Detailed explanation of HTTP service construction examples

1. Introduction
1. Get to know
Encrypted web page (https): tcp:443   Clear text web page (http): tcp:80
survey.netcraft.net --You can check the latest web server usage on this website
Hypertext Transfer Protocol (HTTP) is the most widely used network protocol. All WWW files must comply with this standard. HTTP was originally designed to provide a way to publish and receive HTML pages.
2. Apache
Apache HTTP Server (referred to as Apache) is an open source web server from the Apache Software Foundation that runs on most computer operating systems. It is widely used because of its cross-platform support and security, and it is one of the most popular web server software packages. Its features are as follows:
1. Supports the latest HTTP/1.1 communication protocol
2. Has a simple and powerful file-based configuration process
3. Supports the Common Gateway Interface (CGI)
4. Supports IP-based and domain name-based virtual hosts
5. Supports multiple methods of HTTP authentication
6. Integrates a Perl processing module
7. Integrates a proxy server module
8. Supports real-time monitoring of server status and customized server logs
9. Supports server-side include directives (SSI)
10. Supports Secure Sockets Layer (SSL)
11. Provides tracking of user sessions
12. Supports FastCGI
13. Supports Java Servlets through third-party modules
3. Installation: www.apache.org --Apache official website
# yum install httpd* --Install the httpd service
# httpd -t --Check the correctness of the configuration file
# rm -rf /etc/httpd/conf.d/welcome.conf --Delete the welcome page; because httpd-manual is also installed, the manual can be accessed at /ServerIp/manual
4. Run in two modes: prefork, worker
prefork mode:
prefork is the default MPM on Unix platforms. It uses multiple child processes, each with only one thread. Each process can maintain only one connection at a time, which is highly efficient but takes up a lot of memory.
This multi-processing module (MPM) implements a non-threaded, pre-forking web server that works similarly to Apache 1.3. It is suitable for systems that do not have thread-safe libraries and need to avoid thread compatibility issues. It is the best MPM when each request must be independent of the others, so that a problem with one request does not affect other requests.
worker mode:
worker uses multiple child processes, each with multiple threads. Each thread can maintain only one connection at a time. Memory usage is relatively small, which suits high-traffic HTTP servers. The disadvantage is that if one thread crashes, the entire process "dies" along with all of its threads, so a program must be recognized by the system as thread-safe when it runs.
This multi-processing module (MPM) lets the web server combine multi-threading and multi-processing. Because threads are used to process requests, a large number of requests can be handled with less system resource overhead than with a process-based MPM. It still uses multiple processes, each with multiple threads, to keep the stability of a process-based MPM.
# httpd -l --View the running mode; the default is prefork.c
# mv -v /usr/sbin/httpd{,.prefork} --Back up prefork mode
# mv -v /usr/sbin/httpd{.worker,} --Use worker mode
2. Detailed explanation of configuration file
1. Global environment parameters
ServerTokens OS --In the response header information sent by the server, the Apache version and operating system name are displayed
ServerRoot "/etc/httpd" --The base directory of the server. Generally speaking, it contains the conf/ and logs/ subdirectories. The relative paths of other configuration files are based on this directory.
PidFile run/httpd.pid --The location of the PID file of the first httpd process (the parent process of all other processes).
Timeout 60 --If no data is received or sent for 60 seconds, the connection is closed
KeepAlive Off --Persistent connections are not used by default, that is, a client connection can only be answered with one file per request. It is recommended to allow it
MaxKeepAliveRequests 100 --With keep-alive in use, the maximum number of files that can be served over one client connection. If the limit is exceeded, the connection is closed.
KeepAliveTimeout 15 --With keep-alive in use, the connection is closed if the interval between two consecutive requests exceeds 15 seconds
.................
Listen 80 --The port number the server listens on; more listening ports can be opened
Include conf.d/*.conf --Include all configuration files ending in .conf in the /etc/httpd/conf.d directory
User apache --The user of the sub-process that provides services
Group apache --The user group of the child process that provides the service
ServerAdmin root@george.com --The administrator’s email address
ServerName mail.george.com:80 --Main site name (host name of the website)
UseCanonicalName Off
DocumentRoot "/var/www/html" --Set the Web document root directory; but you can use symbolic links and aliases to point to other locations; if it is not an absolute path, it is assumed to be a path relative to ServerRoot
2. Path control parameters
DirectoryIndex index.html index.html.var --The default web page file name of the website, the left side takes precedence
AccessFileName .htaccess --Specify the name of the protected directory configuration file
--------------------------------------------------------------------------------
<Directory directory-path> --Used to enclose a group of directives so that they apply only to a certain directory and its subdirectories. The directory is one on the file system
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
Deny from 192.168.133.22
</Directory>
directory-path --Can be a complete directory path, or a wildcard string using Unix shell matching syntax. In a wildcard string, "?" matches any single character and "*" matches any sequence of characters. "[]" can be used to give a character range. Regular expressions can be used after the "~" character
Options --The value of this directive can be "None", "All", or any combination of the following options: Indexes (with a '-' in front, directory listing on the website is turned off; without it, listing is on); Includes; FollowSymLinks; SymLinksIfOwnerMatch; ExecCGI; MultiViews
AllowOverride --Controls which directives may be placed in .htaccess files. It can be All, None (no configuration in .htaccess is read), or a combination of the following: Options; FileInfo; AuthConfig; Limit
Order, Allow, Deny --Control who can get service. For Order, the keyword on the right has the final say, and the order can be reversed
--------------------------------------------------------------------------------
<Files filename> --Applies to the specified file; can be placed under a certain Directory or globally
Order deny,allow
Allow from all
</Files>
--------------------------------------------------------------------------------
<Location /server-status> --Allow viewing the server status (or information) through the URL "http://servername/server-status"; Location mainly controls URLs
SetHandler server-status(server-info)
Order deny,allow
Allow from all
</Location>
--------------------------------------------------------------------------------
Alias /url-path /filesystem-path --Map a URL to a file system path (an ln -s symbolic link on the system can achieve the same)
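How the Order keyword decides between Allow and Deny, as an added example that is not part of the original article: a small Python model of the Apache 2.2 evaluation rules, applied to the Directory block above. The function names are hypothetical, and only "all", single IPs and CIDR blocks are modelled (host names, partial IPs and env= are left out).

```python
import ipaddress

def _matches(client, specs):
    """True if the client IP matches any 'from' value: 'all', an IP, or a CIDR block."""
    addr = ipaddress.ip_address(client)
    for spec in specs:
        if spec.lower() == "all":
            return True
        if addr in ipaddress.ip_network(spec, strict=False):
            return True
    return False

def is_allowed(order, allow, deny, client):
    """Evaluate Apache 2.2 Order/Allow/Deny for one client address."""
    allowed = _matches(client, allow)
    denied = _matches(client, deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Allow is checked first and Deny last: anything not explicitly
        # allowed is rejected, and a Deny match overrides an Allow match.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is checked first and Allow last: anything not explicitly
        # denied is accepted, and an Allow match overrides a Deny match.
        return allowed or not denied
    raise ValueError("Order must be 'allow,deny' or 'deny,allow'")

# The Allow/Deny lines of the Directory example on this page.
ALLOW, DENY = ["all"], ["192.168.133.22"]

def demo():
    """Evaluate both Order settings for the denied host and a neighbour."""
    rows = []
    for order in ("allow,deny", "deny,allow"):
        for client in ("192.168.133.22", "192.168.133.23"):
            rows.append((order, client, is_allowed(order, ALLOW, DENY, client)))
    return rows

if __name__ == "__main__":
    for order, client, ok in demo():
        print(f"Order {order:<10} {client:<15} -> {'allowed' if ok else 'denied'}")
```

With "Order deny,allow" the "Deny from 192.168.133.22" line has no effect, because "Allow from all" is evaluated last and wins.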
3. User password control for directory access (non-system users)
<Directory directory-path> --In theory this can also be used in Location and Files
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
AuthName "Authenticate yourself" --Prompt shown by the browser when the URL is opened
AuthType Basic
AuthUserFile /etc/httpd/userpasswd --User & password file location
Require valid-user
</Directory>
# htpasswd -c /etc/httpd/userpasswd frank --Create a user allowed to access
# htpasswd /etc/httpd/userpasswd george --Create another user; remember that the '-c' parameter creates the password file and can only be used when creating the first user.
Note: If a directory uses password-controlled access, the directory will not be visible when its parent directory is listed through a web browser; that is, the directory will be hidden. But it can be accessed by directly entering the url (even if you have an account and password).
4. Domain name-based virtual host
NameVirtualHost *:80 --Add this configuration to set port 80 as the virtual host port
<VirtualHost *:80> --The first virtual host
ServerName www.george.com
DocumentRoot /var/www/html/
.............
</VirtualHost>
<VirtualHost *:80> --The second virtual host
ServerName mail.george.com
DocumentRoot /var/www/cgi-bin/openwebmail/
ScriptAlias /mail /var/www/cgi-bin/openwebmail/openwebmail.pl
<Location />
......................
</Location>
</VirtualHost>
If the ServerName parameter in this experiment is set to an IP address, we can also make an IP-based virtual host
5. Log parameters
ErrorLog logs/error_log --The storage location of the error log
LogLevel warn --Define the error log level, include: debug, info, notice, warn, error, crit, alert, emerg.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
............
LogFormat "%{User-agent}i" agent --These four LogFormat lines are the default access log formats
CustomLog logs/access_log combined --Use combined access log format
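The combined format defined above, parsed and used for a simple check (an added example, not from the original article): count 401 responses per client, which is how repeated failures against the password-protected directory from section 3 show up in access_log. The log lines are constructed samples, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# One named group per field, in the order of the "combined" LogFormat.
# Quoted fields may contain \" because httpd escapes quotes when logging.
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

def parse_line(line):
    """Return a dict of fields for one access_log line, or None if it does not match."""
    m = COMBINED.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def auth_failures(lines, threshold=3):
    """Return ({client: count} for clients with >= threshold 401s, unparsed line count)."""
    counts = Counter()
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # keep track of lines the parser could not read
            continue
        if rec["status"] == 401:
            counts[rec["host"]] += 1
    return {h: n for h, n in counts.items() if n >= threshold}, skipped

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [10/Oct/2024:13:55:36 +0800] "GET /private/ HTTP/1.1" 401 381 "-" "curl/8.0"',
    '192.0.2.10 - frank [10/Oct/2024:13:55:37 +0800] "GET /private/ HTTP/1.1" 401 381 "-" "curl/8.0"',
    '192.0.2.10 - frank [10/Oct/2024:13:55:38 +0800] "GET /private/ HTTP/1.1" 401 381 "-" "curl/8.0"',
    '198.51.100.7 - george [10/Oct/2024:13:56:01 +0800] "GET /private/ HTTP/1.1" 200 1042 '
    '"http://www.george.com/" "Mozilla/5.0 (\\"test\\")"',
    '198.51.100.7 - - [10/Oct/2024:13:56:02 +0800] "GET /missing HTTP/1.1" 404 - "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    failures, skipped = auth_failures(SAMPLE)
    print("clients with repeated 401s:", failures)
    print("unparsed lines:", skipped)
```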
%h – The client's IP address or host name
%l – The RFC 1413 identity determined by the client's identd. A "-" symbol in the output indicates that the information is not available.
%u – The name of the client who accessed the web page, as obtained by the HTTP authentication system. It is only valid if there is authentication. A "-" symbol in the output indicates that the information is not available.
%t – The time when the server completed processing the request.
"%r" – The request line sent by the client, in quotation marks; it contains a lot of useful information.
%>s – This is the status code returned by the server to the client.
%b – The last item is the number of bytes returned to the client excluding response headers.
"%{Referer}i" – This item indicates which web page the request was submitted from.
"%{User-Agent}i" – This item is the browser identification information provided by the customer's browser.
6. SSL encryption configuration
# yum install -y mod_ssl --Install encryption module
# vim /etc/httpd/conf.d/ssl.conf
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/pki/tls/certs/localhost.crt --Configure the public key file
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key --Configure the private key file
SSLOptions +StdEnvVars
ServerName www.george.com
DocumentRoot /var/www/cgi-bin/openwebmail/
ScriptAlias /mail /var/www/cgi-bin/openwebmail/openwebmail.pl
SSLOptions +StdEnvVars
Options Indexes
order deny,allow
Allow from all
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
6.1. Configure your own certificate
# mkdir /etc/pki/test/
# cd /etc/pki/test
# openssl genrsa -out /etc/pki/test/test.key 1024 --Private key
# openssl req -new -key test.key -out test.csr
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:guangDong
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:IT
Organizational Unit Name (eg, section) []:maintenance
Common Name (eg, your name or your server's hostname) []:www.george.com
Email Address []:root@mail.george.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:Azt
# openssl req -x509 -days 365 -key test.key -in test.csr -out test.crt --Public key
# ls --Then configure the following test.crt && test.key in /etc/httpd/conf.d/ssl.conf
test.crt test.csr test.key
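A check for the ssl.conf values shown in section 6, as an added example that is not part of the original article: it resolves SSLProtocol the way mod_ssl applies its +/- arguments and reports legacy protocols and a cipher string that does not exclude 3DES (in OpenSSL cipher syntax "+3DES" only moves those ciphers to the end of the list). The function names, the protocol list behind "all" and the HARDENED sample are assumptions.

```python
# Protocol names "all" can stand for. Assumption: the real set depends on the
# httpd and OpenSSL build; this list is the superset used for the audit.
ALL = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
CANON = {p.lower(): p for p in ALL}

def enabled_protocols(args):
    """Resolve SSLProtocol arguments left to right."""
    enabled = set()
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = set(ALL) if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = set(names)      # a bare name replaces what was set so far
    return enabled

def audit(conf_text):
    """Return (line number, directive, message) for each weak TLS setting."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        if name.lower() == "sslprotocol":
            bad = sorted(enabled_protocols(args) & LEGACY)
            if bad:
                findings.append((n, "SSLProtocol", "legacy protocols enabled: " + ", ".join(bad)))
        elif name.lower() == "sslciphersuite" and args:
            if "!3DES" not in args[0].split(":"):
                findings.append((n, "SSLCipherSuite", "3DES is not excluded with !3DES"))
    return findings

# The values from the ssl.conf listing on this page.
PAGE_CONF = """\
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
"""

# Constructed comparison: TLS 1.2 only, 3DES excluded.
HARDENED = """\
SSLEngine on
SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
"""

if __name__ == "__main__":
    for label, conf in (("page", PAGE_CONF), ("hardened", HARDENED)):
        print(label, audit(conf) or "no findings")
```

The key size in 6.1 deserves the same review: 1024-bit RSA is below the 2048-bit minimum that publicly trusted CAs have required since 2014, so a larger size is the usual choice for openssl genrsa.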
6.2. Test the certificate you configured
But the certificate we created ourselves is recognized by the browser as untrusted; the certificate status also reads "Because the CA root certificate is not in the "Trusted Root Certification Authority" store, it is not trusted."
We need to manually import the certificate (test.crt) we created ourselves into the browser's "Trusted Root Certification Authority" and "Trusted Publisher" stores. Taking Google Chrome as the example, the steps are as follows:

Then, several more dialog boxes will pop up. We click "Next" - "Finish" - "Yes". That's OK.

At this time, use a browser to open our website and check the status of the certificate: "There is no problem with the certificate."
