1. httpd简介
httpd是Apache超文本传输协议(HTTP)服务器的主程序。被设计为一个独立运行的后台进程,它会建立一个处理请求的子进程或线程的池。
通常,httpd不应该被直接调用,而应该在类Unix系统中由apachectl调用,在Windows中作为服务运行。
2. httpd版本
本文主要介绍httpd的两大版本,httpd-2.2和httpd-2.4。
- CentOS6系列的版本默认提供的是httpd-2.2版本的rpm包
- CentOS7系列的版本默认提供的是httpd-2.4版本的rpm包
2.1 httpd的特性
httpd有很多特性,下面就分别来说说httpd-2.2版本和httpd-2.4版本各自的特性。
版本 | 特性 |
---|---|
2.2 | 事先创建进程 按需维持适当的进程 模块化设计,核心比较小,各种功能通过模块添加(包括PHP),支持运行时配置,支持单独编译模块 支持多种方式的虚拟主机配置,如基于ip的虚拟主机,基于端口的虚拟主机,基于域名的虚拟主机等 支持https协议(通过mod_ssl模块实现) 支持用户认证 支持基于IP或域名的ACL访问控制机制 支持每目录的访问控制(用户访问默认主页时不需要提供用户名和密码,但是用户访问某特定目录时需要提供用户名和密码) 支持URL重写 支持MPM(Multi Path Modules,多处理模块)。用于定义httpd的工作模型(单进程、单进程多线程、多进程、多进程单线程、多进程多线程) |
2.4 | httpd-2.4的新特性:MPM支持运行DSO机制(Dynamic Share Object,模块的动态装/卸载机制),以模块形式按需加载 支持event MPM,eventMPM模块生产环境可用 支持异步读写 支持每个模块及每个目录分别使用各自的日志级别 每个请求相关的专业配置,使用<If>来配置 增强版的表达式分析器 支持毫秒级的keepalive timeout 基于FQDN的虚拟主机不再需要NameVirtualHost指令 支持用户自定义变量 支持新的指令(AllowOverrideList)降低对内存的消耗 |
工作模型 | 工作方式 |
---|---|
prefork | 多进程模型,预先生成进程,一个请求用一个进程响应 一个主进程负责生成n个子进程,子进程也称为工作进程 每个子进程处理一个用户请求,即使没有用户请求,也会预先生成多个空闲进程,随时等待请求到达,最大不会超过1024个 |
worker | 基于线程工作,一个请求用一个线程响应(启动多个进程,每个进程生成多个线程) |
event | 基于事件的驱动,一个进程处理多个请求 |
模块 | 功能 |
---|---|
mod_proxy_fcgi | 反向代理时支持apache服务器后端协议的模块 |
mod_ratelimit | 提供速率限制功能的模块 |
mod_remoteip | 基于ip的访问控制机制被改变,不再支持使用Order,Deny,Allow来做基于IP的访问控制 |
2.2 httpd-2.4新增的模块
httpd-2.4在之前的版本基础上新增了几大模块,下面就几个常用的来介绍一下。
3. httpd基础
3.1 httpd自带的工具程序
工具 | 功能 |
---|---|
htpasswd | basic认证基于文件实现时,用到的帐号密码生成工具 |
apachectl | httpd自带的服务控制脚本,支持start,stop,restart |
apxs | 由httpd-devel包提供的,扩展httpd使用第三方模块的工具 |
rotatelogs | 日志滚动工具 |
suexec | 访问某些有特殊权限配置的资源时,临时切换至指定用户运行的工具 |
ab | apache benchmark,httpd的压力测试工具 |
3.2 rpm包安装的httpd程序环境
文件/目录 | 对应的功能 |
---|---|
/var/log/httpd/access.log | 访问日志 |
/var/log/httpd/error_log | 错误日志 |
/var/www/html/ | 站点文档目录 |
/usr/lib64/httpd/modules/ | 模块文件路径 |
/etc/httpd/conf/httpd.conf | 主配置文件 |
/etc/httpd/conf.modules.d/*.conf | 模块配置文件 |
/etc/httpd/conf.d/*.conf | 辅助配置文件 |
mpm:以DSO机制提供,配置文件为/etc/httpd/conf.modules.d/00-mpm.conf
3.3 web相关的命令
3.3.1 curl命令
curl是基于URL语法在命令行方式下工作的文件传输工具,它支持FTP,FTPS,HTTP,HTTPS,GOPHER,TELNET,DICT,FILE及LDAP等协议。
curl支持以下功能:
- https认证
- http的POST/PUT等方法
- ftp上传
- kerberos认证
- http上传
- 代理服务器
- cookies
- 用户名/密码认证
- 下载文件断点续传
- socks5代理服务器
- 通过http代理服务器上传文件到ftp服务器
//语法:curl [options] [URL ...]
