HTTPD 常见配置

文章目录

3.1 指定服务器名

[root@centos8 ~]#httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain
name, using centos8.localdomain. Set the 'ServerName' directive globally to
suppress this message
Syntax OK
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
#ServerName www.example.com:80
servername www.magedu.org
[root@centos8 ~]#httpd -t
Syntax OK

范例：

[root@centos8 ~]#httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain
name, using centos8.localdomain. Set the 'ServerName' directive globally to
suppress this message
Syntax OK

3.2 显示服务器版本信息

ServerTokens Major 在响应头中显示服务器的主版本号
ServerTokens Minor 在响应头中显示服务器的主版本号和次版本号
ServerTokens Min[imal] 在响应头中显示服务器的完整版本号
ServerTokens Prod 只显示服务器类型----生产建议使用该值
ServerTokens OS 显示完整版本号和操作系统类型
ServerTokens Full 都显示，不配置时默认使用 full 值

3.3 设置监听的 IP 和 PORT 端口

指令：Listen [IP:]PORT

1 省略 IP 表示为本机所有 IP
2 Listen 指令至少一个，可重复出现多次

  Listen 192.168.1.100:8080
  Listen 80

3.4 持久连接

持久连接：Persistent Connection，每个资源获取完成后不会断开连接，而是继续等待其它的请求完成，不配置时
默认关闭持久连接
连接断开的条件：
时间限制：以秒为单位，默认 5s，httpd-2.4 支持毫秒级
副作用：对并发访问量大的服务器，持久连接会使有些请求得不到响应
折衷：使用较短的持久连接时间
配置持久连接的指令

KeepAlive  On|Off
KeepAliveTimeOut  15      # 连接持续15s,可以以ms为单位,默认值为5s
MaxKeepAliveRequests 500  # 持久连接最大接收的请求数,默认值100

通过 telnet 使用 GET 方法测试

[root@webhost ~]# telnet 172.20.1.67 80
Trying 172.20.1.67...
Connected to 172.20.1.67.
Escape character is '^]'.
GET /index.html HTTP/1.1   # 使用GET方法
HOST:2.2.2.2

HTTP/1.1 200 OK
Date: Tue, 10 Dec 2019 13:01:05 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Fri, 06 Dec 2019 01:34:30 GMT
ETag: "5e-598ff0c1ecbee"
Accept-Ranges: bytes
Content-Length: 94
Content-Type: text/html; charset=UTF-8

<DOCTYPE html>
<head>
        <p1>Hello There!</p1>
</head>

<body>
        <a>A test message!!</a>
</body>

# 返回html响应体后并没有立即断开连接...


Connection closed by foreign host. # 15秒后无请求，断开连接

3.5 DSO(Dymanic Shared Object)配置

Dynamic Shared Object加载动态模块配置，不需重启即生效
动态模块所在路径为/usr/lib64/httpd/modules/
先在主配置文件中/etc/httpd/conf/httpd.conf指定加载模块配置文件

ServerRoot "/etc/httpd"
Include conf.modules.d/*.conf

再到/etc/httpd/conf.modules.d/文件夹下添加特定模块的配置文件和指令
模块文件路径可使用相对路径：相对于 ServerRoot（默认/etc/httpd）

LoadModule <mod_name> <mod_path>

例：查看一些模块的配置文件和加载情况

# 查看默认有哪些模块的配置文件
[root@webhost ~]# ls -l /etc/httpd/conf.modules.d/
total 28
-rw-r--r-- 1 root root 3739 Aug  6 21:44 00-base.conf
-rw-r--r-- 1 root root  139 Aug  6 21:44 00-dav.conf
-rw-r--r-- 1 root root   41 Aug  6 21:44 00-lua.conf
-rw-r--r-- 1 root root  742 Aug  6 21:44 00-mpm.conf
-rw-r--r-- 1 root root  957 Aug  6 21:44 00-proxy.conf
-rw-r--r-- 1 root root   88 Aug  6 21:44 00-systemd.conf
-rw-r--r-- 1 root root  451 Aug  6 21:44 01-cgi.conf
# 查看httpd通常需要加载的模块
[root@webhost ~]# cat /etc/httpd/conf.modules.d/00-base.conf
#
# This file loads most of the modules included with the Apache HTTP
# Server itself.
#

LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_socache_module modules/mod_authn_socache.so
......

# 查看静态编译的模块
[root@webhost ~]# httpd -l
Compiled in modules:
  core.c
  mod_so.c
  http_core.c

# 查看静态编译的模块和动态加载的模块
[root@webhost ~]# httpd -M

 autoindex_module (shared)
 cache_module (shared)
 cache_disk_module (shared)
 data_module (shared)
 dbd_module (shared)
 deflate_module (shared)
 dir_module (shared)
 dumpio_module (shared)
 echo_module (shared)
 env_module (shared)
 expires_module (shared)
 ext_filter_module (shared)
 filter_module (shared)
 headers_module (shared)
 include_module (shared)
 info_module (shared)
 log_config_module (shared)
 .......

3.6 MPM(Multi-Processing Module)模块配置

MPM(Multi-Processing Module)多路处理模块使得 httpd 支持三种 MPM 工作模式：prefork, worker, event
分别由三个对应的 MPM 模块来提供对应的工作模式，配置文件位于/etc/httpd/conf.modules.d/00-mpm.conf

[root@webhost ~]# cat /etc/httpd/conf.modules.d/00-mpm.conf
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:

# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See: http://httpd.apache.org/docs/2.4/mod/worker.html
#
#LoadModule mpm_worker_module modules/mod_mpm_worker.so

# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See: http://httpd.apache.org/docs/2.4/mod/event.html
#
#LoadModule mpm_event_module modules/mod_mpm_event.so

centos7 目前默认的为 prefork 工作模式，启用 MPM 相关的 LoadModule 指令即可使用相应的工作模式，其它未
启用的两项需要在行首加#注释
注意：不要同时启用多个 MPM 模块，否则会出现类似下面的错误
AH00534: httpd: Configuration error: More than one MPM loaded.
查看默认的 mpm 工作模式并改为 worker 工作模式

[root@webhost ~]# httpd -M |grep mpm
 mpm_prefork_module (shared)
[root@webhost ~]# vim /etc/httpd/conf.modules.d/00-mpm.conf
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:

# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
######## 注释下面的这行
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See: http://httpd.apache.org/docs/2.4/mod/worker.html
#
######## 取消注释下面的这行
LoadModule mpm_worker_module modules/mod_mpm_worker.so

# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See: http://httpd.apache.org/docs/2.4/mod/event.html
#
#LoadModule mpm_event_module modules/mod_mpm_event.so
[root@webhost ~]# systemctl restart httpd
[root@webhost ~]# httpd -M | grep mpm
 mpm_worker_module (shared)

3.7 prefork 模式的相关配置

StartServers            2000
MinSpareServers         2000
MaxSpareServers         2000
ServerLimit             2560 # 最多进程数,最大值 20000
MaxRequestWorkers       2560 # 最大的并发连接数，默认256
MaxRequestsPerChild     4000 # 从 httpd.2.3.9开始被MaxConnectionsPerChild代替
MaxConnectionsPerChild      4000 # 子进程最多能处理的请求数量。在处理MaxRequestsPerChild
                                 # 个请求之后,子进程将会被父进程终止，这时候子进程占用的内存就会释放(为0时永远不释放）

