- A+
所属分类:linux技术
Httpd
1.httpd简介
httpd是Apache超文本传输协议(HTTP)服务器的主程序。被设计为一个独立运行的后台进程,它会建立一个处理请求的子进程或线程的池。
通常,httpd不应该被直接调用,而应该在类Unix系统中由apachectl调用,在Windows中作为服务运行。
2.httpd的特性
httpd有很多特性,下面就分别来说说httpd-2.2版本和httpd-2.4版本各自的特性。
| 版本 | 特性 |
|---|---|
| 2.2 | 事先创建进程 按需维持适当的进程 模块化设计,核心比较小,各种功能通过模块添加(包括PHP),支持运行时配置,支持单独编译模块 支持多种方式的虚拟主机配置,如基于ip的虚拟主机,基于端口的虚拟主机,基于域名的虚拟主机等 支持https协议(通过mod_ssl模块实现) 支持用户认证 支持基于IP或域名的ACL访问控制机制 支持每目录的访问控制(用户访问默认主页时不需要提供用户名和密码,但是用户访问某特定目录时需要提供用户名和密码) 支持URL重写 支持MPM(Multi Path Modules,多处理模块)。用于定义httpd的工作模型(单进程、单进程多线程、多进程、多进程单线程、多进程多线程) |
| 2.4 | httpd-2.4的新特性: MPM支持运行DSO机制(Dynamic Share Object,模块的动态装/卸载机制),以模块形式按需加载 支持event MPM,eventMPM模块生产环境可用 支持异步读写 支持每个模块及每个目录分别使用各自的日志级别 每个请求相关的专业配置,使用 |
| 工作模型 | 工作方式 |
|---|---|
| prefork | 多进程模型,预先生成进程,一个请求用一个进程响应 一个主进程负责生成n个子进程,子进程也称为工作进程 每个子进程处理一个用户请求,即使没有用户请求,也会预先生成多个空闲进程,随时等待请求到达,最大不会超过1024个 |
| worker | 基于线程工作,一个请求用一个线程响应(启动多个进程,每个进程生成多个线程) |
| event | 基于事件的驱动,一个进程处理多个请求 |
2.1httpd2.4版本型新添加的模块
添加了之后常用的几个模块
| 模块 | 功能 |
|---|---|
| mod_proxy_fcgi | 反向代理时支持apache服务器后端协议的模块 |
| mod_ratelimit | 提供速率限制功能的模块 |
| mod_remoteip | 基于ip的访问控制机制被改变,不再支持使用Order,Deny,Allow来做基于IP的访问控制 |
3.httpd基础
3.1httpd自带的工具程序
| 工具 | 功能 |
|---|---|
| htpasswd | basic认证基于文件实现时,用到的帐号密码生成工具 |
| apachectl | httpd自带的服务控制脚本,支持start,stop,restart |
| apxs | 由httpd-devel包提供的,扩展httpd使用第三方模块的工具 |
| rotatelogs | 日志滚动工具 |
| suexec | 访问某些有特殊权限配置的资源时,临时切换至指定用户运行的工具 |
| ab | apache benchmark,httpd的压力测试工具 |
3.2 rpm包安装的httpd程序环境
| 文件/目录 | 对应的功能 |
|---|---|
| /var/log/httpd/access.log | 访问日志 |
| /var/log/httpd/error_log | 错误日志 |
| /var/www/html/ | 站点文档目录 |
| /usr/lib64/httpd/modules/ | 模块文件路径 |
| /etc/httpd/conf/httpd.conf | 主配置文件 |
| /etc/httpd/conf.modules.d/*.conf | 模块配置文件 |
| /etc/httpd/conf.d/*.conf | 辅助配置文件 |
4.web相关的命令
curl命令
curl是基于URL语法在命令行方式下工作的文件传输工具,它支持FTP,FTPS,HTTP,HTTPS,GOPHER,TELNET,DICT,FILE及LDAP等协议。
curl支持以下功能:
- https认证
- http的POST/PUT等方法
- ftp上传
- kerberos认证
- http上传
- 代理服务器
- cookies
- 用户名/密码认证
- 下载文件断点续传
- socks5代理服务器
- 通过http代理服务器上传文件到ftp服务器
//语法:curl [options] [URL ...] //常用的options: -A/--user-agent <string> //设置用户代理发送给服务器 -basic //使用Http基本认证 --tcp-nodelay //使用TCP_NODELAY选项 -e/--referer <URL> //来源网址 --cacert <file> //CA证书(SSL) --compressed //要求返回时压缩的格式 -H/--header <line> //自定义请求首部信息传递给服务器 -I/--head //只显示响应报文首部信息 --limit-rate <rate> //设置传输速度 -u/--user <user[:password]> //设置服务器的用户和密码 -0/--http1 //使用http 1.0版本,默认使用1.1版本。这个选项是数字0而不是字母o -o/--output //把输出写到文件中 -#/--progress-bar //进度条显示当前的传送状态 httpd命令
//语法:httpd [options] //常用的options: -l //查看静态编译的模块,列出核心中编译了哪些模块。 //它不会列出使用LoadModule指令动态加载的模块 -M //输出一个已经启用的模块列表,包括静态编译在服务 //器中的模块和作为DSO动态加载的模块 -v //显示httpd的版本,然后退出 -V //显示httpd和apr/apr-util的版本和编译参数,然后退出 -X //以调试模式运行httpd。仅启动一个工作进程,并且 //服务器不与控制台脱离 -t //检查配置文件是否有语法错误 命令演示