//常用的options:
-A/--user-agent <string> //设置用户代理发送给服务器
-basic //使用Http基本认证
--tcp-nodelay //使用TCP_NODELAY选项
-e/--referer <URL> //来源网址
--cacert <file> //CA证书(SSL)
--compressed //要求返回时压缩的格式
-H/--header <line> //自定义请求首部信息传递给服务器
-I/--head //只显示响应报文首部信息
--limit-rate <rate> //设置传输速度
-u/--user <user[:password]> //设置服务器的用户和密码
-0/--http1 //使用http 1.0版本,默认使用1.1版本。这个选项是数字0而不是字母o
-o/--output //把输出写到文件中
-#/--progress-bar //进度条显示当前的传送状态
//通过curl下载文件
[root@20liuzhenchao ~]# curl -o myblog.html http://blog.51cto.com/itchentao
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 180 0 180 0 0 1339 0 --:--:-- --:--:-- --:--:-- 1343
[root@20liuzhenchao ~]# ls |grep myblog
myblog.html
3.3.2 httpd命令
//语法:httpd [options]
//常用的options:
-l //查看静态编译的模块,列出核心中编译了哪些模块。 \
//它不会列出使用LoadModule指令动态加载的模块
-M //输出一个已经启用的模块列表,包括静态编译在服务 \
//器中的模块和作为DSO动态加载的模块
-v //显示httpd的版本,然后退出
-V //显示httpd和apr/apr-util的版本和编译参数,然后退出
-X //以调试模式运行httpd。仅启动一个工作进程,并且 \
//服务器不与控制台脱离
-t //检查配置文件是否有语法错误
[root@20liuzhenchao ~]# httpd -l
Compiled in modules:
core.c
mod_so.c
http_core.c
event.c
[root@20liuzhenchao ~]# httpd -M
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
mpm_event_module (static)
authn_file_module (shared)
authn_core_module (shared)
authz_host_module (shared)
authz_groupfile_module (shared)
authz_user_module (shared)
authz_core_module (shared)
access_compat_module (shared)
......
......
[root@20liuzhenchao ~]# httpd -v
Server version: Apache/2.4.39 (Unix)
Server built: Apr 19 2019 11:45:25
[root@20liuzhenchao ~]# httpd -V
Server version: Apache/2.4.39 (Unix)
Server built: Apr 19 2019 11:45:25
Server's Module Magic Number: 20120211:84
Server loaded: APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture: 64-bit
Server MPM: event
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/usr/local/apache"
-D SUEXEC_BIN="/usr/local/apache/bin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
4. 编译安装httpd-2.4
httpd依赖于apr-1.4+,apr-util-1.4+,[apr-icon]
apr:apache portable runtime
//安装开发环境
[root@20liuzhenchao ~]# yum groupinstall "Development Tools"
已加载插件:fastestmirror, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
base | 3.6 kB 00:00:00
作为依赖被升级:
cpp.x86_64 0:4.8.5-36.el7_6.1 elfutils-libelf.x86_64 0:0.172-2.el7 elfutils-libs.x86_64 0:0.172-2.el7
libgcc.x86_64 0:4.8.5-36.el7_6.1 libgfortran.x86_64 0:4.8.5-36.el7_6.1 libgomp.x86_64 0:4.8.5-36.el7_6.1
libquadmath.x86_64 0:4.8.5-36.el7_6.1 libquadmath-devel.x86_64 0:4.8.5-36.el7_6.1 libstdc++.x86_64 0:4.8.5-36.el7_6.1
libstdc++-devel.x86_64 0:4.8.5-36.el7_6.1 perl-Git.noarch 0:1.8.3.1-20.el7 rpm.x86_64 0:4.11.3-35.el7
rpm-build-libs.x86_64 0:4.11.3-35.el7 rpm-libs.x86_64 0:4.11.3-35.el7 rpm-python.x86_64 0:4.11.3-35.el7
systemtap-client.x86_64 0:3.3-3.el7 systemtap-devel.x86_64 0:3.3-3.el7 systemtap-runtime.x86_64 0:3.3-3.el7
完毕!
