CentOS 7 httpd configuration
Hide server information
Edit httpd.conf and add the following two lines:
    ServerSignature Off
    ServerTokens Prod
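Enable persistent connections (keep-alive)
    KeepAlive on
    # Timeout
    KeepAliveTimeout 60
    # The connection is also closed once 100 requests have been made within the timeout
    MaxKeepAliveRequests 100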
Enable file compression
Create a new configuration file compress.conf in the conf.d directory:
    SetOutputFilter DEFLATE
    # mod_deflate configuration
    # Restrict compression to these MIME types
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE text/css
    # Level of compression (Highest 9 - Lowest 1)
    DeflateCompressionLevel 9
    # Netscape 4.x has some problems.
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    # Netscape 4.06-4.08 have some more problems
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    # MSIE masquerades as Netscape, but it is fine
    BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
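httpd built-in status page
Edit httpd-info.conf in the conf.d directory:
    <Location /server-status>
        SetHandler server-status
        # Several Require lines in one section are combined as RequireAny,
        # so only 172.16.138.1 is granted access
        require all denied
        Require ip 172.16.138.1
    </Location>
    extendedstatus on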
Configure HTTPS
Install the mod_ssl module:
    yum install mod_ssl -y
Edit ssl.conf in the conf.d directory:
    Listen 443
    SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
    SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on
    SSLProtocol all -SSLv3
    SSLProxyProtocol all -SSLv3
    SSLPassPhraseDialog builtin
    SSLSessionCache "shmcb:/usr/local/httpd/logs/ssl_scache(512000)"
    SSLSessionCacheTimeout 300
    <VirtualHost _default_:443>
        DocumentRoot "/usr/local/httpd/htdocs"
        ServerName www.example.com:443
        ServerAdmin you@example.com
        ErrorLog "/usr/local/httpd/logs/error_log"
        TransferLog "/usr/local/httpd/logs/access_log"
        SSLEngine on
        SSLCertificateFile "/usr/local/httpd/conf/server.crt"
        SSLCertificateKeyFile "/usr/local/httpd/conf/server.key"
        # For a purchased certificate, change this setting
        #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
        # For a self-signed certificate, change this setting
        #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
        # Change the certificate file paths in the four lines above
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/usr/local/httpd/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
Force HTTP to redirect to HTTPS
Add the following to the main configuration file:
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
Force a 301 redirect to HTTPS:
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteBase /
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule (.*) https://%{SERVER_NAME}/$1 [R=301,L]
    </IfModule>
Reference: https://blog.csdn.net/ithomer/article/details/78986266
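Configure basic access authentication
    <Directory "/var/www/html">
        # Allow directory indexes and symlinked files
        Options Indexes FollowSymLinks
        AllowOverride None
        # Authentication type
        authtype basic
        # Prompt text shown in the browser dialog
        authname "test"
        # Authentication user file
        authuserfile /etc/httpd/.htpass
        # Authentication group file
        #authgroupfile /etc/httpd/allow.group
        #require group test
        # Every user in the user file may access
        require valid-user
        # user1 and user2 may access
        #require user user1 user2
    </Directory>
Add an authentication user (-c creates the user file):
    htpasswd -m -c /etc/httpd/.htpass tom
Group file
    mygroup: bob joe anne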
Configure digest access authentication
    <Directory "/var/www/html">
        # Allow directory indexes and symlinked files
        Options Indexes FollowSymLinks
        AllowOverride None
        authtype digest
        authname "digest test"
        authdigestprovider file
        authuserfile /etc/httpd/.htpass
        # Every user in the user file may access
        require valid-user
    </Directory>
Create the user file
    # The quoted string must be identical to the value defined by authname
    htdigest -c /etc/httpd/.htpass "digest test" tom
Virtual host configuration
Name-based virtual hosts: edit the configuration file vhost-servername.conf in the conf.d directory:
    <VirtualHost *:80>
        DocumentRoot "/data/vhost1/"
        <Directory "/data/vhost1">
            <requireall>
                require all granted
            </requireall>
        </Directory>
        ServerName a.test.com
        ServerAlias www.dummy-host.example.com
        ErrorLog "logs/vhost.-error_log"
        CustomLog "logs/vhost-access_log" common
    </VirtualHost>
    <VirtualHost *:80>
        DocumentRoot "/data/vhost2"
        <Directory "/data/vhost2">
            <requireall>
                require all granted
            </requireall>
        </Directory>
        ServerName b.test.com
        ErrorLog "logs/vhost2-error_log"
        CustomLog "logs/vhost2-access_log" common
    </VirtualHost>
Port-based virtual hosts: edit the configuration file vhost-port.conf in the conf.d directory:
    listen 80
    listen 8080
    <VirtualHost *:8080>
        DocumentRoot "/data/vhost1/"
        <Directory "/data/vhost1">
            <requireall>
                require all granted
            </requireall>
        </Directory>
        ServerName a.test.com
        ServerAlias www.dummy-host.example.com
        ErrorLog "logs/vhost.-error_log"
        CustomLog "logs/vhost-access_log" common
    </VirtualHost>
    <VirtualHost *:80>
        DocumentRoot "/data/vhost2"
        <Directory "/data/vhost2">
            <requireall>
                require all granted
            </requireall>
        </Directory>
        ServerName b.test.com
        ErrorLog "logs/vhost2-error_log"
        CustomLog "logs/vhost2-access_log" common
    </VirtualHost>
IP-based virtual hosts: edit the configuration file vhost-ip.conf in the conf.d directory:
    listen 80
    <VirtualHost 192.168.0.100:80>
        DocumentRoot "/data/vhost1/"
        <Directory "/data/vhost1">
            <requireall>
                require all granted
            </requireall>
        </Directory>
        ServerName a.test.com
        ServerAlias www.dummy-host.example.com
        ErrorLog "logs/vhost.-error_log"
        CustomLog "logs/vhost-access_log" common
    </VirtualHost>
    <VirtualHost 192.168.0.200:80>
        DocumentRoot "/data/vhost2"
        <Directory "/data/vhost2">
            <requireall>
                require all granted
            </requireall>
        </Directory>
        ServerName b.test.com
        ErrorLog "logs/vhost2-error_log"
        CustomLog "logs/vhost2-access_log" common
    </VirtualHost>
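Reverse proxy
Add the following to the main configuration file or to a virtual host:
    ProxyRequests off
    #<Proxy />
    #    Order deny,allow
    #    Allow from all
    #</Proxy>
    # The path and the backend URL must both end with a slash
    ProxyPass / http://172.16.138.129/
    ProxyPassReverse / http://172.16.138.129/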
Make the backend server behind the reverse proxy log the real client IP address
Add the following to the proxy server configuration:
    RemoteIPHeader X-Forwarded-For
    # This address is the backend server's address
    RemoteIPTrustedProxy 172.16.138.129
Change the log format on the backend server
The default format is:
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Change it to:
    LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Reference: https://blog.csdn.net/qq_22227087/article/details/91519602
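Log field descriptions
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
%h: client IP address;
%l: Remote User, usually a dash ("-");
%u: Remote user (from auth; may be bogus if return status (%s) is 401); a dash when the access is not a logged-in one;
%t: time at which the server received the request;
%r: First line of request, i.e. the first line of the request message; it records the "method", the "URL" and the protocol version of the request;
%>s: response status code;
%b: size of the response in bytes, not including the HTTP headers of the response;
%{Referer}i: value of the "referer" header in the request, i.e. the page whose hyperlink led to the current page;
%{User-Agent}i: value of the "User-Agent" header in the request, i.e. the application that sent the request;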
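The modified backend LogFormat above writes the raw X-Forwarded-For header, which the client can fill with anything, in front of the fields described here. The following Python code is an added example, not part of the original post: it parses that format and selects the client address by walking from %h through X-Forwarded-For right to left past trusted proxies. The proxy address 172.16.138.128 and the sample log lines are assumptions constructed for the example.

```python
import ipaddress
import re

# Backend format from this page:
# "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
# X-Forwarded-For can hold several comma-separated hops, so it is matched lazily.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(.*?) (\S+) (\S+) (\S+) \[([^\]]+)\] ' + QUOTED +
    r' (\d{3}) (\d+|-) ' + QUOTED + ' ' + QUOTED + '$')
FIELDS = ("xff", "host", "logname", "user", "time", "request",
          "status", "size", "referer", "agent")
# Assumption: the reverse proxy's own address (the page does not give it).
TRUSTED_PROXIES = {ipaddress.ip_address("172.16.138.128")}

def parse_line(line):
    """Split one log line into named fields, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    rec["xff"] = [h.strip() for h in rec["xff"].split(",") if h.strip() not in ("", "-")]
    return rec

def real_client(rec):
    """Return (client, claimed). The first address from the right that is not a
    trusted proxy is the client; entries left of it are unverified client claims."""
    chain = rec["xff"] + [rec["host"]]
    for i in range(len(chain) - 1, -1, -1):
        try:
            addr = ipaddress.ip_address(chain[i])
        except ValueError:
            return None, chain[:i + 1]   # malformed hop: nothing to trust
        if addr not in TRUSTED_PROXIES:
            return str(addr), chain[:i]
    return None, []                      # only trusted proxies in the chain

# Constructed sample lines (not from a real server).
SAMPLES = [
    '203.0.113.7 172.16.138.128 - - [10/Oct/2023:13:55:36 +0800] "GET / HTTP/1.1" 200 2326 "-" "curl/7.29.0"',
    '10.0.0.5, 198.51.100.23 172.16.138.128 - tom [10/Oct/2023:13:55:40 +0800] "GET /a?x=\\"1\\" HTTP/1.1" 200 512 "-" "curl/7.29.0"',
    '10.0.0.5 192.0.2.44 - - [10/Oct/2023:13:56:02 +0800] "GET / HTTP/1.1" 200 2326 "-" "curl/7.29.0"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        client, claimed = real_client(parse_line(line))
        print(f"client={client} unverified_claims={claimed}")
```

In the second sample the proxy appended 198.51.100.23 to a header the client had already set; in the third the request reached the backend without passing through the proxy, so only %h is believed.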
Online documentation
http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats