
    Httpd

    安装httpd服务

    //以下为源码安装

    //1.准备工作
    [root@localhost ~]# yum -y install wget bzip2 gcc gcc-c++ make pcre-devel expat-devel libxml2-devel
    
    //2.下载源码包
    [root@localhost ~]# wget https://mirrors.tuna.tsinghua.edu.cn/apache/httpd/httpd-2.4.46.tar.bz2
    [root@localhost ~]# wget https://mirrors.tuna.tsinghua.edu.cn/apache//apr/apr-1.7.0.tar.gz
    [root@localhost ~]# wget https://mirrors.tuna.tsinghua.edu.cn/apache//apr/apr-util-1.6.1.tar.gz
    [root@localhost ~]# ls
    anaconda-ks.cfg  apr-1.7.0.tar.gz  apr-util-1.6.1.tar.gz  httpd-2.4.46.tar.bz2
    
    //3.安装apr
    [root@localhost ~]# tar xf apr-1.7.0.tar.gz 
    [root@localhost ~]# cd apr-1.7.0
    [root@localhost apr-1.7.0]# vi configure
    //注释这一行
    #   $RM "$cfgfile"
    [root@localhost apr-1.7.0]# ./configure --prefix=/usr/local/apr
    [root@localhost apr-1.7.0]# make
    [root@localhost apr-1.7.0]# make install
    
    //4.安装apr-util
    [root@localhost apr-1.7.0]# cd
    [root@localhost ~]# tar xf apr-util-1.6.1.tar.gz 
    [root@localhost ~]# cd apr-util-1.6.1
    [root@localhost apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
    [root@localhost apr-util-1.6.1]# make
    [root@localhost apr-util-1.6.1]# make install
    
    //5.安装httpd
    [root@localhost apr-util-1.6.1]# cd
    [root@localhost ~]# tar xf httpd-2.4.46.tar.bz2 
    [root@localhost ~]# cd httpd-2.4.46
    [root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/apache \
    --sysconfdir=/etc/httpd24 \
    --enable-so \
    --enable-ssl \
    --enable-cgi \
    --enable-rewrite \
    --with-zlib \
    --with-pcre \
    --with-apr=/usr/local/apr \
    --with-apr-util=/usr/local/apr-util/ \
    --enable-modules=most \
    --enable-mpms-shared=all \
    --with-mpm=prefork
    [root@localhost httpd-2.4.46]# make
    [root@localhost httpd-2.4.46]# make install
    
    //6.设置环境变量(注意:以下路径应与第5步 configure 的 --prefix 保持一致,否则 apachectl 找不到)
    [root@localhost ~]# vi /etc/profile.d/httpd.sh
    export PATH=$PATH:/usr/local/httpd/bin
    [root@localhost ~]# source /etc/profile.d/httpd.sh 
    
    //7.设置头文件链接
    [root@localhost ~]# ln -s /usr/local/httpd/include /usr/include/httpd
    
    //8.设置帮助文档(加入以下内容)
    [root@localhost ~]# vi /etc/man_db.conf 
    MANDATORY_MANPATH                       /usr/local/httpd/man
    MANDATORY_MANPATH                       /usr/local/httpd/manual
    
    //9.管理httpd
    [root@localhost ~]# apachectl start
    [root@localhost ~]# apachectl stop
    [root@localhost ~]# apachectl restart
    
    //10.关闭防火墙和SELinux(仅适用于实验环境;生产环境应改为在防火墙放行80/443端口并保留SELinux)
    [root@localhost ~]# systemctl stop firewalld
    [root@localhost ~]# setenforce 0
    

    httpd配置

    切换使用MPM

    (编辑/etc/httpd/conf.modules.d/00-mpm.conf文件):

    [root@localhost ~]# cd /etc/httpd/conf.modules.d/
    [root@localhost conf.modules.d]# ls
    00-base.conf  00-lua.conf  00-optional.conf  00-systemd.conf  10-h2.conf        README
    00-dav.conf   00-mpm.conf  00-proxy.conf     01-cgi.conf      10-proxy_h2.conf
    [root@localhost conf.modules.d]# vim 00-mpm.conf
    # Select the MPM module which should be used by uncommenting exactly
    # one of the following LoadModule lines.  See the httpd.conf(5) man
    # page for more information on changing the MPM.
    
