第31篇 集群架构-Apache网站服务
1.Apache基础概述2.Apache安装配置3.Apache基础配置4.Apache虚拟主机5.Apache动态网站6.Apache访问控制7.Apache安全服务8.Apache反向代理8.1.环境准备8.2.Node节点部署8.3.反向代理部署
1.Apache基础概述
动态和静态资源
静态元素:.html .img js css mp4
动态元素:.php .jsp .py
常见Web Server服务
Nginx、openresty、Tengine、Apache、IIS
Web常见中间件
1php: PHP-fpm、HHVM
2py: wsgi
3jsp: Tomcat、JBOSS、Resin、Weblogic
主流组合架构
1LNMP (Linux + Nginx + MySQL + PHP) //php-fpm 进程
2LAMP (Linux + Apache + MySQL + PHP) //php 作为 Apache 的模块
3Nginx + Tomcat //取代 Apache 与 Tomcat 结合
软件包
1 http 服务端口: 80/tcp(http)
2 https 服务端口: 443/tcp(https,http+ssl)
配置文件
1/etc/httpd/conf/httpd.conf //主配置文件
2/etc/httpd/conf.d/*.conf //包含配置文件
3/etc/httpd/conf.d/welcome.conf //默认测试页面
配置进程和线程
1针对apache2.2仅针对面试
2# prefork MPM //进程模式
3<IfModule prefork.c> StartServers 10 //初始建立的进程数
4MinSpareServers 10 //最小空闲的进程数
5MaxSpareServers 15 //最大空闲的进程数
6ServerLimit 2000 //最大启动的进程数 默认 256
7MaxClients 2000 //最大并发连接数 默认 256
8MaxRequestsPerChild 4000 //每个子进程在其生命周期内允许响应的最大请求数,0 不限制
9</IfModule>
10# worker MPM //线程模式
11<IfModule worker.c> StartServers 2 //初始建立的进程数
12ThreadsPerChild 50 //每个进程建立的线程数
13MinSpareThreads 100 //最小空闲的线程数
14MaxSpareThreads 200 //最大空闲的线程数
15MaxClients 2000 //最大的并发访问量(线程)
16MaxRequestsPerChild 0 //每个子进程在其生命周期内允许响应的最大请求数,0 不限制
17</IfModule>
2.Apache安装配置
1.环境准备 (示例为便于排错关闭了防火墙与 SELinux; 生产环境建议保持 SELinux enforcing, 并按下文 firewall-cmd 的方式只放行 http/https 服务)
1[root@liyanzhao ~]# yum update
2[root@liyanzhao ~]# systemctl stop firewalld
3[root@liyanzhao ~]# systemctl disable firewalld
4[root@liyanzhao ~]# sed -ri '/^SELINUX=/cSELINUX=disabled' /etc/selinux/config
5[root@liyanzhao ~]# setenforce 0
2.安装Apache服务
1[root@liyanzhao ~]# yum install -y httpd
2[root@liyanzhao ~]# systemctl start httpd
3[root@liyanzhao ~]# systemctl enable httpd
4//如果必须启动防火墙的情况执行如下指令
5[root@liyanzhao ~]# firewall-cmd --permanent --add-service=http
6[root@liyanzhao ~]# firewall-cmd --reload
3.添加默认静态页面
1//定义首页文件
2[root@liyanzhao ~]# echo "Web is First" >> /var/www/html/index.html
3//访问测试, 也可使用浏览器访问
4[root@liyanzhao ~]# curl http://192.168.56.11
5Web is First
3.Apache基础配置
查看Apache重要配置文件
1IncludeOptional conf.d/*.conf
2[root@liyanzhao ~]# grep '^[a-Z]' /etc/httpd/conf/httpd.conf
3ServerRoot "/etc/httpd" //安装目录
4Listen 80 //监听端口
5Include conf.modules.d/*.conf //包含模块目录配置文件
6User apache //运行Apache进程的用户
7Group apache //运行Apache进程的用户组
8ServerAdmin root@localhost //管理员邮箱
9DocumentRoot "/var/www/html" //站点目录
10ErrorLog "logs/error_log" //错误日志
11LogLevel warn //日志级别
12AddDefaultCharset UTF-8 //字符集
13EnableSendfile on //
14IncludeOptional conf.d/*.conf //包含conf.d目录下的所有conf结尾的文件
15//类型模块
16<IfModule mime_module>
17 TypesConfig /etc/mime.types
18 AddType application/x-compress .Z
19 AddType application/x-gzip .gz .tgz
20 AddType text/html .shtml
21 AddOutputFilter INCLUDES .shtml
22</IfModule>
23//日志模块
24ErrorLog "logs/error_log"
25LogLevel warn
26<IfModule log_config_module>
27 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
28 LogFormat "%h %l %u %t \"%r\" %>s %b" common
29 <IfModule logio_module>
30 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
31 </IfModule>
32 CustomLog "logs/access_log" combined
33</IfModule>
34//不允许用户直接访问/目录
35<Directory />
36 DirectoryIndex index.html
37 AllowOverride none
38 Require all denied
39</Directory>
40//允许所有用户访问/var/www
41<Directory "/var/www">
42 DirectoryIndex index.html
43 AllowOverride None
44 Require all granted
45</Directory>
46//拒绝任何人访问包含.ht文件
47<Files ".ht*">
48 Require all denied
49</Files>
4.Apache虚拟主机
虚拟主机, 一个服务器上同时运行多个网站
1//建立默认虚拟主机
2# vim /etc/httpd/conf.d/00-default-vhost.conf
3<VirtualHost _default_:80>
4 DocumentRoot /srv/default/www/
5 CustomLog "logs/default-vhost.log" combined
6<Directory /srv/default/www/>
7 Options Indexes FollowSymLinks
8 AllowOverride None
9 Require all granted
10 </Directory>
11</VirtualHost>
12//建立www0.example.com的虚拟主机
13# vim /etc/httpd/conf.d/01-www0.example.com-vhost.conf
14<VirtualHost *:80>
15 Servername www0.example.com
16 DocumentRoot /srv/www0.example.com/www/
17 CustomLog "logs/www0.example.com-vhost.log" combined
18<Directory /srv/www0.example.com/www/>
19 Options Indexes FollowSymLinks
20 AllowOverride None
21 Require all granted
22 </Directory>
23</VirtualHost>
5.Apache动态网站
1.如果需要解析动态php程序, 则需要安装php
1//安装PHP
2[root@liyanzhao ~]# yum install -y php
3//php作为Apache的模块运行,并生成对应配置文件
4[root@liyanzhao ~]# ll /etc/httpd/modules/libphp5.so
5[root@liyanzhao ~]# ll /etc/httpd/conf.d/php.conf
6//重启Apache加载php
7[root@liyanzhao ~]# systemctl restart httpd
8//编写php状态页面
9[root@liyanzhao ~]# cat >> /var/www/html/info.php <<EOF
10<?php
11phpinfo();
12?>
13EOF
2.测试访问php状态页面
3.安装MariaDB数据库
1//安装MariaDB数据库, 启动并加入开机自启动
2[root@liyanzhao ~]# yum install mariadb mariadb-server -y
3[root@liyanzhao ~]# systemctl enable mariadb
4[root@liyanzhao ~]# systemctl start mariadb
5//简单配置mariadb数据库
6[root@liyanzhao ~]# mysql_secure_installation
7//输入y, 然后设定root密码
8Set root password? [Y/n]y
9New password: 123
10Re-enter new password: 123
11....后面暂时一路回车即可...