[root@localhost ~]# httpd -t Syntax OK [root@localhost ~]# httpd -l Compiled in modules: core.c mod_so.c http_core.c [root@localhost ~]# httpd -M Loaded Modules: core_module (static) so_module (static) http_module (static) access_compat_module (shared) actions_module (shared) alias_module (shared) allowmethods_module (shared) [root@localhost ~]# httpd -v //小写v Server version: Apache/2.4.37 (centos) Server built: Nov 12 2021 04:57:27 [root@localhost ~]# httpd -V //大写V Server version: Apache/2.4.37 (centos) Server built: Nov 12 2021 04:57:27 Server's Module Magic Number: 20120211:83 Server loaded: APR 1.6.3, APR-UTIL 1.6.1 Compiled using: APR 1.6.3, APR-UTIL 1.6.1 Architecture: 64-bit Server MPM: event threaded: yes (fixed thread count) forked: yes (variable process count) 5.httpd常用的配置文件
NAME有三种,分别是:
- prefork
- event
- worker
配置文件位置:
[root@localhost conf.modules.d]# pwd /etc/httpd/conf.modules.d [root@localhost conf.modules.d]# ls 00-base.conf 00-lua.conf 00-proxy.conf 01-cgi.conf 00-dav.conf 00-mpm.conf 00-systemd.conf [root@localhost conf.modules.d]# vim 00-mpm.conf # Select the MPM module which should be used by uncommenting exactly # one of the following LoadModule lines: # prefork MPM: Implements a non-threaded, pre-forking web server # See: http://httpd.apache.org/docs/2.4/mod/prefork.html LoadModule mpm_prefork_module modules/mod_mpm_prefork.s 访问控制法则:
| 法则 | 功能 |
|---|---|
| Require all granted | 允许所有主机访问 |
| Require all deny | 拒绝所有主机访问 |
| Require ip IPADDR | 授权指定来源地址的主机访问 |
| Require not ip IPADDR | 拒绝指定来源地址的主机访问 |
| Require host HOSTNAME | 授权指定来源主机名的主机访问 |
| Require not host HOSTNAME | 拒绝指定来源主机名的主机访问 |
| IPADDR的类型 | HOSTNAME的类型 |
|---|---|
| IP:192.168.1.1 Network/mask:192.168.1.0/255.255.255.0 Network/Length:192.168.1.0/24 Net:192.168 |
FQDN:特定主机的全名 DOMAIN:指定域内的所有主机 |
注意:httpd-2.4版本默认是拒绝所有主机访问的,所以安装以后必须做显示授权访问
配置文件示例
<Directory "/var/www/html/www"> <RequireAll> Require not ip 192.168.111.1 Require all granted </RequireAll> </Directory> 4.编译安装httpd
1.准备环境
[root@localhost ~]# dnf -y groupinstall "Development Tools" --allowerasing Failed to set locale, defaulting to C.UTF-8 Last metadata expiration check: 0:03:34 ago on Tue Jul 12 22:42:38 2022. Dependencies resolved. =============================================================================================================== Package Arch Version Repository Size =============================================================================================================== Installing group/module packages: Complete! [root@localhost ~]# useradd -rMs /sbin/nologin apache [root@localhost ~]# id apache uid=994(apache) gid=991(apache) groups=991(apache) [root@localhost ~]# dnf -y install wget [root@localhost ~]# dnf -y install openssl-devel pcre-devel expat-devel libtool libxml2-devel [root@localhost ~]# dnf -y install gcc gcc-c++ [root@localhost ~]# dnf -y install make 2.下载 apr apr-util httpd
[root@localhost ~]# wget http://mirrors.aliyun.com/apache/apr/apr-1.7.0.tar.gz --2022-07-12 22:50:06-- http://mirrors.aliyun.com/apache/apr/apr-1.7.0.tar.gz Resolving mirrors.aliyun.com (mirrors.aliyun.com)... 58.49.248.230, 58.49.248.232, 119.96.204.214, ... Connecting to mirrors.aliyun.com (mirrors.aliyun.com)|58.49.248.230|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1093896 (1.0M) [application/octet-stream] Saving to: 'apr-1.7.0.tar.gz' apr-1.7.0.tar.gz 100%[==========================================>] 1.04M --.