    # prefork MPM: Implements a non-threaded, pre-forking web server
    # See: http://httpd.apache.org/docs/2.4/mod/prefork.html
    #
    # NOTE: If enabling prefork, the httpd_graceful_shutdown SELinux
    # boolean should be enabled, to allow graceful stop/shutdown.
    #
    #LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
    
    # worker MPM: Multi-Processing Module implementing a hybrid
    # multi-threaded multi-process web server
    # See: http://httpd.apache.org/docs/2.4/mod/worker.html
    #
    #LoadModule mpm_worker_module modules/mod_mpm_worker.so
    
    # event MPM: A variant of the worker MPM with the goal of consuming
    # threads only for connections with active processing
    # See: http://httpd.apache.org/docs/2.4/mod/event.html
    #
    LoadModule mpm_event_module modules/mod_mpm_event.so
    

    切换方式:用哪种模式就在相应的那一行取消注释,注意不能同时用两个模式,只能有一个启用。

    访问控制法则

    法则 功能
    Require all granted 允许所有主机访问
    Require all denied 拒绝所有主机访问
    Require ip IPADDR 授权指定来源地址的主机访问
    Require not ip IPADDR 拒绝指定来源地址的主机访问
    Require host HOSTNAME 授权指定来源主机名的主机访问
    Require not host HOSTNAME 拒绝指定来源主机名的主机访问

    默认首页在/var/www/html/index.html

    //在/var/www/html中创建一个test文件夹
    [root@localhost html]# mkdir test
    [root@localhost html]# echo 'haha' > /var/www/html/test/index.html
    

    访问192.168.21.129/test/

    1

    请问如果想让有些人能访问test,有些人不能访问,应该怎么做呢?

    比如192.168.21.1不让访问test:

    [root@localhost ~]# vim /etc/httpd/conf/httpd.conf
    <Directory "/var/www/html">
        #
        # Possible values for the Options directive are "None", "All",
        # or any combination of:
        #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
        #
        # Note that "MultiViews" must be named *explicitly* --- "Options All"
        # doesn't give it to you.
        #
        # The Options directive is both complicated and important.  Please see
        # http://httpd.apache.org/docs/2.4/mod/core.html#options
        # for more information.
        #
        Options Indexes FollowSymLinks
    
        #
        # AllowOverride controls what directives may be placed in .htaccess files.
        # It can be "All", "None", or any combination of the keywords:
        #   Options FileInfo AuthConfig Limit
        #
        AllowOverride None
    
        #
        # Controls who can get stuff from this server.
        #
        Require all granted
    </Directory>
    
    //在后面加上这个访问控制法则,192.168.21.1为本机地址
    <Directory "/var/www/html/test">
        <RequireAll>
            Require not ip 192.168.21.1
            Require all granted
        </RequireAll>
    </Directory>
    [root@localhost ~]# systemctl restart httpd
    [root@localhost html]# curl http://192.168.21.129/test/index.html
    haha
    

    2

    如果将法则改为192.168.21.129:

    [root@localhost html]# vim /etc/httpd/conf/httpd.conf 
    
    <Directory "/var/www/html/test">
        <RequireAll>
            Require not ip 192.168.21.129
            Require all granted
        </RequireAll>
    </Directory>
    
    或
    
    <Directory "/var/www/html/test">
            Require ip 192.168.21.1
    </Directory>
    
    [root@localhost html]# systemctl restart httpd
    [root@localhost html]# curl http://192.168.21.129/test/index.html
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access /test/index.html
    on this server.<br />
    </p>
    </body></html>
    

    则虚拟机无法访问,本机可以访问

    3

    三种虚拟主机的配置

    虚拟主机有三类:

    • 相同IP不同端口

    • 不同IP相同端口

    • 相同IP相同端口不同域名

    相同IP不同端口

    [root@localhost ~]# hostname
    localhost.localdomain
    [root@localhost ~]# hostnamectl set-hostname www.example.com
    [root@localhost ~]# bash
    [root@www ~]# hostname
    www.example.com
    [root@www ~]# cd /etc/httpd/conf.d
    [root@www conf.d]# find / -name *vhosts.conf
    /usr/share/doc/httpd/httpd-vhosts.conf
    [root@www conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf .
    [root@www conf.d]# ls
    autoindex.conf  httpd-vhosts.conf  README  userdir.conf  welcome.conf
    [root@www conf.d]# vim httpd-vhosts.conf
    <VirtualHost *:80>
        DocumentRoot "/var/www/html/"
        ServerName www.example.com
        ErrorLog "/var/log/httpd/www.example.com-error_log"
        CustomLog "/var/log/httpd/www.example.com-access_log" common
    </VirtualHost>
    [root@www conf.d]# systemctl restart httpd
    