12//登录MariaDB验证密码 (密码直接跟在 -p 后面会留在 shell 历史中, 也可被 ps 看到; 交互式输入更安全)
13[root@apache ~]# mysql -uroot -p123
14MariaDB [(none)]> exit
15Bye
16//编辑php连接数据库文件
17[root@liyanzhao ~]# cat > /var/www/html/sql.php <<-EOF
18<?php \$link=mysql_connect('localhost','root','123');
19if(\$link)
20 echo "Successfuly";
21else
22 echo "Faile";mysql_close();
23?>
24EOF
25注意: 打开页面如果出现空白, 说明php无法连接MariaDB, 请按如下步骤操作:
26//安装php连接mariadb数据库模块
27[root@liyanzhao ~]# yum install php-mysql -y
28//检查是否有对应数据库模块
29[root@liyanzhao ~]# php -m |grep mysql
30mysql
31mysqli
32pdo_mysql
33//重启apache服务加载
34[root@liyanzhao ~]# systemctl restart httpd
4.验证php与mariaDB连接
5.如果觉得PHP版本过低, 可进行升级PHP版本
1//检查当前安装的PHP, 并移除旧版 (rpm -e 需要的是包名, 可用 rpm -qa 'php*' 列出)
2[root@http-server ~]# rpm -e $(yum list installed | grep php)
3//安装epel-扩展源, 安装php7
4[root@http-server ~]# yum install epel-release
5rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
6[root@http-server ~]# yum install -y php72-php php72-php-gd php72-php-mysqlnd \
7php72-php-pecl-mysql php72-php-pecl-mysql-xdevapi php72-php-opcache \
8php72-php-pecl-memcache php72-php-pecl-memcached php72-php-pecl-redis
6.Apache访问控制
目录访问控制, 基于IP或者主机访问控制(仅限httpd2.4版本可用)
1//匹配本机
2Require local
3//匹配所有的访问请求,并且授权访问
4Require all granted
5//匹配所有的访问请求,并且拒绝访问
6Require all denied
7//匹配指定IP的客户端访问
8Require ip 192.168.56.11
9//匹配某个IP网段
10Require ip 192.168.56.0/255.255.0.0
11Require ip 192.168.56.0/24
12//不匹配该IP的请求
13Require not ip 192.168.56.11
14//匹配主机名的客户端访问
15Require host desktop0.example.com
16//匹配某个域或主机名
17Require host example.com moreidiots.example
18 example.com
19 server0.example.com
20 node.example.com
21 *.example.com
22//不匹配所有以.gov结尾域
23Require not host gov
24//注意: not不能单独使用, 必须用在RequireAll, RequireAny, RequireNone容器标签里, 如下
25<RequireAll>
26 Require all granted
27 Require not ip 192.168.56.11
28</RequireAll>
1.实践环境准备
1[root@http-server ~]# mkdir /var/www/html/download/
2[root@http-server ~]# echo "web Server Apache" > /var/www/html/download/index.html
3[root@http-server ~]# echo "htaccess" > /var/www/html/download/.htaccess
案例1: 允许所有主机访问
1<VirtualHost *:80>
2 ServerName test.bgx.com
3 DocumentRoot "/var/www/html/download"
4</VirtualHost>
5<Directory "/var/www/html/download">
6 AllowOverride None
7 Require all granted
8</Directory>
9//AllowOverride All 允许子目录中的.htaccess 中的设置覆盖当前设置
10//AllowOverride None 不允许子目录中的.htaccess 中的设置覆盖当前设置
案例2: 只允许192.168.56.0/24与192.168.69.0/24两个网段访问
1<VirtualHost *:80>
2 ServerName test.bgx.com
3 DocumentRoot "/var/www/html/download"
4</VirtualHost>
5<Directory "/var/www/html/download">
6 AllowOverride None
7 Require ip 192.168.69.0/24
8 Require ip 192.168.56.0/24
9</Directory>
案例3: 所有请求都允许,只拒绝某些主机访问
1<VirtualHost *:80>
2 ServerName test.bgx.com
3 DocumentRoot "/var/www/html/download"
4</VirtualHost>
5<Directory "/var/www/html/download">
6 AllowOverride None
7 //用于封装一组规则的授权,其中必须没有失败的授权
8 //至少必须有一个规则成功才允许访问
9 <RequireAll>
10 Require all granted
11 Require not host desktop0.example.com
12 #Require not ip 192.168.56.0/24
13 </RequireAll>
14</Directory>
限制原理:
1.RequireAll要求所有规则都必须通过, 不能有一条失败
2.desktop0.example.com满足第一条规则(Require all granted)
3.desktop0.example.com不满足第二条规则(Require not host), 所以不能访问
案例4: 拒绝所有人访问, 但允许个别主机可以访问 (同一段内多条 Require 默认按 RequireAny 合并, 匹配到 Require ip 即放行, 其余请求被拒绝)
1<VirtualHost *:80>
2 ServerName test.bgx.com
3 DocumentRoot "/var/www/html/download"
4</VirtualHost>
5<Directory "/var/www/html/download">
6 AllowOverride None
7 Require ip 192.168.160.161
8 Require all denied
9</Directory>
案例5: 特别的规则组合
1//最终的结果居然是只能是本机访问
2//<RequireAll> 要求所有规则都必须通过,不能有一个失败
3<VirtualHost *:80>
4 ServerName test.bgx.com
5 DocumentRoot "/var/www/html/download"
6</VirtualHost>
7<Directory "/var/www/html/download">
8 AllowOverride None
9 //用于封装一组规则的授权,其中必须没有失败的授权
10 //至少必须有一个规则成功才允许访问
11 <RequireAll>
12 Require all granted
13 Require local
14 </RequireAll>
15</Directory>
16//只有desktop0.example.com能访问.
17//其他机器都不能匹配到Require host desktop0.example.com
18<VirtualHost *:80>
19 ServerName test.bgx.com
20 DocumentRoot "/var/www/html/download"
21</VirtualHost>
22<Directory "/var/www/html/download">
23 AllowOverride None
24 //用于封装一组规则的授权,其中必须没有失败的授权
25 //至少必须有一个规则成功才允许访问
26 <RequireAll>
27 Require all granted
28 Require host desktop0.example.com
29 </RequireAll>
30</Directory>
32文件访问控制
33//不允许在上传目录(下例为 /webroot/baidu/upload)中执行 .php 文件; 注意 <Files ~> 的正则应写成 "\.php$", 引号内不能有前导空格, 否则匹配不到文件; Order/Deny 是 2.2 语法, 2.4 中等价写法是 Require all denied
34<Directory /webroot/baidu/upload>
35AllowOverride None
36Require all granted
37<Files ~ " \.php$" >
38 Order allow,deny
39 Deny from all
40</Files>
41</Directory>
用户访问控制: 访问站点需要用户名与密码 (参见 httpd 官方参考文档)
1//1.安装加密工具
2[root@http-server ~]# yum install -y httpd-tools
3//2.建立密码文件 (-c 会新建或覆盖文件; -b 把密码放在命令行参数里, 会留在 shell 历史中, 省略 -b 则改为交互式输入)
4[root@http-server ~]# htpasswd -c -b /etc/httpd/webpass bgx 123
5//如果需要新增用户, 可使用如下方式
6[root@http-server ~]# htpasswd -b /etc/httpd/webpass bgx1 123
7//配置httpd支持认证 (Basic 认证只对凭据做 base64 编码, 应配合第7节的 https 使用)
8<VirtualHost *:80>
9 ServerName test.bgx.com
10 DocumentRoot "/var/www/html/download"
11</VirtualHost>
12<Directory "/var/www/html/download">
13 AuthType "Basic"
14 AuthName "Hai I's To Bgx"
15 AuthBasicProvider file
16 AuthUserFile "/etc/httpd/webpass"
17 Require valid-user
18</Directory>
7.Apache安全服务
使用虚拟主机技术部署两个网站, 按要求配置HTTPS网站
• 网站1:
○ 绑定域名 www0.example.com
○ 目录在 /srv/www0/www
○ 要求支持https加密访问
○ 所有通过http访问该网站都会自动跳转到https
• 网站2:
○ 绑定域名 webapp0.example.com
§ 目录在 /srv/webapp0/www
§ 要求支持https加密访问
§ 所有通过http访问该网站都会自动跳转到https
1.安装httpd mod_ssl实现 http和https服务
1[root@http-server ~]# yum install httpd mod_ssl -y
2[root@http-server ~]# systemctl enable httpd
3[root@http-server ~]# systemctl start httpd
2.建立https网站需要的相关证书和密钥文件 (下载后分别放到下面虚拟主机配置引用的 /etc/pki/tls/certs 与 /etc/pki/tls/private 目录, 私钥文件权限应为仅 root 可读)
1http://classroom.example.com/pub/example-ca.crt #根证书
2http://classroom.example.com/pub/tls/certs/www0.crt # www0网站的证书
3http://classroom.example.com/pub/tls/private/www0.key # www0网站的私钥
4http://classroom.example.com/pub/tls/certs/webapp0.crt # webapp0网站的证书
5http://classroom.example.com/pub/tls/private/webapp0.key # webapp0网站的私钥
3.建立相关目录文件 (静态站点目录只需让 apache 用户可读; 把整个 /srv 的属主改为 apache 会让 httpd 进程能够改写站点文件, 无写入需求时可不改属主)
1[root@http-server ~]# mkdir -p /srv/{www0,webapp0}/www
2[root@http-server ~]# echo "www0" > /srv/www0/www/index.html
3[root@http-server ~]# echo "webapp0" > /srv/webapp0/www/index.html
4[root@http-server ~]# chown apache:apache -R /srv/*
4.建立对应两台虚拟主机 (示例中 SSLProtocol all -SSLv2 仍允许 SSLv3 和 TLS 1.0/1.1, 生产环境建议写成 SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1; SSLCipherSuite 中的 MEDIUM 也包含较弱的套件)
1# vim /etc/httpd/conf.d/www0.conf
