提供web服务的软件apache
官网:http://httpd.apache.org/
yum install httpd
1、配置文件:
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/*.conf
2、模块相关的配置文件:(配置文件模块化)
/etc/httpd/conf.modules.d/*.conf
3、systemdunit file:
/usr/lib/systemd/system/httpd.service
4、主程序文件:
/usr/sbin/httpd
httpd-2.4支持MPM的动态切换
5、日志文件:
/var/log/httpd
access_log:访问日志
error_log:错误日志
6、站点文档:
/var/www/html
7、模块文件路径:
/usr/lib64/httpd/modules
8、服务控制:
systemctl enable|disable httpd.service
systemctl{start|stop|restart|status} httpd.service
[root@centos7-7 conf]#cp httpd.conf{,.origin} 最好复制一份,以免误删改
配置文件中格式:Directive Value (指令+加值)指令首字母大写(路径需注意大小写)
[root@centos7-7 ~]#vim /etc/httpd/conf/httpd.conf
....
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used. If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/etc/httpd"(应用程序的基准目录,所有设置相对路径的起始位置)
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80 (监听的套接字,使用所有的IP的80端口)
Listen 172.20.0.61:8080 (可指定IP地址及端口)
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
Include conf.modules.d/*.conf (配置文件模块化的组成部分,相对路径)
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User apache (以哪个用户身份运行当前程序,ps aux可查看)
Group apache
•prefork:多进程I/O模型,每个进程响应一个请求,默认模型
一个主进程:生成和回收n个子进程,创建套接字,不响应请求
多个子进程:工作work进程,每个子进程处理一个请求;系统初始时,预
先生成多个空闲进程,等待请求,最大不超过1024个
prefork的默认配置:
StartServers8
MinSpareServers5
MaxSpareServers20
ServerLimit256 最多进程数,最大20000
MaxClients256 最大并发
MaxRequestsPerChild4000 子进程最多能处理的请求数量。在处理MaxRequestsPerChild个请求之后,子进程将会被父进程终止,这时候子进程占用的内存就会释放(为0时永远不释放)
•worker:复用的多进程I/O模型,多进程多线程,IIS使用此模型
一个主进程:生成m个子进程,每个子进程负责生个n个线程,每个线程响
应一个请求,并发响应请求:m*n
worker的默认配置:
StartServers4
MaxClients300
MinSpareThreads25
MaxSpareThreads75
ThreadsPerChild25
MaxRequestsPerChild0 无限制
•event:事件驱动模型(worker模型的变种)
一个主进程:生成m个子进程,每个进程直接响应n个请求,并发响应请求
:m*n,有专门的线程来管理这些keep-alive类型的线程,当有真实请求时
,将请求传递给服务线程,执行完毕后,又允许释放。这样增强了高并发
场景下的请求处理能力
(最大连接并发数MaxRequestWorkers/ThreadsPerChild应小于等于ServerLimit)
使用event 系统必须支持事件驱动机制
epoll -Linux
kqueue -BSD
event ports -Solaris
[root@centos7-7 ~]#cd /etc/httpd/conf.modules.d/
[root@centos7-7 conf.modules.d]#ls (00,01文件名前面数字是启动顺序,因为存在依赖关系,模块不适用,更改后缀即可)
00-base.conf 00-dav.conf 00-lua.conf 00-mpm.conf 00-proxy.conf 00-systemd.conf 01-cgi.conf
[root@centos7-7 conf.modules.d]#vim 00-mpm.conf
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:
# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so (默认开启prefork:预生成)
# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See: http://httpd.apache.org/docs/2.4/mod/worker.html
#
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
(切换注意需重启才可生效,生产用利用排干,灰度方式替换)
# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See: http://httpd.apache.org/docs/2.4/mod/event.html
#
#LoadModule mpm_event_module modules/mod_mpm_event.so
可直接在此配置文件中自定义相应模块的参数(注意不能混搭,如prefork写worker参数)
StartServers8
MinSpareServers5
MaxSpareServers20
ServerLimit256
MaxClients256
MaxRequestsPerChild4000
httpd -M 可查看启用的模块
httpd -t 检查语法
httpd -l 查看静态模块(编译进去的模块)
httpd -L 列出所有可用的模块
1、ServerName:主机名,以标识当前主机
2、DocumentRoot:url的根,映射到本地文件系统的路径 /path/to/somedir
3、对路径/path/to/somedir下的网页文件,定义,允许那些人访问,不允许哪些人访问,怎么能够被访问,做属性设定
4、Require:更加精细访问设置 (-59512)
Require all granted 所有人可访问
Require user dadda 只允许dadda访问
Require 192.168 只允许192.168.0.0网段访问
指定文件
支持正则表达式
url路径 LocationMatch也支持正则表达式,但是不建议用,会降低性能
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
ServerName centos7.dushan.com:80(互联网名称DNS解析到当前的主机名)
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# blocks below.
#
AllowOverride none
Require all denied /直接访问拒绝,不允许任何人更改,只允许访问documentroot即可
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html" 真正访问的页面
#
# Relax access to content within /var/www.
AllowOverride None
# Allow open access:
Require all granted
# Further relax access to the default document root:
以下定义访问/var/www/html规则
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks 访问网页时时如何响应,默认链接index.html文件,可改为none
(删除Indexes 则显示被拒 注:当没有index.html文件时)
(删除FollowSymLinks,则不允许链接源文件)
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None 是否允许对应的配置文件覆盖
#
# Controls who can get stuff from this server.
#
Require all granted
(Require可以做更为精细设置,Require user和Require ip给出以后就算设置了白名单,其他的则被拒绝)
(若引用Require not,需配合使用)
...
不建议基于ip地址的认证,虽然高效,但是灵活性极差,并且很容易被伪装
• 认证质询:WWW-Authenticate:响应码为401,拒绝客户端请求,并说明要求
客户端提供账号和密码
• 认证:Authorization:客户端用户填入账号和密码后再次发送请求报文;认证
通过时,则服务器发送响应的资源
• 认证方式两种:
basic:明文
digest:消息摘要认证,兼容性差
• 安全域:需要用户认证后方能访问的路径;应该通过名称对其进行标识,以便
于告知用户认证的原因
定义安全域格式:
Options None
AllowOverride None 是否允许覆盖
AuthType Basic 认证类型
AuthName "String" 认证提示,"string"内容自行修改
AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE" 认证密码文件路径,通过htpasswd生成
Require user username 允许的用户
Require valid-user 允许账号文件中的所有用户登录访问
AuthGroupFile "/etc/httpd/conf/.htgroup" 创建组用户文件访问(需手动创建)
vim /etc/httpd/conf/.htgroup
(编辑内容disney: tom jerry)
Require group disney
• 用户的账号和密码
虚拟账号:仅用于访问某服务时用到的认证标识
存储:文本文件,SQL数据库,ldap目录存储,nis等
提供账号和密码存储(文本文件)
使用专用命令完成此类文件的创建及用户管理
htpasswd [options] /PATH/HTTPD_PASSWD_FILE username
-c 自动创建文件,仅应该在文件不存在时使用
-p 明文密码
-d CRYPT格式加密,默认
-m md5格式加密
-s sha格式加密
-D 删除指定用户,或直接删除文件
-b 使用命令行直接添加密码
[root@centos7-7 ~]#vim /etc/httpd/conf/httpd.conf
...
# Further relax access to the default document root:
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options none (none为/var/www/html/下,无index.html文件则拒绝访问)
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
Options Indexes
AllowOverride none
AuthType basic
AuthName "some private area..."
AuthUserFile "/etc/httpd/conf/.htpasswd"
Require user tom
...
[root@centos7-7 ~]#htpasswd -b -c -m /etc/httpd/conf/.htpasswd tom dushan 创建tom用户设置密码dushan
Adding password for user tom
[root@centos7-7 ~]#htpasswd -b -m /etc/httpd/conf/.htpasswd jerry shandu 第二次注意不需添加-c选项
Adding password for user jerry
[root@centos7-7 ~]#tail /etc/httpd/conf/.htpasswd
tom:$apr1$aX9.XL42$dzjpLk5MB5ivprfjiY/1D0
jerry:$apr1$E21f3YMg$TTaviG84A8bzaQXxwsGK01
[root@centos7-7 ~]#cd /var/www/html/
[root@centos7-7 html]#mkdir admin
[root@centos7-7 html]#cp index.html.origin /var/www/html/admin/admin.html
浏览器浏览http://192.168.32.7/admin/admin.html输入用户名及密码即可访问
访问不是DocumentRoot子路径下的html页面则需设置别名
[root@centos7-7 ~]#cd /app
[root@centos7-7 app]#cp /var/www/html/index.html /app/biemiing/
[root@centos7-7 bbs]#cat >index.html< This is /app/bieming/index.html !!!
