Apache configuration detailed, best Apache configuration documentation

Source: Internet
Author: User

http://blog.csdn.net/apple_llb/article/details/50253889

Apache is configured through the httpd.conf file, so all of the directives below are set in httpd.conf.

Configuration of the primary site (basic configuration)

(1) Basic configuration:

    # Where your Apache software is installed. Other directories given
    # without an absolute path are relative to this directory.
    ServerRoot "/mnt/software/apache2"
    # Location of the file holding the process ID of the first httpd
    # process (the parent of all other processes).
    PidFile logs/httpd.pid
    # Port the server listens on.
    Listen 80
    # Name of the primary site (the host name of the web site).
    ServerName www.clusting.com:80
    # E-mail address of the administrator.
    ServerAdmin [email protected]
    # Where the web pages of the primary site are stored.
    DocumentRoot "/mnt/web/clusting"

The following is the access control for the directory of the primary site:

    <Directory "/mnt/web/clusting">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

The directory configuration above mainly uses the following directives.

Options: configures which features are available in a particular directory. Common values and their basic meanings:

  ExecCGI: CGI scripts may be executed in this directory.
  FollowSymLinks: the server may follow symbolic links in this directory.
  Indexes: when a user requests the directory and the home file named by DirectoryIndex (for example, index.html) cannot be found, a listing of the files in the directory is returned to the user.
  SymLinksIfOwnerMatch: a symbolic link is followed only if the owner of the link is the same as the owner of the actual file.

Other available values and their meanings can be found at: http://www.clusting.com/Apache/ApacheManual/mod/core.html#options

AllowOverride: the types of directives that are allowed in the .htaccess file (the .htaccess file name can be changed; it is determined by the AccessFileName directive):

  None: .htaccess files are not searched for under this directory (this reduces server overhead).
  All: all directives may be used in the .htaccess file.

Other available values and their meanings (such as Options, FileInfo, AuthConfig, Limit), see: http://www.clusting.com/Apache/ApacheManual/mod/core.html#AllowOverride

Order: controls which of the two access rules, Allow and Deny, takes precedence:

  Allow: the list of hosts that are allowed access (domain names or subnets can be used, for example: Allow from 192.168.0.0/...).
  Deny: the list of hosts that are denied access.

More detailed usage can be found at: http://www.clusting.com/Apache/ApacheManual/mod/mod_access.html#order

    # Home page files (this example sets them to index.html, index.htm and index.php).
    DirectoryIndex index.html index.htm index.php

(2) Server optimization (MPM: Multi-Processing Modules)

The main advantage of apache2 is its better support for multiple processors. The --with-mpm option at compile time determines the mode in which apache2 operates. To find out which mechanism the current apache2 uses, list all of Apache's modules with the httpd -l command.

prefork: if httpd -l lists prefork.c, configure the following section:

    <IfModule prefork.c>
    # Number of httpd processes started when Apache starts.
    StartServers 5
    # Minimum number of idle processes the server keeps.
    MinSpareServers 5
    # Maximum number of idle processes the server keeps.
    MaxSpareServers 10
    # Maximum number of concurrent connections.
    MaxClients ...
    # Number of requests each child process serves before it is killed.
    # 0 means no limit; the recommended setting is 1000.
    MaxRequestsPerChild ...
    </IfModule>

In this mode the server starts 5 httpd processes (6 including the parent process, as can be seen with ps -ax | grep httpd). When a client connects, Apache serves the connection with an idle process, and the parent process forks a new child process, until the number of idle processes in memory reaches MaxSpareServers. This mode exists for compatibility with some older programs. It is my default compile-time option.

worker: if httpd -l lists worker.c, configure the following section:

    <IfModule worker.c>
    # Number of httpd processes started when Apache starts.
    StartServers 2
    # Maximum number of concurrent connections.
    MaxClients ...
    # Minimum number of idle threads the server keeps.
    MinSpareThreads ...
    # Maximum number of idle threads the server keeps.
    MaxSpareThreads ...
    # Number of threads created by each child process.
    ThreadsPerChild 25
    # Number of requests each child process serves before it is killed.
    # 0 means no limit; the recommended setting is 1000.
    MaxRequestsPerChild 0
    </IfModule>

In this mode, threads listen for client connections. When a new client connects, one of the idle threads accepts the connection. The server starts two processes, and each process creates a fixed number of threads (ThreadsPerChild), so there are 50 threads at startup. When 50 threads are not enough, the server automatically forks another process, which creates 25 more threads.

perchild: if httpd -l lists perchild.c, configure the following section:

    <IfModule perchild.c>
    # Number of child processes started when the server starts.
    NumServers 5
    # Number of threads started when each child process starts.
    StartThreads 5
    # Minimum number of idle threads in memory.
    MinSpareThreads 5
    # Maximum number of idle threads.
    MaxSpareThreads 10
    # Number of requests each thread serves before it exits. 0 means unlimited.
    MaxThreadsPerChild ...
    # Number of requests each child process serves before it is forked again. 0 means unlimited.
    MaxRequestsPerChild 10000
    </IfModule>

In this mode the number of child processes is fixed and the number of threads is not limited. When a client connects to the server, an idle thread provides the service. If there are not enough idle threads, the child process automatically creates threads to serve the new connections. This mode is used for multi-site servers.

(3) HTTP response header information configuration:

    # Sets the Apache version information returned in the HTTP header.
    ServerTokens Prod

The available values and their meanings are as follows:

  Prod: software name only, for example: Apache
  Major: includes the major version number, for example: Apache/2
  Minor: includes the minor version number, for example: Apache/2.0
  Min: the full Apache version number only, for example: Apache/2.0.x
  OS: includes the operating system type, for example: Apache/2.0.x (Unix)
  Full: includes the modules supported by Apache and their version numbers, for example: Apache/2.0.x (Unix) mod_ssl/2.0.x OpenSSL/0.9.7g

    # Whether server version information appears on pages generated for errors.
    # The recommended setting is Off.
    ServerSignature Off

(4) Persistent connection settings

    # Enables persistent connections: when a client connects to the server,
    # the connection stays open after the data has been downloaded.
    KeepAlive On
    # Maximum number of requests served over one connection.
    MaxKeepAliveRequests ...
    # How long a persistent connection is kept open; if the connection does not
    # request data again within this time, it is closed. The default is 15 seconds.
    KeepAliveTimeout ...

Alias settings

For pages that are not in the directory specified by DocumentRoot, you can use either symbolic links or aliases. Aliases are set as follows:

    # Can then be accessed as: http://www.custing.com/download/
    Alias /download/ "/var/www/download/"
    # Access control settings for this directory.
    <Directory "/var/www/download">
        Options Indexes MultiViews
        AllowOverride AuthConfig
        Order allow,deny
        Allow from all
    </Directory>

CGI settings

    # Can then be accessed as: http://www.clusting.com/cgi-bin/
    # The CGI script files in this directory must have execute permission!
    ScriptAlias /cgi-bin/ "/mnt/software/apache2/cgi-bin/"
    # Directory properties.
    <Directory "/usr/local/apache2/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>

Personal home page settings (public_html)

    UserDir public_html

(The user's home page is stored in the public_html directory under the user's home directory; the URL http://www.clusting.com/~bearzhang/file.html will read the file /home/bearzhang/public_html/file.html.)

    # Lets other users read the files.
    chmod 755 /home/bearzhang

    UserDir /var/html

(The URL http://www.clusting.com/~bearzhang/file.html will read /var/html/bearzhang/file.html.)

    UserDir /var/www/*/docs

(The URL http://www.clusting.com/~bearzhang/file.html will read /var/www/bearzhang/docs/file.html.)

Log settings

(1) Error log settings

    # Where the log is saved.
    ErrorLog logs/error_log
    # Log level.
    LogLevel warn

The display format is as follows:

    [Mon Oct 15:54:29 2005] [error] [client 192.168.10.22] access to /download/ failed, reason: user admin not allowed access

(2) Access log settings

The default log formats are as follows:

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    # "common" is the name of the log format.
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%{Referer}i -> %U" referer
    LogFormat "%{User-agent}i" agent
    CustomLog logs/access_log common

The parameters in the format are as follows:

  %h: the client's IP address or host name.
  %l: the RFC 1413 identity determined by the client's identd. A "-" in the output means that this information is not available.
  %u: the name of the user who accessed the page, as determined by HTTP authentication. It is only present when authentication is used; a "-" in the output means that this information is not available.
  %t: the time at which the server finished processing the request.
  "%r": the request line sent by the client, in quotation marks; it contains a lot of useful information.
  %>s: the status code the server returned to the client.
  %b: the number of bytes returned to the client, not including the response headers.
  "%{Referer}i": the web page from which the request was submitted.
  "%{User-Agent}i": the browser identification provided by the client's browser.

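As an added example (not part of the original article), the following Python code parses lines in the common and combined formats described above and counts 401 responses per client. The function names and the sample lines are constructed for this example; it also applies the rule from Apache's log documentation that %u should not be trusted when the status is 401, because the user is not yet authenticated.

```python
import re
from collections import Counter
from datetime import datetime

# A quoted field; Apache writes embedded double quotes as \" in the log.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
# %h %l %u %t "%r" %>s %b, optionally followed by "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(\S+) (\S+) (\S+) \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\d+|-)'
    + r'(?: ' + QUOTED + r' ' + QUOTED + r')?\s*$')
FIELDS = ("host", "ident", "user", "time", "request", "status", "size",
          "referer", "agent")

def parse_line(line):
    """Parse one common/combined log line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    for key in ("ident", "user", "referer", "agent"):
        if rec[key] == "-":
            rec[key] = None          # "-" means the value was not available
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def trusted_user(rec):
    """Return %u only when the request was not answered with 401."""
    return None if rec["status"] == 401 else rec["user"]

def auth_failures(lines):
    """Count 401 responses per client host; lines that do not parse are skipped."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["status"] == 401:
            hits[rec["host"]] += 1
    return dict(hits)

# Constructed sample lines (not real traffic) in the formats described above.
SAMPLE = [
    '192.168.10.22 - bearzhang [10/Oct/2005:16:53:06 +0800] "GET /download/ HTTP/1.1" 200 1228',
    '192.168.10.22 - - [10/Oct/2005:16:53:06 +0800] "GET /icons/blank.gif HTTP/1.1" 304 -',
    '192.168.10.23 - admin [10/Oct/2005:16:54:10 +0800] "GET /download/ HTTP/1.1" 401 381',
    '192.168.10.23 - admin [10/Oct/2005:16:54:12 +0800] "GET /download/ HTTP/1.1" 401 381'
    ' "-" "demo \\"agent\\""',
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE):
        print(rec["host"], trusted_user(rec), rec["status"], rec["size"])
    print(auth_failures(SAMPLE))
```
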
The following is an example of an access log:

    192.168.10.22 - bearzhang [10/Oct/2005:16:53:06 +0800] "GET /download/ HTTP/1.1" 200 1228
    192.168.10.22 - - [10/Oct/2005:16:53:06 +0800] "GET /icons/blank.gif HTTP/1.1" 304 -
    192.168.10.22 - - [10/Oct/2005:16:53:06 +0800] "GET /icons/back.gif HTTP/1.1" 304 -

For detailed explanations of each parameter, see: http://www.clusting.com/apache/apachemanual/logs.html

User authentication configuration

(1) In httpd.conf:

    AccessFileName .htaccess
    ...
    Alias /download/ "/var/www/download/"
    <Directory "/var/www/download">
        Options Indexes
        AllowOverride AuthConfig
    </Directory>

(2) Create a password file:

    /usr/local/apache2/bin/htpasswd -c /var/httpuser/passwords bearzhang

(3) Configure the server to request a password and tell the server which users are allowed access.

    vi /var/www/download/.htaccess:

    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /var/httpuser/passwords
    Require user bearzhang
    # To allow all valid users instead:
    #Require valid-user

Virtual host configuration

(1) IP address-based virtual host configuration

    Listen 80
    <VirtualHost 172.20.30.40>
        DocumentRoot /www/example1
        ServerName www.example1.com
    </VirtualHost>
    <VirtualHost 172.20.30.50>
        DocumentRoot /www/example2
        ServerName www.example2.org
    </VirtualHost>

(2) IP and multi-port based virtual host configuration

    Listen 172.20.30.40:80
    Listen 172.20.30.40:8080
    Listen 172.20.30.50:80
    Listen 172.20.30.50:8080
    <VirtualHost 172.20.30.40:80>
        DocumentRoot /www/example1-80
        ServerName www.example1.com
    </VirtualHost>
    <VirtualHost 172.20.30.40:8080>
        DocumentRoot /www/example1-8080
        ServerName www.example1.com
    </VirtualHost>
    <VirtualHost 172.20.30.50:80>
        DocumentRoot /www/example2-80
        ServerName www.example1.org
    </VirtualHost>
    <VirtualHost 172.20.30.50:8080>
        DocumentRoot /www/example2-8080
        ServerName www.example2.org
    </VirtualHost>

(3) Domain-based virtual host configuration on a server with a single IP address:

    # Ensure that Apache listens on port 80
    Listen 80
    # Listen for virtual host requests on all IP addresses
    NameVirtualHost *:80
    <VirtualHost *:80>
        DocumentRoot /www/example1
        ServerName www.example1.com
        ServerAlias example1.com *.example1.com
        # Other directives here
    </VirtualHost>
    <VirtualHost *:80>
        DocumentRoot /www/example2
        ServerName www.example2.org
        # Other directives here
    </VirtualHost>

(4) Configure domain-based virtual hosts on a server with multiple IP addresses:

    Listen 80
    # This is the "main" server running on 172.20.30.40
    ServerName server.domain.com
    DocumentRoot /www/mainserver
    # The other address
    NameVirtualHost 172.20.30.50
    <VirtualHost 172.20.30.50>
        DocumentRoot /www/example1
        ServerName www.example1.com
        # Other directives here ...
    </VirtualHost>
    <VirtualHost 172.20.30.50>
        DocumentRoot /www/example2
        ServerName www.example2.org
        # Other directives here ...
    </VirtualHost>

(5) Run different sites on different ports (configuring domain-based virtual hosts on a multi-port server):

    Listen 80
    Listen 8080
    NameVirtualHost 172.20.30.40:80
    NameVirtualHost 172.20.30.40:8080
    <VirtualHost 172.20.30.40:80>
        ServerName www.example1.com
        DocumentRoot /www/domain-80
    </VirtualHost>
    <VirtualHost 172.20.30.40:8080>
        ServerName www.example1.com
        DocumentRoot /www/domain-8080
    </VirtualHost>
    <VirtualHost 172.20.30.40:80>
        ServerName www.example2.org
        DocumentRoot /www/otherdomain-80
    </VirtualHost>
    <VirtualHost 172.20.30.40:8080>
        ServerName www.example2.org
        DocumentRoot /www/otherdomain-8080
    </VirtualHost>

(6) Configuration of mixed domain-based and IP-based virtual hosts:

    Listen 80
    NameVirtualHost 172.20.30.40
    <VirtualHost 172.20.30.40>
        DocumentRoot /www/example1
        ServerName www.example1.com
    </VirtualHost>
    <VirtualHost 172.20.30.40>
        DocumentRoot /www/example2
        ServerName www.example2.org
    </VirtualHost>
    <VirtualHost 172.20.30.40>
        DocumentRoot /www/example3
        ServerName www.example3.net
    </VirtualHost>

SSL encryption configuration

First, some basic concepts before configuring.

The concept of certificates: there is first a root certificate, and the root certificate is then used to issue the server certificate and the client certificate. In general terms, the server certificate and the client certificate are peers. SSL must have a server certificate installed in order to authenticate. Therefore, in this environment there must be at least three certificates: the root certificate, the server certificate and the client certificate. Before a certificate is generated there is normally a private key; the private key is used to generate a certificate request, and the root certificate of the certificate server is then used to issue the certificate.

The certificates used by SSL can be generated yourself, or they can be signed by a commercial CA such as VeriSign or Thawte.

Issuing certificates: if you use a commercial certificate, see the vendor's instructions for the specific signing method. If you issue the certificate yourself, you can use the CA.sh script that comes with openssl. If you do not issue a separate certificate for the client, the client certificate does not have to be generated, and the client uses the same certificate as the server side.

(1) The main parameters in the conf/ssl.conf configuration file are configured as follows:

    Listen 443
    SSLPassPhraseDialog builtin
    #SSLPassPhraseDialog exec:/path/to/program
    SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache
    SSLSessionCacheTimeout ...
    SSLMutex file:/usr/local/apache2/logs/ssl_mutex
    <VirtualHost _default_:443>
    # General setup for the virtual host
    DocumentRoot "/usr/local/apache2/htdocs"
    ServerName www.example.com:443
    ServerAdmin [email protected]
    ErrorLog /usr/local/apache2/logs/error_log
    TransferLog /usr/local/apache2/logs/access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
    CustomLog /usr/local/apache2/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

(2) Create and use a self-signed certificate:

a. Create an RSA private key for your Apache server

    /usr/local/openssl/bin/openssl genrsa -des3 -out /usr/local/apache2/conf/ssl.key/server.key 1024

b. Create a Certificate Signing Request (CSR)

    /usr/local/openssl/bin/openssl req -new -key /usr/local/apache2/conf/ssl.key/server.key -out /usr/local/apache2/conf/ssl.key/server.csr

c. Create a self-signed CA certificate (X509 structure) with the RSA key of the CA

    /usr/local/openssl/bin/openssl req -x509 -days 365 -key /usr/local/apache2/conf/ssl.key/server.key -in /usr/local/apache2/conf/ssl.key/server.csr -out /usr/local/apache2/conf/ssl.crt/server.crt

    /usr/local/openssl/bin/openssl genrsa -out server.key 1024
    /usr/local/openssl/bin/openssl req -new -key server.key -out server.csr
    /usr/local/openssl/bin/openssl req -x509 -days 365 -key server.key -in server.csr -out server.crt

(3) Create your own CA (certificate authority) and use that CA to sign the server's certificate.

    mkdir /CA
    cd /CA
    cp openssl-0.9.7g/apps/CA.sh /CA
    ./CA.sh -newca
    openssl genrsa -des3 -out server.key 1024
    openssl req -new -key server.key -out server.csr
    cp server.csr newreq.pem
    ./CA.sh -sign
    cp newcert.pem /usr/local/apache2/conf/ssl.crt/server.crt
    cp server.key /usr/local/apache2/conf/ssl.key/
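
As an added example (not part of the original article or of Apache itself), this Python lint checks httpd.conf text for settings the article discusses: ServerTokens and ServerSignature, Options Indexes on a directory, and weak classes named in SSLCipherSuite, such as the LOW, SSLv2, EXP and eNULL entries in the ssl.conf line above. The function names, the WEAK list and the SAMPLE fragment (with ServerSignature On set only to produce a finding) are assumptions of this example, and the cipher check is a heuristic on the string rather than a query of OpenSSL.

```python
# Cipher-class keywords that select weak or unencrypted suites (this example's list).
WEAK = {"eNULL", "NULL", "aNULL", "ADH", "EXP", "EXPORT40", "EXPORT56",
        "LOW", "SSLv2", "RC4"}

def weak_cipher_classes(spec):
    """Heuristic: weak classes named in an SSLCipherSuite value and not removed with '!'."""
    named, killed = set(), set()
    for item in spec.replace(" ", "").split(":"):
        op = item[0] if item[:1] in ("!", "-", "+") else ""
        parts = set(item[len(op):].split("+")) & WEAK
        if op == "!":
            killed |= parts      # '!' deletes the class permanently
        elif op != "-":
            named |= parts       # plain and '+' items leave the class selectable
    return sorted(named - killed)

def audit(conf_text):
    """Return (line_number, message) findings for httpd.conf-style text."""
    findings, section = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):
            if line.startswith("</"):
                section = section[:-1]           # leave the enclosing section
            else:
                section.append(line.strip("<>"))
            continue
        name, _, args = line.partition(" ")
        key, args = name.lower(), args.strip()   # directive names are case-insensitive
        where = section[-1] if section else "server config"
        if key == "servertokens" and args.lower() != "prod":
            findings.append((no, "ServerTokens is not Prod"))
        elif key == "serversignature" and args.lower() != "off":
            findings.append((no, "ServerSignature is not Off"))
        elif key == "options" and "indexes" in [a.lstrip("+").lower() for a in args.split()]:
            findings.append((no, "directory listing (Indexes) in " + where))
        elif key == "sslciphersuite" and weak_cipher_classes(args):
            findings.append((no, "weak cipher classes: " + ", ".join(weak_cipher_classes(args))))
    return findings

# Constructed httpd.conf fragment built from values that appear in this article.
SAMPLE = """\
ServerTokens Prod
ServerSignature On
<Directory "/var/www/download">
    Options Indexes MultiViews
    AllowOverride AuthConfig
</Directory>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
"""

if __name__ == "__main__":
    for no, msg in audit(SAMPLE):
        print(f"line {no}: {msg}")
```
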
