2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
13.1 Introduction to httpd
httpd is the main program of the Apache HyperText Transfer Protocol (HTTP) server. It is designed to run as a standalone background process and creates a pool of child processes or threads to handle requests.
In general, httpd should not be invoked directly: on Unix-like systems it should be invoked through apachectl, and on Windows it runs as a service.
13.2 httpd versions
This article mainly introduces the two major versions of httpd, httpd-2.2 and httpd-2.4.
CentOS6 provides the httpd-2.2 rpm package by default, while CentOS7 provides the httpd-2.4 rpm package by default.
13.2.1 Features of httpd
httpd has many features; the features of httpd-2.2 and httpd-2.4 are listed separately below.
Features of httpd-2.2:
A) processes are created in advance
B) an appropriate number of processes is maintained on demand
C) modular design: the core is relatively small, functions are added through modules (including PHP), run-time configuration is supported, and separately built modules are supported
D) support for a variety of virtual host configurations, such as IP-based, port-based and domain-name-based virtual hosts
E) support for the https protocol (implemented through the mod_ssl module)
F) support for user authentication
G) support for an ACL access control mechanism based on IP or domain name
H) support for per-directory access control (users do not need to provide a username and password when accessing the default home page, but must provide them when accessing a specific directory)
I) support for URL rewriting
J) support for MPMs (Multi-Processing Modules), which define httpd's working model (single-process, single-process multi-thread, multi-process single-thread, multi-process multi-thread)
Prefork: a multi-process model in which processes are created in advance and each request is answered by one process.
A main process is responsible for creating n child processes, also known as worker processes
Each child process handles one user request; even when there are no requests, idle processes are created in advance to wait for requests, up to a maximum of 1024.
Worker: thread-based; each request is answered by one thread (multiple processes are started and each process creates multiple threads)
Event: event-driven; one process handles multiple requests
New features of httpd-2.4:
A) MPMs can be built as DSO (Dynamic Shared Object, the dynamic module loading/unloading mechanism) modules and loaded on demand
B) the event MPM is supported and is usable in production environments
C) support for asynchronous read and write
D) each module and each directory can use its own log level
E) the professional configuration associated with each request, using the
F) enhanced expression parser
G) support for millisecond keepalive timeout
H) FQDN-based virtual hosts no longer need the NameVirtualHost directive
I) support for user-defined variables
J) support for new directives (AllowOverrideList)
K) reduce memory consumption
13.2.2 New modules for httpd-2.4
httpd-2.4 adds several modules on top of the previous version; a few commonly used ones are introduced here.
mod_proxy_fcgi: a module that provides back-end protocol support when the Apache server acts as a reverse proxy
mod_ratelimit: a module that provides rate limiting
mod_remoteip: the IP-based access control mechanism has changed; Order, Deny, Allow are no longer supported for IP-based access control
13.3 httpd basics
13.3.1 Tools that come with httpd
htpasswd: the account and password generation tool used when basic authentication is implemented with a file-based store.
apachectl: the service control script that ships with httpd; supports start, stop, restart
apxs: a tool provided by the httpd-devel package for extending httpd with third-party modules
rotatelogs: log rotation tool
access.log -->
access.log, access.1.log -->
access.log, access.1.log, access.2.log
suexec: a tool that temporarily switches to a specified user when accessing resources that require special permissions
ab: Apache Benchmark, the httpd stress testing tool
13.3.2 httpd program environment for rpm package installation
httpd-2.2 program environment:
Configuration files:
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/*.conf
Composition of the configuration file: grep "Section" /etc/httpd/conf/httpd.conf
### Section 1: Global Environment
### Section 2: 'Main' server configuration
### Section 3: Virtual Hosts
Configuration format: directive value
Directive: the directive name, case-insensitive
Value: when it is a path, case sensitivity depends on the file system
Service script:
/etc/rc.d/init.d/httpd
Configuration file for the service script:
/etc/sysconfig/httpd
Main program files:
/usr/sbin/httpd
/usr/sbin/httpd.event
/usr/sbin/httpd.worker
Log file directory:
/var/log/httpd/
access_log: access log
error_log: error log
Site document directory:
/var/www/html/
Module file path:
/usr/lib64/httpd/modules/
httpd-2.4 program environment:
Main configuration file: /etc/httpd/conf/httpd.conf
Module configuration files: /etc/httpd/conf.modules.d/*.conf
Auxiliary configuration files: /etc/httpd/conf.d/*.conf
MPM: provided through the DSO mechanism; the configuration file is /etc/httpd/conf.modules.d/00-mpm.conf
13.3.3 Web-related commands
curl command:
curl is a command-line file transfer tool based on URL syntax. It supports protocols such as FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP.
curl supports:
HTTPS authentication
POST/PUT and other HTTP methods
FTP upload
Kerberos authentication
HTTP upload
Proxy servers
Cookies
User name / password authentication
Resuming a download from a breakpoint
SOCKS5 proxy servers
Uploading files to an FTP server through an HTTP proxy server
Syntax: curl [options] [URL...]
Commonly used options:
-A/--user-agent: sets the user agent sent to the server
--basic: use HTTP basic authentication
--tcp-nodelay: use the TCP_NODELAY option
-e/--referer: the referer (source) URL
--cacert: CA certificate (SSL)
--compressed: request a compressed response
-H/--header: pass a custom request header to the server
-I/--head: display only the response headers
--limit-rate: limits the transfer rate
-u/--user: set the user and password for the server
-0/--http1.0: use HTTP version 1.0 (the default is version 1.1). This option is the digit 0, not the letter o
elinks command:
Syntax: elinks [options] [URL...]
Commonly used options:
-dump: output the contents of the URL directly to standard output instead of entering interactive mode
httpd command:
Syntax: httpd [options]
Commonly used options:
-l: list the modules statically compiled into the server. It does not list modules that are dynamically loaded with the LoadModule directive
-M: outputs a list of enabled modules, including modules statically compiled in the server and dynamically loaded as DSO
-v: display the version of httpd, and then exit
-V: display the version and compilation parameters of httpd and apr/apr-util, and then exit
-X: run httpd in debug mode. Only one worker process is started, and the server is not detached from the console
13.4 Compile and install httpd-2.4
httpd depends on apr-1.4+, apr-util-1.4+, [apr-iconv]
apr: Apache Portable Runtime
CentOS6 provides apr 1.3.9 and apr-util 1.3.9, so apr-1.4+ and apr-util-1.4+ must be installed first when installing httpd-2.4 on CentOS6; on CentOS7 they do not need to be installed separately.
httpd-2.4 compilation and installation steps:
A) install the development environment (yum groupinstall)
B) download and install apr-1.4+ and apr-util-1.4+. This step is only needed on the CentOS6 series, not on CentOS7
cd /usr/src/
wget http://mirrors.hust.edu.cn/apache//apr/apr-1.5.2.tar.bz2
wget https://mirrors.tuna.tsinghua.edu.cn/apache//apr/apr-util-1.5.4.tar.bz2
tar xvf apr-1.5.2.tar.bz2
tar xvf apr-util-1.5.4.tar.bz2
cd apr-1.5.2
./configure --prefix=/usr/local/apr
make && make install
cd ../apr-util-1.5.4
./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
make && make install
C) compile and install httpd
groupadd -r apache
useradd -r -g apache apache
yum -y install openssl-devel pcre-devel
./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd24 --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-zlib --with-pcre --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util/ --enable-modules=most --enable-mpms-shared=all --with-mpm=prefork
make && make install
13.5 httpd common configuration
Common configurations for httpd-2.2:
Modify the listening IP and port:
Listen [IP:]PORT
Omitting IP means listening on all addresses. Listen can be repeated multiple times
Persistent connection (long-lived connection):
Once the connection is established, it is not closed immediately after each resource is fetched but stays open waiting for further requests.
How is the connection closed?
Quantity limit: by default the connection is closed automatically after 100 resources have been fetched
Time limit: configurable. For servers with high concurrency, this value must not be set too high.
Side effect: on servers with many concurrent visits, persistent connections can leave some requests without a response
Compromise: use a short persistent connection time. httpd-2.4 supports millisecond-level timeouts
KeepAlive {On | Off}: whether persistent connections are enabled
MaxKeepAliveRequests 100: the maximum number of resources that may be fetched on one connection; the connection is closed when this value is reached
KeepAliveTimeout 15: the time limit; the connection is closed when it is reached
Test the persistent connection:
telnet HOST PORT          # e.g. telnet 192.168.1.1 80
GET /URL HTTP/1.1         # e.g. GET /index.html HTTP/1.1
Host: HOSTNAME or IP      # e.g. Host: 192.168.1.1
MPM: Multi-Processing Modules. They define httpd's working model (single-process, single-process multi-thread, multi-process single-thread, multi-process multi-thread)
httpd-2.2 does not support compiling in multiple MPM modules at the same time, so only one can be selected at compile time
The rpm package provides three binaries, one for each MPM. To confirm which one is running:
ps aux | grep httpd
The default is /usr/sbin/httpd, which uses prefork
To change the httpd binary in use, edit the /etc/sysconfig/httpd file and restart the service for the change to take effect
HTTPD={httpd | httpd.worker | httpd.event}
Configure the MPM: edit the main configuration file /etc/httpd/conf/httpd.conf
Configuration of prefork:
StartServers: number of server processes started when the service starts (child processes that serve requests, excluding the main process)
MinSpareServers: minimum number of idle processes
MaxSpareServers: maximum number of idle processes
ServerLimit: maximum number of processes allowed during the service life cycle, prepared for MaxClients
MaxClients: maximum number of concurrent requests
MaxRequestsPerChild: how many requests one server process can respond to
Configuration of worker:
StartServers: number of server processes started when the service starts (child processes that serve requests, excluding the main process)
MaxClients: maximum number of threads started on the server
MinSpareThreads: minimum number of idle threads
MaxSpareThreads: maximum number of idle threads
ThreadsPerChild: number of threads each process can start
MaxRequestsPerChild: maximum number of requests that each thread can respond to; 0 means unlimited
DSO: Dynamic Shared Object, the dynamic module loading/unloading mechanism
Directive used to load a module:
LoadModule
The module path (mod_path) can be a relative path:
Relative to the path pointed to by ServerRoot (/etc/httpd)
/etc/httpd/modules --> /usr/lib64/httpd/modules
Define the document root of the "Main" server with DocumentRoot
Document path mapping:
The path DocumentRoot points to is the starting position of the URL path.
DocumentRoot "/var/www/html"
test/index.html --> http://HOST:PORT/test/index.html
Site access Control:
You can indicate which resources are controlled based on two types of paths:
For file system paths:
For URL paths:
Access control mechanism:
Based on source address
Based on user account
Access control based on source address in Directory (httpd-2.2):
A) Options
All available options:
Indexes Includes FollowSymLinks SymLinksIfOwnerMatch ExecCGI MultiViews
Indexes: when the request does not specify a page and there is no default home page (index.html), everything under the directory (by default /var/www/html) is listed as an index of links
FollowSymLinks: allow symbolic links to be followed
B) access control mechanism based on source address
Order: the evaluation order
Order allow,deny: allow first, then deny. Everything is denied by default; only explicitly allowed sources may access
Order deny,allow: deny first, then allow. Everything is allowed by default; only explicitly denied sources are refused
Allow from SOURCE_ADDRESS
Deny from SOURCE_ADDRESS
The source address can be:
IP: such as 192.168.1.1
NetAddr:
172.16
172.16.0.0
172.16.0.0/16
172.16.0.0/255.255.0.0
FQDN: can be a full hostname or a domain name, such as *.idfsoft.com
All
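The Order rules above are easy to misread, so here is an added example (not code from the original article or from httpd) that evaluates httpd-2.2 Order/Allow/Deny fragments for a client address. The function names and the three sample fragments are constructed for illustration; hostname sources are left out because they need DNS lookups.

```python
import ipaddress

def parse_source(spec):
    """Convert an Allow/Deny source (all, IP, partial IP, CIDR, net/mask) to a network."""
    if spec.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in spec:
        # Handles both 172.16.0.0/16 and 172.16.0.0/255.255.0.0
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    # A partial address such as "172.16" matches on its leading octets only
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)

def parse_acl(text):
    """Collect Order, Allow from and Deny from directives from a config fragment."""
    order, allow, deny = "deny,allow", [], []  # Deny,Allow is the httpd-2.2 default
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        name = words[0].lower()
        if name == "order" and len(words) == 2:
            order = words[1].lower()
        elif name in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if name == "allow" else deny).extend(words[2:])
    return order, allow, deny

def is_allowed(config_text, client_ip):
    """Apply httpd-2.2 Order semantics; the position of lines in the file is irrelevant."""
    order, allow, deny = parse_acl(config_text)
    ip = ipaddress.ip_address(client_ip)
    allowed = any(ip in parse_source(s) for s in allow)
    denied = any(ip in parse_source(s) for s in deny)
    if order == "allow,deny":
        return allowed and not denied   # default deny; a Deny match wins
    if order == "deny,allow":
        return allowed or not denied    # default allow; an Allow match wins
    raise ValueError(f"unsupported Order value: {order}")

# Constructed sample fragments (addresses are illustrative)
STATUS_ACL = """
Order deny,allow
Deny from all
Allow from 172.16 192.168.1.1
"""
LOCKOUT_ACL = """
Order allow,deny
Allow from 172.16.0.0/255.255.0.0
Deny from all
"""
BLOCKLIST_ACL = """
Order allow,deny
Allow from all
Deny from 192.168.1.20
"""

if __name__ == "__main__":
    for name, acl, ip in [("status", STATUS_ACL, "172.16.5.9"),
                          ("status", STATUS_ACL, "10.0.0.1"),
                          ("lockout", LOCKOUT_ACL, "172.16.5.9"),
                          ("blocklist", BLOCKLIST_ACL, "192.168.1.20")]:
        print(name, ip, "allowed" if is_allowed(acl, ip) else "denied")
```

LOCKOUT_ACL shows the usual mistake: with Order allow,deny a "Deny from all" overrides every Allow line, so nobody gets in.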
User-based access control:
Authentication challenge: this is a response message
WWW-Authenticate: the response code is 401; the server rejects the client request and states that the client must provide an account and password
Authentication: this is a request message
Authorization: the client fills in the account and password and sends the request again; once authentication passes, the server sends the resource in its response.
Types of authentication:
Basic: plaintext
Digest: message digest, hashed with MD5
Security domain: a path that requires user authentication before it can be accessed is called a security domain
It should be identified by a name, which tells the user why authentication is required.
Where the user's account and password are stored:
Virtual account: an authentication ID used only when accessing a particular service
Storage mechanism:
Text file
SQL database
LDAP
NIS
Basic authentication with a text-file storage mechanism
A) define a security domain
<Directory "/PATH/TO/DIR">
    Options None
    AllowOverride None
    AuthType Basic
    AuthName "String"
    AuthUserFile "/PATH/TO/HTTPD_USER_PASSWD_FILE"
    Require user username1 username2 ...
</Directory>
# To allow only the users specified in the account file to log in and access, add Require valid-user inside the <Directory> section
B) provide account and password storage (using the htpasswd command)
htpasswd [options] passwordfile username
Commonly used options:
-c: create passwordfile automatically; use it only when adding the first user
-m: encrypt the user password with MD5
-s: encrypt the user password with SHA1
-D: delete the specified user
C) implement group-based authentication
<Directory "/PATH/TO/DIR">
    Options None
    AllowOverride None
    AuthType Basic
    AuthName "String"
    AuthUserFile "/PATH/TO/HTTPD_USER_PASSWD_FILE"
    AuthGroupFile "/PATH/TO/HTTPD_GROUP_FILE"
    Require group GROUP1 GROUP2 ...
</Directory>
Provide both the user account file and the group file:
Group file: can only be written by hand, one group per line, in the following format:
GROUP_NAME:user1 user2 user3 ...
The user in the group file must exist in the account file.
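A check for the two files described above, as an added example (not part of the original article): it classifies each htpasswd entry by hash scheme, flags entries stored with the unsalted `-s` (SHA1) format, lists users whose stored hash is identical, and reports group members missing from the account file. The user names, passwords and file contents are constructed; the bcrypt prefix is recognised for completeness and is not covered on this page.

```python
import base64
import hashlib
from collections import defaultdict

def sha_entry(user, password):
    """Build the line `htpasswd -s` stores: {SHA} + base64(SHA-1(password)), no salt."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

def scheme_of(field):
    """Classify a stored password field by its prefix."""
    if field.startswith("$apr1$"):
        return "md5-apr1"        # htpasswd -m
    if field.startswith("{SHA}"):
        return "sha1-unsalted"   # htpasswd -s
    if field.startswith("$2y$"):
        return "bcrypt"
    return "other"

def audit(passwd_text, group_text):
    """Return schemes per user, weak entries, shared hashes and missing group members."""
    schemes, by_hash = {}, defaultdict(list)
    for line in passwd_text.splitlines():
        if ":" not in line:
            continue
        user, field = line.strip().split(":", 1)
        schemes[user] = scheme_of(field)
        by_hash[field].append(user)
    missing = {}
    for line in group_text.splitlines():
        if ":" not in line:
            continue
        group, members = line.split(":", 1)
        absent = [u for u in members.split() if u not in schemes]
        if absent:
            missing[group.strip()] = absent
    return {
        "schemes": schemes,
        "weak": sorted(u for u, s in schemes.items() if s == "sha1-unsalted"),
        # Identical fields mean identical passwords when no salt is used
        "shared": sorted(sorted(users) for users in by_hash.values() if len(users) > 1),
        "missing": missing,
    }

# Constructed sample files; the $apr1$ value is a dummy with the right prefix only
PASSWD = "\n".join([
    "alice:$apr1$constructed$0000000000000000000000",
    sha_entry("bob", "Spring2025"),
    sha_entry("carol", "Spring2025"),
])
GROUPS = "admins:alice bob\nops:carol dave\n"

if __name__ == "__main__":
    for key, value in audit(PASSWD, GROUPS).items():
        print(key, value)
```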
Define the default main page:
DirectoryIndex index.html index.html.var
Log settings:
Define the log format: LogFormat
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
Commonly used log format macros (see the official documentation for details):
%h: client IP address
%l: lowercase L; the remote logname (from identd, if supplied). "-" means empty
%u: remote user (from auth; may be bogus if return status (%s) is 401)
%t: time the server received the request
%r: the first line of the request message (request method, URL, protocol version)
%>s: response status code
%b: size of the response in bytes, excluding the response headers
%{Referer}i: value of the "Referer" request header, that is, the page from which the hyperlink led to the current resource
%{User-Agent}i: value of the "User-Agent" request header, that is, the application that made the request
Error log:
ErrorLog logs/error_log
# LogLevel defaults to the warn level
LogLevel warn
The log levels are as follows, from low to high; the lower the level, the more detailed the record
debug
info
notice
warn
error
crit
alert
emerg
Access Log:
CustomLog logs/access_log combined
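To connect the combined format with the 401 challenge described earlier, this added example (not from the original article) parses combined-format lines and reports clients with repeated 401 responses together with the user names they tried. The log lines are constructed, the addresses come from documentation ranges, and the threshold of 3 is an assumption.

```python
import re
from collections import Counter

# Field order follows: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Quoted fields may contain \" because httpd escapes quotes inside them.
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = COMBINED.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # %b logs "-" for 0 bytes
    return rec

def auth_failures(lines, threshold=3):
    """Map each client with >= threshold 401 responses to the user names it attempted."""
    counts, users = Counter(), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 401:
            continue
        counts[rec["host"]] += 1
        if rec["user"] != "-":
            # On a 401 the %u value is whatever the client sent, not a verified user
            users.setdefault(rec["host"], set()).add(rec["user"])
    return {h: sorted(users.get(h, ())) for h, n in counts.items() if n >= threshold}

# Constructed sample log lines
SAMPLE_LOG = [
    r'198.51.100.7 - admin [24/Feb/2025:10:00:01 +0800] "GET /private/ HTTP/1.1" 401 381 "-" "curl/8.0"',
    r'198.51.100.7 - root [24/Feb/2025:10:00:02 +0800] "GET /private/ HTTP/1.1" 401 381 "-" "curl/8.0"',
    r'198.51.100.7 - - [24/Feb/2025:10:00:03 +0800] "GET /private/ HTTP/1.1" 401 381 "-" "curl/8.0"',
    r'192.0.2.10 - alice [24/Feb/2025:10:00:04 +0800] "GET /private/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    r'192.0.2.11 - bob [24/Feb/2025:10:00:05 +0800] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    r'192.0.2.12 - - [24/Feb/2025:10:00:06 +0800] "GET /a\"b HTTP/1.1" 304 - "-" "probe \"x\""',
]

if __name__ == "__main__":
    for client, tried in auth_failures(SAMPLE_LOG).items():
        print(client, "repeated 401 responses; user names tried:", tried)
```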
Path alias: map a URL to another path
Alias /URL/ "/PATH/TO/SOMEDIR/"
For example: Alias /bbs/ "/bbs/htdocs"
Set the default character set:
AddDefaultCharset UTF-8
Virtual host:
There are three implementation schemes:
IP-based: prepare at least one IP address for each virtual host
Port-based: prepare at least one dedicated port for each virtual host; rarely used in practice
Domain-name-based: prepare at least one dedicated domain name for each virtual host
The NameVirtualHost line must be uncommented.
The three methods above can be mixed.
Note: virtual hosts should generally not be mixed with the central (main) host, so to use virtual hosts the central host must be disabled first.
Disable the central host: comment out DocumentRoot
Each virtual host has its own configuration; access control can also be done through Directory inside the virtual host
# the * here can be replaced with a specific IP address
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /www/docs/dummy-host.example.com
    ServerName dummy-host.example.com
    ErrorLog logs/dummy-host.example.com-error_log
    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
Built-in status page: shows the status of the server
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from .example.com
</Location>
Use the mod_deflate module to compress pages and optimize transfer speed (applies to httpd-2.2)
Applicable scenarios:
A) saves bandwidth at the cost of extra CPU; some older browsers may not support it
B) compress only resources that compress well, such as text files
Method:
A) edit the main configuration file /etc/httpd/conf/httpd.conf, find the mod_deflate.so line and remove the comment marker in front of it to enable the mod_deflate module
B) add the following to the main configuration file:
# Call the DEFLATE output filter
SetOutputFilter DEFLATE
# mod_deflate configuration
# Restrict compression to these MIME types
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
# Level of compression (Highest 9 - Lowest 1); LEVEL sets the compression ratio
DeflateCompressionLevel LEVEL
# Netscape 4.x has some problems.
# BrowserMatch matches the browser type and version with a regular expression against the User-Agent header:
# when the browser is Mozilla/4, compress with gzip, but only text/html documents
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems: do not compress for these browsers
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
Configure httpd to support https:
A) request a digital certificate for the server
For testing: issue the certificate through a private CA
Create a private CA
Create a certificate signing request on the server
The CA signs the certificate
B) configure httpd to use ssl and the certificate
yum -y install mod_ssl
Configuration file: /etc/httpd/conf.d/ssl.conf
Directives to set: DocumentRoot, ServerName, SSLCertificateFile, SSLCertificateKeyFile
C) test access to the host over https
openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
Common configurations for httpd-2.4:
Switch the MPM in use (edit the /etc/httpd/conf.modules.d/00-mpm.conf file):
LoadModule mpm_NAME_module modules/mod_mpm_NAME.so
# NAME is one of prefork, event, worker
Modify the DocumentRoot of the "Main" server
IP-based access control rules:
Allow all hosts to access: Require all granted
Deny all hosts access: Require all denied
Control access from specific IPs:
Require ip IPADDR: authorize hosts with the specified source address
Require not ip IPADDR: deny hosts with the specified source address
IPADDR types:
IP: 192.168.1.1
Network/mask: 192.168.1.0/255.255.255.0
Network/Length: 192.168.1.0/24
Net: 192.168
Control access from specific hosts (HOSTNAME):
Require host HOSTNAME
Require not host HOSTNAME
HOSTNAME types:
FQDN: full name of a specific host
DOMAIN: all hosts in the specified domain
Note: httpd-2.4 denies access from all hosts by default, so explicit authorization must be configured after installation.
Example:
<RequireAll>
    Require not ip 192.168.1.20
    Require all granted
</RequireAll>
Virtual host:
IP-based, port-based and domain-name-based virtual hosts are all supported
Domain-name-based virtual hosts no longer require the NameVirtualHost directive
SSL:
Enable the module: edit the /etc/httpd/conf.modules.d/00-base.conf file and add the following line. If the line is already there but commented out, uncomment it.
LoadModule ssl_module modules/mod_ssl.so
Service script:
Service script for a compiled installation on CentOS6: apachectl {start | stop | restart}
CentOS7 service script: httpd.service, controlled by systemctl