> EOF
[root@centos7-7 bbs]#vim /etc/httpd/conf/httpd.conf
...
Alias /bieming/ /app/bieming/
Options none
AllowOverride none
Require all granted
...
[root@centos7-7 ~]#httpd -t
Syntax OK
[root@centos7-7 ~]#systemctl restart httpd
浏览器访问http://192.168.32.7/bieming/ 显示/app/bieming/index.html内容及成功
注意:/var/www/html路径下(document路径下若文件夹有和Alias重名的,优先显示Alias页面)
访问日志
[root@centos7-7 ~]#tail /var/log/httpd/access_log
···
192.168.32.1 - - [18/Oct/2018:07:03:00 +0800] "GET /bbs/ HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64;
1 2 3 4 5 6 7
···
1.哪个客户端
2.时间
3.请求报文的起始行(方法:GET,请求/bbs/这个URL,基于hTTP/1.1版本)
4.响应码
5.响应内容长度
6.表示从什么位置跳转来的
7.用户代理
错误日志
[root@centos7-7 ~]#tail /var/log/httpd/error_log
···
[Thu Oct 18 07:00:24.356714 2018] [lbmethod_heartbeat:notice] [pid 4114] AH02282: No slotmem from mod_heartmonitor
1 2 3 4
···
1.时间
2.加载的模块
3.进程
4.哪里出的问题
LogFormat "%h %l %u %{%Y-%m-%d %H:%M:%S}t \"%r\" %>s %b
\"%{Referer}i\" \"%{User-Agent}i\"" testlog
•使用日志格式:
CustomLog logs/access_log testlog
参考帮助:http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
•%h 客户端IP地址
•%l 远程用户,启用mod_ident才有效,通常为减号“-”
•%u 验证(basic,digest)远程用户,非登录访问时,为一个减号“-”
•%t 服务器收到请求时的时间
•%r First line of request,即表示请求报文的首行;记录了此次请求的“
方法”,“URL”以及协议版本
•%>s 响应状态码
•%b 响应报文的大小,单位是字节;不包括响应报文http首部
•%{Referer}i 请求报文中首部“referer”的值;即从哪个页面中的超链
接跳转至当前页面的
•%{User-Agent}i 请求报文中首部“User-Agent”的值;即发出请求的
应用程序,浏览器型号
[root@centos7-7 ~]#vim /etc/httpd/conf/httpd.conf
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined 系统第一种格式 ,需引号注意转译\
LogFormat "%h %l %u %t \"%r\" %>s %b" common 系统第二种格式
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a
# container, they will be logged here. Contrariwise, if you *do*
# define per- access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common (两种格式可切换)
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog "logs/access_log" combined (默认启用)
...
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log" 错误日志路径
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn 错误日志级别
站点标识: socket
IP相同,但端口不同
IP不同,但端口均为默认端口
FQDN不同: 请求报文中首部 Host: www.baidu.com
有三种实现方案:
基于ip:为每个虚拟主机准备至少一个ip地址
基于port:为每个虚拟主机使用至少一个独立的port
基于FQDN:为每个虚拟主机使用至少一个FQDN
!!!注意:一般虚拟机不要与main主机混用;因此,要使用虚拟主机,
一般先禁用main主机
禁用方法:注释中心主机的DocumentRoot指令即可!!!