-KB/s in 0.06s 2022-07-12 22:50:06 (18.4 MB/s) - 'apr-1.7.0.tar.gz' saved [1093896/1093896] [root@localhost ~]# wget https://mirrors.aliyun.com/apache/apr/apr-util-1.6.1.tar.gz --2022-07-12 22:50:49-- https://mirrors.aliyun.com/apache/apr/apr-util-1.6.1.tar.gz Resolving mirrors.aliyun.com (mirrors.aliyun.com)... 58.49.248.229, 119.96.204.215, 58.49.248.226, ... Connecting to mirrors.aliyun.com (mirrors.aliyun.com)|58.49.248.229|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 554301 (541K) [application/octet-stream] Saving to: 'apr-util-1.6.1.tar.gz' apr-util-1.6.1.tar.gz 100%[==========================================>] 541.31K --.-KB/s in 0.04s 2022-07-12 22:50:49 (14.6 MB/s) - 'apr-util-1.6.1.tar.gz' saved [554301/554301] [root@localhost ~]# wget https://mirrors.aliyun.com/apache/httpd/httpd-2.4.54.tar.gz --2022-07-12 22:51:06-- https://mirrors.aliyun.com/apache/httpd/httpd-2.4.54.tar.gz Resolving mirrors.aliyun.com (mirrors.aliyun.com)... 58.49.248.229, 119.96.204.215, 58.49.248.226, ... Connecting to mirrors.aliyun.com (mirrors.aliyun.com)|58.49.248.229|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 9743277 (9.3M) [application/octet-stream] Saving to: 'httpd-2.4.54.tar.gz' httpd-2.4.54.tar.gz 100%[==========================================>] 9.29M 39.8MB/s in 0.2s 2022-07-12 22:51:07 (39.8 MB/s) - 'httpd-2.4.54.tar.gz' saved [9743277/9743277] [root@localhost ~]# ls anaconda-ks.cfg apr-1.7.0.tar.gz apr-util-1.6.1.tar.gz httpd-2.4.54.tar.gz 3.解压apr apr-util httpd
[root@localhost ~]# tar -xf apr-util-1.6.1.tar.gz -C /usr/local/src/ [root@localhost ~]# tar -xf httpd-2.4.54.tar.gz -C /usr/local/src/ [root@localhost ~]# tar -xf apr-1.7.0.tar.gz -C /usr/local/src/ [root@localhost ~]# ls /usr/local/src/ apr-1.7.0 apr-util-1.6.1 httpd-2.4.54 4.安装apr apr-util httpd
安装apr
[root@localhost ~]# cd /usr/local/src/apr-1.7.0/ [root@localhost apr-1.7.0]# vi configure cfgfile=${ofile}T trap "$RM "$cfgfile"; exit 1" 1 2 15 #$RM "$cfgfile" //注释这行 [root@localhost apr-1.7.0]# ./configure --prefix=/usr/local/apr [root@localhost apr-1.7.0]# make && make install [root@localhost apr-1.7.0]# ls /usr/local/apr/ bin build-1 include lib 安装apr-util
[root@localhost apr-util-1.6.1]# cd /usr/local/src/apr-util-1.6.1/ [root@localhost apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr/ [root@localhost apr-util-1.6.1]# make && make install [root@localhost apr-util-1.6.1]# ls /usr/local/apr-util/ bin include lib 安装httpd
[root@localhost httpd-2.4.54]# cd /usr/local/src/httpd-2.4.54/ [root@localhost httpd-2.4.54]# ./configure --prefix=/usr/local/apache --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-zlib --with-pcre --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util/ --enable-modules=most --enable-mpms-shared=all --with-rpm=prefork [root@localhost httpd-2.4.54]# make && make install [root@localhost httpd-2.4.54]# ls /usr/local/apache/ bin cgi-bin error icons logs manual build conf htdocs include man modules 5.配置环境变量
