Linux下Web服务器架设笔录教学内容.doc

Good is good, but better carries it.精益求精，善益求善。Linux下Web服务器架设笔录-Linux下Web服务器架设笔录本文环境：CentOS5.4+ApacheApache的安装CentOS默认已安装Apache服务器软件，可使用rpm命令检查安装情况：dxlocalhost$rpm-qa|grephttpdhttpd-2.2.3-31.el5.centos若没有默认安装，可在安装光盘内找到rpm包并进行安装：dxlocalhost$rpmivhhttpd-2.2.3-31.e15.i386.rpm安装成功后，几个重要的文件分布如下：/etc/httpd/conf/httpd.confApache的主配置文件/etc/httpd/logsApache的日志存放目录/etc/httpd/modulesApache的模块存放目录/usr/lib/httpd/modulesApache模块存放的另一目录/usr/sbin/apachectlApache控制脚本(非目录)，用于启动、停止等操作Httpd进程运行时需要apache用户的支持，CentOS在安装时一般情况下已默认创建了这个用户，如果系统中没有这个用户，应该重新创建。运行ApacheApache安装完成之后，有一套默认的配置文件可以启动：rootlocalhostdx#/usr/sbin/apachectlstart查看进程的启动状态：rootlocalhostdx#ps-eaf|grephttpdroot111961014:54?00:00:00/usr/sbin/httpd-kstartapache1119711196014:54?00:00:00/usr/sbin/httpd-kstartapache1119811196014:54?00:00:00/usr/sbin/httpd-kstartapache1119911196014:54?00:00:00/usr/sbin/httpd-kstartapache1120011196014:54?00:00:00/usr/sbin/httpd-kstartapache1120111196014:54?00:00:00/usr/sbin/httpd-kstartapache1120211196014:54?00:00:00/usr/sbin/httpd-kstartapache1120311196014:54?00:00:00/usr/sbin/httpd-kstartapache1120411196014:54?00:00:00/usr/sbin/httpd-kstart可以看到，有9个Apache的进程，其中一个是由root用户身份运行，另外8个以apache用户身份运行，这8个进程是第1个进程的子进程。启动多个进程的目的是为了更好地为客户端提供服务，初始子进程的个数可以在配置文件中指定。设置Apache随系统启动而启动：rootlocalhostdx#chkconfig-listhttpdhttpd0:关闭1:关闭2:关闭3:关闭4:关闭5:关闭6:关闭rootlocalhostdx#chkconfighttpdonrootlocalhostdx#chkconfig-listhttpdhttpd0:关闭1:关闭2:启用3:启用4:启用5:启用6:关闭检查端口监听状态：rootlocalhostdx#netstat-an|grep:80tcp00:80:*LISTEN确定端口状态后，只要防火墙有设置http为信任的协议，就可以在客户端访问Apache的测试页面了：http:/172.18.20.243/Apache服务器的全局配置Apache服务器的配置主要集中在主配置文件/etc/httpd/conf/httpd.conf中，本节先介绍Apache服务器的全局基本配置，之后再介绍目录访问控制，用户个人网站配置，虚拟主机配置等其他高级配置。Apache的例子配置文件包含了很多的配置选项，涵盖了Apache服务器的大部分的重要功能，里面的配置指令包括全局配置、主服务器配置和虚拟主机配置三大部分，这里首先解释一下例子配置文件中有关全局配置的指令，他们决定了Apache服务器的总体性能。rootlocalhostconf#more/etc/httpd/conf/httpd.conf#ThisisthemainApacheserverconfigurationfile.Itcontainsthe#configurationdirectivesthatgivetheserveritsinstructions.#See<URL:http:/httpd.apache.org/docs/2.2/>fordetailedinformation.#Inparticular,see#<URL:http:/httpd.apache.org/docs/2.2/mod/directives.html>#foradiscussionofeachconfigurationdirective.#DoNOTsimplyreadtheinstructionsinherewithoutunderstanding#whattheydo.They'rehereonlyashintsorreminders.Ifyouareunsure#consulttheonlinedocs.Youhavebeenwarned.#Theconfigurationdirectivesaregroupedintothreebasicsections:#1.DirectivesthatcontroltheoperationoftheApacheserverprocessasa#whole(the'globalenvironment').#2.Directivesthatdefinetheparametersofthe'main'or'default'server,#whichrespondstorequeststhataren'thandledbyavirtualhost.#Thesedirectivesalsoprovidedefaultvaluesforthesettings#ofallvirtualhosts.#3.Settingsforvirtualhosts,whichallowWebrequeststobesentto#differentIPaddressesorhostnamesandhavethemhandledbythe#sameApacheserverprocess.