HTTP service construction and HTTPS configuration
I. Introduction

1. Basics
Encrypted web pages (https): tcp/443. Plaintext web pages (http): tcp/80. survey.netcraft.net -- the latest survey of web server usage. The HyperText Transfer Protocol (HTTP) used by web servers is the most widely used network protocol on the Internet; all WWW files must comply with this standard. HTTP was designed to provide a method for publishing and receiving HTML pages.

2. Apache HTTP Server
Apache HTTP Server (Apache for short) is an open source web server of the Apache Software Foundation that runs on most computer operating systems. Because of its wide multi-platform support and its security, it is one of the most popular web server programs. Its features are as follows:
  1. Support for the latest HTTP/1.1 communication protocol
  2. Simple and powerful file-based configuration
  3. Support for the Common Gateway Interface (CGI)
  4. Support for IP-based and domain-name-based virtual hosts
  5. Support for multiple HTTP authentication methods
  6. Integrated Perl processing module
  7. Integrated proxy server module
  8. Real-time server status monitoring and customisable server logs
  9. Server-side includes (SSI)
  10. Secure Sockets Layer (SSL)
  11. User session tracking
  12. FastCGI
  13. Servlets

3. www.apache.org -- Apache official website
  # yum install httpd*                       -- install the httpd service
  # httpd -t                                 -- check the configuration file for syntax errors
  # rm -rf /etc/httpd/conf.d/welcome.conf    -- delete the welcome page
Because httpd-manual is installed, the documentation can be read at http://ServerIp/manual

4. Running modes: prefork and worker
prefork: the default MPM on Unix platforms. It uses multiple child processes, each with a single thread, so each process can serve only one connection at a time. It is efficient but uses more memory. This multi-processing module (MPM) implements a non-threaded, pre-forking web server that works much like Apache 1.3.
It is suitable for systems that lack a thread-safe library and need to avoid thread compatibility issues. It is also the best MPM for isolating requests from each other: if one request fails, other requests are not affected.

worker: uses multiple child processes, each with multiple threads; each thread serves one connection at a time. Memory usage is small, which suits high-traffic HTTP servers. The disadvantage is that if one thread crashes, the whole process dies together with all its threads, so every program that runs inside it must be thread-safe. This MPM lets the server mix multi-threading and multi-processing: because requests are handled by threads, a large number of requests can be served with less system resource overhead than a process-based MPM, while the use of multiple processes, each with many threads, keeps the stability of the process-based MPM.
  # httpd -l                              -- view the running mode; the default is prefork.c
  # mv -v /usr/sbin/httpd{,.prefork}      -- back up the prefork binary
  # mv -v /usr/sbin/httpd{.worker,}       -- switch to the worker binary

II. Configuration file details

1. Global environment parameters
  ServerTokens OS
    -- controls how much the Server response header reveals; with OS, the Apache version and the operating system name are shown.
  ServerRoot "/etc/httpd"
    -- the server's base directory, which normally contains the conf/ and logs/ subdirectories; relative paths in other configuration directives are resolved against it.
  PidFile run/httpd.pid
    -- location of the file holding the process ID of the first httpd process (the parent of all the others).
  Timeout 60
    -- if no data is received or sent within 60 seconds, the connection is closed.
  KeepAlive Off
    -- by default the keep-alive function is not used, so a client connection can receive only one file per request; enabling it is recommended.
  MaxKeepAliveRequests 100
    -- with keep-alive enabled, the maximum number of files that can be served on one client connection; the connection is closed once this is exceeded.
  KeepAliveTimeout 15
    -- with keep-alive enabled, the connection is closed if more than 15 seconds pass between two consecutive requests.
  .................
  Listen 80
    -- the port the server listens on; several Listen lines enable several ports.
  Include conf.d/*.conf
    -- include every configuration file ending in .conf in /etc/httpd/conf.d.
  User apache
  Group apache
    -- user and group of the child processes that serve requests.
  ServerAdmin root@george.com
    -- administrator's e-mail address.
  ServerName mail.george.com:80
    -- name of the main site (the website host name).
  UseCanonicalName Off
  DocumentRoot "/var/www/html"
    -- the web document root directory; symbolic links and aliases can still point to other locations. If it is not an absolute path, it is taken relative to ServerRoot.

2. Path control parameters
  DirectoryIndex index.html index.html.var
    -- default page file names; the leftmost name has the highest priority.
  AccessFileName .htaccess
    -- name of the per-directory configuration file.
  <Directory directory-path>
    -- encapsulates a group of directives that apply only to this directory of the file system and its subdirectories.
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    Deny from 192.168.133.22
  </Directory>
directory-path can be a complete directory path or a wildcard string using Unix shell matching syntax: "?" matches any single character, "*" matches any sequence of characters, and "[]" selects a character range.
A "~" prefix lets the path be given as a regular expression.
Options -- the value can be None, All, or any combination of: Indexes (with a leading "-", directory listing is disabled; otherwise a listing is produced for a directory that has no index file); Includes; FollowSymLinks; SymLinksIfOwnerMatch; ExecCGI; MultiViews.
AllowOverride -- controls which directives placed in a .htaccess file are honoured. It can be All, None (nothing in .htaccess is applied), or a combination of: Options; FileInfo; AuthConfig; Limit.
Order, Allow, Deny -- control who can get service. With Order, the directive named on the right takes precedence (Order allow,deny means Deny wins); reversing the order reverses the precedence:
  <Directory "/www/images">
    <Files ~ "\.jpg$">
      -- applies to the matching files; <Files> may appear inside a <Directory> or globally.
      Order deny,allow
      Allow from all
    </Files>
  </Directory>
  <Location /server-status>
    -- allows the server status (or information) page to be viewed at http://servername/server-status; Location mainly controls URLs.
    SetHandler server-status       (or server-info)
    Order deny,allow
    Allow from all
  </Location>
---------------------
  Alias /url-path /filesystem-path
    -- maps a URL to a file system path (a symbolic link made with ln -s on the system would also work).
  <Directory "/filesystem-path">
  </Directory>

3. User and password control for directory access (non-system users)
  <Directory "/var/www/html">
    -- the same directives also work inside <Location> and <Files>.
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthName "Authenticate yourself"
      -- the prompt the browser shows when the URL is opened.
    AuthType Basic
    AuthUserFile /etc/httpd/userpasswd
      -- location of the user and password file.
    require valid-user
  </Directory>
  # htpasswd -c /etc/httpd/userpasswd frank   -- create an access user
  # htpasswd /etc/httpd/userpasswd george     -- create another one; the -c option is used only when the first user is created, because it creates the password file
Note: when a directory is protected by a password, it is not shown when the browser lists its parent directory, that is, it is hidden. It can still be reached by typing its URL directly (an account and password are still required).

4. Name-based virtual hosts
  NameVirtualHost *:80
    -- add this line to make port 80 the virtual host port.
  <VirtualHost *:80>                  -- the first virtual host
    ServerName www.george.com
    DocumentRoot /var/www/html/
    <Directory "/var/www/html">
      ..................
    </Directory>
  </VirtualHost>
  <VirtualHost *:80>                  -- the second virtual host
    ServerName mail.george.com
    DocumentRoot /var/www/cgi-bin/openwebmail/
    ScriptAlias /mail /var/www/cgi-bin/openwebmail.pl
    <Location />
      ......................
    </Location>
  </VirtualHost>
If the ServerName in this experiment is replaced by an IP address, an IP-based virtual host can be created in the same way.

5. Log parameters
  ErrorLog logs/error_log
    -- location of the error log.
  LogLevel warn
    -- error log level; the levels are debug, info, notice, warn, error, crit, alert, emerg.
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  ..............
  LogFormat "%{User-agent}i" agent
    -- these four are the default access log formats.
  CustomLog logs/access_log combined
    -- use the combined access log format.
Fields of the combined format:
  %h -- client IP address or host name.
  %l -- the RFC 1413 identity reported by the client's identd; "-" means the information is unavailable.
  %u -- the user name obtained through HTTP authentication, valid only when authentication is used; "-" means the information is unavailable.
  %t -- the time at which the server finished processing the request.
  "%r" -- the request line sent by the client, in quotation marks; it contains a lot of useful information.
  %>s -- the status code the server returned to the client.
  %b -- the size in bytes of the response returned to the client, excluding the response headers.
  "%{Referer}i" -- the page from which the request was submitted.
  "%{User-Agent}i" -- the browser identification string supplied by the client's browser.

6. SSL encryption configuration
  # yum install -y mod_ssl            -- install the encryption module
  # vim /etc/httpd/conf.d/ssl.conf
  <VirtualHost *:443>
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
      -- the certificate (public key) file
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
      -- the private key file
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
      SSLOptions +StdEnvVars
    </Files>
    ServerName www.george.com
    DocumentRoot /var/www/cgi-bin/openwebmail/
    ScriptAlias /mail /var/www/cgi-bin/openwebmail.pl
    <Location />
      SSLOptions +StdEnvVars
      Options Indexes
      Order deny,allow
      Allow from all
    </Location>
    SetEnvIf User-Agent ".*MSIE.*" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  </VirtualHost>

6.1. Create the certificate yourself
  # mkdir /etc/pki/test/
  # cd /etc/pki/test
  # openssl genrsa -out /etc/pki/test/test.key 1024        -- private key
  # openssl req -new -key test.key -out test.csr            -- certificate signing request
  Country Name (2 letter code) [XX]: cn
  State or Province Name (full name) []: guangDong
  Locality Name (eg, city) [Default City]: Shenzhen
  Organization Name (eg, company) [Default Company Ltd]: IT
  Organizational Unit Name (eg, section) []: maintenance
  Common Name (eg, your name or your server's hostname) []: www.george.com
  Email Address []: root@mail.george.com
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []: 123456
  An optional company name []: azt
  # openssl req -x509 -days 365 -key test.key -in test.csr -out test.crt   -- self-signed certificate (public key)
  # ls
  test.crt  test.csr  test.key
Then point SSLCertificateFile and SSLCertificateKeyFile in /etc/httpd/conf.d/ssl.conf at test.crt and test.key.
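The section 6.1 procedure as a non-interactive script, added here as an example (it is not part of the original page). It differs from the page in using a 2048-bit key instead of 1024, passing the subject with -subj instead of answering prompts, adding a subjectAltName (browsers no longer accept the Common Name alone) and checking that the certificate really matches the key before the pair is copied into ssl.conf. The host name www.george.com and the output directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Creates a self-signed certificate
# the way section 6.1 does, but without prompts and with a SAN extension.
# Assumed inputs: host name www.george.com and a scratch output directory.

make_self_signed() {   # usage: make_self_signed <hostname> <outdir> [days]
    host=$1; dir=$2; days=${3:-365}
    mkdir -p "$dir" || return 1
    # Private key: 2048 bits (the page uses 1024); mode 0600 so only the
    # account that starts httpd can read it.
    openssl genrsa -out "$dir/test.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/test.key"
    # CSR with the same subject fields the page types in interactively.
    openssl req -new -key "$dir/test.key" -out "$dir/test.csr" \
        -subj "/C=CN/ST=guangDong/L=Shenzhen/O=IT/OU=maintenance/CN=$host" \
        2>/dev/null || return 1
    # Self-sign the CSR (same step as the page's "openssl req -x509"), adding
    # the subjectAltName extension that browsers require via -extfile.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -days "$days" -in "$dir/test.csr" -signkey "$dir/test.key" \
        -extfile "$dir/san.cnf" -out "$dir/test.crt" 2>/dev/null || return 1
}

# cert_matches_key: compare the public key embedded in the certificate with the
# one derived from the private key. A mismatch is the usual reason httpd refuses
# to start after the files are referenced from ssl.conf.
cert_matches_key() {   # usage: cert_matches_key <crt> <key>
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_cn: print the Common Name of a certificate (works with both the
# "/CN=host" and the "CN = host" subject layouts OpenSSL has used).
cert_cn() {            # usage: cert_cn <crt>
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}
```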
6.2. Test the certificate
Open https://www.george.com/mail, which we configured above. Because we created the certificate ourselves, the browser marks it as untrusted; the certificate status reads "this CA root certificate is not trusted because it is not in the Trusted Root Certificate Authority store".
We need to manually import the certificate we created (test.crt) into the browser's "Trusted Root Certificate Authority" and "Trusted Publishers" stores. The steps are as follows:
Several dialog boxes then pop up; click "Next" > "Finish" > "Yes". OK.
Now open our website in the browser and check the certificate status: "This certificate is correct".
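Going back to the combined access log format of section 5: the example below is added here and is not from the original page. It reads combined-format lines on standard input and reports which clients received 4xx/5xx responses and for which requests, which is the first check an administrator runs on access_log when looking for probing of the password-protected directories configured above. The log lines are constructed samples, not output from a real server.

```shell
#!/bin/sh
# Added example, not from the original page. Field layout follows the combined
# LogFormat from section 5:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Splitting on the double quote gives: $1 = '%h %l %u %t ', $2 = request line,
# $3 = ' %>s %b ', $4 = referer, $6 = user agent. (Apache escapes quotes inside
# logged headers as \", so the status and client fields are never shifted.)

# Constructed sample log lines.
SAMPLE_LOG='192.168.133.22 - - [10/Oct/2013:13:55:36 +0800] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.168.133.22 - - [10/Oct/2013:13:55:37 +0800] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.29.0"
192.168.133.22 - frank [10/Oct/2013:13:55:38 +0800] "GET /admin/ HTTP/1.1" 404 209 "-" "curl/7.29.0"
10.0.0.5 - - [10/Oct/2013:13:56:01 +0800] "POST /mail/openwebmail.pl HTTP/1.1" 500 0 "https://www.george.com/" "Mozilla/5.0"
10.0.0.5 - george [10/Oct/2013:13:56:02 +0800] "GET /manual/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# error_hits: print "<client ip> <count>" for every client that received at
# least one 4xx/5xx response, highest count first.
error_hits() {
    awk -F'"' '{
        split($1, pre, " ");  split($3, post, " ")
        if (post[1] ~ /^[45][0-9][0-9]$/) count[pre[1]]++
    }
    END { for (ip in count) print ip, count[ip] }' | sort -k2,2nr -k1,1
}

# error_requests: print "<client ip> <status> <request line>" for each 4xx/5xx
# response, so the paths that were probed can be read off directly.
error_requests() {
    awk -F'"' '{
        split($1, pre, " ");  split($3, post, " ")
        if (post[1] ~ /^[45][0-9][0-9]$/) print pre[1], post[1], $2
    }'
}
```

Pipe a real file with `error_hits < /var/log/httpd/access_log`; both functions only read the combined format, not the ssl_request_log format.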