A summary from Ding Yiming's book "Linux Operation and Maintenance Road".
The Apache HTTP Server project is a cross-platform, open-source HTTP server that runs on Windows and UNIX-like systems; its goal is to provide a secure, efficient and extensible HTTP service. A defining property of Apache HTTP Server is its modular design. Modules are either static or dynamic: static modules are the core modules compiled into the httpd binary, chosen when the software is built and impossible to add or unload afterwards; dynamic modules can be loaded and unloaded at any time, which gives maximum flexibility when Apache is deployed. Dynamic modules are compiled as Dynamic Shared Objects (DSO), files that are independent of the httpd program. A DSO module can be built together with Apache at compile time, or added later with the APache eXtenSion tool (apxs). Use httpd -l to list the modules compiled into the binary and httpd -M to list every module (static and shared) loaded under the current configuration.
Download and install
# wget http://mirror.bit.edu.cn/apache/httpd/httpd-2.4.9.tar.gz
# wget http://mirror.bjtu.edu.cn/apache/apr/apr-util-1.5.3.tar.gz
# wget http://mirror.bjtu.edu.cn/apache/apr/apr-1.5.1.tar.gz
These tarballs are fetched over plain HTTP from mirrors, so compare them with the checksums or PGP signatures published on the Apache download page before building.
Install the build dependencies:
# yum -y install gcc autoconf automake make pcre pcre-devel openssl openssl-devel
Unpack the sources, then build apr first, apr-util against it, and finally httpd:
# tar -xzf httpd-2.4.9.tar.gz -C /usr/src/
# tar -xzf apr-1.5.1.tar.gz -C /usr/src/
# tar -xzf apr-util-1.5.3.tar.gz -C /usr/src/
# cd /usr/src/apr-1.5.1/
# ./configure
# make && make install
# cd /usr/src/apr-util-1.5.3/
# ./configure --with-apr=/usr/local/apr/
# make && make install
# cd /usr/src/httpd-2.4.9/
# ./configure --prefix=/usr/local/apache2 --enable-so --enable-ssl --enable-rewrite --with-mpm=worker --with-suexec-bin --with-apr=/usr/local/apr/
# make && make install
Run ./configure --help to list all supported options. The options used above:
Option               Description
--prefix             Installation directory of the Apache httpd program
--enable-so          Enable DSO (dynamic shared object) support so that modules can be loaded at run time
--enable-ssl         Build mod_ssl for SSL/TLS
--enable-rewrite     Build mod_rewrite for URL rewriting
--with-mpm           Select the multi-processing module (working mode) of httpd, here worker
--with-suexec-bin    Path of the suexec helper, the setuid-root binary that runs CGI programs under another user and group (suexec support itself is switched on with --enable-suexec)
--with-apr           Absolute path of the APR installation to build against
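The download-and-build sequence above fetches unauthenticated tarballs over HTTP and then compiles them as root. The script below is an added example, not from the book: it wraps the same commands so that each tarball's SHA-256 is checked against a value you copy from the Apache download page before anything is unpacked. The hashes themselves are placeholders (EXPECTED_SHA256_* variables) that you must fill in; the URLs, paths and configure flags are the ones the book uses.

```shell
#!/bin/sh
# Added example (not from the book): fetch the httpd/apr/apr-util tarballs and refuse
# to build anything whose SHA-256 does not match the value taken from the Apache
# download page. The hashes are NOT known to this script and must be supplied
# (placeholders below): a tarball fetched over plain HTTP from a mirror could have
# been replaced on the way.
set -eu

SRC=/usr/src                      # unpack location used in the book
PREFIX=/usr/local/apache2         # httpd install prefix used in the book

# verify_sha256 FILE EXPECTED-HEX -> 0 if the file's SHA-256 matches, 1 otherwise
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# fetch_verified URL EXPECTED-HEX: download into the current directory and verify;
# a mismatched file is deleted so it cannot be unpacked by mistake
fetch_verified() {
    f=${1##*/}
    wget -q -O "$f" "$1"
    if ! verify_sha256 "$f" "$2"; then
        echo "checksum mismatch for $f, removing it" >&2
        rm -f "$f"
        return 1
    fi
    echo "verified $f"
}

# build_from_tarball TARBALL CONFIGURE-ARGS...: unpack under $SRC and build as in the book
build_from_tarball() {
    tarball=$1; shift
    dir=$SRC/${tarball%.tar.gz}
    tar -xzf "$tarball" -C "$SRC"
    (cd "$dir" && ./configure "$@" && make && make install)
}

# The book's sequence (apr, then apr-util against it, then httpd), each verified first.
# Replace the three EXPECTED_SHA256_* placeholders with the hashes from the download page.
main() {
    fetch_verified http://mirror.bjtu.edu.cn/apache/apr/apr-1.5.1.tar.gz      "$EXPECTED_SHA256_APR"
    fetch_verified http://mirror.bjtu.edu.cn/apache/apr/apr-util-1.5.3.tar.gz "$EXPECTED_SHA256_APU"
    fetch_verified http://mirror.bit.edu.cn/apache/httpd/httpd-2.4.9.tar.gz    "$EXPECTED_SHA256_HTTPD"
    build_from_tarball apr-1.5.1.tar.gz
    build_from_tarball apr-util-1.5.3.tar.gz --with-apr=/usr/local/apr/
    build_from_tarball httpd-2.4.9.tar.gz --prefix="$PREFIX" --enable-so --enable-ssl \
        --enable-rewrite --with-mpm=worker --with-suexec-bin --with-apr=/usr/local/apr/
}

# Only download and build when explicitly asked, so the functions can be sourced
# and exercised without touching the network or the system.
if [ "${RUN_BUILD:-0}" = 1 ]; then
    main
fi
```

Run it as RUN_BUILD=1 EXPECTED_SHA256_APR=... EXPECTED_SHA256_APU=... EXPECTED_SHA256_HTTPD=... sh build-httpd.sh. A checksum only proves the file is the one the project published if the expected value comes from apache.org itself (or from a PGP-verified release file), not from the same mirror.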
Start the service:
# /usr/local/apache2/bin/apachectl start
# netstat -tulnp | grep http
# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
# service iptables save
After installation Apache provides a control script named apachectl in /usr/local/apache2/bin. It starts, stops and tests httpd with the parameters in the following table.
Parameter        Description
start            Start the httpd program
stop             Stop the httpd program
restart          Restart the httpd program (the configuration is syntax-checked first; open connections are aborted)
graceful         Restart httpd without interrupting existing HTTP connections: workers finish their current request before being replaced, the configuration is re-read and log files are reopened
graceful-stop    Stop httpd without interrupting existing HTTP connections
status           Show the current status of httpd (requires mod_status and a text browser such as lynx or links)
configtest       Check the syntax of the httpd configuration files (same as httpd -t)
Running apachectl start a second time without changing the configuration produces messages like these:
# /usr/local/apache2/bin/apachectl start
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
The AH00558 line is only a warning and disappears once ServerName is set. The AH00072 lines mean that something is already listening on port 80, here the httpd instance started above, so the new instance cannot bind and exits (AH00015 is a consequence of that failed start). The service is therefore still running; confirm with netstat -tulnp | grep http, and use apachectl restart or apachectl graceful instead of a second start. If another program owns the port, for example a distribution-packaged httpd, stop it first.
Configuration file overview:
The configuration files live in /usr/local/apache2/conf by default; the main file is httpd.conf, and additional files are kept in the extra subdirectory. The main configuration is made up of containers: a container begins with <ContainerName> and ends with </ContainerName>, and the directives inside it are generally effective only within that container.
- ServerRoot directive: the installation home directory of the Apache software; with a source install this defaults to /usr/local/apache2.
- Listen directive: the IP address and port the server listens on. Syntax: Listen [IP-address:]port [protocol]; the IP address and protocol are optional. Several Listen directives may be given to open several ports. Binding to a specific address instead of all interfaces is the simplest way to keep an internal site off a public interface.
- LoadModule directive: with --enable-so at compile time, mod_so is compiled statically into the Apache core, and LoadModule then loads a DSO module. Syntax: LoadModule module-name path-to-object.
- LoadFile directive: links in an object file or library by absolute path when the server starts (used for libraries that a module depends on).
- ServerAdmin directive: the administrator's e-mail address, which the server can include in error pages returned to clients.
- ServerName directive: the host name and port the server uses to identify itself; this matters for self-referential redirect URLs and for choosing among name-based virtual hosts.
- DocumentRoot directive: the document root the web service exposes to clients, that is, the root path of the web site; defaults to /usr/local/apache2/htdocs.
- ErrorLog directive: location of the server error log; by default a relative path, logs/error_log under ServerRoot.
- ErrorLogFormat directive: format of the error log; Apache HTTP Server predefines many format strings that can be used directly.
- CustomLog directive: the client access log file and its format, by default logs/access_log. Syntax: CustomLog file format|nickname.
- LogFormat directive: describes an access log format. Predefined format strings can be used directly; usually LogFormat is used to give a format string a nickname (LogFormat format nickname), which CustomLog then references.
- Options directive: syntax Options [+|-]option [[+|-]option] ... The option None enables no additional features. Common options: All, every option except MultiViews; ExecCGI, allows CGI scripts in the directory to be executed; FollowSymLinks, allows symbolic links in the directory to point outside it; Indexes, if the home page document named by DirectoryIndex is not found in the directory corresponding to the URL, Apache generates a listing of all files in that directory. Indexes exposes file names to anyone, ExecCGI turns uploaded files into code and FollowSymLinks lets a link escape the document root, so enable them only in the directories that need them; SymLinksIfOwnerMatch follows a link only when link and target have the same owner.
- Order directive: controls the default access state and the order in which Allow and Deny are evaluated. With Order Deny,Allow the Deny directives are checked first, then the Allow directives; on a conflict Allow wins, and the default is allow. With Order Allow,Deny the Allow directives are checked first, then the Deny directives; on a conflict Deny wins, and the default is deny. In httpd 2.4 Order, Allow and Deny are provided by mod_access_compat; the native 2.4 mechanism is the Require directive, and the two should not be mixed in one scope. Examples:
Case one, reject everyone:
Order Deny,Allow
Deny from all
Case two, reject everyone except 192.168.118.254:
Order Allow,Deny
Allow from 192.168.118.254
Case three, reject everyone (Deny is checked last, so Deny from all wins over the Allow):
Order Allow,Deny
Allow from 192.168.118.254
Deny from all
Case four, reject everyone except 192.168.118.254 (Allow is checked last, so it wins over Deny from all):
Order Deny,Allow
Deny from all
Allow from 192.168.118.254
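The Order semantics are easy to get backwards (cases two and three differ only in the extra Deny from all, yet one admits a host and the other admits nobody). The script below is an added example, not from the book or from Apache: a small simulator of the mod_access decision, with the four cases above as functions, so the outcome for any client address can be checked. It handles only the entry forms "all", an exact IPv4 address and a partial address ending in a dot; the Require lines in the comments are the native httpd 2.4 equivalents.

```shell
#!/bin/sh
# Added example (not from the book): simulate how mod_access (mod_access_compat in
# httpd 2.4) decides a request under Order/Allow/Deny, so the four cases in the text
# can be checked mechanically. Lists are space-separated; an entry is "all", an exact
# IPv4 address, or a partial address ending in a dot such as "192.168.118." (the
# directives' own syntax). Hostnames, CIDR and netmask forms are not handled here.

# list_matches "ENTRY ..." CLIENT-IP -> 0 if any entry matches the client
list_matches() {
    for entry in $1; do
        case $entry in
            all)  return 0 ;;
            *.)   case $2 in "$entry"*) return 0 ;; esac ;;
            *)    [ "$entry" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# access_eval ORDER "ALLOW-LIST" "DENY-LIST" CLIENT-IP -> prints allow or deny
access_eval() {
    order=$1; allow=$2; deny=$3; ip=$4
    list_matches "$allow" "$ip" && a=1 || a=0
    list_matches "$deny"  "$ip" && d=1 || d=0
    case $order in
        Deny,Allow)
            # Deny is evaluated first and a matching Allow overrides it; default is allow
            if [ "$a" = 1 ] || [ "$d" = 0 ]; then echo allow; else echo deny; fi ;;
        Allow,Deny)
            # Allow is evaluated first and a matching Deny overrides it; default is deny
            if [ "$a" = 1 ] && [ "$d" = 0 ]; then echo allow; else echo deny; fi ;;
        *)
            echo "unknown Order '$order'" >&2; return 2 ;;
    esac
}

# The four cases from the text, each taking a client address.
# Case 1: Order Deny,Allow / Deny from all                 -> 2.4: Require all denied
case1() { access_eval Deny,Allow ""                "all" "$1"; }
# Case 2: Order Allow,Deny / Allow from 192.168.118.254    -> 2.4: Require ip 192.168.118.254
case2() { access_eval Allow,Deny "192.168.118.254" ""    "$1"; }
# Case 3: Order Allow,Deny / Allow from 192.168.118.254 / Deny from all -> nobody gets in,
#         because Deny is evaluated last and wins the conflict (2.4: Require all denied)
case3() { access_eval Allow,Deny "192.168.118.254" "all" "$1"; }
# Case 4: Order Deny,Allow / Deny from all / Allow from 192.168.118.254 -> only that host,
#         because Allow is evaluated last and wins the conflict (2.4: Require ip 192.168.118.254)
case4() { access_eval Deny,Allow "192.168.118.254" "all" "$1"; }

for c in case1 case2 case3 case4; do
    printf '%s: 192.168.118.254 -> %s, 192.168.118.1 -> %s\n' \
        "$c" "$($c 192.168.118.254)" "$($c 192.168.118.1)"
done
```

Running it prints deny/deny for case1 and case3, and allow/deny for case2 and case4, matching the descriptions of the four cases. In httpd 2.4 prefer the Require form, which has no ordering rule to misread.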
- IfDefine container: the test is evaluated only when Apache starts, and the parameter is defined on the command line with httpd -D parameter-name. Syntax: <IfDefine [!]parameter-name> directives </IfDefine>. Example:
<IfDefine memcache>
LoadModule mem_cache_module modules/mod_mem_cache.so
</IfDefine>
If Apache is started with httpd -D memcache the LoadModule line is processed and the module is loaded; otherwise it is skipped. (Note that mod_mem_cache was removed in httpd 2.4, where mod_cache_disk and mod_cache_socache provide cache storage, so this particular LoadModule would fail on 2.4.9; the example only illustrates the mechanism.)
- IfModule container: wraps directives that are processed only when the condition is met. Syntax: <IfModule [!]module> directives </IfModule>. Example:
<IfModule unixd_module>
User daemon
Group daemon
</IfModule>
User daemon and Group daemon are processed only once unixd_module has been loaded. They make httpd drop root privileges after it has bound its ports, so the worker processes should always run as an unprivileged account such as daemon, never as root.
- Directory container: applies only to a specific filesystem directory, its subdirectories and their contents. Syntax: <Directory directory-path> directives </Directory>. A path prefixed with ~ is matched as a regular expression. Example:
<Directory "/usr/local/apache2/htdocs">
Options Indexes FollowSymLinks
</Directory>
Options Indexes FollowSymLinks is effective only for /usr/local/apache2/htdocs.
- DirectoryMatch container: like Directory, but the argument is a regular expression, so no ~ prefix is needed.
- Files container: like Directory, but the directives inside apply to specific files by name. Syntax: <Files filename> directives </Files>.
- FilesMatch container: like Files, but with a regular expression, so no ~ prefix is needed.
- Location container: applies only to a specific URL path, not to a filesystem path. Syntax: <Location url-path|url> directives </Location>. Access controls meant to protect files belong in Directory rather than Location, because the same file may be reachable through several URLs.
- LocationMatch and VirtualHost containers
Virtual host example:
Enable the include in the main configuration file:
# gedit /usr/local/apache2/conf/httpd.conf
Uncomment:
Include conf/extra/httpd-vhosts.conf
Edit the httpd-vhosts.conf file:
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot "/usr/local/apache2/htdocs/example"
ServerName www.example.com
ServerAlias web.example.com
ErrorLog "logs/example.com-error_log"
CustomLog "logs/example.com-access_log" common
</VirtualHost>
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot "/usr/local/apache2/htdocs/test"
ServerName www.test.com
ServerAlias web.test.com
ErrorLog "logs/test.com-error_log"
CustomLog "logs/test.com-access_log" common
</VirtualHost>
Create the content, open the port and restart:
# mkdir -p /usr/local/apache2/htdocs/{example,test}
# echo "example.com" > /usr/local/apache2/htdocs/example/index.html
# echo "test.com" > /usr/local/apache2/htdocs/test/index.html
# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
# /usr/local/apache2/bin/apachectl restart
Before restarting, apachectl configtest catches syntax errors, and apachectl -S prints the parsed virtual host list, including which host is the default for *:80 (the first one defined); requests whose Host header matches no ServerName or ServerAlias are served by that default host.
Web site security example:
TLS (Transport Layer Security) is the standardized successor to SSL; it provides confidentiality and integrity for data in transit. Apache HTTP Server supports SSL/TLS through the mod_ssl module.
Deploying a certificate
# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...................................+++
...+++
e is 65537 (0x10001)
# openssl req -new -x509 -key server.key -out server.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangzhou
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:ABC
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:web1
Email Address []:[email protected]
# cp {server.key,server.crt} /usr/local/apache2/conf/
This produces a self-signed certificate, which browsers will not trust unless it is imported explicitly. Without -days it is valid for only 30 days, and its Common Name (web1) does not match the ServerName used below (www.abc.com), so clients will report a name mismatch. Keep server.key readable by root only (mode 0600): anyone who can read it can impersonate the site.
Modify the Apache configuration: load the mod_ssl and mod_socache_shmcb modules in the main configuration file, and use the Include directive to read the httpd-ssl.conf file under conf/extra.
# gedit /usr/local/apache2/conf/httpd.conf
Uncomment:
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf
# gedit /usr/local/apache2/conf/extra/httpd-ssl.conf
Settings to adjust (also check that the SSLProtocol line in this file excludes SSLv2 and SSLv3, both of which are broken):
Listen 443
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost _default_:443>
DocumentRoot "/usr/local/apache2/htdocs/secret"
ServerName www.abc.com:443
ServerAdmin [email protected]
ErrorLog "/usr/local/apache2/logs/error_log"
TransferLog "/usr/local/apache2/logs/access_log"
SSLEngine on
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "/usr/local/apache2/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
# mkdir -p /usr/local/apache2/htdocs/secret
# echo "Secret" > /usr/local/apache2/htdocs/secret/index.html
# /usr/local/apache2/bin/apachectl restart
# iptables -I INPUT -p tcp --dport 443 -j ACCEPT
# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
# gedit /etc/hosts
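The interactive openssl run above produced a certificate whose Common Name (web1) does not match the ServerName (www.abc.com), with a 30-day default lifetime and no check on the key file's permissions. The script below is an added example, not from the book or from the Apache project: it generates the key and a self-signed certificate non-interactively with a Common Name and subjectAltName equal to the host name, verifies that the certificate really belongs to the key, and refuses to report success if the key is readable by anyone but its owner. The host name www.abc.com, the DN fields and the output directory are taken from the book's run and are assumptions to adjust; it needs OpenSSL 1.1.1 or newer for req -addext.

```shell
#!/bin/sh
# Added example (not from the book): generate the server key and a self-signed
# certificate non-interactively, with CN and subjectAltName matching the ServerName,
# and check key hygiene before the files are installed. Host name, DN fields and
# output directory are assumptions. Requires OpenSSL 1.1.1+ for "req -addext".

# key_perms_ok FILE -> 0 when only the owner has any permission bits (e.g. 0600)
key_perms_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)     # group and other permission bits from ls -l
    [ "$perms" = "------" ]
}

# make_selfsigned HOSTNAME OUTDIR DAYS: private key + self-signed cert with CN and SAN=HOSTNAME
make_selfsigned() {
    host=$1; out=$2; days=$3
    umask 077                              # the key is created owner-only from the start
    openssl genrsa -out "$out/server.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$out/server.key" -out "$out/server.crt" -days "$days" \
        -subj "/C=CN/ST=guangzhou/L=guangzhou/O=ABC/OU=tech/CN=$host" \
        -addext "subjectAltName=DNS:$host"
    chmod 644 "$out/server.crt"            # the certificate is public
    key_perms_ok "$out/server.key"         # fail loudly if the key is world-readable
}

# cert_matches_key CERT KEY -> 0 when the certificate's public key belongs to KEY
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout)
    [ "$c" = "$k" ]
}

# cert_has_san CERT HOSTNAME -> 0 when the certificate carries DNS:HOSTNAME in its SAN
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "DNS:$2"
}

# Generate only when asked, so the functions can be sourced without side effects.
if [ "${RUN_CERTGEN:-0}" = 1 ]; then
    d=$(mktemp -d)
    make_selfsigned www.abc.com "$d" 365 \
        && cert_matches_key "$d/server.crt" "$d/server.key" \
        && cert_has_san "$d/server.crt" www.abc.com \
        && echo "generated $d/server.key (0600) and $d/server.crt for www.abc.com" \
        && echo "install with: cp $d/server.key $d/server.crt /usr/local/apache2/conf/"
fi
```

Run it as RUN_CERTGEN=1 sh mkcert.sh, then copy the two files into /usr/local/apache2/conf/ as in the book. cert_matches_key is the check to run after any certificate renewal, since a certificate that does not belong to the configured key makes mod_ssl fail at startup; the SAN check matters because current browsers ignore the Common Name and require the host name in subjectAltName.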