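HTTPD (Apache) basic introduction
The main httpd configuration file has three parts:
Global Environment: the global section, which mainly defines settings for how httpd itself operates
Main Server Configuration: the main server section, which defines the configuration of the main server; httpd enables the main server by default
Virtual Host: the virtual host section, which defines the configuration of each virtual host
In addition, every file ending in .conf in the conf.d directory of the httpd configuration is also a configuration file; different features can be defined in configuration files in different locations.
Lab environment
Install httpd with yum, configure a default index.html page, then start the service and test it. The system is a minimal install of CentOS 8, with the firewall and SELinux turned off. The host is centos8, with IP address 192.168.32.8.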
[root@centos8 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:a5:39:58 brd ff:ff:ff:ff:ff:ff
inet 192.168.32.8/24 brd 192.168.32.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
[root@centos8 ~]#
[root@centos8 ~]#cat /etc/redhat-release
CentOS Linux release 8.0.1905 (Core)
[root@centos8 ~]#firewall-cmd --state
not running
[root@centos8 ~]#getenforce
Disabled
[root@centos8 ~]#
[root@centos8 ~]#
[root@centos8 ~]#yum list httpd*
Installed Packages
httpd.x86_64 2.4.37-12.module_el8.0.0+185+5908b0db @centos8
httpd-filesystem.noarch 2.4.37-12.module_el8.0.0+185+5908b0db @centos8
httpd-tools.x86_64 2.4.37-12.module_el8.0.0+185+5908b0db @centos8
Available Packages
httpd-devel.x86_64 2.4.37-12.module_el8.0.0+185+5908b0db centos8
httpd-manual.noarch 2.4.37-12.module_el8.0.0+185+5908b0db centos8
[root@centos8 ~]#dnf install httpd -y
[root@centos8 ~]#rpm -qi httpd
Name : httpd
Version : 2.4.37
Release : 12.module_el8.0.0+185+5908b0db
Architecture: x86_64
Install Date: Tue 10 Dec 2019 09:02:53 AM CST
Group : System Environment/Daemons
Size : 5148135
License : ASL 2.0
Signature : RSA/SHA256, Thu 10 Oct 2019 05:33:32 AM CST, Key ID 05b555b38483c65d
Source RPM : httpd-2.4.37-12.module_el8.0.0+185+5908b0db.src.rpm
Build Date : Tue 08 Oct 2019 05:42:59 AM CST
Build Host : x86-01.mbox.centos.org
Relocations : (not relocatable)
Packager : CentOS Buildsys <bugs@centos.org>
Vendor : CentOS
URL : https://httpd.apache.org/
Summary : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
[root@centos8 ~]#
[root@centos8 ~]#echo "This is a HTTPD(apache) test for kaivi" > /var/www/html/index.html
[root@centos8 ~]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@centos8 ~]#systemctl start httpd
[root@centos8 ~]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@centos8 ~]#
[root@centos8 ~]#curl 192.168.32.8
This is a HTTPD(apache) test for kaivi
[root@centos8 ~]#
Check whether the page can be accessed:
1 Specifying the server name
[root@centos8 ~]#httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.32.8. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
#ServerName www.example.com:80
# Specify the server name
ServerName www.likaiandkaivi.org
[root@centos8 ~]#httpd -t # configuration syntax check; if no server name is set it prints the same notice as above
Syntax OK
2 Showing server version information
ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full  # Full is the default
ServerTokens Prod[uctOnly]: Server: Apache
ServerTokens Major: Server: Apache/2
ServerTokens Minor: Server: Apache/2.0
ServerTokens Min[imal]: Server: Apache/2.0.41
ServerTokens OS: Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2
Recommended: ServerTokens Prod
[root@centos8 ~]#curl -I 192.168.32.8
HTTP/1.1 200 OK
Date: Tue, 10 Dec 2019 12:34:26 GMT
Server: Apache/2.4.37 (centos) # by default the Server response header shows the server version information
Last-Modified: Tue, 10 Dec 2019 12:14:51 GMT
ETag: "27-59958758d9495"
Accept-Ranges: bytes
Content-Length: 39
Content-Type: text/html; charset=UTF-8
[root@centos8 ~]#
# Change to ServerTokens Prod
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
[root@centos8 ~]#cat /etc/httpd/conf/httpd.conf |grep ServerTokens
ServerTokens Prod
[root@centos8 ~]#systemctl restart httpd
[root@centos8 ~]#curl -I 192.168.32.8
HTTP/1.1 200 OK
Date: Tue, 10 Dec 2019 12:42:23 GMT
Server: Apache # the Server response header in Prod mode
Last-Modified: Tue, 10 Dec 2019 12:14:51 GMT
ETag: "27-59958758d9495"
Accept-Ranges: bytes
Content-Length: 39
Content-Type: text/html; charset=UTF-8
[root@centos8 ~]#
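To check a server from the outside after changing ServerTokens, the banner can be mapped back to the levels listed above. This is an added example, not part of the original article; the function names and the two sample responses are constructed here from the curl -I outputs shown above.

```shell
#!/bin/sh
# Added example: infer the effective ServerTokens level from response headers.
# Reads headers on stdin, e.g.:  curl -sI http://192.168.32.8/ | server_tokens_level
# Prints: none | Prod | Major | Minor | Min | OS | Full | unknown
server_tokens_level() {
    # Header names are case-insensitive and lines end in CRLF on the wire.
    banner=$(tr -d '\r' | awk 'tolower($0) ~ /^server:/ {
        sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }')
    case $banner in
        '')                   echo none ;;
        Apache)               echo Prod ;;
        Apache/*' ('*') '?*)  echo Full ;;   # product, (OS), then module tokens
        Apache/*' ('*')')     echo OS ;;     # also what Full looks like with no module tokens
        Apache/*.*.*)         echo Min ;;
        Apache/*.*)           echo Minor ;;
        Apache/*)             echo Major ;;
        *)                    echo unknown ;;
    esac
}

# Exit status 0 when the banner reveals anything beyond the product name.
banner_discloses_version() {
    case $(server_tokens_level) in
        none|Prod) return 1 ;;
        *)         return 0 ;;
    esac
}

# Constructed sample responses mirroring the two curl -I outputs above.
sample_default() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.37 (centos)\r\nContent-Length: 39\r\n\r\n'
}
sample_prod() {
    printf 'HTTP/1.1 200 OK\r\nserver: Apache\r\nContent-Length: 39\r\n\r\n'
}

sample_default | server_tokens_level
sample_prod    | server_tokens_level
```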
3 Specifying the service IP address and listening port
The default httpd service port is 80
[root@centos8 ~]#
[root@centos8 ~]#cat /etc/httpd/conf/httpd.conf |grep Listen
# Listen: Allows you to bind Apache to specific IP addresses and/or
# Change this to Listen on specific IP addresses as shown below to
#Listen 12.34.56.78:80
Listen 80
[root@centos8 ~]#
Configure httpd to listen on port 8080:
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
[root@centos8 ~]#cat /etc/httpd/conf/httpd.conf |grep Listen
# Listen: Allows you to bind Apache to specific IP addresses and/or
# Change this to Listen on specific IP addresses as shown below to
#Listen 12.34.56.78:80
#Listen 80
Listen 8080 # set the service port to 8080
[root@centos8 ~]#
[root@centos8 ~]#systemctl reload httpd
[root@centos8 ~]#
[root@centos8 ~]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@centos8 ~]#curl 192.168.32.8
curl: (7) Failed to connect to 192.168.32.8 port 80: Connection refused # access refused
[root@centos8 ~]#curl 192.168.32.8:8080
This is a HTTPD(apache) test for kaivi
[root@centos8 ~]#
Listen on port 8080 of a specific IP address:
[root@centos8 ~]#curl 127.0.0.1:8080
This is a HTTPD(apache) test for kaivi
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
[root@centos8 ~]#cat /etc/httpd/conf/httpd.conf |grep Listen
# Listen: Allows you to bind Apache to specific IP addresses and/or
# Change this to Listen on specific IP addresses as shown below to
#Listen 12.34.56.78:80
#Listen 80
Listen 192.168.32.8:8080 # a specific address and port
[root@centos8 ~]#systemctl restart httpd
[root@centos8 ~]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 192.168.32.8:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@centos8 ~]#curl 127.0.0.1:8080
curl: (7) Failed to connect to 127.0.0.1 port 8080: Connection refused
[root@centos8 ~]#curl 192.168.32.8:8080
This is a HTTPD(apache) test for kaivi
[root@centos8 ~]#
Listen on port 8080 of any IP address:
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
[root@centos8 ~]#cat /etc/httpd/conf/httpd.conf |grep Listen
# Listen: Allows you to bind Apache to specific IP addresses and/or
# Change this to Listen on specific IP addresses as shown below to
#Listen 12.34.56.78:80
#Listen 80
Listen *:8080
[root@centos8 ~]#
[root@centos8 ~]#systemctl restart httpd
[root@centos8 ~]#
[root@centos8 ~]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@centos8 ~]#
[root@centos8 ~]#curl 192.168.32.8:8080
This is a HTTPD(apache) test for kaivi
[root@centos8 ~]#curl 127.0.0.1:8080
This is a HTTPD(apache) test for kaivi
[root@centos8 ~]#curl 0.0.0.0:8080
This is a HTTPD(apache) test for kaivi
[root@centos8 ~]#
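4 Persistent connections
Persistent Connection: after the connection is established it is not closed once each resource has been fetched, but stays open waiting for further requests. Persistent connections are off by default.
Disconnect condition: a time limit, in seconds, 5s by default; httpd-2.4 supports millisecond granularity.
Side effect: on a server with a high volume of concurrent access, persistent connections can leave some requests unanswered.
Compromise: use a short persistent-connection timeout.
Directives for persistent connections:
KeepAlive On|Off
# Keep the connection open for 15s; the value may be given in ms; the default is 5s
KeepAliveTimeout 15
# Maximum number of requests accepted on one persistent connection; the default is 100
MaxKeepAliveRequests 500
Test method: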
telnet WEB_SERVER_IP PORT
GET /URL HTTP/1.1
Host: WEB_SERVER_IP
[root@centos8 ~]#yum install telnet -y # install the telnet test tool
By default the connection is closed as soon as the response to the request has been sent
[root@centos8 ~]#telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
GET / HTTP/1.1
Host:127.0.0.1
HTTP/1.1 200 OK
Date: Tue, 10 Dec 2019 13:24:46 GMT
Server: Apache/2.4.37 (centos)
Last-Modified: Tue, 10 Dec 2019 12:14:51 GMT
ETag: "27-59958758d9495"
Accept-Ranges: bytes
Content-Length: 39
Content-Type: text/html; charset=UTF-8
This is a HTTPD(apache) test for kaivi
Connection closed by foreign host.
Next we change the default timeout, in seconds:
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
[root@centos8 ~]#cat /etc/httpd/conf/httpd.conf|grep Keepalive
Keepalive on
Keepalivetimeout 30 # set the timeout to 30s
[root@centos8 ~]#
[root@centos8 ~]#telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
GET / HTTP/1.1
Host: 127.0.0.1
HTTP/1.1 200 OK
Date: Tue, 10 Dec 2019 13:32:05 GMT
Server: Apache/2.4.37 (centos)
Last-Modified: Tue, 10 Dec 2019 12:14:51 GMT
ETag: "27-59958758d9495"
Accept-Ranges: bytes
Content-Length: 39
Content-Type: text/html; charset=UTF-8
This is a HTTPD(apache) test for kaivi
...... the connection is only closed once the timeout has expired
Connection closed by foreign host.
[root@centos8 ~]#
In special scenarios the timeout can be set in milliseconds by giving the ms unit:
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
[root@centos8 ~]#cat /etc/httpd/conf/httpd.conf|grep Keepalive
Keepalive on
Keepalivetimeout 30000ms
[root@centos8 ~]#
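5 Static and dynamic modules
httpd is made up of static modules and dynamic modules, which are listed with httpd -l and httpd -M respectively
Dynamic Shared Object: dynamic modules are loaded through configuration and take effect without a restart
Path of the dynamic modules: /usr/lib64/httpd/modules/
The main configuration file /etc/httpd/conf/httpd.conf names the configuration files that load modules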
ServerRoot "/etc/httpd"
Include conf.modules.d/*.conf
Format of the directive that loads a module:
LoadModule <mod_name> <mod_path>
The module file path may be relative: relative to ServerRoot (default /etc/httpd)
Example: view the configuration files that load modules
[root@centos8 ~]#ls /etc/httpd/conf.modules.d/
00-base.conf 00-lua.conf 00-optional.conf 00-systemd.conf 10-h2.conf README
00-dav.conf 00-mpm.conf 00-proxy.conf 01-cgi.conf 10-proxy_h2.conf
[root@centos8 ~]#cat /etc/httpd/conf.modules.d/00-base.conf
#
# This file loads most of the modules included with the Apache HTTP
# Server itself.
#
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
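...... (omitted)
List statically compiled modules: httpd -l
List statically compiled and dynamically loaded modules: httpd -M
Example:
# List statically compiled modules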
[root@centos8 ~]#httpd -l
Compiled in modules:
core.c
mod_so.c
http_core.c
# List statically compiled and dynamically loaded modules
[root@centos8 ~]#httpd -M
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
access_compat_module (shared)
actions_module (shared)
alias_module (shared)
allowmethods_module (shared)
...... (omitted)
The loading of dynamic modules is defined in the main httpd configuration file:
[root@centos8 ~]#cat /etc/httpd/conf/httpd.conf |grep modules.d
[root@centos8 ~]#ls -al /etc/httpd/conf.modules.d/
[root@centos8 ~]#ls -al /usr/lib64/httpd/modules/
6 MPM (Multi-Processing Module)
httpd supports three MPM working modes: prefork, worker, event
Check the default MPM on CentOS 8:
[root@centos8 ~]#cat /etc/httpd/conf.modules.d/00-mpm.conf |grep mpm
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
LoadModule mpm_event_module modules/mod_mpm_event.so
[root@centos8 ~]#
This shows that the default MPM module is event
[root@centos8 ~]#ps aux|grep httpd
root 6459 0.0 0.5 271684 10720 ? Ss 21:24 0:00 /usr/sbin/httpd -DFOREGROUND
apache 6771 0.0 0.3 286364 8016 ? S 21:31 0:00 /usr/sbin/httpd -DFOREGROUND
apache 6772 0.0 0.6 1933708 13580 ? Sl 21:31 0:00 /usr/sbin/httpd -DFOREGROUND
apache 6773 0.0 0.5 1802572 11528 ? Sl 21:31 0:00 /usr/sbin/httpd -DFOREGROUND
apache 6774 0.0 0.6 1802572 13824 ? Sl 21:31 0:00 /usr/sbin/httpd -DFOREGROUND
apache 6991 0.0 0.7 1802572 15608 ? Sl 21:32 0:00 /usr/sbin/httpd -DFOREGROUND
root 7459 0.0 0.0 12112 1092 pts/0 S+ 22:01 0:00 grep --color=auto httpd
[root@centos8 ~]#pstree -p 6459
httpd(6459)─┬─httpd(6771)
├─httpd(6772)─┬─{httpd}(6775)
│ ├─{httpd}(6776)
│ ├─{httpd}(6777)
│ ├─{httpd}(6778)
│ ├─{httpd}(6779)
...... (omitted)
Change the MPM working mode on CentOS 8 to mod_mpm_worker.so
[root@centos8 ~]#vim /etc/httpd/conf.modules.d/00-mpm.conf
[root@centos8 ~]#cat /etc/httpd/conf.modules.d/00-mpm.conf |grep mpm
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule mpm_worker_module modules/mod_mpm_worker.so
#LoadModule mpm_event_module modules/mod_mpm_event.so
[root@centos8 ~]#systemctl restart httpd
[root@centos8 ~]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@centos8 ~]#ps aux|grep httpd
root 7608 0.1 0.5 271656 10560 ? Ss 22:10 0:00 /usr/sbin/httpd -DFOREGROUND
apache 7609 0.0 0.4 285996 8084 ? S 22:10 0:00 /usr/sbin/httpd -DFOREGROUND
apache 7610 0.0 0.5 1802552 11468 ? Sl 22:10 0:00 /usr/sbin/httpd -DFOREGROUND
apache 7611 0.0 0.6 1933680 13516 ? Sl 22:10 0:00 /usr/sbin/httpd -DFOREGROUND
apache 7612 0.0 0.7 1802552 15548 ? Sl 22:10 0:00 /usr/sbin/httpd -DFOREGROUND
root 7826 0.0 0.0 12112 1096 pts/0 S+ 22:10 0:00 grep --color=auto httpd
[root@centos8 ~]#pstree -p 7608
httpd(7608)─┬─httpd(7609)
├─httpd(7610)─┬─{httpd}(7686)
│ ├─{httpd}(7695)
│ ├─{httpd}(7696)
│ ├─{httpd}(7697)
│ ├─{httpd}(7698)
│ ├─{httpd}(7699)
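...... (omitted)
Extension: CentOS 7
On CentOS 8 the process attributes of prefork mode are already built into the module, so this experiment is done on CentOS 7 in the same environment
Check the default MPM on CentOS 7: mod_mpm_prefork.so is the default module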
[root@centos7 ~]#systemctl start httpd
[root@centos7 ~]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
[root@centos7 ~]#cat /etc/httpd/conf.modules.d/00-mpm.conf |grep mpm
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
#LoadModule mpm_event_module modules/mod_mpm_event.so
[root@centos7 ~]#
[root@centos7 ~]#ps aux|grep httpd
root 9257 0.0 0.2 230408 5168 ? Ss 22:03 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9266 0.0 0.1 230408 3012 ? S 22:03 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9267 0.0 0.1 230408 3012 ? S 22:03 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9268 0.0 0.1 230408 3012 ? S 22:03 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9269 0.0 0.1 230408 3012 ? S 22:03 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9270 0.0 0.1 230408 3012 ? S 22:03 0:00 /usr/sbin/httpd -DFOREGROUND
root 9286 0.0 0.0 112708 976 pts/0 S+ 22:06 0:00 grep --color=auto httpd
[root@centos7 ~]#pstree -p 9257
httpd(9257)─┬─httpd(9266)
├─httpd(9267)
├─httpd(9268)
├─httpd(9269)
└─httpd(9270)
[root@centos7 ~]#
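Default prefork mode
Configuring the process attributes of httpd in prefork mode
Configuration related to prefork mode
/etc/httpd/conf.d/mpm.conf
# Number of processes started initially
StartServers 2000
# Minimum number of idle processes
MinSpareServers 2000
# Idle processes kept when there are no visitors
MaxSpareServers 2000
# Maximum number of processes; the highest allowed value is 20000
ServerLimit 2560
# Maximum number of concurrent connections; the default is 256
MaxRequestWorkers 2560
# Maximum number of requests a child process may handle. After handling MaxRequestsPerChild
# requests the child process is terminated by the parent process, which releases the
# memory the child held (0 means it is never released)
MaxConnectionsPerChild 4000
# Replaced by MaxConnectionsPerChild since httpd 2.3.9
MaxRequestsPerChild 4000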
[root@centos7 ~]#cat /etc/httpd/conf.modules.d/00-mpm.conf |grep mpm
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
#LoadModule mpm_event_module modules/mod_mpm_event.so
[root@centos7 ~]#ps aux|grep httpd
root 9257 0.0 0.2 230408 5168 ? Ss 22:03 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9266 0.0 0.1 230408 3012 ? S 22:03 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9267 0.0 0.1 230408 3012 ? S 22:03 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9268 0.0 0.1 230408 3012 ? S 22:03 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9269 0.0 0.1 230408 3012 ? S 22:03 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9270 0.0 0.1 230408 3012 ? S 22:03 0:00 /usr/sbin/httpd -DFOREGROUND
root 9286 0.0 0.0 112708 976 pts/0 S+ 22:06 0:00 grep --color=auto httpd
[root@centos7 ~]#pstree -p 9257
httpd(9257)─┬─httpd(9266)
├─httpd(9267)
├─httpd(9268)
├─httpd(9269)
└─httpd(9270)
[root@centos7 ~]#vim /etc/httpd/conf.d/mpm.conf
[root@centos7 ~]#cat /etc/httpd/conf.d/mpm.conf
StartServers 10
MinSpareServers 5
MaxSpareServers 20
ServerLimit 2560
Maxclients 1000
MaxRequestsPerChild 4000
[root@centos7 ~]#
[root@centos7 ~]#systemctl restart httpd
[root@centos7 ~]#
[root@centos7 ~]#ps aux |grep httpd
root 9331 0.1 0.3 231048 5820 ? Ss 22:21 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9333 0.0 0.1 231048 3032 ? S 22:21 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9334 0.0 0.1 231048 3032 ? S 22:21 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9335 0.0 0.1 231048 3032 ? S 22:21 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9336 0.0 0.1 231048 3032 ? S 22:21 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9337 0.0 0.1 231048 3032 ? S 22:21 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9338 0.0 0.1 231048 3032 ? S 22:21 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9339 0.0 0.1 231048 3032 ? S 22:21 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9340 0.0 0.1 231048 3032 ? S 22:21 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9341 0.0 0.1 231048 3032 ? S 22:21 0:00 /usr/sbin/httpd -DFOREGROUND
apache 9342 0.0 0.1 231048 3032 ? S 22:21 0:00 /usr/sbin/httpd -DFOREGROUND
root 9344 0.0 0.0 112708 976 pts/0 S+ 22:21 0:00 grep --color=auto httpd
[root@centos7 ~]#ps aux | grep httpd | wc -l
12
Test with ab:
[root@centos7 ~]#ab -c 1000 -n 100000 http://127.0.0.1/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking 127.0.0.1 (be patient)
Completed 10000 requests
Completed 20000 requests
Completed 30000 requests
Completed 40000 requests
Completed 50000 requests
Completed 60000 requests
Completed 70000 requests
Completed 80000 requests
Completed 90000 requests
Completed 100000 requests
Finished 100000 requests
Server Software: Apache/2.4.6
Server Hostname: 127.0.0.1
Server Port: 80
Document Path: /
Document Length: 4897 bytes
Concurrency Level: 1000
Time taken for tests: 28.766 seconds
Complete requests: 100000
Failed requests: 114
(Connect: 0, Receive: 0, Length: 114, Exceptions: 0)
Write errors: 0
Non-2xx responses: 99886
Total transferred: 516210848 bytes
HTML transferred: 489141742 bytes
Requests per second: 3476.29 [#/sec] (mean)
Time per request: 287.663 [ms] (mean)
Time per request: 0.288 [ms] (mean, across all concurrent requests)
Transfer rate: 17524.39 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 43 197.3 2 3009
Processing: 0 52 712.4 11 21025
Waiting: 0 27 75.5 9 1877
Total: 0 95 738.4 14 21025
Percentage of the requests served within a certain time (ms)
50% 14
66% 17
75% 20
80% 23
90% 203
95% 409
98% 1022
99% 1032
100% 21025 (longest request)
[root@centos7 ~]#ps aux | grep http | wc -l
507
[root@centos7 ~]#ps aux | grep http | wc -l
500
[root@centos7 ~]#ps aux | grep http | wc -l
497
Check the number of processes again after a while:
[root@centos7 ~]#ps aux | grep http | wc -l
213
[root@centos7 ~]#
The number of idle workers slowly decreases.
[root@centos7 ~]#ps aux |grep http | wc -l
22
[root@centos7 ~]#
Using worker mode
[root@centos7 ~]#vim /etc/httpd/conf.modules.d/00-mpm.conf
[root@centos7 ~]#cat /etc/httpd/conf.modules.d/00-mpm.conf |grep mpm
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule mpm_worker_module modules/mod_mpm_worker.so
#LoadModule mpm_event_module modules/mod_mpm_event.so
[root@centos7 ~]#
[root@centos7 ~]#systemctl restart httpd
[root@centos7 ~]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
[root@centos7 ~]#ps -aux |grep httpd
root 10490 0.0 0.2 230620 5392 ? Ss 08:38 0:00 /usr/sbin/httpd -DFOREGROUND
apache 10491 0.0 0.1 230368 2992 ? S 08:38 0:00 /usr/sbin/httpd -DFOREGROUND
apache 10492 0.0 0.2 517448 5540 ? Sl 08:38 0:00 /usr/sbin/httpd -DFOREGROUND
apache 10493 0.0 0.2 517448 5540 ? Sl 08:38 0:00 /usr/sbin/httpd -DFOREGROUND
apache 10494 0.0 0.2 582984 5544 ? Sl 08:38 0:00 /usr/sbin/httpd -DFOREGROUND
root 10580 0.0 0.0 112708 976 pts/3 S+ 08:39 0:00 grep --color=auto httpd
[root@centos7 ~]#
[root@centos7 ~]#pstree -p 10490
httpd(10490)─┬─httpd(10491)
├─httpd(10492)─┬─{httpd}(10525)
│ ├─{httpd}(10526)
...... (partially omitted)
│ ├─{httpd}(10555)
│ └─{httpd}(10556)
├─httpd(10493)─┬─{httpd}(10497)
│ ├─{httpd}(10498)
│ ├─{httpd}(10499)
...... (partially omitted)
│ ├─{httpd}(10534)
│ └─{httpd}(10535)
└─httpd(10494)─┬─{httpd}(10504)
├─{httpd}(10505)
...... (partially omitted)
├─{httpd}(10574)
└─{httpd}(10575)
[root@centos7 ~]#
Using event mode
[root@centos7 ~]#vim /etc/httpd/conf.modules.d/00-mpm.conf
[root@centos7 ~]#cat /etc/httpd/conf.modules.d/00-mpm.conf |grep mpm
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
LoadModule mpm_event_module modules/mod_mpm_event.so
[root@centos7 ~]#systemctl restart httpd
[root@centos7 ~]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
[root@centos7 ~]#ps -aux |grep httpd
root 10599 0.2 0.2 230632 5400 ? Ss 08:41 0:00 /usr/sbin/httpd -DFOREGROUND
apache 10600 0.0 0.1 230380 2992 ? S 08:41 0:00 /usr/sbin/httpd -DFOREGROUND
apache 10601 0.0 0.2 517460 5556 ? Sl 08:41 0:00 /usr/sbin/httpd -DFOREGROUND
apache 10602 0.0 0.2 517460 5556 ? Sl 08:41 0:00 /usr/sbin/httpd -DFOREGROUND
apache 10603 0.0 0.2 517460 5564 ? Sl 08:41 0:00 /usr/sbin/httpd -DFOREGROUND
root 10689 0.0 0.0 112708 976 pts/3 S+ 08:41 0:00 grep --color=auto httpd
[root@centos7 ~]#pstree -p 10599
httpd(10599)─┬─httpd(10600)
├─httpd(10601)─┬─{httpd}(10632)
│ ├─{httpd}(10633)
...... (partially omitted)
│ └─{httpd}(10658)
├─httpd(10602)─┬─{httpd}(10606)
│ ├─{httpd}(10607)
...... (partially omitted)
│ └─{httpd}(10631)
└─httpd(10603)─┬─{httpd}(10659)
├─{httpd}(10660)
├─{httpd}(10661)
...... (partially omitted)
├─{httpd}(10683)
└─{httpd}(10684)
[root@centos7 ~]#
Configuration related to worker and event modes
ServerLimit 16
StartServers 2
MaxRequestWorkers 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
7 Defining the document path of the Main server
DocumentRoot "/path"
<directory /path>
Require all granted
</directory>
Notes:
The path DocumentRoot points to is where URL paths start
/path must be explicitly authorized before it can be accessed
Example:
DocumentRoot "/data/html"
<directory /data/html>
Require all granted
</directory>
http://HOST:PORT/test/index.html --> /data/html/test/index.html
Defining the site's index page
[root@centos8 ~]#httpd -M |grep dir
dir_module (shared)
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
Set the system path where httpd stores its file resources, and the default index page:
[root@centos8 ~]#
[root@centos8 ~]#cat /var/www/html/index.html
This is a HTTPD(apache) test for kaivi
[root@centos8 ~]#echo "This is a HTTPD(apache) test for default PATH !" > /var/www/html/index.html
[root@centos8 ~]#cat /var/www/html/index.html
This is a HTTPD(apache) test for default PATH !
[root@centos8 ~]#systemctl restart httpd
[root@centos8 ~]#curl 192.168.32.8
This is a HTTPD(apache) test for default PATH !
[root@centos8 ~]#
The index page above is stored under /var/www/html. Next we change the default resource path to /data/html
[root@centos8 ~]#mkdir /data/html
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
# Default path, commented out
#DocumentRoot "/var/www/html"
# New path for the site's resources
DocumentRoot "/data/html"
#<Directory "/var/www/">
# Grant access to the new path
<Directory "/data/html">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
[root@centos8 ~]#systemctl restart httpd
[root@centos8 ~]#cat /var/www/html/index.html
This is a HTTPD(apache) test for default PATH !
[root@centos8 ~]#curl 192.168.32.8
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.<br />
</p>
<p>Additionally, a 403 Forbidden
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
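Access to the page is denied above because, first, the default path has been changed and, second, the access authorization for the directory has been changed.
Next, create two files with different extensions under /data/html/.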
[root@centos8 ~]#vim /data/html/index.html
[root@centos8 ~]#vim /data/html/index.txt
[root@centos8 ~]#ll /data/html/
total 8
-rw-r--r-- 1 root root 72 Dec 11 09:43 index.html
-rw-r--r-- 1 root root 18 Dec 11 09:30 index.txt
[root@centos8 ~]#cat /data/html/index.html
This is a HTTPD(apache) test for Path priority testing!优先级测试
[root@centos8 ~]#cat /data/html/index.txt
likai and duanxin
[root@centos8 ~]#
[root@centos8 ~]#curl 192.168.32.8 # index.html is served first
This is a HTTPD(apache) test for Path priority testing!优先级测试
[root@centos8 ~]#
Change the configuration and add index.txt in front of it, with higher priority
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
<IfModule dir_module>
DirectoryIndex index.txt index.html
# DirectoryIndex index.html
</IfModule>
[root@centos8 ~]#systemctl restart httpd
[root@centos8 ~]#curl 192.168.32.8 # the access priority has changed
likai and duanxin
[root@centos8 ~]#
Now we delete the index.html and index.txt pages; httpd still responds with a default html page:
[root@centos8 ~]#rm -rf /data/html/index.*
[root@centos8 ~]#curl 192.168.32.8
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.<br />
</p>
<p>Additionally, a 403 Forbidden
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
[root@centos8 ~]#
This is caused by a default configuration file:
[root@centos8 ~]#cat /etc/httpd/conf.d/welcome.conf
# This configuration file enables the default "Welcome" page if there
# is no default index page present for the root URL. To disable the
# Welcome page, comment out all the lines below.
# NOTE: if this file is removed, it will be restored on upgrades.
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /.noindex.html
</LocationMatch>
<Directory /usr/share/httpd/noindex>
AllowOverride None
Require all granted
</Directory>
Alias /.noindex.html /usr/share/httpd/noindex/index.html
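The configuration above shows that when a request to the server results in HTTP error code 403, the /.noindex.html page is used to answer the request.
Next we rename the configuration file so that it no longer takes effect: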
[root@centos8 ~]#mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.bak
[root@centos8 ~]#systemctl restart httpd
Now we access the server directly and get an HTTP 404 error message
[root@centos8 ~]#curl -I 127.0.0.1
HTTP/1.1 403 Forbidden
Date: Wed, 11 Dec 2019 02:16:24 GMT
Server: Apache/2.4.37 (centos)
Content-Type: text/html; charset=iso-8859-1
[root@centos8 ~]#curl -I 127.0.0.1/index.html
HTTP/1.1 404 Not Found
Date: Wed, 11 Dec 2019 02:16:58 GMT
Server: Apache/2.4.37 (centos)
Content-Type: text/html; charset=iso-8859-1
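8 Resources that access control can be applied to
Access control can be applied to file-system resources and to URI resources
The URL here is not the whole URL, only a part of it: /
File-system paths:
# By directory
<Directory "/path">
...
</Directory>
# By file
<Files "/path/file">
...
</Files>
# By file wildcard
<Files "/path/*file*">
...
</Files>
# By regular expression
<FilesMatch "regex">
...
</FilesMatch>
Example:
<FilesMatch ".+\.(gif|jpe?g|png)$">
# ...
</FilesMatch>
<FilesMatch "\.(gif|jpe?g|png)$">
# Wildcard
<Files "?at.*">
# Forbid opening .ht* files directly, e.g. the .htaccess file
<Files ".ht*">
Require all denied
</Files>
URL paths: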
<Location "URL">
...
</Location>
<LocationMatch "regex">
...
</LocationMatch>
Example:
# Matches /private1, /private1/ and /private1/file.txt
# Does not match /private1other
<Location "/private1">
# ... (note the slash)
</Location>
# Matches /private2/ and /private2/file.txt
# Does not match /private2 or /private2other
<Location "/private2/">
# ...
</Location>
Example:
<Location /status>
<LocationMatch "/(extra|special)/data">
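9 Access control for directories
(1) The Options directive:
Followed by a list of one or more options separated by whitespace; a + or - in front of an option adds or removes that option
Common options:
Indexes: when the requested URL path contains no resource matching the defined index page, return an index listing to the user
FollowSymLinks: allow access to the source file that a symbolic link points to
None: disable everything
All: allow everything
Prepare the test files: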
[root@centos8 ~]#cd /var/www/html/
[root@centos8 html]#ll
total 8
-rw-r--r-- 1 root root 28 Dec 11 10:37 f1.txt
-rw-r--r-- 1 root root 48 Dec 11 09:15 index.html
[root@centos8 html]#mkdir dir
[root@centos8 html]#cd dir/
[root@centos8 dir]#cp /etc/fstab ./f1.txt
[root@centos8 dir]#cp /etc/issue ./f2.txt
[root@centos8 dir]#ll
total 8
-rw-r--r-- 1 root root 709 Dec 11 10:47 f1.txt
-rw-r--r-- 1 root root 23 Dec 11 10:48 f2.txt
[root@centos8 dir]#cd ../
[root@centos8 html]#cat f1.txt
Options Instructions Test !
[root@centos8 html]#cat index.html
This is a HTTPD(apache) test for default PATH !
[root@centos8 html]#
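View the dir folder in a browser:
Note: (the content below is shown only because the dir directory has no index.html file; if there is an index.html file, the server goes to index.html by default)
This is not secure, because without an index.html file the other contents of the directory are displayed. So the configuration has to be changed.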
[root@centos8 html]#cd
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
<directory /var/www/html/dir>
# The - sign removes this option
options -Indexes
</directory>
[root@centos8 ~]#systemctl restart httpd
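Refresh the page and view the dir folder again:
Create a symbolic link: put a symlink to /etc in /var/www/html/dir/, and at the same time turn off the options -Indexes setting above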
[root@centos8 ~]#cd /var/www/html/dir/
[root@centos8 dir]#ln -s /etc/ etc_dir
[root@centos8 dir]#ls
etc_dir f1.txt f2.txt
[root@centos8 dir]#vim /etc/httpd/conf/httpd.conf
<directory /var/www/html/dir>
#options -Indexes # commented out
</directory>
[root@centos8 dir]#systemctl restart httpd
[root@centos8 dir]#
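View the dir folder in a browser:
The contents of the directory the symlink points to can be accessed. This also creates a serious security risk.
Change the configuration as follows: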
[root@centos8 dir]#vim /etc/httpd/conf/httpd.conf
<directory /var/www/html/dir>
#options -Indexes
# Remove the symlink-following option
options -FollowSymLinks
</directory>
[root@centos8 dir]#systemctl restart httpd
[root@centos8 dir]#
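View the dir folder in a browser:
The symlinked folder is now hidden and no longer displayed
This can also be set for a single file. When experimenting, disable welcome.conf, otherwise the default page pops up
The main configuration file also contains Options Indexes FollowSymLinks, which is the default. To disable an option, it must be explicitly removed with a "-" sign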
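The exposure shown above (a symlink to /etc inside the document root) can also be audited from the file-system side. The following added example, which is not part of the original article, lists symlinks under a document root that resolve outside it; the function names and the temporary demo tree are constructed here, and `readlink -f` from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example: list symlinks under a document root whose resolved target
# lies outside that root, i.e. what Options FollowSymLinks would expose.
# Usage: find_escaping_symlinks /var/www/html
# Prints one "LINK -> TARGET" line per escaping symlink.
find_escaping_symlinks() {
    # Resolve the root itself first so the prefix comparison is reliable.
    root=$(readlink -f "$1") || return 2
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link") || continue
        case $target in
            "$root"|"$root"/*) ;;                          # stays inside the root
            *) printf '%s -> %s\n' "$link" "$target" ;;    # escapes the root
        esac
    done
}

# Constructed demo tree: "outside" stands in for /etc in the article.
make_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/html/dir" "$base/outside"
    echo data > "$base/html/dir/f1.txt"
    ln -s "$base/outside" "$base/html/dir/etc_dir"   # points out of the root
    ln -s f1.txt "$base/html/dir/f1_link"            # stays inside the root
    echo "$base"
}

demo=$(make_demo_tree)
find_escaping_symlinks "$demo/html"
rm -rf "$demo"
```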
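(2) The AllowOverride directive
The AllowOverride directive specifies which access-control-related directives may be placed in the .htaccess file (named by the AccessFileName directive; AccessFileName .htaccess is the default) in a given directory to override earlier configuration directives; it only takes effect for statements
Create a .htaccess file directly in the corresponding directory
Common usage:
AllowOverride All: all directives in .htaccess take effect
AllowOverride None: .htaccess files are ignored; this is the default since httpd 2.3.9
AllowOverride AuthConfig: in .htaccess files, no directives other than AuthConfig take effect; this names the exact directives allowed
Example: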
vim /etc/httpd/conf/httpd.conf
#Options Indexes FollowSymLinks
Options Indexes
#AllowOverride None
# Comment out the previous line and use this line instead
AllowOverride options=FollowSymLinks,indexes
[root@centos8 ~]#vim /var/www/html/dir1/.htaccess
# Add this line
Options FollowSymLinks indexes
[root@centos8 ~]#ln -s /app /var/www/html/dir1/applink
[root@centos8 ~]#systemctl restart httpd
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf # comment out all of the earlier configuration
#<directory /var/www/html/dir>
#options -Indexes
#options -FollowSymLinks
#</directory>
[root@centos8 ~]#cd /var/www/html/dir/
[root@centos8 dir]#pwd
/var/www/html/dir
[root@centos8 dir]#vim .htaccess
[root@centos8 dir]#
[root@centos8 dir]#cat .htaccess
Options -FollowSymLinks # remove the symlink-following option
Add the following directives to the main httpd configuration file
[root@centos8 dir]#cd
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
<directory /var/www/html/dir>
# Allow directives in .htaccess to override directives in the main configuration file
AllowOverride All
</directory>
[root@centos8 ~]#systemctl restart httpd
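Comparing the page before and after:
After refreshing, the symlinked directory is hidden
Likewise, to stop the directory listing from being shown as well, remove Indexes in the .htaccess file: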
[root@centos8 ~]#cd
[root@centos8 ~]#vim /var/www/html/dir/.htaccess
[root@centos8 ~]#cat /var/www/html/dir/.htaccess
Options -FollowSymLinks -indexes
[root@centos8 ~]#systemctl restart httpd
[root@centos8 ~]#
Extension: the risk of the .htaccess file. This file sits in the data directory; is there a risk of it being opened directly?
[root@centos8 ~]#grep -A 5 "prevent .htaccess" /etc/httpd/conf/httpd.conf
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
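Because the main configuration file denies all access to these files, this is relatively safe
10 Access control based on client IP address
For any resource, access control can be based on either of the following:
Client source address
User account
Access control based on the client's IP address:
Directories without explicit authorization are denied by default
Allow access from all hosts: Require all granted
Deny access from all hosts: Require all denied
Control access from a specific IP: Require ip IPADDR authorizes access from the given source IP; Require not ip IPADDR denies access from the given IP
Control access from a specific host: Require host HOSTNAME authorizes access from the given host; Require not host HOSTNAME denies it. HOSTNAME can be an FQDN (one specific host) or domain.tld (all hosts under that domain)
No rule may fail and at least one must match successfully for access to succeed, i.e. failure takes precedence (like a blacklist)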
<RequireAll>
Require all granted
# Deny a specific IP
Require not ip 172.16.1.1
</RequireAll>
If any one of several statements succeeds, access succeeds, i.e. success takes precedence (like a whitelist)
<RequireAny>
Require all denied
# Allow a specific IP
require ip 172.16.1.1
</RequireAny>
A specific network segment can also be given:
<directory /var/www/html/dir>
<requireany>
require all denied
Require ip 192.168.39.0/24
</requireany>
</directory>
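A small model of the two containers described above, as an added example that is not part of the original article and is not httpd code: `authorize`, `rule_result` and `ip_matches` are names made up here, and only the `all granted`, `all denied`, `ip` and `not ip` rule forms from this page are handled (IPv4 only).

```shell
#!/bin/sh
# Added example: model how <RequireAll> / <RequireAny> combine Require rules.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# ip_matches CLIENT SPEC -> exit 0 if CLIENT equals SPEC or lies in SPEC (a.b.c.d/len)
ip_matches() {
    client=$(ip_to_int "$1")
    case $2 in
        */*) net=$(ip_to_int "${2%/*}"); len=${2#*/} ;;
        *)   net=$(ip_to_int "$2");      len=32 ;;
    esac
    if [ "$len" -eq 0 ]; then return 0; fi
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( client & mask )) -eq $(( net & mask )) ]
}

# rule_result CLIENT RULE -> prints granted | denied | neutral
rule_result() {
    case $2 in
        "all granted") echo granted ;;
        "all denied")  echo denied ;;
        "ip "*)
            if ip_matches "$1" "${2#ip }"; then echo granted; else echo denied; fi ;;
        "not ip "*)
            # A negated rule can veto a request but never grants one by itself.
            if ip_matches "$1" "${2#not ip }"; then echo denied; else echo neutral; fi ;;
        *) echo neutral ;;
    esac
}

# authorize MODE CLIENT RULE... -> prints granted or denied
# MODE is "all" (<RequireAll>: nothing may fail, something must succeed)
# or "any" (<RequireAny>: one success is enough).
authorize() {
    mode=$1; who=$2; shift 2
    granted=0; denied=0
    for rule in "$@"; do
        case $(rule_result "$who" "$rule") in
            granted) granted=$((granted + 1)) ;;
            denied)  denied=$((denied + 1)) ;;
        esac
    done
    if [ "$mode" = all ] && [ "$denied" -gt 0 ]; then
        echo denied
    elif [ "$granted" -gt 0 ]; then
        echo granted
    else
        echo denied
    fi
}

# Constructed checks using the addresses from the configurations above.
authorize all 172.16.1.1     "all granted" "not ip 172.16.1.1"
authorize any 172.16.1.1     "all denied"  "ip 172.16.1.1"
authorize any 192.168.39.200 "all denied"  "ip 192.168.39.0/24"
```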
The Require all granted configured earlier allows any client to access
<Directory "/var/www/html/dir">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
Allow only a specific host to access; here the specific host is 192.168.32.7
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
<Directory "/var/www/html/dir">
AllowOverride None
# Allow open access:
# Require all granted
<Requireany>
Require all denied
# Allow only the specific host to access
Require ip 192.168.32.7
</Requireany>
</Directory>
[root@centos8 ~]#systemctl restart httpd
[root@centos8 ~]#curl 192.168.32.8/dir/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /dir/
on this server.<br />
</p>
</body></html>
[root@centos8 ~]#curl 127.0.0.1/dir/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /dir/
on this server.<br />
</p>
</body></html>
[root@centos8 ~]#
Access from the specific host centos7 (192.168.32.7) succeeds
[root@centos7 ~]#curl 192.168.32.8/dir/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /dir</title>
</head>
<body>
<h1>Index of /dir</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th>
<th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?
C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent
Directory</a> </td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="etc_dir/">etc_dir/</a>
</td><td align="right">2019-12-11 13:35 </td><td align="right"> - </td><td> </td>
</tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="f1.txt">f1.txt</a>
</td><td align="right">2019-12-11 10:47 </td><td align="right">709 </td><td> </td>
</tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="f2.txt">f2.txt</a>
</td><td align="right">2019-12-11 10:48 </td><td align="right"> 23 </td><td> </td>
</tr>
<tr><th colspan="5"><hr></th></tr>
</table>
</body></html>
[root@centos7 ~]#
In the same way, configure the directory so that only one specific host is denied; here the denied host is 192.168.32.7:
[root@centos8 ~]#vim /etc/httpd/conf/httpd.conf
<Directory "/var/www/html/dir">
AllowOverride None
# Allow open access:
# Require all granted
<Requireall>
Require all granted
Require not ip 192.168.32.7
</Requireall>
</Directory>
[root@centos8 ~]#systemctl restart httpd
[root@centos8 ~]#curl 192.168.32.8/dir/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /dir</title>
</head>
<body>
<h1>Index of /dir</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th>
<th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?
C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent
Directory</a> </td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="etc_dir/">etc_dir/</a>
</td><td align="right">2019-12-11 13:35 </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="f1.txt">f1.txt</a>
</td><td align="right">2019-12-11 10:47 </td><td align="right">709 </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="f2.txt">f2.txt</a>
</td><td align="right">2019-12-11 10:48 </td><td align="right"> 23 </td><td> </td>
</tr>
<tr><th colspan="5"><hr></th></tr>
</table>
</body></html>
[root@centos8 ~]#curl 127.0.0.1/dir/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /dir</title>
</head>
<body>
<h1>Index of /dir</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th>
<th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?
C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent
Directory</a> </td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="etc_dir/">etc_dir/</a>
</td><td align="right">2019-12-11 13:35 </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="f1.txt">f1.txt</a>
</td><td align="right">2019-12-11 10:47 </td><td align="right">709 </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="f2.txt">f2.txt</a>
</td><td align="right">2019-12-11 10:48 </td><td align="right"> 23 </td><td> </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
</body></html>
[root@centos8 ~]#
Access from the specific host centos7 (192.168.32.7) is denied:
[root@centos7 ~]#curl 192.168.32.8/dir/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /dir/
on this server.<br />
</p>
</body></html>
[root@centos7 ~]#
Besides restricting a single IP, an IP range can also be specified.
<directory /var/www/html/dir>
<requireany>
require all denied
Require ip 192.168.39.0/24
</requireany>
</directory>
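The curl results above follow from how the two containers combine the results of the directives inside them. As an added example (not part of the original page and not Apache's own code), this Python model evaluates a single un-nested <RequireAll> or <RequireAny> block containing only `Require all` and `Require ip` lines; the function and constant names are illustrative assumptions, and the two sample blocks are constructed from the configurations tested above.

```python
import ipaddress
import re

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"

def eval_require(args, client):
    """Evaluate the arguments of one Require line for a client address."""
    words = args.split()
    negated = words[0].lower() == "not"
    words = words[1:] if negated else words
    kind, values = words[0].lower(), words[1:]
    if kind == "all":
        result = GRANTED if values[0].lower() == "granted" else DENIED
    elif kind == "ip":  # only full addresses and CIDR ranges are modelled
        addr = ipaddress.ip_address(client)
        hit = any(addr in ipaddress.ip_network(v, strict=False) for v in values)
        result = GRANTED if hit else DENIED
    else:
        raise ValueError("provider not modelled: " + kind)
    if negated:  # a negated line never grants: match -> denied, no match -> neutral
        result = DENIED if result == GRANTED else NEUTRAL
    return result

def eval_block(config, client):
    """Evaluate one <RequireAll> or <RequireAny> block (no nesting)."""
    lines = [l.strip() for l in config.strip().splitlines() if l.strip()]
    tag = re.fullmatch(r"<(require(?:all|any))>", lines[0], re.I).group(1).lower()
    results = [eval_require(l.split(None, 1)[1], client)
               for l in lines[1:-1] if not l.startswith("#")]
    if tag == "requireall":  # none may fail, at least one must succeed
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    if GRANTED in results:  # RequireAny: one success is enough
        return GRANTED
    return DENIED if DENIED in results else NEUTRAL

# Constructed inputs, copied from the two experiments on this page
ALLOW_ONE = """<Requireany>
Require all denied
Require ip 192.168.32.7
</Requireany>"""
DENY_ONE = """<Requireall>
Require all granted
Require not ip 192.168.32.7
</Requireall>"""

if __name__ == "__main__":
    for client in ("192.168.32.7", "192.168.32.8", "127.0.0.1"):
        print(client, eval_block(ALLOW_ONE, client), eval_block(DENY_ONE, client))
```

A negated line can only deny or abstain, which is why the deny-one rule needs `Require all granted` alongside it inside <RequireAll>.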