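Term | Description |
MPM |
A feature introduced in Apache2: Multi-Processing Modules. An MPM is the module Apache uses to handle network requests; its responsibilities include binding network ports, accepting requests, and dispatching them to children that process them. Introducing MPMs makes it possible to optimize for a specific platform or workload:
To see which MPM is currently in use, run:
apachectl -V
# Output:
# ...
# Server MPM: prefork
# threaded: no
# forked: yes (variable process count)
# Server compiled with....
Only one MPM can be loaded at any one time. The default MPM depends on the --with-mpm option Apache was configured with at build time. |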
# Install the Apache server
sudo apt-get install apache2
# Optional: install the PHP module
sudo apt-get install php5 libapache2-mod-php5
# Optional: install phpmyadmin
apt-get install phpmyadmin
# Method 1
a2enmod rewrite
service apache2 restart
# Method 2: find httpd.conf among the Apache files and remove the leading # from
# "#LoadModule rewrite_module modules/mod_rewrite.so" so the rewrite module is loaded
vim /etc/apache2/apache2.conf
a2enmod proxy_http proxy
service apache2 restart
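<IfModule mpm_prefork_module>
    # Number of apache2 processes started initially
    StartServers 10
    # Minimum number of idle processes
    MinSpareServers 10
    # Maximum number of idle processes; idle processes beyond this are killed
    MaxSpareServers 20
    # Hard limit on the total number of processes
    ServerLimit 2000
    # Maximum number of clients; each client is served by its own process
    MaxClients 300
    # Number of requests a process serves before it is restarted
    MaxRequestsPerChild 1000
</IfModule>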
Releases such as Ubuntu 16.04 ship a fairly old Apache2. To use the latest features, you can install from a third-party PPA:
sudo add-apt-repository ppa:ondrej/apache2
sudo apt update
sudo apt install apache2
You can use a PHP image that bundles Apache:
docker pull php:5-apache
Extend this image and change the configuration as needed:
FROM php:5-apache
ADD /root /root
ADD /etc /etc
RUN a2dissite 000-default.conf && a2ensite gmem.conf && a2enmod ssl && a2enmod proxy
Build the image:
FROM php:5-apache
ADD /etc /etc
RUN a2dissite 000-default.conf && a2ensite gmem.conf && a2enmod ssl proxy rewrite && \
    apt update && apt install -y php5-mysql
ADD /root /root
ADD /usr /usr
Run the container:
docker create --name apache2 -p 80:80 -p 443:443 \
    -v /var/www/html:/var/www/html \
    -v /etc/ssl/private:/etc/ssl/private \
    -v /usr/share/ca-certificates:/usr/share/ca-certificates \
    docker.gmem.cc/apache2
docker start apache2
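When testing locally, the PHP extension directory turned out to be wrong, so the MySQL extension could not be loaded. The fix is to give the absolute path of the extension in the PHP configuration file:
; configuration for php MySQL module
; priority=20
extension=/usr/lib/php5/20131226/mysqli.so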
Install XDebug:
apt-get install php5-xdebug
# Locate the .so file
dpkg -L php5-xdebug
# ...
# /usr/lib/php5/20131226/xdebug.so
Configure XDebug:
[xdebug]
zend_extension = /usr/lib/php5/20131226/xdebug.so
Then restart the container. If you run into problems, see "Installing PHP on Ubuntu".
Manages the password files used for basic authentication.
htpasswd [ -c ] [ -i ] [ -m | -B | -d | -s | -p ] [ -C cost ] [ -D ] [ -v ] passwdfile username
htpasswd -b [ -c ] [ -m | -B | -d | -s | -p ] [ -C cost ] [ -D ] [ -v ] passwdfile username password
htpasswd -n [ -i ] [ -m | -B | -d | -s | -p ] [ -C cost ] username
htpasswd -nb [ -m | -B | -d | -s | -p ] [ -C cost ] username password
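-b Batch mode: the password is read directly from the command-line argument instead of being prompted for
-c Create the password file; if it already exists, it is replaced
-n Only print the result to the console; do not update the password file
-m Encode the password with MD5. Shown as $apr1$ in the password file
-B Encode the password with bcrypt. Shown as $2y$ in the password file
-s Encode the password with SHA. Shown as {SHA} in the password file
-p Store the password in plaintext
-D Delete the user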
# Print a bcrypt-hashed password to the console
htpasswd -nbB alex pswd
# Add a user to the password file .passwd
htpasswd -b .passwd alex 123456
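An audit of an existing password file by hash scheme, using the prefixes listed above. This is an added example, not code from the original page; the function names, the "only bcrypt passes" policy and the 13-character heuristic for `-d` (crypt) entries are assumptions of the example.

```python
import base64
import hashlib
import re

# Hash-field shapes; the page lists the $apr1$, $2y$ and {SHA} prefixes.
BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
DES_CRYPT = re.compile(r"^[./A-Za-z0-9]{13}$")  # heuristic for -d (crypt)


def classify(stored):
    """Return (scheme, acceptable) for the hash field of one entry.

    Policy assumed by this example: only bcrypt is acceptable.
    """
    m = BCRYPT.match(stored)
    if m:
        return f"bcrypt(cost={int(m.group(1))})", True
    if stored.startswith("$apr1$"):
        return "apr1-md5", False
    if stored.startswith("{SHA}"):
        return "sha1-unsalted", False
    if DES_CRYPT.match(stored):
        return "crypt-des", False
    return "plaintext-or-unknown", False


def audit(text):
    """Return (line_number, user, scheme) for every entry that is not bcrypt."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        user, sep, stored = line.strip().partition(":")
        if not sep:
            continue  # blank or malformed line
        scheme, ok = classify(stored)
        if not ok:
            findings.append((lineno, user, scheme))
    return findings


# Constructed sample file; none of these are real credentials.
SAMPLE = "\n".join([
    "alice:$2y$05$" + "x" * 53,
    "bob:$apr1$saltsalt$" + "y" * 22,
    # {SHA} is just base64(SHA-1(password)) with no salt
    "carol:{SHA}" + base64.b64encode(hashlib.sha1(b"123456").digest()).decode(),
    "dave:abJnggxhB/yWI",
    "erin:pswd",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Entries flagged here can be re-created with `htpasswd -B`, since the file stores only hashes and cannot be converted in place.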
Redirect / https://blog.gmem.cc
Enable the SSL module:
a2enmod ssl
Edit the Apache configuration file:
# vim /etc/apache2/apache2.conf
# Add the following:
DocumentRoot /var/www/html/blog
ServerName blog.gmem.cc
SSLEngine on
SSLCipherSuite AES128+EECDH:AES128+EDH
SSLCertificateFile /usr/share/ca-certificates/blog.gmem.cc.crt
SSLCertificateKeyFile /etc/ssl/private/blog.gmem.cc.key
SSLCertificateChainFile /usr/share/ca-certificates/AlphaSSLCA.crt
# Optional: change the following
DocumentRoot /var/www/html/blog
ServerName blog.gmem.cc
# Add this line to force the redirect
Redirect permanent / https://blog.gmem.cc/
Enable the proxy module:
a2enmod proxy
Forward requests to another server for processing:
SSLProxyEngine on
# The path and the URL must agree on the trailing slash
ProxyPass "/" "http://l.yimg.com/"
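In the example above, assuming the Apache server's domain is gmem.cc, a client request for https://gmem.cc/index.html is forwarded to http://l.yimg.com/index.html.
If the proxied server's response is a 302 redirect, the address can be rewritten: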
SSLProxyEngine on
ProxyPass "/" "http://l.yimg.com/"
# Same path as ProxyPass, so redirects map back onto the path the client used
ProxyPassReverse "/" "http://l.yimg.com/"
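Suppose a user requests https://gmem.cc/index.html, which is forwarded to http://l.yimg.com/index.html, and l.yimg.com returns a 302 redirect to http://l.yimg.com/index.php. In this case ProxyPassReverse rewrites it to http://gmem.cc/index.php, so the client always talks to gmem.cc rather than l.yimg.com.
Enable the cache module: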
a2enmod cache_disk
Edit the virtual host configuration:
SSLProxyEngine on
# ProxyPass (reverse proxying) does not need forward proxying;
# ProxyRequests On would turn the server into an open proxy
ProxyRequests Off
ProxyPreserveHost On
ProxyPass "/" "http://repo1.maven.org/maven2/"
ProxyPassReverse "/" "http://repo1.maven.org/maven2/"
CacheEnable disk /
CacheRoot /var/www/html/m2
CacheIgnoreNoLastMod On
CacheDefaultExpire 2592000
Header unset Expires
Header unset Cache-Control
Header unset Pragma
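A small linter for the proxy directives used in the sections above, as an added example that is not from the original page. It flags ProxyRequests On in a reverse-proxy configuration, a ProxyPass whose path and URL disagree on the trailing slash, and a ProxyPassReverse path that differs from the ProxyPass path for the same backend. The function name and the host backend.example are assumptions.

```python
import shlex


def lint_proxy_config(conf):
    """Return (line_number, message) for each risky or inconsistent directive."""
    findings, passes, reverses = [], {}, []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # strips the quotes around arguments
        name, args = parts[0].lower(), parts[1:]
        if name == "proxyrequests" and args and args[0].lower() == "on":
            findings.append((n, "ProxyRequests On enables forward proxying; "
                                "ProxyPass does not need it"))
        elif name == "proxypass" and len(args) >= 2 and args[1] != "!":
            path, url = args[0], args[1]
            passes[url.rstrip("/")] = path
            if path.endswith("/") != url.endswith("/"):
                findings.append((n, "ProxyPass path and URL disagree on the "
                                    "trailing slash"))
        elif name == "proxypassreverse" and len(args) >= 2:
            reverses.append((n, args[0], args[1].rstrip("/")))
    # A reverse mapping should use the same local path as its ProxyPass.
    for n, path, url in reverses:
        if url in passes and passes[url] != path:
            findings.append((n, f"ProxyPassReverse path {path} differs from "
                                f"ProxyPass path {passes[url]}"))
    return findings


# Constructed configurations: the weak settings beside the corrected ones.
WEAK = """\
ProxyRequests On
ProxyPass "/" "http://backend.example"
ProxyPassReverse "/app" "http://backend.example"
"""

FIXED = """\
ProxyRequests Off
ProxyPass "/" "http://backend.example/"
ProxyPassReverse "/" "http://backend.example/"
"""

if __name__ == "__main__":
    for finding in lint_proxy_config(WEAK):
        print(finding)
```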
If Apache runs as a backend behind the HAProxy PROXY protocol, enable the following module:
a2enmod remoteip
And configure your site with:
<VirtualHost *:80>
    RemoteIPProxyProtocol On
</VirtualHost>
Modules that this command can manage must be configured in the /etc/apache2/mods-available directory, for example:
LoadModule wsgi_module /usr/lib/apache2/modules/mod_wsgi.so
Then run:
sudo a2enmod wsgi
sudo service apache2 restart
Similarly, you can disable a module:
a2dismod wsgi
Apache error log: SSL Proxy requested for blog.gmem.cc:443 but not enabled [Hint: SSLProxyEngine]
Fix: add the directive SSLProxyEngine on
cd ~
mkdir gmem.cc
cd gmem.cc
# Create the key pair
openssl genrsa -out blog.gmem.cc.key 2048
cp blog.gmem.cc.key /etc/ssl/private
# Generate the certificate signing request
openssl req -new -sha256 -key blog.gmem.cc.key -out blog.gmem.cc.csr
# Apply for and obtain the certificate…
# Enter the certificate contents (the PEM block between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) and save, for example:
vim /usr/share/ca-certificates/blog.gmem.cc.crt
# Save the intermediate certificate, AlphaSSL Intermediate CA, in the same way
vim /usr/share/ca-certificates/AlphaSSLCA.crt