An explanation of Apache configuration

Source: Internet
Author: User
Tags: aliases, http, authentication

Apache is configured through the httpd.conf file, so every directive discussed below is set in httpd.conf. Directive names are case-insensitive; they are written here in the spelling used by the Apache manual. The examples were written for Apache 2.0 (the versions quoted later are Apache 2.0.54 and OpenSSL 0.9.7g); where a directive has since been removed or replaced, this is noted.
Configuration of the primary site (basic configuration)

(1) Basic configuration:
ServerRoot "/mnt/software/apache2"    # where Apache is installed; any other path that is not absolute is taken relative to this directory.

PidFile logs/httpd.pid                # file holding the process ID of the first httpd process (the parent of all the others).

Listen 80                             # port (optionally address:port) the server listens on.

ServerName www.clusting.com:80        # name of the primary site (host name of the web site).

ServerAdmin [email protected]          # administrator's e-mail address.

DocumentRoot "/mnt/web/clusting"      # where the primary site's pages are stored.


The following is the access control for the primary site's directory:

<Directory "/mnt/web/clusting">
Options FollowSymLinks
AllowOverride None
Order Allow,Deny
Allow from all
</Directory>

The directory section above uses the following settings:

Options: selects which features are enabled in a particular directory. Common values and their meanings:

ExecCGI: CGI scripts may be executed from this directory.

FollowSymLinks: symbolic links under this directory are followed. A link can point anywhere on the file system, so with this option a link created inside DocumentRoot exposes whatever it points to.

Indexes: when a user requests the directory and none of the files named by DirectoryIndex (for example index.html) exists, a listing of the directory's files is returned. Leave it off on directories whose contents are not meant to be browsed.

SymLinksIfOwnerMatch: a symbolic link is followed only if the link and the file it points to have the same owner; this is the safer choice on shared hosts.

The other available values and their meanings are described at: http://www.clusting.com/Apache/ApacheManual/mod/core.html#options


AllowOverride: which kinds of directive may appear in .htaccess files (the file name is set by the AccessFileName directive and can be changed):
None: when AllowOverride is set to None, Apache does not even look for .htaccess files under this directory (this also reduces server overhead, since otherwise every directory on the path is checked on each request).

All: every directive permitted in .htaccess files may be used.

The other available values (such as Options, FileInfo, AuthConfig, Limit) and their meanings are described at: http://www.clusting.com/Apache/ApacheManual/mod/core.html#AllowOverride

Order: controls the order in which the Allow and Deny rules are evaluated, and therefore which one takes precedence and what happens to hosts that match neither:

Allow,Deny: access is denied by default; a host is admitted only if it matches an Allow rule and does not match any Deny rule.

Deny,Allow: access is allowed by default; a host is refused only if it matches a Deny rule and does not match any Allow rule (so an "Allow from all" under Deny,Allow cancels every Deny).

Allow: the list of hosts that are allowed access (domain names, IP addresses, partial addresses or subnets, for example: Allow from 192.168.0.0/16).

Deny: the list of hosts that are denied access.

These three directives belong to mod_access (mod_authz_host in Apache 2.2); in Apache 2.4 they are replaced by Require ip, Require all granted and Require all denied. More detailed usage is described at: http://www.clusting.com/Apache/ApacheManual/mod/mod_access.html#order

DirectoryIndex index.html index.htm index.php    # the home page file(s); this example looks for index.html, index.htm and index.php, in that order.
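The Order/Allow/Deny rules above are the part of this configuration that people most often get backwards, so here is an added example (my own Python, not code from the page or from Apache) that evaluates a directory section the way mod_access does: it reads Order, Allow from and Deny from, matches the client address against "all", a full IP, a partial IP such as 192.168, a CIDR prefix or a dotted netmask, and returns whether the request is admitted. Domain-name hosts, which mod_access resolves with a reverse DNS lookup, are deliberately not handled. The sample sections and client addresses are constructed for the example; the first section is the page's own primary-site block.

```python
import ipaddress


def host_matches(spec, client_ip):
    """Does one Allow/Deny host specification match client_ip?
    Forms handled (as in mod_access): all, a full IP, a partial IP such as
    192.168, network/CIDR and network/dotted-netmask. Host names are not
    handled here: mod_access resolves them with a reverse DNS lookup."""
    spec = spec.strip().lower()
    if spec == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in spec:
        # ip_network accepts both 192.168.0.0/16 and 192.168.0.0/255.255.0.0
        return ip in ipaddress.ip_network(spec, strict=False)
    parts = spec.split(".")
    if 0 < len(parts) < 4 and all(p.isdigit() for p in parts):
        # partial address: leading octets only, e.g. "192.168" or "10"
        return str(ip).startswith(spec + ".")
    try:
        return ip == ipaddress.ip_address(spec)
    except ValueError:
        return False  # a host name; would need a reverse lookup


def is_allowed(order, allow, deny, client_ip):
    """Apply the Order rule to the host lists of 'Allow from' and 'Deny from'."""
    matched_allow = any(host_matches(s, client_ip) for s in allow)
    matched_deny = any(host_matches(s, client_ip) for s in deny)
    order = order.strip().lower()
    if order in ("allow,deny", "mutual-failure"):
        # default deny: must hit an Allow and must not hit any Deny
        return matched_allow and not matched_deny
    if order == "deny,allow":
        # default allow: refused only by a Deny that no Allow overrides
        return not (matched_deny and not matched_allow)
    raise ValueError(f"unknown Order value: {order!r}")


def evaluate_section(section, client_ip):
    """Parse the Order/Allow/Deny lines of one <Directory> section (other
    directives are ignored) and decide access for client_ip. httpd's default
    when no Order directive is present is Deny,Allow."""
    order, allow, deny = "Deny,Allow", [], []
    for raw in section.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()
        if name == "order" and len(parts) >= 2:
            order = parts[1]
        elif name in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if name == "allow" else deny).extend(parts[2:])
    return is_allowed(order, allow, deny, client_ip)


# Constructed sections. OPEN_SECTION is the page's primary-site block; the next
# two share identical Allow/Deny lines and differ only in Order.
OPEN_SECTION = """
<Directory "/mnt/web/clusting">
    Options FollowSymLinks
    AllowOverride None
    Order Allow,Deny
    Allow from all
</Directory>
"""

BLOCK_ONE_HOST_ALLOW_DENY = """
    Order Allow,Deny
    Allow from all
    Deny from 203.0.113.7
"""

BLOCK_ONE_HOST_DENY_ALLOW = """
    Order Deny,Allow
    Allow from all
    Deny from 203.0.113.7
"""

LAN_ONLY = """
    Order Deny,Allow
    Deny from all
    Allow from 192.168.0.0/16 10.0.0.0/255.0.0.0
"""

if __name__ == "__main__":
    cases = [("open", OPEN_SECTION), ("Allow,Deny", BLOCK_ONE_HOST_ALLOW_DENY),
             ("Deny,Allow", BLOCK_ONE_HOST_DENY_ALLOW), ("lan only", LAN_ONLY)]
    for label, section in cases:
        for ip in ("203.0.113.7", "192.168.4.9", "10.20.30.40", "198.51.100.1"):
            verdict = "allowed" if evaluate_section(section, ip) else "denied"
            print(f"{label:12} {ip:15} -> {verdict}")
```

Running it shows the trap: with Order Allow,Deny the "Deny from 203.0.113.7" line blocks that host, but with Order Deny,Allow and the same two lines the "Allow from all" wins and 203.0.113.7 is admitted, so a Deny list under Deny,Allow only works when there is no blanket Allow.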


(2) Tuning the server (MPM: multi-processing modules)
The main advantage of Apache 2 is its better support for multiprocessor machines. The --with-mpm option at compile time decides which mode of operation Apache 2 uses. To find out which MPM the installed Apache 2 was built with, list the compiled-in modules with the httpd -l command:

prefork: if httpd -l lists prefork.c, configure the following section:

<IfModule prefork.c>

StartServers 5             # number of httpd child processes started when Apache starts.

MinSpareServers 5          # minimum number of idle child processes the server keeps.

MaxSpareServers            # maximum number of idle child processes the server keeps.

MaxClients                 # maximum number of simultaneous connections (one child process each).

MaxRequestsPerChild        # number of requests a child process serves before it is killed and replaced. 0 means no limit; 1000 is the recommended setting.

</IfModule>


In this mode the server starts 5 child httpd processes (6 httpd processes in total, including the parent, as ps ax | grep httpd shows). When a client connects, Apache hands the connection to an idle child; the parent forks new children as needed until the number of idle children reaches MaxSpareServers. Each child handles one connection at a time and there are no threads, which is what makes prefork compatible with older, non-thread-safe modules and libraries; it is the MPM selected by default at compile time on Unix. MaxRequestsPerChild also bounds how long a leaking child lives, so keep it non-zero when third-party modules are loaded.

worker: if httpd -l lists worker.c, configure the following section:

<IfModule worker.c>

StartServers 2             # number of child processes started when Apache starts.

MaxClients                 # maximum number of simultaneous connections (worker threads over all children).

MinSpareThreads            # minimum number of idle threads the server keeps.

MaxSpareThreads            # maximum number of idle threads the server keeps.

ThreadsPerChild 25         # number of threads each child process creates.

MaxRequestsPerChild 0      # number of requests a child process serves before it is killed and replaced. 0 means no limit; 1000 is the recommended setting.

</IfModule>


In this mode each child process runs a fixed number of threads, and it is the threads that service client connections: when a new client connects, one of the idle threads accepts it. The server starts two processes and each process creates ThreadsPerChild (here 25) threads, so there are 50 threads at startup. When those 50 threads are not enough, the server forks another process, which brings 25 more threads. MaxClients caps the total number of threads; it should be a multiple of ThreadsPerChild and cannot exceed ServerLimit times ThreadsPerChild. Because the threads of one child share an address space, every module loaded under worker must be thread-safe.


perchild: if httpd -l lists perchild.c, configure the following section:

<IfModule perchild.c>

NumServers 5               # number of child processes started with the server.

StartThreads 5             # number of threads each child process starts with.

MinSpareThreads 5          # minimum number of idle threads kept in memory.

MaxSpareThreads            # maximum number of idle threads.

MaxThreadsPerChild         # maximum number of threads a child process may grow to. 0 means unlimited.

MaxRequestsPerChild 10000  # number of requests a child process serves before it is re-forked. 0 means unlimited.

</IfModule>

In this mode the number of child processes is fixed (NumServers) and each child grows and shrinks its own pool of threads, up to MaxThreadsPerChild. When a client connects, an idle thread serves it; when there are not enough idle threads the child creates more for the new connections. The mode was designed for servers hosting many sites, because each child can run as a different user. Note that perchild was experimental in Apache 2.0, never worked reliably and was dropped from later releases; on a current server choose prefork, worker or event instead.
(3) HTTP response header information:

ServerTokens Prod          # controls how much Apache version information is sent in the Server response header. The available values are:

Prod: product name only, for example: Apache
Major: adds the major version number, for example: Apache/2
Minor: adds the minor version number, for example: Apache/2.0
Min (Minimal): the full Apache version number only, for example: Apache/2.0.54
OS: adds the operating system type, for example: Apache/2.0.54 (Unix)
Full: adds the loaded modules and their versions, for example: Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7g
ServerSignature Off        # whether server version information is added to the footer of server-generated pages (error pages, directory listings). Setting it to Off is recommended. Note that ServerTokens Prod and ServerSignature Off only trim what the server volunteers; they do not stop a scanner from fingerprinting the version by other means.


(4) Persistent connections

KeepAlive On               # enables persistent connections: the client's TCP connection stays open after the response is delivered and is reused for further requests.

MaxKeepAliveRequests       # maximum number of requests served over one persistent connection.

KeepAliveTimeout 15        # seconds a persistent connection waits for the next request before the server closes it. The default is 15 seconds; a long timeout ties up one process (prefork) or thread (worker) per idle client, which is easy to exhaust.

Alias settings
Pages that do not live under the DocumentRoot can be published either with symbolic links or with aliases. An alias is set up as follows:

Alias /download/ "/var/www/download/"    # then reachable as: http://www.clusting.com/download/

<Directory "/var/www/download">          # access control for the aliased directory
Options Indexes MultiViews
AllowOverride AuthConfig
Order Allow,Deny
Allow from all
</Directory>

With Options Indexes every file in /var/www/download is listed to anyone who requests the directory, so use it only for a directory that is meant to be browsed. Note also that the Alias line maps the directory, while the <Directory> section is what controls access to it; an Alias without a matching <Directory> section inherits whatever the default permissions for the file-system path are.


CGI settings

ScriptAlias /cgi-bin/ "/mnt/software/apache2/cgi-bin/"    # reachable as: http://www.clusting.com/cgi-bin/. The CGI scripts in this directory must have execute permission.

<Directory "/mnt/software/apache2/cgi-bin">              # directory properties
AllowOverride None
Options None
Order Allow,Deny
Allow from all
</Directory>

Everything under a ScriptAlias directory is executed rather than served, and it runs as the httpd user, so keep the directory outside DocumentRoot (as here) and writable only by the administrator.


Settings for personal home pages (public_html)

UserDir public_html (a user's pages are stored in the public_html directory under the user's home directory: http://www.clusting.com/~bearzhang/file.html reads /home/bearzhang/public_html/file.html)

chmod 755 /home/bearzhang    # so that the httpd user can traverse the home directory and read the files.

UserDir /var/html (the URL http://www.clusting.com/~bearzhang/file.html reads /var/html/bearzhang/file.html)

UserDir /var/www/*/docs (the URL http://www.clusting.com/~bearzhang/file.html reads /var/www/bearzhang/docs/file.html)

Whichever form is used, add "UserDir disabled root" (and disable any other system accounts) so that /~root/ never maps to the root user's home directory.

Log settings

(1) Error log settings
ErrorLog logs/error_log    # where the log is saved (relative to ServerRoot)
LogLevel warn              # lowest severity that is logged

An entry looks like this:
[Mon Oct 10 15:54:29 2005] [error] [client 192.168.10.22] access to /download/ failed, reason: user admin not allowed access

(2) Access log settings

Several log formats are defined by default:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common            # common is the name given to the format
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog logs/access_log common


The fields in the format have the following meanings:

%h: the client's IP address (or its host name, if HostnameLookups is On).

%l: the RFC 1413 identity reported by the client's identd; "-" means the information is not available, which is almost always the case.

%u: the user name with which the client authenticated to HTTP authentication; only valid when authentication was required, "-" otherwise, and possibly bogus when the status is 401.

%t: the time the request was received.

"%r": the request line sent by the client, in quotation marks (method, path and protocol), which carries most of the useful information.

%>s: the final status code returned to the client.

%b: the number of bytes sent in the response body, not counting the headers; "-" when nothing was sent.

"%{Referer}i": the Referer request header, i.e. the page from which the request was made.

"%{User-Agent}i": the User-Agent request header, i.e. the browser identification the client reports.

Both header fields are supplied by the client and can contain anything, including quotes and control characters chosen to confuse log parsers, so treat them as untrusted input when processing the log.

The following is an example of an access log (common format):
192.168.10.22 - bearzhang [10/Oct/2005:16:53:06 +0800] "GET /download/ HTTP/1.1" 200 1228
192.168.10.22 - - [10/Oct/2005:16:53:06 +0800] "GET /icons/blank.gif HTTP/1.1" 304 -
192.168.10.22 - - [10/Oct/2005:16:53:06 +0800] "GET /icons/back.gif HTTP/1.1" 304 -

For a detailed explanation of each parameter, please refer to: http://www.clusting.com/Apache/ApacheManual/logs.html
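An access log in the common or combined format is where failed logins, traversal probes and attempts to fetch .htaccess/.htpasswd first show up. The following is an added example (my own Python, not code from the page) that parses both formats with one expression and runs those three detections over a constructed sample: the page's three lines plus a few lines invented for a probing client at 10.0.0.7 and one unparseable line. The field names, the threshold and the sample lines are my own choices.

```python
import re
from collections import Counter

# One expression for both formats: the optional trailing group holds the
# Referer and User-Agent fields that "combined" adds to "common".
LOG_LINE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)


def parse_line(line):
    """Turn one access_log line into a dict, or None if it is not common/combined."""
    m = LOG_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    req = rec["request"].split(" ")
    rec["method"] = req[0] if req else ""
    rec["path"] = req[1] if len(req) > 1 else ""
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def audit(lines, threshold=3):
    """Run a few detections over access-log lines:
    - denied: 401/403 responses per client address
    - brute_force: clients with at least `threshold` 401s (repeated bad credentials)
    - traversal: requests whose path contains '..' raw or percent-encoded
    - dotfile_probes: requests for .ht* files, which the stock httpd.conf refuses
    """
    denied, unauthorized = Counter(), Counter()
    traversal, dotfile_probes, users = [], [], set()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["user"] != "-":
            users.add(rec["user"])
        if rec["status"] in (401, 403):
            denied[rec["host"]] += 1
        if rec["status"] == 401:
            unauthorized[rec["host"]] += 1
        low = rec["path"].lower()
        if ".." in low or "%2e%2e" in low:
            traversal.append((rec["host"], rec["path"]))
        if re.search(r"/\.ht", rec["path"]):
            dotfile_probes.append((rec["host"], rec["path"], rec["status"]))
    return {
        "denied": dict(denied),
        "brute_force": sorted(h for h, n in unauthorized.items() if n >= threshold),
        "traversal": traversal,
        "dotfile_probes": dotfile_probes,
        "users": sorted(users),
        "unparsed": unparsed,
    }


# Constructed sample: the page's three lines, then lines invented for this example.
SAMPLE_LOG = """\
192.168.10.22 - bearzhang [10/Oct/2005:16:53:06 +0800] "GET /download/ HTTP/1.1" 200 1228
192.168.10.22 - - [10/Oct/2005:16:53:06 +0800] "GET /icons/blank.gif HTTP/1.1" 304 -
192.168.10.22 - - [10/Oct/2005:16:53:06 +0800] "GET /icons/back.gif HTTP/1.1" 304 -
10.0.0.7 - - [10/Oct/2005:16:55:01 +0800] "GET /download/ HTTP/1.1" 401 482 "-" "curl/7.15.0"
10.0.0.7 - - [10/Oct/2005:16:55:02 +0800] "GET /download/ HTTP/1.1" 401 482 "-" "curl/7.15.0"
10.0.0.7 - - [10/Oct/2005:16:55:03 +0800] "GET /download/ HTTP/1.1" 401 482 "-" "curl/7.15.0"
10.0.0.7 - - [10/Oct/2005:16:55:04 +0800] "GET /download/.htpasswd HTTP/1.1" 403 291 "-" "curl/7.15.0"
10.0.0.7 - - [10/Oct/2005:16:55:05 +0800] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 292 "-" "curl/7.15.0"
this line is not in any Apache log format
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG.splitlines()).items():
        print(f"{key:15} {value}")
```

Note that 304 and 404 responses are not counted as denials: the second and third page lines are ordinary cache revalidations, and the traversal attempt shows up under "traversal" rather than "denied" even though it failed.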


User authentication configuration
(1) In httpd.conf:
AccessFileName .htaccess
.........
Alias /download/ "/var/www/download/"
<Directory "/var/www/download">
Options Indexes
AllowOverride AuthConfig
</Directory>
(2) Create the password file (-c creates a new file; omit it when adding further users, or the existing file is overwritten):
/usr/local/apache2/bin/htpasswd -c /var/httpuser/passwords bearzhang

(3) Configure the server to ask for a password and tell it which users are allowed in:
vi /var/www/download/.htaccess:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /var/httpuser/passwords
Require user bearzhang
#Require valid-user            # any user listed in the password file

Keep the password file outside DocumentRoot (as /var/httpuser is here) so that it can never be served, and remember that Basic authentication sends the user name and password base64-encoded, not encrypted, with every request: restrict it to HTTPS (see the SSL section) or use it only on a trusted network.
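What htpasswd writes into /var/httpuser/passwords, and how the server checks a submitted password against it, is worth seeing once. The following is an added example (my own Python, not code from the page, from htpasswd or from mod_auth) that re-implements the $apr1$ hash that htpasswd -m produces (a port of APR's apr_md5_encode: MD5 over password, magic and salt, mixed with a second digest, then 1000 fixed rounds) and the {SHA} form of htpasswd -s, and verifies a user against a file in htpasswd format. The sample file, its user names and passwords are constructed here; the plain-text form is only accepted because htpasswd -p can write it.

```python
import base64
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base-64 used by apr1: 6 bits per character, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt=None):
    """$apr1$salt$hash as written by 'htpasswd -m', following apr_md5_encode()."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]
    pw, sb = password.encode("utf-8"), salt.encode("ascii")
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:                       # mix in the alternate digest, password-length bytes of it
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                           # one byte per bit of the password length
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):              # fixed 1000 rounds: cheap by today's standards
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    enc += _to64(final[11], 2)
    return f"$apr1${salt}${enc}"


def sha1_hash(password):
    """{SHA} form written by 'htpasswd -s': unsalted, base-64 SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_password(stored, password):
    """Check a password against one stored hash field the way mod_auth does."""
    if stored.startswith("$apr1$"):
        candidate = apr1_hash(password, stored.split("$")[2])
    elif stored.startswith("{SHA}"):
        candidate = sha1_hash(password)
    else:
        candidate = password           # plain text (htpasswd -p); crypt(3) entries are not handled
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


def check_htpasswd(file_text, user, password):
    """Look up user in htpasswd-format text (user:hash per line) and verify password."""
    for line in file_text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name == user:
            return verify_password(stored, password)
    return False


# Constructed password file for the page's user plus a {SHA} entry; the hashes are
# generated here, not copied from a real server.
SAMPLE_HTPASSWD = "\n".join([
    "bearzhang:" + apr1_hash("correct horse", "r31....."),
    "legacy:" + sha1_hash("battery staple"),
])

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD)
    print(check_htpasswd(SAMPLE_HTPASSWD, "bearzhang", "correct horse"))
    print(check_htpasswd(SAMPLE_HTPASSWD, "bearzhang", "wrong"))
```

To confirm the port, run htpasswd -nbm bearzhang 'correct horse' on your own server and feed the salt it chose to apr1_hash. Both formats here are weak by current standards (fixed 1000 MD5 rounds, and unsalted SHA-1), which is why the htpasswd shipped with Apache 2.4 offers bcrypt with the -B option.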

Configuration of virtual hosts
(1) IP-address-based virtual hosts
Listen 80
<VirtualHost 172.20.30.40>
DocumentRoot /www/example1
ServerName www.example1.com
</VirtualHost>
<VirtualHost 172.20.30.50>
DocumentRoot /www/example2
ServerName www.example2.org
</VirtualHost>


(2) Virtual hosts based on IP address and several ports
Listen 172.20.30.40:80
Listen 172.20.30.40:8080
Listen 172.20.30.50:80
Listen 172.20.30.50:8080

<VirtualHost 172.20.30.40:80>
DocumentRoot /www/example1-80
ServerName www.example1.com
</VirtualHost>

<VirtualHost 172.20.30.40:8080>
DocumentRoot /www/example1-8080
ServerName www.example1.com
</VirtualHost>

<VirtualHost 172.20.30.50:80>
DocumentRoot /www/example2-80
ServerName www.example2.org
</VirtualHost>

<VirtualHost 172.20.30.50:8080>
DocumentRoot /www/example2-8080
ServerName www.example2.org
</VirtualHost>

(3) Name-based virtual hosts on a server with a single IP address:
# Ensure that Apache listens on port 80
Listen 80

# Listen for virtual host requests on all IP addresses
NameVirtualHost *:80

<VirtualHost *:80>
DocumentRoot /www/example1
ServerName www.example1.com
ServerAlias example1.com *.example1.com
# Other directives here
</VirtualHost>

<VirtualHost *:80>
DocumentRoot /www/example2
ServerName www.example2.org
# Other directives here
</VirtualHost>

The first <VirtualHost> for an address is its default: a request whose Host header matches none of the ServerName or ServerAlias values, or that carries no Host header at all, is served by www.example1.com. If that is not intended, list a catch-all virtual host first. NameVirtualHost is required in Apache 2.0 and 2.2; in 2.4 every address is name-based and the directive only produces a warning.

(4) Name-based virtual hosts on a server with multiple IP addresses:
Listen 80

# This is the "main" server running on 172.20.30.40
ServerName server.domain.com
DocumentRoot /www/mainserver

# This is the other address
NameVirtualHost 172.20.30.50

<VirtualHost 172.20.30.50>
DocumentRoot /www/example1
ServerName www.example1.com
# Other directives ...
</VirtualHost>

<VirtualHost 172.20.30.50>
DocumentRoot /www/example2
ServerName www.example2.org
# Other directives ...
</VirtualHost>

(5) Running different sites on different ports (name-based virtual hosts on a server with several ports):
Listen 80
Listen 8080

NameVirtualHost 172.20.30.40:80
NameVirtualHost 172.20.30.40:8080

<VirtualHost 172.20.30.40:80>
ServerName www.example1.com
DocumentRoot /www/domain-80
</VirtualHost>

<VirtualHost 172.20.30.40:8080>
ServerName www.example1.com
DocumentRoot /www/domain-8080
</VirtualHost>

<VirtualHost 172.20.30.40:80>
ServerName www.example2.org
DocumentRoot /www/otherdomain-80
</VirtualHost>

<VirtualHost 172.20.30.40:8080>
ServerName www.example2.org
DocumentRoot /www/otherdomain-8080
</VirtualHost>

(6) Mixed name-based and IP-based virtual hosts:
Listen 80

NameVirtualHost 172.20.30.40

<VirtualHost 172.20.30.40>
DocumentRoot /www/example1
ServerName www.example1.com
</VirtualHost>

<VirtualHost 172.20.30.40>
DocumentRoot /www/example2
ServerName www.example2.org
</VirtualHost>

<VirtualHost 172.20.30.40>
DocumentRoot /www/example3
ServerName www.example3.net
</VirtualHost>

The three hosts above share 172.20.30.40 and are told apart by name. A <VirtualHost> for a different address that is not declared with NameVirtualHost (say 172.20.30.50) is an IP-based host in the same configuration: it receives every request arriving on that address, whatever the Host header says.
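Which virtual host answers a given request is the security question behind all six layouts above, because an unmatched Host header lands on a default that is easy to forget. The following is an added example (my own Python, not code from the page or from httpd) that parses the <VirtualHost> blocks of a configuration fragment and applies the selection rules: vhosts for the exact address beat wildcard ones, ports must agree, the first ServerName/ServerAlias match wins, and otherwise the first vhost listed for that address is used. The rules are Apache 2.4's, where every address is name-based; for the 2.0 configurations above they give the same answers as long as NameVirtualHost was declared for each shared address. The sample configuration is the page's example (3) with one extra IP-based host on 172.20.30.50 added by me; the addresses and host names in the test calls are constructed.

```python
from fnmatch import fnmatchcase


def parse_vhosts(config_text):
    """Collect the <VirtualHost addr[:port]> blocks of a httpd.conf fragment.
    Only ServerName, ServerAlias and DocumentRoot are kept; directive names are
    case-insensitive as in httpd. Bracketed IPv6 addresses are not handled."""
    vhosts, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if low.startswith("<virtualhost"):
            addr = line[len("<virtualhost"):].strip(" >")
            host, sep, port = addr.rpartition(":")
            if not sep:                        # no ":port" part: any port
                host, port = addr, "*"
            current = {"addr": host.lower(), "port": None if port == "*" else int(port),
                       "names": [], "docroot": None}
            vhosts.append(current)
        elif low == "</virtualhost>":
            current = None
        elif current is not None:
            parts = line.split()
            name = parts[0].lower()
            if name == "servername" and len(parts) > 1:
                current["names"].insert(0, parts[1].split(":")[0].lower())
            elif name == "serveralias":
                current["names"].extend(a.lower() for a in parts[1:])
            elif name == "documentroot" and len(parts) > 1:
                current["docroot"] = parts[1].strip('"')
    return vhosts


def select_vhost(vhosts, conn_ip, conn_port, host_header):
    """Return the vhost httpd would use for a connection to conn_ip:conn_port
    carrying the given Host header, or None when the main server handles it.
      1. vhosts for the exact IP beat '*' / '_default_' ones; ports must agree;
      2. among those, the first whose ServerName/ServerAlias matches Host wins;
      3. otherwise the first vhost listed for that address is the default."""
    def wants(v, wildcard):
        port_ok = v["port"] is None or v["port"] == conn_port
        addr_ok = v["addr"] in ("*", "_default_") if wildcard else v["addr"] == conn_ip
        return port_ok and addr_ok

    candidates = [v for v in vhosts if wants(v, False)] or [v for v in vhosts if wants(v, True)]
    if not candidates:
        return None
    host = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    for v in candidates:
        if host and any(fnmatchcase(host, pattern) for pattern in v["names"]):
            return v
    return candidates[0]


# Constructed configuration: the page's name-based example (3) plus one
# IP-based host on a second address, to show that Host is ignored there.
SAMPLE_CONF = """
Listen 80
NameVirtualHost *:80

<VirtualHost *:80>
    DocumentRoot /www/example1
    ServerName www.example1.com
    ServerAlias example1.com *.example1.com
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot /www/example2
    ServerName www.example2.org
</VirtualHost>

<VirtualHost 172.20.30.50>
    DocumentRoot /www/example4
    ServerName www.example4.edu
</VirtualHost>
"""

if __name__ == "__main__":
    vhosts = parse_vhosts(SAMPLE_CONF)
    for ip, port, host in [("172.20.30.40", 80, "www.example2.org"),
                           ("172.20.30.40", 80, "shop.example1.com"),
                           ("172.20.30.40", 80, "not-configured.test"),
                           ("172.20.30.50", 80, "www.example2.org"),
                           ("172.20.30.40", 8080, "www.example2.org")]:
        chosen = select_vhost(vhosts, ip, port, host)
        print(f"{ip}:{port} Host={host:22} -> {chosen['docroot'] if chosen else 'main server'}")
```

The third call is the one to notice: a Host header that matches nothing is served by www.example1.com simply because it is listed first, so a request for any name that resolves to this server, including a raw IP address, reaches that site's DocumentRoot. Listing a catch-all virtual host first that returns nothing useful is the usual countermeasure.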



Configuration of SSL encryption

Some basic concepts to understand before configuring it:

Certificates: there is first a root (CA) certificate, and the root certificate is used to sign the server certificate and, if wanted, client certificates; server and client certificates are peers, both issued by the same CA. SSL cannot authenticate the server without a server certificate installed, so a complete deployment involves at least three certificates: the root certificate, the server certificate and a client certificate. Before a certificate is created there is a private key; a certificate signing request is generated from that key, and the CA then signs the request with its root key to produce the certificate.

The certificate used by SSL can be generated yourself, or it can be signed by a commercial CA such as VeriSign or Thawte.

Issuing certificates: for a commercial certificate, follow the vendor's instructions for submitting the request; for a self-issued certificate you can use the CA.sh script that ships with OpenSSL.

If you do not need to identify individual clients, no client certificate has to be generated: the server certificate alone is enough for the client to authenticate the server and encrypt the session.
(1) The main parameters in the conf/ssl.conf configuration file:

Listen 443
SSLPassPhraseDialog builtin
#SSLPassPhraseDialog exec:/path/to/program
SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache2/logs/ssl_mutex

<VirtualHost _default_:443>

# General setup for the virtual host
DocumentRoot "/usr/local/apache2/htdocs"
ServerName www.example.com:443
ServerAdmin [email protected]
ErrorLog /usr/local/apache2/logs/error_log
TransferLog /usr/local/apache2/logs/access_log

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
CustomLog /usr/local/apache2/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

The SSLCipherSuite shown is the Apache 2.0 default and should not be used today: it still admits SSLv2, export-grade (EXP) and low-strength (LOW) ciphers, because in OpenSSL cipher strings a leading "+" only moves matching ciphers to the end of the list, and only "!" or "-" removes them. On a current server set SSLProtocol to exclude SSLv2 and SSLv3 and use a suite such as HIGH:!aNULL:!MD5. SSLMutex was replaced by the generic Mutex directive in Apache 2.4.

(2) Create and use a self-signed certificate:
A. Create an RSA private key for your Apache server (the key is encrypted with a passphrase, which SSLPassPhraseDialog asks for at startup)
/usr/local/openssl/bin/openssl genrsa -des3 -out /usr/local/apache2/conf/ssl.key/server.key 1024

B. Create a certificate signing request (CSR)
/usr/local/openssl/bin/openssl req -new -key /usr/local/apache2/conf/ssl.key/server.key -out /usr/local/apache2/conf/ssl.key/server.csr

C. Create a self-signed certificate (X.509) from the request, signed with the same RSA key
/usr/local/openssl/bin/openssl req -x509 -days 365 -key /usr/local/apache2/conf/ssl.key/server.key -in /usr/local/apache2/conf/ssl.key/server.csr -out /usr/local/apache2/conf/ssl.crt/server.crt

The same three steps with short relative paths and a key without a passphrase (the server then starts unattended, so the key file must be readable by root only):
/usr/local/openssl/bin/openssl genrsa -out server.key 1024
/usr/local/openssl/bin/openssl req -new -key server.key -out server.csr
/usr/local/openssl/bin/openssl req -x509 -days 365 -key server.key -in server.csr -out server.crt

1024-bit RSA keys are too short for current use; generate at least 2048 bits. A self-signed certificate produces a browser warning, so it is suitable for testing or for clients that are configured to trust it explicitly.

(3) Create your own CA (certificate authority) and use it to sign the server's certificate.
mkdir /ca
cd /ca
cp openssl-0.9.7g/apps/CA.sh /ca
./CA.sh -newca
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
cp server.csr newreq.pem
./CA.sh -sign

cp newcert.pem /usr/local/apache2/conf/ssl.crt/server.crt
cp server.key /usr/local/apache2/conf/ssl.key/

CA.sh -newca creates the CA's key and self-signed root certificate under ./demoCA (the root certificate is demoCA/cacert.pem), and CA.sh -sign signs the request in newreq.pem with that key and writes newcert.pem. Clients must import demoCA/cacert.pem as a trusted root before they accept the server certificate without warnings. Guard the CA key (demoCA/private/cakey.pem) at least as carefully as the server key: anyone holding it can issue certificates that those clients trust.
