Remote: CentOS 7.4 x64 (django.example.com)

Python: Python3.6.5

Apache: Apache 2.4.6

Mod_wsgi: 4.6.4

Django: Django 2.0.4

一. 系统环境配置

1.关闭iptables和selinux

# su - root

# systemctl stop firewalld

# setenforce 0

# vi /etc/sysconfig/selinux

修改

SELINUX=disabled

2.添加本地host DNS

# vi /etc/hosts

127.0.0.1    django.example.com

二. Python配置

1.安装python3.6.5源及依赖包

# yum install epel-release -y

# yum groupinstall "Development tools" -y

# yum install zlib-devel bzip2-devel openssl-devel ncurses-devel zx-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel libffi-devel -y

2.编译安装python3.6.5以及pip package manager

# wget https://www.python.org/ftp/python/3.6.5/Python-3.6.5.tar.xz --no-check-certificate

# tar xf Python-3.6.5.tar.xz

# cd Python-3.6.5

# ./configure --prefix=/usr/local --with-ensurepip=install --enable-shared LDFLAGS="-Wl,-rpath /usr/local/lib"

# make && make altinstall

3.安装virtualenv

# pip3.6 install --upgrade pip

# pip3.6 install virtualenv

三. Django环境配置

1. 配置Django virtualenv

# mkdir -p /var/www/html/django

# cd /var/www/html/django

# virtualenv -p /usr/local/bin/python3.6 .py3env

2. 开启virtualenv python3环境

# source .py3env/bin/activate

3. 在此环境安装Django相关模块

# pip install django pymysql

四. Apache配置

1. 安装apache package

# yum install httpd httpd-devel -y

2.安装mod_wsgi for python3

Tip:这里其实是一个远古巨坑, 网上90%以上资料的会粗心的直接使用yum install mod_wsgi去安装apache mod_wsgi模块, 这样做其实最终mod模块会调用本地默认的python2的所有库文件, 无论你后面如何配置django入口文件, apache都不会使用我们配置的virutalenv下隔离的python3, 导致apache无法调用python3而报错. 这里小伙伴要注意哦.

# pip install mod_wsgi 

3.导出apache所需的mod_wsgi模块

# mod_wsgi-express install-module

LoadModule wsgi_module "/usr/lib64/httpd/modules/mod_wsgi-py36.cpython-36m-x86_64-linux-gnu.so"
WSGIPythonHome "/var/www/html/.py3env"

4.配置apache配置文件

# vi /etc/httpd/conf/httpd.conf

末行添加:

LoadModule wsgi_module "/usr/lib64/httpd/modules/mod_wsgi-py36.cpython-36m-x86_64-linux-gnu.so"

# vi /etc/httpd/conf.d/django.conf

WSGIPythonHome "/var/www/html/django/.py3env"

Listen 8080
<VirtualHost *:8080>

ServerName django.example.com

Alias /static /var/www/html/django/static
<Directory /var/www/html/django/static>
 Require all granted
</Directory>

<Directory /var/www/html/django/myproject>
  <Files wsgi.py>
    Require all granted
  </Files>
</Directory>

WSGIDaemonProcess myproject python-path=/var/www/html/django/.py3env/lib/python3.6/site-packages
WSGIScriptAlias / /var/www/html/django/myproject/wsgi.py

</VirtualHost>

5.重启apache并设置开机自启动

# systemctl restart httpd

# systemctl enable httpd

五. Django项目配置

1. 保证virtualenv python3环境开启

# source /var/www/html/django/.py3env/bin/activate

2.创建一个Django项目

# cd /var/www/html/django/

# django-admin startproject myproject .

3.添加static目录

# vi myproject/settings.py

末行添加:

STATIC_ROOT = os.path.join(BASE_DIR, "static/")

4.创建本地SQLlite文件

Tip:这里使用SQLlite代替其他数据库作为我们项目的DB

# ./manage.py makemigrations
# ./manage.py migrate

Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying admin.0002_logentry_remove_auto_add... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  Applying auth.0009_alter_user_last_name_max_length... OK
  Applying sessions.0001_initial... OK

5.创建项目管理员账户

# ./manage.py createsuperuser

Username (leave blank to use 'root'): root
Email address: admin@admin.com
Password:
Password (again):
Superuser created successfully.

6.生成项目静态文件目录

# ./manage.py collectstatic

7.修改wsgi入口文件

# vi myproject/wsgi.py

import os
import sys
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "myproject.settings")
sys.path.append('/var/www/html/django')

from django.core.wsgi import get_wsgi_application

application = get_wsgi_application()

8.添加ALLOWED_HOSTS

# vi myproject/settings.py

Update:

ALLOWED_HOSTS = ['django.example.com']

9.修改项目属主和权限

# chmod -R 755 /var/www/html

# chown -R apache:apache /var/www/html

查看最终目录下的生成的项目文件

# ls -l

-rwxr-xr-x 1 apache apache 38912 Apr 16 15:04 db.sqlite3
-rwxr-xr-x 1 apache apache   541 Apr 16 14:50 manage.py
drwxr-xr-x 3 apache apache  4096 Apr 16 15:21 myproject
drwxr-xr-x 3 apache apache  4096 Apr 16 15:05 static

最终浏览器访问django项目

Tip:保证windows本地添加django服务器的HOST域名

django测试页面

项目主页, 输入之前创建的管理员账号密码

项目后台

Finished...

解决方案：

一.环境部署

操作系统：        centos6.3 x64

SVN:             subversion-1.8.0

apache:          httpd-2.4.4

svn server(centos6.3 x64): node2.example.com

svn client(centos6.3 x64): node1.example.com

git server: https://github.com/leonIi/

一.关闭iptables和SELINUX

# service iptables stop

注：如需开启防火墙,则添加如下一条规则打开svn 3690端口

# iptables -A INPUT -p tcp  --dport 3690 -j ACCEPT

# setenforce 0

# vi /etc/sysconfig/selinux

---------------

SELINUX=disabled

---------------

二.同步时间

# ntpdate cn.pool.ntp.org

三.安装apache

传送门：http://www.showerlee.com/archives/6

四.关闭系统自带svnserve

# service svnserve stop

# chkconfig svnserve off

注：本文档为了与apache2.4.4配合不发生兼容问题，所以使用了最新编译版本的svn,这里关闭是为了保证与rpm的版本不冲突.

