Installing Apache on Linux: a detailed walkthrough


I. Download the required packages

http://httpd.apache.org/download.cgi

http://apr.apache.org/download.cgi

https://sourceforge.net/projects/pcre/files/pcre/

http://tomcat.apache.org/download-connectors.cgi

https://www.openssl.org/source/

II. Installation

1. Installing apr

# tar -zxvf apr-1.6.3.tar.gz

# cd apr-1.6.3

# ./configure --prefix=/usr/local/apr/

# make && make install

2. Installing apr-util

# yum install expat-devel -y

# tar -zxvf apr-util-1.6.1.tar.gz

# cd apr-util-1.6.1

# ./configure --prefix=/usr/local/apr-util/ --with-apr=/usr/local/apr/

# make && make install

3. Installing pcre

# tar -zxvf pcre-8.41.tar.gz

# cd pcre-8.41

# ./configure --prefix=/usr/local/pcre/

# make && make install

4. Installing openssl

On CentOS, OpenSSL 3.0.0 and later also needs the IPC::Cmd Perl module before it will configure:

# yum install -y perl-CPAN

# perl -MCPAN -e shell

(inside the CPAN shell) install IPC::Cmd

# tar -zxvf openssl-1.0.2n.tar.gz

# cd openssl-1.0.2n

# ./config -fPIC --prefix=/usr/local/openssl  --openssldir=/usr/local/openssl shared zlib-dynamic enable-camellia

# make && make install

5. Installing httpd

# tar -zxvf httpd-2.4.29.tar.gz

# cp -r apr-1.6.3 httpd-2.4.29/srclib/apr

# cp -r apr-util-1.6.1 httpd-2.4.29/srclib/apr-util

# cd httpd-2.4.29/srclib/apr/

# make clean

# cd ../apr-util/

# make clean

# cd ../..

# ./configure --prefix=/usr/local/apache2 --enable-so --enable-modules=all --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --with-pcre=/usr/local/pcre --with-ssl=/usr/local/openssl --with-included-apr

(Error: "configure: error: Did not find pcre-config script at pcre". Fix: change the flag --with-pcre=/usr/local/pcre to --with-pcre=/usr/local/pcre/bin/pcre-config)

# make && make install

6. Installing tomcat-connectors

# tar -zxvf tomcat-connectors-1.2.42-src.tar.gz

# cd tomcat-connectors-1.2.42-src/native/

# ./configure --with-apxs=/usr/local/apache2/bin/apxs

# make && make install

III. Proxy configuration

Note: in conf/httpd.conf, ServerName xxx.xxx.com:80 needs to be changed to ServerName 127.0.0.1:80.

1. Reverse proxy: enable Apache's mod_proxy modules:

vi /usr/local/apache2/conf/httpd.conf

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

Enable httpd-vhosts.conf:

Include conf/extra/httpd-vhosts.conf

Reference configuration for httpd-vhosts.conf (ProxyPass rules are matched in configuration order, so the exclusions and the longer path come before the catch-all ProxyPass /):

<VirtualHost *:80>
ServerAdmin nic@abc.com
ServerName www.abc.com

RewriteEngine on
RewriteCond   %{HTTPS} !=on
RewriteRule   ^(.*)$  https://%{SERVER_NAME}$1 [L,R]

RewriteCond %{HTTP_HOST} ^www.abc.com$ [NC]
RewriteRule ^(.*)$ http://www.server.com/$1 [L,R]

ProxyPass /wordpress/  !
ProxyPassReverse /wordpress/  !

ProxyPass /llms/ ajp://127.0.0.1:8000/llms/
ProxyPassReverse /llms/ ajp://127.0.0.1:8000/llms/

ProxyPass / http://127.0.0.1:8080/llms/
ProxyPassReverse / http://127.0.0.1:8080/llms/

Alias /wordpress/  /home/wordpress/
<Directory "/home/wordpress/">
Options Indexes FollowSymLinks
DirectoryIndex index.html index.php
AllowOverride All
Order Deny,Allow
Allow from all
Require all granted
</Directory>

ErrorLog "logs/www.abc.com-error_log"
CustomLog "logs/www.abc.com-access_log" common
</VirtualHost>

Restricting where logins may come from (these exclusions must also precede the catch-all ProxyPass /; xx.xx.xx is the permitted address range):

ProxyPass /login.html !
ProxyPassReverse  /login.html !
<Location /login.html>
Order Deny,Allow
Deny from all
Allow from xx.xx.xx
</Location>

2. Load balancing configuration

To do load balancing with Apache, enable the mod_proxy related modules:

LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so

2.1 Define the cluster by adding the following configuration:

vi /usr/local/apache2/conf/extra/httpd-vhosts.conf

Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED

# exclusions for the management endpoint come before the catch-all ProxyPass /
ProxyPass /balancer-manager !
ProxyPassReverse  /balancer-manager !

ProxyPass / balancer://proxy/ stickysession=JSESSIONID nofailover=On lbmethod=bybusyness
ProxyPassReverse / balancer://proxy/

<Proxy balancer://proxy>
BalancerMember ajp://172.31.1.44:9211 loadfactor=1 route=sms9011 timeout=600 keepalive=on
BalancerMember ajp://172.31.1.44:9212 loadfactor=1 route=sms9012 timeout=600 keepalive=on
ProxySet stickysession=ROUTEID
</Proxy>

SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1

<Location />
Require all granted
</Location>

# management endpoint
<Location /balancer-manager>
SetHandler balancer-manager
Order Deny,Allow
Deny from all
Allow from all
</Location>

proxy is the name of the cluster (the balancer);

The BalancerMember directive adds the real server addresses to the load-balancing group; the ajp protocol can also be replaced with http;

loadfactor is the weight (this configuration is round-robin);

ProxyPass / ProxyPassReverse are the reverse proxy, changed to point at the cluster 'proxy';

<Location /balancer-manager> is used to monitor the load balancer's operation; it is recommended to disable it in production;

Visit http://localhost/balancer-manager/ to see the status of the load balancer.

2.2 Changing weights

If you do not want requests distributed evenly, change the loadfactor parameter of BalancerMember; the valid range is 1-100.

Setting ProxySet lbmethod changes the algorithm:

lbmethod=byrequests balances by request count (default)

lbmethod=bytraffic balances by traffic volume

lbmethod=bybusyness balances by busyness (always assigns to the server with the fewest active requests)
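To make the selection rules above concrete, here is an added Python simulation (not part of the original post and not Apache's own code) of how mod_proxy_balancer picks a BalancerMember: a request carrying a sticky-session value whose route suffix matches a member goes to that member regardless of load; otherwise byrequests applies Apache's weighted balance driven by loadfactor, and bybusyness prefers the member with the fewest in-flight requests. The member URLs and routes are the two BalancerMember lines from 2.1; the cookie values and busy counts are constructed.

```python
"""Simulate mod_proxy_balancer member selection: sticky routes, byrequests, bybusyness.

Added example; not part of the original post or of Apache's source code.
"""
from dataclasses import dataclass


@dataclass
class Member:
    url: str
    route: str
    loadfactor: int = 1   # BalancerMember loadfactor (1-100)
    lbstatus: int = 0     # running balance used by the byrequests scheduler
    busy: int = 0         # requests currently in flight on this member


def make_members(specs):
    """specs: iterable of (url, route, loadfactor) tuples as written in BalancerMember lines."""
    return [Member(url, route, lf) for url, route, lf in specs]


def route_from_session(value):
    """The route is the text after the last '.' of the session value, e.g. ROUTEID=.sms9011."""
    if value and "." in value:
        return value.rsplit(".", 1)[1] or None
    return None


def pick_byrequests(members):
    """Weighted round-robin as in mod_lbmethod_byrequests: every member's balance grows by
    its loadfactor, the highest balance wins and is charged the sum of all factors."""
    total, best = 0, None
    for m in members:
        m.lbstatus += m.loadfactor
        total += m.loadfactor
        if best is None or m.lbstatus > best.lbstatus:
            best = m
    best.lbstatus -= total
    return best


def pick_bybusyness(members):
    """Fewest in-flight requests wins; ties are broken by the byrequests balance."""
    total, best = 0, None
    for m in members:
        m.lbstatus += m.loadfactor
        total += m.loadfactor
        if (best is None or m.busy < best.busy
                or (m.busy == best.busy and m.lbstatus > best.lbstatus)):
            best = m
    best.lbstatus -= total
    return best


def choose(members, session_value=None, method="byrequests"):
    """Sticky route first (ignoring load), then the configured lbmethod."""
    route = route_from_session(session_value)
    if route:
        for m in members:
            if m.route == route:
                return m
    return pick_bybusyness(members) if method == "bybusyness" else pick_byrequests(members)


def simulate(members, session_values, method="byrequests"):
    """Return the route chosen for each request; session_values holds the sticky
    cookie value (or None) of each request, in arrival order."""
    return [choose(members, v, method).route for v in session_values]


if __name__ == "__main__":
    # The two BalancerMember lines from the configuration above, loadfactor=1 each.
    pool = make_members([("ajp://172.31.1.44:9211", "sms9011", 1),
                         ("ajp://172.31.1.44:9212", "sms9012", 1)])
    print("no cookie, equal weights :", simulate(pool, [None] * 4))
    print("cookie ROUTEID=.sms9012  :", simulate(pool, [".sms9012"] * 3))
    weighted = make_members([("ajp://172.31.1.44:9211", "sms9011", 3),
                             ("ajp://172.31.1.44:9212", "sms9012", 1)])
    print("no cookie, weights 3:1   :", simulate(weighted, [None] * 4))
```

With equal weights the routes alternate; with loadfactor 3 and 1 three of every four requests land on the first member; a request carrying a route cookie always returns to the member that set it, which is why nofailover=On in the ProxyPass line turns a dead sticky member into an error rather than a silent switch of server.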

IV. General security configuration

1. Hide and disguise the Apache version
Add to Apache's httpd.conf:
ServerSignature Off
ServerTokens Prod

2. Reduce CGI and SSL risk.
#ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
#<Directory "/usr/local/apache2/cgi-bin">
#    AllowOverride None
#    Options None
#    Order allow,deny
#    Allow from all
#</Directory>

3. Prevent Apache directory listing by setting the option to:
Options FollowSymLinks

4. Disable TraceEnable
Add at the end of httpd.conf:
TraceEnable off
and:
Confirm the rewrite module is active (in httpd.conf, the following line has no leading #):
LoadModule rewrite_module modules/mod_rewrite.so
- Add the following statements to each virtual host's configuration:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

5. Prevent denial-of-service attacks
AcceptFilter http data
AcceptFilter https data

6. Forbid request methods other than GET and POST (such as PROPFIND, OPTIONS, etc.)

<Location />
<LimitExcept GET POST >
Order deny,allow
Deny from all
</LimitExcept>
</Location>

7. Timeout and KeepAlive configuration
Timeout 300
ProxyTimeout 300
KeepAlive On
KeepAliveTimeout 300

8. Set error page redirection
ErrorDocument 400 /custom.html
ErrorDocument 401 /custom.html
ErrorDocument 403 /custom.html
ErrorDocument 404 /custom.html
ErrorDocument 405 /custom.html
ErrorDocument 500 /custom.html

9. Bind the listening address
Listen xx.xx.xx.xx:80

10. Prevent slow HTTP attacks
<IfModule reqtimeout_module>
RequestReadTimeout header=20-40,MinRate=500 body=20-100,MinRate=500
</IfModule>

Install mod_qos:
cd mod_qos-11.36/apache2
/usr/local/apache2/bin/apxs -i -c mod_qos.c
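As an added check (not part of the original post and not an Apache tool), the following Python script reads an httpd.conf-style text and reports which of the settings asked for in items 1 to 10 above are missing or weak: ServerTokens Prod, ServerSignature Off, TraceEnable off, no Options Indexes, a Listen bound to one address, a RequestReadTimeout present, plus two points from elsewhere on this page, an SSLProtocol that enables SSLv2/SSLv3/TLSv1 and a balancer-manager left open with Allow from all. The two sample configurations are constructed for the demonstration; the parser only handles the directive and <Section ...> syntax used on this page.

```python
"""Audit an httpd.conf-style text for the hardening settings listed in this section.

Added example; not part of the original post and not an Apache tool.
"""
import re

SECTION_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")
LEGACY_PROTOCOLS = {"sslv2", "sslv3", "tlsv1"}
ALL_PROTOCOLS = LEGACY_PROTOCOLS | {"tlsv1.1", "tlsv1.2", "tlsv1.3"}


def parse_conf(text):
    """Yield (section_path, directive, args); names are lower-cased because Apache
    treats directive and section names case-insensitively. Comments are skipped."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append((m.group(1).lower() + " " + m.group(2).strip()).strip())
            continue
        parts = line.split(None, 1)
        yield tuple(stack), parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def enabled_protocols(args):
    """Evaluate an SSLProtocol expression such as '-ALL +TLSv1.2 +TLSv1.3' or 'all -SSLv3'."""
    enabled = set()
    for tok in args.lower().split():
        sign = tok[0] if tok[0] in "+-" else "+"
        name = tok.lstrip("+-")
        group = ALL_PROTOCOLS if name == "all" else {name}
        enabled = (enabled | group) if sign == "+" else (enabled - group)
    return enabled


def audit(text):
    """Return a sorted list of (code, detail) findings for the settings this section asks for."""
    findings = []
    seen = {}
    for path, name, args in parse_conf(text):
        seen.setdefault(name, []).append(args)
        where = " > ".join(path) or "global scope"
        if name == "options" and "indexes" in args.lower().split():
            findings.append(("options-indexes", f"directory listing enabled in {where}"))
        if name == "listen":
            host, sep, _port = args.split()[0].rpartition(":")
            if not sep or host in ("0.0.0.0", "*", "[::]"):
                findings.append(("listen-wildcard", f"Listen {args} is not bound to one address"))
        if name == "allow" and args.lower() == "from all" and any("balancer-manager" in p for p in path):
            findings.append(("balancer-manager-open", f"'Allow from all' in {where}"))
        if name == "sslprotocol":
            legacy = enabled_protocols(args) & LEGACY_PROTOCOLS
            if legacy:
                findings.append(("ssl-legacy-protocol", "SSLProtocol enables " + ", ".join(sorted(legacy))))
    # directives that must be present with one specific value (last occurrence wins, as in Apache)
    for name, wanted in {"servertokens": "prod", "serversignature": "off", "traceenable": "off"}.items():
        values = [a.lower() for a in seen.get(name, [])]
        if not values or values[-1] != wanted:
            found = values[-1] if values else "nothing"
            findings.append((name, f"{name} should be {wanted}, found {found}"))
    if "requestreadtimeout" not in seen:
        findings.append(("request-read-timeout", "no RequestReadTimeout (slow-request protection) configured"))
    return sorted(findings)


# Constructed sample: a configuration with several of the weaknesses this section addresses.
WEAK_CONF = """\
ServerTokens OS
ServerSignature On
Listen 80
TraceEnable off
SSLProtocol all -SSLv2 -SSLv3
<VirtualHost *:80>
    Options Indexes FollowSymLinks
    <Location /balancer-manager>
        SetHandler balancer-manager
        Order Deny,Allow
        Deny from all
        Allow from all
    </Location>
</VirtualHost>
"""

# Constructed sample: the same settings with this section's recommendations applied.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
Listen 192.0.2.10:80
TraceEnable off
SSLProtocol -ALL +TLSv1.2 +TLSv1.3
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20-100,MinRate=500
</IfModule>
<VirtualHost 192.0.2.10:80>
    Options FollowSymLinks
</VirtualHost>
"""

if __name__ == "__main__":
    for code, detail in audit(WEAK_CONF):
        print(f"{code:24} {detail}")
    print("hardened config findings:", audit(HARDENED_CONF))
```

Run it against a real httpd.conf by reading the file into audit(); the script does not follow Include lines, so concatenate the extra/*.conf files you actually load before auditing.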

11. Disable any unnecessary modules
Apache typically installs several modules, but the following are commonly enabled without being of much use: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex

12. Make sure Apache runs under its own user account and group, treat support for .htaccess files with caution, and use the latest, most secure version

13. Make Apache support .shtml files so that include files are parsed

Confirm the include module is loaded by removing the comment:

LoadModule include_module modules/mod_include.so

In the AddType section, uncomment these two lines:

AddType text/html .shtml

AddOutputFilter INCLUDES .shtml

In the directory permissions, find Options Indexes FollowSymLinks and add Includes,

changing it to: Options Indexes FollowSymLinks Includes.

14. Increase the site's concurrency

<IfModule mpm_event_module>
ServerLimit            200
StartServers             5
MinSpareThreads        25
MaxSpareThreads        150
ThreadsPerChild         50
MaxRequestWorkers     8000
MaxConnectionsPerChild   0
</IfModule>

15. Raise Apache's file upload limit to 500M

LimitRequestBody 524288000

16. Rotate Apache logs daily

Change CustomLog "logs/access.log" common to: CustomLog "|/usr/local/apache2/bin/rotatelogs  logs/www.xx.com%Y_%m_%d-access_log 86400 480" common

Change ErrorLog "logs/error.log" to: ErrorLog "|/usr/local/apache2/bin/rotatelogs  logs/www.xx.com%Y_%m_%d-error_log 86400 480"

17. Limit per-IP concurrency and control bandwidth in Apache

Use the mod_limitipconn module to limit concurrent connections per IP

Download: http://dominia.org/djao/limit/mod_limitipconn-0.24.tar.bz2

Install:

tar -jxvf mod_limitipconn-0.24.tar.bz2

cd mod_limitipconn-0.24

/usr/local/apache2/bin/apxs -c -i mod_limitipconn.c

Edit httpd.conf:
LoadModule limitipconn_module modules/mod_limitipconn.so

ExtendedStatus On

<VirtualHost *:80>
<IfModule mod_limitipconn.c>
<Location />
MaxConnPerIP 5
NoIPLimit image/*
</Location>
</IfModule>
</VirtualHost>

Use the mod_bandwidth module to limit bandwidth

Download: http://bwmod.sourceforge.net/files/mod_bw-0.7.tgz

tar -zxvf mod_bw-0.7.tgz
cd mod_bw
/usr/local/apache2/bin/apxs -c -i mod_bw.c

Fixing build errors:

vi mod_bw.c

Replace every remote_ip with client_ip and every remote_addr with client_addr, and wrap the version-dependent macros like this:

#ifdef APR_MAJOR_VERSION  // add this line
#if (APR_MAJOR_VERSION < 1)
#define apr_atomic_inc32 apr_atomic_inc
#define apr_atomic_dec32 apr_atomic_dec
#define apr_atomic_add32 apr_atomic_add
#define apr_atomic_cas32 apr_atomic_cas
#define apr_atomic_set32 apr_atomic_set
#endif
#endif // add this line

Edit httpd.conf:

LoadModule bw_module modules/mod_bw.so

<VirtualHost *:80>
ServerName xxxxx
DocumentRoot  /xxxx
BandwidthModule On
ForceBandWidthModule On
Bandwidth all 10240000
MinBandwidth all 500000
LargeFileLimit * 500 50000
MaxConnection all 6
</VirtualHost>

18. HTTPS protocol configuration

SSLProtocol -ALL +TLSv1.1 +TLSv1.2 +TLSv1.3

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE:!3DES:+MEDIUM

19. Reverse-proxying an HTTPS backend over HTTP requires enabling SSLProxyEngine

SSLProxyEngine On

ProxyPass   /career-api/  https://career.hkust-gz.edu.cn/career/external/zpcareer/zpHubList
ProxyPassReverse   /career-api/   https://career.hkust-gz.edu.cn/career/external/zpcareer/zpHubList

20. Apache as a reverse proxy: passing the real client IP to the backend

mod_proxy adds the X-Forwarded-For header itself; mod_remoteip is configured on the Apache instance that receives the header and makes the original client address visible to logging and access control, but only when the connection comes from a proxy listed in RemoteIPInternalProxy (here 127.0.0.1), so an arbitrary client cannot spoof its address by sending the header.

Required module:
LoadModule remoteip_module modules/mod_remoteip.so
Add to httpd.conf:
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1
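To show why RemoteIPInternalProxy matters for the login restriction in section III and for the access logs, here is an added Python model (not part of the original post and not Apache's code) of the walk mod_remoteip performs over X-Forwarded-For: starting from the TCP peer, it moves one address to the left for every hop that is a listed proxy and stops at the first address that is not. The addresses and headers are constructed from documentation ranges; login_allowed is a hypothetical helper standing in for an Allow from / Require ip check on /login.html.

```python
"""Resolve the real client address the way mod_remoteip does with RemoteIPInternalProxy.

Added example; not part of the original post or of Apache's source code. Addresses and
headers used below are constructed (documentation ranges).
"""
import ipaddress


def resolve_client_ip(peer_addr, xff_header, internal_proxies):
    """Return (client_ip, remaining_header).

    Starting from the TCP peer, walk X-Forwarded-For from right to left: while the current
    address belongs to a RemoteIPInternalProxy entry, the next address to the left becomes
    the client. The first address that is not a listed proxy is the client, and whatever is
    left of the header stays as-is. A peer that is not a listed proxy therefore cannot
    override its own address by sending the header.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in internal_proxies]

    def is_internal(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    chain = [a.strip() for a in xff_header.split(",") if a.strip()] if xff_header else []
    client = peer_addr
    while chain and is_internal(client):
        candidate = chain.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            chain.append(candidate)   # malformed entry: stop walking, keep the header intact
            break
        client = candidate
    return client, ", ".join(chain)


def login_allowed(peer_addr, xff_header, internal_proxies, allowed_range):
    """Hypothetical stand-in for 'Allow from <range>' on /login.html: in httpd 2.4 host-based
    access control is evaluated against the address mod_remoteip resolved, not the proxy's."""
    client, _ = resolve_client_ip(peer_addr, xff_header, internal_proxies)
    return ipaddress.ip_address(client) in ipaddress.ip_network(allowed_range, strict=False)


if __name__ == "__main__":
    trusted = ["127.0.0.1"]                      # the RemoteIPInternalProxy line above
    cases = [
        ("127.0.0.1", "203.0.113.9"),            # request relayed by the local proxy
        ("127.0.0.1", "10.0.0.5, 203.0.113.9"),  # two hops, only the nearest is trusted
        ("198.51.100.7", "203.0.113.9"),         # direct client trying to spoof the header
    ]
    for peer, xff in cases:
        client, rest = resolve_client_ip(peer, xff, trusted)
        print(f"peer={peer:14} XFF={xff!r:28} -> client={client} (left: {rest!r})")
```

The third case is the one to remember: a client that connects directly with a forged X-Forwarded-For keeps its own address, because 198.51.100.7 is not in RemoteIPInternalProxy. Listing a broad range there (or the whole Internet) would hand that spoofing ability back to every client.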