    在源码之家上下载2个HTML5实例

    [root@www ~]# ls
    anaconda-ks.cfg  HTML5_Windows10.zip  taikongheidongdonghua.zip
    [root@www ~]# unzip HTML5_Windows10.zip taikongheidongdonghua.zip 
    [root@www ~]# mv HTML5模仿Windows10桌面代码 win10
    [root@www ~]# mv HTML5太空黑洞动画代码 taikong
    [root@www ~]# ls
    anaconda-ks.cfg  HTML5_Windows10.zip  taikong  taikongheidongdonghua.zip  win10
    [root@www ~]# mv taikong win10 /var/www/html/
    [root@www ~]# cd /var/www/html/
    [root@www html]# ls
    index.html  taikong  test  win10
    [root@www ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf 
    <VirtualHost *:80>
        DocumentRoot "/var/www/html/win10"
        ServerName win10.example.com
        ErrorLog "/var/log/httpd/win10.example.com-error_log"
        CustomLog "/var/log/httpd/win10.example.com-access_log" common
    </VirtualHost>
    
    Listen 81
    <VirtualHost *:81>
        DocumentRoot "/var/www/html/taikong"
        ServerName taikong.example.com
        ErrorLog "/var/log/httpd/taikong.example.com-error_log"
        CustomLog "/var/log/httpd/taikong.example.com-access_log" common
    </VirtualHost>
    [root@www ~]# systemctl restart httpd
    

    访问192.168.21.129:80

    4

    访问192.168.21.129:81

    5

    不同IP相同端口

    [root@www ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf 
    <VirtualHost 192.168.21.129:80>
        DocumentRoot "/var/www/html/win10"
        ServerName win10.example.com
        ErrorLog "/var/log/httpd/win10.example.com-error_log"
        CustomLog "/var/log/httpd/win10.example.com-access_log" common
    </VirtualHost>
    
    <VirtualHost 192.168.21.250:80>
        DocumentRoot "/var/www/html/taikong"
        ServerName taikong.example.com
        ErrorLog "/var/log/httpd/taikong.example.com-error_log"
        CustomLog "/var/log/httpd/taikong.example.com-access_log" common
    </VirtualHost>
    [root@www ~]# systemctl restart httpd
    [root@www ~]# ip a
    2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:c8:3e:c8 brd ff:ff:ff:ff:ff:ff
        inet 192.168.21.129/24 brd 192.168.21.255 scope global dynamic noprefixroute ens160
           valid_lft 908sec preferred_lft 908sec
        inet6 fe80::197b:f289:f6a9:5e1d/64 scope link noprefixroute 
           valid_lft forever preferred_lft forever
    [root@www ~]# ip addr add 192.168.21.250/24 dev ens160
    [root@www ~]# ip a
    2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:c8:3e:c8 brd ff:ff:ff:ff:ff:ff
        inet 192.168.21.129/24 brd 192.168.21.255 scope global dynamic noprefixroute ens160
           valid_lft 1783sec preferred_lft 1783sec
        inet 192.168.21.250/24 scope global secondary ens160
           valid_lft forever preferred_lft forever
        inet6 fe80::197b:f289:f6a9:5e1d/64 scope link noprefixroute 
           valid_lft forever preferred_lft forever
    

    访问192.168.21.129

    6

    访问192.168.21.250

    7

    相同IP相同端口不同域名

    [root@www ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf 
    <VirtualHost *:80>
        DocumentRoot "/var/www/html/win10"
        ServerName win10.example.com
        ErrorLog "/var/log/httpd/win10.example.com-error_log"
        CustomLog "/var/log/httpd/win10.example.com-access_log" common
    </VirtualHost>
    
    <VirtualHost *:80>
        DocumentRoot "/var/www/html/taikong"
        ServerName taikong.example.com
        ErrorLog "/var/log/httpd/taikong.example.com-error_log"
        CustomLog "/var/log/httpd/taikong.example.com-access_log" common
    </VirtualHost>
    [root@www ~]# systemctl restart httpd
    

    IP地址映射:

    hosts文件路径

    C:\Windows\System32\drivers\etc\hosts

    192.168.21.129 win10.example.com taikong.example.com

    访问win10.example.com

    8

    访问taikong.example.com

    9

    https配置

    CA的配置文件:/etc/pki/tls/openssl.cnf

    CA生成一对密钥

     [root@www ~]# cd /etc/pki/CA
    bash: cd: /etc/pki/CA: No such file or directory
    [root@www ~]# mkdir /etc/pki/CA
    [root@www ~]# cd /etc/pki/CA
    //生成密钥
    [root@www CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
    genrsa: Can't open "private/cakey.pem" for writing, No such file or directory
    [root@www CA]# mkdir private
    [root@www CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus (2 primes)
    .....................................................................................+++++
    ................................+++++
    e is 65537 (0x010001)
    [root@www CA]# ls private/
    cakey.pem
    //提取公钥
    [root@www CA]# openssl rsa -in private/cakey.pem -pubout
    writing RSA key
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1vk5foqHDeMcPTXJHFeS
    ZjICQsb/Af8SJH6351kuG5kL5Axjq1XsUbuM3FZyIwJ7HpV1CQBlfhJJ1ku6EkfU
    1wRq+9G+ZE03sONBIpXqUsuTnMw0CDBZWXHFlwzi2iI3PpIVZLNNkk4DiHN3jJVm
    ypjclmA0r25SSXdClyP68/63OaeIgg0GZptsulKdTzaxPxDwByE4mGjX4497aFzY
    FKEYKDLkUAhK4LJcUoCuLmu3Vj+3hnHl/YvOLKgm9D+I3UO5ATQaIrVEbSWUyoDl
    EzvHz/dAf6eUXMN+pcwnJZpuPEkXFdu0oMWvTeu7vI1Dx7uS9ydQjTZvb5UW/vKe
    fwIDAQAB
    -----END PUBLIC KEY-----
    

    CA生成自签署证书

    //生成自签署证书
    [root@www CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:HB
    Locality Name (eg, city) [Default City]:WH
    Organization Name (eg, company) [Default Company Ltd]:yuqinghao
    Organizational Unit Name (eg, section) []:xuexi
    Common Name (eg, your name or your server's hostname) []:taikong.example.com
    Email Address []:1@2.com 
    //读出cacert.pem证书的内容
    [root@www CA]# openssl x509 -text -in cacert.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                59:86:ea:fc:15:3a:a5:05:9c:7f:01:0d:82:6e:ec:b8:6e:47:b8:6e
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = cn, ST = HB, L = WH, O = runtime, OU = peixun, CN = taikong.example.com, emailAddress = 1@2.com
            Validity
                Not Before: Dec 21 14:49:18 2020 GMT
                Not After : Dec 21 14:49:18 2021 GMT
            Subject: C = cn, ST = HB, L = WH, O = runtime, OU = peixun, CN = taikong.example.com, emailAddress = 1@2.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
                        00:d6:f9:39:7e:8a:87:0d:e3:1c:3d:35:c9:1c:57:
                        92:66:32:02:42:c6:ff:01:ff:12:24:7e:b7:e7:59:
                        2e:1b:99:0b:e4:0c:63:ab:55:ec:51:bb:8c:dc:56:
                        72:23:02:7b:1e:95:75:09:00:65:7e:12:49:d6:4b:
                        ba:12:47:d4:d7:04:6a:fb:d1:be:64:4d:37:b0:e3:
                        41:22:95:ea:52:cb:93:9c:cc:34:08:30:59:59:71:
                        c5:97:0c:e2:da:22:37:3e:92:15:64:b3:4d:92:4e:
                        03:88:73:77:8c:95:66:ca:98:dc:96:60:34:af:6e:
                        52:49:77:42:97:23:fa:f3:fe:b7:39:a7:88:82:0d:
                        06:66:9b:6c:ba:52:9d:4f:36:b1:3f:10:f0:07:21:
                        38:98:68:d7:e3:8f:7b:68:5c:d8:14:a1:18:28:32:
                        e4:50:08:4a:e0:b2:5c:52:80:ae:2e:6b:b7:56:3f:
                        b7:86:71:e5:fd:8b:ce:2c:a8:26:f4:3f:88:dd:43:
                        b9:01:34:1a:22:b5:44:6d:25:94:ca:80:e5:13:3b:
                        c7:cf:f7:40:7f:a7:94:5c:c3:7e:a5:cc:27:25:9a:
                        6e:3c:49:17:15:db:b4:a0:c5:af:4d:eb:bb:bc:8d:
                        43:c7:bb:92:f7:27:50:8d:36:6f:6f:95:16:fe:f2:
                        9e:7f
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                    4F:05:D3:F8:A8:3A:D0:A3:86:BF:9B:E8:D6:AA:2B:02:7E:7C:CE:16
                X509v3 Authority Key Identifier: 
                    keyid:4F:05:D3:F8:A8:3A:D0:A3:86:BF:9B:E8:D6:AA:2B:02:7E:7C:CE:16
    
