
Linux Advanced: the httpd service (part 2)

httpd

Apache, the software that provides the web service
Official site: http://httpd.apache.org/
yum install httpd

I. Environment of the RPM-installed program:

1. Configuration files:
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/*.conf

2. Module-related configuration files (the configuration is split into modules):
/etc/httpd/conf.modules.d/*.conf

3. systemd unit file:
/usr/lib/systemd/system/httpd.service

4. Main program file:
/usr/sbin/httpd
httpd 2.4 supports switching the MPM dynamically

5. Log files:
/var/log/httpd
access_log: access log
error_log: error log

6. Site documents:
/var/www/html

7. Module file path:
/usr/lib64/httpd/modules

8. Service control:
systemctl enable|disable httpd.service
systemctl {start|stop|restart|status} httpd.service


II. The main configuration file

/etc/httpd/conf/httpd.conf:

  • [root@centos7 conf]#cp httpd.conf{,.origin}   best to keep a copy first, so that a mistaken edit or deletion can be undone

  • Format used in the configuration file: Directive Value (directive plus value). Directives are written with an initial capital letter (watch the case of paths, which are case-sensitive)

[root@centos7 ~]#vim /etc/httpd/conf/httpd.conf
....
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used.  If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/etc/httpd"   (base directory of the program; every relative path in the configuration is resolved from here)

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80   (listening socket: port 80 on all IP addresses)
Listen 172.20.0.61:8080   (a specific IP address and port can be given)
# Dynamic Shared Object (DSO) Support

#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
Include conf.modules.d/*.conf   (the modular part of the configuration, given as a relative path)

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.  
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User apache   (the user account the process runs as; check with ps aux)
Group apache

III. MPM working modes

• prefork: multi-process I/O model, one process per request; the default model
One master process: creates and reaps n child processes and creates the listening socket; it does not answer requests itself
Multiple child processes: the worker processes, each child handles one request; at startup several idle processes are pre-spawned to wait for requests, up to a maximum of 1024

Default prefork configuration:
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256   maximum number of processes (hard upper bound 20000)
MaxClients 256   maximum concurrency
MaxRequestsPerChild 4000   maximum number of requests a child process may handle. After serving MaxRequestsPerChild requests the child is terminated by the parent, which releases the memory the child held (0 means it is never released)

• worker: multiplexed multi-process I/O model, multiple processes each with multiple threads; IIS uses this model
One master process: spawns m child processes, each child runs n threads, each thread answers one request; concurrent requests: m*n

Default worker configuration:
StartServers 4
MaxClients 300
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0   unlimited

• event: event-driven model (a variant of worker)
One master process: spawns m child processes, each process answers n requests directly; concurrent requests: m*n. A dedicated thread manages the keep-alive connections; when a real request arrives it is handed to a service thread, and once the request is done the thread is released again. This strengthens request handling under high concurrency.
(The maximum concurrent connections: MaxRequestWorkers/ThreadsPerChild should be less than or equal to ServerLimit)
To use event, the system must support an event-driven mechanism:
epoll - Linux
kqueue - BSD
event ports - Solaris

/etc/httpd/conf.modules.d/00-mpm.conf

[root@centos7 ~]#cd /etc/httpd/conf.modules.d/
[root@centos7 conf.modules.d]#ls       (the 00, 01 prefixes of the file names give the load order, since there are dependencies; to disable a module, just rename the file to a different suffix)
00-base.conf  00-dav.conf  00-lua.conf  00-mpm.conf  00-proxy.conf  00-systemd.conf  01-cgi.conf
[root@centos7 conf.modules.d]#vim 00-mpm.conf
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:

# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so   (prefork is enabled by default: processes are pre-spawned)

# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See: http://httpd.apache.org/docs/2.4/mod/worker.html
#
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
(note that a switch only takes effect after a restart; in production drain the server first and replace it gradually, canary style)

# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See: http://httpd.apache.org/docs/2.4/mod/event.html
#
#LoadModule mpm_event_module modules/mod_mpm_event.so


The parameters of the selected module can be customised directly in this file (do not mix them up, e.g. worker parameters under prefork):
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 4000
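The rule stated above for the worker and event MPMs, that MaxRequestWorkers/ThreadsPerChild must not exceed ServerLimit, is easy to get wrong when editing 00-mpm.conf by hand. The POSIX shell function below is an added example, not part of the original post or of the httpd project; it reads the three directives from a file (accepting MaxClients as the older name of MaxRequestWorkers), works out how many child processes the requested worker count needs, and fails when that exceeds ServerLimit. The sample configuration it checks is constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): check the worker/event MPM
# limits in an MPM config file.  httpd needs ceil(MaxRequestWorkers /
# ThreadsPerChild) child processes to reach the requested worker count, and
# ServerLimit caps the number of child processes, so the two must agree.
# Usage: check_mpm_limits /etc/httpd/conf.modules.d/00-mpm.conf
check_mpm_limits() {
    awk '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        tolower($1) == "serverlimit"       { sl  = $2 }
        tolower($1) == "threadsperchild"   { tpc = $2 }
        tolower($1) == "maxrequestworkers" { mrw = $2 }
        tolower($1) == "maxclients"        { mrw = $2 } # older name
        END {
            if (sl == "" || tpc == "" || mrw == "") {
                print "missing ServerLimit, ThreadsPerChild or MaxRequestWorkers"
                exit 2
            }
            need = int((mrw + tpc - 1) / tpc)           # ceiling division
            if (need > sl) {
                printf "BAD: %d workers / %d threads per child needs %d processes, ServerLimit is %d\n", mrw, tpc, need, sl
                exit 1
            }
            printf "OK: %d processes needed, ServerLimit %d\n", need, sl
        }
    ' "$1"
}

# Constructed sample (event MPM): 400 / 25 = 16 processes, exactly ServerLimit
sample=$(mktemp)
cat > "$sample" <<'EOF'
<IfModule mpm_event_module>
    ServerLimit          16
    ThreadsPerChild      25
    MaxRequestWorkers    400
</IfModule>
EOF
check_mpm_limits "$sample"
rm -f "$sample"
```

Run it against the real file after every edit of the MPM parameters and before `httpd -t`, since `httpd -t` only checks syntax, not whether the limits fit together.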

httpd options

httpd -M   show the enabled modules
httpd -t   check the syntax
httpd -l   show the static modules (compiled into the binary)
httpd -L   list all available modules


IV. Main parameters that must be defined for a host in httpd

1. ServerName: the host name identifying the current host

2. DocumentRoot: the root of the URL space, mapped to a path in the local file system, /path/to/somedir

3. For the web files under /path/to/somedir, define who is allowed to access them, who is not, and how they may be accessed, i.e. set their attributes

4. Require: finer-grained access control

<Directory "">
Require all granted   everyone may access
Require user dadda    only dadda may access
Require ip 192.168    only the 192.168.0.0 network may access
</Directory>

<Files "">   a specific file
</Files>

<DirectoryMatch "">   supports regular expressions
</DirectoryMatch>

<Location "">   a URL path; LocationMatch also supports regular expressions, but it is not recommended because it lowers performance
</Location>

/etc/httpd/conf/httpd.conf

# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80  
ServerName centos7.dushan.com:80   (the internet name that DNS resolves to the current host)

#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other 
# <Directory> blocks below.
#
<Directory />
    AllowOverride none
    Require all denied    (direct access to / is denied and nothing may be overridden; only the DocumentRoot should be reachable)
</Directory>

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"   the pages that are actually served

#
# Relax access to content within /var/www.
<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted  
</Directory>

# Further relax access to the default document root:
<Directory "/var/www/html">     the rules below define access to /var/www/html
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks        how to respond when a page is requested; by default the index.html file is served; can be changed to None
    (if Indexes is removed, access is refused when there is no index.html file)
    (if FollowSymLinks is removed, symbolic links to source files are not followed)
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None   whether the corresponding .htaccess file may override these settings

    #
    # Controls who can get stuff from this server.
    #
    Require all granted

(Require can be set more finely: once Require user or Require ip is given it acts as a whitelist, and everyone else is refused)
(to use Require not, it must be combined with <RequireAll>)
...

V. User-based access control

IP-based authentication is not recommended: although efficient, it is extremely inflexible and very easy to spoof.

• Authentication challenge: WWW-Authenticate: the response code is 401; the client's request is refused and the client is told to supply an account and password
• Authentication: Authorization: after the user fills in the account and password, the client sends the request again; if authentication passes, the server sends the requested resource
• Two authentication methods:
basic: clear text
digest: message-digest authentication, poor compatibility
• Security realm: a path that may only be accessed after the user authenticates; it should be identified by a name so that the user can be told why authentication is required
Format for defining a security realm:

<Directory "/path">
Options None
AllowOverride None   whether overrides are allowed
AuthType Basic       authentication type
AuthName "String"    authentication prompt; change the "String" content as you like
AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"   path of the password file, generated with htpasswd
Require user username   the allowed user
</Directory>


Require valid-user   allow every user in the account file to log in

AuthGroupFile "/etc/httpd/conf/.htgroup"   access by group file (must be created by hand)
vim /etc/httpd/conf/.htgroup
(file content: disney: tom jerry)
Require group disney

• User accounts and passwords
Virtual accounts: authentication identities used only when accessing a particular service
Storage: text file, SQL database, LDAP directory, NIS, etc.

Providing account and password storage (text file)

A dedicated command creates such files and manages their users:
htpasswd [options] /PATH/HTTPD_PASSWD_FILE username
-c   create the file automatically; should only be used when the file does not yet exist
-p   clear-text password
-d   CRYPT-format encryption, the default
-m   MD5-format encryption
-s   SHA-format encryption
-D   delete the given user, or delete the file directly
-b   supply the password on the command line

Building the experiment

[root@centos7 ~]#vim /etc/httpd/conf/httpd.conf
...
# Further relax access to the default document root:
<Directory "/var/www/html">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options None    (with None, access to /var/www/html/ is refused when there is no index.html file)

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>
<Directory "/var/www/html/admin">
    Options Indexes
    AllowOverride None
    AuthType Basic
    AuthName "some private area..."
    AuthUserFile "/etc/httpd/conf/.htpasswd"
    Require user tom
</Directory>
...
[root@centos7 ~]#htpasswd -b -c -m /etc/httpd/conf/.htpasswd tom dushan   create user tom with password dushan
Adding password for user tom
[root@centos7 ~]#htpasswd -b -m /etc/httpd/conf/.htpasswd jerry shandu   the second time, do not add the -c option
Adding password for user jerry
[root@centos7 ~]#tail /etc/httpd/conf/.htpasswd
tom:$apr1$aX9.XL42$dzjpLk5MB5ivprfjiY/1D0
jerry:$apr1$E21f3YMg$TTaviG84A8bzaQXxwsGK01
[root@centos7 ~]#cd /var/www/html/
[root@centos7 html]#mkdir admin
[root@centos7 html]#cp index.html.origin /var/www/html/admin/admin.html

Browse to http://192.168.32.7/admin/admin.html, enter the user name and password, and the page is served.
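The htpasswd options listed above let an operator store passwords in clear text (-p) or in the old 13-character crypt(3) format (-d) as easily as in MD5 (-m), and the file content looks similar either way. The POSIX shell functions below are an added example, not part of the original post or of the httpd project: htpasswd_scheme names the scheme of one user:hash line, and audit_htpasswd walks a whole file and fails if any entry is clear text or crypt. The two apr1 lines come from the experiment above; the "bob" entry is constructed to show how a clear-text entry is reported.

```shell
#!/bin/sh
# Added example (not from the original post): classify the entries of an
# htpasswd file by password scheme and flag the weak ones.  Clear-text
# entries (htpasswd -p) and crypt(3) entries (htpasswd -d, which only uses
# the first 8 characters of the password) are reported as weak.

# htpasswd_scheme 'user:hash'  ->  md5 | bcrypt | sha1 | crypt | plain
htpasswd_scheme() {
    hash=${1#*:}                       # drop the "user:" prefix
    case $hash in
        '$apr1$'*) echo md5 ;;         # htpasswd -m
        '$2y$'*)   echo bcrypt ;;      # htpasswd -B
        '{SHA}'*)  echo sha1 ;;        # htpasswd -s
        *)
            # crypt(3) output is exactly 13 characters from [./0-9A-Za-z];
            # a 13-character clear-text password drawn from that alphabet
            # would be misreported as crypt, the one ambiguity of the format
            if printf '%s' "$hash" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
                echo crypt
            else
                echo plain
            fi ;;
    esac
}

# audit_htpasswd FILE: print "scheme user" for every entry; return 1 when
# at least one entry is clear text or crypt.
audit_htpasswd() {
    weak=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac     # skip blanks and comments
        scheme=$(htpasswd_scheme "$line")
        printf '%-7s %s\n' "$scheme" "${line%%:*}"
        case $scheme in plain|crypt) weak=$((weak + 1)) ;; esac
    done < "$1"
    [ "$weak" -eq 0 ]
}

# Constructed sample file: the two entries from the page plus a clear-text one
sample=$(mktemp)
cat > "$sample" <<'EOF'
tom:$apr1$aX9.XL42$dzjpLk5MB5ivprfjiY/1D0
jerry:$apr1$E21f3YMg$TTaviG84A8bzaQXxwsGK01
bob:secret123
EOF
audit_htpasswd "$sample" || echo "weak entries found in $sample"
rm -f "$sample"
```

Running `audit_htpasswd /etc/httpd/conf/.htpasswd` after the two htpasswd commands above prints `md5 tom` and `md5 jerry` and returns 0; a weak entry can be replaced in place with `htpasswd -m FILE user`, which overwrites that user's line without touching the others.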


VI. Defining path aliases

To serve HTML pages that are not under a sub-path of DocumentRoot, an alias must be defined.

[root@centos7 ~]#cd /app
[root@centos7 app]#cp /var/www/html/index.html /app/bieming/
[root@centos7 bieming]#cat >index.html<<EOF
> This is /app/bieming/index.html !!!
> EOF
[root@centos7 bieming]#vim /etc/httpd/conf/httpd.conf
...
Alias /bieming/ /app/bieming/
    <Directory "/app/bieming/">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
...
[root@centos7 ~]#httpd -t
Syntax OK
[root@centos7 ~]#systemctl restart httpd

Browsing to http://192.168.32.7/bieming/ shows the content of /app/bieming/index.html, which means it worked.

Note: if a folder under /var/www/html (the document root) has the same name as an Alias, the Alias page takes precedence.

VII. Log files

/var/log/httpd/access_log

Access log

[root@centos7 ~]#tail /var/log/httpd/access_log
···
192.168.32.1 - - [18/Oct/2018:07:03:00 +0800] "GET /bbs/ HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64;
···
The fields of the line, in order:
1. which client: 192.168.32.1
2. time: [18/Oct/2018:07:03:00 +0800]
3. start line of the request: "GET /bbs/ HTTP/1.1" (method GET, requested URL /bbs/, protocol HTTP/1.1)
4. response code: 304
5. response content length: - (empty)
6. where the request was referred from: "-"
7. user agent: "Mozilla/5.0 (Windows NT 10.0; Win64; ..."

/var/log/httpd/error_log

Error log

[root@centos7 ~]#tail /var/log/httpd/error_log
···
[Thu Oct 18 07:00:24.356714 2018] [lbmethod_heartbeat:notice] [pid 4114] AH02282: No slotmem from mod_heartmonitor
···
The fields of the line, in order:
1. time: [Thu Oct 18 07:00:24.356714 2018]
2. module that logged it: [lbmethod_heartbeat:notice]
3. process: [pid 4114]
4. what went wrong: AH02282: No slotmem from mod_heartmonitor

Defining a log format: LogFormat format strings

LogFormat "%h %l %u %{%Y-%m-%d %H:%M:%S}t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" testlog
• Using the log format:
CustomLog logs/access_log testlog

Reference: http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats

• %h   client IP address
• %l   remote user; only meaningful when mod_ident is enabled, usually a dash "-"
• %u   authenticated (basic, digest) remote user; a dash "-" when the access was not authenticated
• %t   time at which the server received the request
• %r   first line of request, i.e. the request line; records the method, the URL and the protocol version of this request
• %>s   response status code
• %b   size of the response body in bytes; does not include the HTTP headers of the response
• %{Referer}i   value of the "Referer" header in the request, i.e. the page whose hyperlink led to the current page
• %{User-Agent}i   value of the "User-Agent" header in the request, i.e. the application (browser model) that sent the request
[root@centos7 ~]#vim /etc/httpd/conf/httpd.conf
<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined    the first built-in format; note that the inner quotes must be escaped with \
    LogFormat "%h %l %u %t \"%r\" %>s %b" common                                         the second built-in format

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    #CustomLog "logs/access_log" common                  (either of the two formats can be chosen)

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    CustomLog "logs/access_log" combined                 (enabled by default)
</IfModule>
...

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"                            error log path

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn                                        error log level
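The field list above describes the combined format but does not show how to pull the fields apart, or what repeated failed logins against the protected /admin/ area from section V look like in access_log. The POSIX shell functions below are an added example, not part of the original post or of the httpd project: parse_access_line prints the seven fields of one combined-format line with labels, and auth_failures_by_client counts 401 responses per client address. The log lines in SAMPLE_ACCESS_LOG are constructed in the style of the page's own example line.

```shell
#!/bin/sh
# Added example (not from the original post): parse access_log lines written
# with the "combined" LogFormat and count 401 responses per client, which is
# how repeated failed Basic-auth attempts show up in the log.

# Constructed sample log: two clients, one of which retries /admin/ without
# valid credentials and never succeeds.
SAMPLE_ACCESS_LOG='192.168.32.1 - - [18/Oct/2018:07:03:00 +0800] "GET /admin/admin.html HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.168.32.1 - - [18/Oct/2018:07:03:02 +0800] "GET /admin/admin.html HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.168.32.1 - tom [18/Oct/2018:07:03:05 +0800] "GET /admin/admin.html HTTP/1.1" 200 4897 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.168.32.9 - - [18/Oct/2018:07:04:00 +0800] "GET /admin/admin.html HTTP/1.1" 401 381 "-" "curl/7.29.0"
192.168.32.9 - - [18/Oct/2018:07:04:01 +0800] "GET /admin/admin.html HTTP/1.1" 401 381 "-" "curl/7.29.0"
192.168.32.9 - - [18/Oct/2018:07:04:02 +0800] "GET /admin/admin.html HTTP/1.1" 401 381 "-" "curl/7.29.0"
192.168.32.1 - - [18/Oct/2018:07:05:00 +0800] "GET /bbs/ HTTP/1.1" 304 - "http://www.dushan.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"'

# parse_access_line LINE: print the seven fields of one combined-format line
# with labels.  Splitting on the double quotes keeps the request line and the
# user agent intact even though both contain spaces.
parse_access_line() {
    printf '%s\n' "$1" | awk '
    {
        split($0, q, "\"")          # q[2]=request line, q[4]=referer, q[6]=user agent
        split(q[1], head, " ")      # head[1]=client, head[2]=ident, head[3]=user, head[4..5]=time
        split(q[3], rest, " ")      # rest[1]=status, rest[2]=response bytes
        printf "client=%s user=%s time=%s %s\n", head[1], head[3], head[4], head[5]
        printf "request=\"%s\" status=%s bytes=%s\n", q[2], rest[1], rest[2]
        printf "referer=%s user_agent=\"%s\"\n", q[4], q[6]
    }'
}

# auth_failures_by_client < LOG: print "count client" for every client that
# received a 401, most failures first
auth_failures_by_client() {
    awk '
    {
        n = split($0, q, "\"")
        if (n < 4) next               # not a combined-format line
        split(q[3], rest, " ")
        if (rest[1] == "401") count[$1]++
    }
    END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' | sort -rn
}

parse_access_line "$(printf '%s\n' "$SAMPLE_ACCESS_LOG" | head -n 1)"
printf '%s\n' "$SAMPLE_ACCESS_LOG" | auth_failures_by_client
```

Against the real file the second function is used as `auth_failures_by_client < /var/log/httpd/access_log`; a client with many 401s and no later 200 from an authenticated user (the %u field) is the pattern worth a closer look.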

VIII. Virtual hosts

  • Site identification: socket
    same IP, different ports
    different IPs, all on the default port
    different FQDNs: the Host: header in the request, e.g. Host: www.baidu.com

  • Three implementation schemes:
    IP-based: at least one IP address per virtual host
    port-based: at least one dedicated port per virtual host
    FQDN-based: at least one FQDN per virtual host

!!! Note: virtual hosts are generally not mixed with the main host; so to use virtual hosts, first disable the main host.
To disable it, comment out the main host's DocumentRoot directive !!!

How to configure a virtual host:

<VirtualHost IP:PORT>
ServerName FQDN
DocumentRoot "/path"
</VirtualHost>
Recommendation: keep the above configuration in its own file under /etc/httpd/conf.d/
• Other usable directives:
ServerAlias: alias of the virtual host; may be used several times
ErrorLog: error log
CustomLog: access log
<Directory "/path">
</Directory>
Alias
IP-based virtual host example:

<VirtualHost 172.16.100.6:80>
ServerName www.a.com
DocumentRoot "/www/a.com/htdocs"
</VirtualHost>
<VirtualHost 172.16.100.7:80>
ServerName www.b.net
DocumentRoot "/www/b.net/htdocs"
</VirtualHost>
<VirtualHost 172.16.100.8:80>
ServerName www.c.org
DocumentRoot "/www/c.org/htdocs"
</VirtualHost>

Port-based virtual hosts (can be mixed with IP-based ones):

Listen 808
Listen 8080
<VirtualHost 172.16.100.6:80>
ServerName www.a.com
DocumentRoot "/www/a.com/htdocs"
</VirtualHost>
<VirtualHost 172.16.100.6:808>
ServerName www.b.net
DocumentRoot "/www/b.net/htdocs"
</VirtualHost>
<VirtualHost 172.16.100.6:8080>
ServerName www.c.org
DocumentRoot "/www/c.org/htdocs"
</VirtualHost>

FQDN-based virtual hosts: httpd 2.2 needs one extra line, NameVirtualHost *:80

NameVirtualHost *:80   (not needed in httpd 2.4)
<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/www/a.com/htdocs"
</VirtualHost>
<VirtualHost *:80>
ServerName www.b.net
DocumentRoot "/www/b.net/htdocs"
</VirtualHost>
<VirtualHost *:80>
ServerName www.c.org
DocumentRoot "/www/c.org/htdocs"
</VirtualHost>

Building the experiment

[root@centos7 ~]#cd /etc/httpd
[root@centos7 httpd]#ls
conf  conf.d  conf.modules.d  logs  modules  run
[root@centos7 httpd]#vim conf.d/www.conf
<VirtualHost 192.168.32.7:80>
    ServerName www.dushan.com
    DocumentRoot "/vhosts/www/htdocs"
    <Directory "/vhosts/www/htdocs">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog "/vhosts/logs/www_error_log"
    CustomLog "/vhosts/logs/www_access_log" combined
</VirtualHost>
[root@centos7 httpd]#cp conf.d/www.conf conf.d/bbs.conf
[root@centos7 httpd]#vim conf.d/bbs.conf
<VirtualHost 192.168.32.77:80>
    ServerName bbs.dushan.com
    DocumentRoot "/vhosts/bbs/htdocs"
    <Directory "/vhosts/bbs/htdocs">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    CustomLog "/vhosts/logs/bbs_access_log" combined   (format given explicitly)
    ErrorLog "/vhosts/logs/bbs_error_log"
</VirtualHost>
[root@centos7 httpd]#mkdir -pv /vhosts/{www,bbs}/htdocs  /vhosts/logs
[root@centos7 httpd]#vim /vhosts/bbs/htdocs/index.html
/vhosts/bbs/htdocs/index.html
[root@centos7 httpd]#vim /vhosts/www/htdocs/index.html
/vhosts/www/htdocs/index.html
[root@centos7 httpd]#ifconfig eth0:1 192.168.32.77/24 up
[root@centos7 httpd]#systemctl restart httpd

Building the experiment (when only one IP address is available and both sites use port 80, the name is what matters: the names just have to differ)

[root@centos7 httpd]#vim conf.d/www.conf
<VirtualHost *:80>
    ServerName www.dushan.com           reached by name
    ServerAlias wwws.dushan.com         an alias can also be set, so that both names work
    DocumentRoot "/vhosts/www/htdocs"
    <Directory "/vhosts/www/htdocs">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    CustomLog "/vhosts/logs/www_access_log" combined   (format given explicitly)
    ErrorLog "/vhosts/logs/www_error_log"
</VirtualHost>

[root@centos7 httpd]#vim conf.d/bbs.conf
<VirtualHost *:80>
    ServerName bbs.dushan.com           set the name
    DocumentRoot "/vhosts/bbs/htdocs"
    <Directory "/vhosts/bbs/htdocs">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    CustomLog "/vhosts/logs/bbs_access_log" combined   (format given explicitly)
    ErrorLog "/vhosts/logs/bbs_error_log"
</VirtualHost>
[root@centos7 ~]#vim /etc/hosts
192.168.32.7   www.dushan.com wwws.dushan.com bbs.dushan.com

IX. KeepAlive: keep persistent connections, which improves performance when a page loads hundreds of resources

Enable it when the server load is light; take care to disable it when the load is heavy.
KeepAlive On covers two settings:
1. KeepAliveTimeout   how long an idle connection is kept (a number of seconds, or milliseconds with an ms suffix)
2. MaxKeepAliveRequests 100   maximum number of requests
Both are in effect at the same time; whichever limit is reached first wins.

[root@centos7 ~]# vim /etc/httpd/conf/httpd.conf
...
KeepAlive On
KeepAliveTimeout 10
MaxKeepAliveRequests 100
[root@centos7 ~]#httpd -t
Syntax OK
[root@centos7 ~]#!sys
systemctl restart httpd

X. The mod_deflate module

1. Use mod_deflate to compress pages and speed up transfer
2. Applicable scenarios:
(1) Saves bandwidth at the cost of extra CPU; some older browsers may not support it.
(2) Compress resources that compress well, for example text files

LoadModule deflate_module modules/mod_deflate.so   load the module
SetOutputFilter DEFLATE                            use the filter to specify which types are compressed
Types:
# Restrict compression to these MIME types
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css

3. Level of compression (Highest 9 - Lowest 1): setting the compression ratio
DeflateCompressionLevel 9   the directive

4. Exclude specific old browser versions that do not support compression
1) Netscape 4.x: compress only text/html

BrowserMatch ^Mozilla/4 gzip-only-text/html

2) The three Netscape versions 4.06-4.08: no compression

BrowserMatch ^Mozilla/4\.0[678] no-gzip

3) Internet Explorer identifies itself as "Mozilla/4" but is in fact able to handle compressed responses. If the User-Agent header matches the string "MSIE" ("\b" is a word boundary), the restrictions defined above are switched off.

BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

Experiment environment

[root@centos7 ~]#httpd -M |grep deflate   check whether it is loaded
 deflate_module (shared)
[root@centos7 ~]#vim /etc/httpd/conf.d/deflate.conf
SetOutputFilter DEFLATE
# Restrict compression to these MIME types
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
DeflateCompressionLevel 6
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
[root@centos7 ~]#httpd -t
Syntax OK
[root@centos7 ~]#!sys
systemctl restart httpd
[root@centos7 ~]#cp /var/log/messages /var/www/html/index.html
cp: overwrite ‘/var/www/html/index.html’? y
[root@centos7 ~]#ll /var/www/html/
total 1296
drwxr-xr-x 2 root root      24 Oct 19 12:33 admin
-rw-r--r-- 1 root root 1321814 Oct 19 22:03 index.html   watch the permissions: without read permission the apache user cannot serve the file; chmod +r /var/www/html/index.html

XI. https

1. https: HTTP over SSL, HTTP carried on top of SSL

2. Simplified flow of an SSL session

(1) The client sends the encryption methods it can use and asks the server for its certificate
(2) The server sends its certificate and the chosen encryption method to the client
(3) The client obtains the certificate and verifies it
If it trusts the CA that issued the certificate:
(a) verify the legitimacy of the certificate's origin: decrypt the digital signature on the certificate with the CA's public key
(b) verify the legitimacy of the certificate's content: integrity check
(c) check the certificate's validity period
(d) check whether the certificate has been revoked
(e) the owner name in the certificate must match the target host being accessed
(4) The client generates a temporary session key (symmetric key), encrypts it with the server's public key and sends it to the server, completing the key exchange
(5) The server encrypts the requested resource with this key and responds to the client
• Note: SSL is bound to the IP address; a host with a single IP can use only one https virtual host

3. Implementing https

• (1) Apply for a digital certificate for the server
For testing: issue the certificate through a privately built CA
(a) build a private CA
(b) create a certificate signing request on the server
(c) have the CA sign it
• (2) Configure httpd to support SSL and to use the certificate
yum -y install mod_ssl
Configuration file: /etc/httpd/conf.d/ssl.conf
DocumentRoot
ServerName
SSLCertificateFile
SSLCertificateKeyFile
• (3) Test access to the host over https
openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]

Experiment environment: for the example, a key and a self-signed certificate are generated directly

[root@centos7 ~]#cd /etc/httpd
[root@centos7 httpd]#ls
conf  conf.d  conf.modules.d  logs  modules  run
[root@centos7 httpd]#mkdir ssl
[root@centos7 httpd]#cd ssl/
[root@centos7 ssl]#(umask 077; openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
......................................................................................................................+++
..................................+++
e is 65537 (0x10001)
[root@centos7 ssl]#ll
total 4
-rw------- 1 root root 1675 Oct 19 22:25 httpd.key
[root@centos7 ssl]#openssl req -new -x509 -key ./httpd.key -out httpd.crt -subj "/CN=www.dushan.com/O=dushan" -days 3650
[root@centos7 ssl]#yum install mod_ssl
[root@centos7 ssl]#cd /etc/httpd/conf.d/
[root@centos7 conf.d]#vim ssl.conf
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt             change the path

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key          change the path

XII. Redirecting http to https

Forward http requests to the https URL

  • Redirect
    Redirect [status] URL-path URL

  • status values:

• Permanent: returns the permanent-redirect status code 301

• Temp: returns the temporary-redirect status code 302; this is the default

Just append it to the end of the configuration file:
vim /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/*.conf
Redirect temp / https://www.dushan.com/
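A Redirect appended to the end of httpd.conf sits in the main server context, and directives there are inherited by every <VirtualHost>, including the https one that ssl.conf defines, so the https site would redirect to itself. The POSIX shell functions below are an added example, not part of the original post or of the httpd project: write_redirect_vhost emits the same redirect scoped to a port-80 virtual host, and check_redirect_scope reports any Redirect-family directive that sits outside a <VirtualHost> block. The host name www.example.test and the temporary file names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post).  A Redirect in the main server
# context is inherited by every <VirtualHost>, so it also fires inside the
# https virtual host and sends https requests back to https.  Keeping the
# redirect inside the port-80 virtual host avoids that loop.

# write_redirect_vhost FILE FQDN: write a port-80 virtual host whose only job
# is to redirect to the https site.
write_redirect_vhost() {
    cat > "$1" <<EOF
<VirtualHost *:80>
    ServerName $2
    # 302 (temp) is the default; switch to "permanent" (301) once the https
    # site is known to work, because browsers cache 301 responses
    Redirect temp / https://$2/
</VirtualHost>
EOF
}

# check_redirect_scope FILE: return 1 if any Redirect, RedirectMatch,
# RedirectPermanent or RedirectTemp directive is outside a <VirtualHost>.
check_redirect_scope() {
    awk '
        /^[[:space:]]*#/ { next }                     # skip comment lines
        tolower($1) ~ /^<virtualhost/   { depth++ }
        tolower($1) == "</virtualhost>" { depth-- }
        tolower($1) ~ /^redirect(match|permanent|temp)?$/ && depth == 0 {
            printf "line %d: %s is in the main server context and applies to every virtual host\n", NR, $1
            bad = 1
        }
        END { if (bad) exit 1 }
    ' "$1"
}

# Constructed demonstration: the virtual-host version passes, the
# "append to the end of httpd.conf" version is flagged.
good=$(mktemp); loop=$(mktemp)
write_redirect_vhost "$good" www.example.test
printf 'Redirect temp / https://www.example.test/\n' > "$loop"
check_redirect_scope "$good" && echo "$good: redirect is scoped to a virtual host"
check_redirect_scope "$loop" || echo "$loop: move the Redirect into <VirtualHost *:80>"
rm -f "$good" "$loop"
```

`check_redirect_scope /etc/httpd/conf/httpd.conf` run before `httpd -t` catches the misplaced directive; `httpd -t` alone accepts it, because the configuration is syntactically valid.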