[root@localhost ~]# echo 'export PATH=/usr/local/apache/bin:$PATH' > /etc/profile.d/apache.sh [root@localhost ~]# source /etc/profile.d/apache.sh [root@localhost ~]# which apachectl /usr/local/apache/bin/apachectl [root@localhost ~]# ln -s /usr/local/apache/include/ /usr/include/apache [root@localhost ~]# ll /usr/include/ | grep apache lrwxrwxrwx. 1 root root 26 Jul 12 23:15 apache -> /usr/local/apache/include/ [root@localhost ~]# vi /etc/man_db.conf //使apache的man生效 #MANDATORY_MANPATH /usr/src/pvm3/man # MANDATORY_MANPATH /usr/man MANDATORY_MANPATH /usr/share/man MANDATORY_MANPATH /usr/local/share/man MANDATORY_MANPATH /usr/local/apache/man //添加此行 6.关闭防火墙和selinux服务
[root@localhost ~]# systemctl stop firewalld [root@localhost ~]# systemctl disable firewalld Removed /etc/systemd/system/multi-user.target.wants/firewalld.service. Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. [root@localhost ~]# setenforce 0 7.开启apache服务,并看出是否能访问
8.取消警告信息
[root@localhost ~]# cd /usr/local/apache/ [root@localhost apache]# ls bin cgi-bin error icons logs manual build conf htdocs include man modules [root@localhost apache]# cd conf/ [root@localhost conf]# ls extra httpd.conf magic mime.types original [root@localhost conf]# vi httpd.conf #ServerName www.example.com:80 //删除注释 [root@localhost conf]# apachectl start //此时没有警告 [root@localhost conf]# ss -anlt State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 128 0.0.0.0:22 0.0.0.0:* LISTEN 0 128 *:80 *:* LISTEN 0 128 [::]:22 [::]:*
9.使用systemctl命令使用httpd
[root@localhost ~]# cd /usr/lib/systemd/system [root@localhost system]# ls sshd.service sshd.service [root@localhost system]# cp sshd.service httpd.service [root@localhost system]# vi httpd.service [Unit] Description=OpenSSH server daemon //修改成Description=httpd server daemon Documentation=man:sshd(8) man:sshd_config(5) //删除 After=network.target sshd-keygen.target Wants=sshd-keygen.target //删除 [Service] Type=notify //修改成Type=forking EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config //删除 EnvironmentFile=-/etc/sysconfig/sshd //删除 ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY //修改成ExecStart=/usr/local/apache/bin/apachectl start ExecStop=/usr/local/apache/bin/apachectl stop //添加此行用作停止 ExecReload=/bin/kill -HUP $MAINPID KillMode=process //删除 Restart=on-failure //删除 RestartSec=42s //删除 [Install] WantedBy=multi-user.target [root@localhost system]# cat httpd.service [Unit] Description=httpd server daemon After=network.target sshd-keygen.target [Service] Type=forking ExecStart=/usr/local/apache/bin/apachectl start ExecStop=/usr/local/apache/bin/apachectl stop ExecReload=/bin/kill -HUP $MAINPID [Install] WantedBy=multi-user.target [root@localhost system]# systemctl daemon-reload [root@localhost system]# cd [root@localhost ~]# systemctl status httpd ● httpd.service - httpd server daemon Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; ven> Active: inactive (dead) lines 1-3/3 (END) [root@localhost ~]# systemctl start httpd [root@localhost ~]# ss -anlt //查看80端口已开启 State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 128 0.0.0.0:22 0.0.0.0:* LISTEN 0 128 *:80 *:* LISTEN 0 128 [::]:22 [::]:* [root@localhost ~]# systemctl status httpd ● httpd.service - httpd server daemon Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; ven> Active: active (running) since Wed 2022-07-13 19:26:50 CST; 7s ago Process: 145364 ExecStart=/usr/local/apache/bin/apachectl start (code> Main PID: 145367 (httpd) Tasks: 82 (limit: 23457) Memory: 21.6M CGroup: /system.slice/httpd.service ├─145367 /usr/local/apache/bin/httpd -k start ├─145368 /usr/local/apache/bin/httpd -k start ├─145369 /usr/local/apache/bin/httpd -k start └─145370 /usr/local/apache/bin/httpd -k start Jul 13 19:26:50 localhost.localdomain systemd[1]: Starting httpd server> Jul 13 19:26:50 localhost.localdomain systemd[1]: Started httpd server >
