一、基于用户的访问控制

1、控制类型

  • 认证质询:WWW-Authenticate:响应码为401,拒绝客户端请求,并说明要求客户端提供账号和密码

  • 认证:Authorization:客户端用户填入账号和密码后再次发送请求报文;认证通过时,则服务器发送相应的资源

  • 认证方式两种
        basic:明文(账号和密码仅做 Base64 编码,并未加密,应配合 HTTPS 使用)
        digest:消息摘要认证,兼容性差

  • 安全域:需要用户认证后方能访问的路径;应该通过名称对其进行标识,以便于告知用户认证的原因

  • 用户的账号和密码
        虚拟账号:仅用于访问某服务时用到的认证标识
        存储方法:文本文件,SQL数据库,ldap目录存储,nis等


2、basic认证配置

  • (1) 定义安全域
        <Directory "/path">
            Options None
            AllowOverride None
            AuthType Basic(验证方法)
            AuthName "String"(描述信息)
            AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"(账户文件存放位置)
            Require user username1 username2 ...(允许用户为哪些)
        </Directory>
        允许账号文件中的所有用户登录访问:
            Require valid-user

 

  • (2) 提供账号和密码存储(文本文件)

        使用专用命令完成此类文件的创建及用户管理

        htpasswd [options] /PATH/HTTPD_PASSWD_FILE username

        -c:自动创建文件,仅应该在文件不存在时使用

        -m:md5格式哈希(httpd 2.4 起为默认方式;注意下方实验中 http1 用 -c 创建时未指定 -m,httpd 2.2 生成的是 crypt 格式条目,与“默认 md5”不符,以实际生成的文件为准)

        -s: sha格式加密

        -D:删除指定用户

#实验:创建加密的用户及密码
[root@Centos6-serverconf.d]#pwd
/etc/httpd/conf.d

[root@Centos6-serverconf.d]#ls -a
.  ..  .httpusers  

[root@Centos6-serverconf.d]#htpasswd -c .httpusers http1
New password: 
Re-type new password: 
Adding password for user http1

[root@Centos6-serverconf.d]#htpasswd -s .httpusers http2
Adding password for user http2

[root@Centos6-serverconf.d]#htpasswd -m .httpusers http3
Adding password for user http3

[root@Centos6-serverconf.d]#cat .httpusers 
http1:b4QECtkC6VarQ                                   --->未指定 -m/-s,httpd 2.2 生成的 crypt 格式
http2:{SHA}s6VCX366xaGxnQ00QYzgpPZKelE=               --->-s:{SHA} 前缀,无盐 SHA1
http3:$apr1$H31NOGIE$tafiBf6tKSZmId1VqUz1H0           --->-m:$apr1$ 前缀,带盐的 Apache MD5

[root@Centos6-serverconf.d]#mkdir /app/website/secret
[root@Centos6-serverconf.d]#echo /app/website/secret/index.html > /app/website/secret/index.html

[root@Centos6-serverconf.d]#vim auth.conf
<Directory /app/website/secret>
        Authtype Basic
        AuthName "Admin dir"
        AuthUserFile "/etc/httpd/conf.d/.httpusers"           --->文件名须与上面 htpasswd 创建的 .httpusers 一致
        Require user http1 http2                                                                       
</Directory>
[root@Centos6-serverconf.d]#service httpd restart 

[root@centos7mini~]#curl -I http://<服务器IP>/secret/       --->原文此处 URL 丢失,<服务器IP> 为占位符
HTTP/1.1 401 Authorization Required                       --->401提示
Date: Wed, 24 Jan 2018 07:19:41 GMT
Server: Apache
WWW-Authenticate: Basic realm="Admin dir"
Connection: close
Content-Type: text/html; charset=iso-8859-1

 

 

TIM图片20180128162214.pngTIM图片20180128162822.png

  • 基于组账号进行认证

        (1) 定义安全域
        <Directory "/path">
            AuthType Basic
            AuthName "String"
            AuthUserFile "/PATH/HTTPD_USER_PASSWD_FILE"
            AuthGroupFile "/PATH/HTTPD_GROUP_FILE"
            Require group grpname1 grpname2 ...
        </Directory>

        (2) 创建用户账号和组账号文件;

        组文件:每一行定义一个组
        GRP_NAME: username1 username2 ...