五.安装svn server

传送门：http://www.showerlee.com/archives/350

注:安装完毕后:

svn根目录: /data/svn_repo

http访问URL: http://node2.example.com/svn/'具体仓库'

六.SVN到GIT迁移

1.首先在github上面创建一个repository(略)

2.创建一个SVN仓库(svn server)

# cd /data/svn_repo/

# svnadmin create project01

重启svn与apache

# killall svnserve

# /usr/local/svn/bin/svnserve -d -r /data/svn_repo/

# /usr/local/apache2/bin/apachectl restart

3.SVN checkin and checkout(svn client)

1).客户端安装svn(若安装可略过)

# yum install svn -y

2). svn checkout

# cd ~

# mkdir svn_client_repo

# cd svn_client_repo

# svn co http://node2.example.com/svn/project01

3). svn status

# svn status project01

# cd project01

# touch test01 test02 test03

4). svn add (添加)

# svn add test01

# svn add test02

# svn add test03

5). svn checkin(提交)

# svn ci -m”project01”

6). svn log (查看文件日志注释)

# svn log 1

常见错误提示:

Commit failed (details follow):

Error normalizing log message to internal format

Can't convert string from native encoding to 'UTF-8':

解决方法:

# vi ~/.subversion/config

修改:log-encoding = UTF-8

svn: Can't open file '/data/svn_repo/project01/db/txn-current-lock': Permission denied

解决方法:

将server端 /data/svn_repo/project01目录属主修改为apache用户,默认为daemon

# chown -R daemon.daemon /data/svn_repo/project01

2.使用git迁移(svn client)

1).客户端安装git(若安装可略过)

# yum install git* git-svn -y

# cd ~

# mkdir git_client_repo

# cd git_client_repo

建立SVN用户到git用户的映射文件

# echo "(no author) = test <test@123.com>" > userinfo.txt 

# git svn init http://node2.example.com/svn/project01 project01

# cd project01

将svn用户映射到git上.

# git svn fetch --authors-file=../userinfo.txt

# git log

-------------------------------------------------------------------------------------------------------------------------

commit edc2cdd658f8844ad4a883d083b84ef5dad2320c

Author: test <test@123.com>

Date:   Mon Aug 11 05:50:09 2014 +0000

    project01
    

    git-svn-id: http://node2.example.com/svn/project01@2 595a6c50-5861-48b1-ab0a-b1b54e0fc7cc

commit 9bde3c02fbfa6f22088b442a519cfd3870433ebc

Author: test <test@123.com>

Date:   Fri Aug 8 07:55:54 2014 +0000

    <E2><80><9D>project01<E2><80><9D>
    

    git-svn-id: http://node2.example.com/svn/project01@1 595a6c50-5861-48b1-ab0a-b1b54e0fc7cc

-----------------------------------------------------------------------------------------------------------------------

当然上面的两步，可以作一步处理

# git svn clone http://node2.example.com/svn/project01  --authors-file=userinfo.txt  project01

注: git svn fetch 这个步骤，可能碰到只想从某个版本开始进行fetch，那么请需要 –r 参数。

例如：

# git svn fetch -r 1342:HEAD

注：1342是你想要从这个版本开始fetch，如何查看这个版本号，你可以使用 svn 命令（windows下需要安装Subversion Client，e.g. sliksvn），简单使用就是 svn log svn_url 

这个时候，你可能看到整屏在刷新，没关系，看到log就行。当然更简单的就是使用TortoiseSVN-> Show log。

亦或者你可以这样使用：

# git svn clone http://node2.example.com/svn/project01 -sr 1342:HEAD project01

2)创建本地SSH keys并上传到github,详见:

https://help.github.com/articles/generating-ssh-keys

并更改连接到github SSH端口

# vim ~/.ssh/config

增加:

————————————————————————————

Host github.com

  Hostname ssh.github.com

  Port 443

————————————————————————————

3).到这步的时候，本地已经clone了SVN仓库，现在需要的就是提交到远程了。首先，关联github远程仓库，如下：

# git remote add origin git@github.com:leonIi/project01

# git fetch

# git commit -a -m "add file"

# git add .

# git push -f 

到github上面查看这个仓库(repository),大致效果如下（https://github.com/leonIi/project01.git）

大功告成…

NOW,本篇文档我们会详细介绍如何利用CHEF独有的框架语言来批量部署安装APACHE,并加载其HTTPS模块等功能.

相信如果你看了本篇文档,利用CHEF实现一个批量自动化部署将不是什么难事.

CHEF环境部署详见: http://showerlee.blog.51cto.com/2047005/1408467

操作系统：CentOS-6.3-x86-64

CHEF：   chef-server-11.0.12-1.el6.x86_64

Server :            10.107.91.251 (chef.example.com)

Workstation:     10.107.91.251 (chef.example.com)

node:                10.107.91.252 (node1.example.com)

一. 创建一个空的cookbook实例,并命名为apache (chef.example.com)

# su -

# cd ~/chef-repo/cookbooks/

# knife cookbook create apache

# ls

------------------------------------------------------------------------------------------------

README.md  apache  quick_start

------------------------------------------------------------------------------------------------

# cd apache

# ls 

------------------------------------------------------------------------------------------------

CHANGELOG.md  attributes   files      metadata.rb  recipes    templates

README.md     definitions  libraries  providers    resources

------------------------------------------------------------------------------------------------

二. 创建SSL秘钥证书并复制到apache的cookbook对应文件夹 (chef.example.com)

1.证书配置:

1).下载并解压ssl证书生成压缩包:

# cd ~/chef-repo/cookbooks/apache/files/default

# mkdir certificates

# cd certificates

# wget http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz

# tar zxvf ssl.ca-0.1.tar.gz

# cd ssl.ca-0.1

2).利用ssl内脚本生成根证书:

# ./new-root-ca.sh  

----------------------------------------------------------------------------------------------

No Root CA key round. Generating one

Generating RSA private key, 1024 bit  long modulus

………………………++++++

….++++++

e is 65537 (0×10001)

Enter  pass phrase for ca.key: (输入一个密码)

Verifying – Enter pass phrase for ca.key:  (再输入一次密码)

……

Self-sign the root CA… (签署根证书)

Enter pass phrase for  ca.key: (输入刚刚设置的密码)

……..

…….. (下面开始签署)

Country Name (2 letter code)  [MY]:CN

State or Province Name (full name) [Perak]:JiangSu

Locality Name  (eg, city) [Sitiawan]:NanJing

Organization Name (eg, company) [My Directory  Sdn Bhd]:example Co.,Ltd

Organizational Unit Name (eg, section)  [Certification Services Division]:example

Common Name (eg, MD Root CA)  []:example

Email Address []:info@example.com

---------------------------------------------------------------------------------------------

这样就生成了ca.key和ca.crt两个文件

3).生成服务端证书:

# ./new-server-cert.sh server  

注:证书名为server

-----------------------------------------------------------------------------------------------

……

……

Country Name (2 letter code) [MY]:CN

State or  Province Name (full name) [Perak]:JiangSu

Locality Name (eg, city)  [Sitiawan]:NanJing

Organization Name (eg, company) [My Directory Sdn  Bhd]:example Co.,Ltd

Organizational Unit Name (eg, section) [Secure Web  Server]:example

Common Name (eg, http://www.domain.com)  []:www.example.com

Email Address  []:info@example.com

------------------------------------------------------------------------------------------------

这样就生成了server.csr和server.key这两个文件。

4).签署服务端证书:

#  ./sign-server-cert.sh server

--------------------------------------------------------------------------------------------

CA signing: server.csr ->  server.crt:

Using configuration from ca.config

Enter pass phrase for  ./ca.key: (输入上面设置的根证书密码)

Check that the request matches the  signature

Signature ok

The Subject’s Distinguished Name is as  follows

countryName   RINTABLE:’CN’

stateOrProvinceName   RINTABLE:’JiangSu’

localityName   RINTABLE:’NanJing’

organizationName   RINTABLE:’example Co.,Ltd’

organizationalUnitName:PRINTABLE:’example’

commonName   RINTABLE:’www.example.com’

emailAddress  :IA5STRING:’info@example.com’

Certificate is to be certified until Jul 16  12:55:34 2005 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1  certificate requests certified, commit? [y/n]y

Write out database with 1 new  entries

Data Base Updated

CA verifying: server.crt <-> CA  cert

server.crt: OK

--------------------------------------------------------------------------------------

2.复制证书到cookbook相应位置

# pwd

--------------------------------------------------------------------------------------

/root/chef-repo/cookbooks/apache/files/default/certificates/ssl.ca-0.1

--------------------------------------------------------------------------------------

# cp server.crt server.key ca.crt ..

# cd ..

# ls

--------------------------------------------------------------------------------------

ca.crt  server.crt  server.key  ssl.ca-0.1  ssl.ca-0.1.tar.gz

--------------------------------------------------------------------------------------

三. 定义cookbook变量属性 (chef.example.com)

# cd ~/chef-repo/cookbooks/apache/attributes

# vi default.rb

--------------------------------------------------------------------------------------

default['apache']['dir']     = "/etc/httpd"

default['apache']['sslpath']    = "/etc/httpd/ssl"

default['apache']['servername'] = "node1.example.com"

--------------------------------------------------------------------------------------

四.编写recipes(可按照实际部署需求修改) (chef.example.com)

# cd ~/chef-repo/cookbooks/apache/recipes

# vi default.rb

--------------------------------------------------------------------------------------

# Cookbook Name:: apache

# Recipe:: default

#

# Copyright 2013, YOUR_COMPANY_NAME

#

# All rights reserved - Do Not Redistribute

#

# Install httpd package but don't start it

package "httpd" do

       action [:install]

end

# Install mod_ssl package to enable ssl module in apache

package "mod_ssl" do

       action [:install]

end

# Stop iptables service permanently

service "iptables" do

       action [:disable,:stop]

end

# Stop ip6tables service permanently 

service "ip6tables" do

       action [:disable,:stop]

end

# Create /etc/httpd/ssl directory on chef client

directory "#{node['apache']['dir']}/ssl" do
      action :create

      recursive true

      mode 0755

end

# Copy ssl certificates from certificates folder to client's /etc/httpd/ssl folder

remote_directory "#{node['apache']['dir']}/ssl" do

       source "certificates"

       files_owner "root"

       files_group "root"

       files_mode 00644

       owner "root"

       group "root"

       mode 0755

end

# This will make changes to ssl.conf 

template "/etc/httpd/conf.d/ssl.conf" do

       source "ssl.conf.erb"

       mode 0644

       owner "root"

       group "root"

       variables(

:sslcertificate => "#{node['apache']['sslpath']}/server.crt",

               :sslkey => "#{node['apache']['sslpath']}/server.key",

               :sslcacertificate => "#{node['apache']['sslpath']}/ca.crt",

               :servername => "#{node['apache']['servername']}"

       )

end

# start httpd service

service "httpd" do

   action [:enable,:start]

end

--------------------------------------------------------------------------------------

五.定义templates (chef.example.com)

注:这里实际上就是将apache原有的配置文件中需要修改的参数添加chef自有的变量属性,部署到client端,实现apache的自定义配置.

此处仅仅更改了SSL证书的具体路径,如果有其他需要可按此语法格式进行修改.

# cd ~/chef-repo/cookbooks/apache/templates/default

# vi ssl.conf.erb

--------------------------------------------------------------------------------------

#

# This is the Apache server configuration file providing SSL support.

# It contains the configuration directives to instruct the server how to

# serve pages over an https connection. For detailing information about these

# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html&gt;

#

# Do NOT simply read the instructions in here without understanding

# what they do.  They're here only as hints or reminders.  If you are unsure

# consult the online docs. You have been warned.

#

LoadModule ssl_module modules/mod_ssl.so

#

# When we also provide SSL we have to listen to the

# the HTTPS port in addition.

#

Listen 443

##

##  SSL Global Context

##

##  All SSL configuration in this context applies both to

##  the main server and all SSL-enabled virtual hosts.

##

#   Pass Phrase Dialog:

#   Configure the pass phrase gathering process.

#   The filtering dialog program (`builtin' is a internal

#   terminal dialog) has to provide the pass phrase on stdout.

SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:

#   Configure the SSL Session Cache: First the mechanism

#   to use and second the expiring timeout (in seconds).

SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)

SSLSessionCacheTimeout  300

#   Semaphore:

#   Configure the path to the mutual exclusion semaphore the

#   SSL engine uses internally for inter-process synchronization.

SSLMutex default

#   Pseudo Random Number Generator (PRNG):

#   Configure one or more sources to seed the PRNG of the

#   SSL library. The seed data should be of good random quality.

#   WARNING! On some platforms /dev/random blocks if not enough entropy

#   is available. This means you then cannot use the /dev/random device

#   because it would lead to very long connection times (as long as

#   it requires to make more entropy available). But usually those

#   platforms additionally provide a /dev/urandom device which doesn't

#   block. So, if available, use this one instead. Read the mod_ssl User

#   Manual for more details.

SSLRandomSeed startup file:/dev/urandom  256

SSLRandomSeed connect builtin

#SSLRandomSeed startup file:/dev/random  512

#SSLRandomSeed connect file:/dev/random  512

#SSLRandomSeed connect file:/dev/urandom 512

#

# Use "SSLCryptoDevice" to enable any supported hardware

# accelerators. Use "openssl engine -v" to list supported

# engine names.  NOTE: If you enable an accelerator and the

# server does not start, consult the error logs and ensure

# your accelerator is functioning properly.

#

SSLCryptoDevice builtin

#SSLCryptoDevice ubsec

##

## SSL Virtual Host Context

##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration

#DocumentRoot "/var/www/html"

