Home > Article > Backend Development > Detailed explanation of Apache configuration (the best APACHE configuration tutorial)_PHP tutorial
Detailed explanation of Apache configuration (the best APACHE configuration tutorial)_PHP tutorial
- WBOYOriginal
- 2016-07-21 15:36:46870browse
Main site configuration (basic configuration)
(1) Basic configuration:
ServerRoot "/mnt/software/apache2" #The location where your apache software is installed. If no absolute path is specified for other specified directories, the directories are relative to this directory.
PidFile logs/httpd.pid #The process number file location of the first httpd process (the parent process of all other processes).
Listen 80 #The port number that the server listens to.
ServerName www.jb51.net:80 #Main site name (host name of the website).
ServerAdmin admin@jb51.net #Administrator’s email address.
DocumentRoot "/mnt/web/clusting" #The web page storage location of the main site.
The following is the access control for the directory of the main site:
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
In the above directory attribute configuration, there are mainly the following options:
Options: Configure which features are used in a specific directory, common values and basic The meaning is as follows:
ExecCGI: CGI scripts are allowed to be executed in this directory.
FollowSymLinks: Allow file systems to use symbolic links in this directory.
Indexes: When the user accesses the directory, if the user cannot find the homepage file (such as index.html) specified by DirectoryIndex, the file list in the directory will be returned to the user.
SymLinksIfOwnerMatch: When using symbolic links, access is only possible if the file owner of the symbolic link is the same as the owner of the actual file.
For other available values and meanings, please see: http://www.jb51.net/Apache/ApacheManual/mod/core.html#options
AllowOverride: Allow directive types that exist in .htaccess files (The .htaccess file name can be changed, and its file name is determined by the AccessFileName directive):
None: When AllowOverride is set to None. Do not search for .htaccess files in this directory (can reduce server overhead).
All: All directives can be used in .htaccess files.
For other available values and meanings (such as: Options FileInfo AuthConfig Limit, etc.), please refer to: http://www.jb51.net/Apache/ApacheManual/mod/core.html#AllowOverride
Order: Control in Which of the two access rules Allow or Deny takes precedence during access:
Allow: List of hosts allowed to be accessed (available domain names or subnets, for example: Allow from 192.168.0.0/16).
Deny: List of hosts that are denied access.
For more detailed usage, please refer to: http://www.jb51.net/Apache/ApacheManual/mod/mod_access.html#order
DirectoryIndex index.html index.htm index.php #Home page file settings ( In this example, the home page files are set to: index.html, index.htm and index.php)
(2) Server optimization (MPM: Multi-Processing Modules)
The main advantage of apache2 is that it can The processor has better support, and the --with-mpm option is used to determine the working mode of apache2 when compiling. If you know what working mechanism the current apache2 uses, you can use the httpd -l command to list all modules of apache, and you can know how it works:
prefork: If httpd -l lists prefork.c, you need to modify the following Section configuration:
StartServers 5 #The number of httpd processes started when starting apache.
MinSpareServers 5 #Minimum number of idle processes maintained by the server.
MaxSpareServers 10 #The maximum number of idle processes maintained by the server.
MaxClients 150 #Maximum number of concurrent connections.
MaxRequestsPerChild 1000 #How many times each child process is requested for service before it is killed. 0 means no limit, and it is recommended to set it to 1000.
In this working mode, 5 httpd processes are started after the server starts (a total of 6 including the parent process, which can be seen through the ps -ax|grep httpd command). When a user connects, Apache will use an idle process to serve the connection, and the parent process will fork a child process. Until the number of idle processes in memory reaches MaxSpareServers. This mode is for compatibility with some older versions of programs. My default compile time options.
worker: If httpd -l lists worker.c, you need to configure the following sections:
StartServers 2 #The number of httpd processes started when starting apache.
MaxClients 150 #Maximum number of concurrent connections.
MinSpareThreads 25 #The minimum number of idle threads maintained by the server.
MaxSpareThreads 75 #The maximum number of idle threads maintained by the server.
ThreadsPerChild 25 #The number of threads generated by each child process.
MaxRequestsPerChild 0 #How many times each child process is requested for service before it is killed. 0 means no limit, and it is recommended to set it to 1000.
This mode uses threads to monitor client connections. When a new client connects, one of the idle threads accepts the connection. The server starts two processes at startup, and the number of threads generated by each process is fixed (determined by ThreadsPerChild), so there are 50 threads at startup. When 50 threads are not enough, the server automatically forks a process and generates 25 more threads.
perchild: If httpd -l lists perchild.c, you need to configure the following section:
NumServers 5 #The child process started when the server starts Number
StartThreads 5 #The number of threads started when each child process starts
MinSpareThreads 5 #The minimum number of idle threads in memory
MaxSpareThreads 10 #The maximum number of idle threads
MaxThreadsPerChild 2000 #The maximum number of idle threads in each thread How many times to request before exiting. 0 is not restricted.