  • 示例:
        <Directory "/www/htdocs/admin">
            Options None
            AllowOverride None
            AuthType Basic
            AuthName "Administrator private"
            AuthUserFile "/etc/httpd/conf.d/.httpusers"
            AuthGroupFile "/etc/httpd/conf.d/.httpgroups"

            Require group admins

        </Directory>
        vim /etc/httpd/conf.d/.httpgroups

        admins: http1 http3
        users: http2 

[root@Centos6-serverconf.d]#vim auth.conf 
<Directory /app/website/secret>
        Authtype Basic
        AuthName "Administrator private"
        AuthUserFile "/etc/httpd/conf.d/.httpusers"
        AuthGroupFile "/etc/httpd/conf.d/.httpgroups"
        Require group admins                                                                           
</Directory>

[root@Centos6-serverconf.d]#vim .httpgroups
admins: http1 http3
users: http2

 

3、远程客户端和用户验证的控制

  • Satisfy All|Any(httpd 2.2 的指令;httpd 2.4 中改用 <RequireAll>/<RequireAny> 组合多条 Require 规则)
        All 客户机IP和用户验证都需要通过才可以
        Any 客户机IP和用户验证,有一个满足即可(注意:此时来自 Allow 网段的客户端无需账号密码即可访问)

  • 示例:
        Require valid-user
        Order allow,deny
        Allow from 192.168.1
        Satisfy Any


4、实现用户家目录的http共享

  • 基于模块mod_userdir.so实现

  • SELinux: 布尔值 httpd_enable_homedirs(SELinux 为 Enforcing 时需打开:setsebool -P httpd_enable_homedirs on)

  • 相关设置:
        vim /etc/httpd/conf/httpd.conf
        <IfModule mod_userdir.c>
            #UserDir disabled
            UserDir public_html #指定共享目录的名称
        </IfModule>
        

        准备目录
            su - wang; mkdir ~/public_html
            setfacl -m u:apache:x ~wang                  --->给 apache 用户对家目录的执行(遍历)权限,用户名须与上一行一致
        访问
            http://localhost/~wang/index.html

  • 注意:要修改共享文件夹的访问权限

[root@Centos6-serverconf.d]#httpd -M | grep userdir
 userdir_module (shared)
[root@Centos6-serverconf.d]#getenforce                    --->默认就把SELinux关闭了
Disabled

[root@Centos6-serverconf.d]#vim /etc/httpd/conf/httpd.conf 
<IfModule mod_userdir.c>

#    UserDir disabled                                     --->注释掉或者改成enabled

    UserDir publicweb                                     --->共享文件夹的名字

[root@Centos6-serverconf.d]#ll -d /home/L/
drwx------ 3 L L 4096 Jan 24 15:59 /home/L/
[root@Centos6-serverconf.d]#tail /var/log/httpd/error_log 
[Wed Jan 24 16:21:32 2018] [error] [client 192.168.1.5] (13)Permission denied: access to /~L/ denied

[root@Centos6-serverconf.d]#setfacl -m u:apache:x /home/L/
[root@centos7mini~]#curl http://<服务器IP>/~L/            --->原文此处 URL 丢失,<服务器IP> 为占位符;路径对应上面错误日志中的 /~L/
/home/L/publicweb/index.html

[root@Centos6-serverconf.d]#mkdir /root/publicweb
[root@Centos6-serverconf.d]#echo /root/publicweb/index.html > /root/publicweb/index.html
[root@Centos6-serverconf.d]#setfacl -m u:apache:x /root/    --->仅为实验演示;给 apache 开放 /root 的遍历权限并通过 UserDir 共享 root 家目录不应用于生产环境

TIM图片20180128172224.png

 

 

5、错误页面信息设置

  • ServerSignature     On | Off | EMail

  • 当客户请求的网页并不存在时,服务器将产生错误文档,缺省情况下由于打开了 ServerSignature 选项

        错误文档的最后一行将包含服务器的名字、Apache的版本等信息
    如果不对外显示这些信息,就可以将这个参数设置为Off
    设置为Email,将显示 ServerAdmin 的Email提示。

  • 建议设置为 Off

[root@Centos6-serverconf.d]#vim /etc/httpd/conf/httpd.conf 
ServerSignature Off

TIM图片20180128173740.png


6、ServerType inetd | standalone(仅 httpd 1.3 的指令,2.x 已移除,仅作了解)

  • standalone 独立服务模式

  • inetd 非独立服务模式

  • 只适用于Unix平台


7、status页面

  • LoadModule status_module modules/mod_status.so
        <Location /server-status>
            SetHandler server-status
            Order allow,deny
            Allow from 172.16
        </Location>

  •  ExtendedStatus On 显示扩展信息

[root@Centos6-serverconf.d]#vim /etc/httpd/conf/httpd.conf
<Location /status>
    SetHandler server-status
    Order deny,allow
#    Deny from all                                        --->注释掉后默认允许所有客户端访问,status 页面会暴露版本、进程 PID 等信息;实验外应保留此行
    Allow from .example.com                               --->按主机名匹配依赖客户端 IP 的反向解析,一般建议按 IP/网段限制
</Location>

#正常打开网页所显示的内容
Apache Server Status for 192.168.1.100
Server Version: Apache/2.2.15 (Unix) DAV/2                             #软件版本信息
Server Built: Mar 22 2017 06:52:55                                     #软件编译时间
Current Time: Wednesday, 24-Jan-2018 16:42:14 CST                      #当前时间
Restart Time: Wednesday, 24-Jan-2018 16:41:49 CST                      #上次重启服务时间
Parent Server Generation: 0                                            #父代服务器生成:0
Server uptime:  24 seconds                                             
1 requests currently being processed, 7 idle workers                   #1个工作中,7个空闲状态
W_______........................................................

................................................................

................................................................

................................................................

Scoreboard Key:
 "_" Waiting for Connection,  "S" Starting up,  "R" Reading Request,
 "W" Sending Reply,  "K" Keepalive (read),  "D" DNS Lookup,
 "C" Closing connection,  "L" Logging,  "G" Gracefully finishing,
 "I" Idle cleanup of worker,  "." Open slot with no current process
PID Key:                                                               #子进程pid编号
   48392 in state: W ,   48393 in state: _ ,   48394 in state: _ 
   48395 in state: _ ,   48396 in state: _ ,   48397 in state: _ 
   48398 in state: _ ,   48399 in state: _ ,
To obtain a full report with current status information you need to use the ExtendedStatus On directive.

#
“_”等待连接            “S”启动            “R”读取请求时
“W”发送回复            “K”保持连接(读)    “D” DNS查找
“C”关闭连接            “L”日志            “G”优雅地完成
“I”空闲清理工作进程     “.”空闲插槽,无当前进程



二、虚拟主机


1、实现方法及注意事项

  • 基于ip:为每个虚拟主机准备至少一个ip地址

  • 基于port:为每个虚拟主机使用至少一个独立的port

  • 基于FQDN:为每个虚拟主机使用至少一个FQDN

  • 注意:一般虚拟主机不要与main主机混用;因此,要使用虚拟主机,一般先禁用main主机

  • 禁用方法:注释中心主机的DocumentRoot指令即可

  • 站点标识: socket
        IP相同,但端口不同
        IP不同,但端口均为默认端口
        FQDN不同:
            请求报文中首部
            Host: www.magedu.com

  • 虚拟主机的配置方法
        <VirtualHost IP:PORT>
            ServerName FQDN
            DocumentRoot "/path"
        </VirtualHost>

  • 建议:上述配置存放在独立的配置文件中


2、基于IP的虚拟主机示例

  •     <VirtualHost 172.16.100.6:80>
            ServerName www.a.com
            DocumentRoot "/www/a.com/htdocs"
        </VirtualHost>


        <VirtualHost 172.16.100.7:80>
            ServerName www.b.net
            DocumentRoot "/www/b.net/htdocs"
        </VirtualHost>


        <VirtualHost 172.16.100.8:80>
            ServerName www.c.org
            DocumentRoot "/www/c.org/htdocs"
        </VirtualHost>

#实验:基于IP地址的虚拟主机
[root@Centos6-serverapp]#ls
website
[root@Centos6-serverapp]#cp website/ website2 -r
[root@Centos6-serverapp]#cp website/ website3 -r

[root@Centos6-serverapp]#vim website2/index.html 
/app/website2 
[root@Centos6-serverapp]#vim website3/index.html 
/app/website3 

[root@Centos6-serverconf.d]#pwd
/etc/httpd/conf.d

[root@Centos6-serverconf.d]#vim vhost.conf 
        documentroot /app/website                        --->此行与下一行为编辑残留:未闭合的 <Virtualhost ...> 会使 httpd -t 配置检查失败,实际文件中应删除
<Virtualhost 192.168.1.251:80
<Virtualhost 192.168.1.100:80>
        DocumentRoot /app/website
        ErrorLog logs/website1-error_log
        CustomLog logs/website1-access_log common
</Virtualhost>
<Virtualhost 192.168.1.250:80>
        DocumentRoot /app/website2
        ErrorLog logs/website2-error_log
        CustomLog logs/website2-access_log common
</Virtualhost>
<Virtualhost 192.168.1.251:80>
        DocumentRoot /app/website3
        ErrorLog logs/website3-error_log
        CustomLog logs/website3-access_log common                                                      
</Virtualhost>

[root@centos7mini~]#curl 192.168.1.100
/app/website

[root@centos7mini~]#curl 192.168.1.250
/app/website2
[root@centos7mini~]#curl 192.168.1.251
/app/website3

[root@Centos6-serverconf.d]#ll /var/log/httpd/
-rw-r--r-- 1 root root      71 Jan 28 19:46 website1-access_log
-rw-r--r-- 1 root root       0 Jan 28 19:45 website1-error_log
-rw-r--r-- 1 root root      71 Jan 28 19:46 website2-access_log
-rw-r--r-- 1 root root       0 Jan 28 19:45 website2-error_log
-rw-r--r-- 1 root root      71 Jan 28 19:46 website3-access_log
-rw-r--r-- 1 root root       0 Jan 28 19:45 website3-error_log


3、基于端口的虚拟主机

  • 可和基于IP的虚拟主机混和使用

  •     listen 808
        listen 8080
        <VirtualHost 172.16.100.6:80>
            ServerName www.a.com
            DocumentRoot "/www/a.com/htdocs"
        </VirtualHost>


        <VirtualHost 172.16.100.6:808>
            ServerName www.b.net
            DocumentRoot "/www/b.net/htdocs"
        </VirtualHost>


        <VirtualHost 172.16.100.6:8080>
            ServerName www.c.org
            DocumentRoot "/www/c.org/htdocs"
        </VirtualHost>

#实验:基于端口的虚拟主机
[root@Centos6-serverconf.d]#vim vhost.conf 
listen 8001
listen 8002
listen 8003                                                                                            
<Virtualhost *:8001>
        DocumentRoot /app/website
        ErrorLog logs/website1-error_log
        CustomLog logs/website1-access_log common
</Virtualhost>
<Virtualhost *:8002>
        DocumentRoot /app/website2
        ErrorLog logs/website2-error_log
        CustomLog logs/website2-access_log common
</Virtualhost>
<Virtualhost *:8003>
        DocumentRoot /app/website3
        ErrorLog logs/website3-error_log
        CustomLog logs/website3-access_log common
</Virtualhost>
[root@Centos6-serverconf.d]#ss -ntl
State       Recv-Q Send-Q                   Local Address:Port                     Peer Address:Port 
LISTEN      0      128                                 :::8001                               :::*     
LISTEN      0      128                                 :::8002                               :::*     
LISTEN      0      128                                 :::8003                               :::*     
LISTEN      0      128                                 :::80                                 :::*  

[root@centos7mini~]#curl 192.168.1.100:8001
/app/website

[root@centos7mini~]#curl 192.168.1.100:8002
/app/website2

[root@centos7mini~]#curl 192.168.1.100:8003
/app/website3


4、基于FQDN的虚拟主机

  • NameVirtualHost *:80 httpd2.4不需要此指令
        <VirtualHost *:80>
            ServerName www.a.com
            DocumentRoot "/www/a.com/htdocs"
        </VirtualHost>


        <VirtualHost *:80>
            ServerName www.b.net
            DocumentRoot "/www/b.net/htdocs"
        </VirtualHost>


        <VirtualHost *:80>
            ServerName www.c.org
            DocumentRoot "/www/c.org/htdocs"
        </VirtualHost>

#实验:基于FQDN的虚拟主机

[root@Centos6-serverconf.d]#vim vhost.conf   
NameVirtualHost *:80
<Virtualhost *:80>
        DocumentRoot /app/website
        ServerName www.a.com
        ErrorLog logs/website1-error_log
        CustomLog logs/website1-access_log common
</Virtualhost>
<Virtualhost *:80>
        DocumentRoot /app/website2
        ServerName www.b.com
        ErrorLog logs/website2-error_log
        CustomLog logs/website2-access_log common
</Virtualhost>
<Virtualhost *:80>                                                                                     
        DocumentRoot /app/website3
        ServerName www.c.com
        ErrorLog logs/website3-error_log
        CustomLog logs/website3-access_log common
</Virtualhost>
#注意:如果通过IP而不是通过FQDN访问(或 Host 首部不匹配任何 ServerName),请求会落到配置中第一个 <VirtualHost>,它就是该 IP:PORT 的默认虚拟主机!!!
[root@centos7mini~]#vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.100     www.a.com www.b.com www.c.com        --->原文此处主机名丢失,依据下方 curl 测试补全

[root@centos7mini~]#curl www.a.com
/app/website

[root@centos7mini~]#curl www.b.com
/app/website2

[root@centos7mini~]#curl www.c.com
/app/website3

[root@centos7mini~]#telnet www.b.com 80                ---> 这里的FQDN无所谓,只决定TCP连到哪个IP
Trying 192.168.1.100...
Connected to www.b.com.
Escape character is '^]'.
GET / http/1.1
HOST: www.c.com                               ---> 这里的主机头才决定访问哪个虚拟主机(原文此处值丢失,依据下方返回 /app/website3 补全)
HTTP/1.1 200 OK
Date: Sun, 28 Jan 2018 12:06:33 GMT
Server: Apache
Last-Modified: Sun, 28 Jan 2018 11:34:22 GMT
ETag: "12000d-e-563d482c9ad21"
Accept-Ranges: bytes
Content-Length: 14
Connection: close
Content-Type: text/html; charset=UTF-8
/app/website3
Connection closed by foreign host.

#注意:一般虚拟主机不要与main主机混用;因此,要使用虚拟主机,一般先禁用main主机
#注意:如果通过IP来访问,而不是通过FQDN访问,第一个为IP默认要访问的地址!!!
[root@centos7mini~]#curl 192.168.1.100
/app/website

[root@centos7mini~]#vim /etc/hosts
192.168.1.100     

[root@centos7mini~]#curl /app/website
[root@centos7mini~]#curl /app/website
[root@centos7mini~]#curl /app/website