3.8 worker 和 event 模式相关的配置

ServerLimit         16
StartServers         2
MaxRequestWorkers  150
MinSpareThreads     25
MaxSpareThreads     75
ThreadsPerChild     25

# 配置示例
[root@webhost ~]#vim etc/httpd/conf.d/custom.conf
ServerLimit 24
StartServers 12
[root@webhost ~]# ps aux | grep /usr/sbin/httpd -w
root      16094  0.1  0.3 230716  5532 ?        Ss   21:40   0:00 /usr/sbin/httpd -DFOREGROUND
apache    16095  0.0  0.1 230340  2980 ?        S    21:40   0:00 /usr/sbin/httpd -DFOREGROUND
apache    16096  0.0  0.2 517544  3488 ?        Sl   21:40   0:00 /usr/sbin/httpd -DFOREGROUND
apache    16097  0.0  0.2 517544  3488 ?        Sl   21:40   0:00 /usr/sbin/httpd -DFOREGROUND
apache    16098  0.0  0.2 517544  3492 ?        Sl   21:40   0:00 /usr/sbin/httpd -DFOREGROUND
apache    16099  0.0  0.2 517544  3492 ?        Sl   21:40   0:00 /usr/sbin/httpd -DFOREGROUND
apache    16100  0.0  0.2 517544  3492 ?        Sl   21:40   0:00 /usr/sbin/httpd -DFOREGROUND
apache    16101  0.0  0.2 517544  3492 ?        Sl   21:40   0:00 /usr/sbin/httpd -DFOREGROUND
apache    16102  0.0  0.2 517544  3488 ?        Sl   21:40   0:00 /usr/sbin/httpd -DFOREGROUND
apache    16103  0.0  0.2 517544  3488 ?        Sl   21:40   0:00 /usr/sbin/httpd -DFOREGROUND
apache    16105  0.0  0.2 517544  3488 ?        Sl   21:40   0:00 /usr/sbin/httpd -DFOREGROUND
apache    16107  0.0  0.2 517544  3492 ?        Sl   21:40   0:00 /usr/sbin/httpd -DFOREGROUND
root      16437  0.0  0.0 112712  1000 pts/2    R+   21:41   0:00 grep --color=auto /usr/sbin/httpd -w  # 不是
[root@webhost ~]# ps aux | grep /usr/sbin/httpd -w | wc -l
13

3.9 自定义 Main server 的文档页面路径

DocumentRoot 指向的路径为 URL 路径的起始位置
/path 必须显式授权后才可以访问

DocumentRoot   "/path"
<directory /path>
    Require all granted
</directory>

例如：

[root@webhost ~]#vim etc/httpd/conf.d/custom.conf
DocumentRoot   "/data/html"
<directory /data/html>
    Require all granted
</directory>

[root@webhost ~]# httpd -t
Syntax OK
[root@webhost ~]# systemctl restart httpd
[root@webhost ~]# echo Hello,apache. > /data/html/index.html
[root@webhost ~]# curl 172.20.1.67
Hello,apache.

3.10定义站点主页面

DirectoryIndex
index.php
index.html

3.11可实现访问控制的资源

可以针对文件系统和URI的资源进行访问控制
文件系统路径：

#基于目录
<Directory “/path">
...
</Directory>
#基于文件
<File “/path/file”>
...
</File>
#基于正则表达式
<FileMatch “regex”>
...
</FileMatch>

<Location "URL">
...
</Location>
<LocationMatch "regex">
...
</LocationMatch>

范例：

//以.gif或.jpg或.jpeg或.png 结尾的文件
<FilesMatch ".+\.(gif|jpe?g|png)$">
    # ...
</FilesMatch>

URL路径：

//URL指的是URI的一部分
<Location "URL">
...
</Location>
<LocationMatch "regex">
...
</LocationMatch>

范例1：

#/private1, /private1/，/private1/file.txt 匹配
#/private1other 不匹配
<Location "/private1">
# ...
</Location>
#/private2/，/private2/file.txt 匹配
#/private2，/private2other 不匹配
<Location "/private2/">
# ...
</Location>

范例2：

<Location /status>
<LocationMatch "/(extra|special)/data">

3.12针对目录实现访问控制

[1]Options指令

后跟1个或多个以空白字符分隔的选项列表，在选项前的+，- 表示增加或删除指定选项
常见选项：
- Indexes：指明的URL路径下不存在与定义的主页面资源相符的资源文件时，返回索引列表给用户
- FollowSymLinks：允许访问符号链接文件所指向的源文件
- None：全部禁用
- All：全部允许

//如果此目录下没有idnex.html文件
[root@centos7 ~]# ll /var/www/html/
total 0
-------------------------------------
//所以服务会自动读取默认的欢迎页面welcome.conf
[root@centos7 ~]# ll /etc/httpd/conf.d/
total 16
-rw-r--r-- 1 root root 2926 Aug  8 19:41 autoindex.conf
-rw-r--r-- 1 root root  366 Aug  8 19:42 README
-rw-r--r-- 1 root root 1252 Aug  6 21:44 userdir.conf
-rw-r--r-- 1 root root  824 Dec 11 15:00 welcome.conf

浏览器访问192.168.26.17

//当我们在/var/www/html/下创建目录，并在目录下创建文件时，在网站上是可见的
[root@centos7 ~]# mkdir /var/www/html/test
[root@centos7 ~]# touch /var/www/html/test/f1.txt
[root@centos7 ~]# touch /var/www/html/test/f2.txt

浏览器访问192.168.26.17/test/

//新建编辑配置文件
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf

<directory /var/www/html/test>
options -indexes
</directory>

重新加载服务systemctl reload httpd.service ，浏览器访问192.168.26.17/test/

//暂时关闭子配置文件下option指令
<directory /var/www/html/test>
#options -indexes   # 禁止使用目录
</directory>

//并在/var/www/html/test/目录下创建/etc/的软链接test_etc
[root@centos7 ~]# ln -s /etc/ /var/www/html/test/test_etc

重新加载服务systemctl reload httpd.service ，浏览器访问192.168.26.17/test/

//编辑子配置文件加入不显示软连接指令
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf 

<directory /var/www/html/test>
options -FollowSymLinks   # 禁止使用软连接
</directory>

重新加载服务systemctl reload httpd.service ，浏览器访问192.168.26.17/test/

[2]AllowOverride指令

与访问控制相关的哪些指令可以放在指定目录下的.htaccess（由AccessFileName 指令指定,AccessFileName .htaccess 为默认值）文件中，覆盖之前的配置指令，只对语句有效。
- AllowOverride All: .htaccess中所有指令都有效
- AllowOverride None： .htaccess 文件无效，此为httpd 2.3.9以后版的默认值
- AllowOverride AuthConfig .htaccess 文件中，除了AuthConfig 其它指令都无法生效

//在对应控制目录下创建隐藏文件.htaccess文件，将控制命令放在此文件内
[root@centos7 ~]# vim /var/www/html/test/.htaccess

options -indexes

//编辑子配置文件添加AllowOverride指令
<directory /var/www/html/test>
AllowOverride all   #允许.htaccess中的内容覆盖主配置文件里的设置
</directory>