5.访问控制权限
访问当前虚拟机的IP
[root@localhost ~]# dnf -y install httpd [root@localhost ~]# cd /var/www/html/ [root@localhost html]# ls [root@localhost html]# echo "123" > index.html [root@localhost html]# systemctl restart httpd [root@localhost html]# systemctl stop firewalld [root@localhost html]# systemctl disable firewalld Removed /etc/systemd/system/multi-user.target.wants/firewalld.service. Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. [root@localhost html]# setenforce 0
在/var/www/html下新建一个zxr目录,在zxr目录下创建一个a.html文件,进行访问测试
[root@localhost ~]# cd /var/www/html/ [root@localhost html]# ls index.html [root@localhost html]# mkdir zxr [root@localhost html]# ls index.html zxr [root@localhost html]# cd zxr/ [root@localhost zxr]# echo "abc" > a.html [root@localhost zxr]# ls a.html [root@localhost zxr]# systemctl restart httpd
设置物理机不允许访问/var/www/html/zxr/a.html
[root@localhost ~]# vi /etc/httpd/conf/httpd.conf <Directory "/var/www/html/zxr"> <RequireAll> Require not ip 192.168.111.1 Require all granted </RequireAll> </Directory> [root@localhost ~]# httpd -t Syntax OK [root@localhost ~]# systemctl restaer httpd [root@localhost ~]# curl http://192.168.111.135 123 [root@localhost ~]# curl http://192.168.111.135/zxr/a.html abc
设置物理机可以访问虚拟机访问不了
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf <Directory "/var/www/html/zxr"> <RequireAll> Require not ip 192.168.111.135 Require all granted </RequireAll> </Directory> [root@localhost ~]# httpd -t Syntax OK [root@localhost ~]# curl http://192.168.111.135/zxr/a.html //访问失败 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access this resource.</p> </body></html>
6.配置三种不同的虚拟主机
虚拟主机有三类:
- 相同IP不同端口
- 不同IP相同端口
- 相同IP相同端口不同域名
6.1 配置相同IP不同端口
先将需要使用的上传到/var/www/html下
[root@localhost ~]# dnf -y install httpd [root@localhost ~]# find / -name *vhosts.conf /usr/share/doc/httpd/httpd-vhosts.conf [root@localhost ~]# cd /etc/httpd/ [root@localhost httpd]# ls conf conf.d conf.modules.d logs modules run state [root@localhost httpd]# cd conf.d/ [root@localhost conf.d]# ls README autoindex.conf userdir.conf welcome.conf [root@localhost conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf /etc/httpd/conf.d/ [root@localhost conf.d]# ls README autoindex.conf httpd-vhosts.conf userdir.conf welcome.conf [root@localhost conf.d]# cd /var/www/html/ [root@localhost html]# ls doudizhu.zip zhuawawaji.zip //需要将自己要使用的上传至文件夹内 [root@localhost html]# dnf -y install unzip //没有unzip解压需要下载一个 [root@localhost html]# unzip doudizhu.zip [root@localhost html]# unzip zhuawawaji.zip [root@localhost html]# ls doudizhu.zip 'HTML5 canvas移动端斗地主小游戏' jQuery抓娃娃机游戏代码 zhuawawaji.zip [root@localhost html]# rm -rf doudizhu.zip