//创建系统帐户apache
[root@20liuzhenchao ~]# groupadd -r apache
[root@20liuzhenchao ~]# useradd -r -g apache apache
//安装依赖库
[root@20liuzhenchao ~]# yum -y install openssl-devel pcre-devel expat-devel libtool
作为依赖被升级:
e2fsprogs.x86_64 0:1.42.9-13.el7 e2fsprogs-libs.x86_64 0:1.42.9-13.el7 krb5-libs.x86_64 0:1.15.1-37.el7_6 libcom_err.x86_64 0:1.42.9-13.el7
libselinux.x86_64 0:2.5-14.1.el7 libselinux-python.x86_64 0:2.5-14.1.el7 libselinux-utils.x86_64 0:2.5-14.1.el7 libsepol.x86_64 0:2.5-10.el7
libss.x86_64 0:1.42.9-13.el7 openssl.x86_64 1:1.0.2k-16.el7_6.1 openssl-libs.x86_64 1:1.0.2k-16.el7_6.1
完毕!
//下载apr-1.4+、apr-util-1.4+和httpd
[root@20liuzhenchao ~]# cd /usr/src
[root@20liuzhenchao src]# wget https://mirrors.tuna.tsinghua.edu.cn/apache/httpd/httpd-2.4.39.tar.bz2 http://mirror.bit.edu.cn/apache//apr/apr-1.6.5.tar.bz2 http://mirror.bit.edu.cn/apache//apr/apr-util-1.6.1.tar.bz2
FINISHED --2019-04-19 14:23:58--
Total wall clock time: 20s
Downloaded: 3 files, 7.9M in 19s (437 KB/s)
//全部解压
[root@20liuzhenchao src]# tar -xf apr-1.6.5.tar.bz2
[root@20liuzhenchao src]# tar -xf apr-util-1.6.1.tar.bz2
[root@20liuzhenchao src]# tar -xf httpd-2.4.39.tar.bz2
[root@20liuzhenchao src]# ls
apr-1.6.5 apr-1.6.5.tar.bz2 apr-util-1.6.1 apr-util-1.6.1.tar.bz2 httpd-2.4.39 httpd-2.4.39.tar.bz2
//编译安装apr
[root@20liuzhenchao src]# cd apr-1.6.5
[root@20liuzhenchao apr-1.6.5]# vim configure
cfgfile="${ofile}T"
trap "$RM \"$cfgfile\"; exit 1" 1 2 15
# $RM "$cfgfile" //将此行加上注释,或者删除此行
[root@20liuzhenchao apr-1.6.5]# ./configure --prefix=/usr/local/apr
配置过程略...
[root@20liuzhenchao apr-1.6.5]# make && make install
编译安装过程略...
//编译安装apr-util
[root@20liuzhenchao apr-1.6.5]# cd ../apr-util-1.6.1
[root@20liuzhenchao apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
配置过程略...
[root@20liuzhenchao apr-util-1.6.1]# make && make install
编译安装过程略...
//编译安装httpd
[root@20liuzhenchao apr-util-1.6.1]# cd ../httpd-2.4.39
[root@20liuzhenchao httpd-2.4.39]# ./configure --prefix=/usr/local/apache \
> --sysconfdir=/etc/httpd24 \
> --enable-so \
> --enable-ssl \
> --enable-cgi \
> --enable-rewrite \
> --with-zlib \
> --with-pcre \
> --with-apr=/usr/local/apr \
> --with-apr-util=/usr/local/apr-util/ \
> --enable-modules=most \
> --enable-mpms-shared=all \
> --with-mpm=prefork
[root@20liuzhenchao httpd-2.4.39]# make && make install
编译安装过程略...
//添加环境变量
[root@20liuzhenchao ~]# echo 'export PATH=/usr/local/apache/bin:$PATH' >/etc/profile.d/httpd.sh
[root@20liuzhenchao ~]# cat /etc/profile.d/httpd.sh
export PATH=/usr/local/apache/bin:$PATH
//启动服务
[root@20liuzhenchao ~]# apachectl start
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::20c:29ff:fefc:116c. Set the 'ServerName' directive globally to suppress this message
报错了但服务仍已启动
[root@20liuzhenchao ~]# ss -antl|grep 80
LISTEN 0 128 :::80 :::*
//解决报错
[root@20liuzhenchao ~]# vim /etc/httpd24/httpd.conf # it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80 //将此行注释解除即可
[root@20liuzhenchao ~]# httpd -t
Syntax OK
[root@20liuzhenchao ~]# apachectl start
[root@20liuzhenchao ~]#
5. httpd常用配置
切换使用MPM(编辑/etc/httpd/conf.modules.d/00-mpm.conf文件):
//LoadModule mpm_NAME_module modules/mod_mpm_NAME.so
//NAME有三种,分别是:
prefork
event
worker
编译安装的修改/etc/httpd24/httpd.conf文件,取消前面注释即可
[root@20liuzhenchao ~]# vim /etc/httpd24/httpd.conf
#LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
访问控制法则:
法则 | 功能 |
---|---|
Require all granted | 允许所有主机访问 |
Require all deny | 拒绝所有主机访问 |
Require ip IPADDR | 授权指定来源地址的主机访问 |
Require not ip IPADDR | 拒绝指定来源地址的主机访问 |
Require host HOSTNAME | 授权指定来源主机名的主机访问 |
Require not host HOSTNAME | 拒绝指定来源主机名的主机访问 |
IPADDR的类型 | HOSTNAME的类型 |
---|---|
IP:192.168.1.1/Network/mask:192.168.1.0/255.255.255.0Network/Length:192.168.1.0/24/Net:192.168 | FQDN:特定主机的全名/DOMAIN:指定域内的所有主机 |
注意:httpd-2.4版本默认是拒绝所有主机访问的,所以安装以后必须做显示授权访问
示例:
<Directory /var/www/html/www>
<RequireAll>
Require not ip 192.168.56.25
Require all granted
</RequireAll>
</Directory>
虚拟主机:
虚拟主机有三类:
- 相同IP不同端口
- 不同IP相同端口
- 相同IP相同端口不同域名
//设置主机名
[root@20liuzhenchao ~]# vim /etc/httpd24/httpd.conf
......
ServerAdmin root@localhost
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
ServerName www.example.com:80 //取消此行前面的#号
......