重新加载服务systemctl reload httpd.service ，浏览器访问192.168.26.17/test/

3.13基于客户端IP地址实现访问控制

针对各种资源，可以基于以下两种方式的访问控制：
- 客户端来源地址
- 用户账号
基于客户端的IP地址的访问控制:
- 无明确授权的目录，默认拒绝
- 允许所有主机访问：Require all granted
- 拒绝所有主机访问：Require all denied
- 控制特定的IP访问： Require ip IPADDR：授权指定来源的IP访问 Require not ip IPADDR：拒绝
- 特定的IP访问
- 控制特定的主机访问： Require host HOSTNAME：授权特定主机访问 Require not host
- HOSTNAME：拒绝 HOSTNAME： FQDN：特定主机 domin.tld：指定域名下的所有主机

//不能有失败，至少有一个成功匹配才成功，即失败优先
//先允许所有ip，再拒绝指定ip
<RequireAll>
Require all granted
Require not ip 172.16.1.1 #拒绝特定IP
</RequireAll>

//多个语句有一个成功，则成功，即成功优先
//先拒绝所有ip，再允许指定ip
<RequireAny>
Require all denied
require ip 172.16.1.1 #允许特定IP
</RequireAny>

范例：

<directory /var/www/html/dir>
<requireany>
require all denied
Require ip 192.168.39.0/24
</requireany>
</directory>

3.14日志设定

httpd服务器上有两种日志
- 访问日志
- 错误日志

错误日志

ErrorLog logs/error_log
LogLevel warn
LogLevel 可选值: debug, info, notice, warn,error, crit, alert,
emerg
//事件严重度，从左到右越来越严重

//我们查看一下主配置文件中errorlog的默认路径
[root@centos7 ~]# grep -i errorlog /etc/httpd/conf/httpd.conf 
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
ErrorLog "logs/error_log"

//查看目录得.logs为软链接
[root@centos7 ~]# ll /etc/httpd/
total 0
drwxr-xr-x 2 root root  37 Dec 11 15:19 conf
drwxr-xr-x 2 root root  99 Dec 11 15:53 conf.d
drwxr-xr-x 2 root root 146 Dec 11 11:09 conf.modules.d
lrwxrwxrwx 1 root root  19 Dec 11 11:09 logs -> ../../var/log/httpd
lrwxrwxrwx 1 root root  29 Dec 11 11:09 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx 1 root root  10 Dec 11 11:09 run -> /run/httpd

//其真实得错误日志路径为/var/log/httpd/error_log，查看得
[root@centos7 ~]# cat /var/log/httpd/error_log

访问日志

定义日志格式

描述：	描述在日志文件中使用的格式
句法：	LogFormat format|nickname [nickname]
默认：	LogFormat "%h %l %u %t \"%r\" %>s %b"
内容：	服务器配置，虚拟主机
状态：	基础
模块：	mod_log_config

//查看主配置文件定义的格式类型
[root@centos7 ~]# grep -i LogFormat /etc/httpd/conf/httpd.conf 
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

使用日志格式：

描述：	设置日志文件的文件名和格式
句法：	CustomLog file|pipe format|nickname [env=[!]environment-variable| expr=expression]
内容：	服务器配置，虚拟主机
状态：	基础
模块：	mod_log_config

查看通用日志文件

//查看主配置文件里的CustomLog命令的定义的格式
[root@centos7 ~]# grep -i CustomLog /etc/httpd/conf/httpd.conf 
    # a CustomLog directive (see below).
    #CustomLog "logs/access_log" common
    CustomLog "logs/access_log" combined

//访问日志存放的路径
[root@centos7 ~]# cat /var/log/httpd/access_log

[自定义日志格式]：http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats

%h 客户端IP地址
%l 远程用户,启用mod_ident才有效，通常为减号“-”
%u 验证（basic，digest）远程用户,非登录访问时，为一个减号“-”
%t 服务器收到请求时的时间
%r First line of request，即表示请求报文的首行；记录了此次请求的“方法”
“URL”以及协议版本
%>s 响应状态码
%b 响应报文的大小，单位是字节；不包括响应报文http首部
%{Referer}i 请求报文中首部“referer”的值；即从哪个页面中的超链接跳转至当前页面的
%{User-Agent}i 请求报文中首部“User-Agent”的值；即发出请求的应用程序

3.15设定默认字符集

在配置文件内可设定字符集指令

AddDefaultCharset UTF-8 #此为默认值

中文字符集：GBK, GB2312, GB18030

3.16定义路径别名

格式：

Alias /URL/ "/PATH/"

范例：

//创建实验所需文件数据
[root@centos7 ~]# echo "别名路径测试" > /data/html/index.html

//编辑修改子配置文件
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf

alias /test/ /data/html/

浏览器访问192.168.26.17/test/

//因为访问目录，必须明确授权
//所以我们编辑子配置文件，授权给指定目录
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf

alias /test /data/html/

<directory /data/html/>
require all granted
</directory>

3.18基于用户的访问控制

认证质询：WWW-Authenticate，响应码为401，拒绝客户端请求，并说明要求客户端需要提供账号和
密码认证：Authorization，客户端用户填入账号和密码后再次发送请求报文；认证通过时，则服务器
发送响应的资源
认证方式：
- basic：明文
- digest：消息摘要认证,兼容性差
安全域：需要用户认证后方能访问的路径；应该通过名称对其进行标识，以便于告知用户认证的原因
用户的账号和密码
虚拟账号：仅用于访问某服务时用到的认证标识
存储：文本文件，SQL数据库，ldap目录存储，nis等

basic认证配置示例：
(1) 定义安全域

<Directory “/path">
Options None   #禁止索引，软链接
AllowOverride None   #禁止在目录下启用.hatccess文件
AuthType Basic   #指定验证方法
AuthName "String“   #验证时弹出对话框的描述文字
AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"   #指定用户名密码存放地文件路径
Require user username1 username2 ...   #约定AuthUserFile定义的文件内的特定用户可以访问
</Directory>

允许账号文件中的所有用户登录访问：

Require valid-user   #只要添加到/PATH/HTTPD_USER_PASSWD_FILE文件里的用户都可以访问

(2) 提供账号和密码存储（文本文件）使用专用命令完成此类文件的创建及用户管理

选项：
- -c 自动创建文件，仅应该在文件不存在时使用(即第一次时加此选项)
- -p 明文密码
- -d CRYPT格式加密，默认
- -m md5格式加密
- -s sha格式加密
- -D 删除指定用户

范例1：

//创建实验所需页面
[root@centos7 ~]# mkdir /var/www/html/admin ; echo "/var/www/html/admin/index.html" > /var/www/html/admin/index.html

//创建用户小王并设置密码
[root@centos7 ~]# htpasswd -c /etc/httpd/conf.d/.httpuser xiaowang

//添加用户小李并设置密码
[root@centos7 ~]# htpasswd  /etc/httpd/conf.d/.httpuser xiaoli

//编辑子配置文件
<directory /var/www/html/admin>
AuthType Basic
AuthName "welcome to beijing"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
Require user xiaowang   #只允许xiaowang登陆访问
</directory>

浏览器访问192.168.26.17/admin/

//创建实验所需页面
[root@centos7 ~]# mkdir /var/www/html/secret ; echo "/var/www/html/secret/index.html" > /var/www/html/secret/index.html

//创建编辑在页面同一目录下的.htaccess文件
[root@centos7 ~]# vim /var/www/html/secret/.htaccess

AuthType Basic
AuthName "welcome to beijing"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
Require user xiaoli   #只允许用户xiaoli登录访问

//编辑子配置文件
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf

<directory /var/www/html/secret>
allowoverride authconfig
</directory>

(2) 创建用户账号和组账号文件组文件：每一行定义一个组

GRP_NAME: username1 username2 ...