ServerName <%= @servername %>:443

# Use separate log files for the SSL virtual host; note that LogLevel

# is not inherited from httpd.conf.

ErrorLog logs/ssl_error_log

TransferLog logs/ssl_access_log

LogLevel warn

#   SSL Engine Switch:

#   Enable/Disable SSL for this virtual host.

SSLEngine on

#   SSL Protocol support:

# List the enable protocol levels with which clients will be able to

# connect.  Disable SSLv2 access by default:

SSLProtocol all -SSLv2

#   SSL Cipher Suite:

# List the ciphers that the client is permitted to negotiate.

# See the mod_ssl documentation for a complete list.

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

#   Server Certificate:

# Point SSLCertificateFile at a PEM encoded certificate.  If

# the certificate is encrypted, then you will be prompted for a

# pass phrase.  Note that a kill -HUP will prompt again.  A new

# certificate can be generated using the genkey(1) command.

SSLCertificateFile <%= @sslcertificate %>

#   Server Private Key:

#   If the key is not combined with the certificate, use this

#   directive to point at the key file.  Keep in mind that if

#   you've both a RSA and a DSA private key you can configure

#   both in parallel (to also allow the use of DSA ciphers, etc.)

SSLCertificateKeyFile <%= @sslkey %>

#   Server Certificate Chain:

#   Point SSLCertificateChainFile at a file containing the

#   concatenation of PEM encoded CA certificates which form the

#   certificate chain for the server certificate. Alternatively

#   the referenced file can be the same as SSLCertificateFile

#   when the CA certificates are directly appended to the server

#   certificate for convinience.

#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):

#   Set the CA certificate verification path where to find CA

#   certificates for client authentication or alternatively one

#   huge file containing all of them (file must be PEM encoded)

SSLCACertificateFile <%= @sslcacertificate %>

#   Client Authentication (Type):

#   Client certificate verification type and depth.  Types are

#   none, optional, require and optional_no_ca.  Depth is a

#   number which specifies how deeply to verify the certificate

#   issuer chain before deciding the certificate is not valid.

#SSLVerifyClient require

#SSLVerifyDepth  10

#   Access Control:

#   With SSLRequire you can do per-directory access control based

#   on arbitrary complex boolean expressions containing server

#   variable checks and other lookup directives.  The syntax is a

#   mixture between C and Perl.  See the mod_ssl documentation

#   for more details.

#<Location />

#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \

#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \

#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \

#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \

#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \

#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/

#</Location>

#   SSL Engine Options:

#   Set various options for the SSL engine.

#   o FakeBasicAuth:

#     Translate the client X.509 into a Basic Authorisation.  This means that

#     the standard Auth/DBMAuth methods can be used for access control.  The

#     user name is the `one line' version of the client's X.509 certificate.

#     Note that no password is obtained from the user. Every entry in the user

#     file needs this password: `xxj31ZMTZzkVA'.

#   o ExportCertData:

#     This exports two additional environment variables: SSL_CLIENT_CERT and

#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the

#     server (always existing) and the client (only existing when client

#     authentication is used). This can be used to import the certificates

#     into CGI scripts.

#   o StdEnvVars:

#     This exports the standard SSL/TLS related `SSL_*' environment variables.

#     Per default this exportation is switched off for performance reasons,

#     because the extraction step is an expensive operation and is usually

#     useless for serving static content. So one usually enables the

#     exportation for CGI and SSI requests only.

#   o StrictRequire:

#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even

#     under a "Satisfy any" situation, i.e. when it applies access is denied

#     and no other module can change it.

#   o OptRenegotiate:

#     This enables optimized SSL connection renegotiation handling when SSL

#     directives are used in per-directory context.

#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

<Files ~ "\.(cgi|shtml|phtml|php3?)$">

   SSLOptions +StdEnvVars

</Files>

<Directory "/var/www/cgi-bin">

   SSLOptions +StdEnvVars

</Directory>

#   SSL Protocol Adjustments:

#   The safe and default but still SSL/TLS standard compliant shutdown

#   approach is that mod_ssl sends the close notify alert but doesn't wait for

#   the close notify alert from client. When you need a different shutdown

#   approach you can use one of the following variables:

#   o ssl-unclean-shutdown:

#     This forces an unclean shutdown when the connection is closed, i.e. no

#     SSL close notify alert is send or allowed to received.  This violates

#     the SSL/TLS standard but is needed for some brain-dead browsers. Use

#     this when you receive I/O errors because of the standard approach where

#     mod_ssl sends the close notify alert.

#   o ssl-accurate-shutdown:

#     This forces an accurate shutdown when the connection is closed, i.e. a

#     SSL close notify alert is send and mod_ssl waits for the close notify

#     alert of the client. This is 100% SSL/TLS standard compliant, but in

#     practice often causes hanging connections with brain-dead browsers. Use

#     this only for browsers where you know that their SSL implementation

#     works correctly.

#   Notice: Most problems of broken clients are also related to the HTTP

#   keep-alive facility, so you usually additionally want to disable

#   keep-alive for those clients, too. Use variable "nokeepalive" for this.

#   Similarly, one has to force some clients to use HTTP/1.0 to workaround

#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

#   "force-response-1.0" for this.

SetEnvIf User-Agent ".*MSIE.*" \

        nokeepalive ssl-unclean-shutdown \

        downgrade-1.0 force-response-1.0

#   Per-Server Logging:

#   The home of a custom SSL log file. Use this when you want a

#   compact non-error SSL logfile on a virtual host basis.

CustomLog logs/ssl_request_log \

         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

--------------------------------------------------------------------------------------

六.上传cookbook (chef.example.com)

# cd /root/chef-repo/cookbooks

# knife cookbook upload apache

--------------------------------------------------------------------------------------

Uploading apache         [0.1.0]

Uploaded 1 cookbook.

--------------------------------------------------------------------------------------

七.创建Role (chef.example.com)

注:简单来说Role就是实现一个能在Server端批量下发cookbook并自动开始对所有client的部署,此前的方法部署client端需要登录其SHELL执行chef-client,方能开始部署,少量部署无所谓,但批量的话执行效率会大大降低.

1). 设置editor环境变量

# echo 'export EDITOR=$(which vi)' >> ~/.bashrc

# source ~/.bashrc

2). 编写Role,将默认替换成如下内容.

# knife role create webserver

--------------------------------------------------------------------------------------

{

 "run_list": [

   "recipe[apache]"

 ],

 "chef_type": "role",

 "env_run_lists": {

 },

 "description": "apache webserver",

 "override_attributes": {

 },

 "json_class": "Chef::Role",

 "default_attributes": {

 },

 "name": "webserver"

}

--------------------------------------------------------------------------------------

八. Bootstrap客户端.

注: bootstrap是一个将CHEF具体的cookbook实例部署到目标客户端的程序,因此他可以在server端实现client本地执行最后部署命令chef-client的功能

1. 首先需要做一个CHEF的server端到client端的SSH秘钥认证,实现server端无需输入SSH密码即可登录client执行部署.

1) .在CHEF的Server端(SSH客户端)创建秘钥对：(chef.example.com)

# su - root

# ssh-keygen -t dsa

一路回车即可

----------------------

Generating public/private dsa key pair.

Enter file in which to save the key (/root/.ssh/id_dsa):

Created directory '/root/.ssh'.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /root/.ssh/id_dsa.

Your public key has been saved in /root/.ssh/id_dsa.pub.

