
Сервис HTTP

URL

<схема>://<логин>:<пароль>@<хост>:<порт>/<URL‐путь>?<параметры>#<якорь>

Пример HTTP диалога

# nc -C ya.ru 80

# telnet ya.ru 80
GET / HTTP/1.1
Host: ya.ru
Accept-Encoding: gzip, deflate

Примеры HTML

Статический документ

# cat /var/www/html/index.html
<HTML>
  <HEAD>
    <META HTTP-EQUIV="Refresh" CONTENT="4;URL=http://google.ru">
    <META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=UTF-8">
  </HEAD>
  <BODY text="blue">
    <!--
      THis is comment
    -->
    <PRE>
text
  as
    is
    </PRE>
    <H1>Go to Google</H1>
    <A HREF=https://freebsd.org/>
    <IMG SRC=https://www.freebsd.org/logo/logo-full.png>
    </A> 
  </BODY>
</HTML>

Форма

# mkdir /var/www/html/asterisk/

# cat /var/www/html/asterisk/index.html
<html>
<body>
  <h1>Enter phone number</h1>
  <form action=call.php>
    <input name=phone>
    <input value="Call me" type=submit>
  </form>
</body>
</html>

Установка и запуск сервера Apache

Debian/Ubuntu

root@server:~# apt install apache2

FreeBSD

[server:~] # pkg install apache24

[server:~] # sysrc apache24_enable=yes

[server:~] # service apache24 start

CentOS

[root@server ~]# yum install httpd

[root@server ~]# systemctl status httpd

Windows

Базовая конфигурация

Управление кодировкой

# cat /etc/apache2/sites-available/000-default.conf
...
        AddDefaultCharset utf-8
...

Изменение порта

Свойство Indexes каталогов

FreeBSD

[server:~] # rm /usr/local/www/apache24/data/index.html

[server:~] # cp /etc/hosts /usr/local/www/apache24/data/

[server:~] # rcsdiff /usr/local/etc/apache24/httpd.conf
389c389

Debian/Ubuntu

root@server:~# DOCROOT='/var/www/html'

root@server:~# rm $DOCROOT/index.html

root@server:~# cp /etc/hosts $DOCROOT

root@server:~# rcsdiff /etc/apache2/sites-available/default

root@server:~# rcsdiff /etc/apache2/sites-available/*default.conf
11c11

FreeBSD/Ubuntu

<     Options Indexes FollowSymLinks 
---
>     Options FollowSymLinks 

Использование алиасов

Alias /share "/usr/share/"

# Filesystem tree published by the /share alias.
# NOTE(review): "Indexes" turns on automatic directory listings for every
# directory under this path that has no index file, and "AllowOverride All"
# lets .htaccess files found in the tree override these settings.
<Directory "/usr/share/">
  Options Indexes FollowSymLinks
  AllowOverride All
  # Apache 2.4 access control (mod_authz_core).
  Require all granted
  # Apache 2.2 syntax; on 2.4 it is only accepted when mod_access_compat is
  # loaded. Keep one of the two styles rather than both.
  Allow from all
</Directory>

FreeBSD

[server:~] # cat /usr/local/etc/apache24/httpd.conf
...
Include etc/apache24/extra/httpd-manual.conf
...

http://www.corpX.un/manual/

Debian/Ubuntu

root@server:~# cat /etc/apache2/sites-available/default

root@server:~# cat /etc/apache2/sites-available/*default.conf
...
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
#        Order deny,allow
#        Deny from all
#        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
... 

Использование домашних каталогов

Debian/Ubuntu

root@server:~# a2enmod userdir

root@server:~# service apache2 restart

ubuntu24# chmod 755 /home/user1

Debian/Ubuntu

server# mkdir ~user1/public_html/

server# cat ~user1/public_html/index.html
<h1>Hello World from user1</h1>
server# chown -R user1 ~user1/public_html/

Использование виртуальных хостов

Debian/Ubuntu

root@server:~# cat /etc/apache2/sites-available/mail.conf
<VirtualHost *:80>
     ServerName mail.corpX.un
#    ServerAlias www.mail.corpX.un
     DocumentRoot /var/lib/roundcube
</VirtualHost>
root@server:~# a2ensite mail

root@server:~# apachectl -t
root@server:~# cat /etc/apache2/sites-available/user1.conf
<VirtualHost *:80>
     ServerName user1.corpX.un
#    ServerAlias www.user1.corpX.un
     DocumentRoot /home/user1/public_html
</VirtualHost>
root@server:~# a2ensite user1

root@server:~# apachectl -t

FreeBSD

[server:~] # cat /usr/local/etc/apache24/extra/httpd-vhosts.conf
<VirtualHost *>
    DocumentRoot /usr/local/www/apache24/data/
</VirtualHost>

<VirtualHost *>
    ServerName user1.corpX.un
#    ServerAlias www.user1.corpX.un
    DocumentRoot /home/user1/public_html/
</VirtualHost>
[server:~] # cat /usr/local/etc/apache24/httpd.conf
...
LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
...
Include etc/apache24/extra/httpd-vhosts.conf
...

Использование директивы Redirect

Debian/Ubuntu

root@lan:~# cat /etc/apache2/sites-available/000-default.conf
#...
  Redirect permanent / https://www.corpX.un/
#... 

FreeBSD



Сокрытие версии сервиса

Debian/Ubuntu

# cat /etc/apache2/conf-enabled/security.conf
...
ServerTokens Prod
...
ServerSignature Off
...
/etc/init.d/apache2 restart

FreeBSD

# cat /usr/local/etc/apache24/extra/httpd-default.conf
...
ServerTokens Prod
...
ServerSignature Off
...
# cat /usr/local/etc/apache24/httpd.conf
...
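# The include has to name the apache24 tree, where the
# extra/httpd-default.conf shown above lives; with the apache22 path the
# ServerTokens/ServerSignature settings are not picked up.
Include etc/apache24/extra/httpd-default.conf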
...
# /usr/local/etc/rc.d/apache24 restart

SSI интерфейс сервера

Debian/Ubuntu

# a2enmod include

# cat /etc/apache2/sites-available/000-default.conf
...
        # Enables server-side includes for the asterisk directory and serves
        # index.shtml as its index page.
        # NOTE(review): plain "Includes" also permits the SSI exec element, so
        # whoever can write .shtml files here can run commands as the web server
        # user; "IncludesNOEXEC" keeps SSI but disables exec.
        <Directory /var/www/html/asterisk/>
             Options +Includes
             DirectoryIndex index.shtml
...
        </Directory>
...
# cat /var/www/html/asterisk/index.shtml
...
  <h1>Your ip address: <!--#echo var="REMOTE_ADDR" --><h1>
  <h1>Your login is: <!--#echo var="REMOTE_USER" --><h1>
<!--#if expr='-R "172.16.48.0/22"' -->
...
<!--#endif -->
...

CGI интерфейс сервера

ScriptAlias

Debian/Ubuntu

root@server:~# a2enmod cgid

root@server:~# cd /usr/lib/cgi-bin/

FreeBSD

[server:~] # cat /usr/local/etc/apache24/httpd.conf
...
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
...
<IfModule mpm_prefork_module>
        LoadModule cgi_module libexec/apache24/mod_cgi.so
</IfModule>
...
[server:~] # cd /usr/local/www/apache24/cgi-bin/

Пример скрипта CGI

server# cat test-cgi
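#!/bin/sh
# Minimal CGI demo: answers with a text/plain body that shows the client
# address, the raw query string and the CGI environment.
#
# REMOTE_ADDR and QUERY_STRING are set by the web server from the request;
# QUERY_STRING is fully client-controlled.

# Header block, then the empty line that separates headers from the body.
printf '%s\n' 'Content-type: text/plain'
printf '\n'

# The expansions are quoted and passed as printf arguments: unquoted, the
# shell word-splits and glob-expands the value, so request data could be
# replaced by file names from the script's working directory.
printf 'Hello %s\n' "${REMOTE_ADDR-}"
printf 'You type: %s\n' "${QUERY_STRING-}"

# Debugging aid only: sends every environment variable of the CGI process to
# the client. Remove it outside a lab.
env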
server# chmod 755 test-cgi

Свойство ExecCGI каталогов

FreeBSD

[server:~] # rcsdiff /usr/local/etc/apache24/extra/httpd-userdir.conf
18c18,19
<     Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
---
>     Options ExecCGI MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
>     AddHandler cgi-script .cgi

Ubuntu

root@server:~# rcsdiff /etc/apache2/sites-available/default
11c11,12
<               Options FollowSymLinks MultiViews
---
>               Options ExecCGI FollowSymLinks MultiViews
>               AddHandler cgi-script .cgi .pl

FreeBSD/Ubuntu

server# cd ~user1/public_html/

server# cat test.cgi
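#!/bin/sh
# Minimal per-user CGI demo: answers with a text/plain body that shows the
# client address and the raw query string.
#
# REMOTE_ADDR and QUERY_STRING are set by the web server from the request;
# QUERY_STRING is fully client-controlled.

# Header block, then the empty line that separates headers from the body.
printf '%s\n' 'Content-type: text/plain'
printf '\n'

# The expansions are quoted and passed as printf arguments: unquoted, the
# shell word-splits and glob-expands the value, so request data could be
# replaced by file names from the script's working directory.
printf 'Hello %s\n' "${REMOTE_ADDR-}"
printf 'You type: %s\n' "${QUERY_STRING-}"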
server# chmod +x test.cgi

Проверки

Управление модулями http сервера

# apachectl -t -D DUMP_MODULES

Модуль php

Debian/Ubuntu

root@server:~# apt install libapache2-mod-php

root@server:~# ls /etc/apache2/mods-enabled/ | grep php
...

root@server:~# cd /var/www/html

FreeBSD

[server:~] # pkg install mod_php56 php56
[server:~] # cat /usr/local/etc/apache24/httpd.conf
...
LoadModule php5_module        libexec/apache2?/libphp5.so
...
<IfModule dir_module>
    DirectoryIndex index.html index.php
...
<IfModule mime_module>
    AddType application/x-httpd-php .php
...
[server:~] # service apache24 restart

[server:~] # cd /usr/local/www/apache24/data/

Windows

Вариант 1

http://www.apachefriends.org/en/xampp.html

Вариант 2

http://windows.php.net/download/

C:\>notepad++ Apache22\conf\httpd.conf
...
LoadModule php5_module C:\php\php5apache2_2.dll
...
<IfModule dir_module>
    DirectoryIndex index.html index.php
...
<IfModule mime_module>
    AddType application/x-httpd-php .php
...

Настройка

FreeBSD/Ubuntu/Windows

Поддержка протокола HTTPS

Debian/Ubuntu

# a2enmod ssl

# cat /etc/apache2/sites-available/default-ssl*
...
       SSLCertificateFile    /root/www.crt
       SSLCertificateKeyFile /root/www.key
...
       # SSLProtocol All -SSLv2 -SSLv3
...
# a2ensite default-ssl

# service apache2 restart

Редирект HTTP на HTTPS

# a2enmod rewrite

# cat /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
...
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
...
# service apache2 restart

FreeBSD

# cat /usr/local/etc/apache24/httpd.conf
...
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
...
LoadModule ssl_module libexec/apache24/mod_ssl.so
...
Include etc/apache24/extra/httpd-ssl.conf
...
# cat /usr/local/etc/apache24/extra/httpd-ssl.conf
...
ServerName www.corpX.un:443
ServerAdmin noc@corpX.un
...
#SSLProtocol All -SSLv2 -SSLv3
...
SSLCertificateFile "/root/www.crt"
...
SSLCertificateKeyFile "/root/www.key"
...

Управление доступом к HTTP серверу

Управление доступом к HTTP серверу на основе сетевых адресов

Debian/Ubuntu

root@server:~# cat /etc/apache2/sites-available/000-default*
...
        <Directory /var/www/html>
                #Order Deny,Allow
                #Deny from all
                #Allow from 192.168.X.0/24
                #Allow from 127.0.0.1
                Require ip 127.0.0.1 192.168.X.0/24
        </Directory>

...

FreeBSD

[server:~] # cat /usr/local/etc/apache24/httpd.conf
...
DocumentRoot "/usr/local/www/apache24/data"
<Directory "/usr/local/www/apache24/data">
        Order Deny,Allow
        Deny from all
        Allow from 192.168.X.0/24
        Allow from 127.0.0.1
...

Управление доступом к HTTP серверу на основе Basic аутентификации

Debian/Ubuntu/FreeBSD

# touch /etc/http_passwd

# htpasswd /etc/http_passwd user1
New password: password1
...

# htpasswd /etc/http_passwd 401
New password: password1
...

# cat /etc/http_passwd
...

# cat /etc/http_group
group1: user1 user2
# htpasswd -D /etc/http_passwd user1

Debian/Ubuntu

root@server:~# cat /etc/apache2/sites-available/000-default.conf
...
        <Directory /var/www/html/phoneconf>
#            AllowOverride AuthConfig

#            AuthType Basic
#            AuthName "Require Auth"
#            AuthUserFile /etc/http_passwd
#            Require valid-user
#            Require user user1 user2
#            AuthGroupFile /etc/http_group
#            Require group group1
        </Directory>
...

FreeBSD

[server:~] # cat /usr/local/etc/apache24/extra/httpd-vhosts.conf
...
    <Directory /usr/local/www/apache24/data/asterisk>
#            AllowOverride AuthConfig

#            AuthType Basic
#            AuthName "Require Auth"
#            AuthUserFile /etc/http_passwd
#            Require valid-user
#            Require user user1 user2
#            AuthGroupFile /etc/http_group
#            Require group group1
    </Directory>
...

Debian/Ubuntu/FreeBSD

# cat asterisk/.htaccess
# Per-directory Basic authentication for the asterisk directory.
# NOTE(review): this file only takes effect when the enclosing <Directory>
# allows it (AllowOverride AuthConfig, shown commented out in the server
# configuration on this page).
# NOTE(review): Basic sends the login and password base64-encoded, not
# encrypted, with every request; serve this directory over HTTPS.
AuthType Basic
AuthName "Require Auth"
# Password file maintained with htpasswd; it lives outside the document root.
AuthUserFile /etc/http_passwd
# Only these two accounts are admitted.
Require user 401 402

Управление доступом к HTTP серверу на основе сертификатов

Debian/Ubuntu

# cat /etc/apache2/sites-available/default-ssl*
...
       DocumentRoot /var/www/html
       <Directory /var/www/html/>
#               SSLRequire %{SSL_CLIENT_S_DN_CN}  in {"user1","user2"}
#               SSLRequire %{SSL_CLIENT_S_DN_OU}  eq "group1"
       </Directory> 
...
       SSLCertificateFile /root/www.crt
       SSLCertificateKeyFile /root/www.key
...
       # CA certificate used to verify the certificates that clients present.
       SSLCACertificateFile /root/ca.crt
...
       # NOTE(review): with the CRL line left commented out, revoked client
       # certificates still pass verification. In Apache 2.4 CRL checking also
       # has to be switched on with SSLCARevocationCheck (chain or leaf);
       # SSLCARevocationFile alone only names the CRL file.
       #SSLCARevocationFile /root/ca.crl
...
       # Every client must present a certificate that verifies against the CA above.
       SSLVerifyClient require 
... 

FreeBSD

# cat /usr/local/etc/apache24/extra/httpd-ssl.conf
...
<Directory "/usr/local/www/apache24/data">
#               SSLRequire %{SSL_CLIENT_S_DN_CN}  in {"user1","user2"}
#               SSLRequire %{SSL_CLIENT_S_DN_OU}  eq "group1"
</Directory>
...
SSLCertificateFile "/root/www.crt"
...
SSLCertificateKeyFile "/root/www.key"
...
SSLCACertificateFile "/root/ca.crt"
...
#SSLCARevocationFile "/root/ca.crl"
...
SSLVerifyClient require
...

Управление доступом к HTTP серверу с использованием GSSAPI аутентификации

Ubuntu

# apt-get install libapache2-mod-auth-kerb

# cat /etc/apache2/sites-available/default
...
        <Directory />
                AuthType Kerberos
                KrbMethodK5Passwd off
                KrbMethodNegotiate on
                Require valid-user
...

FreeBSD

# pkg_add -r mod_auth_kerb2

или

# cd /usr/ports/www/mod_auth_kerb2/

# make configure

# cat work/mod_auth_kerb-5.4/Makefile
...
#KRB5_LDFLAGS = -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt
KRB5_LDFLAGS = -L/usr/lib -lgssapi_krb5 -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt

# make install clean

# cat /usr/local/etc/apache22/httpd.conf
...
LoadModule auth_kerb_module    modules/mod_auth_kerb.so
...
<Directory />
    AuthType Kerberos
    KrbMethodK5Passwd off
    KrbMethodNegotiate on
    Require valid-user
...

Firefox

http://grolmsnet.de/kerbtut/firefox.html

Управление доступом к HTTP серверу с использованием OpenID аутентификации

gate# apt install libapache2-mod-auth-openidc
# cat /etc/apache2/conf-available/serve-cgi-bin.conf
...
        <IfDefine ENABLE_USR_LIB_CGI_BIN>

                ## GitLab
                # NOTE(review): Off disables verification of the provider's TLS
                # certificate, so the metadata and token requests can be
                # intercepted; acceptable only in a lab with self-signed certificates.
                OIDCSSLValidateServer Off
                OIDCProviderMetadataURL https://server.corpX.un/.well-known/openid-configuration
                # NOTE(review): http:// redirect URI - the authorization response
                # returns to this server in cleartext; use an https:// URI outside a lab.
                OIDCRedirectURI http://gate.corpX.un/cgi-bin/test-cgi
                OIDCClientID e...............................................4         #Application ID
                # Client secret issued by the provider; restrict read access to this file.
                OIDCClientSecret 7.................................................4   #Secret
                # NOTE(review): passphrase the module uses to protect its cookies and
                # state; replace "anystring" with a long random value.
                OIDCCryptoPassphrase anystring

                ## Keycloak
                # Presumably an alternative to the GitLab stanza above (same
                # directives) - keep only one of the two active. The same
                # review notes on TLS validation, the http:// redirect URI and
                # the passphrase apply here.
                OIDCSSLValidateServer Off
                OIDCProviderMetadataURL https://keycloak.corpX.un/realms/corpX/.well-known/openid-configuration
                OIDCRedirectURI http://gate.corpX.un/cgi-bin/test-cgi
                #OIDCClientID test-cgi
                OIDCClientID any-client
                OIDCCryptoPassphrase anystring
...
                        #Require all granted
                        AuthType openid-connect
                        Require valid-user
...
# a2enmod auth_openidc
Проверка: http://gate.corpX.un/cgi-bin/test-cgi/    !!! Последний / обязательно !!!

Протокол WebDAV

Debian/Ubuntu

# a2enmod dav

# a2enmod dav_fs

# mkdir /var/www/share
# chown www-data /var/www/share

# cat /etc/apache2/sites-available/000-default.conf
...
Alias /share /var/www/share

# Directory exposed for WebDAV under the /share alias.
# NOTE(review): DAV is switched on while access is open to every client and no
# authentication is configured in this block, so any client that can reach the
# server may upload, overwrite or delete files here. Add AuthType/Require
# valid-user (or Require ip) before using this outside a lab.
<Directory /var/www/share>
    # Automatic directory listings.
    Options Indexes
    DAV On
    # Apache 2.2 access-control syntax (needs mod_access_compat on 2.4).
    Order allow,deny
    allow from all
</Directory>
...
# service apache2 restart

NGINX

gate# apt install nginx

Прокси "красивого" URL в приложение (пример 1)

gate# cat /etc/nginx/sites-available/user1
server {
        listen 80;
        server_name server.corpX.un corpX.un;
        location / {
                proxy_pass http://server.corpX.un/~user1/;
        }
}

Подключение, тестирование, применение и мониторинг конфигурации

# ln -s /etc/nginx/sites-available/user1 /etc/nginx/sites-enabled/user1

# service nginx configtest
# tail /var/log/nginx/error.log
  или
# nginx -t #-c /etc/nginx/nginx.conf
  или
# nginx -T

# service nginx restart

# tail -f /var/log/nginx/access.log -f /var/log/nginx/error.log
gate.isp.un$ wget -O - -q http://server.corpX.un

Прокси с балансировкой (пример 2)

# cat /etc/nginx/sites-available/myapp1
    upstream myapp1 {
        server server.corpX.un;
        server server2.corpX.un;
    }

    server {
        listen 80;
        server_name server.corpX.un corpX.un;

        location / {
            proxy_pass http://myapp1;
        }
    }

Прокси "красивого" URL в приложение (пример 3)

# host mail
# host webd
# host www
# host autoconfig
# host corpX.un

... has address 192.168.X.10

root@server# cat /var/opt/gitlab/nginx/conf/corpX.conf
#    upstream app {
#        server 172.18.0.1;
#        server 172.18.0.2;
#        server 172.18.0.3;
#    }
    server {
        listen 80;
        server_name webd.corpX.un;

        location / {
            proxy_pass http://192.168.49.2:30111/;
#            proxy_pass http://app;
        }
    }
    server {
        listen 80;
        server_name mail.corpX.un;
        return 301 http://server.corpX.un:81/mail;
#        return 301 http://gate.corpX.un:81/mail;
    }
    server {
        listen 80;
        server_name corpX.un www.corpX.un;

        location / {
            proxy_pass http://server.corpX.un:81/;
        }
    }
#    server {
#        listen 80;
#        server_name autoconfig.corpX.un;
#        location / {
#            proxy_pass http://gate.corpX.un:81/;
#        }
#    }
# cat /etc/gitlab/gitlab.rb
...
nginx['custom_nginx_config'] = "include /var/opt/gitlab/nginx/conf/corpX.conf;"
...
root@server# less /var/opt/gitlab/nginx/conf/nginx.conf
...
  include /var/opt/gitlab/nginx/conf/corpX.conf;
}
root@server# /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx -t
root@server# gitlab-ctl restart nginx

HTTPS Прокси (пример 4)

gate1# cat /etc/nginx/sites-available/gowebd
    server {
        listen 80;
        server_name gowebd.corpX.un;
        return 301 https://gowebd.corpX.un$request_uri;
    }

    server {
        listen 443 ssl;
        server_name gowebd.corpX.un;
        ssl_certificate /root/gowebd.crt;
        ssl_certificate_key /root/gowebd.key;

        location / {
#            proxy_pass http://192.168.X.10:8000;
#            proxy_pass http://192.168.100+X.10:NNNNN;
#            proxy_pass http://192.168.X.64;

#            proxy_set_header Host            $host;
#            proxy_set_header X-Forwarded-For $remote_addr;

#            proxy_set_header X-Forwarded-Proto $scheme;
#            proxy_set_header X-Forwarded-Port $server_port;
        }
    }

Нагрузочное тестирование

curl

wrk

vegeta

external-host# curl http://192.168.13.10:8000

external-host# echo "GET http://192.168.13.10:8000" | vegeta attack -duration=20s -rate=100 | vegeta report

server# tail -f /var/log/syslog