(一)Apache
(1)下载安装APR-Apache Portable Runtime
# cd /usr/local/src
# wget http://www.apache.org/dist/apr/apr-1.5.1.tar.gz
# tar zxvf apr-1.5.1.tar.gz
# cd /usr/local/src/apr-1.5.1
# ./configure --prefix=/usr/local/apr/1.5.1
# make clean
# make && make install
(2)下载安装APR-Util-Apache Portable Runtime Utility Library
# cd /usr/local/src
# wget http://www.apache.org/dist/apr/apr-util-1.5.3.tar.gz
# tar zxvf apr-util-1.5.3.tar.gz
# cd /usr/local/src/apr-util-1.5.3
# ./configure --prefix=/usr/local/apr-util/1.5.3 --with-apr=/usr/local/apr/1.5.1
# make clean
# make && make install
(3)下载安装httpd
# cd /usr/local/src
# wget http://archive.apache.org/dist/httpd/httpd-2.4.9.tar.gz
# tar zxvf httpd-2.4.9.tar.gz
# cd /usr/local/src/httpd-2.4.9
# ./configure \
--prefix=/usr/local/apache/2.4.9 \
--enable-expires \
--enable-proxy \
--enable-proxy-ajp \
--enable-proxy-http \
--enable-proxy-connect \
--enable-headers \
--enable-so \
--enable-rewrite \
--enable-ssl=shared \
--with-apr=/usr/local/apr/1.5.1 \
--with-apr-util=/usr/local/apr-util/1.5.3 \
--with-pcre=/usr/local/pcre/8.35 \
--with-ssl=/usr/local/ssl
# make && make install
(4)设置
日志
# cp -f /usr/local/apache/2.4.9/conf/httpd.conf /usr/local/apache/2.4.9/conf/httpd.conf.org
# vi /usr/local/apache/2.4.9/conf/httpd.conf
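# when proxy server
# %{X-Forwarded-For}i is whatever the upstream proxy sent — or whatever the client sent
# when there is no proxy in front — so it is only trustworthy behind a proxy you control;
# log %h (the peer address) as well if you need a value the client cannot choose.
#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
#CustomLog "logs/access_log" common
# The nickname here must be the one redefined above ("combined"); with "common" the
# X-Forwarded-For format is defined but never written to the log.
# NOTE(review): this build's own rotatelogs lives under /usr/local/apache/2.4.9/bin;
# /usr/sbin/rotatelogs presumably comes from the distro httpd package — confirm it exists.
CustomLog "|/usr/sbin/rotatelogs /usr/local/apache/2.4.9/logs/access_log.%Y-%m-%d 86400" combined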
ServerName
# cat /usr/local/apache/2.4.9/conf/httpd.conf | grep ServerName
# ServerName gives the name and port that the server uses to identify itself.
ServerName xxxxx
# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 xxxxx
启动
# echo "# chkconfig: 2345 99 10" >> /usr/local/apache/2.4.9/bin/apachectl
# echo "# description: Starts/Stops httpd Server" >> /usr/local/apache/2.4.9/bin/apachectl
# mv /etc/init.d/httpd /etc/init.d/httpd.org
# ln -s /usr/local/apache/2.4.9/bin/apachectl /etc/init.d/httpd
确认
# /etc/init.d/httpd start
# wget http://localhost
It works!
# /etc/init.d/httpd stop
(5)设置SSL
私钥
# mkdir -p /usr/local/apache/2.4.9/conf/cert_`date +%Y%m%d`
# cd /usr/local/apache/2.4.9/conf/cert_`date +%Y%m%d`
# openssl genrsa -des3 -out server_needpass.key 2048
Generating RSA private key, 2048 bit long modulus
................................................+++
...................+++
e is 65537 (0x10001)
Enter pass phrase for server_needpass.key: my-phrase
Verifying - Enter pass phrase for server_needpass.key: my-phrase
# openssl rsa -in server_needpass.key -out server.key
Enter pass phrase for server_needpass.key: my-phrase
writing RSA key
公钥
# openssl req -new -days 365 -key server.key -out server.csr <-第三方认证
Country Name (2 letter code) [GB]:
......
# openssl req -new -x509 -days 3650 -key server.key -out server.crt <-测试用
配置Apache的SSL认证文件
# cp /usr/local/apache/2.4.9/conf/cert_<YYYYMMDD>/server_needpass.key /usr/local/apache/2.4.9/conf/server_needpass.key
# cp /usr/local/apache/2.4.9/conf/cert_<YYYYMMDD>/server.key /usr/local/apache/2.4.9/conf/server.key
# cp /usr/local/apache/2.4.9/conf/cert_<YYYYMMDD>/server.csr /usr/local/apache/2.4.9/conf/server.csr
# cp /usr/local/apache/2.4.9/conf/cert_<YYYYMMDD>/server.crt /usr/local/apache/2.4.9/conf/server.crt
安装设置mod_ssl
# yum install mod_ssl
# vi /usr/local/apache/2.4.9/conf/httpd.conf
# mod_ssl.so is resolved relative to ServerRoot, i.e. /usr/local/apache/2.4.9/modules;
# that is where --enable-ssl=shared from the configure step places the module built
# against /usr/local/ssl. NOTE(review): a distro "mod_ssl" package installs into the
# distro's own httpd tree, not this prefix — confirm which file this line actually loads.
LoadModule ssl_module modules/mod_ssl.so
# shared-memory session cache backend; presumably needed by the SSLSessionCache
# "shmcb:..." setting in the default httpd-ssl.conf — verify against that file
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
再确认
# /etc/init.d/httpd restart
# wget http://localhost
Congratulations!
# wget https://localhost
Congratulations!
(二)Nginx
下载安装
# cd /usr/local/src/
# wget http://nginx.org/download/nginx-1.7.7.tar.gz
# tar xzvf nginx-1.7.7.tar.gz
# cd nginx-1.7.7
# ./configure \
--prefix=/usr/local/nginx-1.7.7 \
--with-pcre=/usr/local/src/pcre-8.35 \
--with-zlib=/usr/local/src/zlib-1.2.8 \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--without-http_ssi_module \
--without-http_uwsgi_module \
--with-http_realip_module
# make
# make install
# ln -s /usr/local/nginx-1.7.7 /usr/local/nginx
启动
# vi /etc/init.d/nginx
从http://wiki.nginx.org/RedHatNginxInitScript下载脚本文件后按以下修改:
9 # config: /usr/local/nginx/conf/nginx.conf
11 # pidfile: /var/run/nginx/nginx.pid
22 nginx="/usr/local/nginx/sbin/nginx"
25 NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"
# chown nginx:nginx /etc/init.d/nginx
# chmod 755 /etc/init.d/nginx
设置
# cd /usr/local/nginx/conf/
# cp nginx.conf nginx.conf.default
# vi nginx.conf
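# reverse-proxy /myproj to the Tomcat HTTP connector on this host
location /myproj {
    client_max_body_size 20M;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Standard header name. The original used the CGI-variable spelling
    # "HTTP_X_FORWARDED_FOR", which backends looking for X-Forwarded-For ignore.
    # $remote_addr overwrites any client-supplied value, so the backend only sees
    # the address nginx itself observed.
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_pass http://localhost:8080/myproj; # <= Tomcat
}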
设置SSL
# mkdir /etc/nginx/ssl
# cd /etc/nginx/ssl
# openssl req -new -x509 -sha256 -newkey rsa:2048 -days 365 -nodes -out /etc/nginx/ssl/nginx.pem -keyout /etc/nginx/ssl/nginx.key
# chmod 600 /etc/nginx/ssl/nginx.pem
# vi /usr/local/nginx/conf/nginx.conf
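server {
    # [...]
    # "ssl" on the listen directive enables TLS for this socket; the older
    # "ssl on;" form is redundant with it and is omitted here.
    listen 443 ssl;
    # The certificate (.pem) is public; it is the private key that must not be
    # readable by other users (e.g. mode 0600, owned by root) — the chmod in the
    # setup steps belongs on nginx.key rather than nginx.pem.
    ssl_certificate /etc/nginx/ssl/nginx.pem;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    # SSLv3 is broken by POODLE as of October 2014
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # make the server choose the best cipher instead of the browser
    # Perfect Forward Secrecy(PFS) is frequently compromised without this
    # (set once: nginx refuses a directive that appears twice in the same context)
    ssl_prefer_server_ciphers on;
    # support only believed secure ciphersuites using the following priority:
    # 1.) prefer PFS enabled ciphers
    # 2.) prefer AES128 over AES256 for speed (AES128 has completely adequate security for now)
    # 3.) Support DES3 for IE8 support
    #
    # disable the following ciphersuites completely
    # 1.) null ciphers
    # 2.) ciphers with low security
    # 3.) fixed ECDH cipher (does not allow for PFS)
    # 4.) known vulnerable ciphers (MD5, RC4, etc)
    # 5.) little-used ciphers (Camellia, Seed)
    #
    # The earlier permissive list (RC4, LOW, EXP, SSLv2) is dropped: besides
    # enabling known-weak suites, a second ssl_ciphers directive in the same
    # server block is a configuration error in nginx.
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # [...]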
确认
# /etc/init.d/nginx start
# wget http://localhost
# wget https://localhost
# /etc/init.d/nginx stop
(三)Jetty
下载安装
# cd /usr/local/src
# wget http://download.eclipse.org/jetty/stable-9/dist/jetty-distribution-9.2.9.v20150224.tar.gz
# tar zxvf jetty-distribution-9.2.9.v20150224.tar.gz -C /opt/
# mv /opt/jetty-distribution-9.2.9.v20150224/ /opt/jetty
# useradd -m jetty
# chown -R jetty:jetty /opt/jetty/
# ln -s /opt/jetty/bin/jetty.sh /etc/init.d/jetty
设置
# vi /etc/default/jetty
JETTY_HOME=/opt/jetty
NO_START=0
JETTY_USER=jetty
JETTY_ARGS=jetty.port=8085
JETTY_HOST=0.0.0.0
JETTY_LOGS=/opt/jetty/logs/
确认
# service jetty start
# wget http://localhost:8085
# service jetty stop
(四)Tomcat
下载安装
# cd /usr/local/src
# wget http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.57/bin/apache-tomcat-7.0.57.tar.gz
# tar xzvf apache-tomcat-7.0.57.tar.gz
# mv apache-tomcat-7.0.57 /usr/local/tomcat
# /usr/local/tomcat/bin/version.sh
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr/java/default
......
安装Tomcat daemon服务
# cp -pf /usr/local/tomcat/bin/commons-daemon-native.tar.gz /usr/local/src/
# tar xzvf commons-daemon-native.tar.gz
# cd commons-daemon-1.0.15-native-src/unix/
# ./configure --with-java=/usr/java/default
# make clean && make
# cp -f jsvc /usr/local/tomcat/bin/
安装APR
# cd /usr/local/tomcat/bin/
# tar xzvf tomcat-native.tar.gz
# cd tomcat-native-1.1.32-src/jni/native
# ./configure \
--with-apr=/usr/local/apr/1.5.1/bin/apr-1-config \
--with-java-home=/usr/java/default/ \
--prefix=/usr/local/tomcat/
# make && make install
设置
# cd /usr/local/tomcat/bin/
# vi setenv.sh
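# Where your java installation lives
JAVA_HOME=/usr/java/default
# You can pass some parameters to java
JAVA_OPTS='-server -Djava.net.preferIPv4Stack=true'
# Where your tomcat installation lives
CATALINA_HOME=/usr/local/tomcat
# What user should run tomcat
TOMCAT_USER=tomcat
# Set the TOMCAT_PID location
CATALINA_PID="/var/run/tomcat.pid"
# Add the tomcat-native (APR) library directory. Only prepend the existing value
# when it is non-empty: "$LD_LIBRARY_PATH:..." with an unset variable yields a
# leading ":", which the dynamic loader treats as an extra entry for the current
# working directory (a library-injection hazard for a service user).
LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$CATALINA_HOME/lib
export LD_LIBRARY_PATH
# jsvc options
JSVC_OPTS='-jvm server'
# JVM options. The double-quoted value may span lines; the embedded newlines act as
# argument separators as long as daemon.sh expands $CATALINA_OPTS unquoted — verify.
CATALINA_OPTS="-server -Xms1024m -Xmx1024m
-XX:PermSize=512m -XX:MaxPermSize=1024m
-Xloggc:/usr/local/tomcat/logs/gc.log
-XX:+PrintClassHistogram -XX:+PrintGCDetails"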
# cp /usr/local/tomcat/bin/daemon.sh /etc/init.d/tomcat
# echo "# chkconfig: 2345 98 11" >> /etc/init.d/tomcat
# echo "# description: Starts/Stops Tomcat Server" >> /etc/init.d/tomcat
# useradd -M tomcat
# chown -R tomcat.tomcat /usr/local/tomcat/
# vi /usr/local/tomcat/conf/tomcat-users.xml
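<?xml version='1.0' encoding='utf-8'?>
<!--
  Accounts for the Manager web application.
  manager-gui grants the HTML Manager interface (deploy/undeploy of applications),
  so this user effectively controls the server; "admin" and "manager" are presumably
  application-specific role names, as they are not Tomcat 7 manager roles.
  Replace the placeholder with a strong, unique password before starting Tomcat
  (the original snippet shipped the literal "123456").
-->
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <role rolename="manager-gui"/>
  <user username="admin" password="CHANGE-ME-strong-password" roles="admin,manager,manager-gui"/>
</tomcat-users>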
确认
# /etc/init.d/tomcat start
# wget http://localhost:8080
Congratulations!
# /etc/init.d/tomcat stop
Apache & Tomcat
Apache与Tomcat有3种连接方式:
JK、http_proxy、ajp_proxy,这里使用AJP连接。
设置Apache的AJP
# cat /dev/null > /usr/local/apache/2.4.9/conf/extra/httpd-proxy.conf
# vi /usr/local/apache/2.4.9/conf/extra/httpd-proxy.conf
<Location /myproj>
ProxyPass ajp://127.0.0.1:8009/myproj/
</Location>
# vi /usr/local/apache/2.4.9/conf/httpd.conf
Include conf/extra/httpd-proxy.conf
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
设置Tomcat
# vi /usr/local/tomcat/conf/server.xml
禁用8080端口
<!-- <Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000" redirectPort="8443" /> -->
设置URIEncoding为UTF-8
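<!-- AJP connector reached by Apache via ProxyPass ajp://127.0.0.1:8009/...
     AJP is not authenticated by default, and the HTTP connector above is disabled,
     so bind this one to loopback: nothing off-host should reach 8009 directly. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1"
           URIEncoding="UTF-8" useBodyEncodingForURI="true" />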
不输出访问日志
<!-- <Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" /> -->
确认
# /etc/init.d/tomcat stop
# /etc/init.d/tomcat start
# /etc/init.d/httpd restart
# wget http://localhost:8080
Error
# wget http://localhost
Congratulations!