httpd -S
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteCond %{REMOTE_ADDR} !^192\.168\.
RewriteCond %{HTTP:X-Forwarded-For} !^127\.0\.0\.1$
RewriteCond %{HTTP:X-Forwarded-For} !^192\.168\.
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
netstat -nat | grep :80
tcp6       0      0 :::80                   :::*                    LISTEN
sudo vim /etc/httpd/conf/httpd.conf
----
Listen 0.0.0.0:80
----
sudo service httpd restart
# now listening on tcp (IPv4)
netstat -nat | grep :80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
sudo vi /etc/httpd/conf/httpd.conf
----
TraceEnable off
----
sudo service httpd restart
curl -X TRACE 127.0.0.1
...
<title>405 Method Not Allowed</title>
Apache/2.2.15 (CentOS) Server at 192.168.1.10 Port 80
vim /etc/httpd/conf/httpd.conf
----
ServerTokens ProductOnly
ServerSignature Off
----
service httpd restart
vim /etc/httpd/conf.d/ssl.conf
----
SSLEngine on
# Disable SSLv3 (mitigation for the POODLE vulnerability)
SSLProtocol all -SSLv2 -SSLv3
# ELB Security Policy-2015-05: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html
SSLCipherSuite 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA'
# Let the server's cipher preference win (Apache 2.1 and later)
SSLHonorCipherOrder On
# Disable SSL compression (Apache 2.2.24 and later)
SSLCompression off
----
service httpd configtest
service httpd restart
openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
...
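As an added check for the ssl.conf fragment above (example code written for this memo, not part of the original page or of Apache): a small Python audit that parses the SSL* directives, expands the SSLProtocol expression, and reports SSLv2/SSLv3 still enabled, SSLHonorCipherOrder or SSLCompression left at the weak setting, 3DES or RC4 suites, and suites without forward secrecy (no ECDHE/DHE key exchange). The list of protocol names that `all` expands to and the abridged cipher string in SAMPLE_SSL_CONF are assumptions constructed for the example.

```python
import re

# Protocol names that "all" in SSLProtocol expands to. This is an assumption
# for the example; the real set depends on the Apache/OpenSSL build.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Constructed, abridged copy of the ssl.conf fragment from the memo.
SAMPLE_SSL_CONF = """
SSLEngine on
# Disable SSLv3 (POODLE)
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-SHA:DES-CBC3-SHA'
SSLHonorCipherOrder On
SSLCompression off
"""


def parse_ssl_conf(text):
    """Collect SSL* directives (last one wins), skipping comments and blank lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("SSL"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip().strip("'\"")
    return conf


def enabled_protocols(spec, universe=ALL_PROTOCOLS):
    """Apply SSLProtocol syntax: 'all', '+name', '-name' or a bare name."""
    enabled = set()
    for token in spec.split():
        if token.lower() == "all":
            enabled.update(universe)
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def audit_ssl_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_ssl_conf(text)
    findings = []
    protocols = enabled_protocols(conf.get("SSLProtocol", "all"))
    for legacy in ("SSLv2", "SSLv3"):
        if legacy in protocols:
            findings.append(f"{legacy} is enabled")
    if conf.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not On (client picks the cipher)")
    if conf.get("SSLCompression", "").lower() != "off":
        findings.append("SSLCompression is not off")
    suites = [s for s in conf.get("SSLCipherSuite", "").split(":") if s]
    for suite in suites:
        # 3DES (DES-CBC3) and RC4 are the two legacy algorithms worth flagging here
        if "DES-CBC3" in suite or "RC4" in suite:
            findings.append(f"weak cipher in SSLCipherSuite: {suite}")
    # Static RSA key exchange (no ECDHE-/DHE- prefix) offers no forward secrecy
    no_pfs = [s for s in suites if not s.startswith(("ECDHE-", "DHE-"))]
    if no_pfs:
        findings.append("suites without forward secrecy: " + ", ".join(no_pfs))
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_conf(SAMPLE_SSL_CONF):
        print(finding)
```

Run against the memo's own list the audit passes the protocol, ordering and compression checks but still reports DES-CBC3-SHA and the static-RSA AES suites at the tail of the string; whether to keep them is a compatibility decision for the clients the site must support.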
When Apache sits behind a load balancer, the IP recorded in the access log is the load balancer's. To keep the originating client IP as well:
Using mod_rpaf is another option.
# /check.html: load balancer health check
SetEnvIf Request_URI "/check.html" no_log
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D \"%{X-Forwarded-For}i\" \"%{X-Forwarded-Proto}i\"" elb-combined
ErrorLog logs/www.example.com-error_log
CustomLog logs/www.example.com-access_log elb-combined env=!no_log
yum install httpd mod_ssl mod_authz_ldap
vim /etc/httpd/conf.d/authz_ldap.conf
----
LoadModule authz_ldap_module modules/mod_authz_ldap.so
# Certificate verification (Off for a self-signed certificate; also affects ldaps)
LDAPVerifyServerCert Off
# LDAP query cache TTL in seconds
#LDAPOpCacheTTL 1
----
vim /etc/httpd/conf.d/vhost_base.conf
----
NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin root@localhost
    ServerName 127.0.0.1
    DocumentRoot /var/www/html
    # no_log: load balancer health check
    SetEnvIf Request_URI "/check.html" no_log
    ErrorLog logs/error_log
    CustomLog logs/access_log combined env=!no_log
    <Directory />
        Options -Indexes FollowSymLinks
        AllowOverride All
    </Directory>
</VirtualHost>
----
vim /etc/httpd/conf.d/example.com.conf
----
<VirtualHost *:80>
    ServerAdmin root@localhost
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/vhost/example.com/public_html
    # no_log: load balancer health check
    SetEnvIf Request_URI "/check.html" no_log
    ErrorLog logs/example.com-error_log
    CustomLog logs/example.com-access_log combined env=!no_log
    ProxyPass / http://localhost:10080/
    ProxyPassReverse / http://localhost:10080/
    <Proxy *>
        AuthType Basic
        AuthName "Auth LDAP"
        AuthBasicProvider ldap
        AuthLDAPUrl "ldaps://ldapserver:639/ou=users,dc=example,dc=com?uid"
        AuthLDAPBindDN "cn=connector,ou=admin,dc=example,dc=com"
        AuthLDAPBindPassword "********"
        AuthzLDAPAuthoritative off
        Require valid-user
    </Proxy>
    <Directory />
        Options -Indexes FollowSymLinks
        AllowOverride All
    </Directory>
</VirtualHost>
----
RewriteCond %{REQUEST_URI} =/server-status
RewriteRule ^.*$ /server-status [L]
visudo
----
%sample ALL=NOPASSWD: /sbin/service httpd start, /sbin/service httpd restart
----
su - sample
sudo /sbin/service httpd restart
RewriteCond %{REMOTE_ADDR} !^XXX\.XXX\.XXX\.XXX$
RewriteRule ^.*$ - [F,L]
RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^127\.0\.0\.1$ [OR]
RewriteCond %{REMOTE_ADDR} ^xxx\.xxx\.xxx\.xxx$
RewriteRule ^/$ /noauth/ [R=302]
AuthType Basic
AuthUserFile /var/www/vhost/example.com/.htpasswd
AuthName "password"
Require valid-user
Satisfy any
order allow,deny
allow from all
yum -y install gcc rpm-build httpd-devel checkinstall --enablerepo=rpmforge
cd /tmp/
git clone https://github.com/ttkzw/mod_rpaf-0.6.git
cd mod_rpaf-0.6/
make
# install from source
make install
# when using checkinstall instead
checkinstall -R --backup=no --deldoc=yes --fstrans=no --default
rpm -ivh /root/rpmbuild/RPMS/x86_64/mod_rpaf-0.6-1.x86_64.rpm
cp mod_rpaf.conf /etc/httpd/conf.d/rpaf.conf
vi /etc/httpd/conf.d/rpaf.conf
----
RPAFenable On
RPAFsethostname Off
RPAFproxy_ips 192.168.1.100 10.
----
service httpd restart
yum -y install gcc rpm-build httpd-devel checkinstall --enablerepo=rpmforge
cd /usr/src/redhat/
wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz
tar xvfz mod_rpaf-0.6.tar.gz
patch -p0 < mod_rpaf_degtine.patch
patch -p0 < mod_rpaf-2.0.c.classA.patch
cd mod_rpaf-0.6
perl -p -i -e 's#^APXS2=.+#APXS2=/usr/sbin/apxs#' "Makefile"
make rpaf-2.0
# when installing from source
make install-2.0
# when building an rpm package
checkinstall -R --backup=no --deldoc=yes --fstrans=no --default
cat >> /etc/httpd/conf.d/rpaf.conf << EOS
LoadModule rpaf_module modules/mod_rpaf.so
<IfModule mod_rpaf.c>
RPAFenable On
RPAFsethostname Off
RPAFproxy_ips 192.168.1.100 10.
</IfModule>
EOS
service httpd restart
# vi .htaccess
----
AuthUserFile /var/www/vhost/example.com/.htpasswd
AuthName "Password"
AuthType Basic
Require valid-user
Satisfy Any
SetEnvIf Request_URI "/registers" allow_url
Order Deny,Allow
Deny from all
allow from env=allow_url
----
exec("sudo mkdir /home/memorycraft/hoge; sudo ls -l /home/memorycraft/;", $out, $status);
# yum install sudo
# visudo
---------------------
# comment out "Defaults requiretty":
#Defaults requiretty
# add:
apache ALL=(ALL) NOPASSWD: /bin/mkdir, /bin/ls
cat >> /etc/httpd/conf.d/range-CVE-2011-3192.conf << 'EOS'
# Apache 2.2
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
CustomLog logs/range-CVE-2011-3192.log common env=bad-req-range
EOS
service httpd graceful
cat >> /etc/httpd/conf.d/range-CVE-2011-3192.conf << 'EOS'
# Apache Pre 2.2 and 1.3
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$)
# RewriteCond %{HTTP:request-range} !(bytes=[^,]+(?:,[^,]+){0,4}$|^$)
RewriteRule .* - [F]
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
EOS
service httpd graceful
cat >> /var/www/html/h.php << 'EOS'
<?php
$headers = apache_request_headers();
var_export($headers);
EOS
curl \
  -H "HEAD / HTTP/1.1" \
  -H "Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-" \
  -H "Request-Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-" \
  -H "Connection: close" \
  http://127.0.0.1/h.php
openssl genrsa -aes256 2048 > server.key                 # any passphrase
openssl rsa -in server.key -out server-nopass.key        # convert to a passphrase-less key
openssl req -new -x509 -days 3653 -text -key server-nopass.key > server.crt
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:*.example.com
Email Address []:webmaster@example.com
mv server-nopass.key /etc/pki/tls/private/wild.example.com.key
mv server.crt /etc/pki/tls/certs/wild.example.com.crt
vim /etc/httpd/conf.d/sample.example.com.conf
----
<VirtualHost *:443>
    ServerAdmin webmaster@example.com
    ServerName sample.example.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/wild.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wild.example.com.key
    SetEnv HTTPS on
    DocumentRoot /var/www/vhost/sample.example.com/public_html
    ErrorLog logs/sample.example.com-ssl_error_log
    CustomLog logs/sample.example.com-ssl_access_log combined env=!no_log
    <Directory />
        Options -Indexes FollowSymLinks
        AllowOverride All
    </Directory>
</VirtualHost>
----
openssl genrsa -out www.example.com.key 2048
openssl req -new -key www.example.com.key -out www.example.com.csr
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []: Higashi Ikebukuro, Toshima-ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Example Corp
Organizational Unit Name (eg, section) []: Network Administration
Common Name (eg, YOUR name) []: www.example.com
Email Address []:
A challenge password []:
An optional company name []:
openssl req -in <CSR file> -text
openssl x509 -in <certificate file> -text
openssl s_client -connect www.example.com:443
openssl pkcs12 -export -out www.example.com.p12 -in www.example.com.crt -inkey www.example.com.key
ab -n 1 -c 1 -H "host: example.jp" http://127.0.0.1/
ab -n 1 -c 1 -H "User-agent: DoCoMo/2.0 P905i(c100;TB;W24H15)" http://example.jp/
# User-Agent as seen by the server (ab's own value is merged in):
"ApacheBench/2.0.40-dev, DoCoMo/2.0 P905i(c100;TB;W24H15)"
ab -n 1 -c 1 -H "host: example.jp" -H "User-agent: DoCoMo/2.0 P905i(c100;TB;W24H15)" http://127.0.0.1/
Warning shown on Apache restart or by "httpd -S" when the FQDN is not set in /etc/hosts:
$ sudo vi /etc/hosts
----
127.0.0.1 web1.jp
----
$ sudo vi /etc/httpd/conf.d/vhost00_ipaddr.conf
----
ServerAlias web1.jp
----
$ sudo /sbin/service httpd graceful
# vi /etc/httpd/conf/httpd.conf
----
KeepAlive On
HostnameLookups Off
----
# httpd -l
# vi /etc/httpd/conf/httpd.conf
----
<IfModule prefork.c>
# default 8
StartServers 4
# default 5
MinSpareServers 3
# default 20
MaxSpareServers 10
# default 256
ServerLimit 128
# default 256
MaxClients 128
# default 4000
MaxRequestsPerChild 400
</IfModule>
----
# service httpd restart
RewriteEngine On
RewriteLog "/tmp/rewrite.log"
RewriteLogLevel 2
RewriteCond %{REQUEST_URI} ^/ctg/
RewriteRule ^/test/([^\/]*) /test.php?id=$1&%{QUERY_STRING}
%{QUERY_STRING}
-CustomLog logs/access_log combined
+SetEnvIf Remote_Addr 10\.0\.1\.(1|252|253) bigip
+CustomLog logs/access_log combined env=!bigip
For when you want to try standing up an HTTPS server. For experiments only. Some browsers ask whether to trust the certificate every time (Opera 9.02).
# create the private key
openssl genrsa -aes128 1024 > server.key
# convert to a private key without passphrase
openssl rsa -in server.key > server-nopass.key
# create the public key (certificate signing request)
openssl req -new -key server-nopass.key > server.csr
-----
Country Name (2 letter code) [XX]: JP
State or Province Name (full name) []: Tokyo
Locality Name (eg, city) [Default City]: Akasaka, Minato-ku
Organization Name (eg, company) [Default Company Ltd]: Example Inc.
Organizational Unit Name (eg, section) []: Example Section
Common Name (eg, your name or your servers hostname) []: www.example.com
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
----
# create the certificate
openssl x509 -in server.csr -days 365 -req -signkey server-nopass.key > server.crt
# copy to the default paths
cp server.crt /etc/pki/tls/certs/
cp server-nopass.key /etc/pki/tls/private/
chmod 600 /etc/pki/tls/private/server-nopass.key /etc/pki/tls/certs/server.crt
yum -y install mod_ssl
vi /etc/httpd/conf.d/ssl.conf
----
DocumentRoot "/var/www/html"
ServerName www.example.com:443
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server-nopass.key
----
service httpd restart
Even with an SSL certificate valid for subdomains (*.foo.com) installed, Opera 9.0 shows the dialog "The SSL certificate and the domain name differ." every time.
IE 6.0 and Firefox 1.5 do not show it.
In that case, check that Apache's ServerName is set correctly.
#ServerName localhost.localdomain:80
DocumentRoot "/var/www/html"
ServerName bar.foo.com
DocumentRoot "/var/www/html"
#ServerName www.example.com:443
ServerName bar.foo.com:443
# service httpd graceful
The new configuration is applied by new child processes without killing the parent process.
So the new configuration takes effect without stopping the service.
For example, to have *.php, *.inc, *.cls and *.class files executed as PHP, configure as follows.
vi /etc/httpd/conf.d/php.conf
<Files ~ "\.(php|inc|class|cls)$">
</Files>
<Directory "path">
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php .inc
    AddType application/x-httpd-php .cls
    AddType application/x-httpd-php .class
</Directory>
Apache may specify a charset in the HTTP header by default.
With UTF-8 set as the default as below, the page text came out garbled.
AddDefaultCharset UTF-8
# vi /etc/httpd/conf/httpd.conf
# AddDefaultCharset UTF-8
# service httpd restart
If the result of the following exceeds MaxClients in httpd.conf, MaxClients needs adjusting.
$ netstat -a | grep http | wc -l
Comparison site
http://awstats.sourceforge.net/docs/awstats_compare.html
<Directory />
    Options FollowSymLinks
    AllowOverride Options
</Directory>
Options Indexes