zhuawawaji.zip [root@localhost html]# ls 'HTML5 canvas移动端斗地主小游戏' jQuery抓娃娃机游戏代码 [root@localhost html]# mkdir doudizhu zhuawawaji [root@localhost html]# mv 'HTML5 canvas移动端斗地主小游戏'/* doudizhu/ [root@localhost html]# cd doudizhu/ [root@localhost doudizhu]# ls DJDDZ.js img index.html JControls.js Prototype.js ResourceData.js [root@localhost html]# mv jQuery抓娃娃机游戏代码/* zhuawawaji/ [root@localhost html]# cd zhuawawaji/ [root@localhost zhuawawaji]# ls images img index.html js [root@localhost html]# ls doudizhu 'HTML5 canvas移动端斗地主小游戏' jQuery抓娃娃机游戏代码 zhuawawaji [root@localhost html]# rm -rf jQuery抓娃娃机游戏代码 HTML5 canvas移动端斗地主小游戏/ [root@localhost html]# ls doudizhu zhuawawaji [root@localhost html]# cd /etc/httpd/conf.d/ [root@localhost conf.d]# vim httpd-vhosts.conf //修改配置文件 <VirtualHost 192.168.111.135:80> DocumentRoot "/var/www/html/zhuawawaji" ServerName www.zhuawawaji.com ErrorLog "/var/log/httpd/www.zhuawawaji.com-error_log" CustomLog "/var/log/httpd/www.zhuawawaji.com-access_log" common </VirtualHost> listen 81 <VirtualHost 192.168.111.135:81> DocumentRoot "/var/www/html/doudizhu" ServerName www.doudizhu.com ErrorLog "/var/log/httpd/www.doudizhu.com-error_log" CustomLog "/var/log/httpd/doudizhu.com-access_log" common </VirtualHost> [root@localhost conf.d]# httpd -t Syntax OK [root@localhost conf.d]# systemctl stop firewalld //没关闭防火墙需要关闭防火墙 [root@localhost conf.d]# systemctl disable firewalld Removed /etc/systemd/system/multi-user.target.wants/firewalld.service. Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. [root@localhost conf.d]# systemctl restart httpd
查看效果
6.2 配置不同IP相同端口
[root@localhost conf.d]# ip addr add 192.168.111.140/24 dev ens33 [root@localhost conf.d]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:6d:53:62 brd ff:ff:ff:ff:ff:ff inet 192.168.111.135/24 brd 192.168.111.255 scope global dynamic noprefixroute ens33 valid_lft 1088sec preferred_lft 1088sec inet 192.168.111.140/24 scope global secondary ens33 //添加成功 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fe6d:5362/64 scope link noprefixroute valid_lft forever preferred_lft forever <VirtualHost 192.168.111.135:80> DocumentRoot "/var/www/html/zhuawawaji" ServerName www.zhuawawaji.com ErrorLog "/var/log/httpd/www.zhuawawaji.com-error_log" CustomLog "/var/log/httpd/www.zhuawawaji.com-access_log" common </VirtualHost> [root@localhost conf.d]# vim httpd-vhosts.conf <VirtualHost 192.168.111.140:80> DocumentRoot "/var/www/html/doudizhu" ServerName www.doudizhu.com ErrorLog "/var/log/httpd/www.doudizhu.com-error_log" CustomLog "/var/log/httpd/doudizhu.com-access_log" common </VirtualHost> [root@localhost conf.d]# httpd -t Syntax OK [root@localhost conf.d]# systemctl restart httpd
查看效果
6.3 配置相同IP相同端口不同域名
windows hosts文件位置:
C:windowssystem32driversetc下
打开方式选择记事本
添加IP和域名并保存
[root@localhost conf.d]# dnf -y install bind-utils [root@localhost conf.d]# vim httpd-vhosts.conf <VirtualHost 192.168.111.135:80> DocumentRoot "/var/www/html/zhuawawaji" ServerName www.zhuawawaji.com ErrorLog "/var/log/httpd/www.zhuawawaji.com-error_log" CustomLog "/var/log/httpd/www.zhuawawaji.com-access_log" common </VirtualHost> <VirtualHost 192.168.111.135:80> DocumentRoot "/var/www/html/doudizhu" ServerName www.doudizhu.com ErrorLog "/var/log/httpd/www.doudizhu.com-error_log" CustomLog "/var/log/httpd/doudizhu.com-access_log" common </VirtualHost> [root@localhost conf.d]# httpd -t Syntax OK [root@localhost conf.d]# systemctl restart httpd