范例(2)：

[root@centos7 ~]# cat /var/www/html/secret/.htaccess 
AuthType Basic
AuthName "welcome to beijing"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
AuthGroupFile "/etc/httpd/conf.d/.httpgroup"
Require group webadmins
--------------------------------------------------
[root@centos7 ~]# cat /etc/httpd/conf.d/.httpuser

xiaowang:$apr1$ys/0c5YW$JyCm1yTTCE2qseZVH9zSn1
xiaoli:$apr1$OvI43/u5$.VEtXtKhuI7Iv9Z6Yi//C/
xiaosun:$apr1$TvnalQHF$UoSyF/YgzF8Sn5wytiMQn.

[root@centos7 ~]# cat /etc/httpd/conf.d/.httpgroup

webadmins: xiaosun
----------------------------------------------------
[root@centos7 ~]# cat /etc/httpd/conf.d/test.conf

<directory /var/www/html/secret>
allowoverride authconfig
</directory>

3.19远程客户端和用户验证的控制

Satisfy ALL|Any

说明：
- ALL 客户机IP和用户验证都需要通过才可以，此为默认值
- Any 客户机IP和用户验证,有一个满足即可

#针对/var/www/html/test目录，来自192.168.1.0/24的客户可以访问，其它网络的用户需要经过用
户验证才能访问
<Directory "/var/www/html/test">
Require valid-user
Allow from 192.168.1
Satisfy Any
</Directory>


#/var/www/private目录只有用户验证才能访问
<Directory "/var/www/private">
Require valid-user
</Directory>
#/var/www/private/public 不需要用户验证，任何客户都可以访问
<Directory "/var/www/private/public">
Allow from all
Satisfy Any
</Directory>

3.20实现用户家目录的http共享

[root@centos7 ~]# vim /etc/httpd/conf.d/userdir.conf

<IfModule mod_userdir.c>
    #
    # UserDir is disabled by default since it can confirm the presence
    # of a username on the system (depending on home directory
    # permissions).
    #
    # UserDir disabled   #禁用

    #
    # To enable requests to /~user/ to serve the user's public_html
    # directory, remove the "UserDir disabled" line above, and uncomment
    # the following line instead:
    # 
    UserDir html   #启用
</IfModule>

#<Directory "/home/*/public_html">   #注释
#    AllowOverride FileInfo AuthConfig Limit Indexes
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#    Require method GET POST OPTIONS
#</Directory>   #自己编辑
<Directory /home/sun/html>
require all granted
</Directory>
--------------------------------------------------------
[root@centos7 ~]# su - sun
Last login: Wed Dec 11 21:22:31 CST 2019 on pts/0
[sun@centos7 ~]$ mkdir /home/sun/html/ ; echo "hello world" > /home/sun/html/index.html
[sun@centos7 ~]$ setfacl –m u:apache:x /home/sun/
[sun@centos7 ~]$ su - root
----------------------------------------------------------
[root@centos7 ~]# systemctl reload httpd.service

浏览器访问192.168.26.17/~sun

范例：对家目录共享并实现basic验证

[root@centos7 ~]# vim /etc/httpd/conf.d/userdir.conf

<IfModule mod_userdir.c>
    #
    # UserDir is disabled by default since it can confirm the presence
    # of a username on the system (depending on home directory
    # permissions).
    #
    # UserDir disabled   #禁用

    #
    # To enable requests to /~user/ to serve the user's public_html
    # directory, remove the "UserDir disabled" line above, and uncomment
    # the following line instead:
    # 
    UserDir html   #启用
</IfModule>

#<Directory "/home/*/public_html">   #注释
#    AllowOverride FileInfo AuthConfig Limit Indexes
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#    Require method GET POST OPTIONS
#</Directory>   #自己编辑
<Directory /home/sun/html>
AuthType Basic
AuthName "test home"
AuthUserFile "/etc/httpd/conf.d/.httpuser"
require user xiaosun
</Directory>
---------------------------------------------------------
[root@centos7 ~]# htpasswd  /etc/httpd/conf.d/.httpuser xiaosun
[root@centos7 ~]# systemctl reload httpd.service

浏览器访问192.168.26.17/~sun

3.21禁止错误页面版本泄露

ServerSignature On | Off | EMail

默认值Off，当客户请求的网页并不存在时，服务器将产生错误文档，如果ServerSignature选项为on，
错误文档的最后一行将包含服务器名字、Apache版本等信息，如果不对外显示这些信息，就可将这个
参数设置为Off,设置为Email，将显示ServerAdmin 的Email提示

3.22禁止trace方法

TraceEnable [on|off|extended]

是否支持trace方法，默认on，基于安全风险，建议关闭

[root@centos7 ~]# curl -IX options http://127.0.0.1 
HTTP/1.1 501 Not Implemented
Date: Wed, 11 Dec 2019 13:57:41 GMT
Server: Apache/2.4.6 (CentOS)
Allow: POST,OPTIONS,GET,HEAD,TRACE
Content-Length: 205
Connection: close
Content-Type: text/html; charset=iso-8859-1

[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf
[root@centos7 ~]# cat /etc/httpd/conf.d/test.conf 
TraceEnable off
[root@centos7 ~]# curl -IX options http://127.0.0.1 
HTTP/1.1 501 Not Implemented
Date: Wed, 11 Dec 2019 13:59:00 GMT
Server: Apache/2.4.6 (CentOS)
Allow: POST,OPTIONS,GET,HEAD,TRACE
Content-Length: 205
Connection: close
Content-Type: text/html; charset=iso-8859-1

3.23status状态页

httpd提供了状态页，可以用来观察httpd的运行情况。此功能需要加载mod_status.so模块才能实现

LoadModule status_module modules/mod_status.so
<Location "/status">
SetHandler server-status
</Location>
ExtendedStatus On #显示扩展信息,httpd 2.3.6以后版默认为On

范例：启动状态页

<location "/status">
SetHandler server-status
        <RequireAny>
        Require all denied
        Require ip 172.20.1.11
        </RequireAny>
#Order Deny,Allow ?    # 此方式也可以控制访问
#Deny from all
#Allow from 192.168.100
</Location>
ExtendedStatus Off   # 如果要详细信息，设置为on

[root@centos8 ~]#systemctl restart httpd

打开浏览器访问http://httpd服务器192.168.26.17/status即可得到一下画面

3.24多虚拟主机

httpd 支持在一台物理主机上实现多个网站，即多虚拟主机
网站可以使用不同的方式来唯一标识：
IP 相同，但端口不同
IP 不同，但端口均为默认端口
FQDN 不同
多虚拟主机有三种实现方案：
基于 IP：为每个虚拟主机准备至少一个 ip 地址
基于 PORT：为每个虚拟主机使用至少一个独立的 port
基于 FQDN：为每个虚拟主机使用至少一个 FQDN，识别请求报文中首部记录Host: www.bokebi.cn
注意：httpd 2.4 版本中，基于 FQDN 的虚拟主机不再需要 NameVirutalHost 指令
虚拟主机的基本配置方法：配置一般存放在独立的配置文件中、

