# 檢查系統(tǒng)版本
cat /etc/redhat-release
# 檢查內核版本
uname -r
# 檢查磁盤空間
df -h
# 檢查內存
free -m

# 更新系統(tǒng)軟件包
sudo yum update -y
# 安裝常用工具
sudo yum install -y wget vim net-tools

# 檢查防火墻狀態(tài)
sudo systemctl status firewalld
# 開放端口
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

# 檢查 SELinux 狀態(tài)
getenforce
# 臨時關閉（如需）
sudo setenforce 0
# 永久關閉（如需）
sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

# 安裝httpd主程序
sudo yum install -y httpd
# 驗證安裝版本
httpd -v
# 啟動服務并設置開機自啟
sudo systemctl start httpd
sudo systemctl enable httpd
# 檢查服務狀態(tài)（應顯示active/running）
sudo systemctl status httpd
# 查看監(jiān)聽端口（默認80）
sudo netstat -tulnp | grep httpd

# 查看防火墻狀態(tài)
sudo firewall-cmd --state
# 永久開放HTTP(80)和HTTPS(443)服務
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
# 如果需要開放自定義端口（如8080）
sudo firewall-cmd --permanent --add-port=8080/tcp
# 重新加載防火墻配置
sudo firewall-cmd --reload
# 查看當前開放的端口和服務
sudo firewall-cmd --list-all

/etc/httpd/
├── conf/                  # 主配置目錄
│   ├── httpd.conf         # 主配置文件
│   └── magic              # 文件類型識別
├── conf.d/                # 附加配置文件目錄
│   ├── autoindex.conf     # 目錄列表配置
│   ├── userdir.conf       # 用戶目錄配置
│   └── welcome.conf       # 默認歡迎頁
├── conf.modules.d/        # 模塊配置文件
├── logs -> ../../var/log/httpd  # 日志目錄
├── modules/               # 模塊文件
├── run/                   # PID文件
└── state/                 # 狀態(tài)文件
/var/www/html/             # 默認網站根目錄
/var/log/httpd/            # 日志目錄（access_log, error_log）

sudo vim /etc/httpd/conf/httpd.conf

# 全局配置
ServerRoot "/etc/httpd"       # 服務器根目錄
Listen 80                     # 監(jiān)聽端口
User apache                   # 運行用戶
Group apache                  # 運行組
ServerAdmin webmaster@example.com # 管理員郵箱
# 主服務器配置
ServerName www.example.com:80 # 服務器域名
DocumentRoot "/var/www/html"  # 網站根目錄
ErrorLog "logs/error_log"     # 錯誤日志路徑
# 目錄權限設置
<Directory "/var/www/html">
    Options Indexes FollowSymLinks  # 允許目錄列表和符號鏈接
    AllowOverride None        # 是否允許.htaccess覆蓋
    Require all granted       # 訪問控制
</Directory>
# 日志格式定義
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

sudo mkdir -p /var/www/example.com/public_html
sudo mkdir -p /var/www/test.com/public_html
sudo chown -R apache:apache /var/www/example.com
sudo chown -R apache:apache /var/www/test.com

sudo vim /etc/httpd/conf.d/vhosts.conf

# 第一個虛擬主機
<VirtualHost *:80>
    ServerAdmin admin@example.com
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com/public_html
    ErrorLog /var/log/httpd/example.com-error.log
    CustomLog /var/log/httpd/example.com-access.log combined
    <Directory "/var/www/example.com/public_html">
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    # 重定向非www到www
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^example\.com [NC]
    RewriteRule ^(.*)$ http://www.example.com$1 [L,R=301]
</VirtualHost>
# 第二個虛擬主機
<VirtualHost *:80>
    ServerName test.com
    DocumentRoot /var/www/test.com/public_html
    ...
</VirtualHost>

# 在httpd.conf中添加
ServerTokens Prod       # 僅顯示Apache
ServerSignature Off     # 關閉頁腳簽名
TraceEnable Off         # 禁用TRACE方法

<DirectoryMatch "^/.*/\.(svn|git|ht)/">
    Require all denied
</DirectoryMatch>
<Files ".ht*">
    Require all denied
</Files>

<Location "/">
    <LimitExcept GET POST HEAD>
        Deny from all
    </LimitExcept>
</Location>

sudo yum install -y mod_ssl openssl

# 創(chuàng)建證書目錄
sudo mkdir /etc/httpd/ssl
sudo chmod 700 /etc/httpd/ssl
# 生成自簽名證書（測試用）
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/httpd/ssl/server.key \
    -out /etc/httpd/ssl/server.crt \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Inc/CN=example.com"

