标签：启动服务   匹配   protocol   forbidden   blank   ccf   无法   自己的   grant   

1. http: Hyper Text Transfer Protocol, 80/tcp
2. 常用 http/1.1
   1.支持cache, MIME（支持传送多媒体文件）, method
   2.POST命令和HEAD命令 头信息是 ASCII 码，后面数据可为任何格式。服务器回应时会告诉客户 端，数据是什么格式，即Content-Type字段的作用。这些数据类型总称为 MIME 多用途互联网邮件扩展，每个值包括一级类型和二级类型，预定义的 类型，也可自定义类型
   3.持久连接（persistent connection），即TCP连接默认不 关闭，可以被多个请求复用，不用声明Connection: keep-alive 。对于同一个域名，大多数浏览器允许同时建立6个持久连接
   4.管道机制（pipelining），即在同一个TCP连接里，客户端 可以同时发送多个请求，进一步改进了HTTP协议的效率
   5.支持GET、PUT、PATCH、OPTIONS、DELETE方法
   • 问题
     1.同一个TCP连接里面，所有的数据通信是按次序进行的。服务器 只能顺序处理回应，前面的回应慢，会有许多请求排队，造成" 队头堵塞"（Head-of-line blocking） ?
     为避免上述问题，两种方法：一是减少请求数，二是同时多开持 久连接。网页优化技巧，比如合并脚本和样式表、将图片嵌入 CSS代码、域名分片（domain sharding）等 ?
     2.HTTP 协议不带有状态，每次请求都必须附上所有信息。请求的 很多字段都是重复的，浪费带宽，影响速度
   • http请求基本过程
     1、建立连接
     2、接收请求
     3、处理请求
     4、访问资源
     5、构建响应报文 头部
     6、发送响应报文
     7、记录日志
3. 方法介绍
   GET：从服务器获取一个资源
   HEAD：只从服务器获取文档的响应首部
   POST：向服务器输入数据，通常会再由网关程序继续处理 例如提交用户密码或者信息
   PUT：将请求的主体部分存储在服务器中，如上传文件
   DELETE：请求删除服务器上指定的文档
   TRACE：追踪请求到达服务器中间经过的代理服务器
   OPTIONS：请求服务器返回对指定资源支持使用的请求方法
4. 状态码介绍
   1xx：100-101 信息提示 ?
   2xx：200-206 成功 ?
   3xx：300-305 重定向 ?
   4xx：400-415 错误类信息，客户端错误 ?
   5xx：500-505 错误类信息，服务器端错误
   200： 成功，请求数据通过响应报文的entity-body部分发送;OK ?
   301： 请求的URL指向的资源已经被删除；但在响应报文中通过首部 Location指明了资源现在所处的新位置；Moved Permanently ?
   302： 响应报文Location指明资源临时新位置 Moved Temporarily
   304：服务器上的资源未曾发生改变，使用本机缓存
   401： 需要输入账号和密码认证方能访问资源；Unauthorized ?
   403： 请求被禁止；Forbidden ?
   404： 服务器无法找到客户端请求的资源；Not Found ?
   500： 服务器内部错误；Internal Server Error ?
   502： 代理服务器从后端服务器收到了一条伪响应，如无法连接到网关；Bad Gateway ? 无法连接到调度的服务器
   503 – 服务不可用，临时服务器维护或过载，服务器无法处理请求 ?
   504 – 网关超时

2.基于httpd实现网站用户访问控制

1.安装httpd服务
2.准备好主页

[root@centos7 ~]#echo ‘welcome to here!‘ > /var/www/html/index.html

3.启动服务

[root@centos7 ~]#systemctl start httpd

4.测试网页

5.利用htpasswd命令生成用户和密码，注意文件要能被apache账号读取

[root@centos7 conf.d]#htpasswd -c /data/user dcrfan
New password: 
Re-type new password: 
Adding password for user dcrfan
[root@centos7 conf.d]#htpasswd  /data/user zhang
New password: 
Re-type new password: 
Adding password for user zhang
[root@centos7 ~]#chown apache /data/user

6.修改httpd配置文件

 <Directory "/var/www/html">
   Options Indexes FollowSymLinks
   AllowOverride None
   AuthType Basic   #加密类型
   AuthName "please input your name"  #提示字符串
   AuthUserFile  "/data/user"            #用户密码验证文件                                            
   Require  user  dcrfan                #允许访问用户
 </Directory>