<VirtualHost  IP:PORT>
ServerName FQDN
DocumentRoot  "/path"
</VirtualHost>

范例：基于端口的虚拟主机

[root@centos7 ~]# mkdir /data/website{1,2,3}
[root@centos7 ~]# echo /data/website1/index.html > /data/website1/index.html
[root@centos7 ~]# echo /data/website2/index.html > /data/website2/index.html
[root@centos7 ~]# echo /data/website3/index.html > /data/website3/index.html
--------------------------------------------------------
//新建编辑修改子配置文件
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf

listen 8001
listen 8002
listen 8003
<virtualhost *:8001>
documentroot /data/website1/
Customlog logs/website1_access.log combined
<directory /data/website1/>
require all granted
</directory>
</virtualhost>

<virtualhost *:8002>
documentroot /data/website2/
Customlog logs/website2_access.log combined
<directory /data/website2/>
require all granted
</directory>
</virtualhost>

<virtualhost *:8003>
documentroot /data/website3/
Customlog logs/website3_access.log combined
<directory /data/website3/>
require all granted
</directory>
</virtualhost>
-----------------------------------------------
//语法检查
[root@centos7 ~]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::7a63:4abc:9540:e640. Set the 'ServerName' directive globally to suppress this message
Syntax OK
-----------------------------------------------
//启动服务
[root@centos7 ~]# systemctl reload httpd.service
-----------------------------------------------
//查看生成的日志文件
[root@centos7 ~]# ll /var/log/httpd/
total 24
-rw-r--r-- 1 root root 11432 Dec 12 08:04 access_log
-rw-r--r-- 1 root root 10173 Dec 12 08:21 error_log
-rw-r--r-- 1 root root     0 Dec 12 08:21 website1_access.log
-rw-r--r-- 1 root root     0 Dec 12 08:21 website2_access.log
-rw-r--r-- 1 root root     0 Dec 12 08:21 website3_access.log
-----------------------------------------------
#浏览器访问不同端口，得到不同的页面
http://192.168.26.17:8001/
http://192.168.26.17:8002/
http://192.168.26.17:8003/

范例：基于ip的虚拟主机

[root@centos7 ~]# mkdir /data/website{1,2,3}
[root@centos7 ~]# echo /data/website1/index.html > /data/website1/index.html
[root@centos7 ~]# echo /data/website2/index.html > /data/website2/index.html
[root@centos7 ~]# echo /data/website3/index.html > /data/website3/index.html
------------------------------------------------------
//在指定网卡创建多个ip地址，并且给定不同的标签
[root@centos7 ~]# ip a a 10.0.0.8/24 dev eth1 label eth1:1
[root@centos7 ~]# ip a a 10.0.0.18/24 dev eth1 label eth1:2
[root@centos7 ~]# ip a a 10.0.0.28/24 dev eth1 label eth1:3
[root@centos7 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:16:9f:68 brd ff:ff:ff:ff:ff:ff
    inet 172.20.2.139/16 brd 172.20.255.255 scope global noprefixroute dynamic eth0
       valid_lft 2591716sec preferred_lft 2591716sec
    inet6 fe80::7a63:4abc:9540:e640/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:16:9f:72 brd ff:ff:ff:ff:ff:ff
    inet 192.168.26.17/24 brd 192.168.26.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet 10.0.0.8/24 scope global eth1:1
       valid_lft forever preferred_lft forever
    inet 10.0.0.18/24 scope global secondary eth1:2
       valid_lft forever preferred_lft forever
    inet 10.0.0.28/24 scope global secondary eth1:3
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe16:9f72/64 scope link 
       valid_lft forever preferred_lft forever
---------------------------------------------------------
//新建编辑子配置文件
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf

<virtualhost 10.0.0.8:80>
documentroot /data/website1/
Customlog logs/website1_access.log combined
<directory /data/website1/>
require all granted
</directory>
</virtualhost>

<virtualhost 10.0.0.18:80>
documentroot /data/website2/
Customlog logs/website2_access.log combined
<directory /data/website2/>
require all granted
</directory>
</virtualhost>

<virtualhost 10.0.0.28:80>
documentroot /data/website3/
Customlog logs/website3_access.log combined
<directory /data/website3/>
require all granted
</directory>
</virtualhost>
-------------------------------------------------
//语法检查
[root@centos7 ~]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::7a63:4abc:9540:e640. Set the 'ServerName' directive globally to suppress this message
Syntax OK
-------------------------------------------------
//重新加载配置文件
[root@centos7 ~]# systemctl reload httpd.service 
-------------------------------------------------
//分别浏览不同ip，得到不同页面
[root@centos7 ~]# curl 10.0.0.8
/data/website1/index.html
[root@centos7 ~]# curl 10.0.0.18
/data/website2/index.html
[root@centos7 ~]# curl 10.0.0.28
/data/website3/index.html

范例：基于FQDN虚拟主机

//创建存放页面
[root@centos7 ~]# mkdir /data/{a,b,c}.com
[root@centos7 ~]# echo /data/a.com/index.html > /data/a.com/index.html
[root@centos7 ~]# echo /data/b.com/index.html > /data/b.com/index.html
[root@centos7 ~]# echo /data/c.com/index.html > /data/c.com/index.html
----------------------------------------
//新建编辑文件
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf 

<virtualhost *:80>
Servername www.a.com
documentroot /data/a.com/
ErrorLog "logs/a_error_log"
Customlog logs/a_access.log combined
<directory /data/a.com/>
Options None
AllowOverride None
require all granted
</directory>
</virtualhost>

<virtualhost *:80>
Servername www.b.com
documentroot /data/b.com/
ErrorLog "logs/b_error_log"
Customlog logs/b_access.log combined
<directory /data/b.com/>
Options None
AllowOverride None
require all granted
</directory>
</virtualhost>

<virtualhost *:80>
Servername www.c.com
documentroot /data/c.com/
ErrorLog "logs/c_error_log"
Customlog logs/c_access.log combined
<directory /data/c.com/>
Options None
AllowOverride None
require all granted
</directory>
</virtualhost>
------------------------------------------------
//编辑本地dns解析文件，添加
192.168.26.17 www.a.com
192.168.26.17 www.b.com
192.168.26.17 www.c.com
------------------------------------------------
//语法检查
[root@centos7 ~]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::7a63:4abc:9540:e640. Set the 'ServerName' directive globally to suppress this message
Syntax OK
------------------------------------------------
//重新加载配置文件
[root@centos7 ~]# systemctl reload httpd.service
------------------------------------------------
//分别浏览不同域名，得到不同页面
[root@centos7 ~]# curl www.a.com
/data/a.com/index.html
[root@centos7 ~]# curl www.b.com
/data/b.com/index.html
[root@centos7 ~]# curl www.c.com
/data/c.com/index.html

3.25压缩

压缩功能需要另一个模块来实现，使用 mod_deflate 模块压缩页面优化传输速度

LoadModule deflate_module modules/mod_deflate.so SetOutputFilter

[root@centos7 ~]# grep "deflate" /etc/httpd/conf.modules.d/*
/etc/httpd/conf.modules.d/00-base.conf:LoadModule deflate_module modules/mod_deflate.so