#Configurationandlogfilenames:Ifthefilenamesyouspecifyformany#oftheserver'scontrolfilesbeginwith"/"(or"drive:/"forWin32),the#serverwillusethatexplicitpath.Ifthefilenamesdo*not*begin#with"/",thevalueofServerRootisprepended-so"logs/foo.log"#withServerRootsetto"/etc/httpd"willbeinterpretedbythe#serveras"/etc/httpd/logs/foo.log".#Section1:GlobalEnvironment#全局配置部分指令#ThedirectivesinthissectionaffecttheoveralloperationofApache,#suchasthenumberofconcurrentrequestsitcanhandleorwhereit#canfinditsconfigurationfiles.#Don'tgiveawaytoomuchinformationaboutallthesubcomponents#wearerunning.Commentoutthislineifyoudon'tmindremotesites#findingoutwhatmajoroptionalmodulesyouarerunningServerTokensOS#连接时显示Apache的版本和操作系统的名称#ServerRoot:Thetopofthedirectorytreeunderwhichtheserver's#configuration,error,andlogfilesarekept.#NOTE!IfyouintendtoplacethisonanNFS(orotherwisenetwork)#mountedfilesystemthenpleasereadtheLockFiledocumentation#(availableat<URL:http:/httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>);#youwillsaveyourselfalotoftrouble.#DoNOTaddaslashattheendofthedirectorypath.#ServerRoot"/etc/httpd"#指定服务器的根目录，以后在配置文件中指定起始符号不是”/”的路径时，以该目录作为起始目录，如logs/error_log即表示/etc/httpd/logs/error_log#PidFile:Thefileinwhichtheservershouldrecorditsprocess#identificationnumberwhenitstarts.#PidFilerun/httpd.pid#Timeout:Thenumberofsecondsbeforereceivesandsendstimeout.#Timeout120#客户端建立连接后如果连续120秒内没有响应，则切断连接#KeepAlive:Whetherornottoallowpersistentconnections(morethan#onerequestperconnection).Setto"Off"todeactivate.#KeepAliveOff#“Off”表示不使用持久连接功能，即在一个TCP连接中只传送一个请求和一个应答消息。建议设置为on，可提高服务器性能。#MaxKeepAliveRequests:Themaximumnumberofrequeststoallow#duringapersistentconnection.Setto0toallowanunlimitedamount.#Werecommendyouleavethisnumberhigh,formaximumperformance.#MaxKeepAliveRequests100#使用持久连接时，该连接允许发送的最大请求消息数。如果设为0，表示没有限制。#KeepAliveTimeout:Numberofsecondstowaitforthenextrequestfromthe#sameclientonthesameconnection.#KeepAliveTimeout15#使用持久连接功能时，客户端的下一个请求消息超过15秒还未到达，就切断该连接。#Server-PoolSizeRegulation(MPMspecific)#设置使用preforkMPM运行方式的参数，CentOS中默认以此方式运行Apache服务器。#配置Apache运行时启动多少个进程来处理客户端的请求。#preforkMPM#StartServers:numberofserverprocessestostart#MinSpareServers:minimumnumberofserverprocesseswhicharekeptspare#MaxSpareServers:maximumnumberofserverprocesseswhicharekeptspare#ServerLimit:maximumvalueforMaxClientsforthelifetimeoftheserver#MaxClients:maximumnumberofserverprocessesallowedtostart#MaxRequestsPerChild:maximumnumberofrequestsaserverprocessserves<IfModuleprefork.c>#模块定义开始StartServers8#初始的httpd子进程数为8个MinSpareServers5#最小的空闲httpd子进程总数为5个MaxSpareServers20#最大的空闲httpd子进程总数为20个ServerLimit256#最大的httpd子进程数允许值为256个MaxClients256#最大客户端连接数为256MaxRequestsPerChild4000#每个httpd子进程处理了4000个请求后要关闭</IfModule>#模块定义结束#设置workerMPM方式的参数，与preforkMPM类似，但设置的是线程数。