相同IP不同端口(80端口不允许192.168.56.25访问,81端口允许所有主机访问)
[root@20liuzhenchao ~]# vim /etc/httpd24/httpd.conf
//在配置文件的最后加上如下内容(Directory "/usr/local/apache/htdocs"默认all granted)
#virtual host 1 # 虚拟主机1的配置
<VirtualHost 192.168.56.20:80>
ServerName www.liuzhenchao.com
DocumentRoot "/usr/local/apache/htdocs/www"
ErrorLog "/usr/local/apache/logs/www-error_log"
CustomLog "/usr/local/apache/logs/www-access_log" combined
<Directory /usr/local/apache/htdocs/www>
<RequireAll>
Require all granted
Require not ip 192.168.56.25
</RequireAll>
</Directory>
</VirtualHost>
# virtual host 2 # 虚拟主机2的配置
<VirtualHost 192.168.56.20:81>
ServerName blog.liuzhenchao.com
DocumentRoot "/usr/local/apache/htdocs/blog"
ErrorLog "/usr/local/apache/logs/blog/error_log"
CustomLog "/usr/local/apache/logs/blog/access_log" combined
</VirtualHost>
//创建网页目录并修改属主属组
[root@20liuzhenchao log]# mkdir /usr/local/apache/htdocs/www
[root@20liuzhenchao log]# mkdir /usr/local/apache/htdocs/blog
[root@20liuzhenchao ~]# chown -R apache.apache /usr/local/apache/htdocs/www
[root@20liuzhenchao ~]# chown -R apache.apache /usr/local/apache/htdocs/blog
[root@20liuzhenchao ~]# ll /usr/local/apache/htdocs/blog -d
drwxr-sr-x 2 apache apache 24 4月 19 16:45 /usr/local/apache/htdocs/blog
[root@20liuzhenchao ~]# ll /usr/local/apache/htdocs/www -d
drwxr-sr-x 2 apache apache 24 4月 19 16:45 /usr/local/apache/htdocs/www
//创建网页
[root@20liuzhenchao log]# echo 'www' >/usr/local/apache/htdocs/www/index.html
[root@20liuzhenchao log]# echo 'blog' >/usr/local/apache/htdocs/blog/index.html
//监听80和81端口
[root@20liuzhenchao ~]# vim /etc/httpd24/httpd.conf
//在配置文件的最后加上如下内容
Listen 80
Listen 81
//创建相应网页的日志目录
[root@20liuzhenchao log]# mkdir /usr/local/apache/logs/blog
[root@20liuzhenchao ~]# mkdir /usr/local/apache/logs/www
//启动服务并查看是否有80和81端口
[root@20liuzhenchao log]# apachectl -t
Syntax OK
[root@20liuzhenchao ~]# ss -antl |egrep '80|81'
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::81 :::*
//在客户机上验证
1.修改hosts文件
[root@25liuzhenchao ~]# vim /etc/hosts
[root@25liuzhenchao ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
//添加以下2行
192.168.56.20 www.liuzhenchao.com
192.168.56.20 blog.liuzhenchao.com
2.curl下载网页进行测试(IP和域名)
//IP验证
[root@25liuzhenchao ~]# curl 192.168.56.20:81
blog
[root@25liuzhenchao ~]# curl 192.168.56.20:80
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.<br />
</p>
</body></html>
//域名验证
[root@25liuzhenchao ~]# curl blog.liuzhenchao.com:81
blog
[root@25liuzhenchao ~]# curl www.liuzhenchao.com:80
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.<br />
</p>
</body></html>
3.本地浏览器验证(IP为192.168.56.10)
//配置本地hosts
在C:\Windows\System32\drivers\etc目录下将hosts文件拖至桌面进行编辑
添加如下内容:
192.168.56.20 www.liuzhenchao.com
192.168.56.20 blog.liuzhenchao.com
//编辑完成后拖回至原处
//打开浏览器输入域名进行访问
不同IP相同端口(192.168.56.20不允许192.168.56.25访问,192.168.56.21允许所有主机访问)
//修改配置文件(Directory "/usr/local/apache/htdocs"默认all granted)
# 虚拟主机1的配置
<VirtualHost 192.168.56.20:80>
ServerName www.liuzhenchao.com
DocumentRoot "/usr/local/apache/htdocs/www"
ErrorLog "/usr/local/apache/logs/www-error_log"
CustomLog "/usr/local/apache/logs/www-access_log" combined
<Directory /usr/local/apache/htdocs/www>
<RequireAll>
Require all granted
Require not ip 192.168.56.25
</RequireAll>
</Directory>
</VirtualHost>
# virtual host 2 # 虚拟主机2的配置
<VirtualHost 192.168.56.21:80>
ServerName blog.liuzhenchao.com
DocumentRoot "/usr/local/apache/htdocs/blog"