压缩适用场景
1. 节约带宽，额外消耗 CPU；同时，可能有些较老浏览器不支持
2. 压缩适于压缩的资源，例如文本文件

//可选项
SetOutputFilter DEFLATE  
//指定对哪种MIME类型进行压缩，必须指定项
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
#压缩级别 (Highest 9 - Lowest 1)
DeflateCompressionLevel 9
#排除特定旧版本的浏览器，不支持压缩
#Netscape 4.x 只压缩text/html
BrowserMatch ^Mozilla/4  gzip-only-text/html
#Netscape 4.06-08 三个版本 不压缩
BrowserMatch  ^Mozilla/4\.0[678]  no-gzip
#Internet Explorer标识本身为“Mozilla / 4”，但实际上是能够处理请求的压缩。如果用户代理首部
匹配字符串“MSIE”（“B”为单词边界”），就关闭之前定义的限制
BrowserMatch \bMSI[E]  !no-gzip !gzip-only-text/html

//随便找一个大点的文件
[root@centos7 ~]# cp -a /etc/ /var/www/html/etc.txt

//新建编辑子配置文件
[root@centos7 ~]# vim /etc/httpd/conf.d/test.conf 

SetOutputFilter DEFLATE
AddOutputFilterByType DEFLATE text/plain
DeflateCompressionLevel 9   支持的压缩比1-9
--------------------------------------------
//重启服务
[root@centos7 ~]# systemctl restart httpd.service

浏览器访问192.168.26.17/etc.txt,浏览器页面按F2刷新可显示是压缩后的文件

3.26实现https

https: http over ssl，实现验证和加密 http 的数据传输
https 的工作过程

客户端发送可供选择的加密方式，并向服务器请求证书
服务器端发送证书以及选定的加密方式给客户端
客户端取得证书并进行证书验证，如果信任给其发证书的 CA
(a) 验证证书来源的合法性；用 CA 的公钥解密证书上数字签名
(b) 验证证书的内容的合法性：完整性验证
(c) 检查证书的有效期限
(d) 检查证书是否被吊销
(e) 证书中拥有者的名字，与访问的目标主机要一致
客户端生成临时会话密钥（对称密钥），并使用服务器端的公钥加密此数据发送给服务器，完成密钥交换
服务用此密钥加密用户请求的资源，响应给客户端

注意：SSL 是基于 IP 地址实现，单 IP 的 httpd 主机，仅可以使用一个 https 虚拟主机
https 大致实现过程

为服务器申请数字证书用于测试证书：可以通过私建 CA 颁发证书实现
(a) 创建私有 CA
(b) 在服务器创建证书签署请求
(c) CA 签署证书
实际使用中需要购买证书，个人可以使用免费证书
配置 httpd 支持使用 ssl，及使用的证书

例 1：使用自签证书实现 https

//安装服务
[root@centos8 ~]# yum -y install httpd

//查看模块是已加载
[root@centos8 ~]# httpd -M | grep ssl
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::de18:1128:8f0:e603. Set the 'ServerName' directive globally to suppress this message

//查看模块说明
[root@centos8 ~]# dnf info mod_ssl
Last metadata expiration check: 0:01:37 ago on Fri 13 Dec 2019 05:00:34 AM CST.
Available Packages
Name         : mod_ssl
Epoch        : 1
Version      : 2.4.37
Release      : 12.module_el8.0.0+185+5908b0db
Arch         : x86_64
Size         : 130 k
Source       : httpd-2.4.37-12.module_el8.0.0+185+5908b0db.src.rpm
Repo         : AppStream
Summary      : SSL/TLS module for the Apache HTTP Server
URL          : https://httpd.apache.org/
License      : ASL 2.0
Description  : The mod_ssl module provides strong cryptography for the
             : Apache Web server via the Secure Sockets Layer (SSL)
             : and Transport Layer Security (TLS) protocols.

//安装模块
[root@centos8 ~]# dnf -y install mod_ssl

//查看模块
[root@centos8 ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.modules.d/00-ssl.conf
/usr/lib/.build-id
/usr/lib/.build-id/70/221b67fd81b65321f5220d22dcb99c36d3841c
/usr/lib/systemd/system/httpd-init.service
/usr/lib/systemd/system/httpd.socket.d/10-listen443.conf
/usr/lib64/httpd/modules/mod_ssl.so
/usr/libexec/httpd-ssl-gencerts
/usr/libexec/httpd-ssl-pass-dialog
/usr/share/man/man8/httpd-init.service.8.gz
/var/cache/httpd/ssl
[root@centos8 ~]# cat /etc/httpd/conf.modules.d/00-ssl.conf
LoadModule ssl_module modules/mod_ssl.so

//启动服务
[root@centos8 ~]# systemctl start httpd.service

//查看生成的自签名证书
[root@centos8 ~]# ls /etc/pki/tls/certs/localhost.crt 
/etc/pki/tls/certs/localhost.crt

//查看生成的私钥
[root@centos8 ~]# ls /etc/pki/tls/private/
localhost.key

//查看自签名证书
[root@centos8 ~]# openssl x509 -in /etc/pki/tls/certs/localhost.crt -n
oout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5055589927373660778 (0x46291040d726626a)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Unspecified, OU = ca-516777335850016332, CN = centos8, emailAddress = root@centos8
        Validity
            Not Before: Dec 12 21:06:18 2019 GMT
            Not After : Dec 16 22:46:18 2020 GMT
        Subject: C = US, O = Unspecified, CN = centos8, emailAddress = root@centos8
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c2:fb:f4:08:86:08:00:a4:32:b2:3b:a0:d6:86:
                    c3:6f:50:d7:65:e3:fd:33:73:7c:d0:03:f8:89:89:
                    81:06:d5:b2:0e:ee:d7:65:83:f2:41:3f:8a:56:fd:
                    fa:65:66:b3:7f:58:e2:3f:11:44:62:e1:e8:c8:09:
                    d0:04:74:64:7d:1e:05:44:0c:21:54:92:9a:a7:89:
                    a3:4a:fe:f5:f2:77:88:e5:69:6d:07:cd:72:b4:df:
                    c1:28:3b:f5:e4:8f:d7:b3:15:49:a1:9c:f6:0d:29:
                    e9:a9:9f:30:3a:05:57:f7:0d:52:5d:fa:61:3e:2d:
                    d4:ec:e8:0c:c6:98:f8:cf:e6:e1:82:ca:d8:4f:71:
                    e3:ce:2d:70:02:64:a8:8f:c8:40:d7:64:4b:03:ab:
                    62:ac:88:33:6a:75:46:3e:0d:e5:0c:9f:ac:59:cc:
                    1e:c1:01:d3:8e:0a:02:0b:a9:db:f8:90:18:5c:4c:
                    83:4a:c6:8a:02:dd:04:0c:4d:ce:f4:ac:f7:a6:d5:
                    94:4c:60:29:b2:b3:40:ab:7d:fc:85:85:e0:ea:46:
                    94:2d:65:66:e5:26:5e:c7:92:5c:c0:97:47:00:ba:
                    70:56:d9:5b:f3:4b:84:49:30:a7:00:cd:95:87:99:
                    eb:ce:88:61:33:78:93:7b:be:2f:b7:5c:c6:56:6a:
                    89:49
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Alternative Name: 
                DNS:centos8
            X509v3 Authority Key Identifier: 
                keyid:26:E4:66:F8:CC:8A:DA:DA:13:83:BA:22:AD:0E:66:8D:DE:61:BB:C6

