htaccess authentication and SSL encryption

The project calls for Apache hardening, specifically user authentication on access; by default the site is served on port 80.

1. Set the virtual host listening port

root@10.1.1.200:apache2# cat ports.conf 
NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

2. Configure the virtual host

root@10.1.1.200:sites-enabled# cat ossec 
<VirtualHost *:80>
        ServerAdmin root@localhost
        ServerName  10.1.1.200
        DocumentRoot /var/www/ossec
        <Directory /var/www/ossec>
                # Options must be all-prefixed or all-bare; mixing them is rejected at startup
                Options -Indexes +FollowSymLinks +MultiViews
                AllowOverride None
                Order allow,deny
                Allow from 10.1.1.200
                # basic authentication (comments must sit on their own line in Apache config)
                AuthType Basic
                # realm text shown in the browser prompt
                AuthName "ossec system"
                AuthBasicProvider file
                # best kept somewhere clients cannot reach
                AuthUserFile /etc/apache2/password/passwords
                # any user listed in the passwords file above; specific users can also be named
                Require valid-user
        </Directory>

        ErrorLog /var/log/apache2/ossec_error.log

        LogLevel warn

        CustomLog /var/log/apache2/ossec_access.log combined

</VirtualHost>

You can also change AllowOverride None to AllowOverride AuthConfig, which lets you move AuthType and the related directives out of the main configuration into /var/www/ossec/.htaccess (it must be that file name). In theory the password then takes effect without a restart, because it lives outside the main configuration file; every location that holds the .htaccess requires authentication.

3. Generate the user database

root@10.1.1.200:sites-enabled# cd /etc/apache2/password/
root@10.1.1.200:password# ls
passwords
root@10.1.1.200:password# htpasswd -c /etc/apache2/password/passwords -c ossecadmin
root@10.18.21.201:password# cat passwords 
ossecadmin:faarAgVTPHuXc
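Two things worth checking before the passwords file goes live: `-c` creates the file and truncates an existing one, so pass it only for the first user, and the 13-character entry above is traditional DES crypt (the 2.2 default on Unix), which keeps only the first 8 characters of the password; `htpasswd -m` (apr1 MD5) or, on 2.4, `htpasswd -B` (bcrypt) is the better choice. The script below is an added example, not part of the original post: it classifies each entry of an htpasswd file by hash scheme and fails when a weak one is present. The sample file is constructed here; the apr1 digest in it is a made-up placeholder of the right shape.

```shell
#!/bin/sh
# Added example, not from the original post: audit an htpasswd file and
# report which hash scheme each entry uses. The sample file below is
# constructed here; it reuses the crypt entry shown in the post.

# Classify one password-field value by its on-disk format.
classify_hash() {
  case "$1" in
    '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;        # htpasswd -B (Apache 2.4)
    '$apr1$'*)               echo apr1-md5 ;;      # htpasswd -m
    '{SHA}'*)                echo sha1 ;;          # htpasswd -s
    ?????????????)           echo crypt ;;         # 13 chars: traditional DES crypt (-d)
    *)                       echo unknown ;;       # plain text or something unexpected
  esac
}

# Walk a file of user:hash lines, print "user scheme verdict" for each and
# return 1 if any entry uses a scheme weaker than apr1-md5 or bcrypt.
audit_htpasswd() {
  file=$1
  rc=0
  while IFS=: read -r user hash; do
    [ -z "$user" ] && continue            # skip blank lines
    scheme=$(classify_hash "$hash")
    case "$scheme" in
      bcrypt|apr1-md5) verdict="ok" ;;
      crypt)   verdict="weak: DES crypt keeps only the first 8 password characters"; rc=1 ;;
      sha1)    verdict="weak: unsalted SHA-1"; rc=1 ;;
      *)       verdict="weak: not a recognised hash (plain text?)"; rc=1 ;;
    esac
    printf '%s %s %s\n' "$user" "$scheme" "$verdict"
  done < "$file"
  return $rc
}

# Constructed sample: the entry from the post plus an apr1-md5 entry
# (the apr1 digest here is a made-up placeholder of the right shape).
demo=$(mktemp)
cat > "$demo" <<'EOF'
ossecadmin:faarAgVTPHuXc
auditor:$apr1$abcdefgh$0123456789abcdefghijkl
EOF
audit_htpasswd "$demo"
echo "exit status: $?"
rm -f "$demo"
```

Run it as `sh audit_htpasswd.sh`; on the sample it flags the ossecadmin entry and exits 1. Point it at /etc/apache2/password/passwords by replacing the constructed sample with that path.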
4. Restart Apache
root@10.1.1.200:~# /etc/init.d/apache2 restart

5. Test access


If we also want SSL-encrypted access on port 443, and, because the default port is 80, we do not want users to have to type https themselves, there are many ways to arrange that; here we add a redirect in the configuration file.

1. Enable the ssl and rewrite modules

root@10.1.1.200:mods-available# a2enmod ssl 
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
root@10.1.1.200:mods-available# a2enmod rewrite 
Enabling module rewrite.
Run '/etc/init.d/apache2 restart' to activate new configuration!
2. Generate the key and certificate


A. Create a 2048-bit key file (you will be prompted for a passphrase and its confirmation):

#openssl genrsa -des3 -out server.key 2048
After it runs there should be a server.key file in the current directory.

B. Inspect the created key file (optional):

#openssl rsa -noout -text -in server.key

C. Create a passphrase-free pem copy of the key (optional):

#openssl rsa -in server.key -out server.key.unsecure

D. Create the csr file (you will be asked for some information; "Common Name (YOUR name)" is the site's domain name, e.g. www.dave.com, and the other fields should match that domain's registration details):

#openssl req -new -key server.key -out server.csr
After it runs there should be a server.csr file in the current directory.

E. Create the crt file:

#openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
After it runs there should be a server.crt file in the current directory.

Put the generated files in /etc/apache2/ssl
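Steps A to E, run non-interactively and followed by a consistency check, as an added example that is not part of the original post. The key is written without a passphrase (the same result as step C) so Apache can start unattended, and the umask keeps it readable by its owner only; the check confirms that server.crt really carries the public key of server.key before the files are copied into /etc/apache2/ssl. The subject, lifetime and output directory are arguments chosen by the caller, and `-subj "/CN=..."` is assumed to be enough subject information for a self-signed certificate.

```shell
#!/bin/sh
# Added example, not from the original post: run steps A to E without
# prompts and then prove the resulting certificate belongs to the key.
# The key is written without a passphrase so Apache can start unattended;
# the umask keeps it readable by its owner only.

# Generate server.key, server.csr and a self-signed server.crt in $1
# for host name $2, valid for $3 days (default 3650, as in the post).
make_selfsigned() (
  dir=$1; host=$2; days=${3:-3650}
  umask 077                    # server.key is created mode 600
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
      -subj "/CN=$host" 2>/dev/null &&
  openssl x509 -req -days "$days" -in "$dir/server.csr" \
      -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null &&
  chmod 644 "$dir/server.crt"  # the certificate is public
)

# Return 0 only if server.crt's public key matches server.key, the
# certificate verifies against itself, and it has not expired.
check_cert_matches_key() {
  dir=$1
  key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)
  crt_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt" 2>/dev/null)
  [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ] || return 1
  openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" 2>/dev/null \
      | grep -q ': OK$' || return 1
  openssl x509 -noout -checkend 0 -in "$dir/server.crt" >/dev/null 2>&1
}

# Usage: sh make_cert.sh /etc/apache2/ssl 10.1.1.200
if [ $# -eq 2 ]; then
  make_selfsigned "$1" "$2" && check_cert_matches_key "$1" \
    && echo "$1/server.crt matches $1/server.key"
fi
```

The modulus comparison is the check that catches a certificate copied from another host or re-generated after the key was replaced; the `openssl verify` step confirms the self-signature, and `-checkend 0` that the certificate has not already expired.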


3. Set the virtual host listening ports

root@10.1.1.200:apache2# cat ports.conf 
NameVirtualHost *:80
NameVirtualHost *:443
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

4. Configure the virtual host

root@10.1.1.200:sites-enabled# vim ossec 

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/ossec
        <Directory /var/www/ossec/>
                Options -Indexes +FollowSymLinks
                AllowOverride None
                Order allow,deny
                allow from 10.1.1.200
                AuthType Basic
                AuthName "ossec system"
                AuthBasicProvider file
                AuthUserFile /etc/apache2/password/passwords
                Require valid-user
        </Directory>

        ErrorLog /var/log/apache2/error.log
        LogLevel warn
        CustomLog /var/log/apache2/ssl_access.log combined
        SSLEngine on
        SSLCertificateFile    /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
        # if restarting Apache reports an error here, comment this line out
        SSLCACertificateFile /etc/apache2/ssl/server.crt
</VirtualHost>

<VirtualHost *:80>
         ServerName 10.1.1.200
         RewriteEngine On
         RewriteCond %{HTTP_HOST} ^10.1.1.200 [NC]
         RewriteRule ^/(.*)?$ https://10.1.1.200/$1 [L,R]
</VirtualHost>


5. Restart apache2

root@10.1.1.200:sites-enabled# /etc/init.d/apache2 restart
Restarting web server: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 10.1.1.200 for ServerName
 ... waiting apache2: Could not reliably determine the server's fully qualified domain name, using 10.1.1.200 for ServerName
Apache/2.2.16 mod_ssl/2.2.16 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 10.1.1.200:443 (RSA)
Enter pass phrase:
The restart only succeeds once you enter the passphrase chosen when the SSL key was generated.
root@10.1.1.200:sites-enabled# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::443                  :::*                    LISTEN      562/apache2     
tcp6       0      0 :::80                   :::*                    LISTEN      562/apache2
This creates a problem: if the machine reboots, the Apache SSL service waits for someone to type the passphrase before it can start, and otherwise the machine sits at the prompt indefinitely.

The following method solves the passphrase-on-restart problem; in short, it makes Apache run a script that supplies the passphrase automatically when the service restarts.

root@10.1.1.200:mods-enabled# vim ssl.conf
     #SSLPassPhraseDialog  builtin
     SSLPassPhraseDialog exec:/etc/apache2/ssl/key.sh
root@10.1.1.200:ssl# vim key.sh 
#!/bin/bash
echo 'password'
root@10.1.1.200:ssl# pwd
/etc/apache2/ssl
root@10.1.1.200:ssl# ls -l           # note the permissions: 755
-rwxr-xr-x 1 root root   26 2012-05-30 13:48 key.sh
Restart Apache again and it no longer needs anyone to type the passphrase.
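One caveat a practitioner should weigh here: key.sh holds the passphrase in clear text, and with mode 755 every local user can read it, so the encrypted server.key is no better protected than the passphrase-free copy from step C. Whichever form is used, the secret-bearing files should be root-owned and readable by root only (Apache runs the passphrase script as root during startup, so 700 is enough). The script below is an added example, not part of the original post; it audits the mode of each file given and fails when group or other has any access. The paths in the usage line are the post's own; the audit logic is an assumption written for this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit the files that protect
# the SSL virtual host's secrets (server.key and the passphrase script).
# The only protection a clear-text passphrase script has is its mode.

# Print the six permission characters for group and other,
# e.g. "r-xr-x" for mode 755 or "------" for mode 600.
group_other_bits() {
  ls -ld "$1" | cut -c5-10
}

# Return 0 only if $1 exists and neither group nor other has any access.
is_owner_only() {
  [ -e "$1" ] || return 1
  case "$(group_other_bits "$1")" in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# Check every path given; print one line per file and return 1 if any
# file is missing or accessible beyond its owner.
audit_secret_files() {
  rc=0
  for f in "$@"; do
    if [ ! -e "$f" ]; then
      printf '%s: missing\n' "$f"
      rc=1
    elif ! is_owner_only "$f"; then
      printf '%s: group/other bits "%s" expose it; use chmod 600 (700 for a script)\n' \
          "$f" "$(group_other_bits "$f")"
      rc=1
    else
      printf '%s: ok\n' "$f"
    fi
  done
  return $rc
}

# Usage: sh audit_secrets.sh /etc/apache2/ssl/server.key /etc/apache2/ssl/key.sh
if [ $# -gt 0 ]; then
  audit_secret_files "$@"
fi
```

On the layout shown above the audit reports key.sh as exposed (`r-xr-x`) and exits 1; after `chmod 700 /etc/apache2/ssl/key.sh` and `chmod 600 /etc/apache2/ssl/server.key` it reports both as ok.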


6. Test access

Click "Continue to this website" to accept the certificate.

Enter the correct password and you are redirected to https automatically.




Reposted from: https://my.oschina.net/davehe/blog/103801