The key fingerprint is:

e9:5e:4a:7f:79:64:c5:ae:f2:06:a7:26:e4:41:5c:0e root@chef.example.com

The key's randomart image is:

+--[ DSA 1024]----+

|                 |

|          E .    |

|         . +   . |

|         .o .   o|

|        S.     o |

|       .  o . + .|

|        oo.. B . |

|       o +o * +  |

|        o .+ =.  |

+-----------------+

----------------------

2). 查看生成的秘钥对：(chef.example.com)

# ls -lda ~/.ssh

-----------------

drwx------ 2 root root 4096 6月   6 23:03 .ssh

-----------------

# cd .ssh

# ls -la

------------------

总用量 16

drwx------   2 root root 4096 6月   6 23:03 .

dr-xr-x---. 26 root root 4096 6月   6 23:03 ..

-rw-------   1 root root  668 6月   6 23:03 id_dsa

-rw-r--r--   1 root root  613 6月   6 23:03 id_dsa.pub

------------------

秘钥生成完毕

3) .将公钥（锁）分发到SSH服务端(CHEF客户端)：(chef.example.com)

# ssh-copy-id -i .ssh/id_dsa.pub node1.example.com

注：若非root用户，以及自定义SSH端口，则格式为：

# ssh-copy-id -i .ssh/id_rsa.pub "-p 22 user@server"

输入yes,然后密码后回车：

----------------------------

The authenticity of host 'node1.example.com (10.107.91.252)' can't be established.

RSA key fingerprint is fc:9b:2e:38:3b:04:18:67:16:8f:dd:94:a8:bd:08:03.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'node1.example.com' (RSA) to the list of known hosts.

Address node1.example.com maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

root@node1.example.com's password:  输入密码

Now try logging into the machine, with "ssh 'node1.example.com'", and check in:

 .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

-----------------------------

公钥分发完毕

4) .SSH服务端(CHEF客户端)查看收到的分发文件：(node1.example.com)

# ll /root/.ssh

-------------

总用量 4

-rw------- 1 root root 613 6月   6 23:29 authorized_keys

-------------

成功收到

2.执行bootstrap部署 (chef.example.com)

# knife bootstrap node1.example.com -x root --sudo -r "role[webserver]"

--------------------------------------------------------------------------------------------------------------  

Connecting to node1.example.com

node1.example.com Starting first Chef Client run...

node1.example.com [2014-05-09T06:08:53+08:00] WARN: 

node1.example.com * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * 

node1.example.com SSL validation of HTTPS requests is disabled. HTTPS connections are still

node1.example.com encrypted, but chef is not able to detect forged replies or man in the middle

node1.example.com attacks.

node1.example.com 

node1.example.com To fix this issue add an entry like this to your configuration file:

node1.example.com 

node1.example.com ```

node1.example.com   # Verify all HTTPS connections (recommended)

node1.example.com   ssl_verify_mode :verify_peer

node1.example.com 

node1.example.com   # OR, Verify only connections to chef-server

node1.example.com   verify_api_cert true

node1.example.com ```

node1.example.com 

node1.example.com To check your SSL configuration, or troubleshoot errors, you can use the

node1.example.com `knife ssl check` command like so:

node1.example.com 

node1.example.com ```

node1.example.com   knife ssl check -c /etc/chef/client.rb

node1.example.com ```

node1.example.com 

node1.example.com * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * 

node1.example.com 

node1.example.com Starting Chef Client, version 11.12.4

node1.example.com resolving cookbooks for run list: ["apache"]

node1.example.com Synchronizing Cookbooks:

node1.example.com   - apache

node1.example.com Compiling Cookbooks...

node1.example.com Converging 8 resources

node1.example.com Recipe: apache::default

node1.example.com   * package[httpd] action install (up to date)

node1.example.com   * package[mod_ssl] action install (up to date)

node1.example.com   * service[iptables] action disable (up to date)

node1.example.com   * service[iptables] action stop (up to date)

node1.example.com   * service[ip6tables] action disable (up to date)

node1.example.com   * service[ip6tables] action stop (up to date)

node1.example.com   * directory[/etc/httpd/ssl] action create (up to date)

node1.example.com   * remote_directory[/etc/httpd/ssl] action createRecipe: <Dynamically Defined Resource>

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/sign-user-cert.sh] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/sign-server-cert.sh] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/server.key] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/server.csr] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/server.crt] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/random-bits] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/p12.sh] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/new-user-cert.sh] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/new-server-cert.sh] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/new-root-ca.sh] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/ca.key] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/ca.db.serial] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/ca.db.index.attr] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/ca.db.index] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/ca.db.certs/01.pem] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/ca.crt] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/VERSION] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/README] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1/COPYING] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ssl.ca-0.1.tar.gz] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/server.key] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/server.crt] action create (up to date)

node1.example.com   * cookbook_file[/etc/httpd/ssl/ca.crt] action create (up to date)

node1.example.com  (up to date)

node1.example.com Recipe: apache::default

node1.example.com   * template[/etc/httpd/conf.d/ssl.conf] action create (up to date)

node1.example.com   * service[httpd] action enable (up to date)

node1.example.com   * service[httpd] action start (up to date)

node1.example.com 

node1.example.com Running handlers:

node1.example.com Running handlers complete

node1.example.com 

node1.example.com Chef Client finished, 0/34 resources updated in 9.1690343 seconds

--------------------------------------------------------------------------------------------------------------  

部署成功....

九.验证 (node1.example.com)

# cd /etc/httpd/

# ls

--------------------------------------------------------------------------------------------------------------  

conf  conf.d  logs  modules  run  ssl

--------------------------------------------------------------------------------------------------------------  

# service httpd status

--------------------------------------------------------------------------------------------------------------  

httpd (pid  10492) is running...

--------------------------------------------------------------------------------------------------------------  

# lsof -i:80

--------------------------------------------------------------------------------------------------------------

COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

httpd   10492   root    4u  IPv6  48097      0t0  TCP *:http (LISTEN)

httpd   10494 apache    4u  IPv6  48097      0t0  TCP *:http (LISTEN)

httpd   10495 apache    4u  IPv6  48097      0t0  TCP *:http (LISTEN)

httpd   10496 apache    4u  IPv6  48097      0t0  TCP *:http (LISTEN)

httpd   10497 apache    4u  IPv6  48097      0t0  TCP *:http (LISTEN)

httpd   10498 apache    4u  IPv6  48097      0t0  TCP *:http (LISTEN)

httpd   10499 apache    4u  IPv6  48097      0t0  TCP *:http (LISTEN)

httpd   10500 apache    4u  IPv6  48097      0t0  TCP *:http (LISTEN)

httpd   10501 apache    4u  IPv6  48097      0t0  TCP *:http (LISTEN)

# lsof -i:443

--------------------------------------------------------------------------------------------------------------

COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

httpd   10492   root    6u  IPv6  48101      0t0  TCP *:https (LISTEN)

httpd   10494 apache    6u  IPv6  48101      0t0  TCP *:https (LISTEN)

httpd   10495 apache    6u  IPv6  48101      0t0  TCP *:https (LISTEN)

httpd   10496 apache    6u  IPv6  48101      0t0  TCP *:https (LISTEN)

httpd   10497 apache    6u  IPv6  48101      0t0  TCP *:https (LISTEN)

httpd   10498 apache    6u  IPv6  48101      0t0  TCP *:https (LISTEN)

httpd   10499 apache    6u  IPv6  48101      0t0  TCP *:https (LISTEN)

httpd   10500 apache    6u  IPv6  48101      0t0  TCP *:https (LISTEN)

httpd   10501 apache    6u  IPv6  48101      0t0  TCP *:https (LISTEN)

--------------------------------------------------------------------------------------------------------------

如图:

大功告成。。。。

windows下环境配置相对较linux下简单,这里我们就开始干活...