MaxRequestsPerChild 10000 #How many times each child process serves before being re-forked. 0 means no limit.
In this mode, the number of child processes is fixed and the number of threads is not limited. When the client connects to the server, the idle thread provides services. If the number of idle threads is not enough, the child process automatically generates threads to serve new connections. This mode is used for multisite servers.
(3) HTTP return information configuration:
ServerTokens Prod #This parameter sets the apache version information returned by the http header. The available values and meanings are as follows:
Prod: only the software name, for example: apache
Major: includes the major version number, for example: apache/2
Minor: includes the minor version number, for example: apache/2.0
Min: only the full version number of apache, for example: apache/2.0.54
OS: includes the operating system type, for example: apache/2.0.54 (Unix)
Full: includes the modules and module version numbers supported by apache, for example: Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL /0.9.7g
ServerSignature Off #Whether server version information appears when an error occurs on the page. The recommended setting is Off
(4) Persistent connection settings
KeepAlive On #Turn on the persistent connection function. That is, when the client connects to the server, it remains connected after downloading the data.
MaxKeepAliveRequests 100 #The maximum number of requests for a connection service.
KeepAliveTimeout 30 #How long to continue the connection. If the connection does not request data again, the connection will be disconnected. The default is 15 seconds.
Alias settings
For pages that are not in the directory specified by DocumentRoot, you can use either symbolic links or aliases. The alias settings are as follows:
Alias /download/ "/var/www/download/" #You can enter when accessing: http://www.jb51.net/download/
Options Indexes MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all
CGI Settings
ScriptAlias /cgi-bin/ "/mnt/software/apache2/cgi-bin/" # When accessing: http://www.jb51.net/cgi-bin/. But the CGI script files in this directory need to have executable permissions!
AllowOverride None
Options None
Order allow,deny
Allow from all
Personal homepage settings (public_html)
UserDir public_html (The user's homepage is stored in the public_html directory under the user's home directory URL http://www.jb51.net/~ bearzhang/file.html will read /home/bearzhang/public_html/file.html file)
chmod 755 /home/bearzhang #Enable other users to read the file.
UserDir /var/html (the URL http://www.jb51.net/~bearzhang/file.html will read /var/html/bearzhang/file.html)
UserDir /var/www/ */docs (the URL http://www.jb51.net/~bearzhang/file.html will read /var/www/bearzhang/docs/file.html)
Log settings
(1) Error log settings
ErrorLog logs/error_log #Log storage location
LogLevel warn #Log level
The display format is as follows:
[Mon Oct 10 15:54:29 2005] [error ] [client 192.168.10.22] access to /download/ failed, reason: user admin not allowed access
(2) Access log settings
The default format of the log is as follows:
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
LogFormat "%h %l %u %t "%r " %>s %b" common #common is the log format name
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog The various parameters in the logs/access_log common
format are as follows:
%h --The client's ip address or host name
%l --The This is the RFC 1413 identity determined by the client's identd , the "-" symbol in the output indicates that the information here is invalid.
%u --The name of the client who accessed the webpage obtained by the HTTP authentication system. It is valid only with authentication. The "-" symbol in the output indicates that the information here is invalid.
%t – The time when the server completed processing the request.
"%r" --The quotation marks are the request content sent by the customer that contains a lot of useful information.
%>s --This is the status code returned by the server to the client.
%b --The last item is the number of bytes returned to the client excluding response headers.
"%{Referer}i" --This item specifies which web page the request was submitted from.
"%{User-Agent}i" --This item is the browser identification information provided by the customer's browser.
下面是一段访问日志的实例:
192.168.10.22 - bearzhang [10/Oct/2005:16:53:06 +0800] "GET /download/ HTTP/1.1" 200 1228
192.168.10.22 - - [10/Oct/2005:16:53:06 +0800] "GET /icons/blank.gif HTTP/1.1" 304 -
192.168.10.22 - - [10/Oct/2005:16:53:06 +0800] "GET /icons/back.gif HTTP/1.1" 304 -
各参数的详细解释,请参阅:http://www.jb51.net/Apache/ApacheManual/logs.html
用户认证的配置
(1)in the httpd.conf:
AccessFileName .htaccess
.........
