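1. The curl command
Description:
curl is a file transfer tool that works on the command line using URL syntax. It supports FTP, FTPS, HTTP, GOPHER, TELNET, DICT, FILE, LDAP and other protocols;
curl supports HTTP methods such as POST and PUT, FTP upload, Kerberos authentication, HTTP upload, proxy servers, cookies, user name/password authentication, resuming interrupted uploads and downloads,
HTTP proxy tunneling, and even IPv6, SOCKS5 proxy servers, uploading files to an FTP server through an HTTP proxy, and so on;
Syntax: curl [options] [URL…]
Common options:
-A, --user-agent <agent string>    set the User-Agent string sent to the server;
-e, --referer <URL>                referrer URL;
--compressed                       request a compressed response;
-I, --head                         show only the response headers;
--basic                            use HTTP Basic authentication;
-u, --user <user:password>         set the user name and password for the server;
--tcp-nodelay                      use the TCP_NODELAY option;
--cacert <CA certificate>          CA certificate;
-H, --header <header>              pass a custom header to the server;
--limit-rate <speed>               set the transfer rate;
-0, --http1.0                      use HTTP version 1.0;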
2. The elinks command
Description:
Elinks is a text-based Web browser. Elinks does not display any images, but it does support frames, tables and most other HTML tags. Elinks' advantage over graphical browsers is its speed--Elinks starts and exits quickly and swiftly displays Web pages.
Syntax: elinks [OPTION] … [URL]…
Options:
-dump    do not enter interactive mode; write the content of the URL directly to standard output;
*******************
3. Configuring compression:
Add the compression settings to the configuration file /etc/httpd/conf.d/compress.conf:
1> Compression requires the module 'mod_deflate';
[root@KOU ~]# httpd -M | grep deflate
deflate_module (shared)
[root@KOU ~]#
2> Use cases and caveats;
The goal is to save bandwidth, at the cost of extra CPU resources;
Compression is normally applied to text files;
Some older browsers that do not support compression need to be defined separately;
3> Configure compression
SetOutputFilter DEFLATE
# mod_deflate configuration
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/x-javascript
# Level of compression (Highest 9 - Lowest 1)
DeflateCompressionLevel 6
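4. Configuring https (SSL)
An SSL session is established based on the IP address; on a host with a single IP, only one HTTPS virtual host can be used;
https requires the module 'mod_ssl'; if httpd was installed with yum, the module can be installed with the command "yum -y install mod_ssl";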
~]# yum -y install mod_ssl
[root@KOU ~]# httpd -M | grep ssl
ssl_module (shared)
[root@KOU ~]#
[root@KOU ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.modules.d/00-ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/usr/libexec/httpd-ssl-pass-dialog
/var/cache/httpd/ssl
[root@KOU ~]#
Default content of the configuration file /etc/httpd/conf.d/ssl.conf:
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
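In the default file above, "SSLProtocol all -SSLv2 -SSLv3" still leaves TLS 1.0 and TLS 1.1 enabled, and the cipher string adds 3DES explicitly. The script below is an added example, not part of the original page, that flags such settings in a configuration file; the function name audit_ssl_conf, the wording of the findings and the sample file are assumptions.

```shell
#!/bin/sh
# Added example: flag legacy protocol/cipher settings in an httpd ssl.conf.
# The function name and the wording of the findings are assumptions.

audit_ssl_conf() {  # FILE: prints one finding per line; exit status 1 if any
    awk '
    /^[ \t]*#/ { next }                       # skip comment lines
    tolower($1) == "sslprotocol" {
        split("", on)                         # protocols enabled by this line
        for (i = 2; i <= NF; i++) {
            sign = "+"; p = $i
            if (p ~ /^[+-]/) { sign = substr(p, 1, 1); p = substr(p, 2) }
            if (tolower(p) == "all") {
                split("", on)
                if (sign == "+") on["SSLv3"] = on["TLSv1"] = on["TLSv1.1"] = on["TLSv1.2"] = 1
            } else if (sign == "+") { on[p] = 1 } else { delete on[p] }
        }
        n_old = split("SSLv2 SSLv3 TLSv1 TLSv1.1", old, " ")
        for (i = 1; i <= n_old; i++)
            if (old[i] in on) { print "line " NR ": " old[i] " is enabled"; bad++ }
    }
    tolower($1) == "sslciphersuite" {
        n = split($NF, c, ":")                # tokens starting with ! or - are exclusions
        for (i = 1; i <= n; i++)
            if (c[i] ~ /^[+]?(3DES|DES|RC4|MD5|LOW|EXPORT|NULL|aNULL|eNULL)$/) {
                print "line " NR ": cipher string includes " c[i]; bad++
            }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: the protocol and cipher lines from the default ssl.conf.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
EOF
audit_ssl_conf "$sample"
```

A line such as "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1" together with "SSLCipherSuite HIGH:!aNULL:!MD5:!3DES" produces no findings.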
Configuration procedure (test):
================================
1> On the CA server: create the CA and issue its self-signed certificate;
—————————–
~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 730
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:GuangZHou
Organization Name (eg, company) [Default Company Ltd]:DStec
Organizational Unit Name (eg, section) []:OPs
Common Name (eg, your name or your server's hostname) []:ca.kouyuushinn.cn
Email Address []:lucifer@kouyuushinn.cn
If the following directories and files do not exist, create them: the directories "/etc/pki/CA/{certs,crl,newcerts}" and the files "/etc/pki/CA/{serial,index.txt}";
~]# echo 01 > /etc/pki/CA/serial
2> Client (httpd): install the 'mod_ssl' module:
———————————————
~]# yum -y install mod_ssl
3> Client (httpd): generate the certificate request;
—————————————–
~]# cd /etc/httpd
~]# mkdir httpd_ssl
~]# cd httpd_ssl
~]# (umask 077; openssl genrsa -out httpd_key.pem 2048)
~]# openssl req -new -key httpd_key.pem -out httpd_csr.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:GuangZHou
Organization Name (eg, company) [Default Company Ltd]:DStec
Organizational Unit Name (eg, section) []:OPs
Common Name (eg, your name or your server's hostname) []:192.168.206.66
Email Address []:aa@kk.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4> The CA issues the certificate:
————————–
~]# openssl ca -in httpd_csr.pem -out /etc/pki/CA/certs/httpd_crt.pem -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 8 (0x8)
        Validity
            Not Before: May 31 17:16:12 2018 GMT
            Not After : May 31 17:16:12 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangDong
            organizationName          = DStec
            organizationalUnitName    = OPs
            commonName                = 192.168.206.66
            emailAddress              = aa@kk.cn
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F3:88:B9:61:1C:E1:57:3C:54:0A:97:97:08:03:F6:E6:EE:1E:5C:07
            X509v3 Authority Key Identifier:
                keyid:19:63:66:F9:1E:E3:B5:95:32:64:23:0F:96:DD:B5:5D:A7:F3:1F:E6
Certificate is to be certified until May 31 17:16:12 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
5> Configure httpd for SSL:
———————————–
~]# cd /etc/httpd/conf.d
~]# cp ssl.conf ssl.conf.bak
~]# vim ssl.conf
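# IP address of this host
ServerName 192.168.206.66
# New in httpd 2.4: if the default DocumentRoot path has been changed,
# a container must be defined for it to set access control
<Directory "/PATH/FROM/document_root">
    Options None
    AllowOverride None
    Require all granted
</Directory>
# Path of the certificate signed by the CA (set according to where it is actually stored)
SSLCertificateFile /etc/httpd/httpd_ssl/httpd_crt.pem
# Path of the client's private key (set according to where it is actually stored)
SSLCertificateKeyFile /etc/httpd/httpd_ssl/httpd_key.pem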
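6> Import the CA's self-signed certificate into the browser on the end-user machine; the browser will then no longer show a security warning;
Test access directly on the CentOS system where httpd runs:
Once port 443 is open, it cannot be accessed with the command "telnet 192.168.206.66 443"; use "openssl" instead;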
~]# openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
~]# openssl s_client -connect 192.168.206.66:443 -CAfile /etc/httpd/httpd_ssl/cacert.pem
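The procedure above leaves three files that have to agree: the CA certificate, the server certificate and the server key. The script below is an added example, not part of the original page, that checks this before httpd is restarted. It goes one step beyond the page by also checking that the address is listed as an iPAddress subjectAltName, which clients that validate names match an IP against instead of the Common Name. All function names are assumptions, and the throwaway lab CA signs with "openssl x509 -req" instead of "openssl ca".

```shell
#!/bin/sh
# Added example: checks to run on the files named in ssl.conf before a restart.
# Function names and the throwaway lab CA are assumptions, not from the page.

key_matches_cert() {  # CERT KEY: is the same public key in both?
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

chain_ok() {  # CACERT CERT: does the certificate verify against the CA?
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

cert_covers_ip() {  # CERT IP: is IP an iPAddress subjectAltName? (CN is not used)
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null | grep -q 'does match'
}

# Lab stand-in for steps 1-4, using "openssl x509 -req" so that no /etc/pki/CA
# database is needed. A third argument "san" adds the iPAddress subjectAltName;
# without it the certificate carries the address in the CN only.
issue_cert() {  # DIR IP [san]
    d=$1 ip=$2 want_san=$3
    ( umask 077; openssl genrsa -out "$d/cakey.pem" 2048
      openssl genrsa -out "$d/httpd_key.pem" 2048 ) >/dev/null 2>&1 || return 1
    openssl req -new -x509 -key "$d/cakey.pem" -out "$d/cacert.pem" \
        -days 730 -subj "/O=Lab/CN=lab-ca.invalid" 2>/dev/null || return 1
    openssl req -new -key "$d/httpd_key.pem" -out "$d/httpd_csr.pem" \
        -subj "/O=Lab/CN=$ip" 2>/dev/null || return 1
    set --
    if [ "$want_san" = san ]; then
        printf 'subjectAltName=IP:%s\n' "$ip" > "$d/san.cnf"; set -- -extfile "$d/san.cnf"
    fi
    openssl x509 -req -in "$d/httpd_csr.pem" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -set_serial 1 -days 365 -sha256 "$@" \
        -out "$d/httpd_crt.pem" 2>/dev/null
}

preflight() {  # CACERT CERT KEY IP: prints failures, returns how many there were
    fails=0
    key_matches_cert "$2" "$3" || { echo "FAIL: key does not match certificate"; fails=$((fails + 1)); }
    chain_ok "$1" "$2" || { echo "FAIL: certificate does not verify against CA"; fails=$((fails + 1)); }
    cert_covers_ip "$2" "$4" || { echo "FAIL: $4 is not in subjectAltName"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "all checks passed"
    return "$fails"
}

lab=$(mktemp -d) && issue_cert "$lab" 192.168.206.66 san &&
    preflight "$lab/cacert.pem" "$lab/httpd_crt.pem" "$lab/httpd_key.pem" 192.168.206.66
rm -rf "$lab"
```

On a real host, call preflight with the CA certificate and the SSLCertificateFile and SSLCertificateKeyFile paths from ssl.conf.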