#workerMPM#StartServers:initialnumberofserverprocessestostart#MaxClients:maximumnumberofsimultaneousclientconnections#MinSpareThreads:minimumnumberofworkerthreadswhicharekeptspare#MaxSpareThreads:maximumnumberofworkerthreadswhicharekeptspare#ThreadsPerChild:constantnumberofworkerthreadsineachserverprocess#MaxRequestsPerChild:maximumnumberofrequestsaserverprocessserves<IfModuleworker.c>#模块定义开始StartServers2#主控制进程生成2个httpd子进程MaxClients150#最大客户端连接数为150MinSpareThreads25#最小的空闲httpd线程总数为25个MaxSpareThreads75#最大的空闲httpd线程总数为75个ThreadsPerChild25#每个子进程可产生25个线程MaxRequestsPerChild0#每个子进程处理的最大请求数，0表示没有限制</IfModule>#模块定义结束#Listen:AllowsyoutobindApachetospecificIPaddressesand/or#ports,inadditiontothedefault.Seealsothe<VirtualHost>#directive.#ChangethistoListenonspecificIPaddressesasshownbelowto#preventApachefromglommingontoallboundIPaddresses(0.0.0.0)#Listen12.34.56.78:80Listen80#设置服务器的监听端口为80#DynamicSharedObject(DSO)Support#TobeabletousethefunctionalityofamodulewhichwasbuiltasaDSOyou#havetoplacecorrespondingLoadModule'linesatthislocationsothe#directivescontainedinitareactuallyavailable_before_theyareused.#Staticallycompiledmodules(thoselistedbyhttpd-l')donotneed#tobeloadedhere.#Example:#LoadModulefoo_modulemodules/mod_foo.so#加载动态模块(DSO)LoadModuleauth_basic_modulemodules/mod_auth_basic.soLoadModuleauth_digest_modulemodules/mod_auth_digest.soLoadModuleauthn_file_modulemodules/mod_authn_file.soLoadModuleauthn_alias_modulemodules/mod_authn_alias.soLoadModuleauthn_anon_modulemodules/mod_authn_anon.soLoadModuleauthn_dbm_modulemodules/mod_authn_dbm.soLoadModuleauthn_default_modulemodules/mod_authn_default.soLoadModuleauthz_host_modulemodules/mod_authz_host.soLoadModuleauthz_user_modulemodules/mod_authz_user.soLoadModuleauthz_owner_modulemodules/mod_authz_owner.soLoadModuleauthz_groupfile_modulemodules/mod_authz_groupfile.soLoadModuleauthz_dbm_modulemodules/mod_authz_dbm.soLoadModuleauthz_default_modulemodules/mod_authz_default.soLoadModuleldap_modulemodules/mod_ldap.soLoadModuleauthnz_ldap_modulemodules/mod_authnz_ldap.soLoadModuleinclude_modulemodules/mod_include.soLoadModulelog_config_modulemodules/mod_log_config.soLoadModulelogio_modulemodules/mod_logio.soLoadModuleenv_modulemodules/mod_env.soLoadModuleext_filter_modulemodules/mod_ext_filter.soLoadModulemime_magic_modulemodules/mod_mime_magic.soLoadModuleexpires_modulemodules/mod_expires.soLoadModuledeflate_modulemodules/mod_deflate.soLoadModuleheaders_modulemodules/mod_headers.soLoadModuleusertrack_modulemodules/mod_usertrack.soLoadModulesetenvif_modulemodules/mod_setenvif.soLoadModulemime_modulemodules/mod_mime.soLoadModuledav_modulemodules/mod_dav.soLoadModulestatus_modulemodules/mod_status.soLoadModuleautoindex_modulemodules/mod_autoindex.soLoadModuleinfo_modulemodules/mod_info.soLoadModuledav_fs_modulemodules/mod_dav_fs.soLoadModulevhost_alias_modulemodules/mod_vhost_alias.soLoadModulenegotiation_modulemodules/mod_negotiation