Source install and configuration of Apache HTTP Server 2.4
I. Introduction to Apache HTTP Server
The best-known and most feature-rich web server on Linux is Apache HTTP Server (Apache for short).
Apache HTTP Server is one of the Apache Software Foundation's best-known open-source projects and runs on most operating systems.
The two maintained branches on the official site are currently 2.2 and 2.4. CentOS 6 ships 2.2 and CentOS 7 ships 2.4.
Most production deployments still run 2.2, but 2.4 brings a number of new features, summarized briefly below:
(1) Run-time loadable MPMs
In 2.4 the MPMs can be built as loadable modules; which one runs is chosen in the configuration at start-up rather than at compile time.
(2) Event MPM
The Event MPM is fully supported; in 2.2 it was experimental.
(3) Better asynchronous read/write support
(4) Per-module and per-directory log levels
(5) Per-request configuration sections: <If>, <ElseIf> and <Else>
(6) An enhanced expression parser
(7) KeepAliveTimeout can be specified in milliseconds
(8) The NameVirtualHost directive is no longer needed
(9) User-defined variables in the configuration
(10) Lower memory use than 2.2
(11) Many new modules, for example mod_proxy_fcgi, mod_ratelimit, mod_request and mod_remoteip, plus improvements to many existing ones
(12) Changed access-control syntax: the 2.2 Order/Allow/Deny directives are replaced by Require (the old directives still parse only while mod_access_compat is loaded)
2.2 configuration:
Order deny,allow
Deny from all
2.4 configuration:
Require all denied
2.2 configuration:
Order allow,deny
Allow from all
2.4 configuration:
Require all granted
2.2 configuration:
Order Deny,Allow
Deny from all
Allow from example.org
2.4 configuration:
Require host example.org
Given how many features 2.4 adds, it is well worth installing 2.4 in production.
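Because access_compat_module is loaded in the module list shown later, 2.2-style Order/Allow/Deny lines still parse under 2.4, and a configuration that mixes them with Require is easy to get wrong. The following shell script is an added example, not part of the original article: it finds legacy access-control lines in a configuration tree and translates the three patterns above into Require directives. The configuration files it is run on in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: locate 2.2-style access
# control in an httpd config tree and translate the common patterns to the
# 2.4 Require syntax.

# find_legacy_access CONF_DIR
# Prints "file:line:directive" for every Order / Allow from / Deny from /
# Satisfy line (commented-out lines skipped). Returns 0 when the tree is
# clean, 1 when legacy directives were found.
find_legacy_access() {
    hits=$(grep -rniE '^[[:space:]]*(Order|Allow from|Deny from|Satisfy)[[:space:]]' "$1" 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# translate_block < legacy.conf
# Reads one 2.2 access block from stdin and prints the equivalent 2.4
# Require lines:
#   deny all, no allow-list   -> Require all denied
#   allow all                 -> Require all granted
#   allow-list                -> Require host NAME / Require ip ADDR per entry
# When both "all" forms appear, Order decides which one wins, as in 2.2.
translate_block() {
    awk '
    /^[[:space:]]*#/ { next }
    tolower($1) == "order" { order = tolower($2) }
    tolower($1) == "deny"  && tolower($3) == "all" { deny_all = 1 }
    tolower($1) == "allow" && tolower($3) == "all" { allow_all = 1 }
    tolower($1) == "allow" && tolower($3) != "all" {
        for (i = 3; i <= NF; i++) allow[++n] = $i
    }
    END {
        if (n > 0) {
            for (i = 1; i <= n; i++) {
                # dotted quads and CIDR blocks become Require ip, names Require host
                if (allow[i] ~ /^[0-9.\/]+$/) print "Require ip " allow[i]
                else                          print "Require host " allow[i]
            }
        } else if (allow_all && deny_all) {
            r = (order == "deny,allow") ? "granted" : "denied"
            print "Require all " r
        } else if (allow_all) {
            print "Require all granted"
        } else if (deny_all) {
            print "Require all denied"
        } else {
            print "# no recognised pattern; translate by hand"
        }
    }'
}
```

Require host needs a double reverse DNS lookup for every request and is only as trustworthy as the client's DNS, so where the allow-list is numeric, Require ip is the better translation, and that is what the script emits for dotted-quad or CIDR entries. Several Require lines inside one container are OR'ed (an implicit <RequireAny>), which matches the 2.2 allow-list semantics.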
II. Compiling and installing
(A) Preparation
1. Development libraries
Building from source pulls in a long list of development libraries; install them with yum. Mount the CentOS DVD at /media/cdrom and configure a local yum repository (see my earlier post "Linux program installation and package management"; there are many such write-ups, so it is not repeated here). Then install the development environment:
# yum groupinstall "Development tools" "Server Platform Development"
Download httpd-2.4.10.tar.bz2 from the official site. The project also publishes a detached PGP signature (.asc) for each tarball and a KEYS file with the release managers' public keys; verify the signature before unpacking, since whatever is in the archive gets compiled and installed as root.
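Checking the download before building it, as an added example that is not part of the original article. httpd.apache.org publishes a detached signature next to each tarball and a KEYS file holding the release managers' keys; the digest-file formats offered have varied between releases, so here the expected SHA-256 is passed in by hand. The file contents and digest used in the test are constructed, and gpg is assumed to be installed for the signature step.

```shell
#!/bin/sh
# Added example, not from the original article: verify an httpd source
# tarball (signature and digest) before unpacking it.

# check_digest FILE EXPECTED_SHA256
# Returns 0 when FILE's SHA-256 equals EXPECTED_SHA256, 1 otherwise.
check_digest() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# verify_signature TARBALL KEYS_FILE
# Imports KEYS_FILE into a throw-away keyring and verifies TARBALL.asc
# against it, so the check does not depend on whatever happens to be in
# root's default keyring. Assumes gpg is installed.
verify_signature() {
    ring="$(mktemp -d)/httpd-keys.gpg"
    gpg --no-default-keyring --keyring "$ring" --import "$2" >/dev/null 2>&1 || return 1
    gpg --no-default-keyring --keyring "$ring" --verify "$1.asc" "$1"
}

# verify_and_unpack TARBALL EXPECTED_SHA256 KEYS_FILE
# Unpacks only when both checks pass; a failed check leaves nothing behind.
verify_and_unpack() {
    verify_signature "$1" "$3" || { echo "signature check failed for $1" >&2; return 1; }
    check_digest "$1" "$2"    || { echo "digest mismatch for $1" >&2; return 1; }
    tar xf "$1"
}

# Example invocation (assumed file names, downloaded into the same directory):
#   verify_and_unpack httpd-2.4.10.tar.bz2 <sha256 from the download page> KEYS
```

A good signature only proves the archive is the one the project's release manager signed, so the KEYS file itself has to come from the project site over HTTPS rather than from the same mirror as the tarball; otherwise a mirror can swap both.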
The test machine is CentOS 6.5, which already has the 2.2 package installed; stop it and disable it at boot:
# service httpd stop
# chkconfig httpd off
# chkconfig --list httpd
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
# tar xf httpd-2.4.10.tar.bz2
2. Installing apr
httpd depends on apr (Apache Portable Runtime), and 2.4 needs a fairly recent release, 1.4 or later. CentOS 6 ships 1.3.9, so build a private copy.
Download apr-1.5.1.tar.bz2 and apr-util-1.5.3.tar.bz2 from http://apr.apache.org.
# tar xf apr-1.5.1.tar.bz2
# tar xf apr-util-1.5.3.tar.bz2
# cd apr-1.5.1
# ./configure --prefix=/usr/local/apr15
# make && make install
# cd ~/apr-util-1.5.3
# ./configure --prefix=/usr/local/aprutil15 --with-apr=/usr/local/apr15/
# make && make install
3. Installing httpd
Commonly used configure options (name, meaning, value used here):
--prefix              installation directory, default /usr/local/apache2; here /usr/local/apache24
--sysconfdir          configuration directory; here /etc/httpd24
--enable-so           enable DSO (dynamic module loading)
--enable-modules      whitespace-separated module list, or "all" | "most" | "few" | "none" | "reallyall"; here most
--enable-ssl          SSL/TLS support (mod_ssl)
--enable-cgi          CGI support
--enable-rewrite      server-side rewriting (mod_rewrite)
--with-pcre           use the PCRE library
--with-apr            path to apr; here /usr/local/apr15/
--with-apr-util       path to apr-util; here /usr/local/aprutil15/
--with-z              use the zlib library
--enable-mpms-shared  whitespace-separated list of MPMs to build as loadable modules, or "all"; here all
--with-mpm=MPM        default MPM, MPM={event|worker|prefork|winnt}; here event
# cd httpd-2.4.10
# ./configure --prefix=/usr/local/apache24 --sysconfdir=/etc/httpd24 --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-z --with-pcre --with-apr=/usr/local/apr15/ --with-apr-util=/usr/local/aprutil15/ --enable-mpms-shared=all --with-mpm=event --enable-modules=most
# make && make install
Installation directories and files
/etc/httpd24                 main configuration directory
/etc/httpd24/extra           additional configuration files
/etc/httpd24/httpd.conf      main configuration file
/usr/local/apache24/htdocs   default document root
/usr/local/apache24/error    bundled error documents
/usr/local/apache24/cgi-bin  CGI directory
/usr/local/apache24/include  header files for building modules; export if needed
/usr/local/apache24/man      manual pages; should be exported
/usr/local/apache24/modules  DSO modules
/usr/local/apache24/bin      executables
/usr/local/apache24/logs     log directory
Export the bin directory
# cd /etc/profile.d/
# vim httpd24.sh
PATH=/usr/local/apache24/bin:$PATH
export PATH
Then start a new login session (or source /etc/profile.d/httpd24.sh) for the PATH change to take effect.
Export the man directory
Add one line to /etc/man.config:
MANPATH /usr/local/apache24/man
and it takes effect immediately.
Export the header directory
# ln -s /usr/local/apache24/include/ /usr/include/apache
apachectl
apachectl is a shell script in /usr/local/apache24/bin that starts, stops and restarts httpd, including graceful restart and graceful stop.
"Graceful" means not brutal: before a restart or stop, connections that are still open are allowed to finish instead of being cut off.
First start. Note that the httpd.conf installed from source runs the worker processes as User daemon / Group daemon; outside a lab, create a dedicated unprivileged account for httpd before exposing the service.
# apachectl start
# ss -tnlp | grep :80
LISTEN 0 128 :::80 :::* users:(("httpd",2308,4),("httpd",2309,4),("httpd",2310,4),("httpd",2311,4))
# httpd -D DUMP_MODULES
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
authn_file_module (shared)
authn_core_module (shared)
authz_host_module (shared)
authz_groupfile_module (shared)
authz_user_module (shared)
authz_core_module (shared)
access_compat_module (shared)
auth_basic_module (shared)
reqtimeout_module (shared)
filter_module (shared)
mime_module (shared)
log_config_module (shared)
env_module (shared)
headers_module (shared)
setenvif_module (shared)
version_module (shared)
mpm_event_module (shared)
unixd_module (shared)
status_module (shared)
autoindex_module (shared)
dir_module (shared)
alias_module (shared)
Test in a browser.
III. Experiments
Experiment plan
(A) Virtual hosts
Edit /etc/httpd24/httpd.conf and uncomment the include that enables virtual hosts:
# Virtual hosts
Include /etc/httpd24/extra/httpd-vhosts.conf
Edit /etc/httpd24/extra/httpd-vhosts.conf and define the two hosts (the document roots /web/vhosts/www.example.com and /web/vhosts/www.test.com must exist). In 2.4 the first <VirtualHost> defined is the default for requests whose Host header matches no ServerName, so a request by bare IP lands on www.example.com.
<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    DocumentRoot "/web/vhosts/www.example.com"
    ServerName www.example.com
    ErrorLog "logs/www.example.com-error_log"
    CustomLog "logs/www.example.com-access_log" common
    <Directory "/web/vhosts/www.example.com">
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin admin@www.test.com
    DocumentRoot "/web/vhosts/www.test.com"
    ServerName www.test.com
    ErrorLog "logs/www.test.com-error_log"
    CustomLog "logs/www.test.com-access_log" common
    <Directory "/web/vhosts/www.test.com">
        Require all granted
    </Directory>
</VirtualHost>
# httpd -t
Syntax OK
# apachectl restart
On the Windows machine running the browser, append two lines to C:\Windows\System32\drivers\etc\hosts:
192.168.60.171 www.example.com
192.168.60.171 www.test.com
Browse to www.example.com and www.test.com; both are served correctly.
(B) The server-status handler
This time enable server-status on www.test.com.
First check /etc/httpd24/httpd.conf and make sure the line LoadModule status_module modules/mod_status.so is uncommented.
Then confirm the module is actually loaded:
# httpd -D DUMP_MODULES | grep status
status_module (shared)
Edit /etc/httpd24/extra/httpd-vhosts.conf and add a <Location> block to the www.test.com host (the <Directory> block from the previous step stays as it was):
<VirtualHost *:80>
    ServerAdmin admin@www.test.com
    DocumentRoot "/web/vhosts/www.test.com"
    ServerName www.test.com
    ErrorLog "logs/www.test.com-error_log"
    CustomLog "logs/www.test.com-access_log" common
    <Location /server-status>
        SetHandler server-status
        Require all granted
    </Location>
</VirtualHost>
Check it in a browser. With Require all granted, anyone who can reach the host sees every in-flight request (client addresses, request URIs, worker state), so do not leave it like this outside the lab; the next section puts authentication in front of it.
(C) User-based access control
Generate the password file with the htpasswd tool shipped with Apache. Here -c creates the file, -m selects the apr1 (salted MD5) format and -b takes the password on the command line; -b is convenient in a lab but leaves the password in the shell history and visible in ps, so interactive entry is preferable on real systems. The file lives outside every document root, which is where it must stay.
# mkdir /usr/local/apache24/passwd/ -pv
mkdir: created directory `/usr/local/apache24/passwd/'
# htpasswd -cmb /usr/local/apache24/passwd/passwds admin admin
Adding password for user admin
# htpasswd -mb /usr/local/apache24/passwd/passwds test test
Adding password for user test
# cat /usr/local/apache24/passwd/passwds
admin:$apr1$GTF5UfZ2$Y66fn/HsTFWBNKRVGVyql/
test:$apr1$wGS5AyJJ$dCx6XjHj3LsK3bZG4BZ/k0
Now put the password file in front of server-status; modify /etc/httpd24/extra/httpd-vhosts.conf:
<VirtualHost *:80>
    ServerAdmin admin@www.test.com
    DocumentRoot "/web/vhosts/www.test.com"
    ServerName www.test.com
    ErrorLog "logs/www.test.com-error_log"
    CustomLog "logs/www.test.com-access_log" common
    <Location /server-status>
        SetHandler server-status
        # Require all granted
        AuthType Basic
        AuthName "Restricted Files"
        # (Following line optional)
        AuthBasicProvider file
        AuthUserFile /usr/local/apache24/passwd/passwds
        Require user admin
    </Location>
</VirtualHost>
Restart httpd and verify the configuration:
http://192.168.60.171/server-status returns 404 (the bare IP matches no ServerName and lands on the first host, www.example.com, which has no such location)
http://www.example.com/server-status returns 404
http://www.test.com/server-status prompts for a user name and password.
Only admin is allowed; after logging in, the server-status page opens (not shown). Basic authentication sends the credentials base64-encoded, not encrypted, on every request, so it belongs behind HTTPS, which is set up next.
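An added check, not from the original article: audit the password file for weak hash formats. The apr1 format used above is a salted MD5 construct; htpasswd in 2.4.4 and later also offers bcrypt (-B) and can read the password from stdin (-i), which keeps it out of shell history and process listings. The password file built in the test is constructed from the two apr1 entries above plus a made-up bcrypt entry; the htpasswd call at the end assumes the 2.4 binary is on PATH.

```shell
#!/bin/sh
# Added example, not from the original article: classify the hashes in an
# htpasswd file and flag anything weaker than bcrypt.

# hash_kind HASH -> prints one of: bcrypt, apr1-md5, sha1, crypt, plain
hash_kind() {
    case $1 in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '{SHA}'*)                echo sha1 ;;
        *)
            # traditional crypt(3) hashes are exactly 13 characters;
            # anything else that is not a recognised prefix is plain text
            if [ ${#1} -eq 13 ]; then echo crypt; else echo plain; fi ;;
    esac
}

# audit_htpasswd FILE
# Prints "user kind" for every entry. Returns 0 when every entry is bcrypt,
# 1 when at least one weaker format is present.
audit_htpasswd() {
    weak=0
    while IFS=: read -r user hash; do
        [ -z "$user" ] && continue
        case $user in \#*) continue ;; esac
        kind=$(hash_kind "$hash")
        printf '%s %s\n' "$user" "$kind"
        [ "$kind" = bcrypt ] || weak=1
    done < "$1"
    return $weak
}

# add_user_bcrypt FILE USER
# Re-enters USER with a bcrypt hash, reading the password from stdin so it
# never appears on the command line. No -c, so existing entries are kept.
add_user_bcrypt() {
    htpasswd -B -i "$1" "$2"
}

# Example (assumed interactive use, not run by the test):
#   printf '%s' "$ADMIN_PW" | add_user_bcrypt /usr/local/apache24/passwd/passwds admin
```

Rehashing an existing user with -B replaces the apr1 line in place, so migrating a file is just one add_user_bcrypt call per user followed by a re-run of audit_htpasswd to confirm it returns 0.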
(D) HTTPS configuration
Edit /etc/httpd24/httpd.conf and uncomment the mod_ssl LoadModule line and the SSL include:
LoadModule ssl_module modules/mod_ssl.so
# Secure (SSL/TLS) connections
Include /etc/httpd24/extra/httpd-ssl.conf
Then edit /etc/httpd24/extra/httpd-ssl.conf. The <Directory> block is essential: it grants access to the document root, and without it every following step can succeed and the page still returns 403. Only the lines changed from the shipped file are shown; also review the SSLProtocol and SSLCipherSuite lines it ships with and make sure at least SSLv2 and SSLv3 are disabled.
Listen 443
<VirtualHost _default_:443>
    # General setup for the virtual host
    DocumentRoot "/web/vhosts/www.ssl.com"
    ServerName www.ssl.com
    ServerAdmin master@ssl.com
    ErrorLog "/usr/local/apache24/logs/ssl_error_log"
    TransferLog "/usr/local/apache24/logs/ssl_access_log"
    <Directory "/web/vhosts/www.ssl.com">
        Require all granted
    </Directory>
    SSLCertificateFile "/etc/httpd24/server.crt"
    SSLCertificateKeyFile "/etc/httpd24/server.key"
</VirtualHost>
A local CA has already been set up. Generate the key with openssl (inside a subshell with umask 077 so the key file is created readable only by root), create a certificate request, have the CA sign it, and place the results in the configuration directory:
# cd /etc/httpd24/
# (umask 077;openssl genrsa -out /etc/httpd24/server.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................................................................................+++
............................................................................+++
e is 65537 (0x10001)
# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) :JS
Locality Name (eg, city) :NJ
Organization Name (eg, company) :NJU
Organizational Unit Name (eg, section) :Heyuan
Common Name (eg, your name or your server's hostname) []:www.ssl.com
Email Address []:webmaster@ssl.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in server.csr -out server.crt -days 1500
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Aug 10 05:03:20 2014 GMT
Not After : Sep 18 05:03:20 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = JS
organizationName = NJU
organizationalUnitName = Heyuan
commonName = www.ssl.com
emailAddress = webmaster@ssl.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
40:8C:41:3D:C2:A6:AA:4E:05:54:D8:A0:4C:84:B6:1F:60:70:6B:83
X509v3 Authority Key Identifier:
keyid:96:FC:F0:32:D4:A4:47:D0:77:D3:1D:C1:A4:56:44:4D:48:01:7A:B6
Certificate is to be certified until Sep 18 05:03:20 2018 GMT (1500 days)
Sign the certificate? :y
1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated
With the certificate and key in place, run the syntax check. It fails: mod_socache_shmcb is not loaded, and mod_ssl needs it for its default shmcb session cache. Uncomment LoadModule socache_shmcb_module modules/mod_socache_shmcb.so in httpd.conf, re-run the check, then restart.
# httpd -t
AH00526: Syntax error on line 73 of /etc/httpd24/extra/httpd-ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
# httpd -t
Syntax OK
# apachectl restart
# httpd -D DUMP_MODULES | grep ssl
ssl_module (shared)
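An added example, not part of the original article, covering the three things in this section that most often go wrong in practice: the request is generated with a subjectAltName (current browsers ignore the CN and match the host name only against the SAN), the key is checked against the request or certificate before httpd is restarted, and httpd.conf is checked for both modules mod_ssl needs. Everything beyond the article's openssl and LoadModule lines is this script's own assumption; the httpd.conf fragments in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original article.

# make_csr_with_san OUTDIR CN [ALT_DNS...]
# Writes OUTDIR/server.key (mode 0600) and OUTDIR/server.csr whose SAN lists
# CN and every ALT_DNS. Uses a config file rather than -addext so it also
# works with the OpenSSL 1.0.x shipped on CentOS 6.
make_csr_with_san() {
    outdir=$1; cn=$2; shift 2
    san="DNS:$cn"
    for alt in "$@"; do san="$san,DNS:$alt"; done
    cat > "$outdir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = $cn
[ v3_req ]
subjectAltName = $san
EOF
    # umask inside a subshell so only this key is created 0600
    (umask 077; openssl genrsa -out "$outdir/server.key" 2048 2>/dev/null) || return 1
    openssl req -new -key "$outdir/server.key" -config "$outdir/req.cnf" \
        -out "$outdir/server.csr" 2>/dev/null
}

# csr_has_san CSR NAME
# Returns 0 when the request's SAN extension lists DNS:NAME.
csr_has_san() {
    openssl req -noout -text -in "$1" | grep -qE "DNS:$2(,|$)"
}

# key_matches KEYFILE CSR_OR_CERT
# Returns 0 when the RSA modulus in the key equals the one in the request
# (*.csr) or certificate (anything else); a mismatch makes httpd refuse to
# start with an "X509_check_private_key" error.
key_matches() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    case $2 in
        *.csr) c=$(openssl req  -noout -modulus -in "$2" 2>/dev/null) ;;
        *)     c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) ;;
    esac
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_ssl_modules HTTPD_CONF
# mod_ssl's default "SSLSessionCache shmcb" needs mod_socache_shmcb; report
# which of the two LoadModule lines are active (not commented out).
# Returns 0 when both are loaded, 1 otherwise.
check_ssl_modules() {
    missing=0
    for mod in ssl_module socache_shmcb_module; do
        if grep -qE "^[[:space:]]*LoadModule[[:space:]]+$mod[[:space:]]" "$1"; then
            echo "$mod: loaded"
        else
            echo "$mod: NOT loaded"; missing=1
        fi
    done
    return $missing
}
```

One caveat for the signing step: openssl ca as used above only carries the SAN from the request into the certificate when the CA's openssl.cnf has copy_extensions = copy in its [ ca ] section; otherwise the extension is silently dropped, so check the signed server.crt with openssl x509 -noout -text before installing it.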
Likewise append the following record to the Windows hosts file C:\Windows\System32\drivers\etc\hosts:
192.168.60.171 www.ssl.com
Now test it. The CA's certificate has already been imported into the browser's trust store, so the page loads without a warning. Note that the certificate carries the host name only in the CN; current browsers require it in a subjectAltName extension as well, so a request for anything beyond this lab should include one.
That completes all the experiments.