2<VirtualHost *:443>
3DocumentRoot "/srv/www0/www"
4ServerName www0.example.com
5SSLEngine on
6SSLProtocol all -SSLv2
7SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
8SSLCertificateFile /etc/pki/tls/certs/www0.crt
9SSLCertificateKeyFile /etc/pki/tls/private/www0.key
10 <Directory /srv/www0/www>
11 Require all granted
12 </Directory>
13</VirtualHost>
14<VirtualHost *:80>
15 Servername www0.example.com
16 RewriteEngine On
17 RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
18</VirtualHost>
19//第二台虚拟主机
20[root@http-server ~]# cp /etc/httpd/conf.d/{www0,webapp0}.conf
21[root@http-server ~]# sed -i 's/www0/webapp0/g' /etc/httpd/conf.d/webapp0.conf
8.Apache反向代理
反向代理(Reverse Proxy)方式是指以代理服务器来接受internet上的连接请求,然后将请求转发给内部网络上的服务器,并将从服务器上得到的结果返回给internet上请求连接的客户端,此时代理服务器对外就表现为一个反向代理服务器。
8.1.环境准备
8.2.Node节点部署
在两台web-node节点中均使用Yum安装一个Apache作为后端真实服务器,监听8080端口
web-node1.com部署
1[root@web-node1 ~]# rpm -ivh \
2http://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
3[root@web-node1 ~]# yum install -y gcc glibc gcc-c++ make screen tree lrzsz
4##部署web-node1 httpd服务
5[root@web-node1 ~]# yum install -y httpd
6[root@web-node1 ~]# sed -i 's/Listen 80/Listen 8080/g' /etc/httpd/conf/httpd.conf
7[root@web-node1 ~]# systemctl start httpd
8[root@web-node1 ~]# echo "web-node1.com" > /var/www/html/index.html
9[root@web-node1 ~]# curl http://192.168.90.201:8080/
10web-node1.com
11web-node2.com部署
12[root@web-node1 ~]# rpm -ivh \
13http://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
14[root@web-node1 ~]# yum install -y gcc glibc gcc-c++ make screen tree lrzsz
15##部署web-node2 httpd服务
16[root@web-node2 ~]# yum install -y httpd
17[root@web-node2 ~]# sed -i 's/Listen 80/Listen 8080/g' /etc/httpd/conf/httpd.conf
18[root@web-node2 ~]# systemctl start httpd
19[root@web-node2 ~]# echo "web-node2.com" > /var/www/html/index.html
20[root@web-node2 ~]# curl http://192.168.90.202:8080/
21web-node2.com
8.3.反向代理部署
1.Apache源码编译安装,并监听80端口 (通过 http 下载源码包时应同时获取官方提供的 .asc 或 .sha256 校验文件, 验证通过后再编译)
1[root@lb-node1 ~]# yum install -y apr-devel apr-util-devel pcre-devel openssl-devel
2[root@lb-node1 ~]# cd /usr/local/src
3[root@lb-node1 src]# wget http://www-eu.apache.org/dist/httpd/httpd-2.4.23.tar.gz
4[root@lb-node1 src]# tar xf httpd-2.4.23.tar.gz
5[root@lb-node1 src]# cd httpd-2.4.23
6[root@lb-node1 httpd-2.4.23]# ./configure --prefix=/usr/local/httpd-2.4.23 --enable-so --enable-modules="all"
7[root@lb-node1 httpd-2.4.23]# make && make install
8[root@lb-node1 httpd-2.4.23]# ln -s /usr/local/httpd-2.4.23/ /usr/local/httpd
9## 测试配置并启动Apache
10[root@lb-node1 ~]# sed -i 's@#ServerName www.example.com:80@ServerName 192.168.90.203:80@g' /usr/local/httpd/conf/httpd.conf
11[root@lb-node1 ~]# /usr/local/httpd/bin/apachectl -t
12Syntax OK
