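Continuing from the previous post, "Web Services (2): A Detailed Introduction to httpd Configuration Parameters", this post covers the configuration of a few more parameters, as well as compiling and installing httpd-2.4.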
1. Parameter configuration
13. Implementing the HTTPS protocol
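Before implementing https you need to understand openssl and have a CA in place. For details on openssl, see "Openssl, encryption, decryption and the process of implementing a private CA".
What the SSL handshake has to accomplish:
Exchange protocol version numbers
Select an encryption method that both sides support
Authenticate both ends
Key exchange
https is a binary-format protocol that listens on tcp port 443. SSL sessions are established per IP address; they are not supported on FQDN-based virtual hosts.
Now let's configure https directly:
Here a single machine serves as both the CA and the client.
Create the CA and sign the client certificate: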
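    # Create the CA; the detailed process is not pasted here, the steps are as follows
    [Linux85]#cd /etc/pki/CA/
    [Linux85]#(umask 077;openssl genrsa -out private/cakey.pem 2048)
    [Linux85]#openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
    [Linux85]#touch index.txt serial crlnumber
    [Linux85]#echo 00 > serial
    # Generate the client certificate and have the CA sign it; the CA and the client are the same machine here, but they can also be two separate machines
    [Linux85]#mkdir /etc/httpd/ssl
    [Linux85]#cd /etc/httpd/ssl
    # Note: this key is 1024-bit RSA, which is below the 2048-bit minimum accepted today; the CA key above uses 2048
    [Linux85]#(umask 077;openssl genrsa -out httpd.key 1024)
    [Linux85]#openssl req -new -key httpd.key -out httpd.csr
    [Linux85]#openssl ca -in httpd.csr -out httpd.crt -days 365
    # When finished, install the CA certificate into Windows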
Install the mod_ssl module and change the main configuration file to support the ssl protocol:
    [Linux85]#yum -y install mod_ssl
    [Linux85]#rpm -ql mod_ssl
    /etc/httpd/conf.d/ssl.conf
    /usr/lib64/httpd/modules/mod_ssl.so
    /var/cache/mod_ssl
    /var/cache/mod_ssl/scache.dir
    /var/cache/mod_ssl/scache.pag
    /var/cache/mod_ssl/scache.sem
    [Linux85]#
    # Configuration
    [Linux85]#vim ssl.conf
    # Locate ServerName; enable the following two items
    # General setup for the virtual host, inherited from global configuration
    DocumentRoot "/var/www/html"
    ServerName www.soul.org:443
    # The next two items are the paths to the certificate and key files
    # Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase. Note that a kill -HUP will prompt again. A new
    # certificate can be generated using the genkey(1) command.
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    # Server Private Key:
    # If the key is not combined with the certificate, use this
    # directive to point at the key file. Keep in mind that if
    # you've both a RSA and a DSA private key you can configure
    # both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
    [Linux85]#service httpd start
    [Linux85]#ss -tunl | grep 443
    tcp LISTEN 0 128 :::443 :::*
    # Port 443 is listening, so the service started normally
Provide a home page file:
    [Linux85]#vim /var/www/html/index.html
    This is https test page!
    # Install the CA certificate into Windows
Test access succeeds; the https protocol works normally.
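Before pointing SSLCertificateFile and SSLCertificateKeyFile at new files, it helps to confirm that the certificate chains to the CA, matches the private key, and meets a minimum key size. The script below is an added example, not part of the original post; the function names, subject names, return codes and the 2048-bit default are assumptions of this example, and it signs with openssl x509 -req instead of openssl ca so that it runs in a temporary directory without /etc/pki/CA.

```shell
#!/bin/sh
# Added example. Return codes of check_cert are this example's own convention:
#   0 ok, 1 not signed by the CA, 2 certificate/key mismatch, 3 key too small

pubkey_hash() {   # $1 = x509|pkey, $2 = file; prints a digest of the public key
    case "$1" in
        x509) openssl x509 -in "$2" -noout -pubkey ;;
        pkey) openssl pkey -in "$2" -pubout ;;
    esac 2>/dev/null | openssl sha256
}

key_bits() {      # $1 = certificate; prints the public key size in bits
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

check_cert() {    # $1 = CA cert, $2 = server cert, $3 = server key, $4 = minimum bits
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    [ "$(pubkey_hash x509 "$2")" = "$(pubkey_hash pkey "$3")" ] || return 2
    [ "$(key_bits "$2")" -ge "${4:-2048}" ] || return 3
    return 0
}

make_demo_pki() { # $1 = empty directory; builds a throwaway CA and server pair
    ( cd "$1" && umask 077 &&
      openssl genrsa -out cakey.pem 2048 &&
      openssl req -new -x509 -key cakey.pem -out cacert.pem -days 1 \
          -subj "/CN=Demo CA" &&
      openssl genrsa -out httpd.key 2048 &&
      openssl req -new -key httpd.key -out httpd.csr -subj "/CN=www.example.test" &&
      openssl x509 -req -in httpd.csr -CA cacert.pem -CAkey cakey.pem \
          -CAcreateserial -out httpd.crt -days 1 &&
      openssl genrsa -out other.key 2048 ) >/dev/null 2>&1
}

# Constructed demo data: everything below lives in a temporary directory.
demo=$(mktemp -d)
make_demo_pki "$demo"
check_cert "$demo/cacert.pem" "$demo/httpd.crt" "$demo/httpd.key" && echo "ok to deploy"
check_cert "$demo/cacert.pem" "$demo/httpd.crt" "$demo/other.key" || echo "rejected: $?"
rm -rf "$demo"
```

Run against the files from this post, check_cert /etc/pki/CA/cacert.pem /etc/httpd/ssl/httpd.crt /etc/httpd/ssl/httpd.key would return 3, because httpd.key was generated with 1024 bits.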
14. Configuring the httpd status page
    [Linux85]#httpd -M | grep status    # if the module below is present, the status page can be configured
    status_module (shared)
    Syntax OK
    [Linux85]#
    [Linux85]#vim /etc/httpd/conf/httpd.conf
    # Locate "status"; find the following section and enable it
    # Allow server status reports generated by mod_status,
    # with the URL of http://servername/server-status
    # Change the ".example.com" to match your domain to enable.
    #
    <Location /server-status>
        SetHandler server-status
        # Authentication is added here for security
        AuthType Basic
        AuthName "server status"
        AuthUserFile "/etc/httpd/conf/.htpasswd"
        Require valid-user
        Order deny,allow
        Deny from all
        # Only this IP address may access the page
        Allow from 172.16.254.28
    </Location>
When tested, access requires authentication, and the page displays detailed httpd server information.
15. Using the mod_deflate module to compress pages and improve transfer speed
    [Linux85]#httpd -M | grep deflate
    deflate_module (shared)
    Syntax OK
    [Linux85]#
    #
    # Nothing is defined for this in the main configuration file, so create a new configuration file here
    [Linux85]#vim /etc/httpd/conf.d/deflate.conf
    SetOutputFilter DEFLATE
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE text/css
    # Level of compression (Highest 9 - Lowest 1)
    DeflateCompressionLevel 9
    # Netscape 4.x has some problems.
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    # Netscape 4.06-4.08 have some more problems
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    # MSIE masquerades as Netscape, but it is fine
    BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
    [Linux85]#service httpd restart
    Stopping httpd: [ OK ]
    Starting httpd: [ OK ]
    [Linux85]#
The test succeeded. This feature is not suitable for every situation; it requires reasonable judgment.
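2. Compiling and installing httpd-2.4
Because this post went unfinished for a long time, the later blog posts have already been completed, and they include compiling and installing version 2.4, so it is not repeated here. Link: "Compiling and installing LAMP on Linux and splitting it across multiple servers".
If there are any errors, corrections are welcome.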