                X509v3 Basic Constraints: critical
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
             83:94:d7:ee:a6:a1:a5:1e:8a:5a:ab:ad:62:31:88:dd:c3:9f:
             3a:59:92:99:d3:b7:f8:ba:91:ea:7d:62:e1:7b:53:de:28:2b:
             53:77:0d:fe:68:26:62:53:77:fe:2a:6e:42:de:a7:ef:d1:99:
             e0:89:a6:f6:4d:73:11:d9:f1:e0:3a:9a:e6:a2:af:14:70:f2:
             98:bc:ab:7c:77:11:0a:1d:5a:5a:ab:cc:9b:0a:51:9f:8f:8c:
             dd:20:0a:86:85:31:d4:6f:74:ed:c5:f7:d6:7f:1d:5e:ec:01:
             c1:e9:e9:bd:d2:e6:da:42:3c:c7:df:14:6a:41:c1:73:dc:93:
             79:cb:95:bf:48:76:58:20:f9:99:5f:58:4a:41:3e:b6:58:08:
             b1:68:b2:44:78:0c:da:1b:9f:a2:61:78:5b:14:0d:73:90:0c:
             56:ce:2b:90:97:11:1c:e9:b9:7d:4c:57:8e:dc:ba:bd:8d:91:
             3b:b3:0c:1c:6c:38:e3:6d:3d:8f:c3:9d:40:a8:67:f1:d4:98:
             a4:c1:1e:94:ea:38:34:ce:2f:15:99:ee:e0:e5:45:97:6a:43:
             ca:6c:27:f8:13:e6:c4:a7:59:d8:ce:2e:90:4b:df:5b:6a:5d:
             de:9f:3c:3f:42:08:69:84:b9:43:1e:ef:d5:80:f4:14:9d:29:
             14:2e:a7:30
    -----BEGIN CERTIFICATE-----
    MIID4zCCAsugAwIBAgIUWYbq/BU6pQWcfwENgm7suG5HuG4wDQYJKoZIhvcNAQEL
    BQAwgYAxCzAJBgNVBAYTAmNuMQswCQYDVQQIDAJIQjELMAkGA1UEBwwCV0gxEDAO
    BgNVBAoMB3J1bnRpbWUxDzANBgNVBAsMBnBlaXh1bjEcMBoGA1UEAwwTdGFpa29u
    Zy5leGFtcGxlLmNvbTEWMBQGCSqGSIb3DQEJARYHMUAyLmNvbTAeFw0yMDEyMjEx
    NDQ5MThaFw0yMTEyMjExNDQ5MThaMIGAMQswCQYDVQQGEwJjbjELMAkGA1UECAwC
    SEIxCzAJBgNVBAcMAldIMRAwDgYDVQQKDAdydW50aW1lMQ8wDQYDVQQLDAZwZWl4
    dW4xHDAaBgNVBAMME3RhaWtvbmcuZXhhbXBsZS5jb20xFjAUBgkqhkiG9w0BCQEW
    BzFAMi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDW+Tl+iocN
    4xw9NckcV5JmMgJCxv8B/xIkfrfnWS4bmQvkDGOrVexRu4zcVnIjAnselXUJAGV+
    EknWS7oSR9TXBGr70b5kTTew40EilepSy5OczDQIMFlZccWXDOLaIjc+khVks02S
    TgOIc3eMlWbKmNyWYDSvblJJd0KXI/rz/rc5p4iCDQZmm2y6Up1PNrE/EPAHITiY
    aNfjj3toXNgUoRgoMuRQCErgslxSgK4ua7dWP7eGceX9i84sqCb0P4jdQ7kBNBoi
    tURtJZTKgOUTO8fP90B/p5Rcw36lzCclmm48SRcV27Sgxa9N67u8jUPHu5L3J1CN
    Nm9vlRb+8p5/AgMBAAGjUzBRMB0GA1UdDgQWBBRPBdP4qDrQo4a/m+jWqisCfnzO
    FjAfBgNVHSMEGDAWgBRPBdP4qDrQo4a/m+jWqisCfnzOFjAPBgNVHRMBAf8EBTAD
    AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCDlNfupqGlHopaq61iMYjdw586WZKZ07f4
    upHqfWLhe1PeKCtTdw3+aCZiU3f+Km5C3qfv0Zngiab2TXMR2fHgOprmoq8UcPKY
    vKt8dxEKHVpaq8ybClGfj4zdIAqGhTHUb3TtxffWfx1e7AHB6em90ubaQjzH3xRq
    QcFz3JN5y5W/SHZYIPmZX1hKQT62WAixaLJEeAzaG5+iYXhbFA1zkAxWziuQlxEc
    6bl9TFeO3Lq9jZE7swwcbDjjbT2Pw51AqGfx1JikwR6U6jg0zi8Vme7g5UWXakPK
    bCf4E+bEp1nYzi6QS99bal3enzw/QghphLlDHu/VgPQUnSkULqcw
    -----END CERTIFICATE-----
    [root@www CA]# mkdir certs newcerts crl
    [root@www CA]# touch index.txt && echo 01 > serial
    [root@www CA]# ls
    cacert.pem  certs  crl  index.txt  newcerts  private  serial
    

