HTTP Service Setup

Source: Internet
Author: User


First, Introduction

1. Understanding

Encrypted web page (HTTPS): tcp/443
Plaintext web page (HTTP): tcp/80
survey.netcraft.net -- this site publishes the latest web server usage statistics

Hypertext Transfer Protocol (HTTP) is one of the most widely used network protocols on the Internet. All WWW documents must comply with this standard. HTTP was originally designed to provide a way to publish and receive HTML pages.

2. Apache

Apache HTTP Server (Apache) is an open source web server from the Apache Software Foundation. It runs on most operating systems, and its portability and security record have made it one of the most widely used web server programs. Its features are as follows:
1. Supports the HTTP/1.1 protocol
2. Simple and powerful file-based configuration
3. Supports the Common Gateway Interface (CGI)
4. Supports IP-based and name-based virtual hosts
5. Supports several HTTP authentication methods
6. Integrated Perl processing module
7. Integrated proxy server module
8. Real-time monitoring of server status and customizable server logs
9. Server-side include directives (SSI)
10. Secure Sockets Layer (SSL)
11. User session tracking
12. FastCGI
13. Java servlets through third-party modules

3. Installation

www.apache.org -- Apache official website
# yum install httpd* -- install the httpd service (the wildcard also pulls in the other httpd-* packages, such as httpd-manual)
# httpd -t -- check the configuration files for syntax errors
# rm -rf /etc/httpd/conf.d/welcome.conf -- remove the welcome page
Because httpd-manual is installed, the manual can be reached at http://ServerIp/manual. On a production server install only the httpd package itself: the manual and the welcome page are extra content that tells a visitor what software the server runs and nothing else.

4. Running modes: prefork and worker

prefork mode: prefork is the default MPM on UNIX platforms. It uses multiple child processes with only one thread per child, so each process can hold only one connection at a time. It is fast but uses a lot of memory. This multi-processing module (MPM) implements a non-threaded, pre-forking web server that works much like Apache 1.3. It suits systems that lack thread-safe libraries or that need to avoid thread compatibility problems, and it is the best MPM when requests must be isolated from each other: a problem in one request does not affect the others.

worker mode: worker uses multiple child processes with multiple threads in each; every thread holds one connection at a time. Its low memory footprint suits high-traffic HTTP servers. The downside is that if one thread crashes, the whole process dies together with all of its threads, so every module loaded into the server must be thread-safe. This MPM gives a server that mixes multi-threading with multi-processing: because requests are handled by threads it can serve a large number of requests with less system overhead than a process-based MPM, and because it still uses several processes it keeps much of the stability of a process-based MPM.

# httpd -l -- list the compiled-in modules; the MPM shows up as prefork.c (the default) or worker.c
# mv -v /usr/sbin/httpd{,.prefork} -- back up the prefork binary
# mv -v /usr/sbin/httpd{.worker,} -- put the worker binary in its place
On RHEL/CentOS 5 and 6 the httpd package ships both binaries; instead of renaming them you can set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd, which the init script reads.

Second, the configuration file in detail
1. Global environment parameters

ServerTokens OS -- how much the Server response header reveals; OS sends the Apache version and the operating system name. ServerTokens Prod (the header says only "Apache") together with ServerSignature Off gives a visitor the least information to work with.
ServerRoot "/etc/httpd" -- the server's base directory; it normally contains the conf/ and logs/ subdirectories, and relative paths in other directives are resolved against it
PidFile run/httpd.pid -- where the process ID of the first httpd process (the parent of all the others) is written
Timeout 60 -- drop a connection if no data is received or sent for 60 seconds
KeepAlive Off -- persistent connections are disabled by default, so one connection serves exactly one request; enabling them is recommended
MaxKeepAliveRequests 100 -- with KeepAlive on, the maximum number of requests served on one connection before it is closed
KeepAliveTimeout 15 -- with KeepAlive on, close the connection if the next request does not arrive within 15 seconds
.................
Listen 80 -- the port the server listens on; several Listen directives may be given
Include conf.d/*.conf -- include every file ending in .conf under /etc/httpd/conf.d
User apache -- the user the child processes that serve requests run as
Group apache -- the group the child processes run as
The parent process runs as root only to bind port 80; the children that talk to clients run as this unprivileged user, so never set it to root.
ServerAdmin [email protected] -- the administrator's email address
ServerName mail.george.com:80 -- the primary site name (the host name of the site)
UseCanonicalName Off
DocumentRoot "/var/www/html" -- the web document root; symbolic links and aliases can point to other locations, and a relative path is taken relative to ServerRoot

2. Path control parameters

DirectoryIndex index.html index.html.var -- the default page file names; the leftmost has priority
AccessFileName .htaccess -- the name of the per-directory configuration file
---------------------------------------------------------------------------
<Directory directory-path> -- encloses a group of directives that apply only to this directory of the file system and its subdirectories
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    Deny from 192.168.133.22
</Directory>
directory-path -- the full path to a directory, or a wildcard string using Unix shell matching syntax: "?" matches any single character, "*" matches any sequence of characters, and "[]" matches a range of characters. A regular expression may be used after the "~" character.
Options -- the value can be None, All, or any combination of: Indexes (a leading "-" turns directory listing off, a leading "+" turns it on), Includes, FollowSymLinks, SymLinksIfOwnerMatch, ExecCGI, MultiViews. Indexes exposes the contents of every directory that has no index file, and ExecCGI and Includes let files in the directory execute code, so grant them only where they are needed.
AllowOverride -- which directives an .htaccess file may override: All, None (.htaccess files are ignored entirely), or a combination of Options, FileInfo, AuthConfig, Limit.
Order, Allow, Deny -- control who may access the resource. Order decides which of Allow and Deny is evaluated last and what happens when neither matches: with Order allow,deny the Allow lines are evaluated first, a client matching both Allow and Deny is denied, and a client matching neither is denied; with Order deny,allow a client matching both is allowed, and a client matching neither is allowed. The block above therefore admits everyone except 192.168.133.22. These three directives belong to Apache 2.2 (mod_authz_host); Apache 2.4 replaces them with Require (Require all granted, Require ip, Require not ip).
---------------------------------------------------------------------------
<Directory "/www/images">
    <Files ~ "\.jpg$"> -- applies to the matching files, either inside a directory or globally
        Order deny,allow
        Allow from all
    </Files>
</Directory>
---------------------------------------------------------------------------
<Location /server-status> -- lets you view the server status (or, with server-info, its configuration) at the URL http://servername/server-status; Location matches URLs rather than file system paths
    SetHandler server-status
    Order deny,allow
    Allow from all
</Location>
Allow from all publishes the list of current requests, the client addresses behind them and (with server-info) the whole configuration to anyone; restrict this Location to administrator addresses, for example Allow from 127.0.0.1, or leave it out.
---------------------------------------------------------------------------
Alias /url-path /filesystem-path -- maps a URL to a file system path (a symbolic link made with ln -s can do the same, provided FollowSymLinks is set)
<Directory "/filesystem-path"> -- the aliased directory still needs its own Directory block granting access
</Directory>

3. Password-controlled access to a directory (users that are not system accounts)

<Directory "/var/www/html"> -- in theory Location or Files would work as well
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthName "Authenticate yourself" -- the prompt the browser shows when the URL is opened
    AuthType Basic
    AuthUserFile /etc/httpd/userpasswd -- location of the user and password file
    Require valid-user
</Directory>
# htpasswd -c /etc/httpd/userpasswd frank -- create the password file together with its first user
# htpasswd /etc/httpd/userpasswd george -- add another user; remember that -c creates (and overwrites) the file, so use it only when creating the first user
Keep the password file outside DocumentRoot, as here, so it cannot be downloaded. Basic authentication sends the user name and password with every request, only Base64 encoded, so use it over HTTPS only.
Note: password protection applies when the directory is requested; the directory's name may still appear in a parent directory's listing (IndexIgnore hides it), and it can always be requested directly by URL, at which point the browser asks for an account and password.
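The two htpasswd commands above are the usual way to maintain the AuthUserFile, and the -c pitfall is that running it a second time wipes the first user. The following shell script is an added example, not part of the original article, that does the same job with openssl alone (handy when httpd-tools is not installed) and never truncates the file: it writes the Apache-MD5 ($apr1$) hash that htpasswd produces by default, and it verifies a password the way mod_auth_basic does, by re-hashing with the stored salt. The file name, user names and passwords are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): maintain an Apache
# AuthUserFile with openssl only.  "openssl passwd -apr1" emits the same
# $apr1$ (Apache MD5) hash that htpasswd writes by default, so the file is
# usable with AuthType Basic on httpd 2.2 and 2.4.  File name, users and
# passwords are assumptions made for the demonstration.
set -eu

# add_basic_auth_user FILE USER PASSWORD
# Creates FILE if it does not exist, replaces an existing entry for USER and
# appends a new one otherwise.  Unlike "htpasswd -c" it never truncates an
# existing file, so adding the second user keeps the first.
add_basic_auth_user() {
    file=$1; user=$2; password=$3
    case "$user" in
        ""|*:*|*[!A-Za-z0-9._-]*)
            echo "invalid user name: '$user'" >&2; return 1 ;;
    esac
    # feed the password on stdin rather than argv so it never shows up in ps
    hash=$(printf '%s\n' "$password" | openssl passwd -apr1 -stdin)
    tmp="$file.tmp.$$"
    if [ -f "$file" ]; then
        grep -v "^$user:" "$file" > "$tmp" || true   # drop the old entry, keep the rest
    else
        : > "$tmp"
    fi
    printf '%s:%s\n' "$user" "$hash" >> "$tmp"
    chmod 640 "$tmp"      # readable by the httpd group only, never world-readable
    mv "$tmp" "$file"
}

# count_users FILE: number of accounts in FILE
count_users() { grep -c . "$1"; }

# has_user FILE USER: true when USER has an $apr1$ entry in FILE
has_user() { grep -q "^$2:[\$]apr1[\$]" "$1"; }

# check_password FILE USER PASSWORD: re-hash with the stored salt and compare,
# which is what mod_auth_basic does when the browser sends the credentials
check_password() {
    stored=$(grep "^$2:" "$1" | cut -d: -f2-)      # $apr1$<salt>$<hash>
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    [ "$(printf '%s\n' "$3" | openssl passwd -apr1 -salt "$salt" -stdin)" = "$stored" ]
}

# Demonstration on a temporary file with constructed accounts:
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    add_basic_auth_user "$f" frank  'correct horse'
    add_basic_auth_user "$f" george 'battery staple'
    echo "$(count_users "$f") users in $f"; cat "$f"; rm -f "$f"
fi
```

Run it with the argument demo to see it work on a throw-away file. The hashes differ on every run because the salt is random, which is why check_password must re-hash with the salt taken from the stored entry instead of hashing afresh.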
4. Name-based virtual hosts

NameVirtualHost *:80 -- turn on name-based virtual hosting on port 80 (required in Apache 2.2; Apache 2.4 ignores it)
<VirtualHost *:80> -- first virtual host
    ServerName www.george.com
    DocumentRoot /var/www/html/
    <Directory "/var/www/html">
        ..................
    </Directory>
</VirtualHost>
<VirtualHost *:80> -- second virtual host
    ServerName mail.george.com
    DocumentRoot /var/www/cgi-bin/openwebmail/
    ScriptAlias /mail /var/www/cgi-bin/openwebmail/openwebmail.pl
    <Location />
        ......................
    </Location>
</VirtualHost>
The server picks the virtual host by matching the request's Host header against each ServerName; a request for a name that matches nothing goes to the first VirtualHost in the file, so make that one a safe default. If each site is bound to its own address (<VirtualHost ip-address:80>) instead of a name, the result is IP-based virtual hosting.

5. Log parameters

ErrorLog logs/error_log -- where the error log is saved
LogLevel warn -- the error log level, one of: debug, info, notice, warn, error, crit, alert, emerg
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
.....
LogFormat "%{User-Agent}i" agent -- the four LogFormat lines (combined, common, referer, agent) are the access log formats defined by default
CustomLog logs/access_log combined -- write the access log in the combined format
%h – the IP address or host name of the client
%l – the RFC 1413 identity reported by the client's identd; "-" in the output means it is unavailable
%u – the user name from HTTP authentication; valid only after authentication, "-" otherwise
%t – the time the server received the request
"%r" – the request line sent by the client, which carries most of the useful information
%>s – the final status code returned to the client
%b – the number of bytes returned to the client, not counting the response headers
"%{Referer}i" – the page from which the request was made, as claimed by the client
"%{User-Agent}i" – the browser identification supplied by the client
%r, %{Referer}i and %{User-Agent}i are supplied by the client and can contain anything; treat them as untrusted when parsing the log or feeding it to other tools.
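The combined format above is where every access-control decision in this article ends up: a failed Basic-auth attempt is a 401, a client caught by Deny from or a closed server-status is a 403. The following shell script is an added example, not part of the original article, that writes a few constructed combined-format lines and pulls out the clients that keep collecting 401/403 responses, the simplest brute-force and probing indicator a practitioner can build from the fields just described. It parses the quoted fields rather than counting whitespace, because the request line and the User-Agent are client-controlled and may contain spaces. Addresses, paths and timestamps are made up.

```shell
#!/bin/sh
# Added example (not from the original article): spot clients that repeatedly
# receive 401 (authentication failed) or 403 (forbidden) in a "combined"
# access log.  The sample lines are constructed for the demonstration.
set -eu

# write_sample_log FILE: constructed combined-format lines, one request each.
# Note the request with a space in its path and the User-Agent carrying
# escaped quotes: both are legal and both break naive whitespace parsing.
write_sample_log() {
    cat > "$1" <<'EOF'
192.168.133.22 - - [10/Oct/2023:13:55:36 +0800] "GET /mail/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.133.22 - - [10/Oct/2023:13:55:37 +0800] "GET /mail/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.133.22 - - [10/Oct/2023:13:55:38 +0800] "GET /mail/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.133.22 - frank [10/Oct/2023:13:55:40 +0800] "GET /mail/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:56:01 +0800] "GET /index.html HTTP/1.1" 200 2326 "http://www.george.com/" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:56:02 +0800] "GET /server-status HTTP/1.1" 403 214 "-" "curl/7.61"
10.0.0.9 - - [10/Oct/2023:13:57:12 +0800] "GET /a b.html HTTP/1.1" 404 203 "-" "\"quoted\" agent"
EOF
}

# failing_clients FILE MIN: print "count ip" for every client with at least
# MIN responses of 401 or 403, most frequent first
failing_clients() {
    awk -v min="$2" '
    {
        line = $0
        gsub(/\\"/, "\001", line)      # httpd logs a quote inside a field as \" ; hide it
        n = split(line, q, "\"")       # q[2]=request  q[3]=" status bytes "  q[4]=referer  q[6]=user-agent
        if (n < 7) next                # not a combined-format line, skip it
        split(q[3], sb, " ")
        status = sb[1]
        if (status == 401 || status == 403) fail[$1]++
    }
    END { for (ip in fail) if (fail[ip] >= min) printf "%d %s\n", fail[ip], ip }
    ' "$1" | sort -rn
}

# Demonstration on a constructed log:
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    write_sample_log "$f"
    failing_clients "$f" 1
    rm -f "$f"
fi
```

Against a real server call failing_clients /var/log/httpd/access_log 10 (or whatever threshold fits the traffic). The status code is taken from the field after the request line's closing quote, so a User-Agent that embeds " 401 " cannot inflate the count; the one case the parser does not handle is a logged backslash immediately before a quote.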
6. SSL encryption configuration

# yum install -y mod_ssl -- install the encryption module
# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost *:443>
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt -- the server certificate
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key -- the private key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    ServerName www.george.com
    DocumentRoot /var/www/cgi-bin/openwebmail/
    ScriptAlias /mail /var/www/cgi-bin/openwebmail/openwebmail.pl
    <Location />
        SSLOptions +StdEnvVars
        Options Indexes
        Order deny,allow
        Allow from all
    </Location>
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
The protocol and cipher lines are the stock ssl.conf of the time and are no longer acceptable: SSLv3 is broken as well, and the DES, 3DES and export ciphers still allowed by this string are weak. Add -SSLv3 (and, where the clients allow it, -TLSv1 -TLSv1.1) to SSLProtocol and replace DEFAULT with a current cipher suite string. Options Indexes on the webmail DocumentRoot also lists the application's files to anyone; remove it.

6.1. Generate a certificate yourself

# mkdir /etc/pki/test/
# cd /etc/pki/test
# openssl genrsa -out /etc/pki/test/test.key 1024 -- the private key (1024-bit RSA is below today's minimum; use 2048 bits or more)
# openssl req -new -key test.key -out test.csr -- the certificate signing request
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:IT
Organizational Unit Name (eg, section) []:Maintenance
Common Name (eg, your name or your server's hostname) []:www.george.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:Azt
# openssl req -x509 -days 365 -key test.key -in test.csr -out test.crt -- the self-signed certificate (the file holds the certificate, not just the public key)
# ls -- test.crt test.csr test.key
Then point SSLCertificateFile at test.crt and SSLCertificateKeyFile at test.key in /etc/httpd/conf.d/ssl.conf. The Common Name must be the host name users will type; current browsers additionally require that name in a subjectAltName extension, which this interactive procedure does not add.
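The interactive commands in 6.1 produce a 1024-bit key and a certificate that has no subjectAltName and, with the stock openssl.cnf, is marked CA:TRUE. The following shell script is an added example, not part of the original article, that produces the same test.key and test.crt pair non-interactively with current defaults (2048-bit RSA, SHA-256, a subjectAltName, CA:FALSE, a key readable only by its owner) and then checks the result the way mod_ssl and a browser will. The directory, host name and subject fields come from the article or are assumed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): create the test certificate
# from section 6.1 in one step, with the settings a browser accepts today, and
# check it the way mod_ssl and a browser will.  Directory, host name and
# subject fields are taken from the article or assumed.
set -eu

# make_self_signed DIR HOST DAYS: writes DIR/test.key and DIR/test.crt
make_self_signed() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    cfg="$dir/req.cnf"
    # minimal request config: the subject comes from -subj, the extensions mark
    # the certificate as an end-entity server cert valid only for HOST
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
[dn]
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    ( umask 077     # the private key must be readable by its owner only
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
          -config "$cfg" \
          -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=IT/OU=Maintenance/CN=$host" \
          -keyout "$dir/test.key" -out "$dir/test.crt" 2>/dev/null )
    rm -f "$cfg"
}

# cert_dns_names CERT: the DNS names in subjectAltName, one per line; this is
# what a browser matches the URL against (the Common Name alone is ignored today)
cert_dns_names() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# cert_is_ca CERT: true when basicConstraints says CA:TRUE, i.e. the
# certificate could sign other certificates (the default for "openssl req -x509"
# without explicit extensions, and not what a server certificate should be)
cert_is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# key_bits KEY: RSA modulus size in bits
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# key_matches_cert KEY CERT: same check mod_ssl performs at startup
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_is_private KEY: mode 0600, nothing for group or others
key_is_private() { [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]; }

# cert_valid_now CERT: not yet expired
cert_valid_now() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

# Demonstration in a temporary directory:
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_self_signed "$d" www.george.com 365
    echo "names: $(cert_dns_names "$d/test.crt")  bits: $(key_bits "$d/test.key")"
    cert_is_ca "$d/test.crt" && echo "WARNING: certificate is a CA"
    rm -rf "$d"
fi
```

Point SSLCertificateFile and SSLCertificateKeyFile at the two files as in 6.1. cert_is_ca is the check worth keeping: a server certificate that can itself sign certificates is exactly the kind of thing you do not want a user to import as trusted, which is what section 6.2 asks the tester to do.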
6.2. Test the certificate you configured

Open https://www.george.com/mail. A certificate we issued ourselves is not trusted by the browser; the certificate status says it is not trusted because the CA root certificate is not in the Trusted Root Certification Authorities store.

We need to import our own certificate (test.crt) into Trusted Root Certification Authorities and Trusted Publishers in the browser. The following steps are for Google Chrome:

Next, a few more dialog boxes appear; click "Next", "Finish" and "Yes", and the import is complete.

Now open our site in the browser again and view the certificate; its status reads "This certificate is OK."

This only silences the warning on the machine where the import was done, and that browser will from now on trust anything signed with test.key, so keep the key private and remove the entry once testing is over. For a site that other people use, get a certificate from a CA the browsers already trust.