查看效果
6.4 添加访问权限
[root@localhost conf.d]# vim httpd-vhosts.conf <Directory /var/www/html/zhuawawaji> <RequireAll> Require not ip 192.168.111.1 Require all granted </RequireAll> </Directory> [root@localhost conf.d]# httpd -t Syntax OK [root@localhost conf.d]# systemctl restart httpd
查看效果
7.配置https
7.1 安装ssl安全模块
[root@localhost ~]# dnf -y install mod_ssl Last metadata expiration check: 0:36:22 ago on Sat 23 Jul 2022 03:23:44 PM CST. Dependencies resolved. =========================================================================================================================== Package Architecture Version Repository Size =========================================================================================================================== Installing: mod_ssl x86_64 1:2.4.37-43.module_el8.5.0+1022+b541f3b1 AppStream 136 k Installing dependencies: sscg x86_64 2.3.3-14.el8 AppStream 49 k Transaction Summary =========================================================================================================================== Install 2 Packages Total download size: 185 k Installed size: 364 k Downloading Packages: (1/2): sscg-2.3.3-14.el8.x86_64.rpm 109 kB/s | 49 kB 00:00 (2/2): mod_ssl-2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64.rpm 205 kB/s | 136 kB 00:00 --------------------------------------------------------------------------------------------------------------------------- Total 279 kB/s | 185 kB 00:00 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Installing : sscg-2.3.3-14.el8.x86_64 1/2 Installing : mod_ssl-1:2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64 2/2 Running scriptlet: mod_ssl-1:2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64 2/2 Verifying : mod_ssl-1:2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64 1/2 Verifying : sscg-2.3.3-14.el8.x86_64 2/2 Installed: mod_ssl-1:2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64 sscg-2.3.3-14.el8.x86_64 Complete! [root@localhost ~]# systemctl restart httpd [root@localhost ~]# httpd -M | grep ssl ssl_module (shared)
7.2 CA生成一对密钥
[root@localhost ~]# cd /etc/pki/ [root@localhost pki]# ls ca-trust java rpm-gpg rsyslog tls [root@localhost pki]# mkdir CA [root@localhost pki]# cd CA/ [root@localhost CA]# pwd /etc/pki/CA [root@localhost CA]# mkdir private [root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus (2 primes) ..................................................+++++ ...................+++++ e is 65537 (0x010001) [root@localhost CA]# openssl rsa -in private/cakey.pem -pubout writing RSA key -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4Rk5ctGrccaHpgdm9luZ ZKnskqUCjEVby2ftNgPiiPfvXaXZTVtydngnc8KJM3vUj+Ci2FlxTV28xiz+MTQJ 73M1eDwV4KG0Fh6H+vt9G7HPLpjt66vPPfQBnyjbUgxOL1rhRVeLRi86x9EV5NMF dhxjXk30dCbeluz+EXLnVjf2mYDDeF43ShngME56D1qU70+iJkopnV5AB1XkKEKw SmK13IHc/h1TfaoSuwHw8vNSJanz8Wk5vVG8uyJUDFCPg/eMuj59sSJue+1xZRkr vjbA6g7hkY5BIhSJiuv7yzmpHsEj4lD0et0c9+xgZCy21mkVlAcoQPe0chKgM7O0 MQIDAQAB -----END PUBLIC KEY-----
