Chapter III Management and optimization of Apache

1. Role of Apache:
http:// is usually used when the web is accessed
http://  ## Hypertext Transfer Protocol
http:// Hypertext Transfer Protocol provider software:

2. Install Apache
  dnf search Apache  # Search for the package
  dnf install httpd.x86_64 -y   # Install the service

3. Enabling Apache
  systemctl enable --now httpd   # Start the service now and enable it at boot
  firewall-cmd --list-all  ## View firewall information
  firewall-cmd --permanent --add-service=http  # Permanently allow HTTP access in the firewall
  firewall-cmd --reload  # Reload the firewall so the settings take effect
  vim /var/www/html/index.html  # Modify the default test page
   hello world

  Detection: visiting the server should show hello world

4. Basic information of Apache:
1) Service name: httpd
2) Configuration files:
  /etc/httpd/conf/httpd.conf  ## Main configuration file
  /etc/httpd/conf.d/*.conf    ## Sub-configuration files
3) Default publishing directory: /var/www/html
4) Default publishing file: index.html
5) Default port: 80  # http   [443 # https]
6) User: apache
7) Log: /etc/httpd/logs

5. Basic configuration of Apache
1) Apache port modification
vim /etc/httpd/conf/httpd.conf # Edit Apache's main configuration file
  # The default port is changed to 8080 (around line 45)
  Listen 8080
systemctl restart httpd   # Restart service
firewall-cmd --permanent --add-port=8080/tcp   # Permanently open TCP port 8080 in the firewall
firewall-cmd --reload  # Reload the firewall

*Detection: the previous port 80 can no longer be accessed

==After this experiment, restore the port number to the default==  

2) Default publish file

 cd /var/www/html
 vim test.html
   hello test
vim /etc/httpd/conf/httpd.conf
    DirectoryIndex test.html index.html
systemctl restart httpd

*Detection: the page should show hello test

3) Default publishing directory
mkdir /westos/html -p

ls -Zd /var/www/html # View the security context of /var/www/html
ls -Zd /westos/html # View the security context of the /westos/html directory
semanage fcontext -a -t httpd_sys_content_t '/westos/html(/.*)?'   # Permanently set the security context of the /westos/html directory
restorecon -RvvF /westos/html/ # Apply the new context
systemctl restart httpd  # Restart service

vim /westos/html/index.html
      /westos/html 's page
vim /etc/httpd/conf/httpd.conf
       # Comment out the original DocumentRoot
       #DocumentRoot "/var/www/html"
       DocumentRoot "/westos/html"
       <Directory "/westos/html">
            Require all granted
       </Directory>
systemctl restart httpd

*Detection: the page should show /westos/html 's page

**Restore the environment after the experiment: uncomment DocumentRoot "/var/www/html"
Note: the security context of the newly created /westos/html directory must be changed to match that of the /var/www/html directory, otherwise the page served is the default test page (a whole page of English)

6. Access control of Apache
Experimental materials:

mkdir /var/www/html/westos
vim /var/www/html/westos/index.html
     /var/www/html/westos page

Detection: on visiting, the page that appears is: /var/www/html/westos page

1) Access control based on client ip
ip whitelist

vim /etc/httpd/conf/httpd.conf
     DocumentRoot "/var/www/html"
    <Directory "/var/www/html/westos">
          # Deny is read first, then Allow
          Order Deny,Allow
          # Only this IP host is allowed to access. Be sure to write the IP address of the real host
          Allow from
          Deny from all
    </Directory>
systemctl restart httpd

Detection: the page that appears is: /var/www/html/westos page

Note: the Order line determines which directive is read first. When writing the IP, you must write the IP of the real host

ip blacklist

vim /etc/httpd/conf/httpd.conf
   DocumentRoot "/var/www/html"
   <Directory "/var/www/html/westos">
        # Allow is read first
        Order Allow,Deny
        Allow from
        # Deny is read last, so the result is that no IP can access it
        Deny from all
   </Directory>
systemctl restart httpd

##Note: delete the blacklist and whitelist entries just added after this experiment
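
The whitelist and blacklist above differ only in how `Order` combines the two lists. The following shell model of that rule is an added example, not part of the original post; it handles only exact IPs and `all`, and the 192.0.2.x addresses are constructed. On Apache 2.4 these directives come from mod_access_compat, and the native whitelist form is `Require ip` followed by the address.

```shell
#!/bin/sh
# Added example: model of how mod_access_compat resolves Order/Allow/Deny.
# Simplification (assumption): entries are exact IPs or "all"; the real
# module also accepts CIDR ranges, partial addresses and hostnames.

# in_list "LIST" CLIENT -> success if LIST contains "all" or CLIENT
in_list() {
  for entry in $1; do
    if [ "$entry" = "all" ] || [ "$entry" = "$2" ]; then return 0; fi
  done
  return 1
}

# access_decision ORDER "ALLOW LIST" "DENY LIST" CLIENT -> allowed|denied
access_decision() {
  allow_hit=no; deny_hit=no
  if in_list "$2" "$4"; then allow_hit=yes; fi
  if in_list "$3" "$4"; then deny_hit=yes; fi
  case "$1" in
    Deny,Allow)   # Deny is read first, Allow overrides it; default: allowed
      if [ "$deny_hit" = yes ] && [ "$allow_hit" = no ]; then echo denied
      else echo allowed; fi ;;
    Allow,Deny)   # Allow is read first, Deny overrides it; default: denied
      if [ "$allow_hit" = yes ] && [ "$deny_hit" = no ]; then echo allowed
      else echo denied; fi ;;
    *) echo "unknown Order: $1" >&2; return 2 ;;
  esac
}

# Constructed sample clients: .10 is the listed host, .99 is anyone else.
for client in 192.0.2.10 192.0.2.99; do
  echo "whitelist (Deny,Allow; Allow from .10; Deny from all): $client" \
       "$(access_decision Deny,Allow 192.0.2.10 all "$client")"
  echo "blacklist as written (Allow,Deny; Allow from .10; Deny from all): $client" \
       "$(access_decision Allow,Deny 192.0.2.10 all "$client")"
  echo "one host blocked (Allow,Deny; Allow from all; Deny from .10): $client" \
       "$(access_decision Allow,Deny all 192.0.2.10 "$client")"
done
```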

2) Based on user authentication
cd /etc/httpd/
htpasswd -cm .htauthfile admin  # Create the authentication file and add user admin, password 123
htpasswd -m .htauthfile lee  # Add user lee, password 123
cat .htauthfile  # View the file
vim /etc/httpd/conf/httpd.conf
    <Directory "/var/www/html/westos">
         AuthUserFile /etc/httpd/.htauthfile
         AuthName "Please input username and passwd !!!"
         AuthType basic
         # Only user lee can access; admin then cannot
         #Require user lee
         # All users in the authentication file can access
         Require valid-user
    </Directory>

 systemctl restart httpd

Note: when /etc/httpd/htpasswdfile exists, do not add the -c parameter when adding users, otherwise the contents of the existing file will be overwritten
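
`htpasswd -m` stores MD5-based `$apr1$` hashes, while `htpasswd -B` stores bcrypt. The script below is an added example (not from the original post) that reports the scheme of every entry in an htpasswd file; the sample entries are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added example: report which hash scheme each htpasswd entry uses.

# hash_scheme HASH -> scheme name, decided by the stored prefix
hash_scheme() {
  case "$1" in
    '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
    '$apr1$'*)                echo apr1-md5 ;;
    '{SHA}'*)                 echo sha1-unsalted ;;
    '$5$'*|'$6$'*)            echo sha2-crypt ;;
    *)                        echo crypt-or-plaintext ;;
  esac
}

# audit_htpasswd FILE -> one "user scheme" line per entry
audit_htpasswd() {
  while IFS=: read -r user hash rest; do
    case "$user" in ''|'#'*) continue ;; esac
    echo "$user $(hash_scheme "$hash")"
  done < "$1"
}

# count_weak FILE -> number of entries not stored as bcrypt or SHA-2 crypt
count_weak() {
  audit_htpasswd "$1" | grep -c -v -E ' (bcrypt|sha2-crypt)$' || true
}

# Constructed sample file; the hash bodies are placeholders, not real hashes.
sample_htpasswd() {
  cat <<'EOF'
admin:$apr1$CONSTRUCTED$notARealHashValue00000
lee:$2y$05$CONSTRUCTEDnotARealBcryptHashValue0000000000000000000
old:{SHA}CONSTRUCTEDnotARealDigest=
EOF
}

tmp=$(mktemp)
sample_htpasswd > "$tmp"
audit_htpasswd "$tmp"
echo "entries to re-create with htpasswd -B: $(count_weak "$tmp")"
rm -f "$tmp"
```

Basic authentication sends the password with every request in Base64, so the protected directory belongs behind the https virtual host from section 9.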


7.Apache virtual host
On the real machine:
    vim /etc/hosts  # Set up client name resolution (add it on the host where the browser runs)

On the virtual machine:

  mkdir -p /var/www/{linux,luck} #Create the storage directories
   echo linux > /var/www/ #Write linux into the file
   echo luck > /var/www/ #Write luck into the file; pay attention to the path
   cat /var/www/  #View file contents
   cat /var/www/
   cd /etc/httpd/conf.d/  #Switch directory
   vim vhost.conf #Note the absolute path when writing this file
     <VirtualHost _default_:80>
       DocumentRoot /var/www/html
       CustomLog logs/default.log combined
     </VirtualHost>

     <VirtualHost *:80>
       DocumentRoot /var/www/
       CustomLog logs/linux.log combined
     </VirtualHost>

     <VirtualHost *:80>
       DocumentRoot /var/www/
       CustomLog logs/luck.log combined
     </VirtualHost>

 systemctl restart httpd

 * Check: the three addresses display hello world, linux and luck respectively




8.Apache language support

cd /var/www/html/
mkdir /var/www/html/php  #Create a php directory; pay attention to the path
dnf install php -y  #Install php
systemctl restart httpd  #Restart the service [you must restart it after installation!!!]
cd php/
vim index.php  #Create a php program; pay attention to the path
systemctl restart httpd



mkdir /var/www/html/cgi  #Create the cgi directory; pay attention to the path
cd /var/www/html/cgi
vim index.cgi  #Write the cgi program
    #!/usr/bin/perl
    print "Content-type: text/html\n\n";
    print `date`;
perl index.cgi  #Run the program
   Content-type: text/html
   Fri Nov  5 09:58:07 CST 2021
chmod +x /var/www/html/cgi/index.cgi   #Add execute permission
vim /etc/httpd/conf.d/vhost.conf
   # The path must be written correctly
   <Directory "/var/www/html/cgi">
      Options +ExecCGI
      AddHandler cgi-script .cgi
      DirectoryIndex index.cgi
   </Directory>
systemctl restart httpd
semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/html/cgi(/.*)?' #Permanently set the security context of the directory
restorecon -RvvF /var/www/html/cgi  #Apply the new context




mkdir /var/www/html/wsgi #Create the storage directory
vim /var/www/html/wsgi/index.wsgi  #Write the wsgi program. The indentation must be aligned; Python has strict formatting requirements
   def application(env,westos):
       westos('200 ok',[('Content-Type', 'text/html')])
       return [b'hello westos']
dnf install python3-mod_wsgi -y   #Install mod_wsgi
systemctl restart httpd
vim /etc/httpd/conf.d/vhost.conf #Edit the virtual host configuration file
    <VirtualHost *:80>
         # Server name
         ServerName
         # The path must be written correctly
         WSGIScriptAlias / /var/www/html/wsgi/index.wsgi
    </VirtualHost>
systemctl restart httpd


On the real host: vim /etc/hosts  # Must be done as superuser



9. Encrypted access to Apache

dnf install mod_ssl -y  #Install the encryption module
systemctl restart httpd  #Be sure to restart the service after each installation
mkdir /etc/httpd/tls
openssl req -newkey rsa:2048 -nodes -sha256 -keyout /etc/httpd/tls/ -x509 -days 365 -out /etc/httpd/tls/  #Generate the certificate, the private key [cannot be less than 2048] and the certificate signature file [-x509: certificate format; -req: request; -in: name of the request to load]
vim /etc/httpd/conf.d/ssl.conf  #Edit the configuration file [specify the certificate and key file; the paths must be correct]
  #Lines 85 and 93 are commented out, then copied and changed to:
  #Specify the certificate (line 85). The path must be written correctly
  SSLCertificateFile /etc/httpd/tls/
  #Specify the key file (line 93). The path must be correct
  SSLCertificateKeyFile /etc/httpd/tls/
systemctl restart httpd  #Restart service
mkdir /var/www/  #Create a storage directory
echo login\'s page > /var/www/  #Write login's page into the file at this path
cat /var/www/  #View file contents
  login's page
vim /etc/httpd/conf.d/vhost.conf  #Edit the virtual host configuration file
   <VirtualHost *:80>
      RewriteEngine on
      # ^(/.*)$ matches the address the client requested; %{HTTP_HOST} is the host the client requested; $1 is the value captured by the first group in the RewriteRule pattern
      RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1
   </VirtualHost>

   # 443 is the port of the encrypted hypertext transfer protocol (https)
   <VirtualHost *:443>
       DocumentRoot "/var/www/"
       SSLEngine on
       SSLCertificateFile /etc/httpd/tls/
       SSLCertificateKeyFile /etc/httpd/tls/
   </VirtualHost>
systemctl restart httpd

On the real host: vim /etc/hosts  # Must be done as superuser

Detection: visit the http address and it automatically becomes an encrypted address






  squid forward proxy

Forward proxy: when a cached page is accessed for the second time, the browser obtains the requested data directly from the local proxy server instead of requesting it from the original web site, which saves network bandwidth and improves access speed

Two hosts are required. One host can access the Internet (the squid proxy) and one host cannot; the host that cannot access the Internet reaches web pages through the host that can
Experimental result: the single-NIC host cannot access the Internet, but its browser can open Internet web pages

On nodea, the dual-NIC host: [make sure the software repository has been set up successfully]

nmcli connection show 
nmcli connection delete Wired\ connection\ 1
cd /etc/sysconfig/network-scripts/
vim ifcfg-ens3   #Configure network ip address
nmcli connection reload
nmcli connection up ens3
nmcli connection show
dnf install squid -y  #Install squid
vim /etc/squid/squid.conf   #Edit the main configuration file
   Line 59 should read http_access allow all
   Line 65 uncomment
systemctl start squid   #Start the squid service
firewall-cmd --permanent --add-service=squid    #Permanently add the squid service to the firewall
firewall-cmd --reload   #Reload the firewall
firewall-cmd --add-masquerade  #Enable address masquerading


On nodeb, the single-NIC host: [be sure to pay attention to the path]

nmcli connection show
nmcli connection delete Wired\ connection\ 1
cd /etc/sysconfig/network-scripts/   #Configure network files
vim ifcfg-ens3
nmcli connection reload
nmcli connection up ens3
nmcli connection show
dnf install firefox -y
ping  #ping failed

    Open Firefox and set the proxy in Firefox
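
Squid evaluates `http_access` lines top to bottom and stops at the first match, so `http_access allow all` lets any client that can reach the proxy port use it. The model below is an added example (not from the original post) comparing that setting with a rule scoped to one client; the ACL name `labhost` and the addresses are constructed, and only `src` ACLs with exact IPs are modelled.

```shell
#!/bin/sh
# Added example: first-match evaluation of Squid http_access rules.
# Simplification (assumption): only "acl NAME src IP..." with exact IPs and
# the built-in "all" are understood.

# squid_decision CONF CLIENT_IP -> "<allow|deny> <line number of deciding rule>"
squid_decision() {
  awk -v ip="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 == "acl" && $3 == "src" {
      for (i = 4; i <= NF; i++) if ($i == ip) member[$2] = 1
      next
    }
    $1 == "http_access" {
      last = $2; matched = 1
      for (i = 3; i <= NF; i++) {
        name = $i; negate = 0
        if (substr(name, 1, 1) == "!") { negate = 1; name = substr(name, 2) }
        hit = (name == "all" || (name in member)) ? 1 : 0
        if (hit == negate) matched = 0
      }
      if (matched) { print $2, NR; decided = 1; exit }
    }
    END {
      # No rule matched: Squid applies the opposite of the last rule (deny if none).
      if (!decided) { verdict = (last == "deny") ? "allow" : "deny"; print verdict, 0 }
    }
  ' "$1"
}

# Constructed config with the setting used above on line 59.
open_conf() { printf '%s\n' 'http_access allow all' 'http_access deny all'; }
# Constructed config that only admits one client (hypothetical ACL name labhost).
scoped_conf() {
  printf '%s\n' 'acl labhost src 192.0.2.20' 'http_access allow labhost' 'http_access deny all'
}

dir=$(mktemp -d)
open_conf > "$dir/open.conf"; scoped_conf > "$dir/scoped.conf"
for ip in 192.0.2.20 203.0.113.7; do
  echo "$ip with allow all:     $(squid_decision "$dir/open.conf" "$ip")"
  echo "$ip with scoped access: $(squid_decision "$dir/scoped.conf" "$ip")"
done
rm -rf "$dir"
```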


squid reverse proxy  

On nodeb

dnf install httpd -y  #Install httpd
systemctl start httpd   #Start httpd service
firewall-cmd --add-service=http    #Allow http in the firewall (runtime rule; not permanent without --permanent)
echo > /var/www/html/index.html   #Write the content into /var/www/html/index.html

On nodea

vim /etc/squid/squid.conf  #Add to the main configuration file
   http_port 80 vhost vport
   cache_peer parent 80  0 proxy-only
systemctl restart squid.service    #Restart squid service
firewall-cmd --add-service=http    #Allow http in the firewall (runtime rule; not permanent without --permanent)

  Visit in Firefox



Posted on Thu, 11 Nov 2021 16:21:53 -0500 by mrblom