ErrorLog "/usr/local/apache/logs/blog/error_log"
CustomLog "/usr/local/apache/logs/blog/access_log" combined
</VirtualHost>
//重启服务确保80端口已启动
[root@20liuzhenchao ~]# ss -antl |grep 80
LISTEN 0 128 :::80 :::*
//客户端验证
[root@25liuzhenchao ~]# curl 192.168.56.21
blog
[root@25liuzhenchao ~]# curl 192.168.56.20
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.<br />
</p>
</body></html>
相同IP相同端口不同域名(www.liuzhenchao.com不允许192.168.56.25访问,blog.liuzhenchao.com允许所有主机访问)
//修改配置文件(Directory "/usr/local/apache/htdocs"默认all granted)
[root@20liuzhenchao ~]# vim /etc/httpd24/httpd.conf
# 虚拟主机1的配置
<VirtualHost 192.168.56.20:80>
ServerName www.liuzhenchao.com
DocumentRoot "/usr/local/apache/htdocs/www"
ErrorLog "/usr/local/apache/logs/www-error_log"
CustomLog "/usr/local/apache/logs/www-access_log" combined
<Directory /usr/local/apache/htdocs/www>
<RequireAll>
Require all granted
Require not ip 192.168.56.25
</RequireAll>
</Directory>
</VirtualHost>
# virtual host 2 # 虚拟主机2的配置
<VirtualHost 192.168.56.20:80>
ServerName blog.liuzhenchao.com
DocumentRoot "/usr/local/apache/htdocs/blog"
ErrorLog "/usr/local/apache/logs/blog/error_log"
CustomLog "/usr/local/apache/logs/blog/access_log" combined
</VirtualHost>
//重启服务确保80端口开启
[root@20liuzhenchao ~]# apachectl restart
[root@20liuzhenchao ~]# ss -antl |grep 80
LISTEN 0 128 :::80 :::*
//客户端验证
[root@25liuzhenchao ~]# curl www.liuzhenchao.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.<br />
</p>
</body></html>
[root@25liuzhenchao ~]# curl blog.liuzhenchao.com
blog
配置https
//启用模块:编辑/etc/httpd24/httpd.conf文件,添加下面这行,如果已经有了但是注释了,则取消注释即可
LoadModule ssl_module modules/mod_ssl.so
openssl生成私有证书
1.进入目录
[root@25liuzhenchao ~]# cd /etc/pki/CA
[root@25liuzhenchao CA]# ls
certs crl newcerts private
2.生成密钥
[root@25liuzhenchao CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
....+++
....................+++
e is 65537 (0x10001)
[root@25liuzhenchao CA]# ls private/
cakey.pem
3.提取公钥
[root@25liuzhenchao CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsbyF3vp9KN7awfP8Xzjz
1JfM6ctvKCjSSIdMkxppItdZBbDbawB5mmvoMqIB+2O9s4VQ9ztFL3cPXiWRrZjL
8bSV2PnAEl4UvRE+f2eKEKmzhEFMKcYh/kSOK6iN0OQ10SD6W5TSQwDa6aFxtOq/
lwC49dyA8o5VeDdUVNTt2zT3s5EOCyVNiFr8RgNkzmb7EUTiiA8XBXjbUW3P5kWj
twe+LFSAGbiXkCiJrLHUTs+YEpEMTDXFvkO7QY2q+S6kGDCfcXKnFl+Mqm4naU8p
5/nbxef1xEsaae6DjNITGnYfiCxUVhm+OCBhV8auv+50CStu0OAan+UwW08Ft5ro
GQIDAQAB
-----END PUBLIC KEY-----
//将生成的公钥暂存于一个地方
[root@25liuzhenchao CA]# vim /root/a.pub
添加
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsbyF3vp9KN7awfP8Xzjz
1JfM6ctvKCjSSIdMkxppItdZBbDbawB5mmvoMqIB+2O9s4VQ9ztFL3cPXiWRrZjL
8bSV2PnAEl4UvRE+f2eKEKmzhEFMKcYh/kSOK6iN0OQ10SD6W5TSQwDa6aFxtOq/
lwC49dyA8o5VeDdUVNTt2zT3s5EOCyVNiFr8RgNkzmb7EUTiiA8XBXjbUW3P5kWj
twe+LFSAGbiXkCiJrLHUTs+YEpEMTDXFvkO7QY2q+S6kGDCfcXKnFl+Mqm4naU8p
5/nbxef1xEsaae6DjNITGnYfiCxUVhm+OCBhV8auv+50CStu0OAan+UwW08Ft5ro
GQIDAQAB
-----END PUBLIC KEY-----
4.生成自签署证书
[root@25liuzhenchao CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:www.liuzhenchao.com
Organizational Unit Name (eg, section) []:www.liuzhenchao.com
Common Name (eg, your name or your server's hostname) []:www.liuzhenchao.com
Email Address []:1@2.com
5.查看cacert.pem文件
[root@25liuzhenchao CA]# openssl x509 -text -in cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 16784191559212065646 (0xe8ed6d4bf0f1e36e)
Signature Algorithm: sha1WithRSAEncryption
......