Alias /download/ "/var/www/download/"
Options Indexes
AllowOverride AuthConfig
(2) create a password file:
/usr/local/apache2/bin/htpasswd -c /var/httpuser/passwords bearzhang
(3)onfigure the server to request a password and tell the server which users are allowed access.
vi /var/www/download/.htaccess:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /var/httpuser/passwords
Require user bearzhang
#Require valid-user #all valid user
虚拟主机的配置
(1)基于IP地址的虚拟主机配置
Listen 80
DocumentRoot /www/example1
ServerName www.example1.com
DocumentRoot /www/example2
ServerName www.example2.org
(2) 基于IP和多端口的虚拟主机配置
Listen 172.20.30.40:80
Listen 172.20.30.40:8080
Listen 172.20.30.50:80
Listen 172.20.30.50:8080
DocumentRoot /www/example1-80
ServerName www.example1.com
DocumentRoot /www/example1-8080
ServerName www.example1.com
DocumentRoot /www/example2-80
ServerName www.example1.org
DocumentRoot /www/example2-8080
ServerName www.example2.org
(3)单个IP地址的服务器上基于域名的虚拟主机配置:
# Ensure that Apache listens on port 80
Listen 80
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:80
DocumentRoot /www/example1
ServerName www.example1.com
ServerAlias example1.com. *.example1.com
# Other directives here
DocumentRoot /www/example2
ServerName www.example2.org
# Other directives here
(4)在多个IP地址的服务器上配置基于域名的虚拟主机:
Listen 80
# This is the "main" server running on 172.20.30.40
ServerName server.domain.com
DocumentRoot /www/mainserver
# This is the other address
NameVirtualHost 172.20.30.50
DocumentRoot /www/example1
ServerName www.example1.com
# Other directives here ...
DocumentRoot /www/example2
ServerName www.example2.org
# Other directives here ...
(5)在不同的端口上运行不同的站点(基于多端口的服务器上配置基于域名的虚拟主机):
Listen 80
Listen 8080
NameVirtualHost 172.20.30.40:80
NameVirtualHost 172.20.30.40:8080
ServerName www.example1.com
DocumentRoot /www/domain-80
ServerName www.example1.com
DocumentRoot /www/domain-8080
ServerName www.example2.org
DocumentRoot /www/otherdomain-80
ServerName www.example2.org
DocumentRoot /www/otherdomain-8080
(6)基于域名和基于IP的混合虚拟主机的配置:
Listen 80
NameVirtualHost 172.20.30.40
DocumentRoot /www/example1
ServerName www.example1.com
DocumentRoot /www/example2
ServerName www.example2.org
DocumentRoot /www/example3
ServerName www.example3.net
SSL加密的配置
首先在配置之前先来了解一些基本概念:
The concept of certificate: first there must be a root certificate, and then the root certificate is used to issue the server certificate and client certificate. It is generally understood that the server certificate and client certificate are in a horizontal relationship. SSL must install a server certificate for authentication. Therefore: in this environment, there must be at least three certificates: root certificate, server certificate, client certificate. Before generating a certificate, there is usually a private key, and the private key is used to generate a certificate request, and then the certificate server's root certificate is used to issue the certificate.
The certificate used by SSL can be generated by yourself or signed by a commercial CA (such as Verisign or Thawte).
Issues with issuing certificates: If you are using a commercial certificate, please check the instructions of the relevant seller for the specific signing method; if it is a certificate issued by a close friend, you can use the CA.sh script tool that comes with openssl.
If you do not issue a certificate for a separate client, the client certificate does not need to be generated. The client and server use the same certificate.
(1) The main parameters in the conf/ssl.conf configuration file are configured as follows:
Listen 443
SSLPassPhraseDialog buildin
#SSLPassPhraseDialog exec:/path/to/program
SSLSessionCache dbm:/ usr/local/apache2/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache2/logs/ssl_mutex
# General setup for the virtual host
DocumentRoot "/usr/local/apache2/htdocs"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog /usr/local/apache2/logs/error_log
TransferLog /usr/local/apache2/logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
CustomLog /usr/local/apache2 /logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"
(2) Create and use a self-signed certificate:
a.Create a RSA private key for your Apache server
/usr/local/openssl/bin/openssl genrsa -des3 -out /usr/local/apache2/conf/ssl.key/server.key 1024
b. Create a Certificate Signing Request (CSR)
/usr/local/openssl/bin/openssl req -new -key /usr/local/apache2/conf/ssl.key/server.key -out /usr/local /apache2/conf/ssl.key/server.csr
c. Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA
/usr/local/openssl/bin/openssl req - x509 -days 365 -key /usr/local/apache2/conf/ssl.key/server.key -in /usr/local/apache2/conf/ssl.key/server.csr -out /usr/local/apache2/conf /ssl.crt/server.crt
/usr/local/openssl/bin/openssl genrsa 1024 -out server.key
/usr/local/openssl/bin/openssl req -new -key server.key - out server.csr
/usr/local/openssl/bin/openssl req -x509 -days 365 -key server.key -in server.csr -out server.crt
(3) Create your own CA (certification certificate) and use that CA to sign the server's certificate.
mkdir /CA
cd /CA
cp openssl-0.9.7g/apps/CA.sh /CA
./CA.sh -newca
openssl genrsa -des3 -out server. key 1024
openssl req -new -key server.key -out server.csr
cp server.csr newreq.pem
./CA.sh -sign
cp newcert.pem /usr/local /apache2/conf/ssl.crt/server.crt
cp server.key /usr/local/apache2/conf/ssl.key/