



  • CentOS 6 ships httpd 2.2 as its default httpd RPM package
  • CentOS 7 ships httpd 2.4 as its default httpd RPM package


Name              Characteristics
Highly modular    core + modules: a core plus modules; add a module for whatever feature you need
DSO               Dynamic Shared Object (dynamic shared library)
MPM               Multi-Processing Modules

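3. httpd working models

  • prefork: a two-level process model; the parent process manages the child processes, and each process handles one request
# Working model
One master process:
    spawns and reaps child processes
    creates the socket, accepts requests, and dispatches each request to a child process
n child processes:
    each child process handles one request
# Note: several idle processes are created in advance so they are ready to answer user requests; the maximum never exceeds 1024
  • worker: a three-level process model; the parent process manages the child processes, the child processes answer user requests through threads, and each thread handles one user request
# Working model
One master process:
    spawns child processes, creates the socket, accepts requests, and dispatches each request to a child process
Several child processes:
    each child process spawns several threads
Each thread:
    answers user requests
  • event: a two-level model; the parent process manages the child processes, and each child process answers n requests directly through an event-driven mechanism
# Working model
One master process:
    spawns child processes, creates the socket, accepts requests, and dispatches each request to a child process
Child processes:
    answer multiple requests directly, using the event-driven mechanism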


File/directory                      Purpose
/var/log/httpd/access.log           access log
/var/log/httpd/error_log            error log
/var/www/html/                      site document directory
/usr/lib64/httpd/modules/           module file path
/etc/httpd/conf/httpd.conf          main configuration file
/etc/httpd/conf.modules.d/*.conf    module configuration files
/etc/httpd/conf.d/*.conf            auxiliary configuration files


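Tool          Function
htpasswd      generates the account and password entries used when basic authentication is backed by a file
apachectl     service control script shipped with httpd; supports start, stop, restart
apxs          provided by the httpd-devel package; used to extend httpd with third-party modules
rotatelogs    log rotation tool
suexec        temporarily switches to a specified user when accessing resources that have special permission settings
ab            apache benchmark, the load-testing tool for httpd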


6.1 Installing the httpd service

[root@localhost ~]# dnf install -y httpd   // install the httpd service with dnf
[root@localhost ~]# systemctl status httpd  // the service is not started by default
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor pres>
   Active: inactive (dead)
     Docs: man:httpd.service(8)
[root@localhost ~]# systemctl stop firewalld  // stop the firewall before starting the service
[root@localhost ~]# systemctl start httpd  // start the httpd service
[root@localhost ~]# systemctl status httpd  // check that the service started successfully
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor pres>
   Active: active (running) since Thu 2022-07-21 21:16:35 CST; 14s ago
     Docs: man:httpd.service(8)
 Main PID: 15207 (httpd)
   Status: "Running, listening on: port 80"
    Tasks: 213 (limit: 11202)
   Memory: 24.8M
   CGroup: /system.slice/httpd.service
           ├─15207 /usr/sbin/httpd -DFOREGROUND
           ├─15208 /usr/sbin/httpd -DFOREGROUND
           ├─15209 /usr/sbin/httpd -DFOREGROUND
           ├─15210 /usr/sbin/httpd -DFOREGROUND
           └─15211 /usr/sbin/httpd -DFOREGROUND


6.2 Access control rules

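Rule                         Function
Require all granted          allow access from all hosts
Require all denied           deny access from all hosts
Require ip IPADDR            allow access from hosts with the specified source address
Require not ip IPADDR        deny access from hosts with the specified source address
Require host HOSTNAME        allow access from hosts with the specified source hostname
Require not host HOSTNAME    deny access from hosts with the specified source hostname

IP:
Network/mask:
Network/Length:
Net: 192.168
FQDN: the full name of a specific host
DOMAIN: all hosts within the specified domain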


Configuration example: allow access from every host except IP 192.168.111.1

[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
......
    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>
<Directory "/var/www/html/Tanke">
    <RequireAll>
        Require not ip 192.168.111.1
        Require all granted
    </RequireAll>
</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
......
[root@localhost ~]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf   // remove the # in front of #ServerName
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName
[root@localhost ~]# httpd -t
Syntax OK

6.3 Virtual hosts


  • Same IP, different ports
  • Different IPs, same port
  • Same IP, same port, different domain names


  1. First search the whole system for the *vhosts.conf file
  2. Copy the *vhosts.conf file into the current path


[root@localhost ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
......
<VirtualHost *:80>
    DocumentRoot "/var/www/html/Tanke"
    ServerName
    ErrorLog "/var/log/httpd/"
    CustomLog "/var/log/httpd/" common
</VirtualHost>

Listen 81
<VirtualHost *:81>
    DocumentRoot "/var/www/html/Feiji"
    ServerName
    ErrorLog "/var/log/httpd/"
    CustomLog "/var/log/httpd/" common
</VirtualHost>
......
[root@localhost ~]# httpd -t
Syntax OK
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# ss -anlt
State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port  Process
LISTEN   0        128      *
LISTEN   0        128                    *:80                  *:*
LISTEN   0        128                    *:81                  *:*
LISTEN   0        128                 [::]:22               [::]:*


[root@localhost ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
......
<VirtualHost>
    DocumentRoot "/var/www/html/Tanke"
    ServerName
    ErrorLog "/var/log/httpd/"
    CustomLog "/var/log/httpd/" common
</VirtualHost>

<VirtualHost>
    DocumentRoot "/var/www/html/Feiji"
    ServerName
    ErrorLog "/var/log/httpd/"
    CustomLog "/var/log/httpd/" common
</VirtualHost>
......
[root@localhost ~]# httpd -t
Syntax OK
[root@localhost ~]# ip a  // check whether IP 192.168.111.136 is present
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:bb:22:82 brd ff:ff:ff:ff:ff:ff
    inet brd scope global dynamic noprefixroute ens160
       valid_lft 1537sec preferred_lft 1537sec
    inet6 fe80::3d5c:b9d6:55f:48e9/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
[root@localhost ~]# ip addr add dev ens160  // add the IP
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:bb:22:82 brd ff:ff:ff:ff:ff:ff
    inet brd scope global dynamic noprefixroute ens160
       valid_lft 1463sec preferred_lft 1463sec
    inet scope global secondary ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::3d5c:b9d6:55f:48e9/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
[root@localhost ~]# systemctl restart httpd  // restart the httpd service


[root@localhost ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
......
<VirtualHost *:80>
    DocumentRoot "/var/www/html/Tanke"
    ServerName
    ErrorLog "/var/log/httpd/"
    CustomLog "/var/log/httpd/" common
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/var/www/html/Feiji"
    ServerName
    ErrorLog "/var/log/httpd/"
    CustomLog "/var/log/httpd/" common
</VirtualHost>
......
[root@localhost ~]# httpd -t
Syntax OK
[root@localhost ~]# systemctl restart httpd


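On Linux and macOS, edit /etc/hosts.

Windows hostname resolution: the file at C:/windows/system32/drivers/etc/hosts cannot be modified in place; drag it to the desktop, edit it to add the resolution entry, then put it back in its original location.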
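The three virtual-host layouts above fail quietly in two ways that `httpd -t` does not report: a `<VirtualHost *:PORT>` whose port has no `Listen` directive never receives traffic, and two blocks sharing one ServerName on the same address:port always resolve to the first. The lint below is an added example, not part of the original page; the function names and the hostnames www.a.test and www.b.test are constructed.

```shell
#!/bin/sh
# Added example: lint <VirtualHost> blocks of the kind configured above.
# MISSING_LISTEN  a VirtualHost port that no Listen directive opens
# DUP_SERVERNAME  one ServerName used twice on the same address:port
#                 (httpd then always serves the first block)

vhost_audit() {                 # vhost_audit [FILE...]  (stdin if no file)
    awk '
    NF == 0 || $1 ~ /^#/ { next }                 # blanks and comments
    { d = tolower($1) }
    d == "listen" {                               # Listen 81 | Listen ADDR:81
        n = split($2, a, ":"); listen[a[n]] = 1; next
    }
    d == "<virtualhost" {                         # <VirtualHost *:81>
        addr = $2; sub(/>$/, "", addr)
        n = split(addr, a, ":")
        if (n > 1 && a[n] != "*") ports[a[n]] = 1
        next
    }
    d == "</virtualhost>" { addr = ""; next }
    d == "servername" && addr != "" {
        key = addr " " tolower($2)
        if (seen[key]++) print "DUP_SERVERNAME " key
    }
    END { for (p in ports) if (!(p in listen)) print "MISSING_LISTEN " p }
    ' "$@" | sort
}

# Constructed sample: www.a.test and www.b.test are placeholder names.
demo_conf() {
    cat <<'EOF'
Listen 80
<VirtualHost *:80>
    DocumentRoot "/var/www/html/Tanke"
    ServerName www.a.test
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/var/www/html/Feiji"
    ServerName www.a.test
</VirtualHost>
<VirtualHost *:81>
    DocumentRoot "/var/www/html/Feiji"
    ServerName www.b.test
</VirtualHost>
EOF
}

demo_conf | vhost_audit
```

On a real host, pass every file that can carry `Listen` or `<VirtualHost>` lines in one call, for example the main configuration file together with the files under conf.d.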


HTTPS (full name: Hyper Text Transfer Protocol over Secure Socket Layer) is an HTTP channel designed for security; on top of HTTP, it protects the transfer through transport encryption and identity authentication.

1. The mod_ssl module

The mod_ssl module provides HTTPS encryption and authentication.

// install the mod_ssl module
[root@localhost ~]# dnf install -y mod_ssl


[root@localhost ~]# mkdir /etc/pki/CA
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# mkdir private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)  # generate the key
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
....................................................+++++
e is 65537 (0x010001)
[root@localhost CA]# openssl rsa -in private/cakey.pem -pubout  # extract the public key
writing RSA key

b). The CA generates a self-signed certificate

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365  # generate the self-signed certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:zsl
Organizational Unit Name (eg, section) []:mxx
Common Name (eg, your name or your server's hostname) []
Email Address []
[root@localhost CA]# openssl x509 -text -in cacert.pem  # print the contents of the cacert.pem certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            76:a0:c6:d4:e7:7a:4d:dc:21:1b:71:ba:25:8e:74:f3:1b:41:5b:2a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = cn, ST = hb, L = wh, O = zsl, OU = mxx, CN =, emailAddress =
        Validity
            Not Before: Jul 21 15:31:42 2022 GMT
            Not After : Jul 21 15:31:42 2023 GMT
        Subject: C = cn, ST = hb, L = wh, O = zsl, OU = mxx, CN =, emailAddress =
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                8F:33:2D:51:A9:40:12:AC:BA:56:09:42:A1:CC:38:E3:4C:2B:79:DF
            X509v3 Authority Key Identifier:
                keyid:8F:33:2D:51:A9:40:12:AC:BA:56:09:42:A1:CC:38:E3:4C:2B:79:DF
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial


[root@localhost CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
...........................................................................+++++
e is 65537 (0x010001)


[root@localhost ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:zsl
Organizational Unit Name (eg, section) []:mxx
Common Name (eg, your name or your server's hostname) []
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


[root@localhost ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 21 15:35:07 2022 GMT
            Not After : Jul 21 15:35:07 2023 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = hb
            organizationName          = zsl
            organizationalUnitName    = mxx
            commonName                =
            emailAddress              =
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                EA:D9:52:5A:E7:84:C2:09:1A:15:5B:4D:F2:77:23:F0:1D:C1:F9:D0
            X509v3 Authority Key Identifier:
                keyid:8F:33:2D:51:A9:40:12:AC:BA:56:09:42:A1:CC:38:E3:4C:2B:79:DF

Certificate is to be certified until Jul 21 15:35:07 2023 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

2. Configure the certificate location in ssl.conf

[root@localhost ~]# cd /etc/httpd/conf.d/
[root@localhost conf.d]# vim ssl.conf
......
// remove the # in front of #DocumentRoot and #ServerName, and point DocumentRoot at the directory to serve
<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html/Feiji"
ServerName

// set the path to the certificate
SSLCertificateFile /etc/httpd/ssl/httpd.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
......

3. Check the configuration file for syntax errors

[root@localhost conf.d]# httpd -t
Syntax OK

4. Restart the service

[root@localhost conf.d]# systemctl restart httpd
[root@localhost conf.d]# ss -anlt
State      Recv-Q     Send-Q           Local Address:Port           Peer Address:Port     Process
LISTEN     0          128                  *
LISTEN     0          128                          *:443                       *:*
LISTEN     0          128                          *:80                        *:*
LISTEN     0          128                       [::]:22                     [::]:*
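Before restarting httpd with a new SSLCertificateFile and SSLCertificateKeyFile, it is worth confirming that the certificate chains to the CA, that the private key belongs to that certificate, that the certificate is not about to expire, and that the key is readable only by its owner. The script below is an added example, not part of the original page: the function names, the demo directory and the subject names are constructed, and the throwaway demo certificate is signed with `openssl x509 -req` rather than the interactive `openssl ca` used above.

```shell
#!/bin/sh
# Added example: pre-restart checks on the files named by SSLCertificateFile
# and SSLCertificateKeyFile. All subject names and paths are constructed.

cert_matches_key() (            # cert_matches_key CERT KEY
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
    [ "$c" = "$k" ]             # same public key on both sides
)

check_httpd_cert() (            # check_httpd_cert CA CERT KEY; status 0 = clean
    ca=$1 cert=$2 key=$3 bad=0
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL chain: $cert is not signed by $ca"; bad=1; }
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL pair: $key does not match $cert"; bad=1; }
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL expiry: $cert expires within 30 days"; bad=1; }
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL mode: $key is accessible to group or others"; bad=1; }
    exit "$bad"
)

# Throwaway CA and server certificate for the demo. Signing uses
# "openssl x509 -req" in place of the page's interactive "openssl ca".
build_demo_pki() (              # build_demo_pki DIR
    cd "$1" || exit 1
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    umask 077
    openssl genrsa -out cakey.pem 2048 2>/dev/null
    openssl genrsa -out httpd.key 2048 2>/dev/null
    openssl req -new -x509 -config demo.cnf -key cakey.pem -out cacert.pem -days 365
    openssl req -new -config demo.cnf -subj "/CN=www.example.test" \
        -key httpd.key -out httpd.csr
    openssl x509 -req -in httpd.csr -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -out httpd.crt -days 365 2>/dev/null
)

demo=$(mktemp -d) && build_demo_pki "$demo" &&
    check_httpd_cert "$demo/cacert.pem" "$demo/httpd.crt" "$demo/httpd.key" &&
    echo "all checks passed"
```

Against the files created on this page, the equivalent call is `check_httpd_cert /etc/pki/CA/cacert.pem /etc/httpd/ssl/httpd.crt /etc/httpd/ssl/httpd.key`.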