    Signature Algorithm: sha256WithRSAEncryption
         91:09:6b:9a:84:25:09:71:3e:14:f2:09:83:2c:dd:5c:1b:94:
         8e:c6:fd:be:d2:ee:90:62:51:3a:6b:ca:35:af:7e:ae:9a:cf:
         54:34:13:3c:8d:79:92:80:87:15:3c:aa:09:a5:c1:fe:71:7e:
         8a:51:e4:27:e2:14:9b:31:77:01:b7:a7:44:47:80:c1:b3:be:
         4a:d9:1b:48:b9:95:d0:86:ca:16:43:7a:2d:85:58:b4:38:2d:
         6f:89:5d:0f:19:f7:f9:c1:34:ab:f7:52:79:ca:c6:60:73:4e:
         2f:c9:db:7d:b3:d2:3a:f3:48:56:25:1e:3f:81:c2:15:e7:d8:
         99:5f:f2:72:7e:50:35:91:35:33:c1:5c:6d:72:1e:aa:2b:10:
         af:96:8a:12:10:59:1f:57:72:80:6c:f8:14:87:07:7d:d8:10:
         25:e2:d6:64:04:90:d1:ab:3c:6a:9f:02:52:e2:5b:86:8f:fb:
         c4:95:a5:f0:d6:18:b0:b9:25:f8:c8:a1:71:ca:18:34:6b:fe:
         5a:b1:34:fa:01:cf:2b:d6:85:cf:34:60:f7:e3:2b:e3:03:3b:
         5e:2f:c8:65:e2:a8:da:34:f1:2b:05:77:c2:28:fa:9e:3b:4b:
         39:00:b0:53:fc:25:10:cc:5e:c3:26:1a:1c:8b:c5:f6:34:1e:
         62:61:cb:ae:31:cd:0f:74:42:84:01:7f:ae:b2:f4:e6:75:82:
         a4:9f:75:46:6b:54:09:fd:2f:55:2f:68:7d:b4:a5:51:8f:96:
         84:cb:b8:50:1b:44:e0:a2:ec:7f:05:df:3e:a0:52:57:6c:a0:
         f3:54:35:fe:a1:9f:41:2c:7f:ab:ea:7d:cf:0e:52:55:59:a4:
         d7:c1:b4:23:31:81:98:ef:7b:56:11:65:7e:44:cb:d9:b4:2a:
         fa:8b:74:f9:38:ad:f5:86:ea:59:be:5f:cc:c9:a2:4a:9c:7d:
         72:6a:7c:42:45:a9:40:8b:64:af:9c:f0:64:46:05:69:c7:e5:
         62:6f:57:99:2a:04:33:23:e9:63:43:a5:ec:7b:67:0f:bf:8f:
         3b:ef:ce:43:10:58:cf:6d:8f:8a:9f:52:89:9d:3a:fe:c2:d7:
         4f:03:0a:7b:5f:71:46:ef:37:a6:2f:cc:ab:10:b0:4f:9f:67:
         b2:7a:8d:ca:4c:ad:5b:98:c2:48:a0:8c:b8:f6:80:e1:20:4e:
         54:2c:5b:b1:16:d1:bd:41:60:11:8b:29:cd:4c:96:45:40:cd:
         b5:af:d1:ac:13:aa:08:f4:f3:93:6c:4d:b1:10:be:8b:cb:57:
         a6:d1:d1:26:89:fd:20:34:38:d9:37:14:f4:e9:74:28:9d:f0:
         02:27:bc:88:9b:c2:6e:0e

浏览器访问https://192.168.26.18，因为是自签名证书所以会得以下界面

范例(二): 在centos8上实现

在centos7/etc/pki/tls/certs/Makefile去掉下列参数

//查看Makefile文件
[root@centos7 ~]# cd /etc/pki/tls/certs/
[root@centos7 certs]# ls
ca-bundle.crt        make-dummy-cert  renew-dummy-cert
ca-bundle.trust.crt  Makefile

//修改文件，如上图
[root@centos7 certs]# vim Makefile

//发送至centos8 192.168.26.18 主机上继续实验
[root@centos7 certs]# scp Makefile 192.168.26.18:/etc/pki/tls/certs/

//dnf -y install make
[root@centos8 certs]# dnf -y install make

//使用make生成证书
[root@centos8 certs]# make bokebi.cn.crt
umask 77 ; \
/usr/bin/openssl genrsa  2048 > bokebi.cn.key
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................+++++
......................................................................................+++++
e is 65537 (0x010001)
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key bokebi.cn.key -x509 -days 365 -out bokebi.cn.crt 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:M39
Common Name (eg, your name or your server's hostname) []:www.bokebi.cn
Email Address []:

[root@centos8 certs]# ls
bokebi.cn.crt  ca-bundle.crt        localhost.crt
bokebi.cn.key  ca-bundle.trust.crt  Makefile

//查看生成得证书文件
[root@centos8 certs]# openssl x509 -in bokebi.cn.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1f:0e:a6:4e:fd:a0:80:e6:2d:a2:f3:12:12:eb:7f:55:13:5f:84:fa
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = beijing, L = beijing, O = magedu, OU = M39, CN = www.bokebi.cn
        Validity
            Not Before: Dec 12 21:37:17 2019 GMT
            Not After : Dec 11 21:37:17 2020 GMT
        Subject: C = CN, ST = beijing, L = beijing, O = magedu, OU = M39, CN = www.bokebi.cn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d2:a9:36:d9:a2:d5:cb:7f:61:d8:6b:5a:c4:69:
                    2b:86:9e:d0:85:88:ee:c9:0c:15:ba:a3:22:48:5f:
                    f7:3c:33:fc:33:6a:b2:ad:ae:72:ed:ab:36:ab:41:
                    e8:db:2c:91:f4:d8:b8:c2:b3:55:4b:9a:11:10:dd:
                    dc:1e:aa:8c:00:38:76:58:c1:03:41:a3:4d:ea:7f:
                    b8:86:15:e9:b5:d3:98:97:b2:f3:e3:da:0a:77:c0:
                    ee:48:41:93:ce:e4:98:4a:cc:c4:84:16:fb:31:ca:
                    01:2f:c8:75:89:7c:96:b8:7e:df:d2:31:79:7a:84:
                    f7:60:3f:96:37:46:57:f3:a6:3d:cc:bc:a0:5f:74:
                    bc:38:7d:e2:7d:35:07:12:48:41:00:a9:3e:83:19:
                    bf:36:45:c8:0a:dd:be:e7:3f:3e:50:21:67:9f:ba:
                    eb:3b:51:d0:b0:2d:7b:1f:da:e5:50:85:ba:3b:4c:
                    ce:04:dc:76:2a:cd:4a:e3:26:2f:0d:38:df:d1:06:
                    30:fb:60:a5:e2:f6:4d:e4:28:8f:58:18:46:02:5d:
                    6a:0e:c9:17:b8:93:af:7c:b8:ef:46:a2:1a:27:4b:
                    d3:e4:97:2e:38:54:33:40:df:22:bc:7c:09:ab:74:
                    b3:2b:1f:bb:e4:25:87:c7:99:dd:99:fd:be:62:51:
                    0a:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                E5:FA:32:E1:B6:D7:28:BB:B3:AA:DE:69:F0:E5:25:E7:49:E5:34:82
            X509v3 Authority Key Identifier: 
                keyid:E5:FA:32:E1:B6:D7:28:BB:B3:AA:DE:69:F0:E5:25:E7:49:E5:34:82