13[root@lb-node1 ~]# /usr/local/httpd/bin/apachectl -k start
2.在/usr/local/httpd/conf/httpd.conf配置引用proxy配置文件
1Include conf/extra/httpd-proxy.conf
3.配置proxy反向代理
1[root@linux-node1 ~]# cat /usr/local/httpd/conf/extra/httpd-proxy.conf
2LoadModule proxy_module modules/mod_proxy.so
3LoadModule proxy_connect_module modules/mod_proxy_connect.so
4LoadModule proxy_http_module modules/mod_proxy_http.so
5LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
6LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
7LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
8LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
9LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
10ProxyRequests Off
11<Proxy balancer://web-cluster>
12BalancerMember http://192.168.90.201:8080 loadfactor=1
13BalancerMember http://192.168.90.202:8080 loadfactor=2
14</Proxy>
15ProxyPass /biaoganxu balancer://web-cluster
16ProxyPassReverse /biaoganxu balancer://web-cluster
17<Location /manager>
18 SetHandler balancer-manager
19 Order Deny,Allow
20 Allow from all
21</Location>
4.重载Apache服务
1[root@lb-node1 ~]# /usr/local/httpd/bin/apachectl -k graceful
5.测试反向代理 (测试路径需与 ProxyPass 配置一致: 第3步写的是 /biaoganxu, 下面的 curl 与第7节用的是 /biaogan, 二者应统一)
1[root@lb-node1 ~]# curl http://192.168.90.203/biaogan/
2web-node1.com
3[root@lb-node1 ~]# curl http://192.168.90.203/biaogan/
4web-node2.com
5[root@lb-node1 ~]# curl http://192.168.90.203/biaogan/
6web-node2.com
7[root@lb-node1 ~]# curl http://192.168.90.203/biaogan/
8web-node1.com
6.使用HTTP访问Apache管理页面
访问http://192.168.90.203/manager
Apache管理页面
7.Apache proxy代理配置文件详解
1#proxy模块
2LoadModule proxy_module modules/mod_proxy.so
3#连接模块(处理CONNECT请求)
4LoadModule proxy_connect_module modules/mod_proxy_connect.so
5#http代理模块
6LoadModule proxy_http_module modules/mod_proxy_http.so
7#负载均衡模块
8LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
9#算法默认是byrequest,可以是bytraffic或者bybusyness
10#算法模块,根据server的请求量
11LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
12#算法模块,根据server流量
13LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
14#算法模块,根据server繁忙
15LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
16LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
17ProxyRequests Off
18#LB集群组名称
19<Proxy balancer://web-cluster>
20#node节点并设置权重(可配置多个)
21BalancerMember http://192.168.90.201:8080 loadfactor=1
22BalancerMember http://192.168.90.202:8080 loadfactor=2
23</Proxy>
24#跳转至LB集群组名称,交由后端WEB节点处理
25ProxyPass /biaogan balancer://web-cluster
26ProxyPassReverse /biaogan balancer://web-cluster
27# Apache 负载均衡管理页面 (balancer-manager 可在线修改成员、权重与状态, 不应用 Allow from all 对外开放; 应限制为管理网段, 如 Require ip <管理网段>, 或加上用户认证; Order/Allow 是 2.2 语法, 2.4 中对应 Require)
28<Location /manager>
29 SetHandler balancer-manager
30 Order Deny,Allow
31 Allow from all
32</Location>