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot "/var/www/example.com/public_html"
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    # 強制HTTP跳轉到HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    # 啟用HSTS
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>

sudo vim /etc/httpd/conf.modules.d/00-mpm.conf

LoadModule mpm_event_module modules/mod_mpm_event.so

<IfModule mpm_event_module>
    StartServers             3
    MinSpareThreads         75
    MaxSpareThreads        250
    ThreadsPerChild         25
    MaxRequestWorkers      400
    MaxConnectionsPerChild   0
</IfModule>

LoadModule deflate_module modules/mod_deflate.so
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/css text/javascript application/javascript
    DeflateCompressionLevel 6
    SetOutputFilter DEFLATE
</IfModule>

LoadModule expires_module modules/mod_expires.so
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType text/css "access plus 1 week"
    ExpiresDefault "access plus 2 days"
</IfModule>

sudo bash -c 'cat > /var/www/html/index.html <<EOF
<!DOCTYPE html>
<html>
<head>
    <title>Apache Test Page</title>
    <meta charset="UTF-8">
</head>
<body>
    <h1>Apache HTTP Server Works!</h1>
    <p>Server time: <?php echo date("Y-m-d H:i:s"); ?></p>
</body>
</html>
EOF'

sudo httpd -t

sudo systemctl reload httpd
# 或完全重啟
sudo systemctl restart httpd

# 查看錯誤日志
sudo tail -50 /var/log/httpd/error_log
# 查看訪問日志
sudo tail -f /var/log/httpd/access_log
# 測試端口連通性
telnet your-server-ip 80
nc -zv your-server-ip 80
# SELinux相關檢查
sudo ausearch -m avc -ts recent  # 查看安全事件
sudo sealert -a /var/log/audit/audit.log  # 分析SELinux問題

# 臨時設置
sudo setenforce 0   # 寬松模式
sudo setenforce 1   # 強制模式
# 永久設置（編輯/etc/selinux/config）
SELINUX=enforcing  # 強制模式
SELINUX=permissive # 僅記錄不阻止
SELINUX=disabled   # 完全禁用
# 調整文件上下文標簽
sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"
sudo restorecon -Rv /var/www/html

LoadModule rewrite_module modules/mod_rewrite.so
<Directory "/var/www/html">
    RewriteEngine On
    # 示例1：重定向舊URL
    RewriteRule ^oldpage\.html$ newpage.html [R=301,L]
    # 示例2：隱藏.php擴展名
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME}\.php -f
    RewriteRule ^(.*)$ $1.php [L]
</Directory>

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<Location "/app/">
    ProxyPass http://localhost:8080/
    ProxyPassReverse http://localhost:8080/
</Location>

sudo yum install -y mod_http2

LoadModule http2_module modules/mod_http2.so
Protocols h2 http/1.1
<VirtualHost *:443>
    ...
    Protocols h2 http/1.1
    H2Direct on
</VirtualHost>

# 安裝GoAccess日志分析工具
sudo yum install -y goaccess
# 生成HTML報告
goaccess /var/log/httpd/access_log -a -o /var/www/html/report.html

# 檢查配置更改
sudo apachectl configtest
# 優(yōu)雅重啟（不中斷連接）
sudo apachectl graceful
# 查看已加載模塊
sudo apachectl -M
# 查看完整配置
sudo apachectl -S

sudo vim /etc/logrotate.d/httpd

/var/log/httpd/*log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    sharedscripts
    postrotate
        /bin/systemctl reload httpd > /dev/null 2>/dev/null || true
    endscript
}

# 安裝mod_status用于服務器狀態(tài)監(jiān)控
sudo yum install -y mod_status

<Location "/server-status">
    SetHandler server-status
    Require ip 192.168.1.0/24  # 限制訪問IP
</Location>

# 備份配置文件
sudo tar czvf httpd_conf_backup.tar.gz /etc/httpd/
# 備份網站數(shù)據
sudo tar czvf web_content_backup.tar.gz /var/www/
# 備份SSL證書
sudo tar czvf ssl_certs_backup.tar.gz /etc/httpd/ssl/

# 停止服務
sudo systemctl stop httpd
# 恢復配置
sudo tar xzvf httpd_conf_backup.tar.gz -C /
# 恢復網站內容
sudo tar xzvf web_content_backup.tar.gz -C /
# 恢復證書
sudo tar xzvf ssl_certs_backup.tar.gz -C /
# 重啟服務
sudo systemctl start httpd