操作系统:           Windows7_sp1_x64

WAMP:               WampServer Version 2.4

TOMCAT:             Apache-tomcat-7.0.50

jdk:                Jdk1.7.0_17

tomcat-connectors:  tomcat-connectors-1.2.37-windows-x86_64-httpd-2.4.x

注:这个tomcat-connectors是一个压缩包,解压后有一个mod_jk.so的模块,可以理解为是apache的一个扩展模块,作用其实和我们平时使用WAMP或LAMP平台加载PHP扩展模块是一个道理,就是tomcat-connectors作为一个接口,让apache可以识别jsp语言,实现web页面解析,平时我们通常使用apache-tomcat这个通用web服务开启8080端口实现jsp解析,这里等于是apache去调用tomcat8080端口实现apache80端口jsp解析

刚好朋友想实现jsp和php同目录混编,利用这种方法即可实现.

之前实现apache-tomcat与apache对接的老方法是利用apache的代理功能,将访问80端口的请求统一跳转到tomcat的8080端口上,算是一种解决方案,但能否实现jsp和php同目录混编,有待进一步考证.

一.安装WAMP

下载地址:

http://optimate.dl.sourceforge.net/project/wampserver/WampServer%202/Wampserver%202.4/Wampserver2.4-x64.exe

这个不用多讲了吧,各种无脑下一步,最后安装完毕,双击桌面的WampServer图标即可.

二.安装jdk和apache-tomcat

下载地址:

http://download.oracle.com/otn-pub/java/jdk/7u51-b13/jdk-7u51-windows-x64.exe

http://mirror.esocc.com/apache/tomcat/tomcat-7/v7.0.50/bin/apache-tomcat-7.0.50.exe

这里建议将apache-tomcat安装到wamp目录下

如图:

三.配置tomcat-connectors

1.下载匹配环境的tomcat-connectors,这里我们使用的是匹配apache2.4和win7_x64的版本

下载地址:

http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/windows/tomcat-connectors-1.2.37-windows-x86_64-httpd-2.4.x.zip

2.下载完毕,将压缩包内的mod_jk.so解压到wamp目录下apache的module目录中

如图:

3.进入Tomcat文件夹下的conf目录,创建workers.properties文件

内容如下：

--------------------------------------

workers.tomcat_home="E:\Program Files\wamp\tomcat"

workers.java_home="C:\Program Files\Java\jdk1.7.0_17"

worker.list=ajp13

worker.ajp13.port=8009

worker.ajp13.type=ajp13

worker.ajp13.host=localhost

worker.ajp13.lbfactor=1

--------------------------------------

注:workers.tomcat_home和workers.java_home分别为你的tomcat和jdk安装目录

4.配置tomcat的conf目录下的server.xml文件,修改tomcat默认根目录到WAMP的apache根目录

搜索"<Host"

将

-----------------------------------------------

<Host name="localhost"  appBase="webapps"

           unpackWARs="true" autoDeploy="true">

------------------------------------------------

改成

-----------------------------------------------

<Host name="localhost"  appBase="H:\MyProject"

           unpackWARs="true" autoDeploy="true">

------------------------------------------------

注:这里的"H:\MyProject"为我自定义的apache的DocumentRoot根目录,安装好默认目录在E:\Program Files\wamp\www下,这里请注意

并在该行下添加如下内容:

------------------------------------------------

<Context path="" docBase="H:\MyProject"></Context>

------------------------------------------------

5.配置apache主配置文件,加载mod_jk.so模块

注:确保之前将下载的JK包中的mod_jk.so解压到apache的module目录下

在E:\Program Files\wamp\bin\apache\Apache2.4.4\conf\http.conf中加入下面内容：

----------------------------------------------

LoadModule jk_module modules/mod_jk.so

JkWorkersFile "E:/Program Files/wamp/tomcat/conf/workers.properties"

JkLogFile "E:/Program Files/wamp/bin/apache/Apache2.4.4/logs/mod_jk.log"

JkMount /*.jsp ajp13

JkMount /servlet/* ajp13

JkLogLevel info

----------------------------------------------

6.重启tomcat与apache服务,测试jsp页面是否加载

在H:\MyProject下创建test.jsp文件，内容如下：

--------------------------------------

<%@ page contentType="text/html;charset=gb2312" %>

   <HTML>

     <HEAD><TITLE>JSP测试页面</TITLE></HEAD>

     <BODY><%out.println("<h1>Hello World! </h1>");%></BODY>

   </HTML>

---------------------------------------

打开浏览器,访问如下页面

http://localhost/test.jsp

http://localhost:8080/test.jsp

如图:

测试成功,说明apache调用tomcat进行jsp页面解析成功...

注:这里需要保证tomcat与apache同时开启

可以：

* 使用多域名SSL证书，可以实现一个IP，一个443端口上多个SSL虚拟主机；

* 一个ip，为所有SSL虚拟主机配置单独的端口。比如，默认的虚拟主机使用443，其他的使用8080或8081等，且每个SSL虚拟主机必须独占一个端口；

* 为Apache服务器配置多个IP，每个SSL虚拟主机独占IP。如果只有一张物理网卡，可以配置为网卡配置子接口；

* 使用mod_gnutls模块，创建多个SSL虚拟主机 

1. Apache中同一IP多个HTTPS虚拟主机的实现

在 Apache 文档中提到，不能在单个 IP 上同时有多个按名字识别的虚拟主机("named virtual host")。不完全是这样。

HTTPS协议的过程是：服务器首先与客户机之间进行服务器身份验证并协商安全会话，然后，客户端向服务器发送 HTTP 请求。这样一来，在客户端开始发送HTTP请求之前，服务器就已经把证书发给了客户端（客户端根据本地的根证书去验证证书链，等等）。而最重要的是，为了表明身份，这个证书的"Common Name"填写的应该是域名，否则浏览器会给出警告。

既然在这个过程中，客户端就所访问的域名所处的地位是"被告知"的地位，因此，客户端再发出的 Host: 请求头也就显得不那么有意义了。另一方面，如果客户请求的域名与Common Name不符，浏览器也会给出警告。至少，在表面上看是这样。

