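1. Installing Apache
2. Installing PHP
3. Configuring httpd to support PHP
4. Configuring Apache virtual hosts
5. Apache password authentication
6. Apache domain redirection
7. Apache logging
8. Enabling caching in Apache
9. Hotlink protection
10. Apache access control
11. Disabling PHP parsing in user upload directories
12. Restricting access by user_agent
13. PHP configuration file and logging settings
14. Preventing cross-site access
15. Installing PHP extension modules
1. Installing Apache
Install the packages Apache depends on: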
yum install -y gcc gcc-c++
yum install -y expat-devel
yum install -y pcre-devel
Apache website: www.apache.org
wget http://mirrors.cnnic.cn/apache/httpd/httpd-2.4.27.tar.gz
wget http://mirrors.hust.edu.cn/apache/apr/apr-1.5.2.tar.gz
wget http://mirrors.hust.edu.cn/apache/apr/apr-util-1.5.4.tar.gz
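apr and apr-util are general-purpose libraries that let httpd ignore the underlying operating system platform, which makes it easy to port (for example from Linux to Windows).
Compile and install apr: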
tar zxvf apr-1.5.2.tar.gz
cd /usr/local/src/apr-1.5.2
./configure --prefix=/usr/local/apr
make && make install
Compile and install apr-util:
tar zxvf apr-util-1.5.4.tar.gz
cd /usr/local/src/apr-util-1.5.4
./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
make && make install
Compile and install Apache:
tar zxvf httpd-2.4.27.tar.gz
cd /usr/local/src/httpd-2.4.27
./configure \
--prefix=/usr/local/apache2.4 \
--with-apr=/usr/local/apr \
--with-apr-util=/usr/local/apr-util \
--enable-so \
--enable-mods-shared=most
make && make install
List all installed modules:
ls /usr/local/apache2.4/modules
List the loaded modules:
/usr/local/apache2.4/bin/httpd -M
Start the Apache service:
/usr/local/apache2.4/bin/apachectl start
2. Installing PHP
PHP website: www.php.net
Compile and install PHP 5:
yum install -y libxml2-devel
yum install -y openssl-devel
yum install -y bzip2-devel
yum install -y libjpeg-turbo-devel
yum install -y libpng-devel
yum install -y freetype-devel
yum install -y libmcrypt-devel
cd /usr/local/src/
wget http://cn2.php.net/distributions/php-5.6.30.tar.gz
tar zxf php-5.6.30.tar.gz
cd php-5.6.30
./configure --prefix=/usr/local/php --with-apxs2=/usr/local/apache2.4/bin/apxs --with-config-file-path=/usr/local/php/etc --with-mysql=/usr/local/mysql --with-pdo-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config --with-libxml-dir --with-gd --with-jpeg-dir --with-png-dir --with-freetype-dir --with-iconv-dir --with-zlib-dir --with-bz2 --with-openssl --with-mcrypt --enable-soap --enable-gd-native-ttf --enable-mbstring --enable-sockets --enable-exif
make && make install
cp php.ini-production /usr/local/php/etc/php.ini
Compile and install PHP 7:
The dependency packages above are also required; skip any that are already installed.
cd /usr/local/src/
wget http://cn2.php.net/distributions/php-7.1.6.tar.bz2
tar jxvf php-7.1.6.tar.bz2
cd php-7.1.6
./configure --prefix=/usr/local/php7 --with-apxs2=/usr/local/apache2.4/bin/apxs --with-config-file-path=/usr/local/php7/etc --with-pdo-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config --with-libxml-dir --with-gd --with-jpeg-dir --with-png-dir --with-freetype-dir --with-iconv-dir --with-zlib-dir --with-bz2 --with-openssl --with-mcrypt --enable-soap --enable-gd-native-ttf --enable-mbstring --enable-sockets --enable-exif
make && make install
ls /usr/local/apache2.4/modules/libphp7.so
cp php.ini-production /usr/local/php7/etc/php.ini
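Both PHP versions can be installed on the same machine, but only one can be used at a time; enable or disable them in the Apache configuration file.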
LoadModule php5_module modules/libphp5.so
LoadModule php7_module modules/libphp7.so
Comment out the one you are not using.
3. Configuring httpd to support PHP
Edit the main httpd configuration file:
vim /usr/local/apache2.4/conf/httpd.conf
ServerName
Require all granted
AddType application/x-httpd-php .php
DirectoryIndex index.html index.php
Test whether the configuration file is correct:
/usr/local/apache2.4/bin/apachectl -t
Restart the service:
/usr/local/apache2.4/bin/apachectl restart
Check that the port is listening:
netstat -lntp
Add a test page:
vim /usr/local/apache2.4/htdocs/test.php
<?php
phpinfo();
?>
Test:
http://IP/test.php
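If the test fails, open port 80 in the firewall and check that the configuration file is correct.
If it still fails with the firewall turned off, change Require all granted in /usr/local/apache2.4/conf/httpd.conf back to the original setting.
4. Configuring Apache virtual hosts
A single server can serve multiple websites, and each website is a virtual host. The virtual host that answers for any domain name resolving to this machine is the default virtual host.
The default httpd virtual host:
vim /usr/local/apache2.4/conf/httpd.conf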
Include conf/extra/httpd-vhosts.conf
Once Apache virtual hosts are enabled, the DocumentRoot in httpd.conf no longer takes effect.
Location of the httpd virtual host configuration file:
/usr/local/apache2.4/conf/extra/httpd-vhosts.conf
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/data/wwwroot/sot"
ServerName www.sot.com
ServerAlias sot.com sot1.com
ErrorLog "logs/sot-error_log"
CustomLog "logs/sot-access_log" common
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@dummy-host2.example.com
DocumentRoot "/data/wwwroot/goodsou"
ServerName www.goodsou.com
ServerAlias goodsou.com goodsou1.com
ErrorLog "logs/goodsou-error_log"
CustomLog "logs/goodsou-access_log" common
</VirtualHost>
<VirtualHost *:80>
</VirtualHost>
The curl -x command:
curl -x127.0.0.1:80 sot.com
5. Apache password authentication
Authentication for a directory:
Edit the virtual host configuration file: vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/sot"
ServerName www.sot.com
<Directory /data/wwwroot/sot/>
AllowOverride AuthConfig
AuthName "www.sot.com user auth"
AuthType Basic
AuthUserFile /data/.htpasswd
require valid-user
</Directory>
ServerAlias sot1.com sot.com
ErrorLog "logs/sot-error_log"
CustomLog "logs/sot-access_log" common
</VirtualHost>
/usr/local/apache2.4/bin/htpasswd -cm /data/.htpasswd test
Check that the configuration is correct:
/usr/local/apache2.4/bin/apachectl -t
Reload the configuration file:
/usr/local/apache2.4/bin/apachectl graceful
Test with a browser, or with curl -x:
curl -x127.0.0.1:80 www.sot.com
curl -x127.0.0.1:80 -utest:test www.sot.com
Authentication for a single file:
Edit the configuration file as above:
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/sot/"
ServerName www.sot.com
<FilesMatch admin.php>
# AllowOverride is only valid in <Directory> sections, so it is not used here.
AuthName "www.sot.com user auth"
AuthType Basic
AuthUserFile /data/.htpasswd
require valid-user
</FilesMatch>
</VirtualHost>
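The rest of the configuration is the same as above.
6. Apache domain redirection
Requirement: redirect the sot.com domain to www.sot.com. The configuration is as follows: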
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/sot"
ServerName www.sot.com
ServerAlias sot1.com sot.com
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.sot\.com$
RewriteRule ^/(.*)$ http://www.sot.com/$1 [R=301,L]
</IfModule>
</VirtualHost>
/usr/local/apache2.4/bin/apachectl -M|grep -i rewrite
Check that the configuration is correct:
/usr/local/apache2.4/bin/apachectl -t
Reload the configuration file:
/usr/local/apache2.4/bin/apachectl graceful
Test:
curl -x127.0.0.1:80 -I sot.com
7. Apache logging
Apache has two access log formats; the default is common.
View the log formats:
vim /usr/local/apache2.4/conf/httpd.conf
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
combined records two more fields than common:
User-Agent
Referer
Change the virtual host configuration file as follows:
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/sot/"
ServerName www.sot.com
ServerAlias sot.com
ErrorLog "logs/sot-error_log"
CustomLog "logs/sot-access_log" combined
</VirtualHost>
Re-check and reload the configuration (-t, graceful).
---------------------------------------------------------------------------------------------------------
Excluding specified file types from the access log:
Change the virtual host configuration file as follows:
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/sot"
ServerName www.sot.com
ServerAlias sot1.com sot.com
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
ErrorLog "logs/sot-error_log"
CustomLog "logs/sot-access_log" combined env=!img
</VirtualHost>
Re-check and reload the configuration (-t, graceful).
----------------------------------------------------------------------------------------------------------
Rotating the log file into logs/sot.com-access_%Y%m%d.log:
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/sot.com-access_%Y%m%d.log 86400" combined env=!img
Re-check and reload the configuration (-t, graceful).
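Added example (not from the original article): a Python parser for the combined LogFormat shown above, run over constructed sample lines to count 401 and 403 responses per client address. The sample addresses, timestamps and hosts are made up for illustration.

```python
import re
from collections import Counter

# Mirrors: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

def parse_line(line):
    """Return a dict of fields, or None if the line is not in combined format."""
    m = COMBINED.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    # %r is "METHOD PATH PROTOCOL"; malformed requests may not split cleanly.
    parts = rec["request"].split(" ")
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) >= 2 else ("", rec["request"])
    return rec

def denied_by_client(lines, statuses=(401, 403)):
    """Count responses with the given status codes per client address."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in statuses:
            hits[rec["host"]] += 1
    return hits

# Constructed sample lines (not taken from a real server).
SAMPLE = [
    '192.168.10.43 - test [10/Jul/2017:10:00:01 +0800] "GET /logo.png HTTP/1.1" 304 - "http://www.sot.com/" "Mozilla/5.0"',
    '192.168.10.77 - - [10/Jul/2017:10:00:02 +0800] "GET /admin.php HTTP/1.1" 401 381 "-" "curl/7.29.0"',
    '192.168.10.77 - - [10/Jul/2017:10:00:03 +0800] "GET /admin/ HTTP/1.1" 403 209 "-" "curl/7.29.0"',
    '192.168.10.88 - - [10/Jul/2017:10:00:04 +0800] "GET /a.jpg HTTP/1.1" 403 209 "http://other.example/x?q=\\"1\\"" "Mozilla/5.0"',
    'not a log line',
]
```

Calling denied_by_client(SAMPLE).most_common() lists the client addresses with the most denied requests first.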
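8. Enabling caching in Apache
When a browser requests the site's images, it caches the static files on the local computer so that they do not have to be downloaded again on the next visit:
Add the following configuration: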
DocumentRoot "/data/wwwroot/sot"
ServerName www.sot.com
ServerAlias sot1.com sot.com
<IfModule mod_expires.c>
# Turn this feature on
ExpiresActive on
ExpiresByType image/gif "access plus 1 days"
ExpiresByType image/jpeg "access plus 24 hours"
ExpiresByType image/png "access plus 24 hours"
ExpiresByType text/css "now plus 2 hour"
ExpiresByType application/x-javascript "now plus 2 hours"
ExpiresByType application/javascript "now plus 2 hours"
ExpiresByType application/x-shockwave-flash "now plus 2 hours"
ExpiresDefault "now plus 0 min"
</IfModule>
ErrorLog "logs/sot-error_log"
CustomLog "logs/sot-access_log" combined env=!img
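The expires_module module must be enabled in the httpd.conf configuration file.
Check that the configuration is correct:
/usr/local/apache2.4/bin/apachectl -t
Reload the configuration file:
/usr/local/apache2.4/bin/apachectl graceful
9. Hotlink protection
Hotlink protection is implemented by restricting the Referer.
Add the following to the configuration file: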
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/sot"
ServerName www.sot.com
ServerAlias sot1.com sot.com
<Directory /data/wwwroot/sot/>
SetEnvIfNoCase Referer "http://www.sot.com" local_ref
SetEnvIfNoCase Referer "http://sot.com" local_ref
SetEnvIfNoCase Referer "^$" local_ref
<filesmatch "\.(txt|doc|mp3|zip|rar|jpg|gif|png)">
Order Allow,Deny
Allow from env=local_ref
</filesmatch>
</Directory>
ErrorLog "logs/sot-error_log"
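CustomLog "logs/sot-access_log" combined
</VirtualHost>
Check that the configuration is correct:
/usr/local/apache2.4/bin/apachectl -t
Reload the configuration file:
/usr/local/apache2.4/bin/apachectl graceful
If caching was enabled above, clear the cache before testing.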
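Added example (not from the original article): the Referer patterns above are unanchored regular expressions, so this Python check compares what they accept with an assumed stricter, anchored variant on constructed Referer values. The strict pattern and the hosts under other.example are illustrative assumptions.

```python
import re

# Patterns exactly as in the vhost above. SetEnvIfNoCase performs a
# case-insensitive, unanchored regex search on the Referer header.
PAGE_PATTERNS = [r"http://www.sot.com", r"http://sot.com", r"^$"]

# Assumed stricter form (not from the article): anchored at the start, dots
# escaped, host must end at "/", ":port" or end of string; https also allowed.
# As a directive: SetEnvIfNoCase Referer "^https?://(www\.)?sot\.com(:\d+)?(/|$)" local_ref
STRICT_PATTERNS = [r"^https?://(www\.)?sot\.com(:\d+)?(/|$)", r"^$"]

def sets_local_ref(patterns, referer):
    """True if any pattern would set local_ref for this Referer value."""
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)

def disagreements(referers):
    """Referers accepted by the page's patterns but rejected by the strict ones."""
    return [r for r in referers
            if sets_local_ref(PAGE_PATTERNS, r)
            and not sets_local_ref(STRICT_PATTERNS, r)]

# Constructed Referer values; other.example is a placeholder third-party site.
SAMPLE_REFERERS = [
    "http://www.sot.com/index.html",              # own page
    "HTTP://SOT.COM/a/b.html",                    # own page, different case
    "",                                           # no Referer header sent
    "http://other.example/gallery.html",          # third-party page
    "http://www.sot.com.other.example/",          # own name as prefix of another host
    "http://other.example/?from=http://sot.com",  # own name inside a query string
]

if __name__ == "__main__":
    for ref in disagreements(SAMPLE_REFERERS):
        print("accepted only by the unanchored patterns:", ref)
```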
10. Apache access control
Edit the virtual host configuration file:
Restricting a directory:
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/sot"
ServerName www.sot.com
ServerAlias sot1.com sot.com
<Directory /data/wwwroot/sot/admin/>
Order deny,allow
Deny from all
Allow from 127.0.0.1 192.168.10.43
</Directory>
ErrorLog "logs/sot-error_log"
CustomLog "logs/sot-access_log" combined
</VirtualHost>
Restricting a file:
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/sot"
ServerName www.sot.com
ServerAlias sot1.com sot.com
# Restrict a specific file under the /data/wwwroot/sot/ directory
<Directory /data/wwwroot/sot/>
<FilesMatch "admin.php(.*)">
Order deny,allow
Deny from all
Allow from 192.168.10.249 192.168.10.43
</FilesMatch>
</Directory>
ErrorLog "logs/sot-error_log"
CustomLog "logs/sot-access_log" combined
</VirtualHost>
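Check that the configuration is correct:
/usr/local/apache2.4/bin/apachectl -t
Reload the configuration file:
/usr/local/apache2.4/bin/apachectl graceful
11. Disabling PHP parsing in user upload directories
Disable PHP parsing for the directory that holds user uploads: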
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/sot"
ServerName www.sot.com
ServerAlias sot1.com sot.com
<Directory /data/wwwroot/sot/upload>
php_admin_flag engine off
</Directory>
ErrorLog "logs/sot-error_log"
CustomLog "logs/sot-access_log" combined
</VirtualHost>
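Check that the configuration is correct:
/usr/local/apache2.4/bin/apachectl -t
Reload the configuration file:
/usr/local/apache2.4/bin/apachectl graceful
12. Restricting access by user_agent
The user_agent can be thought of as the browser identifier.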
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/sot"
ServerName www.sot.com
ServerAlias sot1.com sot.com
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
RewriteRule .* - [F]
</IfModule>
ErrorLog "logs/sot-error_log"
CustomLog "logs/sot-access_log" combined
</VirtualHost>
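Check that the configuration is correct:
/usr/local/apache2.4/bin/apachectl -t
Reload the configuration file:
/usr/local/apache2.4/bin/apachectl graceful
Test:
Use curl -A "123123" to specify the user_agent.
Notes: NC means ignore case; the OR flag joins the next condition with "or" (with no flag, conditions are joined with "and"); F = forbidden.
13. PHP configuration file and logging settings
Finding the location of the PHP configuration file:
Create a phpinfo test page in the Apache site directory: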
vim /data/wwwroot/sot/info.php
<?php
phpinfo();
?>
Open it in a browser to see the path of the PHP configuration file.
cp /usr/local/src/php-5.6.30/php.ini-development /usr/local/php/etc/php.ini
Disable dangerous PHP functions and enable logging:
vim /usr/local/php/etc/php.ini
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,proc_open,proc_close,phpinfo
date.timezone = Asia/Shanghai
log_errors = On
display_errors = Off
error_log = /tmp/php_errors.log
error_reporting = E_ALL
; The lines below are PHP script calls, not php.ini syntax; they set the level at runtime:
; error_reporting(0)
; error_reporting(E_ERROR | E_WARNING | E_PARSE)
; ini_set("error_reporting", E_ALL)
; error_reporting(E_ALL & ~E_NOTICE)
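Check that the configuration is correct:
/usr/local/apache2.4/bin/apachectl -t
Reload the configuration file:
/usr/local/apache2.4/bin/apachectl graceful
14. Preventing cross-site access
Allow PHP to access only this site's directory, isolated from the directories of other sites: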
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
php_admin_value open_basedir "/data/wwwroot/sot:/tmp/"
</VirtualHost>
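Notes:
About :/tmp/: some of the site's files are stored temporarily under /tmp/. If it is not appended, requests will fail with errors, so be sure to add :/tmp/.
Once open_basedir is set in /usr/local/apache2.4/conf/extra/httpd-vhosts.conf, the virtual hosts no longer automatically inherit the open_basedir value from php.ini, which makes flexible configuration difficult, so it is recommended not to set this restriction in /usr/local/apache2.4/conf/extra/httpd-vhosts.conf. Instead, you can set open_basedir = .:/tmp/ in php.ini.
You can also set it per virtual host, one line in each: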
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
php_admin_value open_basedir "/data/wwwroot/sot:/tmp/"
</VirtualHost>
<VirtualHost *:80>
php_admin_value open_basedir "/data/wwwroot/goodsou:/tmp/"
</VirtualHost>
Check that the configuration is correct:
/usr/local/apache2.4/bin/apachectl -t
Reload the configuration file:
/usr/local/apache2.4/bin/apachectl graceful
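Added example (not from the original article): a Python audit of httpd-vhosts.conf text that reports virtual hosts with no open_basedir of their own, or whose open_basedir also covers another site's DocumentRoot. The sample configuration is constructed, demo.example is a hypothetical third site, and entries are compared as directories.

```python
import re
_norm = lambda p: p.rstrip("/") + "/"      # compare entries as directories

def parse_vhosts(conf_text):
    vhosts = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf_text, re.S | re.I):
        def directive(name):
            m = re.search(r'^[ \t]*' + name + r'[ \t]+"?([^"\n]+?)"?[ \t]*$', body, re.M | re.I)
            return m.group(1) if m else None
        root = directive("DocumentRoot")
        if root is None:                   # skip empty placeholder vhosts
            continue
        basedir = directive(r"php_admin_value[ \t]+open_basedir") or ""
        vhosts.append({"name": directive("ServerName"), "root": _norm(root),
                       "basedir": [_norm(p) for p in basedir.split(":") if p]})
    return vhosts

def audit(conf_text):
    """Return {ServerName: [findings]}; an empty list means no finding."""
    vhosts, report = parse_vhosts(conf_text), {}
    for vh in vhosts:
        issues = []
        if not vh["basedir"]:
            issues.append("open_basedir not set in vhost")
        elif not any(vh["root"].startswith(p) for p in vh["basedir"]):
            issues.append("DocumentRoot outside open_basedir")
        for other in vhosts:
            if other is not vh and any(other["root"].startswith(p) for p in vh["basedir"]):
                issues.append("open_basedir also covers " + other["name"])
        report[vh["name"]] = issues
    return report

# Constructed sample; demo.example is a hypothetical third site.
SAMPLE_CONF = """
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/sot"
ServerName www.sot.com
php_admin_value open_basedir "/data/wwwroot/sot:/tmp/"
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/goodsou"
ServerName www.goodsou.com
php_admin_value open_basedir "/data/wwwroot:/tmp/"
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/demo"
ServerName demo.example
</VirtualHost>
"""
```

Run audit() on the contents of the real httpd-vhosts.conf before each reload; every site should map to an empty list.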
15. Installing PHP extension modules
List the modules:
/usr/local/php/bin/php -m
Install a redis module:
cd /usr/local/src/
wget https://codeload.github.com/phpredis/phpredis/zip/develop
mv develop phpredis-develop.zip
unzip phpredis-develop.zip
cd phpredis-develop
/usr/local/php/bin/phpize
./configure --with-php-config=/usr/local/php/bin/php-config
make && make install
Check the directory where extension modules are stored; this path can be customized in php.ini:
/usr/local/php/bin/php -i |grep extension_dir
Add one line of configuration (it can go on the last line of the file):
vim /usr/local/php/etc/php.ini
extension = redis.so
----------------------------------------------------------------------------------------------
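If the module is already included in the downloaded PHP source tree (/usr/local/src/php-5.6.30/ext/), go into the directory of the module you want to add and generate the configure file directly.
The remaining steps are the same as above.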