6.创建文件
[root@25liuzhenchao CA]# touch index.txt && echo 01 > serial
[root@25liuzhenchao CA]# ls
cacert.pem certs crl index.txt newcerts private serial
7.在服务器上创建CA
[root@20liuzhenchao ~]# cd /etc/httpd24/
[root@20liuzhenchao httpd24]# mkdir ssl && cd ssl
[root@20liuzhenchao ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:www.liuzhenchao.com
Organizational Unit Name (eg, section) []:www.liuzhenchao.com
Common Name (eg, your name or your server's hostname) []:www.liuzhenchao.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
8.把证书发给客户端
[root@20liuzhenchao ssl]# scp httpd.csr root@192.168.56.25:/root/
9.客户端签署发过来的证书
[root@25liuzhenchao ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 20 18:23:24 2019 GMT
Not After : Apr 19 18:23:24 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = HuBei
organizationName = www.liuzhenchao.com
organizationalUnitName = www.liuzhenchao.com
commonName = www.liuzhenchao.com
emailAddress = 1@2.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2C:38:EF:00:66:61:E6:CC:49:B9:84:91:81:5D:93:7F:4B:A3:F7:58
X509v3 Authority Key Identifier:
keyid:F1:EB:F2:C4:99:F8:79:9B:76:77:7C:AA:0C:9F:59:6F:73:7E:4D:73
Certificate is to be certified until Apr 19 18:23:24 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
10.将生成的证书发送给服务端
[root@25liuzhenchao ~]# scp httpd.crt root@192.168.56.20:/root
//把证书移至网站的位置
[root@20liuzhenchao ~]# mv httpd.crt /etc/httpd24/ssl/
[root@20liuzhenchao ~]# cd /etc/httpd24/ssl/
[root@20liuzhenchao ssl]# ls
httpd.crt httpd.csr httpd.key
配置ssl
1.编辑配置文件
[root@20liuzhenchao ~]# vim /etc/httpd24/httpd.conf
去掉下一行的注释
Include /etc/httpd24/extra/httpd-ssl.conf
2.配置https网站和证书
[root@20liuzhenchao ~]# vim /etc/httpd24/extra/httpd-ssl.conf
DocumentRoot "/usr/local/apache/htdocs/www"
ServerName www.liuzhenchao.com:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/www-error_log"
TransferLog "/usr/local/apache/logs/www-access_log"
SSLCertificateFile "/etc/httpd24/ssl/httpd.crt"
SSLCertificateKeyFile "/etc/httpd24/ssl/httpd.key"
注释掉如下一行
#SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
2.重启服务并查看443端口是否启动
[root@20liuzhenchao ~]# apachectl restart
[root@20liuzhenchao ~]# ss -antl |grep 443
LISTEN 0 128 :::443 :::*
验证ssl
浏览器上https访问https://www.liuzhenchao.com进行验证