不过，对于自行签署的证书，以及一些发证机构而言，其实还可以签署一种普适HTTPS证书，这种证书的Common Name一栏是 *.domain.tld 这样的形式，即其主机名部分可以是任意字符串，而只有域名部分是确定的。
当然，这种证书的安全性有一定的负面影响：由于一个证书可以验证整个域下面的所有服务器，一旦其被破解，则所有加密通讯也就同时失密了（当然，可以每台服务器使用自己的单独的证书），不过这个问题并不是太严重，通常还算是尚可接受的范围。另一个潜在的影响是，某些手机上运行的浏览器不能正确处理这种证书，不过这个问题仅限于希望给手机提供服务的网站。

因此，简而言之，符合这样几个条件的前提下，是可以在同一个IP上部署多个HTTPS虚拟主机的：

a) 这些虚拟主机是同属于同一域名的子域名 

b) 拥有普适证书 

c) 正确地配置Apache。

如果要在一个IP地址上需要部署多个SSL网站，

（1）一种方法：如果要在同一个IP地址的443端口上部署多个网站，必须保证这些网站的域名都能匹配相同的一张SSL证书。这是因为SSL握手协议过程中,是通过IP+Port来进行通信，一个IP的一个端口只能返给客户一张SSL证书（即使有多张证书，也只能返回第一张，因为无法分辨用户会需要返回哪张证书），如果这张证书能够满足这些网站的主机名匹配要求（访问b.test.com时，使用a.test.com段的证书，证书中包含a.test.com,于虚拟主机中的主机名之一匹配），就可以使用。
一般能匹配多个主机名的证书有通配符证书*.domain.com和多域名证书(www.domain.com,ftp.domain.com 等)，以下我们提供一个典型同一个IP上的多主机名部署配置，www.domain.com对应的根目录在WWW下，ftp.domain.com对应的根目录在FTP下，

当然，这种证书的安全性有一定的负面影响：由于一个证书可以验证整个域下面的所有服务器，一旦其被破解，则所有加密通讯也就同时失密了（当然，可以每台服务器使用自己的单独的证书），不过这个问题并不是太严重，通常还算是尚可接受的范围。另一个潜在的影响是，某些手机上运行的浏览器不能正确处理这种证书，不过这个问题仅限于希望给手机提供服务的网站。

因此，简而言之，符合这样几个条件的前提下，是可以在同一个IP上部署多个HTTPS虚拟主机的：

a) 这些虚拟主机是同属于同一域名的子域名 

b) 拥有普适证书 

c) 正确地配置Apache。

如果要在一个IP地址上需要部署多个SSL网站，

（1）一种方法：如果要在同一个IP地址的443端口上部署多个网站，必须保证这些网站的域名都能匹配相同的一张SSL证书。这是因为SSL握手协议过程中,是通过IP+Port来进行通信，一个IP的一个端口只能返给客户一张SSL证书（即使有多张证书，也只能返回第一张，因为无法分辨用户会需要返回哪张证书），如果这张证书能够满足这些网站的主机名匹配要求（访问b.test.com时，使用a.test.com段的证书，证书中包含a.test.com,于虚拟主机中的主机名之一匹配），就可以使用。

一般能匹配多个主机名的证书有通配符证书*.domain.com和多域名证书(www.domain.com,ftp.domain.com 等)，以下我们提供一个典型同一个IP上的多主机名部署配置，www.domain.com对应的根目录在WWW下，ftp.domain.com对应的根目录在FTP下，http://www.domain.com与http://ftp.domain.com使用相同的证书：

NameVirtualHost 11.22.33.44:443

<VirtualHost 11.22.33.44:443>

DocumentRoot "C:/Apache2.2/htdocs/www"

ServerName http://www.domain.com

SSLEngine on

SSLCertificateFile "C:/Apache2.2/conf/server.cer"

SSLCertificateKeyFile "C:/Apache2.2/conf/server.key"

</VirtualHost>

<VirtualHost 11.22.33.44:443>

DocumentRoot "C:/Apache2.2/htdocs/ftp"

ServerName http://ftp.domain.com

SSLEngine on

SSLCertificateFile "C:/Apache2.2/conf/server.cer"

SSLCertificateKeyFile "C:/Apache2.2/conf/server.key"

</VirtualHost>

（2）另一种办法就是给每个网站分配不同的端口号；

<VirtualHost 11.22.33.44:443>

DocumentRoot "C:/Apache2.2/htdocs/www"

ServerName http://www.domain.com

SSLEngine on

SSLCertificateFile "C:/Apache2.2/conf/server.cer"

SSLCertificateKeyFile "C:/Apache2.2/conf/server.key"

</VirtualHost>

<VirtualHost 11.22.33.44:8443>

DocumentRoot "C:/Apache2.2/htdocs/ftp"

ServerName http://ftp.domain.com

SSLEngine on

SSLCertificateFile "C:/Apache2.2/conf/server.cer"

SSLCertificateKeyFile "C:/Apache2.2/conf/server.key"

</VirtualHost>

基于域名的虚拟主机只能使用同一个证书，或者说，即使有不同的证书，最终使用的都是排在前面的默认的第一个

2. Apache中一张网卡绑定不同IP实现多个HTTPS虚拟主机

一张网卡绑定多个ip，ifconfig eth0:0......

<VirtualHost 220.181.75.109:8443>

     ServerAdmin lala@corp.net.com

     DocumentRoot /home/lala/apache/htdocs/test

     ServerName a.test.com

     SSLEngine on

     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

     SSLCertificateFile /home/lala/apache/conf/ssl.key/server.crt

     SSLCertificateKeyFile /home/lala/apache/conf/ssl.key/server.key

     #Include /home/lala/apache/conf/ssl.conf

     #ErrorLog logs/dummy-a.test.com-error_log

     #CustomLog logs/a.test.com-access_log common

</VirtualHost>

<VirtualHost 220.181.75.65:8443>

     ServerAdmin lala@corp.net.com

     DocumentRoot /home/lala/apache/htdocs/test2

     ServerName d.test.com

     SSLEngine on

     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

     SSLCertificateFile /home/lala/apache/conf/ssl.key/server2.crt

     SSLCertificateKeyFile /home/lala/apache/conf/ssl.key/server2.key

     #Include /home/lala/apache/conf/ssl.conf

     #ErrorLog logs/dummy-a.test.com-error_log

     #CustomLog logs/a.test.com-access_log common

</VirtualHost>

------------------------------------

<VirtualHost *:80>

    DocumentRoot "/usr/local/www/www.abc.com.cn/"

    ServerAlias 1.1.1.1

    <Location />

    Order Deny,Allow

    Deny from all

    </Location>

</VirtualHost>

-------------------------------------

Apache自带的ab压力测试工具好，安装使用也特别方便。

1、适用系统：Linux

2、编译安装：

# wget http://blog.s135.com/soft/linux/webbench/webbench-1.5.tar.gz

# tar zxvf webbench-1.5.tar.gz

# cd webbench-1.5

# make && make install

3、使用：

# webbench -c 500 -t 30 http://127.0.0.1/test.jpg

参数说明：-c表示并发数，-t表示时间(秒)

4、测试结果示例：

Webbench - Simple Web Benchmark 1.5

Copyright (c) Radim Kolar 1997-2004, GPL Open Source Software.