    客户端(例如httpd服务器)生成密钥

    [root@www CA]# cd /etc/httpd && mkdir ssl && cd ssl
    [root@www ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
    Generating RSA private key, 2048 bit long modulus (2 primes)
    ..+++++
    ..........................+++++
    e is 65537 (0x010001)
    

    客户端生成证书签署请求

    [root@www ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
    Ignoring -days; not generating a certificate
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn     
    State or Province Name (full name) []:HB
    Locality Name (eg, city) [Default City]:WH
    Organization Name (eg, company) [Default Company Ltd]:yuqinghao
    Organizational Unit Name (eg, section) []:xuexi
    Common Name (eg, your name or your server's hostname) []:taikong.example.com  
    Email Address []:1@2.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    

    CA签署客户端提交的证书签署请求

    [root@www ssl]# openssl ca -in ./httpd.csr -out httpd.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Dec 21 15:15:55 2020 GMT
                Not After : Dec 21 15:15:55 2021 GMT
            Subject:
                countryName               = cn
                stateOrProvinceName       = HB
                organizationName          = yuqinghao
                organizationalUnitName    = xuexi
                commonName                = taikong.example.com
                emailAddress              = 1@2.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    F2:02:61:22:44:F9:AC:3E:61:2D:27:CF:2A:AE:E5:37:95:2B:FD:6A
                X509v3 Authority Key Identifier: 
                    keyid:4F:05:D3:F8:A8:3A:D0:A3:86:BF:9B:E8:D6:AA:2B:02:7E:7C:CE:16
    
    Certificate is to be certified until Dec 21 15:15:55 2021 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    

    修改配置文件

    [root@www ~]# yum -y install mod_ssl
    [root@www ~]# vim /etc/httpd/conf.d/ssl.conf 
    <VirtualHost _default_:443>
    
    # General setup for the virtual host, inherited from global configuration
    //取消注释修改为taikong
    DocumentRoot "/var/www/html/taikong/"
    ServerName taikong.example.com:443
    
    #   Point SSLCertificateFile at a PEM encoded certificate.  If
    #   the certificate is encrypted, then you will be prompted for a
    #   pass phrase.  Note that restarting httpd will prompt again.  Keep
    #   in mind that if you have both an RSA and a DSA certificate you
    #   can configure both in parallel (to also allow the use of DSA
    #   ciphers, etc.)
    #   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
    #   require an ECC certificate which can also be configured in
    #   parallel.
    //修改为刚刚生成证书的位置
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    
    #   Server Private Key:
    #   If the key is not combined with the certificate, use this
    #   directive to point at the key file.  Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    #   ECC keys, when in use, can also be configured in parallel
    //修改为刚刚生成私钥的位置
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
    
    [root@www ~]# systemctl restart httpd
    [root@www ~]# ss -antl
    State     Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    
    LISTEN    0          128                  0.0.0.0:22                0.0.0.0:*   
    LISTEN    0          128                     [::]:22                   [::]:*   
    LISTEN    0          128                        *:443                     *:*   
    LISTEN    0          128                        *:80                      *:*   
    

    访问https://taikong.example.com

    10

    高级-接受风险并继续(浏览器提示风险是因为客户端尚未信任自建CA;把cacert.pem导入客户端信任库后即可不再提示)

    11

    访问https://win10.example.com

    12

    以下是一步一步安装httpd时可能会遇到的错误及解决的方式

    //下载源码包
    [root@localhost ~]# wget https://mirrors.tuna.tsinghua.edu.cn/apache/httpd/httpd-2.4.46.tar.bz2
    [root@localhost ~]# ls
    anaconda-ks.cfg  httpd-2.4.46.tar.bz2
    
    //解压并进入
    [root@localhost ~]# tar xf httpd-2.4.46.tar.bz2 
    [root@localhost ~]# ls
    anaconda-ks.cfg  httpd-2.4.46  httpd-2.4.46.tar.bz2
    [root@localhost ~]# cd httpd-2.4.46
    [root@localhost httpd-2.4.46]# ls
    ABOUT_APACHE     BuildBin.dsp    emacs-style     LAYOUT        NOTICE            srclib
    acinclude.m4     buildconf       httpd.dep       libhttpd.dep  NWGNUmakefile     support
    Apache-apr2.dsw  CHANGES         httpd.dsp       libhttpd.dsp  os                test
    Apache.dsw       CMakeLists.txt  httpd.mak       libhttpd.mak  README            VERSIONING
    apache_probes.d  config.layout   httpd.spec      LICENSE       README.cmake
    ap.d             configure       include         Makefile.in   README.platforms
    build            configure.in    INSTALL         Makefile.win  ROADMAP
    BuildAll.dsp     docs            InstallBin.dsp  modules       server
    
    //尝试安装httpd
    [root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd
    checking for APR... no
    configure: error: APR not found.  Please read the documentation.
    