[root@centos7 conf.d]#systemctl  restart httpd 

7.测试网页

8.其他权限控制选项
Require all granted 允许所有主机访问：
Require all denied 拒绝所有主机访问
Require host HOSTNAME：授权特定主机访问
Require not host HOSTNAME：拒绝 特定主机访问
Require ip IPADDR：授权指定来源的IP访问
Require not ip IPADDR：拒绝特定的IP访问

?/不能有失败，至少有一个成功匹配才成功，即失败优先
<RequireAll>
Require all granted
Require not ip 172.16.1.1 拒绝特定IP
</RequireAll> ?
/多个语句有一个成功，则成功，即成功优先
<RequireAny>
Require all denied
require ip 172.16.1.1 允许特定IP
</RequireAny>

3.基于httpd实现网站虚拟主机

建立测试文件主页

[root@centos7 conf.d]#mkdir /var/www/html/{a,b,c} 
[root@centos7 conf.d]#echo "a">/var/www/html/a/index.html
[root@centos7 conf.d]#echo "b">/var/www/html/b/index.html
[root@centos7 conf.d]#echo "c">/var/www/html/c/index.html

1.基于port实现虚拟主机
修改配置文件

[root@centos7 conf.d]#vim port.conf
  listen 808                                                                                                   
  listen 8080
   <virtualhost 192.168.0.109:80>
   servername www.a.com
  documentroot "/var/www/html/a"
   </virtualhost>
   <virtualhost 192.168.0.109:808>
 servername www.b.com
  documentroot "/var/www/html/b"
  </virtualhost>
 <virtualhost 192.168.0.109:8080>
 servername www.c.com                                                                                         
  documentroot "/var/www/html/c"
  </virtualhost>

重启服务并查看端口

[root@centos7 conf.d]#systemctl  restart httpd
    [root@centos7 ~]#ss -ntl
State       Recv-Q Send-Q           Local Address:Port                          Peer Address:Port              
LISTEN      0      128                          *:111                                      *:*                  
LISTEN      0      128                          *:41968                                    *:*                  
LISTEN      0      5                192.168.122.1:53                                       *:*                  
LISTEN      0      128                          *:22                                       *:*                  
LISTEN      0      128                  127.0.0.1:631                                      *:*                  
LISTEN      0      100                  127.0.0.1:25                                       *:*                  
LISTEN      0      128                         :::111                                     :::*                  
LISTEN      0      128                         :::8080                                    :::*                  
LISTEN      0      128                         :::80                                      :::*                  
LISTEN      0      128                         :::22                                      :::*                  
LISTEN      0      128                        ::1:631                                     :::*                  
LISTEN      0      100                        ::1:25                                      :::*                  
LISTEN      0      128                         :::53952                                   :::*                  
LISTEN      0      128                         :::808                                     :::*  

测试文件

[root@centos7 ~]#curl 192.168.0.109
a
[root@centos7 ~]#curl 192.168.0.109:808
b
[root@centos7 ~]#curl 192.168.0.109:8080
c
~        

2.基于ip实现虚拟主机
修改配置文件

<virtualhost 192.168.0.109:80>
servername www.a.com
documentroot "/var/www/html/a"
</virtualhost>
<virtualhost 192.168.0.110:80>
servername www.b.com
documentroot "/var/www/html/b"
</virtualhost>
<virtualhost 192.168.0.111:80>
servername www.c.com                                                                                             
documentroot "/var/www/html/c"
</virtualhost>

重启httpd服务

[root@centos7 conf.d]#systemctl  restart httpd

为本机临时添加ip地址

[root@centos7 ~]#ip address add 192.168.0.110/24 dev eth0
[root@centos7 ~]#ip address add 192.168.0.111/24 dev eth0

查看ip

[root@centos7 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:53:4d:b3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.109/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.168.0.110/24 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet 192.168.0.111/24 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::47f0:15a7:5a66:13c7/64 scope link 
       valid_lft forever preferred_lft forever

测试

 [root@centos7 ~]#curl 192.168.0.109
a
[root@centos7 ~]#curl 192.168.0.110
b
[root@centos7 ~]#curl 192.168.0.111
c