ServerName FQDN
DocumentRoot “/path"
建议:上述配置存放在独立的配置文件中 /etc/httpd/conf.d/子配置文件中
•其它可用指令:
ServerAlias:虚拟主机的别名;可多次使用
ErrorLog: 错误日志
CustomLog:访问日志
Alias
ServerName www.a.com
DocumentRoot "/www/a.com/htdocs"
ServerName www.b.net
DocumentRoot "/www/b.net/htdocs"
ServerName www.c.org
DocumentRoot "/www/c.org/htdocs"
listen 808
listen 8080
ServerName www.a.com
DocumentRoot "/www/a.com/htdocs"
ServerName www.b.net
DocumentRoot "/www/b.net/htdocs"
ServerName www.c.org
DocumentRoot "/www/c.org/htdocs"
NameVirtualHost *:80 httpd2.4不需要此指令
ServerName www.a.com
DocumentRoot "/www/a.com/htdocs"
ServerName www.b.net
DocumentRoot "/www/b.net/htdocs"
ServerName www.c.org
DocumentRoot "/www/c.org/htdocs"
[root@centos7-7 ~]#cd /etc/httpd
[root@centos7-7 httpd]#ls
conf conf.d conf.modules.d logs modules run
[root@centos7-7 httpd]#vim conf.d/www.conf
ServerName www.dushan.com
DocumentRoot "/vhosts/www/htdocs"
Options none
AllowOverride none
Require all Granted
ErrorLog "/vhosts/logs/www_access_log"
CustomLog "/vhosts/logs/www_error_log" combined
[root@centos7-7 httpd]#cp conf.d/www.conf conf.d/bbs.conf
[root@centos7-7 httpd]#vim conf.d/bbs.conf
ServerName bbs.dushan.com
DocumentRoot "/vhosts/bbs/htdocs"
Options none
AllowOverride none
Require all Granted
CustomLog "/vhosts/logs/bbs_error_log" combined(指定格式)
ErrorLog "/vhosts/logs/bbs_access_log"
[root@centos7-7 httpd]#mkdir -pv /vhosts/{www,bbs}/htdocs /vhosts/logs
[root@centos7-7 httpd]#vim /vhosts/bbs/htdocs/index.html
/vhost/bbs/htdocs/index.html
[root@centos7-7 httpd]#vim /vhosts/www/htdocs/index.html
/vhosts/www/htdocs/index.html
[root@centos7-7 httpd]#ifconfig eth0:1 192.168.32.77/24 up
[root@centos7-7 httpd]#systemctl restart httpd
构建实验(只够一个ip地址都使用80端口时,名字至关重要,不一样就可以)
[root@centos7-7 httpd]#vim conf.d/www.conf
ServerName www.dushan.com 使用名字到达
ServerAlias wwws.dushan.com 也可设置别名,这样两个名字都可
DocumentRoot "/vhosts/www/htdocs"
Options none
AllowOverride none
Require all Granted
CustomLog "/vhosts/logs/www_error_log" combined(指定格式)
ErrorLog "/vhosts/logs/www_access_log"
[root@centos7-7 httpd]#vim conf.d/bbs.conf
ServerName bbs.dushan.com 设置名字
DocumentRoot "/vhosts/bbs/htdocs"
Options none
AllowOverride none
Require all Granted
CustomLog "/vhosts/logs/bbs_error_log" combined(指定格式)
ErrorLog "/vhosts/logs/bbs_access_log"
[root@centos7-7 ~]#vim /etc/hosts
192.168.32.7 www.dushan.com wwws.dushan.com bbs.dushan.com
服务器负载很轻时可打开,服务器负载较重时注意关闭。
KeepAlive on下包含两个方面:
1、KeepAliveTimeout #ms 保持连接超时时长
2、MaxKeepAliveRequests 100 最大并发请求数量
两者同时生效,哪个先到达,遵循哪个
[root@centos7-7 ~]# vim /etc/httpd/conf/httpd.conf
...
KeepAlive on
KeepAlive Timeout 10s
MaxKeepAliveRequests 100
[root@centos7-7 ~]#httpd -t
Syntax OK
[root@centos7-7 ~]#!sys
systemctl restart httpd
1、使用mod_deflate模块压缩页面优化传输速度
2、适用场景:
(1) 节约带宽,额外消耗CPU;同时,可能有些较老浏览器不支持。
(2) 压缩适于压缩的资源,例如文本文件
LoadModule deflate_module modules/mod_deflate.so 装载模块
SetOutputFilter DEFLATE 利用过滤器指定哪些类型
类型:
# Restrict compression to these MIME types
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
3、Level of compression (Highest 9 - Lowest 1) 设定压缩比DeflateCompressionLevel 9
指定命令
4、排除特定旧版本的浏览器,不支持压缩
1)Netscape 4.x 只压缩text/html
BrowserMatch ^Mozilla/4 gzip-only-text/html
2)Netscape 4.06-08三个版本 不压缩
BrowserMatch ^Mozilla/4\.0[678] no-gzip
3)Internet Explorer标识本身为“Mozilla / 4”,但实际上是能够处理请求的压缩。
如果用户代理首部匹配字符串“MSIE”(“B”为单词边界”),就关闭之前定
义的限制
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
[root@centos7-7 ~]#httpd -M |grep deflate 查看是否加载
deflate_module (shared)
[root@centos7-7 ~]#vim /etc/httpd/conf.d/deflate.conf
SetOutputFilter DEFLATE
# Restrict compression to these MIME types
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
DeflateCompressionLevel 6
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
[root@centos7-7 ~]#httpd -t
Syntax OK
[root@centos7-7 ~]#!sys
systemctl restart httpd
[root@centos7-7 ~]#cp /var/log/messages /var/www/html/
admin/ index.html index.html.origin
[root@centos7-7 ~]#cp /var/log/messages /var/www/html/index.html
cp: overwrite ‘/var/www/html/index.html’? y
[root@centos7-7 ~]#ll /var/www/html/
total 1296
drwxr-xr-x 2 root root 24 Oct 19 12:33 admin
-rw-r--r-- 1 root root 1321814 Oct 19 22:03 index.html 注意权限,若无读权限则apache用户无法访问chmod +r /var/www/html/index.html
1、https:http over ssl 基于ssl的http
2、SSL会话的简化过程
(1) 客户端发送可供选择的加密方式,并向服务器请求证书
(2) 服务器端发送证书以及选定的加密方式给客户端
(3) 客户端取得证书并进行证书验证
如果信任给其发证书的CA
(a) 验证证书来源的合法性;用CA的公钥解密证书上数字签名
(b) 验证证书的内容的合法性:完整性验证
(c) 检查证书的有效期限
(d) 检查证书是否被吊销
(e) 证书中拥有者的名字,与访问的目标主机要一致
(4) 客户端生成临时会话密钥(对称密钥),并使用服务器端的公钥加密此数据发送给服务器,完
成密钥交换
(5) 服务用此密钥加密用户请求的资源,响应给客户端
• 注意:SSL是基于IP地址实现,单IP的主机仅可以使用一个https虚拟主机
3、https实现
• (1) 为服务器申请数字证书
测试:通过私建CA发证书
(a) 创建私有CA
(b) 在服务器创建证书签署请求
(c) CA签证
• (2) 配置httpd支持使用ssl,及使用的证书
yum -y install mod_ssl
配置文件:/etc/httpd/conf.d/ssl.conf
DocumentRoot
ServerName
SSLCertificateFile
SSLCertificateKeyFile
• (3) 测试基于https访问相应的主机
openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
[root@centos7-7 ~]#cd /etc/httpd
[root@centos7-7 httpd]#ls
conf conf.d conf.modules.d logs modules run
[root@centos7-7 httpd]#mkdir ssl
[root@centos7-7 httpd]#cd ssl/
[root@centos7-7 ssl]#(umask 077; openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
......................................................................................................................+++
..................................+++
e is 65537 (0x10001)
[root@centos7-7 ssl]#ll
total 4
-rw------- 1 root root 1675 Oct 19 22:25 httpd.key
[root@centos7-7 ssl]#openssl req -new -x509 -key ./httpd.key -out httpd.crt -subj "/CN=www.dushan.com/0=dushan" -days 3650
[root@centos7-7 ssl]#yum install mod_ssl
[root@centos7-7 ssl]#cd /etc/httpd/conf.d/
[root@centos7-7 conf.d]#vim ssl.conf
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt 更改路径
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key 更改路径
重定向
Redirect [status] URL-path URL
status状态:
• Permanent: 返回永久重定向状态码 301
• Temp:返回临时重定向状态码302. 此为默认值
添加至配置文件结尾即可:
vim /etc/httpd/conf/httpd.conf 或 /etc/httpd/conf.d/*.conf
Redirect temp / https://www.dushan.com/