Detailed explanation of HTTP service construction examples-Linux Operation and Maintenance-php.cn

1. Introduction

1. Get to know

Encrypted web page (https): tcp:443　　　Clear text web page (http): tcp: 80

survey.netcraft.net 　　　　 --You can check the latest website server usage on this website

Hypertext Transfer Protocol (HTTP, HyperText Transfer Protocol) is the The most widely used network protocol. All WWW files must comply with this standard. The original purpose of designing HTTP was to provide a method for publishing and receiving HTML pages

2. Apache

Apache HTTP Server (referred to as Apache ) is an open source web server from the Apache Software Foundation, which can run on most computer operating systems. It is widely used due to its multi-platform and security and is one of the most popular web server-side software. Its Features are as follows: 

1. Supports the latest HTTP/1.1 communication protocol

2. Has a simple and powerful file-based configuration process

 3. Support common gateway interface

4. Support IP-based and domain name-based virtual hosts

5. Support multiple methods of HTTP authentication

6. Integrate Perl processing module 

7. Integrated proxy server module

8. Supports real-time monitoring of server status and customized server logs

9. Supports server-side inclusion instructions (SSI)

10. Support Secure Socket Layer (SSL)

11. Provide tracking of user session process

12. Support FastCGI

13. Support JavaServlets# through third-party modules 

##3. Installation: www.apache.org --apache official website

# yum install httpd* --installation httpd service

# httpd -t --Check the correctness of the configuration file

# rm -rf /etc/httpd/conf.d/welcome.conf --Delete the welcome interface; because it is installed httpd-manual, so you can access

/ServerIp/manual

 4. Run in two modes: prefork, worker

prefork mode: prefork is the default (default) MPM on Unix platforms,  uses multiple child processes, each child process has only one thread . Each process can only maintain one connection at a certain time, which is highly efficient, but takes up a lot of memory. 
This multiprocessing module (MPM) implements a non-threaded, pre-forked web server that works similar to Apache 1.3. It is suitable for systems that do not have thread-safe libraries and need to avoid thread compatibility issues. It is the best MPM when each request is required to be independent of each other, so that if a problem occurs with one request, it will not affect other requests. 
worker mode: 
worker uses  multiple sub-processes, each sub-process has multiple threads , each thread at a certain time Only one connection can be maintained,  the memory usage is relatively small, suitable for high-traffic http servers . The disadvantage is that if a thread crashes, the entire process will "die" along with any of its threads, so to ensure that a program must be recognized by the system as "every thread is safe" when it is running. 
This multi-processing module (MPM) enables the network server to support mixed multi-threading and multi-processing. Because threads are used to process requests, massive requests can be processed with less system resource overhead than process-based MPM. But it also uses multiple processes, each with multiple threads, to gain the stability of process-based MPM. 
# httpd -l --View the running mode, the default is prefork.c
# mv -v /usr/sbin/httpd{,.prefork} --Backup prefork mode
# mv -v /usr/sbin/httpd{.worker,} --Use worker mode
 
2. Detailed explanation of configuration file
1. Global environment parameters
ServerTokens OS --When the server responds to the host header (header) information, the Apache version and operating system name are displayed
ServerRoot "/etc/httpd"  --The base directory of the server. Generally speaking, it will contain the conf/ and logs/ subdirectories. The relative paths of other configuration files are based on this directory. 
PidFile run/httpd.pid --The process number file location of the first httpd process (the parent process of all other processes). 
Timeout 60 --If no data is received or sent after 60 seconds, the connection will be cut off
KeepAlive Off --Not used by default The function of keeping the connection, that is, the client can only respond to one file at a time by requesting a connection.  It is recommended to allow 
MaxKeepAliveRequests 100 --When the connection is kept, set the client to request one time The maximum upper limit of the connection that can respond to files. If it exceeds the limit, it will be disconnected. 
KeepAliveTimeout 15 --When using the keep-alive function, if the time interval between two adjacent connections exceeds 15 seconds, it will be disconnected. connect
.................
Listen 80  --The port number that the server listens to; You can open more listening ports 
Include conf.d/*.conf --Will All configuration files ending with conf in the /etc/httpd/conf.d directory are included
User apache --The user of the sub-process that provides services
Group apache --The user group of the child process that provides the service
ServerAdmin root@george.com --The administrator’s email address
 ServerName mail.george.com:80 --Main site name (host name of the website) 
UseCanonicalName Off
DocumentRoot "/var/www/html" --Set the Web document root directory; but you can use symbolic links and aliases to point to other locations; if it is not an absolute path, it is assumed to be a path relative to ServerRoot
 2. Path control parameters 
DirectoryIndex index.html index.html.var --The default web page file name of the website, the left side takes precedence 
AccessFileName .htaccess --Specify the name of the protected directory configuration file
---------------------------------- -------------------------------------------------- --------------------------
 --Used to encapsulate a group directive, making it effective only for a certain directory and its subdirectories. For a directory on the file system
##Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
Deny from 192.168.133.22
Directory-path -- can be a complete directory A path, or a wildcard string containing Unix shell matching syntax. In a wildcard string, "?" matches any single character, and "*" matches any sequence of characters. You can also use "[]" to determine the character range. You can also use regular expressions after the "~" character 
Options --The value of this command can be "None", "All", or the following options Any combination of: Indexes (with '-' in front, the function of listing directories on the website is turned off, without it, and vice versa); Includes; FollowSymLinks; SymLinksifOwnerMatch; ExecCGI; MultiViewsAllowOverride --Control directives placed in .htaccess files. It can be All, None (cannot see any configuration in .htaccess), or a combination of the following directives: Options;FileInfo;AuthConfig;Limit
Order,Allow ,Deny --Control who can get services. The parameters of oreder are ultimately based on the one on the right, and the order can be reversed
------------------------ -------------------------------------------------- ----------------------------------
 --For the specified file ,  can be under a certain Directory or globally  
Order deny,allow
Allow from all
 -------------------------------------------------- -------------------------------------------------- -----
 -- Allow viewing in the form of URL "http://servername/server-status" Server status (or information); Location mainly controls the URL
##SetHandler server-status(server-info)
Order deny,allow
Allow from all
------------------ -------------------------------------------------- -------------------------------------
Alias ​​ /url-path /filesystem-path --Map URL to file system path; (You can also use ln -s soft link on the system to achieve it)
3. User password control for directory access (non-system users)
 --Theory can also be found in Location,file
Options Indexes FollowSymLinks
AllowOverride None Order allow,deny
Allow from all
authname "Authenticate yourself"　——Browser prompts for opening the url
authtype basic
authuserfile /etc/httpd/userpasswd　 --User & password file location
require valid-user
# htpasswd -c /etc/httpd/userpasswd frank --Create a user allowed to access 
# htpasswd /etc/httpd/userpasswd george - -Create another one, remember the '-c' parameter, which is to create the password file and can only be used when creating the first user. 
Note: If a directory uses password-controlled access, the directory will not be visible when its parent directory is listed through a web browser; that is, the directory will be hidden. But it can be accessed by directly entering the url (even if you have an account and password). 
4. Domain name-based virtual host
NameVirtualHost *:80 --Add this configuration to set port 80 as the virtual host port 
 --The first virtual host
ServerName www.george.com
DocumentRoot /var/www/html/
.............
< /Directory>
 