3.基于FQDN实现虚拟主机
修改配置文件并重启服务

<virtualhost *:80>
servername www.a.com
documentroot "/var/www/html/a"
</virtualhost>
<virtualhost *:80>
servername www.b.com
documentroot "/var/www/html/b"
</virtualhost>
<virtualhost *:80>                                                                                               
servername www.c.com                                                                                             
documentroot "/var/www/html/c"
</virtualhost>

修改测试客户端host文件，让其能解析这三个地址

[root@centos7 ~]#cat /etc/hosts       
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.109 www.a.com www.b.com www.c.com

测试

[root@centos7 ~]#curl www.a.com
a
[root@centos7 ~]#curl www.b.com
b
[root@centos7 ~]#curl www.c.com
c

注意：一般虚拟机不要与main主机混用；因此，要使用虚拟主机， 一般先禁用main主机
禁用方法：注释中心主机的DocumentRoot指令即可
还可以定制各自日志文件
ErrorLog "logs/host.example.com-error_log"
TransferLog "logs/host.example.com-access_log"

4.基于httpd实现网站https加密

要实现https加密需要搭建CA服务器实现加密通讯，安装mod_ssl模块，服务以443端口监听
1.在192.168.0.112搭建ca

[root@localhost ~]# (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
.......+++
e is 65537 (0x10001)
[root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem  -days 7200 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:dcrfan
Organizational Unit Name (eg, section) []:dcrfan.cn
Common Name (eg, your name or your server‘s hostname) []:dcrfan
Email Address []:
[root@localhost ~]# echo 01 > /etc/pki/CA/serial
[root@localhost ~]# touch /etc/pki/CA/index.txt

2.在192.168.0.109生成密钥

root@centos7 ~]# (umask 066; openssl genrsa -out /etc/httpd/httpd.key 2048)       
Generating RSA private key, 2048 bit long modulus
.............................................................................................+++
.............................+++
e is 65537 (0x10001)
[root@centos7 ~]# openssl req -new -key /etc/httpd/httpd.key  -out /etc/httpd/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:dcrfan  
Organizational Unit Name (eg, section) []:dcrfan.cn
Common Name (eg, your name or your server‘s hostname) []：www.a.com #与网站域名一致
Email Address []:
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos7 ~]#scp /etc/httpd/httpd.csr 192.168.0.112:/data/

3.在192.168.0.112签名证书

[root@localhost ~]# openssl ca -in /data/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 160           
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb  7 02:40:31 2019 GMT
            Not After : Jul 17 02:40:31 2019 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = gd
            organizationName          = dcrfan
            organizationalUnitName    = dcrfan.cn
            commonName                = www.a.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                48:30:32:22:C2:7F:68:A5:45:C6:99:3B:46:B5:6B:08:7F:94:86:DB
            X509v3 Authority Key Identifier: 
               keyid:29:BE:1C:83:B6:3E:49:D0:12:3F:80:A5:64:CB:17:02:8C:43:3B:1A
Certificate is to be certified until Jul 17 02:40:31 2019 GMT (160 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ~]# scp /etc/pki/CA/certs/httpd.crt /etc/pki/CA/cacert.pem  192.168.0.109:/etc/httpd/

4.安装模块

[root@centos7 ~]#yum install mod_ssl

5.修改httpd配置文件

[root@centos7 ~]#ls /etc/httpd 
cacert.pem  conf  conf.d  conf.modules.d  httpd.crt  httpd.csr  httpd.key  logs  modules  run

[root@centos7 ~]#vim /etc/httpd/conf.d/ssl.conf
   DocumentRoot   "/var/www/html/"
  ServerName   www.a.com
  SSLCertificateFile    /etc/httpd/cacert.pem   #指定ca证书位置
   SSLCertificateKeyFile  /etc/httpd/httpd.key  #指定自己的私钥位置
   SSLCACertificateFile  /etc/httpd/httpd.crt    #指定ca签名的证书位置

6.实现HSTS，让网址自动应用https

vim /etc/httpd/conf/httpd.conf 
Header always set Strict-Transport-Security "maxage=31536000"
RewriteEngine on 
RewriteRule ^(/.*)$  https://%{HTTP_HOST}$1 [redirect=302] 

7.修改测试服务器/etc/hosts
192.168.0.109 www.a.com
8.测试（在浏览器添加ca证书）

http协议

标签：启动服务   匹配   protocol   forbidden   blank   ccf   无法   自己的   grant   

原文地址：http://blog.51cto.com/6289984/2348866