1. Prepare the software:
Package | Purpose
--- | ---
pcre and pcre-devel | PCRE is the Perl-compatible regular expression library. httpd needs it for its own regex support (mod_rewrite, `<LocationMatch>`, `<FilesMatch>` and similar directives) and configure fails without the development headers. It is required regardless of whether your CGI scripts are written in Perl.
apr-1.5.1 | The Apache Portable Runtime abstracts the operating system so that httpd builds and runs across platforms. httpd cannot be built without it. The event MPM of httpd 2.4 needs APR 1.5.x or later.
apr-util-1.5.3 | Higher-level utility library built on APR (database, LDAP, hashing and so on), as the name suggests.
httpd-2.4.9 | Today's main subject. Compared with 2.2.x, 2.4 makes the event MPM fully supported, replaces the `Order`/`Allow from` access control with `Require all {granted|denied}` (mod_authz_core), and no longer needs the `NameVirtualHost` directive for name-based virtual hosts.
2. Compile:
Install the build dependencies first (pcre-devel, openssl-devel and zlib-devel, since the configure line below asks for regex, SSL and deflate support), then check the tarballs are present:

```bash
[root@pan soft]# ls
apr-1.5.1.tar.gz  apr-util-1.5.3.tar.bz2  httpd-2.4.9.tar.gz
```

Unpack:

```bash
[root@pan soft]# tar xf apr-1.5.1.tar.gz
[root@pan soft]# tar xf apr-util-1.5.3.tar.bz2
[root@pan soft]# tar xf httpd-2.4.9.tar.gz
[root@pan soft]# ls
apr-1.5.1  apr-util-1.5.3  httpd-2.4.9  apr-1.5.1.tar.gz  apr-util-1.5.3.tar.bz2  httpd-2.4.9.tar.gz
```

Compile and install apr-1.5.1 into /application/apr-1.5.1:

```bash
[root@pan soft]# cd apr-1.5.1
[root@pan apr-1.5.1]# ./configure \
    --prefix=/application/apr-1.5.1 && make && make install
```

Compile and install apr-util-1.5.3 into /application/apr-util-1.5.3, pointing it at the APR just built:

```bash
[root@pan soft]# cd apr-util-1.5.3
[root@pan apr-util-1.5.3]# ./configure \
    --prefix=/application/apr-util-1.5.3 \
    --with-apr=/application/apr-1.5.1/ && make && make install
```

Compile and install httpd-2.4.9:

```bash
[root@pan soft]# cd httpd-2.4.9
[root@pan httpd-2.4.9]# ./configure \
    --prefix=/application/httpd --sysconfdir=/etc/httpd24 \
    --enable-modules=most --enable-so --enable-ssl \
    --enable-mpms-shared=all --enable-cgi --enable-rewrite \
    --with-apr=/application/apr-1.5.1/ \
    --with-apr-util=/application/apr-util-1.5.3/ \
    --with-ssl --with-mpm=event --with-zlib && make && make install
```

Configure options:

Option | Meaning
--- | ---
`--prefix=` | installation directory
`--sysconfdir=` | configuration file directory
`--enable-modules=most` | build most of the modules
`--enable-so` | enable dynamically loadable modules (DSO)
`--enable-ssl` | build mod_ssl
`--with-ssl=` | path to the OpenSSL installation; without a value the system paths are searched. Requires openssl and openssl-devel.
`--enable-mpms-shared=all` | build all MPMs (prefork, worker, event) as loadable modules, so the MPM can be switched with `LoadModule` instead of a rebuild
`--with-mpm=event` | make event the default MPM, i.e. the default processing model
`--enable-cgi` | build CGI support
`--enable-rewrite` | build mod_rewrite
`--with-zlib` | build mod_deflate against zlib (requires zlib-devel)
`--with-apr=/application/apr-1.5.1/` | the APR installation to build against
`--with-apr-util=/application/apr-util-1.5.3/` | the APR-util installation to build against
3. Follow-up steps
Step | How
--- | ---
Link the header files | `ln -s /application/httpd/include/ /usr/include/httpd`
Link the library files | httpd installs no shared libraries for other programs to link against, so nothing needs registering. For software that does, either `echo "/path/to/lib" > /etc/ld.so.conf.d/NAME.conf` or symlink the individual `.so` files into `/usr/lib[64]`, then run `ldconfig` to rebuild the loader cache. `ldconfig -p` lists the libraries currently in the cache.
Link the man pages | add `MANPATH /application/httpd/man` to man.config (on systems using man-db, `MANDATORY_MANPATH /application/httpd/man` in /etc/man_db.conf)
Put bin on the PATH | create /etc/httpd24.sh in /etc/profile.d/ (the tutorial names it httpd.sh) containing `export PATH=$PATH:/application/httpd/bin`, then log in again or load it with `. /etc/profile.d/httpd.sh`
Back up the configuration | `tar Jcf /bak/httpd_config.tar.xz /etc/httpd24`
4. Basic configuration:
Setting | Directives
--- | ---
Hide the httpd version | `ServerTokens Prod` and `ServerSignature Off`. `ServerTokens Prod` reduces the `Server:` response header to `Server: Apache`, and `ServerSignature Off` removes the footer from server-generated pages such as error pages and directory listings. This trims banner information but does not stop version fingerprinting by behaviour, so treat it as hygiene rather than a security control.
Default index page | `DirectoryIndex index.html`
Listening port | `Listen 80`
Web root | `DocumentRoot "/application/httpd/htdocs"`
Web root permissions | `<Directory "/application/httpd/htdocs">` `Options None` `AllowOverride None` `Require all granted` `</Directory>`. `Options None` turns off directory listings, CGI execution, SSI and symlink following; `AllowOverride None` ignores .htaccess files; `Require all granted` allows every client.
6. Configuring CGI in httpd:
CGI (Common Gateway Interface) is one of the core technologies of the web. It is the interface standard between external programs (CGI programs) and the web server, defining how information is passed between the two. The CGI specification lets the web server execute an external program and send its output to the browser, turning what was a collection of static hypermedia documents into an interactive medium.
A dynamic site produces its content by running scripts. CGI is rarely used in production today, partly because httpd starts a new process for every request, and partly because of its security profile: the request's query string and headers arrive in the script's environment, the script runs with the privileges of the httpd user (or of a setuid helper if one is configured), and any file matched by the handler in an ExecCGI directory is executed, so a writable web root becomes a code-execution path. A bash CGI like the one below is exactly the vector Shellshock (CVE-2014-6271) used: httpd exports request headers as HTTP_* environment variables, and an unpatched bash executed code embedded in those values before the script's first line ran. Keep bash patched, keep CGI out of the DocumentRoot, and treat every environment variable as attacker-controlled.
① Make sure the mod_cgi.so module is loaded:

```bash
[root@pan ~]# egrep "mod_cgi.so" /etc/httpd24/httpd.conf
LoadModule cgi_module modules/mod_cgi.so
```

Note that httpd 2.4 uses mod_cgi only with the non-threaded prefork MPM; with event or worker it uses mod_cgid, which hands script execution to a separate daemon. The generated httpd.conf wraps the two `LoadModule` lines in `<IfModule mpm_prefork_module>` and `<IfModule !mpm_prefork_module>` blocks, so check that the one matching your MPM is uncommented.
② Edit the configuration file:

```apache
DocumentRoot "/application/httpd/htdocs"
AddHandler cgi-script .cgi .pl .sh
<Directory "/application/httpd/htdocs">
    Options ExecCGI
    AllowOverride None
    Require all granted
</Directory>
```

`AddHandler` maps the suffixes to the cgi-script handler and `Options ExecCGI` permits execution in that directory. Enabling ExecCGI on the DocumentRoot means any file in the web root ending in .cgi, .pl or .sh is executed, including whatever an upload form or a misconfiguration drops there; this is fine for the experiment, but in production keep CGI in a dedicated directory outside the DocumentRoot, as ScriptAlias does in the next section.
③ Add a bash test script to /application/httpd/htdocs:

```bash
[root@pan htdocs]# cat index.sh
#!/bin/bash
#
cat << EOF
Content-Type: text/html

<pre>
The hostname is: `hostname`.
The time is: `date`
</pre>
EOF
[root@pan htdocs]# chmod +x index.sh
[root@pan htdocs]# ls -l index.sh
-rwxr-xr-x 1 root root 116 Dec  7 11:45 index.sh
```

The empty line after `Content-Type: text/html` is required: it ends the CGI header block. Without it httpd logs "malformed header from script" and answers with a 500.
④ Start httpd and test:

```bash
[root@pan htdocs]# httpd -t
Syntax OK
[root@pan htdocs]# httpd -k start
[root@pan htdocs]# ss -tnl
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      3      10.247.56.153:53     *:*
LISTEN     0      3      127.0.0.1:53         *:*
LISTEN     0      128    *:22                 *:*
LISTEN     0      128    127.0.0.1:953        *:*
LISTEN     0      100    127.0.0.1:25         *:*
LISTEN     0      50     *:3306               *:*
LISTEN     0      128    *:80                 *:*
```

Port 80 is now listening (the other sockets belong to DNS, SSH, MySQL and the mail daemon on this host); requesting http://host/index.sh should return the hostname and time.
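The index.sh above works, but it is the minimum that works. The script below is an added example, not from the original tutorial, showing how a practitioner would write the same CGI in a hardened form: it keeps the CGI output contract (headers, exactly one empty line, then the body), never passes request data to the shell as code, and HTML-escapes what it echoes back. The `name` query parameter is an invention for this demo, and URL decoding is left out so the values are shown raw; httpd itself sets QUERY_STRING and GATEWAY_INTERFACE when it runs the script. The `unsafe_parse` function is included only to show the idiom to avoid.

```shell
#!/bin/sh
# Added example, not from the original tutorial: a CGI script written the way
# a practitioner would harden the bash example above. It keeps the CGI output
# contract (headers, one empty line, body) and never hands request data to the
# shell as code. The "name" parameter is invented for this demo; httpd sets
# QUERY_STRING and GATEWAY_INTERFACE for real requests.

# UNSAFE, shown only for contrast: the classic shell-CGI idiom of eval-ing the
# query string to turn a=1&b=2 into shell variables. A request carrying
# QUERY_STRING='name=x;id' runs the injected command as the httpd user.
unsafe_parse() {
  eval "$QUERY_STRING"
}

# query_param NAME: print the raw value of NAME from QUERY_STRING, or nothing.
# Splitting with tr/sed keeps the data as data; nothing is ever executed.
query_param() {
  printf '%s\n' "${QUERY_STRING:-}" | tr '&' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# html_escape STRING: neutralise the characters that break out of HTML text or
# attribute context, so a request value cannot inject markup or script.
html_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# cgi_response: the complete response. Headers first, then exactly one empty
# line; without it httpd logs "malformed header from script" and returns 500.
cgi_response() {
  name=$(query_param name)
  [ -n "$name" ] || name=world
  safe_name=$(html_escape "$name")
  printf 'Content-Type: text/html; charset=utf-8\n'
  printf 'X-Content-Type-Options: nosniff\n'
  printf '\n'
  printf '<!DOCTYPE html>\n<pre>\n'
  printf 'Hello, %s.\n' "$safe_name"
  printf 'The hostname is: %s.\n' "$(uname -n)"
  printf 'The time is: %s\n' "$(date)"
  printf '</pre>\n'
}

# httpd sets GATEWAY_INTERFACE=CGI/1.1 when it runs the script; when the file
# is merely sourced (for example by a test) only the functions are defined.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
  cgi_response
fi
```

Drop it into the cgi-bin directory as hello.sh, mark it executable, and request /cgi-bin/hello.sh?name=%3Cb%3EBob%3C%2Fb%3E: the markup comes back as text, not as a bold tag. Using /bin/sh rather than /bin/bash also sidesteps bash-specific environment handling, although the real defence against Shellshock is a patched bash.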
7. CGI via a script alias (ScriptAlias):
An alias maps a URL path to a particular directory on disk. For example, when a user requests www.baidu.com/www/index.html, httpd by default serves /www/index.html under the web root (in our environment /application/httpd/htdocs/www/index.html). With an alias we can point that URL at /application/test instead, so that a request for www.baidu.com/www/index.html is served from /application/test.
A script alias is simply an alias whose target directory is a CGI directory. Note: `Alias` defines an ordinary alias; `ScriptAlias` defines a CGI script alias, which implicitly marks the target directory as executable CGI and assigns the cgi-script handler to everything in it.
① To make the effect visible, comment out the previous change and restore the original configuration. (Leaving it in place would not break anything; the point is to show that a script alias needs neither the `AddHandler cgi-script` line nor the directory's `ExecCGI` option, because `ScriptAlias` supplies both.)
```apache
DocumentRoot "/application/httpd/htdocs"
#AddHandler cgi-script .cgi .pl .sh
<Directory "/application/httpd/htdocs">
    Options None
    AllowOverride None
    Require all granted
</Directory>
```
② Make sure the mod_alias.so and mod_cgi.so modules are loaded:

```bash
[root@pan htdocs]# egrep "mod_cgi.so|mod_alias" /etc/httpd24/httpd.conf
LoadModule cgi_module modules/mod_cgi.so
LoadModule alias_module modules/mod_alias.so
```
③ Edit the configuration file:

```apache
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/application/httpd/cgi-bin/"
</IfModule>
<Directory "/application/httpd/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
```
④ Add the script to /application/httpd/cgi-bin:

```bash
[root@pan ~]# cp /application/httpd/htdocs/index.sh /application/httpd/cgi-bin
[root@pan ~]# ls /application/httpd/cgi-bin
index.sh  printenv  printenv.vbs  printenv.wsf  test-cgi
```

The cgi-bin shipped with httpd already contains printenv and test-cgi. Both dump the server environment (paths, software versions, and every request header) to any client who asks, so remove them from any server that is reachable by others.
⑤ Reload the configuration and test:

```bash
[root@pan ~]# httpd -k restart
[root@pan ~]# ss -tnl
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      3      10.247.56.153:53     *:*
LISTEN     0      3      127.0.0.1:53         *:*
LISTEN     0      128    *:22                 *:*
LISTEN     0      128    127.0.0.1:953        *:*
LISTEN     0      100    127.0.0.1:25         *:*
LISTEN     0      50     *:3306               *:*
LISTEN     0      128    *:80                 *:*
```

The script is now reached at http://host/cgi-bin/index.sh, while the same file under the DocumentRoot is served as plain text.
8. Configuring name-based virtual hosts:
Virtual hosts let a single server host several websites. You can define as many as you like, but once a `<VirtualHost>` matches an address:port, the main server configuration (the "central host") no longer serves requests on that address:port: the first virtual host listed becomes the default for requests whose Host header matches no ServerName, and the global DocumentRoot is never used. That is why it is commented out below.
① Disable the central host (commenting out the DocumentRoot line is enough):

```bash
[root@pan extra]# sed -i 's@^DocumentRoot@#&@g' /etc/httpd24/httpd.conf
[root@pan extra]# grep "^#Document" /etc/httpd24/httpd.conf
#DocumentRoot "/application/httpd/htdocs"
```
② Enable the virtual host configuration file (uncomment this line in httpd.conf):

```apache
Include /etc/httpd24/extra/httpd-vhosts.conf
```
③ Configure the virtual hosts:

```bash
[root@pan extra]# cat /etc/httpd24/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/www/htdocs/a.com"
    ServerName www.a.com
    <Directory "/www/htdocs/a.com">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog "logs/a.com-error_log"
    CustomLog "logs/a.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/www/htdocs/b.com"
    ServerName www.b.com
    <Directory "/www/htdocs/b.com">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog "logs/b.com-error_log"
    CustomLog "logs/b.com-access_log" common
</VirtualHost>
```

Each virtual host needs its own `<Directory>` block granting access, because the per-directory permissions of the central host do not apply to /www/htdocs; and separate logs per site make it possible to tell afterwards which host a suspicious request hit.
④ Provide the pages, check the syntax and restart:

```bash
[root@pan ~]# cat /www/htdocs/a.com/index.html
a.com
[root@pan ~]# cat /www/htdocs/b.com/index.html
b.com
[root@pan ~]# httpd -t
Syntax OK
[root@pan ~]# httpd -k restart
[root@pan ~]# ss -tnl
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      3      10.247.56.153:53     *:*
LISTEN     0      3      127.0.0.1:53         *:*
LISTEN     0      128    *:22                 *:*
LISTEN     0      128    127.0.0.1:953        *:*
LISTEN     0      100    127.0.0.1:25         *:*
LISTEN     0      50     *:3306               *:*
LISTEN     0      128    *:80                 *:*
```
⑤ Test:
Name resolution on Linux via /etc/hosts:

```bash
[root@pan ~]# cat /etc/hosts
127.0.0.1 localhost www.a.com www.b.com
```

Test:

```bash
[root@pan ~]# curl www.a.com
a.com
[root@pan ~]# curl www.b.com
b.com
```

Each host name returns its own page, confirming that httpd selected the virtual host from the Host header.
Name resolution on Windows: add a line mapping the server's IP to the domain in C:\Windows\System32\drivers\etc\hosts. In my case:

```text
115.159.120.253 www.b.com
```
9. Configuring an SSL host.
An SSL/TLS connection is bound to an IP address and port, and the server has to choose a certificate before it sees the HTTP Host header. Classically this means only one SSL virtual host per IP:port. With SNI (Server Name Indication), which mod_ssl in httpd 2.4 supports when OpenSSL is built with TLS extensions, the client sends the host name in the TLS handshake and several name-based TLS virtual hosts can share one IP:port; very old clients that do not send SNI then get the first virtual host's certificate. HTTPS uses port 443 by default.
① Enable the SSL configuration file (uncomment this line in httpd.conf):

```apache
Include /etc/httpd24/extra/httpd-ssl.conf
```
② To keep the experiment simple, disable the virtual hosts again:

```apache
#Include /etc/httpd24/extra/httpd-vhosts.conf
```
③ Load the SSL modules (mod_socache_shmcb provides the shared-memory session cache that the `SSLSessionCache shmcb:` directive below refers to, so it goes with mod_ssl):

```apache
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
```
④ Create a private CA with openssl and issue a certificate
Create the CA's own private key:

```bash
[root@pan ~]# (umask 277; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
..............................+++
e is 65537 (0x10001)
[root@pan ~]# ls /etc/pki/CA/private/ -l
total 4
-r-------- 1 root root 1675 Dec  7 13:40 cakey.pem
```

Running `umask 277` in a subshell makes the key file mode 400 (readable by root only) without changing the umask of the login shell.

Generate the CA's self-signed certificate and create the issuance database (`openssl ca` refuses to run without index.txt and serial):

```bash
[root@pan ~]# (umask 277; openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [BeiJing]:BeiJing
Locality Name (eg, city) [ChangPing]:ChangPing
Organization Name (eg, company) [Telecom]:Telecom
Organizational Unit Name (eg, section) [Tech]:Tech
Common Name (eg, your name or your server's hostname) []:ca.meng.com
Email Address []:
[root@pan ~]# touch /etc/pki/CA/index.txt
[root@pan ~]# echo "00" > /etc/pki/CA/serial
```

Caveat: `openssl req -x509` without `-days` issues a certificate valid for only 30 days, after which every server certificate this CA signed stops verifying. For a CA that is meant to last, add `-days 3650` (or whatever lifetime you want) to this command.

Generate the private key for httpd:

```bash
[root@pan ~]# mkdir /etc/httpd24/ssl
[root@pan ~]# (umask 277; openssl genrsa -out /etc/httpd24/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.........................................+++
.+++
e is 65537 (0x10001)
```

Generate the certificate signing request for httpd:

```bash
[root@pan ~]# (umask 277; openssl req -new -key /etc/httpd24/ssl/httpd.key -out /etc/httpd24/ssl/httpd.csr -days 365)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [BeiJing]:BeiJing
Locality Name (eg, city) [ChangPing]:ChangPing
Organization Name (eg, company) [Telecom]:Telecom
Organizational Unit Name (eg, section) [Tech]:Tech
Common Name (eg, your name or your server's hostname) []:www.ssl.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

Two things to know here: `-days 365` on a plain request is ignored (it only applies together with `-x509`); the validity of the issued certificate is decided by `openssl ca`, which uses `default_days` from openssl.cnf (365) unless told otherwise. And the Country, State and Organization fields must match the CA's, because the `policy_match` policy in /etc/pki/tls/openssl.cnf requires them to; the Locality field is not listed in that policy at all, which is why it disappears from the issued certificate below.

The CA issues the certificate (`-md sha256` overrides the `default_md` of older openssl.cnf files, which is sha1):

```bash
[root@pan ~]# (umask 277; openssl ca -md sha256 -in /etc/httpd24/ssl/httpd.csr -out /etc/httpd24/ssl/httpd.crt)
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Dec  7 05:49:40 2015 GMT
            Not After : Dec  6 05:49:40 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = Telecom
            organizationalUnitName    = Tech
            commonName                = www.ssl.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CC:51:13:6B:2E:2A:C7:22:01:22:AC:66:0B:C2:91:EE:30:20:39:23
            X509v3 Authority Key Identifier:
                keyid:BF:8A:1D:A7:EE:77:C5:7E:EC:5F:AB:1A:B5:BC:D4:9F:59:FE:56:38

Certificate is to be certified until Dec  6 05:49:40 2016 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@pan ~]# ls -l /etc/httpd24/ssl
total 16
-r-------- 1 root root 4453 Dec  7 13:49 httpd.crt
-r-------- 1 root root 1005 Dec  7 13:47 httpd.csr
-r-------- 1 root root 1675 Dec  7 13:45 httpd.key
```

Note that the issued certificate carries no subjectAltName: the host name exists only in the CN. Current browsers ignore the CN for host-name matching and will reject this certificate even after the CA is trusted, so for anything beyond an experiment the request or the signing step must add `subjectAltName = DNS:www.ssl.com`.
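The following is an added example, not part of the original tutorial, that scripts the CA procedure above non-interactively and applies the two fixes just discussed: an explicit ten-year CA lifetime instead of the 30-day default, and a subjectAltName on the server certificate. It signs with `openssl x509 -req -extfile` rather than `openssl ca`, which avoids the index.txt/serial database at the price of keeping no issuance record (if you want revocation bookkeeping, stay with `openssl ca` and pass the same extensions via `-extfile`). The directory layout, the subjects, the host names and the `--demo` flag are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the private-CA steps above,
# scripted non-interactively with the two fixes a practitioner would want:
# an explicit CA lifetime (openssl req -x509 defaults to 30 days) and a
# subjectAltName on the server certificate (browsers ignore a host name that
# only appears in the CN). Directory layout, subjects and host names are
# assumptions for this demo; the -days flag on the CSR is dropped because it
# is ignored on a plain request.

# make_ca DIR: CA private key (mode 400, like the tutorial's umask 277) and a
# self-signed CA certificate valid for ten years.
make_ca() {
  dir=$1
  mkdir -p "$dir/private"
  (umask 277; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -sha256 -days 3650 \
    -key "$dir/private/cakey.pem" \
    -subj "/C=CN/ST=BeiJing/O=Telecom/OU=Tech/CN=ca.meng.com" \
    -out "$dir/cacert.pem"
}

# issue_server_cert CADIR OUTDIR FQDN [ALT_FQDN ...]: server key, CSR, and a
# CA-signed certificate whose subjectAltName lists every name given. Uses
# `openssl x509 -req -extfile` instead of `openssl ca`, so no index.txt/serial
# database is needed (and no issuance record is kept for revocation).
issue_server_cert() {
  cadir=$1; out=$2; fqdn=$3; shift 3
  mkdir -p "$out"
  (umask 277; openssl genrsa -out "$out/httpd.key" 2048 2>/dev/null)
  openssl req -new -sha256 -key "$out/httpd.key" \
    -subj "/C=CN/ST=BeiJing/O=Telecom/OU=Tech/CN=$fqdn" \
    -out "$out/httpd.csr"
  san="DNS:$fqdn"
  for alt in "$@"; do san="$san,DNS:$alt"; done
  # v3 extensions the CA stamps onto the leaf: not a CA, TLS server use, SANs.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
    "$san" > "$out/httpd.ext"
  openssl x509 -req -sha256 -days 365 -in "$out/httpd.csr" \
    -CA "$cadir/cacert.pem" -CAkey "$cadir/private/cakey.pem" -CAcreateserial \
    -extfile "$out/httpd.ext" -out "$out/httpd.crt" 2>/dev/null
}

# verify_cert CADIR OUTDIR FQDN: what a browser does once cacert.pem is in its
# trust store: chain the leaf to the CA, then look for FQDN in the SAN list
# (as a whole entry, followed by a comma or the end of the line).
verify_cert() {
  openssl verify -CAfile "$1/cacert.pem" "$2/httpd.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$2/httpd.crt" -noout -text | grep -Eq "DNS:$3(,|\$)"
}

# Stand-alone run: build everything under a scratch directory and report.
if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  make_ca "$work/CA"
  issue_server_cert "$work/CA" "$work/ssl" www.ssl.com ssl.com
  verify_cert "$work/CA" "$work/ssl" www.ssl.com && echo "chain and SAN OK: $work/ssl/httpd.crt"
fi
```

Run it with `--demo`, then point `SSLCertificateFile` and `SSLCertificateKeyFile` at the generated httpd.crt and httpd.key; importing cacert.pem into the browser's trust store is then sufficient, because the host name is where the browser looks for it.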
⑤ Edit httpd's SSL configuration file:

```bash
[root@pan ~]# vim /etc/httpd24/extra/httpd-ssl.conf
```

```apache
######################SSL global Config###########################
Listen 443
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/application/httpd/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

######################Virtual Host Config#######################
<VirtualHost _default_:443>
    DocumentRoot "/www/htdocs/ssl/"
    ServerName www.ssl.com:443
    <Directory "/www/htdocs/ssl">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog "/application/httpd/logs/ssl_error_log"
    TransferLog "/application/httpd/logs/ssl_access_log"

    SSLEngine on
    # certificate file
    SSLCertificateFile "/etc/httpd24/ssl/httpd.crt"
    # private key file
    SSLCertificateKeyFile "/etc/httpd24/ssl/httpd.key"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/application/httpd/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog "/application/httpd/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

Two corrections to the original listing: the directive is spelled `AllowOverride`, not `Allowoverride`, and httpd does not allow a `#` comment on the same line as a directive, so the comments on the certificate lines have been moved onto their own lines. Note also that `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` only excludes anonymous and MD5-based suites and says nothing about protocol versions; add `SSLProtocol all -SSLv2 -SSLv3` and `SSLHonorCipherOrder on` alongside it so that SSLv3 is refused and the server's preference order wins. The `BrowserMatch "MSIE [2-5]"` block is a compatibility workaround for browsers that no longer exist and can be dropped.
⑥ Provide a page and start the service:

```bash
[root@pan extra]# httpd -t
Syntax OK
[root@pan extra]# echo "<h1>SSL Test</h1>" > /www/htdocs/ssl/index.html
[root@pan extra]# httpd -k restart
[root@pan extra]# ss -tnl
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      3      10.247.56.153:53     *:*
LISTEN     0      3      127.0.0.1:53         *:*
LISTEN     0      128    *:22                 *:*
LISTEN     0      128    127.0.0.1:953        *:*
LISTEN     0      100    127.0.0.1:25         *:*
LISTEN     0      128    *:443                *:*
LISTEN     0      50     *:3306               *:*
LISTEN     0      128    *:80                 *:*
```

Port 443 is now listening alongside 80.
⑧ Test:
The browser reports that the connection is not private. The reason is that our CA's certificate is not in the local machine's trust store, so the browser cannot validate the server's identity. Download the CA certificate (/etc/pki/CA/cacert.pem), rename it with a .crt extension and import it into the trusted root certification authorities. Two caveats: a certificate whose only host name is in the CN, like the one issued above, is still rejected by current browsers, which require the name in subjectAltName; and a CA issued with the default 30-day lifetime will make everything it signed fail again after a month. Importing a private CA into a machine's root store also means trusting it for every site, so do this only on test machines and keep the CA key offline.
⑨ Access test: