关闭

Linux环境下,apache设置禁止恶意域名绑定和直接ip访问方法

标签: linuxapachessl恶意域名ip访问
1682人阅读 评论(0) 收藏 举报
分类:

       为了防止恶意域名绑定到自己的服务器ip上以及直接通过ip访问方式访问。我们可以通过apache配置可以实现这一目的,具体操作步骤如下。

第一步,httpd.conf配置设置

  • 启用虚拟主机、ssl、重写模块

LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so

  • 禁用根目录访问

<Directory />
    AllowOverride None
    Require all denied
</Directory>

  • 允许htdocs目录访问

DocumentRoot "/usr/local/httpd/htdocs"
<Directory "/usr/local/httpd/htdocs">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #

    # cache 
       

    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all denied
</Directory>

httpd-vhosts.conf中配置

   将所有未知的域名访问和直接的ip访问独立一个虚拟主机,并将该主机设置为拒绝访问。对于正式域名访问独立一个虚拟主机访问,并设置为允许访问。注意必须将拒绝的虚拟主机放在第一个。

<VirtualHost *:80>
    ServerAdmin unAllowedDomain
    DocumentRoot "/usr/local/httpd/htdocs"
    ErrorLog "/home/logs/apache/unAllowedDomain-error_log"
    CustomLog "/home/logs/apache/unAllowedDomain-access_log" common
    <Directory "/usr/local/httpd/htdocs">
        AllowOverride None
        Require all denied
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin xxxx.cn
    ServerName www.xxxx.cn
    ServerAlias xxxx.cn
    DocumentRoot "/usr/local/httpd/htdocs"
    ErrorLog "/home/logs/apache/xxxx-error_log"
    CustomLog "/home/logs/apache/xxxx-access_log" common

    <Directory "/usr/local/httpd/htdocs">
        AllowOverride all
        Require all granted
    </Directory>
</VirtualHost>

httpd-ssl.conf中配置

如果使用了ssl证书访问,这个时候像拒绝https://ip访问需要做如下操作。仍然需要创建一个不允许域名访问虚拟主机站点,并设置为拒绝状态,并且放在第一个。ssl虚拟主机需要注意以下两点:

  • serverName必须带上端口号,80端口是默认的因此不需要带端口号
  • xxxx.cn无法作为别名进行访问,ServerAlias xxxx.cn:443是无效的,因此需要单独一个虚拟主机站点访问

<VirtualHost *:443>
	DocumentRoot "/usr/local/httpd/htdocs"
	ServerAdmin unAllowedDomain
	ErrorLog "/usr/local/httpd/logs/error_log"
	TransferLog "/usr/local/httpd/logs/access_log"

	SSLEngine on

	SSLCertificateFile "/usr/local/httpd/conf/server.crt"
	SSLCertificateKeyFile "/usr/local/httpd/conf/server.key"
	SSLCertificateChainFile "/usr/local/httpd/conf/server-ca.crt"

	<FilesMatch "\.(cgi|shtml|phtml|php)$">
	    SSLOptions +StdEnvVars
	</FilesMatch>

	<Directory "/usr/local/httpd/htdocs">
	    SSLOptions +StdEnvVars
	    AllowOverride None
	    Require all denied
	</Directory>

	<Directory "/usr/local/httpd/cgi-bin">
	    SSLOptions +StdEnvVars
	    AllowOverride None
            Require all denied
	</Directory>

	BrowserMatch "MSIE [2-5]" \
		 nokeepalive ssl-unclean-shutdown \
		 downgrade-1.0 force-response-1.0

	CustomLog "/usr/local/httpd/logs/ssl_request_log" \
		  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>                                                                       
  
<VirtualHost *:443>
	DocumentRoot "/usr/local/httpd/htdocs"
	ServerName www.xxxx.cn:443
	ServerAdmin you@example.com
	ErrorLog "/usr/local/httpd/logs/error_log"
	TransferLog "/usr/local/httpd/logs/access_log"

	SSLEngine on
	SSLCertificateFile "/usr/local/httpd/conf/server.crt"
	SSLCertificateKeyFile "/usr/local/httpd/conf/server.key"
	SSLCertificateChainFile "/usr/local/httpd/conf/server-ca.crt"

	<FilesMatch "\.(cgi|shtml|phtml|php)$">
	    SSLOptions +StdEnvVars
	</FilesMatch>

        <Directory "/usr/local/httpd/htdocs">
            AllowOverride all
            Require all granted
        </Directory>
        <Directory "/usr/local/httpd/cgi-bin"> 
            SSLOptions +StdEnvVars
        </Directory>
 
        BrowserMatch "MSIE [2-5]" \ 
        nokeepalive ssl-unclean-shutdown \ 
        downgrade-1.0 force-response-1.0CustomLog "/usr/local/httpd/logs/ssl_request_log" \ 
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "/usr/local/httpd/htdocs"
    ServerName xxxx.cn:443
    ServerAdmin you@example.com
    ErrorLog "/usr/local/httpd/logs/error_log"
    TransferLog "/usr/local/httpd/logs/access_log"
    SSLEngine onSSLCertificateFile "/usr/local/httpd/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/httpd/conf/server.key"
    SSLCertificateChainFile "/usr/local/httpd/conf/server-ca.crt"
    <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars</FilesMatch>
    <Directory "/usr/local/httpd/htdocs">
<pre name="code" class="html">         AllowOverride all
         Require all granted
    </Directory>
<Directory "/usr/local/httpd/cgi-bin"> SSLOptions +StdEnvVars</Directory>
BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "/usr/local/httpd/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
"%r\" %b"
</VirtualHost>




0
0

查看评论
* 以上用户言论只代表其个人观点,不代表CSDN网站的观点或立场
    个人资料
    • 访问:530481次
    • 积分:7984
    • 等级:
    • 排名:第2569名
    • 原创:234篇
    • 转载:225篇
    • 译文:1篇
    • 评论:19条
    文章分类
    最新评论