    //解决apr not found问题
    //(需要安装apr)
    [root@localhost httpd-2.4.46]# cd
    [root@localhost ~]# wget https://mirrors.tuna.tsinghua.edu.cn/apache//apr/apr-1.7.0.tar.gz
    [root@localhost ~]# tar xf apr-1.7.0.tar.gz 
    [root@localhost ~]# cd apr-1.7.0
    [root@localhost apr-1.7.0]# ls
    apr-config.in  build.conf        dso         libapr.rc     NOTICE         support
    apr.dep        buildconf         emacs-mode  LICENSE       NWGNUmakefile  tables
    apr.dsp        build-outputs.mk  encoding    locks         passwd         test
    apr.dsw        CHANGES           file_io     Makefile.in   poll           threadproc
    apr.mak        CMakeLists.txt    helpers     Makefile.win  random         time
    apr.pc.in      config.layout     include     memory        README         tools
    apr.spec       configure         libapr.dep  misc          README.cmake   user
    atomic         configure.in      libapr.dsp  mmap          shmem
    build          docs              libapr.mak  network_io    strings
    [root@localhost apr-1.7.0]# ./configure --prefix=/usr/local/apr
    [root@localhost apr-1.7.0]# echo $?
    0
    [root@localhost apr-1.7.0]# make
    [root@localhost apr-1.7.0]# echo $?
    0
    [root@localhost apr-1.7.0]# make install
    [root@localhost apr-1.7.0]# echo $?
    0
    
    //再尝试安装apache
    [root@localhost apr-1.7.0]# cd
    [root@localhost ~]# cd httpd-2.4.46
    [root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd
    checking for APR-util... no
    configure: error: APR-util not found.  Please read the documentation.
    
    //解决APR-util not found问题
    //(需要安装apr-util)
    [root@localhost httpd-2.4.46]# cd
    [root@localhost apr-util-1.6.1]# wget https://mirrors.tuna.tsinghua.edu.cn/apache//apr/apr-util-1.6.1.tar.gz
    [root@localhost ~]# tar xf apr-util-1.6.1.tar.gz 
    [root@localhost ~]# cd apr-util-1.6.1
    [root@localhost apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util
    configure: error: APR could not be located. Please use the --with-apr option.
    
    //解决APR could not be located问题
    //(安装apr-util时需要使用--with-apr=PATH)
    [root@localhost apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
    [root@localhost apr-util-1.6.1]# make
    xml/apr_xml.c:35:10: fatal error: expat.h: No such file or directory
    
    //解决缺少expat库问题
    //(需要安装expat-devel)
    [root@localhost apr-util-1.6.1]# yum -y install expat-devel
    [root@localhost apr-util-1.6.1]# echo $?
    0
    [root@localhost apr-util-1.6.1]# make install
    [root@localhost apr-util-1.6.1]# echo $?
    0
    
    //再尝试安装httpd
    [root@localhost apr-util-1.6.1]# cd
    [root@localhost ~]# cd httpd-2.4.46
    [root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd
    checking for APR-util... no
    configure: error: APR-util not found.  Please read the documentation.
    
    //解决APR-util还是not found问题
    //(安装httpd时需要使用--with-apr=PATH --with-apr-util=PATH)
    [root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util
    configure: error: pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/
    
    //解决pcre not found问题
    //(需要安装pcre-devel)
    [root@localhost httpd-2.4.46]# yum -y install pcre-devel
    
    //再尝试安装httpd
    [root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util
    configure: summary of build options:
        Server Version: 2.4.46
        Install prefix: /usr/local/httpd
        C compiler:     gcc
        CFLAGS:          -g -O2 -pthread  
        CPPFLAGS:        -DLINUX -D_REENTRANT -D_GNU_SOURCE  
        LDFLAGS:           
        LIBS:             
        C preprocessor: gcc -E
    [root@localhost httpd-2.4.46]# echo $?
    0
    [root@localhost httpd-2.4.46]# make
    collect2: error: ld returned 1 exit status
    make[2]: *** [Makefile:48: htpasswd] Error 1
    make[2]: Leaving directory '/root/httpd-2.4.46/support'
    make[1]: *** [/root/httpd-2.4.46/build/rules.mk:75: all-recursive] Error 1
    make[1]: Leaving directory '/root/httpd-2.4.46/support'
    make: *** [/root/httpd-2.4.46/build/rules.mk:75: all-recursive] Error 1
    [root@localhost httpd-2.4.46]# echo $?
    2
    
