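Web Services (3): httpd Parameter Configuration and Compiling from Source
I. Parameter Configuration
13. Implementing HTTPS
Before implementing HTTPS you need to understand OpenSSL and have a CA mechanism in place. For details on OpenSSL, see "OpenSSL, Encryption, Decryption and Implementing a Private CA".
What the SSL handshake has to accomplish:
Exchange protocol version numbers
Select an encryption method that both sides support
Authenticate both ends
Key exchange
HTTPS is a binary-format protocol that listens on TCP port 443. SSL sessions are established per IP address, so HTTPS cannot be implemented on FQDN-based virtual hosts.
Now let's configure HTTPS directly:
Here a single machine is used as both the CA and the client.
Creating the CA and signing the client certificate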
    # Create the CA; the detailed output is not pasted here, these are the steps
    [Linux85] #cd /etc/pki/CA/
    [Linux85] #(umask 077;openssl genrsa -out private/cakey.pem 2048)
    [Linux85] #openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
    [Linux85] #touch index.txt serial crlnumber
    [Linux85] #echo 00 > serial
    # Generate the client certificate and have the CA sign it; the CA and the client are the same machine here, but they can also be two separate machines
    [Linux85] #mkdir /etc/httpd/ssl
    [Linux85] #cd /etc/httpd/ssl
    [Linux85] #(umask 077;openssl genrsa -out httpd.key 1024)
    [Linux85] #openssl req -new -key httpd.key -out httpd.csr
    [Linux85] #openssl ca -in httpd.csr -out httpd.crt -days 365
    # When finished, install the CA certificate on Windows
Install the mod_ssl module and modify the main configuration file to enable SSL support:
    [Linux85] #yum -y install mod_ssl
    [Linux85] #rpm -ql mod_ssl
    /etc/httpd/conf.d/ssl.conf
    /usr/lib64/httpd/modules/mod_ssl.so
    /var/cache/mod_ssl
    /var/cache/mod_ssl/scache.dir
    /var/cache/mod_ssl/scache.pag
    /var/cache/mod_ssl/scache.sem
    [Linux85] #
    # Configuration
    [Linux85] #vim ssl.conf
    # Locate ServerName and enable the following two items
    # General setup for the virtual host, inherited from global configuration
    DocumentRoot "/var/www/html"
    ServerName www.soul.org:443
    # The following two items are the paths to the certificate file and the private key
    #   Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate.  If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase.  Note that a kill -HUP will prompt again.  A new
    # certificate can be generated using the genkey(1) command.
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    #   Server Private Key:
    #   If the key is not combined with the certificate, use this
    #   directive to point at the key file.  Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
    [Linux85] #service httpd start
    [Linux85] #ss -tunl | grep 443
    tcp    LISTEN     0      128    :::443    :::*
    # Port 443 is listening, so the service started normally
Provide a home page file
    [Linux85] #vim /var/www/html/index.html
    This is https test page!
    # Install the CA certificate on Windows
The access test succeeds; HTTPS works as expected.
14. Configuring the httpd status page
    [Linux85] #httpd -M | grep status
    # If the module below is present, the status page can be configured
     status_module (shared)
    Syntax OK
    [Linux85] #
    [Linux85] #vim /etc/httpd/conf/httpd.conf
    # Locate "status" and enable the following section
    # Allow server status reports generated by mod_status,
    # with the URL of http://servername/server-status
    # Change the ".example.com" to match your domain to enable.
    #
    <Location /server-status>
        SetHandler server-status
        # Authentication is configured here for security
        AuthType Basic
        AuthName "server status"
        AuthUserFile "/etc/httpd/conf/.htpasswd"
        Require valid-user
        Order deny,allow
        Deny from all
        # Only this IP is allowed to access the page
        Allow from 172.16.254.28
    </Location>
Testing shows that access requires authentication, and that the page displays detailed information about the httpd server.
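To confirm that every mod_status endpoint in a configuration carries restrictions like the ones above, the following added example (not part of the original post) scans Location blocks for SetHandler server-status and reports which controls protect each one. It is a heuristic for the Apache 2.2-style directives used here; the function name audit_status and the /status-debug block are constructed for illustration.

```shell
#!/bin/sh
# Heuristic audit of Apache 2.2-style access control on mod_status endpoints.
# Prints "<path> <verdict>" for every <Location> that sets the server-status handler.
audit_status() {
  awk '
    /^[ \t]*#/ { next }   # skip whole-line comments
    { line = tolower($0); gsub(/[ \t]+/, " ", line); sub(/^ /, "", line) }
    line ~ /^<location / {
      inblk = 1; path = $2; sub(/>$/, "", path)
      handler = auth = denyall = allowall = allowsome = 0; next
    }
    !inblk { next }
    line ~ /^sethandler server-status/          { handler = 1 }
    line ~ /^require (valid-user|user|group)/   { auth = 1 }
    line ~ /^deny from all( |$)/                { denyall = 1 }
    line ~ /^allow from all( |$)/               { allowall = 1 }
    line ~ /^allow from / && line !~ /^allow from all( |$)/ { allowsome = 1 }
    line ~ /^<\/location>/ {
      inblk = 0
      if (!handler) next
      ip = (denyall && allowsome && !allowall)   # deny everyone, then allow named hosts
      if (auth && ip)  v = "auth+ip"
      else if (auth)   v = "auth-only"
      else if (ip)     v = "ip-only"
      else             v = "OPEN"
      print path, v
    }
  ' "$@"
}

# Constructed sample: block 1 mirrors the section above, block 2 is a hypothetical exposed endpoint.
audit_status <<'EOF'
<Location /server-status>
    SetHandler server-status
    AuthType Basic
    AuthName "server status"
    AuthUserFile "/etc/httpd/conf/.htpasswd"
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from 172.16.254.28
</Location>
<Location /status-debug>
    SetHandler server-status
    Order allow,deny
    Allow from all
</Location>
EOF
```

Run it against the real file with audit_status /etc/httpd/conf/httpd.conf; any path reported as OPEN serves the status page without authentication or an IP restriction.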
15. Using the mod_deflate module to compress pages and speed up transfer
    [Linux85] #httpd -M | grep deflate
     deflate_module (shared)
    Syntax OK
    [Linux85] #
    # This is not defined in the main configuration file, so create a new configuration file
    [Linux85] #vim /etc/httpd/conf.d/deflate.conf
    SetOutputFilter DEFLATE
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE text/css
    # Level of compression (Highest 9 - Lowest 1)
    DeflateCompressionLevel 9
    # Netscape 4.x has some problems.
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    # Netscape 4.06-4.08 have some more problems
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    # MSIE masquerades as Netscape, but it is fine
    BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
    [Linux85] #service httpd restart
    Stopping httpd: [ OK ]
    Starting httpd: [ OK ]
    [Linux85] #
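The test succeeds. This feature is not suitable for every situation; it needs to be applied with sound judgment.
II. Compiling and Installing httpd-2.4
Because this post was left unfinished for a long time, the later posts have already been completed, and one of them already covers compiling and installing version 2.4, so it is not repeated here. Link: "Compiling and Installing LAMP on Linux and Splitting It Across Multiple Servers".
This article is reposted from Mr_陈's 51CTO blog. Original link: http://blog.51cto.com/chenpipi/1390923. To repost it, please contact the original author yourself.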