Chapter III Management and optimization of Apache

1. Role of Apache:
http:// is what is normally used when the web is accessed
http://  ## Hyper Text Transfer Protocol
Software that provides the http:// (Hypertext Transfer Protocol) service:
  Apache
  nginx
  stgw
  jfe
  Tengine

2. Install Apache
  dnf search Apache  # Search for the package
  dnf install httpd.x86_64 -y   # Install the service

3. Enabling Apache
  systemctl   enable --now httpd   # Start the service now and enable it at boot
  firewall-cmd --list-all  ## View firewall information
  firewall-cmd --permanent --add-service=http  # Permanently allow HTTP access in the firewall
  firewall-cmd --reload  # Reload the firewall so the setting takes effect
  vim /var/www/html/index.html  # Modify the default test page
   hello world

  Test: 172.25.254.117 should show hello world

  4. Basic information of Apache:
1) Service Name: httpd
2) Configuration files:
  /etc/httpd/conf/httpd.conf  ## Main configuration file
  /etc/httpd/conf.d/*.conf    ## Sub-configuration files
3) Default publishing directory: /var/www/html
4) Default publishing file: index.html
5) Default port: 80 (http) [443 for https]
6) User: apache
7) Log: /etc/httpd/logs

5. Basic configuration of Apache
1) Apache port modification
vim /etc/httpd/conf/httpd.conf # modify Apache's main configuration file
  # Change the default port to 8080 (around line 45)
  Listen 8080
systemctl restart httpd   # Restart the service
firewall-cmd --permanent --add-port=8080/tcp   # Permanently open TCP port 8080 in the firewall
firewall-cmd --reload  # Reload the firewall


*Test: http://172.25.254.117:8080 [the previous port 80 can no longer be accessed]


==After this experiment, restore the port number to the default==  

2) Default publish file

 cd /var/www/html
 vim test.html
   hello test
vim /etc/httpd/conf/httpd.conf
    DirectoryIndex test.html index.html
systemctl restart httpd


*Test: http://172.25.254.117 should display hello test


3) Default publishing directory
mkdir /westos/html -p


ls -Zd /var/www/html # View the security context of /var/www/html
ls -Zd /westos/html # View the security context of the /westos/html directory
semanage fcontext -a -t httpd_sys_content_t '/westos/html(/.*)?'   # Permanently set the security context of the /westos/html directory
restorecon -RvvF /westos/html # Apply the new context
systemctl restart httpd  # Restart the service


vim /westos/html/index.html
      /westos/html's page
vim /etc/httpd/conf/httpd.conf
       * Comment out DocumentRoot "/var/www/html"
       DocumentRoot "/westos/html"
       <Directory "/westos/html">
            Require all granted
       </Directory>
systemctl restart httpd


*Test: http://172.25.254.117 should display /westos/html's page


**After the experiment, restore the environment: uncomment DocumentRoot "/var/www/html"
Note: the security context of the newly created /westos/html directory must be changed to match that of the /var/www/html directory; otherwise the page returned is, by default, a full page of English text

6. Access control of Apache
Experimental materials:

mkdir /var/www/html/westos
vim /var/www/html/westos/index.html
     /var/www/html/westos page


Test: visit 172.25.254.117/westos; the page that appears is: /var/www/html/westos page


1) Access control based on client ip
ip whitelist

vim /etc/httpd/conf/httpd.conf
     DocumentRoot "/var/www/html"
    <Directory "/var/www/html/westos">
          # Deny is read first, then Allow
          Order Deny,Allow
          # Only this IP host is allowed to access. Be sure to write the IP address of the real host
          Allow from 172.25.254.17
          Deny from all
    </Directory>
systemctl restart httpd


Test: 172.25.254.117/westos/ shows the page: /var/www/html/westos page


Note: Order sets which of Deny and Allow is read first. The IP you write must be the IP of the real host

ip blacklist

vim /etc/httpd/conf/httpd.conf
   DocumentRoot "/var/www/html"
   <Directory "/var/www/html/westos">
        # Allow is read first
        Order Allow,Deny
        Allow from 172.25.254.17
        # Deny is read last, so the result is that no IP can access the directory
        Deny from all
    </Directory>
systemctl restart httpd


##Note: delete the whitelist and blacklist entries just added after this experiment
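
The read order described above decides both which directive wins when a client matches Allow and Deny at once and what happens to a client that matches neither. The script below is an added example, not part of the original page: it models that rule for the two configurations shown and, going one step beyond the text, for a blacklist of a single address. It assumes list entries are exact IPs or "all", and 172.25.254.70 stands in for any other client.

```shell
#!/bin/sh
# Model of how Apache combines Order / Allow from / Deny from.
# Assumption: list entries are exact IP addresses or the keyword "all".

# in_list CLIENT ENTRY... -> success if CLIENT equals an entry or an entry is "all"
in_list() {
    client=$1
    shift
    for entry in "$@"; do
        if [ "$entry" = all ] || [ "$entry" = "$client" ]; then
            return 0
        fi
    done
    return 1
}

# access_decision ORDER CLIENT "ALLOW LIST" "DENY LIST" -> prints allowed|denied
access_decision() {
    order=$1 client=$2 allow=$3 deny=$4
    a=no d=no
    # The lists are left unquoted on purpose so they split into words.
    if in_list "$client" $allow; then a=yes; fi
    if in_list "$client" $deny; then d=yes; fi
    case $order in
        Deny,Allow)
            # Deny is read first, Allow second: an Allow match overrides
            # a Deny match, and a client matching neither is allowed.
            if [ "$d" = yes ] && [ "$a" = no ]; then echo denied; else echo allowed; fi
            ;;
        Allow,Deny)
            # Allow is read first, Deny second: a Deny match overrides
            # an Allow match, and a client matching neither is denied.
            if [ "$a" = yes ] && [ "$d" = no ]; then echo allowed; else echo denied; fi
            ;;
        *)
            echo "unknown order: $order" >&2
            return 2
            ;;
    esac
}

# The two configurations from the text, then a blacklist of one address.
for ip in 172.25.254.17 172.25.254.70; do
    echo "$ip Deny,Allow allow=.17 deny=all -> $(access_decision Deny,Allow "$ip" 172.25.254.17 all)"
    echo "$ip Allow,Deny allow=.17 deny=all -> $(access_decision Allow,Deny "$ip" 172.25.254.17 all)"
    echo "$ip Allow,Deny allow=all deny=.17 -> $(access_decision Allow,Deny "$ip" all 172.25.254.17)"
done
```

On Apache 2.4 these directives are provided by mod_access_compat; the native form of the whitelist is `Require ip 172.25.254.17`.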
 

2) Based on user authentication
cd /etc/httpd/
ls
htpasswd -cm .htauthfile admin  # Create the authentication file and the user admin, password 123
htpasswd -m .htauthfile lee  # Add the user lee, password 123
cat .htauthfile  # View the file
vim /etc/httpd/conf/httpd.conf  
    <Directory "/var/www/html/westos">
         AuthUserFile /etc/httpd/.htauthfile
         AuthName "Please input username and passwd !!!"
         AuthType basic
         # To let only the user lee in (admin then has no access), use this line instead:
         # Require user lee
         # Any user in the authentication file can access
         Require valid-user
   </Directory>

 systemctl restart httpd


Note: when /etc/httpd/.htauthfile already exists, do not use the -c parameter when adding users, otherwise the contents of the existing file will be overwritten
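
The -m option used above stores MD5 (apr1) hashes; htpasswd can also write bcrypt hashes with -B. The script below is an added example, not part of the original page: it reads an htpasswd-format file and reports the hash scheme of each entry. The sample file, its placeholder hash strings and the user "backup" are constructed for the demonstration.

```shell
#!/bin/sh
# List the hash scheme of every entry in an htpasswd-format file
# such as /etc/httpd/.htauthfile (one "user:hash" entry per line).

# htpasswd_schemes FILE -> prints "user scheme" for each entry
htpasswd_schemes() {
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        case $hash in
            '$apr1$'*)                   scheme=md5-apr1 ;;       # htpasswd -m
            '$2y$'* | '$2a$'* | '$2b$'*) scheme=bcrypt ;;         # htpasswd -B
            '{SHA}'*)                    scheme=sha1-unsalted ;;  # htpasswd -s
            *)                           scheme=other ;;
        esac
        printf '%s %s\n' "$user" "$scheme"
    done < "$1"
}

# not_bcrypt FILE -> prints the users whose entry is not a bcrypt hash
not_bcrypt() {
    htpasswd_schemes "$1" | awk '$2 != "bcrypt" { print $1 }'
}

# Constructed sample: the hash strings are placeholders, not real hashes.
sample_htauthfile() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
admin:$apr1$CONSTRUC$PLACEHOLDERxxxxxxxxxxx
lee:$apr1$CONSTRUC$PLACEHOLDERyyyyyyyyyyy
backup:$2y$05$CONSTRUCTEDPLACEHOLDERzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
EOF
    echo "$f"
}

f=$(sample_htauthfile)
htpasswd_schemes "$f"
echo "not on bcrypt: $(not_bcrypt "$f" | tr '\n' ' ')"
rm -f "$f"
```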

  testing:

7.Apache virtual host
On the real machine:
    vim /etc/hosts  # Set up client-side name resolution (add on the host where the browser runs)
       172.25.254.117 www.westos.org  linux.westos.org  luck.westos.org


On the virtual machine:

  mkdir -p /var/www/westos.org/{linux,luck} #Create the storage directories
   echo linux > /var/www/westos.org/linux/index.html #Write linux into the file
   echo luck > /var/www/westos.org/luck/index.html #Write luck into the file; pay attention to the path
   cat /var/www/westos.org/luck/index.html  #View the file contents
   cat /var/www/westos.org/linux/index.html 
   cd /etc/httpd/conf.d/  #Switch directory
   vim vhost.conf #Mind the absolute path when writing this file
     <VirtualHost _default_:80>
       DocumentRoot /var/www/html
       CustomLog logs/default.log combined
     </VirtualHost>

 

    <VirtualHost *:80>
       ServerName linux.westos.org
       DocumentRoot /var/www/westos.org/linux
       CustomLog logs/linux.log combined
    </VirtualHost>

    <VirtualHost *:80>
        ServerName luck.westos.org
        DocumentRoot /var/www/westos.org/luck
        CustomLog logs/luck.log combined
    </VirtualHost>

 systemctl restart httpd


 * Test: www.westos.org should display hello world
      linux.westos.org should display linux
      luck.westos.org should display luck

 

 

 

8.Apache language support
1)php
 

cd /var/www/html/
mkdir /var/www/html/php  #Create a php directory and pay attention to the path
dnf install php -y  #Install php
systemctl restart httpd  #Restart the service [you must restart the program after installation!!!]
cd php/
vim index.php  #Create a php program and pay attention to the path
  <?php
     phpinfo();
  ?>
systemctl restart httpd


Test: 172.25.254.117/php/index.php

2)cgi(perl)
 

mkdir /var/www/html/cgi  #When creating a cgi directory, be sure to pay attention to the path
cd /var/www/html/cgi
vim index.cgi  #Write cgi program
    #!/usr/bin/perl
    print "Content-type: text/html\n\n";
    print `date`;
perl index.cgi  #Run the program
   Content-type: text/html
   Fri Nov  5 09:58:07 CST 2021
chmod +x /var/www/html/cgi/index.cgi   #Add executable permissions
vim /etc/httpd/conf.d/vhost.conf   
   # The path must be written correctly
   <Directory "/var/www/html/cgi">
      Options +ExecCGI
      AddHandler cgi-script .cgi
      DirectoryIndex index.cgi
   </Directory>
systemctl restart httpd
semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/html/cgi(/.*)?' #Permanently set the security context of the directory
restorecon -RvvF /var/www/html/cgi  #Apply the new context


Test: 172.25.254.117/cgi/

 

3)wsgi(python)
 

mkdir /var/www/html/wsgi #Create storage directory
vim /var/www/html/wsgi/index.wsgi  #Write the wsgi program. The indentation must line up; Python is strict about formatting
   def application(env,westos):
       westos('200 ok',[('Content-Type', 'text/html')])
       return [b'hello westos']
dnf install python3-mod_wsgi -y   #Download and install
systemctl restart httpd
vim /etc/httpd/conf.d/vhost.conf #Edit the virtual host configuration file
    <VirtualHost *:80>
         # Server name
         ServerName wsgi.westos.org
         # The path must be written correctly
         WSGIScriptAlias / /var/www/html/wsgi/index.wsgi
    </VirtualHost>
systemctl restart httpd

 

On the real host: vim /etc/hosts  # Must be done as the superuser
          172.25.254.117  wsgi.westos.org


Test: wsgi.westos.org

 

9. Encrypted access to Apache
 

dnf install mod_ssl -y  #Install the encryption module
systemctl restart httpd  #Be sure to restart the service after each installation
mkdir /etc/httpd/tls  
openssl req -newkey rsa:2048 -nodes -sha256 -keyout /etc/httpd/tls/www.westos.org.key -x509 -days 365 -out /etc/httpd/tls/www.westos.org.crt  #Generate the certificate, the private key [cannot be less than 2048 bits] and the certificate signature file [-x509: certificate format; req: request; -in: load the certificate name]
vim /etc/httpd/conf.d/ssl.conf  #Edit the configuration file [specify the certificate and key files; the paths must be correct]
  #Lines 85 and 93 are commented out, then copied and changed to:
  #Line 85: specify the certificate. The path must be written correctly
  SSLCertificateFile /etc/httpd/tls/www.westos.org.crt
  #Line 93: specify the key file. The path must be correct
  SSLCertificateKeyFile /etc/httpd/tls/www.westos.org.key
systemctl restart httpd  #Restart the service
mkdir /var/www/westos.org/login  #Create a storage directory
echo login\'s page > /var/www/westos.org/login/index.html  #Write login's page into the file
cat /var/www/westos.org/login/index.html  #View the file contents
  login's page
vim /etc/httpd/conf.d/vhost.conf  #Edit the virtual host configuration file
   <VirtualHost *:80>
      ServerName login.westos.org
      RewriteEngine on
      # ^(/.*)$ : the address the client typed; %{HTTP_HOST} : the host the client requested; $1 : the value of the first (...) group in the RewriteRule pattern
      RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1
   </VirtualHost>

   # 443 is the port of the encrypted hypertext transfer protocol (https)
   <VirtualHost *:443>
       ServerName login.westos.org
       DocumentRoot "/var/www/westos.org/login"
       SSLEngine on
       SSLCertificateFile /etc/httpd/tls/www.westos.org.crt
       SSLCertificateKeyFile /etc/httpd/tls/www.westos.org.key
   </VirtualHost>
systemctl restart httpd


On the real host: vim /etc/hosts  # Must be done as the superuser
          172.25.254.117  login.westos.org


Test: visit login.westos.org; it automatically switches to the encrypted (https) address

 

 

 

 

10.squid

  squid forward proxy

Forward proxy: when a cached page is accessed a second time, the browser gets the requested data directly from the local proxy server instead of requesting it from the original web site, which saves network bandwidth and improves access speed


Two hosts are required. One host can access the Internet (the squid proxy) and one host cannot; the host without Internet access reaches web pages through the host that has it
Experimental result: the single-NIC host cannot access the Internet, but its browser can open Internet web pages
Operation:

On nodea, the dual-NIC host: [make sure the software repository is set up successfully]

nmcli connection show 
nmcli connection delete Wired\ connection\ 1
cd /etc/sysconfig/network-scripts/
vim ifcfg-ens3   #Configure network ip address
   DEVICE=ens3
   ONBOOT=yes
   BOOTPROTO=none
   IPADDR=172.25.254.170
   NETMASK=255.255.255.0
   NAME=ens3
   DNS1=114.114.114.114
   GATEWAY=172.25.254.70   
nmcli connection reload
nmcli connection up ens3
nmcli connection show
dnf install squid -y  #Install squid
vim /etc/squid/squid.conf   #Edit the main configuration file
   Line 59 should read http_access allow all
   Line 65: uncomment
systemctl start squid   #Start the squid service
firewall-cmd --permanent --add-service=squid    #Permanently add the squid service to the firewall
firewall-cmd --reload   #Reload the firewall
firewall-cmd --add-masquerade  #Enable address masquerading

 

  On nodeb, the single-NIC host: [be sure to pay attention to the path]

nmcli connection show
nmcli connection delete Wired\ connection\ 1
cd /etc/sysconfig/network-scripts/   #Configure network files
vim ifcfg-ens3
   DEVICE=ens3
   ONBOOT=yes
   BOOTPROTO=none
   IPADDR=172.25.254.200
   NETMASK=255.255.255.0
   NAME=ens3
nmcli connection reload
nmcli connection up ens3
nmcli connection show
dnf install firefox -y
ping www.baidu.com  #The ping fails

    Open Firefox and set the proxy in Firefox
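
With `http_access allow all` as the deciding rule, squid serves every client that can reach its port, which is what this two-host lab relies on. The script below is an added example, not part of the original page: it reports whether a squid.conf is in that state. The sample configuration and the ACL name `lab` (covering the lab subnet 172.25.254.0/24) are constructed.

```shell
#!/bin/sh
# squid checks http_access rules from top to bottom and the first rule
# that matches the request decides. This check looks only at rules whose
# sole ACL is "all"; it does not evaluate what other ACLs contain.

# squid_all_rule FILE -> prints the action (allow|deny) of the first
# "http_access <action> all" rule, or "none" when there is no such rule.
squid_all_rule() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        $1 == "http_access" && NF == 3 && $3 == "all" {
            print $2; found = 1; exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# proxy_exposure FILE -> "open" if every client is allowed, else "restricted"
proxy_exposure() {
    if [ "$(squid_all_rule "$1")" = allow ]; then echo open; else echo restricted; fi
}

# write_sample ACTION -> path of a constructed squid.conf excerpt whose
# last rule is "http_access ACTION all"
write_sample() {
    f=$(mktemp)
    cat > "$f" <<EOF
# constructed ACL for the lab subnet
acl lab src 172.25.254.0/24
http_access deny !Safe_ports
http_access allow lab
# last rule
http_access $1 all
EOF
    echo "$f"
}

open=$(write_sample allow)      # the state after the edit described above
closed=$(write_sample deny)     # only clients in the lab ACL are served
echo "ends in allow all: $(proxy_exposure "$open")"
echo "ends in deny all:  $(proxy_exposure "$closed")"
rm -f "$open" "$closed"
```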

   

squid reverse proxy  

On nodeb
 

dnf install httpd -y  #Install httpd
systemctl start httpd   #Start the httpd service
firewall-cmd --add-service=http    #Allow http in the firewall
echo 172.25.254.200 > /var/www/html/index.html   #Write 172.25.254.200 into /var/www/html/index.html

On nodea

vim /etc/squid/squid.conf  #Add to the main configuration file
   http_port 80 vhost vport
   cache_peer 172.25.254.200 parent 80  0 proxy-only
systemctl restart squid.service    #Restart the squid service
firewall-cmd --add-service=http    #Allow http in the firewall

  Test: visit from Firefox

 


Posted on Thu, 11 Nov 2021 16:21:53 -0500 by mrblom