 --The second virtual host
ServerName mail.george .com
DocumentRoot /var/www/cgi-bin/openwebmail/
ScriptAlias ​​/mail /var/www/cgi-bin/openwebmail/openwebmail.pl
< ;Location />
......................
 
 If the SeverName parameter of this experiment is connected to the IP address, we can also make an IP-based virtual host
5. Log parameters
 ErrorLog logs/error_log --The storage location of the error log
LogLevel warn --Define the error log level, include: debug, info, notice, warn, error, crit, alert, emerg.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User- Agent}i\"" combined
............
LogFormat "%{User-agent}i" agent --The four items areDefault format of access log
CustomLog logs/access_log combined --Use combined access log format
%h –Client’s ip address or host name
%l –The This is the RFC 1413 identity determined by the client's identd. The "-" symbol in the output indicates that the information here is invalid. 
%u – The name of the client who accessed the webpage obtained by the HTTP authentication system. It is only valid if there is authentication. The "-" symbol in the output indicates that the information here is invalid. 
%t – The time when the server completed processing the request. 
"%r" – The quotation marks are the content of the request sent by the customer that contains a lot of useful information. 
%>s – This is the status code returned by the server to the client. 
%b – The last item is the number of bytes returned to the client excluding response headers. 
"%{Referer}i" – This item indicates which web page the request was submitted from. 
"%{User-Agent}i" – This item is the browser identification information provided by the customer's browser. 
6. SSL encryption configuration
# yum install -y mod_ssl --Install encryption module
# vim /etc/httpd/conf.d /ssl.conf
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/pki/tls/certs/localhost.crt --配置公钥文件
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key --配置秘钥文件
SSLOptions +StdEnvVars
ServerName www.george.com
DocumentRoot /var/www/cgi-bin/openwebmail/
ScriptAlias /mail /var/www/cgi-bin/openwebmail/openwebmail.pl
SSLOptions +StdEnvVars
Options Indexes
order deny,allow
Allow from all
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
6.1、自己配置证书
# mkdir /etc/pki/test/
# cd /etc/pki/test
# openssl genrsa -out /etc/pki/test/test.key 1024 --秘钥
# openssl req -new -key test.key -out test.csr
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:guangDong
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:IT
Organizational Unit Name (eg, section) []:maintenance
Common Name (eg, your name or your server's hostname) []:www.george.com 
Email Address []:root@mail.george.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:Azt
# openssl req -x509 -days 365 -key test.key -in test.csr -out test.crt --Public key
# ls --Then configure the following test.crt && test.key to /etc /httpd/conf.d/ssl.conf
test.crt test.csr test.key 
6.2. Test the certificate you configured
But the certificate we created ourselves is recognized in the browser as untrusted; The certificate status is also "Because the CA root certificate is not in the "Trusted Root Certification Authority" store, it is not trusted. ”
　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　We need to manually import the certificate (test.crt) we created ourselves in the browser to the "Trusted Root Certification Authority"&&"Trusted Publisher" ". Taking Google Chrome as the column, the steps are as follows:  Then, several more dialog boxes will pop up. We click "Next" - "Finish" - "Yes ". That's OK. 
　
At this time, use a browser to open our website and check the status of the certificate "There is no problem with the certificate." 

The above is the detailed content of Detailed explanation of HTTP service construction examples. For more information, please follow other related articles on the PHP Chinese website!