    //缺少了xml相关的库,需要安装libxml2-devel包。直接安装并不能解决问题,因为httpd调用的apr-util已经安装好了,但是apr-util并没有libxml2-devel包支持。
    //(需要安装libxml2-devel)
    [root@localhost httpd-2.4.46]# yum -y install libxml2-devel
    
    //删除apr-util安装目录,并重新编译安装
    [root@localhost httpd-2.4.46]# rm -rf /usr/local/apr-util/
    [root@localhost httpd-2.4.46]# cd
    [root@localhost ~]# cd apr-util-1.6.1
    
    //清除之前配置时的缓存
    [root@localhost apr-util-1.6.1]# make clean
    
    //重新安装apr-util
    [root@localhost apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
    [root@localhost apr-util-1.6.1]# echo $?
    0
    [root@localhost apr-util-1.6.1]# make
    [root@localhost apr-util-1.6.1]# echo $?
    0
    [root@localhost apr-util-1.6.1]# make install
    [root@localhost apr-util-1.6.1]# echo $?
    0
    
    //重新编译安装httpd
    [root@localhost apr-util-1.6.1]# cd
    [root@localhost ~]# cd httpd-2.4.46
    [root@localhost httpd-2.4.46]# make clean
    [root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd  --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util
    configure: summary of build options:
        Server Version: 2.4.46
        Install prefix: /usr/local/httpd
        C compiler:     gcc
        CFLAGS:          -g -O2 -pthread  
        CPPFLAGS:        -DLINUX -D_REENTRANT -D_GNU_SOURCE  
        LDFLAGS:           
        LIBS:             
        C preprocessor: gcc -E
    [root@localhost httpd-2.4.46]# echo $?
    0
    [root@localhost httpd-2.4.46]# make
    [root@localhost httpd-2.4.46]# echo $?
    0
    [root@localhost httpd-2.4.46]# make install
    [root@localhost httpd-2.4.46]# echo $?
    0
    
    //关闭防火墙修改配置文件并重启服务
    [root@localhost httpd-2.4.46]# systemctl stop firewalld
    [root@localhost httpd-2.4.46]# setenforce 0
    [root@localhost httpd-2.4.46]# getenforce 
    Permissive
    [root@localhost httpd-2.4.46]# /usr/local/httpd/bin/apachectl start
    [root@localhost httpd-2.4.46]# vi /usr/local/httpd/conf/httpd.conf 
    ServerName localhost:80
    [root@localhost httpd-2.4.46]# /usr/local/httpd/bin/apachectl restart
    
    //设置环境变量
    [root@localhost httpd-2.4.46]# cd
    [root@localhost ~]# vi /etc/profile.d/apache.sh
    export PATH=$PATH:/usr/local/httpd/bin/
    [root@localhost ~]# source /etc/profile.d/apache.sh
    
    //设置头文件链接
    [root@localhost ~]# ln -s /usr/local/httpd/include/ /usr/include/httpd
    
    //设置帮助文档(加入以下内容)
    [root@localhost man]# vi /etc/man_db.conf
    MANDATORY_MANPATH                       /usr/local/httpd/man
    MANDATORY_MANPATH                       /usr/local/httpd/manual
    
    //测试httpd服务
    [root@localhost man]# cd
    [root@localhost ~]# apachectl stop
    [root@localhost ~]# ss -antl
    State       Recv-Q      Send-Q           Local Address:Port             Peer Address:Port 
    LISTEN      0           128                    0.0.0.0:22                    0.0.0.0:*   
    LISTEN      0           128                       [::]:22                       [::]:*   
    [root@localhost ~]# apachectl start
    [root@localhost ~]# ss -antl
    State       Recv-Q      Send-Q           Local Address:Port             Peer Address:Port 
    LISTEN      0           128                    0.0.0.0:22                    0.0.0.0:*   
    LISTEN      0           128                          *:80                          *:*   
    LISTEN      0           128                       [::]:22                       [::]:*  
    [root@localhost ~]# ip a
    2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:f9:ec:35 brd ff:ff:ff:ff:ff:ff
        inet 192.168.237.128/24 brd 192.168.237.255 scope global dynamic noprefixroute ens160
           valid_lft 1649sec preferred_lft 1649sec
        inet6 fe80::96da:6b44:5ce1:8588/64 scope link noprefixroute 
           valid_lft forever preferred_lft forever
    

    测试成功

    apache
