600,  the
              log  file  will  be rotated at the beginning of every hour; if the rotation
              time is 86400, the log file will be rotated every night at midnight. (If no
              data is logged during an interval, no file will be created.)

See man 8 rotatelogs for more usage;

e.g.:
Respectively: rotation by time, rotation by time with a timestamp suffix on the log file name, and rotation by size
CustomLog "|/usr/sbin/rotatelogs /var/logs/logfile 86400" common
CustomLog "|/usr/sbin/rotatelogs /var/logs/logfile.%Y.%m.%d 86400" common
CustomLog "|/usr/sbin/rotatelogs /var/logs/logfile 5M" common

Time modifiers:

The commonly used ones are year, month, day, hour, minute and second;

cronolog

1. Configure the EPEL repository

2. Install it with yum
yum install -y cronolog

3. Simply reference the command in the CustomLog definition

e.g.:
CustomLog "|/usr/sbin/cronolog logs/%Y/%m/%d/access.log" combined
It uses a path relative to ServerRoot; unlike rotatelogs, it uses directories named by year, month and day to tell the rotated log files apart; when the rotation time arrives but no request has come in, no new file is created;

It does not support truncating log files;

It has a symlink feature: the link is automatically updated to point at the current rotated file, which makes access convenient;
e.g.:
CustomLog "|/usr/sbin/cronolog --symlink=/var/logs/logfile logs/%Y/%m/%d/%h/%m/%s" combined

Suppose the date is 2020-08-15 and cronolog's rotation format is year/month/day, rotating once a day;
Day 1:
	first create the 2020 folder, which does not exist yet;
	then create the 08 folder, which does not exist yet;
	then create the 15 folder, which does not exist yet;
	create access.log
Day 2:
	2020 does not need creating
	08 does not need creating
	16 has to be created
	create access.log
and so on;


When cronolog receives no requests it does not create a new file, even if the rotation time has passed; with one rotation per day,
if there are requests on the 15th, none for the following 3 days, and requests again on the 4th day, the files for those 3 days are skipped and never created;

Path mapping and redirection

Processing order

Redirects are processed before path mappings; rules of the same type are matched in the order they appear, and once a rule matches and is applied the remaining ones are skipped; provided by the mod_alias module;

ScriptAlias is the same as Alias, but dedicated to mapping the paths of CGI programs;

  1. Redirect, RedirectMatch
  2. Alias, AliasMatch

Path mapping: Alias and AliasMatch

What Alias path mapping does: map the requested URI to a filesystem path on the host where httpd runs

Alias syntax: Alias URI local-filesystem-path,

Alias maps a URL path to a path in the local root filesystem and is not confined to DocumentRoot; remember to open up the directory: first, a Directory definition; second, the actual filesystem permissions of the user httpd runs as;

e.g. 1:
Alias "/image" "/data/html/image"

e.g. 2:
AliasMatch "^/image(.*)" "/data/html/image$1"

When a trailing / is added, the two sides must match each other
e.g. 3:
Alias "/image/" "/data/html/image/"

---
After configuring the path mapping, open access to the corresponding directory [and the httpd user's filesystem permissions, otherwise use chmod and the like]
Alias "/image" "/data/html/image"
<Directory "/data/html/image">
	Require all granted
</Directory>

---
When the mapping is done inside a Location section, as below, the Location gives the URL path and only the target path is added:
<Location "/image">
	Alias "/data/html/image"
</Location>

Redirection: Redirect and RedirectMatch

What Redirect does: when a web resource has moved, redirect the old URI to the new one; redirects are divided into internal and external redirects;

When a resource has moved but the client still requests the old URL path, the server sends back a redirect response so that the client requests the new URL path instead [since it is a new URL path, it is not limited to this host: any URL, including any other URL on the Internet, can be the redirect target]

Redirect [status] old-url new-url

Both URLs must be absolute paths starting with /; new-url may also be a full URL including the domain name;

e.g. 1:
Redirect "/image" "https://www.baidu.com"
redirects to a different site with its full domain name;

e.g. 2:
Redirect "/image" "/img"
redirects to the /img URL path on the same host;

---
If the status parameter is not given, the default is 302, a temporary redirect;

permanent 301 permanent redirect
temp 302 temporary redirect, the default
gone 410 the resource has been permanently removed; the new-url parameter is not used;
seeother 303 the resource has been replaced


---
Inside a Location section only new-url is given, since the Location already supplies old-url
<Location "/img">
	Redirect permanent "https://www.baidu.com"
</Location>
<Location "/gif">
	Redirect 302 "/png"
</Location>
# inside LocationMatch the target is an expression, and a named capture group is exposed
# as the environment variable MATCH_<NAME> (httpd 2.4.19 or later); a literal "(.*)" in
# the target would not be expanded
<LocationMatch "^/png/(?<rest>.*)">
	Redirect permanent "/gif/%{env:MATCH_REST}"
</LocationMatch>
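To illustrate the processing order and the trailing-slash matching rule described above, here is an added Python model of mod_alias (example code written for these notes, not httpd's implementation): Redirect rules are checked before Alias rules regardless of where they appear in the configuration, prefixes match on whole path segments, and the status keywords map to the codes listed above. The DocumentRoot and rules in the test are constructed.

```python
import re
REDIRECT_STATUS = {"permanent": 301, "temp": 302, "seeother": 303, "gone": 410}

def _prefix_match(uri, prefix):
    """mod_alias-style prefix match: "/image" matches "/image" and "/image/x" but not
    "/images"; a prefix ending in "/" only matches URIs that also have that slash."""
    if not uri.startswith(prefix):
        return -1
    if prefix.endswith("/") or len(uri) == len(prefix) or uri[len(prefix)] == "/":
        return len(prefix)
    return -1

class ModAlias:
    """Model of mod_alias: every Redirect/RedirectMatch is tried (in config order) before
    any Alias/AliasMatch, and the first matching rule ends processing."""
    def __init__(self, document_root):
        self.document_root = document_root.rstrip("/")
        self.redirects, self.aliases = [], []
    def redirect(self, old_url, new_url=None, status="temp"):
        self.redirects.append(("prefix", old_url, new_url, int(REDIRECT_STATUS.get(status, status))))
    def redirect_match(self, regex, new_url=None, status="temp"):
        self.redirects.append(("regex", re.compile(regex), new_url, int(REDIRECT_STATUS.get(status, status))))
    def alias(self, url_path, fs_path):
        self.aliases.append(("prefix", url_path, fs_path))
    def alias_match(self, regex, fs_path):
        self.aliases.append(("regex", re.compile(regex), fs_path))

    @staticmethod
    def _apply(kind, pattern, target, uri):
        """Return (matched, expanded target); the rest of a prefix match is appended to the target."""
        if kind == "prefix":
            n = _prefix_match(uri, pattern)
            return (n >= 0, target + uri[n:] if n >= 0 and target else None)
        m = pattern.match(uri)
        if not m:
            return (False, None)
        # Apache writes back-references as $1; convert to \1 for re.Match.expand
        return (True, m.expand(re.sub(r"\$(\d)", r"\\\1", target)) if target else None)

    def resolve(self, uri):
        for kind, pattern, target, status in self.redirects:
            hit, location = self._apply(kind, pattern, target, uri)
            if hit:
                return ("redirect", status, location)      # gone (410) carries no Location
        for kind, pattern, target in self.aliases:
            hit, path = self._apply(kind, pattern, target, uri)
            if hit:
                return ("file", path)
        return ("file", self.document_root + uri)          # plain DocumentRoot lookup
```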

Combining Location with Alias and Redirect

Alias syntax:

Alias URI-path local-filesystem-path

Redirect syntax:

Redirect status old-URI-path new-URI-path

**When combined with Location:** the first URI path argument moves inside the Location section;

Alias:

<Location "URI-path">
	Alias local-filesystem-path
</Location>

Redirect:

<Location "old-URI-path">
	Redirect status new-URI-path
</Location>

HTTPS configuration

Reference: http://httpd.apache.org/docs/2.4/ssl/

Implemented by mod_ssl

[root@host3 ~]# curl https://192.168.80.102
curl: (7) Failed connect to 192.168.80.102:443; Connection refused

# HTTPS access is not supported by default
# Install the mod_ssl package, which includes the shared library, a configuration file, and a self-signed key and certificate
# After a restart, HTTPS is available
[root@host3 ~]# yum install -y mod_ssl

[root@host3 ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.modules.d/00-ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/usr/libexec/httpd-ssl-pass-dialog
/var/cache/httpd/ssl

[root@host3 ~]# systemctl restart httpd
[root@host3 ~]# curl https://192.168.80.102
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html
updated 2020-10-16