Benchmarking: GET http://127.0.0.1/test.jpg

500 clients, running 30 sec.

Speed=3230 pages/min, 11614212 bytes/sec.

Requests: 1615 susceed, 0 failed.

APACHE版本:apache2.42(编译安装)

1.配置Limit模块

#wget http://dominia.org/djao/limit/mod_limitipconn-0.24.tar.bz2

安装:

#tar jxvf mod_limitipconn-0.24.tar.bz2

#cd mod_limitipconn-0.24

#vi Makefile

找到APXS这行,改成

APXS=/usr/local/apache2/bin/apxs

#make && make install

全局变量范例:

< IfModule mod_limitipconn.c >

< Location / >    # 所有虚拟主机的/目录

MaxConnPerIP 3      # 每IP只允许3个并发连接

NoIPLimit image/*   # 对图片不做IP限制

< /Location >

< Location /mp3 >   # 所有主机的/mp3目录

MaxConnPerIP 1          # 每IP只允许一个连接请求

OnlyIPLimit audio/mpeg video     # 该限制只对视频和音频格式的文件

< /Location >

< /IfModule >

# vi /usr/local/apache2/conf/httpd.conf

--------------------

ExtendedStatus On  

LoadModule limitipconn_module modules/mod_limitipconn.so

<IfModule mod_limitipconn.c> 

<Location />

MaxConnPerIP 6

NoIPLimit image/* 

</Location>

</IfModule> 

-------------------

2、配置webbench对网站进行压力测试：

#wget http://blog.s135.com/soft/linux/webbench/webbench-1.5.tar.gz

#tar zxvf webbench-1.5.tar.gz

#cd webbench-1.5

#make && make install

3、使用：

webbench -c 500 -t 30 http://127.0.0.1/

参数说明：-c表示并发数，-t表示时间(秒)

4、测试结果示例：

Webbench - Simple Web Benchmark 1.5

Copyright (c) Radim Kolar 1997-2004, GPL Open Source Software.

Benchmarking: GET http://127.0.0.1/

500 clients, running 30 sec.

Speed=3230 pages/min, 11614212 bytes/sec.

Requests: 1615 susceed, 0 failed.

Apache:   http-2.4.2

代理端，web服务器（192.168.7.12）：

# mkdir /usr/local/apache2/htdocs/files.abc.cn/

首先将在主配置文件http.conf下Module的注释去掉 

# vi /usr/local/apache2/conf/http.conf

找到以下3行，去掉#注释

-----------------

LoadModule proxy_module modules/mod_proxy.so 

LoadModule proxy_http_module modules/mod_proxy_http.so 

Include conf/extra/httpd-vhosts.conf 

-----------------

进入虚拟主机配置：

# vi /usr/local/apache2/conf/extra/httpd-vhosts.conf

<VirtualHost *:80>

    DocumentRoot "/usr/local/apache2/htdocs/files.abc.cn/"

    ServerAlias files.abc.cn

    proxypass /    http://192.168.7.11/

</VirtualHost>

被代理端，文件服务器（192.168.7.11）：

# vi /usr/local/apache2/conf/http.conf

找到下行，去掉#注释

-----------------

Include conf/extra/httpd-vhosts.conf

-----------------

进入虚拟主机配置：

# mkdir /usr/local/apache2/htdocs/files.abc.cn/

# vi /usr/local/apache2/conf/extra/httpd-vhosts.conf

-----------------

<VirtualHost *:80>

    DocumentRoot "/usr/local/apache2/htdocs/files.abc.cn/"

    ServerAlias 192.168.7.11

</VirtualHost>

-----------------

配置完毕

这样客户端浏览器访问域名http://files.abc.cn

通过http代理，即可访问到192.168.7.11上的资源

从而实现网站资源异步存储访问，缓解主服务器访问压力。

Apache 2.X  支持插入式并行处理模块，称为多路处理模块（MPM）。在编译apache时必须选择也只能选择一个MPM，对类UNIX系统，有几个不同的MPM可供选择，它们会影响到apache的速度和可伸缩性。

Prefork MPM : 这个多路处理模块(MPM)实现了一个非线程型的、预派生的web服务器，它的工作方式类似于Apache 1.3。它适合于没有线程安全库，需要避免线程兼容性问题的系统。它是要求将每个请求相互独立的情况下最好的MPM，这样若一个请求出现问题就不会影响到其他请求。

这个MPM具有很强的自我调节能力，只需要很少的配置指令调整。最重要的是将MaxClients设置为一个足够大的数值以处理潜在的请求高峰，同时又不能太大，以致需要使用的内存超出物理内存的大小。

Worker MPM : 此多路处理模块(MPM)使网络服务器支持混合的多线程多进程。由于使用线程来处理请求，所以可以处理海量请求，而系统资源的开销小于基于进程的MPM。但是，它也使用了多进程，每个进程又有多个线程，以获得基于进程的MPM的稳定性。

每个进程可以拥有的线程数量是固定的。服务器会根据负载情况增加或减少进程数量。一个单独的控制进程(父进程)负责子进程的建立。每个子进程可以建立ThreadsPerChild数量的服务线程和一个监听线程，该监听线程监听接入请求并将其传递给服务线程处理和应答。

不管是Worker模式或是Prefork 模式，Apache总是试图保持一些备用的(spare)或者是空闲的子进程（空闲的服务线程池）用于迎接即将到来的请求。这样客户端就不需要在得到服务前等候子进程的产生。

Event MPM：以上两种稳定的MPM方式在非常繁忙的服务器应用下都有些不足。尽管HTTP的Keepalive方式能减少TCP连接数量和网络负载，但是 Keepalive需要和服务进程或者线程绑定，这就导致一个繁忙的服务器会耗光所有的线程。 Event MPM是解决这个问题的一种新模型，它把服务进程从连接中分离出来。在服务器处理速度很快，同时具有非常高的点击率时，可用的线程数量就是关键的资源限 制，此时Event MPM方式是最有效的。一个以Worker MPM方式工作的繁忙服务器能够承受每秒好几万次的访问量（例如在大型新闻服务站点的高峰时），而Event MPM可以用来处理更高负载。值得注意的是，Event MPM不能在安全HTTP（HTTPS）访问下工作。

对于Event 模式，apache给出了以下警告：

This MPM is experimental, so it may or may not work as expected .

这种MPM目前处于试验状态，他可能不能按照预期的那样工作。

简单来讲：

1. prefork 中没有线程的概念，是多进程模型，一个进程处理一个连接；稳定；响应快。其缺点是在连接数比较大时就非常消耗内存。

2. worker 是多进程多线程模型，一个进程有多个线程，每个线程处理一个连接。与prefork相比，worker模式更节省系统的内存资源。不过，需要注意worker模式下的Apache与php等程序模块的兼容性。

3. event 是worker模式的变种，它把服务进程从连接中分离出来,在开启KeepAlive场合下相对worker模式能够承受的了更高的并发负载。event模式不能很好的支持https的访问（HTTP认证相关的问题）。