How to configure httpd-2.2 in Apache

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains how to configure httpd-2.2 in Apache. The editor found it very practical and shares it here as a reference; follow along with the editor and have a look.

Apache is the number one Web server software in the world. It runs on almost all widely used computer platforms. Because of its cross-platform support and security, it is one of the most popular Web server-side programs; its service name is httpd. There are many points to consider when setting up and tuning Apache.

1. Listening socket

Listen [IP:]port

This directive can appear multiple times to listen on several different sockets:

Listen 80
Listen 192.168.1.116:80
Listen 8080

2. Keep-alive in the configuration file

At present, most browsers ask the server to keep the connection open; this feature is called "KeepAlive". It is part of the HTTP/1.1 standard and is generally used to improve server performance. When keep-alive is in use, also set a limit on how many requests a client may send over one connection. It is recommended to leave the default of On to improve access performance. However, when a load balancer is used it reduces the balancer's effectiveness, because until the connection is closed the same client is always directed to the same server.

KeepAlive {On | Off}
KeepAliveTimeout 2              # timeout in seconds
MaxKeepAliveRequests 50         # maximum number of requests per persistent connection

3. MPM

<IfModule prefork.c>            # applies only if the module exists
    StartServers:        number of worker processes started by default; does not include the main process, which only creates and reaps child processes
    MinSpareServers:     minimum number of idle processes
    MaxSpareServers:     maximum number of idle processes
    ServerLimit:         maximum number of active processes
    MaxClients:          maximum number of concurrent requests; a connection need not be active; must be less than or equal to ServerLimit
    MaxRequestsPerChild: maximum number of requests each child process serves during its lifetime
</IfModule>

<IfModule worker.c>
    StartServers:        number of child processes started
    MaxClients:          maximum number of concurrent requests
    MinSpareThreads:     minimum number of idle threads
    MaxSpareThreads:     maximum number of idle threads
    ThreadsPerChild:     number of threads each child process creates
    MaxRequestsPerChild: maximum number of requests each child process serves during its lifetime; 0 means unlimited
</IfModule>

4. DSO module loading

LoadModule module_name /path/to/module

A relative path is resolved against the directory defined by ServerRoot; for example:

LoadModule php5_module /usr/lib64/httpd/modules/php5.so

Reload the service so the configuration file takes effect.

httpd -M: list all loaded modules, DSO and non-DSO
httpd -l: list compiled-in (non-DSO) modules

The prefork module is used by default. If you want to use worker, modify the script configuration file:

[root@localhost conf]# vim /etc/sysconfig/httpd
#HTTPD=/usr/sbin/httpd.worker      # uncomment this line to switch the binary that is used

5. Configure the site root directory

DocumentRoot /path/to/somewhere

This is the path where the Apache server stores the web pages. By default every HTTP request is served from this directory as the root; the default is /var/www/html.

6. Configure page access attributes

<Directory "/path/to/somewhere">
    Options ...
</Directory>

Options values:
    Indexes: when the default page is missing, all files in the directory may be returned to the user as a listing, which is dangerous
    FollowSymLinks: allow following symbolic links to the files they point to
    None: nothing enabled
    All: everything enabled
    ExecCGI: allow execution of CGI scripts through mod_cgi
    Includes: allow server-side includes (SSI) through mod_include
    MultiViews: allow content negotiation through mod_negotiation
    SymLinksIfOwnerMatch: follow a symbolic link only when the link and the target file have the same owner

Access properties can be configured per site directory. <DirectoryMatch "regex"> matches directories by regular expression, but it is generally not recommended because it is slower. Similar directives:
    <Location "URL">: configure the access properties of a URL (used, for example, for httpd's internal status pages or for aliased paths)
    <Files "file">: restrict the access properties of a single file
    <LocationMatch "regex">: equivalent to <Location ~ "regex">; this form is generally recommended for regular-expression matching

If the URL whose attributes you want to configure maps to a specific file-system path, <Directory> is the recommended directive.

7. Host-based access control

<Directory "/path/to/somewhere">
    Options None
    AllowOverride None        # whether an .htaccess file may override the settings in this block; None means it may not
    Order Deny,Allow          # evaluation order; the rule listed last (Allow) is the default
    Deny from ...
    Allow from ...
</Directory>

IP-based control:

Allow from / Deny from take an IP address or a network address in any of these forms:
    172.16
    172.16.0.0
    172.16.0.0/16
    172.16.0.0/255.255.0.0

If a client matches both lists, or neither, the rule listed last in Order wins; otherwise the matching rule applies.
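The evaluation rule above, worked through as an added Python example that is not part of the original article: it simulates how httpd-2.2 applies Order / Allow from / Deny from for the address forms listed, so a block can be checked against a client address before it goes live. The function names and sample addresses are this example's own.

```python
"""Simulate httpd-2.2 host-based access control (Order / Allow from / Deny from).

Added example, not from the original article. It follows the rule described
there: a client matching both lists, or neither, gets the rule listed last in
Order; otherwise the matching rule applies. Address forms are the ones the
article lists: full IP, partial prefix (172.16), CIDR (172.16.0.0/16) and
IP/netmask (172.16.0.0/255.255.0.0), plus the keyword "all".
"""
import ipaddress
from typing import List


def address_matches(client: str, pattern: str) -> bool:
    """Return True if the client IP matches one Allow/Deny argument."""
    pattern = pattern.strip()
    if pattern.lower() == "all":
        return True
    ip = ipaddress.ip_address(client)
    if "/" in pattern:
        # CIDR prefix length or dotted netmask; strict=False tolerates host bits
        return ip in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if len(octets) < 4:
        # Partial address such as 172.16: compare the leading octets only
        return client.split(".")[: len(octets)] == octets
    return ip == ipaddress.ip_address(pattern)


def host_access(order: str, allow: List[str], deny: List[str], client: str) -> bool:
    """Return True if the client is admitted under Order / Allow from / Deny from."""
    allowed = any(address_matches(client, p) for p in allow)
    denied = any(address_matches(client, p) for p in deny)
    last = order.split(",")[-1].strip().lower()    # "allow" or "deny"
    if allowed and not denied:
        return True
    if denied and not allowed:
        return False
    # Both matched or neither matched: the rule listed last in Order decides
    return last == "allow"


if __name__ == "__main__":
    # Order Deny,Allow / Deny from all / Allow from 172.16: only the 172.16 LAN gets in
    print(host_access("Deny,Allow", ["172.16"], ["all"], "172.16.5.5"))   # True
    print(host_access("Deny,Allow", ["172.16"], ["all"], "10.0.0.1"))     # False
```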

8. Define the default main page

DirectoryIndex index.php index.html home.html default.html      # searched from left to right

9. User home page

If you want each user to be able to create a personal site at http://Server_IP/~Username/:

UserDir disabled: disables user directories
UserDir public_html: public_html is the name of the directory under each user's home directory; all files in it are accessible through the path above

Example of configuring a user's home page:

[root@localhost conf]# vim httpd.conf          # first enable the following option
#UserDir disabled
UserDir public_html
[root@localhost httpd]# service httpd reload
[root@localhost conf]# useradd feiyu
[root@localhost conf]# su - feiyu
[feiyu@localhost ~]$ mkdir public_html
[feiyu@localhost ~]$ cd public_html/
[feiyu@localhost public_html]$ echo "hello feiyu" > index.html

The page is now in place, but the apache user cannot enter the home directory (mode 700), so grant it search (execute) permission with an ACL:

[feiyu@localhost ~]$ ls -ld /home/feiyu/
drwx------. 6 feiyu feiyu 4096 Feb 15 20:42 /home/feiyu/
[feiyu@localhost ~]$ setfacl -m u:apache:x /home/feiyu/
[feiyu@localhost ~]$ getfacl /home/feiyu/
getfacl: Removing leading '/' from absolute path names
# file: home/feiyu/
# owner: feiyu
# group: feiyu
user::rwx
user:apache:--x
group::---
mask::--x
other::---
[feiyu@localhost ~]$ curl 192.168.1.117/~feiyu/
hello feiyu

10. Configure logging

Default log directory: /var/log/httpd/

access_log: the access log; what it records is defined by a custom format
error_log: the error log

Access log:

CustomLog "/path/to/access_log_file" Format_Name     # path of the access log and the named format it uses
LogFormat Format_String Format_Name                  # define a named log format

Format string fields:
    %h: client address
    %l: remote login name (from identd), usually -
    %u: remote user name from authentication; - when the request was not authenticated
    %t: time the request was received
    %r: request line of the request message
    %>s: final response status code
    %b: length of the response body in bytes
    %{Header_Name}i: value of the named request header

For more information, see http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats

Error log:

ErrorLog "/path/to/error_log_file"
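An added Python example, not from the original article, that parses access_log lines written in the stock combined LogFormat (the fields listed above plus the Referer and User-Agent headers) and reports clients with repeated 401 responses, which is how password guessing against a Basic-auth area shows up in the log. The log lines are constructed for the example and the function names are its own.

```python
"""Parse httpd-2.2 'combined' access_log lines and find hosts that keep failing Basic auth.

Added example, not from the original article. The regular expression maps
%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"; the sample log
lines are constructed for this example.
"""
import re
from collections import Counter
from typing import Dict, Optional

COMBINED = re.compile(
    r'(?P<h>\S+) (?P<l>\S+) (?P<u>\S+) \[(?P<t>[^\]]+)\] '
    r'"(?P<r>[^"]*)" (?P<s>\d{3}) (?P<b>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one authenticated hit, then one host failing three times
# against the Basic-auth area before a request finally succeeds.
SAMPLE_LOG = """\
192.168.1.50 - feiyu [15/Feb/2014:20:42:01 +0800] "GET /fin/ HTTP/1.1" 200 512 "-" "curl/7.19.7"
10.0.0.9 - - [15/Feb/2014:20:43:10 +0800] "GET /fin/ HTTP/1.1" 401 381 "-" "python-requests/2.0"
10.0.0.9 - - [15/Feb/2014:20:43:11 +0800] "GET /fin/ HTTP/1.1" 401 381 "-" "python-requests/2.0"
10.0.0.9 - - [15/Feb/2014:20:43:12 +0800] "GET /fin/ HTTP/1.1" 401 381 "-" "python-requests/2.0"
10.0.0.9 - feiyu [15/Feb/2014:20:43:13 +0800] "GET /fin/ HTTP/1.1" 200 512 "-" "python-requests/2.0"
192.168.1.50 - - [15/Feb/2014:20:44:00 +0800] "GET /~feiyu/ HTTP/1.1" 200 12 "-" "curl/7.19.7"
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["s"] = int(rec["s"])
    rec["b"] = 0 if rec["b"] == "-" else int(rec["b"])   # %b prints '-' for an empty body
    return rec


def guessing_hosts(log_text: str, threshold: int = 3) -> Dict[str, bool]:
    """Hosts with at least `threshold` 401s, mapped to whether an authenticated 200 followed."""
    failures: Counter = Counter()
    succeeded_after: Dict[str, bool] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip lines in another format
        if rec["s"] == 401:
            failures[rec["h"]] += 1
        elif rec["s"] == 200 and rec["u"] != "-" and failures[rec["h"]] >= threshold:
            succeeded_after[rec["h"]] = True
    return {h: succeeded_after.get(h, False) for h, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    print(guessing_hosts(SAMPLE_LOG))     # {'10.0.0.9': True}
```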

11. Path alias

Alias /alias/ "/path/to/somewhere/"

This means that when http://Server_IP/alias/ is accessed, the page files come from /path/to/somewhere/. Note: the two paths must be consistent, both ending with "/" or neither.

12. Set the default character set

AddDefaultCharset UTF-8

13. CGI script path alias

CGI: Common Gateway Interface protocol (executing certain files with administrator privileges; rarely used).

Define the CGI script path alias:

ScriptAlias /URL/ "/path/to/somewhere/"      # files under this path are executed through the CGI protocol; alternatively enable ExecCGI explicitly in Options

14. User-based access control

User-based access control is used when your site, or a path on it, should only be reachable by users you have authorized.

Virtual users: authentication can use mechanisms such as files, SQL databases or LDAP.

Authentication type (AuthType):
    Basic: basic authentication; account and password are sent in clear text
    Digest: digest authentication; the password is sent after hashing; not supported by most browsers

Authentication provider: where the accounts and passwords are stored

Authorization mechanism: what authorization is based on

Example: file-based, basic authentication, authorization according to users and groups

Use the htpasswd command to generate the authentication library

htpasswd options:
    -c    create a new file; use it only the first time, never on later runs
    -m    store the user's password hashed with MD5
    -s    store the user's password hashed with SHA
    -p    store the user's password unencrypted
    -d    store the user's password hashed with crypt()
    -D    delete the user from the file

[root@localhost fin]# htpasswd -c -m /etc/httpd/conf/.htpasswd feiyu      # -c is needed the first time to create the file
New password:
Re-type new password:
Adding password for user feiyu
[root@localhost fin]# htpasswd -m /etc/httpd/conf/.htpasswd feiyu1
New password:
Re-type new password:
Adding password for user feiyu1

Configure the authentication mechanism:

<Directory "/www/htdocs/fin">
    Options None
    AllowOverride AuthConfig
    AuthType Basic
    AuthName "Private Area"
    #AuthBasicProvider file          # need not be specified; file is the default provider
    AuthUserFile /etc/httpd/conf/.htpasswd
    Require valid-user               # allow every valid account in the file
</Directory>

[Screenshot in the original: the browser's login prompt for the protected area]

Group-based authentication

Create the users before creating the group file. Group file format:

GroupName: user1 user2 user3

<Directory "/www/htdocs/fin">
    Options None
    AllowOverride AuthConfig
    AuthType Basic
    AuthName "Private Area"
    #AuthBasicProvider file
    AuthUserFile /etc/httpd/conf/.htpasswd
    AuthGroupFile /etc/httpd/conf/.htgroup      # group file
    Require group GroupName
</Directory>

15. Virtual hosts

Virtual hosting means that one physical server provides multiple sites. In the past, Aliyun's free virtual host was used when I built my site; I think it was configured with this method. There are three ways to implement virtual hosts:

Virtual hosts distinguished by IP address: each host uses a different IP

Virtual hosts distinguished by port: each host uses a different port

Virtual hosts distinguished by FQDN: each host has a different ServerName

Configure the use of virtual hosts:

(1) Comment out the central (default) host and enable the relevant configuration:

[root@localhost http]# vim /etc/httpd/conf/httpd.conf
#DocumentRoot "/var/www/html"      # comment out the central host
NameVirtualHost *:80               # required for name-based virtual hosts; the <VirtualHost> arguments below must match it; not needed in httpd-2.4

(2) IP-based virtual hosts (IP_1 and IP_2 stand for the server's two addresses):

<VirtualHost IP_1:80>
    ServerName www.feiyu1.com
    DocumentRoot "/var/www/html/feiyu1"
</VirtualHost>
<VirtualHost IP_2:80>
    ServerName www.feiyu2.com
    DocumentRoot "/var/www/html/feiyu2"
</VirtualHost>

(3) Port-based virtual hosts (each port also needs a matching Listen directive):

<VirtualHost *:80>
    ServerName www.feiyu1.com
    DocumentRoot "/var/www/html/feiyu1"
</VirtualHost>
<VirtualHost *:8080>
    ServerName www.feiyu2.com
    DocumentRoot "/var/www/html/feiyu2"
</VirtualHost>

(4) Domain name-based virtual hosts:

NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.feiyu1.com
    DocumentRoot "/var/www/html/feiyu1"
    CustomLog "/var/log/httpd/feiyu1-access_log" combined
</VirtualHost>
<VirtualHost *:80>
    ServerName www.feiyu2.com
    DocumentRoot "/var/www/html/feiyu2"
    CustomLog "/var/log/httpd/feiyu2-access_log" combined
</VirtualHost>

16. Enable the HTTPS protocol

HTTPS is HTTP with SSL/TLS encryption on top. Enabling HTTPS is more secure and removes the risk of traffic hijacking, but connection setup is no longer just a three-way handshake, so establishing a connection takes longer.

[Figure in the original: comparison of the first request over HTTP and over HTTPS]

HTTP: text protocol, 80/tcp
HTTPS: binary-format protocol, 443/tcp

The SSL handshake performs the following work:

Exchange protocol version number

Choose the encryption method supported by both parties

Implement identity verification on both sides

Key exchange

SSL sessions are bound to IP addresses and are not supported for FQDN-based virtual hosts, so on a server with only one public IP that uses virtual hosts, HTTPS can be enabled for only one site.

Configuring HTTPS support:

(1) Install the httpd SSL module

[root@localhost ~]# yum install mod_ssl -y

(2) Build a private CA

[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365

(3) Generate the server's private key

[root@localhost ~]# cd /etc/httpd/conf/
[root@localhost conf]# mkdir ssl
[root@localhost conf]# cd ssl
[root@localhost ssl]# (umask 077; openssl genrsa -out httpd.key 1024)

(4) Generate the certificate signing request

[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr

(5) Have the CA sign the certificate

[root@localhost ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365

(6) Modify httpd's SSL configuration file

[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
    DocumentRoot "/var/www/html/feiyu1"
    ServerName www.feiyu.com
    SSLCertificateFile /etc/httpd/conf/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl/httpd.key
</VirtualHost>

(7) Verify, or import the certificate into the browser

To verify, use the following command, or import the CA certificate into the browser and access the site:

# openssl s_client -connect IP:port -CAfile /path/to/CA_certificate_file

17. Server status page

The status page is built into httpd and shows the server's running state over the web; because that information describes the server's internals, it must not be exposed to everyone.

[root@localhost html]# vim /etc/httpd/conf/httpd.conf
<Location /server-status>
    SetHandler server-status
    AuthType Basic
    AuthName "Server Status"
    AuthUserFile "/etc/httpd/conf/.htpasswd"
    Require valid-user
    Order deny,allow
    Allow from all
</Location>

SetHandler: explicitly sets the handler, Apache's internal name for the way a file is processed when it is requested; normally each file type has its own implicit handler.

18. Use mod_deflate module to compress pages to optimize transmission speed

Compression is generally enabled when the CPU is idle and bandwidth is under pressure. It speeds up transfers and saves bandwidth, but one disadvantage is that it lowers the cache hit rate.

[root@localhost html]# vim /etc/httpd/conf/httpd.conf
SetOutputFilter DEFLATE            # enable the filter
[root@localhost conf.d]# vim deflate.conf
# Restrict compression to these MIME types: the file types to be compressed
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
# Level of compression (Highest 9 - Lowest 1)
DeflateCompressionLevel 9          # compression level; the default is 6
# Netscape 4.x has some problems.
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

19. Resource limits

Soft limit: a limit that may be exceeded, but only for a limited time

Hard limit: a limit that must never be exceeded

Soft limits can be changed with ulimit:

-n [N]: show or set the maximum number of open file handles

-u [N]: the maximum number of processes that may be run

The corresponding configuration file is /etc/security/limits.conf; extension configuration: /etc/security/limits.d/*.conf

root@tianfeiyu# vim /etc/security/limits.conf
# set the hard limits
apache hard nofile 65535       # maximum number of open files
apache hard nproc  3000        # maximum number of processes

20. Tools that come with the httpd package

httpd: the Apache server
apachectl: Apache HTTP server control tool
ab: Apache HTTP server benchmarking tool
apxs: Apache extension tool
configure: configure the source code
dbmmanage: create and update DBM-format user authentication files for basic authentication
htcacheclean: clean up the disk cache
htdigest: create and update user authentication files for digest authentication
htdbm: manipulate DBM password databases
htpasswd: create and update user authentication files for basic authentication
httxt2dbm: create a DBM file for RewriteMap
logresolve: resolve the IP addresses in Apache log files to host names
rotatelogs: rotate log files without closing Apache
suexec: switch users before executing external programs

Summary of locations and processing models:

Running directory: /etc/httpd
Configuration files: main configuration /etc/httpd/conf/httpd.conf; extension configuration /etc/httpd/conf.d/*.conf
Sockets: 80/tcp, 443/tcp
Document root directory: /var/www/html
CGI directory: /var/www/cgi-bin/
Service script: /etc/rc.d/init.d/httpd
Script configuration file: /etc/sysconfig/httpd
Highly modular: DSO (Dynamic Shared Object) modules
MPM (Multi-Processing Module): not a module but a feature; the multi-process model
    prefork: one process responds to one request (the main process creates the responding processes)
    worker: multithreaded model; the main process has multiple child processes, each process creates multiple threads, one thread responds to one request, and each process creates a limited number of threads
    event: one thread responds to multiple requests, maintaining multiple user requests through an event-driven mechanism; the main purpose is to let a single thread serve multiple requests

Thank you for reading!
This is the end of this article on "how to configure httpd-2.2 in Apache". I hope the above content has been of some help and that you have learned something from it. If you think the article is good, share it so more people can see it!