7.3 CA生成自签署证书
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:hb Locality Name (eg, city) [Default City]:wh Organization Name (eg, company) [Default Company Ltd]:runtime Organizational Unit Name (eg, section) []:peixun Common Name (eg, your name or your server's hostname) []:www.doudizhu.com Email Address []:[email protected] [root@localhost CA]# openssl x509 -text -in cacert.pem [root@localhost CA]# mkdir certs newcerts crl [root@localhost CA]# touch index.txt && echo 01 > serial [root@localhost CA]# ls cacert.pem certs crl index.txt newcerts private serial [root@localhost CA]# cat serial 01
7.4 客户端生成密钥
[root@localhost CA]# cd /etc/httpd && mkdir ssl && cd ssl [root@localhost ssl]# pwd /etc/httpd/ssl [root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 2048) Generating RSA private key, 2048 bit long modulus (2 primes) ...................................................................................+++++ ..........................+++++ e is 65537 (0x010001) [root@localhost ssl]# ls httpd.key
7.5 客户端生成证书签署请求
[root@localhost ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr Ignoring -days; not generating a certificate You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:hb Locality Name (eg, city) [Default City]:wu Organization Name (eg, company) [Default Company Ltd]:runtime Organizational Unit Name (eg, section) []:peixun Common Name (eg, your name or your server's hostname) []:www.duodizhu.com Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@localhost ssl]# ls httpd.csr httpd.key
7.6 CA签署客户端提交上来的证书
[root@localhost ssl]# openssl ca -in ./httpd.csr -out httpd.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Jul 23 08:37:51 2022 GMT Not After : Jul 23 08:37:51 2023 GMT Subject: countryName = cn stateOrProvinceName = hb organizationName = runtime organizationalUnitName = peixun commonName = www.duodizhu.com emailAddress = [email protected] X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 27:23:14:CB:51:6C:E0:8E:D8:8C:B1:D2:EF:BB:62:1F:EB:A1:97:E5 X509v3 Authority Key Identifier: keyid:C8:13:CA:71:2C:58:9B:16:6B:84:4F:71:41:9C:FA:B9:19:49:25:76 Certificate is to be certified until Jul 23 08:37:51 2023 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@localhost ssl]# ls httpd.crt httpd.csr httpd.key
7.7 修改ssl.conf配置文件
[root@localhost ssl]# pwd /etc/httpd/ssl [root@localhost ssl]# cd /etc/httpd/conf.d/ [root@localhost conf.d]# ls autoindex.conf httpd-vhosts.conf README ssl.conf userdir.conf welcome.conf [root@localhost conf.d]# vim ssl.conf <VirtualHost _default_:443> # General setup for the virtual host, inherited from global configuration DocumentRoot "/var/www/html/zhuawawaji" ServerName www.zhuawawaji.com:443 SSLCertificateFile /etc/httpd/ssl/httpd.crt //修改位置 SSLCertificateKeyFile /etc/httpd/ssl/httpd.key //修改位置 [root@localhost conf.d]# httpd -t Syntax OK [root@localhost conf.d]# systemctl restart httpd [root@localhost conf.d]# ss -anlt | grep 443 LISTEN 0 128 *:443 *:*
7.8 查看效果