.soLoadModuledir_modulemodules/mod_dir.soLoadModuleactions_modulemodules/mod_actions.soLoadModulespeling_modulemodules/mod_speling.soLoadModuleuserdir_modulemodules/mod_userdir.soLoadModulealias_modulemodules/mod_alias.soLoadModulerewrite_modulemodules/mod_rewrite.soLoadModuleproxy_modulemodules/mod_proxy.soLoadModuleproxy_balancer_modulemodules/mod_proxy_balancer.soLoadModuleproxy_ftp_modulemodules/mod_proxy_ftp.soLoadModuleproxy_http_modulemodules/mod_proxy_http.soLoadModuleproxy_connect_modulemodules/mod_proxy_connect.soLoadModulecache_modulemodules/mod_cache.soLoadModulesuexec_modulemodules/mod_suexec.soLoadModuledisk_cache_modulemodules/mod_disk_cache.soLoadModulefile_cache_modulemodules/mod_file_cache.soLoadModulemem_cache_modulemodules/mod_mem_cache.soLoadModulecgi_modulemodules/mod_cgi.soLoadModuleversion_modulemodules/mod_version.so#Thefollowingmodulesarenotloadedbydefault:#LoadModulecern_meta_modulemodules/mod_cern_meta.so#LoadModuleasis_modulemodules/mod_asis.so#Loadconfigfilesfromtheconfigdirectory"/etc/httpd/conf.d".#将conf.d/目录下的所有后缀名为.conf的文件内容包含进来，根据以上ServerRoot的配置，这个目录应该是：/etc/httpd/conf.d/*.conf#这个目录中包含了许多专用功能的配置，如JSP、PHP、SSL等的配置文件Includeconf.d/*.conf#ExtendedStatuscontrolswhetherApachewillgenerate"full"status#information(ExtendedStatusOn)orjustbasicinformation(ExtendedStatus#Off)whenthe"server-status"handleriscalled.ThedefaultisOff.#ExtendedStatusOn#Ifyouwishhttpdtorunasadifferentuserorgroup,youmustrun#httpdasrootinitiallyanditwillswitch.#User/Group:Thename(or#number)oftheuser/grouptorunhttpdas.#.OnSCO(ODT3)use"Usernouser"and"Groupnogroup".#.OnHPUXyoumaynotbeabletousesharedmemoryasnobody,andthe#suggestedworkaroundistocreateauserwwwandusethatuser.#NOTEthatsomekernelsrefusetosetgid(Group)orsemctl(IPC_SET)#whenthevalueof(unsigned)Groupisabove60000;#don'tuseGroup#-1onthesesystems!#指定运行httpd子进程的用户和用户组身份UserapacheGroupapacheApache主服务器配置Apache处理客户端的请求时，会根据URL来判断客户端是否需要访问虚拟主机。如果不是访问虚拟主机，则认为是访问主服务器。主服务器的配置将作为后面虚拟主机的默认配置，如果在虚拟主机中出现了同样的指令，则会覆盖对应的指令。#Section2:'Main'serverconfiguration#主服务器配置部分指令#Thedirectivesinthissectionsetupthevaluesusedbythe'main'#server,whichrespondstoanyrequeststhataren'thandledbya#<VirtualHost>definition.Thesevaluesalsoprovidedefaultsfor#any<VirtualHost>containersyoumaydefinelaterinthefile.#Allofthesedirectivesmayappearinside<VirtualHost>containers,#inwhichcasethesedefaultsettingswillbeoverriddenforthe#virtualhostbeingdefined.#ServerAdmin:Youraddress,whereproblemswiththeservershouldbe#e-mailed.Thisaddressappearsonsomeserver-generatedpages,such#aserrordocuments.e.g.adminyour-#ServerAdminrootlocalhost#管理员的E-Mail地址，会出现在一些出错页面中#ServerNamegivesthenameandportthattheserverusestoidentifyitself.#Thiscanoftenbedeterminedautomatically,butwerecommendyouspecify#itexplicitlytopreventproblemsduringstartup.#IfthisisnotsettovalidDNSnameforyourhost,server-generated#redirectionswillnotwork.SeealsotheUseCanonicalNamedirective.#Ifyourhostdoesn'thavearegisteredDNSname,enteritsIPaddresshere.#Youwillhavetoaccessitbyitsaddressanyway,andthiswillmake#redirectionsworkinasensibleway.#ServerN:80#当Apache服务器引用自己的URL时，使用这里指定的域名和端口号。#UseCanonicalName:DetermineshowApacheconstructsself-referencing#URLsandtheSERVER_NAMEandSERVER_PORTvariables.#Whenset"Off",ApachewillusetheHostnameandPortsupplied#bytheclient.Whenset"On",Apachewillusethevalueofthe#ServerNamedirective.#UseCanonicalNameOff#当Apache构建引用自己的URL时，使用这里指定的域名和端口号，如果此选项打开，则使用由ServerName指定的主机名和端口。#DocumentRoot:Thedirectoryoutofwhichyouwillserveyour#documents.Bydefault,allrequestsaretakenfromthisdirectory,but#symboliclinksandaliasesmaybeusedtopointtootherlocations.#DocumentRoot"/var/www/html"#主服务器的根文档路径。#EachdirectorytowhichApachehasaccesscanbeconfiguredwithrespect#towhichservicesandfeaturesareallowedand/ordisabledinthat#directory(anditssubdirectories).#First,weconfigurethe"default"tobeaveryrestrictivesetof#features.#设置根目录的访问控制权<Directory/>OptionsFollowSymLinksAllowOverrideNone</Directory>#Notethatfromthispointforwardyoumustspecificallyallow#particularfeaturestobeenabled-soifsomething'snotworkingas#youmightexpect,makesurethatyouhavespecificallyenabledit#below.#ThisshouldbechangedtowhateveryousetDocumentRootto.#设置主服务器主目录的访问控制权<Directory"/var/www/html">#定义开始#PossiblevaluesfortheOptionsdirectiveare"None","All",#oranycombinationof:#IndexesIncludesFollowSymLinksSymLinksifOwnerMatchExecCGIMultiViews#Notethat"MultiViews"mustbenamed*explicitly*-"OptionsAll"#doesn'tgiveittoyou.#TheOptionsdirectiveisbothcomplicatedandimportant.Pleasesee#http:/httpd.apache.org/docs/2.2/mod/core.html#options#formoreinformation.#OptionsIndexesFollowSymLinks#AllowOverridecontrolswhatdirectivesmaybeplacedin.htaccessfiles.#Itcanbe"All","None",oranycombinationofthekeywords:#OptionsFileInfoAuthConfigLimit#AllowOverrideNone#Controlswhocangetstufffromthisserver.#Orderallow,denyAllowfromall</Directory>#定义结束#UserDir:Thenameofthedirectorythatisappendedontoauser'shome#directoryifauserrequestisreceived.#Thepathtotheenduseraccount'public_html'directorymustbe#accessibletothewebserveruserid.Thisusuallymeansthatuserid#musthavepermissionsof711,userid/public_htmlmusthavepermissions#of755,anddocumentscontainedthereinmustbeworld-readable.#Otherwise,theclientwillonlyreceivea"403Forbidden"message.#Seealso:http:/httpd.apache.org/docs/misc/FAQ.html#forbidden#<IfModulemod_userdir.c>#用户个人服务器#UserDirisdisabledbydefaultsinceitcanconfirmthepresence#ofausernameonthesystem(dependingonhomedirectory#permissions).#UserDirdisable#不允许用户使用个人服务器#Toenablerequeststo/user/toservetheuser'spublic_html#directory,removethe"UserDirdisable"lineabove,anduncomment#thefollowinglineinstead:#UserDirpublic_html</IfModule>#ControlaccesstoUserDirdirectories.Thefollowing