Chapter III Management and optimization of Apache


1. Role of Apache:
http:// is the prefix normally used when a web site is accessed
http://  ## Hyper Text Transfer Protocol
Software that provides the HTTP (hypertext transfer protocol) service:
  Apache
  nginx
  stgw
  jfe
  Tengine

2. Install Apache
  dnf search Apache            # look up the package
  dnf install httpd.x86_64 -y  # install the service

3. Enabling Apache
  systemctl enable --now httpd                 # start the service and enable it at boot
  firewall-cmd --list-all                      # view firewall information
  firewall-cmd --permanent --add-service=http  # permanently allow HTTP through the firewall
  firewall-cmd --reload                        # reload the firewall so the setting takes effect
  vim /var/www/html/index.html                 # modify the default test page
hello world

  Detection: browse to 172.25.254.117 == the page shows hello world

4. Basic information of Apache:
1) Service name: httpd
2) Configuration files:
  /etc/httpd/conf/httpd.conf  ## main configuration file
  /etc/httpd/conf.d/*.conf    ## sub configuration files
3) Default publishing directory: /var/www/html
4) Default publishing file: index.html
5) Default port: 80  # http   [443 # https]
6) User: apache
7) Logs: /etc/httpd/logs

5. Basic configuration of Apache
1) Apache port modification
  vim /etc/httpd/conf/httpd.conf  # edit Apache's main configuration file
Listen 8080                       # change the default port to 8080 (around line 45)
  systemctl restart httpd         # restart the service
  firewall-cmd --permanent --add-port=8080/tcp  # permanently open the TCP port in the firewall
  firewall-cmd --reload           # reload the firewall

*Detection: http://172.25.254.117:8080 [the previous port 80 can no longer be accessed]

==After this experiment, restore the port number to the default==

2) Default publish file
  cd /var/www/html
  vim test.html
hello test
  vim /etc/httpd/conf/httpd.conf
DirectoryIndex test.html index.html
  systemctl restart httpd

*Detection: http://172.25.254.117 == the display should be hello test


3) Default publishing directory
  mkdir -p /westos/html
  ls -Zd /var/www/html  # view the security context of /var/www/html
  ls -Zd /westos/html   # view the security context of the /westos/html directory
  semanage fcontext -a -t httpd_sys_content_t '/westos/html(/.*)?'  # permanently set the security context of /westos/html
  restorecon -RvvF /westos/html  # apply the new context (do not add a trailing "/", which would relabel the whole filesystem)
  systemctl restart httpd        # restart the service

  vim /westos/html/index.html
/westos/html's page
  vim /etc/httpd/conf/httpd.conf
       * Comment out DocumentRoot "/var/www/html"
DocumentRoot "/westos/html"
<Directory "/westos/html">
    Require all granted
</Directory>
  systemctl restart httpd

*Detection: http://172.25.254.117 == the display should be /westos/html's page

**Restore the environment after the experiment == uncomment DocumentRoot "/var/www/html"
Note: the security context of the newly created /westos/html directory must be changed to match that of /var/www/html, otherwise SELinux stops httpd from reading it and the default Apache welcome page (a whole page of English text) is shown instead

6. Access control of Apache
Experimental materials:
  mkdir /var/www/html/westos
  vim /var/www/html/westos/index.html
/var/www/html/westos page

Detection: visit 172.25.254.117/westos == the page that appears is: /var/www/html/westos page

1) Access control based on client ip
ip whitelist
  vim /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html"
<Directory "/var/www/html/westos">
    # Deny is evaluated first, then Allow, so a matching Allow wins
    Order Deny,Allow
    # only this ip host is allowed to access; be sure to write the ip address of the real host
    Allow from 172.25.254.17
    Deny from all
</Directory>
  systemctl restart httpd

Detection: 172.25.254.117/westos/ == the page that appears is: /var/www/html/westos page

Note: the Order directive decides which list is evaluated first and which one has the final say. When writing the ip, you must write the ip of the real host
ip blacklist
  vim /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html"
<Directory "/var/www/html/westos">
    # Allow is evaluated first, then Deny, so a matching Deny wins
    Order Allow,Deny
    Allow from 172.25.254.17
    # Deny is applied last, so with "Deny from all" no ip can access
    Deny from all
</Directory>
  systemctl restart httpd

##Note: delete the black-and-white list just added after this experiment
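The two Directory blocks above behave very differently even though they contain the same Allow and Deny lines, and the only thing that changes is the Order. The script below is an added example, not part of the original notes: a small POSIX shell evaluator for the Order/Allow/Deny semantics of mod_access_compat, so a block can be checked against a client address before httpd is restarted. It supports the subset of Allow/Deny values used in these notes (all, an exact IPv4 address, or a dotted prefix such as 172.25.254.), and the function names and the second client address 172.25.254.50 are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): evaluates "Order Deny,Allow" /
# "Order Allow,Deny" the way Apache's mod_access_compat does, for the rule
# values used above: "all", an exact IPv4 address, or a dotted prefix.

# ip_matches RULE IP -> exit 0 when RULE covers IP
ip_matches() {
    rule=$1; ip=$2
    case "$rule" in
        all) return 0 ;;
        *.)  case "$ip" in "$rule"*) return 0 ;; esac; return 1 ;;   # prefix such as 172.25.254.
        *)   [ "$rule" = "$ip" ] && return 0; return 1 ;;             # exact address
    esac
}

# list_matches "RULE RULE ..." IP -> exit 0 when any rule in the list covers IP
list_matches() {
    for r in $1; do
        ip_matches "$r" "$2" && return 0
    done
    return 1
}

# access_decision ORDER "ALLOW RULES" "DENY RULES" IP -> prints allow or deny
# Apache semantics: the list named first is evaluated first and the list named
# second overrides it; when nothing matches, Deny,Allow defaults to allow and
# Allow,Deny defaults to deny.
access_decision() {
    order=$1; allow=$2; deny=$3; ip=$4
    case "$order" in
        Deny,Allow)
            result=allow
            list_matches "$deny" "$ip" && result=deny
            list_matches "$allow" "$ip" && result=allow
            ;;
        Allow,Deny)
            result=deny
            list_matches "$allow" "$ip" && result=allow
            list_matches "$deny" "$ip" && result=deny
            ;;
        *) echo "unknown Order: $order" >&2; return 2 ;;
    esac
    echo "$result"
}

# Demo: the whitelist and blacklist blocks from the notes, checked for the
# allowed host and for a second (assumed) client address.
for ip in 172.25.254.17 172.25.254.50; do
    echo "Order Deny,Allow  Allow from 172.25.254.17  Deny from all  client $ip -> $(access_decision Deny,Allow 172.25.254.17 all "$ip")"
    echo "Order Allow,Deny  Allow from 172.25.254.17  Deny from all  client $ip -> $(access_decision Allow,Deny 172.25.254.17 all "$ip")"
done
```

Running the demo shows the result the notes describe: with Order Deny,Allow only 172.25.254.17 is allowed, and with Order Allow,Deny every client is denied because the trailing Deny from all is applied last. On Apache 2.4 the same whitelist is written without Order at all, as Require ip 172.25.254.17 inside the Directory block, which avoids the ordering confusion entirely.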

2) Based on user authentication
  cd /etc/httpd/
  ls
  htpasswd -cm .htauthfile admin  # create the file and add the user admin, password 123
  htpasswd -m .htauthfile lee     # add the user lee, password 123
  cat .htauthfile                 # view the file
  vim /etc/httpd/conf/httpd.conf
<Directory "/var/www/html/westos">
    AuthUserFile /etc/httpd/.htauthfile
    AuthName "Please input username and passwd !!!"
    AuthType Basic
    # Require user lee  -> only the user lee can access; admin is then not accessible
    Require valid-user
</Directory>

  systemctl restart httpd

Note: when the password file (/etc/httpd/.htauthfile here) already exists, do not add the -c parameter when adding users, otherwise the existing contents of the file will be overwritten
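htpasswd -m, as used above, stores apr1 (MD5-based) hashes; htpasswd -B stores bcrypt, which is the stronger option on a current Apache. The script below is an added example and not part of the original notes: it audits an htpasswd-style file and lists the accounts whose hashes are not bcrypt so they can be re-hashed. The sample file written by write_sample_file is constructed for the demo; its user names and hash strings are not real credentials.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an htpasswd file for weak
# hash schemes. Lines have the form "user:hash"; the hash prefix identifies the
# scheme that htpasswd used.

# write_sample_file PATH -> writes a constructed htpasswd file for the demo
# (the hash strings below are placeholders, not real password hashes)
write_sample_file() {
    cat > "$1" <<'EOF'
admin:$apr1$AAAAAAAA$BBBBBBBBBBBBBBBBBBBBBB
lee:$apr1$CCCCCCCC$DDDDDDDDDDDDDDDDDDDDDD
ops:$2y$05$EEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
EOF
}

# hash_type LINE -> prints the scheme of one "user:hash" line
hash_type() {
    hash=${1#*:}
    case "$hash" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;          # htpasswd -B
        '$apr1$'*)               echo apr1-md5 ;;        # htpasswd -m (the default)
        '{SHA}'*)                echo sha1 ;;            # htpasswd -s
        *)                       echo crypt-or-plain ;;  # htpasswd -d / -p
    esac
}

# audit_htpasswd FILE -> prints "user scheme verdict" per entry; returns 1 if any entry is weak
audit_htpasswd() {
    weak=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac      # skip blank and comment lines
        user=${line%%:*}
        scheme=$(hash_type "$line")
        if [ "$scheme" = bcrypt ]; then verdict=ok; else verdict=WEAK; weak=1; fi
        echo "$user $scheme $verdict"
    done < "$1"
    return $weak
}

# weak_users FILE -> prints only the account names that should be re-hashed
weak_users() {
    audit_htpasswd "$1" | awk '$3 == "WEAK" { print $1 }'
}

# Demo on the constructed file
demo=$(mktemp)
write_sample_file "$demo"
audit_htpasswd "$demo" || echo "accounts to re-hash with htpasswd -B: $(weak_users "$demo" | tr '\n' ' ')"
rm -f "$demo"
```

To re-hash an account, run htpasswd -B /etc/httpd/.htauthfile admin without -c, for the same reason the note above gives: -c recreates the file and drops every other user.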

  testing:

7.Apache virtual host
In the real machine:
  vim /etc/hosts  # set client resolution (add in the host where the browser is located)
172.25.254.117 www.westos.org linux.westos.org luck.westos.org

In the virtual machine:
  mkdir -p /var/www/westos.org/linux /var/www/westos.org/luck  # create the storage directories (one per virtual host)
  echo linux > /var/www/westos.org/linux/index.html  # write "linux" into the file
  echo luck > /var/www/westos.org/luck/index.html    # write "luck" into the file; pay attention to the path
  cat /var/www/westos.org/luck/index.html            # view file contents
  cat /var/www/westos.org/linux/index.html
  cd /etc/httpd/conf.d/                              # switch directory
  vim vhost.conf  # note the absolute paths when writing this file
<VirtualHost _default_:80>
    DocumentRoot /var/www/html
    CustomLog logs/default.log combined
</VirtualHost>
<VirtualHost *:80>
    ServerName linux.westos.org
    DocumentRoot /var/www/westos.org/linux
    CustomLog logs/linux.log combined
</VirtualHost>
<VirtualHost *:80>
    ServerName luck.westos.org
    DocumentRoot /var/www/westos.org/luck
    CustomLog logs/luck.log combined
</VirtualHost>
  systemctl restart httpd

 * Check: www.westos.org   == the displayed content is hello world
          linux.westos.org == the displayed content is linux
          luck.westos.org  == the displayed content is luck
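Each virtual host above gets its own CustomLog in the combined format, which is what makes per-site monitoring practical. The script below is an added example, not part of the original notes: it summarises a combined-format log by client address and flags clients that collect many 401/403/404 responses, a cheap signal of password guessing against the protected /westos directory or of probing for files that do not exist. The log lines written by write_sample_log are constructed for the demo, and the threshold of 3 is an assumption.

```shell
#!/bin/sh
# Added example (not from the original notes): per-client summary of an Apache
# "combined" access log such as logs/linux.log, with a simple error-count alarm.
# Combined-format fields: client ident user [date tz] "method path proto" status bytes "referer" "agent"

# write_sample_log PATH -> writes constructed log lines for the demo
write_sample_log() {
    cat > "$1" <<'EOF'
172.25.254.17 - - [05/Nov/2021:09:58:07 +0800] "GET /westos/ HTTP/1.1" 200 27 "-" "Mozilla/5.0"
172.25.254.17 - lee [05/Nov/2021:09:58:20 +0800] "GET /westos/ HTTP/1.1" 200 27 "-" "Mozilla/5.0"
172.25.254.99 - - [05/Nov/2021:10:01:01 +0800] "GET /westos/ HTTP/1.1" 401 381 "-" "curl/7.61.1"
172.25.254.99 - - [05/Nov/2021:10:01:02 +0800] "GET /westos/ HTTP/1.1" 401 381 "-" "curl/7.61.1"
172.25.254.99 - - [05/Nov/2021:10:01:03 +0800] "GET /westos/ HTTP/1.1" 401 381 "-" "curl/7.61.1"
172.25.254.99 - - [05/Nov/2021:10:01:04 +0800] "GET /admin/ HTTP/1.1" 404 196 "-" "curl/7.61.1"
172.25.254.99 - - [05/Nov/2021:10:01:05 +0800] "GET /old/ HTTP/1.1" 404 196 "-" "curl/7.61.1"
EOF
}

# summarise_log FILE -> one line per client: "ip total_requests error_responses",
# sorted with the noisiest client first ($9 is the status code in combined format)
summarise_log() {
    awk '{
        ip = $1; status = $9
        total[ip]++
        if (status == 401 || status == 403 || status == 404) errors[ip]++
    }
    END { for (ip in total) printf "%s %d %d\n", ip, total[ip], errors[ip] + 0 }' "$1" |
    sort -k3,3nr -k1,1
}

# flag_clients FILE THRESHOLD -> prints client addresses with at least THRESHOLD error responses
flag_clients() {
    summarise_log "$1" | awk -v t="$2" '$3 >= t { print $1 }'
}

# Demo on the constructed log
demo=$(mktemp)
write_sample_log "$demo"
echo "client requests errors"
summarise_log "$demo"
echo "clients over the (assumed) threshold of 3 errors: $(flag_clients "$demo" 3)"
rm -f "$demo"
```

On the real server the same functions run over /etc/httpd/logs/linux.log or luck.log; a client that repeatedly receives 401 from /westos/ is guessing the Basic-auth credentials configured in section 6 and is a candidate for a Deny or Require ip rule.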

8.Apache language support
1)php
  cd /var/www/html/
  mkdir /var/www/html/php  # create a php directory; pay attention to the path
  dnf install php -y       # install php
  systemctl restart httpd  # restart the service [you must restart httpd after installation!!!]
  cd php/
  vim index.php            # create a php program; pay attention to the path
<?php
phpinfo();
?>
  systemctl restart httpd

Detection: 172.25.254.117/php/index.php

2)cgi(perl)
  mkdir /var/www/html/cgi  # when creating the cgi directory, be sure to pay attention to the path
  cd /var/www/html/cgi
  vim index.cgi            # write the cgi program
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print `date`;
  perl index.cgi           # run the program to test it
Content-type: text/html

Fri Nov 5 09:58:07 CST 2021
  chmod +x /var/www/html/cgi/index.cgi  # add execute permission
  vim /etc/httpd/conf.d/vhost.conf
# the path must be written correctly
<Directory "/var/www/html/cgi">
    Options +ExecCGI
    AddHandler cgi-script .cgi
    DirectoryIndex index.cgi
</Directory>
  systemctl restart httpd
  semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/html/cgi(/.*)?'  # permanently set the security context of the directory
  restorecon -RvvF /var/www/html/cgi  # apply it

Test: 172.25.254.117/cgi/

3)wsgi(python)
  mkdir /var/www/html/wsgi           # create the storage directory
  vim /var/www/html/wsgi/index.wsgi  # write the wsgi program; the lines must be indented consistently, python is strict about format
# mod_wsgi calls application(environ, start_response); the second parameter is the start_response callback, named westos here
def application(env, westos):
    westos('200 OK', [('Content-Type', 'text/html')])
    return [b'hello westos']
  dnf install python3-mod_wsgi -y    # download and install mod_wsgi
  systemctl restart httpd
  vim /etc/httpd/conf.d/vhost.conf   # add the virtual host
<VirtualHost *:80>
    # server name
    ServerName wsgi.westos.org
    # the path must be written correctly
    WSGIScriptAlias / /var/www/html/wsgi/index.wsgi
</VirtualHost>
  systemctl restart httpd

In the host:
  vim /etc/hosts  # must be done as a super user
172.25.254.117 wsgi.westos.org

Detection: wsgi.westos.org

9. Encrypted access to Apache
  dnf install mod_ssl -y   # install the TLS module
  systemctl restart httpd  # be sure to restart the service after each install
  mkdir /etc/httpd/tls
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout /etc/httpd/tls/www.westos.org.key -x509 -days 365 -out /etc/httpd/tls/www.westos.org.crt
    # generate the private key [must not be shorter than 2048 bits] and a self-signed certificate
    # [x509: certificate format; req: request; -in: load an existing request by name]
  vim /etc/httpd/conf.d/ssl.conf  # edit the configuration [specify the certificate and key file; the paths must be correct]
    # comment out lines 85 and 93, then copy them and change them to:
SSLCertificateFile /etc/httpd/tls/www.westos.org.crt
SSLCertificateKeyFile /etc/httpd/tls/www.westos.org.key
  systemctl restart httpd  # restart the service
  mkdir /var/www/westos.org/login  # create the storage directory
  echo login\'s page > /var/www/westos.org/login/index.html  # write "login's page" into the file
  cat /var/www/westos.org/login/index.html  # view file contents
login's page
  vim /etc/httpd/conf.d/vhost.conf  # add the virtual hosts
<VirtualHost *:80>
    ServerName login.westos.org
    RewriteEngine on
    # ^(/.*)$ matches the requested path; %{HTTP_HOST} is the host the client asked for; $1 is the path captured by the first group
    RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1
</VirtualHost>
# 443 is the port for HTTPS (encrypted hypertext transfer)
<VirtualHost *:443>
    ServerName login.westos.org
    DocumentRoot "/var/www/westos.org/login"
    SSLEngine on
    SSLCertificateFile /etc/httpd/tls/www.westos.org.crt
    SSLCertificateKeyFile /etc/httpd/tls/www.westos.org.key
</VirtualHost>
  systemctl restart httpd

In the host:
  vim /etc/hosts  # must be done as a super user
172.25.254.117 login.westos.org

Detection: visit login.westos.org and it is automatically redirected to the encrypted (https) address
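Before pointing SSLCertificateFile and SSLCertificateKeyFile at the files generated above it is worth checking that the certificate and key actually belong together, that the key is at least 2048 bits as the notes require, and that the certificate is not about to expire; a mismatched pair makes httpd refuse to start. The script below is an added example and not part of the original notes. It takes the certificate and key paths as parameters, and its demo generates a throwaway self-signed pair in a temporary directory using the same openssl req command as the notes, with -subj added so it runs unattended; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity checks for a TLS
# certificate/key pair such as /etc/httpd/tls/www.westos.org.crt and .key.

# make_selfsigned DIR NAME -> writes DIR/NAME.key and DIR/NAME.crt (self-signed, 365 days)
make_selfsigned() {
    openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# pair_matches CRT KEY -> prints match or mismatch
# Compares the SHA-256 of the public key inside the certificate with the
# public key derived from the private key.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    if [ -n "$c" ] && [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

# key_bits KEY -> prints the key size in bits (the notes require at least 2048)
key_bits() {
    openssl pkey -in "$1" -noout -text | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1
}

# cert_valid_for CRT DAYS -> prints valid when the certificate is still valid DAYS from now, else expiring
cert_valid_for() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null; then echo valid; else echo expiring; fi
}

# Demo: generate a pair in a temp directory and run the checks
if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    make_selfsigned "$d" www.westos.org
    echo "pair:      $(pair_matches "$d/www.westos.org.crt" "$d/www.westos.org.key")"
    echo "key bits:  $(key_bits "$d/www.westos.org.key")"
    echo "in 30d:    $(cert_valid_for "$d/www.westos.org.crt" 30)"
    echo "in 400d:   $(cert_valid_for "$d/www.westos.org.crt" 400)"
    rm -rf "$d"
fi
```

On the lab server the same checks are pair_matches /etc/httpd/tls/www.westos.org.crt /etc/httpd/tls/www.westos.org.key and cert_valid_for /etc/httpd/tls/www.westos.org.crt 30; the second one is what a monitoring job should run, since a certificate made with -days 365 silently expires a year after the experiment.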

10.squid

  squid forward proxy

Forward proxy: when a cached page is accessed for the second time, the browser obtains the data directly from the local proxy server instead of requesting it from the original web site again, which saves network bandwidth and improves access speed

Two hosts are required. One host can access the Internet (the squid proxy), the other cannot; the host that cannot access the Internet reaches web pages through the host that can
Experimental result: the single-network-card host cannot access the Internet itself, but its browser can open Internet web pages
Operation:

In nodea, the dual-network-card host: [make sure the software repository has been set up successfully]
  nmcli connection show
  nmcli connection delete Wired\ connection\ 1
  cd /etc/sysconfig/network-scripts/
  vim ifcfg-ens3  # configure the network ip address
DEVICE=ens3
ONBOOT=yes
BOOTPROTO=none
IPADDR=172.25.254.170
NETMASK=255.255.255.0
NAME=ens3
DNS1=114.114.114.114
GATEWAY=172.25.254.70
  nmcli connection reload
  nmcli connection up ens3
  nmcli connection show
  dnf install squid -y       # install squid
  vim /etc/squid/squid.conf  # modify the main configuration file
    # line 59 should read: http_access allow all
    # line 65: uncomment it
  systemctl start squid      # start the squid service
  firewall-cmd --permanent --add-service=squid  # permanently add the squid service to the firewall
  firewall-cmd --reload      # reload the firewall
  firewall-cmd --add-masquerade  # enable address masquerading (NAT)

  In nodeb, the single-network-card host: [be sure to pay attention to the path]
  nmcli connection show
  nmcli connection delete Wired\ connection\ 1
  cd /etc/sysconfig/network-scripts/  # configure the network file
  vim ifcfg-ens3
DEVICE=ens3
ONBOOT=yes
BOOTPROTO=none
IPADDR=172.25.254.200
NETMASK=255.255.255.0
NAME=ens3
  nmcli connection reload
  nmcli connection up ens3
  nmcli connection show
  dnf install firefox -y
  ping www.baidu.com  # ping fails

   Open Firefox and set the proxy to nodea in Firefox's network settings

squid reverse proxy

In nodeb
  dnf install httpd -y     # install a web server
  systemctl start httpd    # start the httpd service
  firewall-cmd --add-service=http  # allow http in the firewall (runtime only; add --permanent to keep it)
  echo 172.25.254.200 > /var/www/html/index.html  # write 172.25.254.200 into the file /var/www/html/index.html

In nodea
  vim /etc/squid/squid.conf  # add to the main configuration file
http_port 80 vhost vport
cache_peer 172.25.254.200 parent 80 0 proxy-only
  systemctl restart squid.service  # restart the squid service
  firewall-cmd --add-service=http  # allow http in the firewall (runtime only; add --permanent to keep it)

  Visit on Firefox
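The http_access allow all line used on line 59 of squid.conf above turns squid into an open proxy: any host that can reach the proxy port can relay traffic through nodea. Squid evaluates http_access lines top-down and the first match wins, and when no line matches the default is the opposite of the last line. The script below is an added example, not part of the original notes: it reads a squid.conf, reports whether unknown clients end up allowed or denied, and writes the restricted form alongside the open one for comparison. Both configuration snippets are constructed for the demo, and the 172.25.254.0/24 local network and the acl name localnet are assumptions taken from the lab addresses.

```shell
#!/bin/sh
# Added example (not from the original notes): classify a squid.conf as an open
# proxy or a restricted one from its http_access rules.

# write_open_conf PATH -> the lab setting: every source is allowed (constructed)
write_open_conf() {
    cat > "$1" <<'EOF'
http_port 3128
http_access allow all
EOF
}

# write_restricted_conf PATH -> the corrected form: allow the lab network, deny the rest (constructed)
write_restricted_conf() {
    cat > "$1" <<'EOF'
http_port 3128
acl localnet src 172.25.254.0/24
http_access allow localnet
http_access deny all
EOF
}

# audit_squid_conf FILE -> prints open-proxy, restricted or no-http-access
# First "http_access <action> all" decides; if none, the default for unmatched
# clients is the opposite of the last http_access action.
audit_squid_conf() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "http_access" {
            last = $2
            if ($3 == "all") { print ($2 == "allow" ? "open-proxy" : "restricted"); found = 1; exit }
        }
        END {
            if (found) exit
            if (last == "") print "no-http-access"
            else print (last == "allow" ? "restricted" : "open-proxy")
        }' "$1"
}

# Demo on the two constructed files
d=$(mktemp -d)
write_open_conf "$d/open.conf"
write_restricted_conf "$d/restricted.conf"
echo "open.conf:       $(audit_squid_conf "$d/open.conf")"
echo "restricted.conf: $(audit_squid_conf "$d/restricted.conf")"
rm -rf "$d"
```

For the lab the restricted form still lets nodeb (172.25.254.200) browse through nodea, because it is inside 172.25.254.0/24, while hosts outside the lab network are refused; run audit_squid_conf /etc/squid/squid.conf on nodea after editing to confirm the result is restricted.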

11 November 2021, 16:21 | Views: 2840
