centos7 httpd配置

centos7 httpd配置

标签（空格分隔）： 未分类

---

隐藏server信息

修改httpd.conf 设置，添加如下两行

ServerSignature Off
ServerTokens Prod

开启长连接

KeepAlive on
KeepAliveTimeout 60      #超时时间
MaxKeepAliveRequests 100   #超时时间内达到100个请求也将断开连接

启用文件压缩配置

在conf.d目录下新建配置文件compress.conf

	SetOutputFilter DEFLATE
    # mod_deflate configuration
	# Restrict compression to these MIME types
	AddOutputFilterByType DEFLATE text/plain
	AddOutputFilterByType DEFLATE text/html
	AddOutputFilterByType DEFLATE application/xhtml+xml
	AddOutputFilterByType DEFLATE text/xml
	AddOutputFilterByType DEFLATE application/xml
	AddOutputFilterByType DEFLATE application/x-javascript
	AddOutputFilterByType DEFLATE text/javascript
	AddOutputFilterByType DEFLATE text/css
	# Level of compression (Highest 9 - Lowest 1)
	DeflateCompressionLevel 9
	# Netscape 4.x has some problems.
	BrowserMatch ^Mozilla/4  gzip-only-text/html
	# Netscape 4.06-4.08 have some more problems
	BrowserMatch  ^Mozilla/4\.0[678]  no-gzip
	# MSIE masquerades as Netscape, but it is fine
	BrowserMatch \bMSI[E]  !no-gzip !gzip-only-text/html

httpd内置状态页面

在conf.d目录下编辑httpd-info.conf

<Location /server-status>
    SetHandler server-status
    require all denied
    Require ip 172.16.138.1
</Location>
extendedstatus on

配置https

安装mod_ssl模块

yum install mod_ssl -y

在conf.d目录下编辑ssl.conf

Listen 443

SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

SSLHonorCipherOrder on 

SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

SSLPassPhraseDialog  builtin

SSLSessionCache        "shmcb:/usr/local/httpd/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>

DocumentRoot "/usr/local/httpd/htdocs"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog "/usr/local/httpd/logs/error_log"
TransferLog "/usr/local/httpd/logs/access_log"

SSLEngine on

SSLCertificateFile "/usr/local/httpd/conf/server.crt"
SSLCertificateKeyFile "/usr/local/httpd/conf/server.key"
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt　　＃购买证书需修改此处配置
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt  ＃自建证书修改配置
#修改上面四行的证书文件路径，

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/httpd/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

配置http强制跳转https

在主配置文件中添加如下字段

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

强制301重定向到https

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R=301,L]
</IfModule>

引用：https://blog.csdn.net/ithomer/article/details/78986266

配置basic访问验证

<Directory "/var/www/html">
 Options Indexes FollowSymLinks  #允许索引，和链接文件
 AllowOverride None
 authtype basic   #认证类型
 authname "test"   #浏览器弹框提示信息
 authuserfile /etc/httpd/.htpass   #认证用户文件
 #authgroupfile /etc/httpd/allow.group  #认证组文件
 #require group test
 require valid-user  #所有userfile文件的用户都可以访问
 #require user user1 user2  #user1 user2 可以访问
</Directory>

htpasswd -m -c /etc/httpd/.htpass tom 添加验证用户   #-c创建用户文件

组文件

mygroup: bob joe anne

配置digest访问验证

<Directory "/var/www/html">
 Options Indexes FollowSymLinks  #允许索引，和链接文件
 AllowOverride None
 authtype digest
 authname "digest test"
 authdigestprovider file
 authuserfile /etc/httpd/.htpass
 require valid-user
</Directory>

 require valid-user  #所有userfile文件的用户都可以访问 

</Directory>

创建用户文件

htdigest -c /etc/httpd/.htpass "digest test" tom #此处引号中内容需要与authname定义内容相同

虚拟主机配置

基于主机名的虚拟主机，在conf.d目录下编辑配置文件vhost-servername.conf

<VirtualHost *:80>
    DocumentRoot "/data/vhost1/"
    <Directory "/data/vhost1">
        <requireall>
                require all granted
        </requireall>
    </Directory>
    ServerName a.test.com

    ServerAlias www.dummy-host.example.com
    ErrorLog "logs/vhost.-error_log"
    CustomLog "logs/vhost-access_log" common
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/data/vhost2"
        <Directory "/data/vhost2">
                <requireall>
                        require all granted
                </requireall>
        </Directory>

    ServerName b.test.com
    ErrorLog "logs/vhost2-error_log"
    CustomLog "logs/vhost2-access_log" common
</VirtualHost>

基于端口的虚拟主机，在conf.d目录下编辑配置文件vhost-port.conf

listen 80
listen 8080
<VirtualHost *:8080>
    DocumentRoot "/data/vhost1/"
    <Directory "/data/vhost1">
        <requireall>
                require all granted
        </requireall>
    </Directory>
    ServerName a.test.com

    ServerAlias www.dummy-host.example.com
    ErrorLog "logs/vhost.-error_log"
    CustomLog "logs/vhost-access_log" common
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/data/vhost2"
        <Directory "/data/vhost2">
                <requireall>
                        require all granted
                </requireall>
        </Directory>

    ServerName b.test.com
    ErrorLog "logs/vhost2-error_log"
    CustomLog "logs/vhost2-access_log" common
</VirtualHost>

基于IP的虚拟主机，在conf.d目录下编辑配置文件vhost-ip.conf

listen 80
<VirtualHost 192.168.0.100:80>
    DocumentRoot "/data/vhost1/"
    <Directory "/data/vhost1">
        <requireall>
                require all granted
        </requireall>
    </Directory>
    ServerName a.test.com

    ServerAlias www.dummy-host.example.com
    ErrorLog "logs/vhost.-error_log"
    CustomLog "logs/vhost-access_log" common
</VirtualHost>
<VirtualHost 192.168.0.200:80>
    DocumentRoot "/data/vhost2"
        <Directory "/data/vhost2">
                <requireall>
                        require all granted
                </requireall>
        </Directory>

    ServerName b.test.com
    ErrorLog "logs/vhost2-error_log"
    CustomLog "logs/vhost2-access_log" common
</VirtualHost>

反向代理

在主配置文件中或者虚拟主机中添加如下字段

ProxyRequests off

#<Proxy />
#    Order deny,allow
#    Allow from all
#</Proxy>
ProxyPass / http://172.16.138.129
ProxyPassReverse / http://172.16.138.129

设置反向代理后端服务器日志记录真实IP地址

在代理服务器配置中添加如下配置

RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 172.16.138.129    #此处地址为后端服务器地址

后端服务器日志格式修改

默认格式为：
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
修改为：
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

参考：https://blog.csdn.net/qq_22227087/article/details/91519602

日志字段说明

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

%h：客户端IP地址；
%l：Remote User, 通常为一个减号（“-”）；
%u：Remote user (from auth; may be bogus if return status (%s) is 401)；非为登录访问时，其为一个减号；
%t：服务器收到请求时的时间；
%r：First line of request，即表示请求报文的首行；记录了此次请求的“方法”，“URL”以及协议版本；
%>s：响应状态码；
%b：响应报文的大小，单位是字节；不包括响应报文的http首部；
%{Referer}i：请求报文中首部“referer”的值；即从哪个页面中的超链接跳转至当前页面的；
%{User-Agent}i：请求报文中首部“User-Agent”的值；即发出请求的应用程序；

在线文档说明

http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats