HTTP basic features
0.9: text only; method
1.0: non-persistent connections; method, MIME; weak caching
1.1: persistent connections; MIME, method; stronger caching
2.0: adopts the advantages of SPDY
New features in 2.4 compared with 2.2:
1. The MPM is no longer compiled into the core; check with httpd -M
2. The event MPM is production-ready in 2.4
3. Supports millisecond-level keep-alive (KeepAlive Off KeepAliveTimeout 0.01?)
4. Virtual hosts are configured directly; NameVirtualHost *:80 is no longer needed
5. Async I/O (the kernel decides when to write to disk: async)
6. Independent log level for each module and each directory
7. Per-request configuration
8. Enhanced expression parser; faster regular-expression parsing
9. Custom variables in the configuration file
Modules introduced in 2.4
mod_proxy_fcgi   // lets httpd talk to PHP over the FastCGI protocol
mod_ratelimit    // bandwidth rate limiting
mod_remoteip     // handling of the remote client IP address
Changed configuration mechanism in 2.4
Access-control directives changed:
Order, Deny from, Allow from  -->
<RequireAll>
    Require [not] ip|host ...
    Require all granted
    Require all denied
</RequireAll>
Installing httpd-2.4
httpd-2.4 depends on: apr-1.4+, apr-util-1.4+, [apr-iconv]
apr
Apache Portable Runtime
Different OS platforms expose different library interfaces, and only code that calls POSIX-conformant libraries can be compiled across platforms. The apr runtime hides those library differences (code that calls libraries outside the POSIX standard can still run across platforms), which is what lets httpd run on different OS platforms.
Compiling and installing httpd-2.4 on CentOS 6
The apr and apr-util shipped with CentOS 6 are version 1.3, so httpd-2.4 has to be compiled from source.
Using httpd-2.4 on CentOS 6 is not recommended: it is inconvenient for large-scale deployment unless you build your own RPM packages.
Development environment
# yum -y groupinstall "Development Tools" "Server Platform Development"
Get the source code from the ASF
Compile apr-1.4+
# tar xf apr-1.6.2.tar.bz2
# cd apr-1.6.2
# ./configure --prefix=/usr/local/apr
# make && make install
(--prefix=install path: makes uninstalling easy and avoids overwriting programs that are already installed)
Compile apr-util-1.4+
# tar xf apr-util-1.6.0.tar.gz
# cd apr-util-1.6.0
# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr/
# make && make install
(--with-<>=/path/to/somewhere: which already-installed package this build is linked against)
If make fails with
xml/apr_xml.c:35:19: error: expat.h: No such file or directory
xml/apr_xml.c:66: error: expected specifier-qualifier-list before ‘XML_Parser’
install the missing header package:
# yum -y install expat-devel
Note: if this error appears, after installing the package delete the apr-util-1.6.0 directory and compile again from scratch.
Compile httpd-2.4
Confirm the file layout of the installation directory
# ls /usr/local/httpd24/
bin  build  cgi-bin  error  htdocs  icons  include  logs  man  manual  modules
Export the PATH environment variable
Location: [global] /etc/profile.d/*.sh, [per-user] ~/.bash_profile
# vim /etc/profile.d/httpd24.sh
export PATH=/usr/local/httpd24/bin:$PATH
# . /etc/profile.d/httpd24.sh
Export the library files
Location: /etc/ld.so.conf.d/*.conf
# vim /etc/ld.so.conf.d/httpd24.conf
/usr/local/httpd24/lib
# ldconfig [-v]
Export the header files
Location: /usr/include/NAME
# ln -sv /usr/local/httpd24/include /usr/include/httpd24
Export the man pages
Location: /etc/man.config
# vim /etc/man.config
MANPATH /usr/man
MANPATH /usr/share/man
MANPATH /usr/local/man
MANPATH /usr/local/share/man
MANPATH /usr/X11R6/man
MANPATH /usr/local/httpd24/man   // the added entry
Add the apache user
* If the apache user already exists, skip this step...
# groupadd -r apache
# useradd -r -g apache apache
Install dependencies
# yum -y install pcre-devel
Compile
# tar xf httpd-2.4.27.tar.bz2
# cd httpd-2.4.27
# ./configure --prefix=/usr/local/httpd24 --sysconfdir=/etc/httpd24 --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-pcre --with-zlib --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --enable-modules=most --enable-mpms-shared=all --with-mpm=event
# make && make install
--prefix: install path; makes uninstalling easy and avoids overwriting programs that are already installed
--with-<>: which already-installed package this build is linked against
--sysconfdir=<>: avoids overwriting or conflicting with an existing configuration
--enable-so: DSO mechanism
--enable-ssl: SSL
--enable-rewrite: URL rewriting
--with-pcre: Perl-compatible regular expressions
--with-zlib: zlib provides compression libraries, enabling compressed transfer
--enable-modules: modules built as DSOs
--enable-mpms-shared: MPMs built as DSOs
--with-mpm: the default MPM
Test start
Check whether port 80 is already in use (a listening socket owns its port exclusively):
# ss -tnl
Start the service:
# apachectl start
# hash -p /usr/local/httpd24/bin/apachectl apachectl   // make sure it is the 2.4 httpd that gets started
Test:
# iptables -F
# setenforce 0
Installing httpd-2.4 on CentOS 7
CentOS 7 ships httpd-2.4 by default.
RPM install
# yum -y install httpd
Configuration files on CentOS 7
Configuration paths:
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/*.conf
Welcome page:
/etc/httpd/conf.d/welcome.conf
Module paths:
/etc/httpd/conf.modules.d/*.conf
/usr/lib64/httpd/modules/mod_mpm_event|prefork|worker
Basic use of httpd-2.4
Switching and viewing the MPM
View the modules compiled into the core:
# httpd -l
View the dynamically loaded modules together with those compiled into the core:
# httpd -M
mpm_event_module (shared)
Switching the module
Back up the configuration:
# cp -v /etc/httpd24/httpd.conf{,.bak}
Edit the configuration, comment out event.so and enable prefork or worker:
#LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
After leaving the editor:
# httpd -t
# apachectl restart
View the module
# httpd -M
mpm_prefork_module (shared)
Virtual hosts
Prepare the DocumentRoot and a default home page
# mkdir -p /vhosts/www
# echo "www.mykernel.cn" > /vhosts/www/index.html
Add the configuration
Back up the configuration:
# cp -v /etc/httpd24/extra/httpd-vhosts.conf{,.bak}
Add only the following to the configuration:
# vim /etc/httpd24/extra/httpd-vhosts.conf
<VirtualHost *:80>
    ServerName www.mykernel.cn
    DocumentRoot /vhosts/www
    ErrorLog logs/www.err
    CustomLog logs/www.access combined
    <Directory "/vhosts/www">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    <Location /server-status>
        SetHandler server-status
        Require all granted
    </Location>
    #ExtendedStatus On
</VirtualHost>
Note: Require all granted on /server-status makes the server's status page readable by every client; outside a lab, restrict that Location to administrative addresses.
Test and access
# httpd -t
# apachectl restart
Add the following line to the Windows hosts file (C:\Windows\System32\drivers\etc):
172.16.100.1 www.mykernel.cn
Enable the virtual hosts
# vim /etc/httpd24/httpd.conf
Comment out the central host:
#DocumentRoot "/usr/local/httpd24/htdocs"
# Virtual hosts
Include /etc/httpd24/extra/httpd-vhosts.conf
Configuring virtual hosts
Access control
Access from the local host (127.0.0.1)
Install text-mode browsing tools:
# yum -y install curl elinks telnet
# curl 172.16.100.1
www.mykernel.cn
# elinks --dump http://172.16.100.1
www.mykernel.cn
# telnet 172.16.100.1 80
Trying 172.16.100.1...
Connected to 172.16.100.1.
Escape character is '^]'.
GET / HTTP/1.1
Host: 172.16.100.1

HTTP/1.1 200 OK
Date: Sun, 10 Sep 2017 00:37:49 GMT
Server: Apache/2.4.27 (Unix)
Last-Modified: Sun, 10 Sep 2017 00:20:44 GMT
ETag: "10-558cac7f1211e"
Accept-Ranges: bytes
Content-Length: 16
Content-Type: text/html

www.mykernel.cn
Change the configuration file to deny access from the local host
# vim /etc/httpd24/extra/httpd-vhosts.conf
<RequireAll>
    Require all granted
    Require not ip 172.16.100.1
</RequireAll>
Test
# httpd -t
# apachectl restart
# curl -I 172.16.100.1
HTTP/1.1 403 Forbidden
Date: Sun, 10 Sep 2017 00:45:04 GMT
Server: Apache/2.4.27 (Unix)
Content-Type: text/html; charset=iso-8859-1
# elinks --dump 172.16.100.1
Forbidden
You don't have permission to access / on this server.
# telnet 172.16.100.1 80
Trying 172.16.100.1...
Connected to 172.16.100.1.
Escape character is '^]'.
GET / HTTP/1.1
Host: 172.16.100.1

HTTP/1.1 403 Forbidden
Date: Sun, 10 Sep 2017 00:46:02 GMT
Server: Apache/2.4.27 (Unix)
Content-Length: 209
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access / on this server.<br />
</p>
</body></html>
mod_ssl
Build your own CA
# dir=/etc/pki/CA
# touch $dir/index.txt
# echo "01" > $dir/serial
# (umask 077; openssl genrsa -out $dir/private/cakey.pem 2048)
# openssl req -new -x509 -key $dir/private/cakey.pem -out $dir/cacert.pem -days 7300
(SC, ChengDu, ChengDu, MageEdu Ltd, Ops, ca.mykernel.cn, caadmin@mykernel.cn)
Generate the request
# mkdir /etc/httpd24/ssl && cd /etc/httpd24/ssl
# (umask 077; openssl genrsa -out httpd.key 2048)
# openssl req -new -key httpd.key -out httpd.csr -days 7300
(SC, ChengDu, ChengDu, MageEdu Ltd, Ops, www.mykernel.cn, admin@mykernel.cn)
Sign on the same host
# openssl ca -in httpd.csr -out $dir/certs/www.mykernel.cn.crt -days 365
Fetch the certificate
# cp -a /etc/pki/CA/certs/www.mykernel.cn.crt .
Enable mod_ssl
# vim /etc/httpd24/httpd.conf
LoadModule ssl_module modules/mod_ssl.so   // not enabled by default in 2.4
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
# Secure (SSL/TLS) connections
Include /etc/httpd24/extra/httpd-ssl.conf
Enable the SSL virtual host
# cp -v /etc/httpd24/extra/httpd-ssl.conf{,.bak}
# vim /etc/httpd24/extra/httpd-ssl.conf
<VirtualHost *:443>
    DocumentRoot "/vhosts/www"
    ServerName www.mykernel.cn
    SSLCertificateFile "/etc/httpd24/ssl/www.mykernel.cn.crt"
    SSLCertificateKeyFile "/etc/httpd24/ssl/httpd.key"
(the remaining directives in the file are left unchanged)
Test the syntax
# httpd -t
# apachectl restart   // the new port must be listened on
Test whether the SSL session can be established
On a Linux host: add the following line to /etc/hosts on the host where the CA lives:
172.16.100.1 www.mykernel.cn
Test:
# openssl s_client -connect www.mykernel.cn:443 -CAfile /etc/pki/CA/cacert.pem
(output abbreviated)
Certificate chain
Server certificate
subject
issuer
No client certificate CA names sent
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Compression: NONE
Expansion: NONE
SSL-Session:
TLSv1.2
On a Windows host: add the following to the hosts file under C:\Windows\System32\drivers\etc:
172.16.100.1 www.mykernel.cn
Import the CA certificate [public key] into the trusted root certification authorities, then enter https://www.mykernel.cn in the browser to access the site.
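The CA, request, signing and chain-check steps above, collected into one script as an added example (this is not code from the original notes). It assumes a scratch directory passed as an argument in place of /etc/pki/CA and /etc/httpd24/ssl, and it signs with "openssl x509 -req -CA ..." instead of "openssl ca" so that no distribution openssl.cnf CA layout is required; the subject fields are the ones the notes list (the country field is not given there and is omitted), and the final check is the same trust decision "openssl s_client -CAfile" makes, done offline with "openssl verify".

```shell
#!/bin/sh
# Added example, not part of the original notes.
# Assumption: "$1" is a scratch directory standing in for /etc/pki/CA.
set -e

CA_SUBJ="/ST=SC/L=ChengDu/O=MageEdu Ltd/OU=Ops/CN=ca.mykernel.cn/emailAddress=caadmin@mykernel.cn"
SRV_SUBJ="/ST=SC/L=ChengDu/O=MageEdu Ltd/OU=Ops/CN=www.mykernel.cn/emailAddress=admin@mykernel.cn"

build_ca_and_cert() {
    dir="$1"
    mkdir -p "$dir/private" "$dir/certs"
    # CA private key, created under umask 077 so it is never group/world readable
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    # Self-signed CA certificate (the notes' "openssl req -new -x509 ... -days 7300")
    openssl req -new -x509 -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        -days 7300 -subj "$CA_SUBJ"
    # Server key and CSR (the notes' "generate the request" step)
    (umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/httpd.key" -out "$dir/httpd.csr" -subj "$SRV_SUBJ"
    # Sign the CSR with the CA for 365 days; swapped-in for "openssl ca" so no
    # openssl.cnf CA_default section is needed. "$dir/serial" plays the role of
    # the notes' "echo 01 > serial" file and is created on first use.
    openssl x509 -req -in "$dir/httpd.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" \
        -CAcreateserial -CAserial "$dir/serial" \
        -out "$dir/certs/www.mykernel.cn.crt" -days 365 2>/dev/null
}

# Succeeds only when the server certificate chains to cacert.pem, i.e. the
# same check "openssl s_client -CAfile cacert.pem" performs against the live server.
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$1/certs/www.mykernel.cn.crt" >/dev/null
}

# Succeeds when the certificate's CN equals "$2" (what ServerName must match);
# handles both the "CN=x" and "CN = x" subject formats printed by different OpenSSL versions.
cert_has_cn() {
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"
}

# Usage (not run by the test): build_ca_and_cert /tmp/ca && verify_chain /tmp/ca && echo "chain OK"
```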
Service script
Take the init script from the RPM package as a template and adapt it; only a seasoned bash shell programmer would write one from scratch.
# cp -v /etc/rc.d/init.d/httpd{,24}
Modify
# vim /etc/rc.d/init.d/httpd24
apachectl=/usr/local/httpd24/bin/apachectl
httpd=${HTTPD-/usr/local/httpd24/bin/httpd}
prog=httpd
pidfile=${PIDFILE-/var/run/httpd/httpd24.pid}
lockfile=${LOCKFILE-/var/lock/subsys/httpd24}
# vim /etc/httpd24/httpd.conf
PidFile "/var/run/httpd/httpd24.pid"
Test and use
# chkconfig --add httpd24
# killall httpd
# service httpd24 {start|stop|restart|status}