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         c8:5f:2e:b5:1e:f1:bc:8f:d1:96:97:88:d9:fe:46:75:c5:a3:
         25:b2:56:f4:5f:ef:5a:bc:95:c8:e5:7a:10:d7:85:8a:26:77:
         5c:63:6e:22:44:91:44:78:6e:dc:f1:91:e0:f9:59:b5:10:e1:
         f2:bf:fe:c2:4a:62:17:2f:5e:da:d3:6a:58:4b:61:72:13:ea:
         6f:24:be:04:c6:08:21:c2:80:c4:ee:dd:42:61:b9:2f:49:70:
         48:4c:6b:f8:bf:4a:65:01:40:13:c8:c7:06:7f:6e:dc:48:f7:
         04:65:d5:4b:41:69:43:f1:0d:91:a3:fe:9d:b7:1f:0f:74:59:
         27:c0:3e:2a:2f:28:0b:76:39:fc:48:fa:6c:71:3f:b6:01:14:
         20:cd:0a:ef:3f:0f:3f:1e:79:29:6f:aa:5c:6f:30:3f:98:fe:
         b1:2c:46:30:78:65:0b:3c:fc:d1:0e:ce:98:ed:cd:f9:f3:65:
         99:0c:5c:ec:bb:ea:7d:2d:9d:2c:fb:33:9e:20:4f:fc:3f:92:
         27:a3:1f:87:a9:01:62:f0:e5:ec:19:76:ea:44:27:d9:be:55:
         ce:16:0a:15:74:22:03:e0:e3:e7:3e:28:15:c5:ad:24:fd:41:
         a3:e9:b4:b4:83:07:df:cc:81:4c:bc:12:43:1c:4d:b6:c6:1b:
         b7:eb:c6:db


//将生成得证书和密钥移动至常用工作目录
[root@centos8 certs]# mkdir /etc/httpd/conf.d/ssl
[root@centos8 certs]# mv /etc/pki/tls/certs/bokebi.cn.* /etc/httpd/conf.d/ssl

//修改配置文件
[root@centos8 ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.modules.d/00-ssl.conf
/usr/lib/.build-id
/usr/lib/.build-id/70/221b67fd81b65321f5220d22dcb99c36d3841c
/usr/lib/systemd/system/httpd-init.service
/usr/lib/systemd/system/httpd.socket.d/10-listen443.conf
/usr/lib64/httpd/modules/mod_ssl.so
/usr/libexec/httpd-ssl-gencerts
/usr/libexec/httpd-ssl-pass-dialog
/usr/share/man/man8/httpd-init.service.8.gz
/var/cache/httpd/ssl

[root@centos8 ~]# vim /etc/httpd/conf.d/ssl.conf

#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/conf.d/ssl/bokebi.cn.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/bokebssl/i.cn.key

浏览器访问https://192.168.26.18,可得到下画面，说明证书颁发成功

3.27URL重定向

URL 重定向，即将客户端请求的 URL 转发至另一个的 URL
指令Redirect [status] URL-path URL
status
permanent：返回永久重定向状态码 301
temp：返回临时重定向状态码 302. 此为默认值
例如：

[root@webhost ~]# vim /etc/httpd/conf.d/custom.conf
Redirect temp / https://www.suosuoli.com/
[root@webhost ~]# systemctl restart httpd

3.28实现HSTS

HSTS:HTTP Strict Transport Security , 服务器端配置支持HSTS后，会在给浏览器返回的HTTP首部中携带HSTS字段。浏览器获取到该信息后，会将所有HTTP访问请求在内部做307跳转到HTTPS。而无需任
何网络过程,实现更高的安全性
HSTS preload list: 是Chrome浏览器中的HSTS预载入列表，在该列表中的网站，使用Chrome浏览器访
问时，会自动转换成HTTPS。Firefox、Safari、Edge浏览器也会采用这个列表

vim /etc/httpd/conf/httpd.conf
Header always set Strict-Transport-Security "max-age=31536000"   #自动跳转时间
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302]

3.29正向代理和方向代理

正向代理
主要作用：主要服务于用户，提供缓存功能
启用反向代理
主要作用：主要用于服务器调度

ProxyPass "/" "http://www.example.com/"
ProxyPassReverse "/" "http://www.example.com/"

特定 URL 反向代理

ProxyPass "/images"  "http://www.example.com/" connectiontimeout=5 timeout=30
ProxyPassReverse "/images" http://www.example.com/

例如：

<VirtualHost *>
ServerName www.bokebi.cn
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>

3.30Sendfile机制

指令EnableSendfile On

sendfile 机制介绍
不用 sendfile 的传统网络传输过程： read(file, tmp_buf, len) write(socket, tmp_buf, len) 硬盘 >>
kernel buffer >> user buffer >> kernel socket buffer >> 协议栈
一般网络应用通过读硬盘数据，写数据到 socket 来完成网络传输,底层执行过程：

系统调用 read() 产生一个上下文切换：从 user mode 切换到 kernel mode，然后 DMA 执行拷贝，把文件数据
从硬盘读到一个 kernel buffer 里。
数据从 kernel buffer 拷贝到 user buffer，然后系统调用 read() 返回，这时又产生一个上下文切换：从 kernel mode
切换到 user mode
系统调用 write() 产生一个上下文切换：从 user mode 切换到 kernel mode，然后把步骤 2 读到 user buffer 的数据
拷贝到 kernel buffer（数据第 2 次拷贝到 kernel buffer），不过这次是个不同的 kernel buffer，这个 buffer
和 socket 相关联。
系统调用 write() 返回，产生一个上下文切换：从 kernel mode 切换到 user mode(第 4 次切换),然后 DMA 从
kernel buffer 拷贝数据到协议栈（第 4 次拷贝）

上面 4 个步骤有 4 次上下文切换，有 4 次拷贝，如果能减少切换次数和拷贝次数将会有效提升性能

linux 在 kernel 2.0+ 版本中，系统调用 sendfile() 就是用来简化上面步骤提升性能的。sendfile() 不但能减少
切换次数而且还能减少拷贝次数
用 sendfile() 来进行网络传输的过程： sendfile(socket, file, len);
硬盘 —> kernel buffer (快速拷贝到 kernel socket buffer) —> 协议栈

系统调用 sendfile() 通过 DMA 把硬盘数据拷贝到 kernel buffer，然后数据被 kernel 直接拷贝到另外一个与 socket
相关的 kernel buffer。这里没有 user mode 和 kernel mode 之间的切换，在 kernel 中直接完成了从一个 buffer 到
另一个 buffer 的拷贝
DMA 把数据从 kernel buffer 直接拷贝给协议栈，没有切换，也不需要数据从 user mode 拷贝到 kernel mode，
因为数据就在 kernel 里

linux进阶-http常见配置大全